In a speech at the annual iappANZ summit, Australian Privacy Commissioner Timothy Pilgrim underlined the importance of Australian Privacy Principle 1: "If you get APP 1 right, you've got privacy governance right," he said.
The Commissioner also forewarned that over the next 12 months, the OAIC will be re-visiting those top 50 Australian websites that failed its 2013 "privacy sweep", to assess whether their privacy policies are now compliant. (Ahead of the reforms to Australia's privacy laws in March 2014, the OAIC took part in a global internet privacy sweep to assess whether the privacy policies on the websites most used by Australians would comply with the new laws. The majority had "issues". The URLs for the websites were not
Mr Pilgrim said that the focus of the next sweep will be on organisations that are "high risk or high volume users of personal information", rather than on a particular sector. He also said during his speech that, despite the uncertainty following the announcement in the Federal Budget that the OAIC would be abolished, it is "business as usual" for privacy regulation.
This serves as a timely reminder (read: warning) of the
APP 1 requires an organisation to have a clearly expressed and up-to-date policy detailing how it manages personal information. This includes, among other things, being open and transparent about how you use, hold and disclose personal information and the overseas location of any recipients of your personal information. To comply with APP 1, you will also need to make your policy readily and freely available (usually by publishing the policy on your
The OAIC has provided guidance as to "best practice" for privacy policies, which includes ensuring the policy is not too long, uses plain English and is presented in a way that is easy to read. This is particularly important for mobile sites and apps. Facebook and the Commonwealth Bank of Australia are two examples of organisations that take a particularly innovative approach to their privacy policies, through the use of YouTube clips to help explain the content of their policies.
CAUTION: A COMPLIANT POLICY IS ONLY ONE PIECE OF THE
It is important to remember that compliance with APP 1 requires (although this is important).
To comply with APP 1, an organisation will also need to have practices, procedures and systems in place that ensure privacy compliance and facilitate the organisation being able to handle privacy-related queries and complaints. It should also have robust systems to anticipate, identify and respond quickly to a data breach. This includes appropriate escalation procedures and a crisis communications strategy.
There are increasing numbers of automated tools and data security products and services available to assist an organisation to meet the "system" component of APP 1. But the heart of privacy compliance goes to having awareness and buy-in at all levels of the organisation, particularly at the Board level. The consensus among the privacy professionals at the iappANZ summit was that organisations get privacy compliance right when they see it as a corporate governance issue, and a whole-of-organisation
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.