In the age of Wikileaks, Edward Snowden’s revelations about the USA’s National Security Agency spying activities and phone hacking scandals galore, comes Australian law reforms that compels organisations to develop a policy around the collection, storage and retrieval of confidential information and report data breaches when they occur. But are Australian organisations ready for the legislation?
Compared to technology, legislation moves at a glacial pace. Parliament needs to balance the practicalities of implementing a new law against the need for legislation, then there’s the process of asking for stakeholder input, and the subsequent debate and deliberation that occurs before the Bill comes into effect.
The Privacy (Enhancing Privacy Protections) Act 2012, due to commence on 12 March 2014, is on-trend with results from a survey conducted by the Office of the Australian Information Commissioner (OAIC) last year that revealed Australian attitudes towards online privacy. A majority of Australians (60 percent) indicated they had declined to deal with a company due to concerns regarding how their personal information would be used. It seems their concerns are well founded, with data breaches a common occurrence.
Privacy in principle
When the privacy amendments come into effect, organisations will need to adhere to the new Australian Privacy Principles, which cover how entities must collect and hold personal information; the purpose for which they may collect information; how individuals may access and seek correction of their information; how individuals may complain about privacy breaches; and what to do if an entity is likely to disclose personal information to an overseas recipient. The fine for non-compliance is up to $1.7 million per organisation, or $340,000 per individual.
Rob Livingstone, a fellow of the University of Technology Sydney Faculty of Engineering and Information Technology, who also runs his own IT advisory practice, says the amendments show the law has taken community attitudes seriously. It will also help organisations refocus on what controls they have, including checking whether their software security controls and measures are up to a standard that would be defensible.
Michael Toms, ANZ Regional Director of information security company Clearswift, says good policy can’t be broad; it needs to detail what information the organisation will collect and why. “If you have a clear policy and procedure on how you’re going to deal with a person’s information or another entity’s information, if you can cover that in a meaningful way, I think you’re on a very good path.”
Despite the time it has taken for the privacy amendments to come to fruition, however, it turns out that there is still a significant portion of Australian organisations that are in the dark about the law. According to research conducted by Clearswift, 35 percent of Australian businesses and 73 percent of IT decision makers are unaware of the changes and what they might mean for their information gathering, storage and retrieval processes.