The battle against cybercrime has been big news for big business for months now. Just ask the executives at Optus and Medibank. But is has implications for businesses of all sizes.
In our companion article: Lock the digital doors: cybercrime and your business we discussed how you can protect your business against cybercrime. In this article we take a look at your responsibility to protect your clients’ privacy.
Protect their privacy
If your business has a turnover of over $3 million, you need to comply with the Privacy Act of 1998. Even if you come in under this number, there may be situations where you need to comply with the Act. Under the Privacy Act you are required to protect your clients’ data privacy from a whole range of threats including theft, misuse, unauthorised access and disclosure. When you no longer need client data you are obliged to either destroy it or de-identify it.
This point is increasingly important. Many businesses, big and small, have collected lots of customer data. But whilst that data may improve your ability to serve your clients, it needs to be managed well. “Too many businesses have client information stored using old technologies. Some may have ‘lost’ that data in old databases,” says Fordham Partner, Adrian Palone. “So that data has changed from being a business asset into a business risk. If you’re holding client data in your computer system you need to know it’s safe, secure and you need processes and technologies that help you delete that data once you no longer need it.
Privacy is heavily regulated,” says Adrian. “And that regulation is only going to get more rigorous. In short, it doesn’t matter how big your business is – customer privacy is your responsibility.
The trust factor
It’s important to understand the legal risks and sanctions involved in data loss and breaches of your customers’ privacy. But there’s also significant reputational and brand risks involved in any breach because consumers are increasingly conscious of their data privacy. A 2020 survey by the Office of the Australian Information Commissioner revealed that privacy is a major concern for 70% of Australians. Nearly 90% want more control and choice over the use of their personal information. Very few businesses can comfortably afford the data-breach sanctions governmen t are discussing today. But no business can afford to lose its customers’ trust.
"When trust is lost, a nation’s ability to transact business is palpably undermined.”
Alan Greenspan
Your Customer Privacy action plan?
So what are the concrete steps your business can take to improve management of your customers’ data? Perhaps the first step is to understand what counts as personal information. In effect it’s anything that can be used to identify an individual. It can include:
- Name
- Signature
- Date of Birth
- Address details
- Bank details
- Medical records
- IP address
- Photo and video content.
When things go wrong
If your business is covered by the Privacy Act, you have a legal responsibility to report any customer data breach both to the individual/s affected and to the Office of the Australian Information Commissioner (OAIC) via this link. The site does more than just facilitate a breach notification. It has useful information on how to respond to the data breach and how to prepare a data breach response plan. It’s an invaluable resource.
Understand the act
The Australian Privacy Principles outline how businesses need to act to conform to the Privacy Act. The guidelines cover the whole gamut of personal information issues, including but not limited to:
- how businesses should manage, use and disclose personal information
- how they collect personal information
- how and when they must notify customers that they’re collecting information
- how they secure personal information.
A key part of the principles is the requirement that businesses generating revenue of over $3 million must have a Privacy Policy that covers the issues discussed above plus detail how a customer could complain if you breach the Privacy Principles and how that complaint would be handled. The Office of the Australian Information Commissioner has a handy guide to how to draft a privacy policy.
And act on it
Developing a Privacy Policy is a legal requirement which businesses must comply with. Beyond this legal requirement, it has a more important role. “The importance of the Privacy Policy is that it gets businesses to methodically think through – and operationalise – how they handle their customers data. That’s why companies that don’t legally need a Privacy Policy should have one anyway.” Many businesses also publish and promote their Privacy Policy on their corporate website, so their customers know this is a business that protects their privacy.
What next?
As you can see from the brief outline above, protecting your clients’ data is important – and getting more so. There are cybercrime consultants who can help you and the Australian Cyber Security Centre and Privacy agencies are focused on helping small and medium businesses manage the risks.
If you have any questions about privacy issues, about drafting and implementing a Privacy Policy and about broader data security initiatives, reach out to your Fordham Partner. They can advise on an approach that’s tailored to your business and your clients.