SYDNEY (ZDNet Australia)--Australians are increasingly concerned about privacy, yet a "substantial chunk of Australian businesses" won't be ready to meet the requirements of the Privacy Amendment (Private Sector) Act, which comes into force on December 21, warns Mark Sumich, director of the Australian Privacy Compliance Centre.
Like the implementation of the GST and (arguably) Y2K, the new privacy requirements are a business issue that can have a deep impact on information systems.
One of the principles is that information can only be used for the purpose it was obtained, and Sumich points out that the federal Privacy Commissioner has indicated that a narrow view will be taken of any particular purpose and such interpretations will favour individuals. Does your customer database include the purpose for collecting each piece of information, and do you have a record of the customer granting permission for that purpose?
Another issue that IT will need to address is that organisations must be able to tell data subjects exactly what information is held about them, and give them an opportunity to correct any mistakes.
That shouldn't be too onerous if all the information is held in a modern CRM system, for example, but where customer data is stored across multiple independent databases it might be difficult to generate a full account of the information stored about any one person.
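As an added illustration (not code from the article or from the Australian Privacy Compliance Centre), the constructed Python sketch below models the two data-model questions raised above: each stored item carries the purpose it was collected for and whether the customer consented to that purpose, a value is released only for that purpose, and a subject access report is compiled across independent stores. It also re-dates an item when legacy data is updated, reflecting the point that the rules apply to "old" data once it is changed. The store names, field names, dates and sample values are invented.

```python
from dataclasses import dataclass, replace
from datetime import date

COMMENCEMENT = date(2001, 12, 21)  # the Act's private-sector rules take effect


@dataclass(frozen=True)
class Item:
    value: str
    purpose: str      # purpose stated when the data was collected
    consented: bool   # customer granted permission for that purpose
    collected: date   # collection date; reset whenever the item is updated

    def in_scope(self):
        return self.collected >= COMMENCEMENT  # collected or updated after commencement


class Store:
    """One independent database (e.g. CRM, billing): records = {id: {field: Item}}."""

    def __init__(self, name):
        self.name, self.records = name, {}

    def put(self, cid, field, item):
        self.records.setdefault(cid, {})[field] = item

    def update(self, cid, field, value, on):
        """Updating legacy data brings it into scope, so re-date the item."""
        self.records[cid][field] = replace(self.records[cid][field], value=value, collected=on)

    def use(self, cid, field, purpose):
        """Release a value only for the purpose it was collected for, and only with consent."""
        item = self.records.get(cid, {}).get(field)
        if item is None:
            raise KeyError(field)
        if item.purpose != purpose or not item.consented:
            raise PermissionError(f"{self.name}.{field} was collected for '{item.purpose}'")
        return item.value


def subject_access_report(stores, cid):
    """Compile everything held about one customer across all stores."""
    return {f"{s.name}.{f}": {"value": i.value, "purpose": i.purpose,
                              "consented": i.consented, "in_scope": i.in_scope()}
            for s in stores for f, i in s.records.get(cid, {}).items()}


# Constructed sample data for one customer, spread across two independent stores
CRM, BILLING = Store("crm"), Store("billing")
CRM.put("c1", "email", Item("a@example.com", "order confirmations", True, date(2002, 1, 5)))
CRM.put("c1", "phone", Item("0400 000 000", "delivery contact", False, date(2001, 6, 1)))
BILLING.put("c1", "card_last4", Item("4242", "billing", True, date(2002, 2, 1)))
```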
There's also a requirement that information must be "reasonably secure", said Sumich. Establishing what's "reasonable" in any particular circumstance is not a technical issue, but you will need to ensure that your technical staff are informed of what's required and that they maintain suitable protection.
And don't assume that cavalier use of the data you collected before December 21, 2001 will be acceptable. Sumich points out that the new rules will apply as soon as "old" data is updated.
The Australian Privacy Compliance Centre is a division of eTick, an audit and certification business. Its Australian Privacy Seal program provides a way for organisations to show the public not only that they complied with the National Privacy Principles at the time of an audit, but also that they have systems and procedures in place to ensure continuing compliance.