Australian Government - Office of the Australian Information Commissioner

Chapter 3: Enforceable undertakings

Legislative framework

3.1 An enforceable undertaking is a written agreement between an entity or person (the respondent) and the Commissioner, which is provided under either the Privacy Act or the PCEHR Act and is enforceable against the respondent in the courts.

Enforceable undertaking under the Privacy Act

3.2 Section 33E of the Privacy Act empowers the Commissioner to accept a written undertaking given by an entity that it will either:

  • take specified action in order to comply with the Privacy Act

  • refrain from taking specified action in order to comply with the Privacy Act

  • take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

3.3 An enforceable undertaking may be varied or withdrawn with the consent of the Commissioner (s 33E(3)), or cancelled by the Commissioner (s 33E(4)).

3.4 If the OAIC considers that an entity has breached an undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking (s 33F).

Enforceable undertaking under the PCEHR Act

3.5 Section 94 of the PCEHR Act empowers the Commissioner to accept a written undertaking given by a person that the person will:

  • take specified action in order to comply with the PCEHR Act

  • refrain from taking specified action in order to comply with the PCEHR Act

  • take specified action directed towards ensuring that the person does not contravene the PCEHR Act, or is unlikely to contravene the PCEHR Act, in the future.

3.6 An enforceable undertaking may be varied or withdrawn with the consent of the Commissioner (s 94(4)), or cancelled by the Commissioner (s 94(6)).

3.7 If the OAIC considers that a person has breached an undertaking, the Commissioner may apply to a court to enforce the undertaking (s 95).

Which Act to use?

3.8 Acts or practices that interfere with an individual’s privacy but do not relate to a contravention of the PCEHR Act are governed by the Privacy Act and an enforceable undertaking that relates to those acts or practices will be accepted by the Commissioner under the Privacy Act.

3.9 Acts or practices that contravene certain provisions of the PCEHR Act are breaches of the PCEHR Act and are also deemed by s 73 of that Act to be an interference with an individual’s privacy for the purposes of the Privacy Act. Depending on the circumstances, an enforceable undertaking in relation to these contraventions may be able to be accepted under the PCEHR Act or the Privacy Act.

3.10 Section 94 of the PCEHR Act also empowers the PCEHR System Operator[1] to accept enforceable undertakings. The OAIC may consult with the System Operator when investigating a complaint and considering accepting an undertaking, in line with the Agreement for information sharing and complaint referral relating to the personally controlled electronic health (eHealth) record system[2] between the OAIC and the System Operator.

Purpose and key features of an enforceable undertaking

3.11 An enforceable undertaking is an important enforcement tool for use in situations where there has been or appears to have been an interference with the privacy of an individual[3] and the OAIC considers an agreed change to future behaviour offers the most appropriate regulatory outcome in the particular circumstances.

3.12 Generally, an enforceable undertaking seeks to have a respondent voluntarily agree to:

  • modify its acts, practices, procedures or behaviour to ensure it complies with the law (for example, ceasing the practice that led to the breach or implementing new policies for handling personal information)

  • remedy the damage any breach has caused (for example making an apology or making a payment to an individual or individuals to rectify damage)

  • commit to certain future compliance measures (for example conduct reviews and audits, training for managers and staff and implementing a compliance monitoring and reporting framework).

Who can give an enforceable undertaking?

3.13 An enforceable undertaking under the Privacy Act can only be given by ‘an entity’. The term ‘entity’ means an agency, an organisation or a small business operator (these terms are further defined in s 6(1)). The term ‘organisation’ can include an individual (including a sole trader).

3.14 An undertaking under the PCEHR Act can be given by ‘a person’.[4] This term captures both individuals and participants in the PCEHR system, such as registered repository operators, portal operators and healthcare provider organisations.

3.15 For each undertaking, the individual giving and executing the undertaking must have the authority to negotiate on behalf of, and bind, the respondent entity or person.

At what point can an enforceable undertaking be accepted?

3.16 The Commissioner may accept an enforceable undertaking given by an entity or person where the OAIC considers there is a reasonable basis to suggest that the entity or person has interfered with the privacy of an individual. For example, an enforceable undertaking may be accepted during a complaint investigation, an enquiry into a data breach incident, or a Commissioner initiated investigation.

3.17 An enforceable undertaking may form part of a conciliated outcome following a complaint. Section 40A of the Privacy Act requires the OAIC to make a reasonable attempt to conciliate a complaint where the OAIC considers there is a reasonable possibility that the complaint can be conciliated successfully.

