Don't forget all types of data in Privacy Act compliance: lawyer

Organisations reviewing their exposure to new privacy policies need to remember that the full extent of personal data they collect may extend well past simple name and address information, an intellectual property lawyer has warned.

Speaking during a Hitachi Data Systems (HDS)-sponsored Google Hangout (video here on the New Era of Privacy, Alec Christie, a partner in the Intellectual Property Group of DIA Piper, warned that ignorance about the full extent of the new amendments to the Privacy Act 1988 – which come into effect on March 12 with substantial new penalties for nonconformance with 13 new Australian Privacy Principles (APPs) – continues to be rife as companies struggle to inventory and manage the full extent of their data-collecting activities.

“A lot of my clients do not know exactly what [personal information] they collect,” Christie said.

“They know the obvious stuff, but forget to think about the automatic processes that collect information, including voice recording and help lines. For anyone doing business in the region, you've got to be considering not just what you're doing in Australia, but what you are collecting and storing in those countries.”

The growing need for better information management would soon drive many organisations towards cloud-based information lifecycle management (ILM) solutions, according to Adrian de Luca, chief technology officer with HDS, who said long-established ILM techniques were becoming invaluable in helping organisations meet privacy obligations.

“ILM is about how you manage data over a long period of time, and with today's tools we can nail down very specific data sets,” he said. “If you think about the current capabilities you need, it's really about being able to provide immutability of that information; persistence of information in how multiple versions of data are created and how you maintain those versions; and going back to search that [data] independent of the applications that produced them.”

Those capabilities have typically been the domain of the high end of the market, but cloud-based ILM is expanding the market as ever-smaller companies come under the domain of the new privacy provisions.

“We can apply policies that work not only on a particular application, but can actually work on different types of applications,” de Luca said. “With ILM available as a service, we've been able to bring down the bar quite far in terms of small organisations being able to access what has typically been enterprise-grade functionality.”

Better access to ILM allows increasingly self-aware organisations to better understand and manage the many types of data they deal with: many organisations, having inventoried and separated their private data, end up splitting it from their non-personally identifiable data, then storing the generic information in a cloud-storage service while keeping the sensitive data in their own data centre.

This approach helps focus data preservation and exploitation efforts on the data that is most in need of special protection – but organisations must also remember to extend their data controls to third-party data collected from a range of sources.

“Privacy policy isn't really the problem area,” said Jodie Sangster, CEO of the Australian Direct Marketing Association. “It's all about how am I transparent when I'm collecting third party data, online or from a data provider, and lead generation. I've got this data and want to use it – but how can I be transparent to these people when I don't even know I've got their information? That's the part businesses want to get right.”

Ultimately, transparency is the primary goal of the new legislation, Christie said, calling the new legislation “a quantum shift”.

“What they're really trying to do is to push us to have an ongoing relationship with the people we collect data from,” he said. “If you want to have a commercial relationship or use big data, that relationship is important.”

A concerted privacy effort will underscore the effort to build stronger relationships, Christie said. “But first,” he added, “you need to look at your information and map it against the APPs – and a lot of people will be very surprised that they're not really up to date with their compliance program. They need to map where the gaps are, and pedal like hell to fix them.”

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags privacy actPrivacy Act 1988Australian Privacy Principals

Show Comments