Australia's about to get tougher new privacy laws. Businesses were given a year's notice, but with half that time already gone, many haven't even started thinking about it. They could be in for a rude shock — including fines of up to $1.7 million if they get it wrong.
Privacy experts have always said that the keys to getting privacy right were trust and transparency. From 12 March 2014, privacy law reforms put those concepts front and centre. The very first of the new Australian Privacy Principles (APP1) requires organisations to have open and transparent policies and processes for managing personal information.
"Organisations that have chosen not to respect requirements around privacy, they're going to be having to play catch-up," Gartner research director Rob McMillan told the media in Sydney late last month. "We've been talking about privacy in a pretty public way now for 25 years. This should not come as a surprise to anybody."
It's no secret that personal data has become "the new oil of the internet age and the new currency of the digital world", as European Consumer Commissioner Meglena Kuneva put it in 2009. In 2011, the World Economic Forum even declared that personal data is a new asset class.
Privacy concerns have evolved in parallel, and privacy has rapidly become a global debate — and that's without Edward Snowden's recent revelations of US surveillance by the NSA.
"I go back five years and I mention that I'm a privacy professional and people would basically give you the glazed-eye response," said Malcolm Crompton, who as Australia's privacy commissioner from 1999 to 2004 led the implementation of private sector privacy law. "Now you start getting their Facebook stories, instantly. People have connected to it in a visceral way."
Crompton now heads Information Integrity Solutions Pty Ltd (IIS), which provides "strategic privacy consulting services" — its very existence an indication of how the landscape has changed. We now have virtual companies, for instance, whose only asset might be personal and other data, and knowledge about how to use that data. But that asset can easily become a liability.
"I think there is a very reasonable case to be made [that] you're able to do so much with the personal information holdings in your company because the public is bone ignorant of what you're doing with it," Crompton told the Gartner Security and Risk Management Summit.
APP1 is the "sleeper", he said. Australia's current privacy commissioner calls it "the bedrock principle". If something goes wrong, and the organisation doesn't have those transparent processes in order, it'll count against them — and under the new laws the privacy commissioner will be able to launch an investigation without a complaint having to be made.
Other key changes include a significant tightening of the rules for cross-border disclosure of personal information (APP8) — a key issue in this age of cloud computing — and an overhaul of credit reporting laws.
Crompton has some blunt advice for companies updating their online privacy policies. The key question to answer is about the intent of their policy.
"If the intent was to go back to the original Alan Westin intent [for privacy policies to inform individuals and allow them to make decisions about the use of their data], then you really would rip it up and start again. If your intent is actually not to inform but defend, then you may keep on going out from 20,000 words to 40,000, and at some stage we may have to see regulators globally attack that," he said.
Best practices include layered privacy notices and privacy-by-design principles.
Both McMillan and Crompton advise organisations to take a risk-management approach to privacy issues. Just as the information security and corporate risk disciplines moved closer together in recent years, privacy issues are now joining them.
"They have areas of commonality, but there's also large areas where they're not necessarily working in the same space," McMillan said.
But Australian organisations don't seem to be ready for the change. Hitachi Data Systems' chief technology officer for APAC, Adrian De Luca, told Technology Spectator that in their recent survey of medium to large organisations, 79 per cent said the changes would affect them — especially in areas such as financial and audit, marketing data and the like.
But according to Crompton, many don't even realise the changes are coming, let alone having started to plan for them.
"We're seeing a few companies that are nicely on the curve to doing something about it, and some companies that are just closing their eyes and curling up under the desk and hoping that this will just wash over the top," Crompton said.
"It's a valid risk management strategy, so long as you know what you're doing."