Airlines, banks and IT companies have failed on a report card into the impact of Australia's new Privacy Act, forcing the Federal Government to review the legislation and consider the introduction of tougher penalties in 2003.
Some of Australia's largest companies rated poorly in the report into the Federal Government's Privacy Amendment (Private Sector) Act 2000, which came into effect on December 21, 2001.
Responding to the report, which was undertaken by Federal Government privacy and security consultant Aulich & Co, a spokeswoman for the Office of the Federal Privacy Commissioner confirmed tougher legislation will be enforced if companies don't act.
"This is the minimal level of privacy compliance Australian companies will ever face, so they need to make it work to avoid tougher laws," she said.
A further review of the act will be undertaken next year after a formal, 12-month process of private sector education.
Aulich & Co director Terry Aulich is confident the Government's review will lead to legislative amendments, because Australian business is failing to take the legislation seriously.
The audit was undertaken across a range of industries and Aulich said companies that are motivated by self-interest and doing the absolute minimum to comply are abusing the act.
"Companies are sitting back thinking nothing is happening so it is okay, but in 2003 when the formal education process ends there will be a huge fallout with the public outing of miscreants, increased legal action and payouts that will force the Government to act," he said.
Speaking exclusively to Computerworld at the IT Security 2002 conference in Canberra on Monday, Aulich said the review will also lead to a parliamentary standing committee on privacy with government agencies and companies being forced to explain their lack of compliance to the Senate.
While the Family Court and health industry rated highly in the report, it was airlines, IT companies, banks and insurance companies that failed miserably.
Examples that Aulich cited include loyalty programs, such as frequent flyer schemes, which are combined with credit cards and amass plenty of personal information that is then used for a "range of purposes".
He said there is little control over access to this information, which is even shown 'live' for training purposes.
"The airlines are not even willing to discuss the misuse of this information and have an arrogant attitude towards privacy concerns. The situation is similar with banks," Aulich said.
Without listing specific banks, he presented a 12-page brochure-type application form for a personal loan, pointing out that all information included is owned by the bank regardless of whether the loan is approved.
"The information goes to a central repository, which has no public access, and applicants are not told what happens to those personal details," he said.
Information provided to Telstra, Aulich said, is disclosed to a range of outside sources including telemarketing groups and market research.
He said Telstra, like insurance companies, advises that personal information may be disclosed to outside sources such as outsourcers and debt recovery companies, but that these are purposely listed together to obtain "bundled consent".
"But in reality consumers think they are only providing information to Telstra," Aulich said.
He attributes IT companies' poor privacy protection methods to a range of reasons including high staff turnover, market forces and vested interests, because they are part of an industry that utilises software like data mining tools.
"Also, a lot of technical operators in IT are under the age of 25 and our polling shows younger people do not think privacy is important whereas older people have a real concern," he said.