New laws open door for ACT information privacy commissioner

The Australian Capital Territory's new information privacy laws, which came into effect today, open the door for the appointment of an information privacy commissioner for the territory.

The Australian Capital Territory (ACT) is making moves to appoint an information privacy commissioner, following the introduction of the territory's new Information Privacy Act 2014 (ACT), which came into effect today.

The new legislation is aimed at regulating how personal information is handled by ACT public sector agencies, and includes a set of Territory Privacy Principles (TPPs) that are similar to the Australian Privacy Principles (APPs) introduced with the changes in March to the federal privacy laws.

"It requires agencies to protect personal information and manage it in a responsible, transparent, and balanced way," said ACT Attorney-General Simon Corbell. "At the same time, the Information Privacy Act supports the efficient delivery of services to Canberrans by the ACT government."

Section 5 of the new ACT-specific Act says, "The Executive may appoint a person as information privacy commissioner".

The Act stipulates that a proposed information privacy commissioner would not be appointed for longer than seven years. However, it also said that a person can be reappointed to a position if he or she is eligible to be appointed to the role.

The information privacy commissioner's role, according to the Act, is to promote an understanding of the TPPs and their objectives; provide information and educational programs to promote the protection of individuals' privacy; help public sector agencies to comply with the TPPs; and investigate privacy complaints.

"The TPPs will guide the protection of personal information by ACT agencies, and underpin the sharing of information within an appropriate framework," said Corbell. "In particular, the principles place additional emphasis on the proactive design and implementation of practices, procedures, and policies for the management of personal information.

"The Act also establishes a system for the handling of privacy complaints by the independent information privacy commissioner," he said.

At present, under an arrangement between the ACT government and the federal government, the Australian Information Commissioner is exercising some of the functions of the ACT Information Privacy Commissioner.

These responsibilities include handling privacy complaints against, and receiving data breach notifications from, ACT public sector agencies, and conducting assessments of ACT public sector agencies' compliance with the Information Privacy Act.

Australian Privacy Commissioner Timothy Pilgrim said that the first priority for ACT public sector agencies under the new Act will be to make sure their privacy policies are up to date.

"We will work with ACT public sector agencies to assist them to implement the new principles across government," he said. "We will be expecting agencies to take steps to update their privacy policies to ensure that they meet the requirements of the TPPs.

"The OAIC [Office of the Australian Information Commissioner] welcomes the introduction of these new laws and principles that promote responsible and transparent handling of personal information by public sector agencies and contracted service providers," he said.

Until now, ACT public sector agencies had been covered by the Privacy Act 1988 (Cth), but the territory chose to introduce the ACT-specific TPPs when federal privacy laws changed in March this year.

The areas the TPPs cover include the open and transparent management of personal information, the collection and notification of collection of personal information, the use and disclosure of personal information, and the access and correction of personal information.

The federal government's reforms to the nation's privacy laws came into effect on March 12, and apply to Australian government agencies, private sector businesses, and not-for-profit organisations covered by the Privacy Act 1988.