For the past three days I’ve opined as to the reasons why Australian organisations are unlikely to be prepared for the updated Privacy Act come March 12, with emphasis on what constitutes personal data and the impact of the amended Act on cloud computing and big data.
Today I'm focusing on one part of the Act that isn't entirely new, but that remains among the most problematic from a systems perspective.
Any Australian business with over $3 million in annual revenues wears an obligation under the Privacy Act to tell a customer exactly what data you have on them upon request, and if necessary modify or delete that data at their request.
This obligation was introduced with the best of intentions — transparency. Balanced against that privacy outcome is a compliance burden that few organisations can meet.
Also in this blog series:
From a systems perspective, compliance with this aspect of the Act would requires best practice approaches to IT, such as a customer relationship management (CRM) system that offers a single source of the truth on a given customer.
In most organisations I speak to, that's an ideal scenario. It tends to be reserved for recently-incorporated companies that have installed a modern CRM system (complete with an auditable record of all agent and customer activity) and usually for organisations that only offer a handful of products and services, not for large integrated banks, telcos or retailers.
Consider a company with the scale of a large telco or bank, which has often developed different CRM systems across multiple divisions and inherited yet more during mergers and acquisitions: the time required to complete such a request starts to get prohibitive.
How many organisations could genuinely say they have a single customer record? How many times are datasets exported into spreadsheets for use by staff? How many copies of those spreadsheets have been distributed on mobile devices?
Further, how practical is the obligation to destroy data once its stated use (for consent) is complete? Data can be deleted, but destroyed?
Consider the ASD standards for destruction of data. Are multi-tenant cloud providers destroying data when asked to delete records?
As one CIO pointed out in our workshop, how many copies of customer data has your organisation made in the name of availability and redundancy? Does deleting a customer record genuinely destroy that record in replicated systems?
Attendees at our workshop — covering the full gamut of financial services, healthcare, retail and utilities — noted that meeting this requirement, despite all its best intentions, could spiral out of control. Government officials that have faced these requirements for several years longer than the private sector are overwhelmed by it.
“At the moment it is clearly already a burden,” said Mark Vincent, partner at Shelston IP. “If this got out of hand — if requests came in from more than the occasional privacy obsessed customer — it would be a massive burden.
“This goes to an IT systems design problem — whether you built your systems from the ground up to classify data so that data relating to an individual is available at a keystroke and is able to be corrected. It would be a rare organisation that has all the data about an individual stored in one record.
“How can you design systems so that you can correct and delete a record if you need to, without resorting to an expensive, manual process? It takes a significant number of hours to fulfil some of these requests. For large organisations today it could take a full-time employee just to manage it.”
I’m left with many questions. Perhaps you can think of some answers?
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.