Introduction to the APPs and the OAIC’s regulatory approach
Director, Regulation and Strategy
Office of the Australian Information Commissioner (OAIC)
- Independent statutory authority
- OAIC remains operational
- Privacy Commissioner and staff will continue to administer the Privacy Act 1988
Let me first begin with a brief overview of the OAIC:
- We are an independent Government agency.
- We have 2 commissioners
At the moment we have responsibility for freedom of information functions, privacy functions and information policy functions.
Our privacy functions, set out in the Privacy Act are mainly carried out by the Privacy Commissioner.
As some of you may be aware, we were to be disbanded by 1 January 2015. What was going to happen was that the existing privacy functions would continue to be administered by the Privacy Commissioner and supporting staff from an office based in Sydney. The FOI Act was going to be administered jointly by other agencies. However, as the Bill which proposed these changes has not yet been passed by Parliament, we will continue in our current form until further notice. In short, it’s business as usual for privacy!
The OAIC Executive and staff are committed to ensuring that the Privacy Act and the FOI Act continue to operate effectively and that a smooth transition to any new arrangements will occur.
What does the Privacy Act cover?
- Information privacy
- Australian Privacy Principles
- Privacy Act contains provisions that deal with:
- ‘personal information’
- ‘sensitive information’ (such as health information)
- tax file numbers
- credit information
- Commissioner’s regulatory powers
Now, we will look more closely at the Privacy Act and the OAIC’s regulation of privacy.
The type of privacy protected by the Privacy Act is ‘information privacy’ – that is, people’s personal information. ‘Personal information’ is information that identifies you or could reasonably identify you. Common examples include your name, signature, address, telephone number, medical records, bank account details and commentary or an opinion about you. Some types of personal information, called “sensitive information” are considered particularly sensitive, and given a higher level of protection. Sensitive information includes information about a person’s health, their religion, politics, racial or ethnic origin, sexual orientation and so on. I am sure you can imagine that the consequences of this type of information being inappropriately handled could be especially serious.
The Privacy Act includes 13 Australian Privacy Principles (or APPs). These set out standards, rights and obligations for the handling, holding, accessing and correction of personal information, as well as imposing the higher standards for sensitive information.
The Act also contains provisions that deal with:
- tax file numbers
- information in Australia’s credit reporting system.
It also sets out regulatory powers that can be exercised by the Commissioner.
This presentation focuses on the APPs and the Commissioner’s regulatory powers. You can find lots of useful information on our website about these matters, as well as about the privacy regulation of TFNs and credit information. I’ll refer to a few key resources throughout this presentation.
Australian Privacy Principles
- 13 APPs
- Principles apply to government agencies and private sector organisations (referred to as ‘APP entities’)
- Structured to reflect the information life cycle — planning, collection, use and disclosure, quality and security, access and correction
- APP Guidelines
The APPs are legally binding principles which are the cornerstone of the privacy protection framework in the Privacy Act. The APPs set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. They apply to most Australian Government agencies and many private sector organisations, together called APP entities.
The APPs are principles-based law. What this means is that they set out relatively high-level objectives and principles, but don't include as many detailed and prescriptive rules about how those principles should be implemented. This provides you with the flexibility to tailor your personal information handling practices to your needs and business model, and to the diverse needs of individuals. The APPs are also technology neutral, which means that they apply equally to paper-based and digital environments.
The APPs are structured to reflect the personal information lifecycle. That is the APPs are ordered according to whether they deal with ensuring transparency in information collection, use and disclosure of information, information quality and security, and finally access and correction of information.
I will now go through each of the APPs to provide a little more detail. However, this will only be a brief summary. More detail about the APPs are contained in a key piece of guidance produced by our office called the APP guidelines.
The APP guidelines outline:
- the mandatory requirements in the APPs
- the OAIC’s interpretation of the APPs
- examples of how the APPs may apply to particular circumstances
- and suggestions for good privacy practice to supplement minimum compliance with the mandatory requirements in the APPs.
