Practical tips to proactively manage privacy risk
With the new Privacy Bill due to impact business later this year, Hamish Kynaston explains what businesses can do to proactively protect themselves.
In preparation for the new Privacy Bill, which is set to replace the 25-year-old Privacy Act later this year, and as a matter of good practice, it is essential for agencies to proactively manage privacy risks. Given the speed at which information is being created, reproduced, disseminated and stored, the new Bill is long overdue.
We are now living in the age of ‘Big Data’, which brings both great benefits and significant risks. The Law Commission recommended reform of the Act in its 2011 review; New Zealand has since fallen behind other countries, and privacy law reform has become urgent.
So what can businesses do to proactively protect themselves?
KNOW THE RISKS
• Know your data – Find out what information is held, why and whether it is needed. What are the potential consequences of disclosure?
• Be aware of all risks, not just the obvious ones. Security incidents can come from within – for example, opportunistic or careless employees, service providers or any third parties who have access to your systems.
• Consider the entire data lifecycle. Be aware of the risks during all stages of the data’s life cycle, from collection, use, sharing and storage, to destruction.
• Identify appropriate measures to minimise each risk. These should combine technical, organisational and physical controls.
DEVELOP A PRIVACY MANAGEMENT PROGRAMME OR PLAN
Businesses need to be proactive in this area, rather than waiting for a data or privacy breach to occur. Although not currently mandatory in New Zealand, designing privacy and data security into a business’s systems from the outset will better equip it to deal with these risks. Implementing a privacy management programme or plan will also help it identify and respond to issues as they arise.
A privacy management programme or plan should be tailored to the structure, volume and sensitivity of your operations, and the considerations above will inform its development. Careful planning is necessary to ensure processes are put in place to prevent data breaches and respond appropriately should they occur. When a breach occurs, it is hugely beneficial to have a clear and common understanding internally as to what steps to take.
KNOW WHAT TO DO WHEN A DATA BREACH OCCURS
The following is abridged from the Privacy Commissioner’s current ‘Data Toolkit’, which sets out the recommended process to be followed in the event of a data breach:
Take immediate steps to limit the breach – can the information be retrieved, or other steps be taken to prevent any further disclosure or harm?
Notify the affected individuals directly, whether by phone, letter or email. Indirect notification (for example, a public notice) is less sincere and should be used only as a last resort. Where appropriate, a genuine and prompt apology should accompany the notification.
A notification should come from the agency with a direct relationship with the affected individual. For example, if credit card information is breached at a retailer, the card issuer, which has the ongoing relationship with the cardholder, would be the best agency to inform the affected individual.
Be aware of what breach notifications should contain – given that time is often of the essence where a breach has occurred, it is important to plan ahead so that the notification is comprehensive and can be made quickly. Generally, notifications should include:
– A description of the incident, including when it occurred and the type of information disclosed.
– The agency’s response to the breach: what it is doing to control or reduce harm, any assistance it is offering, and steps the individual can take to protect themselves.
– Contact details of the Office of the Privacy Commissioner.
– How to lodge a complaint to the Commissioner.
Notify the Office of the Privacy Commissioner – the OPC can provide helpful advice on what to do, and is able to assist in the management of a complaint if it has been advised in advance by the agency responsible for the breach. Notifying affected individuals and the Privacy Commissioner about any breach is currently recommended, but these steps are likely to become mandatory when the Bill becomes law (with only a few exceptions).
Prevent a repeat – After a breach occurs, agencies should take time to fully investigate its cause, review policies and practices, and make any changes necessary to prevent future breaches.
Hamish Kynaston is a partner at Buddle Findlay.