Over 80 per cent of 150 companies surveyed by IDC Australia were aware of the Australian Privacy Principles (APPs) changes but 72 per cent of those said that they sought third party guidance on data management, according to a new whitepaper.
The whitepaper, The Increasing Value of Data in Australia: Privacy, Security and Compliance, was produced by IDC on behalf of NTT Communications and Hitachi Data Systems in June 2014.
Speaking at a briefing in Sydney, IDC Australia software and services research director Sally Parker said the high level of awareness about the APPs was “not surprising” because of the attention the APPs received in the Australian press.
High-profile data breaches such as Target United States and the United Kingdom supermarket chain Morrisons had also drawn attention to the importance of data security.
- Financial System Inquiry recommends mandatory data breach notification
- How to avoid a Privacy Act breach
- Australian Privacy Principle guidelines released
However, Parker said that when IDC drilled down to see exactly what people knew about the APPs, it was a “different story.”
“While people were aware of their requirements around offshoring of data and the civil penalties of up to $1.7 million, they were less aware of the proper disposal of personal data,” she said.
For example, 72 per cent of respondents sought third party guidance on management of their data.
Of those organisations entrusting a third party with their personal data, few have mandated requirements around the physical location of data, total number of copies, deletion process, or impose restrictions regarding access to the data.
According to IDC, this has resulted in irregularities in the disposal of personal data by third party services, which leaves Australian organisations vulnerable to non-compliance with the revised principles.
“They have little insight into the management of their data during its lifecycle and the terms of their consequent liability,” said Parker.
The analyst firm also asked companies what actions they had taken since the APPs came into effect.
While the vast majority of respondents had taken action, such as staff education, 8.3 per cent of the respondents said they had taken no action at all.
“Either it’s a flippant attitude towards the changes or they believe the processes in place already are sufficient to handle the changes to the privacy laws,” she said.
“The financial services industry had the largest number of companies that didn’t take any action because they believed they were ready for the APPs.”
Parker warned that data breaches will continue to happen and companies should treat data in the same way as financial and physical assets.
“Risk policies should be set based on the expectation that your data will leak. We need to see who has access to it [data] and what that data is worth,” she said.
Follow Hamish Barwick on Twitter: @HamishBarwick