The Office of the Australian Information Commissioner (OAIC) released its Annual Report last month. It summarises the work of the OAIC over the 2016-2017 year, and indicates areas of future focus.
Today we look at three developments signalled in the Annual Report which may affect any business that deals with personal information.
Ongoing implementation of the mandatory Notifiable Data Breach (NDB) regime
We have talked about the Privacy Amendment (Notifiable Data Breaches) Act 2017 before (https://compliancequarter.com.au/business-prepared-roll-notifiable-data-breaches-scheme/). This new legislation establishes a mandatory Notifiable Data Breaches (NDB) scheme that will apply to federal government agencies and businesses covered by the Privacy Act 1988 (the Privacy Act).
This new legislation means that from 22 February 2018, where there is a data breach, organisations covered by the Privacy Act will have to notify the affected individuals if they are likely to be at risk of serious harm. At the same time, the OAIC must also be notified.
The OAIC notes that in June it released draft guidance on the NDB scheme for feedback from the public (see Annual Report, p68). It covered:
- the scope of the NDB scheme
- how to identify data breaches
- notifying individuals of a data breach
- the role of the OAIC with respect to the scheme
The OAIC also signals that, for the coming year, it will develop further resources ahead of the scheme’s commencement.
The OAIC also emphasises that it already administers a voluntary scheme through which businesses and government agencies can report possible privacy breaches to the OAIC, so that the OAIC can help resolve any issues (see Annual Report, p68).
The rise in privacy complaints
The OAIC observed that it has received 17% more privacy complaints from individuals over the last year than it did the year before (see Annual Report, p16). This signals, perhaps, an increased awareness among the public of their privacy rights and a willingness to enforce them.
In response to this, the OAIC has piloted an early resolution scheme, which aims to bring the parties together early on, before they develop entrenched positions. The OAIC reports that this has already reduced its initial response times and contributed to an increase in the number of privacy complaints closed.
Privacy requests under the Freedom of Information Act 1982
As well as the Privacy Act, the OAIC also administers the Freedom of Information Act 1982 (the FOI Act), which governs the release of information held by government ministers and agencies. The OAIC observes that 82% of the FOI Act matters it deals with are requests from individuals to access their own information (see Annual Report, p17). In many cases this is information that they are also entitled to access under the Privacy Act.
In light of this, the OAIC suggests that agencies need to be proactive in developing policies that support the right of individuals to access their own personal information and streamline that access (see Annual Report, p17).
As the FOI Act deals with information held by government and government agencies, rather than private entities, you may well ask, what does this have to do with my business?
Arguably, there are two lessons here:
- The figures indicate a general trend towards customers being more aware of their information and privacy rights, which will affect businesses covered by the Privacy Act. Those businesses should consider which policies and procedures they can implement to better meet their compliance obligations under that Act.
- Your business may deal with the personal information of customers that gets passed on to government agencies through your dealings with those agencies. In light of this, you need to be prepared for increased customer interest in their information which ends up being held by a government agency but may have originally been sourced from your business (for example, if you transfer personal customer information to a government agency in a licence application or in a procurement bid).
To read the full 212 pages of the Annual Report, go to https://www.oaic.gov.au/resources/about-us/corporate-information/annual-reports/oaic-annual-report-201617/oaic-annual-report-2016-17.pdf
If you think that we could be of any assistance in helping you comply with your obligations under the Privacy Act, the FOI Act, or information protection regulation in general, please get in contact with us.
Businesses and not-for-profit organisations with an annual turnover of more than $3 million are covered by the Privacy Act regime (see s6C(1) of the Privacy Act). Smaller businesses and not-for-profits may be covered as well, but it depends on the nature of their work (see ss6D and 6E of the Privacy Act).