The traditional view of data privacy in the workplace won’t wash anymore.
On a quiet May day in 2017, one of the worst things that can happen to a company happened – and it didn’t even know. A global shipping provider operating in Australia was hacked. The perpetrators gained access to its computer systems and maintained this access for 11 months.
This wasn’t just a security incident; it was a privacy breach. The data of about 500 employees – an assortment of information such as their tax file numbers or bank details – was being auto-forwarded via 60,000 emails to people outside the company.
Even had it wanted to, the company couldn’t hide it. The Notifiable Data Breaches scheme had just started in Australia. The company had to tell its employees it had failed to protect them and that their personal information had been in the hands of bad actors.
Stories such as this are why the traditional view of privacy, as a compliance piece that fits within the risk and legal space, is no longer tenable. Companies have realised they can’t function without the trust of their customers and their staff, and that’s why it is critical to value and protect the privacy of both.
Indeed, it doesn’t just have moral value. Data is often an organisation’s most treasured asset. Companies everywhere hoover up every scrap they can. This includes everything from simple contact details to the sensitive information HR uses to optimise the people experience.
Andrea will be de-mystifying privacy risks at the HR Tech Conference at this year’s AHRI National Convention – view the full program here.
Different privacy laws cover different entities based on their size and the jurisdiction in which they operate. In Australia, many organisations are bound by state-based laws or the Federal Privacy Act and can be penalised for contraventions. There are also fines for breaches that fall under the Federal Notifiable Data Breaches scheme.
In the global space, there is the EU’s General Data Protection Regulation, which massively scaled up the fines for non-compliance with privacy laws.
But such fines are not the real threat to your organisation. The loss of income and loss of reputation due to poor privacy practices can far outstrip any fine you may receive. This is why organisations need to think of privacy long before there is a breach.
I hate to say it, but a lot of projects in the IT space tack on privacy after the fact, usually after the system is built. And they then say, “Oh my, we’ve got all these privacy risks and we didn’t realise, and now we have to retrofit fixes.” And that costs dollars, it costs time, it pushes projects out and it frustrates people.
That’s why many companies advocate for privacy by design. This is a concept that puts the individual at the centre of all decisions when it comes to building a new IT system or creating a new process for dealing with the personal information of employees.
So when bringing in a new HR management system not only should you look at the tech specs to make sure it sits with the IT needs of the company. You need to look at things such as the need-to-know security barriers and the data fields you really need to incorporate, as they’re all linked to privacy responsibilities.
Privacy by design means looking at and identifying privacy risks as part of project planning. As you would with any risk management process, you overlay the identified risks and come up with mitigation strategies. Even if you outsource your IT, contractors should be bound under the same privacy responsibilities as your organisation. That they’re a third party will not be a good enough excuse should a breach happen.
No matter how well your procedures are written, or how sure you are that staff understand privacy, if you’re not training and educating your staff regularly about the importance of privacy, a breach will happen.
That’s why you need to instil a respect for privacy in all staff, because a single person can inadvertently click on a link and not realise they’ve just given a stranger all of their company’s data.
In HR we talk about the need to be good communicators, the need to be agile and so on. We call these things core competencies. In today’s world, I would add respect for privacy as another core competency.
Andrea Calleia CPHR is the privacy learning manager at Salinger Privacy.
This article originally appeared in the August 2019 edition of HRM magazine.