Brennan IT recently hosted an event on the topic of data protection and privacy in light of the changes to Australian Privacy Act in March 2014 applying to all businesses earning more than $3 million per year. The attendees were provided with an overview of changes to the Privacy Act along with practical steps business is expected to undertake by the regulator starting with a professional Privacy Impact Assessment of data security and processes. Attendees were then invited to ask questions regarding the changes to the Australian Privacy Act and what those mean for their specific businesses.

With many organisations still either unfamiliar or unprepared for the new laws, the answers to these questions are key in setting organisations on the right path towards privacy law compliance, and avoiding the potentially stiff breach penalties and reputation damage.

What is the overlap between PCI and the Privacy Act?

PCI is mainly about card numbers & PIN – those who use them, store them and access them. Privacy on the other hand is more widespread; it covers anyone who stores personal data of any kind.

In terms of compliance, PCI has specific data procedures that you need to follow. Privacy on the other hand does not dictate specific procedures only that you need to take ‘reasonable steps’ to comply.

If you have made the ‘reasonable steps’ to protect your data, what happens when you have a breach?

Answer: In one case, Telstra mailed out hundreds of statements to the wrong client names and addresses. Essentially, many people ended up with the account details of others and vice versa. Telstra as investigated, and it was shown that they had reasonable steps in place, but that human error was to blame in this instance. It is very likely that they would not have been fined or held accountable under the new Privacy Act revisions.

When you tick a box that says ‘I allow you to pass on my information to third parties’ what happens?

If you provide consent, your details are able to be passed on to third parties. As an individual, you really need to consider who needs what information about you to minimise the risk of your data being misused.

We mainly deal with company data through a CRM system. Do we have to worry?


The truth is that even if you are processing just one piece of customer data a year, and you are over $3 million in revenue, you have to make the reasonable steps to meet the Privacy Act requirements.

We profile our clients at times, usually based on opinions. Does that data need to be protected?

You need to be clear in your privacy policy what data you are collecting and what the data is for. If you acquire a marketing list for example, the contract that you sign to purchase that list determines who is responsible for the data.

For this specific case, we would strongly recommend doing a privacy impact assessment.

If you have a customer loyalty program that’s managed abroad, who is responsible for the safety of the data?

The act covers any businesses collecting data in Australia and places sole responsibility on the business that owns the customer relationship – so even if the data moves overseas, the data collected is still your responsibility. Any global platform needs to adhere to every individual privacy laws in each country.

In the assessments you have done so far, what are some common gaps?

The key one is third party management. If any third parties manage or access your data (which they probably do), you need to be aware of their privacy policy and their security processes. You need to take due diligence when you select a service provider, and that doesn’t always happen. It’s also important to manage the amount of data that third parties have access to – they may not need everything, just a small section.

Secondly, businesses commonly don’t have a Privacy Policy that address information collection, storage and use– which is a must.

What is the Brennan IT policy on security?

We provide security at an infrastructure and network level, but we have no control of data at a client level. We give our clients a secure platform for to host and operate applications, but ultimately the applications are our client’s responsibility to keep secure.