Data Privacy and Security

Australia's Federal Privacy Act Gives Watchdog Teeth

Laws covering data protection and privacy exist in the majority of developed economies, and most such laws have been around since long before the invention of the internet. But the huge expansion in the amount of data about individuals collected and stored by governments and private companies in the past two decades has made those laws increasingly relevant.

So it's perhaps surprising that legislation has often failed to keep up with technological developments. Laws designed to cover the accidental loss of a few paper documents from a musty government warehouse are hardly suited to an era in which millions of individuals’ highly personal details can be mislaid on a USB drive the size of a thumbnail. The UK government demonstrated that when it lost the personal details of 25 million people on two non-encrypted CDs in 2007. Many other examples exist, all around the world. In fact the list of major organisations that haven't lost customer data seems to get shorter by the week.

For those whose personal data has been compromised, the consequences can be long-lasting. Identity theft and fraud are stressful, often traumatic experiences that can take a lot of time and money to resolve. At a time when hackers are increasingly ingenious, and personal credit ratings matter so much to so many people, even the implication of fraud can be damaging to a person's finances. Yet when such transgressions do occur, whether through incompetence or malicious acts like hacking, the organisation concerned is rarely given more than a slap on the wrist from the relevant data protection commissioner. A contrite promise along the lines that "it won't happen again because lessons have been learned" is usually the end of the matter, at least for the organisation. That's hardly an incentive to improve data security.

Many of today's large businesses, especially internet companies, couldn't exist in their present form without the vast amounts of user data they store and analyse. The implied contract when users hand over their personal data, whether to a company or to a government department, is that it will be treated with the respect and care it deserves… not burned onto a CD and popped in the post.

As of 12th March 2014 this state of affairs is changing, at least in Australia. The passing into law of amendments to the Federal Privacy Act changes the apparent role of the country's Office of the Australian Information Commissioner (OAIC), from observation and admonishment to active prosecution and punishment. The updated Act includes a number of Australian Privacy Principles (APPs) which replace the previous National Privacy Principles and Information Privacy Principles. Each APP has a different scope, with some covering the collection of data on job applicants, others governing direct marketing, disclosure, access and correction of stored data, and so on.

John Martin, principal technologist at NetApp, believes APP number 8 is likely to be of particular relevance to IT companies, especially those companies that provide or use data storage facilities.

"From an IT infrastructure point of view, an interesting feature is APP 8 (cross-border disclosure): this may affect the use of overseas cloud computing services, and in some cases there will be differences on a state to state basis that need to be considered."

According to a report jointly issued by storage company Iron Mountain and law firm K&L Gates, "Under APP 8, before an organisation discloses personal information overseas, they must take reasonable steps to ensure that the overseas recipient of the information does not breach the APPs. Importantly, although organisations that meet this requirement are lawfully permitted to disclose personal information, they may still be held accountable for any breach of the APPs by their overseas recipient."

That's quite a worry. Greg Lever, managing director of Iron Mountain Australia, explains the scale of the problem: "In Iron Mountain's recent study into Australian organisations' preparedness [for the Act], we found that 17% of organisations have experienced a material information mishap in the past 12 months."

Such companies will want to amend their behaviour as soon as possible as the OAIC can now undertake investigations on its own initiative, and penalties of up to AUS$1.7m (US$1.6m) may be applied.

Australia is unlikely to be the last country to beef up its data security and privacy laws. Jason Ha, national manager, Security at Dimension Data, says:

"Requirements for data governance are ever increasing, whether it is private data, credit card data or some other form of sensitive data asset. Storage companies need to provide additional security capabilities to their clients beyond standard storage - clients with data governance requirements need to be able to classify data as private or sensitive, encrypt it in a business-intelligent way, manage and audit who has access to it and be able to prevent inappropriate or unauthorised exfiltration of the data."

Will the new legislation make a real difference in Australia? Until the amended Act is tested in court it's hard to know how strictly its penalty provisions will be applied. But if nothing else, it marks a transition in the attitude of law-makers towards the storage of Australian citizens' personal data. Previously, the OAIC might have barked a warning at companies or public sector agencies who played fast and loose with customer data security and privacy. Now it has teeth.


Freelance technology journalist Alex Cruickshank grew up in England and emigrated to New Zealand several years ago, where he runs his own writing business.



Alex Cruickshank

Alex Cruickshank has been writing about technology and business since 1994. He has lived in various far-flung places around the world and is now based in Berlin.  