The information security aspect of the forthcoming privacy legislation is being neglected as companies become bogged down in working out what it all means, according to a new study by Deloitte Touche Tohmatsu and Dimension Data.
Mark Sercombe, head of privacy at Deloitte, said the study indicates that many larger companies are finding that evaluating how they collect and distribute personal information is taking longer than expected, which is delaying other key steps in the privacy compliance process.
"We're seeing projects stall; they're 'spinning their wheels'. We can see them running into the crunch and not moving forward," he said.
One of the main areas of neglect, according to the study, is the way information is kept secure under the new privacy regime, which comes into effect on December 21, 2001.
The study revealed that 29 per cent of large companies are following "better practices" for storing sensitive personal information. National Privacy Principle Four (NPP4) outlines the need for organisations to take "reasonable steps" to protect the personal information they collect and store.
While many companies strive to keep information secure for commercial reasons, the legislation will add a legal obligation to do so. With a Dimension Data survey revealing that 53 per cent of large organisations have experienced an IT security breach, Dean Kingsley, head of information security at Deloitte, is urging companies to fill the gaps in their security.
"The National Privacy Principles require companies to take 'reasonable' steps to protect personal information, a benchmark which many companies will be aiming for based on good corporate governance," he said.
"The immediate need is for companies to identify any significant gaps between their current level of security for personal information and the requirements of the act, particularly for 'sensitive' data such as health information," Kingsley said.
He praised revised privacy guidelines that were released this week, saying they clearly outline what steps are deemed "reasonable" in terms of securing information.
"The revised guidelines reinforce that people and process elements of security are more important than technology elements," he said.
The revised guidelines also contain compliance tips for organisations, including conducting a risk assessment, developing a security policy, training staff to be security-aware, and monitoring and reviewing security practices.