12 Common Issues with Privacy Policies
For many small business owners, protecting the privacy of personal information just isn’t a priority. There are lots of reasons for that.
- Not knowing what makes up personal information
- Not realising when the business is collecting personal information
- Not understanding what the business is doing with personal data after its collected
- Thinking that publicly accessible data, like through Facebook or a website, means its ok to collect it
- Not understanding the difference between privacy and confidentiality, or the importance of privacy
- Having competing priorities – like the need to make money – that mean privacy always sits on the back burner
A template might work. It might not. If you never read it or attempt to understand it, it probably won’t help your business meet its legal obligations.
Are you prepared to put your credibility at risk?
If you don’t know what your obligations are, how do you know a simple template will protect your business?
2. Copying and pasting a policy from somewhere else
Cookies may not be classified as personal information but cookies can be functional (you won’t get full use of the website without them), performance focused (like analytics), focused on personalisation (like advertising based on your search history), or marketing focused.
Internet cookies are little data packets that store enough information to identify you when you return to a site for the purpose of say, pre-filling your username or password, or adjusting the display of a website, or advertising to better reflect your preferences. Cookies have to be matched with other data before they can be used to identify you and the information stored is not generally available for inspection. Cookie data may be collated to create a picture of who you are.
There was a ‘horror’ story that went around some years ago about a pregnant teenager being discovered by her family because her search history meant her parents got served advertising for pregnancy help. The cookies didn’t identify her, but enable her parents to put two and two together.
Personal information is information about an individual which by itself identifies that individual, or with other information can be used to identify an individual. Types of personal information can include:
- name or alias
- postal, street or electronic address
- enrolment in a course
- biological samples
- genetic data
So, a cookie pop up by itself just won’t cut it.
Privacy obligations only apply to information about real people – whether in their personal or business capacity – but do not apply to companies or other entities. Depending on where you are in the world, privacy obligation may also be limited to people who are still alive, and not the deceased.
So, what do you do with the personal information you collect? Unless you use integrated technology, you probably have data about your clients and supplies in a variety of places:
- your CRM
- your finance software
- your email marketing software
- your email management system
- a project management tool
- other software used in your business
Whilst the problem of keeping information consistent across databases is widely acknowledged, the type of protections each of those systems offer, and how you use them, probably isn’t.
For many types of businesses, your privacy obligations mean that you can’t send data overseas without the consent of the person providing it. This is particularly so for financial or health data. Personal trainers, life coaches, psycho-therapy providers all collect health data and probably don’t realise that every email they send pushes personal information overseas.
6. Not considering any procedures to support your policy
When you run a small business, the people who work with you, employees or contractors, need to understand your priorities around personal information and what can and cannot be done with it.
Do you allow contractors to keep contact details on their mobile devices outside your systems?
What controls or oversight do you have over what they are doing with their mobile device each day?
How many times have you seen parents hand a mobile device to their child to keep them quiet or entertained? Do you know the personal data of others isn’t being accessed?
For businesses in Australia which are obliged to comply with the Privacy Act 1988, there are now also mandatory data reporting obligations so that if any data is lost or accessed, it needs to be reported. Leaving a device on public transport can be a reportable event if that device cannot be remotely locked and contains any personal information that is supposed to be controlled by your business.
7. Not knowing where you are collecting data or what you are doing it
We’ve spoken with many small business owners who simply don’t realise how often or in what way they are collecting data.
- a form filled through a website
- an email received
- a video conference recorded
- a note made of a telephone conversation
- a voicemail received
- video feedback recorded and sent by a client
- patient notes written and yet to be filed
All these examples involve the collection of personal information. Does your business have protocols in place for the destruction of information that is no longer required for the purpose of your business? Privacy law generally requires that you only collect what is necessary, and destroy it after it is no longer required. Interestingly, many large organisations, like banks, appear to keep your information indefinitely.
The GDPR (regarding information about EU residents) now requires that you monitor what you collect, how you collect it, and how long you keep it.
We can help you put together policies to assist people in your workplace to manage how information is collected, stored, used and destroyed.
8. Not updated to match data practices
You might be offering a new product or service that means you collect additional information from your clients, more than you did previously.
You might have started working with another business in a joint venture, which means they now have access to some of your personal information, and vice versa.
Take time to review your practices and procedures for managing personal information and privacy, as well as checking that you are legally compliant with your obligations.
9. Doesn’t address all the different people affected – customers, partners, developers, general users
You may or may not treat personal information from different relationships in the same way. By relationships, consider the different people you interact with in your business – your clients and customers, your suppliers, your employees and contractors, volunteers, etc.
Consider: if you still have a business that uses paper forms, you might have collected similar or only slightly different data on different forms. You might scan that information and store it electronically, but then what happens to the paper copy? Is it securely destroyed? Is it stuck in a filing cabinet somewhere? Is that filing cabinet locked? Is any member of staff able to access that filing cabinet?
Do you have forms to be filed sitting on someone’s desk without any security or privacy around that information?
Do you have phone numbers written on a white board that can be seen from outside your office? This happened on a morning TV cross to a bank financial data room.
You might have a list of supplier details stuck on a wall, or a piece of paper near the computer.
If you treat the personal information you collect about different groups of people differently, all those scenarios need to be covered.
10. Hiding the terms
When your business has privacy obligations, you should share how you meet those obligations with the people whose data you collect. So, if you have employees, you should have an employment policy around how you manage their personal information.
With regard to your customers, you should have a policy about how you manage their personal information and what you do with it.
A link to a blank page is not helpful.
11. Wrong laws or no laws
A contract came across my desk the other day between two Queensland, Australia based small businesses. Goodness knows where they got it. The agreement was four years old and mentioned the laws of Ontario, Canada as the governing law. No, no, no, no. Not helpful at all!
If you’ve copied something from overseas, it is also possible that you’ve not complied with the laws that do apply to your business, putting your business at risk.
Although there are certainly some similarities in obligations in different countries, law is not universal and there are often inconsistencies within countries, particularly federated countries, as well as between countries.
Make sure you are undertaking to comply with the laws that apply to your business.
12. Hard to read – legalese or no whitespace
Simply headings like:
- How we collect your personal information
- What we do with your personal information
- Where we store your personal information
- Your rights regarding the personal information we have collected about you
How can Onyx Legal help you?