How robust is your privacy policy? You’re about to find out.
A client’s off-the-cuff comment about “complying with some legal stuff” has seen me researching some very important privacy legislation that commences next month, on March 12th. Despite the potential impact at both an individual and an organisational level, there has so far been very little fanfare or information released.
Lack of awareness
In fact I did a very unscientific, non-random straw poll of 5 people. 5 of 5 mid- to senior-level IT people in my social circle had no idea about this legislation. Even a lawyer friend who works in a government agency was not across it. (He is now, mostly because of a half-hour discussion with him about the legal use of the word reasonable. The words “reasonable”, “reasonably necessary”, “reasonably”, and “unreasonable” appear 21, 11, 9 and 4 times respectively.)
Welcome to the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which introduces 13 Australian Privacy Principles (APPs) containing 60 clauses. My head is spinning from reading the Act and the 13 draft guidelines and trying to decipher what each one means. In this post I will touch on the main points of the Act and try to highlight the ones that will have the most impact on Australian organisations (and their overseas partners and suppliers).
Purpose of the Act
The purpose of the act is to strengthen individual privacy rights of all Australians. For example under the amendments you can:
- Ask an organisation where they collected your personal information from (in response to receiving direct marketing)
- Opt out of receiving direct marketing communications from an organisation
- Find out if your personal information will be sent overseas
- Request access to your personal information held by an organisation or agency
- Request a correction to your personal information held by an organisation or agency
The Act will be overseen by the Office of the Australian Information Commissioner, which has been granted additional enforcement, conciliation and other remediation powers. OAIC has also issued some draft guidelines to help organisations comply with the new regulations and to navigate the numerous tests of reasonableness – with 45 mentions of the word reasonable or its derivative this is the bulk of the guidance. Some commentators have suggested that the regulations are sufficiently vague that these tests will allow the courts and case law to ultimately shape the Act.
Draft guidelines have been provided
To help organisations OAIC has provided draft guidelines on their website. It is important to note that this guidance is not binding; rather it is OAIC’s interpretation of the APPs, a signal to how they plan to police these APPs, and their attempt to reduce some of the ambiguity. It is crucial and very, very stimulating (from all the coffee you will drink and pacing you will do) reading for anyone involved in the privacy and security of their organisation’s data.
Impacts on your organisation could be large
The impact of this legislation could be huge. Imagine the situation where the marketing department is sending direct mail from a list of customers sourced from the data warehouse (APP 6 and APP 7). A customer asks where you got their personal information from (APP 3) and for a copy of the personal information you hold (APP 12). They mention they don’t remember being notified that this data was being collected (APP 5). Did you capture their acceptance? Who handles this request? Do you have a process to handle it? Does the data warehouse store information about where the customer’s information was sourced (i.e. the source of each record)? Do you have the processes to trace this data back to that source (all APP 1)? Does the marketing department have access to this source system (or possibly multiple source systems)? Now what happens when the customer (finally) gets the information they requested and it’s wrong (APP 10)? They submit a request to correct it (APP 13). Where do you correct it, and how are these changes propagated across the systems?
These questions just covered APP 1, 3, 5, 6, 7, 10, 12, and 13. If any of your processing is overseas, and the individual’s personal information is disclosed there, it also covers APP 8. Wow! 9 of the 13 APPs covered in one example!
Offshore processing a compliance troublespot
I expect that offshore back office processing and overseas customer service / call centres will be one of the most important and potentially troublesome areas for a number of organisations. Under APP 8, a company that discloses personal information (including sensitive information) to an overseas recipient as part of an offshored function is responsible for taking reasonable steps to ensure that the overseas recipient handles the information in line with the APPs. If the overseas recipient breaches the APPs, the Australian entity will generally be held accountable. This could add considerable compliance costs to these offshore contracts. Who is going to wear these costs?
Another scenario with potential ramifications is where an organisation (let’s call them Company X) receives personal customer information, in this case credit information, from Company Y. All of the issues above are relevant here, but there are further complications. Company X is unlikely to have Company Y’s source system information (because why would Company Y supply it – in the past this was not needed), so it may struggle to comply with APP 1. Second, if there is an error in the customer’s data, Company X will either have to direct the customer to Company Y to fix the data (is this good customer service?), or become the intermediary that fixes it with Company Y on behalf of the customer. Would this be allowed under the Act? It’s unclear. How much extra cost does this involve on both sides? Both these scenarios increase the processing and compliance costs of both companies and may also increase the risk of non-compliance with the Act.
To further complicate things, because we are dealing with credit information in this example we also have to be across the requirements of the new Credit Reporting Code. This code will be discussed in more detail in a future blog post.
Non-compliance penalties are substantial
OAIC is able to seek civil penalties of up to $1.7 million for serious or repeated interferences with privacy, so compliance is not optional. This will be a good test of the information management processes and procedures of Australian companies. Those with good to great information management practices and well documented systems and data flows should, for the most part, be able to comply relatively easily and quickly. The reason I say should is that getting some systems to comply may be more of a challenge; older, inflexible core systems in particular are likely to present compliance issues. Those organisations that don’t have great IM practices – well, you will very quickly find the gaps.