In brief
To coincide with Privacy Awareness Week, the Office of the Australian Information Commissioner has released a number of business resources, a Privacy Management Framework to assist businesses to comply with their obligations under the Australian Privacy Principles, and the results of its audit of the online privacy policies of 20 Australian and international organisations. The OAIC has also made some announcements regarding its next areas of focus. Partner Gavin Smith, Senior Associate Valeska Bloch and Lawyer Tom Kavanagh report on these updates and how they might affect your business.
How does it affect you?
- The new 'Send Personal Information Overseas' privacy business resource clarifies that, although the Australian Privacy Principles (APPs) that apply to an entity will vary depending on whether there is technically a 'use' or an offshore 'disclosure' of personal information, the practical steps that an organisation will need to take will nonetheless be similar in both circumstances. Where it is unclear whether personal information is being used or disclosed by an organisation, the organisation may still be held accountable for the mishandling of that personal information by an overseas recipient and the Office of the Australian Information Commissioner (OAIC) recommends that the organisation take reasonable steps to ensure the APPs are complied with. This has implications for the use of offshore cloud services. The OAIC recommends that both contractual and non-contractual mechanisms are taken in these circumstances in order to mitigate the relevant privacy risks.
- Entities should adopt the OAIC's new privacy management framework in order to take reasonable steps (as required under APP 1.2) to implement practices, procedures and systems that ensure compliance with the APPs. The OAIC expects that all organisations will 'commit' to implementing the new framework.
- APP 1.3 requires that APP entities have privacy policies that are clearly expressed. The Commissioner has clarified that entities should ensure that their policies are easily accessible to the general public, are as brief as possible, make it easy to locate critical information, and avoid jargon, long sentences and complex or formal language. Policies should also adequately describe how entities protect the personal information that they hold. It may be insufficient, for example, to simply state that the entity uses reasonable measures to protect information. Privacy policies should at least broadly explain the measures in place to manage security risks.
- Next in focus for the OAIC are websites and mobile apps targeted at children aged 12 and under.
Privacy business resources
The Commissioner has released two new privacy business resources to provide more detailed advice and practical tips to assist business to comply with their obligations under the Privacy Act 1988 (Cth).
Sending personal information overseas
Privacy business resource 8: Sending personal information overseas aims to assist organisations to understand their obligations when sending personal information overseas.
The key message of this resource is that although the APPs that apply vary depending on whether there is a 'use' or a 'disclosure' of personal information, in practice the steps that an organisation should take and their accountability when sending personal information overseas can be similar.
Although the terms 'use' and 'disclosure' are not defined in the Privacy Act, the Commissioner has issued guidance that:
- an entity uses personal information when it handles or manages that information within its effective control; and
- an entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the handling of the information from its effective control.
For example, the provision of information to a cloud service provider located overseas may be considered a use if the information is provided for the limited purpose of performing the services of storing, and ensuring the organisation can access, the personal information, and a binding contract between the parties limits handling the information for that limited purpose, imposes the same obligations on any subcontractors and gives the entity effective control over the information.
Nevertheless, where it is unclear whether personal information is being used or disclosed, an organisation may still be held accountable for the mishandling of that personal information by the overseas recipient and the OAIC recommends that the organisation take reasonable steps to ensure the APPs are complied with.
On the question of what constitutes reasonable steps, the OAIC confirms in this privacy resource that it is generally expected that an entity will:
- enter into an enforceable contractual arrangement with the overseas recipient to handle personal information in accordance with the APPs;
- take steps to ensure compliance with those contractual arrangements; and
- ensure non-contractual mechanisms are in place to minimise the relevant risks, including by verifying that the overseas recipient has in place technical and organisational safeguards to ensure the personal information is secure, and by asking the recipient to provide any internal policies and procedures for handling personal information.
The OAIC acknowledges in this resource that reasonable steps will depend on factors that include the sensitivity of the information, the possible adverse consequences if information is mishandled, the relationship with the overseas recipient, existing technical and operational safeguards, and the practicability of particular steps (including time and cost involved).
The OAIC also envisages that there may be circumstances in which entities decide on the information available that the proposed overseas disclosure of personal information to a particular entity or to a particular overseas location would be unwise because the risk that the information might be mishandled is too high.
Ten tips to protect your customers' personal information
Privacy business resource 9: Ten tips to protect your customers' personal information provides a brief guide to assist businesses to comply with their obligations when handling the personal information of customers.
The ten tips are:
- Familiarise yourself with internal privacy policies, processes and procedures.
- Know who is responsible for privacy – the OAIC recommends that entities appoint both a senior member of staff with overall accountability for privacy and a privacy officer who understands the entity's responsibilities under the Privacy Act and handles access and correction requests, as well as complaints and enquiries about the entity's personal information handling practices.
- Consider privacy during project planning – the OAIC suggests a privacy impact assessment (PIA) be developed for any project that involves new or changed personal information handling practices. Such an assessment identifies how a project can have an impact on individuals' privacy and makes recommendations for managing, minimising or eliminating privacy impacts.
- Only collect the personal information you need – the OAIC emphasises the importance of not collecting unnecessary information, or information that may only become required at a later date.
