Submission to the Australian Human Rights Commission on Rights and Responsibilities 2014 Discussion Paper

1 November 2014

Overview

As Australian Privacy Commissioner, I appreciate this opportunity to make a submission on the Australian Human Rights Commission’s Rights and Responsibilities 2014 Discussion Paper. I make this submission in the context of privacy being an important human right protected under the International Covenant on Civil and Political Rights and Australian laws.

This submission explains how the right to privacy is regulated in Australia and the functions and activities that are currently being undertaken to promote and protect this human right. The comments may also assist in identifying practical initiatives to advance the promotion and protection of other human rights and freedoms more generally.

The comments in this submission are structured as follows:

  • An overview of the laws that protect the right to privacy in Australia.
  • Steps the Office of the Australian Information Commissioner (the OAIC) takes to influence laws and policies that may unduly restrict the exercise of the right to privacy.
  • Initiatives undertaken by the OAIC to promote a culture of respect for the right to privacy.
  • How the protection and promotion of the right to privacy could be advanced further.

About the Office of the Australian Information Commissioner

The OAIC was established by the Australian Information Commissioner Act 2010 (Cth) and commenced operation on 1 November 2010. The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner. In exercising its privacy functions, the OAIC’s central aim is to protect the community’s personal information rights, and to work closely with Australian government agencies and private sector organisations to ensure that such information is respected and protected.

The Australian Government has introduced a Bill into Parliament to abolish the OAIC on 31 December 2014.[1] This was passed by the House of Representatives on 28 October 2014, and has been referred to the Senate Legal and Constitutional Affairs Committee for report by 25 November 2014. Under the Bill, privacy matters will be handled by the Australian Privacy Commissioner from 1 January 2015.

How is the right to privacy protected in Australia?

International Covenant on Civil and Political Rights

As noted in the Discussion Paper, Australia has agreed to uphold and respect seven main international human rights treaties. This includes the International Covenant on Civil and Political Rights (the ICCPR). The right to privacy is protected at Article 17 of the ICCPR, which states:

  1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  2. Everyone has the right to the protection of the law against such interference or attacks.

To the extent that there is a restriction on an individual’s right to privacy, any interference must be ‘necessary for reaching a legitimate aim, as well as in proportion to the aim and the least intrusive option available.’[2]

Other international human rights instruments, as well as laws across many countries at the regional and national level, contain similar provisions. As recently noted by the Office of the High Commissioner for Human Rights, these laws reflect the ‘universal recognition of the fundamental importance, and enduring relevance, of the right to privacy and of the need to ensure that it is safeguarded, in law and in practice.’[3]

The Australian Privacy Act 1988

The Privacy Act gives effect, in part, to Australia’s obligations under Article 17 of the ICCPR.[4] It establishes a strong and effective mechanism for protecting individuals’ personal information, that is, information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The objectives of the Privacy Act include promoting the protection of the privacy of individuals and promoting the responsible and transparent handling of personal information by entities.[5] As principles-based law, the Act is able to apply to many different Australian Government agencies and industry sectors, and to the myriad of ways personal information is handled in Australia. Moreover, the Act provides an accessible mechanism for individuals to complain about acts or practices that may be an interference with their privacy and a range of powers that allow the Commissioner to resolve those disputes.

The Act includes thirteen Australian Privacy Principles (APPs), which apply to most private sector organisations and Australian and Norfolk Island Government agencies (referred to as APP entities). The APPs set out standards, rights and obligations for the handling, holding, accessing and correction of personal information (including sensitive information). A breach of an APP is an ‘interference with the privacy of an individual’.

This principles-based law provides entities with the flexibility to tailor their personal information handling practices to their diverse needs and business models, and to the diverse needs of individuals.[6] The APPs are also technology neutral, applying equally to paper-based and digital environments. This helps to preserve their relevance and applicability, in a context of continually changing and emerging technologies.

The Privacy Act also contains provisions that regulate consumer credit reporting, specifically, the handling of personal information about the credit worthiness of an individual. For example, the provisions in Part IIIA of the Privacy Act outline:

  • the types of personal information that credit providers can disclose to a credit reporting body, for the purpose of that information being included in an individual’s credit report
  • what entities can handle that information, and
  • the purposes for which that information may be handled.

