Privacy Commissioner speech at the iaapANZ summit 25 November 2013

November 26, 2013 |

For those interested in gauging the approach of the Privacy Commissioner to his use of soon to be newly acquired enforcement powers his utterances leading up to 12 March 2014 will be a reasonable starting point.  Better will be the prosecution guidelines and final guidelines for the Australian Privacy Principles and the Credit Reporting Code.

His speech to the iaapANZ summit is found here and provides:

Good morning.

I would like to acknowledge the Traditional owners of the land that we meet on today, the Gadigal people of the Eora Nation, and pay my respects to their elders both past and present.

Today, I am going to talk about the privacy law reforms that are due to commence on 12 March 2014, or what I have used as a title for today’s presentation ‘Privacy Reform — Act Three’. The first two Acts being the enactment of the Privacy Act in 1988 to cover the federal public sector, and the extension of the Act to cover much of the private sector.

And now we are just four months out from Act Three — the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Over the last 12 months, I have spent a lot of time outlining and discussing various aspects of the reforms, focusing on the Australian Privacy Principles (or APPs), changes in credit reporting and enhanced enforcement powers.

However, today I want to cut to the chase and address some of the questions that have emerged in submissions on the APP Guidelines and recent meetings I have held with organisations and industry groups.

These questions can be categorised into four key issues:

  • First, the OAIC’s approach to enforcement, come 12 March 2014
  • Second, the drafting style of our guidance and our interpretation of the new laws
  • Third, the impact of the delay in finalising key documents such as the APP guidelines
  • Fourth, where to after 12 March

Act 1 to Act 3

But first, indulge me with a concise history of privacy law in Australia — a story in three Acts that will be familiar to many of you.

Act 1 starts in the 1970s and early 1980s, with the articulation of privacy as information handling principles in the OECD Guidelines governing the protection of privacy and transborder flows.

These Guidelines were developed by the OECD Expert Group on Privacy Principles headed by the Hon. Michael Kirby, who is here today. The Guidelines influenced the development of the Privacy Act 1988 that, while enshrining the OECD principles in domestic law, importantly also gave effect to Australia’s commitments as a party to the International Covenant on Civil and Political Rights — reinforcing privacy as a human right.

When first enacted, the Privacy Act only included the Information Privacy Principles (or IPPs) that regulate Australia’s federal public sector, but very shortly after was amended to introduce the Credit reporting provisions, the Act’s first foray into private sector regulation.

Act 2, coming a little over 10 years later, saw many of these concepts extended to the private sector (and for those of us with the corporate memory going back to 1998, with the support of much of the private sector). At this time a second set of principles, the National Privacy Principles, were developed and implemented. Both sectors were now covered by the Privacy Act, with some not uncontroversial exemptions.

The latest Act, Act 3, retains many of the benefits of the original Act, including its technology-neutral and principles-based approach. However, the reforms include some significant changes, such as one set of principles, the APPs, enhanced code making powers to support the technological neutrality of the Act, and of course additional regulatory and enforcement powers. Hopefully this will take us a step closer to national consistency in privacy regulation.

This latest Act is a natural and very welcome development and I look forward to seeing how of these changes contribute to the protection of personal information in Australia.

But don’t expect a final Act. As the last 25 years has shown us, privacy is a dynamic concept, and as technology changes this is truer than ever.

One aspect that is remaining constant in this story though is the community’s views on their privacy. We have heard repeatedly over the last 40 years that privacy is ‘dead’ and we should ‘get over it’. However, as our series of community attitudes survey results suggest, as technology advances and provides for greater collection of peoples’ personal information, people are increasingly looking for ways to ensure they maintain control over what happens to the personal information.

Our 2013 Community Attitudes to Privacy Survey reaffirms this.

  • 33% of Australians reported that they had a problem with how their personal information was handled in the last 12 months
  • 48% of Australians reported that they believe that online services, including social media, now pose the greatest privacy risk
  • Only 9% believe social media sites are trustworthy
  • 74% of Australians reported they were more concerned about providing information via the internet than they were two years earlier, and
  • 60% have decided not to deal with an organisation because of concerns about privacy.

Clearly, the need for privacy regulation is as important as ever and is clearly an established community expectation.

Privacy regulation post-March 2014

So what will privacy regulation look like post-March 2014?

From the first day of operation, the privacy reforms will provide me with new enforcement powers and remedies in relation to own motion investigations — those that commence as a result of my own initiative rather than as a result of a complaint from an individual.

I will be able to make a determination (as I can already with a complaint lodged by an individual), accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

I will also be able to conduct Performance Assessments of private sector organisations to determine whether they are handling personal information in accordance with the new APPs, the new credit reporting provisions and other rules and codes.

The power will consolidate the existing discretion I have to conduct audits of Australian Government Agencies, tax file number recipients, credit reporting agencies, credit providers and extend it to include private sector organisations. There has been a power in the current Act to allow me to audit a private sector organisation by invitation; however, it seems organisations have been too shy to extend such an invitation up to now.  So from 12 March I’ll be able to invite myself in.

