Privacy Commissioner releases his regulatory action policy in draft form for consultation

March 7, 2014

There has been some criticism about the effectiveness of the Guidelines to the APP. That has prompted quite a lively response from the Privacy Commissioner (found here). He rarely reacts so quickly and assertively to media reportage. It is an important issue to clarify. The extent of work undertaken by organisations to comply has been uneven, to put it mildly. That has been the subject of reports over the last 15 months. Mixed signals in the marketplace can only hamper regulatory compliance. Ultimately, the assertiveness of the Privacy Commissioner will influence how compliant organisations really become.

The consultation details relevantly provide:

Significant amendments to the Privacy Act 1988 (the Privacy Act), made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Privacy Amendment Act), commence on 12 March 2014.

The amendments include enhancements to the regulatory and enforcement powers conferred on the Australian Information Commissioner, including the ability to:

  • direct an agency (but not an organisation) to provide the Office of the Australian Information Commissioner (OAIC) with a privacy impact assessment in relation to a proposed function or activity
  • conduct an assessment of privacy compliance for a private sector entity, in addition to an Australian Government agency
  • accept an enforceable undertaking
  • make a determination in a ‘Commissioner initiated investigation’, in addition to in a complaint investigation
  • seek a civil penalty from the courts in the case of serious or repeated interferences with privacy, or in the case of breaches of certain credit reporting provisions.

The OAIC has developed new guidance that outlines and explains the OAIC’s approach to using its privacy regulatory action powers. The guidance covers both existing powers and the new powers conferred on the Information Commissioner.

OAIC’s privacy regulatory action policy

The OAIC’s privacy regulatory action policy explains the OAIC’s range of powers and its approach to using its privacy regulatory powers and making related public communications.

The policy sets out information including the OAIC’s goals of taking privacy regulatory action, guiding principles, approach to regulatory action, and how the OAIC decides whether to take regulatory action in a particular circumstance. The policy also outlines the circumstances in which certain privacy regulatory actions may be publicly communicated, and provides information about the OAIC’s interaction with recognised EDR schemes, other regulators and complaint bodies, and international regulators.

Future resources to support the policy

The policy will be supported by a ‘Guide to the OAIC’s privacy regulatory action’. The OAIC is currently developing this guide. It will consist of a series of chapters each addressing different privacy regulatory powers and will provide stakeholders with a more detailed explanation of how the OAIC will exercise each power. As well as being a useful resource for stakeholders seeking more information about particular powers, the guide will provide practical guidance for OAIC staff involved in the exercise of those powers.

The OAIC also intends to develop a series of fact sheets, business resources and agency resources to provide brief and practical information for stakeholders involved in relevant regulatory processes.

Purpose of the public exposure

The OAIC has commenced a three week public exposure period in relation to the draft OAIC’s privacy regulatory action policy.

Question for comment

The OAIC is seeking comment from interested stakeholders on whether the policy clearly outlines the OAIC’s approach to regulatory action, noting that the guide will provide a more detailed explanation of how the OAIC will exercise each power.

While the policy is primarily directed towards entities regulated by the Privacy Act, and other legislation conferring regulatory functions on the Information Commissioner, the OAIC welcomes comments by other interested stakeholders and members of the community.

Any comments on the clarity of the policy should be provided by Friday 28 March 2014.

The guidelines are found here.  The consultation period concludes on 28 March 2014.

It provides, absent footnotes:

Overview of approach and guidance

1. The Privacy Act 1988 (Privacy Act) confers on the Information Commissioner a range of privacy regulatory powers. These include powers that allow the OAIC to work with entities to encourage compliance and best practice privacy practices, as well as investigative and enforcement powers to use in cases where a breach has occurred.

2. The Office of the Australian Information Commissioner’s (OAIC) privacy regulatory action policy explains the OAIC’s approach to using its privacy regulatory powers and making related public communications. In particular, the purpose of this policy is to allow entities to understand the OAIC’s range of powers, and the OAIC’s regulatory strategy, approach and priorities.

3. As outlined further in this policy, the OAIC’s preferred regulatory approach is to encourage voluntary compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches. When resolving matters brought to the attention of the OAIC, the OAIC will take into account the steps taken by an entity to comply with its privacy obligations, in addition to considering the factors outlined further in this policy.

4. This policy also outlines the manner in which investigations are undertaken and the circumstances in which certain privacy regulatory actions may be publicly communicated.

