Privacy Law and Policy Reporter
This survey has been designed to address the current level of privacy awareness within Australian organisations. It examines issues such as the use of privacy policies, the coordination of the privacy function, the monitoring of privacy compliance and attitudes towards potential privacy legislation in the private sector. It also looks at current attitudes towards privacy in general.
The survey was circulated to organisations spanning all major industries including:
The results presented in this report are the major findings of our survey. We surveyed the top 400 companies in Australia and achieved a response rate of over 25 per cent. We believe these responses can be used to gain a better understanding of the level of privacy awareness within the Australian business community.
In conducting this survey, we have generated some important statistics about the way Australian business is currently approaching the issue of information privacy.
One of the most striking statistics that we found is the overwhelming support for the introduction of privacy legislation, endorsed by 70 per cent of respondents. This is in contrast to the Government view that legislation would add unnecessary burden and overhead to Australian business. Of the organisations surveyed, 79 per cent felt only minor changes would be required to their business practices in order to comply with legislation, highlighting the fact that Australian business does not believe there will be significant costs associated with applying good privacy practice. (See Graph 1).
The organisations surveyed had widespread views on the major privacy issues facing them for the future. The key issues identified are as follows:
The issue that was deemed the most important to Australian organisations was the fact that they will be required to comply with international privacy legislation. This is especially crucial given the looming deadline for the introduction of privacy legislation for all member states of the European Union. It is interesting to note that Australian organisations are aware of this and have realised that it is an issue they need to address. Also interesting was the fact that the issue given the second highest priority was the potential impact a privacy breach would have on the company’s public image. This highlights that organisations have identified privacy as a risk and that there is a need to manage it like any other business risk.
This report presents the major findings of our survey into the information privacy practices of Australian business. Also provided is an analysis of these findings and commentary on the messages Price Waterhouse considers these results convey.
(See Graph 2). Of the companies surveyed, it was found that only 38 per cent have formally documented privacy policies. While it is pleasing to see that a number of organisations have taken steps to address this issue, the growing concerns about information privacy will mean more organisations will need to look at developing policies. As such, it is a positive step that only five per cent of respondents stated that they did not have a policy in place and were not interested in developing one. It was interesting to note that 45 per cent of organisations follow privacy guidelines rather than formalised policies. These organisations, while taking positive steps towards identifying privacy as an issue, need to have formalised policies in place to ensure compliance through both employee and management support. Organisations that currently have policies in place are well placed to meet the Australian Government’s requirements for self regulation.
Graph 3 highlights that organisations are beginning to address the need for organisational procedures that address privacy issues. While only 38 per cent of organisations may have formally documented policies, 50 per cent of the organisations do have operational procedures and guidelines. A further 11 per cent are in the process of developing them. This illustrates that organisations have attempted to develop procedures for those activities that they deem to be particularly privacy sensitive rather than developing organisation wide policies that encompass all of the operations of the company. A significant 26 per cent of respondents have stated that they do not have any privacy related procedures or guidelines.
Six per cent of organisations employ specific privacy coordinators. This illustrates that organisations are beginning to become aware of the fact that privacy is an important business issue. It is interesting to note that last year's results found that ten per cent of organisations employed specific privacy coordinators. This disparity in the results could be due to the fact that many organisations are unclear about what the role of a privacy coordinator should be and whether a dedicated coordinator is required for their organisation.
Graph 5 illustrates the wide variety of people responsible for privacy co-ordination within organisations. This confirms the fact that while organisations are aware that privacy is an important business issue, they are unclear as to where it fits into their daily operations. It is interesting to note that 28 per cent of organisations view privacy as a human resources issue, while only a small proportion see it as being relevant to risk management.
The appointment of specific privacy co-ordinators within larger organisations provides a clear area of responsibility for the coordination, implementation and communication of privacy policies and issues. Smaller organisations, while not requiring the services of a full time privacy coordinator, need to appoint an individual/department that is best equipped to oversee the organisation’s privacy responsibilities. This serves to establish distinct lines of accountability for both policy compliance and communication. As evidenced by the previous two charts, this is currently lacking within Australian organisations. Organisations should begin to view privacy as a specific business risk and one that should fall under the control of the employees responsible for business risk management.
