The Australian Government’s open data and digital agenda has sparked renewed debate around privacy, governance and security. As Australia moves towards an open data regime, the Office of the Australian Information Commissioner (OAIC) has flagged the importance of taking an approach that supports ‘privacy by design’.
In this context, on 26 October 2017, the OAIC registered a new APP Code – the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Code). From 1 July 2018, all agencies will be required to comply with the Code. The Code imposes a host of new obligations on agencies with respect to privacy management and governance. Significantly, the Code mandates the conduct of a Privacy Impact Assessment for all ‘high privacy risk projects’.
It is therefore critical that you understand your new obligations under the Code and that you get your data house in order ahead of July next year. Read on to find out how the Code will affect you.
The Australian Privacy Principles (APP 1.2) require agencies to take reasonable steps to implement practices, procedures and systems to ensure compliance with both the APPs and any binding registered APP code. Earlier this year, the OAIC released a draft version of the Code for consultation, noting that the application of a uniform privacy standard across the APS would be critical to ensuring community buy-in for government data sharing activities.
Relevantly, the Code applies to all Departments and incorporated or unincorporated bodies established for a public purpose by or under Commonwealth law (as well as other bodies listed in section 6 of the Privacy Act 1988 (Cth)). The Code is likely to have significant implications for agencies undertaking data sharing and release activities. This is the case even if agencies are already undertaking to comply with guidance such as the OAIC’s Privacy Management Framework and De-identification Decision-Making Framework.
Mandated Privacy Impact Assessments (PIAs)
As noted above, the Code mandates the conduct of a PIA for all ‘high privacy risk projects’. However, the concept of a ‘high privacy risk project’ is sufficiently broad as to capture most (if not all) data sharing and release activities.
A project will be a ‘high privacy risk project’ if an agency reasonably considers that the project involves new or changed ways of handling personal information – where that is likely to have a significant impact on the privacy of individuals. Given that most datasets comprise at least some personal information, there is a high likelihood that any data sharing, release or use initiatives will meet this threshold criteria, including where data has been inadequately de-identified. This applies even if you are de-identifying data for public or limited release – in those circumstances a PIA must be conducted to probe the integrity of the de-identification methodology applied to a particular dataset. Indeed, a release of personal data that has been de-identified will in almost every circumstance constitute a very high risk privacy project. As fast as de-identification techniques are created – techniques to re-identify that data are only a few steps behind.
The characteristics of a PIA should be scalable, to reflect the complexity and size of the project. A PIA will typically require expert examination of public policy and perception issues, relevant laws and legal ramifications, technical issues, and practical and pragmatic recommendations for action and management. Larger PIAs may also require stakeholder engagement and best practice advice around governance and monitoring.
What should you be doing? Agencies should review the types of data-related activities they currently undertake (and will undertake in future) and consider whether a PIA will be required for those activities. For example, moving to the cloud, data sharing and the creation of new platforms to manage applications or processes are all likely to be ‘high privacy risk projects’ for the purposes of the Code.
Privacy management and governance
A key feature of the Code is a requirement for agencies to have a privacy management plan and to designate Privacy Officers and a Privacy Champion as part of an agency’s privacy management and governance framework.
The OAIC has previously prepared guidance on how to prepare a privacy management plan. However, the OAIC is now in the process of developing a privacy management plan template and a privacy self-assessment tool to assist agencies to assess their current privacy practices.
Agencies must also ensure that they formally designate persons as the Privacy Officer and Privacy Champion by reference to a position or role within the relevant agency. The Privacy Officer is the first point of contact for privacy matters within an agency and is responsible for ensuring day-to-day operational privacy activities are undertaken. A Privacy Champion is to be a senior official within an agency who is responsible for leadership activities and engagement that require broader strategic oversight. It is important to note that the Code permits agencies to designate officers as Privacy Officers by reference to a position or role in another agency (and there may be more than one Privacy Officer).
Other requirements in the Code are designed to build internal privacy capability within agencies. Agencies must regularly review and update their privacy practices, procedures and systems to ensure they are appropriate and current. This is particularly important in the face of technological advances and shifting policy. In particular, de-identification methodologies require constant monitoring, to ensure that historical processes are updated if no longer technically adequate.
Agencies must also provide annual privacy education / training for all staff who access personal information in the course of their employment. Similar training must also be provided to all new starters within an agency.
The requirements in the Code are geared towards ensuring agencies comply with their obligations under the Privacy Act, namely to take reasonable steps to implement practices, procedures and systems that ensure compliance with the Australian Privacy Principles when handling personal information. It is also a timely reminder for agencies to start preparing for Australia’s new open data regime. If you have any questions about the Code or what action you can be taking to get your data house in order, please get in touch.
KWM and Galexia bring together a multi-disciplinary data governance practice to give clients a joint service offering that covers the legal and privacy aspects of data sharing and use, data linkage and digital identity. This collaboration gives clients access to a leading provider of Privacy Impact Assessments and privacy management strategies, as well as market-leading strategic advice and legal expertise in respect of data and privacy. Our services are designed to give clients confidence to engage with the new open data economy.