Guide to the OAIC’s privacy regulatory action

5. In addition to this policy, the OAIC has developed the Guide to the OAIC’s privacy regulatory action which provides a more detailed explanation of each privacy regulatory power. This guide will be a useful resource for stakeholders, as well as providing practical guidance for OAIC staff exercising privacy regulatory powers. The guide is available on the OAIC’s website.

The OAIC and its jurisdiction

6. The OAIC was established by the Australian Information Commissioner Act 2010 (AIC Act) as an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.

7. The OAIC brings together the functions of government information policy, and independent oversight of privacy protection and freedom of information.

8. This policy relates to the OAIC’s privacy functions, and in particular the OAIC’s use of regulatory powers conferred on the Information Commissioner by the Privacy Act and other legislation. These include both powers that allow the OAIC to engage and work with regulated entities to encourage compliance and best practice privacy practices, as well as investigation and enforcement powers to redress privacy breaches.

9. Entities that are regulated by the Privacy Act need to comply with relevant provisions in that Act or in legislative instruments made under that Act. This may include agencies and organisations that must comply with the Australian Privacy Principles (APPs) in Schedule 1 or a registered APP code, credit reporting participants that must comply with Part IIIA (relating to credit reporting) and the registered CR Code, and file number recipients that must comply with Tax File Number Rules 2011 issued under s 17. A breach of these provisions is an ‘interference with privacy’. ‘Interferences with privacy’ can also arise from breaches of particular provisions in other legislation. The OAIC can investigate an alleged interference with privacy (and certain other privacy breaches), either following a complaint or on the Information Commissioner’s own initiative, which may result in enforcement action being taken.

10. The Information Commissioner also has privacy regulatory responsibilities in relation to the personally controlled electronic health record (PCEHR) system. The information in this policy is also relevant to the OAIC’s regulatory action in connection with the PCEHR system. However, the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 prevail over the terms of this policy in the event of any inconsistency between those two documents.

The goals of taking privacy regulatory action

11. In taking privacy regulatory action, the OAIC’s main goal is to promote and ensure the protection of personal information, consistent with the objects of the Privacy Act and the OAIC’s strategic plan.

12. More specifically, the OAIC will take privacy regulatory action aiming to:

  • ensure compliance with personal information handling obligations
  • increase knowledge of personal information handling rights and obligations and the Information Commissioner’s privacy regulatory powers
  • assist and influence entities to adopt best practice personal information handling practices
  • deter contravening conduct (both specifically and generally)
  • secure remedies where contraventions have occurred
  • address systemic issues in relation to personal information handling
  • instil public confidence in the OAIC’s role of ensuring the protection of personal information.

Principles that guide the OAIC’s regulatory decisions and action

13. The OAIC will be guided by the following principles when taking privacy regulatory action:

  • independence: in making regulatory decisions, the OAIC will act independently and make decisions that are impartial and objective
  • accountability: the OAIC will be accountable for its privacy regulatory action through a range of review and appeal rights, and will ensure stakeholders are aware of such review and appeal rights
  • proportionality: the OAIC’s privacy regulatory action will be proportionate to the situation or conduct concerned
  • consistency: the OAIC will strive to make consistent privacy regulatory action decisions which are guided by and reflect this policy
  • timeliness: the OAIC will strive to conduct and finalise its regulatory activities efficiently
  • transparency: the OAIC will be open about how it intends to use its privacy regulatory powers, and about the regulatory outcomes it has achieved.

14. Further, when making decisions in connection with privacy regulatory action, the OAIC will act consistently with general principles of good decision making, as explained in the Best Practice Guides published by the Administrative Review Council in 2007. In particular, the OAIC will act fairly and in accordance with principles of natural justice (or procedural fairness).

15. When dealing with an alleged contravention, the OAIC will give individual consideration to that alleged contravention and have regard to all relevant circumstances.

16. In any litigation, the OAIC will act in accordance with its obligations to act as a model litigant.

The Information Commissioner’s privacy regulatory powers

A range of regulatory responses

17. The Privacy Act confers a range of enforcement and other regulatory powers on the Information Commissioner which are based on an escalation model.

18. Privacy regulatory powers that allow the OAIC to work with an entity to encourage compliance and best practice privacy practices include the power to:

  • request an entity, group of entities, body or association to develop an APP code, or the CR code, and apply to the Information Commissioner for the code to be registered, or to develop the code himself or herself and register it (ss 26E(2), 26G, 26P(1) and 26R)
  • direct an agency (but not an organisation) to give the Information Commissioner a privacy impact assessment (s 33D)
  • monitor, or conduct an assessment of, whether personal information is being maintained and handled by an entity in accordance with relevant provisions (ss 28A and 33C).