In addition, the Privacy Act regulates the handling of tax file numbers (TFNs). The Tax File Number Guidelines 2011 issued under s 17 of the Privacy Act are legally binding guidelines that regulate the collection, storage, use, disclosure, security and disposal of individuals’ tax file number information.[7] These requirements supplement the protections in the APPs. This reflects the sensitivity attaching to TFNs, as unique identifiers, issued and handled by the Australian Government about many Australians.

Exemptions

There are a number of ways in which entities can be exempt from the Privacy Act. For example, agencies that are completely exempt from the Privacy Act include intelligence agencies, the Australian Crime Commission, the Integrity Commissioner, the Australian Government Solicitor and royal commissions. Examples of agencies that are partially exempt include certain courts and tribunals (which are exempt in respect of non-administrative matters) and Ministers.

Examples of entities that are exempted from the APPs include some small businesses, registered political parties, most State or territory government agencies, and media organisations where the media organisation is publicly committed to observing published privacy standards.

For some exempt entities, other oversight mechanisms apply to the handling of personal information.[8]

Regulatory powers

Essential to an effective regulatory regime is an independent regulator with powers to monitor and investigate non-compliance, enforce compliance, and encourage best practice privacy practices. The Privacy Act confers a range of regulatory action and enforcement powers on the Commissioner, which are based on an escalation model. These powers include:

  • issuing guidelines for the avoidance of acts or practices that might interfere with privacy
  • directing agencies to give the Commissioner a privacy impact assessment for proposed activities or functions that might have a significant impact on the privacy of individuals
  • registering and, where necessary, developing APP and credit reporting codes of practice
  • making binding rules, by legislative instrument, relating to the collection, use or disclosure of personal information in certain circumstances
  • conducting an assessment (audit) of privacy compliance for both an agency and a private sector entity
  • accepting an enforceable undertaking and bringing proceedings to enforce an undertaking
  • making a determination in both a complaint investigation and a ‘Commissioner initiated investigation’ (CII)
  • seeking a civil penalty from the courts in the case of a serious or repeated interference with privacy, or in the case of a breach of certain credit reporting provisions.

While the Commissioner has a range of regulatory action powers to draw on, the preferred regulatory approach is to work with entities to encourage compliance and best practice privacy practices and prevent privacy breaches.[9] The OAIC can use a range of steps as part of this approach, including engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise, as well as engaging with regulated entities who voluntarily and proactively notify the OAIC of a data breach incident.

The OAIC may commence an investigation into a suspected or alleged interference with privacy, either on receipt of a complaint or as a CII. If a complaint is received and certain conditions are satisfied, the complaint must be investigated.[10] When investigating a complaint, a reasonable attempt must be made to conciliate the complaint.[11] The majority of complaints are resolved in this way.

In investigating a complaint or conducting a CII, the OAIC will seek to work with the parties concerned. Following a complaint investigation or CII, the Commissioner may decide to take enforcement action against an entity.

The OAIC’s handling of privacy complaints is the final tier of a three-tiered complaint process for Privacy Act breaches. In the first instance, an aggrieved individual should complain to the respondent. Where not satisfied with the response or outcome, the individual may complain to an external dispute resolution (EDR) scheme of which the respondent is a member (if any) which has been recognised by the Commissioner. If the individual is not satisfied with the outcome of the EDR process, they may complain to the OAIC. EDR schemes currently recognised by the OAIC include the Financial Ombudsman Service and the Credit Ombudsman Service Limited.

In addition to having a range of regulatory action powers to draw on, and the collaborative approach to regulation outlined above, the OAIC has extensive experience in complaint conciliation, meaning it provides a method for fast, informal and low-cost resolution of disputes. The inclusion of recognised EDR schemes in the OAIC’s regulatory model further contributes to this dispute resolution model and the OAIC is committed to working collaboratively with EDR schemes to ensure consistency in the application of the Privacy Act.

