Gearing up for the changes to the Privacy Act
In a week's time, on March 12, 2014, reforms to the privacy laws will come into effect, which will apply to Australian government agencies, private sector businesses, and not-for-profit organisations covered by the Privacy Act 1988.
As part of the reforms, consumers will be able to request access to their personal information held by an organisation or agent; request a correction to their personal information held by an organisation or agency; opt out of receiving direct marketing communications from organisations; ask an organisation where they collected their personal information from; and find out if their personal information will be sent overseas.
Also, the Privacy Commissioner will have the power to proactively seek out whether businesses are being compliant, accept written undertakings that will be enforceable through courts, and slap companies with fines of up to AU$1.7 million if consumer data is not adequately protected.
"The new laws see a greater responsibility put on businesses and Australian government agencies to be more transparent about how they handle personal information," said Australian Privacy Commissioner Timothy Pilgrim.
"Being upfront with customers and having good privacy practices in place makes good business sense. Organisations will now be required to have a clearly expressed and up-to-date privacy policy about the way they handle personal information.
"Everyone should take an active interest in protecting their privacy and read an organisation's privacy policy to decide whether they want to do business with that organisation. I'm encouraging people to be aware of the changes to privacy laws so that they will have greater confidence in their ability to exercise their privacy rights."
This will be the second time the Privacy Act has been reformed. It was initially reformed back in 2001, and was extended to include the private sector, as initially it was only applicable to Australia's federal public sector and the credit reporting agencies.
ADMA CEO Jodie Sangster believes that given how important data has become over the years that it has now reached a point where it is driving business decisions, the Privacy Commissioner could have done more.
"[The Privacy Commissioner] took the 2001 legislation and kind of revamped parts of it," she said.
"In reality, I would like to have seen them start again and take a more innovative approach to privacy and data protection, which they didn't. It's a slightly outdated piece of legislation they tried to retrofit, and they're going to try make it fit with what's happened," she said.
Sangster also noted that the new reforms will apply to certain areas that businesses would have no control over, but yet will still be held accountable if anything goes wrong.
"Where it doesn't work is when, for example, a company is using something like Dropbox. Businesses use it as a service to help get information from one place to another, and you won't have a lot of choice to how Dropbox is going to manage that information, so you're reliant on them to do the right thing; but if they don't, the onus could be on you," she said.
Earlier last year, McAfee found that most businesses were largely unaware of the upcoming changes. It found that 59 percent of employees responsible for managing the personal information of customers were unaware or unsure of the changes.
ASI Solutions director Maree Lowe said the ignorance of the incoming changes is mainly due to an overall impression, especially among smaller companies, that the reforms will be similar to the ones that were seen in 2001.
"Businesses can take the approach that if they don't do the right thing, they could be fined. But I think our liability as businesses, whether in enterprise or government, is that we're under a lot more pressure to follow these stringent guidelines in the way data is shared. I think we need to be more wary about the repercussions when we share information from now on," she said.
As a sound warning to those companies that have yet to look into the changes that will be coming into force, Sangster advises them to complete a data audit, get their privacy policy right at all touch points with the consumer, appoint a "privacy champion" to lead the change, and train everyone within the company who comes in contact with data.