One of the many things we have learnt over the years is that clients often see privacy as a regulatory obligation that, you know, just has to be complied with. An administrative burden, an expense involving another process with protocols and public statements that you don’t really mean. We have news for you – nothing could be further from the truth.

Forget the substantial fines if you get privacy wrong (or simply don’t care), forget the interruption to business and forget the actual cost. Privacy is a business necessity. The simple business formula is:-

No/limited privacy awareness = no trust = damaged reputation = greatly diminished/no business.



It’s no longer enough to simply comply with regulatory obligations. It is now time to implement a culture of privacy.

Put yourself in your Customer’s shoes, how would you feel if your personal information was shared with the world at large? Why would anyone want to do business with an organisation that does not respect you and your personal information?



If you would like to refresh your understanding of the Privacy Principles and the requirement for a Data Breach Response Plan, have a look at the OAIC website ( and our articles (Parts 1 and 2) here:-

and here:- 



One area of privacy that flies under the radar is the issue with supply chain security. In this cloud-based world your data could be held anywhere and if the storage of records or access to data is outsourced to a third party, then your organisation could be responsible in the event of a data breach by that supplier.

Do you know how your suppliers plan to handle a data breach that involves information relating to your business? Have they had data breaches in the past? Have they a record and reputation for trustworthy services? Do you need to ensure your contracts will protect your company in the event of a breach?

Did you know that if a supplier is responsible for a privacy breach relating to your employees or customers that you could also be liable?

Consider this example…

You outsource all customer marketing automation to ‘Trust Us? Sure Can Pty Ltd’ (TUSC). A disgruntled ex-employee of TUSC who still has system access knowingly discloses your customer records to their new employer, a competitor of TUSC.

Whilst you cannot stop the disclosure after the fact, you can take steps to mitigate any damage that might occur including business interruption costs.



When you are considering any services from any supplier especially cloud services then try/insist on the following additional clauses in any agreement:-

  1. The supplier warranting it complies with privacy laws and policies;
  2. The supplier indemnifying you if there is a breach of those laws and policies;
  3. The supplier having a Data Breach Response Plan. Ask to see it and ensure if there is a breach that you are advised immediately;
  4. The supplier providing independent assurance reports or certifications to confirm it has appropriate security controls in place;
  5. The supplier allowing you to access any of the supplier’s systems and any personal information held on your behalf to be able to satisfy yourself that any privacy obligations are being complied with and information is held securely.



Andrew Millward, a Director at Risk Consultancy Firm Amstelveen, ( has some insights from a cyber security perspective.

“You may be able to outsource the storage and processing of your data, but you can’t outsource the risks. If there is a data breach, your customers won’t care if it was your fault or your supplier. When it comes to supply chain security, trust but verify is the best advice I can offer and remember, security is always a shared responsibility.”

Some indicative controls he recommends are:-

  1. Information classification and inventory – Know what sensitive data you have and where it is stored, including what suppliers have access.
  2. Data retention – For sensitive data, store only the minimum you require for the shortest period you need it with your suppliers.
  3. Encryption – Make sure to encrypt sensitive data whenever you exchange it with suppliers and never e-mail it in plain text. When sharing decryption keys, do it securely in a separate communication channel.
  4. Identity and access management – When it comes to cloud software, you are responsible for managing access so make sure user lists are up to date and integrate to identity sources where possible (e.g. active directory) so ex-employees don’t keep their access when they leave.
  5. Backups  – Don’t rely on your suppliers to keep your mission critical data safe. You should always keep a copy somewhere else (e.g. another supplier, backup service or your own storage medium).
  6. Contingency plans – Be prepared for what to do if your supplier experiences an outage, a breach or goes bust. Is there an alternative supplier you can turn to or can you bring the services in house?



 From a practical perspective, Andrew offers these tips:-

  1. Do your due diligence before providing a supplier with access to your data. For example, ask for a copy of their information security policy, check they have someone responsible for security, ask how they will keep your data secure and do some background research for any negative publicity.
  2. If you develop your own software in-house, it’s highly likely you rely on a stack of proprietary supplier software which can pose supply chain security risks too, so don’t forget them either.
  3. Know where your data is stored. Are their data centres or staff providing you services located offshore? If so, is in countries with comparable privacy laws, crime rates and sociopolitical stability?
  4. Don’t take their word for it, look for suppliers who have industry certifications (e.g. ISO 27001, PCI DSS) or can provide periodic independent assurance reports (e.g. SOC 2 Type 2) to confirm they implement best practice security controls.
  5. Evaluate security options and understand your responsibilities. Suppliers typically offer a variety of add-on services, and in the case of cloud software, configuration options to choose from. Take the time to carefully evaluate them and aligning to your level of risk tolerance. Seek advice if you are not sure on best practices and make sure to clarify what security activities you are responsible for.

Want more details? See for articles and publications on relevant technology, risk and regulatory issues faced by Australian businesses.



 Don’t forget:-

  1. Privacy is Personal. Develop a Privacy Culture from top to bottom, be that trusted supplier.
  2. Your suppliers matter. Know what data they have access to and trust, but verify they are doing the right thing.
  3. Get some legal protections in place.
  4. Don’t forget Cyber Security. Take advice from the experts (preferably now).

Remember, privacy is here to stay. If anything, the regulatory regime will become more complex and more “personal”. The sooner you show the world you value a person’s privacy, the sooner you earn the trust of your Customer.


For more information, contact Ledlin Lawyers:-


Phone:              02-8488-3389