The Office of the Australian Information Commissioner (OAIC) has set out its approach to using its enhanced regulatory powers under the amended Privacy Act 1988 (Privacy Act). In its Privacy Regulatory Action Policy (Regulatory Policy), the OAIC sets out its regulatory strategy, approach and priorities.
In a welcome move, the Regulatory Policy confirms that the OAIC will continue its current preference to facilitate voluntary compliance and work with entities to achieve best practice and prevent privacy breaches.
In particular, the Regulatory Policy sets out the OAIC's position and approach to some key areas of privacy, including:
- taking regulatory action
- using its regulatory powers
- investigations, and
- exercising its enforcement powers.
Taking regulatory action
The OAIC's stated goal of taking regulatory action is to promote and ensure the protection of personal information. However, the Regulatory Policy notes that taking regulatory action may also aid the OAIC's role as privacy regulator by:
- ensuring Privacy Act compliance
- increasing public knowledge of:
- personal information handling rights and obligations, and
- the Commissioner's privacy regulatory powers
- assisting and influencing entities to adopt best privacy compliance practice
- deterring conduct that contravenes privacy obligations
- securing an appropriate remedy for an aggrieved person where there has been a breach of privacy obligations
- addressing systemic issues in personal information handling, and
- instilling public confidence in the OAIC's regulatory role.
The following principles have been identified as guiding the OAIC's approach when taking privacy regulatory action:
- acting independently and taking action that is impartial and objective
- being accountable for its privacy regulatory action through a range of review and appeal rights
- adopting regulatory action that is proportionate to the situation or conduct concerned
- acting consistently, in a manner that is guided by and reflects the Regulatory Policy
- striving to conduct and finalise regulatory action as promptly as practicable, and
- being open about how it uses its privacy regulatory powers.
Using regulatory powers
The Regulatory Policy sets out a range of steps the OAIC can use as part of its preferred regulatory approach of working with entities to facilitate legal and best practice compliance, including:
- engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise
- engaging with regulated entities that voluntarily and proactively notify the OAIC of a data breach incident
- conducting an assessment of whether personal information is being maintained and handled by entities in line with applicable privacy legislative obligations
- recommending that an entity conduct a privacy impact assessment (PIA) where the entity proposes to engage in a new activity or function involving the handling of personal information about individuals, or when a change is proposed to information handling practices, and
- formally directing an agency to conduct a PIA where the entity proposes either to engage in a new activity or function involving the handling of personal information about individuals, or to make a substantive change to information handling practices.
The Regulatory Policy notes that the fact that an entity has engaged cooperatively with the OAIC will be considered in deciding whether to take regulatory action and what regulatory action to take.
The Regulatory Policy states that when deciding whether or not to open a Commissioner instigated investigation (CII), the OAIC may consider whether the entity has:
- voluntarily and promptly notified the OAIC of any data breach incident
- taken appropriate steps to respond to a breach, and
- cooperated with the OAIC in remedying any breach.
It is the stated intention of the OAIC to work with the parties concerned when investigating a complaint or conducting a CII.
Exercising enforcement powers
The stated factors that the OAIC will consider when deciding to take privacy regulatory action, and what action to take, include the following:
- the objects of the Privacy Act
- the seriousness of the incident or conduct to be investigated or the potential impact of a proposal
- the level of public interest or concern attracted by the incident, conduct or proposal
- whether the burden on the entity likely to arise is justified
- the specific and general educational, deterrent or precedential value of the particular privacy regulatory action
- prior privacy record of the entity responsible for the incident or conduct
The Regulatory Policy indicates that the OAIC will continue to take its pre-Privacy Act amendment's approach to facilitate voluntary compliance and work with entities when implementing its enhanced powers under the Privacy Act.
- the likelihood of the entity contravening the Privacy Act, or other legislation that confers functions relating to privacy on the Commissioner, in the future
- whether the conduct is an isolated instance, or whether it
- a potential systemic issue (either within the entity concerned or within an industry), or
- an increasing issue
- action taken by the entity to remedy and address the consequences of the conduct
- the time since the conduct occurred
- the cost and time to the OAIC
- whether there is adequate admissible evidence available to prove a contravention on the balance of probabilities, and
- any other factors that the OAIC considers relevant in the circumstances, including factors that are relevant to the specific regulatory power being used.
What this means for agencies
The Regulatory Policy indicates that the OAIC will continue to take its pre-Privacy Act amendment's approach to facilitate voluntary compliance and work with entities when implementing its enhanced powers under the Privacy Act. While this is welcome news, agencies need to be aware of their privacy obligations and comply with them, as the policy makes it clear that the OAIC is prepared to use the enhanced powers if the circumstances warrant it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.