Significant changes to the Privacy Act 1988 will commence on 12 March 2014. The changes include a new set of harmonised Australian Privacy Principles (or APPs) that will replace the two sets of principles that currently apply to Australian Government agencies and to businesses. There will also be changes to credit reporting, including the introduction of a more ‘comprehensive credit reporting’ system and a simplified and enhanced correction and complaints process. The reforms also include new enforcement powers and remedies in relation to investigations.
The Office of the Australian Information Commissioner (OAIC) has adopted an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements. Our compliance focus in the months following 12 March 2014 will be on working with entities to ensure that they understand the new requirements and have the systems in place to meet them. In resolving matters brought to the attention of the OAIC we will take into account the steps taken by entities to genuinely prepare for the changes and to comply with the new legal requirements.
Central to the OAIC’s enforcement approach is an escalation model that includes a range of regulatory responses.
Individuals will continue to have the right to make a complaint to the OAIC and we will deal with these according to our usual processes. That is, in the case of individual complaints, we would expect to see a person try to resolve a matter with the organisation or agency in the first instance. If the respondent is a member of a recognised External Dispute Resolution scheme, we would also expect the individual to have first accessed that scheme. If a matter is accepted by us, we will always attempt to resolve issues through conciliation. In relation to Commissioner-initiated investigations, the OAIC will work with respondent organisations and agencies to resolve the matter.
However, where conciliation or working with entities is not effective, we may use our other tools, including determinations, enforceable undertakings or, in the case of serious or repeated breaches, initiating court proceedings for civil penalties. This is consistent with our current practices and with the approach the OAIC has taken for some time.
The OAIC has been preparing detailed guidance to assist businesses and agencies to understand the reforms and make the necessary changes to their personal information handling practices. The OAIC has conducted a number of targeted and public consultation processes on this guidance to ensure that it is practical and useful. This guidance, together with other materials that set out the key changes and compliance checklists, is available on the OAIC website.
Prof John McMillan, Australian Information Commissioner
Timothy Pilgrim, Privacy Commissioner
Update: On 6 March 2014, the OAIC released a draft OAIC privacy regulatory action policy for consultation.