At a roundtable discussion in Sydney last week with PricewaterhouseCoopers (PWC), the issue of what would be needed to get businesses to comply to the new amendments was a primary concern. The general feeling from PricewaterhouseCoopers seemed to suggest that the issue of privacy was not merely about complying with regulations and legislation but was more about engaging in solid business practices.
"[This is more about] privacy as a strategic cost," explained Sandra Birkensleigh, partner of PricewaterhouseCoopers and the Asia Pacific leader of the organisation's Compliance Risk Management practice.
Although the legislation lays down some important groundwork for the issue of privacy, Birkensleigh believes there is nothing radical about the guidelines contained in the act. "This legislation is codifying a basic human right," said Birkensleigh. "You have the right to ensure that information [kept about you] is correct... You should have informed consent about what happens to your personal data."
Birkensleigh contends that complying with the legislation will not be easy and in fact, it is only now that Australian organisations are beginning to understand the full cost of that operation. PricewaterhouseCoopers conducted a Privacy Survey of top Australian businesses at the end of last year and it determined that companies expected to be paying around AU$50,000. Over a quarter of respondents to the survey at the time said they had no idea how much it would cost.
However, things now are very different and organisations such as banks are now beginning to estimate the costs to be in the hundreds of millions of dollars, although Birkensleigh believes that this is perhaps a little exaggerated.
Birkensleigh points out that in order to effectively manage the process of compliance, private sector organisations will have to become more aware of their customer's needs and deal with them proactively. "How [privacy compliance] is done is dependent on the maturity of the relationship with your customers and how you treat them and how you wish them to treat you," said Birkensleigh.
One way in which Australian businesses can broker a greater level of trust with its customers in terms of privacy compliance is to establish a code. The Privacy Amendment Act allows private sector organisations to develop their own privacy cods, which can exceed, though must at least comply, with the National Privacy Principles (NPP). There are ten principles contained within the NPP and they cover the areas of collection of personal information (NPP1), use and disclosure of that information (NPP2), data quality (NPP3), data security (NPP4), openess (NPP5), access and correction of that infomation (NPP6), identifiers (NPP7), anonymity (NPP8), transborder flow of private data (NPP9) and sensitive information (NPP10).
Birkensleigh explained that codes might be developed to achieve a higher level of privacy that might be industry specific, although they must be approved by the Australian Privacy Commissioner. "We believe that our [PricewaterhouseCoopers] clients wish to develop codes because they want to be seen as market leaders," said Birkensleigh, "that they're taking this issue seriously."
One of the major problems that could arise from the new privacy act is what might happen when businesses are in breach of the legislation. The Privacy Commissioner is taking a "light touch" approach to enforcement of the act, Birkensleigh explained. "A shame policy is being used to penalise businesses, but if this 'light touch' doesn't work, financial penalties might be integrated into a rehash of the legislation."
Birkensleigh feels that the key to achieving compliance with the act requires businesses to take the issue onboard rather than wait for a legislator to tell them what to do. "It is important to get this in place and make it work so that we can find out if we can work in a co-regulated environment in this country," said Birkensleigh.
