Why having a clear, easy-to-follow process is crucial for complying with privacy legislation
New and old privacy legislation around the world has Australian organisations reviewing their processes to ensure they can comply with all the different aspects of such legislation. One of the key challenges of these legislative requirements is complying with information access requests.
In Australia, individuals have the right to demand access to all of the information an organisation holds about them. Once an organisation receives the request, it generally has just 30 days to comply, unless it can provide written notification of grounds for refusal.
While that 30-day timeframe may seem generous, the complexities involved in finding all of the relevant information, extracting it from various systems and information repositories, redacting information where necessary, and preparing it for presentation to the individual, can make this a time-consuming and labour-intensive operation.
For example, the individual’s information could include job application data, phone call recordings, CCTV footage, medical records, purchase history, customer support requests, and any number of other records. The volume of data that needs to be collected alone could therefore be overwhelming.
There are certain steps you should consider when responding to information requests:
1. Receive request
2. Engage and clarify
When clarifying the individual’s identity, it is important to ensure you don’t inadvertently disclose personal information to a malicious actor. This includes requiring information requests to be accompanied by proof of identity.
You should also review the request to make sure it’s valid; not every request for data needs to be satisfied under the law. To decide whether to provide the information, you should refer back to the relevant legislation.
3. Verify focus and scope
Satisfying some information requests can mean collating a massive amount of information, which involves a great deal of work and oversight. However, in many cases the petitioner may only want certain information. It’s therefore a good idea to engage with the individual to confirm the scope of their request so you provide only the information they’re actually looking for.
Sometimes people request information maliciously because they want the organisation to have to expend time and resources. It’s important to engage with these people carefully to set expectations and to consider charging a reasonable fee (if permitted by the legislation) to cover the expenses associated with fulfilling the request.
4. Manage project
Following a clearly defined process is important for managing information requests efficiently. You should appoint a project manager to ensure the request is dealt with appropriately and effectively at each stage.
5. Identify and collect
It’s essential to identify the information that needs to be provided, which includes understanding where that data resides and what other data is associated with it. To provide the information to the petitioner, you’ll need to gather all of the data into a central repository. The data to be included should be based on a defined set of search criteria.
7. Review, produce, and handover
Review all the data to ensure it’s correct and complete according to the scope of the request. It’s also important to consider how the information will be handed over, including whether it needs to be encrypted, converted to other formats, or whether metadata needs to be stripped before release.
By putting the right processes in place, you can foresee and, if necessary, circumvent the challenges that could make it costly and difficult to comply with information requests under privacy legislation.
To find out how Cohesion can help your organisation set the pace of change, contact us today.