Businesses have an obligation to educate and prevent staff from employee browsing, or looking up data for their own interest, writes Michael Webster.
As New Zealand’s Privacy Commissioner, it’s my job to promote and protect individual privacy. Privacy needs to be a core business focus in the same way health and safety is, and as managers it’s important to be savvy about what privacy is, how it works, and where you might go wrong. Here are some easy mistakes business leaders make:
Mistake one: Assuming staff know how to protect and respect people’s privacy: I encourage all businesses to train their staff on the importance of respecting the right to personal privacy, especially when they handle client or customer information.
Businesses have an obligation to educate and prevent staff from employee browsing (looking up data for their own interest). We see this practice reported as privacy breaches and they range from accidental to malicious.
An easy way to prevent this is to have clear policies about employee browsing in your agency’s code of conduct, educate staff about what it is (and not to do it), and have clear consequences.
Mistake two: Thinking you’ve done enough to protect yourself from malicious cyber-attacks: There isn’t anything wrong with planning for the worst-case scenario; in fact, I encourage people to be over-prepared, especially when it comes to keeping client information safe. Ignorance and inevitability are not legal defences under the Privacy Act.
I recommend as minimum-security that all staff have secure and strong email passwords – long phrases with additional numbers. Tricks like making your way through a catchy song you know all the lyrics to is also a good bet for long and strong.
Two factor authentication (2FA) is another valuable tool in the breach prevention kit and there’s several options there from text message to apps. And, of course, businesses need to ensure their device software is up to date.
Mistake three: Personal information is only ‘sensitive or private’ information: Personal information is any information that can identify a person.
Names are the most basic example. But there’s also addresses, contact details, employment or medical records, bank details, a picture of a face, an NHI number, or sometimes even someone’s opinions on social media.
When you think about it, all sorts of things have the capacity to contain personal information including notes, emails, recordings, photos, and scans.
Whether this is in hard copy or digital format it’s covered by the Privacy Act 2020 and managers need to be clear about how they’re managing that.
Mistake four: Privacy breaches happen to other people: We have seen that privacy breaches can (and do) happen to anyone or any organisation in any demographic or profession. The media will often cover the larger breaches that get reported, but smaller organisations can breach a client’s privacy too and sometimes in very simple ways; giving information to unauthorised staff (like delivering a letter to the wrong house), not correcting personal data when asked (like not removing a record of debt that a client never had), or taking personal information without informed consent (like unauthorised filming in the workplace).
Mistake five: The 13 Principles of the Privacy Act are complicated: Having a dedicated staff member focused on helping your organisation comply with its privacy obligations is a requirement under the Privacy Act. Agencies must appoint at least one individual as a privacy officer (who is responsible for ensuring the organisation complies with the Privacy Act). Find out who your privacy officer is because they should be a great source of knowledge and will assist your business to know what it should be doing to comply with its privacy obligations.
Michael Webster is the Privacy Commissioner. More information at privacy.org.nz