A new era in privacy

On March 12, Australia will usher in the biggest change to privacy law in the past 25 years with the introduction of the new Australian Privacy Principles, otherwise known as APPs.

While Australia is not unique (the European Union has a strict legal framework, and closer to home countries like Singapore and Korea are moving towards greater privacy regulation), it is taking a leading role within the Asia Pacific that has implications not only for local organisations but anyone doing business in this jurisdiction.

The new laws also mark a milestone for the seismic shift businesses have undergone in the past two decades, from paper-based processes to the digital age. Organisations will be required to follow a consistent and transparent set of guidelines for the collection, use, storage and disposal of citizens’ personal information.

These days almost every enterprise, large or small uses some form of information technology to run their business so most of this personal information will be collected, held and distributed electronically. Small businesses will store name and address details in email correspondence, spreadsheets or web forms. 

Larger businesses will be holding even more personal information in customer relationship and helpdesk systems.

For those not yet prepared, complying to the Act may be easier said than done. In a survey we conducted last year, a quarter of respondents were unsure when they had undertaken the last information inventory audit to establish their current level of regulatory compliance. The same survey also found 45 per cent of organisations had inconsistent workflows for privacy and data collection.

I recently participated in an insightful Google Hangout with Privacy Lawyer Alec Christie from DLA Piper, and chief executive of the Association of Data-Driven Marketing & Advertising, Jodie Sangster. Jodie made the point that writing your Privacy Policy is the critical first step, as this will drive all the activities and decisions to create a culture of compliance.

Just like protecting the intellectual property of your company, safeguarding identifying information of your clients is the next step in protecting your brand and reputation. If you think about it, protecting personal privacy should really be a logical extension of data security and management practices.

Where does IT fit in?

So with privacy policy inextricably to IT systems, what is the role of the IT department? Which technologies can help to ease the burden of storing, managing and disposing of ever-increasing volumes of personal information in a compliant manner? And what does a 'Privacy Protected Enterprise' look like?

Audit your information assets

Finding personally identifiable information amongst the interwoven relationship of applications and files is not trivial -- you can't just set Google onto it! Applications can store data in multiple places, making copies and snapshots, even in different formats. They are also not very good at cleaning up after themselves, so you may be inadvertently storing personal information about people long forgotten or no longer deemed of business use.

Conducting an audit of all your personal data is not just a logical first step, but an important one. Not only will this help you uncover all your personally identifiable data, but it can also give you an opportunity to do a spring clean before getting your systems in order. PII (Personally Identifiable Information) software from companies like envo8 and Identify Finder quickly scour you systems to and catalogue all your assets.

Manage the Information Lifecycle

A well-architected IT infrastructure that is designed to support the APPs can significantly ease the burden of compliance. Here are some examples:

• In general, the APPs require organisations to have well-defined, documented procedures and systems for managing personal information. Do you remember Information Lifecycle Management? Adopting policy-based file management technologies for relevant data sets can not only automate some of these procedures, but also enforce disposal when it is no longer needed.

• Various industry or legislative acts that overlay the APPs require the retention of information for a specified period of time. This is where software really helps, allowing you to create flexible policies to migrate files from a primary file server to a full-featured object store platform. Once in HP, it remains persistent and immutable for as long as it needs to be retained. When no longer required as defined by the policy, the HCP will expire the objects where they can be permanently destroyed, helping to comply with APPs 4 and 11.

• Furthermore, if changes or updates are made, HCP also allows you to maintain multiple versions to provide a full audit history, helping comply to APPs 10 and 13.

Maintain data quality and integrity

APPs 10 and 11 call for maintaining the quality and security of personal information, that is to make sure it is accurate and up to date. Therefore being able to search all instances of personal data quickly can be an invaluable asset. The Hitachi Data Discovery Suite can search filesystems and objects independent of applications, giving you a ‘Google-like' view of all your instances and assist in identifying any discrepancies.

Because HDDS works independent of applications, if you retire your application down the track you can still retrieve all information, wherever it may be.

Of course, infrastructure technology alone will not lead to compliance salvation, but adopting modern tools and transforming your IT infrastructure will reduce the overall cost of compliance in the long run, as well as minimise the risk of falling foul of these new laws.

I also believe the new privacy era is not only an opportunity for organisations to extend their existing data security practices to be more focused on individuals, but also an opportunity to improve information workflows and efficiency across the enterprise.

Adrian De Luca is chief technology officer for Hitachi Data Systems, Asia-Pacific.