The Australian Law Reform Commission this week concluded its largest ever research and public consultation exercise with the launch of its report For Your Information: Australian Privacy Law and Practice, which recommends a rewrite of the nation's 20-year-old privacy laws to keep pace with the information age.
The three-volume, 2700 page report was launched Monday by Senator John Faulkner and Attorney-General Robert McClelland, recommending 295 changes to privacy laws and practices that will be implemented in two stages over the next three years.
ALRC president, Professor David Weisbrot, told Computerworld that Australia's current Privacy Act, legislated in 1988, was created in a completely different environment before technologies like the Internet, e-commerce and social networking greatly augmented the challenge of safeguarding the flow of personal information.
"The commissioners who were in charge of the report at that time wouldn't have had a mobile phone or a PC on their desk, no digital cameras, no e-tags, e-mail, no e-anything. There were no high speed computers for individuals or private industry with which they could do data matching and data mining, and no high-tech surveillance cameras," he said.
Since then, the information we gather has stayed the same but technology has allowed us to access, control and manipulate that information in a much easier way; electronic medical records and health information, online banking, finance and credit history, personal information on public and corporate databases, and social networking sites are just a few examples of technologies revolutionizing the relationship between public databases, individual privacy and third party users.
Weisbrot said the most significant recommendation for reform is a complete restructuring and simplification of the statutory framework of the Privacy Act, so that it is focused around 11 uniform principles as opposed to separate principles for government and private sectors, which left many individuals and businesses wading through massive amounts of complex material to find what laws apply to them.
"We're saying let's flip it around; let's make it general with higher-order principles that will cover most situations most of the time. Then if you're dealing with some specialized area like health information or credit reporting, you supplement that area with rules that are dedicated specifically to regulate that area," he said.
The first stage of reforms, set to be implemented within a year's time, will address this process of simplifying and streamlining the Privacy Act, while the second stage, which will include a statutory cause of action for data and privacy breaches, will be looked at in 12-18 months' time.
"First and foremost there is not going to be any real immediate impact in terms of changes of investment in either IT infrastructure or security infrastructure," said Gartner security analyst Andrew Walls.
"Part one is going to take a good 12 months to get all the actual regulations set out, then there will have to be some sort of compliance period so we're several years out from things really hitting the ground and organizations having to show compliance.
"But at the same time businesses should be looking carefully at the recommendations and the potential impact they will have on their business processes, their business models, and the infrastructure that supports all of those activities," he said.
One area of IT that will feel the impact will be the Human Resources department, where employee data will no longer be exempted under the ALRC's recommendations.
"That may affect internal practices and how security controls are applied. I suspect many organizations will have to look very carefully at how they manage employee data and ask themselves: if we have to treat that as private data, what are the implications?" Walls said.
According to security vendor Marshal's lead technical consultant, Oscar Marquez, internal traffic is a leading cause of data leakage, and organizations need solutions that monitor the flow of sensitive information like documentation, e-mails, and mobile-to-e-mail data.
"In essence, the new amendments are about being able to report on and monitor e-mail and Web use, internally and externally, before taking the necessary steps to prevent misuse," Marquez said.
"IT managers do not need to implement new technology for technology's sake. Instead they need to firstly educate end-users, as many data breaches can happen accidentally, and secondly, to update their internal policies to be in line with the Privacy Act. Industries such as health and financial services, as well as large companies, need to pay particular attention to these amendments."
Marquez cited the example of an end user at a health company who accidentally sent an entire database of contacts to a doctor, who in turn shared this with a pharmaceutical company for financial gain.
"This black market of information is exactly what the Privacy Act aims to prevent. End-users need to know their confidential data will be secured and not sold," he said.
Another key principle proposed by the ALRC concerns the regulation of cross-border data flows: an agency or organization that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
Government agencies and business organizations will also be required to notify individuals and the Privacy Commissioner where there is a real risk of serious harm occurring as a result of a data breach.
Gartner's Walls said that large organizations engaging in good security practices already have the processes and infrastructure required to monitor and identify breaches and therefore will not require large expenditure to comply. Rather, the impact of changes to the Privacy Act will be felt on the human side of business, not the technology side.
