Learn@IoD
Cart

Putting privacy on the boardroom table

type
Article
author
By Michael Webster, Privacy Commissioner
date
9 May 2024
read time
3 min to read
Putting privacy on the boardroom table

It is Privacy Week, which is great time to consider the importance of privacy and to help make sure the companies and groups you exercise governance over are aware of their obligations.

This year’s theme is “busting privacy myths”, one of which is that privacy is purely a compliance function, which delivers few tangible business benefits. 

Most directors understand the importance of protecting sensitive information about a business, staff and clients, but there is less knowledge about the role privacy plays in driving business success.

So, what are your duties and responsibilities as a director?

The Privacy Act covers the public, private and not-for-profit sectors. It applies to any person, organisation or business (referred to in the legislation as an “agency”), whether it’s in the public sector or private sector, that collects and holds personal information about other people. 

This includes:

  • government departments and agencies
  • companies
  • small businesses
  • social clubs
  • charities, societies, and community groups
  •  other types of organisations

An individual acting in their personal or domestic capacity is not an agency. 

Whether you’re on the board of a major corporate or of your local tennis club, you still need to ensure you protect the personal information of clients, staff, members and stakeholders.

The Privacy Act requires all agencies to have at least one person who’s familiar with the agency’s privacy obligations and fulfils the role of a privacy officer.  Not only is this a legal requirement, but having a privacy officer with the legitimacy, tools and training to do their job effectively will help them educate the business and support best practice.

There are also some other aspects of the Privacy Act to pay attention to. 

  • Even where an agency outsources services to a third-party provider, including those using cloud storage, the agency remains responsible for ensuring the data remains secure and is used in a way that is compliant with the Privacy Act.
  • Under privacy principle 12 of the Act, agencies are accountable for the “international disclosure” of personal information and will need to demonstrate they’ve carried out the necessary due diligence checks required.
     

Ignorance is not a legal defence under the Privacy Act, so make sure you understand your obligations. The best way to do this is making sure you as a director take privacy seriously.

Data is such a quintessential element of our work that data management, and consideration of privacy concerns, need to be as important as health and safety protocols or robust financial reporting. Privacy is important and getting it wrong can have serious consequences. 

If your staff, your customers and your clients have trust and confidence in you as an organisation, and in how you go about your business or delivering your functions, then that creates ‘permission space’ for you to be innovative, to take opportunities, to try new ways of doing things. 

Losing that trust and confidence through privacy breaches will, I suggest, undermine efforts to be innovative, and to improve productivity. In a competitive marketplace, it will also see customers make decisions to go with the trusted and secure provider.

In a recent survey conducted by my office, 70% of respondents said they would likely change service providers if they heard theirs had poor privacy and security practices. A recent Talbot Mills Research survey focussing on cybersecurity, found 71% said they would consider no longer dealing with a company if it lost their data in a cyberattack.

Surveys and studies around the world conclude the following:

  • Privacy protective cultures and systems will have a positive bottom-line impact for a company or organisation.
  • There are significant real costs associated with responding to, and recovering from, a privacy fail.
  • There are significant revenue forgone costs associated with losing actual and potential customers’ trust and confidence because you have suffered a privacy fail.
  • There is a competitive advantage in being known as the organisation that is cyber smart, that securely holds and manages personal information.
  • There is a positive rate of return in taking the time and effort to embed privacy into project planning, risk management planning and reporting, into internal audit programmes, and into the performance accountabilities from the chief executive down.

Developing and maintaining a solid privacy protective culture is just good business. As a director, here are some good questions to ask to help ensure your organisation is promoting good privacy practices:

  • Is there adequate preparation in place to prevent a cyberattack occurring?
  • Does you have an up-to-date privacy breach response plan?
  • Are the IT system and associated business processes fit for purpose?
  • Does the IT system have internal access controls so staff have access only to the information needed to do their role?
  • Does the organisation know what private information it holds?
  • Does it have a retention and deletion policy in place, and is it implemented?

By having good privacy practices in place, not only will you be fulfilling your obligations under the Privacy Act, but you’ll also help reduce the chances of having a privacy breach, either through a mistake, or by being subject to more malicious activity like a cyberattack or data hack. 

There’s also lots of information about Privacy Week and the importance of privacy at www.privacy.org.nz  

Related content