Enforceable undertaking terms and requirements

3.18 The Privacy Act and the PCEHR Act do not impose a particular structure for an enforceable undertaking. However, the key requirements under both Acts must be met: the undertaking must be in writing and must be expressed to be an undertaking under the relevant section of the relevant Act.

3.19 In addition, the OAIC expects that the terms of any undertaking will usually (at a minimum):

  • state the name of the respondent, the date the undertaking was accepted by the Commissioner and the date when the undertaking comes into effect

  • be signed by the CEO or other senior executive of the respondent and the Commissioner (or approved delegate) – without the signature of both parties, the undertaking has no effect

  • describe the act(s) or practice(s) about which the OAIC is concerned

  • outline specified steps the respondent will take to rectify the act or practice, and ensure that it is not repeated or continued. This will usually include a requirement for the respondent to complete reviews and establish a monitoring and reporting framework. Specifically, the respondent will usually be required to:

    • nominate in writing a representative responsible for overseeing compliance with the requirements of the undertaking and reporting to the OAIC

    • engage, in consultation with the OAIC, an appropriately experienced and qualified third party to review the act or practice and make recommendations for the purpose of improving the respondent’s compliance with the Privacy Act

    • provide a copy of the third party’s report to the OAIC

    • implement the recommendations in that report

    • provide a certification by the third party to the OAIC that the respondent has implemented the recommendations and rectified the deficiencies identified by the review.

  • outline what, if any, steps the respondent will take to notify individuals affected by the act or practice, where it has not already done so

  • contain dates by which the respondent is required to complete each step

  • be readily understood; for example, an undertaking that deals with complex and technical issues may have a glossary to define the terms used

  • be capable of implementation and include action which is capable of being measured or tested objectively

  • be certain and capable of enforcement; for example, each step that the respondent is required to complete must be clear and unambiguous

  • contain the respondent’s agreement to material that arose in conciliation (if conciliation occurred) being submitted in any proceeding to enforce the undertaking.[5] Where an undertaking forms part of a conciliated outcome, this could be achieved by a statement of agreed facts being attached to the undertaking with the consent of both the respondent and complainant

  • outline what, if any, steps the respondent will take to resolve the matter with individuals affected by the act or practice, for example, a payment the respondent will make by way of compensation for any loss or damage suffered by reason of the act or practice of concern

  • contain the respondent’s acknowledgement that the OAIC may publish the undertaking in full (see ‘Publication’ below for further information). Any concerns the respondent has about publication should be raised and resolved as the terms of the undertaking are being negotiated.

3.20 For undertakings under the PCEHR Act, reference should also be made to clause 8 of the PCEHR Enforcement Guidelines when considering the terms of an undertaking.

3.21 The OAIC will not accept an undertaking that:

  • denies responsibility for the act or practice of concern[6]

  • merely undertakes to comply with the law without explaining how compliance will be achieved

  • seeks to impose terms or conditions on the OAIC (however, the undertaking may include an acknowledgement that certain information provided to the OAIC in accordance with the undertaking is communicated in confidence).

Procedural steps

3.22 When the acceptance of an enforceable undertaking is a possible regulatory outcome in a matter, the OAIC will generally follow the process set out below.

Raising the possibility of an enforceable undertaking

3.23 The possibility of an enforceable undertaking may arise where either:

  • the respondent suggests to the OAIC that it gives an undertaking in relation to a matter
  • the OAIC raises the possibility of an undertaking with the respondent as a potential option in relation to a matter.

3.24 Before the OAIC raises the possibility of an undertaking, or when the respondent suggests giving an undertaking, the OAIC must assess whether an undertaking offers an appropriate regulatory outcome in a matter, or whether an alternative regulatory outcome would be more appropriate. In making this assessment, the OAIC will refer to the factors set out in paragraph 38 of the Privacy regulatory action policy or the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013.

Negotiating the terms of the enforceable undertaking

3.25 Where the OAIC considers that an undertaking may be an appropriate regulatory outcome in the matter and the respondent is willing to consider giving an undertaking in relation to the matter, the OAIC and respondent can commence negotiation of the terms of that undertaking.

