Issued: 4 April 2023
Last modified: 4 April 2023
Each year we are proud supporters of Privacy Awareness Week (PAW). PAW is an annual event led by the Office of the Australian Information Commissioner (OAIC) to raise awareness of privacy issues and the importance of protecting personal information. This year, PAW runs from 1 – 7 May 2023 and the theme is ‘Back to Basics’.
Back to basics
In today’s digital world, privacy is fundamental to our existence. But how can you best protect your own and your clients’ privacy? Here are some tips:
Know your obligations
Make sure you understand your business’s obligations under the Privacy Act 1988, and keep considering privacy as your business, its systems and its practices evolve. Anticipate how your clients expect you to handle their personal information and respond to any needs and concerns they may have. Privacy is integral to building and maintaining your clients’ trust in your business’s handling of their personal information.
As a registered tax practitioner, you also have obligations under the Code of Professional Conduct (Code item 6) to maintain the confidentiality of client information, and obligations under other legislation to protect tax file number information.
Have a privacy plan
Make sure you have a privacy management plan in place. This helps embed a culture of privacy and establish robust privacy practices. If you haven’t got a privacy management plan, check out this handy template created by the OAIC. It can help you assess your privacy practices and set appropriate goals and targets.
Only collect or keep what you need
Over-collection of personal information increases your risk in the event of a data breach. Holding onto clients’ personal information that you don’t need can also undermine your clients’ trust in your business. You should only collect information that is necessary to carry out your services to your clients. It is equally important to ensure that information you no longer need is destroyed or de-identified. This is especially important when you are verifying a client’s identity.
Check out our guidance for more tips on how to protect your clients’ personal information.
Secure personal information
Ensure you have secure systems in place to protect personal information from misuse, loss and unauthorised access and disclosure. If you mishandle the personal information of your clients, you can incur a financial or reputational loss which could seriously impact your business.
Train your staff
Clearly outline how your staff are expected to handle personal information in their everyday duties, not just in terms of general principles. Integrate privacy into your induction and regular staff training programs (including for short-term staff, service providers and contractors). Also, make sure your staff have all the information they need to protect their own privacy at work. The OAIC has training resources you and your staff can use.
Appoint privacy champions
A strong privacy culture comes from the top, so it’s important to assign a senior staff member with overall responsibility for privacy. You should also assign staff responsible for managing privacy day-to-day, including handling internal and external privacy enquiries, complaints, and access and correction requests. Implementing reporting mechanisms that ensure senior managers are routinely informed about privacy issues will also help keep your business’s eyes on privacy and let you respond promptly if there’s an issue.
Prepare for data breaches
Make sure you have a clear and practical data breach response plan available so you and your staff know what to do if there is a data breach. A quick response is critical to effectively managing a breach. Your data breach response plan should outline your entity’s strategy for containing, assessing and managing the incident from start to finish. If you don’t have a data breach response plan, check out the OAIC’s guidance on preparing a data breach response plan.
Assess privacy risks
Assess privacy risks early. Undertake a privacy impact assessment for projects that involve new information handling practices, such as new technologies. A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
Simplify your privacy policy
Make sure your privacy policy is written in plain English and includes a summary. Your privacy policy should be a document that creates trust in your business and speaks to your clients. You should also include information about how your clients can contact you about privacy matters.
Review your practices
You should be reviewing your privacy practices and policy regularly. Privacy law reform is on the way, so make sure your privacy practices are up to date now so that any further changes required down the track will be easier to implement.