Other Australian laws relating to privacy

The Commissioner also has certain regulatory responsibilities under a range of other laws with links to privacy. These include:

  • Telecommunications Act 1997. This has a number of provisions that deal with personal information held by carriers, carriage service providers and others.
  • Telecommunications (Interception and Access) Act 1979. This prohibits the interception of communications passing over a telecommunications system.
  • The National Health Act 1953 and legally binding privacy guidelines issued under this Act. These regulate the handling of Medicare and pharmaceutical benefits information.
  • The Data-matching Program (Assistance and Tax) Act 1990 and legally binding guidelines issued under that Act. These regulate the use of tax file numbers in matching personal information held by the Australian Taxation Office and assistance agencies such as the Department of Human Services and the Department of Veterans’ Affairs.
  • Part VIIC of the Crimes Act 1914. This relates to criminal records covered by the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances.
  • The Anti-Money Laundering and Counter-Terrorism Financing Act 2006. This imposes a number of obligations on the financial sector, gambling sector, bullion dealers and other professionals or businesses that provide particular ‘designated services’.
  • The Healthcare Identifiers Act 2010. This establishes the Healthcare Identifiers Service and prescribes how healthcare identifiers will be assigned and how they can be used and disclosed.
  • The Personally Controlled Electronic Health Records Act 2012 and the rules and regulations issued under that Act. These create the legislative framework for the Australian Government’s personally controlled electronic health record system.
  • The Personal Property Securities Act 2009. This established a single, national, online Personal Property Securities Register. This Register allows lenders and businesses to register their security interests over personal property. Registrations on the Register may include personal information about individuals.
  • The Student Identifiers Act 2014. This establishes a national online record of students’ vocational education and training attainments and qualifications, as part of the Unique Student Identifier scheme which commences on 1 January 2015.[12]

State and Territory privacy laws

The Privacy Act generally does not apply to state and territory government agencies.[13]

Instead, where they exist, state and territory laws create information privacy requirements similar to those under the Privacy Act. These generally apply to state and territory government agencies as well as local councils, state and territory government-owned corporations and universities.[14] These laws provide various mechanisms for individuals to make complaints and seek redress. With the exception of the Australian Capital Territory (ACT) Information Privacy Act 2014, the OAIC does not have regulatory responsibilities in relation to these laws.

Under an arrangement between the ACT Government and the Australian Government, the OAIC is exercising some of the functions of the ACT Information Privacy Commissioner. These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies’ compliance with the Information Privacy Act.[15]

Other aspects of privacy

The Privacy Act is not a complete legislative response to the requirements of Article 17 of the ICCPR. There are a number of areas not covered by privacy regulation in Australia. For example, the Privacy Act does not cover the actions of individuals per se[16] or various exempt entities and acts or practices (outlined above). In addition, the Privacy Act only regulates information privacy and provides no protection for:

  • Bodily privacy, which concerns the protection of people’s physical selves against invasive procedures such as genetic tests, drug testing and cavity searches
  • Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks.[17]

However, other legislation or common law doctrines may provide limited or partial protection against privacy-invasive conduct. For example, laws exist in each of the states and territories that variously restrict the use of listening, optical, data and tracking surveillance devices. These surveillance device laws provide criminal offences for using a surveillance device to record or monitor private conversations or activities, for tracking a person or for monitoring information on a computer system.[18]

Laws and policies that may unduly restrict the exercise of the right to privacy

Balancing privacy with other interests

The Privacy Act recognises that the protection of individuals’ privacy, through the protection of their personal information, is not an absolute right. Rather, those interests must be balanced with the broader interest of the community in ensuring that APP entities are able to carry out their legitimate functions and activities.[19] This balancing is reflected in the exceptions to a number of the APPs, which except from the operation of those APPs certain information handling practices considered to be in the public interest when balanced with the interest in protecting an individual’s privacy. Exceptions cover a range of matters, including where a use or disclosure of personal information is authorised or required by Australian law[20] or where an entity reasonably believes that a use or disclosure is reasonably necessary for an enforcement related activity conducted by an enforcement body.[21]

