It's all about the tone

As an executive leader in your agency how engaged are you with privacy?  Let’s reframe that – how engaged are you in managing the personal information that your organisation uses to provide services?

Maturity assessments exist for variety of corporate activities, including security, risk and assurance, finance and not least privacy.  They all embrace a requirement for leadership responsibility and accountability. Expectations in the latest state sector Privacy Maturity Assessment Framework include that leadership should deliver “consistent and positive messages about how privacy is everyone’s responsibility and how privacy is an enabler of public trust and quality service delivery”.  There is no secret about how influential you are as an executive leader in your organisation.  When you model behaviour through your actions and communications, your people listen and act.

In 2016 changes to the Health and Safety Act meant that directors and executive leaders became personally liable for safety in the workplace.  The result was a rapid leadership focus on employee wellbeing, ensuring that risks were identified and managed.  It’s probably fair to say that most risk registers have health and safety front and centre now. No doubt regular discussions about health and safety risks and issues are common at the top tables. There has been an appropriate shift in emphasis and consciousness motivated by law change and active executive leadership.

Agencies that are adept at managing personal information ensure oversight for privacy is integrated into the risk management organisational structure. In addition, an active three lines of defence assurance process will be evident.  How is privacy reflected in your risk profiles and discussions?  Is it seen as solely an IT issue? A security issue?  They both have connections to the management of personal information but they don’t cover all expectations and responsibilities that flow from the Privacy Act or best practice such as Privacy by Design.  Is there any oversight by your executive of how the personal information you hold is being used and disclosed?  Are there controls to detect the internal threat of employee browsing or other misuses of information? Are the controls derived from risk identification and analysis?

The technology wave has well and truly run over the top of businesses big and small and many are scrambling to ensure that systems are deployed and used safely.  A plethora of data breaches are having the effect of raising concern among clients and customers.  People are becoming more perceptive and concerned about how their information is being managed and used.  As executive leaders you will be challenged by the need to engage with new technology to provide better services to your customers.  The IT systems and structures you acquire are akin to beating hearts that improve your service capacity, and perhaps put you ahead of your competitors.  But sticking with the beating heart metaphor, what is your organisation doing to manage the life blood, personal information, flowing through these systems?

Trust and confidence in an agency and its executive leaders is today significantly influenced by the attention you pay to your customers’ personal information.  Technology structures, money and employees are assets that need active management, nurturing and care.  As executive leaders you may be in charge of bigger asset, not characterised by monetary value but perhaps more important to both you and your customers and the services that you offer.  The challenge is how well you convey this importance to your organisation. It’s all about the tone, and the tone at the top needs to be just right.