"Notification [of a data breach] to the government and affected individuals is actually a public relations activity, a marketing function. So organizations will have to take their incident response and incident management teams and integrate them with PR," he said.
Walls also suggests we get ready for an onslaught of data breach headlines.
"The reality is there probably won't be any more [data breach] activity than normal, we're just going to hear and talk about every one now, which is a healthy thing because it provides transparency and establishes security performance as a market differentiator. But it will be painful for a few years," he said.
Walls said he was somewhat disappointed with the data breach notification proposals, particularly where the threshold that has to be reached before notification is required is decided by the organization, not the individual whose information has been exposed.
"They made some very ambiguous statements about level of harm. If an organization experiences a breach on just one person's details out of hundreds of thousands then that is not a big deal for the organization. But for that individual it could be catastrophic, so by adopting this test based on the organization's assessment the recommendations are really saying privacy is a problem for business and government agencies, not an individual problem."
In the US, Walls said, if private data is breached the individuals are notified, whether it is one or one thousand customers.
"The company doesn't get to say 'no, it's not that big a deal, we'll ignore it'. But under this reasonable test that may not occur."
The ALRC also made recommendations to give the Privacy Commissioner more power to exact stronger penalties on non-compliant organizations, allowing the Commissioner to seek court orders enforcing compliance, or imposing monetary sanctions or civil penalties for serious or repeated breaches.
"We were responding to community concerns there that the Privacy Act might be a bit of a toothless tiger, so we wanted the Privacy Commissioner to be able to issue notices to comply; amazingly they can't do that at the moment," Weisbrot said.
More comprehensive credit reporting has also been recommended to facilitate better risk management practices by credit suppliers and lenders.
"I've actually asked friends and neighbors what they think can be collected and they are astonished at how limited it is," Weisbrot said.
According to Weisbrot, credit lenders currently can keep on record that a customer has applied for credit, a card or an overdraft, but cannot keep on record whether the customer's application was approved, for how much, or how many accounts they might have.
"We've recommended opening it up a bit... so if you're applying for a [A]$100,000 loan to buy a boat the lenders and credit agencies should know that you've got a $500,000 mortgage, a $20,000 loan for a car, four credit cards with $50,000 limit, for example. That will enable better risk management practices because it's hard to know how they make those assessments with the limited amount of information they [currently] have."
The recommendations also called for consultation with young people to improve their control of personal information on social networking sites. However, Walls said he was surprised at the assumption that social networks were exclusive to young people, and believes the ALRC missed a crucial component regarding the flow of corporate and personal data over professional social networking sites.
"Many Australians are attached to things like LinkedIn, Myspace, Bebo, Facebook etc which are multi-national entities based in the US, Europe and elsewhere, but the recommendations make no comment about what we should be doing there.
"Westpac is experimenting with Facebook as a collaboration and productivity enhancer, and I know of other Australian organizations using virtual worlds like Second Life to do team collaboration. They are all using off shore resources so what is the status of law there... I think they missed an opportunity to grapple with this issue," he said.
Weisbrot said he doesn't expect the reforms, once they are legislated, to require significant hardware or software infrastructure expenditure for enterprises to comply, as any organization engaging in responsible security practices would already have adequate measures in place. For small businesses that file data on customers and employees, he said an econometrician predicted several hundred dollars in security software would be required.
In order to ensure the new Privacy Act remains future-proof, an expert sub-committee of IT-related professors and industry representatives advised the ALRC on new and emerging technologies. Weisbrot said the new Act would be "technology-neutral but technology-aware", with general principles rather than specific regulation of technologies that will become outdated, "so that even if the technology changes, we will still have the eleven commandments, as I call them."
Walls said the real fight will start once parliament gets a hold of the recommendations and starts trying to trim them into real laws.
"Then we'll see whether enforcement actually occurs. But that is several years out, I think we're probably looking at three years in terms of real impact," he said.
The report For Your Information: Australian Privacy Law and Practice can be viewed in full here.