The APPs require organisations to “take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs”. Putting your mind to privacy after a data breach or complaint is very much shutting the stable door after Phar Lap has bolted (good luck getting him back!)
Good privacy management starts with a good privacy culture in your organisation. Recommended steps to develop this include:
- appointing appropriate roles and responsibilities within the organisation, including a privacy officer (which may soon become mandatory);
- implementing a privacy management plan that aligns your business processes with your privacy obligations; and
- establishing mechanisms for reporting privacy issues to senior management.
An organisation’s privacy regime should also include:
- processes to monitor personal information through its life cycle “prior to collection, once personal information has been collected, while you hold it and once it is no longer needed”;
- mechanisms to identify and manage privacy risks, which might include conducting privacy impact assessments on certain projects or decisions; and
- procedures for receiving and responding to enquiries and complaints regarding your organisation’s personal information holdings.
Setting up good privacy hygiene will also help identify:
- if you’re collecting more personal information than you need;
- whether it is appropriately secured; and
- whether it is destroyed or de-identified regularly.
You should also turn your mind to more technical IT and cyber security considerations such as using off-site servers for backups, for circumstances where a data breach may affect business operations due to the ‘online’ servers being compromised.
With those safeguards in place, and with the implementation of a data breach response plan prepared to minimise the impact of a data breach and to notify the OAIC and affected individuals after a notifiable data breach, your organisation can better weather the storm of a data breach incident!