Friday | 10 July, 2009
CSO
Invasion of Privacy
Beverley Head (CIO) 07/07/2006 16:05:46

Back in 2001 Peter Piper picked a pack of Privacy Principles, but thus far no one's found themselves in much of a pickle.

The advent of Australia's Privacy Act for the private sector in December 2001 was going to create a significant impost for corporate IT departments. They would have to ensure that their computer systems were secure, that access to personal data stored on computers was rigorously controlled, and that all employees understood their obligations as far as keeping personal information secure and confidential.

They would also have to be ready to field complaints when their privacy regime failed.

Six months before the legislation came into effect, industry analysts warned direly that just one in 30 companies was ready for the dawn of the new regime. There was going to be a mad scramble to comply with the legislation.

Then . . . well, then very little actually.

Large corporations got on with it: they created codes and policies, established education modules, and upgraded security and access controls on their databanks. SMEs were not as thorough, but they also were not particularly worried about sanctions.

Australia's first federal privacy commissioner, Malcolm Crompton, made it clear even before the law came into effect that he was operating a light touch regime, and was more interested in educating companies and consumers about their rights than riding roughshod over recalcitrants, ultimately making just a handful of determinations during his tenure. His successor, Karen Curtis, who has been privacy commissioner since July 2004, has a similarly light touch and is yet to issue a binding determination.

Sting, but No Bites

Professor Graham Greenleaf of the University of New South Wales focuses on the intersections and relationship between information technology and the law. The founding editor of the Privacy Law & Policy Reporter and a well-known privacy advocate, Greenleaf believes that five years on, Australia's federal privacy regime has thus far proved something of a fizzer. While arguing that the legislation itself is far from perfect, Greenleaf nonetheless believes that it does offer scope for enforcement, which has so far been largely ignored.

"There has been a lack of serious enforcement by the privacy commissioner," Greenleaf says, adding that the current commissioner, Curtis, has yet to issue any binding rulings on complaints at all, despite a stated intention to ramp up enforcement in last year's review of the privacy regime.

Although he would like to see the Act itself reviewed and significantly improved, he believes that the current enforcement provisions have enough sting in the tail for test cases to be mounted in order to send a message to the business community that it needs to pay more than lip service to the legislation.

As it is, Greenleaf suspects many companies weigh the risk of being caught out against the cost of compliance, and are doing little to put their privacy house in order given the low level of enforcement activity thus far. "The advice I would give as a privacy advocate is to comply with the spirit of the legislation - because in the long run it makes good business sense to comply with this legislation - as if it were being actively enforced. But accountants measure risk, and the business risk of not complying is probably pretty low to nil," he says.

In spite of this perceived lack of vigorous policing, Paul Cavanagh-Downs, CIO of Aristocrat, says that privacy is something that business does have to be aware of, and says that all of Aristocrat's managers are put through privacy education. However, privacy issues are not something that he concerns himself with day by day. As a company mainly in the business-to-business space, Cavanagh-Downs says that most personal information is held in HR and payroll systems, which were secured before the legislation came into effect in any case.

At St.George Bank, where personal information is lifeblood, compliance with the new regime was more of an issue, although the bank had security and privacy on its agenda long before it was mandated by government. CIO John Loebenstein says that privacy and security are something they do in the bank as a matter of course. "You buy trust and security from your bank otherwise you'd keep your money under the mattress," he says. "For the financial services industry it was not a huge, radical change in behaviour or training."

Compliance with the new regime cost the bank "a couple of million dollars", which was "a pimple compared to Y2K, which cost $60 million, or the $20 million for GST, and Basel II was at least that big", Loebenstein says.

Varying Costs

The cost of compliance naturally varied according to the amount of personal information stored by organizations. In her review last year of the private sector provisions of the Privacy Act, Curtis noted that the Insurance Council of Australia claimed its members had spent $10 million to $15 million on systems changes needed to comply with the new laws. Coles Myer had spent about $300,000 (a cost it claimed outweighed the benefit to customers), Suncorp $1.2 million, and NAB and MLC spent around $28 million over three years.

All very interesting and indicative of the disparate approaches taken, but the Australian National University's Professor Roger Clarke, a long-term privacy advocate, is not impressed by Australia's current legislation or the lack of enforcement. Clarke believes there are genuine benefits available to companies that take privacy seriously, and look beyond bald compliance with the current regime. He remains "appalled that we have still not got any real legislation or protection".

According to Clarke a "flood of instant experts emerged" when the privacy regime was extended to the private sector, all eager to sell "expertise". (Clarke's own company, Xamax, was established in 1977 with privacy high on its agenda.) In the end many companies developed their privacy policies in-house, with limited external support, created education programs, tweaked their back-office systems and structured complaints processes themselves.
