11 December 2020

7.1 Accountability is globally recognised as a key building block for effective privacy regulation and management.[163] While the concept of ‘accountability’ can mean different things in different contexts, for the present purposes, it can be described broadly as the different actions and controls that an entity must implement to comply, and demonstrate compliance, with the privacy regulatory framework.

7.2 As outlined in Part 5, it is important that reforms to privacy self-management mechanisms are complemented by appropriate organisational accountability obligations to ensure that the burden of understanding and consenting to complicated practices does not fall solely on individuals.

7.3 The concept of accountability focusses on whether a regulated entity has translated its privacy obligations into internal privacy management processes that are commensurate with, and scalable to, the risks and threats associated with its personal information handling activities. The specific measures an entity should implement as part of its privacy management program will necessarily depend on its particular circumstances, including size, resources and business model.

7.4 More broadly, while strong accountability mechanisms facilitate compliance with privacy obligations, they can also improve business productivity and help to develop more efficient business processes, for example, by providing certainty and confidence for employees around the appropriate way to handle personal information, reducing the number and cost of data breaches, and improving overall operational efficiencies.[164] Entities with established internal processes are also better able to anticipate and adapt to different business and regulatory changes, as well as to crisis situations.[165]

7.5 By embedding strong accountability measures, entities can build a reputation for strong and effective privacy management, which is essential to realising the benefits of the personal information they hold and meeting their corporate social responsibilities. Accountability enables entities to not only meet the expectations of regulators, but to build consumer trust and confidence in their personal information handling practices.

Accountability under the Privacy Act

7.6 Accountability is at the core of APP 1, which requires entities to manage personal information in an open and transparent way. APP 1 does this in two key ways:

  • by requiring entities to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs (APP 1.2), and
  • by requiring entities to have a clearly expressed and up to date APP privacy policy describing how it manages personal information (APP 1.3).

7.7 By complying with APP 1, entities will establish a culture and set of processes to assist with compliance with all the other APPs. In this way, APP 1 can be described as the ‘bedrock’ privacy principle.

7.8 However, unlike other data protection regimes with accountability requirements, APP 1 does not prescribe specific measures or practical steps that entities must take to ensure compliance with the APPs.[166] For instance, the OECD Guidelines require data controllers to be accountable for complying with measures which give effect to the basic data processing principles in the Guidelines.

7.9 Similarly, the GDPR has formally embedded accountability requirements into its data protection legislative framework with the inclusion of express obligations on data controllers to:

  • implement appropriate technical and organisational measures to ensure compliance with the GDPR (Article 24)
  • implement data protection by design and by default (Article 25)
  • maintain records of processing activities (Article 30)
  • carry out data protection impact assessments (Article 35)
  • designate a data protection officer (Article 37).

7.10 Domestically, the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Australian Government Agencies Privacy Code) sets out specific requirements and steps that Australian Government agencies must take as part of complying with APP 1.2. The Code requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management. In particular, the Code requires agencies to:

  • have a privacy management plan
  • appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
  • appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information
  • undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information
  • keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites
  • take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.

Recommended enhancements to APP 1

7.11 The OAIC considers that APP 1 should include express accountability requirements for all regulated entities. This will provide further clarity to entities about the steps they should take to meet their ongoing compliance obligations under APP 1, which will support increased trust in their information handling practices among individuals.

7.12 The OAIC recommends that the Privacy Act is amended to include similar accountability measures to those required under GDPR and the Australian Government Agencies Privacy Code. At a minimum, APP 1 should be amended to expressly require entities to:

  • take reasonable steps, and demonstrate those reasonable steps, to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP code under APP 1.2
  • implement, and be able to demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default’ approach
  • provide the Commissioner, on request, with evidence of the steps taken to ensure compliance with the APPs and any registered APP code, and to implement a ‘privacy by design’ and ‘privacy by default’ approach, and
  • appoint a privacy officer or privacy officers and ensure that privacy officer functions are undertaken.

7.13 The requirement under APP 1 to implement practices, procedures and systems to ensure compliance with the APPs implicitly requires a ‘privacy by design’ approach by APP entities. Essentially, ‘privacy by design’ is an approach where privacy compliance is designed into projects, activities and initiatives dealing with personal information right from the start, and then throughout the information lifecycle, rather than being bolted on afterwards.

