Another article on the impending changes to the Privacy Act

February 4, 2014

The Age has again run a story on the impending changes to the Privacy Act with Privacy deadline nears: are you ready? 12 March 2014 is looming closer and closer and in my observation the level of preparedness is quite patchy. Given the scope and depth of what will now be required, particularly for those involved in providing credit (a broad term as defined in section 6G of the Privacy Act), this is a worry. If the Privacy Commissioner adopts an assertive approach to regulation there could be some reputational damage and financial outlays on the part of chastened organisations. The key will be the approach taken by the Privacy Commissioner.

The article provides:

Australian companies have just weeks to get their data collection, storage, management and disposal practices in order before several changes to the privacy regime come into effect.

On March 12, the Information Privacy Principles and National Privacy Principles, which apply to federal government agencies and businesses respectively, will be replaced by 13 Australian Privacy Principles (APPs).

The APPs require organisations to be more transparent about how they collect, use and store individuals’ personal data.

They cover the way information can be used for credit reporting and marketing purposes and put the onus on businesses to ensure overseas suppliers that have access to customer personal data don’t breach the APPs.

Organisations must take reasonable steps to implement practices, procedures and systems that comply and are able to deal with privacy queries and complaints as they arise.

Those that don’t, face the prospect of a big stick as the Office of the Australian Information Commissioner will have greater powers to investigate and the ability to impose penalties of up to $1.7 million for those found to be in breach.

The international director of IT security and risk association ISACA, Jo Stewart-Rattray, said organisations needed to have their houses in order. “Hoping for the best is never the best approach,” she said. “Companies need to understand where they currently sit in relation to the new privacy legislation in order to understand where the gaps lie and what needs to be undertaken to fill in those gaps … Business owners and IT will need to work together to ensure that personal information is appropriately protected.”

So what should be on businesses’ to-do lists?

1. Audit

Documenting what personal information is collected and how it’s used is a good first step, says Matthew McMillan, an IT and privacy specialist at law firm Henry Davis York. He suggests an information lifecycle audit to track data from its point of collection through to use, storage, de-identification and destruction.

“If you have a rich understanding of the lifecycle you can implement procedures to enable compliance at every stage,” McMillan says.

2. Spring clean

Got clients’ personal data stored just because? It’s a no-no, under the new rules, which state it should only be collected where reasonably necessary. Spring clean your databases and get rid of anything that fails this test, McMillan says.

3. Waste disposal

While you’re in tidy-up mode, it pays to ensure the organisation has a clear hardware decommissioning policy, Mason Hooper, security information and event management solutions practice manager at McAfee, says. Mobile devices, laptops, hardware and USB keys all need to be stripped of data as they’re retired from service.

4. How did you get my number?

Got databases full of prospective customers but no record of how you acquired their names and numbers? You’ll need to amend your systems to document how you came by these particulars, AVG Technologies security advisor Michael McKinnon warns. ‘You’re just in our database’ won’t cut the mustard – under the new laws, customers are entitled to ask and you need to be able to tell them.

5. Security alert

Sure your security provisions are up to scratch? The new APPs compel companies to protect against interference and this means making sure your firewalls and anti-virus software pass muster and systems are rigorously password protected, Hall and Wilcox law partner Alison Baker says.

“Make sure the doors are locked,” McKinnon adds. “It’s every business’s responsibility to make sure they’re doing all that’s reasonably possible.”

6. Overseas angst

Offshoring work to suppliers in developing countries? It’s a good time to run the slide rule over contracts, to ensure their data management practices are as rigorous as your own, McMillan says. Under the new regime, firms will be held accountable for any breaches their suppliers commit, if they can’t show they’ve taken reasonable steps to ensure they won’t occur.

7. Upfront action

New projects involving customer data in the pipeline? Don’t let privacy be an afterthought, McMillan says. Conducting a privacy impact assessment upfront will ensure personal information is handled appropriately from the get-go.

The above list is but the broadest and most general overview. The CR Code and Part IIIA of the Act set out very comprehensive obligations on credit providers. The APPs place serious obligations on an organisation to have a meaningful privacy policy and proper processes for collecting, using, disclosing and protecting personal information.
