March 12, 2014 marked the date when changes to the Australian Privacy Act came into effect.
The reforms included giving consumers the power to request access to their personal information held by an organisation or agency; request a correction to their personal information held by an organisation or agency; opt out of receiving direct marketing communications from organisations; ask an organisation where it collected their personal information from; and find out if their personal information will be sent overseas.
In turn, these reforms required businesses to make changes to their own privacy and compliance policies. But a newly released whitepaper by NTT Communications ICT Solutions and Hitachi Data Systems has revealed that while 80.7 percent of organisations were aware of the changes, over 70 percent of IT decision makers are still seeking third-party guidance on how they should manage their data.
The Increasing Value of Data in Australia: Privacy, Security and Compliance study, which was carried out by IDC Australia, showed that more than half of organisations rated themselves as being "good" in handling risk and compliance.
"When we saw what they knew about the privacy changes, most were aware of their requirements when it came to offshore data, breaches, and the impact it could have on their brand, and civil penalties. But they didn't really know who it affected, which was quite low," said Sally Parker, IDC Australia cloud and big data research director.
From an industry perspective, the financial and communication sectors are twice as likely as the retail, wholesale, and service industry to have a designated person overseeing risk and compliance in their company.
Ironically, it was those in the retail, wholesale, and service industry that rated themselves most highly in terms of maturity level when it comes to handling risk and compliance, whereas the financial and communication sectors rated themselves as less prepared.
When the 150 organisations that were surveyed were asked what actions they have taken since the introduction of the revised Privacy Act, a majority of them said they had made internal changes, whether it was bumping up employee education on the topic or amending their existing guidelines on how they handle data.
But this left 8.3 percent of those surveyed admitting they took no action at all. According to Parker, this was mainly due to complacency, or to organisations (mainly those in the financial sector) believing the existing processes they had in place were sufficient to handle the changes.
Parker also indicated that the advent of new technologies, such as cloud, social media, and mobile, is dictating the way Australian businesses handle their data, as these technologies foster a borderless IT environment. Of the organisations surveyed, 93.7 percent shared that public cloud had changed how they approach security and risk.
"What we see here is all of these technologies have impacted people's approach to security compliance," she said.
Andrew McGee, Hitachi Data Systems CTO, added that while there is a big focus on privacy laws, there is a disconnect within organisations between the IT departments and knowing where the data lives within an organisation.
"That's a concern because we have a tendency to not delete anything because it's often difficult to identify within an archive each file whether we need to keep or not, and then so we end up just keeping it, so it highlights there is a deficiency in data disposal."
Parker said the survey also highlighted that the value of data is rising, not just for corporations or government but for individuals as well, with situations such as the most recent conversations around data retention and the right to be forgotten generating their interest.
"If you're an organisation it's not the time to sit back and wait to act. It's imperative to act to how consumers behave now for tomorrow, and trust will play a big part of that," Parker warned.
"Individuals are on the cusp of awareness and the onus is on organisations to protect their data and empower them to have a say in its use."