Privacy 101 for Business
Protecting the privacy of people’s personal information is fundamental.
That’s why we have put together 10 tips for businesses and other organisations to apply to keep personal information safe.
There is no better time than now to make sure your organisation is getting privacy right.
It’s important to understand your business’ obligations under the Privacy Act, and ensure you consider privacy as your business, or your business systems or practices, evolve.
And don’t just ‘tick the boxes’. Anticipate how your customers and the wider community expect you to handle their personal information and respond to their needs and concerns.
Privacy is integral to building and maintaining the community’s trust in your organisation’s handling of their personal information.
Make sure you have a privacy management plan in place, to help embed a culture of privacy and establish robust privacy practices.
Our handy privacy management plan template can also help you assess your privacy practices and set appropriate privacy goals and targets.
A good privacy management plan helps ensure that your organisation is meeting its requirements under the Privacy Act. And if you’re not covered by the Act, it will help you ensure best practice in privacy, and meet community expectations.
A strong privacy culture comes from the top, so assign a senior staff member with overall responsibility for privacy.
Also appoint staff responsible for managing privacy day-to-day, including handling internal and external privacy enquiries, complaints, and access and correction requests.
Good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information.
Implementing reporting mechanisms that ensure senior managers are routinely informed about privacy issues will also help keep your organisation’s eyes on privacy, and help it respond promptly when there’s an issue.
Assess privacy risks early. Undertake a privacy impact assessment for projects that involve new information handling practices, such as new technologies.
A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
To be effective, a privacy impact assessment should be an integral part of the project planning process.
Privacy impact assessments can help facilitate a privacy-by-design approach, identify better privacy practices and help ensure compliance with the Privacy Act.
Over-collection of personal information increases your risk in the event of a data breach.
Holding onto personal information you don’t need can also undermine customer trust.
It’s more effective and efficient to manage privacy risks proactively.
Minimise privacy risks by reviewing your products, services, and internal systems and processes to ensure that you’re only collecting the personal information you need.
In other words, only collect personal information that is reasonably necessary to carry out your functions and activities.
Equally importantly, ensure that information that is no longer needed is destroyed or de-identified. If information is not collected, or is not stored, it cannot be mishandled.
A ‘privacy by design’ approach helps to ensure you get privacy right, and build good privacy practices into what you do.
Ensure secure systems are in place to protect personal information from misuse, loss and unauthorised access and disclosure.
Personal information security is about more than just ensuring compliance with the requirements of the Privacy Act.
If you mishandle the personal information of your customers, it can cause a financial or reputational loss to both the customer and your business, and have a serious impact on your business-as-usual activities.
Effective information security can also make your business more efficient, and help with requirements for handling commercially-confidential information.
Australians are more likely to trust your website or service if they have read your privacy policy, but fewer than a third of us read them because they’re too long and complex.
Make sure yours is written in plain language and includes a summary.
Don’t treat the privacy policy as a legal document to manage legal risk. It should be a document that creates trust in your entity and speaks to your customers or clients. Make it specific to your business or organisation.
And importantly, remember to include information about how individuals can contact you about privacy matters.
Clearly outline how staff are expected to handle personal information in their everyday duties, not just in terms of general principles. Make it real, and relevant.
Integrate privacy into your induction and regular staff training programs – including for short-term staff, service providers and contractors.
Conduct regular refreshers and ensure your whole team is aware of their privacy and security obligations.
Also, make sure your staff have all the information they need to protect their own privacy at work.
The OAIC has a number of training resources to help organisations develop or improve their privacy training programs.
Encourage your staff to engage with Privacy Awareness Week, including checking out the ‘Privacy 101 for Individuals’ section of this website!
Have a clear and practical data breach response plan at hand so staff know what to do if there is a data breach. A quick response is critical to effectively managing a breach.
Your data breach response plan should outline your entity’s strategy for containing, assessing and managing the incident from start to finish.
It can help you meet your obligations under the Privacy Act, limit the consequences of the breach, and preserve and build public trust.
You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take.
Treat all suspected data breaches seriously – it’s always best to be cautious.
Good privacy management means being proactive, and anticipating future challenges.
By continually improving your privacy processes, you will ensure you are responsive to new privacy issues and that implementation will not be a burden.
Review your privacy practices and policy regularly. Make sure they meet community expectations, comply with the law, remain relevant to current practices and address new risks.
Privacy law reform is on the way, so making sure your privacy practices are up to scratch now will make any further improvements required easier.
The Privacy Act covers organisations with an annual turnover of more than $3 million and some other organisations. If your business is not covered by the Privacy Act, you can opt in as a public commitment to good privacy practice.
Explore our training resources to help you build on your privacy knowledge.
Becoming a PAW supporter gives your organisation access to our supporter toolkit to help increase privacy awareness among your staff, customers and stakeholders. It shows your commitment to good privacy practice and advancing the privacy rights of individuals.