In his speech at the annual iappANZ summit, Australian Privacy Commissioner Timothy Pilgrim underlined the importance of Australian Privacy Principle 1: “If you get APP 1 right, you’ve got privacy governance right,” he said.
The Commissioner also forewarned that over the next 12 months, the OAIC will be re-visiting the top 50 Australian websites that failed its 2013 “privacy sweep”, to assess whether their privacy policies are now compliant. (Ahead of the reforms to Australia’s privacy laws in March 2014, the OAIC took part in a sweep to assess whether those websites’ privacy policies would comply with the new laws. The majority had “issues”. The URLs of the websites were not revealed.)
Mr Pilgrim said that the focus of the next sweep will be on organisations that are “high risk or high volume users of personal information”, rather than on a particular sector. He also said during his speech that, despite the uncertainty following the announcement in the Federal Budget that the OAIC would be abolished, it is “business as usual” for privacy regulation.
APP 1 requires an organisation to have a clearly expressed and up-to-date policy detailing how it manages personal information. This includes, among other things, being open and transparent about how you use, hold and disclose personal information, and about the overseas location of any recipients of the personal information you hold. To comply with APP 1, you will also need to make your policy readily and freely available (usually by publishing the policy on your website).
The OAIC has provided comment and guidance as to “best practice” for privacy policies, which includes ensuring the policy is not too long, uses plain English and is presented in a way that is easy to read. This is particularly important for mobile sites and apps. Facebook and the Commonwealth Bank of Australia are two examples of organisations that take a particularly innovative approach to their privacy policies, through the use of YouTube clips to help explain the content of their policies.
CAUTION: A COMPLIANT POLICY IS ONLY ONE PIECE OF THE PUZZLE
To comply with APP 1, an organisation will also need to have practices, procedures and systems in place that ensure privacy compliance and enable the organisation to handle privacy-related queries and complaints. It should also have robust systems to anticipate, identify and respond quickly to a data breach. This includes appropriate escalation procedures and a crisis communications strategy.
There are increasing numbers of automated tools and data security products and services available to assist an organisation to meet the “system” component of APP 1. But the heart of privacy compliance goes to having awareness and buy-in at all levels of the organisation, particularly at the Board level. The consensus among the privacy professionals at the iappANZ summit was that organisations get privacy compliance right when they see it as a corporate governance issue, and a whole-of-organisation responsibility.