It has been five months since the amended legislation came into effect, and a concise indication of the channel's compliance is as mixed and mysterious as it was in March. That is a conclusion based on the input of resellers, vendors, and distributors that have not shut the doors on providing insight; a number of organisations in the IT industry - including some very common names across hardware, software, and telecommunications - prefer to steer clear of the public discussion. On the flip side, many are quick to stake their security claim, although the effectiveness of policies can only be determined over time.
As IBRS outlines in its June 2014 report, "Privacy Act amendments: what leading organisations are doing", some organisations have been proactive and subsequently spent hundreds of thousands of dollars to ensure compliance. A small number are covered by their international parents, but others have not yet started reviewing internal processes - all within what has been described as a disclosure regime rather than a consent one.
The fact that the document is not an easy one to read for all but lawyers will not hold up in court.
What to do if you haven't already done it
CA Technologies' advice to partners is to assess visibility and control, two overlapping elements.
"We encourage partners to ask, 'what and where is that personally identifiable information and, more importantly, who has access to it?' Those questions are quite difficult to answer for a lot of organisations... but that visibility is important because it creates a lot of conversation in terms of where an organisation has got controls in place," CA Technologies A/NZ solution strategist, Trevor Iverach, said.
According to Iverach, organisations should then consider whether there are any controls in place around the extent of data which administrators can access on a server in order to fulfill their role without exposing personally identifiable information.
"When the Commissioner comes and talks to you and says you have breached the Privacy Act, if you have information that shows what happened and how you will prevent it from happening, it will go a long way to reducing the penalty," he said.