7.14 A ‘privacy by default’ approach requires entities to ensure that, by default, personal information is handled with the highest privacy protections.[167] For example, a ‘privacy by default’ approach requires entities to design new projects, activities or initiatives to ensure that they only collect the minimum amount of personal information that is necessary for a specific purpose. This links to the obligations in APP 3 and APP 6, which, respectively, require entities to only collect personal information that is reasonably necessary for their functions and activities, and to only use and disclose personal information for the primary purpose for which it was collected (or a secondary purpose if an exception applies).

7.15 ‘Privacy by design’ and ‘privacy by default’ are complementary concepts, which mutually reinforce each other.[168] APP entities will be better placed to meet their privacy obligations under the Privacy Act by adopting a ‘privacy by design’ and ‘privacy by default’ approach to their personal information handling practices.

7.16 In some instances, the OAIC has also observed that entities have not fully or comprehensively documented the steps they have taken to ensure compliance with APP 1.2.[169] Accordingly, the requirement that entities must be able to demonstrate that they have taken reasonable steps to implement practices, procedures and systems to ensure compliance, and a ‘privacy by design’ and ‘privacy by default’ approach, will necessarily require entities to document their controls and activities, which adds accountability to the process.[170]

7.17 Similarly, the requirement to provide evidence, on request, of the steps taken to meet these requirements will ensure the OAIC is able to verify that entities are complying with their privacy obligations where appropriate in the circumstances.[171] For instance, the Commissioner may request an entity or entities involved in certain ‘high privacy risk’ activities, such as the use of facial recognition technology, to provide evidence of the steps taken to meet their compliance obligations. As a matter of best practice, the OAIC may also encourage the use of external auditors to verify compliance in these circumstances.

7.18 More broadly, it is not possible for the OAIC to check compliance economy-wide, which means regulatory action can be reactive. Accreditation can be a proactive and effective way to verify that an entity is compliant with regulatory requirements to prevent harms, without direct intervention from the regulator. For example, under the CDR, any person who wishes to receive CDR data to provide products or services to consumers under the CDR regime must be accredited. Further, demonstrating accountability through accreditation promotes consumer confidence. It shifts some of the burden that is currently on individuals to assess and verify an entity’s privacy and security credentials to the entities seeking accreditation. An accreditation can be relied on by a consumer in deciding whether to trust one business over another.

7.19 There may be value in the future for the Privacy Act to make provision for a similar accreditation or audit model that could apply to entities seeking to engage in other high privacy risk activities and/or sectors that were specified in the Act or through delegated legislation.

7.20 The OAIC considers that a holistic, demonstrable and ongoing approach to privacy management is central to meeting the requirements of APP 1 and implementing a ‘privacy by design’ and ‘privacy by default’ approach. The focus for all regulated entities should be on the quality, reliability and verifiability of a holistic and ongoing privacy management framework that addresses privacy risks throughout the information handling lifecycle. The OAIC’s Privacy Management Framework sets out the steps that entities can take to establish a privacy management framework and meet their ongoing compliance obligations.

7.21 A central component of a privacy management program is a process for conducting privacy impact assessments, which are critical to facilitating a ‘privacy by design’ and ‘privacy by default’ approach. For clarity, the OAIC recommends that the Explanatory Memorandum that will accompany the amending Bill notes that an ongoing and demonstrable privacy management program, which includes conducting privacy impact assessments where appropriate, is central to facilitating a ‘privacy by design’ and ‘privacy by default’ approach.

7.22 The objective of enhancing accountability of APP entities for their personal information handling practices is similarly supported by the requirement to appoint a privacy officer or privacy officers. A privacy officer is the first point of contact for privacy matters within an entity and is responsible for ensuring day-to-day operational privacy activities are undertaken. Appointing a privacy officer is a key governance measure to foster a culture of respect for privacy and the value of personal information.

