The tag line for Privacy Awareness Week (PAW) 2023 is “Back to Basics.” This encourages organisations to take stock of their current practices, existing data holdings, and any high-risk areas. Taking stock now will prepare you to respond to legislative change that is on the horizon for later in 2023.
For more information about potential reforms to the Privacy Act 1988 (Cth), see:
What are your current collection practices?
To improve your privacy compliance – as is increasingly expected by the regulators and the public – you need to know what data you hold and where your risks are. The first step in this process is to reflect on what data you are collecting and ask yourself:
- Do you need it?
- Should you be collecting it?
- Are you entitled to collect it?
- Do you need consent to collect it?
- Is the collection fair and not unreasonably intrusive?
While for many years data was treated as an asset, Victorian Privacy Commissioner Rachel Dixon has recently observed that data should be viewed as neutral on the balance sheet, because the risks of non-compliance and data breaches weigh against its value.
Given the regulatory and reputational risks of data breaches, organisations are encouraged to practise data minimisation: collecting and storing only the information you need, and only what is relevant to your functions and activities.
What are your existing data holdings?
The next step is to map your existing data holdings. That can sound technical, but it simply means listing every location where you store data, and what is stored in each.
This means thinking about every digital and physical location where you store information about individuals. Schools, early learning centres and other charities commonly run many different programs and systems, including customer relationship management programs such as Compass and Consent2Go.
Reviewing your existing data holdings gives you the opportunity to identify what you no longer need, and therefore what you can delete. This is another data minimisation strategy. Deletion and destruction must, however, be tempered by reporting and retention obligations. For example, charities often have reporting obligations or audit requirements in funding contracts, and Victorian independent schools are subject to retention requirements set by the Public Records Office Victoria. Where minimisation and retention pull in different directions, good data governance is needed: a clear schedule that tells staff when information can lawfully be deleted, and, going forward, automation of that deletion so it does not depend on someone remembering.
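As an added illustration of the "automate this process" point (example code written for this page, not a tool the firm or the article provides): a small Python check that takes a constructed inventory of data holdings, applies placeholder retention rules, and reports which records may now be deleted, which must be retained and until when, and which must not be touched because of a legal hold. Every retention period, system name and record category below is hypothetical and chosen only to show the mechanics; none is a statement of what any law, records authority or funding contract actually requires.

```python
# Added example (not from the original article): a retention-aware deletion
# check over a constructed data inventory. The retention periods are
# placeholders for illustration, not the periods any law, records authority
# or funding contract actually prescribes.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    source: str                 # who imposes the obligation
    years: int                  # keep for this long after the trigger date
    categories: frozenset       # record categories the rule covers


@dataclass(frozen=True)
class Record:
    system: str                 # where it is stored (digital or physical)
    category: str               # what kind of personal information it is
    trigger_date: date          # when the retention clock starts
    legal_hold: bool = False    # complaint/litigation hold: never delete


@dataclass(frozen=True)
class Disposition:
    action: str                 # "hold", "retain", "delete" or "review"
    keep_until: Optional[date]
    reasons: tuple              # the rule(s) that decided the outcome


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, rules: list, today: date) -> Disposition:
    """Decide what may happen to one record on the assessment date.

    Conflicting obligations are resolved by taking the longest one: the
    record may only be deleted once every applicable period has expired.
    """
    if record.legal_hold:
        return Disposition("hold", None, ("legal hold in place",))
    applicable = [r for r in rules if record.category in r.categories]
    if not applicable:
        # No mandated retention: deletion is a business decision, so flag it.
        return Disposition("review", None, ("no retention obligation found",))
    deadlines = {r.source: add_years(record.trigger_date, r.years) for r in applicable}
    until = max(deadlines.values())
    controlling = tuple(sorted(s for s, d in deadlines.items() if d == until))
    if until <= today:
        return Disposition("delete", until, controlling)
    return Disposition("retain", until, controlling)


def plan(records, rules, today):
    """Return (record, disposition) pairs for the whole inventory."""
    return [(r, disposition(r, rules, today)) for r in records]


def summary(records, rules, today):
    """Count records per action, e.g. for a governance report."""
    counts = {}
    for _, d in plan(records, rules, today):
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed inventory and placeholder rules (all values hypothetical).
RULES = [
    RetentionRule("funding contract audit clause", 7, frozenset({"grant acquittal"})),
    RetentionRule("records authority schedule", 25, frozenset({"student file"})),
    RetentionRule("internal retention policy", 2,
                  frozenset({"excursion consent form", "grant acquittal"})),
]

RECORDS = [
    Record("Compass", "student file", date(2010, 12, 31)),
    Record("Consent2Go", "excursion consent form", date(2019, 11, 20)),
    Record("shared drive", "grant acquittal", date(2015, 6, 30)),
    Record("shared drive", "grant acquittal", date(2018, 6, 30), legal_hold=True),
    Record("mailbox export", "marketing enquiry", date(2016, 1, 5)),
]

TODAY = date(2023, 5, 1)   # assessment date for the run below

if __name__ == "__main__":
    for rec, d in plan(RECORDS, RULES, TODAY):
        print(f"{rec.system:14} {rec.category:22} {d.action:7} "
              f"{d.keep_until or '-'}  {'; '.join(d.reasons)}")
```

Two design points matter more than the code itself. First, the retention schedule is data, not logic: when a funding contract or records authority changes a period, you change one line rather than hunting through scripts. Second, the script never deletes anything; it produces dispositions that a person signs off on, and a legal hold short-circuits everything else. Automating the decision is safe; automating the destruction should only follow once the decisions have been reviewed for a few cycles.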
Where does your organisation face high privacy or data security risks?
Now that you know what you collect and what you hold, you are positioned to identify your highest privacy risks and the steps that will mitigate them. Some common risks to consider:
- contractors, and sharing information with third parties;
- human error breaches, such as emails sent to the wrong address or lost devices; and
- cyber security weaknesses, such as misconfigured firewalls, and phishing.
How we can help
Please contact us for more detailed and tailored help.