Keeping information safe and private
Non-digital information and records are vulnerable to slow destruction and to disaster. It's important to take active steps to protect your records from risk.
Avoiding gradual destruction
Some sources of damage are slow-acting or infrequent, but can still make information unusable. They include heat, humidity, light, computer security threats (viruses, malware, etc.), vermin (insects and rodents), and damp and mould (which can adversely affect paper, disks, photos, slides and videos).
You can reduce these risks by keeping records in folders, covers or boxes in clean, dry surroundings. Keep them off the floor, and away from:
- cleaning supplies and other chemicals
- heaters and open flames
- water, heating and sewerage pipes.
You should also:
- have fire extinguishers, smoke detectors and/or a sprinkler system in the records area
- keep your computer safe and your information secure - always back up your data. Secure cloud storage is a cost-effective way of securing your data.
- keep records in secure storage, in a safe if necessary.
Protecting against disaster
Some damage happens suddenly and unexpectedly. Examples include fire, flood, storm, earthquake, explosion, computer crash and power failure. Your group should have a disaster recovery plan for records.
Disaster protection checklist
You can help protect your records from being damaged in a disaster by:
- duplicating information and keeping hard copies
- having backups of your computer records
- keeping important originals (e.g. leases, bonds etc.) at the bank, with the lawyer, or in a fireproof safe
- keeping copies of important records away from your office (e.g. creditor lists, insurance documentation etc.)
- knowing where to find experts who can help in the event of disaster. There are experts in this field, called conservators, and most computer firms have expertise in recovering computer records.
Protecting private information about people is just as important as safeguarding other important business data. This includes contact details, employment agreements, personnel records, and payment information.
Some information, like client records and personal staff files, should not be accessible to everybody in the organisation. You can only collect personal information that is needed for business purposes, and you must not let it be leaked or misused, even accidentally. This also means doing whatever you reasonably can to protect any paper files or documents. How you safeguard personal information depends on the sorts of information you collect. The more sensitive the information, the more measures you will need to take to protect it.
Privacy Act 1993
The Privacy Act 1993 (and associated principles) governs the way organisations need to keep information private. It also gives a guide to sharing information with others. The Act is based on 12 privacy principles. These set out broad rules (together with limited exceptions) relating to the collection, storage, security, accuracy, use and disclosure of personal information, as well as an individual's rights to access and correct personal information.
The Privacy Act applies only to personal information about an identifiable individual. It does not apply to information about organisations, companies or other bodies. See more at https://privacy.org.nz
Agencies - that is almost everyone holding personal information about others - have to comply with the Privacy Act. The Act's 12 information privacy principles model the way in which good organisations handle personal information.
Information Privacy Principles
The following principles describe the key issues around privacy for organisations:
- Only collect personal information if you really need it
- Get it straight from the people concerned where possible
- Tell them what you're going to do with it
- Collect it legally and fairly
- Take care of it once you've got it
- People can see their personal information if they want to
- They can correct it if it's wrong
- Make sure personal information is correct before you use it
- Get rid of it when you're done with it
- Use it for the purpose you got it
- Only disclose it if you have a good reason
- Only assign unique identifiers where permitted.
Together, these principles form a 'life-cycle' for personal information.
Organisations must first decide what information they need, and where and how they are going to get it. They then need to ensure they hold the information with appropriate protections and that they comply with any access or correction requests they receive. Finally, personal information should be used and disclosed with care and kept securely, and in line with the purposes for which the information was collected.
Source: Privacy Commissioner - https://privacy.org.nz/privacy-for-agencies/your-obligations/
The Privacy Commissioner's website includes a number of tools to help your organisation meet its legal requirements and identify potential risks of collecting, using and handling personal information.
You can undertake a privacy impact assessment (PIA), which is particularly useful when you are looking at new proposals, new systems or system changes. Read more here: Privacy Impact Assessment Toolkit - https://privacy.org.nz/news-and-publications/guidance-resources/privacy-impact-assessment/
Another easy assessment can be found here: https://privacy.org.nz/privacy-for-agencies/getting-started/
The basics you need to think about are:
- the purpose
- what responsibilities you have when you are handling personal information
- how you will collect personal information fairly
- can you justify your use of personal information?
- how long will you keep personal information for?
- how will you dispose of personal information appropriately?
Technology and digital guidance
Organisations are responsible for a considerable amount of digital information, and therefore need to design, recommend or install systems which manage personal information in a privacy protective way.
You can find guidance on privacy obligations around technical developments on the Privacy Commissioner's website, including:
- app development - describing your obligations when gathering personal information through mobile apps, this guide is built on five key points:
  - Integrating privacy starts on day one - make a plan and spot the risks
  - Be open and transparent about your privacy practices - when a user makes decisions - to download your app, update it, or share personal information - be there with the right information.
  - Collect and keep only what your app needs to function, and secure it - "Nice to know" doesn't mean "need to know"
  - Obtain meaningful consent despite the small screen challenge - spend time working out how to make privacy understandable with the tools you have
  - Timing of user notice and consent is critical - providing information in real time is as important as being up front in advance.
- data safety toolkit - how to deal with a data breach. This includes the four key steps in dealing with a data breach:
  - Contain the breach and make a first assessment
  - Evaluate the risks
  - Notify affected people if necessary
  - Prevent a repeat
- using the cloud - evaluate your needs and work out which cloud services will work for you, considering your risk level and responsibilities. You are still responsible for any information you put in the cloud. See this checklist for cloud computing and read more here: https://privacy.org.nz/news-and-publications/guidance-resources/using-the-cloud/
- privacy statement development - you can easily generate your own privacy statement by using the Privacy Commissioner's Priv-o-matic tool which can be found here: https://privacy.org.nz/further-resources/privacy-statement-generator/
- guidance on the use of portable storage devices - USB sticks, smart phones etc. are easy-to-use devices that are capable of storing and transferring large volumes of information. Assess the risks associated with using these storage devices, develop appropriate policies, and actively monitor their use - read more here: https://privacy.org.nz/news-and-publications/guidance-resources/guidance-note-on-the-use-of-portable-storage-devices/
- use of data and analytics - Stats NZ and the Privacy Commissioner have jointly developed six key principles to support safe and effective data analytics:
  - deliver clear public benefit
  - ensure data is fit for purpose
  - focus on people
  - maintain transparency
  - understand the limitations, and
  - retain human oversight.
Information privacy checklist
To ensure privacy of information:
- have a procedure that identifies records that are sensitive and make sure authorised staff know they are sensitive
- have a clear desk policy for sensitive records - put records away promptly
- be aware of physical security and lock records away when not in use
- take care when disposing of confidential records - they should be shredded or disposed of securely (an option for larger organisations)
- develop a confidentiality policy
- do not leave records where an unauthorised person can read them or steal them
- keep records in their covers, folders or boxes
- do not take records home
- make a note of who took them if records are taken from where they are normally kept, including when they were taken and when they were returned
- protect sensitive computer-based information with passwords, and
- do not keep personal information longer than required either by law or for the purpose for which it was obtained.