Even after their introduction, many companies still deciphering new privacy laws

Australia's tough new privacy laws may now be in place, but many organisations are still trying to figure out what the regulations mean for their businesses, a lawyer specialising in IT and privacy policy has warned.

Noting that many businesses had been caught off guard by the extent of the changes involved in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, Baker & Mackenzie partner Patrick Fair said that, despite a long lead-up and extensive warnings, the deadline had caught many companies out.

"Many businesses are only now starting to understand the implications of the changes that have taken place," he told CSO Australia. "It seems like a relatively small adjustment to the old law, but there are a few requirements which have very significant ramifications for day-to-day business operation."

"Because we've gone from a very light-touch regulatory regime to one with potentially significant financial penalties, people are being more conservative as to how they interpret the rules and are wanting to be more diligent and conservative in how they comply."

In many cases this has left compliance programs "still at the policy phase," said Gerry Tucker, country manager with content-security firm Websense, which, like Baker & Mackenzie, saw a groundswell of interest in privacy during the run-up to the new laws taking effect.

What Fair called "subtle changes" to the wording of privacy requirements were causing consternation amongst many companies that need to rework their management of personally identifiable data around the requirements of the new Australian Privacy Principles.

Among the most problematic changes was the recognition that a simple email address, if it contains enough detail to identify a person, can itself be personal information, even when it is used only as the login credential for an online account.

Proper handling of issues such as collection notices requires a much greater level of detail than under the previous legislation, with organisations required to inform customers at every point of data collection what is being collected and why. This issue was previously managed under National Privacy Principle 5, but under the new legislation (now APP 5) it must be addressed far more explicitly.

"Many people complied with this requirement in NPP 5 by linking to their privacy policy and saying that 'these matters are dealt with in my privacy policy'," Fair said, "but it's pretty clear from the new law that it's not going to be satisfactory."

Also proving tricky are APP 8, which governs the disclosure of personal information to recipients in other jurisdictions – particularly important for companies that outsource customer-support operations offshore – as well as the obligation to protect and secure personal information under APP 11. Complaints-handling mechanisms must be documented and clarified for customers, with an external dispute resolution agency named for customer redress.

Demonstrating compliance with the new regulations requires organisations to use "much more explicit language in your privacy policy and much more explicit policies internally", Fair said, adding that the new legislation "is not about traditional ideas of identity. This has widespread implications for what's caught in the legislation, and what you need to consider."

Tucker agreed, noting that the upshot of the new laws is that ignorance about customer privacy is even less of a defence than it used to be.

"From a maturity point of view and the ability to distil the legislation down to business processes – and from there to the technology – that's what most organisations we're dealing with are trying to figure out," he explained.

"Whilst the Privacy Commissioner has said they would be more lenient on cybercrime-originated attacks, more recently he's come out and said that the lack of resources will not necessarily be a justification of the fact you've been hacked. A lot of organisations just aren't aware of what this means in terms of having to change their policies; they have scant knowledge of it."

This article is brought to you by Enex TestLab, content directors for CSO Australia.
Stories by David Braue