Privacy Management Framework: the Commissioner’s expectations for APP entities

The week of 3 to 9 May 2015 is Privacy Awareness Week (PAW) in Australia. PAW is an annual initiative of the Asia Pacific Privacy Authorities Forum, intended to promote awareness of privacy issues. It is recognised by several countries in the Asia Pacific region, along with some others, which hold joint and individual events targeting the protection and prudent management of personal information.

To mark the start of PAW, the Office of the Australian Information Commissioner (OAIC) has released its Privacy Management Framework (Framework), which provides a detailed explanation of the steps that the OAIC expects relevant entities (known as APP Entities) to take so as to comply with Australian Privacy Principle (APP) 1.2.

Until the release of the Framework, the OAIC’s expectations in respect of APP 1.2 were not explained in detail. APP 1.2 states:

  • “1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:
    • a. will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and
    • b. will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.”

The exact steps required by the Framework will vary based upon a number of factors, including an APP entity’s size, means and structure.

There are four steps that APP entities are expected to take in order to illustrate to the OAIC that they are meeting their privacy obligations, and the Framework explains each of these in relatively broad terms. These steps are titled Embed, Establish, Evaluate and Enhance. A brief summary of each is as follows:

  • Step 1 ‘Embed’: as personal information is a valuable business asset for APP entities, it should be treated as such, through the development of good governance to protect it. Policies should be implemented to manage and protect personal information. People within each APP entity should be appointed as accountable for the overall privacy objectives, including the management of internal and external enquiries and complaints. Those people should, of course, be familiar with the APPs, the OAIC and the APP entity’s privacy objectives;
  • Step 2 ‘Establish’: the establishment of the APP entity’s privacy objectives should be apparent in this step. Processes should be developed to ensure that privacy obligations are observed from the time that personal information is collected until it is no longer needed. Privacy policies should be clearly communicated to staff of the APP entity, through induction programs as well as through the creation, communication and updating of those policies. Records should be kept of where, when and why personal information is held, and of what will happen if privacy obligations are breached;
  • Step 3 ‘Evaluate’: APP entities must be committed to regular internal audits and evaluation of privacy policies and practices to ensure that they are up to date and effective. Compliance with obligations should be documented, and records should be kept of privacy process reviews, breaches and complaints. Opportunities should be provided, both internally and externally, for feedback on the operation of the APP entity’s practices in this respect;
  • Step 4 ‘Enhance’: this final step primarily requires acting upon the findings from step 3, and suggests that, if necessary, APP entities should have their privacy processes assessed by an external consultant to identify areas for improvement. The OAIC also suggests that consideration be given to adopting practices that go beyond the ambit of the APPs, where appropriate, and to keeping abreast of, among other things, new technologies and their implications for the protection of personal information.

The OAIC’s expectations of APP entities are not easy to meet and, for some, will require rethinking their privacy objectives and strategies from the ground up. To satisfy the OAIC, some entities will need to undertake significant cultural changes, to show a commitment to both the protection of personal information and the development of a culture that fosters that protection.

Complying with APP 1.2 will be particularly important for insurers, given that their businesses rely almost exclusively upon the provision of personal information by their customers. Strong consideration should be given to the Framework, and external consultation or advice obtained, to ensure that initiatives and processes are compliant.

The Framework may be found here

William Roberts Lawyers