Australia’s privacy landscape is undergoing a transformation. The Australian Law Reform Commission has called for reforms including updating and redrafting the Privacy Act; strengthening and clarifying the privacy commissioner’s powers and functions, and enhancing privacy surrounding e-health and credit reporting data, among other provisions.
Privacy Commissioner Timothy Pilgrim was appointed to a five-year term last July. Amidst plans for broad reforms, Pilgrim has been busy investigating the recent Vodafone, addressing cloud computing and drafting guidelines about fingerprint scanners increasingly used at Australian pubs and clubs. His office was integrated into the Office of the Australian Information Commissioner (OAIC) in November.
Pilgrim says he takes a “proactive approach” to regulating compliance and consults regularly with relevant stakeholders to establish compliance priorities.
In this Privacy Advisor Q&A, Pilgrim discusses his first few months on the job and what can be expected as the privacy landscape continues to shift.
Privacy Advisor: How would you describe your approach to enforcement?
Timothy Pilgrim:
Education is key to an effective enforcement regime. The first step toward an Australian culture that values and respects privacy is to educate individuals about their privacy rights and organisations and agencies about their privacy responsibilities. I regularly accept opportunities to communicate directly with privacy professionals across government and the private sector. The OAIC also publishes a wide range of guidance material and runs promotional campaigns, including the annual Privacy Awareness Week (PAW).
We generally adopt a conciliation-focused approach to complaints we receive from individuals about the handling of their personal information. However, for particularly serious privacy breaches, or where conciliation is not appropriate, I am prepared to use my power to make determinations directing how complaints should be resolved. My determinations are enforceable in the federal court.
An effective regulator takes a proactive approach to compliance. I consult regularly with key stakeholders and privacy regulators in other jurisdictions to discuss emerging privacy issues and trends. These discussions assist us to identify our compliance priorities.
When I become aware of an act or practice that may be an interference with privacy, I can initiate an investigation into it—this is known as an “own motion” investigation. In these cases, I focus on working with the relevant organisation or agency to improve its practices and procedures to ensure ongoing compliance with the Privacy Act. An example of this was the office’s investigation into Google's collection of unsecured WiFi payload data in Australia using Street View vehicles.
We also conduct regular audits of the privacy practices of Australian and ACT government agencies and credit reporting agencies and publish audit results on our website. The Privacy Act 1988 (Cth) does not empower me to audit private-sector organisations. The Australian government has announced that it intends to legislate to give me this power.
Privacy Advisor: How does the establishment of the Office of the Australian Information Commissioner impact the development of enforcement approaches, privacy policy and enforcement?
Timothy Pilgrim:
Although the former Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner on 1 November 2010, it is “business as usual” for the regulation of personal information-handling in Australia. Our vision remains for an Australian community in which privacy is valued and respected. The office will continue to focus on education and proactive compliance to help Australian organisations and agencies mitigate privacy risks at the outset. We will also continue our conciliation-focused approach to complaints-handling to ensure that, where possible, privacy disputes are resolved swiftly, fairly and to the satisfaction of both parties.
While it may appear to some that privacy and freedom of information are fundamentally opposed, they are, in fact, complementary information rights that underpin our representative democracy. Government information is a national resource, and an individual’s right to access government information is an important way of increasing scrutiny and review of government activities. Equally, in a democracy, individuals have the right to control how their personal information is handled. The office’s role is to protect individuals’ information rights and advance information policy in Australia.
Similar powers exist for the enforcement of both the Privacy Act and the Freedom of Information Act 1982 (Cth), for which the office has responsibility. To take advantage of this, the office has adopted an integrated structure with its three branches—compliance, policy and operations—having responsibilities in both the privacy and freedom of information areas.
Privacy Advisor: How would you describe your approach to consultation with stakeholders; i.e., government agencies, business and interest groups?
