Start of the Australian Government Agencies Privacy Code

July 2, 2018

The Australian Government Agencies Privacy Code came into effect yesterday.  That is effectively today.

As the Privacy Commissioner notes in its media release, under the Code agencies are required to:

  • have a privacy management plan
  • appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
  • appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information, and ensure that the Privacy Champion functions are undertaken
  • undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information
  • keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites
  • take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.

Some of those matters, such as having a privacy officer, providing appropriate training and having someone responsible for complying with privacy requirements, are part of good practice.  Others, such as having a Privacy Champion, are a hokey way of having someone imbue an organisation with an appropriate privacy culture. Which should be done without having a Privacy Super Hero.  Requiring a register of PIAs and having a specific PIA for high privacy risk projects is something newish.  And welcome.

The Office has prepared a Privacy Officer Toolkit, an interactive privacy plan, and a written course on conducting a privacy impact assessment.  There is valuable material contained in these documents.  It is what the Commissioner’s Office does quite well, though not as well as the UK Information Commissioner: setting up resources, particularly on administrative matters.

All of this means very little, however, if there is no enforcement for non-compliance.  That is a chronic problem in Australia and one for which the Information Commissioner has little appetite.  And, unfortunately, on the few occasions where action is taken, much aptitude.