If you need more information about the APPs, I encourage you to consult the guidelines which are available on our website.
Now to the APPs.
APP 1 — Open and transparent management of personal information
- Take reasonable steps to implement practices, procedures and systems to ensure compliance with APPs
- Privacy policies must be clearly expressed and up to date
APP 1 is the bedrock principle for the APPs. By complying with this APP you will be establishing a culture and set of processes that will assist you in complying with all the other APPs, right from the start.
APP 1 requires you to put policies into place to ensure that you manage personal information in an open and transparent way. The intention behind APP 1 is to promote a 'privacy by design' approach, that is, to ensure that privacy compliance is included in the design of your information systems and practices from the beginning.
It does this in two ways.
First, it requires you to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure your compliance with the APPs. So how would this look? It could mean that you implement governance mechanisms, regular staff training, and a program of proactive review and audit of the adequacy and currency of your organisational practices, procedures and systems. We recognise that this is an area where people need some help and the OAIC has developed a Privacy management framework to assist you to develop or review your privacy program and related governance structures, and to meet the requirements set out in APP 1.2. I will talk more about this framework in the next slide.
Second, it requires you to have a clearly expressed and up-to-date privacy policy about how you manage personal information. That policy must set out:
- The kinds of personal information collected and held by you
- How you collect/hold personal information
- The purposes for which you collect, hold, use and disclose personal information
- Your access, correction and complaint mechanisms
- Whether you are likely to disclose personal information to overseas recipients, and the countries in which recipients are likely to be located.
Privacy management framework
Now, back to the Privacy management framework. You can see the outline of it here on the slide. You can use it to assist you to meet your ongoing compliance obligations to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs, as required by APP 1.2.
The Framework provides practical guidance on how to establish and implement a privacy management plan. It includes a four step approach that the OAIC expects you to take to meet your ongoing privacy obligations, and establish good privacy governance.
Step 1 is Embed. It looks at how you can embed a culture of privacy in your organisation or agency that enables compliance.
Step 2 is Establish. It looks at how you can establish robust and effective privacy practices, procedures and systems.
Step 3 is Evaluate. It looks at how you can evaluate your privacy practices, procedures and systems to ensure continued effectiveness.
Step 4 is Enhance. It looks at how you can enhance your response to privacy issues.
Within each step, the Framework outlines a number of things you should commit to in order to achieve that step. Which commitments you implement within each step, and who within your agency or organisation performs these, will depend upon your particular circumstances, including your size, resources and business model.
APP 2 — Anonymity and pseudonymity
- Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym
- Doesn’t apply if identification is required by law or it is impracticable
We now move on to APP 2 which requires you to provide individuals with the option of dealing with you using a pseudonym or of not identifying themselves. One of the reasons it does this is that by permitting individuals to interact with you anonymously, you reduce the risk of unnecessary collection of personal information.
You are not required to provide those options where:
- you are required or authorised by law or a court or tribunal order to deal with identified individuals, or
- it is impracticable for you to deal with individuals who have not identified themselves.
What is impracticable will depend on the circumstances. To give you an idea:
- An example of impracticability could be where an agency like Centrelink processes an application for a benefit from an individual and it can't deal with that individual without identification.
- On the other hand, if an individual is seeking general information from Centrelink, it shouldn't be necessary for the individual to provide identity details.
APP 3 — Collection of personal and sensitive information
- Covers collection of personal information and sensitive information
- Collection must be ‘reasonably necessary’ for one or more of an APP entity’s functions or activities
- Additional obligations apply to sensitive information.
We will now look at the next part of the information cycle – the collection of personal information – which is dealt with by APPs 3, 4 and 5.
APP 3 outlines when and how you may collect personal information that you solicit from an individual or another entity. You solicit personal information where you explicitly request another entity to provide it, or where you take active steps to collect it.
