How Can I Remain Compliant?
Compliance with privacy regulations is an everyday activity. That is why a privacy program is the best way to keep things on track. Have a look at some best practices that can help with monitoring compliance.
1. Start with a List
You’ll probably have personal information saved on your phone, tablet or computer to enable you to do your job – such as the names and contact details of customers, members or clients. You may also have details of upcoming bookings or appointments, or other notes. If you can identify someone personally from something you have stored, then it’s personal information and you need to account for it. Make a list of the personal information that you have, or plan to collect, even if you don’t have much at first. In this list, generalise the types of information (for example, ‘phone numbers of customers’) rather than listing actual phone numbers. Information privacy and protection laws don’t apply when you’re using personal information for purely personal or household activities, so don’t worry about things like your family photo album or your personal holiday planning calendar.
2. The Power of Why
A top goal is to strike a balance between what you want to do with people’s personal information, the benefits it will bring to them or to society as a whole, and any harm that might be caused as a result. If you’re holding or using people’s personal information, it must always be fair as well as lawful. This means you should only use their information in ways they’d reasonably expect; if you obtained their personal information through means that are deceitful or misleading, then everything you do after that (whether you think it’s lawful or not) is unlikely to be fair. You also need a valid reason or condition for using the personal information. Be sure to choose the best condition for the purpose and keep a record of your decision.
3. Think Holistically, with Security Embedded
Check that your security measures line up with the sensitivity of the data you hold. Put stronger security measures in place if the data poses a higher risk or is sensitive. The measures you choose are up to you, but they could include things like locking filing cabinets and putting strong passwords on your devices.
4. Transparency Is Key!
To build trust, it’s essential to explain to people why you hold their personal information, what you'll do with it, and how long you'll keep it before getting rid of it. You should record this information in a document describing your approach to information privacy and protection. This is known as a privacy notice. You should have a privacy notice in place before you collect any information from anyone, so if you don't yet have a notice on your website, it’s best to get one in place now. Contact a privacy professional, consultancy or service provider for assistance with creating a privacy notice, and be sure to include everything you need to for your entity.
5. Beware of Information Access Requests
By law, people have the right to know what personal information you hold about them. There are other rights, too, but one of the most commonly asked questions is how to deal with a request for this personal information, which is known as an access request. Visit the PrivCom Shop to download Access Request templates to tailor to your organisation.
6. Prepare for the Worst
If you lose personal information – such as in a cyber-attack, flood, fire or theft – it could be a personal data breach. If it’s likely to result in a risk to the people affected, you'll need to report it to us. We’re here to help. Soon, we will publish a guide on how to respond to a personal data breach so you know what steps to take in an emergency. If you have questions, contact the Assistant Commissioner/Head of Investigations Unit, Christopher Moulder, at 543-7748.
7. Set Reminders
Data privacy and protection compliance is a journey. We update our website regularly to help you take simple steps towards improving your information privacy compliance. By setting regular reminders to check our news and advice pages, you will remain aware of current events and best practices.