It’s been a long time coming but finally, we have a new privacy law – the Privacy Act 2020, which comes into effect on 1 December 2020. That’s pretty soon, but don’t stress too much if you haven’t thought much about what its impact might be on your business – you still have time to get started.
At Simply Privacy we are all about supporting organisations (and their heroic Privacy Officers) to ‘do privacy right’. And to help get you in shape for the new law we’ve made a checklist of the things we think every organisation that handles personal information should do before then.
The big changes are a new obligation to notify the Office of the Privacy Commissioner and affected individuals of serious privacy breaches; greater accountability when transferring personal information overseas (including a new Information Privacy Principle (IPP)); and new and stronger compliance and enforcement powers for the Office of the Privacy Commissioner.
As always, we suggest taking a risk-based approach, prioritising the actions that impact on the more sensitive and/or high volumes of personal information that your organisation handles. If you need more information, the Office of the Privacy Commissioner website has a lot to offer, and of course, if you need some help, we’d be happy to have a chat.
Get your governance settings right
- Appoint a Privacy Officer if you haven’t already – it’s a mandatory requirement.
- Formalise your privacy accountabilities and reporting to ensure that privacy gets the appropriate level of attention and resourcing for your organisation’s risk level and risk appetite.
- Map where personal information sits within your organisation’s systems, and who has access to it.
Prepare for mandatory breach notification
- Ensure the systems holding your more sensitive personal information enable you to determine who has accessed what and when in the event of a breach.
- Check your service providers have satisfactory security safeguards in place.
- Ensure your service providers are required to notify you of a privacy breach and help you deal with it.
- Train your staff so they can identify a privacy breach and know who to report it to.
- Establish a privacy breach response plan.
- Practice your privacy breach response plan with the right people involved.
- Draft some notification communications to have ready to go (for the Privacy Commissioner and affected individuals).
- Think about who else you might have to notify in the event of a privacy breach (e.g. insurers/Police/under contract).
- Ensure you can manage a privacy breach in the midst of a privacy breach (e.g. if you can’t access your systems).
- Play around with the online reporting tool ‘NotifyUs’ on the Office of the Privacy Commissioner website to get a feel for how it works.
Get ready for cross-border information sharing
- Identify what personal information your organisation is sharing overseas, and for what purpose.
- Remember – disclosures to overseas service providers who are not using the information for their own purposes are not covered by the new IPP 12, but must comply with IPP 5 (your data must be kept protected).
If you’re sharing personal information with a ‘foreign entity’ that will use it for their own purposes, ensure:
- An exception to IPP 12 applies to permit the disclosure (document your justification)
- If you want to rely on the contractual exception, your current contracts provide for sufficient safeguards and limitations (The Office of the Privacy Commissioner has issued model contractual clauses that you can use, plus guidance).
- Ongoing governance around cross-border information sharing, to ensure exceptions still apply (e.g. if relying on equivalent laws).
Fine tune your processes for handling information requests
Check your identification verification processes to see if they are fit for purpose, including:
- How to reduce the risk of impersonation.
- Whether your staff understand and can identify when an information request may be made under threat of physical or mental harm.
- Ensure your information request process allows requests for urgency to be appropriately considered.
- Check your automated deletion processes can be paused to allow for the retention of personal information that has been requested under IPP 6.
Consider the relevance of tweaks to other privacy information Principles
- IPP1 – Purpose of collection: Review what personal information your organisation is collecting, including personal identifiers, and make sure it’s all necessary.
- IPP4 – Manner of collection: Check if you collect personal information directly from children/young people and if so, assess whether this is being done fairly, transparently and proportionately.
- IPP13 – Unique Identifiers: Ensure you’re taking appropriate steps to minimise the harm of misuse of your unique identifiers.
Take the opportunity to improve general privacy hygiene
- Check your external facing privacy statement is accurate and easy to understand.
- Use the new law as a lever to get your people thinking about privacy, not just as a compliance exercise but as an opportunity to build trust.
- Consider whether you need to review your insurance coverage.
- Refresh your information security awareness training for your staff – especially around email use and phishing, a significant cause of privacy breaches.
- Don’t forget your employee personal information – you have the same obligations there.
Simply Privacy is a specialist consultancy providing privacy advice, strategy and consultancy services to public and private sector organisations. They believe in a holistic, pragmatic approach to privacy practice and work with their clients to ensure that privacy solutions fit with their business needs and wider goals.