Organisations who haven’t done anything about the Privacy Act need to put best practice measures, such as privacy training, in place before Privacy Commissioner Timothy Pilgrim comes knocking, according to IBRS advisor James Turner.
Speaking at a CA privacy briefing in Sydney, Turner told delegates that one organisation has already fallen afoul of the <i>Privacy Act</i>.
In May 2014, global ID card supplier Multicard was found by Pilgrim to have breached the Act when they stored personal information of 9,000 Australian Maritime Security Identify Card applicants on a publicly accessible Web server.
The Maritime Security Identity Card scheme is used to identify people who have been subjected to background checks.
Pilgrim launched the own notion investigation in February 2013 after it emerged that the 9,000 applicant’s details – including names, dates of birth, addresses, partial credit card numbers and photos – were discoverable online for four months using a Google search.
His investigation found that Multicard failed to implement a number of basic security measures, resulting in a large amount of personal information being exposed.
However, Pilgrim added that Multicard “acted appropriately” to contain the data breach by immediately disabling its website and restricting access.
Since the data breach, he said the company has appointed an independent auditor and taken a “number of steps” to improve its information security.
- Privacy Act lacks sufficient protection against drone invasion
- New data privacy laws: What you need to do to comply
- Cost of a Privacy Act breach could extend to ongoing audits: legal expert new
If companies want to avoid a Multicard-type investigation, Turner said they should invest now to prevent a potentially more expensive disaster later on that could damage the organisation's brand and image.
“The more mature organisations have an established governance function with roles like chief risk officer or chief privacy officer. These are the people who are leading these projects for compliance,” he said.
“These organisations also have a strong appreciation for the strength of the organisation’s brand because they have given consideration to the potential impact of a publicly disclosed privacy breach.”
Turner then shared some privacy best practice steps for CIOs and IT managers.
He suggested that companies get in a third party organisation to run a simulated audit that uses the Privacy Act as its basis.
“Also, if you are sharing information with a third party, you need to make sure that they are compliant with the Privacy Act. Some organisations are going to their parties and saying 'prove it with an audit’.”
Some organisations that Turner has spoken to are conducting information audits to work out what data they hold about their customers.
“These companies want to find out what they actually need [to retain] because they are aware that the more data they hang on to, the more exposure they have,” he said.
However, that there are challenges with data deletion, such as removing data from backup tapes, Turner said.
“There are plenty of organisations out there that have years of archives sitting in storage facilities. They are not going to be deleting all of that.
“Under the Privacy Act, it’s actually more important that you know where the information is. The customer wants transparency so they need to be able to come to you and say 'what have you got about me, is it accurate and how is it protected?’. If you can say that the data is on backup tapes in a secure facility, this is a good start.”
According to Turner, an organisation’s internal legal and human resources (HR) staff will need to determine the discipline steps if a staff member makes decisions that result in the organisation being in breach of the Privacy Act.
“Legal and HR will need to determine if it was wilful intent by a disgruntled employee or a genuine mistake. The demonstrated degree of intent to self-correct [the breach] is going to be a key point that the Privacy Commissioner [Timothy Pilgrim] will be interested in when investigating a data breach complaint,” he said.
Turner explained that if Pilgrim is unconvinced that the organisation has dealt effectively with the breach, then he can seek an enforceable undertaking.
“If the organisation declines the enforceable undertaking or accepts the undertaking and does not carry out the agreements, the commissioner has discretion to take the organisation to the federal court," said Turner.
Follow Hamish Barwick on Twitter: @HamishBarwick