Learning from other people's mistakes

I am grateful to Tim Goswell for reminding us of the Pareto Phone breach and the article published by the ABC back in October sharing the details.

An employee of Pareto said - "The client would send us millions of rows of data" - "I don't ever recall that data being removed from our system."

The key lesson here is one of minimising data. Australian Privacy Principle 11 clearly states that information that is no longer required should be destroyed or de-identified. Or is it...

Time and again we continue to learn that these significant breaches can be linked back to either a failure of process or a failure to follow process.

You are only as strong as your weakest link.

For many organisations, the failure to understand where and how they may have risk of breaching regulations is a serious issue. You may have fantastic cyber security in place but, if you are not reviewing your privacy compliance policies and practices regularly you may be blissfully unaware of where there are gaps.

For those of you who are thinking about privacy and how best to ensure you are complying with regulations, you should consider:

  1. Setting up a standing working group of stakeholders from all areas of your organisation that are responsible for setting policies for how information should be handled and how best to enforce these policies.
  2. Reviewing your policies. I have read countless privacy policies and while many are great, I have yet to find one that did not miss some requirement. When looking at internal policies the gaps may be even larger. Documenting policies takes time, effort and (of course) cost. While I understand the temptation to push this to the "back burner" and focus on more interesting or lucrative things, the reality is that if staff do not understand what they are required to do, you may soon find yourself discussed in a similar article.
  3. Training, training, training! I cannot stress enough how important it is to ensure all staff are regularly trained on how to handle personal information and the impact on the organisation should there be a breach of regulation. Privacy is not just about technology and process; culture is a vital component. Please foster a culture of privacy protection.
  4. Privacy Impact Assessments are now a vital tool. While not required under the APPs (yet), it is part of overseas regulations and has been best practice in Australia for over 10 years. Every new project or change to a system should require a PIA to determine where and how personal information will be used and protected.
  5. Ensure you have some form of data catalogue that details where you store personal information, where it was collected, the purpose for which it was collected and a classification that indicates the policies to follow when managing this data. To help ensure staff understand the various data classifications, print posters and infographics that can be displayed around the office as a reminder to all of the importance of data.
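As an added illustration of points 5 and the APP 11 minimisation lesson above (this is example code written for this page, not anything from Pareto Phone or from the author), the following sketch shows what a minimal data catalogue entry can look like and how a retention check can run over it. The classifications, retention periods and sample datasets are all constructed assumptions; a real organisation would take them from its own policies and legal obligations.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention windows per classification, in days. None means the
# data holds no personal information and carries no retention limit.
RETENTION_DAYS = {
    "PUBLIC": None,
    "INTERNAL": 365 * 7,
    "PERSONAL": 365 * 2,
    "SENSITIVE": 365,
}


@dataclass(frozen=True)
class CatalogueEntry:
    """One row of the data catalogue: where it lives, where it came from,
    why it was collected, how it is classified, and whether it is still needed."""
    dataset: str
    location: str
    collected_from: str
    purpose: str
    classification: str
    received: date
    still_required: bool


def retention_action(entry: CatalogueEntry, today: date) -> str:
    """Decide what the catalogue owner should do with an entry.

    - "destroy-or-deidentify": no longer required, so APP 11 applies now.
    - "review": still claimed as required but older than the policy window,
      which needs a documented justification.
    - "retain": within policy.
    """
    if entry.classification not in RETENTION_DAYS:
        # An unknown classification is a policy gap, not something to guess at.
        raise ValueError(f"unknown classification {entry.classification!r}")
    if not entry.still_required:
        return "destroy-or-deidentify"
    limit = RETENTION_DAYS[entry.classification]
    if limit is None:
        return "retain"
    if today > entry.received + timedelta(days=limit):
        return "review"
    return "retain"


def overdue(entries, today: date):
    """Return (dataset, action) pairs for everything that is not simply retained."""
    return [
        (e.dataset, retention_action(e, today))
        for e in entries
        if retention_action(e, today) != "retain"
    ]


# Constructed sample catalogue; names, dates and locations are made up.
TODAY = date(2024, 1, 15)
SAMPLE_ENTRIES = [
    CatalogueEntry("donor-extract-2019", "s3://archive/donors/", "client bulk upload",
                   "campaign calling", "PERSONAL", date(2019, 3, 1), still_required=False),
    CatalogueEntry("staff-directory", "hr-db.staff", "employee onboarding",
                   "payroll and contact", "INTERNAL", date(2023, 6, 1), still_required=True),
    CatalogueEntry("health-survey-2022", "survey-db.responses", "web form",
                   "research", "SENSITIVE", date(2022, 11, 10), still_required=True),
    CatalogueEntry("press-releases", "cms.public", "marketing team",
                   "publication", "PUBLIC", date(2015, 1, 1), still_required=True),
]

if __name__ == "__main__":
    for dataset, action in overdue(SAMPLE_ENTRIES, TODAY):
        print(f"{dataset}: {action}")
```

Run as a script it lists the two datasets that need attention: the old client extract that nobody needs any more, and the survey data that has outlived its policy window while still being claimed as required. The point of the catalogue is that this question can be asked at all; without a record of what was collected, why, and whether it is still needed, the "I don't recall that data being removed" situation is the default.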

I hope you will all learn the lesson that others have shown. Failing to have the right policies and procedures in place, or not ensuring staff understand and follow them, is your number one area of risk.

As always, if you have questions or would like to talk with me about any concerns you have about your organisation's privacy compliance, please get in touch and I will be happy to talk.

#pii #privacy #governance #risk

More articles by Richard Harris