"To get it right you will need to [discuss it] with people across the organization, including HR and marketing," said Johnston, who is also a director of privacy consulting at Salinger & Co. "Most breaches of privacy and security come from your own staff. The most secure technology can't protect you from lazy, accident-prone, or corrupt staff."

No longer surprised at how many people write passwords on post-it notes, Johnston cited one case where an executive would shout out to a secretary "what's my username and password" and the secretary, in an open-plan office would shout it back.

"If you're in charge of data security in your organization you should be very afraid of your most helpful staff," she said, adding her favorite story is of a police officer who accidentally left DNA evidence on a train on the way to a hearing and as a result the charges were dropped.

"There is no technology system that can compensate for human frailties. You need good people and data protection must encompass hard copies of data."

Rather than telling employees you need to prove their identity because of terrorists or the Privacy Act, Johnston recommends being open with staff about what the information will be used for.