Even the most sophisticated privacy system won’t work well unless some key basics are in place first, writes Privacy Commissioner Michael Webster.
When developing effective privacy practices, many agencies focus on implementing the ‘hard stuff’, like strong data security and rigorous compliance regimes. While these are very important measures, they won’t be as effective as they could be unless they are built on a strong privacy foundation.
The Privacy Act requires all agencies to have at least one person who’s familiar with the agency’s privacy obligations and fulfils the role of a privacy officer. Not only is this a legal requirement, but the privacy officer also helps serve as a centre of excellence for all things privacy.
However, feedback we’ve received, including from company directors, and our own observations suggest to us that a number of organisations have not formally appointed privacy officers, or haven’t given them the visibility and authority that they need to ensure the Privacy Act is complied with.
It’s difficult to see how organisations can implement good privacy practices if they don’t even have a privacy officer (who is known to, and active in, the organisation), which is one of the most basic requirements of the Privacy Act.

Michael Webster
Training staff about privacy is another simple but important step that helps people understand privacy and makes sure they’re up to date with their knowledge. Again, feedback we’ve received suggests leaders of a number of organisations are not confident that privacy training is both available and taken up within those organisations.
Free e-learning modules
There are free e-learning modules on our website (some take just 30 minutes) and lots of other training and development opportunities. Training is a reasonably quick and cost-effective way to upskill staff, especially for people handling personal information.
The low figures relating to privacy officers and training contrast with the feedback we’ve had relating to breaches. Over half of organisations said they had policies or procedures in place to help manage privacy breaches, and fewer than 10 percent said there were no policies in place.
It raises the question of whether even the best breach policy is helpful if that organisation doesn’t have a privacy officer or adequately trained staff in place to lead the response to a breach and to make sure the organisation implements any improvements they identified.
The feedback also suggests that organisations are focusing on ‘big issues’ like resolving privacy breaches, without checking their practice is grounded in solid basics like training.
It’s important agencies implement these simple measures. Having a privacy officer and training staff will help agencies improve their privacy practices and put them in a better place to develop and enforce more complex privacy practices like developing breach management plans.
My message to agencies is: make sure you have the privacy basics covered first – they matter.
Michael Webster is New Zealand’s Privacy Commissioner.










