Did you know it was Privacy Awareness Week last week? We shared a few tips on our Facebook page, and today we’re going into more detail about the importance of protecting personal information both online and in the workplace.
Just like you shouldn’t share a photo of your car packed up to go on holidays with the street sign and house number in the background, you need to protect your employees and your customer’s personal information. Even companies with robust systems in place suffer from data breaches at times!
In 2020, 1051 data breaches were reported to the Office of the Australian Information Commission (OAIC), relating to either:
- human error – like the time that the Department of Foreign Affairs and Trade forgot to use the BCC function when sending a bulk email to Aussie travellers stuck overseas last October.
- system faults – such as the leaky Elasticsearch database, which left 5 billion Keepnet Labs record exposed in March 2020
- criminal or malicious attacks – such as the Westpac bank SMS phishing scam in March 2020 or the COVID-19 payment phishing email, which used Australian Government branding
So, how can you minimise your risk and make sure you aren’t oversharing in the office?
Only collect what you need
When you build a form, whether it is one that you stick on a clipboard or add to a landing page on the website, it is tempting to find out everything from date of birth to whether they bat for the same football team you do.
Instead of asking for their life story, you need to determine what information you need and how the business will use it. Too often, companies collect data “just in case” they need it. With no plan or strategy to leverage this data, it gets shelved, using valuable storage space and leaving you open to a data privacy breach. Plus, a short form provides a better user experience – who wants to spend half an hour slaving over a form?
Disclose the use
Honesty and transparency are essential for building trust with your customers around data collection and use. Even when people are happy to share their intimate relationship details on Facebook, they don’t always like to give details like their medical history, place of work or income level to an organisation if they don’t understand how the company will use it.
Secure it
As we mentioned on Facebook, 123456 is not a secure password, despite (and because of) the fact that 23 million people use it. But as well as using passphrases and multi-factor authentication to ensure that your digital data is secure, you also need to consider in-office security. Is paperwork with personal information secured in a locked filing cabinet? Are people’s computer screens angled so that a passer-by couldn’t peek at some confidential information over their shoulder? In today’s digital world, some businesses can forget the basics of in-office security.
Put the A into accountability
While it is crucial to lead by example and train all staff members to understand and follow your privacy policy, you also need to know who is ultimately accountable for managing privacy in your office. They will need to understand the business’s responsibilities under the Privacy Act and manage staff access to personal information stored on the system or in the office. They will also be the go-to person for any complaints, enquiries or correction requests.
Have a Data Breach Response Plan
If you do suffer from a data breach, do you know what to do? It is crucial to act quickly to deal with the issue – this isn’t the time to play ostrich. Some of the steps you need to take include:
- Find out what data was stolen or accidentally shared
- Notify the OAIC if the breach will put people at risk
- In the case of a malicious attack, hire a cybersecurity expert to get to the bottom of how the breach occurred and stop the data leakage. They should be able to remove the hacker from the system and patch up the vulnerability
- Identify how the breach occurred
- Put in place measures to ensure that it doesn’t happen again
- Record the evidence of the violation in your company records
- Notify your customers of the data breach and how it impacts them
Data privacy is a big deal, and you need to act quickly and decisively in case of a breach. If big businesses like Facebook and the Australian Government can be affected, then you can too. Let us know if you need a hand putting some data governance in place in your office.
For more info on data security, check out our recent blogs on cloud security and Mac security.