
Optus data breach puts privacy management in the spotlight

The Optus data breach has resulted in 2.8 million account holders having at least one form of ID stolen, including 150,000 passport numbers and 50,000 Medicare card numbers. This was closely followed by a major attack on Medibank revealing health and other sensitive information. We are still to see the full extent of the damage caused. Many readers would have been caught up in this. These events are a serious wake-up call for all businesses to reconsider how they are managing their cybersecurity risks. Potentially, the concern is even greater for recruitment businesses. By Dianne Gibert, Managing Director, Certex International.

Why is this important to recruiters?

Recruitment companies collect many documents on candidates, such as identity documents, work histories, pay slips, bank account details, superannuation details, and more. This makes recruiters a real target for cyber attacks. Historically, a large candidate database has been taken as a sign of a higher asset value for a recruitment business. Now, however, such a database, particularly one that is not current and active, could be a real liability.

Angelene Falk, Privacy Commissioner, said in her opening remarks for the Privacy Summit in Sydney recently: “Prevention is better than cure. There are three things organisations should do: 1 check your data holdings, 2 ensure the right security settings, and 3 delete data not required.” Valuable advice for all organisations.

Penalties for a breach are now considerable. The maximum penalty for a serious or repeated breach by a body corporate will increase to whichever is the greater of $50 million, 30% of turnover, or three times the benefit obtained from the breach. Possibly even worse is the reputational damage that could be sustained. There are so many competing recruitment businesses, and whilst we all like to believe our clients are loyal, the reality is that if our reputation is damaged then the business is going to be damaged as well, as clients and candidates choose to move on to the next agency.

What you should know

Possibly the biggest failure is an inadequate understanding of privacy obligations. Data protection is both a legislative responsibility and an ethical one.

Compliance starts with an appropriate privacy policy, which should be meaningful, understood, and available. The policy should set out, broadly: what data is being collected; for what purpose; how it will be used; who the data may be shared with; how long the data will be held; the process for updating the data to keep it current; and what the person can do if they have a complaint or want to make changes to the data that is being held.

Then there is the collection statement. This can be brief, but it should explain the purpose of collecting the data and what it will be used for. You don’t want to be too specific, or you may need to prepare another notice for each job, but you don’t want to be too general either, or the candidate may, quite reasonably, not be comfortable handing over their personal information.

One of the most common problems is that the agency retains the notice after it has been signed, so the individual no longer has the collection notice available to them. Perhaps this is done so that the agency holds proof the notice was provided, but it is not the best way to approach this.

Another problem is the timing of handing over the notice. Ideally it should be at the time of collecting the personal information. It is a transaction: thanks for your information (the agency says), and this is what I will do with it.

Including a notice in a contract or agreement once the placement has been decided is far too late.

Don’t keep it if you don’t need it

Of course, one of the biggest privacy problems, and the one that could cause the greatest security risk, is holding on to data for too long. If you no longer have a use for the data, then don’t keep it. This is the point being pressed home to Optus now. Data that you no longer need should be securely destroyed. Holding the information just because you may one day have a use for it is not acceptable.

Collecting the data for convenience is not acceptable. A good test is to ask yourself how you would like your most personal information to be used, shared and stored. If you wouldn’t like it to be done that way, then reconsider how you are managing the data of others.

Failing to keep the data current and accurate is not acceptable.

Failing to use and manage the data in a way the individual would expect you to is not acceptable.

"The truth is that what has occurred over the last week has been a wake-up call for corporate Australia. Cyber security is right there in the top echelon of issues which face corporate Australia... and we need to be doing everything we can to make sure that protection is in place."

Deputy Prime Minister Richard Marles


Check how well you are doing

Certex is proud to support many of our clients with data and privacy security. We are risk-management professionals. Through robust risk assessments, we can help identify and address cybersecurity hazards. Certex’s iSuite of risk management programs includes iPrivacy and iCyber. Please reach out to our team for more information.