Recommendation 42 Amend APP 1 to include express accountability requirements for all regulated entities. At a minimum, APP 1 should require entities to:

  • take reasonable steps, and demonstrate those reasonable steps, to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP code under APP 1.2
  • implement, and be able to demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default’ approach
  • provide the Commissioner, on request, with evidence of the steps taken to ensure compliance with the APPs and any registered APP code, and to implement a ‘privacy by design’ and ‘privacy by default’ approach, and
  • appoint a privacy officer or privacy officers and ensure that privacy officer functions are undertaken.

Recommendation 43 Include a note in the explanatory memorandum that will accompany the amending Bill that an ongoing and demonstrable, comprehensive privacy management program, which includes conducting privacy impact assessments where appropriate, is central to facilitating a ‘privacy by design’ and ‘privacy by default’ approach.

Accountability in relation to ‘purpose’

7.23 Under APP 5.2, entities must notify individuals of, amongst other things, the purposes for which the entity collects the personal information. This includes the primary purpose of collection, that is, the specific function or activity for which particular personal information is collected.

7.24 The purposes of collection are relevant to how the information may be subsequently used and disclosed and if an entity seeks to rely on the ‘reasonable expectations’ exception in APP 6.2(a) to authorise a secondary purpose. However, there is no requirement in APP 3, which deals with the collection of personal information, for entities to identify and record, at or before the time of collection, the purposes for which they handle personal information.

7.25 A requirement to record information in this way would assist entities to ensure that they have a clear and specific purpose in mind for the subsequent handling of the information. It would encourage entities to consider the purposes of collecting the information earlier and not just in the context of the notification requirements in APP 5, which is consistent with a ‘privacy by design’ approach to privacy compliance. It would also assist entities to formulate and document the information they must provide to individuals through their APP 1 privacy policy and APP 5 notices.

7.26 Accordingly, to support the accountability requirements in APP 1, the OAIC recommends that APP 3 is amended to expressly require entities to determine, at or before the time of collection, each of the purposes for which the information is to be collected, used or disclosed and to record those purposes.[172]

Recommendation 44 Amend APP 3 to expressly require entities to determine, at or before the time of collection, each of the purposes for which the information is to be collected, used or disclosed and to record those purposes.

Certification

51. What would be the benefits of developing a domestic privacy certification scheme, in addition to implementing the CBPR system?

7.27 The OAIC supports the introduction of an independent third-party certification scheme. Privacy certification schemes have a role to play in facilitating overseas transfers of personal information. However, an independent certification mechanism could also significantly increase the transparency of organisations’ data practices by enabling Australians to quickly assess the level of data protection offered by an APP entity, as noted in the ACCC’s Digital Platforms Inquiry final report.[173]

7.28 The OAIC considers that an independent third-party certification scheme could assist in ensuring that regulated entities are meeting their obligations under the Privacy Act without the need to substantially increase regulatory action. It also provides consumers with evidence-based information about the privacy credentials of entities with which they may engage.

7.29 There are benefits for entities that obtain certification as well. For example, certified entities may obtain a competitive advantage over non-certified entities. Additionally, certification may assist entities to mitigate against potential enforcement action by creating effective safeguards to address risks around personal information handling activities.

7.30 Several jurisdictions around the world, including Japan,[174] New Zealand[175] and Singapore,[176] have implemented privacy certification schemes. While these schemes differ in their nature, scope and requirements, they ultimately enable entities that meet the relevant requirements and certification criteria to display a ‘seal’ or ‘trustmark’ as evidence of certification. The GDPR also makes provision for the introduction of data protection certification mechanisms, including data protection seals and marks, at both the member-state level and the European Union level for the purposes of demonstrating compliance with the requirements of the GDPR.[177]

7.31 Additionally, the APEC CBPR System operates as a regional certification scheme and requires certified businesses to demonstrate compliance with a commonly understood set of privacy standards. The APEC Joint Oversight Panel of the Data Privacy Subgroup endorsed Australia’s application to participate in the CBPR System in 2018.

7.32 The OAIC considers that there are benefits to implementing a domestic privacy certification scheme in addition to the CBPR System.

7.33 As noted in the Issues Paper, some participating economies in the CBPR System also maintain a domestic certification scheme, including Singapore’s Data Protection Trustmark and Japan’s Privacy Mark. Additionally, the CBPR System is focussed on facilitating overseas transfers by ‘controllers’ of personal information, so certification will likely only be relevant and feasible for those entities with significant cross-border disclosure practices to participating economies.[178] A domestic privacy certification scheme could operate to certify a wide range of personal information handling activities or circumstances against the broader requirements of the APPs.

