On March 12 the Australian Government enacted a new set of laws that significantly enhance the privacy of Australian citizens, although it is likely that many won’t even notice.
But for any commercial organisation with revenue over $3 million, or healthcare providers of any size, the new Australian Privacy Principles (APPs) have a significant impact on the way they collect, store and utilise personal data.
For CIOs, that may have meant a lot of extra work in the lead up to March 12, and significantly, a lot of extra worries afterwards.
The new APPs replace the existing National Privacy Principles and are a response to a review by the Australian Law Reform Commission into the previous two-decade-old regime.
Australian Privacy Commissioner, Timothy Pilgrim, says one of the main issues was to reform the principles and make sure they were keeping up with rapid changes in technology, and to make them more flexible.
“The Australian Privacy Principles have been designed in such a way as to reflect the changes that have occurred over the last 25 years in terms of how personal information is being handled,” he says.
“But importantly, they have been written as principles, so they can remain technology neutral, and can apply to new technology as they come into place, as well as deal with older-style means of collecting information.”
The APPs include new obligations in relation to activities such as the collection of personal data, including receipt of unsolicited personal information, as well as new requirements for informing individuals as to how data is being used. Importantly, APP 8 sets out specific requirements for what must happen when personal information is moved out of Australia.
Security is also a key consideration, with APP 11 setting out new requirements for the protection of personal information from misuse, loss, interference, unauthorised access and disclosure.
The Privacy Commissioner also gains the ability to approve privacy codes in relation to new technologies and their use for individual organisations or groups, and can develop his own codes to be imposed on technologies and the organisations that use them.
But while CIOs play an integral role as the custodians of customer data, it seems some have been bypassed in preparing for the APPs, or called on as a resource rather than as a strategic planner.
Information security specialist, David Simpson, says while awareness of the APPs in technologically mature industries such as banking and finance is high, the same cannot be said across all sectors. This is especially troubling in relation to APP 11, which he says should be a key priority for the involvement of CIOs.
“There is a big focus on that area, and the CIOs have been left out of the loop,” Simpson claims. “In the business units that made some of these choices on how information is stored, retained, archived, and deleted, I’m not sure many have the skills or knowledge at hand to make good choices.
“IT traditionally has all of the experience that could add value back into that decision making process. But more often than not they can be quite isolated from some of those front-line decisions. They feel they have been almost left outside of this privacy process in quite a number of the organisations we deal with.”
Penalties for breaching the new APPs are significant, with Pilgrim holding the power to levy fines of up to $1.7 million for serious and repeated breaches. And there is no amnesty for organisations that haven’t caught up yet.
Just a month before the laws were enacted, Simpson claimed many IT teams were still facing a significant compliance task to be executed. “It is going to take people months, and a big chunk of it has got to involve IT,” he said.