A range of the OAIC’s responsibilities involve examining proposals that may restrict the exercise of individuals’ privacy protections in favour of another public interest objective. These responsibilities include:

  • examining proposed enactments that would require or authorise acts or practices that might otherwise interfere with privacy[22] and ensuring that any adverse effects of a proposed enactment on the privacy of individuals are minimised[23] (noting that an act or practice that is required or authorised by or under an Australian law is generally excepted from the requirements around the collection of sensitive information and the use and disclosure of personal information in the APPs). This responsibility is discussed in more detail below
  • examining a proposal for data matching or linkage that may involve an interference with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals,[24] and ensuring that any adverse effects of the proposal on the privacy of individuals are minimised[25]
  • providing reports and recommendations to the Minister in relation to any matter concerning the need for, or desirability of, legislative or administrative action in the interests of the privacy of individuals[26]
  • directing an agency to give the Commissioner a privacy impact assessment, if an agency proposes to engage in an activity or function involving the handling of personal information about individuals and the Commissioner considers that the activity or function might have a significant impact on the privacy of individuals.[27]

Some examples of how the OAIC exercises these responsibilities are outlined below.

Close working relationship with APP entities

The OAIC works closely with APP entities to understand and provide advice about proposals and issues that may impact the privacy of individuals while pursuing another objective. This includes initiating discussions with entities about new technology and its potential privacy implications. For example, during the last year the OAIC joined with privacy regulators from around the world to engage with Google about the potential privacy concerns around the development and use of Google Glass.

More specifically, the OAIC maintains informal dialogue and engagement through two key stakeholder networks it administers:

  • The Information Contact Officer Network (ICON) – a network for FOI, privacy and information policy contact officers in Australian Government agencies. ICON also includes the Norfolk Island administration and, in relation to privacy, ACT Government agencies.[28] During 2013–14, the OAIC held four ICON meetings and issued regular email alerts to ICON members.
  • The Privacy Connections Network – a dedicated network for privacy professionals in the private sector. The OAIC hosts an annual Privacy Connections business breakfast, and sends regular eNews alerts to members.

The OAIC also regularly meets with a range of agencies with responsibility for programs in which significant amounts of personal information are handled, as part of providing dedicated privacy-related services to agencies funded under memorandums of understanding and exchanges of letters.[29]

The OAIC’s focus on working together with regulated entities to understand developments in data processing and technology can help to ensure that privacy considerations are considered at an early stage of developing any new proposals, and that any adverse effects of such developments on the privacy of individuals are minimised.

Laws that invoke the ‘required or authorised by law’ exception in certain APPs

The OAIC is regularly invited to comment on draft laws that require or authorise the collection, use or disclosure of personal information in a manner that would otherwise be inconsistent with one or more of the APPs. As noted above, the effect of such laws is that one or more APPs will not apply to the collection of sensitive information or the use or disclosure of personal information, described in the law.

Consistent with the approach taken in applying Article 17 in the ICCPR, the OAIC’s advice generally suggests consideration should be given to whether those measures are proportionate and necessary. That is, whether they appropriately balance the intrusion on individuals’ privacy with the overall public policy objectives of the proposal. Additionally, when handling of individuals’ personal information is authorised in the broader interests of the community, it is generally recommended that those activities be accompanied by an appropriate level of privacy safeguards and accountability. Should such a proposal be considered to appropriately balance these objectives, it is generally recommended that the scope of the proposal be drafted consistent with the spirit and intent of the Privacy Act.

The OAIC regularly refers agencies to the ‘4A framework’ – a document it published to assist agencies in the development of new law enforcement and national security powers that may have an impact on privacy. A copy is attached at Appendix A. The 4A Framework outlines a four step approach for assessing and implementing these new powers.[30] The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy by asking:

  • Whether the proposed measure is a proportional response, in light of its impact on privacy and existing community expectations?
  • Under what circumstances the powers can be exercised?
  • What safeguards are in place?
  • Whether there are any built in review mechanisms?

