Postcard from Privacy
On 22 February 2018 the amendments to the Australian Privacy Act came into force. From that date on, companies had to take serious care of any and all personal information that they stored. Well, almost all. As usual, it's not quite that obvious.
There's a concept of Personally Identifiable Information underlying the change. This is information which, when taken from a single source, can uniquely identify an individual. So, if I have a database of names and mobile numbers, that will probably be covered. Name and address also fits. But what about car rego?
The thing is, though, name and address will only identify you while the address is current. Home owners here in Australia move every 7 years on average - renters far more often. Cars are changed every 5 years - again, that's an average length of time. So, to me that implies that my list of names and addresses has a limited useful life unless I keep it up to date, but does the law agree?
Part of my job right now is helping the place I work conform to the legal requirements, and the lawyer has the view that a full appreciation of the requirements won't be known until a few people have been through the courts and we can all see what the penalties are. Because, on paper, they're quite stiff. Fines of up to $2.1 million and possible prison time for senior managers and the exec team.
There are a couple of exclusions, of course. The company has to have an annual turnover of $3 million or more, and for some reason, HR data is excluded. The HR exception makes no sense at all to me. Having my name, address, tax file number, super fund details and so on is almost the definition of "personally identifiable information", but for this law it isn't. The lawyers we've spoken to don't understand either, so maybe there's a view that this is already covered by other legislation.
If your stored data is compromised, you have to tell the commissioner, inform those individuals whose data may now have leaked and investigate the leak. And you only have 30 days to do those things, otherwise the penalties can kick in. So far, we have had one major reported breach, but there's clearly going to be more; it's a fact of life these days.
Thankfully, our new legislation is less far-reaching than the European equivalent, which has seen some US companies withdraw services from Europe rather than attempt to comply!