The Office of the Australian Information Commissioner (OAIC) has released the draft Australian Privacy Principles (APPs) Guidelines for public consultation. The guidelines outline how the OAIC will interpret and apply the APPs.
The APPs set out the rules for collection, use, disclosure, access and correction of personal information and replace the National Privacy Principles from 12 March 2014. The APPs will apply to private and public sector organisations.
The OAIC expects to release the guidelines for interpreting the APPs in three tranches. At this stage, the OAIC has released draft guidelines for APPs 1 - 5. Further draft guidance is expected to be released in coming weeks.
Organisations are encouraged to review the draft guidelines and provide feedback to the OAIC within the consultation period which ends on 20 September 2013.
The draft guidelines include a chapter setting out "Key Concepts" which outlines the OAIC’s interpretation of some key words and phrases that are used in the Privacy Act 1988 (Cth) (Privacy Act) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
In that chapter, the OAIC states that the key elements of consent are:
it must be provided voluntarily
the individual must be adequately informed of what they are consenting to
it must be current and specific, and
the individual must have the capacity to understand and communicate their consent.
Bundled consent is where an organisation gets an individual to consent to a wide range of collections, uses and disclosures of personal information through a single affirmative consent. The draft guidelines raise some concerns about organisations' use of bundled consents. Paragraph B.33 of Chapter B states that bundled consents have "the potential to undermine the voluntary nature of the consent" as the individual is not given the opportunity to choose which collections, uses and disclosures they agree to and which they do not. This could mean that bundled consents may not satisfy the key elements of consent set out above.
There may well be practical IT difficulties in refining the use of bundled consents.
Organisations may wish to provide feedback to the OAIC to seek further clarity about the use of bundled consents.
Privacy Commissioner Reviews Website Privacy Policies
On 14 August 2013, the OAIC released the results of its review of privacy policies listed on over 50 websites. In its review, the OAIC assessed the privacy policies for their accessibility, readability and content.
The review found that over 65% of the privacy policies provided information that was not relevant to the handling of personal information, and was potentially confusing.
Starting the Privacy Project
The changes to the Privacy Act commencing in March 2014 require organisations to update their policies and procedures before the start date, and also impose additional ongoing commitments. The Privacy Commissioner has further commented that organisations should commit to conducting a Privacy Impact Assessment for any new project in which personal information will be handled.
Organisations can obtain a better understanding of their information handling practices by completing a simple questionnaire developed by K&L Gates. This survey will identify the information flows and any privacy hot spots within the organisation. This questionnaire can also form part of a Privacy Impact Assessment for any new project.
K&L Gates has developed a Privacy Compliance Checklist which organisations can use to assess their readiness for the privacy reforms and to review compliance with the amended Privacy Act on an ongoing basis after March 2014.