Communicating Professionally

It is important that you understand the requirements for how we handle, store and share information that is considered confidential. For any organisation, policies that set the standard for keeping information confidential are important. Information needs to be managed within the workplace and may be subject to confidentiality based on such policies. 

• Privacy: This refers to the right of individuals to have some sort of control over how their personal information is collected, used and shared.
• Confidentiality: It is our duty to keep personal and restricted information secret.

Respecting the privacy rights of a client involves: 

1. Establishing and respecting professional boundaries 
2. Ensuring that you are clear about the information that should be both respected and treated as confidential 
3. Keep notes separate from relevant individuals 

The workplace should have a confidentiality agreement to ensure that a customer’s personal information is only shared with appropriate personnel or where they give consent. Personal Identifiable Information (PII) Personal Identifiable Information is commonly defined as any data that can be used to identify a specific person. This information can be sensitive information or non-sensitive information. Sensitive information is information that, when shared with an unauthorised party or one that is not protected properly, could cause harm to an individual. A common example is identity theft. Personal Identifiable Information includes: 

1. Names 
2. Addresses 
3. Emails 
4. Birthdates 
5. Medical records 
6. Credit card numbers 
7. Financial statements 
8. Passport numbers 
9. Social security numbers 
10. Drivers licenses 
11. Vehicle plate numbers 
12. Biometric data such as handwriting, fingerprints and photographs 

Classification of Information  

As we discussed earlier, Personal Identifiable Information can be sensitive or non-sensitive. An organisation’s best practice when handling information is to classify information into three separate categories:

• Public data
• Private data
• Restricted data

Let us take a closer look at each classification.

Sets of data should be categorised according to the highest level of data that is accompanying the data set. 

Note: A set of data that includes an individual’s name, date of birth, workplace and social security number should be classified as restricted since the social security number falls in the restricted data classification.

Handling Information  

Every organisation will have its own process and stages regarding handling information, from collecting information to the time it is not needed and disposing of it. 

This process includes: 

Collect, Create and Receive   

• Define the data and source 
• Determine the required data and how it will be collected 
• Receive and interpret the data and transform it into information 
• Follow the correct practice when collecting personal information 

Organise and Store 

• Determine the format. How will the data be represented in the information system? 
• Categorise the info so that it is easily understood 
• Store the information in an appropriate location, such as shared drives, intranet or other secured company databases 
• Follow security guidelines for storing information 

Use and Share

• Send and receive information through channels and formats. This should be appropriate to the message, purpose, and user needs. 
• Follow legal and organisational requirements for using, maintaining and sharing information. 
• Protect and restrict access to personal, confidential and classified information.

Dispose 

• Dispose of information that is no longer required for legal, business or operational purposes 
• Destroy any confidential information 
• Archive info as needed

Note: Any document that contains customer information, such as name, address, contact information, social security numbers, etc., must be destroyed properly into a shredder or a secured shred bin.

Australian Privacy Rights   

Laws and regulations that have been created by government bodies outline how organisations will protect the confidentiality of information. The Office of the Australian Information Commissioner outlines the Australian Privacy Principles (APP) that apply to any organisation or agency that the Privacy Act (1988) covers. There are 13 Australian Privacy Principles, and they govern the standards, rights and obligations around (OAIC, 1988): 

1. The collection, use and disclosure of personal information 
2. An organisation or agency’s governance and accountability
3. Integrity and correction of personal information 
4. The rights of individuals to access their personal information

The list below is a quick reference guide to the Australian Privacy Principles. It references each privacy principle and what it covers. 

A Summary of Australian Privacy Principles  

1. Open and transparent management of personal information Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date APP privacy policy. 
2. Anonymity and pseudonymity require APP entities to give individuals the option of not identifying themselves or of using a pseudonym. Limited exceptions apply. 
3. Collection of solicited personal information Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information. 
4. Dealing with unsolicited personal information Outlines how APP entities must deal with unsolicited personal information. 
5. Notification of the collection of personal information Outlines when and under what circumstances an APP entity that collects personal information must notify an individual of certain matters. 
6. Use or disclosure of personal information Outlines the circumstances in which an APP entity may use or disclose personal information that it holds. 
7. Direct marketing An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. 
8. Cross-border disclosure of personal information Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. 
9. Adoption, use or disclosure of government-related identifiers Outlines the limited circumstances when an organisation may adopt a government-related identifier of an individual as its own identifier or use or disclose a government-related identifier of an individual. 
10. Quality of personal information An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. 
11. Security of personal information An APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. 
12. Access to personal information Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies. 
13. Correction of personal information Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals. 

