HR Monthly: August 2019
HR TECH TALK
On a quiet May day in 2017, one of
the worst things that can happen to a
company happened – and it didn't even
know. A global shipping provider operating in
Australia was hacked. The perpetrators gained
access to its computer systems and maintained
this access for 11 months.
This wasn’t just a security incident; it was
a privacy breach. The data of about 500
employees – an assortment of things such as
their tax file numbers or bank details – was
being auto-forwarded via 60,000 emails to
people outside the company.
Even had it wanted to, the company couldn’t
hide it. The Notifiable Data Breaches scheme
had just started in Australia. The company had
to tell its employees it had failed to protect them
and that their personal information had been in
the hands of bad actors.
Stories such as this are why the traditional
view of privacy, as a compliance piece that fits
within the risk and legal space, is no longer
tenable. Companies have realised they can't
function without the trust of their customers
and their staff, and that's why it is critical to
value and protect the privacy of both.
Indeed, it doesn't just have moral value. Data
is often an organisation's most treasured asset.
Companies everywhere hoover up every scrap
they can. This includes everything from simple
contact details to the sensitive information HR
uses to optimise the people experience.
In this day and age, privacy can’t be
BY ANDREA CALLEIA CPHR, PRIVACY LEARNING
MANAGER, SALINGER PRIVACY
Different privacy laws cover different entities
based on their size and the jurisdiction in
which they operate. In Australia, many
organisations are bound by state-based laws or
the Federal Privacy Act and can be penalised for
contraventions. There are also fines for breaches
that fall under the Federal Notifiable Data
In the global space, there is the EU’s General
Data Protection Regulation, which massively
scaled up the fines for non-compliance with
But such fines are not the real threat to your
organisation. The loss of income and loss of
reputation due to poor privacy practices can
far outstrip any fine you may receive. This is
why organisations need to think of privacy long
before there is a breach.
I hate to say it, but a lot of projects in the IT
space tack on privacy after the fact, usually after
the system is built. And they then say, "Oh my,
we've got all these privacy risks and we didn't
realise, and now we have to retrofit fixes."
And that costs dollars, it costs time, it pushes
projects out and it frustrates people.
That’s why many companies advocate for
privacy by design. This is a concept that puts the
individual at the centre of all decisions when it
comes to building a new IT system or creating
a new process for dealing with the personal
information of employees.
So when bringing in a new HR management
system, you should not only look at the tech
specs to make sure it sits with the IT needs of
the company; you also need to look at things such as
the need-to-know security barriers and the data
fields you really need to incorporate, as they’re
all linked to privacy responsibilities.
Privacy by design means looking at and
identifying privacy risks as part of project
planning. As you would with any risk
management process, you overlay the identified
risks and come up with mitigation strategies.
Even if you outsource your IT, contractors
should be bound under the same privacy
responsibilities as your organisation. That
they’re a third party will not be a good enough
excuse should a breach happen.
No matter how well your procedures are
written, or how sure you are that staff
understand privacy, if you’re not training
and educating your staff regularly about the
importance of privacy, a breach will happen.
That's why you need to instil a respect for
privacy in all staff, because a single person
can inadvertently click on a link and not
realise they’ve just given a stranger all of their
In HR we talk about the need to be good
communicators, the need to be agile and so
on. We call these things core competencies. In
today’s world, I would add respect for privacy as
another core competency.
Andrea will be de-mystifying privacy risks at the
HR Tech Conference at this year's AHRI National
Convention – view the full program online.