Privacy: It’s everybody’s business

CFOs Increasingly Concerned About Privacy

Consulting firm, Protiviti, recently surveyed more than 1,000 finance leaders, including CFOs, vice presidents of finance, and a broad range of finance directors and managers as part of their 2020 Global Finance Trends Survey. Representing a broad cross-section of public and privately held companies, respondents were asked to identify their top finance priorities for the year ahead.

‘Security and Privacy of Data’ ranked the highest, with 81% of Australian respondents listing it as among their major priorities.

Concerns about privacy have escalated among CFOs since COVID-19 reshaped the way many organisations operate, with many staff transitioning to Work from Home (WFH) arrangements. This is to be expected given that PII may be more prone to compromise in circumstances where accounting department staff may be accessing the company network using their own devices, or via home Wi-Fi routers that are not sufficiently secure. Furthermore, in the home context, many staff may become lax with regards to following company policies and procedures around handling, storing or transmitting data.

Following the introduction of WFH arrangements, 86% of CFO respondents expressed that their concerns around privacy have escalated, from a moderate extent up to a significant extent.

Privacy Considerations for CFOs

There are a range of considerations for CFOs when it comes to privacy. Given that finance and accounting departments are entrusted with large volumes of valuable data, they are top order targets for any financially motivated threat actor.

As an example, your Vendor Master File not only contains valuable information about all your suppliers. It also contains their banking details. On their own, banking details may not be particularly valuable for a fraudster. However, bank account information is useful data for any scammer seeking to engage in identity theft.

Typically, PII concerns itself with personal data that can be used to identify an individual. This may lead some CFOs to consider that supplier banking information is not covered by the Australian Privacy Act’s 13 Privacy Principles. However, this would be a mistake.

Consider the following:

Your Vendor Master File contains hundreds of entries for suppliers you have paid for many different types of products or services over the years. Some of those suppliers may have business names that identify the individual owner of the business. This is often the case with sole traders or smaller companies, e.g., John Citizen owns a company named John Citizen Pty Ltd.

Alternatively, many companies are owned by Family Trusts. If your supplier has invoices being paid directly into an account that is held by their Family Trust, this too can be used to identify the owner of the business.

That’s why many CFOs now treat all data in their environment in alignment with the stringent requirements mandated by the Australian Privacy Principles, irrespective of whether that data directly relates to an individual or an organisation.

APPs and Data Accuracy

The 13 Australian Privacy Principles (APPs) are the cornerstone of the privacy protection framework in the Australian Privacy Act.

The Act covers Australian Government agencies, as well as organisations with annual revenues in excess of $3 million. It also covers some additional organisations, irrespective of their revenue, such as those in the health sector, credit reporting bodies, or those contracted to provide services to the Australian Government.

The APPs govern standards, rights and obligations around:

• The collection, use and disclosure of personal information.
• An organisation or agency’s governance and accountability.
• Integrity and correction of personal information.
• The rights of individuals to access their personal information.

Under Chapter 10 of the APPs, an organisation has an obligation to take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete.

That’s easier said than done for any CFO managing a Vendor Master File containing hundreds of supplier entries. With supplier details, including banking information, regularly changing, it can be an administrative nightmare ensuring the data is always accurate, up-to-date and complete.

eftsure can help your organisation achieve, demonstrate and maintain compliance with the APPs, particularly as they pertain to your Chapter 10 obligations.

Chapter 10 specifies that there are two distinct points in the information handling cycle when you need to ensure the quality of your data:

1. At the time the information is collected.
2. At the time the information is used or disclosed.

eftsure helps you at both of these stages.

When you first collect new supplier data, we cross-check it against our database of nearly 2 million Australian organisations. This helps verify that the supplier’s information is correct. In any circumstances where the data is found to be incomplete or inaccurate, we take further verification steps.

At the time when the supplier data is being used in order to process an EFT payment, the eftsure platform undertakes a further verification in real-time to ensure the data remains accurate and has not been nefariously manipulated in any way.

We understand that maintaining compliance with the APP requires ongoing vigilance. Our secure vendor onboarding and management capabilities help you navigate the challenge of maintaining data hygiene when handling large numbers of suppliers.

eftsure helps make it easier than ever to ensure your data is accurate, up-to-date and complete.

Contact eftsure for further information about our platform and how it can help your organisation achieve, demonstrate and maintain compliance with the Australian Privacy Act.