Clock ticks down for new privacy regime

Published on the 11/02/2014 | Written by Newsdesk


Australia’s new privacy regime comes into force early next month; the clock is ticking down fast for organisations which have been slow to ensure compliance…

From 12 March most Australian enterprises will have to comply with 13 new privacy principles governing the way organisations collect, manage, protect, use, disclose, discard and destroy personal information. At the very minimum, organisations need to have a clearly defined and well-telegraphed policy regarding data management and ensure that staff understand and comply with that policy.

The new rules will require much more transparency on the part of large organisations which use personal data. From 12 March consumers receiving direct marketing materials will be able to ask organisations where they sourced their personal information; opt out of receiving direct marketing; find out if their personal information will be sent overseas; ask to see the personal information an organisation holds about them; and request a correction.

Australians – like most of the world following the Edward Snowden revelations – seem to have a sharpening focus on privacy. In its 2013 report the Office of the Australian Information Commissioner (OAIC) reported a 10 percent increase in the number of privacy complaints that it received during the year.

This year could bring an even greater crop, which should concern enterprise Australia: along with the 13 new Australian Privacy Principles, which replace the previous 10 National Privacy Principles, the range of penalties available to the OAIC has been extended.

Compliant organisations – and the new rules govern Government departments, most private enterprise and not-for-profit organisations – will need processes and technology in place to allow access to information not just on corporate CRMs, for example, but also information collected from emails or social networks.

Hitachi Data Systems has released a useful paper which outlines the key changes, noting that any personal data organisations retain must also be protected, copied and searchable in order to comply. Data which cannot be protected in this manner must be destroyed or anonymised.

It recommends organisations at least audit their current system to determine their level of compliance, review technology to identify gaps, educate employees and appoint a privacy manager.
