David Braue
Editor at Large

OAIC gets cracking on raising awareness of new privacy laws

Apr 30, 2013
Data and Information Security

The Office of the Australian Information Commissioner (OAIC) has kicked off a targeted campaign to raise awareness of the new privacy laws before they take effect next March.

This comes off the back of the State of Privacy Awareness in Australian Organisations survey, commissioned by security vendor McAfee and launched at the beginning of Privacy Awareness Week 2013 – a joint effort of eight Asia-Pacific countries’ privacy authorities that runs through Friday 4 May – which found that despite being responsible for managing the personal information of customers, 59 per cent of respondents were unaware of the recent major changes to the Privacy Act.

Those changes will increase the onus on both private and public-sector organisations to tighten their privacy controls – and they could represent a time of reckoning for many organisations that haven’t taken appropriate steps to protect their corporate information.

One third of respondents believe personally identifiable information is not well handled within their organisation, with 38% admitting they have never received training in the management and storage of sensitive data.

Of those who have received training, 52% have received training in the last year, while 19% receive ‘regular frequent updates’.

Use of poorly secured cloud technologies was a common behaviour across the surveyed companies, with 36% of respondents saving data to cloud-based file-sharing services like Dropbox and YouSendIt. One-fifth of respondents use Webmail services like Gmail and Hotmail to share information with colleagues and third-party suppliers; however, that figure rises to 36% among those who have experienced a data breach in the past.

With just ten months to go until the new Privacy Act changes kick in, those findings suggest the federal Office of the Australian Information Commissioner (OAIC) has its work cut out for it in raising awareness about the changes, which were introduced in November 2012 after an extensive review of previously-disparate privacy regulations for public and private-sector organisations.

Rationalisation of the two prior sets of privacy principles will produce a single set of 13 Australian Privacy Principles (APPs) to which all Australian organisations must adhere or risk fines from $340,000 for individuals and $1.7m for corporations.

The OAIC this week kicked off that campaign with the launch of its Guide to Information Security, which offers guidance for organisations keen to update their practices.

Yet any fines are only the beginning of the damage that poor privacy protection can do, with reputational damage seen as a potentially longer-term problem for organisations that are perceived to be lax in their protection of customer data.

“We measured the repercussions most feared by companies when it comes to a data breach,” McAfee practice head for data protection Joel Camissar said. “Reputational damage and loss of customer trust are feared far more than monetary penalties or the cost of fixing the breach itself.

“With the growing volume of big data being collected by Australian organisations, the implications for protecting privacy and building customer trust will be more important than ever and could even be leveraged as a competitive advantage.”
