Recent years have seen big changes in privacy legislation in many countries. The differences in privacy laws of countries or regions can make this a tricky realm to navigate. Having respect for people’s privacy rights as a guiding principle — a north star if you will — will go a long way towards helping you navigate the choppy oceans of privacy compliance.
If you strive to always keep your customers’ best interests top of mind, you’ll find this spirit translates into your business processes, and they become aligned with privacy principles. Your north star principle will help to ensure that the ways in which you collect, store, use, and share personal information align with relevant privacy law requirements.
We talked to Simply Privacy to find out more about putting people at the centre of privacy compliance.
A people-focused approach to privacy
We recognise that many small to medium-sized organisations don't have the luxury of having privacy advisors or legal experts on hand. Hoping to pull back the privacy curtain, we asked our friends Daimhin Warner and Emma Pond at Simply Privacy for their views on a few pressing privacy issues facing organisations today.
Simply Privacy are experts in privacy. They offer a range of services to support clients to measure their practices against both their legal obligations and community expectations. But more than that, they recognise that privacy is about giving people meaningful choices over their information.
Changes in privacy legislation have been accompanied by an increase in people’s general awareness of privacy-related topics. Fears about identity theft and financial loss make people more cautious about sharing their personal information with businesses.
Daimhin points out some interesting statistics coming out of the 2020 Australian Community Attitudes to Privacy Survey. The results indicate that privacy is a major concern for 70% of Australians and 84% of Australians consider privacy extremely important when choosing a digital service. These sentiments are fairly consistent across the globe.
Managing your privacy obligations
Organisations need to keep in step with their legal obligations to protect the personal information they are entrusted with. Emma highlights that privacy laws require organisations to protect the personal information they hold about their customers and business associates and that we’re not just talking about large organisations.
Small to medium-sized organisations are not necessarily exempt from privacy obligations. If an organisation handles personal information about its customers, it may also be legally bound to protect it. Regardless, we should never lose sight of the fact that personal information is about people, and doing privacy right is just part of good customer service.
We asked Emma and Daimhin to help us focus on some of the key things to consider when businesses handle personal information.
Most organisations collect some form of personal information from their clients or customers. What’s important to consider when collecting personal information?
Try to be as open and transparent as possible when collecting personal information. This way, everyone understands what their personal information will be used for, and there will be no nasty surprises.
Also remember to minimise the personal information you collect. Asking for only the information you really need to get the job done makes for a less intrusive experience, improving the overall customer experience for your clients or customers.
What are the essential things organisations should be doing to address privacy concerns?
Be clear with your customers about what you will do with their personal information. Open and transparent communication helps everyone understand why you are collecting the information and helps build trust.
Protect the personal information you hold. Limit access to this data to only the people who require access to perform their jobs.
Only use collected personal information for the purpose you initially collected it for. Just because the information has been collected doesn't mean it can be used however you want.
Can you give examples of the misuse of personal information?
- Misuse can happen when organisations use information collected for one purpose (which should be positive) for another entirely different purpose (which could be harmful), resulting in unhappy customers. This is sometimes called “scope creep,” and it's really bad for trust.
- Using incorrect or outdated personal information can be very harmful. Think about a case where an organisation links inaccurate or erroneous debt information to an individual. The real-life consequences of unwarranted debt collection and a bad credit rating for this person would cause untold stress and harm.
- Unauthorised access to personal information can happen when employees search up customer records for non-business purposes. They may be curious about friends, family members or well-known people, and they may gossip about what they find out.
What key advice would you give to help organisations understand how to build privacy compliance into their systems and processes?
The best thing an organisation can do to stay on the right side of privacy laws is to think about privacy right from the beginning of any new process or project. Early consideration of privacy helps you avoid or fix problems before spending too much time and money on something that doesn’t meet privacy compliance standards.
Reframing the way you think about privacy can be very helpful. Instead of focusing on privacy purely as a compliance issue, focus on privacy as a cornerstone of building consumer trust, showing respect for people’s personal information and delivering an outstanding customer experience.
How can organisations find out whether the ways they’re collecting and using personal information are legal?
Most countries have a privacy regulator that protects people’s privacy rights and regulates how businesses collect, use, share, and store personal information.
Privacy laws usually include regulations about what organisations must tell their customers when collecting personal information and how they will use the information.
