8 Nov 2017

Running a business can be complex and you may find yourself in a position where you are not meeting certain legal obligations. After years of working with small businesses, we have found that one of the most overlooked aspects of running a business is how data is managed and secured.

How you collect and manage customer data is incredibly important as it carries legal, moral and financial implications. The first step in ensuring your obligations are being met and the data is being managed securely is to understand what information you collect. Once this is understood, it is important to identify your responsibilities regarding its storage and what steps will be taken to protect this information.

1.   Important data to consider

Personal Information

Personal information is any information or an opinion about an individual who can be reasonably identified from that information or opinion. Information might not be personal information by itself but can become personal information when it is linked to other available information to identify an individual. This may, depending on context, include a person's name, date of birth, phone number, bank account details or commentary about a person, and, in the age of big data, may also include information like a person's web browsing history or online purchases.

Corporate information

This is information that is collected during normal business activity with another company or government agency. Be it a supplier, customer or partner, this information should be treated with the same sensitivity as personal information. Corporate information can include non-public information about the company, your particular relationship with them, any sensitive financial information as well as any intellectual property and documentation that has been provided to you in the course of conducting business.

2.   The law

The Australian Privacy Act provides guidelines and regulations with regard to the collection, use and storage of personal data. The Privacy Act contains the Australian Privacy Principles (APPs); these principles cover:

  • The open and transparent management of personal information including having a privacy policy
  • An individual having the option of transacting anonymously or using a pseudonym where practicable
  • The collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
  • How personal information can be used and disclosed (including overseas)
  • Maintaining the quality of personal information
  • Keeping personal information secure
  • Right for individuals to access and correct their personal information

There are also separate APPs that deal with the use and disclosure of personal information for the purpose of direct marketing (APP 7), cross border disclosure of personal information (APP 8) and the adoption, use and disclosure of government related identifiers (APP 9).

Not all APPs are going to apply to your business, but if you are storing clients' personal and identifying information it is best to think about your responsibilities and plan accordingly.

Legal obligations around the storage and use of corporate information are a bit more abstract. An understanding will be formed at the time of conducting business with the company or government body. Often this understanding is implied rather than explicitly documented. Should there be a breach, you may not face federal ramifications; however, the company would be within their rights to bring legal action against you for any negligence that resulted in loss. Therefore it is advised that any corporate data the business holds should be managed with the same care as personal information.

3.   Securing sensitive information

The approach you take to securing this information should be multi-faceted and consideration should be given to the following factors:

  • Governance, culture and training – allocating appropriate training and resourcing as well as fostering a culture amongst staff that values privacy and security.
  • Internal practices, procedures & training – As per the APPs, entities are required to take reasonable steps to establish and maintain practices, procedures & systems that comply with the Act. Make sure these measures are all documented.
  • ICT Security – employ effective ICT security for both your hardware & software to protect from misuse, interference, loss, unauthorised access, modification or disclosure.
  • Access security & monitoring controls – help protect against internal and external risks by ensuring that only authorised persons have access to secured information.
  • Third party providers (including cloud computing) – entities have a responsibility to understand where and how their data is being managed by the provider. It is important to also consider ‘ownership’ of any information.
  • Data breaches – establish a response plan that outlines clear lines of authority and assists in the containment of any breach. Ensure that all staff and contractors are aware of the correct procedure and understand the importance of reporting in line with the established policies.
  • Physical security – what steps, if any, will ensure that physical copies of information remain secure. Consider whether the design of your workspace facilitates good privacy practices.
  • Destruction and de-identification – establishing procedures for when information is no longer needed or has passed any required retention period is required under the APPs and is generally good business practice.

This is a quick look at businesses’ responsibilities when dealing with personal and corporate information. If you would like more in depth information, please refer to the Office of the Australian Information Commissioner https://www.oaic.gov.au

Now that you know what to look for, we’ll provide some essential steps on how to protect this data. Stay tuned for our upcoming posts on simple and effective approaches to achieve this!
