A survey of top Australian brands, both those listed among the ASX Top 100 and those outside it, has found that 43% of the staff in these organisations are unaware whether their employers have data breach policies in place or not.
The survey, done to create the Deloitte Privacy Index, found that the worst informed companies were in the health services, education and retail sectors.
This was the third annual assessment and it found that there was a gap between what organisations do and what their employees want them to do.
Deloitte Cyber Risk Services partner Tommy Viljoen said: “In this index we wanted to see if there was any difference between what organisations and what staff members believe is occurring when it comes to protecting data and honouring customer privacy.
{loadposition sam08}"We surveyed more than 1000 employees of these top organisations, asking for their opinions of their organisation’s privacy practices, in particular their expectations of trust, complaints and information handling.
The most trusted industries in the Deloitte Australia Privacy Index 2017 overall. Courtesy: Deloitte
"One of our key findings was that 91% of organisations believe their organisation could be more transparent with consumers about how their information is used. And almost 60% of organisations believe they should do more to build trust with their employees."
The main findings of the survey were:
- Financial services have the best privacy governance and least risk taking followed by government;
- The highest ranking industries have a privacy officer, regular privacy training, and require third parties to notify them in the event of a likely data breach'
- Ninety-one percent of organisations believe their organisation could be more transparent with consumers about how their information is used;
- Fifty-eight percent of employees believe that regulatory compliance is more important to their organisation than building trust with customers (36%); and
- Fifty-nine percent of organisations believe they are neglecting to build trust with their employees.
Viljoen said the focus was on employees as consumers because most organisations have reached a level of maturity in their website privacy and security controls and policies.
“The reality is that mobile apps are now more open and transparent to consumers, so we wanted to discover if there was any dichotomy between organisational governance practices and actual operations. And we found that there was," he said.
“An organisation may feel for example, it has all the requisite boxes ticked and all its policies and procedures in place. Yet it appears that many staff members may circumvent these processes, and find what they consider to be easier ways of doing things, even if ‘adequate’ monitoring processes are in place.
“To preserve and indeed build trust, organisations need to be authentic. This requires transparency of how customer data is being managed and staff members who are fully aligned to managing the information safely and securely and so act accordingly.”
Deloitte Cyber Risk advisory director Marta Ganko, co-author of the Privacy Index, said: "We wanted to explore whether training and policies translate into compliant behaviours; and if not, what to do about it. We found that the organisations that ranked the best in terms of risk awareness and privacy protection had a privacy officer, regular training programmes, and ensured their third parties notified them in the event of a breach.
“Also the survey revealed that bundled consent, terms and conditions, or privacy policies cannot be relied on to manage information. And that 40% of the consumer/employee respondents said they only received privacy training at induction or on an ad hoc basis.
“Given this current situation of ‘could do better’, plus the future direction for organisations both here and around the world, for individuals to have greater controls over the collection and sharing of their data, our organisations have a big challenge ahead to maintain and/or build trust, develop resilience and create an environment of real consumer and business confidence.
“In Australia the Productivity Commission has called for greater controls for consumers to both manage access to and the sharing of their data.
“Such provisions already are enacted in other parts of the world, including the European Union. The two salient directives are the Revised Payment Services Directive and the General Data Protection Regulations."