28 February 2014

Privacy Enforcement

A recent post noted the Compliance & Enforcement Priorities statement by the Australian Competition & Consumer Commission, a useful tool for business, consumers and scholars of regulation.

The Office of the Australian Information Commissioner has today released a statement on its "enforcement approach" (implicitly, its priorities).

As you might expect, given that agency's performance, it is vague, but the OAIC is to be commended for actually making a statement after years in which its priorities weren't clear.

Key passages are -
The Office of the Australian Information Commissioner (OAIC) has adopted an enforcement approach to the reforms which recognises that Australian Government agencies and businesses are working hard to implement the new requirements. Our compliance focus in the months following 12 March 2014 will be on working with entities to ensure that they understand the new requirements and have the systems in place to meet them. In resolving matters brought to the attention of the OAIC we will take into account the steps taken by entities to genuinely prepare for the changes and to comply with the new legal requirements.
Central to the OAIC’s enforcement approach is an escalation model that includes a range of regulatory responses.
Individuals will continue to have the right to make a complaint to the OAIC and we will deal with these according to our usual processes. That is, in the first instance, in the case of individual complaints we would expect to see a person try to resolve a matter with the organisation or agency first. If the respondent is a member of a recognised External Dispute Resolution scheme, we would also expect the individual to have first accessed that scheme. If a matter is accepted by us, we will always attempt to resolve issues through conciliation. In relation to Commissioner initiated investigations the OAIC will work with respondent organisations and agencies to resolve the matter.
However, where conciliation or working with entities is not effective, we may use our other tools, including determinations, enforceable undertakings or in the case of serious or repeated breaches, initiating court proceedings for civil penalties. This is consistent with our current practices and the approach of the OAIC for some time.

Indeed, business as usual. No indication about timeliness of response. No indication about vigorous investigation and commitment to publishing reports on inadequate performance by entities that hold personal information. No indication that the OAIC will be proactive rather than reactive.

In practice the statement doesn't go beyond what appears in the Act or in previous indications by the OAIC. It enshrines, as the OAIC itself puts it, "our current practices and … approach".

From a regulatory perspective it is the sort of prioritisation that you have when you don't have much sense of priorities and - to be fair - don't have major resources, although the OAIC might perhaps spend less time and money on promo and more in actively dealing with problems.

A more useful approach would be for the agency to indicate that the OAIC will be concentrating on areas of particular concern, whether on an ongoing or one-off basis. That would require more energy and creativity but we do, after all, pay the OAIC for initiative and smarts rather than corporate self-congratulation.