3.26 When negotiating the terms of the enforceable undertaking, the OAIC will have regard to:

  • the requirements for the terms of an undertaking set out above in this chapter or (if the undertaking is related to the PCEHR Act) clauses 8.8 and 8.9 of the PCEHR Enforcement Guidelines

  • the interests of individuals who have been the subject of an interference with privacy

  • the OAIC’s goal of taking enforcement action and how an undertaking will contribute to fulfilling the OAIC’s regulatory role in the particular matter (see paragraphs 10-11 of the Privacy regulatory action policy)

  • the principles guiding regulatory decisions and action outlined in paragraphs 14-16 of the Privacy regulatory action policy or (if the undertaking is related to the PCEHR Act) clause 6.1 of the PCEHR Enforcement Guidelines.

3.27 Up until an undertaking is accepted and signed by the Commissioner, the Commissioner retains the discretion to accept or not accept the undertaking when it is submitted for final approval. Any agreement on terms between OAIC staff and the respondent is ‘in principle’ agreement only and subject to final acceptance by the Commissioner.

3.28 At the outset of negotiations, the OAIC will identify a reasonable time frame within which any undertaking should be negotiated. If an agreed undertaking cannot be negotiated within that time, the OAIC will consider pursuing alternative enforcement mechanisms in the matter such as proceeding to making a determination.

Commissioner considers whether to accept the enforceable undertaking

3.29 Where OAIC staff and the respondent have reached agreement on terms, the proposed undertaking to be given by the respondent will be submitted to the Commissioner for consideration.

3.30 The decision to accept an undertaking in the terms given by the respondent will be made by the Commissioner.

3.31 Whether the Commissioner accepts an undertaking will be determined on a case-by-case basis, with reference to the Privacy regulatory action policy and the PCEHR Enforcement Guidelines (as applicable), and whether the Commissioner believes that the respondent has the ability to, and genuinely intends to, comply with the terms of the undertaking.

Decision communicated to the respondent

3.32 The OAIC will communicate the Commissioner’s decision in writing to the respondent.

3.33 Where the Commissioner has agreed to accept the undertaking, this written correspondence will request the respondent to arrange signing of the undertaking by the CEO or other senior executive of the respondent, before returning the signed copy to the OAIC for execution by the Commissioner.

3.34 Where the Commissioner has not agreed to accept the undertaking, the written correspondence will advise the respondent of the OAIC’s next steps in the matter. This may involve further negotiations in relation to the proposed undertaking, or consideration of alternative enforcement action.

Undertaking published

3.35 Once the undertaking has been executed by both the respondent and the Commissioner, the OAIC will generally publish the undertaking (see the ‘Publication’ heading below).

Ongoing monitoring

3.36 It is the respondent’s responsibility to ensure it complies with the terms of the undertaking. The OAIC will maintain contact with the respondent and monitor the respondent’s compliance, including by ensuring that required reports and notifications are provided in accordance with the timeframes outlined in the enforceable undertaking. If the respondent breaches the undertaking, the OAIC may take further action (see below).

Varying, withdrawing and cancelling an enforceable undertaking

3.37 A respondent can vary or withdraw an enforceable undertaking, but must have the consent of the Commissioner in order to do so.[7]

3.38 The decision as to whether or not to allow a respondent to vary or withdraw an undertaking will be made by the Commissioner on a case-by-case basis.

3.39 The Commissioner generally will only consent to the variation or withdrawal of an undertaking if:

  • compliance with the enforceable undertaking is subsequently found to be impractical, or

  • there has been a material change in the circumstances which led to the undertaking being given, meaning that variation or withdrawal are appropriate in the circumstances.

3.40 In addition, the Commissioner will only consent to variation or withdrawal where satisfied that an appropriate regulatory outcome will still be achieved in the circumstances. In the case of the withdrawal of an undertaking, this may mean the OAIC decides to take alternative enforcement action.

3.41 A respondent wishing to seek consent to varying or withdrawing an undertaking should make a request in writing to the OAIC. Where the Commissioner consents to the variation or withdrawal of an undertaking, the OAIC will communicate this decision to the respondent in writing.[8]

3.42 In addition, the Commissioner may, by written notice given to the respondent, cancel an undertaking accepted under either the Privacy Act or the PCEHR Act.[9] A decision to cancel an undertaking would normally only be made where subsequent information or conduct by the respondent leads the OAIC to consider that the undertaking is not an effective regulatory outcome in the circumstances. This is only expected to occur in exceptional circumstances, for example, if the OAIC was misled about the extent of a particular breach.

Breach of an enforceable undertaking

3.43 Where the OAIC believes that a respondent has breached the terms of an enforceable undertaking, the OAIC will generally use the following procedure.