Under APP 3 you must not collect personal information unless it is reasonably necessary for one or more of your functions/activities.
Even more stringent requirements apply if you collect sensitive information. Unless an exception applies, you may only collect sensitive information where it is both reasonably necessary for your agency or organisation’s functions or activities and the individual concerned consents to your collection. One example of an exception is that you can collect sensitive information without consent if you are taking appropriate action in relation to suspected unlawful activity or serious misconduct.
It is also important to know that APP 3 only allows you to collect personal information by lawful and fair means. Examples of unlawful collection might include computer hacking or using an unauthorised listening device.
So when will your collection be unfair? This will depend on the circumstances. For example, it would usually be unfair for you to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if you were collecting the information in connection with a fraud investigation.
Finally, you must collect personal information from the individual concerned, unless this is unreasonable or impracticable. This might be where direct collection would jeopardise the purpose of collection or the integrity of the personal information collected, say where you are collecting the information as part of an investigation. There are also some additional exceptions about when personal information does not have to be directly collected that apply only to public sector agencies.
APP 4 — Dealing with unsolicited personal information
If an APP entity receives unsolicited personal information, it must:
- Assess whether it could have collected the information under APP 3
- If not, destroy or de-identify that information
- But different rules apply to Commonwealth records
APP 4 also deals with the collection of personal information. APP 4 outlines the steps you must take if you receive unsolicited personal information. Examples of unsolicited information include misdirected mail or a resume sent by a jobseeker on their own initiative, not in response to an advertised vacancy.
So what should you do if you receive unsolicited personal information? Firstly, APP 4 requires you to consider whether you could have collected the information under APP 3. If you could not have collected the personal information under APP 3, different rules apply according to whether or not the information is contained in a 'Commonwealth record'. Generally speaking, a Commonwealth record is any record held by a Commonwealth public sector agency.
- If the unsolicited personal information is contained in a Commonwealth record, APP 4 does not require it to be destroyed or de-identified. This is because special considerations apply to Commonwealth records, which can only be destroyed or altered in accordance with the Archives Act 1983 (Archives Act).
- If it is not contained in a Commonwealth record and it could not have been collected under APP 3, you must destroy or de-identify it as soon as practicable if it is lawful and reasonable to do so.
If you are not required to destroy or de-identify the unsolicited personal information under APP 4 – you can keep the personal information but must comply with APPs 5–13. I’ll move on to talk about those APPs now.
APP 5 — Notification of collection
- Outlines what an APP entity must tell an individual and when
- Who the entity is and how to contact it
- The purpose(s) of the collection
- Usual disclosures to third parties
- Complaint handling process
- Likely overseas disclosure
APPs 5 – 9 are about the next stage of the information cycle, dealing with personal information.
APP 5 – sets out the matters you must make an individual aware of when collecting that individual’s personal information. Some of these matters are set out on the slide.
Additional matters about which you must make an individual aware include:
- your identity and contact details
- the consequences if personal information is not collected
You must take reasonable steps to notify the individual about these matters when you collect personal information, regardless of who you have collected the information from. So, if you have collected an individual’s personal information from another business, you will still need to take reasonable steps to make sure the individual is aware of the relevant matters.
To give you an idea about what reasonable steps might involve, where you collect information from another business, you might require that business to notify the individual of those matters.
However, sometimes it may be reasonable for you to take no steps to notify an individual about the collection of the personal information. For example, where you collect personal information from an individual on a recurring basis in relation to the same matter, and you have already provided notice under APP 5. In this scenario, it might be that no reasonable steps are required for each subsequent collection.
APP 6 — Use or disclosure
Can only use or disclose personal information for:
- Purpose for which it was collected, or
- Secondary purpose if an exception applies
We now move on to APP 6, which outlines when you may use or disclose personal information.
Under APP 6, you may use or disclose personal information for the primary purpose of collection. So what does that mean in practice? Essentially it means you can use or disclose personal information for the reason it was collected. However, if you want to use or disclose the information for another purpose (the secondary purpose), you can only do so where the individual consents or another exception applies.
