Amendments to the Privacy Act will be effective December 21 and there is still concern that, from an IT systems point of view, many businesses are unprepared.
"We're really short on action, that's the bottom line of it," said John Grant, chief executive officer at Data#3.
Grant claims that the scope of requirements for just implementing standard security systems, together with the events of September 11, which have turned much more attention to business continuity, are what is really preoccupying IT managers.
"Privacy hasn't got the guernsey that it needs to actually participate with the importance of these two drivers," Grant said. "Business is not aware of the [privacy] requirements, business has not prioritised or allocated funding, business is not prepared to implement it and business is preoccupied with the security of corporate data, so we have some issues."
However, the argument is still strong that the new privacy legislation lacks bite, with the Privacy Commissioner unable to slap companies with financial penalties for non-compliance, and that this is the real reason many businesses lack commitment to comply with the deadline.
Gnashing teeth but lacking bite?
Leif Gamertsfelder, e-security group leader at Deacons lawyers, said that from a strictly legal perspective "there's not a hell of a lot of bite in the laws".
Gamertsfelder pointed out that it's a very "onerous undertaking" for an individual or organisation to prove a privacy breach has occurred.
Firstly, a complaint has to be made to the Privacy Commissioner, who may or may not decide to investigate the claim. If the Commissioner does investigate the issue, s/he can make a determination about the conduct, possibly forcing the company that breached the Act to pay compensation.
"It's not remarkable to see something around the order of AU$1000 - AU$1500 in compensation, but we're not talking extraordinary sums of money for breach of privacy," Gamertsfelder said.
Furthermore, to really enforce the breach and to have a truly legally binding decision, the claimant will have to take the matter to Federal Court, which for "constitutional reasons" will have to recommence the investigation from "ground zero", he added.
Gamertsfelder says that non-legal penalties, such as risk of reputation and the cost of re-engineering security that you get wrong, are much more sensitive issues for businesses than the actual penalties that may be handed down under the Act.
Changing business culture
However, regional director of Check Point Software, Peter Sandilands, believes that there has to be culture change within businesses before privacy compliance becomes prevalent.
"Privacy and security have parallel aims. They're about educating the workforce to behave in a way that's beneficial to the business," he said. "These have to be driven by policies, they have to be driven by the management of organisations."
According to Sandilands, it's no good having a policy unless workers have the right attitude in dealing with it and accept this is the way the company does business. This means educating the workforce.
"We are talking about culture change," he said. "There's a lot of people still need to wake up and get out and act."
This is a point ANZ bank's information risk manager of global information security, Theo Nassiokas, agreed with.
"At the end of the day, staff have got to be aware of the policy and understand the spirit of the policy to be able to apply it, so the awareness and education side of things, the change of mindset, is in my opinion the most important."











