This story was printed from ZDNet Australia.
The privacy debate: The darker side of customer intimacy
By David Braue
September 27, 2001
URL: http://www.zdnet.com.au/news/security/soa/The-privacy-debate-The-darker-side-of-customer-intimacy/0,130061744,120260624,00.htm
You may be spending generously on e-business and customer relationship management systems to get closer to your customers, but can you guarantee their privacy? To a legal certainty? If these questions make you nervous, join the stampede: December 21, the date new national privacy laws kick into effect, is a whole lot closer than you think. David Braue takes a closer look.

If the legality of your privacy policy is a sobering thought, it should be. Although the world won't stop functioning as we know it if the deadline isn't met, it's not completely inaccurate to rank the introduction of the Privacy Amendment (Private Sector) Act 2000 up there with Y2K and GST in terms of sheer headache value. Only this time, it's not just a few lines of code you've got to worry about. Successfully managing the transition into stricter privacy controls will require careful reassessment of the way your company handles information at every level.

Take a minute to think about where customer data lives in your company. It fuels marketing databases, data warehouses, and accounts receivable systems. It goes into the field on handhelds and notebook PCs, and gets written on business cards, napkins, and sticky notes. It gets crunched into management reports, printed onto reams of mailing labels, and sent in bulk to business partners. All of this will fall under the aegis of the new laws, and it's your job to make sure that none of this ends up where it's not supposed to be.

This is the part of customer relationship management you were never told about during the sales pitch. Interact with customers online and gather their details while you're sleeping, vendors said, and you can increase profits through cross-selling, upselling and encouraging repeat business.

Processing customer data

Such goals are common to most companies adopting CRM.
A recent survey of 51 Australian executives, conducted by CRM consultancy IT Factory, found that 43 percent named CRM as being important for better understanding customers' needs. One-third of respondents wanted to use CRM to share customer information among multiple sales teams, another third nominated personalisation of content as a driver, and 43 percent wanted to use CRM to give departments consistent interfaces tailored for their specific needs.

All of these strategies involve the movement or processing of large volumes of customer data, and all become more effective the more detailed the customer data that's collected. Because of this, companies aiming to use CRM as a strategic tool are going to feel the demands of the new privacy legislation like a bucket of cold water after a late night out.

That's not to say that it can't be done. Indeed, companies that have built their online systems with a considerable amount of prudence may find that complying with the new requirements is quite possible even in the limited time left. Just don't take the laws for granted; they are very real, and could have dire consequences - particularly as the European Union gradually puts sharper and sharper teeth behind its world-leading privacy principles. Unless you can protect your customers' data to those standards or better, you could potentially be barred from doing business with European residents. Given that many of your online visitors probably fall into this category, just the threat of losing them should be enough to motivate you into action.

Paper tigers still have teeth

Debate over the Privacy Act changes has raged long and hard throughout government for years, and many critics argue that the current "soft touch" legislation has so many loopholes that it's more of a suggestion than a requirement.
For example, the legislation does not apply to companies earning less than $3 million in revenues, nor is it binding on state government bodies, political parties, journalists, or employers' records about employees.

"It's so riddled with exceptions that we'd probably be better off scrapping it and starting again," says Kim Heitman, a Perth solicitor and chair of civil liberty advocacy group Electronic Frontiers Australia (www.efa.org.au). "Outside government and financial institutions, it is so light touch as to really be more of an industry code of practice rather than the law of the land. We have here a patchwork of privacy intrusions being permitted rather than a right to privacy."

Many observers assume the government will allow a short period of time for adaptation before beginning to pursue companies for violation of the act; as long as you can demonstrate that you're actively working towards meeting its requirements, you should be OK legally.

Should you ignore the law and attract the Privacy Commissioner's attention, that office can order you to meet the requirement via the Federal Court or Federal Magistrates Court. Ignore that and you'll be guilty of an offence. If you're the subject of multiple complaints you could also be exposed to a class action lawsuit for damages, and that's a headache nobody needs.