As you can imagine, there might be circumstances where an organisation or agency would want to use or disclose the information for a secondary purpose, without necessarily obtaining consent. So what are some of the exceptions?
- if the individual would reasonably expect you to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose
- if the use or disclosure is necessary to assist in the location of a person reported as missing
- if you have reason to suspect that unlawful activity or serious misconduct relating to your functions or activities may be being engaged in, and the use or disclosure is necessary for you to take appropriate action
- if the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
However, APP 6 does not apply where you are a private sector organisation and you are using or disclosing personal information for the purpose of direct marketing. Rather, APP 7 applies.
APP 7 — Direct Marketing
- Only use or disclose personal information for direct marketing purposes if certain conditions are met
- Opt-out option
- Direct marketing of sensitive information requires consent
APP 7 allows an organisation to use or disclose personal information for a direct marketing purpose under specific conditions. APP 7 doesn't apply to public sector agencies, only to private sector organisations.
So, when could your organisation use or disclose personal information for direct marketing? You can do this if you collected information from an individual and that individual would reasonably expect you to use or disclose the information for direct marketing purposes. However, where the individual wouldn’t reasonably expect you to use or disclose the information for that purpose, or you collected the information from a third party, then you would generally need to get the consent of the individual.
In each of these scenarios you will be required to provide a ‘simple means’ for the individual to opt-out of receiving any marketing. You must also generally include a ‘prominent statement’ informing the individual of the option to make such a request.
Again more stringent rules apply to sensitive information - APP 7 provides that you may only direct market using sensitive information if the individual has consented.
If you are using or disclosing information for a direct marketing purpose, the individual may also ask you to tell them where you got their information from.
You should also keep in mind that where another Act specifically deals with a particular type of direct marketing or direct marketing by a particular technology, this will override APP 7. For example, the Spam Act 2003 or the Do Not Call Register Act 2006, which contain specific provisions regarding direct marketing, will in some cases displace the provisions under APP 7. However, APP 7 will still apply to acts or practices of organisations that are exempt from those Acts.
APP 8 — Cross border disclosure
- Before disclosing personal information overseas, reasonable steps must be taken to ensure that the overseas recipient does not breach the APPs
- The APP entity will be accountable for a breach of the APPs by an overseas recipient
- Subject to exceptions
- OAIC’s resource on Sending personal information overseas
Now on to APP 8. APP 8 and section 16C deal with the disclosure of personal information to overseas recipients, and who is accountable if the overseas recipient of the information handles the information in a way that would breach the APPs.
So how does this work? Under APP 8, before you disclose personal information overseas, you must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information. In addition, section 16C provides that where you disclose personal information overseas, you will usually be accountable for breaches of the APPs by the overseas recipient. You might ask, why should your agency or organisation be held responsible for the breach of another? Well this is based on the principle of accountability in international privacy frameworks, which provide that an entity should remain accountable for the handling of personal information it discloses to others. This framework is intended to help individuals to be able to seek redress in Australia, if their information is mishandled overseas.
What reasonable steps could you take to comply with APP 8.1? It is generally expected that if you are going to disclose personal information to an overseas recipient, that you would enter into an enforceable contractual arrangement with the overseas recipient that requires them to handle the personal information in accordance with the APPs. Where this is not reasonable, you should take steps with a view to minimising the risk that the personal information will be mishandled by the overseas recipient. The OAIC has published a Business Resource on Sending Personal Information Overseas, which sets out some steps that might be taken and I would encourage you to look at this resource if you are considering sending information overseas or utilising an overseas based cloud service.
There are some exceptions to this requirement in APP 8.1 to take reasonable steps and to the accountability provision in s 16C, for example:
- if an individual consents to the cross-border disclosure, after you expressly inform them that APP 8.1 will no longer apply if they give their consent
- if the cross-border disclosure is required/authorised by or under an Australian law or court/tribunal order
- if you reasonably believe the overseas recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs, and the individual can access mechanisms to enforce that protection.
