New privacy champions and privacy officers, and Privacy Impact Assessments for all "high privacy risk" projects, will soon be mandatory for Commonwealth agencies.
Agencies have until 1 July 2018 to ensure they comply with a new Australian Privacy Principle (APP) Code under the Privacy Act 1988 (Cth) (Agency APP Code), with compliance mandatory for all Australian Government agencies that are "agencies" under the Act.
Agencies that have not yet done so will need to:
- appoint a privacy officer and privacy champion, empowered to manage ongoing compliance requirements;
- ensure a Privacy Management Plan is in place; and
- ensure processes are in place for undertaking necessary privacy impact assessments and training.
The requirements for a privacy officer and privacy champion are similar to regulations also being introduced in Europe in 2018 to make these roles compulsory in many organisations. However, the Agency APP Code does not go as far as European regulations in regulating the establishment and independence of a privacy officer that is tasked with managing organisational privacy compliance.
The Agency APP Code is only the third APP Code under the Act, with other APP Codes applying for Market and Social Research and Credit Reporting.
Why have a new Agency APP?
The Agency APP Code is intended to help unlock the potential of government-held data, by support strong personal information protection within the Australian Public Service, improving expertise and experience, and enabling an increase in both internal capacity and external transparency with regard to personal information protection.
Under APP 1.2, agencies are required take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs and to deal with related inquiries and complaints. The Agency APP Code does not replace agencies' obligations under APP 1.2 or the Act, but does set out some specific requirements and steps that must be taken by agencies in order to comply.
The definition of "agency" in the Privacy Act 1988 (Cth) will generally extend to include both corporate Commonwealth entities and non-corporate Commonwealth entities under the Public Governance, Performance and Accountability Act 2013 (Cth), excluding incorporated companies, societies and associations. While included in the definition of agency, Ministers are excluded from compliance with the Agency APP Code.
Establish and maintain a Privacy Management Plan
The Privacy Management Plan must identify specific measurable privacy goals and targets and identify how the agency will comply with APP 1.2. There is a requirement to report annually against the Privacy Management Plan, as well as more general obligations on agencies to regularly:
- review and update privacy processes to ensure currency and adequacy; and
- monitor compliance with privacy practices, procedures and systems.
Appoint at least one designated Privacy Officer
The Privacy Officer is to be the primary point of contact within each agency on matters of privacy, including handling privacy inquiries and complaints, including access to and correction of personal information under the Act. Their functions also include managing a number of the requirements under the Agency APP Code, such as monitoring and reporting against the Privacy Management Plan. More than one Privacy Officer may be required by some agencies.
Appoint a Privacy Champion
Agencies are required to appoint a champion for privacy matters. They can be the same individual as the Privacy Officer, but need to be a senior official. The role for the Privacy Champion is focused on promoting a culture of privacy, leadership on privacy matters, and managing review and reporting on privacy, including to the agency executive.
A Privacy Impact Assessment for all "high privacy risk" projects
A privacy impact assessment (PIA) is a written assessment that both identifies the impact that a project might have on the privacy of individuals and sets out recommendations for managing, minimising or eliminating that impact.
The concept of "high privacy risk" captures projects that the agency reasonably considers involve new or changed ways of handling personal information, likely to have a significant impact on privacy of individuals. While most projects are unlikely to impact on the privacy of individuals in this way, where a PIA is required, the process can be complex and time-consuming, requiring knowledge of both the specific project and applicable privacy laws. The Privacy Officer has a role in assisting with this process and agencies will need to ensure that their project initiation processes provide for a privacy assessment to take place before the project commences. PIAs can also be conducted jointly with another agency as relevant.
PIAs that are conducted need to be published on the agency's website (or in summary format), and be recorded in a register also available on the website. PIAs and the register must be made available to the Information Commissioner on request.
Appropriate education and training
Agencies need to ensure appropriate privacy education or training is included in staff induction programs, as well as taking reasonable steps to provide appropriate training annually to all staff who have access to personal information in the course of performing their duties.
The Agency APP Code works to target a number of outcomes within Agencies consistent with the objectives in the May 2017 announcement:
- Increase in consistency across agencies. While most Australian Government agencies already have a Privacy Officer and some regularly conduct PIAs for high privacy risk projects, practices vary greatly across government. The Agency APP Code can be seen as establishing minimum mandatory requirements that must be implemented at a practical level by all agencies to ensure compliance with the APPs and the Act more generally. This furthers the goal of unlocking the potential of Australian Government-held data, by providing confidence and consistency regarding handling of personal information.
- Ensure accountability and focus. The emphasis placed in the Agency APP Code on the role of the Privacy Officer and Privacy Champion are aimed at ensuring there is a point of accountability within each agency and that privacy issues are given appropriate focus by agencies. The consequence of breaching the Agency APP Code would also put the agency in breach of the Act and subject them to possible enforcement action by the Information Commissioner.
- Provide for executive level buy-in. Requiring a Privacy Champion further emphasises the need for agency executives to buy into the compliance measures. Obtaining appropriate resources for privacy compliance and training are a key hurdle and executive buy-in helps to address this problem, by providing a voice in the executive that can argue for appropriate privacy measures and resources.
- Promote awareness and understanding. Particular emphasis is given to training in the Agency APP Code, including annual training for relevant staff, with the intention to ensure privacy compliance matters are identified and dealt with by agencies more efficiently and as part of their business processes. While the dedicated Privacy Officer focused attention on the issue of privacy, another way to deal with a shortage of resources is to directly empower individuals who deal with projects involving personal information on a day-to-day basis.
Area for further reforms?
In Europe a new law regulating privacy in the form of the General Data Protection Regulation 2016/679 (GDPR) will come into effect from May 2018, raising the bar and making privacy laws more consistent across the European Union. Mandating the role of a Privacy Officer is one aspect that is consistent with similar reforms that are being put in place for relevant bodies in Europe under the GDPR. However, the Act and the Agency APP Code do not go as far as the GDPR and this flags one area where further reforms may be possible.
Under GDPR requirements, public authorities (as well as many private sector organisations) are required to establish the role of data protection officer, which have a number of functions broadly equivalent to the training, monitoring and reporting requirements of Privacy Officers. However, the GDPR further regulates (and protects) the position of data protection officer, including by requiring that they:
- be properly qualified and resourced (including having relevant expert skills and knowledge of data protection law and understanding of the relevant technology being used in the organisation);
- act independently, without being directed as to how to perform their functions;
- ·not perform other roles that create a conflict of interest - such as a CIO role where they would be both reporting on and scrutinising projects;
- be protected from dismissal as a result of undertaking their functions (including from termination of a contract if the role is outsourced); and
- have access to the highest levels of management within the organisation (this merges the role of Privacy Champion under the Agency APP Code).
In this context, the Agency APP Code is a measured attempt by the Information Commissioner and the Australian Government to introduce consistency and transparency into the handling of personal information by agencies, while still allowing significant flexibility in the implementation of the Act and the APPs.
The Agency APP Code only extends to Australian Government agencies and while the Information Commissioner encourages all organisations to identify a privacy officer, similar best practice standards are not mandated in the private sector.