Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner

Message from the Privacy Commissioner, Timothy Pilgrim

12 March 2014 saw the commencement of the reforms to the Privacy Act 1988 (Privacy Act), the culmination of the Review of the Privacy Act commenced by the Australian Law Reform Commission in 2006.

The successful implementation of these reforms was the result of excellent work by a committed and dedicated team of people within the Office of the Australian Information Commissioner (OAIC). As a result of their work, prior to the commencement of the reforms, the OAIC had released a series of materials designed to assist entities covered by the Privacy Act to comply with their responsibilities, including a comprehensive set of Australian Privacy Principles guidelines (APP guidelines), a series of fact sheets and the updating of a number of existing materials to reflect the changes to the Privacy Act. As well, the OAIC worked closely with industry to develop and subsequently approve the Credit Reporting Code, necessary to allow for the operation of the Credit Reporting provisions of the Privacy Act. The success of these processes was also due to a collaborative and consultative approach, working closely with those entities covered by the Privacy Act as well as civil society, intended to ensure that the material produced would be relevant and easily understood.

In the lead up to the commencement of the new provisions, and in the first few months of their operation, I have been heartened by the positive way in which entities have worked to ensure compliance. Regulatory reform of this size and complexity does by its nature result in implementation costs and an increased risk of adverse events. However, from my many meetings, particularly with large private sector organisations, I was reassured by the acknowledgment that while the implementation of these changes was a significant challenge, the benefits to organisations from the perspective of enhancing customer relationships were clearly visible.

During the year, the focus on the reforms, particularly through the media, raised awareness and acted as a reminder to the broader community of their privacy rights. This has been reflected in a marked increase in the number of people coming to the OAIC with privacy-related enquiries and complaints. During the financial year, the OAIC experienced an almost 10% increase in the number of privacy phone enquiries received, a 30% increase in the number of privacy written enquiries received and a hefty 183% increase in the number of privacy complaints. With regard to the increase in complaints, it was notable that for the first time two large data breaches resulted in a significant number of individual complaints being lodged with the OAIC about each matter.

Community awareness of, and concern with, their privacy remains a constant, as was reflected in the results of the OAIC's 2013 Community Attitudes to Privacy survey. The Survey results showed a community that, rather than accepting the view of some commentators that the online world removes any possibility for privacy, looks for ways to control what happens to their personal information. In that respect, a key finding of the Survey was that 63% of respondents had decided not to deal with an organisation or government agency because of concerns for how their personal information would be handled. Similarly, the vast majority of Australians, 96%, believe that organisations and government agencies need to be transparent about how they are going to handle their personal information. This issue continues to be a challenge for entities covered by the Privacy Act, as 51% of people also reported that they do not read privacy policies. The OAIC will focus on how to assist entities to make their privacy policies more accessible.

A further positive trend identified during the year was an increase in the number of voluntary data breach notifications. In line with the OAIC's voluntary data breach notification guidelines, a greater number of entities chose to notify the OAIC of a data breach incident. A total of 71 notifications were made, an increase of 16%. It is pleasing to see that an increasing number of entities recognised the benefits in notifying not just the OAIC but also their clients. In appropriate cases, notification can assist people to take further steps to secure their personal information following a breach and thereby limit any potential harm that could occur. Notification also demonstrates that an entity respects their customers' personal information and thereby strengthens the trust equation in the relationship.

Correspondingly, there were fewer occasions whereby I was required to commence a Commissioner initiated investigation (CII). CIIs are usually commenced when the OAIC becomes aware of a data breach through a third party rather than the affected organisation. The OAIC will continue to monitor these trends to assess whether there is a positive change in the privacy practices of entities covered by the Privacy Act.

Given that the reforms also included enhancements to the regulatory powers available to the Commissioners, the Australian Information Commissioner and I issued a joint statement on how we would undertake our regulatory role in the new environment. To build on that statement, the OAIC has started developing a Regulatory Action Policy and accompanying Guide. These materials will further clarify how the OAIC will use these enhanced regulatory powers. The guiding principle for this guidance is that the OAIC will work with entities in the first instance to ensure good privacy practices. This is a long-standing policy of both the OAIC and the former Office of the Privacy Commissioner. Consequently, our compliance focus in the months following March 2014 was to work with entities to ensure that they understand the new requirements and have the systems in place to meet them.

The future regulation of privacy in Australia will go through yet another change. As part of the announcement in the Budget that the OAIC would be disbanded, the Government also announced that an Office of the Privacy Commissioner would be established. I am confident that the importance that the community places in the protection of their personal information will be reflected in the regulatory approach of the new Office of the Privacy Commissioner, and in the work of a committed and dedicated team of colleagues.