The Office of the Australian Information Commissioner (OAIC) is seeking public comment on an exposure draft of the Guide to privacy regulatory action.
The Guide provides stakeholders with an explanation of how the OAIC will exercise its regulatory powers.
The chapters of the Guide are being drafted in stages and will be released for public exposure in two parts. The final guide will consist of nine chapters.
Six draft chapters of the guide have been released for public exposure:
• Chapter 1: Introduction
• Chapter 3: Data breach incidents and Commissioner initiated investigations
• Chapter 4: Enforceable undertakings
• Chapter 7: Civil penalties — serious or repeated interference with privacy and other penalty provisions
• Chapter 8: Privacy assessments
• Chapter 9: Directing a privacy impact assessment (PIA).
Part 2 of the public exposure includes Chapter 2: Complaint investigations, Chapter 5: Determinations, and Chapter 6: Injunctions. These will be released in 2015.
The Privacy regulatory action policy explains the Office’s approach to using its regulatory powers under the Privacy Act, and communicating information publicly. This includes the considerations the Office will take into account in deciding when to take privacy regulatory action and what action to take. The document also explains the principles which will guide the Office when taking regulatory action, and the circumstances in which information about regulatory activity may be communicated publicly. The chapters in the guide should be read in conjunction with the policy.
The Privacy regulatory action policy explains the range of powers the Privacy Commissioner has and the way in which those powers are used.
The policy states that “The preferred regulatory approach of the OAIC is to work with entities to facilitate legal and best practice compliance. This will often be a more efficient and effective means of pursuing the objects of the Privacy Act. The OAIC can use a range of steps as part of this approach, only some of which involve the use of regulatory powers.”
The range of steps available to the Privacy Commissioner includes:
• engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise.
• engaging with regulated entities who voluntarily and proactively notify the OAIC of a data breach incident, including by providing information to an entity about containing and responding to an incident.
• conducting an assessment of whether personal information is being maintained and handled by entities in accordance with applicable privacy legislative obligations, such as the Australian Privacy Principles (s 33C). An assessment may enable the OAIC to identify privacy risks and areas of non-compliance, and may include recommendations as to how an entity might reduce risks or address areas of non-compliance.
• recommending that an entity conduct a privacy impact assessment (PIA) where the entity proposes to engage in a new activity or function involving the handling of personal information about individuals, or when a change is proposed to information handling practices.
• formally directing an agency to conduct a PIA where the entity proposes either to engage in a new activity or function involving the handling of personal information about individuals, or to make a substantive change to information handling practices, and the OAIC considers that the activity or function might have a significant impact on the privacy of individuals (s 33D).
The fact that an entity has engaged cooperatively with the OAIC will be taken into account in deciding whether to take regulatory action and what regulatory action to take.
An investigation may be commenced by the Office into a suspected or alleged interference with privacy, either on receipt of a complaint or as a Commissioner initiated investigation.
Following a complaint investigation, the Commissioner may decide to take enforcement action against an entity. The available enforcement powers escalate from less serious to more serious options.
The Commissioner’s enforcement powers range from less serious to more serious regulatory action, including powers to:
• accept an enforceable undertaking
• bring proceedings to enforce an enforceable undertaking
• make a determination
• bring proceedings to enforce a determination
• report to the Minister in certain circumstances following a complaint investigation, monitoring activity or assessment
• seek an injunction including before, during or after an investigation or the exercise of another regulatory power
• apply to the court for a civil penalty order for a breach of a civil penalty provision.