
Getting back to privacy basics (PAW 2023)

By Simon Liu and Chong Shao

For Privacy Awareness Week (PAW) 2023, IIS joined the OAIC and other organisations in promoting the importance of establishing a privacy foundation, as part of 2023’s theme ‘Privacy: Back to basics’.

This year’s theme puts the spotlight back on having a strong privacy foundation in light of recent high-profile data breaches in Australia and abroad. The OAIC has published its set of ‘Privacy 101’ tips for individuals, businesses, and government agencies.

IIS Partners Malcolm Crompton and Nicole Stephensen were invited to speak in various PAW events in Australia including IAPP Sydney KnowledgeNet and Office of the Information Commissioner Queensland, covering topics ranging from protecting your personal information in different settings, to a discussion about OAIC’s recommendations to the Attorney-General’s Department regarding the Privacy Act Review in 2022.

IIS mini bites: Getting back to privacy basics

At IIS, we strongly encourage organisations to proactively strengthen their privacy and security practices.

In this post, we summarise some key ‘Privacy 101’ basics that organisations can implement to be trustworthy, and therefore to be trusted by the customers and community that they serve.

1) Know your obligations

Understand the privacy laws and regulations that apply to you, and be aware of potential changes on the horizon (like the Privacy Act Review). Consider privacy as an integral part of your business. In other words, don’t just ‘tick the boxes’. Instead, build a privacy-aware culture and practice as part of your regular routine.

2) Have a privacy plan

Ensure that you have a Privacy Management Plan (PMP) in place to help build each component of the privacy foundation and to introduce accountability for delivering them. The OAIC has published a PMP template for assessing your current and future privacy practices.

3) Appoint key privacy roles

Assign a senior staff member with overall responsibility for privacy, as well as a staff member responsible for managing day-to-day privacy activities such as handling privacy enquiries and providing privacy advice. Ensure that the organisation’s leadership encourages a culture of privacy that values personal information and trust.

4) Assess privacy risks

Proactively undertake Privacy Impact Assessments (PIAs) for initiatives that involve new or changed information handling practices, to assess the impact on individuals’ privacy and identify steps to mitigate any risks. For high-profile or complex initiatives, consider engaging an independent expert to conduct the PIA.

5) Only collect or keep what you need

Minimise privacy risks by reviewing your products, services, and internal systems and processes to ensure that you only collect the personal information your organisation needs. Ensure that information that is no longer needed is destroyed or de-identified, to reduce the risk of data breach and possible impacts on customer trust and business objectives.

6) Secure personal information

Implement secure systems and processes to protect personal information from misuse, loss, and unauthorised access and disclosure. Start with the Essential Eight mitigation strategies. Recognise that the human element is often the ‘weak link’ – ensure that staff are aware of, and trained on, good security practices.

7) Simplify your privacy policy

Write your privacy policy in plain language and include a summary. Make it specific to your organisation and its information handling practices. Include information about how individuals and organisations can contact you about privacy matters.

8) Train your staff

Clearly outline how staff are expected to handle personal information in their direct duties. Provide tailored advice and training where their role requires it. Inform staff of the appropriate channel to report improper handling of personal information as well as data incidents and breaches.

9) Prepare for data breaches

Have a clear and practical data breach response plan that covers each stage of the data breach response. Regularly review and test out your plan to ensure staff and relevant team members know what actions to take.

10) Review your practices

Review and update your privacy policies and procedures regularly. Continually improve your privacy practices and anticipate future challenges, including keeping up-to-date with technological, market and regulatory changes.

Participating in Privacy Awareness Week 2023

IIS is proud to support PAW once again, as well as to help organisations with establishing privacy foundations. If you would like further information or assistance with raising privacy awareness and/or strengthening your organisation’s privacy and security practices, please reach out to us.

If you want to be trusted, you have to be trustworthy (PAW 2022)

By Sarah Bakar, Sarah Brichet and Chong Shao

2022 Privacy Awareness Week (PAW) is scheduled for 2-8 May. The OAIC’s PAW theme is Privacy: The Foundation of Trust. Its most recent survey of Australian attitudes towards key privacy issues revealed that Australians want more protection – 70% see the protection of personal information as a major concern.

This year’s PAW theme emphasises the importance of protecting privacy and building trust by putting in place the key foundations. The OAIC has published its set of privacy tips for individuals, businesses and government agencies.

IIS and building trust

At IIS, building trust has been a hallmark of our work. We consistently advocate that if an organisation wants to be trusted, it has to be trustworthy.

Trust was crucial in the advice we provided on the COVID Safe Check-In solutions for certain states, where it was important to establish and communicate the right privacy stance about the collection, use and storage of contact information, as well as location and potentially health information. We emphasised that failure to do so would result in the community not trusting the service and jeopardise the uptake of the solution.

Trust was also essential in our work with the Australian Bureau of Statistics (ABS). We helped develop the privacy strategy for its 2021 Census and encouraged ABS to demonstrate its trustworthiness by showing that their privacy undertakings were actually being delivered.

In this post, we provide our take on some key privacy foundations that organisations can implement to be trustworthy, and therefore to be trusted by the Australian community. 

1) Be honest - do not mislead

An early step for any organisation is to make a good promise about how it will handle the personal information it collects. This is usually presented in an organisation’s public-facing privacy documents, such as privacy policies, notices and consent forms.

The key is to not mislead consumers. Some questions for consideration:

  • If I cannot be honest about how I handle personal information or I need to obscure the truth then should I pursue this project/solution/process?

  • What does the community expect of us and do our promises meet these expectations?

Being honest about how personal information is handled and communicating this in the right way helps to make an organisation trustworthy. 

2) Be clear, explicit and finite

The promises an organisation makes should be set out in its public-facing privacy communications and be clear, explicit and finite. As personal information is collected, used and disclosed in ever-greater ways, organisations also carry a greater responsibility to get their privacy communication right.

Privacy legislation across Australia requires organisations to provide (i) contextual, just-in-time privacy collection notices, and (ii) a privacy policy that more comprehensively explains how an organisation handles personal information.

We believe privacy documents that are best at promoting trustworthiness will be clear, explicit and finite:

  • Clear – use simple, plain English to communicate to readers, and active voice rather than passive voice if at all possible; avoid complex language and lengthy blocks of text

  • Explicit – tell people exactly what you will do and how you will do it; avoid vague and general statements

  • Finite – make your promises bounded, ideally going as far as setting out what you will not do; avoid using open-ended phrases like “including” and “such as”

Developing privacy notices and policies is the baseline. Organisations pursuing best practice should creatively explore how they can communicate their privacy stance in different settings and audio-visual formats, as well as consider how to make privacy an enduring part of their brand.

3) Provide proof of performance

An under-appreciated but important step to building trust is to provide proof of performance. Once the organisation has made a promise, trust is strengthened when individuals can see that it is living up to the promise.

An organisation can demonstrate its privacy bona fides by conducting privacy impact assessments (PIAs) on its internal initiatives and privacy health checks on its wider organisational practice. Privacy bona fides will be reinforced by committing to remediation and improvement steps.

For organisations pursuing best practice, we think proof of performance involves:

  • Committing to a regular program of privacy assurance for BAU projects and for the organisation as a whole

  • Engaging external, independent experts to conduct assurance, especially where the stakes are high

  • Publishing the results of, and responses to, assurance activities

To sum up: we believe an organisation can increase its trustworthiness by providing evidence that it is following through and doing what it says it will do.

Participating in Privacy Awareness Week 2022

IIS is once again proudly supporting PAW this year. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point. Please reach out if you would like further information or assistance with your PAW initiatives.