Published on the 13/05/2026 | Written by Heather Wright
Good privacy governance isn’t accidental…
Privacy and data security oversight doesn’t require boards or senior leaders to be technical experts, but it does require clear accountability, regular scrutiny and confidence that personal information is being handled appropriately.
That was the message from governance, tech and legal experts during a New Zealand Privacy Week privacy and data security session focused on how organisations manage personal information in practice, particularly when resources are constrained and operational complexity is high.
“We wouldn’t ignore our finances. I think we need to think about privacy in the same way.”
While the session was aimed at not-for-profits, the privacy and data security issues raised – from access control to incident response – apply equally to other organisations.
Leadership and governance consultant Jo Cribb says boards frequently underestimate the extent and sensitivity of the personal information their organisations hold, including client case files, donor records, staff files and even information relating to health, children and family circumstances.
“From a governance and leadership perspective, you don’t need to be a technical expert. But we do need to ask the right questions and get assurance that actually, we are looking after the data and information incredibly well,” Cribb says.
She likens privacy oversight to financial oversight, noting that boards routinely scrutinise accounts and funding use, and should apply similar rigour to privacy and data – something that is often the engine enabling organisations to run and have impact.
“We’re really interested in terms of what’s happening with our accounts and how we’re using our resources. We wouldn’t ignore our finances. We need to think about privacy in the same way.”
Privacy, she says, should not be ignored simply because organisations are busy keeping the lights on or operating with limited capacity.
The questions leadership expects tech to answer
From a governance perspective, Cribb outlined a set of questions boards should be asking – the same questions CIOs, heads of IT and security teams are being asked to answer:
- What personal information does the organisation hold?
- Where is that information stored?
- Who has access to it and why?
- Are staff and volunteers aware of their responsibilities?
- What happens in the first hours after a privacy or security incident?
Cribb says boards should be demanding visibility of privacy incidents and near misses and should receive regular reporting on privacy matters – with it on the agenda at least once, if not twice a year – rather than relying on ad-hoc updates when something has gone wrong.
Where everyday tech decisions create privacy risk
Anthony McMahon, Lancom chief customer officer, says many privacy incidents are not the result of sophisticated cyberattacks, but of common technology practices that organisations have normalised.
He highlighted shared log-ins as a well-intentioned practice which is creating privacy risks, particularly in organisations that rely on volunteers or have high turnover. Generic email accounts and shared system credentials make it difficult to control access when people leave and remove visibility over who has accessed information. While shared log-ins can feel convenient, they also create a single point of failure and significantly increase exposure.
He also warned about the use of spreadsheets to store sensitive personal information, particularly when access is broad or files are tied to individual user accounts, raising the potential for data to be lost when someone leaves an organisation and accounts are deleted. In other cases, information remains accessible to people long after their role has ended.
Louisa Joblin, principal at Moran Law, says she’s seen cases where spreadsheet data has been ‘weaponised’ by disgruntled former staff, creating ‘big issues’ for the organisations involved.
Minimum controls, maximum return
McMahon outlined a baseline set of technical controls organisations should be working toward. These included individual user accounts, multi-factor authentication, particularly for administrator accounts, and role-based access to ensure people can only see the information they need.
“Do people you’re bringing in need access to all your data or do they just need a very small subset? Don’t give them everything by default,” he says, noting it is a ‘simple mistake’ he sees a lot of organisations – not just not-for-profits – make.
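As an added example (not from the session or from any of the speakers), the kind of access review a privacy officer could run over an account register to surface the issues McMahon describes: shared log-ins, access retained after a role has ended, administrator accounts without MFA, and access beyond what a role needs. The account structure, the role-to-dataset map and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

@dataclass
class Account:
    username: str
    holders: List[str]          # people who use the credential; more than one = shared log-in
    role: str                   # volunteer, caseworker, finance or admin
    role_ended: Optional[date]  # None while the person is still in the role
    mfa_enabled: bool
    datasets: Set[str]          # datasets the account can read

# Least-privilege baseline: what each role legitimately needs (constructed assumption).
ROLE_NEEDS = {
    "volunteer": {"events"},
    "caseworker": {"events", "client_files"},
    "finance": {"donor_records"},
    "admin": {"events", "client_files", "donor_records", "staff_files"},
}

def review_accounts(accounts, today):
    """Return (username, issue) pairs for the register as at `today`."""
    findings = []
    for a in accounts:
        if len(a.holders) > 1:
            findings.append((a.username, "shared log-in: no individual accountability"))
        if a.role_ended is not None and a.role_ended < today:
            findings.append((a.username, "access retained after role ended"))
        if a.role == "admin" and not a.mfa_enabled:
            findings.append((a.username, "administrator account without MFA"))
        excess = a.datasets - ROLE_NEEDS[a.role]
        if excess:
            findings.append((a.username, "access beyond role: " + ", ".join(sorted(excess))))
    return findings

# Constructed sample register, not real accounts.
SAMPLE = [
    Account("info@example.org", ["Ana", "Ben"], "volunteer", None, False, {"events", "client_files"}),
    Account("ben", ["Ben"], "caseworker", date(2025, 11, 30), True, {"events", "client_files"}),
    Account("cara", ["Cara"], "admin", None, False, {"events", "client_files", "donor_records", "staff_files"}),
    Account("dev", ["Dev"], "finance", None, True, {"donor_records"}),
]

def sample_findings():
    return review_accounts(SAMPLE, date(2026, 5, 13))

if __name__ == "__main__":
    for user, issue in sample_findings():
        print(f"{user}: {issue}")
```

Run against a real export, the output is the list a board could ask to see at its regular privacy report: which accounts are shared, stale, unprotected or over-permissioned.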
He also discouraged attaching sensitive information directly to emails, instead recommending sharing links to files stored in systems that enforce access controls.
“That way, if it accidentally goes to the wrong person, I’ve already set the permissions. They could click on the link, but they’re not going to get access,” he says. “It takes it away from being a privacy breach to a simple ‘whoops, we sent an email to the wrong person’.”
Best practice extends to areas including getting NFP licensing from the likes of Microsoft and Google, knowing who to call when something goes wrong – an issue he sees for commercial organisations as well as NFPs – and never using ‘free’ versions of tools such as ChatGPT, Copilot or Gemini. “The data you’re putting in there is being used to train the AI models themselves, so don’t use the free ones. If you have to, don’t put any personal or sensitive data from your organisation in there.”
Policy as an operational control, not a checkbox
Joblin noted the need for privacy policies which reflect how organisations actually operate, rather than existing solely to meet compliance requirements.
“It’s not meant to be a tick box exercise where you just put up a policy on your website and say we do these things and now we’ve complied,” she says. “It’s actually a real opportunity to work through how you collect, handle, store, use and disclose. Let’s communicate that in a language that works for our organisation and communicates our brand and commitment to our people.”
From a governance perspective, Cribb encouraged boards and leadership teams to ensure policies are understood by all staff and volunteers and followed in practice, not just approved and filed. This includes asking whether staff and volunteers have been trained, and whether day-to-day behaviour aligns with written standards.
She also urged attendees to ensure their organisation has a privacy officer – “if you don’t have one, create one at your next board meeting” – and ensure you’re getting regular reports from them, including whether they’re getting the support and everything they need in order to implement the policy.