3.44 The OAIC will first bring the issue of suspected or actual non-compliance with the terms of the undertaking to the attention of the respondent and seek a response. This notification and response may be sufficient to resolve the breach.

3.45 The OAIC may decide to address non-compliance through the court enforcement mechanisms provided for under the Privacy Act (s 33F) and the PCEHR Act (s 95). This process is outlined below.

3.46 The factors which the OAIC will take into account when deciding whether to seek an order from a court to enforce an undertaking are set out in paragraph 38 of the Privacy regulatory action policy (for a non-PCEHR-related undertaking) and clauses 8.13-8.14 of the PCEHR Enforcement Guidelines (for a PCEHR system-related undertaking). In addition, the OAIC will also take the following factors into account:

  • the nature and length of non-compliance
  • the reason for non-compliance
  • whether the non-compliance was inadvertent
  • whether the respondent had previously not complied with the terms.

3.47 In limited circumstances, the OAIC may initiate further negotiations with the respondent with a view to expanding or otherwise varying the terms of the undertaking.

3.48 For an undertaking relating to compliance with the PCEHR Act, the OAIC may also refer the issue to the PCEHR System Operator who has the power to take administrative action against the respondent.

Enforcement through the Court

3.49 Where the OAIC decides to address non-compliance through the court enforcement mechanisms (s 33F Privacy Act and s 95 PCEHR Act), the OAIC may apply to a relevant court for one of a number of orders.

3.50 In general terms, a court may make any or all of the following orders:

  • directing the respondent to comply with the undertaking
  • directing the respondent to pay compensation
  • any other kind that the court thinks appropriate.

Publication

3.51 Section 33E(5) of the Privacy Act and s 94(7) of the PCEHR Act allow the OAIC to publish an enforceable undertaking on the OAIC’s website.

3.52 Generally, the OAIC will publish an undertaking on its website <www.oaic.gov.au>. An undertaking will usually contain an acknowledgement from the respondent that the undertaking may be published, unless the OAIC has agreed otherwise with the respondent when the undertaking terms were being negotiated (see above). The OAIC may agree otherwise where it is inappropriate to publish all or part of an undertaking because of statutory secrecy provisions or for reasons of privacy, confidentiality, commercial sensitivity, security or privilege.

3.53 The publication of an undertaking may be accompanied by other communications such as a media release, media interview or social media posts. The OAIC generally will also publicly communicate:

  • a decision by the Commissioner to vary, withdraw or cancel a published undertaking
  • the initiation of court proceedings to enforce an undertaking.

3.54 In addition, before court proceedings are initiated, the OAIC may publicly communicate the fact that a respondent has breached the terms of an undertaking and that the OAIC is making inquiries with the respondent.

Footnotes

[1] ‘System Operator’ is defined in s 14 of the PCEHR Act.

[2] Agreement for information sharing and complaint referral relating to the personally controlled electronic health (eHealth) record system <www.oaic.gov.au/about-us/corporate-information/memorandums-of-understanding/oaic-system-operator-information-sharing-agreement>

[3] The Privacy regulatory action policy and the PCEHR Enforcement Guidelines (clause 4.11) outline the range of avenues through which the OAIC may become aware of alleged interferences with privacy or other privacy concerns.

[4] The term ‘person’ is not defined in the PCEHR Act, so the meaning is drawn from the Acts Interpretation Act 1901 (Cth). That Act states that expressions used to denote persons generally, such as ‘person’, include a body politic or body corporate as well as an individual (s 2C).

[5] This is necessary because s 40A(5) of the Privacy Act limits the circumstances in which evidence of anything said or done in the course of the conciliation can be relied upon in legal proceedings. Such material can be used for this purpose where both the respondent and complainant agree. The OAIC would also need to obtain the complainant’s agreement before material from conciliation can be submitted in enforcement proceedings.

[6] However, this does not preclude the possibility of an enforceable undertaking being accepted on a ‘without prejudice’ basis in circumstances where the OAIC considers that it would provide an effective regulatory outcome.

[7] Privacy Act s 33E(3); PCEHR Act s 94(4).

[8] While s 33E of the Privacy Act does not specify that written consent is required, the OAIC will only give consent in writing given the original undertaking is recorded in writing.

[9] See s 33E(4) of the Privacy Act and s 94(6) of the PCEHR Act; also see clause 8.3 of the PCEHR Guidelines.