
Seven steps for privacy and data security


The Australian and European Union updates to privacy and data security requirements come into effect in 2018.


The Privacy Act 1988 [Privacy Act] is an Australian law that regulates the handling of personal information about individuals. The Australian Privacy Principles [APPs] set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information, including sensitive information. In other words, they protect a person’s privacy rights.

The European Union General Data Protection Regulation [GDPR] [Regulation [EU] 2016/679] is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union [EU].

The cost of noncompliance is extremely high in both financial and non-financial terms, so failing to comply, or not knowing how well you comply, is not an option.

Australia’s data privacy laws are concerned with the privacy of personal information, which is defined by whether a person is identified or identifiable from the data:

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, that is recorded in a material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.’

The legislative changes in the EU focus on the protection of personal information as well as the privacy of personal information. This is a significant change that must be carefully considered if your organisation is involved in research activities with direct or indirect implications for the EU, and it is in addition to what is required in Australia.

The criteria for companies required to comply include organisations with no presence in the EU that nevertheless process personal data of European residents.

The EU’s broad, sweeping definition of personal data/information includes emails, phone numbers, addresses and other commonly used identifiers. The definition used by the regulators is:

‘any information relating to an identified or identifiable natural person who can be directly or indirectly identified by reference to an identifier.’

Therefore, consider the following as a due diligence approach to privacy and data security moving into 2018, for both the APP and GDPR requirements.

1. Technology Solutions

Review current technology solutions, given that the majority of personal data collected, stored and processed is in digital form. Technologies must be capable of tracking consent to use data, and approvals/acceptance, and must tie that consent to the specific personal data collected in all circumstances.

  • Several Lucidity modules can work for you, including tracking notifications and the acceptance of notifications through the action system of the various modules.

  • Lucidity centralises information and provides a customisable dashboard and reports that deliver real insights into your operations and people, no matter where they are located.

  • Lucidity Contractor allows you to manage contractors and their people, with at-a-glance viewing of contractor approval status. It manages insurances, training and performance measures, supports an effective contractor due diligence process, and keeps complete records in one place.

  • Lucidity Incident allows organisations to report, investigate, analyse and proactively action issues across the disciplines of safety, environment, quality assurance, product quality and business management. Lucidity is secure, easy to use and accessible through any device with internet access.

  • One of the biggest challenges facing Site Administrators on construction worksites is keeping track of all the contractors and employees that are onsite at any given time. Lucidity OnSite provides you with the ability to do this.

2. Risk assessment

Undertake a data protection impact assessment [DPIA] against any existing clients and new client work to determine whether APP alone or APP + GDPR requirements need to be met.

Lucidity Risk provides companies with the framework and processes for managing and monitoring risk. Its risk management tools cover business and operational, safety, environmental and product risk, allowing companies to make more informed decisions on managing and monitoring risk.

3. Assigned Officer

In the case of Australia a Privacy Officer [PO] should be appointed, and in the EU a delegated Data Privacy Officer [DPO]. The role/s must have the necessary legislative knowledge, knowledge of internal procedures and the authority to act according to the needs of the role.

4. Compliance

Transparency of compliance with APP and GDPR requirements is important. The legislation requires proof of compliance to the regulators regardless of any incident or breach that may or may not occur. Records must be both traceable and auditable.

5. Lawful

The collection and processing of data must be lawful. ‘Lawful’ means personal consent has been given [at the time of intended collecting and processing] for contractual/agreed performance purposes, compliance with legal obligations and protection of the vital interests of the respondent. Technology solutions for this purpose, as mentioned in Pt. 1 above, are therefore among the most effective options.

6. Data portability

Due to the increased demands of legislators, and the GDPR in particular, it is important to know where your data is located and how to access it, given the tight turnaround times. If your data is held by vendors then you will need to ask them this question.

  • There are short timelines for reporting full disclosure [investigations] of a breach notification: 3 days under the GDPR. Full disclosure investigations currently take around 8 weeks.

  • GDPR also has in place a ‘right to be forgotten’ clause that requires access to data for removal [including archived data].

  • GDPR also requires data to be accessed and moved to another organisation on request of a person.
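As an added illustration of the requirements in Pt. 1, Pt. 5 and Pt. 6 above, the following example (not Lucidity code, and not from the original article) ties every stored personal-data field to a consent record for a stated purpose and lawful basis, refuses collection or processing when no active basis exists, keeps a traceable audit trail, removes live and archived copies on an erasure request, and produces a machine-readable export for portability. All class and method names, the lawful-basis labels and the sample subject data are constructed for this example.

```python
"""Consent-bound personal data store: added illustration, not Lucidity code.

Every stored field is tied to a consent record (subject, field, purpose,
basis); collection and processing are refused without an active basis;
erasure removes live and archived copies; export returns a portable copy.
All names and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Lawful bases named in Pt. 5 (hypothetical labels for this example)
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests"}


@dataclass
class Consent:
    subject_id: str
    field_name: str                    # the specific personal-data field covered
    purpose: str                       # what the data may be used for
    basis: str                         # one of LAWFUL_BASES
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self) -> bool:
        return self.withdrawn_at is None


class PersonalDataStore:
    """Hypothetical store that refuses to hold or use data it has no basis for."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, str]] = {}     # subject -> field -> value
        self._archive: Dict[str, Dict[str, str]] = {}  # backup copies (Pt. 6)
        self._consents: List[Consent] = []
        self.audit: List[dict] = []                     # traceable record (Pt. 4)

    def _log(self, event: str, subject_id: str, **extra) -> None:
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "event": event, "subject": subject_id, **extra})

    def _has_basis(self, subject_id: str, field_name: str, purpose: str) -> bool:
        return any(c.subject_id == subject_id and c.field_name == field_name
                   and c.purpose == purpose and c.is_active()
                   for c in self._consents)

    def record_consent(self, subject_id: str, field_name: str,
                       purpose: str, basis: str) -> Consent:
        if basis not in LAWFUL_BASES:
            raise ValueError(f"not a lawful basis: {basis}")
        consent = Consent(subject_id, field_name, purpose, basis,
                          datetime.now(timezone.utc))
        self._consents.append(consent)
        self._log("consent_recorded", subject_id, field=field_name,
                  purpose=purpose, basis=basis)
        return consent

    def withdraw_consent(self, subject_id: str, field_name: str, purpose: str) -> int:
        """Mark matching active consents as withdrawn; return how many."""
        count = 0
        for c in self._consents:
            if (c.subject_id == subject_id and c.field_name == field_name
                    and c.purpose == purpose and c.is_active()):
                c.withdrawn_at = datetime.now(timezone.utc)
                count += 1
        self._log("consent_withdrawn", subject_id, field=field_name, purpose=purpose)
        return count

    def collect(self, subject_id: str, field_name: str, value: str, purpose: str) -> None:
        """Store a field only if a basis exists at the time of collection (Pt. 5)."""
        if not self._has_basis(subject_id, field_name, purpose):
            self._log("collection_refused", subject_id, field=field_name, purpose=purpose)
            raise PermissionError(f"no active lawful basis for {field_name}/{purpose}")
        self._data.setdefault(subject_id, {})[field_name] = value
        self._archive.setdefault(subject_id, {})[field_name] = value
        self._log("collected", subject_id, field=field_name, purpose=purpose)

    def process(self, subject_id: str, field_name: str, purpose: str) -> str:
        """Read a field for a purpose; the basis is re-checked on every use."""
        if not self._has_basis(subject_id, field_name, purpose):
            self._log("processing_refused", subject_id, field=field_name, purpose=purpose)
            raise PermissionError(f"no active lawful basis for {field_name}/{purpose}")
        return self._data[subject_id][field_name]

    def portable_export(self, subject_id: str) -> dict:
        """Machine-readable copy for transfer to another organisation (Pt. 6)."""
        self._log("exported", subject_id)
        return {"subject": subject_id,
                "data": dict(self._data.get(subject_id, {})),
                "consents": [{"field": c.field_name, "purpose": c.purpose,
                              "basis": c.basis, "active": c.is_active()}
                             for c in self._consents if c.subject_id == subject_id]}

    def erase(self, subject_id: str) -> int:
        """Right to be forgotten: drop live and archived copies, keep the audit entry."""
        removed = (len(self._data.pop(subject_id, {}))
                   + len(self._archive.pop(subject_id, {})))
        self._consents = [c for c in self._consents if c.subject_id != subject_id]
        self._log("erased", subject_id, copies_removed=removed)
        return removed


if __name__ == "__main__":
    store = PersonalDataStore()
    store.record_consent("subject-001", "email", "newsletter", "consent")
    store.collect("subject-001", "email", "alice@example.invalid", "newsletter")
    print(store.portable_export("subject-001"))
    print(store.erase("subject-001"), "copies removed")
```

The design point is that the consent check runs on every use, not only at collection, so a withdrawn consent immediately blocks processing, and that erasure is counted across both the live store and the archive so the response to a removal request can be evidenced from the audit trail.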

7. Incident response

Data loss prevention processes for inadvertent data breaches should include proactively detecting when, how and what data is being breached, determining the extent of the breach, and initiating an appropriate and timely response to affected parties. There are tight timelines for responses, particularly in the EU for full disclosure, including to those persons whose information has been breached.

  • Lucidity Incident, described in Pt. 1 above, supports the reporting, investigation and analysis of such incidents and the proactive actioning of the resulting issues.

These points are a critical few only, intended as an indicator of whether you are on track to manage the 2018 APP and GDPR demands.

The key is having a proactive rather than reactive approach.