Monday, May 15, 2017

Privacy Awareness Week

 

Each year, the Office of the Australian Information Commissioner (OAIC) holds a week of events to promote privacy and to encourage best practice among companies and organisations in keeping personal information safe. Each year has a different theme; this year the focus of the week is “trust and transparency”.

“This Privacy Awareness Week (PAW) we explore privacy through the theme Trust and Transparency. This speaks to the consumer and community trust that flows to organisations who handle personal information transparently, and with care, throughout the information life cycle.

Personal data can travel through numerous transactions, media and organisations — but it’s always personal — so it’s important that we take care at every step.”

– Timothy Pilgrim, Australian Information Privacy Commissioner

This year, Rouse Lawyers is a proud partner of Privacy Awareness Week, and we encourage you to take some time this week to think about how you implement trust and transparency within your organisation.

Achieving Trust and Transparency

Achieving trust and transparency with your staff and customers may seem daunting at first, but by following and implementing a few simple steps, you can be on a path towards achieving this goal.

Implementing a clear Privacy Policy, making that policy easily available on your website and holding regular staff training to encourage positive behaviours towards privacy processes are all examples of ways you can create an environment of trust and transparency.

If you are unsure where to get started, the OAIC website publishes many helpful guides to assist you in complying with your privacy obligations (or, if you wish to have a more in-depth conversation, contact us to discuss any privacy-related matter). One such guide is the Privacy Management Plan; implementing a plan is an excellent way to keep you focussed on creating trust and transparency.

Creating a Privacy Management Plan

STEP 1: EMBED a culture of privacy that enables compliance. Good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information. – OAIC

Ways to Achieve Step 1:

  • Create a Privacy Policy in line with the Privacy Act. Having a clear and easily accessible Privacy Policy is the first step in building trust with your customers. When your customers know how you will handle their information safely, they are more likely to engage with your company.
  • Include as part of your induction training a module on what is personal information and the steps you take to protect that information.
  • Conduct staff training where you discuss when personal information can be disclosed and when it cannot.
  • Talk to your staff about risks associated with disclosing personal information. This will not only assist in protecting personal information you hold but may also prevent a staff member from having their personal information misused.
  • Consider any professional or ethical standards that apply to your industry relating to client confidentiality and disclosure of customer information.

STEP 2: ESTABLISH robust and effective privacy practices, procedures and systems. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems. – OAIC

Ways to Achieve Step 2:

  • Conduct regular staff training sessions where privacy is a focus. When you discuss privacy compliance with your staff on a regular basis, it is more likely that your staff will implement your privacy processes correctly.
  • Create a process for handling privacy concerns raised by your customers. Do your staff know how to answer customers’ questions? If your staff are unsure or inadequately trained, your customers may not feel that you are being transparent about how you handle their information.
  • Encourage a culture where concerns and complaints are treated seriously. If your customers feel that you care about their concerns, they will in turn trust you with their personal information.
  • Start thinking about how you will handle a data breach. Consider developing a written procedure and management plan. New obligations on how you must handle data breaches are set to start in 2018.

STEP 3: EVALUATE your privacy practices, procedures and systems to ensure continued effectiveness. Systematically examine the effectiveness and appropriateness of your privacy practices, procedures and systems to ensure they remain effective and appropriate. – OAIC

Ways to Achieve Step 3:

  • Undertake regular audits of your organisation.  Are policies and procedures being implemented correctly?
  • Consult periodically with a privacy expert to keep you up-to-date regarding your privacy obligations.
  • Evaluate the purpose for collecting any personal information. Do you require each piece of information? If not, making the disclosure of that personal information optional is another way to build trust with your customers.

STEP 4: ENHANCE your response to privacy issues. Good privacy management requires you to be proactive, forward thinking and to anticipate future challenges. By continually improving your privacy processes, you will ensure you are responsive to new privacy issues and that implementation will not be a burden.

Ways to Achieve Step 4:

  • Change and adapt your processes and procedures based on the feedback you receive from your staff, customers and internal audits.

We are here to help

Privacy is rarely about secrecy, but is about transparency, security, and choice. It’s about organisations being up-front about their personal information handling practices so that individuals can make informed choices about how they share their information. And it’s about respecting customer trust by maintaining strong security and information handling practices throughout the life cycle of personal data.

Unsure if you are compliant with your obligations concerning personal information, or need to create or update your Privacy Policy? Contact Rouse Lawyers and ask to speak with one of our privacy law experts to discuss how we can assist you with all things concerning privacy law.

Monday, May 8, 2017

Data Security – Show Pony Group Pty Ltd v Black Swallow Boutique Pty Ltd & Ors

Show Pony Group Pty Ltd (“ShowPo”) has settled a dispute with competitor Black Swallow Boutique Pty Ltd (“Black Swallow”) and two individuals, Mr Alexander Baro (chief executive of Black Swallow) and Ms Melissa Aroutunian (a former graphic designer for ShowPo), over the alleged theft of ShowPo’s contact database.

The case highlights the risks of unauthorised use and disclosure of confidential information. It also reveals that sometimes the greatest threat comes from within.

Details of the ShowPo case

ShowPo, a hugely popular online women’s fast fashion retailer, commenced proceedings in the Federal Court of Australia in mid-November 2016. It was alleged that the former employee, Ms Aroutunian, downloaded a copy of ShowPo’s Client Contact List before leaving ShowPo and provided a copy of that list to Black Swallow. According to court filings, the database contained contact information for all of ShowPo’s customers, competition entrants, suppliers and other contacts. It was estimated that the database contained around 306,000 entries.

ShowPo was successful in obtaining an interim injunction (a temporary court order made subject to the subsequent trial of the proceedings) to prevent the three respondents from using or disclosing the Client Contact List.

The proceedings then headed to Mediation, following which the case was finalised by agreement between the parties.

According to the final orders, dated 24 March and 10 April, each of the respondents is permanently restrained from using or disclosing the Client Contact List, and Black Swallow has been ordered to pay $60,000 in compensation to ShowPo over instalments.

The customers of a business are its lifeblood, and their information is increasingly being obtained and stored online. So, what measures can be taken to protect this essential and sensitive information from unauthorised breach? And what can you do if a breach occurs?

Basic Data Security

It goes without saying that effective password management and data security measures are key steps in protecting any sensitive data.

Ask yourself these questions:

  • Do only those employees who need access to the data have access? Do your entry-level staff need admin-level access? In most cases, not all data needs to be known, accessible or editable by every person in the business. Work with your IT/software provider to restrict unnecessary access.
  • Is your data secured on the move and at rest? Use industry-standard encryption (e.g. HTTPS) to protect data in transit, and ensure your data is encrypted whenever it is stored.
  • Are strong passwords being used? Everyone knows that “Password1234” is not secure. But do your staff or your business use their birthdate, street address, family members’ names or a similar formula to choose a password? Do they change passwords by incrementing a digit at the end? Do they use the same work password for their social media accounts? Consider training your staff to use a reputable password manager to generate unique passwords for each account, or implement mandatory periods after which your staff need to change their system passwords.
  • Are system passwords being stored securely by staff? Do your staff share passwords with each other? Do they allow others to use their accounts? Hint: passwords should not be scribbled on a post-it note and stuck to your computer monitor! If everyone knows Johnny’s password, then everyone can use his account with impunity. A reputable password manager can even allow the business to generate secure passwords and grant access to the system without disclosing the password to the employee at all.
  • When an employee leaves, is their account access immediately suspended and the password reset? Do your staff contracts contain confidentiality provisions, and do you remind them of their obligations post-termination? Even if you part with an employee on good terms, leaving the gate open is never a good idea.
  • Do your staff know what to watch out for to avoid falling victim to scam or phishing emails? Consider training your staff on how to identify illegitimate emails by visiting www.scamwatch.gov.au.
  • Does your system log users’ access and activities? Do you get automatic alerts if unauthorised access occurs? Server access logs are vital evidence if the worst should happen.
  • Are your devices and those used by your staff secure? You wouldn’t leave the house without locking up: Don’t leave your desk (or your smartphone) without doing so! Physical and digital security is critical. Keep all your systems patched with the latest manufacturer and vendor updates.
  • Are all your eggs in one basket? Backups, backups and more backups. Ensure they are kept securely too, to guard against deletion, data corruption, and ransomware or cryptoware attacks. Backups also allow you to resume or continue business operations more quickly in the event of a disaster.
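As an added example (not from the original post), here is a small detection routine in the spirit of the logging and offboarding items above: it raises an alert when a user's contact-record exports exceed a daily limit, summed across chunks so that splitting a large export does not evade it, and when an account is used after the employee's recorded last day. The log lines, user names, HR feed and limit are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample application log (not real data): ISO timestamp, user,
# action, number of records touched. Users are placeholders for illustration.
ACCESS_LOG = """\
2016-11-01T09:12:03 u.alpha VIEW_CONTACT 1
2016-11-01T09:13:10 u.bravo VIEW_CONTACT 1
2016-11-02T18:41:55 u.alpha EXPORT_CONTACTS 600
2016-11-02T18:43:02 u.alpha EXPORT_CONTACTS 600
2016-11-04T10:05:17 u.bravo EXPORT_CONTACTS 25
2016-11-07T22:15:40 u.alpha LOGIN 0
"""

# Constructed HR feed: last day of employment for staff who have left.
TERMINATED = {"u.alpha": date(2016, 11, 3)}

DAILY_EXPORT_LIMIT = 1000  # assumed policy value: records per user per day

def parse_log(text):
    """Parse space-separated log lines into (timestamp, user, action, count)."""
    events = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events

def detect(events, terminated=TERMINATED, limit=DAILY_EXPORT_LIMIT):
    """Return alerts for (a) exports that exceed the daily limit, summed per
    user per day so that chunked exports are still caught, and (b) any
    activity by an account after the employee's recorded last day."""
    alerts = []
    exported = defaultdict(int)   # (user, day) -> records exported so far
    flagged = set()               # (user, day) pairs already alerted
    for ts, user, action, count in events:
        day = ts.date()
        if action == "EXPORT_CONTACTS":
            exported[(user, day)] += count
            if exported[(user, day)] > limit and (user, day) not in flagged:
                flagged.add((user, day))
                alerts.append(("BULK_EXPORT", user, day.isoformat(), exported[(user, day)]))
        last_day = terminated.get(user)
        if last_day is not None and day > last_day:
            alerts.append(("POST_TERMINATION_ACCESS", user, ts.isoformat(), action))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(ACCESS_LOG)):
        print(alert)
```

In practice the HR feed would come from your payroll or identity system, and the export counts from the application's own audit log; the point is that offboarding and bulk-export checks are only as good as the logs that feed them.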

In case of emergency…

Knowing what to do if a breach occurs can make the difference between swift recovery and absolute disaster.

  • Consider engaging a data security consultant to develop a disaster management plan – you’ll need to manage both your IT and your PR.
  • Train your staff to be security conscious and identify and report risky and suspicious behaviour.
  • Know how to lock down access to the system to prevent further breach. Continuing to operate on a compromised system can be risky.
  • Know how to quickly obtain your evidence and act quickly as soon as you discover a breach. As in the ShowPo case, in some circumstances with quick action it is possible to obtain interim court orders to protect your position before the horse has bolted.

References

Show Pony Group Pty Ltd v Black Swallow Boutique & Ors (Federal Court of Australia, File No. NSD1984/2016) [ https://www.comcourts.gov.au/file/Federal/P/NSD1984/2016/actions ]

If you have concerns about the security of your client data, contact Rouse Lawyers today to discuss how we can assist you.