Privacy law reform came into the spotlight once again on May 6, with the release of the Government's Draft National Privacy Policy Guidelines, as a prelude to the introduction of new laws on December 21. Compliance with the new laws would be an obvious extension of Company Secretary duties and CSA believes it is vital that the Government provides sensible, workable reforms. The consultation period for the guidelines, which runs until July 6, is an important opportunity for Company Secretaries to take an active role in the development of the new legislation, and this survey covers some of the issues involved. Properly implemented reforms will have the potential to affect companies positively in the long term, but it is vital that any slated reforms do not place an unfair burden of compliance, and its associated costs, on companies.

1. Should the Privacy Act be extended from the public sector to the private sector? Yes/No

Yes        76%
No         7.6%
Unsure   3.8%

2. Should a breach of the Privacy Act be a civil or criminal action?

Civil            69.2%
Criminal        7.6%
Both            11.5%
Unsure         11.5%

Comments:

This would depend on the nature of the breach. Certain action which is harmful to an individual should be treated as a criminal offence while minor disclosures could be treated as a civil offence. The Act would need to spell out the difference between the two but the individual should have the right to apply to the courts for a ruling before taking action.

3. Has there been sufficient time to prepare your company's database of clients/customers for the new obligations under the Privacy Act? Yes/No

Yes         46%
No          42.3%
Unsure    11.5%

Comments:

At this stage the legislation has not been enacted and until it does, no action is required to be taken. The legislation allows a leadtime to enable companies to establish the necessary internal procedures.
Yes, the requirements have been known in general for some time. Those companies dealing with the EU should certainly be aware of their requirements — on which Australia's are based. The guidelines for developing your own industry codes were not out in sufficient time. The review, consultation and approval process is unlikely to be completed on time unless you were well on the way by the time the guidelines were provided.

4. Should the Company Secretary be responsible for ensuring a company complies with the Privacy legislation? Yes/No

Yes         57.6%
No          23%
Unsure    19.2%

Comments:

Not necessarily — it depends on a company's organisational structure.
The company should be responsible and should nominate a specific company officer to deal with compliance. In many companies this responsibility would be delegated to the Company Secretary as part of the corporate compliance function.
Responsibility should rest with the business units, who should report quarterly (or immediately when appropriate) to their compliance officers and then through to the Board via the quarterly compliance report, and to the Board Compliance Committee.
This is an administrative function which except for a very small company is unlikely to be the Company Secretary. Possibly treat as a Public Officer so each company could nominate a Privacy Officer which is responsible. Then a company can appoint a Company Secretary if it wishes to.
Yes, but might need assistance in large organisations eg the need for a questionnaire to be completed by all business units.
Yes, possibly in an overseeing capacity. Many companies are appointing a person/committee responsible for compliance and privacy could fall within that role. The Co Sec could oversee through the Corporate Governance aspects. Particularly to ensure the Board is provided with updates and sufficient training and information to recognise any risk to the organisation.

Tim Sheehy
CHIEF EXECUTIVE