In a recent speech Timothy Pilgrim, the Privacy Commissioner, gave an update on his approach to enforcement and preparation for the new rules on 12 March 2014.
OAIC’s Enforcement approach
“I have been telling businesses and government since I became Privacy Commissioner in mid-2010, my focus will always be on resolving the majority of complaints via conciliation. However, I will not shy away from using new and existing powers where it is appropriate to do so. My publication of reports into major breaches is an example of this.
I have been asked whether I will be taking a ‘softly, softly’ approach after implementation of the reforms. Well, I have never been known to be subtle, so the answer to that question is probably ‘no’. Now, before people get too excited about the bluntness of that response, remember that I said I would always start by trying to resolve matters through conciliation. But please do not interpret conciliation to mean softly, softly.”
Credit Reporting Code
“We have also been working with the Australian Retail Credit Association (ARCA) on the credit reporting code, which will be an important tool. This has been a big task for our Office and I am pleased to say that it is nearing completion — all the substantive issues have been addressed and we are expecting to receive the final amended version from ARCA before Christmas.”
Guidelines
“People have noted the delay in the release of Guidelines, and we have been asked whether this will mean the OAIC will be taking a lenient approach for the period immediately following commencement, as entities will still be designing processes and policies.
My answer to that is ‘no’. Reference to the NPP Guidelines would tell you that the guidelines on privacy principles are not intended to be a step-by-step guide to developing processes and procedures, and this continues to apply to the APP guidelines.”
Preparation for 12 March
“If your policies and procedures are robust and up-to-date then you will be well on your way to best privacy practice. To this end, I recommend you:
- Get working on your APP privacy policy: Establishing a comprehensive and practical privacy policy that is ready to go in March will get you started with a ‘privacy by design’ approach to your business.
- Review information security: The Guide to information security that we released in Privacy Awareness Week this year gives some practical advice about how to ensure your systems comply with information security requirements.
- Review your data breach plan: Do you have a response plan ready for if you have a data breach? The OAIC’s Data breach notification guide will provide you with processes to follow if your business does find itself in this situation. Remember, although mandatory data breach laws did not pass this year, being transparent about data breaches, and acting quickly to mitigate the damage is the best way to protect your business reputation.
- Conduct a privacy impact assessment for new projects: Conducting a PIA for any new processes will help you to identify any potential problems before they impact on your business. The Privacy impact assessment guide is available on our website to assist you in conducting a PIA.”