By Alec Christie, Partner and James Wong, Associate
Mills Oakley is a proud supporter of this year’s Privacy Awareness Week (PAW). For individuals, PAW is about sharing information and practical tips that empower them to take control of their personal information. For organisations, it is a reminder to check privacy controls and systems to ensure that you are doing your part to handle personal information in accordance with—not only legal obligations—best practice and community expectations.
This PAW we want to encourage your organisation or agency to consider the following three questions:
1. Are your privacy controls fit for your business today?
We operate in a dynamic, fast-moving digital business environment. Gone are the days when an organisation could assess risks, implement controls then ‘set and forget’ for a few years. In this digital age privacy controls need to be constantly assessed, re-assessed and tweaked to ensure they remain fit-for-purpose and aligned to the risks you face today, tomorrow and every day after that.
A privacy and security review (which can be performed as part of your internal audit program) is an incredibly powerful tool to determine the current privacy and information security compliance of your organisation or agency. Its purpose is to methodically examine your organisation’s activities (as they relate to personal information), compare them to privacy law obligations and ‘best practice’ and create a visual diagnostic that highlights those areas where controls are presently inadequate to manage your privacy risks.
On an ongoing basis you should conduct privacy impact assessments (PIAs) as and when appropriate (e.g. every time you integrate new technology solutions or commence new projects or initiatives). A PIA is a systematic assessment that considers how your new project will positively or adversely impact privacy compliance. It is a requirement of Australian Privacy Principle (APP) 1 that you take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. While not mandated, the Office of the Australian Information Commissioner (OAIC) expects that a PIA will be considered for all projects that involve personal information.
Privacy management goes beyond simply having the right policies and procedures. The OAIC emphasises the need to embed a culture of privacy in your organisation or agency, proactively evaluate privacy processes and seek to periodically enhance your response to privacy issues. With penalties to soon increase to the greater of $10 million and 4% of domestic annual revenue, now is a good time to consider getting your privacy compliance ‘house’ in order.
2. When did you last review your on-boarding protocols?
Many of the major privacy ‘fails’ we see originate at the very start of the ‘data lifecycle’ – that is, when you first collect personal information, whether from your customer/client or from a third party. However, if you get your privacy on-boarding protocols and processes right, you will be well on the way to compliance as regards your privacy obligations.
A common mistake is to collect a significant amount of personal details about an individual who signs up for (or registers their interest in) your products or services because ‘that’s just how it’s done’. As a consequence, many businesses collect and hold personal information that they have no lawful reason to collect and hold. APP 3.1 restricts your collection of personal information to circumstances where such collection is reasonably necessary to carry out your functions and activities. An important threshold question before getting stuck into the ‘nitty gritty’ of privacy compliance is simply this: ‘What are our functions and activities as an organisation and what is the minimum amount of personal information we require to undertake these functions and activities?’ Or, even more to the point: ‘Do we need this personal information to perform this task, request or function?’
Where you collect sensitive information (including health information), you must obtain the informed consent to such collection (and its use) from the individual.
3. When did you last review your document and data retention policies and practices?
While the majority of organisations are aware of retention period requirements for certain types of records (e.g. employment and taxation records), many organisations do not have a definitive timeline for the deletion of information. As a result, as time passes, they find themselves with expansive databases full of archived (and often out-of-date) data about their customers/clients. Not only is it expensive to hold on to such data unnecessarily, it is also very often unlawful and a data breach waiting to happen.
APP 11.2 requires deletion (or permanent de-identification) of personal information once it is no longer required for the purposes (as previously notified to the individual) for which it was collected and is not required by law to be kept in an identified form. These requirements often interact with other legal retention requirements, so some analysis is needed to ensure that all relevant legal obligations are satisfied.
With that in mind, does your organisation have a document/data retention policy, and does it actively delete or de-identify personal information in accordance with it? Do you have triggers or reminders built into your IT systems to periodically assess whether the personal information you hold needs to be deleted? If not, you are likely in breach of your privacy law obligations and adding fuel to the potential data breach fire that will inevitably come your way.
Privacy is important to us, which is why we are a PAW 2020 supporter. We trust these three questions assist you to turn your mind to better privacy practices this week. We encourage you to engage with the OAIC’s campaign and consider how you can #RebootYourPrivacy.