We help to protect your own
Internet security is just like home security. You think about the risks and decide what you want to do about them. This site's intention is to give you information about the risks first of all, and then about ways to meet them. Unfortunately, there is no way, yet, to get insurance against hackers taking over your PC (as there is insurance against common burglary). You have to think about the risks and decide what to do yourself.

SOHO Data Defence

Small and medium business and Privacy regulations in Australia

In addition to all the dangers that await everyone on the Net, such as computer hijacking, identity theft, productivity and indirect business losses, a business in Australia has a legal obligation to keep all the personal data it holds secure. Some small businesses with a turnover of less than 3 million dollars do not have to comply with the Federal Privacy Act. States have their own privacy legislation (the State of Victoria has the Information Privacy Act). If you want to verify whether privacy legislation applies to your business, please ask the appropriate state or federal Privacy Commissioner's office or your legal advisor.

Privacy legislation requires many things from private businesses, but I want to bring up one aspect: Principle 4 - Data security, from the National Privacy Principles. It requires an organisation to take reasonable care to protect private information. Every business to which privacy legislation applies should consider whether it is taking reasonable care of the private information it stores.

What could reasonable care include? It would include technical and organisational means.

From the information systems technology side, it would be something like this:
  • It definitely has to include a properly maintained antivirus product, so that the most active sort of malicious software would not be able to access private information
  • It has to include a professionally configured and monitored firewall, to prevent unauthorised access to private information from the outside
  • It would (most probably) include storing private information in encrypted form, especially if it resides on an easily removable carrier, such as a floppy disk, CD-ROM or laptop hard drive.
From the organisational side, it would include:
  • A specific section in the company policy or security policy, or even a special policy, on collecting, storing, handling and destroying private information
  • Means to verify that the policy has been enforced

Are you sure that your business is compliant?

Site news:
  • Site is back and will be updated regularly!
  • Updated: New link in Standards; Why XP SP2 is a MUST, News, Links to free antivirus added, Dangers updated, Link to the new Personal Firewall review, IPSec advice
  • Added: MS Security Readiness Kit link, Protection against Computer Hijacking
  • Energy Secretary fires nuclear security chief, apparently for bad information security. More here.
    13 January 2006
    No big virus outbreaks for a long time.
    3 January 2006