You can now download the full report on compliance with Australia’s amended Privacy Act, prepared by iTnews, SC Magazine and Shelston IP.
The report, available for download from the Research page on our website, attempts to go to the heart of what changes to systems and policies IT managers may need to consider in light of their new responsibilities.
To summarise, any organisation that generates over $3 million a year in revenues should:
- Keep privacy policies up-to-date and communicated to staff and customers.
- Obtain consent to store data for a narrow range of activities at the point it is collected from customers.
- Build systems that can store and easily retrieve consent data.
- Bolster information security to protect stores of personally identifiable information.
- Engage in active monitoring of network logs and security incidents.
- Consider de-identification and encryption of customer data.
- Push external providers for better security controls and audit/inspection rights.
The most pressing change in the Act is the Privacy Commissioner’s newfound ability to proactively audit, seek enforceable undertakings and shine a light on poor privacy practices. The Commissioner can apply to the Court to levy fines of up to $1.7 million.
“I’m convinced there are poor practices throughout the corporate world because organisations are not investing in protecting personal information,” noted co-author Mark Vincent at our recent Privacy Act workshop.
“And that’s because they have had nothing to fear so far: we haven’t had mandatory data breach notification and the Commissioner hasn’t had these powers.”
It's my opinion, however, that the Office of the Australian Information Commissioner (OAIC) is not geared up to use these means at anywhere near the scale of regulators like the Australian Competition and Consumer Commission (ACCC).
I expect these powers will instead be selectively applied — most likely to mid-sized companies initially — to draw attention to the Act and promote better privacy practice.
“The real risk to an audited organisation is reputational harm,” Vincent said.
It should be noted that the OAIC has not vetted or endorsed our advice, as it is struggling to respond to calls for further clarity prior to the March 12 deadline. We expect the Office to release updated guidance within the next few weeks.
Until then, I hope our recommendations set you on the right path.