Privacy is the foundation of trust

Privacy Week 2022 is 9 – 14 May 2022. This year, the theme is Privacy: The Foundation of Trust.
In the blog below, Jared Nicoll from the Office of the Privacy Commissioner outlines the steps small businesses should be taking to ensure information they collect is kept safe.

If you hold personal information, you must protect the privacy and mana of those who have entrusted it to you. As well as meeting your legal obligations, taking care of New Zealanders’ personal information helps ensure people maintain trust and confidence in your organisation.

The Privacy Act applies to any person, organisation, or business that collects and holds personal information about other people. Knowing how to safely manage people’s personal information is a cornerstone for building strong relationships and good business.

For Privacy Week 2022, the Office of the Privacy Commissioner has focused on events and activities to help agencies understand and improve their privacy practices. The theme for this year’s Privacy Week is Privacy: The Foundation of Trust. OPC has collaborated with others across the privacy community to put on a week of webinars and workshops across a broad range of privacy-related topics from 9 to 14 May.

Topics include a panel discussion on Tikanga Māori and Privacy: reflections from the High Court review of decisions about Māori Covid-19 vaccination data; a workshop on cyber-incident response best practice; plus specialist privacy expertise for those working in specific industries including healthcare and education. Visit privacy.org.nz for further details.

To support this year’s Privacy Week events, here is some more information to help those in businesses understand their obligations.

All businesses must have someone familiar with privacy obligations who fulfils the role of a privacy officer. In smaller organisations, the manager is normally responsible for all legal compliance, including privacy.

Only collect information you need

Only collect personal information that’s necessary for a clear lawful purpose. Your purpose is what you’re trying to achieve by collecting the information. For example, it could be to deliver a product or service, or find the right person to employ.

Think carefully about why you are collecting it. Don’t collect people’s identifiers, such as name or phone number, unless they are necessary for your collection purpose. If the personal information you are asking for isn’t necessary to achieve something closely linked to your organisation’s activities, you shouldn’t collect it.

Always try to get it directly from the person when possible, and ensure they understand what you will do with it. If your lawful purpose changes or you want to use the personal information you have collected for an unrelated purpose, you are likely to need the agreement of the people you collected it from.

Store personal information securely

Make sure that you take reasonable steps to store and use personal information securely. You may need a locked cabinet for physical documents, or password protection for electronic files. Do you use portable storage devices such as USBs? Are they encrypted?

Make sure only appropriate people can access the information. Depending on the sensitivity of the information, it may be necessary to set up systems that limit or keep track of who accesses it.

People have the right to access the personal information you hold about them, and to correct anything when necessary.

Don’t keep personal information for longer than you need

Businesses shouldn’t keep information for longer than they need it. Holding more information means a greater risk of a privacy breach. However, retaining key information can be helpful, for example if a customer returns to your service. Remember to ensure people understand what you will do with their information from the start.

Once it is no longer required, dispose of personal information securely so that no-one can retrieve it. For example:

  • remove names, addresses and birthdates from documents before you dispose of them
  • use shredders and secure destruction services
  • wipe hard drives from machines – including photocopiers – before you sell or decommission them
  • delete back-up files as well as originals.

Human error and the need for good email hygiene

More than 60 per cent of privacy breaches last year were due to ‘human error’. Businesses are responsible for ensuring their systems are fit for purpose and that the personal information they hold is protected by reasonable security safeguards.

Poor email hygiene is a common cause of privacy breaches.

One example we were made aware of involved an email containing detailed health information about a group of patients, which was intended to be sent internally to the staff of a medical provider. A typing error in the ‘TO’ field resulted in a member of the public receiving these patients’ medical records. Having their sensitive personal information exposed in this way caused considerable emotional harm to a number of these patients.

Respect the people whose information you’re sending by double-checking who you’re sending it to. Go a step further and use a delayed send option on your email to avoid any hasty mistakes. Always use the BCC field when emailing groups of recipients. If you are emailing sensitive material, encrypt the material. If you do this, the password (phrase or code) should be sent by some method other than email so that the wrong person doesn’t receive both.
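As an added illustration of the pre-send checks described above (this is example code, not from the original post or from OPC), the Python guard below parses an outgoing message and warns when an internal message carries an external or mistyped recipient domain, and when a group of recipients is visible in To/Cc rather than BCC. The clinic domain, the recipient threshold and the sample message are constructed assumptions.

```python
import email
from email import policy

# Assumptions (not from the original post): the organisation's own mail domain,
# and how many visible recipients a group email may have before BCC is expected.
INTERNAL_DOMAIN = "example-clinic.org"
MAX_VISIBLE_RECIPIENTS = 3

# Constructed sample: an internal-only message whose To line contains a
# mistyped address that would send patient details outside the clinic.
SAMPLE_MESSAGE = """\
From: clinic-admin@example-clinic.org
To: nurse.lee@example-clinic.org, dr.smith@example-clinc.org
Cc: records@example-clinic.org, reception@example-clinic.org
Subject: Patient discharge summaries

Discharge summaries for this week are attached.
"""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-keystroke domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_outgoing(raw_message: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return warnings a mail client could show before an internal message is sent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    # Every address that recipients will see: To and Cc, but not Bcc.
    visible = [addr for field in ("To", "Cc")
               for header in msg.get_all(field, [])
               for addr in header.addresses]
    for addr in visible:
        domain = addr.domain.lower()
        if domain == internal_domain.lower():
            continue
        if _edit_distance(domain, internal_domain.lower()) <= 2:
            warnings.append(f"{addr.addr_spec}: looks like a typo of @{internal_domain}")
        else:
            warnings.append(f"{addr.addr_spec}: external recipient on an internal message")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        warnings.append(f"{len(visible)} visible recipients: move group recipients to BCC")
    return warnings


if __name__ == "__main__":
    for w in check_outgoing(SAMPLE_MESSAGE):
        print("WARNING:", w)
```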

When things go wrong

If your business has a privacy breach that is likely to cause anyone serious harm, you are legally required to notify the Office of the Privacy Commissioner and any affected persons as soon as you are practicably able to.

Our expectation is that a breach notification should be made to our Office no later than 72 hours after agencies are aware of a notifiable privacy breach.

All privacy breaches should be appropriately noted so changes can be made to help ensure they don’t happen again.

Further information

Please visit privacy.org.nz for further information about your rights and responsibilities under the Privacy Act.