(See Graph 6). While 83 per cent of organisations surveyed follow either formalised policies or general privacy guidelines, 80 per cent of organisations do not employ privacy training programs for their employees. This is consistent with last year's findings and again highlights that organisations have not identified how important it is that employees receive adequate training. Compliance with privacy policies and guidelines is greatly hindered if employees are not educated about their existence or about the policies' impact on their daily duties.
If privacy legislation is passed, the impact of companies' employees not being made aware of privacy policies is increased. A breach of an individual's privacy would also mean a breach of legislation, so it is vital that employees are made aware of privacy issues and the way they impact upon their day to day tasks. Front line staff are the most at risk of causing an inadvertent privacy breach, so it is important that they receive adequate levels of training.
(See Graph 7). One of the reasons given by the Australian Government to cancel their moves to introduce privacy legislation in the private sector was the perceived burden and overhead it would add to Australian business. However, of the organisations surveyed, there was substantial support for the introduction of privacy legislation, with 60 per cent providing support, and a further 10 per cent, strong support. This illustrates that Australian business has identified privacy as a major business risk and they are looking to the Australian Government for guidance on how to manage it. It also highlights that organisations feel privacy policies require legislative backing to provide sufficient force and ensure compliance. Only 20 per cent of the organisations surveyed were opposed to the introduction of privacy legislation, which is relatively minor given the perceived burden that the Federal Government has indicated privacy legislation would create.
(See Graph 8). The Australian Government has advocated the development of privacy codes of practice within Australian organisations. These codes of practice will be used to allow Australian companies to self regulate rather than complying with legislation. Sixty-two per cent of organisations have stated that they are willing to participate in the development of codes of practice. Of this, 25 per cent have stated that they would like to participate in the development of industry wide standards, illustrating that many organisations view privacy as more than just an individual company issue. A further 37 per cent have stated that they would develop company specific privacy codes. Thirty-six per cent of organisations have indicated that rather than developing a specific code of practice, they would be satisfied with simply adopting any legislation that is imposed on them. It is these organisations that will now need to reconsider their approach to implementing privacy policies within their organisation.
(See Graphs 9 and 10). It has been argued that privacy legislation will be a hindrance to Australian business and changes required to ensure compliance will be considerable and costly. However, the organisations surveyed do not believe that legislation will enforce undue or unreasonable requirements on them. Of the organisations surveyed, 75 per cent stated that they would only require minor process re-engineering, if change was required at all. This illustrates that many organisations believe that their current business practices are sufficient to comply with any form of privacy legislation.
The organisations surveyed have also shown that they believe maintaining compliance with the legislation will not be a costly exercise. Sixty-two per cent of organisations surveyed believe it will cost less than $100,000 to conform to the legislation. Only four per cent of organisations believe compliance costs will be greater than $500,000.
The 10–15 per cent unknown element may indicate uncertainty about potential system changes necessary to support customers ‘opting out’ and customer right of access to information, which good privacy practices dictate.
(See Graph 11). Organisations have identified the fact that additional measures will need to be implemented in order to ensure compliance with any privacy legislation. It is interesting to note that 39 per cent of organisations believe that the best way to ensure compliance with any legislation is to increase employee training. This is in contrast to the previous finding that 80 per cent of organisations do not currently utilise employee privacy training. While organisations have identified that it would be important to train employees if legislation were in place, privacy training should be introduced as a means of ensuring good business practice regardless.
(See Graph 12). A substantial 41 per cent of companies surveyed state that they keep redundant information in storage. As the Federal Privacy Act 1988 states that information must be kept up to date before it is used, this raises the question of the accuracy of an organisation's information. Organisations must examine their policies in relation to the length of time information is retained to alleviate the risk of inaccurate information being used. There should be no requirement for an organisation to retain information once it has been established that it is no longer relevant or required. The reuse of potentially out of date or inaccurate information serves to increase consumer concerns about the privacy and security practices of an organisation.