Look for support or resources available from the official privacy regulator in your country. Examples of government privacy regulators include:
- Office of the Australian Information Commissioner
- New Zealand Office of the Privacy Commissioner
- UK Information Commissioner’s Office
What are some common privacy mistakes and some tips on how to avoid them?
- Many organisations collect more personal information than is needed to complete their business purpose. Our advice is to think before you collect any personal information. Ask yourself, “Do I really need this particular information to deliver this service?”
- It’s much easier for mistakes and breaches to happen when you don’t actually know what personal information your company holds and where it is stored.
We recommend carrying out a data mapping exercise to identify personal information and where you keep it, especially sensitive personal information. Data mapping helps you understand where your most significant risks lie and what measures you can use to protect the information you hold.
- In some cases, businesses may not even realise that they are dealing with personal information. Remember, information can still be identifiable even if specific details — like the name — are removed.
Personal information is considered ‘de-identified’ only when it is no longer able to be linked to an identifiable person or a reasonably identifiable person. Once information is appropriately de-identified, it falls outside the scope of privacy legislation.
- Give careful attention to the restriction of access to personal information. Only those who need personal information to complete their jobs should have access to it. Giving your employees access to the smallest subset of data required to complete the task minimises the risk to the organisation.
- Personal information should only be kept for as long as it’s needed for a lawful purpose. Once it’s no longer needed, and taking into account any applicable legal minimum retention periods, personal information should be securely disposed of or thoroughly de-identified.
- Finally, if organisations don’t train their employees about the importance of privacy, and safe, respectful personal information handling, they can be exposed to a greater risk of privacy breaches.
Empowering people with the right privacy know-how can help establish fair social contracts with customers, improve customer experience and build an organisation’s brand.
Thank you, Daimhin, Emma, and Simply Privacy, for sharing this valuable information with our community. Your advice highlights that there are many practical and achievable ways to implement privacy awareness and compliance in our work processes. Working with care when we handle people’s personal information is the right thing to do and demonstrates respect for privacy in action.
Empowering people to uphold privacy
Building a culture of privacy awareness begins and ends with people. You can build every privacy consideration into your business practices and projects, but it will fall short if your employees don’t apply these principles in their day-to-day work.
Privacy Awareness training focuses on practical actions that help teams collect, store, use, and even dispose of personal information securely and in line with privacy principles.
Privacy Awareness for Australia
In Australia, the Privacy Act 1988 covers information privacy rights and how entities within its scope must handle personal information.
This legislation is currently under review by the Attorney-General’s Department, and significant changes to privacy regulation in Australia are on the horizon. These changes will likely include stricter rules around managing personal information and more substantial fines for non-compliance.
Now is the time to make sure your team is up to scratch on privacy to keep you, your data and your organisation safe.
And that's where SafeStack Academy's Privacy Awareness programme comes in. We develop our privacy awareness courses in partnership with Simply Privacy.
We focus on teaching the behaviours that help people handle the personal information entrusted to them in respectful, secure and transparent ways. The courses present helpful content without overwhelming learners with complex legal terms and language.
Each course covers a privacy awareness-related topic and includes an interactive lesson and a short knowledge check. Engaging activities help learners recognise the situations where they should consider privacy and the best practices for handling personal information respectfully and securely.
We regularly add content to our Australian and New Zealand Privacy Awareness programmes. We’d love to be part of your organisation’s training journey to embed privacy throughout your business practices.
Course 1: Introduction to privacy
We introduce the concept of personal information and teach learners to recognise situations requiring privacy awareness.
Course 2: Collecting personal information
We expand on the concept of personal information and look at how much of it, and in what ways, it can lawfully be collected. The Australian Privacy Principles (APPs) set the rules for how entities can collect personal information. We focus on how to ensure personal information is collected and handled in safe, transparent, and respectful ways.
Course 3: Securing, using and disclosing personal information
Entities have a responsibility to safeguard the personal information their customers trust them to hold. We encourage learners to think about the aspects of their job where they are required to handle personal information and to learn about — and follow — the procedures that are in place for protecting personal information.
Some (not so) small print
We develop these courses with the guidance of privacy experts at Simply Privacy. However, these courses are not legal advice.
The learning objective is to help learners understand why privacy matters and how to break that down into simple, action-oriented behaviours.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us! Drop us a line at firstname.lastname@example.org and let us know what you think.