Don't forget all types of data in Privacy Act compliance: lawyer

Organisations reviewing their exposure to new privacy policies need to remember that the full extent of personal data they collect may extend well past simple name and address information, an intellectual property lawyer has warned.

Speaking during a Hitachi Data Systems (HDS)-sponsored Google Hangout on the New Era of Privacy, Alec Christie, a partner in the Intellectual Property Group of DLA Piper, warned that ignorance about the full extent of the new amendments to the Privacy Act 1988 – which come into effect on March 12 with substantial new penalties for nonconformance with 13 new Australian Privacy Principles (APPs) – continues to be rife as companies struggle to inventory and manage the full extent of their data-collecting activities.

“A lot of my clients do not know exactly what [personal information] they collect,” Christie said.

“They know the obvious stuff, but forget to think about the automatic processes that collect information, including voice recording and help lines. For anyone doing business in the region, you've got to be considering not just what you're doing in Australia, but what you are collecting and storing in those countries.”

The growing need for better information management would soon drive many organisations towards cloud-based information lifecycle management (ILM) solutions, according to Adrian de Luca, chief technology officer with HDS, who said long-established ILM techniques were becoming invaluable in helping organisations meet privacy obligations.

“ILM is about how you manage data over a long period of time, and with today's tools we can nail down very specific data sets,” he said. “If you think about the current capabilities you need, it's really about being able to provide immutability of that information; persistence of information in how multiple versions of data are created and how you maintain those versions; and going back to search that [data] independent of the applications that produced them.”

Those capabilities have typically been the domain of the high end of the market, but cloud-based ILM is expanding the market as ever-smaller companies come under the domain of the new privacy provisions.

“We can apply policies that work not only on a particular application, but can actually work on different types of applications,” de Luca said. “With ILM available as a service, we've been able to bring down the bar quite far in terms of small organisations being able to access what has typically been enterprise-grade functionality.”

Better access to ILM allows increasingly self-aware organisations to better understand and manage the many types of data they deal with: many organisations, having inventoried and separated their private data, end up splitting it from their non-personally identifiable data, then storing the generic information in a cloud-storage service while keeping the sensitive data in their own data centre.

This approach helps focus data preservation and exploitation efforts on the data that is most in need of special protection – but organisations must also remember to extend their data controls to third-party data collected from a range of sources.

“Privacy policy isn't really the problem area,” said Jodie Sangster, CEO of the Australian Direct Marketing Association. “It's all about how am I transparent when I'm collecting third party data, online or from a data provider, and lead generation. I've got this data and want to use it – but how can I be transparent to these people when I don't even know I've got their information? That's the part businesses want to get right.”

Ultimately, transparency is the primary goal of the new legislation, Christie said, calling it “a quantum shift”.

“What they're really trying to do is to push us to have an ongoing relationship with the people we collect data from,” he said. “If you want to have a commercial relationship or use big data, that relationship is important.”

A concerted privacy effort will underscore the effort to build stronger relationships, Christie said. “But first,” he added, “you need to look at your information and map it against the APPs – and a lot of people will be very surprised that they're not really up to date with their compliance program. They need to map where the gaps are, and pedal like hell to fix them.”


Stories by David Braue
