Understanding Risks of Sharing Personal Information Online
Staff should be aware of online privacy risks and use settings to control who sees their personal info.
Plain language
This control is about protecting your personal information online. If people don’t understand the risks of sharing too much personal data, they could experience identity theft, financial loss or even harm to their reputation. By using privacy settings, you can control who sees your information, reducing these risks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information.
Why it matters
Posting personal details publicly can enable identity theft, targeted phishing, financial loss and reputational harm to staff and the organisation.
Operational notes
Brief personnel on risks of posting personal details (e.g., DOB, address, travel) and require use of platform privacy settings to limit who can view profiles.
Implementation tips
- HR should conduct a training session: Organise a workshop for staff to explain the dangers of posting personal details online, like on social media or professional networking sites. Use real-world examples to show how personal data has been misused in the past.
- IT should configure default privacy settings: Check and set privacy settings on commonly used platforms to restrict access to personal information by default. Provide step-by-step guides or visual resources to assist employees in adjusting their own settings.
- Managers should lead by example: Encourage leaders to regularly review their own online presence and share tips with their teams on how they safeguard their personal information online. This could include regular checks of social media privacy settings and removing outdated posts.
- The communications team should develop guidelines: Create easy-to-understand guidelines about what types of personal information should not be shared on the internet. Distribute these guidelines via email and incorporate them into the employee handbook.
- System owners should monitor online services for breaches: Keep an eye on platforms where personal data is shared for any signs of unauthorised access or leaks. Use alerts or notifications if the service offers them to detect any suspicious activity quickly.
Audit / evidence tips
- Ask for: the training attendance records. Ensure records show that all staff have attended a privacy awareness session recently.
  Good: up-to-date records showing everyone has participated and engaged with the material.
- Good: a checklist that covers multiple platforms with current settings options.
- Ask for: the online posting guidelines. Check that there is a clear policy on what personal information should not be posted online. Ensure these guidelines are accessible to all employees and have been reviewed in the last year.
  Good: clear, specific instructions aligned with online best practices.
- Good: consistent and targeted messaging.
- Ask for: reports on online monitoring activities. Check reports summarising any findings or incidents related to staff's personal data being shared online.
  Good: thorough, dated reports showing proactive issue management.
Cross-framework mappings
How ISM-0821 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 5.34 | Annex A 5.34 requires the organisation to meet privacy and PII requirements, including preventing inappropriate disclosure |
| Related | Annex A 6.3 | Annex A 6.3 requires role-relevant information security awareness and regular updates to policies and procedures |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.