But you should do so much more to make sure you don’t get done by the Privacy Commissioner.
Some of the things to consider when determining what counts as reasonable steps for your organisation:
- Do you have a procedure for identifying and managing privacy risks?
- Are your security systems strong enough to ensure information is not misused, disclosed, lost, hacked, etc.?
- Do you have a procedure for identifying and dealing with privacy breaches and for dealing with complaints?
- Is someone in your organisation charged with overseeing privacy issues?
- Have staff who deal with personal information received training on privacy compliance?
It’s basically all about policies and being reasonable. One of the regulator’s recommendations is a password policy. Seriously.
While these obligations are not that new, they are much more important now that the Commissioner has power to impose penalties of up to $1.7 million.