The perennial threat to privacy is increasing every day with technological advances. Businesses are beginning to appreciate the potential risks associated with the use of commercial photocopy machines and multi-function devices with the capability of retaining digital files of material on internal hard drives. Such intelligent electronic devices pose significant privacy and security risks if not addressed.
Such devices provide repositories of data consisting of thousands of pages of sensitive personal and financial data which can remain on photocopy machines bought and sold by businesses. They represent easy targets for identity thieves and cybercriminals in search of data to retrieve and use for nefarious purposes, with possible legal ramifications and reputational and public relations calamities for businesses.
Businesses are being educated about the privacy risks associated with photocopiers, whilst photocopier manufacturers and resellers are becoming aware of the need to provide machines with options for secure copying of information. There is a case for ensuring that all photocopiers are designed to automatically erase all copies of scanned files from their hard drives, and that the hard drives of non-erasing copiers are wiped clean before the copiers are re-sold, a feat which can be accomplished using software programs that can digitally erase the hard drive.
Privacy regulators have turned their attention to the legal issues associated with photocopiers due to information privacy principles and laws regulating the handling of personal information. Agencies and organisations involved in gathering personal information are subject to various data handling obligations under privacy legislation in Australia.
Agencies and businesses using digital photocopiers and multi-function printers and devices which save and store scanned images created in the process of making copies, scanning documents, emailing or sending faxes are at risk of breaching their legal obligations.
Such devices could also cause employee discord and a range of risks in the workplace, as savvy workers no longer necessarily have to hack into computers to discover confidential reports of various kinds, ranging from trade secrets, to what their colleagues are earning or what expenses their bosses claimed or assets they own. People sometimes forget that intelligent multi-function devices are computers, potentially containing phone numbers, fax numbers and email addresses.
The risks are magnified where photocopiers are not linked to a secure network, so that activity may be viewed and tracked online. The problem is attributable to a lack of awareness about technology and a failure to appreciate that photocopiers are storage devices of information. There is a flawed assumption that when electronics are retired the data perishes instead of living on, not just on computer and server hard drives, but across a much broader range of devices like printers, copiers, scanners, faxes, PDAs, mobile phones and network equipment like routers.
In Australia, the Office of the Information Commissioner has recently released a Privacy Fact Sheet titled ‘Digital photocopiers: inadvertent collection and storage of personal information’ to assist with compliance with obligations under the Privacy Act 1988 (Cth) in relation to the use of digital photocopiers and multi-function printers.
The fact sheet contains suggestions and strategies to assist businesses and agencies, and offers guidance on network security and the common issues which arise in the use of such devices.