19. The OAIC has a range of powers to use when investigating or otherwise dealing with an alleged interference with privacy. These powers are contained in Part V of the Privacy Act and include the power to:

  • investigate a matter following a complaint (s 40(1)) or on the Information Commissioner’s own initiative (referred to as a ‘Commissioner initiated investigation’ (CII)) (s 40(2))
  • attempt to conciliate a complaint (s 40A)
  • decline to investigate, or further investigate, a complaint (s 41)
  • conduct preliminary inquiries to determine whether or not to open an investigation (s 42)
  • decide whether or not to hold a hearing in response to a request from a complainant or respondent (for a complaint) or the respondent (for a CII) (s 43A)
  • require information or a document to be produced, or a person to attend before the Information Commissioner to answer questions under oath or affirmation (ss 44–45)
  • direct the complainant, respondent and any other relevant person to attend a conference presided over by the Information Commissioner related to a complaint (failure to comply with the direction is an offence) (s 46)
  • refer a complaint to one of the specified alternative complaint bodies (s 50).

20. The privacy regulatory powers relating to enforcement include the power to:

  • accept an enforceable undertaking (s 33E)
  • bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52)
  • report to the Minister in certain circumstances following a CII, monitoring activity or assessment (ss 30 and 32)
  • seek an injunction including before, during or after an investigation or the exercise of another regulatory power (s 98)
  • apply to the court for a civil penalty order for a breach of a civil penalty provision (s 80W).

21. In some instances, the OAIC may decide to use a combination of privacy regulatory powers to address a particular matter.

Approach to using privacy regulatory powers

Working with entities

22. The OAIC’s preferred regulatory approach is to work with entities to encourage compliance and best practice privacy practices. This avoids contraventions and the subsequent need to investigate matters and take formal enforcement action. The tools which the OAIC will use to encourage voluntary and best practice compliance include:

  • engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise. This engagement may occur in different ways including through providing advice to an entity or directing them to relevant OAIC guidance, open dialogue between the OAIC and specific entities, correspondence with an entity which identifies the OAIC’s concern that the entity may not be compliant with privacy obligations
  • engaging with regulated entities who voluntarily and proactively notify the OAIC of a data breach incident, including by providing advice to the entity on containing and responding to the incident
  • conducting an assessment of whether personal information is being maintained and handled in accordance with applicable privacy legislative obligations, such as the Australian Privacy Principles in the Privacy Act (s 33C). Through such an assessment, the OAIC would identify privacy risks and areas of non-compliance, and may make recommendations for how the entity might reduce those risks or address areas of non-compliance
  • recommending an entity conduct a privacy impact assessment (PIA) where it proposes to engage in a new activity or function involving the handling of personal information about individuals, or when a change is proposed to information handling practices. A PIA is a systematic written assessment of an activity or function that identifies the impact that the activity or function might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. The OAIC may also formally direct an agency to conduct a PIA in these circumstances, where the OAIC considers that the activity or function might have a significant impact on the privacy of individuals (s 33D).

Responding to interferences with privacy

23. However, where a suspected or alleged interference with privacy is identified, the OAIC:

  • in response to a complaint, must generally investigate and attempt to conciliate the complaint if it meets the requirements of the Act and is not declined under s 41 or referred under s 50. If the OAIC is satisfied there is no reasonable likelihood that the complaint will be resolved by conciliation, the OAIC may investigate the matter further or may decide to not investigate the matter further
  • may decide to investigate the matter by conducting a CII (whether or not a complaint has been made).

24. When considering whether or not to open a CII following a data breach incident, the OAIC will take into account the fact that an entity voluntarily and proactively notified the OAIC of the incident and can demonstrate that it is responding appropriately to the breach.

25. Following a complaint investigation or CII, the OAIC may decide to take formal enforcement action against the respondent.

Differences in the conduct and outcomes of complaint investigations and CIIs

26. When investigating a complaint, the OAIC must make a reasonable attempt to conciliate the complaint where the OAIC considers it is reasonably possible that the complaint may be successfully conciliated (s 40A). The majority of complaints will be resolved in this way. In other cases, the OAIC will consider enforcement action such as accepting an enforceable undertaking or making a determination or, in some cases, seeking an injunction or a civil penalty from the courts.

