31 Mar 2014

Australia Has New Privacy Laws; Are You Compliant?

According to a recent report in the Australian Financial Review (AFR), it’s unlikely that you have properly prepared for the new privacy laws, which are in effect now (http://www.afr.com/p/national/many_firms_not_ready_for_privacy_y3mEQytyUnM26ZR31dUAkI). This is despite fines of up to $1.7 million for being found in breach of these regulations going forward.

The new laws mandate that organisations provide detailed disclosure on how they collect, store, use, disclose, provide access to and correct personal data. The provisions cover both direct marketing and the use of offshore cloud computing providers or other contractors to store and process personal data.

The AFR story suggests that one of the reasons organisations are not prepared for these requirements is a sense of complacency. There seem to be many organisations that are underestimating the scale of the task of making provisions for the new privacy laws, and indeed there are many senior decision makers who are unaware of what they need to do to their systems to prepare them for the new laws.

The Australian Government has released a guide to information security that outlines what is expected of Australian businesses going forward: (http://www.oaic.gov.au/images/documents/privacy/privacy-guides/Guide-to-information-security-summary.pdf).

These requirements are extensive, and while the privacy commissioner may at times have been lax in enforcing these regulations, the new laws suggest that the watchdog will no longer take breaches casually.

Organisations should work with reliable partners to become compliant with these new privacy laws as quickly as possible. It starts with an audit (http://www.brennanit.com.au/security-consulting). If you haven’t already, you need to run a full audit of your organisation to ensure you fully understand what personal information your organisation is collecting and storing, and what you do with it. Gaps may exist in both your processes and your IT systems, so it is important to address both in parallel.

You’re going to need to be able to provide this information quickly when requested, so make sure that you’re storing it in a logical and secure fashion. It’s also important to go through a process of cleaning your data, since these laws apply to old data as well.

The main goal of the new privacy laws is to ensure that businesses are being responsible with their use of customers’ data, so you should also use the new laws as an opportunity to rewrite your company’s privacy policy, to ensure that it adequately reflects your organisation’s collection and use of customers’ data.

For instance, Telstra’s recent data loss involved information that it was no longer using and, by its own privacy policy, should no longer have been holding. That’s the kind of data loss risk these new laws are trying to mitigate, and if even Telstra can get this wrong, there’s a clear need for every other business to check and ensure that it is compliant before it becomes a problem.