Prove your best intentions

There are better reasons for complying with the new laws, however. Most importantly, being seen to be addressing customers' privacy will go a long way towards building a trusting relationship with them. In turn, they may be more willing to share details of themselves with you. And if you violate that trust? These days, a negative comment can circle the world in a heartbeat.

The challenge is to convey to customers that their information is safe with you. One way to reinforce this point is to make sure every page on your site includes a link to a clearly stated privacy policy.
And that doesn't mean some wishy-washy blanket statement like the ones on many sites; in this case, honesty is best. Specifically outline what information you collect about your customers, why you're collecting it, where and how it will be stored, and what customers should do if they have any more questions or want to opt out of marketing.

"If you imagine yourself as a responsible player in the community at large, you're going to want to make sure you do what the act requires, which reflects what the community requires and what it should be," advises David Jones, partner in charge of business strategy for KPMG's financial service consulting business. "If you're going to spend money on improving and dealing with data, you're better off getting data right and putting processes around it, and making sure it's used appropriately."

Making customers feel comfortable about your data protection processes is essential to building long-term, profitable online relationships. As a sign of your good faith, you may do well to contact the Australian Privacy Compliance Centre (www.privacycompliance.org), which offers privacy consulting services and works closely with eTick, administrator of the Australian Privacy Seal Audit and Certification (APSAC) program.

To get APSAC certification, your privacy policies and data handling procedures need to be audited by JAS-ANZ certified organisations (searchable list) or law firms. Once you've been certified, you'll be allowed to tag your Web site with the Australian Privacy Seal, a small logo that tells potential customers that your policies are up to scratch. APSAC participation also gives you access to a centralised dispute resolution scheme that will help deal with any sticky issues down the road.

Whose privacy is best?

While APSAC certification should be your goal, there are many ways to reach it.
To this end, you'll have to decide whether you want to simply comply with the terms of the Act, or whether it's worth it to hold yourself to a stricter standard. This is particularly the case if you want to do business with Europeans, since the law on its own doesn't meet European Union requirements.

Aiming to add their own spin to Australia's legislation, at least two industry organisations have built new binding codes of practice based on the National Principles for the Fair Handling of Personal Information that preceded the current Act. The Australian Direct Marketing Association (ADMA), for one, wrote a Code of Practice adding specific provisions such as telemarketing and e-commerce standards, a seven-day cooling off period for customers, and the ability for customers to put themselves on a specific list to which ADMA members must not advertise.

"Marketers walk the line every day between having enough information to make their offers relevant and not having so much that they're perceived to be prying into people's lives," says Scott McClellan, regulatory affairs director with ADMA. "The dilemma they face is that in order to be effective as marketers - and for their offers not to be perceived as unwanted or irrelevant - they need a certain amount of information. We advise them to focus on good customer relationship techniques, and customer acquisition strategies that use techniques to bring customers to you. It's considered more customer-friendly to post a really interesting Web site and have people coming into the site make a decision to offer themselves up as prospects."

ADMA has made adherence to the Code of Practice a condition of membership, and it's been cleared by the Australian Competition and Consumer Commission under the Trade Practices Act s88(1) despite initial concerns that it was an anti-competitive move - in that blacklisting under a mandatory scheme could indelibly taint a company's reputation.
Given its clear acceptance, you may do well to follow the ADMA Code of Practice as well as the specific letter of the law.

If you're specifically concerned about being able to sell to European customers, you'll want to look at the Internet Industry Association's (IIA) evolving Code of Practice. In August, that organisation's Privacy Virtual Taskforce debuted privacy provisions for public comment; the final text will be firmed up in the leadup to the Act's December 21 deadline. The IIA's privacy policies generally deal with ensuring that Australian companies can import information from Europe, include direct marketing restrictions, and require companies to obtain parents' consent before collecting information about children.

Respect your data

Now you know where you're going, you need to figure out how to get there. There are no hard and fast rules to ensuring privacy compliance, and the complexity of the task will obviously relate to how well you've structured your data environment in the past. If you're a relatively small dot-com who's always used a single centralised database to store customer information, you may find life a lot easier than larger companies, who have years or decades of legacy information strewn across the country on paper, disks, filing cabinets and in countless departmental databases.

