Privacy has often been cast as the victim of the information age. New legislation that comes into force in December aims to change that.
The NPPs are 10 principles or rules in the Privacy Amendment (Private Sector) Act 2000 about how organisations should handle personal information. They cover collection (NPP1), use and disclosure (NPP2), data quality (NPP3), data security (NPP4), openness (NPP5), access and correction (NPP6), identifiers (NPP7), anonymity (NPP8), transborder flow of data (NPP9) and sensitive information (NPP10).
By mid 2001, around one in 30 Australian companies was ready to cope with the demands of the government's new privacy regime, which comes into force for most businesses from December 21, 2001. For the other 29 companies, with the clock ticking away, much work needs to be done. CIOs ought to be used to the sounds of the ticking. In 1999, it emanated from the Y2K threat; in 2000 it was the GST.
Ulysses Chioatto, national director of intellectual property and privacy for Deloitte Touche Tohmatsu, provided these estimates of the national preparedness for privacy. However, he cautions companies against thinking that privacy is just another Y2K or GST. This time, he says, only around one-fifth of the problem is software- and hardware-related; companies need to pay much more attention to policy, management and structure.
"I know that there have been some links drawn between this and Y2K or the GST; but it is more appropriate to compare it with the unfair dismissal legislation of the 1990s," he says. That legislation fundamentally altered the way companies interacted with their employees, Chioatto says, and the application of the Privacy Amendment (Private Sector) Act will just as fundamentally affect the way a company interacts with its employees, and also with its customers and business partners.
At the heart of the legislation are 10 National Privacy Principles (NPP) - use and disclosure, data quality, security, access and correction, use of identifiers, openness, transborder flows, anonymity and sensitive information - with which corporate Australia will have to comply. Businesses may choose to comply with the principles as they are set down, may choose to adhere to a code generated for their particular industry sector, or develop their own internal policy. Any self-generated code or policy would need to offer privacy protection at least as robust as that offered by the NPPs and would need to be ratified by the Federal Privacy Commissioner. Further, any code must specify the organisations bound by it, how an organisation may cease to be bound by the code and when that could take place. It should also establish a complaints procedure and nominate an independent adjudicator.
Australian businesses should remember that the EU's information privacy directive states that the transfer of data to non-EU countries is only to be allowed where that country demonstrates an "adequate" level of protection. Australia's privacy regime as it stands is not deemed adequate, as the EU noted in March this year when a privacy working committee expressed reservations about the Australian legislation (see "A Lack of Privacy", page 40). At present, the EU and Australia are continuing discussions; nevertheless, any business not prepared to wait for a diplomatic settlement may wish to follow a privacy code of conduct which would allay European fears for its citizens' rights and permit international data transfer to continue.
Duncan Giles, Andersen Legal partner, notes that "the opinion from the EU is that the Act won't be adequate by itself although (individual) codes could fix the problem". Any codes seeking to circumnavigate the EU's current objections would need to address the nine areas of concern that the EU working party has raised regarding the Australian legislation. There may be other sound reasons to develop a privacy code more robust than that demanded by the legislation, Giles says, and warns that other countries may also restrict data flow to nations where privacy regimes are not considered sufficiently robust.
Like many law firms and professional services firms, Andersen Legal has been growing its privacy practice to help steer existing and prospective clients through the privacy maze. The firm has created an online privacy training and monitoring solution, marketed as Privacy:Prompt, which guides corporations through the 10 NPPs that govern Australian privacy law.
Australia's oversight needs to be addressed by December 21 if companies are to comply with NPP5 (openness). This demands that private sector companies clearly express their policies regarding storage and use of personal information; this applies to personal information sourced via the Web, through telephone calls or in written documents.
New tools are becoming available to help companies meet these requirements. One is the automated monitoring, analysis and reporting tool developed by PricewaterhouseCoopers in conjunction with Watchfire, which alerts companies to potential privacy compliance issues across Internet, intranet and extranet Web sites.
Guaranteeing privacy on the Internet is especially difficult because of the free flow of information between individuals and organisations. Within the terms and conditions of the Act, however, this difficulty does not lessen the obligation of organisations to allow people access to their personal records (NPP6), correct any inaccuracies (NPP3), and expect secure storage of this information.
Bernard Hill, a barrister and privacy specialist with risk management firm 90East Asia Pacific, believes that one of the biggest challenges that will face business is this requirement to provide access. On the other hand, there will be a reward for corporations, he believes, in that a trust will develop between companies and their customers, who will have "visitation rights" to their personal data.
