A rude privacy shock on the horizon

Businesses were given a year's notice to prepare for the new privacy laws. But with half that time already gone, many haven't even started thinking about it.

Australia's about to get tougher new privacy laws. Businesses were given a year's notice, but with half that time already gone, many haven't even started thinking about it. They could be in for a rude shock — including fines of up to $1.7 million if they get it wrong.

Privacy experts have always said that the keys to getting privacy right were trust and transparency. From 12 March 2014, privacy law reforms put those concepts front and centre. The very first of the new Australian Privacy Principles (APP1) requires organisations to have open and transparent policies and processes for managing personal information.

"Organisations that have chosen not to respect requirements around privacy, they're going to be having to play catch-up," Gartner research director Rob McMillan told the media in Sydney late last month. "We've been talking about privacy in a pretty public way now for 25 years. This should not come as a surprise to anybody."

It's no secret that personal data has become "the new oil of the internet age and the new currency of the digital world", as European Consumer Commissioner Meglena Kuneva put it in 2009. In 2011, the World Economic Forum even declared that personal data is a new asset class.

Privacy concerns have evolved in parallel, and privacy has rapidly become a global debate, and that was the case even before Edward Snowden's recent revelations of US surveillance by the NSA.

"I go back five years and I mention that I'm a privacy professional and people would basically give you the glazed-eye response," said Malcolm Crompton, who as Australia's privacy commissioner from 1999 to 2004 led the implementation of private sector privacy law. "Now you start getting their Facebook stories, instantly. People have connected to it in a visceral way."

Crompton now heads Information Integrity Solutions Pty Ltd (IIS), which provides "strategic privacy consulting services" — its very existence an indication of how the landscape has changed. We now have virtual companies, for instance, whose only asset might be personal and other data, and knowledge about how to use that data. But that asset can easily become a liability.

"I think there is a very reasonable case to be made [that] you're able to do so much with the personal information holdings in your company because the public is bone ignorant of what you're doing with it," Crompton told the Gartner Security and Risk Management Summit.

APP1 is the "sleeper", he said. Australia's current privacy commissioner calls it "the bedrock principle". If something goes wrong, and the organisation doesn't have those transparent processes in order, it'll count against them — and under the new laws the privacy commissioner will be able to launch an investigation without a complaint having to be made.

Other key changes include a significant tightening of the rules for cross-border disclosure of personal information (APP8) — a key issue in this age of cloud computing — and an overhaul of credit reporting laws.

Crompton has some blunt advice for companies updating their online privacy policies. The key question to answer is about the intent of their policy.

"If the intent was to go back to the original Alan Westin intent [for privacy policies to inform individuals and allow them to make decisions about the use of their data], then you really would rip it up and start again. If your intent is actually not to inform but defend, then you may keep on going out from 20,000 words to 40,000, and at some stage we may have to see regulators globally attack that," he said.

Best practices include the layered privacy notice (a short summary up front, with the full policy beneath it) and privacy-by-design principles.

Both McMillan and Crompton advise organisations to take a risk-management approach to privacy issues. Just as the information security and corporate risk disciplines moved closer together in recent years, privacy issues are now joining them.

"They have areas of commonality, but there's also large areas where they're not necessarily working in the same space," McMillan said.

But Australian organisations don't seem to be ready for the change. Hitachi Data Systems' chief technology officer for APAC, Adrian De Luca, told Technology Spectator that in the company's recent survey of medium to large organisations, 79 per cent said the changes would affect them, especially in areas such as finance and audit, marketing data and the like.
