Australia's privacy laws are being tightened up and reformed, and from 12 March 2014 businesses will have to ensure they carefully stick to new rules. However, privacy experts suggest that it's more important for businesses (and their IT departments) to ensure they're following sensible privacy guidelines that respect the rights of individuals than to worry about every last detail of the legislation.
The Office of the Australian Information Commissioner (OAIC) has a series of detailed guides for businesses on the requirements of the revised act. The rules don't apply to small businesses, but do affect larger organisations and government departments.
Speaking in a media session yesterday as part of the Gartner Security & Risk Management Summit in Sydney, former privacy commissioner and current managing director of consultancy IIS Malcolm Crompton noted that the rules could create extra risks for businesses. "Not only do you get beaten up if you make mistakes, you also get beaten up if you don't have a privacy program. That's going to have long-term repercussions."
Responses have varied. "We're seeing a few companies that are nicely on the curve to doing something about it, and some companies curling up under the desk and hoping it will wash over the top," Crompton said.
The rules are being noticed even outside the immediate Australian jurisdiction. "These changes have gained attention from other parts of the world," Gartner analyst Rob McMillan said. "This is not just a set of changes that's of interest locally. This is being looked at more broadly than we realise."
However, the key theme of the session was that law changes are less relevant than the overall attitude of the business towards privacy. "Organisations that already have a culture of respecting privacy, maybe some changes are entailed but for them it's not a huge event," McMillan said. "It's the organisations that have chosen not to respect requirements around privacy that are going to have to play catch up."
Taking a proactive attitude would pay dividends, Crompton suggested. "There's an increasing commercial reason to think about privacy matters. We're seeing a trend away from complaint-based approaches to enforcement to privacy law."
The rapid evolution of technology also means that thinking about privacy purely in terms of current laws will come back to bite you, Crompton added. "Arguably, whether or not the privacy law changes or not in March of next year doesn't matter. Even under the current law issues would emerge to be dealt with."
"The culture of privacy in the organisation matters. It might not be very fashionable to talk about it, but your ability to respond to complex and subtle issues will depend on the willingness of the organisation to identify and deal with problems. Culture isn't an easy thing to shift overnight. It's a long-term process that requires constant attention."