Queensland Privacy Commissioner, Phil Green, shares his insights below on how agencies can work smarter when it comes to embedding a privacy aware culture and minimising risk.
Leadership is critical
The COVID-19 pandemic has provided plenty of leadership challenges across the world in the past few months. You may have seen this played out in the privacy, data security and information management spheres too. The Office of the Information Commissioner's compliance audits, reviews and surveys have found that leadership is critical to an effective right to information and privacy culture. Higher levels of information management maturity require active engagement across agencies. Leaders throughout an organisation must lead this cultural change, demonstrating how the agency values, manages and shares information and data appropriately, and how respective business units contribute.
The Crime and Corruption Commission’s recent Operation Impala report reinforced the value of privacy champions, backed the use of Privacy Impact Assessments (PIAs), and made other far-reaching recommendations ensuring agencies use and protect information appropriately. Cultural change requires leaders, at all levels, to clearly communicate objectives and highlight the benefits to their internal and external stakeholders.
Everyone has a role to play
So, what is the link between privacy, leadership and risk? Well, privacy is a human right recognised in Queensland’s Human Rights Act 2019, and CEOs of major companies, such as Telstra and Microsoft, acknowledge that privacy and data security are key to business success. Risks associated with the protection of personal information and data need to be managed from the top down and from the bottom up.
This two-way approach can also be applied to the public sector. All public servants and agencies need to understand their responsibilities under the Information Privacy Act 2009 (Queensland) and other legislation. This provides middle-management and bottom-up leadership opportunities, as everyone has a role to play when it comes to privacy. It is also critical that employees understand they have obligations, and that there can be serious disciplinary and criminal consequences for privacy breaches such as unauthorised access to personal information.
Be a privacy champion
Handling personal information in a privacy-respectful way builds trust and transparency with Queenslanders. It’s also one of the key tenets of being a privacy champion. Privacy champions understand that trust and transparency are critical if we expect the public to access government services, programs and technologies with confidence.
Building privacy considerations into initiatives from inception through to implementation and beyond is critical. Failure to do so erodes trust and confidence in government, jeopardises a program’s success and damages the agency’s reputation.
Use privacy impact assessments to minimise risk
PIAs can de-risk the impact of a project, policy, new technology or initiative on the privacy of an individual’s personal information, and they help generate recommendations to mitigate identified risks.
Building PIAs into taxpayer-funded projects and initiatives can also build trust with the community. Governments and businesses have increasingly used PIAs in Australia and abroad to help ensure good outcomes for projects, policies and new technology. PIAs are being released publicly more and more, as we have seen with the recent COVIDSafe app. This supports government accountability while allowing the public to make informed decisions.
Ensure staff have privacy training
Agencies need to train staff about right to information, information privacy and information security as part of the mandatory induction process for all employees. Training should be comprehensive, contemporary and tailored to the agency’s context. Training tailored to particular issues for workgroups should also be provided. This goes hand-in-hand with embedding a privacy-aware culture in agencies, as it improves applied understanding of information access and privacy rights and responsibilities.
With the help of everyone across the public sector, together we can promote the value of protecting and respecting personal information and encourage a privacy-aware culture in Queensland.
For more information about privacy responsibilities in Queensland, Privacy Awareness Week 2020 and resources (including tips for agencies and the community), visit the OIC’s website.
The OIC is here to help privacy champions and agencies across the state. Their role is to provide advice and assistance, resources and training to support greater trust and transparency between the public sector and Queenslanders. Contact the enquiries service on (07) 3234 7373 or via email.