This year the Privacy Awareness Week campaign of the Office of the Australian Information Commissioner (OAIC) is about safeguarding data as the pandemic continues to change the way we live, work and play. The Make Privacy A Priority campaign highlights data from the ACAPS survey that, while 85% of Australians have a clear understanding of why they should protect personal information, 49% of us don’t know how to go about it.
We agree with the OAIC: it’s easier and faster than you think to protect your privacy. Some of the most effective measures for protecting personal information involve little effort or time. The OAIC offers ten tips for protecting personal information at work. In this article, we share our take on these tips, based on our practical experience helping organisations to implement them.
Prioritise staff training
Staff training is consistently one of the most poorly executed aspects of privacy management in organisations today. When it comes to putting privacy principles and obligations into practice, no internal policy or amount of written guidelines can compete with a well-trained workforce. There is a range of resources available online, including an online course offered by the OAIC. However, in our experience it is far more effective to contextualise privacy awareness by giving staff space to practise applying it in their everyday work. That means going one step further than offering an off-the-shelf privacy workshop or online training module. You need to ‘do the work’ of identifying the often business-specific 20% of activities that give rise to 80% of the privacy risk for your organisation, and use applied exercises to build that issue-spotting and problem-solving muscle among your staff.
Reduce the risk of data breaches caused by human error
Human error remains the second biggest source of data breaches reported to the OAIC (when you exclude instances of phishing, which are treated in OAIC statistics as ‘malicious attacks’ rather than ‘human error’ even though both play a role), but it is one of the easiest to address. Training is half of the answer. However, there are also controls that can be implemented to reduce the likelihood of simple errors becoming very costly. The OAIC’s examples include disabling the autofill function in the ‘To:’ field of your email software and implementing a prompt or alert that warns someone before they click ‘Send’ on an email addressed to external recipients.
Other actions to consider include reducing reliance on email for routine communications (consider closed-channel platforms like Slack), adding a ‘delayed send’ on emails to provide an opportunity to recall/undo, using email software add-ons that strip hidden personal information from attachments by default (while offering the email sender an option to override this) and blocking the sending of attachments that contain certain types of data (e.g. tax file numbers).
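As an added illustration of the pre-send controls described above (our example, not code from the article or from the OAIC), here is a minimal outbound-mail gate in Python: it warns when any recipient is outside the organisation’s own domain and blocks attachments that contain checksum-valid Australian tax file numbers, so that ordinary nine-digit numbers do not trigger false positives. The internal domain, the partner address and the sample draft are constructed for the example.

```python
import re

# Constructed example: the organisation's own mail domain(s) (assumption, not from the article)
INTERNAL_DOMAINS = {"example.com.au"}

# Australian TFN check digit: the nine digits are weighted 1,4,3,7,5,8,6,9,10 and the
# weighted sum must be divisible by 11. Only the 9-digit TFN format is checked here.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
TFN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def is_valid_tfn(digits):
    """True if a 9-digit string passes the TFN checksum (cuts false positives on other numbers)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text):
    """Return the checksum-valid TFNs found in a piece of extracted attachment text."""
    candidates = ("".join(m.groups()) for m in TFN_RE.finditer(text))
    return [c for c in candidates if is_valid_tfn(c)]


def external_recipients(recipients):
    """Recipients whose mail domain is not one of ours."""
    return [a for a in recipients if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def check_outbound(recipients, attachments):
    """Pre-send gate. `attachments` maps filename -> extracted text.
    Returns ("block" | "warn" | "send", [reasons])."""
    reasons = []
    for name, text in attachments.items():
        found = find_tfns(text)
        if found:
            reasons.append(f"{name}: contains {len(found)} tax file number(s)")
    if reasons:
        return "block", reasons  # attachment carries TFNs: refuse to send at all
    ext = external_recipients(recipients)
    if ext:
        return "warn", [f"external recipient: {a}" for a in ext]  # ask the sender to confirm
    return "send", []


if __name__ == "__main__":
    # Constructed sample draft: one external recipient and a spreadsheet export holding a TFN
    draft = {"recipients": ["payroll@example.com.au", "accountant@partner-firm.example"],
             "attachments": {"staff_export.csv": "name,tfn\nJ Citizen,123 456 782\n"}}
    print(check_outbound(draft["recipients"], draft["attachments"]))
```

In practice the attachment text would come from a document-extraction step in the mail gateway; the gate itself stays the same.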
Physically protect personal information
Physical security has suffered recently due to remote-working arrangements, with laptops and printed materials being brought into communal living areas, local cafes and, particularly for many tech companies, co-working spaces (and let’s not even start on rampant free-for-all BYOD practices during the pandemic)! Organisations should consider ‘going paperless’ and ensure that staff lock devices that are not in use. Leaving phones, laptops or bags unattended in public (or in publicly accessible spaces) should be strongly discouraged – with disciplinary measures if necessary. Employee use of personal devices for work should be subject to a thorough BYOD policy, vetting and mandatory installation of security controls by IT. It sounds harsh but the privacy consequences can be much harsher.
Prepare a data breach response plan
Every organisation must have a data breach response plan by now and it should be tailored to the organisation's specific privacy risks and context. We’ve seen some pretty shocking ‘copy and paste’ jobs in recent times. Remember, a data breach response plan isn’t worth the paper it’s printed on (or its digital form if you are paperless!) if it doesn’t ease and speed up the processes of detecting, containing, assessing and, if required, notifying a data breach. You’ll quickly make back the time investment of preparing one if you: (i) identify the top 3 to 5 categories of data breach that are most likely to occur and/or cause trouble in your organisation; and (ii) do as much of the ‘thinking’ ahead of time as possible. Then, as alluded to in the ‘training’ section above, get your team to put it into action. If you do, when your next data breach occurs you’ll be in a much better position to respond in a calm, collected and compliant manner.
Put secure systems in place
APP 11 requires that you take ‘reasonable steps’ in the circumstances to protect personal information. What steps are reasonable depends on a very long list of factors. These factors are constantly changing as your organisation takes on new projects, changes its product offering, starts using a new IT system and decommissions another and as new tools and technologies are introduced to support your operations.
At the same time, the cyber threat landscape is constantly evolving, and organisations can only keep up by constantly prioritising and re-prioritising efforts to focus on the most important issues at any given time. The biggest risks to your organisation in May will usually not be the biggest risks in July. That’s why our team has been helping privacy professionals to advocate within their organisations for a more holistic approach to the previously separate disciplines of cybersecurity, business continuity and governance, risk and compliance (GRC). We propose a 7-step process to achieve ‘digital resilience’ – this is what it takes to have secure systems in the emergent volatile environment.
Build in privacy by design
We are heartened to see more and more organisations appreciate the benefits of privacy by design, which is about embedding privacy into any project rather than leaving it as a bolt-on at the end. In the digital age, it is rare that any consumer-facing product will not be impacted by considerations of privacy. Privacy professionals play a key role in co-designing with product and marketing teams and this ultimately saves costly retrofitting and re-work down the track. In our experience, privacy by design happens best when the privacy subject-matter expert (SME) is present at initial ideation sessions then periodically at stand-up meetings. This allows them to issue-spot early on and resolve those issues in real time.
As privacy has gone mainstream over the past three years, two schools have emerged in relation to privacy policies.
In 2021, savvy consumers are well versed in the many ways their personal information can be misused by the companies they interact with. They are drawn to companies that are ‘fair dinkum’ on matters of privacy and increasingly avoid those with vague or misleading privacy policies.
Undertake a PIA
Even in organisations that already take privacy seriously, there can be a tendency to see privacy impact assessments (PIAs) as something of a chore, and a voluntary chore at that. In our view, however, completing a PIA need not be an overly burdensome exercise if it is conducted in tandem with the usual product development or procurement process. It is also such a useful tool (and one the OAIC expects) that it should be treated as mandatory for key projects and changes to BAU.
If your organisation is equipped with a robust PIA template, doing the PIA can significantly speed up parallel activities by painting a clearer picture of the technical and process elements of a project. On a practical level, this is about teamwork – the business should be liaising with the privacy SME when undertaking the PIA while the software architects plot out the technical details, lawyers negotiate commercial details with vendors and marketing teams seek rapid feedback from user groups. Privacy doesn’t have to be only about compliance; it should also enable innovation and creativity.
Only collect the PI you need
Long gone are the days when organisations could collect all the personal information they wanted. Now consumers are hyper-aware and have a lower ‘creepiness threshold’. This trend is set to continue as jurisdictions around the world embed the ‘data minimisation’ principle into their legal frameworks. Data minimisation may also become more prominent in Australia, given the Attorney-General’s Department’s current review of the Privacy Act. If you are collecting personal information, you need to have a good reason tied to your business’ functions and activities and carefully communicate that reason to individuals.
Making privacy a priority comes from the top
The OAIC observes that ‘strong leadership commitment to a culture of privacy is reflected in good privacy governance’. What does this mean in practice?
While we agree that every organisation needs a Privacy Management Plan in place (as suggested by the OAIC), we caution against the pitfall of thinking that having a Privacy Management Plan means you have ‘arrived’. Privacy risks emanate from any activity involving personal information. A Privacy Management Plan is only as good as the triggers and touchpoints that are built into all of your organisation’s other activities so it actually gets done day in and day out. Making privacy a priority starts at the top but it needs to happen in every layer of the organisation that handles personal information.
And another thing!
If COVID-19 has left a lasting impact on the world of work (and we think it has), we can expect the lines between ‘work’ and ‘home’ to stay blurred. In a post-pandemic environment, organisations should make some allowance for their employees bringing their work lives home and their home lives to work.
While you may not be directly responsible for your employees’ privacy practices outside work, keep in mind that if they are thinking about protecting their personal information at home they’ll bring that practical wisdom into their job too which, we believe, will go a long way to helping #MakePrivacyAPriority this year.