Australian organisations unprepared for new privacy laws: McAfee

As the Australian Privacy Commissioner and Attorney-general warn businesses to prepare themselves for upchanges to the Privacy Act, McAfee has found that most don't even realise that there are changes or fines for non-compliance.
Written by AAP , Contributor and  Michael Lee, Contributor

A survey of business and government agencies has found that many are largely unaware of upcoming changes to the Australian Privacy Act under which large fines may be imposed if consumer data is not adequately protected.

The April survey, commissioned by internet security company McAfee, found that 59 percent of employees responsible for managing the personal information of customers were unaware or unsure of the changes.

From March 2014, organisations subject to the amended Privacy Act could face penalties ranging from $340,000 for individuals and $1.7 million for corporations. These fines are the maximum civil penalties that the Privacy Commissioner will be able to hand down to organisations for serious or repeated violations of the Australian Privacy Principles they are bound by.

Earlier on Monday, the Privacy Commissioner and the Attorney-general warned businesses that they need to start preparing for the changes now.

The research also showed that more than one in five organisations admitted to data breaches, and nearly half of the employees managing customer's personal information hadn't received training in managing and storing sensitive data.

Of those that were aware of the upcoming changes to the Privacy Act, just under half had taken action in the form of conducting a privacy impact assessment. Of the action-takers, 46 percent also reviewed their existing technology controls, and 33 percent sought legal advice.

Meanwhile, in terms of the data being collected by organisations, some believe that businesses are overstepping their bounds when it comes to asking customers for information.

Honorary Associate Professor Terry Beed from the University of Sydney Business School said that consumer information is being amassed in a way that does not comply with the code governing data collection by market and social researchers.

He said that market research tools such as SurveyMonkey are now readily available to individuals or firms who may not use them correctly or ethically.

"The ground is changing under our feet," he said in a statement on Monday.

"There has been an explosion in the amount of personal data being gathered in the digital environment, and it has revolutionised the way we go about marketing goods and services."

Beed said that much of the data was being gathered by people with no background in market and social research.

He said that it's important they are educated about working with consumers' personal information in accordance with the privacy regulations.

Much of the data is being on-sold to marketers, often via data brokers, without the knowledge or consent of consumers, and in possible breach of the privacy codes approved by the Australian Privacy Commissioner.

Beed said the use of age, gender, or product preferences to design highly targeted advertising may be annoying to some consumers, but is relatively harmless.

"Of far greater concern is data that might be related to incomes, debt levels, or health profiles, which is gathered and on-sold without any warning to the consumer."

His viewpoints are matched by Stephen Wilson, managing director of digital identity company Lockstep Consulting. Wilson highlighted at the Sydney launch of Privacy Awareness Week on Monday that technologists often don't understand their obligations under the Privacy Act, or even that the information they are collecting is considered personal information.

"Personal information is thought to be the stuff of forms, questionnaires, call centres, and the like. Technologists can be really surprised when they find that the definition encompasses things like metadata, event logs, and the stuff of technology that's personally identifiable," Wilson said.

He drew a parallel to the Google Streetview case, where Google was found to be in breach of the Australian Privacy Act to the surprise of many technologists that felt that if a wireless hotspot were broadcasting information in to the public domain, it should not be considered private.

"If the data is in the public domain, the technologists held that it was up for grabs, and that Google cannot have done anything wrong," Wilson said.

"[But] it doesn't matter where you got the information from. You can get information from the public domain and you've still committed a collection [of personal information]."

He also highlighted that many of the leading edge insights into big data often overshadowed the need to respect Australia's privacy principles. He ran through a brief example of a paper published in Science that found that despite certain donated genetic data (such as the 1,000 Genomes Project) being made anonymous, researchers had been able to match the information to genealogy databases, and thus narrow down individuals based on demographic information and other public records.

While noting how remarkable the research was, he said that it could also be considered in violation on Australia's current National Privacy Principles.

"If you put a name on something that was previously anonymous, you've collected data, and you probably need to get the consent of the person because it's a third party and they've got no prior relationship."

Editorial standards