Get on the right side of the Privacy Act

By Renee Pera

Sweeping privacy reforms that came into effect on 12 March 2014 are the most significant changes to the Privacy Act 1988 since it came into force 25 years ago. The 13 new Australian Privacy Principles (APPs) regulate the handling of personal information by the Australian Government and businesses with an annual turnover of more than $3 million.

The changes also provide the Information Commissioner with the power to seek civil penalties (up to $1.7 million for organisations and $340,000 for individuals) in the case of serious or repeated privacy breaches.

The advent of cloud computing, global information flows, social media and big data - to name just a few - has increased awareness of how personal details are captured, stored and used.

Changes to privacy legislation are enjoying high visibility within organisations, and present an opportunity to leverage privacy to enable business process improvements. By actively reviewing information management practices, business operations can be improved while also avoiding potential civil penalties for breaches of the APPs. Pragmatic opportunities for leveraging privacy within your organisation may include: 

Sharing personal information to improve client experience – Review all internal and external facing systems to ensure that data is shared with the proper levels of protection, consideration and consent. Start by reviewing internal systems to identify common identity data used for different purposes within the same organisation. Personal information collected for a specific purpose cannot be used for a secondary purpose, e.g. a client list cannot be shared or sold to another company.

Recordkeeping to demonstrate reasonable steps – Keep accurate records as evidence of business activities and functions to demonstrate accountability. A notice of consent from an individual authorising collection, use or disclosure of personal information forms evidence of your organisation’s management of personal information. Ensuring evidence is managed within a recordkeeping system goes a long way to demonstrating that reasonable steps have been taken to ensure information is used or disclosed for the purpose for which it was collected. Recordkeeping is also vital to demonstrate how unsolicited personal information is managed within the organisation.

Giving your customers choices to amend or release – Review existing processes to ensure an individual can interact with your organisation either anonymously or by using pseudonyms. This is a new requirement which existing information systems may not be designed to manage. Individuals must also be able to review or amend the data held about themselves. Again, ensuring that all instances of an individual’s personal information can be updated at once may not be a capability of existing information systems.

Managing breaches to minimise risks of penalties – Implement a process to proactively manage information and security breaches. Actions to consider include developing a process for when to notify customers of a breach and the steps required to contain the breach, rectify the damage and prevent recurrence.

Assessing sovereignty impacts – Develop a risk assessment and compliance framework to assess the impact of cross-border transfer. This will enable an informed decision about data hosting that meets business requirements. The APPs do not prohibit cross-border transfer and hosting of data; however, organisations must negotiate appropriate arrangements with overseas recipients to ensure personal information is handled in accordance with the APPs.

Reducing risks of inappropriate access – Upgrade security certifications and measure compliance against national and international standards such as ISO 27001: Information Security Management Systems to ensure personal information is protected. Privacy changes are an opportunity to review and improve internal security systems. If personal information is being hosted externally, request evidence of the level of security certification attained.

This is by no means an exhaustive list of actions that could be undertaken to ensure your organisation is managing information in accordance with the privacy legislation. It highlights opportunities to move the focus from compliance to an enabler of business outcomes. The “do nothing” approach is not appropriate at this time. A pragmatic decision framework to guide future decisions about the collection, storage, use and sharing of personal information will prove beneficial across all areas of your business.

Glentworth has recently worked with a large Queensland Government entity to develop a decision framework to assess the implications of moving email and calendar services to the cloud. The process involved:

identification of the personal information involved;

preparation of a Privacy Impact Assessment;

risk identification and mitigation strategies;

analysis of identified business requirements against the service offerings of cloud providers; 

investigation into jurisdictional arrangements; 

negotiating contractual terms with the cloud provider; and

development of a framework to guide future decisions.

The decision framework is tailored to the specific requirements of an organisation. It is used pragmatically to inform future decisions about moving services and/or information to the cloud. 

The recent changes to the Australian information privacy landscape provide astute information managers with an opportunity to view and leverage the new APPs as an enabler to their business. Seize the opportunity to review policy and procedures, evaluate what information is being collected and by whom, and ensure the purpose for which personal information is collected aligns with how it is being used and/or disclosed.

This is a time of renewal. Ensuring your organisation’s information management practices respect and secure the privacy of personal information will assist compliance with the new legislation and help avoid civil penalties. However, the greater opportunity is to leverage information privacy to add value, and enable improved business services.

Renee Pera is Enterprise Information Practice Lead at Glentworth. http://glentworth.com/