Start preparing for Privacy Bill changes

Australian organisations should act now and start preparing for next year’s changes to privacy law, lest they breach the new rules and cop a huge fine.

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012, passed in parliament on November 2012, comes into effect in March 2014 and amends the Privacy Act 1988. It was formed in response to an Australian Law Reform Commission inquiry into the Privacy Act.

Background

The bill includes a raft of changes, but most notably it supposedly makes it easier for organisations to comply with privacy laws, while giving the privacy commissioner greater powers to punish organisations that don’t.

It also includes changes to credit reporting, including an increase to the amount of information some organisations can collect on a person’s credit worthiness.

The bill replaces the existing separate privacy principles for the public and private sectors with a single set of principles - the Australian Privacy Principles (APPs). The government expects this streamlining to make it easier for organisations to comply with privacy laws.

It also gives the privacy commissioner a range of powers, including the ability to seek civil penalties against companies that breach the Privacy Act, backed up by fines that could exceed $1 million; and the ability to register binding codes on specified agencies and organisations.

The information commissioner will have greater powers to resolve complaints, conduct investigations and promote compliance with privacy obligations.

Recommendations

According to new Act, Australian organisations may be held responsible under some circumstances for the privacy of any information they pass on to offshore third parties. So if your company sends personal information on one of your customers to an offshore partner and that partner loses or leaks that information, your company may be held liable, and cop a huge fine.

In a new report, ‘Government and Private-Sector Organizations Must Take Australian Privacy Changes Seriously’, Gartner analyst Rob McMillan recommends keeping a close eye on what personal information you store. Protect those stores that are necessary for your business and delete those that aren’t. This can help “minimise the footprint of any information falling under the act, to reduce costs associated with controls and the risks associated with uncontrolled information”.

McMillan also says to “immediately conduct a review of privacy practices within the organisation, partner organisations with which personal information may be shared”. If you’re not confident that a third party will secure any shared information in compliance with the act, “do not send that partner that information”. Alternatively, consider employing techniques such as encryption, data loss prevention, data masking or tokenisation.

The commissioner’s new powers to conduct investigations into an organisation’s privacy practices are also a concern. Such an investigation could be lengthy and quite costly.

Gartner suggests organisations prepare for such an investigation by keeping track of their privacy practices.

“Reviews or investigations can run far more smoothly if a catalogue of relevant information is maintained and that information can be located quickly,” McMillan said in the report.

“An internally run program for regularly (for example, annually) reviewing compliance and addressing any shortcomings can be used for providing evidence attesting to practices and safeguards that comply with both the letter and the spirit of the law, thus reducing the likelihood of unexpected, prolonged and unpleasant interactions with the regulator.”

Such a program would consume time and money, so be sure to plan the extra expense into budgets.

You should also regularly review how your business partners approach privacy - as mentioned above, you may be held responsible for what they do with information you send their way.

Image credit ©iStockphoto.com/DNY59