By Simon Liu and Chong Shao

For Privacy Awareness Week (PAW) 2023, IIS joined the OAIC and other organisations in promoting the importance of establishing a privacy foundation, as part of 2023’s theme ‘Privacy: Back to basics’.

This year’s theme puts the spotlight back on having a strong privacy foundation in light of recent high-profile data breaches in Australia and abroad. The OAIC has published its set of ‘Privacy 101’ tips for individuals, businesses, and government agencies.

IIS Partners Malcolm Crompton and Nicole Stephensen were invited to speak in various PAW events in Australia including IAPP Sydney KnowledgeNet and Office of the Information Commissioner Queensland, covering topics ranging from protecting your personal information in different settings, to a discussion about OAIC’s recommendations to the Attorney-General’s Department regarding the Privacy Act Review in 2022.

IIS mini bites: Getting back to privacy basics

At IIS, we strongly encourage organisations to proactively strengthen their privacy and security practices.

In this post, we summarise some key ‘Privacy 101’ basics that organisations can implement to be trustworthy, and therefore to be trusted by the customers and community that they serve.

1) Know your obligations

Understand the privacy laws and regulations that apply to you, and be aware of potential changes on the horizon (like the Privacy Act Review). Consider privacy as an integral part of your business. In other words, don’t just ‘tick the boxes’. Instead, build a privacy-aware culture and practice as part of your regular routine.

2) Have a privacy plan

Ensure that you have a Privacy Management Plan (PMP) in place to help build each component of the privacy foundation and introduce accountability for doing them. The OAIC has provided a PMP template to assess your current and future privacy practices here.

3) Appoint key privacy roles

Assign a senior staff member with overall responsibility for privacy, as well as staff member responsible for managing day-to-day privacy activities such as handling privacy enquiries and providing privacy advice. Ensure that the organisation’s leadership encourage a culture of privacy that values personal information and trust.

4) Assess privacy risks

Proactively undertake Privacy Impact Assessments (PIAs) that involve new or changed information handling practices, to assess the impact on privacy of individuals and steps to mitigate any risks. For high-profile or complex initiatives, consider engaging an independent expert to conduct the PIA.

5) Only collect or keep what you need

Minimise privacy risks by reviewing your products, services, and internal systems and processes to ensure that you only collect the personal information your organisation needs. Ensure that information that is no longer needed is destroyed or de-identified, to reduce the risk of data breach and possible impacts on customer trust and business objectives.

6) Secure personal information

Implement secure systems and processes to protect personal information from misuse, loss, and unauthorised access and disclosure. Start with the Essential Eight mitigation strategies. Recognise that the human element is often the ‘weak link’ – ensure that staff are aware of, and trained on, good security practices.

7) Simplify your privacy policy

Write your privacy policy in plain language and include a summary. Make it specific to your organisation and its information handling practices. Include information about how individuals and organisations can contact you about privacy matters.

8) Train your staff

Clearly outline how staff are expected to handle personal information in their direct duties. Provide tailored advice and training where their role requires it. Inform staff of the appropriate channel to report improper handling of personal information as well as data incidents and breaches.

9) Prepare for data breaches

Have a clear and practical data breach response plan that covers each stage of the data breach response. Regularly review and test out your plan to ensure staff and relevant team members know what actions to take.

10) Review your practices

Review and update your privacy policies and procedures regularly. Continually improve your privacy practices and anticipate future challenges, including keeping up-to-date with technological, market and regulatory changes.

Participating in Privacy Awareness Week 2023

IIS is proud to support PAW once again, as well as to help organisations with establishing privacy foundations. If you would like further information or assistance with raising privacy awareness and/or strengthening your organisation’s privacy and security practices, please reach out to us.