IT departments are not prepared for the new privacy legislation and will face major issues in the race to comply byDecember 21, the Australian Privacy Compliance Centre (APCC) has warned.
APCC director Mark Sumich said IT issues surrounding the legislation are probably the ones that have been "leastassessed".
"Many organisations have old legacy systems and databases which are not integrated into current networks.
[Therefore] there is a question of how will an organisation ensure an updated view of all personal information heldon a person."
Bernard Hill, senior manager, corporate services for security consultancy 90East, said the legislation will bring tothe fore issues surrounding the use of e-mail.
"There is still a large degree of ignorance about the security of e-mail correspondence. There needs to be asignificant change in how organisations use e-mail as it is vulnerable to tampering and manipulation externally.
"There are questions to be answered, such as should all correspondence with more than one recipient have alladdresses bcc'ed (blind carbon copied) to ensure that e-mail addresses are not forwarded on and usedinappropriately?"
The Privacy Amendment (Private Sector) Act 2000 is based on the National Privacy Principles (NPPs) regulating thecollection, storage, access to, use, disclosure and de-identification of personal information.
Hill believes companies should look upon the next few months as a time to do a "spring-clean"; an audit ofinformation and how it is stored, and what sort of security and level of security protects it.
Greg Carvouni, the NSW Roads and Traffic Authority's CIO, said his organisation was "not all there yet".
"For front-office procedures we are well positioned, but for the back end, I would have no comment."
Carvouni said there are still a lot of things about the legislation that need definition. "I think software vendorshave to look at their packages to ensure they meet the requirements. Some of the requirements [of the legislation]relate to individual logins and most ERP systems do not cater for this."
Denis Wilson, IT security manager for Orica Australia, said that unlike Y2K and GST compliance, changes within hisorganisation are being driven by the legal team, not the IT department.
With policies and standards currently being written through the legal team, Wilson said his company was a month ortwo behind where they should be, but expects to get a "move on" in September to be in good shape by October.
"I don't think the legislation will have that much of an impact on our business. Our CRM systems are fairlyunsophisticated, just simple PC systems, mainly Lotus Notes which are not difficult to change."
According to a recent survey commissioned by the Office of the Federal Privacy Commissioner into the attitudes of560 businesses, about half had little or no knowledge of the new law, and less than 40 per cent knew that theprivacy amendment legislation would be enacted on December 21.