About the Office of the Australian Information Commissioner

Transcription:

Australian Government
Office of the Australian Information Commissioner
www.oaic.gov.au
GPO Box 5218 Sydney NSW 2001
P +61 2 9284 9800  F +61 2 9284 9666  E enquiries@oaic.gov.au
Enquiries 1300 363 992  TTY 1800 620 241
ABN 85 249 230 937

Our reference: D2018/004204

Secretariat
Office of the United Nations High Commissioner for Human Rights
Geneva, CH 1211
via email: privacyreport@ohchr.org

Dear Secretariat

OHCHR report on the right to privacy in the digital age

Thank you for the opportunity to provide comments to the Office of the United Nations High Commissioner for Human Rights (OHCHR) for its forthcoming report, 'the right to privacy in the digital age'.

The Office of the Australian Information Commissioner (OAIC) recognises that global and technological developments are creating unprecedented opportunities and challenges for privacy regulation, in particular for how regulation can support individuals to exercise meaningful choice and control in how their personal information is handled by governments and businesses.

The Australian Privacy Act 1988 (Privacy Act) provides a principle-based and robust framework for protecting individuals' information privacy in Australia. Our comments provide an overview of how the protections and oversight mechanisms in the Privacy Act operate, and interact with other privacy laws where the OAIC has oversight functions. When exercising these functions, the OAIC draws on our domestic and international networks to shape how entities harness emerging technologies and data practices to improve the lives of Australians.

About the Office of the Australian Information Commissioner

The OAIC is an independent statutory agency within the Commonwealth Attorney-General's portfolio. The Australian Parliament established the OAIC in 2010 to bring together three functions:
- freedom of information functions, including access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth)
- privacy functions (regulating the handling of personal information under the Privacy Act 1988 (Privacy Act) and other Acts)
- information management functions.

www.oaic.gov.au | 1

The integration of these three interrelated functions into one agency provides the OAIC with a unique insight into the challenges of the digital age, particularly with regard to striking an appropriate balance between individuals' right to privacy and the flow of information in the digital environment.

Privacy regulation in Australia

In Australia, information privacy is protected by a number of regulatory schemes at the national and state levels. Australia's national privacy law is the Privacy Act 1988 (Privacy Act), which applies to the handling of information by both Australian (Commonwealth) Government agencies and the private sector, while various State and Territory schemes generally apply to the handling of information by agencies of those governments.[1] The Privacy Act is intended to give effect to Australia's obligations under international agreements,[2] including:
- Article 17 of the International Covenant on Civil and Political Rights (ICCPR),[3] and
- the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines).[4]

The Privacy Act is consistent with these key international privacy agreements. It aims to ensure that Australia is able to meet the international community's expectations of privacy protection so that Australian organisations are able to participate in international markets and Australians have comparable privacy protections.

The 13 Australian Privacy Principles (APPs) in the Privacy Act are the cornerstone of the privacy protection framework in the Privacy Act.[5] They are principles-based, providing regulated entities with the flexibility to tailor their personal information handling practices to their diverse needs and business models, and the varied needs of individuals. The APPs are also technology neutral, preserving their relevance and applicability to changing and emerging technologies.

The APPs set out obligations in relation to governance and accountability,[6] and around the collection,[7] use and disclosure,[8] integrity,[9] and correction[10] of personal information, as well as individuals' ability to access personal information held about them by regulated entities.[11]

The Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, which commenced on 22 February 2018, formalises long-held community expectations around data transparency. The scheme requires regulated entities with information security obligations under the Privacy Act to notify affected individuals, and the OAIC, in the event of a data breach that is likely to cause serious harm.[12]

A breach of an APP, or a failure to report a notifiable data breach, is an 'interference with the privacy of an individual'.[13] The OAIC's regulatory powers include undertaking assessments of regulated entities,[14] investigating individuals' complaints and commencing Commissioner initiated investigations, making a determination about breaches of privacy,[15] and applying to the Federal Court for a civil penalty order for serious or repeated interferences with privacy.[16] The OAIC's approach to using its privacy regulatory powers is outlined in the OAIC's Privacy regulatory action policy.[17]

Balancing privacy with other interests

The right to privacy is not absolute, and privacy rights will necessarily give way where there is a compelling public interest reason to do so. The Australian privacy framework recognises that entities may have legitimate reasons to undertake projects that may limit or interfere with privacy, provided that any impacts are reasonable, necessary and proportionate for the achievement of the particular policy objective.

