Precedent (Australian Lawyers Alliance)
ORGANISATIONAL ACCOUNTABILITY KEY TO PROTECTING PRIVACY
By Sarah Ghali
Research commissioned by the Office of the Australian Information Commissioner (OAIC) shows that the community overwhelmingly wants more to be done to protect their privacy rights.
According to the 2020 Australian Community Attitudes to Privacy Survey (ACAPS), privacy is a major concern for 70 per cent of Australians, and 87 per cent want more choice and control over how their personal information is handled. The survey also found that in the previous 12 months nearly 60 per cent of Australians had experienced a problem with the handling of their personal information.[1]
The OAIC considers that strong data protection and privacy rights are necessary to uphold our human right to dignity in the digital age, and are also a precondition for consumer confidence, economic growth and the meeting of other societal objectives such as the protection of health, safety and security. This was a central focus of our submission to the review by the Attorney-General’s Department (the Department) of the Privacy Act 1988 (Cth) (Privacy Act).[2]
Privacy controls and practices that live up to community expectations will create the trust and confidence that is needed for the public to engage in the data-driven economy and to access services, while enabling innovation and growth by both government and business. However, the flexibility to innovate that is necessary for a strong Australian digital economy needs to be paired with greater accountability for how personal information is handled through the law.
ACCOUNTABILITY AT THE CENTRE
As the Department considers reforms to the Privacy Act that will support Australia’s privacy framework into the future and restore trust and confidence in the handling of personal information in the digital age, the OAIC has called for the Privacy Act to have fairness and accountability at its centre.[3]
Accordingly, the OAIC recommends that the Privacy Act be amended to include enhanced organisational accountability requirements,[4] to ensure that entities regulated by the Act implement actions and controls that demonstrate their compliance with the privacy regulatory framework. We believe this is an important step and will explore it in more depth in this article.
Enhanced organisational accountability measures are also necessary to support other proposed reforms to Australia’s privacy framework. For instance, we consider that reforms to privacy self-management mechanisms, such as notification and consent requirements, should be complemented by appropriate organisational accountability obligations to ensure that the burden of understanding and consenting to complicated practices does not fall solely on individuals.
We also recommend a broader change to the Privacy Act to require a new standard or benchmark of fair and reasonable handling of personal information when it is collected, used and disclosed.[5] We see a need for this new baseline for privacy practice that meets community expectations and helps to restore trust, requiring entities not just to collect information by fair and lawful means – as is the current legal test – but to collect, use and disclose it fairly and reasonably. Assessing whether personal information-handling practices are fair and reasonable will rely on effective organisational accountability practices.
Accountability under the Privacy Act
What do we mean by ‘organisational accountability’? Accountability is globally recognised as a key building block for effective privacy regulation and management.[6] While the concept of ‘accountability’ can mean different things in different contexts, for the present purposes it can be described broadly as the different actions and controls that an entity must implement in order to comply, and demonstrate compliance, with the privacy regulatory framework.
The concept of accountability focuses on whether a regulated entity has translated its privacy obligations into internal privacy management processes that are commensurate with, and scalable to, the risks and threats associated with its personal information-handling activities.[7] This is a crucial element of good privacy practice.
The specific measures that an entity should implement as part of its privacy management program will necessarily depend on its particular circumstances, including its size, resources and business model.
Accountability is at the core of Australian Privacy Principle (APP) 1 in Schedule 1 of the Privacy Act, which requires entities to manage personal information ‘in an open and transparent way’. APP 1 does this in two key ways, by:
• requiring entities to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs (APP 1.2); and
• requiring entities to have a clearly expressed and up-to-date APP privacy policy describing how they manage personal information (APP 1.3).[8]
By embedding strong accountability measures, entities can build a reputation for strong and effective privacy management, which is essential for realising the benefits of the personal information they hold and meeting their corporate social responsibilities.
The OAIC has published a suite of guidance materials to assist entities to embed strong accountability measures and implement a ‘privacy by design’[9] approach. Essentially, this is an approach where privacy compliance is part of the initial design of projects, activities and initiatives dealing with personal information, and then is included throughout the information lifecycle, rather than being bolted on afterwards.
