Big stick for companies unprepared for new privacy laws

Australian companies that fail to strengthen their data collection, storage and management processes before sweeping new privacy rules take effect next month risk copping tough new penalties from a regulator with wider powers, warns a technology expert at global risk consulting firm Protiviti.

On 12 March 2014, the Australian Privacy Principles come into force, replacing existing Information Privacy Principles and National Privacy Principles. The 13 Australian Privacy Principles (APPs) significantly raise the bar on how businesses and federal government agencies collect, store and handle individuals’ personal information.

The new rules also beef up the privacy regulator’s enforcement powers with the Office of the Australian Information Commissioner able to levy penalties of up to $1.7 million and impose enforceable undertakings against non-compliant organisations.

“For the first time under Australian information privacy law, organisations have an express obligation to take positive steps to adopt practices and systems to protect personal data in accordance with the APPs,” said Aaron Greenman, Director, IT Security & Privacy at Protiviti.

“Organisations will be saddled with a raft of new responsibilities including ensuring they have processes to deal with privacy complaints, making sure they are accountable for personal information disclosed to overseas parties, establishing security measures to prevent information breaches, and many more.
“These wide-ranging changes will have a big impact on organisations that collect a lot of personal information such as online businesses, retailers, utilities, healthcare providers, communications companies and most businesses in the finance and insurance sectors. Yet, while government departments are generally well-prepared, regrettably, our experience has shown that the majority of corporates are not”, Mr Greenman added.

The Privacy Commissioner has made it clear that he will not shy away from using his new powers and come 12 March, companies should not expect a ‘softly, softly’ approach to enforcement. This is because the rules have been in the public domain for some time and organisations have effectively had 15 months to prepare*.

In view of the regulator’s tough stance, Mr Greenman warns that companies which have not already done so need to take immediate steps to become APP-compliant.

“Corporate Australia’s appetite for yet another compliance measure may be underwhelming, but companies need to appreciate that privacy is much more than just a bureaucratic requirement”, he said.

“With the rise of online technologies and social media, community concerns about how organisations use or misuse private information are at an all-time high. Today, privacy is an issue that if done well, builds deep bonds of community trust and customer loyalty. But on the flipside, when things go horribly wrong such as when a major security breach occurs, the public backlash and negative publicity can inflict long-lasting damage to corporate reputations and see customers deserting a company for a very long time”.

The 2013 Community Attitudes to Privacy Survey indeed affirmed that 60 per cent of Australians had decided not to deal with an organisation because of concerns about privacy.

Steps businesses should take to become APP-ready
1. Identify the classes of personal information collected and held. Examples include: contact details, employment history, educational qualifications, racial or ethnic origin, Tax File Numbers, health information

2. Identify how such information is collected, held, used and disclosed, and the purposes for which it is collected and used

3. Identify the scope of any cross-border disclosures including where possible, the countries where recipients are likely to be located

4. Review and update procedures and policies for managing the privacy risks at each stage of the lifecycle of this information, including at the time of collection, use, disclosure, storage and destruction

5. Implement security systems for protecting the information from misuse, interference, loss and unauthorised disclosure, such as IT systems, internal access controls and audit trails

6. Implement procedures for identifying and reporting privacy breaches and for receiving and addressing complaints

7. Implement access and correction procedures

8. Introduce procedures to give individuals the option of not identifying themselves or of using a pseudonym

9. Establish a process to conduct a privacy impact assessment for any new projects where personal information will be handled

10. Establish governance mechanisms to ensure ongoing compliance with the APPs such as appointing designated privacy officers and regular reporting to the board and management.

Source: *‘Privacy Reform – Act Three’: Speech by Timothy Pilgrim Privacy Commissioner to the ANZ Privacy Unbound Summer, Sydney 25 November 2013.

-- end --

For further information contact Su Lin Ho at CallidusPR on 02 9283 4113 or 0421 616 617

About Protiviti
Protiviti (http://www.protiviti.com.au/) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