Resource  

Australian Privacy Principles quick reference  ¹⁸

Since the APP is a principle-based law and it gives us the flexibility to tailor our information handling practices to our specific business models and the diverse needs of individuals. A breach of an Australian privacy principle is a direct interference with the privacy of an individual and can lead to regulatory action and penalties. 

Note: Our main goal is to protect the privacy of the individuals we serve and to hold a good reputation in doing so.

Data Classification  

Complete the following activity making sure to keep notes for your future reference, as this information will support you in your assessment and professional practice. 

In your own work document or workspace, Create a table like this one:

Review the data sets in this section and categorise them to their correct data classification. Are they public Data, Private Data OR Restricted Data? 

• First name, last name, zip code and date of birth
• Financial records
• Place of business
• First name, last name and social security number
• First name and last name
• First name, last name and date of birth
• Credit card numbers
• Zip code
• Date of birth
• Business phone number
• First name, last name and email address
• First name, last name, business phone number and personal email address

Within an organisation, the policy outlines the principles of what will be done. The policy document states the principles behind the organisation's views on specific subjects. For example, the organisation's vision sets the overall culture; then the specific policies build on that for a specific area. An organisation may have a privacy policy and document management policy, and so on, yet both will relate to the organisation's vision.

Procedures are related to a policy. They set out how the organisation wants things done, generally concerning a policy area. For example, a machine's Safe Operating Procedure (SOP) will relate to the Safety Policy. There may be a procedure on how the organisation manages its paper waste and a separate one for liquid waste – each of these procedures will relate to the Sustainability/Environment policy.

Policies and procedures are generally set, so everyone knows what they are. Often the organisation has a system to store these documents (such as electronically on an intranet or hard copies in a folder held locally) and also a system to check that the documents are current and valid. They are often reviewed regularly (annually in most cases); new policies/procedures follow the same format as all others within the organisation.

Procedures formats can vary from wordy documents that explain the procedure to graphical documents using flow charts and diagrams to explain what needs to be done. A Safe (or Standard) Operating Procedure (SOP) is also a procedure.

How each organisation formats such documents also varies, as does the terminology with the document. Some may talk about 'Goals' and 'Objectives'; others may view these as the same thing. However, most organisations have accepted templates for developing policies and procedures. The critical aspects are that:

The document is 'fit for purpose', that is, suited to what and who it's designed for. So, for example, it may be best to create a flow chart to explain the number of steps that must be taken instead of words.

The document meets the organisation's requirements. In many cases, the documents will become part of the way things are done and are therefore subject to audit and review requirements of the organisation. If tools and templates are available, these should be used. (If the current tools and templates are unsuitable, then the due process needs to be completed to add the new template to those available).

Policies and procedures may be separate documents, but they are also interlinked. For example, the organisation may commit to addressing environmental issues; part of this may be developing suitable policies and related procedures. Alternatively, the policy may have been developed at a higher level, and as part of its implementation, the relevant procedures must be developed and circulated. 

Examples of policies and procedures affecting communications may include:

Communication Policy and Procedures  

Stipulates the channels of communication for use in the organisation, determines their intended purpose, and the roles and responsibilities of staff in accessing and using them.

• Acceptable use of Communication channels 
• Communication Objectives
• Communication Channels
• Communicating Confidential information 
• Compliance with policy
• Meeting Etiquette and process.
• Non-acceptable use of Communication channels
• Use of email
• Use of Intranet

Confidentiality Policy and Procedures  

Ensures confidentiality is maintained concerning both organisational and client information where necessary. Can relate to:

• The definition and nature of confidential information
• Defining the roles of people handling confidential information.
• Collection of confidential information
• Access to confidential information
• Disclosure of confidential information.

