INSIGHTS: Privacy Awareness Week 2024 | Understanding transparency, accountability and security

May 3, 2024

Authors

Hayley Bowman, Special Counsel, Meridian Lawyers
John Florio, Solicitor, Meridian Lawyers

Privacy Awareness Week (PAW) 2024 is an annual campaign led by the Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC). PAW seeks to promote and raise awareness of the importance of protecting personal information.

The focus of this year’s PAW campaign is on privacy and technology; specifically the principles of transparency, accountability, and security.

In basic terms, these concepts can be described as:

  • Transparency: The best privacy practices start with being open and honest. Your business must be transparent about how it handles a customer’s personal information.
  • Accountability: Privacy is the right to be free from interference and intrusion, and it is highly valued by Australians. Maintaining good privacy practices should be a foundation of your business and is crucial to maintaining the trust of clients and customers.
  • Security: Your business must continually use the right tools to guard against known and emerging threats, and be able to adapt to the rapidly changing privacy landscape.

Outsourcing client data to third party service providers

Of particular emphasis in this year’s PAW campaign is how the same basic privacy principles apply, regardless of the technology used across the lifecycle of personal information.

Many organisations, large and small, entrust and outsource client data containing personal information to third parties (such as software companies and marketing agencies).

However, before exchanging any personal information with a third party, it is important to undertake a number of checks to understand how that service provider will use, store and otherwise handle that personal information.

Prior to entering into these arrangements, it is important to thoroughly review and understand the contractual arrangements with the third party service provider.

In the unfortunate event of a data breach in relation to personal information that an entity has disclosed to a third-party service provider, it is likely the business that collected and disclosed the personal information, rather than the service provider, will be the culpable party.

With privacy reform imminent in Australia, it is imperative that businesses remain on top of and well positioned to meet the privacy standards customers expect.

Key considerations

The following factors should be considered when engaging third party service providers:

  • Is the service provider contractually obliged to:
    • adhere to all laws, including privacy laws?
    • maintain data security standards consistent with good industry practice?
    • provide appropriate indemnities to compensate your organisation for any losses that arise as a result of a breach of any privacy laws or cyber security obligations by the service provider?
  • Is the service provider obliged to notify you immediately of any suspected or actual data breach involving that personal information?
  • Is the service provider contractually obliged to hold and maintain adequate cyber insurance?

Good privacy practice – ten basic steps to protect your business

By implementing these ten basic steps, you can help your business maintain good privacy practices:

  1. Familiarise yourself with, and regularly train all staff on internal privacy policies, processes and procedures
  2. Know who is responsible for privacy in your business
  3. Consider privacy during project planning
  4. Only collect the personal information you need
  5. Check that your proposed use or disclosure of personal information is permissible
  6. Do not disclose personal information to overseas recipients without thoroughly understanding the recipient’s privacy practices and putting necessary safeguards in place. Best practice is to keep personal information within Australia
  7. Take extra care when handling ‘sensitive information’
  8. Restrict access to personal information to only those with a ‘need to know’ requirement
  9. Keep personal information secure, and
  10. Familiarise yourself with your business’s data breach response plan.

For further information including tips on protecting privacy, we encourage you to visit the OAIC website.

How we can help

Meridian Lawyers assists organisations and individuals in addressing their privacy obligations.

We are experts in advising clients on their privacy and data security obligations, including managing responses to data breaches, developing privacy training materials, and negotiating appropriate contractual arrangements before any personal information is exchanged with service providers.

If you have any questions about your obligations in collecting, handling, disclosure, or storage of personal information, or require assistance in reviewing your privacy practices and procedures, please contact Special Counsel Hayley Bowman or Solicitor John Florio.

Disclaimer: This information is current as of May 2024. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.