Australian Government - Office of the Australian Information Commissioner

OAIC PAW update 2015

Presentation by Timothy Pilgrim to PAW breakfast, Sydney

Thank you John, and I’d just like to add my own welcome to everyone for our fourth Privacy Awareness Week (PAW) breakfast. From humble beginnings back in 2006, it seems that every year Privacy Awareness Week gets a little bigger. I know that we try to do a little more each year, and it seems like our more than 200 partners are striving for that too, which is great to see. We’ve seen some fantastic commitments from our partners to promote privacy awareness — we certainly couldn’t do it without your support.

Traditionally, at the PAW breakfast I give a report on the year that’s been, and talk about what we’ve been working on for the past 12 months. But this year I feel like it’s fair to say that the majority of you here in the room will know what we’ve been working on — we have had a year and more of close engagement with organisations and agencies to help with implementation of the new laws, providing advice, responding to questions, and listening to stakeholders and as a result, refining our guidance that we’ve given, and continue to give, to your organisations. We’ve all worked together all year, so this morning I’m going to talk about our agenda for the next 12 months, about our expectations and the ways we’re going to help you meet those expectations.

Privacy is becoming increasingly entwined within both business processes and everyday activities. The availability of data on every imaginable topic is making connections between all aspects of our public and private lives.

Cross-border data flows, online tracking and behavioural advertising, connected smart devices, and instantaneous communications are changing not just how we think but how we behave and interact as a society, and in all of these areas privacy awareness is key.

A new report by Verizon into data breaches found that it takes an average of 82 seconds from the time a phishing campaign is launched until the first person falls for it.[1] And there was an interesting study by MIT recently that looked at how quickly the shift from ‘anonymous data’ to ‘personal information’ can occur. And it can happen quickly. This study found that with four pieces of information that were not considered personal information — so no names, addresses, or credit card numbers — the researchers were able to identify 90% of people in a data set of 1.1 million users over 3 months.[2]

Even just these two examples show why privacy awareness is steadily increasing in its importance. 

It is in recognition of this that there is an equivalent increase in cooperation between privacy regulators around the globe. Our office has worked across borders on issues like the Adobe and LinkedIn data breaches, but also on potential issues or developing technology — we were the first privacy regulator to get our hands on Google Glass, which came about through working with privacy regulators around the globe to request additional information from Google. And late last year we worked with counterparts in the UK, Canada and Macao to successfully have taken down a website that was live streaming private webcam images of people in their homes.

An awareness of the importance of privacy is influencing how people think about personal data at an international level. There are strong regional and global trends in discussion of how personal information can be used, how it must be protected and stored.

For example, the United Nations has just voted to appoint a special rapporteur for privacy, which is in line with the strong focus on privacy in the EU, where we have seen a number of significant decisions and directives with international ramifications.

Big data, monetization of our personal information, integrated technology, social media and technological storage solutions are well and truly on their way to shaping every aspect of our society, and with that comes a responsibility to ensure that privacy is as integrated into our lives as our technology is. 

Assessment Schedule

For us, that means talking about embedded privacy, about privacy by design, and about developing a culture of privacy.

We’re a year into the new privacy laws and everyone has had 12 months to bed down their processes, so with this in mind we have been developing an assessment schedule that allows us to strategically assess specific issues, such as APP privacy policies, or specific sectors, such as ACT government agencies and telcos, which we have just completed, or GP clinics, which we have just commenced.

As you know, meeting the compliance requirements of Australian Privacy Principle (APP) 1 involves a range of actions and commitments, and privacy policies are an important one of these. Australia has principles-based privacy law, which is designed to be flexible to change, and to give individuals choice and control over how their personal information is handled. The requirement for organisations to have a privacy policy is a big part of this — consumers need to be able to take responsibility to make decisions based on the information in policies.

With this in mind, our first focus in our assessment schedule was looking at the privacy policies of 20 public and private sector websites, checking for APP 1 compliance. The assessment considered the online privacy policies of organisations and agencies across a variety of sectors, including finance, government, media and social media. I’m pleased to release the findings of this assessment today.

The good news is that all 20 websites had a privacy policy which was easy to find on their website. We found that there was certainly room for improvement in terms of the readability with some of the privacy policies, with the median length being 3,414 words. This kind of length in an important document like a privacy policy makes it difficult to locate important information. The longest policy that we assessed was 18,000 words, and I think we can all agree that’s far too long for readability.

The Office of the Australian Information Commissioner (OAIC) has provided feedback to each of the organisations and agencies and has made recommendations to address any privacy issues that were identified. We have released the list of organisations that were assessed, as well as a summary report and that information is available on our website.

Privacy management framework

However, the requirements of APP 1 are broader than just privacy policies — APP 1 requires organisations to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. This means that in addition to having an up-to-date privacy policy, organisations and agencies need to implement governance mechanisms and processes, practices and systems.

