Adrian De Luca

A new era in privacy?

Blog Post created by Adrian De Luca Employee on Mar 9, 2014

On the 12th March, Australia will usher in the biggest change to privacy law in the past 25 years with the introduction of the new Australian Privacy Principles, otherwise known as APPs.

 

While Australia is not unique (the European Union has a strict legal framework, and closer to home, countries like Singapore and Korea move toward greater privacy regulation), it is taking a leading role within Asia Pacific that has implications not only for local organisations, but anyone doing business in this jurisdiction. The new laws also mark a milestone for the seismic shift business have undergone in the past two decades from paper based processes to the digital age.  Organisations will be required to follow a consistent and transparent set of guidelines for the collection, use, storage and disposal of citizens’ personal information.

 

These days almost every enterprise, large or small uses some form of information technology to run their business so most of this personal information will be collected, held and distributed electronically.  Small businesses will store name and address details in email correspondence, spreadsheets or web forms.  Larger businesses would be holding even more personal information in customer relationship and helpdesk systems.

 

For those unprepared, complying to the act may be easier said than done. In a survey we conducted last year, a quarter of respondents were unsure when they had undertaken the last information inventory audit to establish their current level of regulatory compliance. The same survey also found 45% of organisations had inconsistent workflows for privacy and data collection.

 

I recently participated in an insightful Google Hangout with Privacy Lawyer Alec Christie from DLA Piper, and CEO of the Association of Data-Driven Marketing & Advertising, Jodie Sangster.  Jodie made the point that writing your Privacy Policy is the critical first step, as this will drive all the activities and decisions to create a culture of compliance.

 

Just like protecting the intellectual property of your company, safeguarding identifying information of your clients is the next step in protecting your brand and reputation.  If you think about it, protecting personal privacy should really be a logical extension to data security and management practices.

 

So with privacy policy inextricably to IT systems, what is the role of the IT department?  Which technologies can help to ease the burden of storing, managing and disposing of ever increasing volumes of personal information in a compliant manner?  And what does a Privacy Protected Enterprise look like?

 

Audit your information assets

 

Finding personally identifiable information amongst the interwoven relationship of applications and files is not trivial, you can't just set Google onto it!  Applications can store data in multiple places, making copies and snapshots and even in different formats. They are also not very good at cleaning up after themselves, so you may be inadvertently storing personal information about people long forgotten or no longer deemed of business use.

 

Conducting an audit of all your personal not just a logical first step, but an important one.  Not only will this help you uncover all your personally identifiable data, but it can also give you an opportunity to do a spring clean before getting your systems in order. PII (Personally Identifiable Information) software from companies like envo8, GroundLabs and Identify Finder quickly scour you systems to and catalog all your assets.

 

Manage the Information Lifecycle

 

A well architected IT infrastructure that is designed to support the privacy policy can significantly ease the burden of compliance.   Here are some examples;

 

In general, the APP’s require organisations to have well defined, documented procedures and systems for managing personal information. Do you remember Information Lifecycle Management (ILM)? Adopting policy based file management technologies for relevant data sets can not only automate some of these procedures, but also enforce disposal when it is no longer needed.

 

Various industry or legislative acts that overlay the APPs require the retention of information for a specified period of time.  This is where software like Data Migrator on Hitachi Network Attached Storage (HNAS) really helps, allowing you to create flexible policies to migrate files from a primary file server to the Hitachi Content Platform (HCP), a full featured object store. Once in HCP, it remains persistent and immutable for as long as it needs to be retained.   When no longer required as defined by the policy, the HCP will expire the objects where they can be permanently destroyed, helping to comply with APP 4 & 11.

 

Furthermore, if changes or updates are made, HCP also allows you to maintain multiple versions providing a full audit history, helping comply to APP ‘s 10 and 13.

 

Maintain Data Quality and Integrity

 

APPs 10 & 11 call for maintaining the quality and security of personal information, that is to make sure it is accurate and up to date.  Therefore being able to search all instances of personal data quickly can be an invaluable asset. The Hitachi Data Discovery Suite (HDDS) can search filesystems and objects independent of application, giving you a ‘Google’ like view of all your instances and assist in identifying any discrepancies.  Another benefit of HDDS is that work independent of application, so if your retire your application down the track, you can still retrieve all information wherever they may be.

 

hitachi-ppe.jpg

Of course infrastructure technology alone will not lead to compliance salvation, but adopting modern tools and transforming your IT infrastructure will reduce the overall cost of compliance in the long run, as well as minimise the risk of falling foul of these new laws.  I also believe the new privacy era is not only an opportunity for organisations to extend their existing data security practices to be more focused on individuals, but also to improve information workflows and efficiency across the enterprise.

 

I would be interested to hear how do you plan to tackle the privacy challenge in your organisation?

Outcomes