Why this free privacy policy is essential protection for your organisation

It’s an essential addition to your policy portfolio. Why? Because not-for-profits have a responsibility to treat information carefully. Cyberattacks and identity theft have become common, personal data is being sold for profit, and health information must be stored securely. This free 15-page policy template will help you to protect private information and meet your legal obligations.

This policy features best-practice processes for:

• data collection, use and disclosure
• data storage, destruction & de-identification
• data quality, security and retention
• openness about data, with measures for access and corrections
• proper use of “identifiers”, anonymity and third parties

Included with the free download is a suggested statement about your privacy policy for external use. It complies with the Privacy Act and covers:

• whether the Privacy Act 1988 applies to your organisation
• the type of information you hold and how it’s collected
• employee, contractor, job applicant and volunteer information
• marketing and fundraising
• handling disclosures and sensitive information
• managing security and data breaches
• updating or destroying information

The pandemic has seen a spike in ransomware attacks and privacy breaches, but a good policy will help groups to keep information safe, and able to respond better to breaches.

According to the Office of the Australian Information Commissioner (OAIC) there were 518 notifiable data breaches in the six months to June 2020, with a big spike in May. Significantly, ransomware attacks leapt 150% over the previous six months.

And these are only the notifiable breaches in which it was expected that the breach would risk “serious harm” to victims.

While malicious attacks accounted for 61% of the notifications, human error was behind 34% of the breaches. Once again, the health services industry – which has many not-for-profit operators – was the worst affected, with more than one in five reported cases.

The education sector was also in the top five sectors for notifications, while charities continue to account for many notifications.

Cyberattacks such as the the July phishing attack on Scouts Victoria highlight the risks to not-for-profits.

Our Community’s director of data intelligence, Sarah Barker, stressed that cyber attacks were not the only threat.

“There are other causes of data breaches which are even more common, such as unauthorised access or accidental data loss,” she said.

The advent of COVID-19 had accelerated the need for groups to address privacy issues.

“There has been a rapid shift for organisations adapting to remote working and providing services online. This means a greater reliance on digital systems. Now is a great time to ensure there are appropriate controls in place, even for small organisations.”

Ms Barker urged organisations to ask themselves key questions to better understand data privacy, such as:

• What personal information do we collect? This may be information about donors, supporters, volunteers, people you serve and other contacts.
• How is this data used? Do you have consent to use the data for that purpose?
• Where is this data stored? Is it secure, and who has access to it? Many organisations rely on cloud-based tools for surveys, mailing list, document storage and contact management – these tools might be hosted outside Australia.
• What would we do if there was a data breach?

She said that working through ICDA’s new privacy policy template was “a great way to surface these considerations and identify actions an organisation can take”.

“Not-for-profit organisations collect information about people they work with and serve, and enacting a privacy policy can help ensure personal information is managed effectively and responsibly.”

Recently, Our Community hosted a webinar on this very issue: Cyber trends – protecting your people, processes and technology.

Presenter Adam Smallhorn, from the Commonwealth Bank’s cyber security outreach team, outlined some of the other methods organisations can use to protect themselves.

He said the three keys to good cybersecurity are:

• Technology
• People
• Processes.

Mr Smallhorn said it was necessary to look at all those areas.

But as he puts it, “the easiest attack vector for criminals is people”.

In the presentation, Mr Smallhorn demonstrated how easy it is for crooks to target organisations.

In one example, he showed how a would-be hacker could simply look at a founder’s bio, usernames, social media accounts, birthdays and other dates, favourite sports teams, pets; and children’s names, and use that information in a freely available password generator.

Password generators are able to compose 10,000 likely passwords in “milliseconds”. Those can be used to access websites, emails and worse.

“That’s why we say that people are actually a huge component of your cybersecurity.”

He said that phishing scams accounted for most successful cyberattacks, and that even though 80 percent of workers knew the risks, “they click on the link anyway”.

He stressed that raising awareness of the risks – and increasing knowledge about the signs of phishing scames, such as misspellings and requests for personal information – was very important for organisations.

Questions to ask include “Have I talked to my staff, my team about this? Are we vulnerable to attack?”

His top tips?

• Lead by example, and expect your organisation to use strong passwords
• Make someone in the organisation responsible for cyber security
• Focus on the people and process, not just technology
• Build a cybersecurity culture
• Use the free resources available.

He suggested a good place to start your cyber safety journey was with Damn Good Advice on Cyber Safety and Fraud Prevention, jointly produced by Our Community and CommBank.