Australian article on changes to the Privacy Act

January 22, 2014

The Australian, in Industry in dark on privacy law (found here, behind the paywall), reported on 21 January 2014 on the poor state of preparedness of many organisations for complying with the amendments to the Privacy Act, which come into force on 12 March 2014.

The article provides:

Half of all organisations are not even aware of amendments to the Privacy Act that could see fines of about $1.7 million imposed when they come into effect next month.

IT vendors and privacy advocates hope the startlingly low awareness figure will shock corporate Australia and smaller players into action.

“Fifty per cent of organisations in Australia don’t even know about the legislative changes,” Capgemini Australia testing services director Shane Lonergan said. “It’s across the board from tier-one to tier-two organisations … they’re major players (in the dark).”

He said only about 25 per cent of organisations were “doing something about it”. Mr Lonergan singled out the finance industry as “doing a lot to be compliant”.

The new privacy laws apply to all businesses that turn over more than $3m a year and which collect personal data. This covers online retailers, tech start-ups, large corporations and all federal government departments and agencies.

Agencies and companies can be fined $1.7m and individuals $340,000 for serious or repeated invasions of privacy.

Currently, if company A collected personal information from a consumer and wanted to share it with company B, the only obligation on company A was to state in its privacy policy that it would share the information with a third party.

The new laws mean the obligation also falls on company B to contact the consumer and let them know how they plan to use their data.

DLA Piper intellectual property and technology partner Alec Christie told The Australian last month that 50-60 per cent of corporate Australia would not be compliant by March 12.

Mr Christie urged organisations to undertake a “mini privacy audit” and “look at what they collect, how they collect it, what purposes they use it for, how long they keep it”, and map the findings against Australian Privacy Principles.

“I think most of them will find at least one of those scenarios is contrary to what their obligations are,” Mr Christie said.

Australian Privacy Foundation health sub-committee chair Juanita Fernando said the Act meant different things to different people.

“Not only do private organisations not know about amendments to the Privacy Act, each of them interpret it differently in real life too. And they do not understand how to apply the Act to business,” Dr Fernando said.

“Industry and governments simply behave as if it is their right to collect and mine big data – they are not philosophically prepared to think of personal data as linked to actual people … it is all simply a technical, number-crunching concern.

“Privacy rights are subject to machine logic with the technological revolution (and) people and policies work to machine capabilities rather than human ones. The entire issue is a debacle that governments cannot manage effectively worldwide.”

Australian Privacy Foundation vice-chairman David Vaile said the 50 per cent figure was consistent with what he had heard from the compliance and regulatory community.

Mr Vaile said one reason for the ignorance could be attributed to the low profile of the Privacy Commissioner’s office, coupled with the fact that it has been absorbed into the Office of the Australian Information Commissioner.

The Privacy Commissioner has in the past been likened to a toothless tiger. Mr Vaile said that “compared with competition regulator the ACCC, or the Australian Securities & Investments Commission that are often in the news for having made substantial decisions, one of the concerns with the practice of the Privacy Commissioner’s office is that they rarely make any actual determinations.

“Because that doesn’t happen so much business has been lulled into a false sense of security,” he said.

Dr Fernando said there was enormous ignorance of the issue across healthcare, which isn’t penalised for misuse. “Patients that experience privacy breaches point out doctors and other clinicians as well as executive staff from health organisations are confused when patients complain about a breach of privacy,” Dr Fernando said.

“The personnel evidently often ride roughshod over patient privacy rights and don’t understand the nature of complaints as the patient that presents to them is ‘treated’. They do not understand or have even heard of Privacy Impact Assessments at all.”

Authorities tended not to label patient breaches as significant, she said. “Those patients that can prove financial loss from the breach litigate as individuals, generally signing out-of-court agreements which exchange patient silence for ‘out-of-court’ agreements,” Dr Fernando said.

“They tend to represent themselves as the patients often have limited access to resources. Moreover, no penalty looks at organisational learning with remedial staff training so the breach will not reoccur.”

DLA Piper’s Mr Christie said the new laws meant corporate Australia must have a complete change in attitude towards consumer privacy.

But experts agree that many organisations don’t know where to start with mini-audits. The gap has created an opportunity for local vendors like start-up Enov8, which has developed an automated data security profiling solution for privacy purposes.

The patented technology could “point, shoot and discover” personally identifiable information, Enov8 spokesman Nick Finlayson said.

“Up until now the only real way to discover PII is a manual process and it’s subjective,” Mr Finlayson said. “You have to ask companies or their employees where they think such data resides. But this technology can instantly discover the data in all company databases.”

He warned that organisations that tended to use “production” or real-life data in a test environment would have to change their ways come March: “You won’t be allowed to use production data in testing and development environments.”

He challenged any chief information officer to declare that their testing environment was 100 per cent free of production data. Capgemini has partnered with Enov8 to market the latter’s product globally.
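The two practical points in the article, automated discovery of personally identifiable information across databases and the continued use of production data in test and development environments, are easier to reason about with a concrete illustration. The following is an added example and is not code from The Australian, Enov8 or Capgemini; the article does not describe how Enov8’s patented product works, and the approach below is an independent one. It profiles every text column of a database against a few classifiers (email, Australian mobile/landline, Tax File Number with the public ATO check-digit test so that arbitrary nine-digit numbers are not flagged), reports the columns where most values match, and then builds a test copy in which those columns are replaced with keyed, deterministic pseudonyms so that joins still work without real customer data leaving production. The schema, the rows (fictional people), the classifier thresholds and the masking formats are all assumptions made for the example; a real “mini privacy audit” would extend the classifier set to whatever data classes the organisation actually holds.

```python
"""Added example: column-level PII discovery over a database and masking of the
flagged columns to build a test copy.  All data here is constructed; the schema,
classifiers and thresholds are assumptions for illustration only."""
import hashlib
import hmac
import re
import sqlite3

# Constructed sample rows (fictional people).  Carol's TFN fails the check digit
# on purpose, to show that the classifier does not flag every nine-digit string.
CUSTOMERS = [
    (1, "Alice Example", "alice@example.com", "0412345678", "123456782"),
    (2, "Bob Sample", "bob@example.org", "02 9876 5432", "876543210"),
    (3, "Carol Test", "carol@example.net", "+61412000111", "999999999"),
]


def tfn_checksum_ok(value):
    """Public ATO check-digit test for a 9-digit TFN: weighted digit sum mod 11 == 0."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        return False
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


# Each classifier answers "does this single value look like this kind of PII?"
CLASSIFIERS = {
    "email": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", v) is not None,
    "au_phone": lambda v: re.fullmatch(r"(?:\+61|0)[2-478]\d{8}", re.sub(r"[\s-]", "", v)) is not None,
    "au_tfn": tfn_checksum_ok,
}


def discover_pii(conn, threshold=0.6, sample=1000):
    """Profile every column of every table; flag (table, column, kind, ratio) when at
    least `threshold` of the non-empty sampled values match a classifier."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?', (sample,)
            )
            values = [str(r[0]) for r in rows if str(r[0]).strip()]
            if not values:
                continue
            for kind, match in CLASSIFIERS.items():
                ratio = sum(1 for v in values if match(v)) / len(values)
                if ratio >= threshold:
                    findings.append((table, col, kind, ratio))
    return findings


def mask_value(kind, value, key):
    """Keyed, deterministic pseudonym: the same input always maps to the same output,
    so foreign keys and de-duplication behave in test as in production, but the
    original cannot be recovered without `key` (assumed to live only in production)."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if kind == "email":
        return f"user{tag[:10]}@example.invalid"
    if kind == "au_phone":
        return "04" + str(int(tag[:8], 16) % 10**8).zfill(8)   # synthetic AU mobile
    if kind == "au_tfn":
        return "TFN-MASKED-" + tag[:6]                         # clearly not a real TFN
    return tag[:12]


def build_test_copy(src, findings, key):
    """Copy the database and overwrite every flagged column with pseudonyms."""
    dst = sqlite3.connect(":memory:")
    src.backup(dst)
    for table, col, kind, _ in findings:
        for rowid, value in dst.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
            if value is not None:
                dst.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                            (mask_value(kind, str(value), key), rowid))
    dst.commit()
    return dst


def demo(key=b"assumed-production-only-secret"):
    """Load the constructed data, run discovery, and produce a masked test copy."""
    src = sqlite3.connect(":memory:")
    src.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, phone TEXT, tfn TEXT)")
    src.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    findings = discover_pii(src)
    return findings, build_test_copy(src, findings, key)


if __name__ == "__main__":
    found, test_db = demo()
    for table, col, kind, ratio in found:
        print(f"{table}.{col}: {kind} ({ratio:.0%} of sampled values)")
    for row in test_db.execute("SELECT * FROM customers"):
        print(row)
```

The check Mr Finlayson challenges CIOs to make is the last step reversed: run `discover_pii` against the test and development databases themselves, and treat any column that matches a classifier, and whose values are not the pseudonym formats produced by `mask_value`, as production data that should not be there.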
