If you want to be trusted, you have to be trustworthy (PAW 2022) — IIS Partners

By Sarah Bakar, Sarah Brichet and Chong Shao

2022 Privacy Awareness Week (PAW) is scheduled for 2-8 May. The OAIC’s PAW theme is Privacy: The Foundation of Trust. Its most recent survey of Australian attitudes towards key privacy issues revealed that Australians want more protection – 70% see the protection of personal information as a major concern.

This year’s PAW theme emphasises the importance of protecting privacy and building trust by putting in place the key foundations. The OAIC has published its set of privacy tips for individuals, businesses and government agencies.

IIS and building trust

At IIS, building trust has been a hallmark of our work. We consistently advocate that if an organisation wants to be trusted, it has to be trustworthy.

Trust was crucial in the advice we provided on the COVID Safe Check-In solutions for certain states, where it was important to establish and communicate the right privacy stance about the collection, use and storage of contact information, as well as location and potentially health information. We emphasised that failure to do so would result in the community not trusting the service and jeopardise the uptake of the solution.

Trust was also essential in our work with the Australian Bureau of Statistics (ABS). We helped develop the privacy strategy for its 2021 Census and encouraged ABS to demonstrate its trustworthiness by showing that their privacy undertakings were actually being delivered.

In this post, we provide our take on some key privacy foundations that organisations can implement to be trustworthy, and therefore to be trusted by the Australian community.

1) Be honest - do not mislead

An early step for any organisation is to make a good promise about how it will handle the personal information it collects. This is usually presented in an organisation’s public-facing privacy documents, such as privacy policies, notices and consent forms.

The key is to not mislead consumers. Some questions for consideration:

If I cannot be honest about how I handle personal information or I need to obscure the truth then should I pursue this project/solution/process?
What does the community expect of us and do our promises meet these expectations?

Being honest about how personal information is handled and communicating this in the right way helps to make an organisation trustworthy.

2) Be clear, explicit and finite

The promises an organisation makes should be set out in its public-facing privacy communications and be clear, explicit and finite. As personal information is collected, used and disclosed in ever-greater ways, there is also a greater responsibility for organisations to get its privacy communication right.

Privacy legislation across Australia requires organisations to provide (i) contextual, just-in-time privacy collection notices, and (ii) a privacy policy that more comprehensively explains how an organisation handles personal information.

We believe privacy documents that are best at promoting trustworthiness will be clear, explicit and finite:

Clear – use simple, plain English to communicate to readers and active voice not passive voice if at all possible; avoid complex language and lengthy blocks of text
Explicit – tell people exactly what you will do and how you will do it; avoid vague and general statements
Finite – make your promises bounded, ideally going as far as setting out what you will not do; avoid using open-ended phrases like “including” and “such as”

Developing privacy notices and policies is the baseline. For organisations pursuing best practice, they should creatively explore how they can communicate their privacy stance in different settings and audio-visual formats, as well as consider how to make privacy an enduring part of their brand.

3) Provide proof of performance

An under-appreciated but important step to building trust is to provide proof of performance. Once the organisation has made a promise, trust is strengthened when individuals can see that it is living up to the promise.

An organisation can demonstrate its privacy bona fides by conducting privacy impact assessments (PIAs) on its internal initiatives and privacy health checks on its wider organisational practice. Privacy bona fides will be reinforced by committing to remediation and improvement steps.

For organisations pursuing best practice, we think proof of performance involves:

Committing to a regular program of privacy assurance for BAU projects and for the organisation as a whole
Engaging external, independent experts to conduct assurance, especially where the stakes are high
Publishing the results of, and responses to, assurance activities

To sum up: we believe an organisation can increase its trustworthiness by providing evidence that it is following through and doing what it says it will do.

Participating in Privacy Awareness Week 2022

IIS is once again proudly supporting PAW this year. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point. Please reach out if you would like further information or assistance with your PAW initiatives.