29 May, 2016
The privacy goalposts have moved and businesses must now manage and value information like any other asset.
Maintaining and implementing detailed processes and procedures to ensure good information management in a business not only protects a business from unauthorised disclosure of customers' personal information, but also protects a business' trade secrets, intellectual property and commercial know-how.
The effective management of information is made up of a few key parts, namely: transparent policies; strong information security systems; board and staff training and awareness; and effective breach response plans. Stick to getting these key points right, and your business will be in a better legal and regulatory compliance position and will be better placed to withstand data breaches.
What to consider?
Have an up-to-date and effective privacy policy: Your privacy policy should clearly identify how you collect, handle, use, disclose and manage personal information, the access rights your customers have to that information, and how you will handle privacy complaints. An effective policy will have effective procedures behind it – don't state in your privacy policy that you will do or are doing something unless you have a clear internal procedure in place to back that assertion up.
Applying the same policies and standards to non-personal information is a good starting point for protecting a business' other commercial information, such as trade secrets and know-how.
Collecting, Using and Disclosing Information: Consider what information you are collecting and whether you really need it. Only collect information that is reasonably necessary for your business' activities. If you collect it, you're responsible for it; so think about whether you need all of the personal information you are collecting. Remember also that some third party cloud providers you use may store information overseas, and disclosing personal information to an overseas recipient places additional obligations on your business in handling and dealing with that information.
Security: Take steps to secure the information you hold. The OAIC and the Australian Signals Directorate provide useful guidance on the steps you should take. Consider how your staff handle information – are they aware of the level of protection required for certain types of information? By law, personal information must be protected, and sensitive information (including health records) requires an additional layer of protection. Information security goes beyond your IT department, and staff should receive ongoing training and education on privacy and the management of information.
Breach Response: Data breaches are inevitable. In fact, many stem from simple human error. So, plan for them. Having an effective response plan in place is key to mitigating the harm caused by a data breach, including reputational damage, resulting customer claims, legal proceedings, and regulatory investigations. Know what to do in the event of a data breach, know who needs to respond and know who to call. Test the plan regularly, and update it if it doesn't work. With mandatory breach notification laws looming, a response plan is an essential aspect of business management. Don't be the business that gets caught off-guard.
Clyde & Co advises clients on a broad range of privacy related matters, including assisting businesses to address their legal and regulatory obligations and to prepare for and respond to data breaches. We offer fixed price privacy packages to provide certainty and to help you effectively manage your legal costs.
We are proud to be a privacy partner of the Office of the Australian Information Commissioner's (OAIC) Privacy Awareness Week, which is being held from Sunday 15 May to Saturday 21 May. The week promotes awareness and discussion with business, government agencies and the broader community on how to protect and respect the privacy rights of Australian citizens. We will be sharing a series of updates on privacy throughout the week.
For further information, please contact:
Dean Carrigan, Partner, Clyde & Co
dean.carrigan@clydeco.com