Privacy Law and Policy Reporter
Office of the Federal Privacy Commissioner The Commissioner’s Office has released the following ‘work plan’ for 2001.
In the lead time that organisations will have before they must comply with the new private sector legislation, some key aspects of our strategic plan will come into play. These include that we will be known among our stakeholders as:
We recognise that many organisations will have to work hard to develop an appropriate approach to privacy. Implementing the baseline standards for handling personal information — the National Privacy Principles (NPPs) — will not be straightforward in every case. It will require some organisations to focus in detail on the way they manage personal information and, in some cases, to think laterally about how they can meet the requirements of the NPPs.
We see our primary role as helping organisations to get it right. The Office of the Federal Privacy Commissioner is focused on using its limited resources in the most effective way possible to support organisations to achieve this. Strategies we are adopting include:
We will involve stakeholders closely in developing guidelines and information.
Both the Privacy Act 1988 (Cth) and our strategic plan require us to provide a balanced approach to interpreting the NPPs. The Privacy Act gives important privacy rights to individuals and requires the Privacy Commissioner to recognise the right of businesses to achieve their objectives in an efficient way. In working out how the NPPs apply to a particular business or industry — the Office will, as far as possible, be looking for an interpretation or solution that protects consumer rights and at the same time enables business to continue to operate in a profitable way.
The Privacy Commissioner has considerable powers of enforcement. However, he proposes to use them only as a last resort and in circumstances where an organisation demonstrates it has little commitment to getting its approach to privacy right.
As a first step to help organisations and individuals understand the new private sector provisions and to help organisa-tions work out how to prepare for when the private sector scheme comes into effect, this Office proposes to produce the following information sheets which will be available on our website <www.privacy.gov.au>.
Later in the year, depending on feedback from organisations and cons-umers, we propose to prepare additional information sheets on topics such as how to make a complaint, employee inform-ation, children and particular sectors such as tenancy and health.
The Privacy Commissioner is preparing guidelines to explain in a clear and simple way how the NPPs will work in practice. The guidelines will aim to help organisations assess their practices against the NPPs and to work out what they should do to get their privacy practices right. The guidelines will also aim to help consumers work out their privacy rights and whether or not these rights have been breached.
We see the guidelines as a body of information that will develop as our understanding of consumer interests and organisational practice increases. We propose to consult all relevant stakeholders in developing them. The information in Box 1 below an indicative timetable of the steps we propose to take.
The Office’s consultation strategy is not yet finalised, but in developing our strategy we will take into account the need to ensure:
Personal health information is generally considered to be among the most sensitive and intimate of personal information. Privacy of personal health information has historically been an important concern of health consumers and providers. The NPPs will apply to personal health information and health service providers. However, there are likely to be special privacy issues about how the NPPs apply in the health environment that require specifically tailored solutions.
The Office has undertaken to develop health guidelines to the NPPs. The health guidelines will complement the general NPP guidelines and will provide specific guidance on how the NPPs will operate for health consumers and health service providers such general practitioners, private hospitals and other health service providers. This guidance may include more detailed rules, best practice options and examples of particular relevance to the health sector. We have already identified some areas where guidelines are needed in a report on health and the NPPs we published in December 1999. This report is on the Office website at <www.privacy.gov.au/publications/pg2pubs.html#21.3>.
This Office proposes to take the steps outlined in Box 2 in preparing these health guidelines.
The Privacy Commissioner proposes to consult widely with stakeholders in the health sector, including health practitioners and health consumers. National and regional input including State governments and State and private health service providers will be critical to ensuring a nationally consistent approach.
A working group of the Australian Health Ministers’ Advisory Council (AHMAC) is concurrently developing a national health privacy code that could operate in the public and private sectors. They are likely to undertake separate consultations on this draft code during 2001. When developing the NPP guidelines for health information, the Privacy Commissioner will take into consideration developments in the AHMAC Code.
Some organisations and industry sectors may wish to develop their own code. The Privacy Act sets out certain requirements that a code must meet before the Privacy Commissioner can approve it to replace the NPPs. The Privacy Commissioner can make guidelines:
The Privacy Commissioner is developing guidelines on these matters and proposes to take steps outlined in Box 3 to develop these guidelines.
The Office intends to consult with all stakeholders, including organisations and peak industry and consumer groups with an interest in code development and approval.
The Privacy Act requires the Privacy Commissioner to consult everyone he considers has a real and substantial interest in guidelines about making and dealing with complaints under approved privacy codes. Consultation with already existing industry dispute resolution schemes will be essential.
Informing individuals about their privacy rights is critical to the successful operation of the new privacy sector provisions. This is particularly so as the new scheme relies to a large extent on enforcement of the scheme through the complaints process.
The Privacy Commissioner has a strong commitment to ensuring that Australians are well informed about their privacy rights and know how to enforce them. At the same time as we are taking a wide range of steps to ensure organisations are ready to comply with the new private sector provisions when they come into operation, we are taking the first key steps in working out the best way to reach Australians to ensure that they, too, are ready.
The Privacy Commissioner is undertaking an extensive program of research into community, business and Commonwealth agency attitudes, needs and behaviours in relation to privacy. The research will be complete by May 2001, and will enable the Office to take a highly focused approach to issues and communications management to ensure all Australians and organisations know about their new privacy rights and responsibilities.
We will be communicating with community, business and Government agencies throughout the year, building up to a more intensive educational strategy to encourage and support business in meeting their new responsibilities in the third quarter of this year, and targeting Australians about their new rights and practices to protect privacy in the final quarter.
In the mean time we will publish on our website and distribute to key consumer organisations some preliminary information for consumer and advocates groups including the following information sheets.
As well, the Privacy Commissioner will be consulting with Australians during May and June 2001 on the NPPs guidelines to ensure that individual attitudes to privacy are properly taken into account. (See NPP guideline timetable outlined above.)