"Businesses still tend to make decisions based on strategy which is going to cover the entire business," says IT Factory sales and marketing manager Frank Cuiuli. "Each department chooses the applications that do what they want to do. Apps just start popping up, and the problem is most of those apps manage the same sort of customer information but there's no real strategy on how they can work forward. Larger and medium-sized companies would have many instances of customer data spread across marketing, sales, customer service, and so on."
Thanks to years of neglecting customer data, conforming with the new privacy requirements is going to require you to do a careful audit of the way you collect and store information about your customers. Online, you're probably aggregating this information through strategies both overt (requesting contact details and preferences in order to customise content) and covert (using cookies to store user information, monitoring session times and URLs visited, and so on). As data piles up, so too does your understanding of the best way to build your site, the best content to provide, what services customers want access to, and so on.

But what happens to this data once it's come in through your company's front door? Is it aggregated in a single database or is it owned by the department where it arrives? Is it confirmed for accuracy and corrected for consistency, or does it just go straight into the repository in whatever form it happens to be in? Is it distributed to employee desktops or taken with salespeople on the road? Remember that even a simple handheld organiser can contain sensitive customer information.

Even though you might have gone to great lengths to secure your Web site, these potential pressure points mean even the most conscientious company may encounter a few surprises when modelling the flow of information through their business.

Build a privacy SWAT team

To meet the December 21 deadline, you've got to assemble a team of people who know just where data goes within the company. If your company is small, this may only include one or two people. However, if you've got multiple departments and managers, make sure they're all involved in the project. If they're stonewalling, go to their supervisors; this is no time for office politics to obscure the larger imperative.

A multidisciplinary approach not only ensures the company's entire scope is considered, but avoids the ghettoising that might eliminate potentially useful points of view.
It also helps spread responsibility across the company and avoids creating a situation where one person is seen to be responsible for a history of questionable data collection practices.

"We've found that this Act has, in a lot of cases, ended up within the legal groups in a business," says Gerard Florian, general manager for multi-service networks with systems integrator Dimension Data. "Effectively managing this means it definitely can't be IT only and it can't be legal only. As simple as this might sound, it's quite amazing how many companies still haven't been able to get together a committee that represents both the legal and technical parts of the business."

Engendering co-operation between business units will also be essential in providing adequate support for any last-minute technical changes that need to be made. At the most extreme, this might be the consolidation of various databases into a single data warehouse - although if you haven't already started something of this scope by now, you'll find it virtually impossible to plan, complete and test by December 21.

Your privacy team should also involve key business partners. Under the terms of the legislation you need to make sure that you're not sharing customer information with any other party that doesn't meet similar criteria. Demanding APSAC privacy certifications may be a good way of ensuring your partners measure up, and will be critical to protecting your own privacy credentials in the long term.
Under lock and key

Rather than undertaking major infrastructure projects so late in the game, it may be better for technical staff to spend their efforts ensuring that customer data is properly secured; and that doesn't just mean using a firewall to restrict access from the Web.

"Amongst other things, the Act is requiring people to ensure that any customer data they store is stored in an encrypted and secure fashion," says Florian. "That's difficult to achieve if the environment the data sits in is not secure yet. Our surveys of customers show that a lot of effort and money has been spent on [security] equipment, but perhaps the degree of comfort people are taking is not justified. The whole discussion is a lot more complex than simply throwing in a firewall and saying 'we're done'."

Although it grants wide latitude regarding just how data is secured, National Privacy Principle 4 requires you to protect data against "misuse and loss from unauthorised access, modification or disclosure." That's a tall order given that few companies have yet bothered to address ways to monitor how employees use information.

Given that your company could potentially be held liable for the compromising of customer data stored on a network, you'll want to establish a way that all access to that data is logged. Paired with this is the need to effectively authorise employee access so you know who's doing what at any given time.

Given its susceptibility to compromise, a simple user ID and password system may be inadequate for providing this kind of access. Consider installing a token-based authentication system that requires both a password and a physical device issued to every employee. This allows for much stronger authentication that can then be used to track employees' access to customer information.
The issue of secure data access becomes somewhat more complex when you're considering how to provide customers with access to their own information, something that's also mandated by the new legislation. You'll need an authentication system linked to a self-service interface - either via encrypted virtual private networks or more conventional means like SSL (secure sockets layer).

