Peter A Clarke

There has been the occasional article on the upcoming amendments to the Privacy Act and their impact.  Less than the changes deserve.  I have been posting on this issue since the Enhancing Privacy Bill was passed in December last year.  I have been giving seminars on aspects of the changes in particular regarding the credit provisions and compliance with the APPs.  Given the significant new enforcement powers that will soon be available to the Privacy Commissioner it is surprising that there has not been greater urgency by organisations covered by the Privacy Act to get their privacy house in order.  With penalties of up to $340,000 for individuals and $1.7 million for corporations the cost of compliance should fade into insignificance against the possibility of being at the wrong end of a civil penalty proceedings.

The Australian Financial Review in How to prepare for the incoming data privacy law looks at some of the things that should be done to get compliant with the incoming changes.

It provides:

One of the strangest requests a lawyer gets is “We’re setting up a new business. Do you have a standard privacy policy you can send us?”

Beyond some basics and generic guesswork, how do we know what personal information they’ll be collecting, and how and why? How do we know how they’ll hold it or who they’ll disclose it to? How could a standard document say much that’s meaningful about the practices of any particular business? It’s like asking your accountant “Do you have a standard tax return I can lodge?”

With a national enhanced privacy law kicking in on March 12, many businesses are leaving it very late for an effective response to their obligation to take reasonable steps to implement practices, procedures and systems that ensure compliance with the new Australian Privacy Principles.

Step one

The first step is to audit and understand what personal information your enterprise collects and holds, how it collects and holds it, and what it does with it. Since privacy law is all about personal information in records, and those records are almost always on computers these days, your information audit will necessarily focus on the servers, desktops, phones, pads, notebooks and cloud services that power the business, and the people who use them.

For years now, we’ve had a practice of setting up a dedicated data folder on any server, desktop and notebook in our care. Anything in the nature of a business record goes into that folder, or rather a sub-folder within it. Whenever new software wants to tuck files away in some obscure corner, we point it back to the designated data folder. Windows and Mac computers both think it’s helpful to store data by default in personal storage areas buried deep within their hard drives. Have none of it. Know exactly where all your records and files are located. Not only does it make back up much easier, it gives you a fighting chance of answering the question “What’s on this three-year-old machine, anyway?”

If you’re serious about complying with the Privacy Act’s demands that you know what you’re holding, understand what you do with it, and are transparent with the outside world about those things, somebody needs to take charge of the data audit. At the same time, somebody else should be surveying staff about the records they need to capture, and why. If there are substantial chunks of personal information disclosed by the technology audit that aren’t explained by any need reported by the team, you may have identified data that’s unnecessary, and the Privacy Act has something to say about collecting or retaining that.

Errors of the past

Your audit will turn up personal information that’s plain stale. In the age of unlimited storage, it’s so easy to retain material going back years, and for no good purpose. When Telstra was caned for one recent privacy breach, the information wasn’t something it should even have been holding any longer, let alone leaving forgotten on a third party’s server. Your personal information audit needs to extend to current and past service providers that may be holding records on your behalf.

It’s also worthwhile learning advanced Google searching so you can carry out targeted searches on your own websites. In another Telstra gaffe, an internal customer database was accidentally opened up to Google and duly indexed so that the world could find and query it. If you don’t know how to do an advanced Google search, just google “advanced google search”. Then query your sites for names and terms that should not return any results. You don’t need a network security guru to get some comfort that your web server isn’t broadcasting your customer records.

An information audit may disclose that you’re not even covered by the Privacy Act.

If your annual turnover is under $3 million, you don’t deal with certain types of data and you don’t engage in certain practices, the act doesn’t apply.

In that case, don’t publish a “standard” privacy policy that asserts that Bill’s Biscuits is bound by the Privacy Act and complies like a star. In fact, the Information Commissioner and the Australian Competition and Consumer Commission would find many current policies disturbing reading, given how many are “standard” documents that bear little relation to the actual privacy practices of the business concerned.

For an instance of a privacy policy that shows all the hallmarks of a good technology and business audit, highly tailored to its actual practices, check out Telstra’s. But copy their process, not their document.

As far as it goes it is a reasonable very broad introduction to the subject.