Key issues for consideration for a new certification scheme

Voluntary or mandatory scheme

7.34 The Issues Paper notes that a key issue for an Australian certification scheme is whether it should be voluntary or mandatory. The OAIC considers that a domestic privacy certification scheme should be voluntary for APP entities. However, it may be necessary in the future to consider whether mandatory certification or accreditation requirements should be required for certain high privacy risk activities, such as the use of facial recognition technology, or sectors of the economy.

7.35 Internationally, most existing privacy certifications are voluntary, including the CBPR system, certification schemes in Japan, Singapore and New Zealand, and the GDPR’s data protection certification scheme.

7.36 A voluntary scheme would also reduce some of the concerns raised by submitters to the ACCC’s Digital Platforms Inquiry that a mandatory certification scheme would carry significant compliance costs and likely be cost-prohibitive for smaller APP entities.

Scope of the scheme

7.37 Another key issue is whether a certification scheme should be broad or narrow. That is, should entities be able to seek enterprise-wide certification or should certification be limited to certain specific products, data types or business processes.

7.38 Under the CBPR system, the scope of the certification is flexible and is determined by the organisation wishing to obtain a certification to participate in the CBPR system.

7.39 The OAIC considers that a domestic certification scheme should enable entities to seek enterprise-wide certification for all of their operations, or certification for specific products, data types or business processes. This will help to ensure that the scheme is flexible and scalable for APP entities of different sizes and with different personal-information handling activities.

Certification criteria

7.40 Certification criteria form an integral part of any certification mechanism. The Issues Paper notes that developing a privacy certification scheme requires consideration of whether criteria should be based on regional standards, such as the requirements of the CBPR, or standards that have been developed by a private standard-setting organisation.

7.41 The OAIC considers that certification criteria should maintain and build upon the protections and obligations set out in the Privacy Act and reflect community expectations of privacy.

7.42 As highlighted in the ACCC’s DPI report, a domestic certification scheme will need to take into account the broader reforms to Australia’s privacy regulatory framework. Accordingly, the underlying privacy regulatory framework will need to be settled before key elements like certification criteria can be designed in more detail.

7.43 The Issues Paper also highlights that another consideration is the extent to which a certification scheme could operate consistently with existing accreditations in Australia that incorporate privacy safeguard requirements, such as the CDR and the proposed Data Availability and Transparency scheme. The OAIC agrees that a privacy certification should be interoperable with existing Australian accreditations to the extent possible, in order to minimise the fragmentation of privacy certifications and accreditations for which regulated entities may wish to apply.

7.44 Guidance on general considerations for designing certification criteria may be drawn from the Certification Guidelines issued by the European Data Protection Board, which state that certification criteria should:

  • be uniform and verifiable
  • be auditable in order to facilitate the evaluation of processing operations under the GDPR
  • be relevant to the business model of different entities (e.g. business to business and business to customer)
  • take into account and where appropriate be interoperable with other standards (such as ISO standards), and
  • be flexible and scalable for application to different types and sizes of organisations.[179]

Role of the OAIC

7.45 The key participants, and the functions of those participants in other existing certification schemes, can be broadly described as follows:

  • a certification or assessment body that assesses and approves applications from entities seeking certification
  • a body that accredits certification or assessment bodies
  • entities seeking certification.

7.46 The role of the regulator in these activities varies across international jurisdictions. For instance, in Singapore the data protection authority is involved in accrediting assessment/certification bodies and in New Zealand, the Privacy Commissioner’s Office is responsible for issuing certifications directly. However, as noted above, the nature, scope and requirements of these schemes differ significantly.

7.47 The OAIC suggests it would be preferable for an independent third party to administer the scheme to ensure the functional independence of the OAIC. As an independent, statutory regulator, the OAIC is concerned to ensure both the fact and perception of independence are maintained by retaining separation between the certification of entities and the broader regulation of the scheme. The OAIC suggests further consideration could be given, as part of the implementation process, to whether there is a current government body that could undertake the certification function.

