Understand How Your Organisation Uses Personal Data
This factsheet is designed to help businesses reflect on how they currently use and manage personal information. It is important to be able to distinguish between personal and sensitive information, so make sure you understand that distinction first. It may also be helpful to work as a group and to consider the following guidelines:
- Map out clearly the business' processes in its collection, storage, use and disposal of personal information.
- This process should consider practical factors, such as which levels of employee can access a customer's record and the process by which that data can be edited.
- Complete an audit of the personal information held by the business.
- Discussions should also consider where the data is held (on a USB disc, an internal program, or in hard copy files) and the length of time the data has been retained.
- Write a description of your organisation’s functions and activities. Compile a list of the personal information needed to effectively carry out the business.
- The list should then expose excess data that can be destroyed securely, as well as data that is outdated or of no relevance.
- Review what information is collected, and the process for how it was collected.
- Critique the audit and descriptions.
- Ask whether the information collected was necessary and essential to the core business.
- Consider whether the business was transparent with its customers/clients about how it collected and used personal information.
- Discuss whether explicit or implied consent is appropriate in the business and the reasons why.
Other topics worth discussing include:
- Do the systems and processes currently employed for the use of personal information have inbuilt measures to ensure the data is kept private and secure?
- Does the business have security protocols in place to detect unauthorised access?
- Is there a breach alert system in place?
- Is there a process for the disposal of personal information no longer relevant or needed?
- Does the disposal process ensure that the personal information is actually destroyed, and that its security is maintained until it is?