Even after their introduction, many companies still deciphering new privacy laws

Australia's tough new privacy laws may now be in place, but many organisations are still trying to figure out what the regulations mean for their businesses, a lawyer specialising in IT and privacy policy has warned.

Noting that many businesses had been caught off guard by the extent of the changes involved in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, Baker & McKenzie partner Patrick Fair said that, despite a long lead-up and extensive warnings, the deadline had got the better of many companies.

"Many businesses are only now starting to understand the implications of the changes that have taken place," he told CSO Australia. "It seems like a relatively small adjustment to the old law, but there are a few requirements which have very significant ramifications for day-to-day business operation."

"Because we've gone from a very light-touch regulatory regime to one with potentially significant financial penalties, people are being more conservative as to how they interpret the rules and are wanting to be more diligent and conservative in how they comply."

In many cases, this has led to compliance programs that are "still at the policy phase," said Gerry Tucker, country manager with content-security firm Websense, which, like Baker & McKenzie, has seen a groundswell of interest in privacy during the run-up to the introduction of the new guidelines.

What Fair called "subtle changes" to the wording of privacy requirements were causing consternation amongst many companies that need to rework their management of personally identifiable data around the requirements of the new Australian Privacy Principles.

Among the most problematic changes was the idea that a simple email address, if it contained enough detail to identify a person, could be considered a personal identifier even when used only to access an online account.

Proper handling of issues such as collection notices requires a much greater level of detail than under the previous legislation, with organisations required to inform customers at every point of data collection what is being collected and why. This issue was previously managed under National Privacy Principle 5, but under the new legislation it must be addressed more explicitly.

"Many people complied with this requirement in NPP 5 by linking to their privacy policy and saying that 'these matters are dealt with in my privacy policy'," Fair said, "but it's pretty clear from the new law that it's not going to be satisfactory."

Also proving tricky are APP 8, which deals with transparency around the transfer of personal information to other jurisdictions (particularly important for companies that outsource customer-support operations), and the obligation to protect and secure personal information under APP 11. Complaints-handling mechanisms must be documented and clarified for customers, with an external dispute resolution agency named for customer redress.

Demonstrating compliance with the new regulations requires organisations to use "much more explicit language in your privacy policy and much more explicit policies internally", Fair said, adding that the new legislation "is not about traditional ideas of identity. This has widespread implications for what's caught in the legislation, and what you need to consider."

Tucker agreed, noting that the upshot of the new laws is that ignorance about customer privacy is even less of a defence than it used to be.

"From a maturity point of view and the ability to distil the legislation down to business processes – and from there to the technology – that's what most organisations we're dealing with are trying to figure out," he explained.

"Whilst the Privacy Commissioner has said they would be more lenient on cybercrime-originated attacks, more recently he's come out and said that the lack of resources will not necessarily be a justification of the fact you've been hacked. A lot of organisations just aren't aware of what this means in terms of having to change their policies; they have scant knowledge of it."

This article is brought to you by Enex TestLab, content directors for CSO Australia.
Stories by David Braue