Privacy – particularly the protection of personal data – is a hot topic both here and internationally, as organisations struggle to cope with the quantity and transferability of electronic communications.
This Brief Counsel provides some tips for businesses on how to manage privacy obligations in relation to collecting, storing and distributing personal information.
When collecting data, reasonable steps must be taken to ensure that individuals are aware of, among other things, the purpose of collection and the intended recipients of the information. That notification could be given by a note on the organisation's website, or by using a privacy collection consent form.
Only data that is required for the specified purpose should be collected. Consents to collect (and disclose) data should be phrased to reflect this purpose and thought should be given to the breadth of the stated purpose.
The recent report on ACC1 identified several ways to mitigate the privacy risk inherent in information processes. The specific privacy risks for an organisation dealing in sensitive information such as ACC will not be universal, but there are practices of more general application that can be taken from the ACC report:
- ensure that research, actuarial and similar work streams are never conducted on raw, identifiable information. If this is unavoidable, de-identify the data by replacing names with random identifiers
- reduce the organisation's reliance on email
- ensure data loss protection software is in place
- implement an "enter once" (as opposed to multiple entry) policy for any data entry or reporting system, and
- keep personal data only as long as necessary.
Privacy compliant processes should be supplemented by a structured and comprehensive security assurance programme. Security should be treated as a business rather than an IT issue. A security programme would ideally include:
- formal assurance mechanisms implemented within project-based activities
- methods for identifying unusual system access, and
- independent periodic compliance assessments.
The ACC Report highlighted the need to increase staff accountability and awareness and establish clear lines of responsibility within the organisation, specifically:
- the business owner or a member of the executive board should hold ultimate accountability for privacy
- staff roles should be clearly defined and their responsibilities regarding privacy specifically set out and documented
- staff should be given practical, scenario-based training on managing privacy. The training should be operational and use work-related examples, and
- there should be clear ownership of all data held by the organisation, including that on shared hard drives.
Distribution and use of personal data
- Complaints and incidents should be dealt with immediately. Consistent systems and processes should be developed for recording, monitoring and reporting all near misses, privacy breaches and privacy complaints. The resulting privacy incident statistics should be used to support a programme of continuous improvement.
- Data subjects should be aware of their right to make a complaint.
If not, you may be at risk and, more importantly, you may be putting individuals' personal information at risk.
If you need assistance, please contact any of the Chapman Tripp lawyers featured.
1 KPMG and Information Integrity Solutions "Independent Review of ACC's Privacy and Security of Information" (22 August 2012)
The information in this article is for informative purposes only and should not be relied on as legal advice. Please contact Chapman Tripp for advice tailored to your situation.