Build privacy into your systems or risk penalties: Pilgrim

Australia’s Privacy Commissioner has warned businesses need to seriously consider their privacy strategies ahead of changes to the Privacy Act, due to go live in less than a year.

Privacy Commissioner Timothy Pilgrim.

The Privacy Act of 2012, passed through Parliament late last year, will give new powers to the Privacy Commissioner and introduce a new set of privacy principles, consolidating two previous sets into one. 

Attorney General Mark Dreyfus told businesses at the launch of Privacy Awareness Week that while the start date of the new laws is 10 months away, they need to prepare now.

“Now is the time to change existing systems and practices and get staff prepared,” he said.

“For many of you this will involve moving from compliance with the National Privacy Principles (NPPs)  to compliance with the Australian Privacy Principles (APPs). In some case the changes will be minimal, others will require careful consideration.”

The Privacy Act 2012 will replace the current Information Privacy Principles (IPPs) for the public sector and NPPs for the private sector, with one set of Australian Privacy Principles (APPs). 

Privacy Commissioner Timothy Pilgrim said it was imperative businesses embrace 'privacy by design'.

He recommended organisations undertake a Privacy Impact Assessment (PIA) for any new business processes that involve the handling of personal information. Under the new Privacy Act, government agencies will be required to do so but it will remain voluntary for the private sector. 

The obligations under the new APPs remain largely the same as under the IPPs and NPPs, however an entity is now required to take reasonable steps to protect personal information it holds from interference, misuse, loss, and unauthorised action, modification or disclosure.

“The inclusion of 'interference' is new and recognises that attacks on personal information may not be limited to simple attacks dealing with modification of content. The new element may require additional action to be taken to protect against computer attacks and other interferences of this nature,” Pilgrim said.

“Information security is clearly a significant privacy issue and has emerged as a major challenge to all of us.

"As technology is evolving, so are privacy risks. There are more opportunities for hackers to compromise information security infrastructure.”

New powers

The Privacy Commissioner will also benefit from a new range of enforcement powers come March 2014.

Among them, Pilgrim will be able to conduct performance assessments of private sector organisations.

“These assessments may be conducted at any time, so I’m putting business on notice that they need to have their systems and processes in place to be ready at all times for a performance assessment.”

Pilgrim will also be able to apply for civil penalties orders, of up to $340,000 for an individual and up to $1.7 million for companies. 

The Privacy Commissioner’s office would not immediately jump into using its new powers, he said.

“I will seek to conciliate the matter first between individuals and the respondent organisation, and similarly in the case of large scale data breaches, we would want to work on a conciliatory approach with those organisations to come up with a good outcome for those people who have been affected by the breach, before we would launch into using any of the new enforcement powers,” he said.

“However I would temper that by saying those powers are there for a reason, and where there are serious and repeated breaches, I would suggest we won’t hold back from using them when necessary.”

He urged businesses not to concentrate on the potential penalties but rather the “compelling” business case to be made for privacy. 

“It’s about the bigger question of how we create privacy options for our customers. If an organisation mishandles the personal information of its customers or clients it risks serious financial consequences associated with remediation, loss of trust and considerable harm to the organisation’s reputation," he said.

"It can lead to loss of customers and a serious impact on the organisation’s capacity to perform its core functions and activities.

“The business case is simply that good privacy practice is simply good business practice.”