The Sydney Morning Herald reports that over 186,000 people were affected by a phishing attack on Service NSW back in March 2020 and has suggested that a large amount of the personal information obtained was in the form of scanned documents (such as scans of identity documents, like passports and licences, or banking and Medicare details). For its part, Service NSW states that over 3.8 million documents were stolen, of which 500,000 contained customer information.
This is unfortunately another example of an organisation's privacy and data security practices letting it down, and ultimately copping some bad press.
So how do you avoid becoming the hottest scoop for all the wrong reasons?
Simply put, privacy and data should be at the centre of your organisation's systems development and training. As the year winds down, it is an ideal time for organisations of any kind to review their privacy and data-keeping practices.
Ideally you will want to take a top to bottom spring clean, a full data audit of your organisation by an independent professional… but 2020 has been a tough year and it’s time for some easy wins, so here are our top three things you can do, right now to spruce up your approach to privacy and data security.
1 – Don’t collect it (or keep it) if you don’t need to!
How do you cut the costs of bandwidth and data storage, and save yourself a lot of privacy concerns? Cut down on the personal information you collect! You should ask yourself (and your management teams): what information are you collecting about people, are you collecting identity documents, and if so, why?
If the answer is anything less than “we have specific legal advice saying we must keep this” then you may wish to consider whether your practices should change.
We know businesses, from real estate agents, to accountants, to pubs and clubs, love to collect identity documents, but they're not always required, and even when they are, they don't always need to be kept on file. If you do collect identity documents, then consider:
– Do we need it to begin with?
– Do we have a valid purpose for collecting it?
– If yes, do we need to actually keep a copy or just a record that we have seen it?
– If yes, can we record this identity verification by another means and keep the verification instead of the identity document?
For example, you might need to obtain a copy of someone's driver's licence to do some identity checks. Once the checks are done, will it be sufficient to have a signed file note recording that a senior employee has done this verification, and then destroy the copy of the licence?
While changing any process takes time, doing so will save you time and money and avoid the risk of disclosures (and public commentary).
2 – Keep it secret, keep it safe
If you do need to keep a person's documents with their details, don't let email become your organisation's de facto document storage. Use a file management system.
Where possible, any files you collect, hold, and need to send (at least internally) should be housed within an encrypted file system. Ideally, if you are using a document management system, you can simply send a link to a document rather than the document itself. This is not only more secure, but it also guards against accidental disclosure by staff: provided the link is restricted to authenticated users within your organisation (rather than "anyone with the link"), someone external to your organisation won't be able to use it.
If you're sending files externally, use a secure file sending facility. There are myriad options on the market, and with many organisations using Microsoft's 365 package, OneDrive is very useful for this. Remember to apply password protection and access settings to your files, and you are now significantly safer than using email.
Using a file storage/sending facility will usually involve a system separate from your email. Again, the added benefit here is that if your email is compromised, there's a good chance your separate systems will still stand.
Once you've convinced your organisation to all participate in this practice, it's a good idea to speak to your IT team about archiving and taking offline your email database from before this practice. Remember, all those emails you've already sent will continue to linger and continue to be a data risk until they're deleted.
3 – Train your staff in privacy like you train them in WHS
This is another easy win. We've all either had to sit through, or train people on, work health and safety. Why? It's not just a legal requirement and a concern for directors, but because it's important: a workplace injury can have long-lasting and tragic impacts on a person.
Of course, so too can a privacy breach. The circumstances and immediacy might be different, but a privacy breach can haunt your organisation and those affected. So why not have routine training and a solid onboarding program to ensure your staff are privacy and data conscious?
Unlike some WHS issues, privacy issues can often be harder to spot, especially where there is entrenched practice, or where some of your staff are inexperienced in particular systems and emerging technology. As such, it's important your training is pitched so that all staff know their obligations and gain core competencies in privacy and data handling.
4 – Ask the experts
Okay so we added one more. If your organisation needs to focus on building its business and is time poor when it comes to privacy and data considerations, then ask Hunt & Hunt’s team of privacy experts. Whether you need a foundational workshop, a 360-degree audit, help investigating a suspected data breach or anything in between, Nicholas Commins and our other privacy gurus are ready to assist you.
For more information please contact us at [email protected]
Article prepared by: Nicholas Commins – Associate, Sydney