Privacy laws to address the human side of IT
- 13 August, 2008 12:55
The Australian Law Reform Commission this week concluded its largest ever research and public consultation exercise with the launch of its report For Your Information: Australian Privacy Law and Practice, which recommends a re-write of the nation's 20-year-old privacy laws to keep pace with the information age.
The three-volume, 2700 page report was launched Monday by Senator John Faulkner and Attorney-General Robert McClelland, recommending 295 changes to privacy laws and practices that will be implemented in two stages over the next three years.
ALRC president, Professor David Weisbrot, told Computerworld that Australia's current Privacy Act, legislated in 1988, was created in a completely different environment before technologies like the Internet, e-commerce and social networking greatly augmented the challenge of safeguarding the flow of personal information.
"The commissioners who were in charge of the report at that time wouldn't have had a mobile phone or a PC on their desk, no digital cameras, no e-tags, e-mail, no e-anything. There were no high speed computers for individuals or private industry with which they could do data matching and data mining, and no high-tech surveillance cameras," he said.
Since then, the information we gather has stayed much the same, but technology has made it far easier to access, control and manipulate that information. Electronic medical records and health information, online banking, finance and credit history, personal information on public and corporate databases, and social networking sites are just a few examples of technologies revolutionising the relationship between public databases, individual privacy and third-party users.
Weisbrot said the most significant recommendation for reform is a complete restructuring and simplification of the statutory framework of the Privacy Act, so that it is focused around 11 uniform principles as opposed to separate principles for government and private sectors, which left many individuals and businesses wading through massive amounts of complex material to find what laws apply to them.
"We're saying let's flip it around - let's make it general with higher-order principles that will cover most situations most of the time. Then if you're dealing with some specialised area like health information or credit reporting, you supplement that area with rules that are dedicated specifically to regulate that area," he said.
The first stage of reforms, set to be implemented within a year's time, will address this process of simplifying and streamlining the Privacy Act, while the second stage, which will include a statutory cause of action for data and privacy breaches, will be looked at in 12-18 months' time.
"First and foremost there is not going to be any real immediate impact in terms of changes of investment in either IT infrastructure or security infrastructure," said Gartner security analyst Andrew Walls.
"Part one is going to take a good 12 months to get all the actual regulations set out, then there will have to be some sort of compliance period so we're several years out from things really hitting the ground and organisations having to show compliance.
"But at the same time businesses should be looking carefully at the recommendations and the potential impact they will have on their business processes, their business models, and the infrastructure that supports all of those activities," he said.
One area of IT that will feel the impact will be the Human Resources department, where employee data will no longer be exempted under the ALRC's recommendations.
"That may affect internal practices and how security controls are applied. I suspect many organisations will have to look very carefully at how they manage employee data and ask themselves - if we have to treat that as private data, what are the implications?" Walls said.
According to security vendor Marshal's lead technical consultant, Oscar Marquez, internal traffic is a leading cause of data leakage, and organisations need solutions that monitor the flow of sensitive information like documentation, e-mails, and mobile-to-e-mail data.
"In essence, the new amendments are about being able to report on and monitor e-mail and Web use, internally and externally, before taking the necessary steps to prevent misuse," Marquez said.
"IT managers do not need to implement new technology for technology's sake. Instead they need to firstly educate end-users, as many data breaches can happen accidentally, and secondly, to update their internal policies to be in line with the Privacy Act. Industries such as health and financial services, as well as large companies, need to pay particular attention to these amendments."
Marquez cited the example of an end user at a health company who accidentally sent an entire database of contacts to a doctor, who in turn shared this with a pharmaceutical company for financial gain.
"This black market of information is exactly what the Privacy Act aims to prevent. End-users need to know their confidential data will be secured and not sold," he said.
Another key principle proposed by the ALRC concerns the regulation of cross-border data flows: an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
Government agencies and business organisations will also be required to notify individuals and the Privacy Commissioner where there is a real risk of serious harm occurring as a result of a data breach.
