The first anniversary of the amendments to the Privacy Act 1988

March 12, 2015

The Privacy Commissioner has marked the first anniversary of the significant tranche of amendments to the Privacy Act 1988, passed in December 2012, coming into force.  Whether the centrepiece of the amendments, the substitution of the National Privacy Principles and the Information Privacy Principles by the Australian Privacy Principles, is a net benefit or not is a matter of some conjecture.  Providing the Privacy Commissioner with effective enforcement powers, such as enforceable undertakings and the power to commence civil penalty proceedings in the Federal Magistrates/Federal Court, is a definite advance.

The media release, Privacy law reform report card, provides:

Today marks the first anniversary of the most significant changes to Australian privacy laws in over 25 years. On 12 March 2014, changes to the Privacy Act 1988 (Privacy Act) commenced.

The Office of the Australian Information Commissioner’s (OAIC) focus over the past year has been on developing guidance and working with organisations and agencies to ensure compliance.

‘Over the last year we have focused on working with business, government agencies and the wider community to ensure that everyone has the tools and information they need to understand and implement the changes,’ said the Australian Privacy Commissioner, Mr Timothy Pilgrim.

‘I’ve been particularly pleased with how organisations and agencies have responded positively to the challenge of implementation. This is recognition that good privacy practices are good for business, particularly in building customer trust’.

The changes included the introduction of a new set of unified privacy principles, the Australian Privacy Principles (APPs), changes to the credit reporting provisions and new enforcement powers for the Commissioner.

Over the past 12 months, the OAIC has:

  • received 4016 privacy complaints (a 43% increase on the previous 12 months)
  • received 14,064 privacy enquiries
  • received 104 voluntary data breach notifications
  • commenced 13 privacy assessments

Since 12 March 2014, the OAIC has encouraged organisations and agencies to focus on being open and transparent with customers about how their personal information is managed, a new requirement in the APPs. The Commissioner has commenced a targeted assessment program of a selection of online privacy policies, with more assessments focusing on APP compliance to come in 2015. 

‘For the next twelve months our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements. My message for all organisations and agencies is: it is more effective, and ultimately cheaper, to embed privacy in day-to-day processes than it is to respond to issues such as data breaches as they arise’, said Mr Pilgrim.

The OAIC has been undertaking privacy law reform work during a period of significant change within its own structure, as foreshadowed by the Government in the 2014 Budget.

‘The implementation of such significant privacy reforms could not have been achieved without the commitment of a dedicated and skilled group of staff who worked tirelessly to ensure that businesses, agencies and the OAIC were prepared,’ said Mr Pilgrim.

What the media release highlights is that there have been no determinations under the new provisions.  That is very disappointing.  Similarly, there have been no enforceable undertakings obtained from any party which has interfered with the privacy of others.  Nor have any civil penalty proceedings been instituted.  Notwithstanding the Privacy Commissioner’s pollyannaish comments about how pleased he is with positive responses to the challenge of implementation, compliance is extremely patchy and the culture is generally poor.  There is no real prospect of things changing without proper enforcement taking place.  Reputational risk is important for some organisations, such as financial institutions, but not all.  Poor publicity and exposure to censure by may inspire agencies to comply. If there is no risk associated with poor practice and compliance, why would organisations divert resources to compliance?  But there is a large proportion of organisations covered by the operation of the Privacy Act who will not comply unless they feel it is in their interests to do so.  Or, more importantly, realise it is an obligation.  As with most areas of regulation, the possibility of enforcement action is critical in making those organisations focus on their responsibilities.  Having the powers and not using them is probably worse than not having the powers.  That brings the regulator into disrepute.

The Privacy Commissioner’s plan to spend the next 12 months focusing on “..governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements..” is more about form and less about substance.  Put bluntly, even with the best will in the world it is hard enough to work out what exactly that sentence means. It is mushy to the point of meaninglessness.  It sends a very poor signal to the market about what the regulator intends to do.  To the extent that the regulator is saying anything, it tends to be more of the same. The same has not been effective.  That does not bode well for effective regulation.

George Orwell’s classic essay “Politics and the English Language” was a forensic analysis and then searing indictment of how language is being used to mask truth and evade meaning.  His conclusion about political language was that it “..has to consist largely of euphemism, question-begging and sheer cloudy vagueness.”  Much the same can be said of the bureaucratisation of the language as set out in parts of the Privacy Commissioner’s media release.

