Peter A Clarke

The OAIC has released the enforcement guidelines (found here).

Significant changes to the Privacy Act 1988 will commence on 12 March 2014. The changes include a new set of harmonised Australian Privacy Principles (or APPs) that will replace the two sets of principles that currently apply to Australian Government agencies and to businesses. There will also be changes to credit reporting, including the introduction of a more ‘comprehensive credit reporting’ system and a simplified and enhanced correction and complaints process. The reforms also include new enforcement powers and remedies in relation to investigations.

The Office of the Australian Information Commissioner (OAIC) has adopted an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements. Our compliance focus in the months following 12 March 2014 will be on working with entities to ensure that they understand the new requirements and have the systems in place to meet them. In resolving matters brought to the attention of the OAIC we will take into account the steps taken by entities to genuinely prepare for the changes and to comply with the new legal requirements.

Central to the OAIC’s enforcement approach is an escalation model that includes a range of regulatory responses.

Individuals will continue to have the right to make a complaint to the OAIC and we will deal with these according to our usual processes. That is, in the first instance, in the case of individual complaints we would expect to see a person try to resolve a matter with the organisation or agency first. If the respondent is a member of a recognised External Dispute Resolution scheme, we would also expect the individual to have first accessed that scheme. If a matter is accepted by us, we will always attempt to resolve issues through conciliation. In relation to Commissioner initiated investigations the OAIC will work with respondent organisations and agencies to resolve the matter.

However, where conciliation or working with entities is not effective, we may use our other tools, including determinations, enforceable undertakings or in the case of serious or repeated breaches, initiating court proceedings for civil penalties. This is consistent with our current practices and the approach of the OAIC for some time.

The OAIC has been preparing detailed guidance to assist businesses and agencies understand the reforms and make the necessary changes to their personal information handling practices. The OAIC has conducted a number of targeted and public consultation processes on this guidance to ensure that the guidance is practical and useful. This guidance, together with other materials that sets out the key changes and compliance checklists, is available on the OAIC website.

It is a bland statement which provides little guidance.  One issue in the past has been the perception that the Privay Commissioner has been languid in investigating complaints and not particularly industrious to seeing complaints through to determination.  The opaque quality of the data regarding the number of complaints made, where they progressed and the reasons for not proceeding to finality makes it difficult to comment on whether that perception is grounded in fact.

There are good public policy grounds for regarding the past as just that and 12 March as day one in Year Zero (absent historical conotations with that term).  On that basis reference in the statement to usual processes is a bit concerning.  It is not at all clear what an escalation model means in practical terms.  The language is quite woolly.  To the extent that anything can be taken from the statement the likely approach is a liberal serving of softly softly with a dash of tentativeness.  If that is the case it is a shame.  Given the likely poor take up for organisations becoming compliant by 12 March, the time they have had to do so and the importance of privacy moving to the fore in terms of regulatory awareness (from the relative backwater it has resided) the need for assertive action, with suitable publicity, is warranted.  The Privacy Commissioner should look to the actions of the FTC in the USA and the ICO in the UK, neither of which are by any means the gold standard but both of which make a definited mark in changing behaviours.  Resolving problems behind closed doors has limitations.