We recognise that this is an area where organisations and agencies need some help so we have developed a privacy management framework to assist organisations develop, implement and review their privacy management program and related governance structures. There is a growing international awareness of the need for this kind of framework to assist organisations with the fundamentals of privacy governance.

Privacy governance is essential to make sure you have the leadership, resources and accountability to put the necessary practices, procedures and systems in place to ensure good privacy management. So today I am pleased to release the OAIC’s new Privacy management framework (Framework), a tool to help you meet your ongoing compliance obligations and embed a culture of privacy within your organisation or agency.

Our framework provides the structure and methodology to enable organisations to build privacy into their business processes by emphasising governance, leadership and accountability as forming the basis of robust privacy management. It provides practical guidance on how to establish a privacy management plan, an action oriented document that sets out how you will embed a culture of privacy that enables compliance, establish robust and effective privacy practices, procedures and systems, and evaluate and enhance them.

Within each of the four steps in the Framework are a range of commitments that you should make to protect privacy and improve your processes. Not all commitments will be appropriate for all organisations or agencies, but, as with all aspects of compliance with the APPs, you need to make informed decisions about what is right for your organisation.

A privacy management plan should commit both people and resources to make sure there is clear accountability for privacy in your organisation, and to ensure you practice good privacy governance and meet your ongoing compliance obligations. We want to see organisations taking a proactive, rather than a reactive approach to privacy. The framework also encourages organisations to go beyond basic compliance and commit to best practice. 

Our experience has found that it is significantly more effective to develop a focus on governance and privacy leadership than it is to attempt to implement privacy practices or processes that relate only to a specific project or task, and don’t engage with the bigger picture.

APP 1 is the bedrock of the APPs, and this four step approach should demonstrate to you the importance of continually building on your foundation principles. Privacy management is an obligation that is continuous and proactive, and you need to ensure you are prepared for challenges before they arise, that you deal with them effectively and appropriately when they do occur, and that you reflect on both your response and your processes in the aftermath of any situation — whether it be a data breach, implementation of a new technology, or business-as-usual project planning. Taking steps to implement the framework will assist your organisation to demonstrate that it has taken reasonable steps to comply with APP 1.2, and the other APPs, in the case of a complaint or a data breach.

You will find a copy of the Privacy management framework in your packs, and it is available on our website. I expect you to walk away from the event this morning and have a conversation with your Executive and board about embedding this framework in your organisation. Privacy should be seen as a hallmark of good governance and it is essential to have support from your leadership team. This will put you in the best position to address privacy challenges head-on, meet your obligations under the Privacy Act 1988, and ultimately get ahead of the game.  

Strategic themes for upcoming year

And on that note, I’d like to finish up today by talking about our strategic focus for the next year. As John has noted, the last 12 months has been about law reform implementation, and working with organisations and agencies to help you bed down your response to the new laws.

Given we’re more than a year into the new laws, we’re moving our focus away from implementation, which we feel that you should all have a good handle on by now, to a broader strategic view of information handling, privacy protection, and whole-of-government response to issues, such as can be seen in our collaboration with the Australian Communications and Media Authority (ACMA) last year, which led to a joint investigation and the formalising of our relationship by signing a memorandum of understanding.

One of the most widely publicised privacy discussions this year has been about data retention laws. Over the next 12 months, we’re looking forward to working closely with telecommunications providers on ensuring that the privacy of individuals’ personal information is protected at all times. And we’re also looking forward to working closely with the Attorney-General’s Department to develop and implement the mandatory data breach notification legislation that the Government has said it will introduce.

We’re also planning a big year working with agencies from across the government on a broad range of issues, including contributing to the Government’s review of their cyber security policy, and taking an active role in any follow on from the review of the eHealth system.

And next week we’re participating in the Global Privacy Enforcement Network’s annual privacy sweep, where we will be looking at popular websites and apps used by children and young people. The results of this sweep are likely to be very interesting, and we’re looking forward to working with the new Children’s eSafety Commissioner in addressing those results.

The last year was a big one for us, and the coming year is proving to be no different. I’d like to finish today by saying thank you all very much for all your feedback and support. Our collaboration with industry and government is integral to the work we do as a regulator. I wish you all the very best for Privacy Awareness Week and look forward to seeing you out and about at events over the next few days.

Footnotes

[1] “The Number Of People Who Fall For Phishing Emails Is Staggering”, Gizmodo Australia, April 2015, http://www.gizmodo.com.au/2015/04/the-number-of-people-who-fall-for-phishing-emails-is-staggering/

[2] “Just four credit card clues can identify anyone”, New Scientist, http://www.newscientist.com/article/dn26879-just-four-credit-card-clues-can-identify-anyone.html