7.48 The GDPR does not make the issuance of certifications a mandatory task of the supervisory authorities. Instead, it provides for a number of different models which enable a supervisory authority to decide to, for example, issue certification itself, in respect of its own certification scheme; create its own certification scheme and entrust certification bodies with the certification procedure which issue the certification; or encourage the market to develop certification mechanisms.

7.49 The OAIC considers that the model adopted by the UK ICO could be adopted for a domestic privacy certification scheme. Specifically, in the UK, the certification framework will involve:

  • the ICO publishing accreditation requirements for certification bodies to meet
  • the UK’s national accreditation body, UKAS, accrediting bodies and maintaining a public register
  • the ICO approving and publishing certification criteria
  • accredited certification bodies issuing certification against those criteria, and
  • controllers and processors applying for certification and using it to demonstrate compliance.

7.50 The OAIC should be identified as the scheme’s regulator for privacy breaches. It is important to note that any domestic certification scheme does not prove compliance but rather forms an element that can be used to demonstrate compliance. Accordingly, a domestic certification scheme should be carefully designed to ensure that it does not reduce the responsibility of APP entities for compliance with the Privacy Act, or fetter the OAIC’s discretion in the exercise of its regulatory powers.

Recommendation 45 Introduce a domestic privacy certification scheme into Australia’s privacy framework. The certification scheme should:

  • be interoperable with the APEC CBPR system and other relevant domestic accreditation or certification schemes
  • be voluntary across the economy generally, but may be made mandatory in relation to specific high privacy risk sectors or practices through an APP code or rules where appropriate
  • be flexible and enable entities to seek enterprise-wide certification for all of their operations, or certification for specific products, data types or business processes
  • enable the OAIC to develop and publish accreditation requirements for certification bodies and certification criteria for the scheme
  • ensure that an independent third party is responsible for appointing the accreditation body or bodies that will carry out audits of entities seeking certification and approving the use of a trust mark or seal, and
  • identify the OAIC as the scheme’s regulator for privacy breaches.

Footnotes

[163] Centre for Information Policy Leadership (CIPL) (May 2020) What Good and Effective Data Privacy Accountability Looks Like: Mapping Organisations’ Practices to the CIPL Accountability Framework [online document], CIPL, accessed 26 November 2020, 35.

[166] The OAIC has published a non-binding Privacy management framework guidance document that sets out the steps the Commissioner expects entities to take to meet their ongoing compliance obligations under APP 1.2.

[167] European Commission (n.d.) What does data protection ‘by design’ and ‘by default’ mean?, European Commission website, accessed 26 November 2020.

[168] European Data Protection Board (EDPB) (October 2020) Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [online document], EDPB, accessed 26 November 2020.

[170] Solove, Daniel J and Schwartz, P.M., “ALI Data Privacy: Overview and Black Letter Text” (January 24, 2020), (2020) UCLA Law Review, Vol. 68, pg 27 as cited in Leonard P (2020) Privacy harms, report to the OAIC, Data Synergies.

[171] A similar requirement can be found in cl 10 of Canada’s new privacy Bill C-11, which requires an organisation to, on request of the Commissioner, provide the Commissioner with access to the policies, practices and procedures that are included in its privacy management program.

[172] A similar requirement can be found in cl 12(3) of Canada’s new privacy Bill C-11, which requires an organisation to determine at or before the time of the collection of any personal information each of the purposes for which the information is to be collected, used or disclosed and record those purposes.

[173] Australian Competition and Consumer Commission, Digital Platforms Inquiry Final Report (June, 2019), 480.

[174] More information about Japan’s PrivacyMark System can be found at https://privacymark.org/

[175] More information about New Zealand’s Privacy Trust Mark can be found at https://www.privacy.org.nz/resources-2/applying-for-a-privacy-trust-mark/

[176] More information about Singapore’s Data Protection Trustmark can be found at https://www.imda.gov.sg/programme-listing/data-protection-trustmark-certification

[177] Articles 42, 43 and Recital 100 of the GDPR. At the time of writing, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates.

[178] There are currently nine participating economies in the CBPR system: USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei and the Philippines.

[179] European Data Protection Board (EDPB) (June 2019) Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation [online document], EDPB, accessed 26 November 2020.