How to promote good organisational privacy practices

Most leaders understand the importance of privacy and the need to protect and respect sensitive information, but perhaps there is less awareness about the benefits that good privacy practices can bring. By Privacy Commissioner, Michael Webster.

Respecting privacy is as much about driving business success as it is about taking steps to avoid harm.

Most managers understand the importance of privacy and how they need to protect and respect sensitive information about their organisation, staff, and clients, but there is less awareness about the benefits that good privacy practices can bring. 

Reducing the risk of privacy incidents and getting rewards from treating privacy as an important business function are best seen as two sides of the same coin – managing privacy risks will improve business outcomes, while having privacy discussed at the highest level of management will, in turn, help companies minimise their privacy risks.

Privacy breaches can happen to any organisation – large or small, in any profession. Even the best privacy practices can’t provide total protection from a breach, but they can help keep you safer and put you in a better place to respond and recover.

What are some of the steps you can take to promote good privacy practices?

Be over-prepared: It is definitely better to be over-prepared and plan for the worst-case scenario, especially when it comes to keeping client information safe. Given the devastating impact a cyber-attack can have, it is very sensible to make sure you are adequately prepared both to prevent an attack from occurring and to respond to it effectively should it occur.

Know your obligations: Make sure you understand the obligations of the Act on you and your company. The Privacy Act requires all agencies to have at least one person who’s familiar with the agency’s privacy obligations and fulfils the role of a privacy officer. While this is a legal requirement, it’s also important your privacy officer has the legitimacy, the tools, and training needed to do their job effectively.

Train staff: As good as your privacy officer might be, don’t just rely on them to make everything all right. Businesses should train all their staff on the importance of respecting the right to personal privacy, especially when they handle client or customer information.

Business processes: Ensure your IT systems and associated business processes are fit for purpose. Most breaches reported as ‘human error’ have their root cause in an IT system or business process that is not fit for purpose. People make errors when they are relying on workarounds for systems that don’t make it easy to do their work.

Retention and deletion policy: Know what private information you hold, and have a retention and deletion policy in place that is actually implemented. Ensure your IT systems have internal access controls so that staff can only access the information they need to do their role. Then audit those settings, both to confirm they are working and to proactively identify any unauthorised access.

Breach response plan: Businesses should have an up-to-date privacy breach response plan so they know what to do when a breach happens. It’s also good to have a real-life scenario to test and practice this response – don’t just pretend it won’t or can’t happen to you.

By having good privacy practices in place, not only will you be following the law and fulfilling your obligations under the Privacy Act, but you’ll also help reduce the chances of having a privacy breach, either through a mistake, or by being subject to more malicious activity like a cyber-attack or data hack.

Follow the steps outlined, read the information, and use the resources at and it will help protect your business and help you better respond should a data breach happen.

Michael Webster is New Zealand’s Privacy Commissioner.
