02 July 2018

Australian Government Agencies Privacy Code

The OAIC has announced that The Australian Government Agencies Privacy Code came into effect on 1 July 2018
requiring Australian Government Agencies to move to a best practice approach to privacy governance across the APS, with the ongoing support of the Office of the Australian Information Commissioner (OAIC). 
As with many OAIC announcements, the news is less exciting than it sounds.

Under the Code, agencies are required to:
  • have a privacy management plan
  • appoint a Privacy Officer, or Privacy Officers, and ensure that particular Privacy Officer functions are undertaken
  • appoint a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information, and ensure that the Privacy Champion functions are undertaken
  • undertake a written Privacy Impact Assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information
  • keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites
  • take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.
In practice we can expect to see the traditional OAIC emphasis on process over outcome, activity counts over quality. Being busy - and having a champion or two - is not synonymous with best practice.

One context for championship is the OAIC's own advocacy. In the past week law academics, health specialists and consumer advocates have been busy tweeting and blogging about #HealthEngineFail, i.e. the controversy regarding that health sector booking service's expungement of negative consumer reviews and its sale to law firms of information about people using the service. In essence HealthEngine is making money from a spotter's fee, something prohibited in NSW in the tow truck sector. Somewhat dourly I've quipped that people appear to be less valuable than bent cars.

HealthEngine has claimed that users of the service have consented to the sale of their details; critics disagree, claiming that disclosure was inadequate.

As yet, there is no tweet from the OAIC or statement on its site indicating that the agency is aware, concerned, or taking action. Mainstream media reports indicate that the national Health Minister has asked for an investigation. The OAIC does have social media and other resources: in recent days it has, for example, tweeted the release of the best practice code and the participation of two senior executives at a conference in San Francisco.

The agency has presumably been in contact with HealthEngine and in time - which judging by past performance may be several months, in contrast to more timely action by ACMA - will presumably release the usual terse statement that there was contact and we should all move on.

That is regrettable. The notion of a 'Privacy Champion' should include the OAIC itself. It should set the stage for the 'champions' in other parts of the Commonwealth administration by using its soft power through timely public statements that address specific controversies and look beyond the specifics to reiterate privacy as a statutorily-recognised value across Australia.

Bureaucratic complaisance is not championship; it is instead a lost opportunity to both foster a privacy-respecting culture and reinforce the legitimacy of the OAIC.