Australian Government - Office of the Australian Information Commissioner

Introduction

June 2015

Purpose of the Guide to privacy regulatory action

The Guide to privacy regulatory action consists of different chapters, each relating to a regulatory power under the Privacy Act 1988 (Cth) (Privacy Act), the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) and other legislation that confers functions relating to privacy on the Commissioner.[1] Each chapter includes information about the legislative framework, purpose and procedural steps for exercising the regulatory power.

The purpose of this guide is to:

  • be a source of information for entities about the Office of the Australian Information Commissioner’s (OAIC’s) exercise of particular regulatory powers
  • provide OAIC staff with practical guidance about exercising a particular regulatory power
  • promote consistency and transparency in the OAIC’s exercise of its regulatory powers
  • facilitate efficient and effective regulatory action.

Other documents relating to regulatory powers

The Guide to privacy regulatory action is one of a suite of documents that relate to the OAIC’s use of its regulatory powers:

  • The Privacy regulatory action policy explains the OAIC’s approach to using its regulatory powers under the Privacy Act and other legislation, and communicating information publicly. This includes the considerations the OAIC will take into account in deciding when to take privacy regulatory action and what action to take. This document also explains the principles which will guide the OAIC when taking regulatory action, and the circumstances in which information about regulatory activity may be communicated publicly. The chapters in this guide should be read in conjunction with the policy.
  • The PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 is a registered legislative instrument which explains the OAIC’s approach to using its enforcement powers in its role as regulator of the personally controlled electronic health records system. These guidelines are made by the Commissioner under s 111 of the PCEHR Act.
  • A number of fact sheets and resources relate to the OAIC’s regulatory powers. These are designed to provide targeted information about specific regulatory powers to the OAIC’s various stakeholders, including complainants and regulated entities.

Regulatory powers available

As outlined in the Privacy regulatory action policy and the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013, the Privacy Act and PCEHR Act confer a range of enforcement and other regulatory powers on the Commissioner, which are based on an escalation model. These include the following powers:

  • directing an agency (but not an organisation) to give the Commissioner a privacy impact assessment (Privacy Act s 33D)
  • monitoring, or conducting an assessment of, whether personal information is being maintained and handled by an entity as required by law (Privacy Act ss 28A and 33C)
  • conciliating a complaint (Privacy Act s 40A)
  • investigating a matter (either in response to a complaint (Privacy Act s 40(1)) or on the Commissioner’s own initiative (Privacy Act s 40(2))), and various related powers including to decline to investigate a complaint (s 41), to refer the matter and discontinue an investigation where certain offences may have been committed (s 49), and to refer a complaint to a specified alternative complaint body (s 50) (see generally Privacy Act Part V)
  • reporting to the Minister in certain circumstances following an investigation, monitoring activity or assessment (Privacy Act ss 30 and 32)
  • accepting an enforceable undertaking (Privacy Act s 33E; PCEHR Act s 94)
  • bringing proceedings to enforce an enforceable undertaking (Privacy Act s 33F; PCEHR Act s 95)
  • making a determination (Privacy Act s 52)
  • bringing proceedings to enforce a determination (Privacy Act ss 55A and 62)
  • seeking an injunction (Privacy Act s 98; PCEHR Act s 96)
  • applying to the court for a civil penalty order (Privacy Act s 80W; PCEHR Act s 79).

Contraventions of certain provisions of the PCEHR Act are ‘interferences with privacy’ for the purposes of the Privacy Act and the OAIC may investigate those contraventions either under the Privacy Act (using the investigative provisions in Part V of the Privacy Act) or under the PCEHR Act. The PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 provide guidance about the OAIC’s approach to investigating these PCEHR Act contraventions.

It is open to the OAIC to use a combination of privacy regulatory powers to address a particular matter.

Regulatory action principles

The Privacy regulatory action policy sets out the principles which will guide the OAIC when it takes privacy regulatory action. These principles are independence, accountability, proportionality, consistency, timeliness and transparency.

The OAIC will take regulatory action in accordance with the principles set out in the Privacy regulatory action policy and, where relevant, the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013.

Importantly, when taking privacy regulatory action, the OAIC will act consistently with general principles of good decision making, as explained in the Best Practice Guides published by the Administrative Review Council in 2007.[2] In particular, the OAIC will act fairly and in accordance with principles of natural justice (or procedural fairness).

In addition, in any litigation, the OAIC will act in accordance with its obligations to act as a model litigant in accordance with the Legal Services Directions 2005.

Approach to using regulatory powers and selecting appropriate action

The preferred regulatory approach of the OAIC is to work with entities to facilitate legal and best practice compliance.

An investigation may be commenced by the OAIC into a suspected or alleged interference with privacy, either on receipt of a complaint or as a Commissioner initiated investigation (CII).

Following a complaint investigation or CII, the Commissioner may decide to take enforcement action against an entity. The available enforcement powers escalate from less serious to more serious options.

The Privacy regulatory action policy and PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 provide further guidance about how the OAIC decides whether to take privacy regulatory action and what action to take, including:

  • the steps the OAIC can use to facilitate legal and best practice compliance
  • the factors taken into account in deciding when to take privacy regulatory action, and what action to take
  • the sources of information the OAIC will consider in seeking to identify both systemic issues and serious issues that can be targeted for privacy regulatory action.

When making a decision as to whether or not to exercise a regulatory power, the OAIC will be guided by the Privacy regulatory action policy or PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 as appropriate.

Footnotes

[1] For example, Part VIIC Division 5 of the Crimes Act 1914 (Cth) confers on the Commissioner regulatory powers in relation to spent convictions.

[2] The Administrative Review Council Best Practice Guides are published at Other ARC publications <www.arc.ag.gov.au/Publications/Reports/Pages/OtherDocuments.aspx>