
Privacy and transparency

Presentation by Timothy Pilgrim, Privacy Commissioner, to the Privacy Awareness Week 'Up close and personal' business breakfast, 5 May 2014


It’s great to be here this morning for our third Privacy Awareness Week business breakfast. We’ve had a huge year — we’ve been busier than ever over the last 12 months, and it just keeps getting busier! I look around the room and I see so many familiar faces, across many industry sectors, who have been working tirelessly to implement the reforms, and I thank each of you for your work. But folks, it doesn’t stop here!

Today we’re here to launch Privacy Awareness Week, and to talk about the importance of transparency in information handling.

John has given you an introduction to our two new guides, the Guide to developing an APP privacy policy and the Guide to conducting privacy impact assessments.

These guides are essential reading for entities setting the framework for good privacy practices and for meeting the requirements of APP 1, which is after all the bedrock principle not only for facilitating compliance with all the APPs, but also for establishing trust with your customers through transparency and openness.

As you know, APP 1 sets up two distinct components in regard to embedding privacy. The first is implementing practices, procedures and systems to ensure compliance with the APPs and to enable complaints and enquiries from individuals. The second is having a clearly expressed and up to date privacy policy.

This is about business practice, about building privacy into your processes so that it becomes part of the first steps on any project. In order to maximise the value of the privacy processes that you set up, it is essential to create and embed a culture in your organisation that recognises the importance of privacy, and respects it. These two components are complementary, each supporting the other, but to have truly best privacy practice, you need to be proactive in establishing both.

The question today is how you are building trust with your customers. A customer-centric approach has become central to the brand reputation and marketing strategies of most organisations, but we’re not the experts on your customers, you are, and you need to think about what their expectations are and how you can demonstrate your information handling credentials. The principles-based law we have provides the flexibility for you to do this, while setting the boundaries for you to work within.

But what I’d like to do now is take a little time to talk about what we in the OAIC see as our priorities for the next year. With the law reform deadline of 12 March behind us we are now looking to continue work on our suite of guidance, and work to bring everyone, organisations and individuals, to a point where they have a good understanding of their rights and responsibilities under the reformed Act.

Our focus

I have been frequently asked whether we will be targeting specific organisations and industries for regulatory action and publicising this, along the lines of other regulators like the ACCC. Part of the answer to this lies in our Regulatory Action Statement and our draft Regulatory Action Policy, soon to be followed by our Guide.

Generally, I see the next 12 months as a period of consolidation for all of us as we bed down the reforms. We want to continue to work with all entities covered by the Act to help them with this. We will continue to produce guidance, and we are starting to move from the broad type of guidance such as the APP guidelines to guidance dealing with specific areas and issues. In doing this we will also look to specific business practices and feedback from all entities as input to help determine our focus.

This approach reflects our view that it is better to work with business to improve compliance and help them to avoid situations that might give rise to regulatory action. Our approach in this regard won’t change — we have always been of the opinion that it is better to help prevent a privacy breach than punish an organisation after it has occurred.

For example, what used to be called audits are now called ‘assessments’, which I feel is a good name for them — we like to treat these assessments as just that — a chance to work with us to assess your information handling, and address areas for improvement.

We have released a lot of new guidance over the last year, and there is more to come. Our publications are designed to help you to achieve and maintain compliance in all situations — whether that be when you are creating new processes or commencing new projects, changing your business practices, or dealing with a data breach.

In the year ahead we are also broadening our focus to individuals’ rights. This Privacy Awareness Week we are asking all of our partners to think about and act, to educate their customers and clients, to focus on engaging with their clients to create trust, and to build an organisational culture that respects privacy.

Now that we have released quite a lot, but by no means all, of the guidance for entities we have started working on a series of consumer facing publications.

This PAW we have released a plain English fact sheet on the key changes under law reform. This has been translated into 11 community languages, and we hope that it will help a large number of people to better understand their rights. We have also released a poster on what to look for in a privacy policy. This is the consumer-facing partner to the Guide to developing an APP privacy policy. The Guide helps you to develop your privacy policy, and the poster helps individuals get the most out of it.

We have also released a series of 16 fact sheets on credit reporting. Credit reporting is an area of high community concern — it’s an area where people need to understand their rights, but it is also a complicated area of law. Each of our 16 consumer-facing credit fact sheets deals with just one aspect of the credit reporting system, so that people can more easily access the information on their specific area of concern.

During this week, the OAIC will also be holding a credit reporting webinar to help advocates like consumer credit legal centres and EDR schemes get fully up-to-date on the changes.

Later in the week I will also be visiting several universities discussing privacy awareness and current issues in the privacy arena.

OAIC’s regulatory approach

I’ll talk briefly now about our regulatory action approach. As I mentioned, the OAIC has released a draft Privacy regulatory action policy, which will be finalised shortly. This was developed by us in response to the substantial changes under the new laws, in particular the changes to the enforcement powers.

With business and government asking ‘how’ we would be exercising these powers we wanted to be transparent about how the new enforcement powers are likely to be used in practice. We also want to make it clear that, while much of the media coverage has focused on financial penalties, we are not looking to jump straight to using them when assessing breaches of the Act. Embedding change and best practice successfully into organisations and agencies that are entrusted with the personal information of the community must be what we are aiming for and we will remain keen to work with all entities to achieve this through the coming year.

Our policy therefore sets out our regulatory action powers in the context of our escalation model. The policy sets out the range of factors that we will take into account when deciding whether to pursue regulatory action in a particular matter — such as the seriousness of the breach, or the potential impact of a proposal on individuals — as well as outlining our aims in taking action.

In assessing whether or not to take action, we will be guided by the following principles: independence, accountability, proportionality, consistency, timeliness, and transparency.

We will shortly be releasing the Guide to the OAIC’s privacy regulatory action, which will set out in more practical terms how specific regulatory action powers will be used. This is an operational guide, a procedural document for the OAIC’s staff. But it will also help you to understand the how and why of what the OAIC is doing — it is important to us that you have confidence in our processes, and the reasons behind them.

While we will not hesitate to take action in the case of a serious breach of the law, such as might be caused by a lack of adequate information security or having a severe impact on a large number of individuals, we don’t want organisations to be afraid to approach us for help in the case of a data breach or other privacy issue. Notification of a data breach may not stop us from commencing an investigation if we feel that it is necessary and appropriate in the circumstances, but proactive notification of a data breach will be taken into account when considering whether regulatory action is necessary.

Although the OAIC is receiving more voluntary data breach notifications than previously, we suspect that we only receive notification of a small fraction of the number that actually take place. Like transparency generally, transparency in this area is always in your best interest, whether it is in regard to your relationship with us as the regulator, or, as importantly, in your relationship with your customers.

We would like to see transparent privacy practice become second nature to all organisations.

After all, organisations are entrusted with their customers’ personal information, and, like all of us in this room, this is the information that says who we are, what we have done, what we want to do, what we like, believe and feel. It is what makes each of us individuals. The use or misuse of that information can have significant impacts on people. This is why building trust is so important, and the starting point for building that trust is through transparency.

Thank you.