Privacy Awareness Week: 5 tips for improving your organisation’s privacy and cybersecurity practices
Market Insight 05 May 2022
The theme for Privacy Awareness Week 2022 is “Privacy: The foundation of trust.” Accordingly, the Office of the Australian Information Commissioner (OAIC) is spending this week promoting privacy building blocks and simple foundations that businesses can implement to protect personal information. The OAIC challenges businesses to take this week as an opportunity to “check how well your privacy practices stack up.”
Managing the risks associated with privacy and cybersecurity is a large undertaking for any organisation and we expect this will only become more complex with increasing regulation and rising pressure from regulators. To assist businesses with undertaking a review of their information practices, below we have set out our top five best practice tips for businesses to not just comply with, but exceed their privacy and cybersecurity obligations.
1. Review your privacy practices, documentation and systems
The first step is to conduct internal review(s) of your practices and systems from a privacy perspective, including:
- identify which key areas of your business collect, use and/or disclose personal information and sensitive information;
- review your client onboarding process;
- review the processes used to assess new projects for privacy compliance;
- review your personal information retention/deletion program and implementation; and
- for companies with internal audit (IA) programs, add privacy process, documentation and implementation reviews to your IA programs.
Of course, these reviews do not have to be completed all at once and can be done over time. If you are unsure of what to action first, we can help you prioritise in a way tailored to your business needs and current circumstances.
2. Implement robust cybersecurity and privacy standards and practices
As digital transformation continues to pose new risks and liabilities, businesses should look to implement the most robust cybersecurity and privacy standards and practices available.
Some of the best standards include:
- ISO 27001 – The International Organization for Standardization (ISO) 27001 standard is the most widely used cyber/information security standard globally; the extension ISO 27701 (AS 27701) is built on it.
- AS 27701 / ISO 27701 – Takes a risk-based privacy information management system (PIMS) approach (like the information security management system (ISMS) approach of ISO 27001) and is built on top of ISO 27001.
Businesses that implement ISO 27001 and ISO 27701 will have the tools and procedures necessary not only to comply with a breadth of global cybersecurity requirements and privacy laws, but also to uplift their standard controls over the personal information they collect, use and/or disclose. For financial services organisations, it will also assist with your CPS 234 requirements.
3. Invest in cybersecurity awareness training
Human error remains the biggest cyber (and data breach) threat to businesses, yet, in practice, it is one of the cheapest and most cost-effective cyber risks to remedy (or at least reduce).
Phishing attempts and ransomware attacks represent a large and increasing volume of cyber incidents (often resulting in data breaches), yet many employees do not have the training needed to identify malicious links and emails. In a work-from-home (WFH) and hybrid working world, we expect cyber-attacks like these to increase and their tactics to become even more sophisticated, especially in the ‘hot’ sectors of healthcare, financial services, energy, and higher education and research.
Employee training, such as tabletop scenarios and regular cybersecurity/privacy refresher sessions, is paramount and a key line of defence in a landscape where cyber threats continue to increase and evolve. Training helps establish a strong privacy culture, builds organisation-wide awareness of good information security practices, builds ‘muscle memory’ and addresses a preventable cyberthreat: human nature.
4. Consider the potential privacy and cyber implications of workplace initiatives from the outset
Businesses collect personal information from employees during onboarding processes and throughout their working careers. Recently, and commendably, an increasing number of businesses are adopting welcome workplace initiatives such as diversity and inclusion schemes and family abuse prevention programs. While these initiatives are well intentioned, they collect increasing amounts of extremely sensitive information, including ethnic origin, sexuality, medical information, histories of abuse and other intimate details.
It is important that businesses consider the potential privacy and cyber implications of these workplace initiatives ahead of their implementation to avoid inadvertently causing harm. These initiatives are not business as usual (BAU), and the cyber and privacy risk assessments they require are often overlooked in the excitement of implementation.
Businesses must ensure that new programs (and review existing programs to confirm that they) only collect sensitive information:
- with informed consent; and
- only to the extent reasonably necessary for the program (and, also, that the program itself is reasonably necessary for the business’s activities and justifies the collection under the data minimisation principle).
By embedding privacy and cyber considerations and reviews from the design phase of these programs, businesses will:
- have a more streamlined implementation process (by not creating future privacy hurdles);
- incur lower costs when implementing programs (compared to retrofitting a privacy solution further down the line); and
- ensure ongoing compliance and further incentivise staff to participate in these programs.
5. Comply with data minimisation and privacy by design principles
While a business’ commercial instinct might be to collect as much personal information as possible and use it for everything, businesses must moderate this instinct given the potentially significant risks it creates.
Collection and use of personal information remains essential to many business strategies, but it must be more considered and targeted, and centred on privacy compliance, including:
- Australian Privacy Principle 3 – which limits the collection of personal information to that which is reasonably necessary to carry out that organisation’s functions or activities; and
- Australian Privacy Principle 11 – which requires businesses to take active steps to ensure that personal information held is both protected against unauthorised access and compromise, and is deleted or de-identified when that personal information is no longer required (once any legal retention period has expired) for the notified purpose for collection.
Businesses should always seek to minimise the personal information and/or sensitive information they collect, and delete it once it has been used for the notified purpose of collection (subject to any express legal retention periods). Review your most personal-information-heavy projects to ensure that this is the case.
While not part of our top five, you should also consider if you fall within the newly regulated sectors and areas resulting from the new critical infrastructure amendments, including data storage and processing, food and grocery, higher education and research, financial services and markets and/or suppliers to these businesses. If your business is considered to run a critical infrastructure asset, you will face significant new cyber obligations and must review your systems for compliance gaps.
In addition, if your business model includes a customer-facing aspect, you should consider the previous year or two of the Australian Competition and Consumer Commission’s ‘consumer privacy’ cases and rulings and uplift your privacy policies accordingly. Also, with escalating rates of cyber incidents and the ongoing Attorney-General’s review of the Privacy Act, which is expected to lead to greater obligations and higher penalties, businesses should consider cyber insurance. Despite cyber insurance becoming more costly (and more difficult to obtain), we view it as an essential component of any reasonable management of cyber and privacy risks.
How we can help
Clyde & Co’s Cyber & Digital Law team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas, and houses the largest dedicated and market-leading privacy and cyber incident response practice across Australia and New Zealand. Our team is also highly regarded for its expertise and experience in managing all forms of disputes across sectors and international borders, including advising on some of the most high-profile disputes and class actions commenced in Australia.
The firm's privacy, cyber, tech and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, and incident response and post-incident remediation through to regulatory investigations, dispute resolution, litigated proceedings (plaintiff and defendant), recoveries and third party claims (including class action litigation), the team assists clients across the full spectrum of legal services within this core practice area.