IT managers tackling the mammoth task of complying with Australia's new privacy regime are finding it costly, complex and difficult to interpret. With the December 21 deadline looming, IT departments are struggling to define the untried legislation. This has led to the Big Five consultancies ramping up services in recent weeks and large organisations drawing on the skills of legal eagles to ensure funds are not misdirected in the compliance process.
It involves reviewing internal IT systems so CRM applications meet the guidelines, securing customer data and implementing extensive user training so employees know what the legislation actually means.
Under the Privacy Amendment (Private Sector) Act companies must demonstrate how they will handle, store and maintain customer information to ensure it is accurate and that individuals have access to any information kept about them.
A company must respond to requests by individuals to view information held about them within 14 days and provide the information within 30 days.
Gartner analyst Steve Bittinger said the new regime is a "balancing act" and believes "huge company investment" will be necessary over the coming decade as initial compliance is only the first step.
"It's a three-legged stool -- balancing privacy, security and CRM -- but it is only the organisations that get it right that will survive in the e-commerce space in the next decade; it's all about customer trust," he said.
Commenting on problems IT managers are having interpreting the legislation, Bittinger said the laws are not "a done deal", and its real impact will not be known until prosecutions are played out in the courts.
"We still don't know how it will be interpreted in practise, because it is yet to be played out in the courts so the real impact is undefined," he said.
"A chain is only as strong as its weakest link and this certainly applies to security and privacy which will eventually form the basis of all enterprise IT systems."
Bittinger also warned the cost of CRM implementations will increase as part of the compliance process, at a time when the amount of data collected on customers is doubling every year.
By the year 2006, there will be 30 times more data to be managed than there is today.
"I have seen a jump in CRM investment recently. Tying privacy and CRM together is not a routine IT project with a cost and deadline framework," he said.
Since September, companies have really been picking up the pace to meet the December deadline which is reflected in a joint Deloitte Touche Tohmatsu and Dimension Data survey released this month.
Two-thirds of large companies have initiated projects to address the privacy regime, but compliance has taken much longer than expected.
Mark Sercombe, Deloitte's head of privacy, said the bigger companies are finding it hard to evaluate how they collect and distribute personal information.
"This is delaying them in getting to other key steps in the privacy compliance process, such as ensuring that personal information is properly secured," he said.
Gerard Florian, Dimension Data multiservice networks general manager, said the need to change the way personal information is stored and used is not merely procedural, but also has serious technical ramifications.
"Our research shows serious problems with corporate network security; how can companies claim to be storing data securely if they cannot be sure their networks are safe from intrusion?" he asked.
Mark Sumich, director of the Australian Privacy Compliance Centre, told Computerworld that IT issues surrounding the legislation are the ones that have been "least assessed".
"Many organisations have old legacy systems and databases which are not integrated into current networks," he said, leaving the question of how an organisation will provide an updated view of all personal information held on a person.
"Compliance is too complicated to leave to the last minute and companies that do not act will lose customers and revenue," he said.
"In some cases organisations will need to completely re-engineer their data collection and handling procedures; this does not happen overnight but companies that make the effort will turn a compliance issue into a competitive advantage."
Research firms and privacy bodies agree there is plenty of work to be done.
Currently, only 30 per cent of Australian companies provide customers with access to their records and 15 per cent still use technologies to track customers' Internet usage without their consent.
In effect, companies are increasing CRM expenditure but paying little attention to effective data privacy management.
User training
An IT manager at one of Australia's big four banks said the company's privacy compliance project has been under way for months but interpreting the legislation has been tough.
The other hurdle is staff training.
"Certain parts of the legislation apply from day one so a major challenge we face is ensuring our staff can manage the migration of our existing customer base to comply with the new privacy rules," he said.
Training can be costly and the bank is providing online training as well as more comprehensive seminars for staff who deal directly with customers.
Greg Carvouni, NSW Roads and Traffic Authority CIO, said his organisation "is not there yet".
"For front-office procedures we are well positioned, but for the back-end, I have no comment."
David Burden, Qantas executive general manager for technology and services, said the new act has led to a broad set of policy and procedural changes within the company.
