Since the introduction of the new Australian Privacy Principles (APPs), there has been speculation as to which sector might be the first to have their privacy practices assessed by the Privacy Commissioner. Industries such as sport, health, and the banking industry were each considered likely suspects for a test-case of the new requirements.
Last week, the Office of the Australian Information Commissioner (OAIC) answered that question when it published a report of its assessment into the privacy practices of a health services provider.
The report provides a helpful guide for organisations in a wide variety of industries to understand their privacy requirements, and how the OAIC will look to apply the new Australian Privacy Principles. The report's recommendations provide a useful yardstick for organisations to measure when reviewing their own privacy practices.
Which APPs were assessed?
Calvary Hospital, a private sector organisation which provides health, aged and community care, was considered an ideal candidate for assessment by the OAIC and the Department of Health. In particular, the assessment was designed to review Calvary's privacy policies to ensure compliance with the requirements of APP 1 and APP 5.
APP1 and APP5 are two principles relevant to all organisations that handle personal information.
The OAIC has released a set of guidelines for organisations to consider when drafting their privacy policies. In assessing Calvary, the OAIC used these guidelines as its measure, evaluating Calvary's policies, including draft collection notices, privacy brochures, and the online privacy resources available on its website.
The message for business is that organisations which adopt practices in line with the OAIC guidelines will, for the most part, be compliant with their privacy requirements. The tricky part is that the OAIC has indicated that relying on the guidelines alone may not ensure total compliance. All businesses are different, and organisations need to apply the guidelines to their specific situation.
What are the take home lessons?
The OAIC's guideline in relation to APP1 is available here.
APP1: Tips from Calvary
As to lessons learnt from the OAIC's review into Calvary's compliance with APP1, the following tips should be noted:
APP 5 compliance
APP5 requires an organisation that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters, or to ensure the individual is aware of those matters, either at the time of collection or as soon as practicable thereafter.
The OAIC's guideline in relation to APP5 is available here.
The OAIC has indicated that "reasonable steps" is tied to the sensitivity of the personal information. In short, the more sensitive the information, the more onerous the steps will need to be on the organisation to provide notification of the matters in APP5. For organisations in the health services industry, it is possible that much of the information they collect will be considered 'sensitive information.'
APP 5: Tips from Calvary
As to lessons learnt from the OAIC's review into Calvary's compliance with APP5, the following tips should be noted:
Although the APPs represent a 'principles-based approach' to privacy regulation in Australia, the clear indication from the OAIC is that businesses are obliged to comply with certain mandatory matters. Should things go awry, organisations that can demonstrate OAIC requirements have been implemented into their business practices will be viewed more favourably than those companies that haven't yet turned their mind to privacy matters.
The OAIC has not yet flexed its muscles and tested its expanded powers to ensure privacy compliance in most industries, and certainly no business wants to be that test case.