In just over a month, Australia will have a new set of data privacy laws with harsh financial penalties for individuals and companies found guilty of serious information breaches.
Under the new legislation, the Australian Privacy Commissioner can seek civil penalties of up to $340,000 for individuals and up to $1.7 million for companies in the case of a serious privacy breach.
Organisations will need to get their houses in order by building privacy and data protection in the design specifications and architectures of their IT systems to facilitate compliance.
Carrying out privacy impact assessments to understand information flows and the impact on customer privacy will also be vital, said Matthew McMillan, partner at law firm Henry Davis York.
This enables companies to look at a project from a privacy perspective, understand information flows, analyse impacts on customer privacy, and find new ways to manage, minimise or avoid those impacts while still achieving what the project set out to do, he said.
But many organisations haven’t yet reached this stage, McMillian said.
“My experience is that a lot of companies haven’t matured to that level,” he said. “Some are doing it, I am aware of some of the larger institutions implementing the concept of privacy by design,” he said.
This concept was created in back in 1995 by the Privacy Commissioner of Ontario, Canada and the Dutch Data Protection Authority.
“It’s about how you go about building privacy into your products and services from the get-go,” he said.
“This is something that some of the larger companies and institutions are starting to consider or are looking at. But I think often privacy has been thought about as being ‘what do we need to bolt onto this to become compliant’ rather than actually addressing the issue up front.”
So what else should your organisation be doing between now and the March 12 deadline when the new privacy laws come into effect?
Creating policies and procedures
Companies need to create robust policies and procedures for identifying and reporting privacy breaches, and receiving and responding to complaints from individuals, said McMillan.
Having designated privacy officers, regular staff training and information bulletins is also crucial, he said
“There is a bit of a balancing act involved but the types of practices, procedures and systems CIOs should be thinking about is really mapping out the information lifecycle throughout the organisation,” he said.
Auditing existing databases to discover what personal information is held, the purpose of data collection, and whether or not the personal data is now likely to be used for purposes other than originally intended will also be useful.
“So really starting to get a feel for what’s there and what it is being used for is a first step, and then going forward, having a privacy management project in place that looks at how you can build and integrate privacy protections into your day-to-day operations,” he said.
Cross-border information disclosure
McMillan said organisations should also be aware of Australian Privacy Principal 8, which requires an entity – before they disclose information to an overseas recipient such as an offshore data centre or cloud provider – to take reasonable steps to ensure the receiver does not breach the new rules.
“In some circumstances, if those reasonable steps have not been taken, the organisation may well be accountable for the acts and practices of the overseas recipient,” said McMillan.
“For organisations and CIOs, it’s about making sure the contracts with suppliers – particularly offshore suppliers – are robust,” he said.
McMillan said he works with several Australian banks which already have robust contractual provisions in place to address these issues.
“Many have been updated in the light of the reforms coming through but again for a lot of organisations, it will be looking at who are their strategic suppliers and where are they located offshore – and if their contracts are robust enough to give them the assurance they need that the data is going to be handled in accordance with the Australian Privacy Principles,” he said.
Finally, McMillan warned that under the new laws, the Privacy Commissioner can do his own “motion investigations”.
“This means it doesn’t have to necessarily be a customer complaint which triggers the action,” he said.