Deloitte Privacy Index reveals organisations could be more transparent

A national survey of how organisations handle privacy shows that 91 per cent believe they could be more transparent with consumers about how their information is used.

The Deloitte Privacy Index also reveals that financial services and government have the best privacy governance.

Deloitte surveyed more than 1000 employees of major companies and government agencies.

The highest-ranking industries were found to have a privacy officer, regular privacy training and a policy to notify third parties in the event of a likely data breach.

Deloitte cyber risk services partner Tommy Viljoen said there was some disconnect between what organisations do and what their employees want them to do.

Mr Viljoen said the focus this year was on employees because most organisations in Australia had reached a level of maturity with website privacy and security controls.


"The reality is that mobile apps are now more open and transparent to consumers, so we wanted to discover if there was any dichotomy between organisational governance practices and actual operations. And we found that there was," he said.

"An organisation may feel it has all the requisite boxes ticked and all its policies and procedures in place.

"Yet it appears that many staff members may circumvent these processes, and find what they consider to be easier ways of doing things, even if adequate monitoring processes are in place.

"To preserve and build trust, organisations need to be authentic. This requires transparency of how customer data is being managed and staff members who are fully aligned to managing the information safely and securely and so act accordingly."

Mr Viljoen told Fairfax Media that incoming breach notification laws had pushed privacy and data management higher up the priority list for most organisations.

"Obviously this varies from organisation to organisation but ultimately it will result in more accountability to deliver on the statements they make regarding compliance to privacy laws and specific claims they make in their privacy policies," he said.

"Overall the main impact is unlikely to be in areas such as policy disclosure, but more likely in areas of data management, governance and security.

"We are seeing more interest in organisations truly understanding where the data resides and how it gets there, especially when it comes to less structured systems or repositories such as email and shared drives.

"Often this is the first step towards identifying and implementing stronger controls and oversight."

Mr Viljoen said he believed financial services, government and telecommunications ranked highly because the sectors were highly regulated.

"Financial services conduct frequent privacy training. Their employees can correctly identify a privacy impact assessment and they know the process to follow in the event of a data breach," he said.

"Each of the top three sectors have employees who said they would be comfortable being consumers of their own employer's brand."