Privacy Awareness Week Part III: The importance of being privacy prepared

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

The APPs require organisations to “take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs”. Putting your mind to privacy only after a data breach or complaint is very much shutting the stable door after Phar Lap has bolted (good luck getting him back!).

Good privacy management starts with a good privacy culture in your organisation. Recommended steps to develop this include:

  • appointing appropriate roles and responsibilities within the organisation, including a privacy officer (which may soon become mandatory);
  • implementing a privacy management plan that aligns your business processes with your privacy obligations; and
  • establishing mechanisms for reporting privacy issues to senior management.

An organisation’s privacy regime should also include:

  • processes to monitor personal information through its life cycle “prior to collection, once personal information has been collected, while you hold it and once it is no longer needed”;
  • mechanisms to identify and manage privacy risks, which might include conducting privacy impact assessments on certain projects or decisions; and
  • procedures for receiving and responding to enquiries and complaints regarding your organisation’s personal information holdings.

Setting up good privacy hygiene will also help identify:

  • if you’re collecting more personal information than you need;
  • whether it is appropriately secured; and
  • whether it is destroyed or de-identified regularly.

You should also turn your mind to more technical IT and cyber security considerations, such as using off-site servers for backups, for circumstances where a data breach affects business operations because the ‘online’ servers have been compromised.

With those safeguards in place, and with a data breach response plan prepared to minimise the impact of a data breach and to notify the OAIC and affected individuals after a notifiable data breach, your organisation can better weather the storm of a data breach incident!

Copyright © 2024, K&L Gates LLP. All Rights Reserved.