Privacy Commissioner releases new Privacy Regulatory Action Policy

At the opening keynote of the IAPPANZ Summit, Australia's Privacy Commissioner Timothy Pilgrim announced the release of his office's new Privacy Regulatory Action Policy.

"This policy explains the range of regulatory powers available to me, and formalises the approach our office has been taking in using these powers," he said.

According to Pilgrim, the new policy is not a significant departure from past regulation. "What it does is provide transparency about our existing approach, making it as clear as possible to organisations what our powers are, and what we see as our responsibilities in regards to using them," he explained.

Alongside the new policy, Pilgrim mentioned that his department is also preparing a Guide to privacy regulatory action, and releasing a number of chapters of an exposure draft for consultation.

The guide is designed to be read alongside the new policy and the APP guidelines, to help organisations understand what is expected of them.

"While we are generally required to investigate and attempt to conciliate complaints, we have the discretion to choose when to use our other privacy regulatory powers. The Regulatory Action Policy sets out situations when we will select and target matters warranting regulatory action," explained Pilgrim.

In addition to these policy reforms, Pilgrim's team has also been working on ways to assist businesses to better comply with their privacy obligations. He noted that recent research undertaken by his department found that many of the 50 largest organisations in Australia did not comply with the first principle in the Australian Privacy Principles.

As an outcome of that research, Pilgrim's team set about producing their Guide to securing personal information. This is an update of the Guide to Information Security, and describes examples of reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.

Pilgrim said, "In rewriting and refocusing this guide we held a public consultation so that we could ensure that it, as much as possible, met the needs of the organisations using it".

Pre-empting some of the later sessions at the IAPPANZ Summit, Pilgrim pointed to the Internet of Things as one of the most important technical changes that will have an impact on privacy.

"The International Conference of Data Protection and Privacy Commissioners was held in Mauritius recently, and the focus of the Conference’s declaration was on the Internet of Things," he said. "The Mauritius declaration says that personal development should not be defined by what business or the government know about you, and yet, the proliferation of the Internet of Things — the sheer volume of data that is collected about all of us every day — is increasing the risk that this is exactly what will happen".

Pilgrim's concern is that there is a constant struggle between the protection of personal privacy and the need to interact with the world.

"No regular person can fully understand all the ramifications of providing what may seem like small and insignificant snippets of information in their day to day transactions".

For companies and individuals to be ready for this changing world, privacy needs to be built into systems from the start; it will be too complex to add later as a bolted-on capability.

"But of course, it is far better to build compliance into your business processes, than to leave things to chance and end up meeting the regulatory side of our office. With that in mind, our office is continuing to work on publications that are designed to help you build privacy compliance into your processes and your culture from step one."

Pilgrim noted that over the last year his department has received a record number of complaints. A significant number of these complaints stemmed from the leak of data in February by the Department of Immigration and Border Protection, which published a statistical report with links back to raw, identifiable data in source spreadsheets. However, with that large breach removed from their statistics, Pilgrim's department has seen a doubling in the number of complaints received.

In closing his address, Pilgrim warned businesses that privacy was now an important element in how customers choose service providers.

"This tells me, and it should tell you, that consumers are just as aware as we are of how privacy has become an inherent part of everything they do. And remember the figure from last year’s Community Attitudes to Privacy Survey – 60% were prepared to not deal with an organisation because of concern about their personal information handling practices".

This article is brought to you by Enex TestLab, content directors for CSO Australia.
