Privacy compliance is often seen as a massive hurdle for a company. How do you adopt something that seems so amorphous? In essence, privacy compliance is part of a process, and that process can be achieved using some simple forethought and best practices. To assist your company in developing good privacy practice, we have developed the following seven simple tips.
- Design your products to minimise, manage or eliminate privacy risks
Adopt a privacy by design approach when creating products or services. This means that privacy should be one of your first thoughts rather than an afterthought.
By building privacy practices into product and services design at the outset, privacy compliance becomes a part of how you work. You will be able to anticipate the questions you need to answer and prevent privacy disasters before they occur.
- Develop a privacy policy
Being open and transparent about how you handle personal information is essential for consumer trust. It is also a legal requirement for organisations covered by the Privacy Act 1988 (Cth). If you are struggling to develop a comprehensible policy, do not hesitate to contact us for advice and assistance. Also, don’t forget the extensive resources of the OAIC (Office of the Australian Information Commissioner).
Once you have developed a comprehensive and digestible privacy policy, ensure it is readily available to your customers. Best practice is to post this on your website in an obvious place.
- Collect de-identified data
Avoid collecting personal information and focus on collecting and retaining de-identified data wherever possible. This involves removing or altering information that identifies an individual. For example, allow customers to use pseudonyms instead of their names where practicable.
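The tip above describes de-identification in general terms; the following is an added illustration (not code from the original article or from the firm) of what "removing or altering" identifying information looks like in practice for a customer record. The record layout, field names and sample values are assumptions constructed for the example. Direct identifiers are dropped, the customer number is replaced by a keyed pseudonym (HMAC-SHA256) so that records about the same person can still be linked without the original identifier, and quasi-identifiers such as date of birth and postcode are coarsened.

```python
import hashlib
import hmac
import secrets

# Assumed schema: fields that directly identify a person are dropped outright.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}
# Assumed field replaced by a keyed pseudonym so records of one person stay linkable.
LINK_FIELD = "customer_id"


def make_pseudonym(value: str, key: bytes) -> str:
    """Return a keyed pseudonym for an identifier.

    HMAC-SHA256 under a secret key: the same value always maps to the same token,
    but without the key the token cannot be reversed or recomputed from a guess,
    which is what distinguishes it from a plain (unkeyed) hash.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def coarsen_postcode(postcode: str) -> str:
    """Keep only the first two digits ('2000' -> '20xx') to widen the population each record could belong to."""
    digits = "".join(ch for ch in postcode if ch.isdigit())
    return digits[:2] + "xx" if len(digits) >= 2 else "xxxx"


def de_identify(record: dict, key: bytes) -> dict:
    """Produce a de-identified copy of one customer record.

    - direct identifiers are removed entirely
    - the customer number becomes a keyed pseudonym
    - date_of_birth is reduced to birth_year, postcode is coarsened
    - all other fields are passed through unchanged
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == LINK_FIELD:
            out[field] = make_pseudonym(str(value), key)
        elif field == "date_of_birth":
            out["birth_year"] = str(value)[:4]
        elif field == "postcode":
            out[field] = coarsen_postcode(str(value))
        else:
            out[field] = value
    return out


def has_direct_identifiers(record: dict) -> bool:
    """Check a record (e.g. before it is written to an analytics store) for any direct identifier field."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


# Constructed sample input for demonstration only.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Example Person", "email": "person@example.com",
     "phone": "0400000000", "address": "1 Example St", "date_of_birth": "1985-03-12",
     "postcode": "2000", "plan": "standard", "purchases": 3},
    {"customer_id": "C-1001", "name": "Example Person", "email": "person@example.com",
     "date_of_birth": "1985-03-12", "postcode": "2000", "plan": "standard", "purchases": 4},
]

if __name__ == "__main__":
    # In practice the key is a stored secret kept separate from the de-identified data;
    # a random one is generated here so the script runs stand-alone.
    key = secrets.token_bytes(32)
    for rec in SAMPLE_RECORDS:
        cleaned = de_identify(rec, key)
        assert not has_direct_identifiers(cleaned)
        print(cleaned)
```

Because both sample records carry the same customer number, they receive the same pseudonym and remain linkable for analysis, while anyone holding only the de-identified data and not the key cannot recover or re-derive the original number. The keyed approach is the design choice worth noting: an unkeyed hash of a short or guessable identifier can be reversed simply by hashing candidate values.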
- Always obtain consent for new uses and sharing of data
Only use or disclose personal information for the purposes for which you collected it. If you need to use the data for a different purpose, ensure you obtain the individual’s consent before doing so.
- Check the privacy practices of third parties you share data with
If a third party mishandles the data you share with them, you may still bear the commercial and reputational damage of any fallout. Before sharing data you should ensure that your commercial arrangements with third parties explicitly detail how data will be handled and that they will comply with privacy practices at least as good as yours.
- Protect the data you hold
Analyse the potential threats to the security of the data you hold and take steps to minimise them. This may include:
  - implementing network security;
  - enforcing access controls;
  - managing passwords properly; and
  - training staff so that human error does not facilitate a security breach.
- Be prepared for a data breach
Have a data breach response plan in place and understand your obligations under the Notifiable Data Breaches (NDB) scheme. As with any risk management exercise, it is important that you are familiar with your response plan and that all key employees understand it. It is not enough to turn to the OAIC website at the time the data breach hits. For more information on developing a data breach plan and your legal responsibilities under the NDB scheme, do not hesitate to contact us.
For more information and advice on privacy practice, please contact Katherine Sainty at katherine.sainty@saintylaw.com.au