Malcolm Crompton, Federal Privacy Commissioner, sees the privacy regime as an opportunity for smart operators to achieve best practice and foster closer relationships with their customers. Crompton is the regulator of the regime and believes that the legislation creates a light touch rather than being overly prescriptive and is technology-neutral. Nevertheless, he warns that this technological neutrality and lack of prescription should not be taken to mean that the regime is without teeth.
Although the legislation is peppered with phrases such as "if reasonable" and "if practicable", the advance of technology means what was not reasonable or practicable yesterday will prove eminently practicable and reasonable tomorrow. The commissioner makes it clear that it will not be easy for corporations to hide behind their legacy data systems and say that it is not reasonable or practicable to allow access to the personal information contained within.
"With tools like the Axiom product being available, which will let you conduct data mining in bank silos, it makes information access a hell of a lot easier than it used to be. I'll take a lot more persuading now than I did 12 months ago that access is not practicable," Crompton says.
Similarly, developments in security technology mean that business will be obliged to ensure that personal information is stored in the most secure manner possible. Just as Axiom might permit access where access was once not practicable, Tivoli might develop secure access software affording that personal information greater security, he says. Corporations will have to move with the times or risk the anger of the commissioner.
Crompton argues, though, that the need to create and implement privacy policies should not paralyse business or be seen as an unnecessary impost, but be seen as a way of delivering good practice. He offers the example of the draft code development guidelines, which sought public comment until mid June. The final code development guidelines are due out at the end of July. Crompton has sought as much community comment as possible, believing that "for a code to be controversial, it means that it is almost by definition a mistake".
What he aspires to is the development of privacy codes that are mutually beneficial to the corporation and the consumer, claiming that there is a competitive advantage to be won by those companies that develop greater trust with their clients.
Having waved the velvet glove, he then applies the iron fist, warning that "if business treats the privacy law as purely a compliance issue then they will not get it right. This law is up for review in two years. Business faces the regulatory risk of this law tightening if they treat it as a compliance issue.
"This law will not be diluted," Crompton says.
All Bark and No Bite?
Sceptics may ask how much clout the commissioner really has. While corporations might not enjoy the publicity associated with being nominated as a poor performer in the privacy stakes, it will not entirely hobble their business. The commissioner can force recalcitrants to the courts - initially to the Federal Magistrates Court. Past experience suggests this won't be necessary often.
Crompton currently has oversight of the privacy regime as it applies to the public sector and says that in a year he could receive 10,000 initial contacts and 1000 complaints. Of these, 100 might require some work to resolve and fewer than 10 would need financial compensation.
"I try to run alternative dispute resolution," he says. In truth, Crompton's stick is relatively small, which is why he is spending so much effort on the carrot: that good privacy means good business.
Andersen's Giles offers him some support in this. He cites Forrester Research, which reveals that while $US45 billion of business-to-consumer trade is taking place around the world, $US12 billion worth of potential revenue is a non-event because of people's concerns with privacy or the security of the information associated with online commerce.
THE PRIVACY PRICE TAG
However attractive the lure, good privacy does not come cheaply.
Deloitte Touche Tohmatsu estimates that compliance with the privacy regime will add an overhead of around 1 per cent to the annual operating costs of financial institutions. Crompton is less specific about the costs although he confirms that organisations of any scale developing their own codes might expect it to cost "tens of thousands of dollars".
Mary Ann Maxwell, CIO of Westpac, says that getting Westpac's house in order with respect to privacy is not inexpensive, although it is cheaper than, say, preparing for the rollout of the GST. "This is one of the costs of being a public organisation in a world where people are much more aware of the amount of data about them that is out there," Maxwell says.
However, where the GST demanded a fundamental change to many of the bank's information systems, the Privacy Act involves more systems tweaking, continued vigilance about data security, and overhauling agreements with suppliers (including outsourcers) to ensure privacy is not compromised. The main expense comes in ensuring Westpac employees and customers realise their obligations and rights with regard to private information, Maxwell says.
At this stage, the bank does not have a chief privacy officer, although Maxwell does not rule one out for the future. All the bank's management is charged with communicating the privacy message, the campaign being led by Susan Brooks, the bank's chief compliance officer and a former banking ombudsman. Maxwell, however, notes that privacy is far more than a pure compliance issue.
Brooks says that the banking sector has had privacy as a touchstone for the last decade both through common law and the banker-customer relationship. "What is new for us are two things. First, we are required to give the customer the right to opt out of receiving marketing material, so that has to be flagged.