Burden also listed training as a key challenge and said the cost of compliance is yet to be determined.
"At least 15,000 employees need some degree of training before the end of the year," he said.
One of Australia's largest financial services companies has a response team in place to meet legislative requirements, but said there is no rush to meet the December 21 deadline.
"After initial scare tactics by certain vested interests, sanity has prevailed and implementation will be in a series of initiatives spread over the next year or so -- we're not doing it over a couple of months," he said.
"Costs are not small but it is nowhere near the levels of a GST or Y2K which has been hinted at by the more hysterical elements of the media and consulting groups."
Public pressure to protect personal information is driving the new privacy regime.
Politicians realise the electorate is demanding more private and secure standards to accompany the emergence of e-commerce.
Customers have been hesitant to adopt online shopping as a result of privacy and security fears and company executives realise this once sleeping issue is becoming a waking giant.
In fact, a survey of Australian Internet users released last month found 83 per cent of respondents were willing to pay a monthly fee to prevent their personal details from being collected by Web sites.
Undertaken by APT Strategies nearly 5000 Internet users responded to the survey, some willing to pay up to $40 a month to protect personal information.
Surveys undertaken by the Office of the Federal Privacy Commissioner found more than 90 per cent of respondents want businesses to seek their permission before personal information is used for marketing.
Swe-tech Group of Companies chairman Hans Axmacher believes IT security and personal liability laws are about to collide.
"If executives think network security and privacy is the responsibility of the IT team down the hall, they've got another thing coming," he said.
Australia, he said, is unaware of prosecutions that have taken place in Europe and the impact it has had in the corporate arena.
"Privacy of data, the theft of a person's identity and unlawful hacking to access information, are all key topics that are creating a sudden sense of urgency as companies move to protect their assets and their people from intrusion," he said.
However, Orica Australia IT security manager, Denis Wilson, said the compliance process at his organisation is actually being driven by the legal team, not the IT department.
With policies and standards being written by the legal team, Wilson said compliance has been delayed, but the company will be in good shape before deadline day.
"I don't think the legislation will have that much of an impact on our business. Our CRM systems are fairly unsophisticated, just simple PC systems, mainly Lotus Notes, which isn't difficult to change," he said.
Bernard Hill, senior manager, corporate services for security consultancy 90East, said companies should look upon the process as an opportunity to do a "spring clean" by undertaking a comprehensive audit of information and how it is stored.
To assist companies in the compliance process the Office of the Federal Privacy Commissioner publishes a checklist on its Web site (www.privacy.gov.au).
The Office recommends large organisations appoint a privacy officer to be the first point of contact within an organisation. This should be followed by a privacy audit.
A Privacy Connections Network has also been established to help business; details are available at the Privacy Commissioner's Web site.
Despite the new privacy regime Australian organisations have rejected the emergence of privacy officers, instead leaving the process to the IT department.
The trend is different in the US where high profile IT companies such as IBM and Doubleclick have appointed executives to oversee their data privacy policies.
IDC enterprise and Internet software analyst, Natasha David, said Australian companies are loathe to add yet another executive member to their teams choosing to delegate the privacy task to an existing employee.
"The IT industry loves a new title almost as much as it loves acronyms, but Australian companies produce more generalist executive holders compared to the US," she said.
Penalties
There are no set penalties for not complying with the new privacy regime. It is complaints-based legislation and determinations are made by the Privacy Commissioner Malcolm Crompton.
If a solution is not found it will then be directed to the High Court.
Privacy advocates Electronic Frontiers Australia has criticised the light-touch legislation, pointing out that under the act complainants do not have a right of appeal against a determination made by the commissioner.
Advocates expect a few high-profile cases next year to test the new legislation, so companies that lag behind could be under the microscope.
As the privacy compliance centre director Mark Sumich has warned: "Come December, consumer interest groups will be looking for some showcase examples of privacy in different businesses and the current regulatory climate in Australia is unforgiving for corporate malfeasance."
Kelly Mills and Lauren Thomsen-Moore contributed to this article.