- Use and disclosure – entities should consider whether they can conduct their business activities without using or disclosing personal information and, where use or disclosure is necessary, only do so to the minimum extent required.
- Overseas disclosure – the OAIC reinforces the importance of taking reasonable steps to ensure that any overseas recipient of personal information complies with the APPs.
- Take greater care when handling sensitive information.
- Access personal information on a need-to-know basis – staff should only have access to personal information required for their role or function in order to protect the information from unauthorised access, use or disclosure.
- Keep personal information secure.
- Familiarise yourself with your data breach response plan – all entities should have such a plan, as a quick response can substantially decrease the impact on the affected individuals. It is also best practice to notify the OAIC when you suffer a data breach and there is risk of serious harm to the affected individuals.
Privacy Management Framework
The OAIC has released a privacy management framework that is designed to assist organisations to take reasonable steps, as required under APP 1.2, to implement practices, procedures and systems that ensure compliance with the APPs.
The framework sets out a practical structure and methodology to enable entities to establish and implement a privacy management plan in order to meet their compliance obligations by:
- embedding a culture of privacy enabling compliance;
- establishing robust and effective privacy processes;
- evaluating privacy processes to ensure continued effectiveness; and
- enhancing responses to privacy issues.
The framework explains that compliance with APP 1.2 should be seen and understood as a matter of good governance for every organisation and, consistent with that message, each step of the framework sets out certain actions that an organisation can 'commit' to in order to comply with its obligations and encourage good practice.
In the associated media release, the Commissioner indicated that he expects all organisations that have responsibilities under the Privacy Act to make a commitment to implement the framework and that this would put them 'in the best position to address privacy challenges head-on, meet their obligations under the Act and ultimately get ahead of the game'.
Audit of privacy policies
The Commissioner has conducted a privacy assessment under section 33C of the Privacy Act of the online privacy policies of 20 APP entities against the specific criteria set out in APP 1.
The assessment covered all four major banks, technology companies, media companies (including Fairfax, ninemsn and Newscorp) and government departments. The entities were selected either because they had a high volume of traffic, because they had been identified by the OAIC for follow-up action, or because the OAIC had received a large volume of complaints about them.
The assessment found that, while all 20 entities had taken some steps to address APP 1 requirements and had privacy policies that were easy to find, 55 per cent of the entities had privacy policies that did not adequately address the content requirements in APP 1.4. Specifically, some of the privacy policies did not:
- outline how an individual can request access or correction of their personal information;
- outline how the organisation would deal with a privacy complaint it may receive;
- adequately describe how they protect the personal information that they hold; or
- outline whether the organisation was likely to disclose personal information overseas and the countries in which such recipients are likely to be located.
In the associated media release, the Commissioner suggested that some of the policies were still too long, which made it difficult to locate relevant information (the median length of the policies considered in the assessment was 3413 words). This conclusion is of particular interest because it suggests that the Commissioner does not encourage the practice of adopting an extremely exhaustive and granular approach to disclosing all specific potential uses of personal information in a privacy policy. On the contrary, provided that a privacy policy is not misleading, broader descriptions of the use of personal information should be acceptable.
What's next for the OAIC?
OAIC to continue to examine how new requirements have been implemented
In reporting on his findings in relation to the assessment of privacy policies, the Commissioner indicated that the assessment activity was indicative of his overall regulatory approach:
Over the last 12 months, we have provided a range of guidance to organisations and agencies including how to develop privacy policies. We are now checking in on how the new requirements have been implemented. I encourage all organisations and agencies to review their privacy policies with the aim to make it as easy as possible for their customers to understand how their personal information will be respected and protected.
Although the OAIC did not identify the steps (if any) that would be taken as a result of the audit, the key findings suggest that the OAIC is carefully scrutinising the privacy policies of high-profile websites, and all entities will need to be careful to ensure that their privacy policies adequately cover their obligations under APP 1.
Websites and apps aimed at children are next in the spotlight
On 11 May 2015, the OAIC announced that it would next assess the extent to which 44 websites and mobile apps targeted at children aged 12 and under protect privacy. The OAIC will be conducting this sweep as one of 29 privacy enforcement authorities worldwide that are engaging in a coordinated effort to examine privacy issues as part of the Global Privacy Enforcement Network.
As part of this assessment, the OAIC will be looking at whether such websites and apps:
- collect children's personal information and, if so, whether protective controls exist to limit that collection;
- seek parental involvement;
- allow users to be redirected off the site;
- make it easy to delete personal information; and
- tailor any privacy communications to the age group through approaches such as simple language, large print, audio or animation.
The results of the audit will be made publicly available later this year.
Focus on governance
The most recent tranche of resources and guidance released by the OAIC during Privacy Awareness Week further develops the content of the Australian Privacy Principles and provides greater guidance as to the obligations imposed on organisations and other entities subject to the APPs.
However, these resources form only one part of the OAIC's approach. In March 2015, the OAIC announced that the next 12 months would see a particular focus on 'governance, assisting organisations and agencies to build a culture of privacy and ensuring that organisations and agencies are proactive in meeting their compliance requirements'. Consistent with this focus, the Commissioner reminded organisations that 'it is more effective, and ultimately cheaper, to embed privacy in day-to-day processes than it is to respond to issues such as data breaches as they arise'.