Making privacy a business priority includes talking about privacy at the governance level, or ‘breaking the mahogany ceiling’, explains Privacy Commissioner Michael Webster.
Your business depends on privacy for trust and reputation, which is often operationalised by the actions of your staff. A new year is a great time to take stock of how privacy is dealt with in your business and make sure you’re set up for success.
Make privacy a business priority
There’s a change in approach and culture needed for business when it comes to privacy. It needs to be treated as a core focus for agencies, as much as health and safety, or good financial reporting, or achievement of key financial and non-financial targets.
I’d like to see all New Zealand agencies talking about privacy at the governance level. It’s a movement I refer to as ‘breaking the mahogany ceiling’.
Under the Privacy Act, every business and organisation in New Zealand is required to have a privacy officer. Empower your privacy officer and give them the resources they need to grow a privacy-protective culture. In this data-rich environment they are a core component of your business’s success, and what you put into that role will be repaid several times over.
Install a two-minute delay rule on emails
Two minutes is almost nothing but could be huge if it’s saving you from a privacy breach. Have your staff add a rule in their email so that when they hit ‘send’ their email hangs around in the outbox for two minutes. It’s a surprisingly quick and effective way to add a safeguard for those ‘oops’ moments and will help stop staff accidentally sending personal information to the wrong recipient.
Check your attachment, every time
My Office recently investigated a case where a person’s personal information was accidentally shared with others from a form she’d filled in. This case resulted in a $15,000 settlement.
A woman completed a form asking an organisation to review its decision on an outstanding debt. Several months later, she received a message from a stranger through a social media site. The stranger sent the woman an image of her own form that they’d been sent in error. It was full of her personal information. The employee in this case had saved the regularly used form on their desktop for easy access and thought they were attaching a blank form each time. A quick check of the attachment before it was sent would have prevented this privacy breach and the significant stress it caused.
Know about employee browsing and take it seriously
Businesses have an obligation to prevent their employees from inappropriately accessing customer information – a practice called employee browsing.
In one example I’ve seen, a person in a position of power looked up the details of a colleague’s partner then used their position to repeatedly sexually harass the partner via text message. The victim felt intimidated, scared, and fearful in their own home so contacted our Office.
Other examples include people looking up the addresses of ex-partners or looking up health information for someone unrelated to their work.
Have a data retention policy
If your business is finished with personal information, you must dispose of it securely, whether it is in physical or digital form. I would caution that you cannot destroy information about an individual if that individual has requested access to it, which they are entitled to do. It is an offence to do so.
A person came to us after learning their credit card had been used for purchases they hadn’t made. Eventually they discovered copies of their personal information, including a driver’s licence, had been stolen from an ex-employer who kept employee information in a locked cabinet that was accessible by several staff, including maintenance workers. The workplace had no policies and procedures in place to ensure the security of the information.
Consider what processes you have in place to make sure you’re deleting information or not holding it too long, and also that you’re not over-collecting it in the first place. You can’t lose what you don’t have, so this is also an effective way of minimising the data that might be shared in a hack.
Michael Webster is New Zealand’s Privacy Commissioner.