A privacy audit is an evaluative procedure where you analyse how your business protects the privacy of anyone whose personal information you store. A privacy audit:

  • determines how compliant you are with the Privacy Act;
  • reviews the security of any personal information you store;
  • identifies potential breach risks; and
  • evaluates the efficacy of your privacy procedures.

Essentially, a privacy audit is a sort of check-up on how you deal with personal data at your business. Your privacy officer will likely lead this process. Alternatively, you can hire an external perspective to conduct this process, such as a legal professional. This person will identify areas of potential privacy risk and areas where you may not be meeting your privacy law obligations, giving you the chance to improve those areas. This article provides a guide that suggests eight steps for conducting a privacy audit.

1. Identify What Personal Information You Collect

Firstly, to determine the scope of your privacy audit, you need to identify what personal information you collect and whose. For example, you may collect personal data from:

  • staff;
  • customers and clients;
  • the public; or
  • business partners. 

Do you collect personal information online or just in person? You may collect personal data from:

  • email;
  • website cookies;
  • conversation;
  • social media; or
  • paper documents.

If you collect a lot of personal data, this can take a while to process. However, once you have a clear picture of what personal information your business collects, you can analyse how you handle it.

2. Evaluate How You Collect Personal Information

The law requires that you collect personal information in an unintrusive and reasonable way according to the circumstances. Indeed, you must do so for a legitimate reason. Therefore, you need to analyse your data collection means. Do you collect information:

  • with full consent;
  • securely;
  • only when necessary;
  • legally; and
  • while providing necessary disclosure information?

3. Determine Where You Store Personal Information

If your business collects personal data from different points, it can be challenging to track. Consequently, you may store it in multiple places, especially if you operate both online and offline. Therefore, once you have identified where you have stored all personal data at your business, you need to review how secure it is. For example, if you store particularly sensitive information, such as health information or financial details, you need to have security measures proportionate to this sensitivity. Indeed, it would be best if you also took this opportunity to throw out any data you do not use anymore.

4. Identify Who You Share Information With

When you collect personal information from people, you need to tell them both:

  • who has access to their data; and
  • who you share their data with.

You can only share personal information if:

  • that was the reason you collected it;
  • you have the consent of the person involved;
  • the law requires it; or
  • it does not identify the person it is about.

Review contracts with anyone you share personal information with, particularly overseas parties. Check that there are privacy safeguards in these contracts.

5. Evaluate Your Breach Response Plan

A privacy breach can be devastating for your business, particularly if you lose critical personal data. However, you can lessen the negative impact of a privacy breach if you have an efficient plan for handling it. Your plan should detail steps for:

  • containing the breach;
  • assessing its impacts;
  • determining its level of harm;
  • identifying what information you lost; and
  • notifying both the Privacy Commission and relevant parties where necessary.

Part of your privacy audit should be to identify risks for potential breaches. Then, you can determine ways to mitigate those risks.

6. Check Your Access Request Responses

People can ask your business for access to the personal information it holds about them and ask to correct it. Hence, in your privacy audit, you should evaluate how you:

  • respond to information access requests;
  • determine whether you should grant access; and
  • decide whether to implement corrections.

Generally, you should comply with such requests unless you have a good reason not to.

7. Check Your Business Completes PIAs

A privacy impact assessment (PIA) is a process that analyses the privacy impact of any new project or change in system at your business. You should conduct these for projects that are likely to affect the personal data you deal with. Ideally, your business should build these into the process of starting any new project to identify privacy impacts early on.

8. Review Employee Training

A further step in your privacy audit is to ensure employees know their privacy obligations within your business. Human error causes the majority of privacy breaches, so ensure that they know:

  • how to keep their transmissions secure;
  • their privacy obligations towards your customers; and
  • their own privacy rights.

Review instruction manuals and training to ensure they are up to date.

Key Takeaways

These steps are not absolute, and the contents of your privacy audit will vary according to your business. However, your privacy audit should identify how well you comply with the Privacy Act. It should also determine any areas of privacy risk within your business. If you would like more information or help with your privacy audit, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy audit?

A privacy audit is a review of your business’ privacy systems and processes. It should check that you are adequately complying with the Privacy Act and protecting your customers’ privacy.

What is personal information?

Personal information is any kind of information about an identifiable individual. For example, if you can identify a living person while using the information, then that data is personal information. Examples include names and addresses.

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.