The OAIC’s guidance materials include:
• a privacy management framework;[10]
• a privacy management plan template for organisations[11] and agencies;[12]
• a guide to undertaking privacy impact assessments (PIAs);[13]
• a privacy impact assessment tool;[14] and
• a privacy impact assessment e-learning course.[15]
We currently encourage entities to adopt a best practice approach which, together with effective communication and community engagement strategies, can help to ensure that the handling of personal information is both compliant with privacy laws and meets community expectations.
THE PRIVACY ACT REVIEW
The Department’s current review of the Privacy Act provides an opportunity to strengthen the existing legislative requirements around organisational accountability and responsibility.
A key theme from submissions made to the Issues Paper was the need for additional protections in relation to the collection, use and disclosure of personal information so that individuals can be confident that when they engage with entities the law will protect them from harm and their information from misuse.[16]
Several submissions supported introducing further organisational accountability measures into the Privacy Act, including expanding the circumstances in which APP entities must conduct a PIA.[17] While requiring APP entities to adequately identify and mitigate privacy risks where they engage in certain activities has a role within the privacy framework, additional accountability measures should not be limited to the episodic and project-specific conduct of PIAs.[18]
Rather, we consider that a holistic, demonstrable and ongoing approach to accountability is critical to address current and emerging privacy risks and mitigate harms associated with personal information handling. The focus of all regulated entities should be on the quality, reliability and verifiability of a holistic and ongoing privacy management program supported by a legislated framework that addresses privacy risks throughout the information-handling lifecycle.
Consequently, we recommend that the Privacy Act be amended to include similar accountability measures to those required under the European General Data Protection Regulation[19] and the Privacy (Australian Government Agencies – Governance) APP Code 2017,[20] including an express obligation to undertake a ‘privacy by design’ approach.
While the Privacy Act recognises that ‘the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities’,[21] the APPs do not, of themselves, specifically encourage entities to consider ways to achieve their objectives that are less privacy intrusive.
Good organisational accountability involves going beyond a check-box exercise of compliance with the APPs. It requires entities to consider how their information-handling activities will impact individuals, and to mitigate against foreseeable privacy risks and harms.
Organisations should be asking: even if a proposed activity is permitted from a compliance perspective, is the activity fair and reasonable in the circumstances?
The community often expects more from companies than is currently required by the Privacy Act. Requiring entities to act fairly and reasonably is about ensuring that entities consider the impact on individuals when handling their personal information. To enable that to happen, entities need to have the necessary structures, policies and procedures in place to properly identify and assess those impacts, which is where strong accountability measures are critical.
We consider that an express requirement in APP 1 to implement a privacy by design approach, combined with the proposed requirement to handle personal information fairly and reasonably, will facilitate positive privacy outcomes by specifically requiring entities to consider how their activities will impact individuals and whether there are less privacy intrusive options for new projects, activities or initiatives.
The objective of enhancing the accountability of APP entities for their personal information-handling practices would similarly be supported by a requirement to appoint a privacy officer or privacy officers. Appointing a privacy officer is a key governance measure to foster a culture of respect for privacy and the value of personal information. This officer would be the first point of contact for privacy matters within an entity and would be responsible for ensuring that day-to-day operational privacy activities are undertaken.[22]
We consider that these reforms will provide further clarity to entities about the steps they should take to meet their ongoing compliance obligations under APP 1, enhancing the existing accountability requirements and increasing trust in personal information-handling activities.
ORGANISATIONAL ACCOUNTABILITY OR PRIVACY SELF-MANAGEMENT?
Why are we seeking a shift towards organisational accountability rather than the onus being on individuals to understand and consent to personal information-handling practices? Surely, if the user is informed of all the consequences, this would empower them to make the ultimate decision about how their personal information is used?
