Pilgrim launches privacy regulatory action policy

Australian Privacy Commissioner, Timothy Pilgrim, addresses the IAPP Privacy Summit 2014.

Privacy Commissioner Timothy Pilgrim has launched a regulatory action policy to shed more light on how his office operates.

“The policy explains the range of regulatory powers available to me and formalises the approach our office will be taking in using these powers,” Pilgrim said at the IAPP ANZ Privacy Summit in Sydney today.

The policy, which can be read here in full, makes no changes to privacy regulation in Australia, he said.

“What it does is provide transparency about our existing approach, making it as clear as possible for organisations what our powers are and what we see as our responsibilities for using them,” Pilgrim said.

For example, he said the policy explains that factors that might lead OAIC to take regulatory action include the seriousness of the situation, whether the organisation has been subject to prior enforcement action, whether conduct relates to a systemic issue, and whether the organisation has taken appropriate steps to remedy the problem.

“In the case of a data breach, this includes whether the organisation attempted to conceal the breach, which will not be looked on well by our office,” he said.

Also towards greater transparency, the Office of the Australian Information Commissioner (OAIC) plans to release a guide to privacy regulatory action, and today is releasing several chapters of an exposure draft for consultation. The guide provides more detail on items in the regulatory action policy, he said.

Pilgrim affirmed that privacy regulation is not going away even with the government’s budget measure to defund the OAIC and establish an Office of the Privacy Commissioner at the start of 2015.

The legislation to ratify that measure, the Freedom of Information Amendment (New Arrangements) Bill, has been passed by the House of Representatives and referred to a Senate committee hearing, which occurred last week. A committee report is expected on 25 November, said Pilgrim.

“We do not know precisely what our fate will be, but what we do know is that it will be business as usual for privacy,” he said.

“There will be a Privacy Act as it is now. There will be a privacy commissioner supported by an office.”

Over the next year, Pilgrim said his office plans to test organisations’ governance frameworks to ensure they have stepped up to comply with the Australian Privacy Principles.

In 2013, the office did a sweep of privacy policies for the top 50 websites by traffic in Australia and discovered that most did not comply with the APP1 section of the principles, which include foundational privacy measures.

In the next 12 months, Pilgrim said his office will conduct “assessments of the websites that we have identified for follow-up action, checking for their compliance with APP1.”

The websites include a range of sectors including finance, telecom and government, he said.

“We will not be singling out a specific sector for attention, but we will bringing our eye to bear on organisations that are the high risk or high-volume users of personal information.”

Adam Bender covers telco and enterprise tech issues for Computerworld and is the author of dystopian sci-fi novels We, The Watched and Divided We Fall. Follow him on Twitter: @WatchAdam

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia