Framework aims to embed privacy culture in Australian organisations

The Office of the Australian Information Commissioner (OAIC) has launched a new privacy management framework in a bid to encourage organisations to embed sound privacy practice into their operations.

The new framework, which was launched on Monday to coincide with Privacy Awareness Week (PAW) 2015, outlines four steps that the OAIC wants organisations to employ in order to ensure good privacy governance: Embed a culture of privacy enabling compliance; establish robust and effective privacy processes; evaluate privacy processes for continued effectiveness; and enhance responses to privacy issues.

It comes just over a year after reforms to Australia's privacy laws came into effect in March 2014, with the changes applying to Australian government agencies, private sector businesses, and not-for-profit organisations covered by the Privacy Act 1988.

With the reforms came the Australian Privacy Principles (APPs), which replaced the National Privacy Principles and Information Privacy Principles, and apply to organisations and Australian government agencies.

In an assessment of the online privacy policies of 20 organisations operating in Australia, including Twitter, Microsoft, Instagram, and Westpac, the OAIC revealed that 55 percent of the organisations' policies did not meet one or more of the basic content requirements under APP 1, which requires organisations and agencies to have a privacy policy that is clearly expressed and up to date.

While all the policies assessed adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected, said the OAIC.

However, all 20 organisations had privacy policies that were easy to find on their websites, and all privacy policies adequately described the kinds of personal information each organisation collects and how it is collected, the OAIC said.

The release of the new framework sees the OAIC move to shift its focus away from law reform implementation to a broader strategic view, and ongoing privacy awareness and enforcement.

Australian Information Commissioner Timothy Pilgrim, who spoke at the PAW event launching the new framework in Sydney on Monday, said that embedding good privacy practice into daily business processes would help organisations respond to change and implement best privacy practice.

"I expect all organisations that have responsibilities under the Privacy Act to make a commitment to implement this framework," said Pilgrim. "This will put organisations in the best position to address privacy challenges head on, meet their obligations under the Act, and ultimately get ahead of the game."

While Pilgrim hopes the new framework will help both government and non-government sectors in Australia to develop best practice information privacy cultures within organisations, the head of policy for Facebook in Australia and New Zealand Mia Garlick said that the social network looks to Europe for its privacy policy guidance.

"It's very hard for us to segment the product based on jurisdiction, so we really need to want to encourage a global perspective on policy," said Garlick, who spoke at the PAW business breakfast. "For us, we adopt a European standard of privacy ... and we try to apply that as much as we can across the world."

However, Garlick revealed that this approach was not a perfect fix, with Facebook having to turn off some information-gathering features of its service in certain regions.

"The ideal is that there is one global standard, but sometimes that is just not possible," she said.

Additionally, Mark Burdon from TC Beirne School of Law at the University of Queensland suggested that Australia needs to compile a deeper reservoir of legal rulings around information privacy issues from which policy makers and organisations alike can draw legal guidance.

"One of the difficulties that we have in Australia is that we just don't have enough jurisprudence," said Burdon. "We need more cases to get to the courts so the courts can consider the kinds of issues.

"We haven't really had that deep sense from a jurisprudential perspective of what is personal information, and more importantly what should be personal information," he said.

According to new research by professional services firm Deloitte, the majority (67 percent) of Australians consider their credit card details to be the personal information they are most concerned about being subject to an information breach.

Deloitte Australia's inaugural Australian Privacy Index, also launched on Monday to coincide with PAW 2015, revealed that other major sources of breach concern for Australian consumers were passport numbers (46 percent) and driver licence numbers (43 percent).

The study, which was informed by more than 1,000 surveyed individuals, also found that the banking and finance, and government sectors were the top two most trusted industry areas by consumers when it comes to safeguarding personal information.

The study suggested that transparency played a key role in how trustworthy an industry sector appears to consumers, with the media, telecommunications, and travel and transport sectors claiming the bottom three places in the overall Privacy Index 2015 ranking, which rated 11 industries in total.

Curiously, social media ranked third, just below banking and finance, with Deloitte suggesting that the industry's minimal use of third-party cookies compared to other industries such as retail, and its moves towards greater transparency, helped to buoy its place on the list.

This comes despite social media and the telecommunications sectors collectively accounting for 58 percent of the consumer complaints regarding privacy.

Another unexpected result from the study was the discovery that good data breach disclosure practices resulted in over a third (34 percent) of respondents claiming to have more trust in the organisations that had experienced a breach of personal information, rather than less.

"It is critical that as organisations derive benefit from personal information, the consumer is kept informed about the use and any changes to their data," said Cyber Risk Services director and key author of the inaugural Deloitte Australian Privacy Index Gavin Cartwright.