Australian Attorney-General Mark Dreyfus and Privacy Commissioner Timothy Pilgrim have warned businesses to get ready for the changes due to Australian privacy reforms that are set to take effect in March next year.
Speaking at the Office of the Information Commissioner (OAIC)'s launch of Privacy Awareness Week and its information security guide, Dreyfus said that businesses should be getting ready for the changes now, and not waiting for the March 2014 deadline.
"Now is the time to change existing systems and practices, and begin to get your staff familiar with the new regime. The sooner these changes are embedded, the easier it will be to comply with the new measures in March 2014," he said.
Under recent privacy reforms, private-sector National Privacy Principles (NPPs) (PDF) and public-sector Information Privacy Principles (IPPs) (PDF) will be combined under a unified set of Australian Privacy Principles (APPs) (PDF). The overall effect is less confusion and better alignment of privacy values into one set of principles. However, there are some subtle differences.
"For many of you, this will involve moving from the compliance with the National Privacy Principles to compliance with the Australian Privacy Principles," Dreyfus said.
"In some cases, the changes required will be minimal. In other cases, there needs to be careful consideration about what needs to be updated."
One such difference is APP 11 — security of personal information. It replaces IPP 4 and NPP 4.
"The obligations remain largely the same; however, under APP 11, an entity must now take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification, or disclosure. The inclusion of interference is new, and recognises that attacks on personal information may not be limited to simple attacks involving modification of the content of the information," Pilgrim said.
"The new element may require additional measures to be taken to protect against computer attacks and other interferences of this nature."
Although private organisations subject to the Privacy Act are not required to conduct their own privacy impact assessments as the public sector is, they will be subject to other such scrutiny. The privacy reforms have also provided the Privacy Commissioner with the ability to conduct privacy performance assessments on businesses at any time.
"I'm putting business on notice that they need to have their systems and processes in place to be ready at all times for a performance assessment."
A similar compulsory-for-public, but voluntary-for-private situation exists for data-breach notifications. Currently, government agencies dealing with healthcare information are required by law to provide notification in the event of a data breach, but for other types of data, and in the private sector, no such mandatory scheme exists.
Dreyfus said that the adequacy of the current voluntary system is still a question that needs to be considered, as highlighted by the Attorney-General's Department releasing a discussion paper on the issue in October last year.
"If there continues to be under-reporting of data breaches, or we continue to find out about them only through media reports, some would argue that there is a strong case to move to a mandatory scheme," Dreyfus said.
"Large-scale data breaches continue to occur, and every incident that is reported in the media continues to raise community concerns about the need for a mandatory scheme."
The department is currently following up on the feedback from the last round of consultation, and still has to make a final decision on whether to propose any new legislation. However, Dreyfus did acknowledge that a mandatory scheme could act as an incentive to better secure information, and would additionally give the government a better picture of the breaches the country is experiencing. CERT Australia, the national Computer Emergency Response Team, is currently undertaking similar studies to determine how widespread attacks on Australian organisations are, but it only began that research this year.
In the meantime, the OAIC has released its own guide on what organisations should do in the event of a data breach, but this has not stopped its own employees from speculating. Former OAIC assistant commissioner of compliance Mark Hummerston previously said that his personal view is that the data-breach laws will come into play in late 2013.