The OAIC plays a leading role, across both the private and public sectors, to support entities in striking the right balance between the right to privacy and legitimate functions or activities, including through:
- promoting an understanding and acceptance of the APPs and the objects of those principles[18]
- examining draft laws,[19] and proposals for data matching or linkage,[20] that may involve an interference with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals
- ensuring that any adverse effects of draft laws or proposals for data matching on the privacy of individuals are minimised[21]
- undertaking research into, and monitoring developments in, data processing and technology to ensure that any adverse effects on the privacy of individuals are minimised[22]
- providing reports and recommendations to government in relation to any matter concerning the need for, or desirability of, legislative or administrative action in the interests of the privacy of individuals[23]
- directing an agency to give the Commissioner a privacy impact assessment[24]
- an oversight role in aspects of mandatory data retention and other requirements under the Telecommunications Act 1997[25] and the Telecommunications (Interception and Access) Act 1979 (TIA Act),[26] and
- engaging with government on the development of its biometric face matching capability, focussing on the need for a robust governance framework and independent oversight.

In performing these functions, the OAIC's key message is often the importance of adopting a privacy by design approach from the outset of a proposal, including conducting a privacy impact assessment where appropriate.[27]

To support entities in leveraging the value of data while protecting privacy, the OAIC has developed a range of practical tools and guidance. Recently, for instance, the OAIC and Data61[28] have jointly produced a De-identification Decision-Making Framework,[29] and the OAIC has released a guide to De-identification and the Privacy Act.[30]

Leveraging international partnerships

Increasingly, businesses are carried on globally, personal information moves across borders, and privacy threats and challenges extend internationally. A coordinated and consistent global approach is important for responding to global privacy concerns. The OAIC is actively engaged in a range of international privacy and data protection forums and enforcement arrangements.[31]

The OAIC looks forward to reviewing the OHCHR's report and stakeholder comments, to inform our regulatory approach to the challenges of safeguarding privacy in the digital age.

If you would like to discuss these comments or have any questions, please contact me or Sophie Higgins, Director, Regulation & Strategy, on (02) 9284 9775 or sophie.higgins@oaic.gov.au.

Yours sincerely

Angelene Falk
Acting Australian Information Commissioner
Acting Privacy Commissioner
30 April 2018

Footnotes

[1] See the OAIC's information on other privacy jurisdictions in the Australian states and territories <https://oaic.gov.au/privacy-law/other-privacy-jurisdictions>.
[2] As reflected in the objects of the Privacy Act, at s 2A(h).
[3] Opened for signature 16 December 1966 (entered into force 23 March 1976), [1980] ATS 23. The full text of the ICCPR is available on the United Nations High Commissioner for Human Rights website, at: <http://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx>.
[4] See the OECD's Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980) <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#recommendation>.
[5] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 52.
[6] APP 1 outlines the requirement for an APP entity to manage personal information in an open and transparent way.
[7] See APPs 3, 4 and 5, which all deal with the collection of personal information.
[8] See APPs 6, 7, 8 and 9, which all deal with the use or disclosure of personal information.
[9] APP 11 requires an APP entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
[10] APP 13 requires an APP entity to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading.
[11] APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request. For more information about the APPs see <https://www.oaic.gov.au/individuals/privacy-factsheets/general/privacy-fact-sheet-17-australian-privacy-principles>, or for detailed guidance see <https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/>.
[12] For more information about the Notifiable Data Breaches scheme see <https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response>.
[13] Privacy Act 1988 (Cth), s 13.
[14] Privacy Act 1988 (Cth), s 33C.
[15] Privacy Act 1988 (Cth), ss 36, 40 and 52.
[16] Privacy Act 1988 (Cth), s 80W.
[17] <https://www.oaic.gov.au/about-us/our-regulatory-approach/privacy-regulatory-action-policy/>.
[18] Section 28(1)(c) of the Privacy Act.
[19] Section 28A(2)(a) of the Privacy Act.
[20] Section 28A(2)(b) of the Privacy Act.
[21] Section 28A(2)(c) of the Privacy Act.
[22] Section 28A(2)(d) of the Privacy Act.
[23] Section 28B(1)(c) of the Privacy Act.
[24] Section 33C of the Privacy Act.
[25] The Telecommunications Act 1997 regulates the activities of a number of participants in the telecommunications industry, including the use and disclosure of information obtained by certain bodies during the supply of telecommunication services.
[26] Under the TIA Act the Australian Security and Intelligence Organisation (ASIO) and certain domestic law enforcement agencies can authorise the disclosure of telecommunications data by a carrier or carriage service provider, including telecommunications data collected and retained under the data retention scheme. Under s 183(3) of the TIA Act, the Information Commissioner must be consulted about requirements relating to the form of those authorisations.
[27] The OAIC has developed the Guide to undertaking privacy impact assessments <https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments> and an elearning course on conducting a PIA <https://www.oaic.gov.au/elearning/pia/>, which can be used by any entity undertaking a PIA.
[28] Part of Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO).
[29] <https://www.oaic.gov.au/agencies-and-organisations/guides/de-identification-decision-making-framework>.
[30] <https://www.oaic.gov.au/agencies-and-organisations/guides/de-identification-and-the-privacy-act>.
[31] <https://www.oaic.gov.au/engage-with-us/networks>.