Privacy is fundamental to our existence. But how do we best protect it in today’s digital world? Digital Balance is proud to support Privacy Awareness Week (PAW). This year, the Office of the Australian Information Commissioner is asking Australian businesses to get back to basics.
For businesses, protecting the privacy of people’s personal information is fundamental. Here are ten tips that businesses and other organisations can apply to keep personal information safe.
1. Know your obligations
There is no better time than now to make sure your organisation is getting privacy right.
It’s important to understand your business’ obligations under the Privacy Act, and ensure you consider privacy as your business, or your business systems or practices, evolve.
And don’t just “tick the boxes”. Anticipate how your customers and the wider community expect you to handle their personal information and respond to their needs and concerns.
Privacy is integral to building and maintaining the community’s trust in your organisation’s handling of their personal information.
Make sure you have a privacy management plan in place, to help embed a culture of privacy and establish robust privacy practices.
2. Have a privacy plan
A privacy management plan template can help you assess your privacy practices and set appropriate privacy goals and targets.
A good privacy management plan helps ensure that your organisation is meeting its requirements under the Privacy Act. And if you’re not covered by the Act, it will help you ensure best practice in privacy, and meet community expectations.
3. Appoint privacy champions
A strong privacy culture comes from the top, so assign a senior staff member with overall responsibility for privacy.
Also appoint staff responsible for managing privacy day-to-day, including handling internal and external privacy enquiries, complaints, and access and correction requests.
Good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information.
Implementing reporting mechanisms that ensure senior managers are routinely informed about privacy issues will also help your organisation keep its eye on privacy and respond promptly when there’s an issue.
4. Assess privacy risks
Assess privacy risks early. Undertake a privacy impact assessment for projects that involve new information handling practices, such as new technologies.
A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.
To be effective, a privacy impact assessment should be an integral part of the project planning process.
Privacy impact assessments can help facilitate a privacy-by-design approach, identify better privacy practices, and help ensure compliance with the Privacy Act.
5. Only collect or keep what you need
Over-collection of personal information increases your risk in the event of a data breach.
Holding onto personal information you don’t need can also undermine customer trust.
It’s more effective and efficient to manage privacy risks proactively.
Minimise privacy risks by reviewing your products, services, and internal systems and processes to ensure that you’re only collecting the personal information you need.
In other words, only collect personal information that is reasonably necessary to carry out your functions and activities.
Equally importantly, ensure that information that is no longer needed is destroyed or de-identified. If information is not collected, or is not stored, it cannot be mishandled.
A ‘privacy by design’ approach helps to ensure you get privacy right and build good privacy practices into what you do.
6. Secure personal information
Ensure secure systems are in place to protect personal information from misuse, loss and unauthorised access and disclosure.
Personal information security is about more than just ensuring compliance with the requirements of the Privacy Act.
If you mishandle the personal information of your customers, it can cause a financial or reputational loss to both the customer and your business, and have a serious impact on your business-as-usual activities.
Effective information security can also make your business more efficient and help you meet requirements for handling commercially confidential information.
7. Simplify your privacy policy
Australians are more likely to trust your website or service if they have read your privacy policy, but less than a third of us read them because they’re too long and complex.
Make sure yours is written in plain language and includes a summary.
Don’t treat the privacy policy as a legal document to manage legal risk. It should be a document that creates trust in your entity and speaks to your customers or clients. Make it specific to your business or organisation.
And importantly, remember to include information about how individuals can contact you about privacy matters.
8. Train your staff
Clearly outline how staff are expected to handle personal information in their everyday duties, not just in terms of general principles. Make it real, and relevant.
Integrate privacy into your induction and regular staff training programs – including for short-term staff, service providers and contractors.
Conduct regular refreshers and ensure your whole team is aware of their privacy and security obligations.
Also, make sure your staff have all the information they need to protect their own privacy at work.
The OAIC has a number of training resources to help organisations develop or improve their privacy training programs.
9. Prepare for data breaches
Have a clear and practical data breach response plan at hand so staff know what to do if there is a data breach. A quick response is critical to effectively managing a breach.
Your data breach response plan should outline your entity’s strategy for containing, assessing, and managing the incident from start to finish.
It can help you meet your obligations under the Privacy Act, limit the consequences of the breach, and preserve and build public trust.
You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take.
Treat all suspected data breaches seriously – it’s always best to be cautious.
10. Review your practices
Good privacy management means being proactive and anticipating future challenges.
By continually improving your privacy processes, you will ensure you are responsive to new privacy issues and that implementation will not be a burden.
Review your privacy practices and policy regularly. Make sure they meet community expectations, comply with the law, remain relevant to current practices, and address new risks.
Privacy law reform is on the way, so making sure your privacy practices are up to scratch now will make any further improvements required easier.
Additional steps you can take
As more information becomes available regarding the changing privacy legislation in Australia, Digital Balance will keep providing updates.
To ensure compliance with the upcoming changes in privacy laws, it is essential for companies to prepare a consent mechanism on their websites. If you haven’t done this yet, Digital Balance can assist you in exploring options from our partners such as Ensighten, OneTrust, Tealium, and other vendors, and help you with the implementation process.
While we cannot provide legal advice, we can assess the potential impact of your policies on data collection for analytics and marketing purposes. Contact us and a member of our team will be in touch.