These assessments may be conducted at any time, whether the organisation has had a previous Privacy breach or not.

I will also have enhanced code making powers that will allow me to approve and register enforceable codes which are developed by entities, on their own initiative or on request from the Commissioner, or by the Commissioner directly.

Regulatory approach

Not surprisingly then, one of the most common questions is what my approach will be to these new enforcement powers.

Of course, our regulatory approach will be informed primarily by the Privacy Act, but we will also have regard to a series of resources we are developing to provide guidance about when and how we will take enforcement action.

These will be internal operational documents, providing advice and guidance to OAIC staff regulating all aspects of the reformed Privacy Act. However, these documents will be available on our website once they are complete. We anticipate that you find them useful, as they will provide practical and relevant information about the OAIC’s regulatory approach.

Central to the OAIC’s enforcement activity is an ‘enforcement pyramid’ approach to regulation. For example, in the first instance, in the case of individual complaints we would expect to see a person try to resolve a matter with the organisation first. If a matter is accepted by us, we will always attempt to resolve issues through mutual agreement, conciliation. However, in the event that this is not effective, we will not hesitate in using our other tools to resolve a matter, including determinations, enforceable undertakings or in the case of serious or repeated breaches, civil penalties.

This is consistent with our current approach. As I have been telling businesses and government since I became Privacy Commissioner in mid-2010, my focus will always be on resolving the majority of complaints via conciliation. However, I will not shy away from using new and existing powers where it is appropriate to do so. My publication of reports into major breaches is an example of this.

I have been asked whether I will I be taking a ‘softly, softly’ approach after implementation of the reforms. Well, I have never been known to be subtle so the answer to that question is probably ‘no’. Now before people get too excited about the bluntness of that response remember that I said I would always start by trying to resolve matters through conciliation. But please do not interpret conciliation to mean softly, softly.

APP Guidelines

Since the Privacy Amendment Act passed in November last year the OAIC has been working on producing guidance to assist business, government and individuals with the transition to the new laws.

You would be familiar with the guidance that we have released so far, including the APP quick reference tool, the APP/NPP comparison guide, compliance checklists as well as a number of other resources.

We have also been working with the Australian Retail Credit Association (ARCA) on the credit reporting code, which will be an important tool. This has been a big task for our Office and I am pleased to say that it is nearing completion — all the substantive issues have been addressed and we are expecting to receive the final amended version from ARCA before Christmas.

Of course, one of the major changes under the reforms is the introduction of a single set of privacy principles, replacing the existing NPPs and IPPs. The APPs are structured to more closely reflect the information lifecycle — from openness and transparency in personal information handling practices, collection, notification and through to use and disclosure, quality and security, to access and correction. They aim to simplify privacy obligations and reduce confusion and duplication.

Our Office is also currently working on producing the Guidelines to the APPs. The first two consultation processes, addressing the preliminary chapters and APPs 1­ to 11, have been completed. The third stage of consultation, addressing APPs 12 and 13, is currently underway, and submissions are due by 16 December 2013. If you are interested in making a submission, more information is available on the OAIC website.

We have received a great and largely positive response to this consultation process, and there have been a large number of submissions that address specific areas of the Guidelines where business, agencies and peak bodies would like further information or clarification.

The submissions are still being assessed, but a few examples useful feedback that we received included:

  • requests for additional practical examples
  • requests for further clarification on areas of definitional changes, such as ‘Australia link’ and the differences between ‘use’ and ‘disclosure’
  • support for layered privacy policies, as outlined in Guideline on APP 1, but further guidance is requested on how to develop and implement these policies, as well as further information on the interaction between APPs 1 and 5.

We have also received some feedback from stakeholders who are keen for the APP Guidelines to provide guidance not just on those areas that are mandatory, but also on those areas that we will be looking for when we are assessing compliance, and those areas that we consider to be best practice.

To that end we are also working on clarifying language around those areas that are covered by the Act: the ‘musts’; those areas that we feel are reasonable in standard business practice: the ‘shoulds’; and those areas that are best practice, but which will not always be practical for all businesses: the ‘coulds’.

These are just a few examples of practical feedback that we received, all of which will help us to make the Guidelines as practical and useful as possible.

People have noted the delay in the release of Guidelines, and we have been asked whether this will mean the OAIC will be taking a lenient approach for the period immediately following commencement, as entities will still be designing processes and policies.

My answer to that is ‘no’. Reference to the NPP Guidelines would tell you that the guidelines on privacy principles are not intended to be a step by step guide to developing process and procedures, and this continues to apply to the APP guidelines.

Let’s also remember that the public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, these concepts are not new. Organisations have had 15 months to prepare, most of the requirements are not new requirements and in my view should already be happening, so I will not shy away from taking action where it is appropriate or necessary to do so.

So where to on 12 March 2014?

APPs 1 and 5

In terms of ensuring that your business complies from 12 March, APP 1 is a great place to start. And, because APP 1 sets the ground for compliance with the other 12 APPs, it is also where we will start when assessing compliance with the changes.

I have mentioned APP1 to you before, but I feel that it would be helpful to you for me to provide a little more detail on it.