"Second, we have to disclose all the authorised third parties with which we share information." That, she notes, can be quite extensive given the range of different business units within the Westpac group, plus brokers and outsourcers with which the bank shares data during the course of business. "They are the two big changes," Brooks says, and adds that the bank will be ready in good time for the December 21 deadline.
"As the CIO, I also need to bring IT to that - to have systems and policies that are privacy-compliant," Maxwell says. "You have to have systems that know when and how to get consent, which can mean a change in systems. Then in the internal systems you need the right mechanism to flag [personal] data. You need adequate protection. With your outsourcers - such as IBM GSA - we have to have the right agreements with them and spend time with them. We need the right security and encryption."
With less than six months to go, Maxwell is confident that the bank will be ready by December 21. "We are well under way with the changes," she notes.
Having moved to Australia last year from the US, she feels far more comfortable with the Australian privacy regime than that in the US, which has received far less legislative focus. "I think I would prefer to do business in Australia because [the government is] far more direct about what we can and can't do.
"In the US, it's left quite open." This, she says, can be awkward for companies that have international dealings with nations far more prescriptive about data privacy and protection.
To view the NPPs visit www.privacy.gov/royalnpp.pdf.
A Lack of Privacy.
Since 1995, the European Union has embraced a directive regarding the processing of personal data and its transfer. By autumn this year, 11 of the 15 member states had the directive on their statute books, with just France, Germany, Luxembourg and Ireland to go.
According to Aneurin Hughes, head of the European Commission delegation in Canberra, the directive has been found compliant with the GATT in spite of its ability to block the transfer of data traffic to other countries where the data protection is considered inadequate. Blocking traffic, however, is seen as "a measure of last resort", Hughes says. Nevertheless, it is possible and could have ramifications for Australian businesses which transfer data internationally.
An EU working party with responsibility for data protection has found Australia's current privacy regime lacking, although Hughes says that "we recognise that an adequate level of protection could come from regulatory self-policing underpinned by legislation".
In the EU's opinion given the current law, "data transfer to Australia would be allowed only if appropriate safeguards were introduced to address our concerns. This could be achieved on a case-by-case basis or by a change to the law." Practically, this means that companies will have to adhere to codes that embrace the NPPs and also address the eight areas of concern outlined by the EU working party. This also will apply to small businesses.
For the most part, businesses with annual turnover of less than $3 million will not have to comply with the Australian privacy legislation unless they handle sensitive information (for example, health records). Hughes, however, sees this as an artificial situation and suspects that small business will have to comply if it wants to transfer personal information internationally.
He also expressed concern that the current Australian regime might allow the use of personal information for direct marketing purposes without, in some cases, providing an individual the opportunity to opt out. Hughes says this was "not acceptable under any conditions".
At present, Australia and the EU are continuing discussions about privacy, and Hughes says that, "in the interim, the situation will not change and data can go through as long as companies use approved industry codes. But we feel that the long-term solution could be voluntary codes of conduct or a change in the law.
"If Australia wishes to minimise the cost to industry and project a positive image of Australian privacy in action, then this change should come sooner rather than later."
Devil in the Detail.
Market researchers face a curious privacy situation. For about 24 hours they hold vast quantities of personal information associated with their profession, detailing the people they have interviewed and their responses to a series of questions. Then the personal is stripped away, leaving the market researcher with the raw data, the tools of the trade.
According to Janice Besch, executive director of the Market Research Society of Australia, this segregation of the personal from the general is important in order to "get to the truth in an objective sense". It is also why the organisation did not initially come up with its own privacy code for the sector. It simply did not see the need for one for its 1700 members Australia-wide.
Now, however, the society thinks it will need a privacy code to ensure its members stay within the letter and spirit of the law. Initially, it has turned to the Market Research Society in the UK. Of course, the benefit here is that the UK society is bound by the EU directive, which should ensure that the Australian code at least aims for the privacy high watermark.
The society is now preparing fact sheets about privacy on behalf of its members and scheduling a conference for September. It plans to run seminars in every mainland state and the ACT in October and November. That will leave members with between four and eight weeks to put the theory into practice, which Besch admits is "tight", and she still cannot estimate the likely cost of compliance.
However, she stresses that "it is in our interest to keep the information private. There is a feeling among some of the clients that they think market researchers are being overly precious" in keeping identifying information confidential. "It is not unusual to be asked for more information to add to their [clients'] databases."
In the future, the privacy regime would outlaw any such actions. Market research practitioners need to get a firm grasp on how they will need to refine their business processes in order to ensure they comply with the law.
Despite the difficulties, Besch does see this as a "great opportunity to explain our business better and say why we are different from direct marketing, which might make people more willing to participate in market research".