APP 9 — Adoption, use or disclosure of government related identifiers
- Prohibits an organisation from adopting, using or disclosing a government related identifier
- Number, letter, symbol used to identify an individual, e.g. Medicare #
- Exceptions include where the adoption, use or disclosure is required or authorised by law
APP 9 restricts the adoption, use and disclosure of government related identifiers by organisations. Like APP 7, this principle only applies to organisations.
An identifier might be a number, letter or symbol used to identify an individual or verify the identity of an individual. They include things like a Medicare number, Centrelink number or driver's licence number.
There are exceptions to the prohibition. For example, an organisation may adopt, use or disclose a government related identifier:
- where the adoption, use or disclosure is required or authorised by law
- where the use or disclosure is reasonably necessary for your organisation to verify the identity of the individual for its functions or activities
- where the use or disclosure is reasonably necessary for certain law enforcement purposes.
APP 10 — Quality
- An APP entity must take reasonable steps to ensure personal information it collects, uses or discloses is accurate, up to date and complete
- Must also take reasonable steps to ensure that personal information is relevant for the purpose of the use or disclosure
APP 10 and APP 11 deal with the next part of the information cycle – the integrity of personal information.
APP 10 requires you to take reasonable steps to ensure personal information you collect is accurate, up-to-date and complete. You must also ensure personal information you use or disclose is accurate, up-to-date, complete and relevant having regard to purpose of use or disclosure.
Some examples of reasonable steps your organisation might take could include:
- ensuring updated or new personal information is promptly added to relevant existing records
- reminding individuals to update their personal information each time your organisation engages with the individual
- contacting the individual to verify the quality of personal information when it is used or disclosed, particularly if there has been a lengthy period since collection
APP 11 — Security
- Must take reasonable steps to protect personal information held from misuse, interference and loss, and from unauthorised access, modification or disclosure
- Obligation to destroy or de-identify personal information in certain circumstances
- OAIC’s Guide to securing personal information
APP 11 requires you to take reasonable steps to protect personal information you hold. This includes protecting the information from interference, misuse and loss, and from unauthorised access, modification and disclosure.
What would reasonable steps include for APP 11? It is important that you consider how you will protect personal information at all stages of the information lifecycle: from before you collect the personal information (including whether you should collect the information at all), to when you collect and hold the information, to its eventual destruction or de-identification when you no longer need it.
So what happens if you don't need the information anymore? If you no longer need the information for any purpose for which it may be used or disclosed under the APPs, APP 11 requires you to take reasonable steps to destroy or de-identify it. Again, as with unsolicited information, this requirement does not apply to Commonwealth records, or where an Australian law or court/tribunal order requires you to retain the information.
The OAIC has published on its website a Guide to securing personal information. This guide sets out the information lifecycle, which is designed to help you visualise and understand the dynamic nature of personal information handling, and demonstrates why personal information security must be embedded in day-to-day processes, rather than only being considered in the context of specific projects or activities. It also includes examples of ‘reasonable steps’ you should consider taking to protect personal information.
APP 12 — Access to personal information
An APP entity must provide an individual with access to the personal information it holds about them, unless a specific exception applies
APPs 12 and 13 deal with the final part of the information cycle – that is, providing access to, and correction of, personal information.
If you hold personal information about an individual, APP 12 requires you to give the individual access to that information on request.
APP 12 also sets out other requirements in relation to giving an individual access, including how you must give access and when you can refuse access. There are separate grounds on which public sector agencies and private sector organisations may refuse to give access.
Where a request for access is made under the Privacy Act, public sector agencies must respond within 30 days. Private sector organisations need to respond within a reasonable period.