Document Management Policy and Procedures  

Defines the organisation's approach to developing, reviewing, naming and controlling all documents, including tools, forms, resources, policies and procedures. Can include: 

• Document Storage and Development
• Document Development and Reviews
• Document Approval
• Document Development
• Document Approval
• Document Storage
• Saving Approved Versions
• Version Control

Privacy Policy and Procedures  

Designed to ensure that the organisation collects, stores, and secures personal information it holds on individuals meets the legal requirements of the Australia Privacy Act 1988 and its associated Australian Privacy Principles:

1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government-related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information.
    Can relate to:
    • Access to and correction of records
    • Amendment to records
    • Collection of information
    • Complaints about privacy
    • Disclosure of information
    • Email marketing
    • Storage and use of information
    • Privacy notices
    • Request to access records

Information Technology Policy and Procedures   

Defines how an organisation's computers, information and technology are used. This policy ensures that emails, internet usage and other electronic communication are properly used at all times and that the organisation is protected from actions of fraud, error, defamation, discrimination, harassment and privacy violation. Can relate to:

• Acceptable use of systems 
• Accessing cloud-based storage systems
• Accessing software programs 
• Computer login and accessing the computer system
• Confidential information 
• Compliance with policy
• Email use and access 
• Liability 
• Monitoring 
• Non-acceptable use of systems 
• Resolving equipment faults
• Storage of information 

More examples 

For more information about policies and procedures and example documents and templates you can use, visit the website of the fictional company CBSA (Complete Business Solutions Australia). CBSA is a simulated online business that supports you to become workplace-ready. 

Organisations need to address privacy on various different levels, from handling employee data to the use of mobile devices and the treatment of customer information. Having the right policies in place can make all the difference. In this section, we will review tips for creating policies for your organisation.

Developing Policies   

Creating a privacy policy should be a simple process. If the information is too complicated, it may lead to misinterpretation of the information, and that is the last thing you want when dealing with policies and regulations.

You will want to be sure to:

While policies regarding confidentiality and privacy are likely to be similar between organisations, each workplace may differ in its approach to meetings, negotiations and presentations. Keep in mind that while privacy and confidentiality policies are relevant in these settings, there may be additional policies or procedures in place as well. Below are some examples of items that may be present in meetings, negotiations or presentation policies: 

• Team leaders to chair and conduct negotiations 
• Which employee or director is to chair formal meetings 
• Presentations to important clients to be conducted by team leaders
• Relevant department heads to be present in supplier negotiations, meetings and visits

Additionally, an organisation may include some of the following items in these policies to encourage participation and professional growth:

• Regular team sales meetings are chaired by a different person each week
• Monthly presentations showcasing each department’s wins
• Junior team members to be present during negotiations and de-brief with their managers afterwards

Case Study Jillian

Jillian works for an insurance company handling customer accounts.

Every week Jillian is required to take all of the paper applications that customers have completed with their personal information and enter the customer data into the secure database before disposing of the paper documents.

This week Jillian is going out of town in the morning and wants to get home early to finish packing for her trip.

After she finishes entering customer information into the company database, she takes all of the paper applications and throws them in the trash can.

Jillian is glad she got her work done in such record time; she can now get home and finish her packing for her trip.

Answer the following questions n your own work document or workspace for your future reference, as this information will support you in your assessment and professional practice. 

1. Was this the proper way to dispose of the documents?
2. What process should have been followed?

When it comes to communication, ethics enhances credibility and improves the decision-making process, which also allows us to communicate with a basic understanding of what is expected in the workplace. The same level of understanding in ethics applies to all forms of communication, including verbal, written and digital. 

Codes of ethics are important in any organisation. They benefit both the workplace and individuals by:

• Reinforcing the organisation’s standard of conduct
• Reminding staff of ethical issues and correct
• standards
• Identifying practices that are and are not allowed
• Allowing leaders, managers and others to share
• Experiences and ideas about what is and is not an
• Ethical position
• Developing a shared culture based on ethics and
• Accountability

Stakeholder Mapping  

As a manager, you may need to deal with external and internal stakeholders.

• Internal stakeholders are usually those that are within the business, such as employees and managers
• External stakeholders exist directly outside of the business, and they are not affiliated with the business

Stakeholder mapping allows you to identify key individuals and target groups to then meet the objectives of the company. As a manager, you will need to present various types of information. It is important to recognise your stakeholders to then know the most appropriate way(s) to present this information. 

The following types of stakeholders are included below:

• Apathetic Stakeholders: Have low interest and low power and should be monitored by the project manager. 
• Latent Stakeholders: Have low interest but high power; they are those who need to be satisfied by the outcome of the project. 
• Defender Stakeholders: Have high interest and low power; they are individuals that support the project.
• Promoter Stakeholders: Have high interest and high power; they have the capacity to promote the project, such as marketers.

External Stakeholders   

Use your own organisation or an organisation that you would be interested in working for, and think about who their external stakeholders might be. 

In your own work document or workspace, keep notes for your future reference, as this information will support you in your assessment and professional practice. 

List five external stakeholders of the organisation you are interested in.

Use the following questions to check your knowledge.