Part 7: Organisational accountability requirements for entities

7.1          Accountability is globally recognised as a key building block for effective privacy regulation and management.[163] While the concept of ‘accountability’ can mean different things in different contexts, for the present purposes, it can be described broadly as the different actions and controls that an entity must implement to comply, and demonstrate compliance, with the privacy regulatory framework.

7.2          As outlined in Part 5, it is important that reforms to privacy self-management mechanisms are complimented by appropriate organisational accountability obligations to ensure that the burden of understanding and consenting to complicated practices does not fall solely on individuals.

7.3          The concept of accountability focusses on whether a regulated entity has translated its privacy obligations into internal privacy management processes that are commensurate with, and scalable to, the risks and threats associated with its personal information handling activities. The specific measures an entity should implement as part of its privacy management program will necessarily depend on its particular circumstances, including size, resources and business model.

7.4          More broadly, while strong accountability mechanisms facilitate compliance with privacy obligations, they can also improve business productivity and help to develop more efficient business processes, for example, by providing certainty and confidence for employees around the appropriate way to handle personal information, reducing the number and cost of data breaches, and improving overall operational efficiencies.[164] Entities with established internal processes are also better able to anticipate and adapt to different business and regulatory changes, as well as to crisis situations.[165]

7.5          By embedding strong accountability measures, entities can build a reputation for strong and effective privacy management, which is essential to realising the benefits of the personal information they hold and meeting their corporate social responsibilities. Accountability enables entities to not only meet the expectations of regulators, but to build consumer trust and confidence in their personal information handling practices.

Accountability under the Privacy Act

7.6          Accountability is at the core of APP 1, which requires entities to manage personal information in an open and transparent way. APP 1 does this in two key ways:

  • by requiring entities to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs (APP 1.2), and
  • by requiring entities to have a clearly expressed and up to date APP privacy policy describing how it manages personal information (APP 1.3).

7.7          By complying with APP 1, entities will establish a culture and set of processes to assist with compliance with all the other APPs. In this way, APP 1 can be described as the ‘bedrock’ privacy principle.

7.8          However, unlike other data protection regimes with accountability requirements, APP 1 does not prescribe specific measures or practical steps that entities must take to ensure compliance with the APPs.[166] For instance, the OECD Guidelines require data controllers to be accountable for complying with measures which give effect to the basic data processing principles in the Guidelines.

7.9          Similarly, the GDPR has formally embedded accountability requirements into its data protection legislative framework with the inclusion of express obligations on data controllers to:

  • implement appropriate technical and organisational measures to ensure compliance with the GDPR (Article 24)
  • implement data protection by design and by default (Article 25)
  • maintain records of processing activities (Article 30)
  • carry out data protection impact assessments (Article 35)
  • designate a data protection officer (Article 37).

7.10       Domestically, the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Australian Government Agencies Privacy Code) sets out specific requirements and steps that Australian Government agencies must take as part of complying with APP 1.2. The Code requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management. In particular, the Code requires agencies to:

  • have a privacy management plan
  • appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
  • appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information
  • undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information
  • keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites
  • ake steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.

Recommended enhancements to APP 1

7.11       The OAIC considers that APP 1 should include express accountability requirements for all regulated entities. This will provide further clarity to entities about the steps they should take to meet their ongoing compliance obligations under APP 1, which will support increased trust in their information handling practices among individuals.

7.12       The OAIC recommends that the Privacy Act is amended to include similar accountability measures to those required under GDPR and the Australian Government Agencies Privacy Code. At a minimum, APP 1 should be amended to expressly require entities to:

  • take reasonable steps, and demonstrate those reasonable steps, to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP code under APP 1.2
  • implement, and be able to demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default’ approach
  • provide the Commissioner, on request, with evidence of the steps taken to ensure compliance with the APPs and any registered APP code, and to implement a ‘privacy by design’ and ‘privacy by default’ approach, and
  • appoint a privacy officer or privacy officers and ensure that privacy officer functions are undertaken.

7.13       The requirement under APP 1 to implement practices, procedures and systems to ensure compliance with the APPs implicitly requires a ‘privacy by design’ approach by APP entities. Essentially, ‘privacy by design’ is an approach where privacy compliance is designed into projects, activities and initiatives dealing with personal information right from the start, and then throughout the information lifecycle, rather than being bolted on afterwards.