So what do you need to do if you are refusing to give access to an individual? Under APP 12, if you refuse to give access, or to give access in the manner requested, you must take such steps as are reasonable to give access in a way that meets both your needs and the needs of the individual. One such step you might take could be to use a mutually agreed intermediary.
Also, if you decide not to give an individual access you must generally provide written reasons for the refusal and the mechanisms available to complain about the refusal.
APP 13 — Correction of personal information
An APP entity must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading, if:
- the entity is satisfied it needs to be corrected, or
- the individual requests correction.
And now we come to APP 13 - the last of the APPs.
APP 13 requires you to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading.
So when would you need to do this? The requirement applies where:
- you are satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held, or
- an individual requests you to correct the personal information.
Again, special considerations apply to Commonwealth records, as these can only be destroyed or altered in accordance with the Archives Act.
Like APP 12, a public sector agency must respond within 30 days after the request is made and a private sector organisation within a reasonable timeframe. APP 13 also sets out other minimum procedural requirements in relation to correcting personal information. You must:
- take reasonable steps to notify other APP entities of a correction
- give notice to the individual which includes reasons and available complaint mechanisms if correction is refused
- take reasonable steps to associate a statement with personal information you refuse to correct
- respond to a request for correction or to associate a statement, and
- not charge an individual for making a request, correcting personal information or associating a statement.
OAIC’s regulatory powers
- Powers to:
- Promote privacy compliance
- Handle complaints and conduct investigations
- Enforcement powers
- OAIC’s Privacy regulatory action policy
Now that we have had a brief overview of the obligations in the APPs, I want to turn our focus to talk about how the OAIC, as the privacy regulator, works with organisations and agencies to ensure compliance with the APPs.
We have a range of regulatory powers. These include powers to:
- promote privacy compliance
- powers to handle complaints and conduct investigations
- and powers to enforce compliance.
Our preferred regulatory approach is to work with you to facilitate legal and best practice compliance. This will often be a more efficient and effective means of ensuring you understand and meet your privacy obligations.
With that introduction, I’ll now give a brief overview of some of our regulatory powers. If you would like more detail, I suggest you look at the OAIC’s Privacy regulatory action policy which outlines the OAICs privacy regulatory powers, and explains our approach to using them.
Promoting privacy compliance
- Approve enforceable codes
- Code obligations apply in addition to the APPs
- developed by entities (on their own initiative or on request) or by the Commissioner
- Privacy performance assessments
- Direct an agency to give the Commissioner a privacy impact assessment
One of the tools that can be used to clarify and promote best practice compliance is the APP code.
An APP code is a document that applies to a stated set of APP entities. It sets out how the APPs are to be complied with for those entities.
The Commissioner has the power to approve and register these codes, and they are enforceable – that is, once registered, they are mandatory requirements for the entities to which they apply.
The obligations in APP codes apply in addition to the APPs for entities bound by the code, and they may include obligations that go beyond the requirements of the APPs.
Codes may be developed by:
- entities on their own initiative
- a particular entity, body or association at the Commissioner’s request (if this is considered in the public interest)
- the Commissioner, on the Commissioner's own initiative, but only where an entity has not complied with the Commissioner's request to develop a code, or the Commissioner has not approved and registered the code that was developed following that request.
A code may be used by industry or the Commissioner to promote best privacy practice, address customer expectations for a particular industry or technology, or clarify how the APPs apply to the circumstances of a particular industry or technology.
If you are interested in developing an APP code, the OAIC has published Guidelines for developing codes which will assist you.
Privacy performance assessments
Another important power to promote privacy compliance is the power to conduct an assessment of whether an entity is maintaining and handling personal information in accordance with the APPs. These assessments may be conducted at any time.
These assessments are essentially audits. The OAIC sees these assessments as one way of working with you to ensure that you are meeting your privacy requirements and that you adopt best privacy practice standards.
Privacy impact assessment (PIA) directions
I’d now like to touch on another important power, and this relates to privacy impact assessments – or PIAs. Before I explain that power, I want to talk about what a privacy impact assessment is.