For example, the OAIC recently made a submission to the Inquiry into the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014, concerning the need to appropriately balance the intrusion on individuals’ privacy with the overall public policy objectives of the proposal. This Bill was intended to strengthen and improve Australia’s counter-terrorism legislative framework, but also contained some proposed measures that impact upon the privacy of individuals.[31]

Promoting a culture of respect for the right to privacy

The results of the recent OAIC Community Attitudes to Privacy Survey 2013 confirmed that Australians continue to be concerned about their privacy and that they expect their personal information to be properly protected by business and government.[32] The survey results also confirmed a high level of awareness about the Privacy Act and the OAIC across the Australian community. The OAIC’s visibility, experience and expertise foster individuals’ confidence that privacy rights will be defended – confidence that is integral to individuals’ trust in the information handling practices of APP entities.

The OAIC exercises an important role in promoting awareness about the Privacy Act and the OAIC’s functions, and, in turn, building a culture of respect for the right to privacy in Australia. Progress in developing such a culture is demonstrated through the high level of access to the OAIC’s services. For example, the OAIC Annual Report for 2013-2014 indicates that the OAIC:

  • received 4239 privacy complaints from individuals under s 36 of the Privacy Act. This was a 183% increase in the number of privacy complaints from the previous financial year
  • resolved 2617 privacy complaints. This was an increase of 74% on the previous financial year
  • responded to 11737 telephone enquiries and 2455 written enquiries which related to privacy matters. This represented an almost 10% increase in the number of privacy phone enquiries received and a 30% increase in the number of written enquiries. The majority of enquiries were from individuals wanting information about their privacy rights and about how to make a complaint
  • received 71 voluntary data breach notifications. This represented a 16% increase from the previous financial year. The OAIC considers this to indicate that an increasing number of entities recognise the benefits in notifying the OAIC
  • commenced 6 CIIs (previously named ‘own motion investigations’)
  • undertook work on 13 privacy assessments (previously known as audits).[33]

The OAIC also builds a culture of respect for privacy by providing advice and guidance to entities to promote an understanding and acceptance of the responsibilities and obligations in the Privacy Act.[34] For example, the OAIC delivered a comprehensive campaign about reforms to the Privacy Act that commenced on 12 March 2014, regularly communicating the changes to stakeholder groups via the OAIC’s website, stakeholder networks, social media, publications and events. The OAIC also produced an extensive range of guidance and legislative instruments to assist agencies, organisations and the public to understand their privacy obligations and rights. The OAIC’s privacy publications also include guidance for entities not covered by the Privacy Act, to encourage best privacy practice.[35]

Examples of other educational programs in which a culture of respect for privacy is promoted by the OAIC include:

  • Coordinating the highly successful annual national Privacy Awareness Week, with over 200 partners joining the OAIC in awareness-raising activities during the week.
  • Launching the Community Attitudes to Privacy Survey Report 2013 and accompanying infographic video at an event attended by industry and consumer groups. The video has received over 3000 hits on YouTube alone.
  • Publishing a range of educational materials on the OAIC website for APP entities and the community, including fact sheets, frequently asked questions and agency and business resources. Some educational materials are published in different community languages to help a larger number of people to better understand their rights. For example, the plain English fact sheet on recent reforms to the Privacy Act was translated into 11 community languages.
  • Regularly communicating with stakeholder groups via the OAIC’s website, stakeholder networks, events, social media, e-newsletters and other web 2.0 platforms, to promote and inform stakeholders about the work of the OAIC. For example, in the 2013/2014 financial year, the OAIC made more than 270 keynote speeches and presentations to public conferences and in-house agency and business seminars, on open government and privacy protection.
  • Conducting regular community attitudes surveys to explore changes in attitudes to privacy across a range of areas, as well as considering privacy issues associated with new and emerging technologies.[36]

Co-ordinated international approach to data protection regulation

The Privacy Act operates in an environment where organisations carry on their businesses globally, and where personal information is regularly transferred, handled and stored overseas. The globalised nature of data flows makes it particularly important for the OAIC to work towards a co-ordinated approach, internationally, to privacy regulation.

