Five steps to protect your customer data – and your firm’s reputation

By Anna Johnston, Principal, Salinger Privacy

From protecting against a significant data breach, to managing the challenges of new technologies like generative AI, it’s no surprise that privacy risk management is now top of mind. Clients, staff and business partners expect brokers and advisers to have foundational processes and compliance documents in place.

And with the maximum penalty for serious or repeated breaches of the Privacy Act recently raised to $50M or more, and further reforms expected in 2024, now is the time to get your house in order.

Here are five steps your business can take.

Check your inventory
Every business needs good data to operate effectively. But with data management come privacy risks and privacy obligations. Do you know where all your data is?

Start by conducting an inventory of personal information held by your firm. Include personal information about staff, contractors and others, as well as clients.

Identify and document the following, for each area of the firm:
• what personal information is held
• where the information is held, and who has stewardship of or responsibility for each database or set of records
• why the information is collected, and the purposes for which it is used and disclosed, and
• whether information is held by third parties on your firm’s behalf, including by contractors and service providers, and where those third parties hold the data.

Publish a Privacy Policy
It is a legal requirement to maintain an up-to-date and publicly accessible Privacy Policy. Ensure your Privacy Policy is available from a link on the footer of your website.

Your Privacy Policy must outline:
• the kinds of personal information that your firm collects and holds
• the purposes for which personal information is used or disclosed
• whether your firm is likely to disclose personal information to overseas recipients
• how a client, staff member or other person may access personal information that your firm holds about them, or seek correction if warranted, and
• how an individual may complain about a breach of privacy, and how the firm will deal with their complaint.

Check your collection points
The Privacy Act requires you to notify people, at or before each point where you collect their personal information (or, if that is not practicable, as soon as practicable afterwards), of how that information will be handled. This Collection Notice is not to be confused with your Privacy Policy: it must be specific to the personal information being collected at that point. Collection Notices should be concise and in plain language, while still giving enough detail about how you propose to collect, use or disclose the individual’s personal information.

You must tell people:
• what information is being collected
• if providing the information is mandatory
• how you will use it
• to whom outside the organisation it might be disclosed (especially if overseas), and
• how the person may access or correct it.

Upskill and guide staff and contractors
Employees need to be actively engaged in good privacy practices for a compliance program to be effective. Staff need training to be able to understand their obligations, know how to implement those obligations in the firm, and know where to go for advice. Your firm should also have a plain language Privacy Manual for staff, and ask staff to sign an undertaking specifically about their privacy and confidentiality obligations.

Also review and revise the contractual requirements for third parties which have access to personal information held by your firm, or which hold personal information on your behalf. This should include everything from large-scale technology procurement processes, to small companies hired to perform a specific function, to advisers, consultants or individual contractors who might have access to personal information as part of their role with your firm.

Be prepared
A ‘data breach’ means any incident in which personal information has been lost, or has been accessed or disclosed without authorisation. Data breaches which are likely to result in serious harm to one or more affected individuals must be reported to the Australian Privacy Commissioner, and to the affected individuals. If you only suspect that an incident meets this threshold, the Privacy Act gives you 30 days to assess it, so the assessment itself needs to start as soon as the incident is discovered.

Develop a Data Breach Response Plan, to ensure your firm is ready and knows how to quickly and effectively respond in the event of a data breach. A Data Breach Response Plan should include clear responsibilities and procedures to follow, as well as template notification letters.

Privacy compliance is more complex than just respecting client confidentiality. Recently increased penalties for non-compliance, as well as the loss of client trust in the event of a data breach, suggest professional advisory firms should become more proactive in their management of privacy compliance.

Secure your privacy compliance with a SIAA Member offer
SIAA has partnered with Salinger Privacy to obtain a special membership rate on a suite of pragmatic privacy compliance resources for your business, including templates, checklists and training modules. Use the discount code SIAA20 to receive 20% off any of the following Compliance Kits from Salinger Privacy:
• Essential SME Paperwork
• Data Breaches and Privacy Complaints
• Using and Disclosing Data
• Everything for Businesses

Salinger Privacy also offers privacy compliance training modules; contact them to discuss your needs.