In reality, in emphasising increased organisational accountability we are not devaluing the roles of notice and consent – just recognising their limitations. Consent does have a role to play, but for it to be meaningful, individuals need to be provided with genuine, inherently fair choices regarding how their personal information will be handled. Meaningful consent also requires an individual to be properly and clearly informed about how their personal information will be handled, so that they can decide whether to give consent.
Privacy policies are intended to help individuals understand what will happen to their information and to support informed consent. Yet according to the ACAPS privacy survey only 31 per cent of people normally read online privacy policies, with many avoiding them because they are too long or complex. For example, recent research shows that social media privacy policies run at an average of more than 6,000 words.[23] More than half of the people who do read those policies say they are not confident they have understood them.[24] An individual’s ability to understand how their personal information will be handled in order to provide informed consent in these circumstances is limited.
Entities in the digital economy are collecting more information than ever before, and many are basing their business model around the collection and disclosure of personal information.[25] Data handling is becoming increasingly complex, making it difficult for individuals to understand everything that is happening with their information. A large proportion of all school, work and social activities are taking place in the online environment, which means that individuals cannot opt out of digital services if they want to continue engaging meaningfully in society.
So it is neither realistic nor fair to expect individuals to absorb long and technical policies, decipher complex practices, and give their meaningful agreement in all cases, and such an expectation does impact consumer trust and confidence. The burden of understanding and consenting to complicated practices should not fall on individuals alone. Further, we should not rely solely on a notice and consent framework as the solution for data protection.
If we raise the standard of data handling in Australia through the enhanced obligations outlined above, individuals can have greater confidence that they will be treated fairly, no matter how they choose to engage with a service. Ideally, this would prevent consent being used to legitimise handling of personal information in a manner that, objectively, is unfair or unreasonable.
CONCLUSION
Strong accountability mechanisms facilitate compliance with privacy obligations and can also improve business productivity and help to develop more efficient business processes by, among other things, providing certainty and confidence for employees around the appropriate way to handle personal information. This reduces the number and cost of data breaches and improves overall operational efficiencies.[26]
Entities with established internal processes are also better able to anticipate and adapt to different business and regulatory changes, as well as to crisis situations.[27] Accountability enables entities not only to meet the expectations of regulators but also to build consumer trust and confidence in their personal information-handling practices.
More broadly, we consider that our suggested amendments to the Privacy Act, as outlined above, will create a fairer data environment, rewarding organisations with good organisational accountability practices that demonstrate a genuine interest in the impacts of their practices on the individual.
The OAIC’s message to the legal community is that organisations are increasingly aware of the reputational risks relating to data handling, even where they are technically complying with the Privacy Act. As lawyers, you are already aware of these issues and are asking not just ‘could we’ but ‘should we’ when it comes to advising client organisations on their activities involving personal information. The potential reputational harms stemming from the handling of personal information in ways that do not meet community expectations are a risk to your clients.
Requiring entities to be accountable for their personal information-handling practices, and to act fairly and reasonably both now and into the future, is about ensuring that the best interests of individuals are considered when handling their personal information to achieve organisational objectives. Ultimately, that is in the public interest of all Australians.
Sarah Ghali is Principal Director, Regulation and Strategy Branch, of the Office of the Australian Information Commissioner.
[1] Office of the Australian Information Commissioner (OAIC), Australian Community Attitudes to Privacy Survey 2020 (Survey, September 2020) <https://www.oaic.gov.au/engage-with-us/research/>.
[2] OAIC, Privacy Act Review – Issues Paper (Submission, 11 December 2020) <https://www.oaic.gov.au/assets/engage-with-us/submissions/Privacy-Act-Review-Issues-Paper-submission.pdf>.
[3] Attorney-General’s Department, Review of the Privacy Act 1988, <https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988>.
[4] OAIC, above note 2, 101–2.
[5] Ibid, 87–8.
[6] Centre for Information Policy Leadership (CIPL), What Good and Effective Data Privacy Accountability Looks Like: Mapping Organisations’ Practices to the CIPL Accountability Framework (Report, May 2020) 35, <https://www.informationpolicycentre.com/cipl-2020-accountability-mapping-report.html>.
