Australia's privacy and data protection laws are hard to explain and often poorly understood. The first challenge is to explain that the Australian Privacy Commissioner sits in the Office of the Australian Information Commissioner (OAIC) and applies laws that the Australian parliament has misleadingly called 'principles'.
The second challenge is describing how to read principles as laws and fit them together with other provisions in the Privacy Act that clearly are drafted as laws.
And then there's the difficulty of trying to interpret these provisions when dealing with novel issues such as cross-border cloud deployment and access to personal information held in another jurisdiction (or jurisdictions unknown), geo-tracking of devices, data warehouses, virtualised servers, big data and customer data analytics.
Third is the challenge of explaining how privacy and security by design become law from 12 March 2014 (through principles drafted in very general terms that never refer to these concepts).
Privacy and security by design must then become part of information flows and the engineering of how organisations structure their processes and design their products. The law will then require organisations to devise technical, operational and contractual safeguards to implement privacy and security by design.
But industry practice has not yet developed to the stage where we can reliably say what safeguards are appropriate, implemented how and when.
Scepticism often sets in when management are told by some hapless lawyer or privacy professional that this isn't just a case of bolting on some additional technical security to existing information and work flows.
Incomprehension usually arrives when the information engineers and the privacy and compliance professionals gather together and the engineers hear that their best practice security risk management frameworks and methodologies don't really work for personal and sensitive information.
They also hear that all that information about customers that looks innocuous and everyone 'must know' is really personal information about individuals that is regulated.
Next is the challenge of explaining the legal status of guidance from the OAIC, particularly in an environment where the Australian parliament dodges hard issues by placing increasing reliance upon OAIC guidance. The parliament does this without giving OAIC guidance any formal legal status.
Then follows the challenge of explaining that although the Privacy Commissioner, Timothy Pilgrim, has a central guidance and enforcement role, he has been allocated very limited staff and other resources.
In fact, the resources available to the commissioner have declined despite a major expansion in his responsibilities and the range and complexity of privacy issues throughout the Australian economy.