The OAIC participates actively in international privacy and data protection forums. This enables the OAIC to build collaborative relationships with other privacy regulators and to keep abreast of emerging international privacy protection issues. For example, the OAIC provides secretariat services to the Asia Pacific Privacy Authorities (APPA) Forum, which includes members from the United States, Mexico, Hong Kong, South Korea, Canada, New Zealand and Singapore. The OAIC’s responsibilities include hosting and administering two websites[37] (both of which include privacy education materials), secretariat functions and the facilitation of a range of working groups. The OAIC has led the APPA Communications Working Group for the last four years, developing education products for use across 17 jurisdictions in the Asia Pacific Region. These products include an identity theft tool, a survey on social media, and a video and privacy tips for using mobile apps.

The OAIC also participates in global forums that aim to build a coordinated approach to regulating cross-border data flows and challenges, including the Global Privacy Enforcement Network, under the auspices of the OECD, and the Asia-Pacific Economic Cooperation Cross Border Privacy Enforcement Arrangement.[38]

Building effective and transparent privacy practices to further advance the right to privacy

Agencies and businesses are entrusted with individuals’ personal information. The use or misuse of that information can have significant impacts for individuals. Concern about the potential misuse of personal information is reflected in results of the OAIC’s Community Attitudes survey 2013 – 63% of respondents said that they have decided not to deal with an organisation because of privacy concerns.[39]

In the OAIC’s view, the right to privacy could be further advanced through the widespread adoption by entities of transparent privacy enhancing practices. Three related examples of how the OAIC works to foster such cultural change are by encouraging entities to:

  • make open and transparent privacy practices second nature
  • increase the reporting of data breaches
  • undertake privacy impact assessments for new projects that involve personal information, or when a change is proposed to information handling practices.

Open and transparent privacy practices

The Privacy Act requires APP entities to manage information in an open and transparent way. For example, APP 1 requires entities to have a clearly expressed and up-to-date privacy policy about the management of personal information by the entity. Entities must also take reasonable steps to ensure compliance with the APPs or a registered APP code that binds the entity. The intention of APP 1 is to ensure that privacy compliance is embedded in the design of entities’ practices, procedures and systems.

The OAIC has released a range of guidance to help entities to build and support privacy and transparency throughout their practices, procedures and systems. For example, it has published the APP guidelines, which include detailed guidance on APP 1. They also outline the mandatory requirements in the APPs as well as the OAIC’s interpretation of the APPs, good privacy practice suggestions and examples of how the principles may apply to particular circumstances.[40] It has also published a guide to developing a privacy policy which is designed to help entities build privacy and transparency into their processes and their culture.[41]

Data breach notification

Greater transparency could also be fostered through increased reporting of data breaches to the OAIC. Data breaches are a significant risk associated with doing business in the information age. The preparation and implementation of a data breach policy and response plan (that includes notifying affected individuals and the OAIC) would help entities deal with this risk, and respond to a breach, as well as mitigating the potential privacy impacts of a breach for individuals.

While Australia does not have a system of mandatory data breach reporting, other than in relation to specific e-health laws,[42] the OAIC has developed a voluntary guide to assist agencies and businesses to respond effectively to data breaches, Data breach notification – A Guide to handling personal information security breaches.[43] The guide is aimed, in part, at encouraging entities to voluntarily put in place reasonable measures to deal with data breaches (including notification of affected individuals and the OAIC). However, despite a recent increase in the level of data breaches reported to the OAIC,[44] there have been a number of high profile data breaches that were not reported to the OAIC, and which were brought to the OAIC’s attention through complaints or through the media.

The OAIC recognises that entities may consider the possibility of regulatory action by the OAIC a disincentive to voluntary data breach notification. The OAIC will soon release a Privacy Regulatory Action Policy that addresses this issue. The policy notes that one of the factors taken into account when considering whether regulatory action is necessary is any action taken by the entity to remedy and address the consequences of the conduct, including whether the entity attempted to conceal a contravention or data breach, and whether the entity cooperated with the OAIC during containment and any investigation of the breach.[45] This Policy will be supported by a Guide to privacy regulatory action. The Guide will provide stakeholders with a more detailed explanation of how the OAIC will exercise each regulatory power, as well as providing practical guidance for OAIC staff involved in the exercise of those powers.

