Privacy Policies: Why Slavishly Following The Law Doesn't Help

Australia's privacy laws are being tightened up and reformed, and from 12 March 2014 businesses will have to ensure they carefully stick to new rules. However, privacy experts suggest that it's more important for businesses (and their IT departments) to ensure they're following sensible privacy guidelines that respect the rights of individuals than to worry about every last detail of the legislation.


The Office of the Australian Information Commissioner (OAIC) has a series of detailed guides for businesses on the requirements of the revised act. The rules don't apply to small businesses, but do affect larger organisations and government departments.

Speaking in a media session yesterday as part of the Gartner Security & Risk Management Summit in Sydney, former privacy commissioner and current managing director of consultancy IIS Malcolm Crompton noted that the rules could create extra risks for businesses. "Not only do you get beaten up if you make mistakes, you also get beaten up if you don't have a privacy program. That's going to have long term repercussions."

Responses have varied. "We're seeing a few companies that are nicely on the curve to doing something about it, and some companies curling up under the desk and hoping it will wash over the top," Crompton said.

The rules are being noticed even outside the immediate Australian jurisdiction. "These changes have gained attention from other parts of the world," Gartner analyst Rob McMillan said. "This is not just a set of changes that's of interest locally. This is being looked at more broadly than we realise."

However, the key theme of the session was that law changes are less relevant than the overall attitude of the business towards privacy. "Organisations that already have a culture of respecting privacy, maybe some changes are entailed but for them it's not a huge event," McMillan said. "It's the organisations that have chosen not to respect requirements around privacy that are going to have to play catch up."

Taking a proactive attitude would pay dividends, Crompton suggested. "There's an increasing commercial reason to think about privacy matters. We're seeing a trend away from complaint-based approaches to enforcement of privacy law."

The rapid evolution of technology also means that thinking about privacy purely in terms of current laws will come back to bite you, Crompton added. "Arguably, whether or not the privacy law changes or not in March of next year doesn't matter. Even under the current law issues would emerge to be dealt with."

"The culture of privacy in the organisation matters. It might not be very fashionable to talk about it, but your ability to respond to complex and subtle issues will depend on the willingness of the organisation to identify and deal with problems. Culture isn't an easy thing to shift overnight. It's a long term process that requires constant attention."


Comments

    I have absolutely no idea how the title has anything to do with the article. If you didn't handle privacy with customer data at all previously, as suggested by:

    “It’s the organisations that have chosen not to respect requirements around privacy that are going to have to play catch up.”

    ... then I suppose yes, that is correct - if you are already in breach of Australian privacy laws by not respecting the REQUIREMENTS, you're already in hot water... So I guess from that standpoint it's technically trueeeee............ technically...

    Privacy laws are already ridiculous in that they inhibit individuals' normal day to day life while doing minimal to actually protect our privacy beyond the basics we would expect, and in some cases are even eroding them - how many of you outside the finance industry knew that the privacy laws have been amended to allow credit reporting agencies to record your payment history? Whereas in the past they could only report if you'd applied for credit or if a default notice had been issued, now every time you miss a payment, say on your phone account, it can be reported, and lenders are looking forward to it so they can make "better credit risk assessments". Yet I can't even find out our gas or electricity bill if it's in my wife's name without her written consent.
    And let's not even forget the 'privacy act excuse' to avoid doing work - classic example: my son was sick one day when he was meant to have a Centrelink appointment and we couldn't get through on the phone, so I went into the local office to inform them "Sorry, he's too sick to come in today, can you please reschedule another time for him", only to be told that I couldn't tell them that because "his Mum's nominated to act on his behalf, not you, so we can't even open his file to view it without his permission - you'd appreciate it if it was your privacy we were protecting" - no, I bloody wouldn't appreciate it if I was in his spot and had to get out of my sick bed because of privacy, and how is me giving you information in any way causing you to break his privacy? Next time you think about reporting somebody for defrauding the system, make sure you have their written permission to report them so their privacy isn't breached! Sorry, rant over.
