Do you need an all-in-one online payment solution?sign up
The recent update of the Office of the Australian Information Commissioner’s Guide to securing personal information offers a useful reminder to ensure your treatment of customer data is up to scratch. The media is filled with too many stories of lost recording devices, accidental data releases and unintentional breaches. Even if you do manage to avoid a nasty fine, the resulting reputational damage can hurt or destroy your business.
So, how can a business protect against such damage? There are several basic steps to take to ensure your customer data is safe, says Jeannette Scott, ADMA’s Director – Legal & Regulatory Affairs. One simple fix is not to keep too much of it.
In terms of collection provisions, Scott points to the Privacy Act, which says the collection of personal information should directly relate to, and be reasonably necessary for, current business activities only. “The shorthand term for that is, ‘no fishing’,” she adds. “If you don't need the data right now for current business, you should not collect it. Having a wish list of future plans does not constitute a need. And if you once needed the data but do not need it any longer, you must destroy it or de-identify it.”
Any data collection must be carried out with the customer’s consent, and all data collected must record the time of collection, the source of the acquisition and the nature of the customer’s consent to collect.
“If the regulator or a customer asks for that information then you need to be able to provide it,” says Scott. “So, if Mrs Jones rings and asks how you got her details, you should be able to say, ‘We got your personal information because you entered a competition at this particular shopping centre on August 1, 2014. You filled in one of our entry forms’.”
Scott says all such data collection devices, such as entry forms, must contain a privacy statement. She also suggests businesses include a specific code on the statement that indicates the specific wording used. That code can then be recorded against the information and a log of privacy statements and their actual wording can be kept elsewhere, making it simple for people within the business to identify what it was that a particular customer had consented to. Businesses also need to incorporate a way to capture data and the source of data collection in their collection process.
Once the data enters the business, be sure that only those who need access are given access. This can be as simple as creating different access permissions for different types of staff. Physical data should be kept behind locked doors or in locked cabinets.
“If you allow staff to bring their own devices, make sure you have robust protections in place, including passwords on the devices,” advises Scott. “Make sure sensitive documents are password protected or encrypted. Too often we see businesses taking lots of steps internally but then somebody walks out of the office with a laptop that doesn't have a password and leaves it in the back of a taxi.”
Finally, says Scott, when you de-identify or destroy data after it is no longer needed, make sure it cannot be reverse engineered. Similarly, ensure that data is not identifiable due to context.
“The Privacy Commissioner can introduce fines of up to $1.7 million for a breach,” warns Scott.
While the fines represent a significant penalty, the bigger problem for a business is often reputational damage. “Even where regulatory intervention has been avoided altogether, you can be crucified on social media and it can be very difficult to recover from that,” says Scott.
“Conversely, you can make privacy your point of difference. If you are transparent with your privacy practices and you can demonstrate your commitment to compliance, that may well be a point of distinction for you.”
SecurePay offers a range of fraud mitigation tools.