Significant and costly changes in the Privacy Act, scheduled for March 2014, are set to seriously impact the majority of companies handling personal information.
The changes, aimed at forcing businesses to be more transparent about how they handle personal information, will impact both private and public sector organisations with an annual turnover of more than $3 million, and will also affect Australian subsidiaries of global organisations.
Regardless of the type of industry, companies have to deal with the reforms that include a new set of principles, enhanced enforcement powers for the Privacy Commissioner and new credit reporting requirements.
The Australian Privacy Act has been in place since 1988, but there will be 13 new principles coming into place dealing with the open and transparent management of personal information, the use and disclosure of personal information for direct marketing and cross-border disclosure of personal information.
The Privacy Commissioner will be empowered to hand out penalties – reaching up to $1.7 million for an organisation and $370,000 for an individual – for breaching the new rules. The commissioner will also be able to demand a company’s privacy performance assessment.
“In the age of Big Data, social media, and Cloud computing, it is increasingly important that people think about the concept of privacy and what it means to them,” Privacy Commissioner, Timothy Pilgrim, said in a recent report.
Distribution Central managing director, Nick Verykios, said the reforms affect any business that is doing third party analytics, right down to the analytics software provider.
Kyocera Document Solutions A/NZ managing director, David Finn, warned the changes will have a massive impact on the telemarketing industry.
“A lot of industries, especially IT, depend a lot on telemarketing and they’re going to have all sorts of problems,” Finn said. “This privacy thing is very scary. A lot of people will get caught will their pants down.
“I can guarantee a lot of the smaller distributors, have no idea what’s coming. On the flipside, the chances of getting caught may be slim, but if you do, it’s going to be a big problem.”
Finn’s warning is underscored by statistics from security vendor, McAfee, which commissioned a survey recently involving 500 respondents on awareness of the Privacy Act changes. It found 59 per cent were unaware or unsure there had been any recent changes. However, of the companies that were aware of them, only 49 per cent conducted a Privacy Impact Assessment.
Data owners within organisations that were surveyed were more concerned over the damage to the company’s reputation and loss of customer trust, than a potential fine, McAfee Asia-Pacific practice head of data protection, Joel Camissar, said. “The reputation damage is significant, but at the same time the IT department within an organisation struggles to get board-level attention sometimes to get the necessary funds and build a business case for privacy.
“It will encourage organisations to take privacy more seriously.”
Are you ready for compliance?
Communications Alliance CEO, John Stanton, said considerable effort will be required of service providers to ensure they can comply with the new requirements.
“Many service providers will have to undertake compliance assessments across their businesses to ensure readiness for incoming APPs,” he said.
According to Stanton, the reforms introduce an accountability approach to an organisation’s cross-border disclosures of personal information, putting pressure on taking reasonable steps to ensure that the overseas recipient does not breach Australia’s Privacy Act reforms.
Changes related to compliance requirements, could tip some companies over, Kyocera’s Finn said. He pointed out small distributors as an example and the information retained within credit accounts such as banking details, date of birth and personal addresses.
“They all run on the skin of their teeth and on the smell of an oily rag, and if you’ve suddenly got to put privacy compliance officers in and all these other things, can you support that overhead and do you want to support it?,” Finn said. “Compliance can be one of the biggest accelerators for consolidation.”
Finn said it would have an overhead to manage compliance with the Privacy Act, which he estimated would cost his business about $120,000 to $180,000 per year.
“We’re a large company and it hurts because it’s something we didn’t have to worry about before,” he said. “Those figures don’t include rewriting all our systems. We have to write new programs, implement new systems and put in place a new regime for compliance.”
Communications integrator, Orange Business Services, managing director, Gordon Makryllos, said it was in the process of understanding how new its technologies will be impacted by the reforms. The integrator is part of the global France Telecom-Orange branch.
“We’ve conducted a privacy audit looking at how we’re managing information that will be impacted by this new act,” Makryllos said. “We’re undertaking training and are appointing someone to lead as a privacy officer, and there’s lots of work to be done and it shouldn’t be underestimated.
“We have to change the way we’re doing things, we do marketing and hold customer information, and a big part of our business is security.”
Makryllos said it was also in the process of conducting security audits with its customer base.
The channel needs to understand how the reforms affect customers and take up the role of a trusted advisor in helping rewrite security policies and add technology to help with compliance.
The changes will also force a bigger emphasis on where sensitive customer data actually resides, and it will be in the hands of the managed service provider that puts it there, not the datacentre operator, placing more importance on the role of datacentre security.
“Organisations need to review their third party Cloud providers to make sure there are clauses in those contracts to adhere to the Australian Privacy Act and how they manage their data, which is an important part of the new provisions,” McAfee’s Joel Camissar said.
The industry can also use privacy protection as a competitive differentiator. “Cloud service providers that want to engender customer trust will market the fact they look after customer privacy really well,” Camissar said. “It could encourage people to place their business there rather than with a competitor that doesn’t take privacy as seriously.”
He pointed out Commonwealth Bank’s Kaching payment app, which incorporates privacy as part of the development process. Cammisar also underscored how the bank strongly markets its obligation to protect money in an electronic vault as well as customer information in a digital vault.