[plug] OT: New Privacy Legislation - impact on IT - securing of data, backups, IT responsibilities etc.
Luke Dudney
plug at goa-trance.org
Mon Dec 24 22:02:27 WST 2001
Daniel wrote:
> Hi Plug, I wonder if anyone is a full bottle on the new legislation?
> It seems to me that $3m turnover(as opposed to profit) may include
> quite a few 'small' businesses right now, and anyhow the others have
> only 12 months to comply.
I'll put in my 2c worth, though I'm far from full bottle.
WAIA members can probably find a copy of the Privacy Commissioner's
presentation to the 2001 WAIA conference online.
It was a good presentation. I, as someone who at the time had not even
heard of the Act, found it covered a lot of the key concepts quite well.
(If you're not a WAIA member then I suggest you join. It's only $20/yr
and is a great organisation in my experience. http://www.waia.asn.au/)
> I thought I heard someone saying that this meant that forwarding on
> someone else's e-mail would contravene this act.
> I wonder if it also means that historical backups need to be kept so
> businesses can prove what data they actually had at what time.
> I also wonder 'where the buck stops' with responsibility with
> complying with these details [ie does the person responsible for IT
> end up viewed as responsible]
AFAIK the company must delegate a person to be "the privacy guy/gal" who
must be fully rehearsed on the company's responsibilities wrt the new
act. That is likely to be the existing HR person/people.
If they do not delegate anyone, then personal responsibility lies purely
with senior management. So don't fret; if you're not told about it,
either you don't need to do it or someone's not doing their job (either
way you should be fine).
Being ultimately and personally responsible for policing a large
corporation's adherence to such a comprehensive agendum is not something
that appeals to me personally.
> How could workstations running 'Doze' popular often not secured
> workstation o/s comply? Even if all the data is kept on a
> 'comparatively more secure' server surely the fact that it can be
> accessed from a client that is not secure then invalidates any concept
> of security?
The government in its fantasy-land interpretation of IT will probably
take the definition of "secure" from All The Wrong People[tm].
So a Win98 box hosting an Access Database with confidential client
information on it might actually qualify.
But it's nearly Christmas, enough cynicism.
>
> What are the repercussions for the IT industry? I look forward to any
> responses.
Lots. For one, any information you are keeping on a customer must be
made available to them. To some, that might sound horrifying. ("This guy
is a moron. Speak to the wife, she's the one wearing the pants" etc etc).
Luke