Noting that many businesses had been caught off guard by the extent of the changes involved in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, Baker & McKenzie partner Patrick Fair said that, despite a long lead-up and extensive warnings, the deadline had gotten the best of many companies.
"Many businesses are only now starting to understand the implications of the changes that have taken place," he told CSO Australia. "It seems like a relatively small adjustment to the old law, but there are a few requirements which have very significant ramifications for day-to-day business operation."
"Because we've gone from a very light-touch regulatory regime to one with potentially significant financial penalties, people are being more conservative as to how they interpret the rules and are wanting to be more diligent and conservative in how they comply."
In many cases, this had led to compliance programs that are "still at the policy phase," said Gerry Tucker, country manager with content-security firm Websense, which, like Baker & McKenzie, has seen a groundswell of interest in privacy during the run-up to the introduction of the new guidelines.
What Fair called "subtle changes" to the wording of privacy requirements were causing consternation amongst many companies that need to rework their management of personally identifiable data around the requirements of the new Australian Privacy Principles.
Among the most problematic changes was the idea that a simple email address, if it contained enough detail to identify a person, could be considered a personal identifier even when used only for access to an online account.
Proper handling of issues such as collection notices requires a much greater level of detail than under the previous legislation, with organisations required to inform customers at every point of data collection what is being collected and why. This issue was previously managed under National Privacy Principle 5, but under the new legislation it must be more explicitly addressed.
Also proving tricky are APP 8, which deals with transparency around the flow of transported data to other jurisdictions – particularly important in companies that outsource customer-support operations – as well as the obligation to protect and secure data under APP 13. Complaints-handling mechanisms must be documented and clarified for customers, with an external dispute resolution agency named for customer redress.
Tucker agreed, noting that the upshot of the new laws is that ignorance about customer privacy is even less of a defence than it used to be.
"From a maturity point of view and the ability to distil the legislation down to business processes – and from there to the technology – that's what most organisations we're dealing with are trying to figure out," he explained.
"Whilst the Privacy Commissioner has said they would be more lenient on cybercrime-originated attacks, more recently he's come out and said that the lack of resources will not necessarily be a justification of the fact you've been hacked. A lot of organisations just aren't aware of what this means in terms of having to change their policies; they have scant knowledge of it."
This article is brought to you by Enex TestLab, content directors for CSO Australia.