A Privacy Compliance Tool to Overcome Common Privacy Issues You Need to Avoid
Compliance with the Australian Privacy Principles (APPs) is non-negotiable for organisations covered by Australia's privacy laws (APP entities). Yet organisational privacy is complex and time-consuming, and compliance considerations too often fall by the wayside as a result.
To help, we've compiled five common APP compliance gaps, the steps that close them, and a tool that assesses and reports on your compliance.
Overcoming Common APP Privacy Compliance Issues
We reviewed and summarised recent Privacy Commissioner decisions in an earlier blog post. During that review, we found that the three APPs attracting the most complaints were:
- APP 6: use and disclosure of personal information.
- APP 11: security of personal information.
- APP 10: quality of personal information, i.e. failure to take reasonable steps to ensure that personal information is accurate and up to date.
We also found that investigations under APP 1 (open and transparent management of personal information) were instigated by the Commissioner rather than arising from complaints.
5 Steps for Organisations to Improve APP/Privacy Compliance
Based on these findings, APP entities should, at a minimum, do the following five things to meet their obligations under the APPs:
Understand Your Personal Data
Understanding what personal data you collect, where it comes from, and why you collect it is the starting point for any privacy program. You also need to know how the data is used and disclosed, and at which point it is deleted or destroyed. In short, you need to understand the data you collect and its lifespan within your organisation.
Once you have a data inventory, map your organisation's data flows: where each category of personal information enters, where it is stored and processed, who it is disclosed to, and where it leaves. Together, the data inventory and the data flow map are the foundation on which your privacy and compliance obligations are met.
Implement a Privacy Management System
Implementing a privacy management system at your organisation is essential for many reasons, including:
- APP 1 requires (amongst other things) that APP entities take reasonable steps to implement practices, procedures, and systems that will ensure they comply with the APPs. In practice, if you're an APP entity, you are required to implement a privacy management system.
- Implementing a privacy management system is the most reliable way to ensure you're proactively managing your privacy compliance across the organisation, rather than relying on individual teams to get it right.
- It gives the board and senior leadership visibility into how privacy risk and compliance are being managed.
Furthermore, a robust privacy management system transitions your organisation away from a reactive privacy approach to a proactive approach that supports compliance and good governance.
Undertake a Privacy Impact Assessment for New Systems, Services and Projects
Any time your organisation considers implementing new systems, services, or projects, your privacy team should undertake a privacy impact assessment at the earliest possible stage.
A privacy impact assessment identifies and evaluates the potential privacy impacts of new systems, services, and projects. It goes on to identify ways to manage those risks.
Organisations that habitually request a privacy impact assessment at the earliest possible stage are empowered to build privacy into the new system, service, or project. This puts the organisation in a better position to achieve win-win outcomes with privacy, instead of ‘privacy compliance’ being an expensive task that is simply checked off before launch.
Train your people
Human error is a major cause of privacy breaches in Australia (and in many places worldwide). To combat this, training and awareness are among the most powerful tools available to an APP entity for preventing privacy breaches and minimising the resulting harm.
Training should be provided during onboarding and at least annually thereafter, because the privacy and security threats your organisation faces change rapidly. Phishing, spear-phishing, and social engineering attacks on Australian organisations continue to grow in sophistication.
Regular training gives your employees current information about privacy and cybersecurity attack trends. It also keeps privacy and security top of mind as they make decisions throughout the year.
Understand Your Legal and Regulatory Privacy Obligations
“If the Privacy Act 1988 covers your organisation, you need to understand your obligations when handling personal information.” – The OAIC
Ignorance is not an excuse under the law. If you're unsure whether your organisation complies with the APPs, it's time to work it out.
Privacy 108's APP Compliance Tool was developed by Dr Jodie Siganto as a simple self-assessment tool to help Australian businesses gauge their privacy compliance.
You will receive a comprehensive report by email, with compliance scoring against the Australian Privacy Principles and clear next steps.