Many of our clients across diverse industry sectors have sought from us practical advice on the implications of the recent changes to The Privacy Act 1988 (Privacy Act).
These changes have:
placed new obligations on private businesses and organisations aimed at protecting individuals’ personal information; and
given new, wide ranging powers to the Office of the Australian Information Commissioner (OAIC).
Primarily, the amendments to the Privacy Act are responsive to community concerns regarding unsolicited direct marketing, credit reporting and general concern regarding the use of personal information. However their implications and impact are not limited to these issues.
Breaching the Privacy Act and being subject to investigation and penalties by the OAIC are not the only potential exposures to consider in relation to potential privacy breaches.
You may be liable:
for breach of contract;
in negligence (for failing to maintain information);
for engaging in misleading conduct (if you make misleading representations regarding privacy or your businesses’ technology and information management systems);
for defamation (if a breach adversely affects someone’s reputation); and
criminal prosecutions (for example unauthorised access to computers, electronic stalking & harassment or unauthorized surveillance).
Perhaps the most serious risk is damage to your organisation’s brand and reputation. If your clients lose confidence in your ability to manage their personal information the damage is likely to be serious and in professions or industries, irreparable.
A pro-active approach to managing personal information carefully and using all practical means of protecting it from unauthorised disclosure is absolutely necessary not only to comply with the law but to protect and preserve your brand.
What can the OIAC do?
The new powers the OAIC have been given under the Privacy Act are based an escalation model:
Encouraging Compliance Ü Investigating Ü Enforcement / Punishment
The OAIC has powers to work with an entity to encourage compliance and best practice privacy protections.
The OAIC can request an entity, group of entities, body or association (for example insurance, credit providers, telecommunications etc) to develop an Australian Privacy Principles (APP) Code and apply to the Information Commissioner for the Code to be registered.
Once registered the Code becomes legally binding on all organisations it relates to. This will allow industry groups to develop codes that consider their specific industry needs. If an industry or entity fails to develop and register a code the OAIC has the power to impose a Code. This power provides clear incentive for industries and groups to efficiently participate in development of an APP Code which adequately considers factors that affect management of personal information specific to their business type.
The OAIC can also monitor and assess whether personal information is being maintained and handled by an entity in accordance with relevant provisions of the Privacy Act.
Investigating Breaches/ Complaints
A breach of any of the provisions of the Privacy Act by an entity will be considered to be an ‘interference with privacy’. Where such an interference occurs, or is suspected the OAIC can investigate.
The OAIC may undertake preliminary inquiries, hold a hearing or conference and require information to be produced or a person to attend before the Information Commissioner to answer questions under oath. If necessary the OAIC can also refer the complaint to an alternative complaint body for further investigation.
Enforcement / Punishment
Where a complaint has been investigated the OAIC may accept an enforceable undertaking from an entity in relation to actions that will remedy or avoid interferences with privacy. Such an undertaking can be accepted even where no clear breach of the Privacy Act has been established.
If the OAIC determines that an interference with privacy has occurred, or may be occuring it can seek an injunction to prevent further interference from occurring. Where breaches are serious and/or repeated the OAIC can apply to the court for a civil penalty order which can result in fines of up to $34,000 for individuals and $1.7 million for body corporates.
Staying out of trouble with the OAIC
The OAIC has released a draft policy statement that outlines how it intends to apply its new powers. http://www.oaic.gov.au/privacy/privacy-engaging-with-you/previous-privacy-consultations/oaic-s-privacy-regulatory-action-policy/oaic-s-privacy-regulatory-action-policy-draft
The policy is at pains to underscore that the OAIC will encourage voluntary compliance and resort to enforcement only where conciliation and cooperation have failed.
Best Efforts Defence
Before taking any actions the OAIC will “take into account the steps taken by an entity to comply with its privacy obligations”
Report Your Own Breaches
If there is a data breach incident the OAIC will consider whether to launch a Commissioner Initiated Investigation (CII). The OAIC may decide a CII is unnecessary where “an entity voluntarily and proactively notified the OAIC of the incident and can demonstrate that it is responding appropriately to the breach.”
Where there is a complaint, the OAIC will generally investigate – however the stated aim of their investigations is conciliation.
If an entity is cooperative the conciliation ought to be successful relatively quickly.
External Dispute Resolution Schemes (EDRS)
Review and Appeal Rights
You can request the OAIC to review any decision it makes (internal review).
You can make a complaint to the Commonwealth Ombudsman who will consider whether there has been any unfair treatment and can recommend the OAIC reconsider or change its action.
It is possible to appeal to the Federal Court for judicial review where you feel you have not been accorded procedural fairness by the OAIC.
The Administrative Appeals Tribunal is only available to review orders relating to compensation to be paid by or to a government body.