7.14       A ‘privacy by default’ approach requires entities to ensure that, by default, personal information is handled with the highest privacy protections.[167] For example, a ‘privacy by default’ approach requires entities to design new projects, activities or initiatives to ensure that they only collect the minimum amount of personal information that is necessary for a specific purpose. This links to the obligations in APP 3 and APP 6, which, respectively, require entities to only collect personal information that is reasonably necessary for their functions and activities, and to only use and disclose personal information for the primary purpose for which it was collected (or a secondary purpose if an exception applies).

7.15       ‘Privacy by design’ and ‘privacy by default’ are complementary concepts, which mutually reinforce each other.[168] APP entities will be better placed to meet their privacy obligations under the Privacy Act by adopting a ‘privacy by design’ and ‘privacy by default’ approach to their personal information handling practices.

7.16       In some instances, the OAIC has also observed that entities have not fully or comprehensively documented the steps they have taken to ensure compliance with APP 1.2.[169] Accordingly, the requirement that entities must be able to demonstrate that they have taken reasonable steps to implement practices, procedures and systems to ensure compliance, and a ‘privacy by design’ and ‘privacy by default’ approach, will necessarily require entities to document their controls and activities, which adds accountability to the process.[170]

7.17       Similarly, the requirement to provide evidence, on request, of the steps taken to meet these requirements will ensure the OAIC is able to verify that entities are complying with their privacy obligations where appropriate in the circumstances.[171] For instance, the Commissioner may request an entity or entities involved in certain ‘high privacy risk’ activities, such as the use of facial recognition technology, to provide evidence of the steps taken to meet their compliance obligations. As a matter of best practice, the OAIC may also encourage the use of external auditors to verify compliance in these circumstances.

7.18       More broadly, it is not possible for the OAIC to check compliance economy-wide, which means regulatory action can be reactive. Accreditation can be a proactive and effective way to verify that an entity is compliant with regulatory requirements to prevent harms, without direct intervention from the regulator. For example, under the CDR, any person who wishes to receive CDR data to provide products or services to consumers under the CDR regime must be accredited. Further, demonstrating accountability through accreditation promotes consumer confidence. It shifts some of the burden that is currently on individuals to assess and verify an entity’s privacy and security credentials to the entities seeking accreditation. An accreditation can be relied on by a consumer in deciding whether to trust one business over another.

7.19       There may be value in the future for the Privacy Act to make provision for a similar accreditation or audit model that could apply to entities seeking to engage in other high privacy risk activities and/or sectors that were specified in the Act or through delegated legislation.   

7.20       The OAIC considers that a holistic, demonstrable and ongoing approach to privacy management is central to meeting the requirements of APP 1 and implementing a ‘privacy by design’ and ‘privacy by default’ approach. The focus for all regulated entities should be on the quality, reliability and verifiability of a holistic and ongoing privacy management framework that addresses privacy risks throughout the information handling lifecycle. The OAIC’s Privacy Management Framework sets out the steps that entities can take to establish a privacy management framework and meet their ongoing compliance obligations.

7.21       A central component of a privacy management program is a process for conducting privacy impact assessments, which are critical to facilitating a ‘privacy by design’ and ‘privacy by default’ approach. For clarity, the OAIC recommends that the Explanatory Memorandum that will accompany the amending Bill notes that an ongoing and demonstrable privacy management program, which includes conducting privacy impact assessments where appropriate, is central to facilitating a ‘privacy by design’ and ‘privacy by default’ approach. 

7.22       The objective of enhancing accountability of APP entities for their personal information handling practices is similarly supported by the requirement to appoint a privacy officer or privacy officers. A privacy officer is the first point of contact for privacy matters within an entity and is responsible for ensuring day-to-day operational privacy activities are undertaken. Appointing a privacy officer is a key governance measure to foster a culture of respect for privacy and the value of personal information.

