OAIC Annual Report 2017: Three developments of note for businesses that deal with personal information

Share on twitter
Share on linkedin
Share on facebook

The Office of the Australian Information Commissioner (OAIC) released its Annual Report last month. It summarises the work of the OAIC over the 2016-2017 year, and indicates areas of future focus.

Today we look at three areas developments signalled in the Annual Report which may affect any business that deals with personal information.

  • Ongoing implementation of the mandatory Notifiable Data Breach (NDB) regime

We have talked about the Privacy Amendment (Notifiable Data Breaches) Act 2017 before (https://compliancequarter.com.au/business-prepared-roll-notifiable-data-breaches-scheme/) This new legislation establishes a mandatory Notifiable Data Breaches (NDB) scheme that will apply to federal government agencies and businesses covered by the Privacy Act 1988 (the Privacy Act)[1].

This new legislation means that from 22 February 2018, organisations covered by the Privacy Act will have to notify individuals, where there is a breach, if they are likely to be at risk of serious harm. At the same time, the OAIC must also be notified.

The OAIC notes that in June it released draft guidance on the NDB scheme for feedback from the public (see Annual Report, p68). It covered:

  • the scope of the NDB scheme
  • how to identify data breaches
  • notifying individuals of a data breach
  • the role of the OAIC with respect to the scheme

The OAIC signals also that, for the coming year, it will develop further resources ahead of the scheme’s commencement.

OAIC also emphasises that it already administers a voluntary scheme through which business and government agencies can voluntarily report their possible privacy breaches to the OAIC, so that the OAIC can support resolving any issues (see Annual Report, p68).

  • The rise in privacy complaints

The OAIC observed that it has received 17% more privacy complaints from individuals over the last year than it did the year before (see Annual Report, p16). This signals, perhaps, an increased awareness among the public of their privacy rights and a willingness to enforce them.

In response to this, the OAIC has piloted an early resolution scheme, which aims to bring the parties together early on, before they develop entrenched positions. OAIC recognises that already this has reduced their initial response times and contributed to an increase in the number of privacy complaints closed.

  • Privacy requests under the Freedom of Information Act 1982

As well as the Privacy Act, the OAIC also administers the Freedom of Information Act 1982 (the FOI Act) which governs the release of information held by government ministers and agencies. The OAIC observes that 82% of FOI Act matters that they deal with, are requests from individuals to access their own information (see Annual Report, p17). In many cases this is information that they are also entitled to access under the Privacy Act.

In light of this, OAIC suggests, agencies need to be pro-active in developing policies that will support the right of individuals to access their own personal information and streamline their access to it (see Annual Report, p17).

As the FOI Act deals with information held by government and government agencies, rather than private entities, you may well ask, what does this have to do with my business?

Arguably, there are two lessons here:

  • As it indicates a general trend towards customers being more aware of their information and privacy rights, this will affect businesses that are covered by the Privacy Act. Businesses covered by that Act should think about which policies and procedures they can implement to better meet their compliance obligations under that Act.
  • Your business may deal with the personal information of customers that gets passed on to government agencies, through your dealings with those agencies. In light of this, you need to be prepared for increased customer interest in their information which ends up being held by a government agency. but may have originally been sourced from your business (for example, if you transfer personal customer information to a government agency in a licence application or in a procurement bid)

To read the full 212 pages of the Annual Report, go to https://www.oaic.gov.au/resources/about-us/corporate-information/annual-reports/oaic-annual-report-201617/oaic-annual-report-2016-17.pdf

If you think that we could be of any assistance in helping comply with your obligations under the Privacy Act, the FOI, or information protection regulation in general, please get in contact with us.

[1] Businesses and not-for-profit organisations with an annual turnover more than $3 million are covered by the Privacy Act regime (see s6C(1) of the Privacy Act). Smaller business and not-for-profits may be covered as well, but it depends on the nature of their work (see ss6D and 6E of the Privacy Act).

More to explorer

notes on board

How to Manage Multiple Compliance Deadlines: A Case Study

Compliance managers in the energy sector are constantly juggling a large work load with competing deadlines. Managing time effectively is a core skill for compliance managers. In this article, we will present a hypothetical case study of a compliance manager in an energy retailer who has to juggle multiple compliance tasks and deadlines, and how they can use some strategies and tools to manage their workload and prioritise effectively. We will also share some insights and tips from Compliance Quarter,

laptop on table top

How to Avoid Compliance Risks by Effective Communication: A Case Study

Compliance managers in the energy sector face many challenges in ensuring that their businesses comply with the regulatory framework. One of the most common and frustrating situations is when their advice is ignored or overridden by senior management or other stakeholders, exposing the business to potential compliance risks and penalties. In this article, we will present a hypothetical case study of a compliance manager in an energy retailer who faced this scenario and how it affected the business outcomes. We

Contemporary design of multifamily living houses. Modern luxury apartments buildings.

Modernising Electricity Regulation: The AES Framework and Embedded Networks in Western Australia

Background The existing licensing framework overseeing the sale and supply of electricity in Western Australia (WA) has struggled to adapt to the rapid expansion of emerging and atypical electricity business models in recent years. To address this, in 2019, the then Minister for Energy commissioned Energy Policy WA to assess the regulatory framework in Western Australia. In 2020, Energy Policy WA initiated consultations on a proposed regulatory framework for various categories of ‘alternative electricity services’ called the Alternative Electricity Services

Leave a Reply

Your email address will not be published. Required fields are marked *