[7] See P Leonard, Privacy Harms: A Paper for the Office of the Australian Information Commissioner, Data Synergies, June 2020, 47, <https://www.oaic.gov.au/assets/privacy/the-privacy-act/research-papers/Privacy-Harms-Paper.PDF>.
[8] Privacy Act 1988 (Cth), sch 1.
[9] A Cavoukian, ‘Privacy by design: The 7 foundational principles’, Information and Privacy Commissioner of Ontario, <https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf>.
[10] OAIC, ‘Privacy management framework: Enabling compliance and encouraging good practice’ (4 May 2015) <https://www.oaic.gov.au/privacy/guidance-and-advice/privacy-management-framework-enabling-compliance-and-encouraging-good-practice/>.
[11] OAIC, ‘Privacy Management Plan template (for organisations)’ (16 May 2016) <https://www.oaic.gov.au/privacy/guidance-and-advice/privacy-management-plan-template-for-organisations/>.
[12] OAIC, ‘Interactive Privacy Management Plan (for agencies)’ (19 July 2018) <https://www.oaic.gov.au/privacy/guidance-and-advice/interactive-privacy-management-plan-for-agencies/>.
[13] OAIC, ‘Guide to undertaking privacy impact assessments’ (4 May 2020) <https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-undertaking-privacy-impact-assessments/>.
[14] OAIC, ‘Privacy Impact Assessment Tool’ (May 2020) <https://oaic.gov.au/pia-tool>.
[15] OAIC, ‘e-learning: Undertaking a privacy impact assessment’ (15 May 2017) <https://www.oaic.gov.au/privacy/training-resources/e-learning-undertaking-a-privacy-impact-assessment/>.
[16] Submissions made to the Review of the Privacy Act 1988 Issues Paper have been published on the Attorney-General’s website: <https://www.ag.gov.au/integrity/publications/submissions-received-review-privacy-act-1988-issues-paper>.
[17] See for example submissions to the Issues Paper from Salinger Privacy, <https://www.ag.gov.au/sites/default/files/2020-12/salinger-consulting-pty-ltd.PDF>; ElevenM, <https://www.ag.gov.au/sites/default/files/2021-02/elevenm.PDF>; Privcore, <https://www.ag.gov.au/sites/default/files/2020-12/privcore-pty-ltd.PDF>; Castan Centre for Human Rights Law, Monash University, <https://www.ag.gov.au/sites/default/files/2020-12/castan-centre-for-human-rights-law-%E2%80%93-monash-university.PDF>; and the Australian Privacy Foundation, <https://www.ag.gov.au/sites/default/files/2021-01/australian-privacy-foundation.PDF>.
[18] P Leonard, above note 7, 61.
[19] Regulation (EU) 2016/679.
[20] OAIC, ‘Privacy (Australian Government Agencies – Governance) APP Code 2017’ (26 October 2017) <https://www.oaic.gov.au/privacy/privacy-registers/privacy-codes-register/australian-government-agencies-privacy-code/>.
[21] OAIC, above note 2, 22.
[22] Ibid, 101.
[23] J Brookes, ‘Social media privacy policies average 6,000 words, difficult to understand, study finds’, which-50.com (25 November 2020) <https://which-50.com/social-media-privacy-policies-average-6000-words-difficult-to-understand-study-finds/>.
[24] Australian Government, Office of the Australian Information Commissioner, Australian Community Attitudes to Privacy Survey 2020, Report prepared by Lonergan Research (Report, 2020) 69–71 <https://www.oaic.gov.au/assets/engage-with-us/research/acaps-2020/Australian-Community-Attitudes-to-Privacy-Survey-2020.pdf>.
[25] See Australian Competition & Consumer Commission, Digital Platforms Inquiry – Final Report (Report, June 2019) 115, 379, 434, <https://www.accc.gov.au/publications/digital-platforms-inquiry-final-report>.
[26] CIPL, above note 6, 7.
[27] Ibid.
URL: http://www.austlii.edu.au/au/journals/PrecedentAULA/2021/54.html