Opening Address, Australian Government Agencies Privacy Code Seminar

28 November 2017
Tags: privacy Australian Government Agencies Privacy Code Open Government National Action Plan data breaches Timothy Pilgrim

Presentation by Australian Information Commissioner and Privacy Commissioner, Timothy Pilgrim, at the Australian Government Agencies Privacy Code Seminar on 28 November 2017 in Canberra.

The Australian Information and Privacy Commissioner and other OAIC representatives presented an overview of the requirements of the Code, and highlighted the range of resources that will be available to support agencies. The event also included a panel session, where representatives from the Attorney-General’s Department, the Department of Human Services, the Department of Immigration and Border Protection, and the Australian Bureau of Statistics shared the current privacy initiatives within their agencies, and the ways in which they are preparing for the implementation of the Code.

Good morning everyone.

I would first like to acknowledge the Ngunnawal people as the traditional custodians of this land, and pay my respects to elders past and present.

Welcome to the OAIC’s seminar on the Australian Government Agencies Privacy Code.

As I am sure you are aware, the Privacy Code was registered in late October, after we had the opportunity to review and incorporate feedback on the initial draft released in June.

Many of you were therefore likely involved in the development of the Code, either by a submission during consultation or through conversations over the phone or by email. So thank you again to those who did engage with us on this.

This collaboration continues as we move towards the commencement of the Code on the 1st of July next year. And today, our focus will be on implementation.

We will be showcasing and discussing a variety of resources we have developed to assist you in putting the obligations of the Code into practice.

We will also be hearing from representatives from

  • the Department of Immigration and Border Protection
  • the Attorney-General’s Department
  • the Australian Bureau of Statistics
  • and the Department of Human Services — to provide their insights into how they currently implement some of the key privacy governance mechanisms formalised by the Code.

But before going any further, I will first address one change to the Code that followed consultation.

The name of the Code has changed since the initial draft.

The Code is registered as The Privacy (Australian Government Agencies — Governance) APP Code 2017.

We found that this name more adequately captured the scope of the Code’s application to all public sector entities with existing obligations under the Australian Privacy Act.

Also, the shift in naming from ‘APS’ to ‘Government agencies’ reflects the fact that good privacy governance is a whole of agency exercise, not just a task for staff.

While the name has changed, the principles supported by the Code have not.

These are the principles of accountability and transparency in the management of personal information.

In today’s digital, globalised environment, demonstrating a commitment to these principles is essential to realising the Australian Government’s goals for data.

In 2016, the Government published Australia’s first Open Government National Action Plan.

One of the commitments made was to make more public data openly available, and support its use in various ways.

This includes using data to launch commercial and non-profit ventures, conduct research, make data-driven decisions and solve complex problems.

A year earlier, the Public Data Policy, which was released as part of the National Innovation and Science Agenda, committed Commonwealth Government entities to a similar goal — extending the value of public data for the benefit of the Australian public, and an ‘open access by default’ approach to non-sensitive data.

The potential for data collected by government to benefit the Australian community is well known.

It can be used to predict where services will be needed, identify gaps in existing services, further research, and lead to better-informed policy decisions.

But these benefits rely on Australians’ data being used and shared by government agencies.

Something which can only occur when Australians have confidence that their data is being managed and protected to the high standard they expect.

As shown in our Community Attitudes to Privacy surveys, Australians are generally open to the use of their data to realise the benefits of new technologies and digital services.

However, this is on the condition that privacy remains protected.

People’s overall discomfort with unexplained uses of their personal information was made apparent in the Survey.

86 per cent of Australians consider that the secondary use of their personal information is a misuse of that information.

Our survey then went on to ask about data sharing.

When asked the specific question ‘how comfortable or uncomfortable are you with government agencies sharing your information with other government agencies’ only 33 per cent of people were comfortable.

When the same question was asked in respect of private sector businesses, the figure drops to a mere 10 per cent.

However, when we put some context to the proposed use of that information we see a somewhat different response.

So in the 2017 survey we also asked about people’s level of comfort with their information being used by government agencies and departments for ‘research, service delivery development or policy development purposes’. And, when given some context for the use, 46 per cent of Australians said they were comfortable with the use of their personal information for such purposes.

This goes some way to support the view that by being transparent about the purposes for the use and demonstrating the social benefits to be derived, you can move to achieving the social licence so essential for data innovation.

But we aren’t necessarily there yet.

It is sobering to remember that these results also show that a further 21 per cent were neither uncomfortable nor comfortable, which represents a large potential swing vote that may be convinced when a case for the public benefit is made.

While 30 per cent remained somewhat uncomfortable to very uncomfortable.

In my view this, in part, shows that in addition to communicating the why of data use – there is a persistent need to demonstrate how you will protect personal information to build community confidence.

We also know that failing to meet privacy expectations already directly impacts the bottom line of private businesses.

In the same survey, 69 per cent of Australians said they are more concerned about their online privacy now than just five years ago.

83 per cent believe online environments are inherently risky to their privacy.

This perception informs their decision-making, and consequently, 58 per cent of Australians have walked away from a business due to privacy concerns.

This statistic has remained consistent over the past community surveys.

So, most often, where there is a perceived risk in the use of personal information, individuals will withdraw their support and, where possible, look for alternative options.

While that opportunity to “vote with your feet” is often not as directly applicable in public sector contexts – the opportunity to express concern through other methods, such as a lack of community buy-in, certainly is.

Without public support, and the social licence this creates, projects that involve personal data can struggle for public support.

