On 17 November 2014, the Privacy Commissioner launched a new Privacy regulatory action policy (Policy) which explains the range of powers afforded to the Office of the Information Commissioner, the office's regulatory strategy, approach and priorities. The Privacy Commissioner has emphasised that the Policy does not seek to make a radical shift in terms of the approach taken by the office to regulation, but rather seeks to provide transparency to the office's existing approach.
What powers does the Privacy Commissioner have?
The Policy explains that the Commissioner has a range of powers which allow for an escalation model to regulation. At one end of the spectrum, the Commissioner's powers may facilitate compliance with the Privacy Act 1988 (Cth). For example, the Commissioner can request entities to develop a code, direct an agency to provide a privacy impact assessment, or monitor or conduct an assessment of an entity's information handling practices to determine the entity's compliance with the privacy obligations.
To investigate and deal with alleged interferences with privacy, the Commissioner may then take various action including:
- investigating a matter on his own initiative or following a complaint;
- attempting to reconcile a complaint;
- investigating a complaint;
- deciding whether to hold a hearing in relation to the complaint;
- requiring information to be produced or a person to attend to answer questions under oath or affirmation;
- directing a complainant, respondent or another relevant person to attend a conference presided over by the Commissioner related to the complaint; or
- referring the complaint to an alternative complaint body.
At the other end of the spectrum, the Commissioner has enforcement powers which include the ability to accept enforceable undertakings, make a determination, seek an injunction (which may occur during or after an investigation) and to apply to a court for a civil penalty.
What is the Privacy Commissioner's approach to regulation?
The Policy explains that the preferred regulatory approach of the Commissioner is conciliation. The Commissioner prefers to facilitate voluntary compliance with privacy obligations and to work with entities to achieve best practice and to prevent privacy breaches. In the Privacy Commissioner's words 'we want to work with organisations to help them figure out what went wrong, so they can stop it from happening again'.
In keeping with this conciliatory approach, the Commissioner may undertake a range of activities not only steps that involve use of his regulatory powers. For example the Privacy Commissioner may engage with regulatory entities to provide guidance and to seek to address their privacy concerns, engage with entities who voluntarily and proactively notify the office of a data breach incident (such as providing information to them about containing and responding to the breach) and make a recommendation to an entity that it conduct a privacy impact assessment.
However as the Commissioner has previously emphasised, this approach to compliance does not translate into a 'softly, softly' approach. At an iappANZ conference on 17 November 2014, the Commissioner voiced his disappointment and concern that organisations were either waiting for a breach to happen, waiting for a complaint to be made, or waiting to see an organisation taken to the courts for a civil penalty. He reiterated that failing to take the right approach to managing privacy appropriately will not put an organisation in good stead in the event that he undertakes an investigation of that organisation.
How will the Privacy Commissioner determine what regulatory action to take?
In light of the Commissioner's preferred approach to regulation, the Policy explains that the Commissioner will use discretion to select and target matters that warrant privacy regulatory action. The fact that an entity has engaged cooperatively with the office will be taken into account when deciding appropriate regulatory action.
The Policy explains that the Commissioner will look at both:
- the risk that a matter poses to the goal of promoting and ensuring personal information protection. For example, a high number of affected individuals will pose a higher risk.
- the opportunity that taking action presents. For example, the Commissioner may have the opportunity to deliver a targeted compliance message to an industry that is engaged in a systemic contravention by taking regulatory action against an entity within that sector.
The Policy lists the variety of specific factors taken into account by the Commissioner exercising its discretion to take regulatory action. For example, the seriousness of the incident/conduct is relevant. This includes the number of individuals that have been affected; whether 'sensitive information' is involved; the adverse consequences of the incident/conduct; the disadvantage and vulnerability of groups affected; whether the conduct was deliberate or reckless; and the seniority and level of experience of the person or persons responsible for the conduct. Other factors listed in the Policy that have been emphasised include:
- whether previous compliance or enforcement action has been taken against the entity;
- the appropriateness of steps taken by the entity to remedy the breach or attempt to conceal the breach; and
- whether the conduct relates to a systemic issue.
According to the Policy, a systemic privacy issue is one which may have implications or an effect beyond a particular incident. It may occur within an entity or across an industry section and be identified by a multitude of complaints of a similar nature.A systemic issue may arise where the incident indicates that an entity has an ongoing or underlying problem with its practices, procedures or systems that relate to privacy compliance, a problem in adhering to those practices, or a problem with the entity's attitudes to privacy compliance.
What industry sectors are at risk?
During the iappANZ conference on 17 November 2014, the Commissioner indicated that he does not intend to single out an industry group, but will focus that organisations that are high risk and handle a high volume of personal information.
Over the coming 12 months, the Commissioner anticipates conducting assessments of the organisations that were the subject of the office's annual Global Privacy Enforcement Network privacy sweep, which covered public and private companies, across sectors including government, financial and telecommunications. It is unsurprising that these industries were mentioned by the Commissioner, given the high complaints that these sectors traditionally receive. The assessment of these entities will focus on their governance frameworks.
Where will the Privacy Commissioner's focus be?
During the iappANZ conference on 17 November 2014, the Commissioner signalled that he will be looking at testing the governance frameworks of entities governed by the Privacy Act. In his view, adopting the correct privacy governance framework starts with complying with the bed-rock principle set out in Australian Privacy Principle 1.
Working with other regulatory bodies
The Policy also states that the Commissioner will work in partnership with external dispute resolution schemes. A list of these schemes is available on the Commissioner's website.
The Policy further states that the Commissioner will seek to work with state and territory and foreign regulators. In this way, the Commissioner may be hoping to overcome some of the practical difficulties that he may otherwise face when seeking to enforcing the long-arm jurisdiction of the Privacy Act.
Where to from here?
In light of the Commissioner's new Policy, the time is ripe for organisations and agencies to review their privacy policies, practices and system to ensure that they have adopted corporate governance frameworks that will ensure compliance with the Privacy Act.
The Commissioner anticipates releasing a Guide to privacy regulatory action shortly. The Guide will support the Policy by providing a detailed explanation of the Privacy Commissioner's privacy regulatory powers. The OAIC is currently seeking public comment on an exposure draft of the Guide, with the closing date being Friday 12 December.