Privacy – particularly the protection of personal data – is a hot topic both here and internationally, as organisations struggle to cope with the quantity and transferability of electronic communications.
This Brief Counsel provides some tips for businesses on how to manage privacy obligations in relation to collecting, storing and distributing personal information.
When collecting data, reasonable steps must be taken to ensure that individuals are aware of, among other things, the purpose of collection and the intended recipients of the information. That notification could be given by a note on the organisation’s website, or by using a privacy collection consent form.
Only data that is required for the specified purpose should be collected. Consents to collect (and disclose) data should be phrased to reflect this purpose and thought should be given to the breadth of the stated purpose.
The recent report on ACC identified several ways to mitigate the privacy risk inherent in information processes. The specific privacy risks for an organisation dealing in sensitive information such as ACC will not be universal, but there are practices of more general application that can be taken from the ACC report:
ensure that research, actuarial and similar work streams are never conducted on raw, identifiable information. If this is unavoidable, de-identify the data by replacing names with random identifiers
reduce the organisation’s reliance on email
ensure data loss protection software is in place
implement an “enter once” (as opposed to multiple entry) policy for any data entry or reporting system, and
keep personal data only as long as necessary.
Privacy-compliant processes should be supplemented by a structured and comprehensive security assurance programme. Security should be treated as a business issue rather than an IT issue. A security programme would ideally include:
formal assurance mechanisms implemented within project-based activities
methods for identifying unusual system access, and
independent periodic compliance assessments.
The ACC Report highlighted the need to increase staff accountability and awareness and establish clear lines of responsibility within the organisation, specifically:
the business owner or a member of the executive board should hold ultimate accountability for privacy
staff roles should be clearly defined and their responsibilities regarding privacy specifically set out and documented
staff should be given practical, scenario-based training on managing privacy. The training should be operational and use work-related examples, and
there should be clear ownership of all data held by the organisation, including that on shared hard drives.
Distribution and use of personal data
Complaints and incidents should be dealt with immediately. Consistent systems and processes should be developed for recording, monitoring and reporting all near misses, privacy breaches and privacy complaints. The resulting privacy incident statistics should be used to support a programme of continuous improvement.
Data subjects should be aware of their right to make a complaint.