In a recent speech, the Privacy Commissioner Timothy Pilgrim discussed privacy in the context of risk and privacy governance.
He referred to Australian Privacy Principle 1.2 which requires organisations to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. This includes implementing governance mechanisms, regular staff training, and a program of proactive review and audit of the adequacy and currency of the privacy policy and of the practices, procedures and systems implemented under APP 1.2. This obligation is a continuous and proactive one.
He expressed concern that, whilst businesses may have implemented privacy policies and procedures, there is a weakness in ongoing monitoring and a lack of understanding of the importance of the privacy of personal information.
He said:
while the day-to-day responsibility for personal information and privacy may sit within various areas of a business, in my view, responsibility for privacy governance sits firmly with the CEO, the Executive, the board or the management of any organisation. It is these roles that must promote privacy as an asset to be respected, managed and protected.
The Commissioner said he will soon launch a Privacy Management Framework to assist organisations in developing or reviewing their privacy program and in meeting the requirements set out in APP 1.2. The framework will emphasise governance, leadership and accountability as the basis of a robust privacy management framework.