It’s common practice for employers to take photos of staff during the course of their employment. These photos may be used for training materials, internal communications, team events, or external promotion such as recruitment campaigns and marketing content.

But it’s important to remember: a photograph is personal information, and in many cases, it can be sensitive personal information. That means enhanced privacy protections are required.

When a privacy breach occurs, organisations often consider the impacts to them rather than the impacted individuals. They assess the reputational risks around notification, compliance obligations and legal liability. But what can easily get lost in the noise is consideration for the individuals involved and the harm that has or may occur to them.

It is common for organisations to utilise many tracking technologies on their websites to monitor performance, identify user experience issues and market to individuals.

The legislative requirements for providing notice and seeking consent for tracking technologies vary.

Employee browsing or the unauthorised access and misuse of personal information is one of the most common privacy breaches according to the Privacy Commissioner. Whether it’s curiosity, misplaced helpfulness, or something more malicious, unauthorised access to personal information continues to crop up in headlines.

Most organisations typically have some insight into what information they collect indirectly from large organisations but not a full picture.

When someone mentions a Privacy Impact Assessment (PIA) is needed for your project, your first thought is probably that it’s a compliance box to tick—and likely a delay waiting to happen.