At Ash St. we were alarmed to read, recently, that more than a third of consumers had experienced privacy “issues” with Australian companies and, further, more than half of all major Australian companies examined by the Information Commissioner had failed to comply with privacy rules.
The statistics expose a poor performance on the part of businesses of all sizes (as reported by the SMH for Privacy Awareness Week, May 4-8: http://www.smh.com.au/it-pro/business-it/privacy-complaints-leap-as-companies-struggle-with-compliance-20150504-1mzcvc.html ).
Further, Information Commissioner Timothy Pilgrim is particularly concerned about the length of some privacy policies: the median length of the 20 policies he assessed was an “excessive 3413 words”, with one coming in at a “whopping 18,000 words”: http://www.itnews.com.au/News/403478,top-aussie-websites-need-to-improve-privacy-policies-pilgrim.aspx#ixzz3ZoGB4SCT
Ash St. regularly helps businesses understand, and comply with, privacy law requirements.
“It’s not as straightforward as it appears,” says Jason Dixon, Ash St Director, IT & IP. “Compliance can be challenging, especially considering that both Federal and State legislation might apply in any given circumstance. Add to that several different privacy guidelines, industry-specific requirements and OAIC decisions.”
At Ash St., we recommend these Top Five Tips for privacy compliance:
- Privacy by design: Be proactive. Privacy must be your company's default mode of operation, rather than just being based on regulatory frameworks. With changing information and communications technologies and large-scale data systems becoming a way of life, a reactive response to privacy is not enough. A proactive company will ensure its policies and procedures are visible, transparent and user-centric.
- Staff training: Staff should be trained on how to handle personal information, and that training must be regularly updated.
- Don’t over-complicate things: aim for simple, plain-English drafting.
- Bring Your Own Device (BYOD): Do your staff members really need access to personal customer information on their own devices? If so, you need measures in place to protect that data, e.g. encryption and partitioning of company data from the employee's personal data.
- Risks of outsourcing and cloud service providers: In most cases, even if you outsource the storage of personal information which your company collects and holds, you remain liable for ensuring it is protected. Do you know where that information is stored? Is it secure? Can you easily access it to correct the information if requested to do so? Can you easily destroy or de-identify it once it is no longer required?
- Consider a privacy risk assessment: It could save your business from the wrath of the OAIC, hefty fines and significant reputational damage.