Several recent data breach incidents reported to us provide examples of how letting it go may not be as liberating as hoped. Using Software as a service (or SaaS) offerings makes sense for many organisations. Like Elsa in Frozen, you may feel like you are casting off the burden of an obligation. But as Elsa found out, there may also be impacts on others that you did not realise might occur.

But first, what is SaaS? It is a way of delivering centrally hosted applications to clients over the internet. SaaS applications are sometimes called web-based software, on-demand software, or hosted software - and it can come with risks.

Hacked

Out of the 17 data breach incidents involving hacking reported to us last year, eight of those resulted from third-party systems (generally SaaS providers) being hacked.

One of the third-party service systems breached was PageUp, a platform that handles online service job applications. Several New Zealand based organisations reported to us that their job applicants might have been affected. Six months later, PageUp report that the independent forensic examination found no evidence that people’s information had been taken.

If you decide to use a third-party service to handle personal information, you remain responsible for protecting that information. This responsibility should not stop you from using third-party services. You simply need to assess the risks and make sure you deal with them appropriately.

Ticketmaster

This can be complex if your third-party provider also combines services from other providers to provide their service – as Ticketmaster in Britain found out. Ticketmaster had to deal with a large breach caused by software brought in by Ticketmaster’s service provider. Many New Zealanders who had used Ticketmaster had their credit cards replaced and some had to have fraudulent transactions reversed.

Choose the right options

You need to ensure you choose the configuration options available with the service to make it as secure as practicable. For example, in the case of PageUp, we are told that customers could set maximum periods for how long applicants’ details remain in the system. The sooner the service deletes the applications that you do not want, the fewer individuals’ personal data you are responsible for. Getting rid of information you no longer need is the common sense underlying information privacy principle 9 in the Privacy Act – agencies should not keep personal information for longer than necessary. If you no longer need it, get rid of it.

You also need to make sure that the contract you sign requires the service provider to promptly report any problems to you. You need to hear about any data breaches, promptly and in sufficient detail, so you can meet your obligations to the individuals affected. You are holding their information and, while you do so, you are responsible for keeping that information secure. This is the logic underlying principle 5 of the Privacy Act which relates to the storage and security of personal information.

You can indeed “let it go” - but remember, you are responsible for the impacts your choices have on others.


Article provided from the Privacy Commissioner.