Development and implementation of Australian Public Service Privacy Governance Code among key 2017-18 priorities for OAIC
The Office of the Australian Information Commissioner (OAIC) has released its Corporate Plan for 2017–18, outlining its priorities and key success factors. During 2018, the implementation of the Notifiable Data Breaches scheme, the Australian Public Service Privacy Governance Code, the implications of the EU General Data Protection Regulation requirements and the review of the Credit Reporting Code will be key priorities for the OAIC’s privacy role.
The OAIC will also publish a regulatory action policy, and deliver more tools and guidance for Australian Government agencies on compliance with the Freedom of Information Act 1982. In 2017–18 the OAIC plans to trial an early resolution process to support more efficient processing of privacy complaints.
On 18 May 2017, the OAIC announced the development of the Australian Public Service (APS) Privacy Governance Code. The Code will be developed by the OAIC, in collaboration with the Department of Prime Minister & Cabinet (PM&C). It will play a key role in building public trust in the APS, support the Australian Government’s public data agenda and enhance privacy governance and capability.
The Code will apply to all Australian Government agencies subject to the Privacy Act 1988. The Code sets out requirements for agencies, such as having a privacy management plan, appointing a designated privacy officer, undertaking a written Privacy Impact Assessment (PIA) for all ‘high risk’ projects or initiatives that involve personal information, and keeping a register of all PIAs conducted and making this available to the OAIC on request.
The Code is expected to play a key role in building public trust in the APS, support the Australian Government’s public data agenda and enhance privacy governance and capability. The OAIC will provide resources to support the transition to the Code, and will monitor the success of implementation and its effect on building privacy management capability. The OAIC will also develop a maturity model to help agencies self-assess their privacy compliance under the APS Privacy Code.
During 2017–18 the OAIC will also conduct assessments of Australian Government agencies. Targeted assessments will be conducted in the areas of national security, identity management, the data retention scheme, digital health and the enhanced welfare payment integrity data matching program.
In 2017–18 the OAIC will prepare for the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (the Notifiable Data Breaches scheme) on 22 February 2018. From February 2018, businesses and agencies with existing obligations under the Privacy Act will be required to notify the individuals whose personal information is involved in a data breach which, as described in the legislation, is ‘likely to result in serious harm’. There is also a requirement to notify the OAIC.
The OAIC will develop guidance and support tools for businesses and Australian Government agencies in relation to the Notifiable Data Breaches scheme and the My Health Records data breach notification scheme, and will provide information to the community about the commencement and operation of the Notifiable Data Breaches scheme.
The OAIC will continue to administer the legislated My Health Records data breach notification scheme. The Australian Government is in the process of extending the My Health Record to all Australians, unless they choose to opt out.
The changes to the My Health Records Act 2012 in relation to notifying data breaches took effect on 1 March 2016. The changes removed ambiguity to make clear that entities participating in the My Health Record system (i.e. the My Health Record System Operator, registered repository operators, registered portal operators and registered contracted service providers) must notify the Australian Information Commissioner and/or the System Operator of potential and actual data breaches. Entities that do not comply with this obligation may be subject to a civil penalty of up to 100 penalty units ($21,000 for individuals and $105,000 for bodies corporate).
During 2017, the OAIC will also review the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs under s135AA of the National Health Act 1953.