Privacy impact assessment (PIA)
- A systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact
- Consider conducting PIAs as a matter of course for projects that involve personal information.
- OAIC’s Guide to undertaking privacy impact assessments
Many of you will be familiar with this phrase, but for those who aren’t, a PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
PIAs are an important component in the protection of privacy, and you should consider conducting a PIA for projects that involve the handling of personal information as part of your overall risk management and planning process.
And why is it important to do a PIA? Well, a large part of a project’s success will depend on whether it meets legislative privacy requirements and community privacy expectations. Privacy issues that are not properly addressed can impact on the community’s trust in you and undermine the project’s success. It is in your interest to consider undertaking a PIA for any projects that handle personal information.
Relevantly, the Commissioner can require a public sector agency to give the Commissioner a PIA about a proposed activity or function. The Commissioner may issue a PIA direction where the proposed activity involves the handling of personal information, and the Commissioner considers that the activity or function might have a significant impact on the privacy of individuals.
However, the OAIC strongly encourages you to conduct PIAs as a matter of course for projects that involve personal information. Undertaking a threshold assessment, the first step in the PIA process set out in the OAIC’s guide, can help you determine whether a full PIA is necessary for a project, and should be routinely conducted for every project.
Typically, a PIA should be conducted when a particular activity or program is at the proposal stage. The findings of a PIA conducted at this stage can then be taken into account when designing the proposal before proceeding to implementation.
The OAIC has published a Guide to undertaking privacy impact assessments that will assist you to assess whether a PIA needs to be undertaken, and a step by step approach to conducting a PIA.
Complaints and investigations
- Privacy powers to investigate an alleged interference with privacy include powers to:
  - investigate a matter following a complaint by an individual
    - Can decline a complaint for certain reasons, or refer to an alternative complaint body
    - Otherwise, must attempt to conciliate the complaint
  - investigate on the Commissioner's own initiative (a ‘CII’)
Now on to some of the Commissioner’s powers to handle complaints and privacy investigations.
Firstly, privacy complaints: an individual can complain to the OAIC if he or she considers that his or her privacy has been interfered with. However, they must generally first complain to the organisation or agency that is the subject of the complaint.
Where it receives a complaint, the OAIC can decline to investigate it on a number of grounds, including that the organisation or agency has adequately dealt with it. If we accept it and investigate the complaint, we must make a reasonable attempt to conciliate the complaint. Most complaints are resolved in this way.
Commissioner initiated investigations (CIIs). The Information Commissioner also has the power to investigate an entity that is covered by the Privacy Act on his own initiative, that is, without someone making a complaint. These are called Commissioner initiated investigations, or CIIs. For example, if the media reports an alleged breach of privacy, the OAIC may take action and investigate before a complaint is made. The results of these investigations are published as Commissioner initiated investigation reports on the OAIC website.
When considering whether to open a CII following a data breach, the Commissioner will take into account whether the entity notified the OAIC of the incident and whether it responded appropriately to the breach.
I’ll speak more about notifying the OAIC of data breaches a little later.
- Enforcement powers, that range from less serious to more serious, include powers to:
  - Accept an enforceable undertaking
  - Make a determination following a complaint or CII
  - Bring proceedings to enforce a determination
  - Apply to the court for an injunction
  - Apply to the court for a civil penalty order for a breach of a civil penalty provision
Following a complaint where conciliation is not successful, or following a CII, the Commissioner may decide to take formal enforcement action. There are a number of options:
Enforceable undertakings. The Commissioner may accept an enforceable undertaking from an entity. An enforceable undertaking is a promise by an entity that it will take specified action or refrain from taking specified action in order to comply with the Privacy Act, or to ensure it does not do an act or engage in a practice that interferes with an individual’s privacy. If an entity does not comply with the terms of an undertaking it has given, the Commissioner may apply to the courts to enforce the undertaking. You can see the enforceable undertakings the Commissioner has entered into on our website.
