
Up close and personal

Presentation by Professor John McMillan, Australian Information Commissioner, to the Privacy Awareness Week 'Up close and personal' business breakfast, 5 May 2014.

Good morning everyone. I would like to begin by acknowledging the Gadigal peoples of the Eora Nation, the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.

Privacy Awareness Week

It gives me great pleasure to welcome you all here this morning to mark the start of Privacy Awareness Week. I’m also delighted to be here for our third Privacy Awareness Week business breakfast in what has been a huge year for privacy, with the commencement of the reforms to the Privacy Act made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 — the most significant reform to privacy laws in over 20 years.

I would like to thank our guest speakers: Alan Kirkland from CHOICE, Rob Scott from the Coles Group and Ben Heyes from the Commonwealth Bank. Thank you for giving up your time to share your insights on building an organisational culture that respects privacy. As we will hear this morning, privacy and transparency are an increasingly important market differentiator and business driver, and key to customer trust and brand reputation. I would also like to welcome Dr Elizabeth Coombs, NSW Privacy Commissioner, and Gillian Triggs, President of the Australian Human Rights Commission.

Each year, our Privacy Awareness Week campaign brings together an increasing number of partners from business, government and the community who assist us in promoting privacy awareness. It’s a great show of support that we have more partners every year, and I’m pleased to report that we have over 200 partners this year. We have representatives from government agencies, IT and telco companies, law firms, financial institutions, consumer groups and professional associations. We couldn’t reach the large number of people we will this year without your support.

Just a reminder that we will be tweeting throughout the speeches this morning — please feel free to join the conversation using the hashtag #2014PAW.

As you will be well aware, the theme for our event this morning is ‘Up front and personal’ — privacy, transparency and your customer. This Privacy Awareness Week, we are talking about, and encouraging, transparency. Privacy has traditionally been associated with secrecy, but in an information age, privacy is increasingly being associated with openness and the ability to make choices about how our personal information is handled.

The introduction of the Australian Privacy Principles strongly supports this — APP 1 sets up the expectation that entities will be open and transparent about how they handle personal information and implement privacy enhancing practices, procedures and systems. This is the first step in the information life cycle — planning. Planning is key to the management of personal information.

In the last 12 months we have all been very busy planning for the reforms, and the media has been full of discussion about big data, data breaches and information security. However, it can be easy to forget that privacy is a human right protected under international law and that the ‘information’ or ‘data’ we are talking about and handling is personal information.

Not surprisingly, customers will often feel very strongly about how their personal information is handled. This is certainly what we hear from customers when they come to us. And they are increasingly coming to us. In 2012–13, the OAIC received 1496 privacy complaints. However, in the 2013–14 financial year (with two months to go), we have already received over 2,900.

This is also confirmed in the results of our Community Attitudes to Privacy survey. One of the key messages to come out of that study was that Australians are becoming more concerned about privacy risks. I thought we would kick off this morning by playing the video that was developed in partnership with our sponsors for this project. Some of you may have seen this video already, but it gives a great snapshot of why we’re all here today — showing the importance of privacy awareness, transparency and of engaging with clients and stakeholders on these important issues.

[Community attitudes to privacy video]

Today we also want to talk to you about two resources that will be invaluable tools for your business to establish and maintain best privacy practice. Today we are launching a revised Guide to conducting privacy impact assessments. We are also launching a completely new resource: the Guide to developing an APP privacy policy.

These two guides are key resources to enable you to establish and maintain transparent personal information handling practices, as well as to build an organisational culture that respects and prioritises privacy.

We have been talking about APP 1 and privacy policies a lot in the lead up to law reform, and the reason for that is that they are the bedrock of your communication with your stakeholders and a way for you to assess your own processes. As you will see when you read through the Guide to developing an APP privacy policy, the process of creating and drafting a privacy policy requires you to fully understand your entire organisation’s personal information handling processes.

As part of the first step in this guide we recommend that you conduct an audit of all the personal information you hold, and how you handle it. If you haven’t already, you will find that this is extremely useful for assessing which areas of your personal information handling are already best practice, and which need improvement.

The Guide to developing an APP privacy policy takes you through the process of developing a privacy policy, and includes a checklist that will help you to double check that you have met all of your obligations, as well as achieved your aims.

This is where our second new publication comes in. The OAIC has been talking about the value of privacy impact assessments for years, and we are going to continue to do so. PIAs are an important tool for both government organisations and businesses to assess privacy risks and develop mitigation strategies. The best place to start with privacy is to build it in, right from the start — when you commence new processes or projects or, as in this case, there is a change in the law, it is absolutely essential that you assess or re-assess these processes.

The Guide to conducting privacy impact assessments will provide you with a step-by-step guide from assessing if the PIA is necessary, through conducting it, to preparing a report. A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

The OAIC has always had a guide that assisted entities to undertake PIAs, but it was last updated in May 2010. Changes to the Privacy Act prompted a review of the OAIC’s PIA guide, but also provided an opportunity for us to consider how the guide could be improved more generally.

The new guide represents a significant revision of the previous guide — we have taken the opportunity to update the guide to better reflect international best practice in relation to PIAs; it is more user-friendly for both government agencies and business, and now provides a more succinct ten step process for undertaking a PIA. The guide also includes links to other PIA resources and sample PIAs which provide further information and suggestions to entities.

The revised guide incorporates feedback from a variety of stakeholders, who helpfully provided input during the consultation process.

Something that both these guides have in common is that the final step is to ‘review’. Building privacy into your processes as ‘first principles’ is the right place to start, and you might find that when you review your processes everything is compliant, but it’s essential that you don’t get complacent. The ways that personal information is collected, stored, used and disclosed are constantly changing, and without taking the time to assess your personal information flows and practices you may miss a situation where a seemingly simple change has a flow-on effect to something else.

Conducting privacy impact assessments will help you manage this, but you also need to ensure that you review and update your privacy policy regularly. Your privacy policy is a summary of your personal information handling processes, and it is essential that it is accurate and up-to-date. As it says in the guide — it is a key communication tool, through which you can maintain an open dialogue with your stakeholders, create and maintain trust, and provide important information.

Privacy compliance is an ongoing process, and you should all be striving for continual improvement. To help you with this we have also developed quick reference tools for these two guides — these two one page documents (which you will find in your packs) are perfect for use as a refresher, or even to put up on your wall to help you keep privacy at the front of your mind.