With a little over four months to go before the amendments to the private sector privacy legislation come into effect, confusion still abounds.
The Internet Industry Association (IIA) yesterday released its draft privacy code for the Internet industry. After a seven-week consultation period, the code will be formally submitted for registration by the privacy commissioner.
According to IIA chief executive Peter Coroneos, the code's enforceability is through a government-backed co-regulatory regime.
"The lack of trust which presently permeates e-commerce, at least in the minds of many end users, means that the industry has to go that extra mile to deal with the natural reticence of people to deal with unseen entities in a virtual environment," Coroneos asserted.
Gerard Florian, general manager for multiservice networks at systems integrator Dimension Data, said its concern at the moment is that there's simply not enough practical advice out there.
Dimension Data had surveyed its customers and found there were some very basic things that needed to be fixed first. He believes this needs to be driven by the industry as a whole, including the channel, regulators, and other organisations.
"This legislation requires organisations to rethink some things and they've got a lot to do." For example, Florian said there security issues with the way some networks are currently set up.
"The environment has to be safe for the information to be safe," he asserts. "The organisations have to be helped to walk before we can help them to run."
Florian believes the direction of the code itself is a good thing for businesses, but he doesn't think people are going to be prepared by the December 21 deadline. "We've got four months to go and that's not very long at all."
From a legal perspective, Simon Bailey, a partner in the Melbourne office of lawyers Phillips Fox said the act requires organisations to write down how they are handling information, in statements and policies which set out their privacy practices.
To comply with the legislation, a business handling personal information --whether online or otherwise -- has to understand the information it holds, how it collects it, what it does with it and how it manages its database in order to comply with the legislation. Bailey admits businesses are only just starting to wake up to the implications of the changes.
"My view is that businesses have taken a while to understand the significance [of the changes]," he said. "It's asking business to make a cultural change - to effectively change the whole way they view and deal with personal information."
There is also confusion about what the transitional arrangements for compliance after December 21 when the amendments come into force. According to Bailey these are complex, but he advises businesses to have their documentation and procedures bedded down before the deadline.
There are still far too many Australian companies affected by this legislation, that appear to be taking an Ostrich like approach to the inevitable date of December 21st - that is if we ignore it it will not happen!.
The problem is 2-fold: firstly as mentioned the data needs to be secured in the first place, and secondly, it needs to be readily available on request from individuals.
In the first instance, those companies that are securing their data are too concerned with detecting an intrusion, rather than preventing it - somewhat like shutting the gate after the horse has bolted! Companies have to step up to the bigger responsibility of protection through pro-active security measures, through 3rd party agencies which give advance alert of new viruses, and offer 24x365 monitoring and certification of their security measures. Customers want independent assurance and recognised certification that the data is safeguarded, not the companies own assurance that they have taken adequete measures. The concept of being independently "certified" will be common one year from now, but currently it appears only those companies really focused on customer service are looking for this extra differentiator
On the second issue of accessibility, Many of those that are pro-active, are looking to their CRM vendors for answers, or worse, expecting this to already be included in their CRM solution. Almost invariably they are being faced by a very large bill to modify their CRM to provide this information in a way compliant with the Bill.
eGlobal Technology has developed a very cost efective solution -specific for this legislation- that integrates with exisitng CRM/eCRM solutions to deliver a compliant Data Privacy solution in a matter of weeks, avoiding the costly CRM consulting fees.
For those customers without the basics in CRM, the eglobal solution offers a total management of the registration/escalation and fulfillment of the requests for information.