Determinations. The Commissioner can make a determination, which is a decision that sets out whether the Privacy Act has been breached. A determination can include declarations that the entity do certain things, such as pay compensation or take specified steps within a set period to prevent the breach happening again. Determinations can provide useful guidance about the application of the Privacy Act, and they are published on our website. If an entity does not comply with a determination, the Commissioner may bring proceedings in the Federal Court to enforce it.
Injunctions and civil penalty orders. The last two enforcement powers involve court proceedings. First, the Commissioner may apply to the courts for an injunction to restrain a person from breaching the Act. Second, and importantly, the Commissioner may apply to the courts for an order that an entity pay the Commonwealth a civil penalty. The Information Commissioner can make this application where, for example, there is a serious or repeated breach of the Act. The penalty can be up to $1.7 million for organisations.
The OAIC’s focus will always be on working with you to ensure best practice compliance, and on resolving the majority of complaints via conciliation. However the Commissioner’s message has been that while he will always seek to resolve matters in this way, he will not shy away from using these enforcement powers where appropriate.
- Create and implement privacy management plan
- Consult OAIC guidance
- PIA for new information handling practices
- Manage customer/client expectations
- Clear APP 5 notice
- Staff training and awareness – OAIC’s Ten tips to protecting your customers’ personal information
- Robust IDR process
- Data breach notification – OAIC’s Data breach notification guide
Finally, some tips for you to ensure best practice compliance. This can enhance your agency or organisation’s reputation and its relationship with its customers, and minimise regulatory intervention.
The first, and most important, is to consider the OAIC’s privacy management framework and implement a privacy management plan. I spoke about this piece of guidance earlier. Our experience has shown that governance and accountability are key to good privacy practice and compliance. The following tips are all things that appear in the management framework, but I thought I’d draw them out as they are important.
So, if you are unsure how the Privacy Act applies to particular circumstances, you should always consult OAIC guidance, and I’ve referred to some of the key pieces of guidance throughout already. While the Commissioner’s decision will always depend on the circumstances of the case, our guidance gives an indication of how the Commissioner will interpret and apply the privacy laws. You can find our guidance on our website.
The next is to conduct a Privacy Impact Assessment for new information handling practices. I spoke about this a little earlier. This will assist you to identify and minimise any privacy risks. As I mentioned, there is a guide on our website that provides more information about undertaking a PIA.
Next, ensure that your staff implement and comply with privacy procedures and policies. Regular staff training and a culture of privacy awareness are essential to ensure compliance. A culture of privacy that is supported by senior members of the business, as outlined in the management framework, will assist you to achieve this. We have developed a resource for staff called Ten tips to protecting your customers’ personal information, which is a quick reference for staff about some of the key things to think about in terms of privacy.
Another thing that is important is to plan carefully for a breach, and have robust internal dispute resolution processes. In the event of a complaint by an individual, you can minimise the impact if you act quickly to respond and deal with the complaint. You should have a clear policy and procedure for dealing with complaints. It is particularly important for the frontline staff that deal with the individual, such as receptionists or call centre staff, to be trained and aware of these policies.
Finally, and on a related point, you should have a clear policy about how you will respond in the event of a data breach. The OAIC’s data breach notification guide sets out best practice standards for dealing with data breaches, and sets out when you should notify the OAIC of a data breach.
Need further information?
- Visit our website – www.oaic.gov.au
- OAIC resources
- Sign up for OAICnet newsletter
We have covered lots of information today and for more detail or to access the publications mentioned, please refer to our website.
We also have a number of new publications in the pipeline. To stay informed about the work of the OAIC, including new or updated pieces of guidance, important decisions or regulatory action, I encourage you to sign up for OAICnet newsletter in the ‘News and events’ section of our website.
So I hope that has provided you with a useful overview of the APPs, our regulatory powers and some of the key implications for your business.