Privacy Commissioner to probe Australian government agencies on compliance

The Office of the Australian Information Commissioner will conduct assessments of government agencies over the coming year to confirm that they are meeting their privacy obligations.

Australian Information and Privacy Commissioner Timothy Pilgrim has said his office will be conducting assessments of Australian government agencies over the next 12 months in accordance with the Office of the Australian Information Commissioner's (OAIC) commitments under the Privacy Act 1988.

Under the nearly 30-year-old Act, the OAIC has the power to conduct an assessment of any business or Australian government agency covered by the Act, both to check how it is handling personal information and to help it understand its privacy obligations.

The assessments are part of the OAIC's Corporate Plan 2017-18, under which the commissioner commits to encouraging agencies and businesses to "respect and protect" the personal information of citizens that they handle.

The plan also details the OAIC's intention to conduct commissioner-initiated inquiries, in which Pilgrim investigates an incident that may be an interference with privacy without first receiving a complaint from an individual.

Over the next 12 months, the OAIC also plans to develop and implement an Australian Public Service (APS) Privacy Governance Code, as well as a "maturity model" and a toolkit that government agencies can use to benchmark and self-assess their privacy compliance performance.

The Corporate Plan, published on Thursday, explains that Pilgrim's office will also work with agencies, particularly the Department of the Prime Minister and Cabinet, to ensure that the Australian government's Public Data Policy Statement is implemented in a way that upholds the highest standards of privacy for individuals.

In an effort to ensure Australians are told when their privacy has been breached, the federal government finally passed data breach notification laws in February, at its third attempt. Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, the scheme commences in February 2018, after which affected individuals and the OAIC must be notified when personal information is accessed or disclosed without authorisation, or lost.

The scheme is restricted to incidents involving personal information, credit reporting information, credit eligibility information, and tax file number information where a reasonable person would conclude the breach is "likely to result in serious harm" to the individuals concerned.

The notification requirements apply only to entities already covered by the Privacy Act, so intelligence agencies, small businesses with an annual turnover of less than AU$3 million, and political parties are exempt from disclosing breaches.

In preparation for the scheme's commencement, the OAIC said it will develop guidance and support tools to help businesses and government agencies comply fully, and will also educate the community about the commencement and operation of the data breach scheme.

The commissioner's office will gauge public awareness by the increase in media and social media mentions of privacy rights, the plan explains.

Under another internal performance measure, the OAIC has set itself a target of finalising 80 percent of the data breach notifications it receives within 60 days.

Also flagged in the Corporate Plan was the OAIC's intention to continue administering the My Health Records data breach notification scheme, and, over the next year, to review the privacy guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs issued under s135AA of the National Health Act 1953, as well as the Privacy (Credit Reporting) Code 2014.