Recommendation 42 – Amend APP 1 to include express accountability requirements for all regulated entities. At a minimum, APP 1 should require entities to:

  • take reasonable steps, and demonstrate those reasonable steps, to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP code under APP 1.2
  • implement, and be able to demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default’ approach
  • provide the Commissioner, on request, with evidence of the steps taken to ensure compliance with the APPs and any registered APP code, and to implement a ‘privacy by design’ and ‘privacy by default’ approach, and
  • appoint a privacy officer or privacy officers and ensure that privacy officer functions are undertaken.

Recommendation 43 – Include a note in the explanatory memorandum that will accompany the amending Bill that an ongoing and demonstrable, comprehensive privacy management program, which includes conducting privacy impact assessments where appropriate, is central to facilitating a ‘privacy by design’ and ‘privacy by default’ approach. 

Accountability in relation to ‘purpose’

7.23       Under APP 5.2, entities must notify individuals of, amongst other things, the purposes for which the entity collects the personal information. This includes the primary purpose of collection, that is, the specific function or activity for which particular personal information is collected.

7.24       The purposes of collection is relevant to how the information may be subsequently used and disclosed and if an entity seeks to rely on the ‘reasonable expectations’ exception in APP 6.2(a) to authorise a secondary purpose. However, there is no requirement in APP 3, which deals with the collection of personal information, for entities to identify and record, at or before the time of collection, the purposes for which they handle personal information.

7.25       A requirement to record information in this way would assist entities to ensure that they have a clear and specific purpose in mind for the subsequent handling of the information. It would encourage entities to consider the purposes of collecting the information earlier and not just in the context of the notification requirements in APP 5, which is consistent with a ‘privacy by design’ approach to privacy compliance. It would also assist entities to formulate and document the information they must provide to individuals through their APP 1 privacy policy and APP 5 notices.

7.26       Accordingly, to support the accountability requirements in APP 1, the OAIC recommends that APP 3 is amended to expressly require entities to determine, at or before the time of collection, each of the purposes for which the information is to be collected, used or disclosed and to record those purposes.[172]

Recommendation 44 – Amend APP 3 to expressly require entities to determine, at or before the time of collection, each of the purposes for which the information is to be collected, used or disclosed and to record those purposes.

Certification

51.     What would be the benefits of developing a domestic privacy certification scheme, in addition to implementing the CBPR system?

7.27       The OAIC supports the introduction of an independent third-party certification scheme. Privacy certification schemes have a role to play in facilitating overseas transfers of personal information. However, an independent certification mechanism could also significantly increase the transparency of organisations’ data practices by enabling Australians to quickly assess the level of data protection offered by an APP entity, as noted in the ACCC’s Digital Platforms Inquiry final report.[173]

7.28       The OAIC considers that an independent third-party certification scheme could assist in ensuring that regulated entities are meeting their obligations under the Privacy Act without the need to substantially increase regulatory action. It also provides consumers with evidence-based information about the privacy credentials of entities with which they may engage.

7.29       There are benefits for entities that obtain certification as well. For example, certified entities may obtain a competitive advantage over non-certified entities. Additionally, certification may assist entities to mitigate against potential enforcement action by creating effective safeguards to address risks around personal information handling activities.

7.30       Several jurisdictions around the world, including Japan,[174] New Zealand[175] and Singapore[176] have implemented privacy certification schemes. While these schemes differ in their nature, scope and requirements, they ultimately enable entities that meet the relevant requirements and certification criteria to display a ‘seal’ or ‘trustmark’ as evidence of certification. The GDPR also makes provision for the introduction of data protection certification mechanisms, including data protection seals and marks, at both the member-state level or at the European Union level for the purposes of demonstrating compliance with the requirements of the GDPR.[177]

7.31       Additionally, the APEC CBPR System operates as a regional certification scheme and requires certified businesses to demonstrate compliance with a commonly understood set of privacy standards. The APEC Joint Oversight Panel of the Data Privacy Subgroup endorsed Australia’s application to participate in the CBPR System in 2018.

7.32       The OAIC considers that there are benefits to implementing a domestic privacy certification scheme in addition to the CBPR System.

7.33       As noted in the Issues Paper, some participating economies in the CBPR System also maintain a domestic certification scheme, including Singapore’s Data Protection Trustmark and Japan’s Privacy Mark. Additionally, the CBPR System is focussed on facilitating overseas transfers by ‘controllers’ of personal information, so certification will likely only be relevant and feasible for those entities with significant cross-border disclosure practices to participating economies.[178] A domestic privacy certification scheme could operate to certify a wide range of personal information handling activities or circumstances against the broader requirements of the APPs.

