Many Australian businesses are likely to be ‘caught short’ early next year when new Australian privacy legislation comes into effect. The legislation puts consumers firmly in charge of their personal data, with the right to demand that organisations provide copies of data they retain about the person, and to delete it on request.
The changes are as yet not widely understood, particularly among small and medium enterprises (SMEs), but the legislation comes into effect in just four months’ time in March 2014.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) has a raft of implications for how you do business. In a nutshell, the new legislation forces organisations to understand what data it holds, what the lifecycle of that data is from acquisition to disposal and what the value of it is. The more valuable the data, the greater the requirements for protecting it across the whole of its life.
The value of data is largely governed by its use for marketing purposes, and therefore the richer the set of data about a person, the more valuable it is to organisations seeking to sell products or services.
A small organisation, such as a one person lawn mowing business, holds limited data about customers – probably just name, address, phone number and email address. Such an organisation’s responsibilities under the new legislation are limited to simple steps such as taking reasonable precautions to prevent unauthorised access to customer lists on phones and computers, and to deleting contact details from current and archived storage if requested to do so by a customer.
Contrast this with an organisation such as a large supermarket chain with a loyalty program, which holds (anonymised) data about shopping patterns, preferences, locations in which the customer frequently shops and more. This data, particularly if combined with data from other sources, contributes to what’s now known as ‘big data’ – rich data sets much in demand for consumer and business marketing.
For data sets of this complexity, the rules for protection are more arduous. Stricter physical and electronic security is expected, and there should be documented processes that explain how data is captured, stored, used, archived and eventually deleted. These processes also need to cover explaining to people what data is captured and how it is used and managed, and provide a process for providing them with a full set of data held about them, and for deleting it if requested to do so.
While it’s natural to focus on the IT aspects of data storage and management, the new legislation is actually a ‘whole of business’ issue. While legislation does not come into effect until March 2014, it is time to start preparing now. What should you do?
- Recognise that you need to act, and appoint someone within your organisation to be responsible for understanding your requirements under the legislation and planning how you will meet them.
- Make a plan for analysing and documenting your business data – its sources, storage and overall management.
- Understand your IT environment, particularly if you use cloud-based services. Even if data is stored offshore, it must be protected with the same rigour as if it was stored locally.
- Identify the gaps in your policies and processes, and the risks that need to be mitigated, and make a plan to address these.
- Don’t be afraid to engage your IT service provider, legal and financial specialists and others to help you meet your obligations under the Act.
In future blog posts, we will explore the new legislation from the perspective of consumers, individuals and employees. What data is stored? What is it used for? And what can people or organisations do to limit the amount of data gathered and stored about them, should they want to do so.
We’d be happy to answer any specific questions you might have so please don’t hesitate to contact us.