The clock is ticking down rapidly to the arrival of the biggest changes to privacy laws in 25 years, and some channel businesses are scrambling to meet the March 12 deadline. Those that are not ready will not be given any grace by the Privacy Commissioner, Tim Pilgrim, who has made it quite clear he will carry a big stick and won’t hesitate to use it.
Fines of up to $1.7 million will be inflicted on those that fall foul of the newly minted Australian Privacy Principles (APP).
The APP is a single set of principles that will cover both the public and private sectors when amendments to the Privacy Act 1988 (Privacy Act) made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 come into force.
The Office of the Australian Information Commissioner (OAIC) recently released APP guidelines for the implementation of this change.
The introduction of the APP is one of the most significant changes under the new laws. Currently, Australian Government agencies are covered by the Information Privacy Principles, while the private sector is covered by the National Privacy Principles.
The APP guidelines will be a key resource for entities covered by the Privacy Act in assessing their compliance with the new laws.
“The APP guidelines are not intended to be a step-by-step guide to developing compliant processes. Most of the requirements contained in the APP are not new, and business and government should be ready to hit the ground running come March 12,” Pilgrim said.
The Missing Link security manager, Aaron Bailey, said he was seeing a last-minute scramble among his clients to understand the impact on their specific organisation.
“We have had many clients across the retail, insurance, recruitment and healthcare sectors requesting our Privacy Impact Assessment consulting service as a rapid method to determine their exposures to the revised privacy principles,” he said.
“What we are seeing now is the current impact of the new laws, and adoption and strategic investment will continue at a slow pace for now, through March, and beyond.”
Bailey predicted a “sizeable” breach in the coming year. “This will accelerate consideration and investment at a pace which may be difficult for the channel to keep up with,” he said. “It’s important for a client to choose a partner who has experience in both the pragmatic assessments and the remediation strategies that follow.”
He said businesses most vulnerable remained those with the highest value personal information and the weakest set of controls securing that information. “Some tension will arise once a large breach comes into effect post-March,” he said. “Many vendors, resellers and consultancies will be claiming to have solutions and only some will be truly effective. Those that have formed strategic alliances in advance and invested early in capabilities will be the best suited in the channel to provide client guidance and support.”
Nexus IT principal, Sean Murphy, said the new laws would impact most on the higher end of business, except for verticals specifically dealing with marketing information and health patient data. “Most of the requirements are around policy and business policy on data, not IT requirements per se – the actual channel impact is therefore not high,” he said.
Every business ought to review the changes to identify what impact they have on data collection, records management and, most importantly, marketing practices, according to Murphy. “Outsourced marketing, and third party suppliers who have [or have in the past had] access to customer data, particularly ought to be reviewed,” he said.
“The new laws are not especially restrictive, nor are the compliance requirements very onerous. Some more aggressive marketing practices will need reform, for both consumers and suppliers of these services. It is all very well having a policy, which IT can help develop, but the key is the practice of the staff teams in the trenches, which is a business challenge.”
Kiandra IT director – technology and infrastructure, Chris Munro, said it was still unclear just how prescriptive these changes would be and how they would be enforced.
“But regardless, the scary reality is that all businesses are vulnerable to breaches,” he said. “One of the major hurdles to IT security has always been funding. If companies start to plan and allocate budget for testing, and combine this with consistent review and improvements on the IT security side of the network, this will reduce the risk of breaching the Privacy Act and greatly improve their security stance.”
The channel will by and large be operating under the same privacy principles that were already there (with a few more onerous requirements). The main difference is that now the channel, like all other businesses, will be liable and face penalties should a breach of the Privacy Act occur, Munro said.
“Security providers, in particular, need to lead by example,” he said. “Aside from penalties associated with non-compliance, security providers are also faced with substantial loss of reputation and brand recognition should they fail to meet the amended requirements.
“Security providers will need to take an extremely proactive approach in order to act as a trusted advisor for clients, navigating them through the changes.”
According to Munro, the channel will benefit through increased opportunity to consult on how technology can support compliance with the Privacy Act. He also expects increased demand for specialist security services.
“As a channel we should be pushing our clients to adopt security best practices and a multi-layered security strategy,” he said.
“We can also assist clients in undertaking their due diligence when engaging with technology third parties, such as Cloud providers.”
Munro’s advice to organisations was to get to know what personal information they have, why they have it, what they do with it and how secure it is.
“The first step would involve undertaking a privacy audit to uncover what personal information is collected, how it is stored, used and disposed of,” he said.
Organisations should put privacy policies and collection statements in place that disclose what the data will be used for and how it will be destroyed at the time of collection. They also need to set up policies for maintenance and disposal of data.
Pilgrim has made it clear that he will not shy away from using his new powers and, come March 12, companies should not expect a ‘softly, softly’ approach to enforcement. This, he said, is because the rules have been in the public domain for some time and organisations have effectively had 15 months to prepare.
You have been warned.
10 steps to take to be APP-ready
- Identify the classes of personal information collected and held. Examples include: contact details, employment history, educational qualifications, racial or ethnic origin, tax file numbers, health information.
- Identify how such information is collected, held, used and disclosed, and the purposes for which it is collected and used.
- Identify the scope of any cross-border disclosures including where possible, the countries where recipients are likely to be located.
- Review and update procedures and policies for managing the privacy risks at each stage of the lifecycle of this information, including at the time of collection, use, disclosure, storage and destruction.
- Implement security systems for protecting the information from misuse, interference, loss and unauthorised disclosure, such as IT systems, internal access controls and audit trails.
- Implement procedures for identifying and reporting privacy breaches and for receiving and addressing complaints.
- Implement access and correction procedures.
- Introduce procedures to give individuals the option of not identifying themselves or of using a pseudonym.
- Establish a process to conduct a privacy impact assessment for any new projects where personal information will be handled.
- Establish governance mechanisms to ensure ongoing compliance with the APPs such as appointing designated privacy officers and regular reporting to management.