The intention of APP 1 is to promote a ‘privacy by design’ approach — to ensure that privacy compliance is included in the design of information systems and practices from inception.

APP entities must implement practices, procedures and systems to ensure compliance with the APPs. APP 1 also requires agencies and organisations covered by the Privacy Act to have a clearly expressed and up to date privacy policy about the way they handle personal information.

An APP Privacy Policy should contain a general description of how the entity manages the personal information it collects and holds. The 2013 Community Attitudes to Privacy survey shows that 95% of Australians feel that public and private sector organisations should make them aware of how their information is handled on a day-to-day basis.

More specifically the policy must contain certain information relating to the:

kinds of personal information usually collected and held: eg contact details, employment history, educational qualifications, complaint details, sensitive information et: racial or ethnic origin, TFNs, health information.

  • how such information is collected and held: eg directly from individuals or from other APP entities; the agencies usual approach to holding PI: security, whether information is combined with other information
  • the purposes for which the entity collects, holds, uses and discloses personal information
  • access and correction procedures
  • complaint-handling procedures, and
  • information about any cross-border disclosure of personal information that might occur, including where practicable, the countries where recipients are likely to be located.

There is a strong relationship between APP 1 and APP 5, which outlines in what circumstances an entity must notify an individual of the collection of their personal information, and details the matters about which the individual must be made aware.

APP 5 is substantively the same as current requirements. One significant change is that APP 5 requires entities to notify individuals about the access, correction and complaints processes in their APP privacy policies, and also the location of any likely overseas recipients of individuals’ information


APP 8 is a new principle that addresses the dramatic growth in the global flow of personal information, and the many different ways in which personal information is used, disclosed or stored overseas these days.

APP 8 states that in certain circumstances entities will remain accountable for an act or practice engaged in by an overseas recipient of personal information, if that recipient does something that would be a breach of the APPs if the APPs had applied to those acts or practices.

Where NPP 9 prohibited cross-border disclosure of personal information, subject to some exceptions, APP 8 aims to permit cross-border disclosure of personal information but also to ensure that any personal information disclosed is still treated in accordance with the Privacy Act. This approach facilitates cross-border disclosure in a manner that ensures appropriate privacy protections are in place and that individuals will be able to seek redress if their information is mishandled.

The Community Attitudes to Privacy survey shows that 79% of Australians believe sending customer data to an overseas processing centre is a misuse, and 90% are concerned about personal information being sent overseas. As more information is stored ‘in the cloud’ or shared by global organisations, Australians are becoming more aware of the risks as well as the benefits associated with these practices.

Clearly, openness and transparency about the transfer of information, as well as being able to demonstrate how information will be protected, is a critical component of doing business in today’s electronic world.

A global view of privacy regulation

With the increasingly international nature of business and information storage, the implementation of APP 8 is a timely reminder of the importance of taking a global view of privacy regulation.

Privacy regulation is becoming increasingly complex, but electronic communication and storage is here to stay, so it is essential that regulators operate in the global community. International cooperation is absolutely crucial — and we are now all familiar with high profile data breaches that have raised cross-jurisdictional issues.

Global compliance work is very familiar to the OAIC. We engage actively with a large number of global networks, such as the Asia Pacific Privacy Authorities Forum (APPA) and the OECD Global Privacy Enforcement Network (GPEN).

Connections like the meeting of the Asia-Pacific Privacy Authorities forum this week, where regulators from around the world are able to discuss their approaches, their local issues and their experiences are key to maintaining privacy protections both locally and internationally.


I would like to conclude by providing some practical advice for ensuring that you are ready for the reforms come March.

If your policies and procedures are robust and up-to-date then you will be well on your way to best privacy practice. To this end, I recommend you:

  • Get working on your APP privacy policy: Establishing a comprehensive and practical privacy policy that is ready to go in March will get you started with a ‘privacy by design’ approach to your business.
  • Review information security: The Guide to information security that we released in Privacy Awareness Week this year gives some practical advice about how to ensure your systems comply with information security requirements.
  • Review your data breach plan: Do you have a response plan ready for if you have a data breach? The OAIC’s Data breach notification guide will provide you with processes to follow if your business does find itself in this situation. Remember, although mandatory data breach laws did not pass this year, being transparent about data breaches, and acting quickly to mitigate the damage is the best way to protect your business reputation.
  • Conduct a privacy impact assessment for new projects: Conducting a PIA for any new processes will help you to identify any potential problems before they impact on your business. The Privacy impact assessment guide is available on our website to assist you conduct a PIA.

In conclusion, I strongly encourage you to not only engage with the latest changes to the Privacy Act, but also join us in telling the community about the changes and what they mean for them.

In 2014, the OAIC will launch a consumer education campaign to educate the public about the changes. The campaign will culminate in Privacy Awareness Week (or PAW). PAW will be in the first week of May 2014, and is an easy way to demonstrate a commitment to privacy, especially in the year of reform. Increasingly, good privacy practice is becoming a market differentiator, and signing up as a PAW partner and getting ahead of the game with consumer education is a great way your organisation can show leadership in the field.


Leave a Reply