Privacy (Australian Government Agencies – Governance) APP Code 2017

The Privacy (Australian Government Agencies — Governance) APP Code 2017 (the Code), which commenced on 1 July 2018, represents a step towards best practice privacy governance in the Commonwealth.

The Code imposes a host of new requirements on Commonwealth agencies, adding to existing obligations under the Privacy Act 1988 (Privacy Act), and symbolises the commitment of the Commonwealth government to the protection of privacy and greater transparency in information handling practices.

The impetus for the Code’s development lies in the increasing emphasis in current policy-making on improving the availability of public data, and the ongoing shift towards the digital and online provision of many government services. In this context, the Code may help build public trust and confidence in government information handling practices and any future uses of public data by agencies.

Broadly, the Code imposes obligations on Commonwealth agencies in respect of:¹

1. their privacy management and governance (Part 2 of the Code);
2. Privacy Impact Assessments in relation to high privacy risk projects (Part 3 of the Code); and
3. their internal privacy capability (Part 4 of the Code).

Whilst some of these obligations required an immediate response from agencies prior to 1 July 2018, many of the requirements set out in the Code are ongoing, and agencies will need to vigilantly monitor their compliance with the Code.

This article provides an overview of the requirements of the Code to assist agencies in managing their compliance. We have also included a checklist which agencies may wish to have regard to as part of their ongoing compliance activities.

By now, your agency should have made arrangements to:

• put in place a privacy management plan (section 9 of the Code);
• designate a Privacy Officer (section 10 of the Code);
• designate a senior official as Privacy Champion (section 11 of the Code);² and
• set up a Privacy Impact Assessment Register (section 15 of the Code).

Each of these initial requirements leads to further related ongoing obligations. Each agency to which the code applies will need to:

• maintain its privacy management plan;³
• measure and document its performance against its privacy management plan at least annually;⁴
• ensure that a system is in place to provide for the proper handling of internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Privacy Act;⁵
• maintain a record of the personal information that it holds;⁶
• at all times have at least one Privacy Officer, and when the contact details of the Privacy Officer(s) change, keep the OAIC notified in writing;⁷
• ensure that there is a culture of privacy within the agency that values and protects personal information;⁸
• ensure that there is leadership within the agency on broader strategic privacy issues;⁹ and
• ensure that regular reports are provided to the agency’s executive in relation to any privacy issues arising from the agency’s handling of personal information.¹⁰

These requirements may necessitate changes to policy and procedure within an agency. For example, internal policies will need to reflect the requirement to annually measure and document performance against its privacy management plan.

Helpfully, the OAIC has launched a Privacy Officer toolkit and suggests that agencies should sign up to its Privacy Professionals’ Network to receive notifications on developments in Code resources and events.

In addition to these requirements, section 16 of the Code sets out an obligation for agencies to ensure that:

• appropriate privacy education or training is included in any staff induction program that the agency provides; and
• reasonable steps are taken to provide appropriate training annually to all agency staff who have access to personal information in the course of performing their duties.

The training must address the privacy obligations of agency staff, and agency policies and procedures relating to privacy. However, the level and amount of training that will be appropriate may differ depending on the degree to which the staff members deal with personal information in the course of their employment.¹¹

Separately, section 17(1) of the Code imposes an obligation on agencies to regularly review and update their privacy practices, procedures and systems to ensure their currency and adequacy for the purposes of compliance with the APPs. As a minimum, the scope of such a review must encompass a review of the agency’s privacy policy (prepared for the purposes of APP 1) and any privacy notices (prepared for the purposes of APP 5). Given the pace at which privacy law and policy is evolving in Australia, agencies will need to actively monitor privacy developments in order to comply with this requirement.

Additionally, an agency must regularly monitor its compliance with these privacy practices, procedures and systems. The OAIC expects agencies to consider (and where appropriate, respond to) the outcomes of such compliance reviews in accordance with the APPs and their privacy management plans.¹²

Significantly, the Code mandates that an agency must conduct a Privacy Impact Assessment for all ‘high privacy risk projects’.

A privacy impact assessment (PIA) is a written assessment that both identifies the impact that a project might have on the privacy of individuals and sets out recommendations for managing, minimising or eliminating that impact.¹³

A project may be a ‘high privacy risk’ project for these purposes if the agency reasonably considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.¹⁴ Where such a risk exists, the process of developing a PIA can be complex and time-consuming.

Pursuant to section 13, an agency may publish a PIA, or may choose to publish a summary version or an edited copy of the PIA, on the agency’s website; however neither is mandatory.¹⁵

Section 15 also imposes an obligation on agencies to maintain a register of the PIAs that they conduct. Agencies must publish this register, or a version of this register, on their websites. Agencies will need to include all PIA titles and any other relevant information on the published register, unless doing so would divulge information that it would not be appropriate to share publicly (e.g. for reasons of national security).¹⁶

Agencies must also provide a copy of the register and all PIAs that are listed on it to the OAIC on request.

The OAIC is developing guidance on the PIA requirements in the Code, including in relation to the assessment of privacy risk.

Pursuant to section 26A of the Privacy Act, an agency must not do an act, or engage in a practice, that breaches the Code. A breach of a registered APP code will be an interference with privacy by the entity under section 13 of the Privacy Act and subject to investigation by the Commissioner under Part 5 of the Act.

Before 1 July

 Put in place a privacy management plan.

 Designate a Privacy Officer (pursuant to section 10 of the Code).

 Designate a Privacy Champion (as required by section 11 of the Code).

 Set up a Privacy Impact Assessment Register.

After 1 July

Continually

 Maintain the privacy management plan.

 Conduct Privacy Impact Assessments for all high privacy risk projects.

 Maintain the Privacy Impact Assessment Register.

 Have in place a system to handle privacy enquiries, complaints, and requests.

 Maintain a record of all personal information held throughout the agency.

 At all times, have a Privacy Champion and at least one Privacy Officer.

 When the details of the Privacy Officer(s) change, keep the OAIC notified in writing.

 Ensure that there is leadership within the agency on broader strategic privacy issues.

 Include privacy education or training in all staff induction programs.

On a recurring basis

 Measure and document performance against the privacy management plan at least annually.

 Ensure that regular privacy reports are provided to the agency’s executive.

 Take reasonable steps to provide training annually to all staff with access to personal information.

 Regularly review and update privacy practices and procedures (including privacy policy and notices).

 Regularly monitor compliance with privacy practices, procedures and systems.

Thanks to lawyer David Martin from our Sydney office for contributing to this article.