What you need to be thinking about as you handle confidential information throughout your business
Privacy and data protection are closely interconnected, so much so that we often treat them as synonymous. Distinguishing between the two is fundamental to understanding what obligations a business has in protecting data and complying with regulations. Alison Baker, Partner at Hall & Wilcox, explains, “data protection is a broader concept in that it protects all sorts of data, whereas privacy is about protecting an individual’s personal information.” Alison is an expert in assisting organisations with privacy law compliance and responding to data breaches, and the aim of this article is to help you understand what your business obligations are.
Privacy laws protect and regulate information that is capable of identifying somebody, so they provide safety nets around how organisations manage personal information. Data protection, by contrast, can cover the protection of all sorts of information. The protection of broader, non-personal data is usually addressed in commercial contracts via a confidential information clause, which is where the parties to a contract set their expectations about how confidential information is passed between them.
For the private sector, most businesses need to comply with the Federal Privacy Act and its thirteen Australian Privacy Principles (APPs). The APPs regulate the lifecycle of personal information through an organisation. APP1 is about setting up the right systems and processes, and the remaining principles are about how to manage information in your business, including what types of personal information you can collect and how you can use and disclose it. A key obligation is keeping that information secure within the business: you must take all reasonable steps to make sure the personal information you hold is well managed and protected from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Pursuant to APP12 and APP13, it must also be possible for people to access and correct the information that you hold about them.
“I think privacy legislation is something that needs to be constantly reviewed, because how we collect data continues to change, and the types of data that we collect continue to change.”
The Privacy Act is drafted in a way that is technology neutral. This recognises that personal information may be collected and stored in many different ways. If the Privacy Act remains technology neutral and principles-based, it should be able to accommodate changes in how we use personal information. However, it certainly cannot be the kind of legislation that gets passed and is left to sit on the shelf; it has to be regularly considered and reviewed, and it has to continue to evolve as needed.
“Planning ahead and preparing for the worst-case scenario will put you in the best possible position.”
Make sure you have a data breach response plan in place so that, if you suffer a data breach, your guidance material is ready to hand. The data breach notifications scheme has been in place for two years now, and it requires organisations covered by the Privacy Act to take certain steps if they have suffered an ‘eligible data breach’. Where an organisation’s obligations under the scheme have been triggered, the organisation must notify the Australian Information Commissioner and any impacted individuals of the details of the breach within thirty days. To come through what could be a traumatic experience as effectively as possible, you should be organised beforehand. Save crucial time by forming a response team that can quickly mobilise to contain the breach and move the organisation forward.
“The more we share information from a technological perspective the more likely people can breach your privacy.”
Ultimately, the Australian Privacy Principles are about making sure that businesses only collect, use, disclose and store personal information that is reasonably necessary for their functions or activities. Privacy laws apply wherever personal information travels, regardless of whether employees are working in the office or remotely. Make sure you have strong security rules in place for the devices your employees use. This includes requiring employees to use only employer-issued devices, to have multi-factor authentication enabled on those devices, and to use multi-factor authentication when remotely accessing your systems. Most importantly, keep educating and updating your staff about the opportunistic tactics that hackers use. “You only get one chance at doing this so you might as well do it as best as you can.”
For more information about online privacy, read Online Privacy: What's At Risk?