Agencies are required to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. In its guide, Privacy management framework: enabling compliance and encouraging good practice, the OAIC provides steps it expects agencies to take to meet their obligations.

The Guide sets out four steps with suggested commitments under each; however, it acknowledges that the commitments should be applied flexibly, depending on the agency's size, resources and model.

Step one - Embed a culture of privacy

The Guide suggests agencies commit to:

  • treating personal information as a valuable business asset
  • appointing roles and allocating responsibilities for privacy management
  • considering the seven foundational principles of privacy by design in all projects and decisions involving personal information:
    • proactive not reactive, preventative not remedial
    • privacy as the default setting
    • privacy embedded into design
    • full functionality (positive-sum, not zero-sum)
    • end-to-end security (full lifecycle protection)
    • visibility and transparency (keep it open), and
    • respect for user privacy (keep it user-centric).
  • allocating adequate resources
  • implementing reporting mechanisms
  • understanding its privacy obligations, and
  • understanding the OAIC's role.

Step two - Establish robust and effective privacy practices, procedures and systems

The Guide suggests agencies commit to:

  • keeping information about its personal information holdings up to date
  • developing and maintaining processes to ensure personal information is handled in line with privacy obligations, including:
    • addressing the handling of information throughout each stage of the information lifecycle, and
    • clearly outlining how staff are expected to handle personal information in their everyday duties.
  • promoting privacy awareness within the agency by integrating privacy into induction and staff training programs (including short-term staff, service providers and contractors)
  • developing and implementing a clearly expressed and up-to-date privacy policy
  • implementing risk management processes that allow you to identify, assess and manage privacy risks
  • undertaking Privacy Impact Assessments for business projects or decisions involving new or changed personal information handling practices (e.g. implementing new technologies)
  • establishing processes for receiving and responding to privacy enquiries and complaints
  • establishing processes that allow individuals to promptly and easily access and correct their personal information, and
  • developing a data breach response plan.

Step three - Evaluate your privacy practices, procedures and systems to ensure continued effectiveness

The Guide suggests agencies commit to:

  • monitoring and reviewing privacy processes regularly
  • documenting compliance with privacy obligations, including keeping records on privacy process reviews, breaches and complaints
  • measuring performance against your privacy management plan, and
  • setting up staff and customer feedback opportunities on your privacy processes.

Step four - Enhance your response to privacy issues

The Guide suggests agencies commit to:

  • using results from evaluations conducted under step three to improve privacy processes
  • considering external assessments to identify areas for improvement
  • considering adopting privacy practices that go beyond APP requirements
  • keeping informed of privacy law issues and developments and changing legal obligations
  • monitoring and addressing new security risks and threats
  • examining and addressing the privacy implications, risks and benefits of new technologies
  • introducing initiatives that promote good privacy standards, and
  • participating in privacy events.

Ongoing guidance from the OAIC

This Guide is one of many in the expanding suite of publications by the OAIC concerning the application of the APPs and the steps that the OAIC considers necessary for agencies to comply with their obligations.

We will continue to keep you up to date with developments in this area.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.