As of March 12, 2014, changes to the Privacy Act will affect all Australian businesses with an annual turnover of more than $3M, so now is the time to make sure you’re prepared.
As a business you will, by and large, be operating under the same privacy principles as before (with a few more onerous requirements); the main difference is that you will now be liable and face penalties should a breach of the Privacy Act occur.
The changes will have a substantial impact on direct marketing initiatives and strategies, as well as on third-party engagements. You will need to be very careful about whom you entrust with the personal information your business collects, because ultimately you will be held liable for any breach by a third party you engage.
So how do you prepare for the changes?
Your organisation needs to understand what information you have, why you have it, what you do with it and how secure you are.
The first step is to undertake a privacy audit to uncover what personal information is collected and how it is stored, used and disposed of. Collect only what you need, and keep in mind that businesses may face challenges with Big Data initiatives, where the ultimate use of the data may change over time.
You should put privacy policies online and get collection statements in place that disclose (at the time of collection) what the data will be used for and how it will be destroyed. You will also need to set up policies for the maintenance and disposal of data.
If you aren’t already taking a multi-layered approach to security, you should implement a defence-in-depth strategy. Your IT department needs to ensure it is providing the necessary network-level protection mechanisms, monitoring, email filtering, Security Information and Event Management (SIEM) and awareness training. Most importantly, funding should be set aside in budgets for penetration testing (annually at a minimum). Penetration testing is the most effective way of testing the security of a network and the impact of awareness training.
The good news is that, as consumers, we can look forward to greater transparency in how businesses use our personal information, as well as greater security for it. Kiandra expect to see organisations raising the bar when it comes to security. The threat of fines and penalties for breaches of the Privacy Act should deter organisations from taking short-cuts in their security posture. In turn this should bolster the overall security stance of an organisation, hopefully leading to fewer instances of confidential information leakage, not just personal information leakage, which is good for all of us.