The effective management of information is made up of a few key parts, namely: transparent policies; strong information security systems; board and staff training and awareness; and effective breach response plans. Stick to getting these key points right, and your business will be in a better legal and regulatory compliance position and will be better placed to withstand data breaches.

What to consider?

  1. Have an up to date and effective privacy policy: Your privacy policy should clearly identify how you collect, handle, use, disclose and manage personal information, the access rights your customers have to that information, and how you will handle privacy complaints. An effective policy will have effective procedures behind it – don't state in your privacy policy that you will do or are doing something unless you have a clear procedure in the background to back that assertion up. Applying those policies and standards to non-personal information is also a good starting point for the protection of other commercial information in a business.

  2. Collecting, Using and Disclosing Information: Consider what information you are collecting and whether you really need it. Only collect information that is reasonably necessary for your business's activities. If you collect it, you're responsible for it; so think about whether you need all of the personal information you are collecting. Remember also that some third party cloud providers you use may store information overseas, and this will place additional obligations on your business in handling and dealing with that information.

  3. Security: Take steps to secure the information you hold. The OAIC and the Australian Signals Directorate provide useful guidance on the steps you should take. Consider how your staff handle information – are they aware of the level of protection required for certain types of information? By law, personal information, sensitive information and health records require an additional layer of protection. Information security goes beyond your IT department, and staff should receive ongoing training and education on privacy and the management of information.

  4. Breach Response: Data breaches are inevitable. In fact, many stem from simple human error. So, plan for them. Having an effective response plan in place is key to mitigating the harm caused by a data breach, including reputational damage, resulting customer claims, legal proceedings and regulatory investigations. Know what to do in the event of a data breach, know who needs to respond and know who to call. Test the plan regularly, and update it if it doesn't work. With mandatory breach notification laws looming, a response plan is an essential aspect of business management. Don't be the business that gets caught off-guard.