We live in a world of cyber security threats: hackers breaching organisational firewalls, Wikileaks publishing private state documents, and employers tracking cyber activity for productivity's sake. Privacy, in relation to digital data, is a hazy topic.
The internet alone is increasingly being used as a medium to collect information for consumer profiling. According to Nielsen’s 2013 Australian Online Consumer report, 17.2 million Australians accessed the internet in the month of July and spent an average of 38 hours online across 60 sessions.
As more and more Australians surf the internet, check their mail, shop online, apply for jobs, or simply socialise with friends, they are leaving a trail of digital data that for some people is a gold mine. This includes email services like Gmail, file storage services like Dropbox, photo galleries like Flickr, and the list goes on. And this is not just on PCs: laptops, smart phones, tablets, and televisions with internet capability all leave a cyber-trail.
When March 2014 arrives, easy access to digital data will no longer be the norm. Australia is about to get tougher on its privacy laws: effective March 2014, the 2012 Privacy Amendment Act will require that all Australian organisations, regardless of size and industry, implement open and transparent policies for managing personal data. This may seem simple, but it opens a crevasse of questions: how did you obtain this person's contact details? Were you transparent in your original approach? How are you storing these details? What is the purpose of collecting personal details? Are you sharing them within your organisation or more broadly?
These questions relate not only to your employees, but to everyone your organisation interacts with: stakeholders, customers, past employees, marketing databases... and the list goes on.
With the clock ticking, there is less than a year remaining until privacy is changed forever. Yet the implications of privacy are rarely discussed. The question is: are businesses prepared? The answer is, more likely than not, no. If personal data is not adequately handled, organisations may be liable and can face fines of up to $1.7 million for an organisation and $370,000 for an individual.
As the generation of digital data continues to grow exponentially, it provides challenges for corporates to correctly manage, store and secure it. The pressure is on and the onus is on all companies to evaluate:
- Who 'owns' the privacy realm within their organisation?
- Whether they have the necessary approvals to use third-party data?
Achieving data privacy is a challenge for all organisations and the amount of work that needs to be done should not be underestimated. There is no time like the present to consider how to manage the risk involved: what is lacking, what policies need to be put in place, and what needs to change.
1) Conduct a privacy audit
Organisations need to implement a privacy audit which evaluates the type of sensitive information held by the organisation. This sensitive information can include employees' personal details such as their tax file number or Medicare number. The audit should also establish whether you have the right to audit and access the information, and whether it is returned in a timely manner when an agreement ends. Analyse each aspect of this process, which includes the collection, retention, use, and disclosure of personal information, and determine risk levels. In cases where an organisation uses a cloud provider, it is important to understand who the stakeholders are, what their roles and responsibilities include, and where data is located and replicated.
Ask yourself: is third party data simply stored or is it being mined for advertising and marketing purposes?
2) Data protection and privacy impact strategy
Ask yourself: what happens in the event of a data breach?
3) Create privacy policies and procedures
Develop policies and procedures that clearly state the importance of protecting sensitive information stored in-house or in the cloud and that comply with the requirements of the Australian Privacy Principles (APPs). An organisation needs to take measurable steps to protect the personal information it holds from misuse. This includes mechanisms to protect and manage the information, including disaster recovery processes to protect against data loss. An organisation's legal advisor needs to fully understand the nature of both the cloud and privacy requirements and should be able to tailor the legal protections in your agreement.
Ask yourself: what are the privacy policies that your organisation needs? Understand your key areas of weakness so you can develop a plan to protect data.
4) Ensure accuracy and transparency of all personal information held
Personal information collected by an organisation needs to be accurate, complete, and up to date. Customers should be able to access their information and make corrections if required. For instance, if an organisation holds a database which records the phone number and address of its customers, a process needs to be put in place which allows customers to change or update their details.
Ask yourself: when was the last time you updated your customer database?
5) Appoint a policy officer and train employees to mitigate security risks
Monitoring employees to ensure that privacy policies are applied will be very hard to manage on a daily basis. Transferring knowledge to your employees will identify weaknesses and help mitigate security risks. This is no simple task. Look at appointing a policy officer who trains employees and regularly monitors content and activity to prevent any violation.
Ask yourself: is it worthwhile hiring a policy officer to ensure that a breach does not occur?
But this is just the beginning. Let’s throw a spanner in the works.
Consider all of the above in the context of data stored in the cloud. The list of considerations and concerns grows much longer. There are different approaches to how privacy is interpreted when it comes to data stored in the cloud space. The following is a general starting point, but not specific advice, as individual circumstances vary and need to be looked at in more detail.
- The Infrastructure as a Service (IaaS) model, where the service provider is responsible for housing customer information and is not involved in any handling or processing of personal information. In this case all privacy obligations rest with the customer.
- The Software as a Service (SaaS) model, where the service provider is responsible for and plays an active role in handling and managing customers' personal information. In such cases, the service provider needs to obtain consent from the customer to hold and/or use this information.
- The Platform as a Service (PaaS) model, where the service provider delivers tools to enable customers to deploy applications. This service delivery model means that customers need to use best practices and privacy-friendly tools.
Privacy remains a critical component for Australians doing business or simply engaging online. We are entering a challenging new era as tougher privacy laws come into effect. While some Australian companies have already laid the groundwork, others have simply turned a blind eye.
Business owners who want to mitigate risks without sacrificing their ability to do business need to start addressing where they currently stand in relation to digital privacy. Assessing the business structure now will identify strengths and weaknesses, and set the wheels in motion for the new privacy approach.