On March 12 the Australian Government enacted a new set of laws that significantly enhance the privacy of Australian citizens, although it is likely that many won’t even notice.
But for any commercial organisation with revenue over $3 million, or healthcare providers of any size, the new Australian Privacy Principles (APPs) have a significant impact on the way they collect, store and utilise personal data.
For CIOs, that may have meant a lot of extra work in the lead up to March 12, and significantly, a lot of extra worries afterwards.
The new APPs replace the existing National Privacy Principles and are a response to a review by the Australian Law Reform Commission into the previous two decade old regime.
Australian Privacy Commissioner, Timothy Pilgrim, says one of the main issues was to reform the principles and make sure they were keeping up with rapid changes in technology, and to make them more flexible.
“The Australian Privacy Principles have been designed in such a way as to reflect the changes that have occurred over the last 25 years in terms of how personal information is being handled,” he says.
“But importantly, they have been written as principles, so they can remain technology neutral, and can apply to new technology as they come into place, as well as deal with older-style means of collecting information.”
The APPs include new obligations in relation to activities such as the collection of personal data, including receipt of unsolicited personal information, as well as new requirements for informing individuals as to how data is being used. Importantly, APP 8 sets outs specific requirements for what must happen when personal information is moved out of Australia.
Security is also a key consideration, with APP 11 setting out new requirements for the protection of personal information from misuse, loss, inference, unauthorised access and disclosure.
The Privacy Commissioner also gains the ability to approve privacy codes in relation to new technologies and their use for individual organisations or groups, and can develop his own codes to be imposed on technologies and the organisations that use them.
But while CIOs play an integral role as the custodians of customer data, it seems some have been bypassed in preparing for the APPs, or called on as a resource rather than as a strategic planner.
Information security specialist, David Simpson, says while awareness of the APPs in technologically mature industries such as banking and finance is high, the same cannot be said across all sectors. This is especially troubling in relation to APP 11, which he says should be a key priority for the involvement of CIOs.
Sign up for CIO Asia eNewsletters.