The week of 3 to 9 May 2015 is Privacy Awareness Week (PAW) in Australia. PAW is an annual initiative of the Asia Pacific Privacy Authorities Forum, intended to promote awareness of privacy issues. It is recognised by several countries in the Asia Pacific Region, along with some others, that hold joint and individual events targeting the protection and prudent management of personal information.  To mark the start of PAW, the Office of the Australian Information Commissioner (OAIC) has released its Privacy Management Framework (Framework), which provides a detailed explanation of the steps that the OAIC expects relevant entities (known as APP Entities) to take so as to comply with Australian Privacy Principle (APP) 1.2.  Until the release of the Framework, the OAIC’s expectations in respect of APP 1.2 were not explained in detail. APP 1.2 states:

  • “1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity's functions or activities that:
    • a. will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and 
    • b. will enable the entity to deal with inquiries or complaints from individuals about the entity's compliance with the Australian Privacy Principles or such a code.”

The exact steps required by the Framework will vary based upon a number of factors, including an APP entity’s size, means and structure.  There are four steps that APP entities are expected to take in order to illustrate to the OAIC that it is meeting its privacy obligations, and the Framework explains each of these in relatively broad terms. These steps are titled Embed, Establish, Evaluate and Enhance. A brief summary of each of these is as follows:

  • Step 1 ‘Embed’: as personal information is a valuable business asset for APP entities, it should be treated as such, by the development of good governance to protect it. Policies should be implemented to manage and protect personal information. People within each APP Entity should be appointed as being accountable for the overall privacy objectives, including the management of internal and external enquiries and complaints. Those people should, of course, be familiar with the APPs, the OAIC and the APP entity’s privacy objectives; 
  • Step 2 ‘Establish’: the establishment of the APP entity’s privacy objectives should be apparent in this step. Processes should be developed to ensure that privacy obligations are observed; from the time that personal information is collected, to when it is no longer needed. Privacy policies should be clearly expressed to staff of the APP entity, through induction programs as well as through the creation, communication and updating of those policies. Information should be kept regarding where, when and why personal information is held and what will happen if privacy obligations are breached; 
  • Step 3 ‘Evaluate’: APP entities must be committed to regular internal audits and evaluation of privacy policies and practices to ensure that they are up to date and effective. Compliance with obligations should be documented, and records should be kept on privacy process reviews, breaches and complaints. Internal and external opportunity should be given to receive feedback in relation to the operation of an APP entity’s practices in this respect; 
  • Step 4 ‘Enhance’: this final step requires, primarily, acting upon the findings from step 3, and suggests that if necessary, APP entities should seek to have their privacy processes assessed by an external consultant to identify areas for improvement. The OAIC also suggests that consideration be given to adopting practices that go beyond the ambit of the APPs, where appropriate, and to keeping abreast of, among other things, new technologies and their implications upon the protection of personal information.

The OAIC’s expectations of APP entities are not easy to meet and, for some, will require rethinking their privacy objectives and strategies from the ground up. To satisfy the OAIC, some entities will need to undertake significant cultural changes, to show a commitment to both the protection of personal information and the development of a culture that fosters that protection.  Complying with APP 1.2 will be particularly important for insurers, given that their businesses rely almost exclusively upon the provision of personal information by their customers. Strong consideration should be given to the Framework, and external consultation or advice obtained, to ensure that initiatives and processes are compliant.  The Framework may be found at the following link: