Privacy regulatory priorities 2020-21
The OAIC has identified four broad areas for regulatory focus in 2020-21:
- Online platforms, social media and high privacy impact technologies
- Security of personal information, particularly in the finance and health sectors, and in relation to failure to take reasonable steps to protect personal information where risks and mitigations have previously been publicised by the OAIC
- The implementation of the Consumer Data Right
- New personal information handling practices arising from COVID-19, including the COVIDSafe app.
The Office of the Australian Information Commissioner’s (OAIC’s) purpose is to promote and uphold privacy and information access rights. Our vision for privacy is to increase public trust and confidence in the protection of personal information. Our work has never been more important than it is now, in the midst of uncertain times, as we respond to the very serious challenges presented by the COVID-19 pandemic.
The OAIC has a range of regulatory functions, including handling privacy complaints made by individuals. We also conduct assessments (audits) to identify and mitigate risks to privacy. The OAIC’s assessment program focuses on personal information handling in areas where proactive monitoring can mitigate risks and provide the greatest overall benefit for the community.
The OAIC may also undertake Commissioner-initiated regulatory action, without a complaint from an individual. The objectives of Commissioner-initiated regulatory action are to deter, rectify and remedy conduct that interferes with privacy. In this way, we seek to influence the behaviour of regulated entities to comply with the Privacy Act 1988 (Privacy Act) and achieve improved privacy outcomes for the community.
Our 2020-21 OAIC Corporate Plan signalled our focus on advancing online privacy protections for Australians and influencing and upholding privacy frameworks. We are pursuing these goals by ensuring that compliance risks and significant or systemic issues are identified, and appropriate regulatory and enforcement action is taken to change practices.
Broadly, we are focused on taking regulatory action that gives individuals greater choice and control over the handling of their personal information; and which incentivises entities to build in systems and processes to comply and demonstrate accountability for handling the personal information with which they are entrusted.
In the current environment we also recognise that health and other personal information needs to be shared to prevent and manage COVID-19. We have a significant role to play in supporting public trust and confidence in the handling of our personal information to support these public health initiatives. The fast pace of change in this environment highlights the need for the OAIC to be agile and flexible in our approach and to take swift action where necessary.
Decisions to undertake regulatory action are taken in accordance with the OAIC’s Regulatory Action Policy. Factors taken into account include the objects of the Privacy Act; the seriousness of and level of public concern about the incident; the educational, deterrent or precedential value; any remedial action taken; and the likelihood of a further occurrence.
The OAIC’s Regulatory Action Policy also states that the OAIC may identify particular sectors in government or industry, or recurring acts or practices, that warrant privacy regulatory action.
The OAIC cannot take regulatory action on its own initiative in relation to all privacy issues. The OAIC is identifying sectors and acts or practices of concern and will prioritise matters that fit within those parameters over the next financial year.
OAIC privacy regulatory priorities for 2020-21
1. Online platforms and social media
The OAIC is currently preparing for the planned introduction of legislation to enable a binding code to apply to social media and online platforms. This will focus on issues such as increasing individuals’ ability to manage privacy choices through transparent policies, notices and clear and specific consent, as well as the protection of Australians with particular needs by ensuring privacy is built into products and services by design.
We will take regulatory action to shift certain behaviours of regulated entities and deter non-compliant conduct with privacy principles. The OAIC was provided with additional funding to facilitate timely responses to privacy complaints and support strengthened enforcement action in relation to social media and other online platforms that breach privacy regulations.
Priorities within this area include technologies and business practices that record, monitor, track and enable surveillance, which may impact the privacy of millions of Australians through opaque information sharing practices. We will also be focusing on the practices of online platforms and services, which impact on individual’s choice and control (including default settings, consents and security) and the accountability of these businesses for their personal information handling practices.
2. Security of personal information; particularly in the finance and health sectors
The security of personal information is the second clear area of regulatory focus. The OAIC has provided education, advice and reports on the known causes of notifiable data breaches. Consequently, the OAIC now has high expectations in relation to entities both reporting breaches in line with legislative requirements and improving the security of personal information they hold to prevent breaches.
The finance and health sectors will be areas of particular focus as these are the top two sectors reporting breaches. Consequently, the OAIC will focus regulatory attention on assessing elements of the My Health Record system, COVID-19 related privacy protections, as well as notifiable data breaches arising from the finance sector that relate to the security of personal information. The OAIC will also prioritise regulatory action where there are significant failings to take reasonable steps to protect personal information, particularly where risks and mitigations have previously been publicised by the OAIC.
3. Consumer Data Right
There are significant changes to information sharing practices through the introduction of the new Consumer Data Right (CDR). From 1 July 2020 the Consumer Data Right applies in the banking sector and will be expanded to the energy sector and then telecommunications.
Monitoring compliance and enforcement of CDR regulatory obligations will be jointly conducted by the ACCC and the OAIC. Our co-regulatory approach to compliance and enforcement will be underpinned by the objective of ensuring that consumers can trust the security and integrity of the CDR system. We will use a risk-based approach to monitoring compliance and taking action, and while prevention is always preferable, if breaches occur we will take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm.
Priority areas will include:
- Consent – ensuring accredited data recipients collect CDR data with valid consent from consumers
- Misuse or improper disclosure of CDR data – ensuring the proper handling of CDR data, including ensuring consent and data minimisation principles are complied with
- Security controls – ensuring CDR participants have sufficient controls and processes to protect CDR data from misuse, interference and loss, and unauthorised access, modification or disclosure.
Detailed information about our approach can be found in our joint Compliance and Enforcement Policy.
4. COVID-19 personal information handling practices
The protection of personal information provides individuals with the trust and confidence necessary to support and engage with public health initiatives. The OAIC is focused on providing timely guidance to assist regulated entities to implement programs and services quickly while at the same time ensuring that the personal information collected is only that which is reasonable, necessary and proportionate. We will call out areas for improvement by working constructively with government and regulated entities and taking action to rectify practices in a timely manner.
The Privacy Act was amended on 14 May 2020 to protect data in the COVIDSafe app and the National COVIDSafe Data Store. The OAIC has an independent oversight function and is actively monitoring and regulating compliance with the Privacy Act which governs the COVIDSafe app, including through conducting assessments (audits).