Business underprepared for privacy reform rollout

Privacy1

When the Australian Privacy Principles come into force on 12 March 2014, business will have had 15 months to prepare. Yet many industry commentators are warning of a spate of tough new penalties awaiting unprepared businesses.

Australian companies that fail to strengthen their data collection, storage and management processes before the privacy reforms take effect next month, stand to cop up to $1.7 million in fines from the regulator. What’s more, penalties of $370,000 may be applied to individuals deemed responsible for breaches.

Aaron Greenman, Director, IT Security & Privacy at global risk consulting firm, Protiviti said the new rules beef up the enforcement powers of the Office of the Australian Information Commissioner, which will also be able to impose enforceable undertakings against non-compliant organisations.

The Australian Privacy Principles (APPs) will replace the existing Information Privacy Principles and National Privacy Principles. The 13 Australian Privacy Principles (APPs) significantly raise the bar on how businesses and federal government agencies collect, store and handle individuals’ personal information.

“For the first time under Australian information privacy law, organisations have an express obligation to take positive steps to adopt practices and systems to protect personal data in accordance with the APPs,” said Aaron Greenman, Director, IT Security & Privacy at Protiviti.

“Organisations will be saddled with a raft of new responsibilities including ensuring they have processes to deal with privacy complaints, making sure they are accountable for personal information disclosed to overseas parties, establishing security measures to prevent information breaches, and many more,” he added.

According to Alison Baker, Partner at Hall & Wilcox Lawyers, businesses that fail to prepare for the 12 March ‘go live’ date are at risk of prosecution and a severe penalty regime.

Indeed, the Privacy Commissioner has made it clear that he will not shy away from using his new powers and companies should not expect a ‘softly, softly’ approach to enforcement.  This is because the rules have been in the public domain for some time and organisations have effectively had 15 months to prepare.

Yet many companies aren’t prepared for the changes, Baker said.

“Failure to comply with the new Privacy Act puts business at serious reputational, legal and financial risk. It’s a big change from the previous regime, which was much softer on privacy breaches,” Baker added.

McAfee’s Chief Privacy Officer Michelle Dennedy, developed a practical guide to the new laws. Co-author of The Privacy Engineer’s Manifesto, the guide is a strategic toolbox for the development of appropriate policies, procedures and technologies for products, systems, processes and applications that involve personal information right across the business.

“It’s now or never – businesses need to get real about privacy. We know consumers are becoming more aware of their digital footprint and the value of their privacy, but businesses are struggling to navigate this complex issue,” Dennedy said.

“Privacy protection is about much more than complying with tightening regulations, because data is not just data, it’s information on human beings. The goal of better privacy protection shouldn’t be businesses avoiding fines or CEOs avoiding jail, it’s about doing what’s right for the customers. Fines are bad, but treating people with disrespect is worse,” Dennedy added.

Protiviti provided the following steps to become APP-ready

1. Identify the classes of personal information collected and held. Examples include: contact details, employment history, educational qualifications, racial or ethnic origin, Tax File Numbers, health information.

2. Identify how such information is collected, held, used and disclosed, and the purposes for which it is collected and used.

3. Identify the scope of any cross-border disclosures including where possible, the countries where recipients are likely to be located.

4. Review and update procedures and policies for managing the privacy risks at each stage of the lifecycle of this information, including at the time of collection, use, disclosure, storage and destruction.

5. Implement security systems for protecting the information from misuse, interference, loss and unauthorised disclosure, such as IT systems, internal access controls and audit trails.

6. Implement procedures for identifying and reporting privacy breaches and for receiving and addressing complaints.

7. Implement access and correction procedures.

8. Introduce procedures to give individuals the option of not identifying themselves or of using a pseudonym.

9. Establish a process to conduct a privacy impact assessment for any new projects where personal information will be handled.

10. Establish governance mechanisms to ensure ongoing compliance with the APPs such as appointing designated privacy officers and regular reporting to the board and management.