
If your company still hasn’t prepared for the new privacy laws, you guys are in really big trouble!


Have you heard about the sweeping new privacy rules?

Well, whether or not you’ve heard about them, they come into effect this month and if your company fails to strengthen its data collection, storage and management processes, you risk suffering tough new penalties from a regulator with wider powers.

On 12 March 2014, the Australian Privacy Principles will come into force, replacing the existing Information Privacy Principles and National Privacy Principles.

The 13 Australian Privacy Principles (APPs) really raise the bar on how businesses and federal government agencies collect, store and handle individuals’ personal information.

The new rules also beef up the privacy regulator’s enforcement powers with the Office of the Australian Information Commissioner able to levy penalties of up to $1.7 million and also impose enforceable undertakings against those who refuse to comply.

What do these new privacy rules mean for corporate Australia?

Aaron Greenman, Director, IT Security & Privacy at Protiviti commented that for the first time under Australian information privacy law, organisations will now have an express obligation to adopt practices and systems to protect personal data in accordance with the APPs.

He explained that organisations will have a whole load of new responsibilities on their shoulders including ensuring they have processes to deal with privacy complaints, making sure they are accountable for personal information disclosed to overseas parties, establishing security measures to prevent information breaches, and many more.

Greenman added that these wide-ranging changes will greatly impact organisations that collect a lot of personal information, such as online businesses, retailers, utilities, healthcare providers, communications companies and most finance and insurance businesses.

“While government departments are generally well-prepared, regrettably, our experience has shown that the majority of corporates are not”, he noted.

The whip will come down extra hard on the disobedient

And if you are still taking things lightly, Timothy Pilgrim, the Privacy Commissioner, has made it clear that he will not shy away from using his new powers, and come 12 March, companies should not expect a ‘softly, softly’ approach to enforcement.

This is because the rules have been in the public domain for some time and organisations have effectively had 15 months to prepare. Clearly, play time is over, so here are some steps your business can take immediately to become APP-ready before it’s too late.

  1. Identify the classes of personal information collected and held. Examples include: contact details, employment history, educational qualifications, racial or ethnic origin, Tax File Numbers, health information
  2. Identify how such information is collected, held, used and disclosed, and the purposes for which it is collected and used
  3. Identify the scope of any cross-border disclosures including where possible, the countries where recipients are likely to be located
  4. Review and update procedures and policies for managing the privacy risks at each stage of the lifecycle of this information, including at the time of collection, use, disclosure, storage and destruction
  5. Implement security systems for protecting the information from misuse, interference, loss and unauthorised disclosure, such as IT systems, internal access controls and audit trails
  6. Implement procedures for identifying and reporting privacy breaches and for receiving and addressing complaints
  7. Implement access and correction procedures
  8. Introduce procedures to give individuals the option of not identifying themselves or of using a pseudonym
  9. Establish a process to conduct a privacy impact assessment for any new projects where personal information will be handled
  10. Establish governance mechanisms to ensure ongoing compliance with the APPs such as appointing designated privacy officers and regular reporting to the board and management.

It’s not just the government that is serious about privacy

However, it is worth noting that the pressure on companies for better privacy protection is not coming from the government only, but from the general public as well.

Greenman explains that with the rise of online technologies and social media, public concerns about how organisations use or misuse private information are at an all-time high.

“Today, privacy if done well, builds deep trust and customer loyalty. But on the flipside, when things go horribly wrong such as when a major security breach occurs, the public backlash and negative publicity can inflict long-lasting damage to corporate reputations and see customers deserting a company for a very long time,” he says.

The 2013 Community Attitudes to Privacy Survey indeed confirms Greenman’s assertions, indicating that 60 per cent of Australians had decided not to deal with an organisation simply because of privacy concerns.

So ask yourself, when it comes to privacy, is my house in order yet?