Privacy management plans, privacy officers, privacy champions, privacy training and privacy impact assessments — federal agencies will soon have a more explicit set of rules to spell out how they must employ each of these, and the draft is out for consultation.
More prescriptive than either the Privacy Act or the Australian Privacy Principles on which it is based, the Australian Public Service Privacy Governance Code will effectively reduce the amount of wiggle-room agencies have when interpreting their responsibilities, rather than adding new ones.
A brief preamble underscores Australian Privacy Principle 1 — entities covered by the act should “manage personal information in an open and transparent way” — as the “foundation” of the system that demands compliance with the other principles:
“APP 1 implicitly promotes a ‘privacy by design’ approach to ensure that privacy compliance is included in the design of information systems and practices from their inception.”
APP 1 is important here because it also binds organisations to follow the relevant privacy code for their sector, if there is one. The APS will be only the third group of organisations subject to one, setting out specific mandatory steps for implementing “privacy by design” in the public service. The other two cover firms doing market and social research and those in the credit history and reporting game.
The APS code aims to raise compliance through improved capability, and “promote good privacy governance within agencies to create and embed a culture that respects privacy and treats personal information as a valuable asset” — as a way to build up faltering community trust and confidence in how federal agencies handle personal information.
There are three operative sections in the draft code that go to improving privacy management and governance, clarifying the use of privacy impact assessments, and improving capability through training as well as regular reviews of policies, procedures and systems.
The Office of the Australian Information Commissioner is accepting comments on the proposal until August 11 and has set out three discussion questions:
- Is the text of the draft code clear and easy to understand?
- Would the code have any unintended consequences? Are there any factors that might make implementation difficult?
- What matters in the code do you think the OAIC should provide guidance on?
A new definition of ‘high-risk’ activities
The draft would require agencies to have both a designated privacy officer and a privacy champion at a more senior level at all times, and sets out some proposed responsibilities for them. Agencies would also have to devise an overarching plan with “specific, measurable privacy goals and targets” and report against it annually.
Privacy impact assessments (PIAs) will now be mandatory for every “high risk” project, broadly defined as one involving any of the following:
- material change to existing policies, processes or systems that involve personal information;
- the establishment of a new way of identifying individuals, such as a unique identifier, biometrics or online identification system;
- a material difference in the collection of, or the method of collection of, new or changed types of personal information;
- the collection of sensitive information;
- the use or disclosure of personal information for a purpose other than the purpose for which it was collected;
- data matching or the bulk transfer of data;
- the transfer of personal information to an overseas recipient;
- a changed, or new, risk of misuse, interference and loss, or unauthorised access, modification or disclosure of personal information;
- the agency considers that the project involves such sensitivity, or is of such significance, that it constitutes a high risk project; or
- the agency considers that the project is a high risk project for one of the above reasons or any other reason relating to privacy.
Under the draft code, agencies would have to prepare a written report on every PIA and a response to any recommendations, which they would have to keep in a register and provide to the information commissioner on request. They would also have to publish a written report and the agency’s response to any recommendations, but not necessarily the same documents.
Agencies would be able to get out of publishing a PIA by asserting that it would:
- unreasonably reveal information about an agency’s systems, processes or operations;
- involve unlawful or unreasonable disclosure of personal information about any individual;
- unreasonably reveal information about law enforcement or national security activities; or
- involve the disclosure of an exempt document for the purposes of the Freedom of Information Act 1982.
If it is possible to produce a shorter summary version of the PIA report that doesn’t run afoul of any of these caveats, then it must be done, under the draft code.
The final section would make privacy training mandatory for inductions and “regular staff training programs” — including for contractors, short-term employees and service providers. A yearly refresher would also be required for everyone who has access to personal information.
There are also provisions requiring agencies to “regularly” review their internal “privacy practices, procedures and systems” and monitor compliance with them among their employees.