Privacy for Business
The privacy and technology landscape is changing – now is a critical time for your organisation to get privacy right.
This Privacy Awareness Week, the OAIC is urging Australian businesses and other organisations to ‘power up’ on privacy.
With privacy reform on the way, make sure you are well positioned to meet the privacy standards your customers will expect.
Transparency
Clarity matters
The best privacy practice starts with transparency. If your business or organisation is collecting personal information from people, you must be open and transparent about how you will handle it.
Transparency needs to apply both within your organisation – so staff know the parameters and requirements they work within – and outside it.
Most critically, the people whose information you hold need to be clear on what you will use their information for, and give their informed consent where required.
If you are thinking of doing something new – whether that’s developing or deploying new technology such as generative AI or biometrics, or a new tool or process – make sure privacy requirements are front and centre from the outset, not bolted on afterwards.
Know what’s in the box
Be clear on what data your organisation has, where it’s stored, why it was collected, and how you are protecting it. Are you meeting privacy and security requirements? Unnecessary personal information poses unnecessary risks.
Some practical steps are to:
Do the housekeeping
Is your organisation holding information it doesn’t need? Map the information life cycle, and ensure appropriate review, retention and destruction schedules are in place. Don’t forget to consider information held by third-party providers.
Seek informed consent
Make sure your privacy information is clear, accessible, and accurate when seeking consent.
Apply privacy by design
Embed good privacy practices into the design of products and services from the beginning. Privacy impact assessments will help you adopt a privacy by design approach, including when looking at new technologies.
Accountability
Show your privacy leadership – in good times and bad
Privacy is a human right and it’s one Australians value highly. Maintaining strong privacy practices should be a foundation of your business.
A strong privacy posture and culture across your organisation supports customer and consumer trust, as well as protecting against harms.
It also helps position your organisation for the future – particularly with privacy reforms on the way.
Good privacy practices include how you deal with problems and breaches, so be prepared to act quickly, openly and thoughtfully.
And remember that outsourcing services or activities doesn’t mean outsourcing responsibility: be vigilant when using third-party providers.
By making sure privacy is firmly on the leadership agenda, and empowering staff to be strong custodians of privacy in day-to-day practice, you will have a stronger, more secure and privacy-aware organisation.
Only collect information you need
Consider what personal information your organisation is asking for. Is it necessary? Look at forms, processes and technology such as app settings. Set the default to only what you require.
Some practical steps are to:
Apply high standards
Don’t just follow the rules: get ahead of them. Make great privacy practices a strength.
Act fast — don’t delay
If you suspect a data breach, be flexible and adaptive. The required steps (containing the breach, assessing the harm, and notifying affected people and regulators where required) should be taken simultaneously or in quick succession where possible, rather than strictly one after the other.
Embed a strong privacy culture
Make privacy a leadership priority and foster a strong privacy culture at all levels.
Security
Protect personal data
Power up the security of personal information in your organisation by using the right tools and guarding against known and emerging threats.
Having the right processes in place will help you keep your customers’ (and other) personal information safe.
That means strong data governance, and reviewing and strengthening access security and ICT security measures, including the ability to detect and respond to threats. Pay particular attention to emerging threats such as the increasing use of credential stuffing, where attackers replay username and password pairs leaked from other breaches against your login pages, relying on people reusing passwords across services.
Look at additional authentication requirements, such as multi-factor authentication, to secure systems containing sensitive personal information: a stolen or reused password alone is then not enough to get in. And shore up human risks with regular, clear and accessible staff training.
Ensure you have processes to detect and respond to cyber threats in a timely manner – and report cybercrimes, cyber security incidents or vulnerabilities to the Australian Signals Directorate’s Australian Cyber Security Centre.
You can power up your organisation’s privacy settings with the help of the resources on our website – find out more below.
Power up your people
The human factor is a dominant theme in data breaches. Three key things you can do are:
- promote staff awareness about secure information handling practices
- look for technology solutions that help staff (such as email filtering)
- design systems and processes that anticipate and minimise the risk of human error.
Some practical steps are to:
Guard against impersonation
Access to customer accounts through credential stuffing, and compromised staff access, are key issues to look out for. Strengthen identity management and authentication steps, and monitor login activity so that a burst of failed logins across many accounts from one source is noticed and acted on.
Use the right tools
Have up-to-date privacy management and data breach response plans, and make use of our guidance and tools. Apply recognised cyber security mitigation strategies, such as the Australian Signals Directorate’s Essential Eight.
Lock the doors
Assume human error will occur and design for it. And choose wisely when outsourcing the handling of personal information to service providers and contractors; make sure the right security measures are in place.
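The credential-stuffing threat named under “Protect personal data” and “Guard against impersonation” has a recognisable signature in authentication logs: one source address trying many different usernames in a short time, mostly failing. The following is an added example (not OAIC material or guidance) of detection logic over constructed sample log lines. The log line format, the source addresses, the usernames and the thresholds (five distinct accounts within five minutes, at most half succeeding) are all assumptions for illustration; tune them to your own systems.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumes a hypothetical log line format (an assumption, not a real product's):
    <ISO timestamp> src=<ip> user=<username> result=<success|failure>
Thresholds are illustrative only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log. 203.0.113.7 cycles through many accounts in seconds
# and lands one success (the stuffing pattern); 198.51.100.9 is a single user
# mistyping her password a few times before getting in.
SAMPLE_LOG = """\
2024-05-06T09:00:01 src=203.0.113.7 user=alice result=failure
2024-05-06T09:00:02 src=203.0.113.7 user=bob result=failure
2024-05-06T09:00:03 src=203.0.113.7 user=carol result=failure
2024-05-06T09:00:04 src=203.0.113.7 user=dave result=success
2024-05-06T09:00:05 src=203.0.113.7 user=erin result=failure
2024-05-06T09:00:06 src=203.0.113.7 user=frank result=failure
2024-05-06T09:01:10 src=198.51.100.9 user=grace result=failure
2024-05-06T09:01:25 src=198.51.100.9 user=grace result=failure
2024-05-06T09:01:40 src=198.51.100.9 user=grace result=failure
2024-05-06T09:02:05 src=198.51.100.9 user=grace result=success
"""


def parse(text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "success",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that, within `window`, tried at least
    `min_users` distinct accounts with a mostly failing outcome.

    Many distinct usernames from one source is what separates stuffing from a
    legitimate user mistyping a password, so the check is on distinct users,
    not raw failure count. Any successes inside a flagged window are reported
    as likely compromised accounts so they can be locked and the owners told.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(e["ok"] for e in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": successes,
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {summary}")
```

The single-user source with three failures never trips the rule because it only touches one account; the rotating source is flagged as soon as five distinct accounts appear in the window, and the one account it got into is listed for follow-up. In production the same logic would run against your identity provider's sign-in logs, and a flagged window is also the trigger for forcing multi-factor authentication or a password reset on the affected accounts.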
Test your knowledge
Test how ‘powered up’ your privacy settings and knowledge are with our quick quiz, and claim your reward.
Did you know?
The Privacy Act covers organisations with an annual turnover of more than $3 million and some other organisations.
If your business is not covered by the Privacy Act, you can opt in as a public commitment to good privacy practice.
Become a PAW supporter
Becoming a PAW supporter gives your organisation access to our supporter toolkit to help increase privacy awareness among your staff, customers and stakeholders. It shows your commitment to good privacy practice and advancing the privacy rights of individuals.
Additional resources for business
Want to know more about best practice in privacy, and responding to data breaches?
There is a range of information available from us (the Office of the Australian Information Commissioner) at the links below. We have also included links to a range of other very useful resources.
- Privacy management plan template
Our privacy management plan template can help you develop a privacy management plan for your organisation.
- Privacy for health service providers
Find out how health service providers must uphold the privacy rights of patients.
- Responding to a data breach
Access our resources for organisations and agencies to help prevent and manage data breaches.
- Protect your business and customers – cyber security advice
Access cyber security resources for businesses, including the Essential Eight mitigation strategies, from the Australian Signals Directorate’s Australian Cyber Security Centre.
- Privacy breaches involving cyber incidents
The Australian Signals Directorate’s Australian Cyber Security Centre’s incident management capabilities provide technical incident response advice and assistance to Australian organisations that have been, or may be, impacted by a cyber security incident.
- Report a cybercrime, incident or vulnerability
You can report a cybercrime, incident or vulnerability to the Australian Signals Directorate’s Australian Cyber Security Centre. For advice, you can also call the Australian Cyber Security Hotline 1300 292 371 (1300 CYBER1), which is contactable 24 hours a day 7 days a week.
- Protecting identity information
Find out more about collecting, storing and disposing of identity information securely and responsibly, and how to keep your business and customers safe from identity theft.
- Uplifting privacy protections
Read more about the work to progress the Australian Government’s response to the Privacy Act Review Report.