Beware the privacy minefield: spotlight on your customers’ information
As a business, you insure your assets and liabilities. So, why do some companies struggle to protect perhaps their most valuable asset – the personal information they hold about their customers and staff?
Australian companies’ data-sharing practices are “appalling”, according to the 2019 State of Cyber Security report. It found that 84% of companies surveyed had not conducted formal reviews of the practices of the businesses with whom they shared data. As well, about six in 10 of those surveyed said they had experienced a third-party data breach in the past year.
That was before circumstances changed dramatically with the COVID-19 pandemic and the majority of our social and work interactions were taken online, as highlighted by this year’s Privacy Awareness Week.
The onus is on businesses to comply with privacy and other laws, but you might think there are some grey areas.
This article explains your business obligations to insure the privacy of personal data that individuals or entities give you.
Under lock and key
Your go-to law in Australia is the Privacy Act 1988 (Privacy Act).
It defines personal information as “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not”.
The aim of the law is to protect that information, particularly if it’s not meant to be made public.
The Privacy Act’s implications for you
If the Privacy Act applies to your business, you will also need to comply with the 13 Australian Privacy Principles. These govern standards, rights and obligations for:
- Collecting, using and disclosing personal information
- Your business’ governance and accountability
- How you store personal information, maintain its integrity and correct it
- Individuals’ rights to access the personal information you hold about them.
Businesses and organisations may also have other legal privacy obligations, including:
- Victorian, NSW, and ACT health records laws
- State and federal surveillance laws
- Federal laws about email marketing and telemarketing (think the Spam Act 2003 and the Do Not Call Register 2006)
- The General Data Protection Regulation (GDPR) – if your business processes personal data relating to an individual in the European Union.
You might think the GDPR relates only to businesses operating in countries of the European Union (EU) with customers and clients in that region. However, it also applies to any business offering goods or services to EU residents, according to the professional services firm PwC. The GDPR came into force in 2018. Contravening it means you can be fined up to €20 million (AU$32.7M) or 4% of annual worldwide turnover, whichever is higher.
With many business operations now ‘in the cloud’, you may not know where your company’s data is stored. Check your third-party software providers’ privacy policies: they should detail where and how they store and use your data. The small business guide from the Department of Communication can help you review your providers’ practices.
When you’ve been hacked
Say a device storing your customers’ personal information is stolen or lost, the database holding that information is hacked, or personal details are sent to the wrong person. These are notifiable breaches, and you have two obligations.
You must tell the individuals at risk of serious harm (the point of telling them is so they can act to minimise their loss, so acting quickly is paramount) and notify the Office of the Australian Information Commissioner. This is covered by the Notifiable Data Breaches Scheme, a 2017 amendment to the Privacy Act. Check the commissioner’s website for the finer details about eligible breaches and the timing of your report.
You have 30 days to take reasonable steps to investigate a suspected data breach in your business. Miss that deadline and you face a $360,000 fine, or up to $1.8M for your business, plus other penalties under the Act.
Your obligation to protect your customers’ personal information extends even to when you no longer need it. That is when you should destroy or de-identify it, such as by shredding documents or storing them in a secure place.
Putting it down in writing
There’s a lot here to take on board about privacy, so don’t leave it to chance. You will need a privacy policy and privacy statement (as well as an IT and data security policy), written in plain English, regularly reviewed and updated, and available on your website. They should spell out what information you collect, what you will use it for, how you will protect it and, when you need to, how you will destroy it. A privacy policy will also cover how you handle sensitive information, disclosure to third parties, and how customers can access the personal information you hold about them.
Don’t reinvent the wheel, though. You are best off seeking legal advice when drafting a privacy policy and statement that align with your business needs.
As well, businesses need to understand their privacy obligations during the COVID-19 pandemic. Think about the risks if you have staff working remotely without multi-factor authentication to access your computer systems and resources. Maybe you have customers visiting your premises and signing in by hand: can other customers see who is on the list?
So, pause to see just how much information you are collecting from customers and ask: do you need it, and why? The more information you hold, the higher the risk of exposure should your systems be breached.
Insuring personal information security is everyone’s business.