The theme for Privacy Awareness Week 2022 is “Privacy: The foundation of trust.” Accordingly, the Office of the Australian Information Commissioner (OAIC) is spending this week promoting privacy building blocks and simple foundations that businesses can implement to protect personal information. The OAIC challenges businesses to take this week as an opportunity to “check how well your privacy practices stack up.”
Managing the risks associated with privacy and cybersecurity is a large undertaking for any organisation and we expect this will only become more complex with increasing regulation and rising pressure from regulators. To assist businesses with undertaking a review of their information practices, below we have set out our top five best practice tips for businesses to not just comply with, but exceed their privacy and cybersecurity obligations.
The first step is to conduct internal review(s) of your practices and systems from a privacy perspective, including:
Of course, these reviews do not have to be completed all at once but could be done over time. If you are unsure of what to action first, we can assist you in determining this bespoke to your business needs and current circumstances.
As digital transformation continues to pose new risks and liabilities, businesses should look to implement the most robust cybersecurity and privacy standards and practices available.
Some of the best standards include:
Businesses that implement ISO 27001 and ISO 27701 will have all the tools and procedures necessary to not only comply with a breadth of global cybersecurity requirements and privacy laws, but uplift their standard controls in the management of personal information collected, used and/or disclosed. For financial services organisations, it will also assist your CPS 234 requirements.
Human error remains the biggest cyber (and data breach) threat to businesses yet, in practice, it is one of the cheapest and most cost-efficient cyber issues to remedy (or at least lessen).
Phishing attempts and ransomware attacks represent a large and increasing volume of cyber incidents (often resulting in data breaches), yet many employees do not have the necessary training to identify malicious links and emails. In a WFH hybrid working world we expect cyber-attacks like these to increase and tactics to become even more sophisticated, especially in the ‘hot’ sectors of healthcare, financial services, energy and higher education and research.
Employee training, such as tabletop scenarios and regular cybersecurity/privacy refresher sessions, is paramount and a key line of defence in a landscape where cyber threats continue to increase and evolve. Training helps establish a strong privacy culture, builds organisation-wide awareness of good information security practices, builds ‘muscle memory’ and addresses a preventable cyberthreat: human nature.
Businesses collect personal information from employees during onboarding processes and throughout their working careers. Recently, and commendably, an increasing number of businesses are adopting welcome workplace initiatives such as diversity and inclusion schemes and family abuse prevention programs. While these initiatives are well intentioned, they collect increasing amounts of extremely sensitive information, including ethnic origin, sexuality, medical information, histories of abuse and other intimate details.
It is important that businesses consider the potential privacy and cyber implications of these workplace initiatives ahead of their implementation to avoid inadvertently causing harm. These initiatives are not BAU, and often cyber and privacy risk assessments related to them are overlooked during the excitement of their implementation.
Businesses must ensure (and review to ensure existing) programs only collect sensitive information:
By embedding privacy and cyber considerations and reviews from the design phase of these programs, businesses will:
While a business’ commercial instinct might be to collect as much personal information as possible and use it for everything, businesses must moderate this behaviour due to the potential significant risks arising from such behaviour.
More considered and targeted personal information collection and usage, still essential to many informed business strategies, must be centred around privacy compliance, including:
Businesses should always seek to minimise the personal information and/or sensitive information collected and delete personal information and/or sensitive information once used for the notified purpose for collection (subject to any express legal retention periods). Review your most personal information heavy projects to ensure that this is the case.
While not part of our top five, you should also consider if you fall within the newly regulated sectors and areas resulting from the new critical infrastructure amendments, including data storage and processing, food and grocery, higher education and research, financial services and markets and/or suppliers to these businesses. If your business is considered to run a critical infrastructure asset, you will face significant new cyber obligations and must review your systems for compliance gaps.
In addition, if your business model includes a customer facing aspect then you should consider the previous year or two of the Australian Competition and Consumer Commission’s ‘consumer privacy’ cases and rulings and uplift your privacy policies accordingly. Also, with escalating rates of cyber incidents and the ongoing Attorney-General’s review of the Privacy Act, which is expected to lead to greater obligations and higher penalties, businesses should also consider cyber insurance. Despite cyber insurance becoming more costly (and more difficult to obtain), we view cyber insurance as an essential component of any reasonable management of cyber and privacy risks.
Clyde & Co’s Cyber & Digital Law team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas and houses the largest dedicated and market-leading privacy and cyber incident response practice across Australia and New Zealand. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors and international borders including advising on some of the most high-profile disputes and class actions commenced in Australia.
The firm's privacy, cyber, tech and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, and incident response and post-incident remediation through to regulatory investigations, dispute resolution, litigated proceedings (plaintiff and defendant), recoveries and third party claims (including class action litigation), the team assists clients across the full spectrum of legal services within this core practice area.