The Australian writes about impending changes to the Privacy Act

February 14, 2014 |

There have been a steady but not overwhelming number of stories in the broadsheet press (including the Australian Financial Review) regarding the impending changes to the Privacy Act.  In the Australian’s New principles offer a point of difference the impact of the changes are again highlighted.  The impact of this fairly muted publicity has been such that within the business community there is only a reported 50% compliance rate at this stage.  That is a concern.  The other concern is how the Privacy Commissioner deals with this.  Having new found powers is one thing.  Doing something with them is another.  The Guardian in coverage of the impending changes commented on concerns about the Commissioner’s office not being adequately resourced.  This could be a major problem.  Until now the Privacy Act has been an after thought, if there is any thought, to compliance with the Act by many organisations.

THE next month of new Australian Privacy Principles represents an opportunity for companies to differentiate themselves by the way they handle their customers’ personal information.

Revelations in The Australian last month that 50 per cent of organisations would not be compliant when the new principles came into effect on March 12 highlighted the need for companies and government agencies to urgently raise the profile of privacy issues.

Organisations with annual turnover of more than $3 million must:
–   Update their privacy policy.
–   Review and update their information handling processes,
including contingencies for data breaches.
–   Update privacy statements advising consumers how their information is used.
–   Conduct a privacy audit and address any gaps or areas of non-compliance.
–   Develop an internal privacy compliance guide.
–   Train staff in the correct handling of personal data.

The 13 Australian Privacy Principles (APPs) replace the existing Information Privacy Principles (IPPs) that apply to Australian government agencies and the National Privacy Principles (NPPs) that apply to business.

They have largely been promoted as strengthening privacy protections andcertainly give Privacy Commissioner Timothy Pilgrim greater enforcement powers, with fines of up to $1.7 million for significant or persistentbreaches and the right to audit any business, regardless of a breach.

Privacy campaigner and ACS Fellow Roger Clarke believes the revisions areproblematic, with the decision to integrate and harmonise the previous setsof principles resulting in a dilution of protections across the board.

Mr Clarke raised concerns about APP8 opening the door for a greater flow ofpersonal information across international borders and questioned the inclusion of a principle detailing various exceptions for organisationsinvolved in direct marketing. “With APP7, the authorisation of direct
marketing is now embodied in a privacy principle, representing a major reduction in privacy protection,” he said.

“These changes put us significantly behind the European Union and countries like Canada, Singapore and Hong Kong in relation to privacy laws. The EU Directive is already the strongest privacy regime in the world and they are currently looking to strengthen many of its provisions, while Australia is going backwards,” he said.

As the professional association for the ICT sector, the ACS acts to safeguard the interests of the community in relation to the development and
application of information technology.

In the wake of the Edward Snowden leaks about NSA surveillance and controversial intrusions by Facebook, Google and others, some sections of the community have become more cynical about the agendas of corporations and governments.

Recent research by the Office of the Australian Information Commissioner found that 60 per cent of Australians had decided not to deal with
organisations because of privacy concerns and 48 per cent believed that online services and social media posed the greatest risk to privacy and
information security.

This creates an opportunity for ethical companies to demonstrate a higher level of awareness and sensitivity around the handling of personal data.

There is an important role for ICT professionals in business and government to work with and guide their marketing teams in demonstrating a high level of privacy sensitivity in how they manage personal information.

This means companies that implement best-practice policies will set themselves apart as ethical and trustworthy, with potential benefits in
terms of competitive advantage and customer loyalty.

The ACS already incorporates best-practice privacy methodologies in the professional development we offer ICT professionals through our
Certification Program.

Brenda Aynsley OAM is president of the ACS, principal consultant with ICT career planning & management firm Oz Business Partners and chairwoman of IFIP’s IP3 International Professional Practice Partnership.

 A somewhat sobering article Here’s an office that’s hardly free with information reflects poorly on the Office of the Australian Information Commissioner.  It may be a somewhat simplistic article, based on cute mathematics from an annual report.  That said the Privacy Commissioner’s history, certainly in relation to the previous Commissioners, was a study in inertia.  Given the amendments to the Privacy Act require proper regulation a lethargic approach to regulation would be a public policy and administration failure.

The article provides:

If the government was looking for some low-hanging fruit to make its budget savings, it might be tempted to cast a quiet eye over the Office of the Australian Information Commissioner.

Were it do so, however, it might find that the Office of the Australian Information Commissioner was so low-hanging as to qualify not as fruit but rather as a root vegetable.

Perusing the annual report for the office, one finds that the commissioners – of which there are three – ”delivered 59 speeches and presentations” for the year to June 2013.

Yet in the same period, the office managed only 89 ”information commissioner review decisions”. Of these, the office decided in favour of other government agencies seeking to keep publicly-funded information away from the public 65 per cent of the time.


So it was that we posed a question to the office. As the head count had averaged 85.27 during the year, and as they had collectively made just 89 decisions, was it reasonable to assume that the rate of decisions equated to roughly one decision per staff member per year?

Not at all, we were advised.

The office has more functions than merely making decisions. Its mandate spans freedom of information, privacy matters and information policy.

Although some staff work in only one of these three areas, many work across two or all three functions. The office estimates that 35 per cent of its resources are directed towards exercising its ”freedom of information functions”.

The real strike rate then is 2.98 decisions per staff member per year.

A cynic could be deluded into thinking, as this rate of decisions was in inverse correlation to the surfeit of speeches, reams of policy advice and the explosion in guidelines, that this was bureaucracy heaven. A cynic, however, would not understand the real demands of agency ”through-put”.

Some 447 freedom of information requests were backed up in the system at year’s end, up 25 per cent on the previous year. Of these, 105 had been filed at the office for longer than 12 months.

However, the legendary Will Matthews FOI request was not among these. Matthews’ Homeric campaign to wrest a straight answer out of government celebrates its 10th anniversary this year and is again bogged down in the Administrative Appeals Tribunal.

The AAT is the tribunal of last resort for those appealing a government decision.

But we digress. To its credit, the office does acknowledge a lack of breakneck speed: ”This level of delay has a detrimental effect on the FOI system,” the annual report says.

The blame, however, lies with government. The office has called for an increase in its $10 million funding. It wants more staff, not fewer. The feeling is not mutual, though, as staff turnover for the year was 24.7 per cent, roughly one in four.

Nonetheless, some metrics are on the up. Wages and salaries rose 9 per cent and fees paid to consultants were up 20 per cent.

(Note to self: tactfully refrain from snide comment here.)

One person who has enjoyed the office experience says he was told straight away that it would be at least six months before a case officer would be assigned to his case.

”If you question the delays,” this person said, ”the message is: ‘This is how we roll, everyone has to wait.’

”The office clock is different to the applicant’s clock. When you get a letter you have to respond within two weeks. But when it’s their turn to respond, time stands still. The seasons pass.”

Our beleaguered crusader was finally handed a four-page judgment advising him that the FOI Act did not apply.

”An afternoon’s work in a year,” said he … for no information.

Another metric tells the story: 95 of 419 applicants simply withdrew last year. ”The take away is ‘don’t bother asking’ because you will be put in a queue so long or dealt with so slowly that giving up becomes the only logical course of action,” the weary source said.

Leave a Reply