PAYMENTS

NEWS

Privacy Management Framework: the Commissioner’s expectations for APP entities

The week of 3 to 9 May 2015 is Privacy Awareness Week (PAW) in Australia. PAW is an annual initiative of the Asia Pacific Privacy Authorities Forum, intended to promote awareness of privacy issues. It is recognised by several countries in the Asia Pacific Region, along with some others, that hold joint and individual events targeting the protection and prudent management of personal information.

To mark the start of PAW, the Office of the Australian Information Commissioner (OAIC) has released its Privacy Management Framework (Framework), which provides a detailed explanation of the steps that the OAIC expects relevant entities (known as APP Entities) to take so as to comply with Australian Privacy Principle (APP) 1.2.

Until the release of the Framework, the OAIC’s expectations in respect of APP 1.2 were not explained in detail. APP 1.2 states:

  • “1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:
    • a. will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and
    • b. will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.”

The exact steps required by the Framework will vary based upon a number of factors, including an APP entity’s size, means and structure.

There are four steps that APP entities are expected to take in order to illustrate to the OAIC that it is meeting its privacy obligations, and the Framework explains each of these in relatively broad terms. These steps are titled Embed, Establish, Evaluate and Enhance. A brief summary of each of these is as follows:

  • Step 1 ‘Embed’: as personal information is a valuable business asset for APP entities, it should be treated as such, by the development of good governance to protect it. Policies should be implemented to manage and protect personal information. People within each APP Entity should be appointed as being accountable for the overall privacy objectives, including the management of internal and external enquiries and complaints. Those people should, of course, be familiar with the APPs, the OAIC and the APP entity’s privacy objectives;
  • Step 2 ‘Establish’: the establishment of the APP entity’s privacy objectives should be apparent in this step. Processes should be developed to ensure that privacy obligations are observed; from the time that personal information is collected, to when it is no longer needed. Privacy policies should be clearly expressed to staff of the APP entity, through induction programs as well as through the creation, communication and updating of those policies. Information should be kept regarding where, when and why personal information is held and what will happen if privacy obligations are breached;
  • Step 3 ‘Evaluate’: APP entities must be committed to regular internal audits and evaluation of privacy policies and practices to ensure that they are up to date and effective. Compliance with obligations should be documented, and records should be kept on privacy process reviews, breaches and complaints. Internal and external opportunity should be given to receive feedback in relation to the operation of an APP entity’s practices in this respect;
  • Step 4 ‘Enhance’: this final step requires, primarily, acting upon the findings from step 3, and suggests that if necessary, APP entities should seek to have their privacy processes assessed by an external consultant to identify areas for improvement. The OAIC also suggests that consideration be given to adopting practices that go beyond the ambit of the APPs, where appropriate, and to keeping abreast of, among other things, new technologies and their implications upon the protection of personal information.

The OAIC’s expectations of APP entities are not easy to meet and, for some, will require rethinking their privacy objectives and strategies from the ground up. To satisfy the OAIC, some entities will need to undertake significant cultural changes, to show a commitment to both the protection of personal information and the development of a culture that fosters that protection.

Complying with APP 1.2 will be particularly important for insurers, given that their businesses rely almost exclusively upon the provision of personal information by their customers. Strong consideration should be given to the Framework, and external consultation or advice obtained, to ensure that initiatives and processes are compliant.

The Framework may be found here

Robert Ishak

Principal Lawyer, Director

Profile

Related News

Insights

Duty to Mitigate and the Reasonableness Standard

When a party (Plaintiff) suffers loss and damage (usually from a breach of contract or tort), the approach of the Courts will be to put

Read More
Insights

Navigating Subrogation Limits – Section 65 of the Insurance Contracts Act 1984

Did you know?  A key provision of the Insurance Contract Act 1984 is section 65 on subrogation.  Specifically, subrogation of rights against family members or

Read More
Insights

A learner’s duty of care

Have you ever wondered whether a learner driver would be responsible for the damage to a supervisor’s vehicle, or vice versa? A learner’s duty of

Read More
VIEW ALL NEWS

Get in touch

Contact our team today

CONTACT US

Stay informed

Keep up-to-date with our regular news and insights

This field is for validation purposes and should be left unchanged.
William Roberts Lawyers

Sydney

Level 22
66 Goulburn Street
SYDNEY NSW 2000

Melbourne

Level 21
535 Bourke Street
MELBOURNE VIC 3000

Brisbane

Level 8
300 Ann Street
BRISBANE QLD 4000

Singapore

Level 19
Singapore Land Tower
50 Raffles Place
SINGAPORE 048623