Key issues for consideration for a new certification scheme

Voluntary or mandatory scheme

7.34       The Issues Paper notes that a key issue for an Australian certification scheme is whether it should be voluntary or mandatory. The OAIC considers that a domestic privacy certification scheme should be voluntary for APP entities. However, it may be necessary in the future to consider whether mandatory certification or accreditation requirements should be required for certain high privacy risk activities, such as the use of facial recognition technology, or sectors of the economy.

7.35       Internationally, most existing privacy certifications are voluntary, including the CBPR system, certification schemes in Japan, Singapore and New Zealand, and the GDPR’s data protection certification scheme.

7.36       A voluntary scheme would also reduce some of the concerns raised by submitters to the ACCC’s Digital Platforms Inquiry that a mandatory certification scheme would carry significant compliance costs and likely be cost-prohibitive for smaller APP entities.

Scope of the scheme

7.37       Another key issue is whether a certification scheme should be broad or narrow. That is, should entities be able to seek enterprise-wide certification or should certification be limited to certain specific products, data types or business processes.

7.38       Under the CBPR system, the scope of the certification is flexible and is determined by the organisation wishing to obtain a certification to participate in the CBPR system.

7.39       The OAIC considers that a domestic certification scheme should enable entities to seek enterprise-wide certification for all of its operations, or certification for specific products, data types or business processes. This will help to ensure that the scheme is flexible and scalable for APP entities of different sizes and with different personal-information handling activities.

Certification criteria

7.40       Certification criteria forms an integral part of any certification mechanism. The Issues Paper notes that developing a privacy certification scheme requires consideration of whether criteria should be based on regional standards, such as the requirements of the CBPR, or standards that have been developed by a private standard-setting organisation.

7.41       The OAIC considers that certification criteria should maintain and build upon the protections and obligations set out in the Privacy Act and reflect community expectations of privacy.

7.42       As highlighted in the ACCC’s DPI report, a domestic certification scheme will need to take into account the broader reforms to Australia’s privacy regulatory framework. Accordingly, the underlying privacy regulatory framework will need to be settled before key elements like certification criteria can be designed in more detail.

7.43       The Issues Paper also highlights that another consideration is the extent to which a certification scheme could operate consistently with existing accreditations in Australia that incorporate privacy safeguard requirements, such as the CDR and the proposed Data Availability and Transparency scheme. The OAIC agrees that a privacy certification should be interoperable with existing Australian accreditations to the extent possible, in order to minimise the fragmentation of privacy certifications and accreditations for which regulated entities may wish to apply.

7.44       Guidance on general considerations for designing certification criteria may be drawn from the Certification Guidelines issued by the European Data Protection Board, which state that certification criteria should:

  • be uniform and verifiable
  • auditable in order to facilitate the evaluation of processing operations under the GDPR
  • be relevant to the business model of different entities (e.g. business to business and business to customer)
  • take into account and where appropriate be interoperable with other standards (such as ISO standards), and
  • be flexible and scalable for application to different types and sizes of organisations.[179]
Role of the OAIC

7.45       The key participants, and the functions of those participants in other existing certification schemes, can be broadly described as follows:

  • a certification or assessment body that assesses and approves applications from entities seeking certification
  • a body that accredits certification or assessment bodies
  • entities seeking certification.

7.46       The role of the regulator in these activities varies across international jurisdictions. For instance, in Singapore the data protection authority is involved in accrediting assessment/certification bodies and in New Zealand, the Privacy Commissioner’s Office is responsible for issuing certifications directly. However, as noted above, the nature, scope and requirements of these schemes differ significantly.

7.47       The OAIC suggests it would be preferable for an independent third party to administer the scheme to ensure the functional independence of the OAIC. As an independent, statutory regulator, the OAIC is concerned to ensure both the fact and perception of independence are maintained by retaining separation between the certification of entities and the broader regulation of the scheme. The OAIC suggests further consideration could be given, as part of the implementation process, to whether there is a current government body that could undertake the certification function.