Which means that demonstrating privacy best practice is essential to unlocking the benefits of data to government services, research, policy-making and more.

I have said many times before that privacy is not about secrecy – it is about transparency.

In an increasingly globalised data environment, where technologies that utilise personal data are rapidly developed and shared, transparency provides assurance that agencies are accountable for privacy protection.

And this assurance serves to build community confidence in the use and management of personal data. In this way, the principle of accountability supports data innovation.

We know there is room to build greater confidence in the public sector’s management of data.

In the 2017 Australian Community Attitudes to Privacy Survey, we also found that Australian Government agencies are in third place when ranked by net trustworthiness in personal information protection – behind both the health and the financial sector.

The Code is therefore one tool that can improve public trust – by demonstrating a high standard of privacy governance across all public sector entities.

Specifically, the Code will require agencies to:

  • Have a privacy management plan
  • Appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
  • Appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information
  • Undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives.

A project may be a high privacy risk project if the agency reasonably considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.

The Code also requires you to:

  • Keep a register of all PIAs conducted and publish this register, or a version of the register, on your website, and
  • Take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.

    The level and amount of privacy education or training that will be appropriate may differ between and within agencies, depending on the degree to which an agency’s staff members deal with personal information in the course of their employment.
  • Finally, there is the obligation to review and update your privacy practices, procedures and systems regularly; and, to monitor compliance with internal privacy practices, procedures, and systems regularly. This will include referring to your privacy policy and privacy notices.

These actions support compliance with Australian Privacy Principle 1.2, which since 2014 has required entities to implement technical and organisational measures to demonstrate compliance with the Privacy Act.

This means putting in place practices and processes that show how your agency has established and maintains the principles of the Act.

I stress that these principles must be integrated throughout your organisation. They must be applied to your software, hardware, and organisational practices – from the beginning of any project involving personal information, to its end.

In other words, your agency must develop an ethos of privacy by design, which has accountability at its centre. The Code’s governance obligations are key tools to achieve this, and the impending commencement is your organisation’s chance to embed them.

It’s also a timely opportunity to reflect on how the Code is in line with national and international developments in the field of personal data protection.

One major international development is the European Union’s General Data Protection Regulation, which commences in May next year, and which is of interest to all Australian organisations with EU trade and engagement.

Those familiar with GDPR requirements will know that many of them have similarity – in broad effect if not in strict form – with those provided for in the Code.

Examples of these include the requirement to appoint a data protection officer, and the requirement to conduct data protection impact assessments.

And without dwelling on the GDPR in detail my point, for now, is that the similarities between the GDPR and Australia’s privacy regulation show that the requirements of the Privacy Code are neither exceptional, nor unexpected.

In fact, these requirements follow a trajectory of privacy regulation that we are seeing unfold across the world.

In our own jurisdiction, mandatory data breach reporting will be established in a matter of months.

From the 22nd of February 2018, entities required to secure personal information under the Privacy Act will have obligations under the Notifiable Data Breaches scheme.

From that date forward, you must notify individuals affected by a data breach that is likely to result in serious harm. There is also an obligation to notify me as the Australian Information Commissioner.

This has the practical benefit of enabling individuals to take action to protect their personal information.

And, as a transparency measure, it reinforces organisations’ accountability for personal information, and encourages better personal information security across industries.

The OAIC’s Assistant Commissioner in Dispute Resolution, Andrew Solomon, will cover the NDB scheme in more detail later on – so we will be discussing more than one significant advancement in privacy regulation today.
So it’s fair to say that we have reached a global tipping point, where privacy and data protection management is changing to emphasise accountability and transparency in order to build consumer and community trust.

The Privacy Code provides practical tools to turn these principles into action. They are a few of the building blocks for building a risk-aware and risk-averse culture of privacy that is responsive to an evolving data environment.

And the good news is – most of you will already have the requirements of the Code in place, or governance structures in place which give you a head start on compliance. For you, the implementation of the Code will mean little net change.

For others, you may be thinking there is a lot of work to be done ahead of the 1st of July 2018. And indeed, if you are not implementing best practice currently, there will be some substantial work ahead.

The resources we are presenting today are the first in a series we are creating to assist you in getting compliance right.

So – a quick overview of what we will be covering today.

Melanie Drayton will present the:

  • Privacy Self-Assessment Tool and Privacy Management Plan template. These tools are designed to assist you in building a Privacy Management Plan that complies with the Code and is suitable to the circumstances of your agency
  • Privacy Officer Toolkit. This will serve as a holistic guide to meeting the privacy needs of your agency, and
  • A compliance checklist – to assist you in understanding the context of your data use

We will have a Q&A session after this presentation.

Then we will break for morning tea.

Following this, we will have a presentation on the Notifiable Data Breaches scheme, and then a panel session.

The Deputy Commissioner of the OAIC will be joined by:

  • Vidoshi Jana, from the Department of Immigration and Border Protection
  • Andrew Rice from the Attorney-General’s Department
  • Annette Musolino from the Department of Human Services; and
  • Lily Viertmann from the Australian Bureau of Statistics

And I want to thank each of them for their commitment and leadership at this event.

We will conclude with another Q&A session – your chance to ask anything you wanted to know about the Code but were afraid to.

Just a quick note on filming, you’ll see there is a camera here in the venue – but rest assured that it is recording my, Melanie’s and Andrew’s presentations only. The panel sessions and questions and answers will not be filmed.

So on that privacy positive note, thank you for joining us today, and for your commitment to creating a single, high standard of data protection for Australian Government agencies.

And now please welcome Melanie.