The new Federal privacy legislation is likely to create as many headaches as opportunities for the IT channel, with resellers struggling to incorporate the myriad of issues associated with data security and liability into their solutions.
As the December 21 compliance deadline draws inexorably nearer, resellers find themselves facing a dilemma -- balancing potential profits with the legal ramifications of getting it wrong. It is a unique position because many channel companies are themselves grappling with compliance.
The crux of the new privacy regime centres around 10 National Privacy Principles, which will require organisations to review the way they treat personal information. This includes databases, marketing lists, survey files, correspondence relating to personal information, policy documents relating to privacy such as confidentiality of information, and the transfer of information. The principles decree that companies must take "reasonable steps to protect the personal information it holds from misuse or loss and from unauthorised access, modification or disclosure". Furthermore, organisations must also destroy or permanently de-identify personal information if it is no longer needed.
That second point has already proven a sticky one for computer resellers, particularly those operating in the second-hand market. A case in point is Queensland-based distributor and data and security specialist Swe-Tech, which recovered credit card details, IP addresses, financial records and salary and account details from the hard drives of computers bought at auction.
"It is a real concern," said Swe-Tech chairman Hans Axmarcher. "The key words here are ignorance and complacency. The second-hand computer market has been getting away with these practices for years, but with the changes it will soon dawn on them that it is a very risky business. They have done nothing to protect themselves and as such they could be held liable if data is recovered from the systems they sell."
Axmarcher estimates around one million used PCs will be resold in the next 12 months. Although the point is untested in court, resellers could be held responsible for unsecured data left on those machines.
"A lot of resellers understand that there is a problem with simply formatting the disks, but I am not convinced they fully understand the implications of the Privacy Act," said Swe-Tech manager Peter Lee. "Hitting the delete key or formatting the hard disk goes nowhere close."
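To make Lee's point concrete, here is an added illustration (not code from the article, from Swe-Tech or from any product it mentions): a toy disk image in Python in which a "quick format" clears only the directory block, exactly as deleting a file or formatting a partition clears only the filesystem's bookkeeping. A raw scan of the image then still finds the record, and only overwriting every block removes it. The image layout, the record and the 16-digit pattern are all constructed for the demo; the scan-before-resale check is the part a reseller could adapt.

```python
"""Simulated disk image: why delete/format leaves data behind, and a raw-scan
check to run before a drive leaves the building.  Added example, not from the
article.  Layout, record and pattern are constructed for the demonstration."""
import re

BLOCK = 512          # bytes per block (small, for the toy image)
NBLOCKS = 8          # total blocks in the toy image
DIR_BLOCK = 0        # block 0 holds the "directory" (file name -> location)

# Constructed pattern: a run of 16 digits, the shape of a card number.
CARD_RE = re.compile(rb"\b\d{16}\b")


def new_image() -> bytearray:
    """A blank disk: every block zeroed."""
    return bytearray(BLOCK * NBLOCKS)


def store_record(img: bytearray, name: str, data: bytes, start_block: int) -> None:
    """Write data into the data area and one directory entry into block 0.
    The directory entry is the only place the file's existence is recorded."""
    if start_block <= DIR_BLOCK or start_block * BLOCK + len(data) > len(img):
        raise ValueError("record does not fit in the data area")
    off = start_block * BLOCK
    img[off:off + len(data)] = data
    entry = f"{name}:{start_block}:{len(data)}\n".encode()
    dir_free = img.index(b"\x00", DIR_BLOCK * BLOCK)   # first free directory byte
    img[dir_free:dir_free + len(entry)] = entry


def list_files(img: bytearray) -> list[str]:
    """What a normal file listing shows: names read from the directory block."""
    raw = bytes(img[DIR_BLOCK * BLOCK:(DIR_BLOCK + 1) * BLOCK]).rstrip(b"\x00")
    return [line.split(":")[0] for line in raw.decode().splitlines() if line]


def quick_format(img: bytearray) -> None:
    """Delete / quick format: clears the metadata only; data blocks are untouched."""
    img[DIR_BLOCK * BLOCK:(DIR_BLOCK + 1) * BLOCK] = bytes(BLOCK)


def find_residue(img: bytearray, pattern: re.Pattern = CARD_RE) -> list[str]:
    """Scan every raw byte of the image, ignoring the directory entirely,
    which is what a recovery tool does.  Use this as the pre-resale check."""
    return [m.group().decode() for m in pattern.finditer(bytes(img))]


def sanitize(img: bytearray, fill: int = 0x00) -> None:
    """Overwrite every block, not just the directory.  A single fixed-byte pass
    is the simplest form; the point is that no block is skipped."""
    img[:] = bytes([fill]) * len(img)


def demo() -> dict:
    """Run the three stages and return (listing, raw-scan residue) for each."""
    img = new_image()
    # Constructed customer record; 4111111111111111 is a well-known test number.
    record = b"name=J. Example;card=4111111111111111;salary=55000"
    store_record(img, "customers.db", record, start_block=1)
    before = (list_files(img), find_residue(img))
    quick_format(img)
    after_format = (list_files(img), find_residue(img))   # listing empty, data present
    sanitize(img)
    after_wipe = (list_files(img), find_residue(img))     # nothing left to find
    return {"before": before, "after_format": after_format, "after_wipe": after_wipe}


if __name__ == "__main__":
    for stage, (files, residue) in demo().items():
        print(f"{stage:13s} listing={files} raw_scan={residue}")
```

The middle stage is the one the article is about: the listing is empty, so the machine looks clean to whoever formatted it, while the raw scan still returns the card number. On a real drive the overwrite step is done with the drive's own erase command or a purpose-built wiping tool rather than a one-pass loop, and the raw scan (for whatever patterns matter to the business: card numbers, account numbers, e-mail addresses) is the evidence that the step actually ran before the unit is resold.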
It is no wonder, therefore, that the channel has hung back from the opportunities the new legislation could bring to the IT market.
"It really is a can of worms," said Phillip Press, managing director of reseller and sub-distributor Unitafe in Sydney. "We see the opportunities from the point of view of supplying and installing products, but the legal problems could offset the advantages of advising customers and providing services. If something goes wrong, there are legal liabilities to consider and this will be an ongoing issue. We have to consider the implications and balance the risk of the liabilities compared to the profits."
Hamish Fraser, a lawyer with the firm Gilbert & Tobin, said there would be many transition issues associated with the legislation. To some degree, he said, cultural changes will need to occur within a business in relation to how it handles personal data.
"The following questions should be asked of all managers. Who collects the personal information? For what purpose is it collected? Is the customer told? Who has access to the files? How are the files maintained? Is the information ever transferred and how? How is it disposed of?"
These are big questions for the likes of e-tailers or call centres, for which personal information is a fundamental part of the business model. In IT, where e-mail is all-pervasive, managing this data takes on mammoth proportions. But companies such as Swe-Tech are looking to help resellers protect their own businesses, holding seminars on various strategies that resellers can also extend to their clients.
"Resellers can look at incorporating a licence into their hardware to provide a service to the end user," Axmarcher said. "Or they can incorporate the product in a lease. In a way, it is like insurance because you are also protecting yourself from liability which could run into hundreds of millions of dollars."
What it all means
* The changes to the Act introduce national privacy standards.
* These control the collection, use, and transfer overseas of personal information.
* Information must be kept accurate, up to date, complete and secure.
* Organisations must be open about the management of personal information.
* Organisations must provide access and correction rights to individuals.
* Organisations must allow for people to deal with them anonymously, where lawful.
* Businesses with an annual turnover of $3 million or less have an additional 12 months before they have to comply (unless they provide health services).
Privacy information Web sites