27. When the OAIC becomes aware of a possible contravention in the absence of a complaint, or a complaint indicates a possible systemic and serious issue that cannot be dealt with through the complaint process, the OAIC may consider whether or not to commence a CII. Where the OAIC chooses to commence a CII, the OAIC will work with the respondent to investigate the matter. Where the respondent is not cooperative, the OAIC will rely on its powers to require the necessary information and documents. Where a contravention is substantiated, the OAIC will consider enforcement action such as accepting an enforceable undertaking or making a determination or, in some cases, seeking an injunction (including to restrain an entity from engaging in conduct while the OAIC investigates the possible contravention) or a civil penalty from the courts.

How the OAIC decides whether to take privacy regulatory action

28. Alleged interferences with privacy or other privacy concerns may be brought to the OAIC’s attention by a range of avenues. Illustrative examples include:

  • a complaint by an individual or a representative complaint
  • a data breach notification
  • OAIC engagement with stakeholders
  • a referral from another regulator or external dispute resolution scheme
  • media and social media
  • information provided by an informant
  • information provided by a law enforcement agency
  • during the course of an assessment or investigation conducted by the OAIC.

29. When the OAIC becomes aware of an alleged interference with privacy or other privacy concerns, it has a range of responses available to it to enable it to perform its privacy regulatory activities. As outlined above, these range from stakeholder engagement, to regulatory activities where the OAIC works with entities to ensure compliance and best practice privacy practices, to formal enforcement action against a respondent.

Prioritising matters for privacy regulatory action

30. While the OAIC is required to investigate and attempt to conciliate complaints, the OAIC has the discretion to choose when to exercise its other privacy regulatory powers.

31. The OAIC will use discretion to select and target matters that warrant privacy regulatory action. For a particular circumstance, this involves considering both the risk that it poses to the OAIC’s goal of promoting and ensuring the protection of personal information, and the opportunity that taking privacy regulatory action in that circumstance presents for promoting and ensuring best practice compliance.

32. For example, the risk posed by a particular scenario is likely to be greater where the personal information of a larger number of people is involved, while the opportunity might be greatest where an alleged contravention is suspected to be systemic within an industry and privacy regulatory action can be used to deliver a targeted compliance message to that industry.

Factors taken into account

33. Where the OAIC has a discretion as to whether to exercise a particular regulatory power, the OAIC must prioritise matters for privacy regulatory action. The OAIC will take into account the following range of factors as applicable:

  • the objects of the Privacy Act (set out in s 2A)
  • the seriousness of the conduct (or the potential impact of a proposal), including:
    • whether a new personal information handling activity or function or change to an existing personal information handling activity or function is planned, or a new personal information handling practice has been recently implemented or an existing practice changed
    • the number of persons affected
    • the adverse consequences caused or likely to be caused
    • whether disadvantaged or vulnerable groups have been or will be particularly affected or targeted
    • whether the conduct was deliberate or reckless
    • the seniority and level of experience of the person or persons responsible for the conduct
    • whether urgent action by the OAIC is required
  • the specific and general educational, deterrent or precedential value of the particular privacy regulatory action
  • whether the entity has been the subject of prior compliance or enforcement regulatory action under the Privacy Act or other legislation that confers functions relating to privacy on the Information Commissioner, and the outcome of that action
  • the likelihood of the entity contravening the Privacy Act, or other legislation that confers functions relating to privacy on the Information Commissioner, in the future
  • whether the conduct is widespread or increasing, or the conduct is likely to continue if no intervention is taken
  • whether the conduct is an isolated instance, or whether it indicates systemic issues (either within the entity concerned or within an industry) which may pose ongoing compliance or enforcement issues
  • action taken by the entity to remedy and address the consequences of the conduct, including whether the entity attempted to conceal a contravention or data breach
  • whether the entity has cooperated with the OAIC
  • whether the conduct, proposal or activity is of significant public interest or concern
  • whether the conduct was unconscionable
  • the time since the conduct occurred
  • the cost and time required to achieve an appropriate remedy through enforcement action
  • whether pursuing court action (where appropriate) would test or clarify the law
  • whether there is adequate evidence available and admissible in a court to prove a contravention on the balance of probabilities
  • any other factors which the OAIC considers relevant in the circumstances, including factors which are relevant to the specific regulatory power being used.

