The Improbability of Privacy Act Compliance, Pt 4

For the past three days I've opined as to the reasons why Australian organisations are unlikely to be prepared for the updated Privacy Act come March 12, with emphasis on what constitutes personal data and the impact of the amended Act on cloud computing and big data.

Today I'm focusing on one part of the Act that isn't entirely new, but that remains among the most problematic from a systems perspective.

Any Australian business with annual revenue over $3 million has an obligation under the Privacy Act to tell a customer, on request, exactly what personal data it holds on them, and, where necessary, to correct or delete that data at their request.

This obligation was introduced with the best of intentions — transparency. Balanced against that privacy outcome is a compliance burden that few organisations can meet.

From a systems perspective, compliance with this aspect of the Act requires best-practice IT, such as a customer relationship management (CRM) system that offers a single source of truth for a given customer.

In most organisations I speak to, that is an ideal rather than the reality. It tends to be found in recently incorporated companies that have installed a modern CRM system (complete with an auditable record of all agent and customer activity) and that offer only a handful of products and services, not in large integrated banks, telcos or retailers.

Consider a company with the scale of a large telco or bank, which has typically developed different CRM systems across multiple divisions and inherited yet more through mergers and acquisitions: the time required to complete such a request becomes prohibitive.

How many organisations could genuinely say they have a single customer record? How many times are datasets exported into spreadsheets for use by staff? How many copies of those spreadsheets have been distributed on mobile devices?

Further, how practical is the obligation to destroy data once the purpose for which it was collected (and to which the customer consented) has been served? Data can be deleted, but can it be destroyed?

Consider the Australian Signals Directorate (ASD) standards for destruction of data. Are multi-tenant cloud providers destroying data to that standard when asked to delete records? In practice a tenant's delete request unlinks the record; whether the underlying storage is ever overwritten is the provider's decision, and the provider's snapshots and backups persist on their own retention schedules.

As one CIO pointed out in our workshop, how many copies of customer data has your organisation made in the name of availability and redundancy? Does deleting a customer record genuinely destroy that record in replicated systems?
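The systems problem behind both questions is that an access or erasure request can only be answered for the copies an organisation knows about. The following is an added example (not code from the article or from any of the organisations it mentions) of a minimal personal-data inventory: every store that may hold a copy of a customer's data is registered, an access request walks the registry, and an erasure request deletes where it can and reports every copy it knows it cannot destroy. All store names, the customer record and the retention reasons are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    """One system that holds a copy of customer data (names are constructed)."""
    name: str
    erasable: bool            # can the organisation delete from it on demand?
    reason: str = ""          # if not, why (retention policy, unmanaged copies, ...)
    records: dict = field(default_factory=dict)   # customer_id -> dict of fields


class PersonalDataInventory:
    """Registry of every store that may hold personal data.

    Access and erasure requests are answered by walking the registry, so a
    copy that was never registered (an ad hoc spreadsheet, say) is invisible
    to both. That blind spot is the point: the inventory is only as complete
    as the registration discipline behind it.
    """

    def __init__(self):
        self.stores = {}

    def register(self, store):
        self.stores[store.name] = store

    def copy_in(self, store_name, customer_id, fields):
        """Record that `store_name` now holds `fields` for `customer_id`."""
        self.stores[store_name].records[customer_id] = dict(fields)

    def access_request(self, customer_id):
        """Everything we can find on one person, keyed by store name."""
        return {
            name: dict(store.records[customer_id])
            for name, store in self.stores.items()
            if customer_id in store.records
        }

    def erase_request(self, customer_id):
        """Delete where we can; report every copy we know we cannot.

        Returns {"erased": [store names], "outstanding": {store name: reason}}.
        The data is only 'destroyed' once "outstanding" is empty, which for
        backups means waiting out the retention period and re-checking.
        """
        erased, outstanding = [], {}
        for name, store in sorted(self.stores.items()):
            if customer_id not in store.records:
                continue
            if store.erasable:
                del store.records[customer_id]
                erased.append(name)
            else:
                outstanding[name] = store.reason
        return {"erased": erased, "outstanding": outstanding}


def build_sample_inventory():
    """Constructed example: one customer, four copies, two of them sticky."""
    inv = PersonalDataInventory()
    inv.register(Store("crm", erasable=True))
    inv.register(Store("billing_replica", erasable=True))
    inv.register(Store("marketing_export_xlsx", erasable=False,
                       reason="spreadsheet emailed to staff; copies on unmanaged devices"))
    inv.register(Store("nightly_backup", erasable=False,
                       reason="immutable backup; expires under the backup retention policy"))
    person = {"name": "A. Citizen", "email": "a.citizen@example.com"}   # constructed
    for store in ("crm", "billing_replica", "marketing_export_xlsx", "nightly_backup"):
        inv.copy_in(store, "C-1001", person)
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("before:", sorted(inv.access_request("C-1001")))
    report = inv.erase_request("C-1001")
    print("erased from:", report["erased"])
    print("still held:", report["outstanding"])
    print("after:", sorted(inv.access_request("C-1001")))
```

Run it and the erasure report shows the two live systems cleared while the spreadsheet export and the backup remain, which is the honest answer to "has this record been destroyed?". A real implementation would back the registry with the organisation's data map, drive the replica and backup entries from the systems that actually hold them rather than trusting manual registration, and re-run the outstanding list when each retention period lapses.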

Attendees at our workshop, covering the full gamut of financial services, healthcare, retail and utilities, noted that meeting this requirement, despite all its best intentions, could spiral out of control. Government officials who have faced these requirements for several years longer than the private sector are already overwhelmed by it.

"At the moment it is clearly already a burden," said Mark Vincent, partner at Shelston IP. "If this got out of hand — if requests came in from more than the occasional privacy-obsessed customer — it would be a massive burden.

"This goes to an IT systems design problem — whether you built your systems from the ground up to classify data so that data relating to an individual is available at a keystroke and is able to be corrected. It would be a rare organisation that has all the data about an individual stored in one record.

"How can you design systems so that you can correct and delete a record if you need to, without resorting to an expensive, manual process? It takes a significant number of hours to fulfil some of these requests. For large organisations today it could take a full-time employee just to manage it."

I'm left with many questions. Perhaps you can think of some answers?

  • An SME might feasibly be earning $3 million in annual revenues with fewer than ten staff. How might they deal with an influx of requests for customer data with so few resources?
  • What if disaffected former staff or competitors chose to wage a nuisance campaign against a target organisation? Would an influx of data requests tie up a company's ability to respond to legitimate customer requests, in much the way a Distributed Denial of Service (DDoS) attack might?
  • [Mark Vincent notes that a request can be refused if it is considered frivolous or vexatious. I would be interested in hearing from the Office of the Australian Information Commissioner (OAIC) as to how this would be arbitrated.]
  • A more constructive question: how could this requirement be tempered so that it meets the desired privacy objective without causing too much pain in the IT department?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.