References

  1. ASIC. (2022). Guidance for consumers impacted by the Optus data breach. Retrieved from ASIC: https://asic.gov.au/about-asic/news-centre/news-items/guidance-for-consumers-impacted-by-the-optus-data-breach/
  2. OAIC. (n.d.). The Privacy Act / Rights and responsibilities. Retrieved from OAIC: https://www.oaic.gov.au/privacy/the-privacy-act/rights-and-responsibilities
  3. Chen, R.-R., Lin, Y.-H., Chiang, S.-C., & Chang, H.-K. (2010, June 29). Management of personal health information sharing for long term care services. 2010 7th International Conference on Service Systems and Service Management. doi:10.1109/ICSSSM.2010.5530130
  4. Ball, K. S. (2001, December 1). Surveillance Society: Monitoring Everyday Life. Information Technology & People, 14, 406-419. doi:https://doi.org/10.1108/itp.2001.14.4.406.5
  5. Bélanger, F., & Crossler, R. E. (2011, December). Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems. 35, 1017-1041. doi:https://doi.org/10.2307/41409971
  6. Conger, S., Pratt, J. H., & Loch, K. D. (2012, June 01). Personal information privacy and emerging technologies. Information Systems Journal. doi:https://doi.org/10.1111/j.1365-2575.2012.00402.x
  7. KU. (2009, January 15). Data Classification and Handling Procedures Guide. KU Policy Library. Retrieved from https://policy.ku.edu/IT/data-classification-handling-procedures
  8. Benson, V., Saridakis, G., & Tennakoon, H. (2015, August 3). Information disclosure of social media users: Does control over personal information, user awareness and security notices matter? Information Technology & People, 28(3), 426-441. doi:https://doi.org/10.1108/ITP-10-2014-0232
  9. Nakagawa, Y., Matsuda, Y., & Ogi, T. (2013). Framework for handling personal data proposed system of the self-control on buying information. 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013). doi:10.1109/ICITST.2013.6750172
  10. Optus. (2022). Latest updates & support on our cyber response. Cyber Response. Optus. Retrieved from https://www.optus.com.au/support/cyberattack?gclid=Cj0KCQjw-fmZBhDtARIsAH6H8qj81jkVEdv2ulLFarg0Coxf2O0paLktHG3kGb9-IpchnBaPQ0zSU4IaArHREALw_wcB&gclsrc=aw.ds
  11. ACS. (2014, April). ACS Code of Professional Conduct. Retrieved from https://learn-ap-southeast-2-prod-fleet01-xythos.content.blackboardcdn.com/5c1c4db3261aa/1545153?X-Blackboard-Expiration=1618725600000&X-Blackboard-Signature=cJiiWtL8JKLcSqUy7EIpTgNLmx%2BQ5eEa1DaMvblDJYI%3D&X-Blackboard-Client-Id=116148&response-cache-con
  12. OAIC. (n.d.). Rights and Responsibilities. Retrieved from oaic.gov.au: https://www.oaic.gov.au/privacy/the-privacy-act/rights-and-responsibilities/
  13. Federal Trade Commission. (n.d.). Fair Credit Reporting Act. Retrieved from Federal Trade Commission: https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act
  14. Roeber, B., Rehse, O., Knorrek, R., & Benjamin, T. (2015, February 07). Personal data: how context shapes consumers’ data sharing with organizations from various sectors. Springer Link, 95-108. Retrieved from https://link.springer.com/article/10.1007/s12525-015-0183-0
  15. Gressin, S. (2017, September 8). The Equifax Data Breach: What to Do. Attorney, Division of Consumer & Business Education, FTC. Retrieved from https://www.penncommunitybank.com/wp-content/uploads/2019/12/The-Equifax-Data-Breach_-What-to-Do-_-Consumer-Information.pdf
  16. Newman, L. H. (2017, 03 10). 6 Fresh Horrors From the Equifax CEO’s Congressional Hearing. Wired. Retrieved from https://www.wired.com/story/equifax-ceo-congress-testimony/
  17. Falk, A. (2022, October 04). Privacy Commissioner wants to know what security Optus had in place before data breach. (Sara, Interviewer) Retrieved from https://www.youtube.com/watch?v=j5Bp-V5lynw

Acknowledgment

In all humility I bow before God, the compassionate and most merciful who gave me the brain to think and capability to hear so to know what I do not.

Words can’t express my gratitude to my family for their support, encouragement and sacrifices to push me up to this level in my academic journey. I also could not have undertaken this journey without particular motivation from my lovely and learned sister MARANATHA and my learned brother MARCEL, who generously provided their knowledge and support and whom I refer to as my knowledge base.

This endeavor would not have been possible without the generous knowledge contribution and support from HELEN PUTLAND, who has supported me since the first day at the University and continued to provide her support throughout this journey.

I am grateful to all my university lecturers and support team for their great teaching experience and support throughout my learning journey.

Additionally, I’m thankful to Dr. MOHSIN IFTIKHAR and KENNETH EUSTACE from Charles Sturt University for their encouragement and cooperation during my research work.

I am also grateful to all my best and close friends for their feedback, motivation and moral support. Thanks should also go to my Pastor MWENDAMBALI for all the prayers you have been doing for this success.

Finally, I would like to express my gratitude to my lovely parents, who always believe in me and support me.

Conclusion

In this paper we present a security framework for better handling of personal information and discuss in detail how personal information can be secured. We discussed various points of view and facts, as well as security concerns, regarding personal information. Several points were made, covering privacy concerns, rights and responsibilities in personal information management, information sharing, data classification, and security measures as best practice for protecting individuals’ personal data. We also present the experimental result of the framework implementation. As for what remains open, in the future I intend to concentrate on new security policies around personal information management and the government response toward personal information handling. From this paper we learned that personal information is a major subject of many security breaches and attacks, owing to the trend of new technologies and data exploitation. Therefore, organizations and individuals need to safeguard themselves and apply strong security measures to protect both the individual and the nation against the risks involved.

Experimental Result

Based on the study, I tried to implement a personal information handling framework, drawing on literature from different authors with different points of view as well as the scholarly material and information gathered throughout the learning process. I used a combination of security mechanisms to come up with a strong framework and guideline.

Results / Findings

Personal Information Handling

Personal information handling is a major concern that affects organizations and has implications for individuals’ lives. It is a complex matter because of the use of highly capable technologies, facilitated by user-facing platforms such as social media, financial institution websites and e-commerce websites. Failure to handle personal data properly raises concerns about individuals’ privacy, which remains a trending subject and the primary concern regarding personal information because of the data exploitation trend at all organizational levels: businesses improving their marketing capabilities, social media companies refining advertisements, and government agencies improving their services [9]. This makes managing personal information a great struggle and opens up the risk of information being exploited.

According to the latest news on the recent Optus data breach, up to 9.8 million customers were impacted and their personal information was compromised and exposed by a hacker [10]. This is strong evidence that even large companies still need more controls on a daily basis to better handle and protect users’ personal information.

In handling personal information, organizations need to strongly consider strengthening their security controls and policies, and to review the existing controls and protocols so that they improve in line with new technologies and innovations.

The problem with handling personal information is that businesses, companies and organizations often use customers’ personal data to shape their marketing and campaigns, and these activities are mostly performed without the customers’ or users’ permission. From my perspective, and with respect to personal privacy and professional ethics, this represents data exploitation: misusing personal data for their own interest. According to [11], it also violates the ACS (Australian Computer Society) Code of Professional Conduct, whose principle 1.2.1 (The primacy of the public interest) states that the public interest should be put above all others, such as personal, sectional or business interests.

To resolve this problem, organizations that handle individuals’ personal data need to design a strong framework or improve existing ones, and work closely with the government and in compliance with government guidelines, to avoid any risk that might occur while handling sensitive personal data, as this can cause harm to individuals as well as economic harm to the national economy.

From the individual’s perspective, there is a great deal about handling personal information that the public needs to understand, given the trend of technologies that facilitate the use and transaction of our data through technological means. Awareness provided by the entities that supply technology and platforms is of great importance to society, guiding people on how to use a platform wisely and protect themselves against any form of risk and attack they may be subject to. Organizations that also give individuals flexibility and access to control their information may make it easier for them to limit the exposure of sensitive information [8].

How information is being shared among organizations

Sharing personal information, whether between organizations or among individuals, can be critical: it can raise ethical issues and even increase the risk of information being compromised, misused by malicious entities or used in committing crime. This discussion is based on how users’ information is collected and shared between organizations to improve their marketing campaigns.

An analysis of the Facebook feature “Off Facebook Activity”, “This Facebook Tool Reveals How You Are Being Tracked Online”, shows that Facebook reveals to users how their data is shared between organizations to help them improve their advertising campaigns. It is ethically right for users to know how their data is used by an organization or institution, but organizations also need user consent to fully share and use that data. According to the Australian Privacy Act 1988 [12], “As an individual, the Privacy Act gives you greater control over the way that your personal information is handled.” The Act further states that individuals need to know why their information is being collected, which entity it will be disclosed to and how it will be used. This means that personal privacy is taken seriously, and users’ data cannot be shared with other organizations without the user’s knowledge.

Scenario 1

How this scenario works, based on the Facebook experience:

  • Facebook connects and syncs with various organizations that handle and process user information or activities, such as Google when we search, and with the cookies that browsers store as we browse online in our daily activities, which depend mostly on our needs or desires.
  • So any activity that we perform online in our day-to-day life is tracked and saved in the browser through cookies, whether we are navigating social media, browsing our banking website or filling in online forms. This information is taken and shared with all organizations in the agreement.
  • All this information is then taken and analyzed by the organizations in relation to their products, and they advertise accordingly. This is why we see ads that suit our interests less than a minute after browsing from a device that is either connected to the same network or logged in with the same account.
  • This can extend to all devices connected to the same network.

The visual argument below explains the facts about this feature, with my support attached.

Figure 1

In this visual argument I demonstrate my support for the view that users have the right to know how their information is being used; society will appreciate this, as it gives people a hint of the kind of information to protect against online malicious activities. Furthermore, I expressed my dissatisfaction with the sharing of users’ data with other organizations without user consent, as this represents a big risk to users’ personal information, which can be compromised or even hacked.

Scenario 2

Another scenario demonstrates how financial institutions share our personal data.

Financial or lending institutions such as banks, mortgage lenders or credit card issuers can share any information at any time with credit reporting agencies, and they are also under no requirement to do so. The credit reporting agencies act as a warehouse of our personal and financial information: all these financial institutions can send reports to them and refer to them about how a client pays their bills or credit, in order to determine the client’s eligibility. Once an agency has collected individuals’ data, it generates credit reports and sells them to lending institutions.

On the other hand, the client is covered by the law regarding accessibility of their information.

When your information is reported to the reporting agencies, you immediately have a considerable number of rights under the Fair Credit Reporting Act [13].

There is a security concern about this method of information sharing, because credit reporting agencies are a central point for all our financial data. If the system is compromised or the agency becomes subject to a cyber-attack, this can cause major damage to the public and the risk of customers’ information being disclosed. An example is the massive Equifax credit report data breach, in which millions of customers’ personal and sensitive data were disclosed.

How information is shared between individual and organization

For an organization to serve users and clients better, it needs individuals’ information to recognize the person being served. An example is purchasing online, where you have to enter personal information as identifiers so that the person who made the purchase can be recognized.

In their research, the authors of [14] present different hypotheses about the sharing of personal information and the way information is exchanged between individuals and organizations. Here we focus on the second hypothesis, that people value their personal data differently depending on the data type. The authors demonstrate the level of utility of various data types and list some top records as the ones showing the lowest utility: financial data, credit card data and health records. These data are therefore considered private. Furthermore, the authors argue that consumers appear to be highly protective of these data, are less willing to share them and consider them highly sensitive. From the network perspective, they are considered the most confidential data type, which should be taken care of and highly secured while traveling over the network. The authors also state in their findings that the majority of social network users do not behave in accordance with their privacy concerns.

From my point of view, I agree with the authors’ hypothesis that financial data, credit card data and health records constitute the most sensitive information, carrying the highest risk of compromise and of negatively impacting individuals. People worry about sharing such information, which results in their being more protective against financial theft and against cyber bullying that can result from an individual’s medical record being disclosed to a third party.

Throughout this research, in most of the literature the majority of authors focus on privacy and on securing sensitive information by applying the necessary security controls inside the organization, but forget another very sensitive data type: “User Access Credentials”.

With today’s trend and revolution in technology, most businesses, organizations and government institutions have adopted technology as the easiest way for customers to access services. Because this access is through online platforms and the user needs to be identified to make sure the service is delivered to the right person, an access level and user credentials need to be generated for each user to access the service, for example accessing your bank account or medical information, checking your online purchases and so on. This revolution makes this type of data more sensitive and confidential, because with just a hand on someone’s credentials, such as username and password, one can access a person’s sensitive information and misuse it.

A major security concern was discovered here:

How users access this information and modify it when needed.

I will start with a common scenario, from the organization’s perspective, in which the user wants to modify their information or access a service.

  • When logging in online, the client is prompted to enter a username and password. Nowadays systems have another layer of security, multi-factor authentication, if the client has set it up, and in most cases they have not, due to technological limitations.
  • When the user rings a company to modify or access sensitive information,

The client is asked a combination of questions to constitute a strong security layer in order to access information, using data such as:

  • First name and last name
  • Date of birth
  • Mobile phone number, which is read out for you to confirm the last 3 digits
  • In some cases, you are asked to provide the address
  • In the case of insurance, you are asked for the member number or car registration number.

When analyzing this way of performing security checks in organizations, I found it to be a very basic method of performing a security check. Why? Because:

  1. Much of this information is publicly exposed; almost everyone knows each other’s first and last names, and we can even hear them in presentations at different activities
  2. Everyone celebrates birthdays nowadays and nothing is hidden in that respect
  3. Car plate numbers are open to the public on the road, because they help the government identify vehicles and owners
  4. Social media exposure: a big part of this information is commonly exposed on social media, and people are posting more information about their daily activities, which identifies them further

This represents a high risk of misrepresentation or impersonation and can easily give unauthorized people access to others’ information.

I propose that businesses and organizations improve or adopt a different authentication and authorization approach, such as:

  • Biometric authentication: the person is identified and authenticated based on recognizable and verifiable data that is unique and specific, for example a voice recognition system or fingerprint system
  • Authenticating users based on what they know, such as security questions upon an access request, or a unique security code that can easily be kept in mind, as many banks do, which I strongly encourage
  • Applying multi-factor authentication, preferably using a mobile number or email or a combination of both rather than an authentication mobile application, because a user who gets hacked or compromised can easily be locked out of the app and not get back in.
  • Using a single sign-on system, as it helps users log in securely and be authenticated through the organization’s website.
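
The phone check analyzed above and the multi-factor step proposed in the list, side by side, as an added example that is not part of the original report. The customer record, the function and class names, the six-digit code, the five-minute lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed customer record; every value is invented for this example.
CUSTOMER = {
    "first_name": "Alex",
    "last_name": "Citizen",
    "date_of_birth": "1990-04-12",
    "mobile": "0400000123",
}


def phone_check(record, answers):
    """'Before': the call-centre check described above. Every answer it
    accepts is an attribute the report lists as publicly discoverable."""
    return (
        answers.get("first_name", "").lower() == record["first_name"].lower()
        and answers.get("last_name", "").lower() == record["last_name"].lower()
        and answers.get("date_of_birth") == record["date_of_birth"]
        and answers.get("mobile_last3") == record["mobile"][-3:]
    )


class OneTimeCodes:
    """'After': a second factor that proves control of the mobile number or
    email address already on file (hypothetical helper, in-memory store)."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        # customer_id -> [salt, digest, expires_at, attempts_left]
        self._pending = {}

    def issue(self, customer_id):
        """Create a six-digit code. The caller of this method sends it to the
        registered channel, never to a number or address given on the call."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        # Keep only a keyed digest so codes do not sit in clear in the store.
        digest = hmac.new(salt, code.encode(), hashlib.sha256).digest()
        expires_at = self._clock() + self._ttl
        self._pending[customer_id] = [salt, digest, expires_at, self._max_attempts]
        return code

    def verify(self, customer_id, submitted):
        """Accept a code once, before it expires, within the attempt limit."""
        entry = self._pending.get(customer_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[customer_id]  # expired or locked out
            return False
        entry[3] = attempts_left - 1
        candidate = hmac.new(salt, submitted.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            del self._pending[customer_id]  # single use
            return True
        return False


def authenticate_caller(record, answers, codes, customer_id, submitted_code):
    """The identity questions only locate the account; access also needs
    the one-time code delivered to the registered channel."""
    return phone_check(record, answers) and codes.verify(customer_id, submitted_code)
```

`phone_check` alone returns `True` for anyone who knows the four public attributes, which is the weakness described above; `authenticate_caller` additionally requires a code that only the holder of the registered channel receives.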

Privacy concerns about personal information

In personal information handling, privacy is the main concern; it has been so for years and remains so to date. Just as every battle starts with knowing information about the adversary, every cyber-criminal and attacker starts by finding out about the victim. The authors of [5] demonstrate different levels of privacy concern and explore its impact on different dependent variables, including the willingness to disclose or provide information to an entity, or to deliberately transact information either online or peer to peer. The authors also argue that there are four major concerns, namely privacy, accuracy, accessibility and property, with a strong argument for privacy as the major one. This leads me to confirm that it remains the major concern at all levels, for organizations as well as individuals.

Referring back to [8], the authors argue that control over personal information in social networks is negatively associated with the disclosure of information. However, they show the strong and positive impact of security notifications and of user awareness when information is being disclosed or shared.

From my perspective on privacy concerns, I strongly urge organizations to establish control by combining security mechanisms over the transaction of personal information with user awareness, in order to arrive at the best and strongest measures to protect user information.

Unless organizations improve the way they secure personal information and provide strong user awareness, data will remain a dangerous risk to society as well as to national security and the economy.

Compare the Equifax credit reporting agency data breach, in which customers’ sensitive information was exposed and around 143 million users were affected, including names, social security numbers, dates of birth and driver’s licenses as well as stolen credit card numbers [15] [16], with the recent Optus data breach. Optus, among the largest Internet service providers in Australia, was subject to a cyber-attack on 22 September 2022 in which the personal information of around 9.8 million of its customers was compromised and disclosed, such as driver’s licenses, Medicare card information, names, dates of birth and passport numbers [10]. This definitely shows that strong security controls must be put in place and reviewed from time to time, and that improvement of security over information privacy is highly needed.

In an interview on ABC television, Information and Privacy Commissioner ANGELINE FALK [17] argues that the Privacy Act stipulates that organizations need to collect only the information necessary for their function and usage, because collecting information can be a benefit and create innovation and economic value, but can also create a risk for the economy and the community. This is due to the significant amount of personal data that Optus was handling.

Information classification

As mentioned in the information sharing section, people value information depending on the type of information needed by the organization, and several types of information are considered private, sensitive or confidential. Financial data, credit card data and health records were identified as the most sensitive data, and it was also argued that user credentials are among the most critical types of data.

To handle personal information better, it is very important to know every type of data the organization possesses and transacts, as well as the data that needs to be destroyed. Knowing these types of data and categorizing them shapes the way security can be implemented at the organizational level over personal data.

According to [7], information is classified by its level of confidentiality into categories Level 1, Level 2 and Level 3, corresponding to confidential data, sensitive data and public data. The guide describes how this information can be interacted with in terms of accessibility, disclosure, safeguarding of information in transit, security of stored information and disposal of information.

The author categorizes information by the level of need and integrity of the data, as follows:

  • Confidential: considered high need, Level 1 protection; special care is required
  • Sensitive: medium need, Level 2; people are urged to be cautious about it
  • Public: the lowest-need data, marked Level 3; this requires awareness.

After deep analysis and research on the best personal data handling procedures, I realized that this is a critical and complex duty for organizations, owing to today’s technology trends, which incite people to disclose their information even unconsciously, and to the value that everyone gives to information. That led my research to construct a data classification that organizations can adopt before implementing security over personal information.

  • Confidential information: this type of information carries the highest volume of risk and therefore requires the maximum level of security. It is a dangerous sort of data with significant consequences for personal information. Examples are user login credentials and security PINs or codes. It can be shared with a very limited number of people, or only between the user and the organization.
  • Sensitive information: the organization has a responsibility to highly secure this type of information, as it consists of attributes attached to a person’s personality that can trigger bias or prejudice, such as political opinion. Once this information is compromised, the individual can be subject to cyber bullying or other forms of cyber-attack. It can also be a combination of information handled by the organization, such as financial data.
  • Private information: when an organization needs some private information from individuals in order to have the right amount of information to serve the customer better, we end up sharing with it personal or private information such as date of birth, first and last name, driver’s license and Medicare information, and this can result in many attacks. The right amount of protection is therefore needed when accessing, sharing, storing and disposing of this information.
  • Critical information: this is information that can quickly cause harm or lead to big consequences. It mostly concerns individuals and needs their attention, so that they know what to share online with others, because cyber-criminals can put together all publicly available information to mount an attack. It requires the organization to provide proper user awareness of what information to share with the public and when to share it.
  • Important information: this is information that is important to the user and limited to a specific group of people or entities.
  • Public information: this information can be made publicly available and is considered by both organization and individual to have a low risk of causing harm.

Once the organization assigns each piece of information to the right category, security measures and controls can be implemented accordingly. This allows the right protection to be applied to the right information.
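
One way to turn the six classes above into enforcement, as an added example that is not part of the original report: each field is looked up in a classification register, and a role sees only what its clearance allows. The field names, the roles, the ordering of the classes and the rule that unregistered fields are treated as confidential are assumptions made for illustration.

```python
from enum import IntEnum


class DataClass(IntEnum):
    """The six classes proposed above. The numeric order is an assumption
    made for this example so that classes can be compared."""
    PUBLIC = 0
    IMPORTANT = 1
    CRITICAL = 2
    PRIVATE = 3
    SENSITIVE = 4
    CONFIDENTIAL = 5


# Classification register. Field names are hypothetical; the class given to
# each one follows the examples the report lists for that class.
REGISTER = {
    "login_password": DataClass.CONFIDENTIAL,
    "security_pin": DataClass.CONFIDENTIAL,
    "financial_data": DataClass.SENSITIVE,
    "political_opinion": DataClass.SENSITIVE,
    "first_name": DataClass.PRIVATE,
    "last_name": DataClass.PRIVATE,
    "date_of_birth": DataClass.PRIVATE,
    "drivers_license": DataClass.PRIVATE,
    "medicare_number": DataClass.PRIVATE,
    "plan_name": DataClass.PUBLIC,
}

# Highest class each role may read in clear text (hypothetical roles).
ROLE_CLEARANCE = {
    "marketing": DataClass.PUBLIC,
    "support_agent": DataClass.PRIVATE,
    "fraud_analyst": DataClass.SENSITIVE,
}

REDACTED = "[REDACTED]"

# Constructed record; every value is invented for this example.
SAMPLE = {
    "first_name": "Alex",
    "date_of_birth": "1990-04-12",
    "medicare_number": "0000 00000 0",
    "financial_data": "card ending 0000",
    "login_password": "<stored hash>",
    "plan_name": "Prepaid 30",
    "loyalty_notes": "called twice in May",  # not in the register
}


def classify(field):
    """Return the class of a field; unregistered fields fail closed."""
    return REGISTER.get(field, DataClass.CONFIDENTIAL)


def highest_class(record):
    """A record is stored and transmitted at the level of its most
    sensitive field (assumption of this example)."""
    return max((classify(field) for field in record), default=DataClass.PUBLIC)


def view_for(role, record):
    """Build the copy of `record` that `role` is allowed to see.

    Returns (view, unregistered). `unregistered` lists the fields that have
    no register entry and still need to be classified by the data owner.
    """
    clearance = ROLE_CLEARANCE.get(role, DataClass.PUBLIC)  # unknown role: lowest
    view, unregistered = {}, []
    for field, value in record.items():
        if field not in REGISTER:
            unregistered.append(field)
        level = classify(field)
        if level == DataClass.CONFIDENTIAL:
            continue  # shared only between the user and the organization
        view[field] = value if level <= clearance else REDACTED
    return view, sorted(unregistered)
```

Treating an unregistered field as confidential means a newly added column stays hidden until someone classifies it, instead of leaking by default.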

Rights and Responsibilities in information handling

For personal information to be handled securely and to a high standard, everyone associated with personal data has a number of responsibilities toward its management. After analyzing the flow of personal data during its transaction, we distinguished the parties that play a role, which are as follows:

  • Individuals

Under the Australian Privacy Act [2], individuals are given control over the way their information is handled by organizations, which gives them the power to monitor how their information is being used. The Act states that:

  • As an individual, you have the right to know why your personal information is being collected, how it will be used and to which entity it will be disclosed
  • You have the flexibility to not identify yourself, or to use a pseudonym, when necessary
  • You have the right to access your personal information and modify it when necessary
  • You also have the right to report any agency that handles personal data if it misuses it.

Regarding responsibilities, after research I came to the conclusion that individuals have the responsibility to control the type of data they disclose or share with either organizations or the public, to avoid any sort of risk to their information.

  • Organizations and Government agencies

When it comes to responsibilities, organizations that handle personal data bear the major responsibility for the security of personal information. They need to establish and apply security from the ground up, from the moment they start collecting personal data, and secure data at rest, in transit and at disposal.

The Australian Privacy Act states that all government agencies, and organizations with an annual turnover of more than $3 million, have responsibilities under the Privacy Act.

Security measures and mechanisms to use in personal information handling

The following mechanisms are proposed for managing personal data:

  • Entities can put in place additional controls to protect their customers against identity theft
  • Organizations need to review the security controls that were in place at the time of a data breach and improve them to protect against future breaches
  • The government needs to put in place a centralized approach to provide enough expertise in handling data breaches
  • All businesses need to make sure they have the right protection in place for users’ personal information
  • Organizations need to elaborate strong privacy policies and notices
  • From the legal perspective, it is recommended that the government place a positive obligation on all organizations on how to handle personal data in a reasonable way, depending on the sensitivity level of the data and the risk attached to it

Proposed Security framework on handling personal information

  • When collecting information, organizations need to focus on getting only the information they need. This helps avoid the risk related to data at rest: data sitting unused in disk storage or a database can be vulnerable to loss or exploitation, because unused data does not benefit from the security updates and latest frameworks applied to active data.
  • Classify personal information according to its level of sensitivity, such as highly sensitive, medium, private and public. This allows better implementation of security and access-control levels for personal information.
  • Perform a risk assessment for each data classification: define the sensitivity level of the data, analyze all the risks associated with it, determine how vulnerable that type of information is, and determine the possible threats and attacks attached to it.
  • Find all possible solutions to the risks raised for each type of data.
  • Develop security controls accordingly, both technical and administrative.
  • Develop policies that protect both this framework and the data handling procedure from being violated.
  • Apply encryption to personal information, whether the data is at rest or in transit.
  • Develop an awareness program for users and employees so that they have enough knowledge about the system, the risks attached to personal information, privacy concerns, the types of attack, and how to protect both individuals and the organization from these attacks.
  • Develop a notification channel for when a data breach or security event happens.
  • Develop an incident response plan to make sure the data is taken good care of in case of a data breach.
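
The first two steps of the framework above (collect only what is needed, then classify by sensitivity so that access control can follow the classification), sketched as an added example that is not part of the original report. The field names, tier assignments, purposes, roles and the ranking of the four levels are assumptions made for illustration.

```python
from enum import IntEnum

class Tier(IntEnum):  # the report's four levels; this ranking is an assumption
    PUBLIC = 0
    PRIVATE = 1
    MEDIUM = 2
    HIGHLY_SENSITIVE = 3

# Step 2: classification of each known field (assumed mapping).
FIELD_TIER = {
    "display_name": Tier.PUBLIC,
    "email": Tier.PRIVATE,
    "date_of_birth": Tier.MEDIUM,
    "passport_number": Tier.HIGHLY_SENSITIVE,
    "medicare_number": Tier.HIGHLY_SENSITIVE,
}

# Step 1: the fields each collection purpose actually needs (assumed).
PURPOSE_FIELDS = {
    "newsletter": {"display_name", "email"},
    "identity_check": {"display_name", "date_of_birth", "passport_number"},
}

# Access-control level granted to each role (assumed).
ROLE_CLEARANCE = {"support": Tier.PRIVATE, "kyc_officer": Tier.HIGHLY_SENSITIVE}

def tier_of(field):
    # Fail closed: an unclassified field is handled as highly sensitive.
    return FIELD_TIER.get(field, Tier.HIGHLY_SENSITIVE)

def minimise(submitted, purpose):
    """Keep only the fields the purpose needs; report what was discarded."""
    needed = PURPOSE_FIELDS[purpose]
    kept = {k: v for k, v in submitted.items() if k in needed}
    return kept, sorted(set(submitted) - needed)

def record_tier(record):
    """A stored record is as sensitive as its most sensitive field."""
    return max((tier_of(f) for f in record), default=Tier.PUBLIC)

def view_for(record, role):
    """Fields a role may read; an unknown role sees public data only."""
    clearance = ROLE_CLEARANCE.get(role, Tier.PUBLIC)
    return {k: v for k, v in record.items() if tier_of(k) <= clearance}

# Constructed sample submission (placeholder values, not real data).
SAMPLE = {"display_name": "A. Example", "email": "a@example.org",
          "date_of_birth": "1990-01-01", "passport_number": "X0000000",
          "medicare_number": "0000 00000 0", "favourite_colour": "green"}
```

Dropping fields at collection time lowers the tier of what ends up stored: the same submission is kept at the private level for the newsletter purpose but at the highly sensitive level for the identity check.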

Research questions / Methodology

Research questions

Personal information handling is the most critical task that both organizations and individuals have, due to the trend of cyber-criminality and attacks emerging today.

The following key research questions are assessed throughout the project, as personal information has become the subject of cyber-criminal attacks:

  • Investigate how personal information is being handled by organizations and individuals, and find the best way to handle personal data
  • Assess the privacy concerns and their effect on personal information disclosure and protection
  • Evaluate the responsibilities of individuals, organizations and government in the protection of personal information
  • How personal information is being exploited for cyber-crime, and the mechanisms to protect against exploitation
  • Investigate how personal information is being classified and prioritized
  • Research the types of attack that can be used to exploit personal information
  • What security measures and mechanisms are to be used in personal information handling

Research Methodology

The method primarily used in this research is a literature review and conceptual modelling. I collect and analyse data from various sources, including interviewing people and discussing the issues with practitioners in industries that collect, store and process personal information, such as hospitals and banks. Other sources include reading journals and books related to personal information, getting different views from people, and consulting the government website to understand the laws and privacy regulations that apply to the handling of personal data.

Steps to undertake the research

In the first step, the study will review the types of personal information and how they are classified according to the level of access and security. Based on this analysis, protection and prevention mechanisms will be developed to ensure the security of information. According to [7], the minimum level of protection when performing activities needs to be outlined based on the classification of the information handled.

In the following stage of the research, existing literature will be reviewed on how personal information is being handled and on the security measures taken into consideration when sharing information between organizations. This will make it possible to find gaps in existing studies and to elaborate the best methods to take into account when sharing information.

Then we will analyze the existing studies on how personal information is exploited by cyber criminals through various forms of attack, and draw the relationship with organizations. This will help determine and demonstrate how modern technology facilitates the trend of cyber-attack through different platforms such as social media platforms [8].

Next, the study will review the privacy concerns regarding personal information, evaluate which entities are covered by the Privacy Act, find the risks, and provide techniques to securely disclose and share personal information.

Once the privacy of information is understood and all other information has been collected and reviewed, responsibilities for handling personal information will be outlined according to the status level of every entity responsible for collecting, storing and processing personal information, including individuals. According to [2], the Privacy Act stipulates how individuals’ personal information needs to be handled by organizations covered by the Act; it also gives individuals great control over the way their personal information is handled.

Introduction

Various studies and approaches have been proposed to solve the problems of personal information security and privacy. In most cases, such as filling in online registration forms, browsing the internet, posting on social media, responding to online surveys, and making online payments and purchases, the individual’s personal identity and sensitive information are shared directly with these entities during the transaction. The organizations that provide these technologies and process individuals’ personal information have struggled to assure the security of individual identity and to balance privacy, due to the trend of cyber-attacks using high technology. Because the security of personal information and privacy is still the major concern for many individuals and organizations, the government has focused on the responsibilities of companies that collect personal information, but not on determining their liability for misusing that personal information. This raises the ethical issue of being able to collect personal data while having difficulty protecting it. Consider the recent Optus data breach of 22 September 2022, in which customers’ personal information was compromised and disclosed, including driver’s licenses, Medicare card information, names, dates of birth and passport numbers. The Australian government has provided a guide for customers impacted by the breach [1].

What makes it difficult is the concept of privacy that each individual holds, because different people consider different things private and sensitive [2].

In this study, personal information handling is not limited to organizations and government agencies but extends to individuals, given the capabilities of technology. [3] argue that sharing personal information among organizations is very challenging under the current situation, as it raises privacy concerns.

With the advancement of technology and platforms, individuals are forced to deliberately disclose personal information in different forms. This raises an important concern for personal privacy and the liberties of society. These concerns are increasing with the development and improvement of technology capabilities such as geolocation integrated in smart devices and the metadata attached to a photo when it is taken, which reveals the individual’s location and exposes the individual to cyber-attack. [4] demonstrates the importance of conducting more research on information privacy in areas where personal information security is concerned.

In reviewing the personal information security literature, it appears that information security is linked with information privacy. Maintaining the privacy and the security of information are similar concepts, but they differ in usage where information is transacted online, which requires more security to build a sense of privacy [5].

Some recent research studies state that, in a connected world, the privacy of personal information is no longer under individuals’ control and is left with the organizations that hold and process the information [6].

This study aims to address the emerging issues and challenges around personal information handling. The paper intends to understand and discuss the different factors involved in the sharing of personal information among organizations and individuals. We will then discuss the privacy of personal information in the context of information management and the consequences that may affect our lives when information is disclosed. Finally, we will address the gaps in the existing literature and propose techniques to help better manage personal information.

Abstract / Objectives

Security issues in Personal Information Handling

Mr. Mubalama.B.R

Abstract – Personal information handling has become a major concern in the digital world due to the amount of personal information being transmitted and shared between organizations and individuals, and the personal data being collected through online platforms day by day. In this paper, the research about personal information handling is not limited to organizations and government agencies but also covers the importance of securing our personal data individually. This research will bring great convenience to both individuals and organizations and raise efficiency in the way personal data is managed, because it requires an extensive and clear understanding of its implication in cyber-crime. Security mechanisms and techniques for handling sensitive information are proposed in this paper. An assessment of responsibilities among individuals and organizations is also provided, along with a demonstration of how personal information is classified according to its level of disclosure. Furthermore, we assess the specific privacy concerns in relation to personal information. Through this, both individuals and organizations can securely manage information concerns and data associated with individuals.

Keywords – cyber-crime, cyber security, information security, personal information, information privacy, data handling, data protection, data classification, confidentiality, information risk, information vulnerability, threat in information.

Objectives

The purpose of this research is to cover the differences or gaps found in the existing literature by exploring the existing mechanisms for handling individuals’ personal information in organizations. In particular, this research paper investigates the link between personal information handling, personal information privacy, information disclosure, organization versus individual responsibilities, attacks on personal information, user awareness, and security concerns in personal information management. This relationship will demonstrate the difference from existing studies with regard to handling information from the organization level to individuals.

The results of this research will be valuable to both organizations and individuals directly affected by the management of personal information, and will help design best practices to ensure all sensitive personal information is handled in an ethical manner.
