Secret agents: choosing the right people and tools to meet new privacy obligations

Data has become the currency of modern business – and with that comes real obligations.

Time to read: 4 mins

Nicola Hankinson | National Technical Manager

Under the new Privacy Act, which came into force in December 2020, New Zealand organisations are required to have privacy officers to ensure information is protected, yet more accessible to the people it relates to.

With recent high-profile cyberattacks on the NZX and Reserve Bank, the need for strong protections is obvious. There is also increasing global regulation around how data is shared. However, that also puts great responsibility on the people whose job it is to monitor compliance. The role of privacy officer is a key one for every organisation, so choosing the right member of your team for the role and supporting them with the right technology and resources will help your business avoid a $10,000 fine, or a public relations nightmare.


What is a privacy officer and what do they do?

In short, the privacy officer is the champion of privacy in their organisation. They make sure all the business’s activities are compliant with the new Privacy Act and report any breaches to the Privacy Commissioner. Their role is also to raise awareness of these obligations across the wider organisation.

Greg Taylor | Business Development Manager, Taranaki

Although it shouldn’t require too much time on top of their everyday role, it does take someone who’s willing to spend the time getting up to speed on the obligations and training others on the requirements. They should also be someone who is well respected in their workplace, to ensure the privacy message is heard and followed at all levels of the organisation.

Key things they’ll need to look out for are whether personal information such as CVs or personnel records are deleted regularly when staff leave, that contracts and engagement letters clearly state how data will be treated and stored, and whether Anti-Money Laundering (AML) requirements are followed. The AML/CFT Act requires much more information about clients to be gathered than previously, and can involve relying on information provided by third parties, so it’s a great place for a privacy officer to look for weak spots. Businesses need to investigate exactly how third parties they are engaging with treat information, what it’s being used for and why it’s being collected. This can include cloud storage providers.

Finally, it’s the privacy officer’s responsibility to report serious data breaches. While it’s only a requirement in cases of serious harm, they’ll need to know what that looks like. Developing a privacy breach response plan is essential to ensure the right steps are followed, and that information can be retrieved if necessary.


How can you support your privacy officer?

Luckily the government has developed some useful resources to help new privacy officers. There are free 30-minute training modules that can be viewed on the Office of the Privacy Commissioner’s website, and the website also provides tips on how to know if a data breach is considered serious enough to report. There are also privacy officer roundtables (PORTs) in all major centres to provide a network of support for new officers.

However, it’s important to note that a privacy officer is only one person. All staff should know the thirteen Privacy Principles and how they apply to their organisation as well as who to go to if a breach occurs. This includes situations such as laptops with personal information or client details being left on trains, or inadvertently clicking on a dodgy link that leaves the door open to hackers. Many people may not realise New Zealand organisations can also be liable for breaches of international law such as the European Union’s GDPR regulations if they’re doing business across borders. An annual refresher session for all staff is a valuable way of making sure everyone remembers their obligations.

As a business, it’s also a good idea to go through standard engagement letters and other agreements to ensure these are still fit for purpose. The old notion of storing information in case it’s needed one day is not appropriate when it comes to personal information.

The 13 Privacy Principles of the Privacy Act 2020

Boosting privacy with the right tech treatment

Another way to make compliance easier is to invest in the right security software and practices. Purchasing or leasing secure solutions like Microsoft 365 or Trend Micro antivirus software is important, as is ensuring this is the business-grade edition rather than the standard home version. However, protecting your data doesn’t need to cost the earth.

Passwords seem like an obvious thing, but too many people still use basic and easily guessable passwords like ‘password123’. Passwords are the low-hanging fruit hackers look for, using automated tools that cycle through the top 20 or 30 most common passwords to attempt to get into your office systems. Try a sentence rather than a word, or substitute numbers for vowels. Advising team members against storing passwords on a Post-It note stuck to the computer screen is also a good rule of thumb: it is a more common behaviour than you might think! A free password vault like LastPass is worth investigating, as it stores passwords securely without relying on busy people’s memories.

Sharing personal data beyond your organisation without the individual’s permission, or with people who don’t need to know, is now against regulations. Simple rules can be set up via tools like SharePoint to ensure files are only shared with the people who need access. It’s also easy and advisable to lock down individual USB ports so key files can’t be copied from business computers and on-sold or shared, something several clients have experienced. A chat with your current IT provider can quickly get these sorted.

Another great way to ensure everyone is being vigilant is to do regular email checks, something else your IT provider can do. For example, an email that mimics a typical phishing email can be sent to all staff, and this monitors who clicks on suspicious links or opens attachments.

The majority of businesses and privacy officers should be able to manage their Privacy Act requirements very well, with a little preparation and investment in the right tools.

DISCLAIMER No liability is assumed by Baker Tilly Staples Rodway for any losses suffered by any person relying directly or indirectly upon any article within this website. It is recommended that you consult your advisor before acting on this information.
