
How are your privacy processes stacking up?

Auditing your business for privacy compliance

Are your customers happy about how you are handling their personal information? Do you collect only the information you need to deliver your service, and only use it for the purposes it was provided? Possibly not, according to the Office of the Australian Information Commissioner (OAIC), which has been reminding organisations to make privacy a priority.

While most organisations are aware they need a privacy policy, and most have a document in place, there’s still a disconnect between organisations and their customers when it comes to the way personal information is handled.

The 2020 Australian Community Attitudes to Privacy Survey (ACAPS), conducted at the end of last year, found that almost three in five Australians (59%) had experienced problems with the way their personal information was handled in the past 12 months. Many were concerned about organisations sending unsolicited direct marketing without consent (43%), and another significant concern was organisations collecting personal information that was not required to deliver the service.

Privacy is about trust, more than simply a legal issue

Certain organisations must comply with Australian privacy legislation. These include government entities, organisations that provide health services, organisations that sell or purchase personal information, and other businesses with a turnover greater than $3 million.

However, even if your organisation is not covered by the Privacy Act, as the ACAPS survey indicates, managing your customers’ information appropriately is a matter of trust. Customers are voting with their feet when they believe their personal information is not being respected. The ACAPS survey also reported that three-quarters of Australians say they will take action to protect their privacy. Many say they have deleted apps or changed providers. Customers will also check privacy settings on a website before they provide personal information to a business. As some large corporations have discovered recently, customers will also complain if they feel they are being spammed.

A disconnect between privacy policy and processes

Do all your processes work effectively to keep customer information secure? If you’re not entirely sure, you are probably not alone. One of the main problems we see with our small and medium enterprise (SME) clients is the disconnect between the privacy policy and the processes in place. Employees broadly understand they have privacy obligations and that there is a privacy policy, but the day-to-day processes they follow are not always designed to meet those obligations.

Privacy in the real world: employees do make mistakes

The OAIC’s Notifiable Data Breaches report routinely identifies human error as a significant cause of data breaches. The most recent report (January 2021) noted an increase in both the number and the proportion (38%) of breaches attributable to human error. A significant number of malicious attacks also succeed because of an element of human error, for example clicking on a link in a phishing email or falling for a scammer impersonating a government authority.

The pandemic effect

Processes can also be prone to failure when people are under pressure or when businesses need to adapt quickly to changing circumstances such as natural disasters, economic stresses, or health emergencies. Privacy processes may assume, for example, that personal information will only ever be held securely in a central location such as head office. They may not fit a situation where staff suddenly need to start working from home or conducting business remotely, and access customer information on mobile devices, over Zoom, or from their kitchen tables, which all adds to the likelihood of an inadvertent breach.

Auditing and designing processes for privacy

Privacy agencies increasingly call for organisations to make privacy processes more robust by implementing ‘privacy by design’. Or to put it another way, design processes with privacy in mind first. Don’t think about how you would keep personal information secure only after you’ve set up the workflow for capturing it, using it and storing it.

Privacy processes should allow for the likelihood a laptop may be lost, a password hacked, or an email address typed incorrectly.

They should consider the possibility your business may need to scramble to get up and running again in an emergency, when checking the privacy policy may not be the first thing on everyone’s minds.

Before you add a field for phone number or date of birth into your form just in case you need it later, think about whether you actually need that information and what you are going to do with it.

Consider things like office layout and design, so that clients in your reception area cannot see or overhear other clients’ information while they are waiting.

Make sure every part of your business starts from the position that you only capture personal information you need, only access it when needed for the purpose for which it was collected, and that you think about how that information will be kept securely and destroyed when it is no longer needed.

One of the best ways to check what’s going on in your organisation is to conduct a privacy audit. The OAIC’s privacy impact assessment checklist includes a useful list of issues to think about.
