Australian privacy commissioner Timothy Pilgrim said his office will release long-awaited final guidance on new privacy legislation before the end of next week, less than a month before the stricter regime takes effect.
Pilgrim said the Office of the Australian Information Commissioner (OAIC) would also release “operational regulatory guidance” that would give Australian organisations “a very clear understanding of our expectations and under what circumstances we will take regulatory action.”
Speaking at a privacy training awareness session hosted by the International Association of Privacy Professionals ANZ, Pilgrim said he will not rule out putting his new enforcement powers to the test in their first 12 months, but said his office would take into account the steps an organisation had taken to achieve compliance with new privacy legislation before applying fines.
New privacy rules, which will see businesses made accountable for the privacy breaches of third party providers and liable for fines of up to $1.7 million, come into effect on 12 March.
Pilgrim hinted that the Office of the Australian Information Commissioner (OAIC) could be lenient towards caught businesses (those with a turnover of more than $3 million per annum) in the first months after the reforms take effect.
“Our compliance focus in the months following 12 March will be on working with entities to make sure they understand the new requirements and have systems in place to meet them,” he said.
“To that end, in resolving matters brought to the attention of the office, we will take into account the steps that entities have taken to genuinely prepare for the changes and to comply with the new laws.”
However he added that the OAIC would take “a tougher approach where it finds that attempts have not been made to comply with the new laws.
“It is not enough to have it on your agenda,” he told iTnews.
Appearing at the same privacy forum, Peter Leonard, a partner at law firm Gilbert and Tobin, also emphasised that companies and organisations must not forget about the privacy implications of third party support arrangements, such as offshore call centres and “follow the sun” style support arrangements that cover operations outside Australian working hours.
Under APP 8, Australian organisations are accountable for the breaches of these third party suppliers, he said, such as “call centres in the Philippines where operators in the Philippines have access to a screen on information about a customer to enable them to deal with a complaint or enquiry” or hardware support deals which “enable a remote equipment support provider to dial in to the hardware to remotely diagnose a problem.”
“Many of these remote support arrangements don’t have full segregation of personal data that might be held on the machine,” he warned.