OAIC Annual Report 2017: Three developments of note for businesses that deal with personal information


The Office of the Australian Information Commissioner (OAIC) released its Annual Report last month. It summarises the work of the OAIC over the 2016-2017 year, and indicates areas of future focus.

Today we look at three developments signalled in the Annual Report that may affect any business that deals with personal information.

  • Ongoing implementation of the mandatory Notifiable Data Breach (NDB) regime

We have talked about the Privacy Amendment (Notifiable Data Breaches) Act 2017 before (https://compliancequarter.com.au/business-prepared-roll-notifiable-data-breaches-scheme/). This legislation establishes a mandatory Notifiable Data Breaches (NDB) scheme that will apply to federal government agencies and to businesses covered by the Privacy Act 1988 (the Privacy Act)[1].

In practical terms, from 22 February 2018 an organisation covered by the Privacy Act that suffers a data breach must notify the affected individuals where the breach is likely to result in serious harm to them. The OAIC must be notified at the same time.

The OAIC notes that in June 2017 it released draft guidance on the NDB scheme for public comment (see Annual Report, p68). The draft guidance covered:

  • the scope of the NDB scheme
  • how to identify data breaches
  • notifying individuals of a data breach
  • the role of the OAIC with respect to the scheme

The OAIC also signals that, over the coming year, it will develop further resources ahead of the scheme's commencement.

The OAIC also emphasises that it already administers a voluntary scheme through which businesses and government agencies can report possible privacy breaches to the OAIC, so that the OAIC can support the resolution of any issues (see Annual Report, p68). Until the mandatory scheme commences, this remains the avenue for organisations that wish to report a breach.

  • The rise in privacy complaints

The OAIC reports that it received 17% more privacy complaints from individuals over the year than in the year before (see Annual Report, p16). This perhaps signals an increased awareness among the public of their privacy rights and a greater willingness to enforce them.

In response, the OAIC has piloted an early resolution scheme, which aims to bring the parties together early on, before they develop entrenched positions. The OAIC reports that this has already reduced its initial response times and contributed to an increase in the number of privacy complaints closed.

  • Privacy requests under the Freedom of Information Act 1982

As well as the Privacy Act, the OAIC administers the Freedom of Information Act 1982 (the FOI Act), which governs the release of information held by government ministers and agencies. The OAIC observes that 82% of the FOI Act matters it deals with are requests from individuals to access their own information (see Annual Report, p17). In many cases this is information that the individual is also entitled to access under the Privacy Act.

In light of this, the OAIC suggests, agencies need to be proactive in developing policies that support the right of individuals to access their own personal information and that streamline that access (see Annual Report, p17).

As the FOI Act deals with information held by government and government agencies, rather than by private entities, you may well ask what this has to do with your business.

Arguably, there are two lessons here:

  • The FOI figures point to a general trend towards customers being more aware of their information and privacy rights, and that trend will affect businesses covered by the Privacy Act just as much as it affects agencies. Businesses covered by the Act should consider which policies and procedures they can implement to better meet their access and compliance obligations under it.
  • Your business may handle personal information of customers that is passed on to government agencies in the course of your dealings with those agencies (for example, if you include personal customer information in a licence application or a procurement bid). You should be prepared for increased customer interest in information that ends up being held by a government agency but was originally sourced from your business.

To read the full 212 pages of the Annual Report, go to https://www.oaic.gov.au/resources/about-us/corporate-information/annual-reports/oaic-annual-report-201617/oaic-annual-report-2016-17.pdf

If you think that we could be of assistance in helping you comply with your obligations under the Privacy Act, the FOI Act, or information protection regulation in general, please get in contact with us.

[1] Businesses and not-for-profit organisations with an annual turnover of more than $3 million are covered by the Privacy Act regime (see s6C(1) of the Privacy Act). Smaller businesses and not-for-profits may be covered as well, depending on the nature of their work (see ss6D and 6E of the Privacy Act).
