The Australian privacy landscape will go through significant change from March 2014, following the Australian Government passing the Privacy Amendment (Enhancing Privacy Protection) Act 2012, at the end of 2012.
The Act contains new, and at times vague, security requirements which may put organisations at heightened regulatory risk for some time.
The most significant changes to be aware of are:
• A new set of Australian Privacy Principles (APPs) comes into force
• The Australian Information Commissioner has enhanced powers
• Credit reporting laws have been changed.
Although the majority of the Act comes into force in 2014, some provisions relating to credit reporting have been in force since December 2012.
The Privacy Act continues to bind the same set of organisations as before, which generally includes most Government and many private-sector organisations. The big issue for many businesses, however, is that historically privacy is not something that has necessarily been high on the radar as the Act has not carried significant penalties. The new changes to the Privacy Act represent an escalation in privacy-related risk and are likely to influence a shift in spending. This doesn’t necessarily mean that organisations are going to go spend a lot of money preparing for changes to the Act per se; however, some funds might be reallocated or privacy might be a topic that gets greater boardroom focus.
In the lead up to the recent Gartner Security & Risk Management Summit in Sydney, Gartner carried out market research that indicated that businesses are starting to take notice, rating privacy as a higher priority that it has ever been before – it was in the top three focus areas. While promising, we also know that many are still very under prepared for the changes to the Privacy Act. In the event of a significant complaint, an organisation that is unable to quickly demonstrate a program for compliance to the Act may experience a painful investigation and penalty.
To help matters, the Office of the Australian Information Commissioner (OAIC) is developing comprehensive guidance on many new aspects of the Act. Although some of it is still in draft form, this guidance provides greater clarity for businesses to understand the requirements needed to comply.
What is obvious though, is that complying with these new and complex privacy concepts creates an added burden for companies, and risk-averse organisations should start preparations as soon as possible.
Avoiding complexity
The new definitions and other provisions in the Privacy Act are necessary to maintain its relevance to recent technologies and public expectations. However, they do add further complexity. Some of these new elements are significant, such as a new APP that restricts the use of personal information with respect to direct marketing, whereas others are more subtle, but may in time carry side effects that are not yet obvious, such as an updated definition of ‘personal information’.
These changes, coupled with privacy reforms in other countries, are generating a global regulatory environment that is changing quickly. These complexities, and their interplay with disruptive technologies such as cloud computing, mean that a specialist role that can understand the legislative, commercial and technical implications, as well as solve associated problems, is almost essential in large organisations. Assigning an unskilled person to be a privacy officer, merely for the purpose of deflecting customer complaints, for example, is unlikely to adequately serve the future needs of the organisation.
It is also important to ensure that all staff members are aware of the implication of the Act and adjust their practices accordingly. This may require a training program to reiterate safe practices. For example, the combination of Principles 5 and 8 place a high degree of onus on organisations regarding migration of information. A breach of this principle might occur if a mobile phone or unprotected USB storage device containing another person’s sensitive information was lost while on an overseas trip, thus exposing the information to an unauthorised person in another country. READ MORE