Safeguarding privacy from the outset can save you a lot of time and money as you develop your new products and services. Consider the methods below to build on your ideas and build customer confidence. Remember to follow the “What, When, Where, Who and How” process of thinking when justifying your collection and use of personal information.
Understanding how you use, or intend to use, personal information will enable you to design ‘appropriate’ information security controls throughout the lifecycle of the product or service, as well as comply with the Principles of the Australian Privacy Act.
Here we break down the eight basic steps that must be considered.
1 – What information do you need as a ‘minimum’, to achieve your product or service requirements?
Less is more: focus on the information you absolutely need to provide the product or service. Be specific and do not collect personal information ‘just in case’; you must be able to justify it. Collecting data ‘just in case’ may be a clever thought, but it breaches the principles of the Privacy Act. The more information you collect, the more controls you must have in place to protect the data. Remember: information is valuable!
2 – What would a standard customer expect you to collect?
To give customers confidence in you, only collect the information you absolutely need. What would a standard customer expect you to need for your product or service? For example, do they really need to provide their inside leg measurements?
3 – When in the relationship/process will you collect personal information? Will the type of information change over time?
Consider the stages of information collection. As you build a relationship, the requirements of the customer may change over time. What additional information may you need, and at what point in time? How will this impact your decisions when building the service(s)?
4 – How will you collect the personal information?
- What information will you provide to the customer at the point of collection?
- Can they opt out of the service? How?
- Consider where and how you will interact with current and potential customers. What methods can you use to collect information?
5 – Where will the information be stored?
- Are you collecting electronic and/or hardcopy information?
- Where will it be stored?
- How long do you need the information in order to provide the required service?
- How will it be kept secure?
- How will you gain access to the information?
- At what point can the information (if hardcopy) be archived or destroyed?
6 – Where will the information go (who are the recipients of the data)?
To enable you to provide a product or service, do you need to share or disclose the information to a third party? If so:
- What information do they need (as a minimum) to provide what’s needed?
- Would the customer expect you to share the information?
- How will you inform customers of recipients?
- Is the disclosure included in your privacy statement?
7 – Who will have access to the information?
Consider who will need to access the information, and to what end:
- What level of access do they require?
- What do they need to do with the information (read only/edit/delete)?
- How will you manage access rights?
- Will you give customers access to their own data? How? What will they be allowed to do to the record? How do you secure the account?
8 – How will you keep the information accurate and up to date?
- In designing your requirements, how can you minimise data entry errors?
- How will you interact with customers in the future to update their data and maintain the expected level of service(s)? Can they update their own records?
- How will you update or remove data or records on request?
Hopefully I have given you some tips you haven’t yet thought of, or at least you can challenge your approach and assess your product or service against these eight points.
ISD Cyber is a Cyber Resilience Consultancy offering services that cut across Business Continuity, IT Continuity, Operational Risk Management, Cyber Security and Privacy.
About the Author:
Yvonne Sears MSc, LLM, CIPM, CISM, PICIP, MBCI
Yvonne has over 18 years’ experience in information security and Privacy in the UK and Australia. She is uniquely qualified having both a Master’s in Information Security and Computer Crime, and a Master’s in Information Law (covering: Data Protection, Freedom of Information and Copyright Law).
She has worked on several trailblazer projects leading the way on data sharing and privacy issues in sensitive and complex areas, and has worked for a wide variety of public and private sector organisations worldwide.
She has contributed at industry events as a speaker and has contributed to several publications including ISACA’s Privacy book: “Implementing a Privacy Protection Program” (2017) and “Women in the Security Profession” (2016).