Timothy Pilgrim:
The office values the input it receives from government agencies, businesses and interest groups. Engagement with stakeholders is essential to informing the office’s approach to key privacy issues. The office has a long history of involving stakeholders when developing guidance and when informing itself of emerging privacy issues.
I regularly meet with privacy contact officers from Australian and ACT government agencies and with privacy and consumer advocates so that I remain aware of privacy issues affecting the Australian community. I also meet regularly with the Privacy Advisory Committee, which is established under the Privacy Act to provide us with advice and to assist us to engage in community education and consultation. The committee has members with expertise in a wide range of areas, including business, government, the trade union movement, promotion of civil liberties and electronic data processing.
The office also collaborates with privacy regulators across the region and throughout the world through the Organisation for Economic Co-operation and Development (OECD), Asia Pacific Economic Cooperation (APEC), the Asia Pacific Privacy Authorities Forum and the International Conference of Data Protection and Privacy Commissioners. The office is a foundation member of the OECD’s Global Privacy Enforcement Network, which is designed to facilitate cross-border cooperation in the enforcement of privacy laws, and APEC’s Cross-Border Privacy Enforcement Arrangement, which provides a framework for privacy regulators to cooperate and to seek information and advice from each other on cross-border enforcement matters. As well as facilitating cross-border privacy enforcement, these bodies provide a valuable opportunity for the office to share knowledge with its international counterparts about emerging privacy issues.
Privacy Advisor: What is your prognosis for the rewrite of the Privacy Act; i.e., timetable for exposure draft legislation, introduction of bills, passage and commencement date?
Timothy Pilgrim:
In the Australian system of government, the privacy commissioner is not responsible for reforming the Privacy Act. The Privacy Act may only be amended by the parliament.
In May 2008, the Australian Law Reform Commission (ALRC) completed its two-year inquiry into the Privacy Act with the delivery of its final report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108), to the Australian government. Given the large number of recommendations in ALRC Report 108, the government decided to respond to it in two stages. The first stage outlines the government’s position on 197 recommendations and includes:
- a new set of privacy principles, which will cover both the public and private sectors (currently, the Information Privacy Principles cover the Australian and ACT governments and the National Privacy Principles cover the private sector)
- provisions introducing more comprehensive credit reporting
- provisions relating to the protection of health information
- provisions to strengthen the privacy commissioner’s powers to conduct investigations, resolve complaints and promote compliance with the Privacy Act.
The government has proposed that draft legislation to effect these changes be written and referred to a senate committee for public consultation and final report by 1 July 2011. The government then proposes to introduce legislation progressing these reforms in the second half of 2011.
Once the government’s first-stage response has been progressed, it will consider the remaining 98 recommendations in ALRC Report 108. These include:
- proposals to clarify or remove certain exemptions from the Privacy Act
- introducing a statutory cause of action for serious invasion of privacy
- serious data breach notifications
- privacy and decision-making issues for children and authorised representatives
- handling of personal information under the Telecommunications Act 1997 (Cth)
- national harmonisation of privacy laws (partially considered in stage one).
Privacy Advisor: Do you see mandatory breach notification coming to fruition in Australia? What is happening currently with the ALRC’s review of proposed privacy laws?
Timothy Pilgrim:
There is currently no requirement in the Privacy Act that organisations or agencies notify individuals whose personal information has been compromised. In ALRC Report 108, it was recommended that the Privacy Act be amended to require organisations and agencies to notify our office and affected individuals if there is a data breach that gives rise to a real risk of harm to individuals. Our office supported this recommendation. The government has stated that it will consider this issue as part of its second-stage response to ALRC Report 108.
In 2008, our office published the Guide to Handling Personal Information Security Breaches. The guide incorporates illustrative examples which assist organisations and agencies to decide whether notification is an appropriate response to a personal information security breach. In general, if there is a real risk of serious harm as a result of a breach, it is best practice for the affected individuals to be notified. Notification can operate as an important mitigation strategy for individuals and can promote transparency and trust in the organisation or agency.