Such an approach might help ensure outsiders don't access customer information, but your responsibility extends inside your company as well. So how can you make sure data integrity hasn't been compromised?

"If you've got information sitting on a server inside your organisation, not only do you need to control access to that, but you probably need to be able to show who did access it and what did they do," says Pete Sandilands, regional director of security vendor Check Point Software Technologies. "User names and passwords won't be enough unless you can say for certain who's sitting at the keyboard. This is really going to highlight the need for strong encryption: all staff will have to be properly identified, and access control will need to come down to a very fine level of control. Security technology is one of the few things that's going to help companies do this."

This may mean it's time to consider an outsourced digital certificate service from the likes of KeyTrust or beTRUSTed, which offer digital certificate-based remote authentication services. You'll probably want to combine these with a strong directory service such as Novell eDirectory or Microsoft Active Directory, which may already be built into your environment depending on the servers you're using.

Of course, there's a cost for all this technology; ultimately you'll have to weigh up the cost effectiveness of using digital certificates compared with keeping customer access to their information offline and delivering it over more conventional means like phone or fax.
The law doesn't mandate how customers can access their information, so it's up to you to identify the most cost-effective strategy.

Time and experience will ultimately provide the best indication as to just how much of an investment is necessary, says RSA Security regional manager Scott McKinnel. "We've got the legislation, and now we need the education before we can do the implementation," he explains. "[Authorities] will have to be reasonable before they can expect people to make a full 180-degree turn in the way they do their information systems. The order of magnitude for the resources to make them 100 percent compliant could be astronomical, but the risk might not warrant the reward. Until a few legal test cases get sorted out, we won't know the magnitude. You want to find what's pragmatic and sensible and in line with the intention of the legislation."

When thinking technology, don't forget to address the many complexities that so often trip up otherwise well-intentioned companies. For example, make sure you've got policies about the removal of employees from all systems when they leave the company. Such ancillary policies aren't directly mandated by the new privacy legislation, but they're critical to making sure your business processes address its other requirements.

"A lot of effort can be spent focusing on a piece of data while still leaving open a number of potential areas of breach because of the way the network is designed," says Dimension Data's Florian. "At the end of the day, we're trying to provide network and data and security, and the Privacy Act is helping raise awareness of that need."
The value of straight talking

If you're mainly used to treating customers as little more than a profit centre, get ready to improve your game. Although many customers aren't extremely picky about privacy-related issues, those who are can make a lot of trouble for you and your site's reputation if they're not satisfied.

The best way to avoid such problems is to be completely up front about what you want to do with their personal information, and make sure they know you're not hiding things from them. Give customers the option to interact anonymously with your Web site if it's possible, leaving the option that they provide more information later as they become more comfortable with your company.

Mobile service provider BlueSkyFrog, for one, has enjoyed considerable success with more than 300,000 opt-in customers - 20 percent of its subscriber base - specifically authorising the company and its partners to market to them via their mobiles.

Compare that response with the furore whenever a Web site is discovered to be making illicit use of customer information: RealNetworks, for one, was pushed into a very public backdown after it was revealed that its software was sending it information about users' listening habits without their knowledge. Privacy issues are a key part of US-based Fry's Electronics' deal to purchase bankrupt e-tailer Egghead.com, with Fry's reserving the right to back out of the deal if more than 10 percent of Egghead's customers decline to allow their details to be transferred to the new company. Advertising company DoubleClick has had to deal with both federal and state lawsuits alleging its use of cookies violated Web surfers' privacy. And US banks are facing the threat of federal sanctions after a study by the Center for Democracy and Technology found that only 22 percent of banks gave consumers an easy way to opt out of having their information redistributed.
Ultimately, only you can decide just how much effort and money it's going to take to bring yourself in line with the new legislative requirements. The key is to start now, work quickly, and make it a corporate priority to continually inform your online customers what you're doing. They will respect you for it, and in the longer term it will make your online business far more viable.

