If you are running your own business or you are responsible for someone else’s operation, data security should be at the forefront of your risk management strategy. More than ever, we rely on regular information transfer to manage our affairs. We email, call, share video links and even fax like never before. Electronic money transfer is the main method of payment, and we routinely obtain and store some very private and sensitive information. Put simply, without the handling and storage of sensitive and private data, the majority of businesses these days would not be able to operate.
In Australia, data handling and privacy obligations are defined by an act of Parliament, so it is in everyone’s interest to adhere to these laws. The Australian Privacy Act 1988 (Cth) is rather clear about collection, use, disclosure, data security and transfer obligations. These laws are the foundation of numerous other laws and standards, such as the National Consumer Credit Protection Act 2009 (NCCP), which guides consumer financial services in Australia. So what are the risks in handling sensitive and private information?
- Losing private information;
- Using private information in an unlawful manner;
- Mixing up private information;
- Storing private information in ways that make it easy to steal and subsequently use for fraud.
The consequences of failing to manage data appropriately can be severe for any business and for the individuals responsible for safe data handling. When using private information, the major risk areas are:
- Using private information without the individual’s or organisation’s consent;
- Producing and storing paper copies of private information;
- Using outdated electronic transfer systems;
- Using improper electronic storage systems;
- Allowing untrained staff to handle private and/or sensitive data.
To reduce the risk of data loss and unlawful conduct, business owners and managers should consider the following techniques:
- Conduct a formal risk assessment reviewing data handling and internal systems. You will be surprised how much you can discover and improve by conducting one.
- Ensure appropriate privacy policy and disclosures are presented to the parties whose private data is received and handled.
- Reduce your reliance on paper copies of private data (see our paperless office blog post for details).
- Only use safe, encrypted and proven electronic transfer and storage systems. Systems like Gmail or Box (encrypted version) are a good start.
- Use timed PC screen savers with password protection. The screen saver should activate within 5 minutes of the PC being left unattended.
- Ensure only complex P@s$w0Rds are utilised in the organisation and changed regularly. This can be done by setting up the system requirements and through company policies.
- Reduce private data storage on individual PCs or hard drives. These get lost, become outdated or are disposed of, and are relatively easy to break into.
- Train your staff, conduct security checks on new employees and always ensure they are aware of their legal obligations.
- Carefully plan and manage each staff member’s level of access to your systems.
- If transferring data to other parties, ensure that they have the same level of understanding and the same legal obligations as yourself.
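Two of the controls above (a password-protected screen saver that locks within 5 minutes, and password complexity enforced through system settings) can be checked on a Windows workstation. The script below is an added example, not code from the original post; it assumes Windows 10/11, reads the current user’s screen saver values from the registry and the local account password policy from `net accounts`, and reports any gaps it finds (on a domain-joined PC these settings are normally pushed by Group Policy, so the check confirms the policy actually landed).

```powershell
# Added example: audit a Windows workstation against the screen saver and
# password controls recommended above. Assumes Windows 10/11 and 'net accounts'.
function Test-WorkstationDataControls {
    $findings = @()

    # --- Screen saver: enabled, locks within 300 s, requires a password on resume ---
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $active  = $desktop.ScreenSaveActive -eq '1'
    $secure  = $desktop.ScreenSaverIsSecure -eq '1'
    $timeout = [int]$desktop.ScreenSaveTimeOut        # seconds; $null/empty becomes 0

    if (-not $active) { $findings += 'Screen saver is not enabled' }
    if ($timeout -le 0 -or $timeout -gt 300) {
        $findings += "Screen saver timeout is $timeout s (should be 300 s or less)"
    }
    if (-not $secure) { $findings += 'Screen saver does not require a password on resume' }

    # --- Local password policy: minimum length and a finite maximum age ---
    $policy = net accounts
    $minLenLine = ($policy | Select-String 'Minimum password length').Line
    $maxAgeLine = ($policy | Select-String 'Maximum password age').Line
    $minLen = [int]($minLenLine -replace '\D', '')      # digits only
    $maxAge = ($maxAgeLine -replace '^.*:\s*', '')        # e.g. "42" or "Unlimited"

    # Thresholds below are assumptions for this example, not values from the post.
    if ($minLen -lt 12) {
        $findings += "Minimum password length is $minLen (12 or more recommended)"
    }
    if ($maxAge -notmatch '^\d+$') {
        $findings += 'Maximum password age is unlimited; passwords are never forced to change'
    }

    if ($findings.Count -eq 0) { Write-Output 'All checked controls are in place' }
    else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
    return $findings
}

Test-WorkstationDataControls
```

Run it in a normal (non-elevated) PowerShell session as the user whose desktop you are checking, since the screen saver keys live under HKCU.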
These are only some of the risks and control measures. Every business is different, but the feature most have in common is their reliance on data handling for business purposes.