Privacy impact assessments

A privacy impact assessment (a PIA) is a systematic written assessment of an activity or function that identifies the impact that the activity or function might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. Undertaking a PIA can assist APP entities to build privacy considerations into the design of a project and achieve the project’s goals while minimising the negative and enhancing the positive privacy impacts. A PIA can also help to build the community’s trust that privacy risks have been identified, and protections embedded, at the design stage of a new project involving personal information handling.

The OAIC strongly encourages APP entities to conduct a PIA as a matter of course for new projects that involve personal information, or when a change is proposed to information handling practices. In addition, the Commissioner may formally direct an agency (though not an organisation) to conduct a PIA for new projects involving personal information, where the OAIC considers that the activity or function might have a significant impact on the privacy of individuals.[46] The scope of this provision is to be reviewed within 5 years of its commencement, to assess whether this section should also apply in relation to organisations.[47]

As discussed above, the OAIC has published A Guide to undertaking privacy impact assessments to help to educate entities on the value of a PIA, the process involved, and the assistance that the OAIC can give.[48] The Guide sets out a suggested ten step process for undertaking a PIA. It can be used alongside existing project management and risk management methodologies or as a process in its own right, and adapted to suit specific business needs or functions of the entity.

Towards cultural change

The OAIC recognises that there is still work to be done fostering cultural change. This will take time. However, the OAIC considers that its guidance, advice and educational activities, as well as its regulatory approach of working closely with entities outlined above, have been successful in enhancing awareness and understanding of the right to privacy in Australia. Over time, these activities will continue to help entities to build more transparent privacy enhancing practices, and advance the right to privacy.

Appendix A

Privacy fact sheet 3: 4A framework — A tool for assessing and implementing new law enforcement and national security powers

The Office of the Australian Information Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The 4A framework sets out a life cycle approach from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.

Analysis

Careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

Authority

The authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

Accountability

Implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

Appraisal

There should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.

In summary:

Analysis – is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?

Authority – Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?

Accountability – What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?

Appraisal – Are there built-in review mechanisms? Has the measure delivered what it promised, and at what cost and benefit?

Footnotes

[1] The Freedom of Information Amendment (New Arrangements) Bill 2014 (the Bill) is available on the comlaw website

[2] Office of the United Nations High Commissioner for Human Rights, The Right to Privacy in the Digital Age UN Doc A/HRC/27/37 (2014), paragraph 23.

[3] Office of the United Nations High Commissioner for Human Rights, The Right to Privacy in the Digital Age UN Doc A/HRC/27/37 (2014), paragraph 13

[4] The objects in s 2A of the Privacy Act include ‘to implement Australia’s international obligation in relation to privacy’ (s 2A(h))

[5] Sections 2A(a) and 2A(d) of the Privacy Act

[6] Explanatory memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p. 52

[7] For more information, see Tax file numbers on the OAIC website

[8] See for example, the Attorney-General’s Guidelines, which set out the Attorney-General’s expectations of ASIO in the collection and handling of personal information. These are available on the ASIO website.

[9] See OAIC, Privacy regulatory action policy (draft), March 2014, at paragraph 22; see also ‘The OAIC’s enforcement approach to new privacy laws from 12 March 2014 — Statement from the Australian Information Commissioner and Privacy Commissioner’, 28 February 2014. These documents are available on the OAIC website

[10] Sections 36, 40, 43 and 50 of the Privacy Act

[11] Section 40A of the Privacy Act

[12] For more information about these laws, please see the OAIC website

[13] However, section 6F of the Privacy Act provides for a State or Territory authority or an instrumentality of a State or Territory to be prescribed in the Privacy Regulations in certain circumstances, with the effect it will be treated as an organisation under the Privacy Act

[14] Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2009 (Qld); Premier and Cabinet Circular No 12 (SA); Personal Information Protection Act 2004 (Tas); Privacy and Data Protection Act 2014 (Vic); Information Privacy Act 2014 (ACT); Information Act (NT). For more information about State and Territory privacy laws, please see the OAIC website

[15] For more information on the OAIC’s role, please see Australian Capital Territory Privacy on the OAIC website

[16] Individuals are covered in limited circumstances, such as where the individual is also an organisation (such as a sole trader with an annual turnover of greater than $3 million), the individual derives a commercial benefit from handling personal information, or the individual handles tax file numbers.

