What did you do to celebrate Privacy Awareness Week last week? It has never been more challenging to balance privacy, data security and appropriate access to information within any business. Why is it so tough?

  • Your staff need access to business data to get on with their job, whether working remotely or in the office
  • We are collecting more data than ever before
  • People are busy, so it is easy to look for the easy (and potentially less secure) option, like having a shared password or sticking the login details to the front of your computer

The theme for last week’s privacy awareness week was Privacy 101: Back to Basics. At the risk of sounding like a broken record, protecting people’s personal information, whether it is your staff, customers, or vendors, is crucial.

And now is the perfect time to brush up on the fundamentals and do a quick business audit to ensure you meet your obligations. This brings us to step 1.

1. Do you know what your legal obligations are?

The Privacy Act was introduced in 1988 to protect people’s personal data and regulate how businesses and government organisations collect, store and share data. Just like we have evolved from using fax machines and phones that plug into the wall, the Privacy Act has evolved to suit today’s modern digital age.

Organisations have a responsibility to:

  • Notify individuals what information about them is being collected, how it will be used and who will have access to this data
  • Give people the option to not be identified
  • Provide people access to their personal information and allow them to remove themselves from unwanted direct marketing lists
  • Correct any incorrect personal data that has been collected
  • Protect people’s personal data from disclosure, unauthorised access, loss, theft, misuse, interference or modification

If they fail in these responsibilities and suffer a data breach, they could be fined up to $50 million.

2. Ensure there is a privacy plan in place

The second fundamental step in Privacy 101 is ensuring your company has a privacy management plan. Having this plan ensures that you meet the above requirements and embed a data privacy culture within your organisation.

If you don’t already have a privacy plan, the Office of the Australian Information Commissioner (OAIC) has a template to help you build one.

3. Appoint privacy champions within the team

You can’t just set and forget your responsibilities – you need to manage them on a day-to-day basis through strong privacy governance. The OAIC recommends having a senior staff member with overall accountability, staff who deal with access and enquiries daily, and regular reporting mechanisms.

4. Know the primary risks for your business

Cybersecurity is all about balance. Because any organisation has finite resources available to protect its systems and data, it is crucial to consider not only what risks exist but also the likelihood and the impact or consequence of a data breach. Plotting each risk on a likelihood-and-impact matrix helps you to prioritise your investment in data protection.

5. Secure personal information

Some people hear about data privacy and protection and think, “Ah well, I have a firewall and anti-virus protection – I’m all good.” But guess what? That is not enough!

Data protection includes:

  • Physical files – is the filing cabinet always locked and the key secured so only authorised personnel can access it? Are all documents containing personal information shredded rather than thrown in the bin?
  • Digital files – are they password protected and viewable only by the staff who need that data?
  • Password hygiene – are you using a password manager, removing users from the system when they leave, and changing shared access passwords when they do?

6. Train your staff

Now you have your privacy policy in place, you have appointed your privacy champions, and you have your password manager in place. Unfortunately, these measures are only as effective as the staff who implement them. Did you know that phishers routinely target new employees? New employees who aren’t familiar with your systems and processes and are eager to please can often be manipulated into sharing payment information, purchasing electronic gift cards, or clicking on a phony link.

The business is responsible for ensuring that team members are fully trained to recognise the signs of a spoofed email address, phishing attack, and other cybersecurity red flags.

7. Prepare for a breach

Even with all of these measures in place, there is still a chance that your company’s system will be breached. So, you need to be forearmed with a plan. We have put together a handy form, Build a Data Response Plan, that can help you build your own data response plan in just a few easy steps.

8. Review regularly

Our final piece of advice is to review your plan regularly. Malicious threat actors work full-time to develop new ways to infiltrate companies and steal their data, so your privacy policies can’t just gather dust on a shelf. Instead, they need to be well-thumbed documents which are continually updated and reviewed as the business landscape changes.

For more tips and some fun data privacy quizzes, check out the 2023 Privacy Awareness Week website: https://education.oaic.gov.au/paw2023/for-business/#course-tips