Australian Government - Office of the Australian Information Commissioner

Message from the Privacy Commissioner, Timothy Pilgrim

The most significant reforms to the Privacy Act 1988 (Privacy Act) since its commencement passed through the Parliament in November 2012. As I foreshadowed in last year's annual report, these reforms include a new set of Australian Privacy Principles (APPs), which will replace the existing Information Privacy Principles that apply to Australian and Norfolk Island Government Agencies, and the National Privacy Principles that apply to many private sector organisations. Part IIIA of the Privacy Act, which regulates the handling of personal credit information, was also significantly amended to provide for, amongst other things, the inclusion of additional information sets to assist entities participating in the credit system to make decisions about the provision of credit. As well, the amendments to the Privacy Act provide the Commissioners with broadened code making powers and the ability to undertake performance assessments of private sector organisations under the APPs. The Commissioners will also have access to additional enforcement powers for resolving investigations including obtaining enforceable undertakings and, in the case of serious or repeated breaches, seeking civil penalties through the courts.

The amendments will commence on 12 March 2014 and their passage was a pivotal moment as it refocused both Australian Government Agencies and private sector organisations on the need to ensure that they respect the personal information entrusted to them by the community. There will be a considerable amount of work to do for all entities covered by the Privacy Act, and for the Office of the Australian Information Commissioner (OAIC), in preparation for the commencement date. The OAIC has already started to develop new guidance material to assist entities to comply with the APPs, the credit provisions of Part IIIA and to understand how the OAIC will utilise its new regulatory tools. In all, approximately 50 sets of key guidance material, information sheets and various legislative instruments will need to be ready for 12 March 2014.

While this is a daunting task for the OAIC, given that it has received no additional resourcing for this implementation work, I am extremely pleased that by 30 June 2013 we had already released guidance material to assist entities to understand the key changes between the current sets of principles and the APPs, and the key changes to the credit provisions.

In December 2012, I requested that the Australian Retail Credit Association, in consultation with industry, commence the process of developing the draft Credit Code of practice to support the new credit provisions of the Privacy Act. The draft code is to be lodged with the OAIC by 1 July 2013.

Another important step was taken in respect of privacy reform during the year and that was the introduction into the Parliament of the Privacy Act (Privacy Alerts) Bill 2013. This Bill introduces a scheme for the mandatory reporting of serious breaches of personal information. I believe that this Bill will further the protection of personal information in Australia. While the Bill has passed the House of Representatives and had gained additional support via the Senate Legal and Constitutional Committee, it had not been debated in the Senate prior to it rising for the winter recess on 28 June 2013. It is my hope that the Bill will be passed by the Parliament in the near future.

The reforms to the Privacy Act will make it more responsive to the rapidly changing environment in which personal information flows. These flows are being facilitated by new and exciting technological advances. This statement is almost becoming redundant in the context of the speed at which these advances take place. We now expect that we will regularly see new ways in which personal information can be collected and used. Two pieces of technology that have caught the community's attention during the year because of their potential for doing just this were aerial drones, with the capacity to film while being controlled, and Google Glass, a wearable device that allows the user to collect, access and transmit information.

While such technology captures the community's attention it also captures the attention of privacy regulators globally. During the year privacy regulators around the world continued to foster greater international cooperation in the light of such developments. Through forums such as the Global Privacy Enforcement Network run under the auspices of the OECD, the APEC Cross Border Privacy Enforcement Arrangement and regional groupings of Privacy Regulators such as the Asia Pacific Privacy Authorities Forum, concerted efforts were undertaken to build a coordinated approach to regulating the protection of personal information as it moves around the globe.

People remain extremely sensitive to what is happening with their personal information. The release of information relating to the US PRISM system reignited an important and complex debate about the collection of personal information for the purpose of national security. While privacy laws around the world recognise that in democratic societies such as ours privacy cannot be absolute, it is even more important that where collection of individuals' personal information occurs for the broader interests of the community, there is as much transparency of these activities as possible. There is also need for the information to be protected in terms of strictly limiting its use, destroying unnecessary information in a timely way and ensuring that those entities with access to the information are subject to strict protocols and oversight by independent bodies. Greater transparency of these activities would help to go some way in engendering increased community trust.

So that the OAIC can be better placed to understand the contemporary views of the community, in terms of their expectations of privacy, the OAIC commenced its Community Attitudes to Privacy survey in June 2013. This survey has been run regularly for over a decade and is a key tool for assisting the OAIC to prioritise its activities under its privacy functions. This research has been highly valued over the years by many organisations that also use it to better understand their customers' expectations. To that end, I welcomed the sponsorship of this year's survey by the Commonwealth Bank, Henry Davis York and McAfee, and look forward to the release of the results in late 2013.

It is an exciting time to be working in the privacy field. The large scale of these reforms presents interesting challenges and opportunities for all of us as privacy laws are brought up to date with technology and contemporary approaches to privacy regulation. It also means that it is more important than ever for entities covered by the Privacy Act to be vigilant when handling personal information.