Now live: Best practices for Privacy Act compliance

By on
Now live: Best practices for Privacy Act compliance

Full report available for download.

You can now download the full report on compliance with Australia’s amended Privacy Act, prepared by iTnews, SC Magazine and Shelston IP.

The report, available for download from the Research page on our website, attempts to go to the heart of what changes to systems and policies IT managers may need to consider in light of their new responsibilities.

To summarise, any organisation that generates over $3 million a year in revenues should:

  • Keep privacy policies up-to-date and communicated to staff and customers.
  • Obtain consent to store data for a narrow range of activities at the point it is collected by customers.
  • Build systems that can store and easily retrieve consent data.
  • Bolster information security to protect stores of personally identifiable information.
  • Engage in active monitoring of network logs and security incidents.
  • Consider de-identification and encryption of customer data.
  • Push external providers for better security controls and audit/inspection rights.

The most pressing change in the Act is the Privacy Commissioner’s newfound ability to proactively audit, seek enforceable undertakings and shine a light on poor privacy practices. The Commissioner can apply to the Court to levy fines of up to $1.7 million.

“I’m convinced there are poor practices throughout the corporate world because organisations are not investing in protecting personal information,” noted co-author Mark Vincent at our recent Privacy Act workshop.

“And that’s because they have had nothing to fear so far: we haven’t had mandatory data breach notification and the Commissioner hasn’t had these powers.”

It's my opinion, however, that the Office of the Australian Information Commissioner (OAIC) is not geared up to use these means at anywhere near the scale of regulators like the Australian Competition and Consumer Commission (ACCC).

I expect these powers will instead be selectively applied — most likely to mid-sized companies initially — to draw attention to the Act and promote better privacy practice.

“The real risk to an audited organisation is reputational harm,” Vincent said.

It should be noted that the OAIC has not vetted or endorsed our advice, as it is struggling to respond to calls for further clarity prior to the March 12 deadline. We expect the Office to release updated guidance within the next few weeks.

Until then, I hope our recommendations set you on the right path.

Got a news tip for our journalists? Share it with us anonymously here.
Brett Winterford

One of Australia’s most experienced technology journalists, former iTnews Group Editor Brett Winterford has written about the business of technology for 15 years.

Awarded Business Journalist and Technology Journalist of the year at the 2004 ITjourno awards and Editor of the Year at the 2009 Publishers Australia 'Bell' awards, Winterford has extensive experience in both the business and technology press, writing for such publications as the Australian Financial Review and The Sydney Morning Herald.

As editor of iTnews Brett has led a team of award-winning journalists; delivered speeches at industry events; authored, commissioned and edited research papers, curated technology conferences [The iTnews Executive Summit and Australian Data Centre Strategy Summit and also shares the judging of the annual Benchmark Awards.

Brett's areas of specialty include enterprise software, cloud computing and IT services.

Read more from this blog: System II

Most Read Articles

Log In

  |  Forgot your password?