7.48       The GDPR does not make the issuance of certifications a mandatory task of the supervisory authorities. Instead, it provides for a number of different models which enable a supervisory authority to decide to, for example, issue certification itself, in respect of its own certification scheme; create its own certification scheme and entrust certification bodies with the certification procedure which issue the certification; or encourage the market to develop certification mechanisms.

7.49       The OAIC considers that the model adopted by the UK ICO could be adopted for a domestic privacy certification scheme. Specifically, in the UK, the certification framework will involve:

  • the ICO publishing accreditation requirements for certification bodies to meet
  • the UK’s national accreditation body, UKAS, accrediting bodies and maintaining a public register
  • the ICO approving and publishing certification criteria
  • accredited certification bodies issuing certification against those criteria, and
  • controllers and processors applying for certification and using it to demonstrate compliance.

7.50       The OAIC should be identified as the scheme’s regulator for privacy breaches. It is important to note that any domestic certification scheme does not prove compliance but rather forms an element that can be used to demonstrate compliance. Accordingly, a domestic certification scheme should be carefully designed to ensure that it does not reduce the responsibility of APP entities for compliance with the Privacy Act, or fetter the OAIC’s discretion in the exercise of its regulatory powers.

Recommendation 45 – Introduce a domestic privacy certification scheme into Australia’s privacy framework. The certification scheme should:

  • be interoperable the APEC CPBR system and other relevant domestic accreditation or certification schemes
  • be voluntary across the economy generally, but may be made mandatory in relation to specific high privacy risk sectors or practices through an APP code or rules where appropriate
  • be flexible and enable entities to seek enterprise-wide certification for all of its operations, or certification for specific products, data types or business processes
  • enable the OAIC to develop and publish accreditation requirements for certification bodies and certification criteria for the scheme
  • ensure that an independent third party is responsible for appointing the accreditation body or bodies that will carry out audits of entities seeking certification and approving the use of a trust mark or seal and identify the OAIC as the scheme’s regulator for privacy breaches.

[163] Centre for Information Policy Leadership (CIPL) (May 2020) What Good and Effective Data Privacy Accountability Looks Like: Mapping Organisations’ Practices to the CIPL Accountability Framework [online document], CIPL, accessed 26 November 2020, 35.

[166] The OAIC has published a non-binding Privacy management framework guidance document that sets out the steps the Commissioner expects entities to take to meet their ongoing compliance obligations under APP 1.2.

[167] European Commission (n.d.) What does data protection ‘by design’ and ‘by default’ mean?, European Commission website, accessed 26 November 2020.

[168] European Data Protection Board (EDPB) (October 2020) Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [online document], EDPB, accessed 26 November 2020.

[170] Solove, Daniel J and Schwartz, P.M., “ALI Data Privacy: Overview and Black Letter Text” (January 24, 2020), (2020) UCLA Law Review, Vol. 68, pg 27 as cited in Leonard P (2020) Privacy harms, report to the OAIC, Data Synergies.

[171] A similar requirement can be found in cl 10 of Canada’s new privacy Bill C-11, which requires an organisation to, on request of the Commissioner, provide the Commissioner with access to the policies, practices and procedures that are included in its privacy management program.

[172] A similar requirement can be found in cl 12(3) of Canada’s new privacy Bill C-11, which requires an organisation to determine at or before the time of the collection of any personal information each of the purposes for which the information is to be collected, used or disclosed and record those purposes.

[173] Australian Competition and Consumer Commissioner, Digital Platforms Inquiry Final Report (June, 2019), 480.

[174] More information about Japan’s PrivacyMark System can be found at https://privacymark.org/

[175] More information about New Zealand’s Privacy Trust Mark can be found at https://www.privacy.org.nz/resources-2/applying-for-a-privacy-trust-mark/

[176] More information about Singapore’s Data Protection Trustmark can be found at https://www.imda.gov.sg/programme-listing/data-protection-trustmark-certification

[177] Articles 42, 43 and Recital 100 of the GDPR. At the time of writing, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates.

[178] There are currently nine participating economies in the CBPR system: USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei and the Phillippines.

[179] European Data Protection Board (EDPB) (June 2019) Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation [online document], EDPB, accessed 26 November 2020.