[17] D Banisar, Privacy and Human Rights 2000: An International Survey of Privacy Law and Developments Privacy International (as cited in Australian Law Reform Commission Report 108, For Your Information: Australian Privacy Law and Practice, paragraph 1.31, available on the Australian Law Reform Commission website).

[18] Surveillance Devices Act 2007 (NSW); Invasion of Privacy Act 1971 (Qld); Listening and Surveillance Devices Act 1972 (SA); Listening Devices Act 1991 (Tas); Surveillance Devices Act 1999 (Vic); Surveillance Devices Act 1998 (WA); Listening Devices Act 1992 (ACT); Surveillance Devices Act (NT). For more information about laws that may regulate broader notions of privacy, see Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), available on the Australian Law Reform Commission website

[19] Section 2A(b) of the Privacy Act

[20] APP 6.2(b), Schedule 1 of the Privacy Act

[21] APP 6.2(e), Schedule 1 of the Privacy Act

[22] Section 28A(2) of the Privacy Act

[23] Section 28A(2)(c) of the Privacy Act

[24] Section 28A(2)(b) of the Privacy Act

[25] Section 28A(c) of the Privacy Act

[26] Section 28B(1)(c) of the Privacy Act

[27] Section 33D of the Privacy Act

[28] For more information about the Information Contact Officers’ Network, see the OAIC website

[29] For more information about these memorandums of understanding, see OAIC Annual Report 2013–14, available on the OAIC website

[30] The 4A framework is available on the OAIC website

[31] Submission by the Australian Privacy Commissioner on the Inquiry into the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014

[32] In that respect, a key finding of the Survey was that 63% of respondents had decided not to deal with an organisation or government agency because of concerns for how their personal information would be handled. Similarly the vast majority of Australians, 96%, believe that organisations and government agencies need to be transparent about how they are going to handle their personal information. For more information about the OAIC Community Attitudes to Privacy survey 2013, see Launch of Community Attitudes to Privacy report

[33] The OAIC Annual Report 2013–14 is available on the OAIC website

[34] Section 28(1)(c) of the Privacy Act

[35] For example, Mobile privacy: a better practice guide for mobile app developers, available on the OAIC website

[36] Surveys have been conducted in 2001, 2004, 2007 and 2013. For more information about the OAIC Community Attitudes to Privacy survey 2013, see Launch of Community Attitudes to Privacy report

[37] See Privacy Awareness Week and APPA Forum

[38] For more information about the OAIC’s involvement in these forums, see OAIC Annual Report 2013–14, Chapter 5, available on the OAIC website

[39] For more information about the OAIC Community Attitudes to Privacy survey 2013, see Launch of Community Attitudes to Privacy report

[40] The OAIC’s APP guidelines are available on the OAIC website

[41] The OAIC’s Guide to developing an APP Privacy Policy is available on the OAIC website

[42] Section 75 of the Personally Controlled Electronic Health Records (PCEHR) Act 2012 requires certain participants in the PCEHR system to notify the OAIC of a data breach, and includes a civil penalty for failing to do so.

[43] Data breach notification – A guide to handling personal information security breaches is available on the OAIC website

[44] In 2013–14, the OAIC received 71 voluntary data breach notifications, which is a 16.4% increase on the number received in the previous year (see OAIC Annual Report 2013–14).

[45] See OAIC, Privacy regulatory action policy (draft), March 2014, at paragraphs 24 and 33, available on the OAIC website

[46] Section 33D of the Privacy Act

[47] Section 33D(7) of the Privacy Act provides that ‘before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.’

[48] Guide to undertaking privacy impact assessments is available on the OAIC website