Gartner's Walls said that large organisations engaging in good security practices already have the processes and infrastructure required to monitor and identify breaches and therefore will not require large expenditure to comply. Rather, the impact of changes to the Privacy Act will be felt on the human side of business rather than the technology side.
"Notification [of a data breach] to the government and affected individuals is actually a public relations activity, a marketing function. So organisations will have to take their incident response and incident management teams and integrate them with PR," he said.
Walls also suggests we get ready for an onslaught of data breach headlines.
"The reality is there probably won't be any more [data breach] activity than normal, we're just going to hear and talk about every one now, which is a healthy thing because it provides transparency and establishes security performance as a market differentiator. But it will be painful for a few years," he said.
Walls said he was somewhat disappointed with the data breach notification proposals, particularly where the threshold that has to be reached before notification is required is decided by the organisation, not the individual whose information has been exposed.
"They made some very ambiguous statements about level of harm. If an organisation experiences a breach on just one person's details out of hundreds of thousands then that is not a big deal for the organisation. But for that individual it could be catastrophic, so by adopting this test based on the organisation's assessment the recommendations are really saying privacy is a problem for business and government agencies, not an individual problem."
In the US, Walls said, if private data is breached the individuals are notified, whether it is one or one thousand customers.
"The company doesn't get to say 'no, it's not that big a deal, we'll ignore it'. But under this reasonable test that may not occur."
The ALRC also made recommendations to give the Privacy Commissioner more power to exact stronger penalties on non-compliant organisations, allowing the Commissioner to seek court orders enforcing compliance, or imposing monetary sanctions or civil penalties for serious or repeated breaches.
"We were responding to community concerns there that the Privacy Act might be a bit of a toothless tiger, so we wanted the Privacy Commissioner to be able to issue notices to comply; amazingly they can't do that at the moment," Weisbrot said.
More comprehensive credit reporting has also been recommended to facilitate better risk management practices by credit suppliers and lenders.
"I've actually asked friends and neighbours what they think can be collected and they are astonished at how limited it is," Weisbrot said.
According to Weisbrot credit lenders currently can keep on record that a customer has applied for credit, a card or an overdraft, but cannot keep on record whether the customer's application was approved, for how much, or how many accounts they might have.
"We've recommended opening it up a bit...so if you're applying for a $100,000 loan to buy a boat the lenders and credit agencies should know that you've got a $500,000 mortgage, a $20,000 loan for a car, four credit cards with $50,000 limit, for example. That will enable better risk management practices because it's hard to know how they make those assessments with the limited amount of information they [currently] have."
The recommendations also called for consultation with young people to improve their control of personal information on social networking sites. However, Walls said he was surprised at the assumption that social networks were exclusive to young people, and believes the ALRC missed a crucial component regarding the flow of corporate and personal data over professional social networking sites.
"Many Australians are attached to things like LinkedIn, Myspace, Bebo, Facebook etc, which are multinational entities based in the US, Europe and elsewhere, but the recommendations make no comment about what we should be doing there.
"Westpac is experimenting with Facebook as a collaboration and productivity enhancer, and I know of other Australian organisations using virtual worlds like Second Life to do team collaboration. They are all using offshore resources, so what is the status of law there... I think they missed an opportunity to grapple with this issue," he said.
Weisbrot said he doesn't expect the reforms, once they are legislated, to require significant hardware or software infrastructure expenditure for enterprises to comply, as any organisation engaging in responsible security practices would already have adequate measures in place. For small businesses that file data on customers and employees, he said an econometrician predicted several hundred dollars in security software would be required.
To ensure the new Privacy Act remains future-proof, an expert sub-committee of IT-related professors and industry representatives advised the ALRC on new and emerging technologies. Weisbrot said the new Act would be "technology-neutral but technology-aware", with general principles rather than specific regulation of technologies that will become outdated, "so that even if the technology changes, we will still have the eleven commandments, as I call them," he said.
Walls said the real fight will start once parliament gets hold of the recommendations and starts trying to trim them into real laws.
"Then we'll see whether enforcement actually occurs. But that is several years out, I think we're probably looking at three years in terms of real impact," he said.
The report For Your Information: Australian Privacy Law and Practice can be viewed in full here.