"The law doesn't say you can't keep information," says Sandra Birkensleigh, partner for global risk management with PricewaterhouseCoopers. "It just says that if you're going to obtain it, keep it, and use it, you have to be prepared to tell people that's what you're keeping on them and why. None of this is meant to stop you doing things unless you're doing the wrong thing. It's simply about greater transparency and access for individuals to what companies know about them."
Privacy's Ten Commandments

Coming privacy legislation is based on 10 key National Privacy Principles (NPPs):

1. Collection
What this means for you: Link every page on your site to a clear, coherent and specific privacy policy. State who you are, what data you're collecting, who else will see it, why you need the data, and what will happen if you don't have it. Consider adding this information onto specific Web pages where you collect personal information.
2. Use and disclosure
What this means for you: Hiding behind anonymous remailers (ie spamming) is bad business practice and will get you blacklisted across the Web so fast your head will spin. Customers are trusting you when they give you personal information, and it's in your best interest not to abuse - or even stretch - that trust in any way. Use commonsense and run questionable ideas past a privacy consultant.
3. Data quality
What this means for you: As anybody who's maintained a database knows, inaccurate and out-of-date information is all too common. Offer online self-service tools, and encourage customers to notify you of any changes to their information.

4. Data security
What this means for you: Implement appropriate security measures that both protect data (ie encryption) and prevent unauthorised access to and/or use of that data (ie authentication and activity logging).

5. Openness
What this means for you: Prominently include links to your privacy policy on your Web site. Consider pairing these links with the logo for APSAC certification, if you've gone down that path.

6. Access and correction
What this means for you: Establish mechanisms to allow customer access to their information. This might be through a call centre, faxback service, or ideally straight through your Web site. You'll also need to provide a procedure for customers to update information that's not correct, such as an online self-service portal.

7. Identifiers
What this means for you: This is designed to prevent aggregation of customer data from multiple sources. Only a customer's name may be used as an identifier by multiple companies. Develop your own process for identifying customers and don't include those numbers when sharing data with other companies. Be particularly careful where multiple divisions of a company may have access to similar data.

8. Anonymity
What this means for you: Don't demand personal information just to access the site. Build a basic level of functionality that's available to anybody, and consider offering extra value-adds if customers tell you more about themselves.

9. Transborder data flows
What this means for you: Be very, very careful about who you share data with. If you compromise customers' privacy, even inadvertently, it could lose you customers and cause major problems for your company's reputation.
10. Sensitive information
What this means for you: Although it doesn't define 'sensitive', this principle is intended to protect medical records and other healthcare-related information. If you're working in this area, get advice before implementing anything dealing with such data.

See the full text of the National Privacy Principles, or contact the Privacy Commissioner's Privacy Hotline on 1300 363 992 if you have further questions. Another valuable source of privacy-related information is the Attorney-General's page.

Top 100 sites more responsive to privacy concerns

Law and consulting firm AndersenLegal recently released the results of the 2001 AndersenLegal/Arthur Andersen Privacy Policy Survey, its second survey of the privacy policies of Australia's top 100 Web sites. Compared with the 2000 survey (released last October), this year's results show a marked improvement in the quality and quantity of privacy policies on the sites.

This year, 66 percent of the surveyed sites had a privacy policy posted, compared with just 51 percent last year. Some 93 percent of the top 100 collect personal information about visitors, up from 75 percent last year. But use of cookies is down dramatically, with 81 percent of sites opting to collect information actively (eg by having users fill out forms) compared with just 59 percent in 2000.

Although more of the sites are collecting information about visitors, the survey results show they are paying increasing attention to personal privacy. Doing so is absolutely critical to business viability online, says Duncan Giles, e-business partner with AndersenLegal, who also chairs the Internet Industry Association's Privacy Task Force.

"Businesses have to preserve trust or consumers aren't going to go with them," says Giles. "Unless they protect privacy they're not going to protect trust, and they're going to lose customers just as they're trying to steer them into the most efficient channel they can have.
Companies should treat legislation as a blueprint to resolve those best practice issues, rather than as a legal compliance issue."

Of the 66 Web sites having a privacy policy:
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.