Privacy Potholes



Whether you drive a Range Rover, a Mercedes Benz, or a Volkswagen Beetle, there’s always the chance that you will drive right into one of these deep, circular hollows on the road.

Potholes occur when water flows into soil beneath the asphalt pavement and weakens its structure. When traffic from cars repeatedly fatigues the pavement, the road eventually breaks.

Some potholes mean nothing, tiny blips in your adventures, but others can damage your tyres and force you to reassess your situation.

Let’s start the year by assessing some business potholes from 2015: inadequacies (or ‘holes’) in a company’s business processes that eventually caught up to it and forced managers to re-evaluate their procedures.

Privacy Potholes

With the introduction of recreational drones, the proliferation of social media platforms/apps, and the decisions of many significant court cases, an individual’s right to privacy has cemented itself as a key issue in politics, social debate, and even business operations.

March 2015 also marked one year since the release of the Australian Privacy Principles (APPs) and one year since the Australian Information Commissioner’s powers were increased to include significant penalties for non-compliance with the Privacy Act 1988. Most businesses are now required to have robust privacy policies and management procedures in place for the collection, retention, disclosure and destruction of personal information.

Notwithstanding this, there have been many high-profile cases of non-compliance. 2015 began with inquiries and investigations made by the Office of the Australian Information Commissioner (OAIC) into alleged privacy breaches by Aussietravelcover, Gemalto and Telechoice.

Telechoice had improperly stored personal information (such as old customer records) by keeping it in an open shipping container on publicly accessible land. The container had subsequently been broken into by thieves, and Channel 9 reported the incident on A Current Affair on 23 April 2015. APP 11 requires companies to take reasonable steps to secure any personal information they hold and to destroy or de-identify information that is no longer needed. The Commissioner expressed that “physically locking a container that holds personal information is not sufficient if the container is publicly accessible and unmonitored for extended periods [of time]”[1]. Telechoice accepted full responsibility for the breach and later provided an enforceable undertaking to the Commissioner to, amongst other things, reimburse the cost of a 12-month credit monitoring service for affected individuals who were concerned about the possibility of credit fraud.

As the year progressed, enquiries into Catch of the Day, Adobe, iiNet, Woolworths, and Ashley Madison either commenced or finalised. We discussed Adobe’s breach in detail here.

The year ended with several more companies implicated in breaches, including Kmart Australia, David Jones, VTech Learning Lodge, ARC Mercantile and Optus. We are awaiting the finalisation of the investigations.

In 2016, privacy compliance takes on even more importance: the Australian Government is currently inviting public comment on mandatory data breach notification laws that are soon to be released. In the event of a serious data breach, businesses subject to the Privacy Act 1988 will have to notify the national privacy regulator and all individuals affected by the breach.

At the end of the day, it does not matter whether your company is a retail conglomerate, a controversial dating website, or a recruitment company: anyone can fall into a privacy pothole.

The most common privacy breaches occur when data security is overlooked: when companies are still using improper privacy practices instead of updating their knowledge to reflect changes to the Privacy Act 1988. When senior management do not integrate privacy knowledge into every facet of their business procedures. When managers simply slap an (outdated) privacy policy onto their website or collection statement. When employees are not properly trained with respect to their privacy obligations.

Privacy potholes occur when improper procedures flow from the top of the corporate ladder right through to each individual worker, weakening the structure of every business decision.

Eventually, the road will break.

2015 has been a bumpy ride. Let’s make 2016 a smooth sailing trip.

If you would like an evaluation of the efficiency of your current privacy policy, click here.

Service Excellence Consulting intends to write a series of articles about business potholes that we have observed in our consulting and business advisory services in 2015. Stay tuned for more.