Privacy Commissioner releases new Privacy Regulatory Action Policy

At the opening keynote of the IAPPANZ Summit, Australia's Privacy Commissioner Timothy Pilgrim announced the release of his office's new Privacy Regulatory Action Policy.

"This policy explains the range of regulatory powers available to me, and formalises the approach our office has been taking in using these powers," he said.

According to Pilgrim, the new policy is not a significant departure from past regulation. "What it does is provide transparency about our existing approach, making it as clear as possible to organisations what our powers are, and what we see as our responsibilities in regards to using them," he explained.

Alongside the new policy, Pilgrim mentioned that his department is also preparing a Guide to privacy regulatory action, and releasing a number of chapters of an exposure draft for consultation.

The guide is designed to be read alongside the new policy and the APP guidelines, to help organisations understand what is expected of them.

"While we are generally required to investigate and attempt to conciliate complaints, we have the discretion to choose when to use our other privacy regulatory powers. The Regulatory Action Policy sets out situations when we will select and target matters warranting regulatory action," explained Pilgrim.

In addition to these policy reforms, Pilgrim's team has also been working on ways to assist businesses to better comply with their privacy obligations. He noted that recent research undertaken by his department found that many of the 50 largest organisations in Australia did not comply with the first principle in the Australian Privacy Principles.

As an outcome of that research, Pilgrim's team set about producing their Guide to securing personal information. This is an update of the Guide to Information Security, and describes examples of reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.

Pilgrim said, "In rewriting and refocusing this guide we held a public consultation so that we could ensure that it, as much as possible, met the needs of the organisations using it".

Pre-empting some of the later sessions at the IAPPANZ Summit, Pilgrim pointed to the Internet of Things as one of the most important technical changes that will have an impact on privacy.

"The International Conference of Data Protection and Privacy Commissioners was held in Mauritius recently, and the focus of the Conference’s declaration was on the Internet of Things," he said. "The Mauritius declaration says that personal development should not be defined by what business or the government know about you, and yet, the proliferation of the Internet of Things — the sheer volume of data that is collected about all of us every day — is increasing the risk that this is exactly what will happen".

Pilgrim's concern is that there is a constant struggle between the protection of personal privacy and the need to interact with the world.

"No regular person can fully understand all the ramifications of providing what may seem like small and insignificant snippets of information in their day to day transactions".

In order for companies and individuals to be ready for this changing world, privacy needs to be built into systems from the start - it will be too complex to add this later as a bolted-on capability.

"But of course, it is far better to build compliance into your business processes, than to leave things to chance and end up meeting the regulatory side of our office. With that in mind, our office is continuing to work on publications that are designed to help you build privacy compliance into your processes and your culture from step one."

Pilgrim noted that over the last year his department has received a record number of complaints. A significant number of these complaints stemmed from the leak of data in February by the Department of Immigration and Border Protection, which published a statistical report with links back to raw, identifiable data in source spreadsheets. However, with that large breach removed from their statistics, Pilgrim's department has seen a doubling in the number of complaints received.

In closing his address, Pilgrim warned businesses that privacy was now an important element in how customers choose service providers.

"This tells me, and it should tell you, that consumers are just as aware as we are of how privacy has become an inherent part of everything they do. And remember the figure from last year’s Community Attitudes to Privacy Survey – 60% were prepared to not deal with an organisation because of concern about their personal information handling practices".

This article is brought to you by Enex TestLab, content directors for CSO Australia.