34. While the OAIC will take into account the above factors (as applicable) when deciding whether to undertake an assessment, the OAIC may also decide to undertake an assessment of an entity where it is specifically funded to do so.

Sources of information

35. To help inform the OAIC’s regulatory priorities and decisions to take privacy regulatory action, the OAIC will also consider a range of sources of information, including:

  • complaint trends
  • data breach notification trends
  • international developments
  • media reports
  • informants
  • surveys
  • information obtained during privacy assessments
  • information obtained during CIIs
  • credit reporting body annual reports
  • annual reports from recognised external dispute resolution schemes
  • reports from APP code administrators
  • advice from the Information Advisory Committee and Privacy Advisory Committee.

36. This information will assist the OAIC to identify both systemic issues and serious issues that can be targeted for privacy regulatory action.

37. These sources of information may also be used by the OAIC to identify particular sectors or acts or practices for privacy regulatory action. These sectors or acts or practices are areas where the OAIC believes privacy regulatory action is necessary in order to have a significant impact on the protection and handling of personal information. For example, if the OAIC’s complaints statistics showed that a significant number of complaints relate to a particular industry, that industry may be identified for OAIC privacy regulatory action. In addition to using the prioritisation factors in the above list, the OAIC will also prioritise matters that fit within any identified sector or involve an identified act or practice. The identified sectors or acts or practices from time to time will be noted on the OAIC’s website. In addition, where a new sector or act or practice is identified, the OAIC will publicise that fact by issuing a public statement.

Where privacy regulatory action is not taken

38. The OAIC will not be able to take privacy regulatory action in all circumstances. Where privacy regulatory action is not taken, the OAIC may take other steps to assist an entity to comply with the Act. For example, the OAIC may provide advice to the entity or direct them to relevant OAIC guidance. An entity may also be flagged as a possible future candidate for assessment.

The OAIC’s interaction with recognised EDR schemes

39. Under s 35A of the Privacy Act, the Information Commissioner may recognise an external dispute resolution (EDR) scheme to handle particular privacy related complaints. EDR schemes constitute the second tier of a three-tiered complaint process envisaged by the Privacy Act:

  • first, a complaint should be made in writing to the respondent entity and the entity given a reasonable time to respond
  • second, if the individual is not satisfied with the outcome, they may complain to a recognised EDR scheme of which the entity is a member (if any)
  • third, if the individual is not satisfied with the outcome of the EDR process, they may complain to the OAIC.

40. Where a complainant has not first complained to a recognised EDR scheme of which the respondent entity is a member, the OAIC will generally suggest that the complainant first make their complaint to the recognised EDR scheme, or use its power to decline complaints that are being or could be dealt with by a recognised EDR scheme (ss 41(dc) and (dd)), in preference to formally referring the matter from the OAIC to the recognised EDR scheme (s 50).

41. Where the OAIC has recognised an EDR scheme to handle particular privacy related complaints, the OAIC will seek to work in partnership with that EDR scheme with a view to achieving consistent and efficient regulatory outcomes. The OAIC will seek to implement open communication practices to ensure information and knowledge sharing, and clear procedures relating to how information relating to a complaint is moved between the OAIC and a recognised EDR scheme.

The OAIC’s interaction with domestic regulators and alternative complaint bodies

42. In some instances, the OAIC’s privacy jurisdiction will raise issues common to the jurisdiction of other Australian regulators, including State and Territory privacy regulators, regulators in other sectors and law enforcement agencies.

43. Where the OAIC and another domestic regulator have a shared interest in privacy regulatory action, the OAIC will seek to work in partnership to share knowledge and information, and coordinate regulatory processes and communication approaches where appropriate. This may include agreeing to a protocol or principles for how collaboration should take place. Collaboration brings practical and resource advantages, and at a minimum ensures each regulator is aware of the other regulator’s actions. However, the OAIC will always operate within its legislative framework, including limits on its ability to share information.

44. Where the OAIC receives a complaint, the OAIC may not always be the most appropriate body to investigate and resolve that complaint. The OAIC has various powers to decline to investigate where there is an alternative applicable law or complaint handling body, or to refer complaints to other complaint bodies in certain circumstances. Before formally referring a matter to an alternative complaint body, the OAIC may suggest that the complainant make a complaint or application to the alternative complaint body.

The OAIC’s role in international enforcement

45. Increasingly, privacy threats and challenges extend beyond national boundaries. A consistent and harmonised global response can maximise the effectiveness of any regulatory response to a global privacy issue.

