Understanding Privacy Laws
In Australia, certain groups are governed by the Australian Privacy Act (1988), which provides guidance on the reasonable steps entities are required to take to protect the personal information they hold about their stakeholders. The Act defines a set of Australian Privacy Principles (APPs) that regulate the handling of this information.
Specifically, APP 11.1 states that an APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This is where small business comes into play – it is your responsibility to protect customer and supplier information from any of these items.
Personal information is defined as any information that identifies a person, or makes a person “reasonably identifiable”. This includes, but is not limited to:
- Customer names
- Email addresses
- Contact information
- Billing and transactional information, such as credit card details
- Photos and videos, such as those you might take of a job site
- Information about a person’s preferences or opinions.
But protecting this data is about more than complying with the law – it’s also about protecting your customers from identity or monetary theft, and protecting yourself from what could turn into a publicity nightmare. Conducting a Privacy Impact Assessment can help you understand the risks of a data breach or loss, and the implications one would have on your business. Visit the Office of the Australian Information Commissioner for more information on how to undertake a Privacy Impact Assessment for your business.
When you’re developing content for your digital platforms, it is particularly important to pay attention to where that content comes from, who owns it, and whether or not you have the right to use it. Copyright principles extend to the online world, so it is illegal to simply take someone else’s content and claim it as your own.
If you or an employee are creating the content, you should be able to use it freely without consequence. If you’re employing a contracted person to create content for you, you should put in place a written contract that clearly states who owns the intellectual property rights to the content.
There are several instances where you might want to use someone else’s content. For example, you might wish to share a web page, blog post, photo or comment on one of your social media pages. Australian copyright law states that you can use material in this way so long as you are not using a substantial part of the work. Note that “substantial” does not refer to a particular element of the work, or its size, but rather to the importance of the material within the entire body of work.
Additionally, content that you’ve used in this way should always be attributed to the original creator. There is a difference between linking to someone else’s work (which is legal) and presenting the work as your own by embedding or framing it. In websites, link back to the original URL. On Facebook, LinkedIn, Twitter and other social media accounts, tag the original creator in your post. The Australian Copyright Council regularly updates their Information Sheets – you can browse through them to find content that is applicable to your business. Please note the information sheets are updated regularly, so it’s best to return to the website to find current resources, rather than saving or printing the current documents.
Keeping Your Customer Data Safe
There are several steps you can take to keep your data safe and secure. Several best practices to keep in mind include:
- Keep your machines clean – make sure you regularly update security software, web browsers and operating systems. This will ensure you’re up to date with security patches if a vulnerability is found in any of these systems.
- Use a firewall – a firewall is a system designed to prevent unauthorised access to or from a private network. It can be implemented in hardware, software or both, and acts as a barrier between a trusted network and an untrusted network, with the intention of keeping malicious traffic from reaching the systems it is protecting. Invest in a secure firewall to protect yourself.
- Use spam filters – like firewalls, spam filters can help to keep malicious traffic from entering your network. Spam can contain viruses and phishing scams – a good spam filter will keep most of this out, making your email service safer.
- Be mindful of phishing scams. We’ve all seen email campaigns that seem too good to be true – you’ve won the lotto, received an inheritance or are entitled to a government payment. These sorts of emails are known as phishing scams – generally they’re seeking your bank account details, a small sum of cash or both. They “fish” for information from you, only to exploit any weaknesses they may find. Hopefully, your spam filter will catch this type of communication, but if it doesn’t, avoid the sparkly and exciting headline and hit delete without opening.
Tips for the Electrical Industry – a 7 Step Guide to Follow if Your Data is Stolen
If the worst case scenario – a hacker has successfully stolen your customer or business data – does happen, the following steps can help you address the issue:
Step 1: Recognise The Severity Of The Situation
We don’t want you to panic, but it’s important to understand whether or not the hack constitutes a serious issue. Show initiative and quickly find out what has been breached – which systems, which data, and so on. Then, remove the hackers’ access to those systems to prevent a further breach. This may require some work from your IT team, or outsourcing to an IT professional.
Step 2: Fix The Problem
Obviously it’s important to repair the problems – this means everything from changing your passwords across all accounts to removing remote access to your networks.
Step 3: Bring In The Troops
You’ll most likely need help addressing the situation, especially if financial or customer information has been stolen. Now is the time to talk to your lawyer, accountants, IT team, PR team and any employees critical to resolving the issue.
Step 4: Report
Assess the damage and create a report on your findings. Get a full group of people together who can assist in creating a damage report that you will then be able to communicate to all staff and affected parties.
Step 5: Inform The Affected
Involve your PR team in this step if you have one. If not, your legal team might be able to assist. Communication is key to keeping the trust alive with your customers or suppliers – if their data has been compromised in any way, it’s imperative you let them know. Explain to them how you’re fixing the problem, how they could be targeted, and your suggestions for limiting risk on their part. If nothing else, make sure they change the passwords on their accounts.
Step 6: The Big Clean
It might take time to clean up your software and hardware after an attack. Be sure to have all aspects of your business checked by a professional – everything from your website and server through to software and hardware. You might have to revert to a very old version of your website, so be sure to back up your customer data beforehand.
Step 7: Improve Your Security
You’ve been hacked, so that’s a sure sign there’s a gap in your security somewhere. You will need to review your current protection and improve it where there are holes. It might help to talk to a security professional and see what they suggest for your particular business.
Think about your audience
Analyse your current data
Delve into your current database to determine what type of information you’re collecting, and why you might need it. This will help you accurately summarise how your business handles your customers’ information.
Describe what you do
Protecting Your Identity Online
Many activities within our business and personal lives are now conducted online – banking, shopping, talking to friends and family. Naturally, you end up sharing personal information online. There are several steps you can take to protect your identity during these interactions.
- Use strong passwords – see our Security Topic for more
- Check your billing and accounts records on a regular basis to look out for unusual purchases
- Don’t share personal information on social media. This includes details such as your home address, phone number and birthday, as well as details of movements such as holidays, which can alert people to when your home is empty
- Know the warning signs for an online scam – be suspicious of emails from people or businesses you don’t know, especially if they’re asking for personal details. Similarly, be suspicious of emails from financial institutions, the government or your utility providers that state you have an unclaimed refund – it’s always best to call the relevant office and check whether this is true before providing the person who emailed you with your bank details.