New guidance on enforceable undertakings in privacy regulatory action by the OAIC

The Office of the Australian Information Commissioner (OAIC) recently updated its guide to privacy regulatory action (Guide) to provide greater clarity about the matters the Commissioner considers regarding enforceable undertakings and independent experts.

The Commissioner may accept an enforceable undertaking from an entity which has or appears to have interfered with the privacy of an individual, when it considers that an agreed change to future behaviour would be the most appropriate outcome in the circumstances.

In the 10 undertakings issues to date there has often been a requirement to engage an independent expert to verify the terms of the undertaking have been complied with.

The Guide sets out the factors taken into account by the Commissioner when it is negotiating and determining whether to accept an enforceable undertaking from a respondent, instead of taking a different regulatory approach (e.g. commencing proceedings for a breach). The Commissioner will consider the interests of the individuals affected by the respondent's conduct and the underlying guiding principles of the OAIC's Privacy Regulatory Action Policy (Policy), such as:

  • the nature and seriousness of the conduct or incident, including whether it suggests an isolated or systemic issue
  • the public interest in and educational, deterrent or precedential value of proposed action
  • the particular respondent's co-operation with the OAIC and history of compliance with privacy legislation.

If the undertaking is related to the My Health Records Act, the Commissioner will also have regard to the My Health Records Enforcement Guidelines.

The Guide also details matters the Commissioner considers when deciding whether a proposed independent expert is suitable to make a reliable and impartial assessment of respondent's compliance with the terms of the undertaking. These include enhanced requirements as to both their competence and independence. The changes relating to competence include not only qualifications, experience and technical expertise but include adequacy of resources and any references demonstrating its experience in related work.

From an independence perspective, the guide now probes more deeply into previous commercial relationships with the expert and its senior staff covering the last two years. This takes a broader approach to requiring disclosure of financial links which may negatively impact on perceptions of independence.

Since the OAIC accepted its first enforceable undertaking from Optus in March 2015, respondents targeted by the OAIC for potential breaches of privacy legislation have generally undertaken to overhaul privacy and data protection practices and policies, implement greater privacy training to staff and have their renewed policies and practices audited for compliance.

What does this mean for NSW government agencies?

While the activities of the OAIC have no direct application to NSW government agencies regulated by the Information and Privacy Commission, it is in line with moves by other regulators both locally and internationally to impose more rigorous standards on external reviewers to enhance both the perception of reliability and actual reliability of third party reviews.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.