The Office of the Australian Information Commissioner (OAIC) announced on 26 May 2021 that it is undertaking an assessment of compliance with section 15.1 of the Privacy (Australian Government Agencies – Governance) Code 2017 (Code).
What is the Code?
The Code was made under section 26G of the Privacy Act 1988 (Privacy Act). It applies to all Commonwealth agencies that are subject to the Privacy Act (excluding Ministers).
The Code is limited to addressing governance issues relating to compliance with the Privacy Act, including the Australian Privacy Principles (APPs). Accordingly, the focus of the Code is on APP 1, which sets out the core requirements for regulated entities to manage personal information in an open and transparent way. In particular, APP 1.2 requires entities to take positive steps, which should be documented, to both establish and maintain internal practices, procedures and systems that comply with the APPs.
Given its focus, the Code has four specific objectives, as set out in section 6:
What is the OAIC assessing?
The OAIC’s assessment is limited to considering compliance with section 15.1 of the Code. That section requires each regulated agency to maintain a register of its Privacy Impact Assessments (PIAs) and to publish that register on its website.
Under section 12.1 of the Code agencies must conduct a PIA for all “high privacy risk” projects. Section 12.2 provides that a project may have a high privacy risk if it involves new or changed ways of handling personal information that are likely to have a significant impact on privacy.
A PIA assesses the impact that the project might have on privacy and makes recommendations for mitigating, or where possible eliminating, that impact. PIAs must be documented. There are many high-profile examples of PIAs undertaken by agencies, including the PIA undertaken by the Department of Health in relation to the COVIDSafe app.
Carrying out PIAs in appropriate circumstances is a key part of ensuring best practice privacy management by agencies. Accordingly, establishing appropriate policies to determine when PIAs are required is a necessary element of compliance with APP 1.2. There is little doubt that the value PIAs add to the identification and management of privacy risks is the reason for the OAIC’s focus on compliance with section 15.1 of the Code in this assessment.
The OAIC’s assessment will occur under section 33C(1)(a) of the Privacy Act. This means that the assessment may occur in any manner that the Australian Information Commissioner sees fit (see section 33C(2) of the Privacy Act). The OAIC has determined that it will undertake its assessment of compliance with this requirement by carrying out a desktop review of agencies’ websites.
What does this mean for agencies?
The OAIC provides significant support to help agencies comply with the Code. For example, the OAIC makes available many useful resources on its website, not only to assist agencies in undertaking PIAs but also to assist in compliance with other requirements of the Code, such as resources for Privacy Officers and an interactive privacy management plan.
The OAIC’s assessment will assist agencies in determining whether they are meeting the requirements of the Code concerning PIAs but will also assist the OAIC in determining whether further support for agencies in this area is required.