Hit enter to search or ESC to close
12 January 2021
The biggest change of the Privacy Act 2020, which came into effect on 1 December 2020, was the requirement for businesses to notify the Privacy Commissioner of a privacy breach.
Adopting a privacy breach response plan and holistic privacy management framework, can help ensure businesses are prepared to meet these new obligations.
While every business is different, there are some common steps owners and managers can take to reduce the risk of non-compliance, and their exposure to compensation claims.
Prepare, implement, and test a response plan. This should cover notification obligations under the Privacy Act as well as any other notification steps that may be relevant to your business. Ensure a copy of the plan can be accessed remotely even when systems are locked down following a breach.
Carry out a privacy review (or ‘privacy health check’) to make sure you understand the full life cycle of information within your business, and your privacy practices are up to date.
Review your supplier and customer contracts to ensure appropriate provisions are incorporated to reflect the new breach notification obligations. Consider the impact on other provisions, including force majeure, liability, data sovereignty, confidentiality, announcements, and disaster recovery.
Consider whether your data strategy delivers on your purpose and is consistent with your business values. Does it identify your strengths, weaknesses, and maturity level regarding data?
Ensure your privacy statements are up to date, and accurately and transparently reflect your collection, use and disclosure of personal information.
Update your internal policies and procedures (eg. privacy policies, IT security policies) to support your data strategy and privacy management framework.
Provide regular training to make sure your staff are aware of the policies and procedures in place, and understand their obligations.
It is important your privacy framework is integrated across teams to ensure appropriate security measures (including access controls) are in place to prevent and minimise the risks of a privacy breach.
Make sure you have a clear record-keeping and document destruction process in place to ensure the information you hold is up to date and securely destroyed when no longer required.
There is a risk that a privacy breach could lead to legal and regulatory claims. You should ensure your processes for responding to, investigating, and reviewing a breach take legal privilege into account.
Review insurance policies to ensure these are appropriate to your business and the risks associated with a privacy breach.