46. When dealing with an interference with privacy or potential privacy risk that operates across national boundaries, there can be an obvious practical and resource advantage in networking with other privacy regulators to avoid duplication, share information and synchronise the release of investigation findings.

47. With this in mind, the OAIC will seek to work in partnership with privacy regulators in foreign jurisdictions where the OAIC’s interests in protecting personal information align with the interests of other regulators. Through such partnerships, the OAIC will share knowledge and expertise with a view to ensuring a consistent and harmonised approach to regulatory action in a particular matter. If appropriate, the OAIC may also seek to coordinate regulatory activities and share investigative information with foreign privacy regulators. However, the OAIC will always operate within its legislative framework, including limits on its ability to share information.

48. To facilitate its approach to international enforcement, the OAIC will continue to actively engage with global privacy networks, including the Asia Pacific Privacy Authorities Forum (APPA), the OECD Global Privacy Enforcement Network (GPEN) and the APEC Cross Border Privacy Enforcement Arrangement.

Communicating the OAIC’s privacy regulatory action

49. In addition to the privacy regulatory powers, public communication relating to privacy regulatory action is an important tool for the OAIC.

50. Public communications enhance the impact of the privacy regulatory action that the OAIC takes. For example, public communication may:

  • encourage compliance by increasing awareness and knowledge of privacy rights and obligations, and deterring contravening conduct
  • promote public confidence in the OAIC’s privacy regulatory activities by clearly communicating that the OAIC deals with entities that are not complying with privacy laws, and ensuring transparency around the OAIC’s use of privacy regulatory powers.

51. Decisions made by the OAIC concerning privacy regulatory action involve the exercise of public power. Public communication about this action will assist the OAIC to ensure it acts transparently and is accountable.

The OAIC’s approach to communicating privacy regulatory action

52. The OAIC’s communication of privacy regulatory action will be consistent with the OAIC’s goals of taking and publicly communicating privacy regulatory action which are identified earlier in this policy. In addition, when making privacy regulatory action communications, the OAIC will be guided by the same important principles identified in this policy under the heading ‘Principles that guide the OAIC’s regulatory decisions and action’.

53. The OAIC will deal fairly with an entity that may be the subject of privacy regulatory action when making public communications related to that regulatory action. The OAIC is mindful of the negative inferences and reputational damage to an entity that may arise from the fact that an investigation has been opened or that an ‘interference with privacy’ has been alleged.

54. The OAIC will therefore strive to ensure that:

  • all public statements are accurate, fair and balanced
  • communications make clear that allegations of an ‘interference with privacy’ are no more than allegations until the OAIC or a court finds them proved
  • where it is appropriate for the OAIC to comment on court proceedings prior to their resolution, such comment will generally be restricted to the outcome of particular steps in the court process, and will refer to any statement made by the entity involved in the proceedings
  • its public communications in relation to privacy regulatory action comply with its legal obligations, including privacy, confidentiality and secrecy obligations and court or tribunal orders
  • privacy regulatory action that is either unsuccessful or results in a finding that an entity did not contravene relevant privacy provisions will also be the subject of public communications where the OAIC has previously communicated about the matter.

55. The OAIC will aim to contact an entity it is taking enforcement action against in advance of making a public statement if it is possible and appropriate in the circumstances. However, the OAIC generally will not provide an individual or entity with an assurance that the OAIC will not publicise its regulatory action or that it will give advance warning.

56. To the extent possible, the OAIC will publish reports and other documents relevant to the exercise of regulatory powers in full or in an abridged version on its website: <www.oaic.gov.au>. It is sometimes inappropriate to publish all or part of a report or document because of statutory secrecy provisions or for reasons of privacy, confidentiality, commercial sensitivity, security or privilege.

Examples of communications

57. Examples of where the OAIC will generally communicate in connection with privacy regulatory action include:

  • issuing a public report following an assessment
  • issuing a public report following a CII
  • publishing a PIA direction issued to an agency
  • publishing a determination made by the OAIC
  • publishing an enforceable undertaking accepted by the OAIC
  • issuing a public statement where the OAIC commences court proceedings.

58. The OAIC generally will not issue communications about ongoing complaint investigations, complaint conciliations, CIIs, data breach notifications or the exercise of investigative powers. However, where a particular incident is of community concern and has already been reported in the media, the OAIC may confirm the fact it is investigating or making enquiries in relation to the matter, but will then not comment further until that investigation is complete.
