Recent high-profile data breaches have elevated privacy as a critical governance and compliance risk issue across the public and private sectors. While for decades now it has been largely acknowledged and recognised that privacy breaches and non-compliance can cause significant adverse outcomes for organisations, it has taken the events of the last two months to fully and properly appreciate the scale and scope of the adverse impacts and outcomes that an organisation can be subject to as a result of a privacy breach.
To add to this, the Federal Government has introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which contains a range of amendments to the Privacy Act that will see a significant increase in penalties that can be imposed for serious or repeated privacy breaches and increased powers to the Australian Information Commissioner. In the coming months, particularly once these amendments are passed, there really will be no place to hide or no justification for poor or non-complaint privacy practices.
In these circumstances, now more than ever, it is essential that privacy considerations take a central place in compliance, governance and decision-making processes across public and private sector organisations. Indeed privacy should be given the same high priority as any other issue which has the capacity to significantly and materially adversely impact on an organisation’s financial, operational and reputation position and standing. To put the significance of privacy into focus, proper and appropriate personal information-handling practices are forming to be categorised through the lens of social licence and part of the “social” in ESG terms.
The question now is how do organisations start this task and move to make privacy front and centre?
In this article, we will explore this issue through two essential steps that any public or private sector organisation must take to get across this challenge:
- Refresh and reboot privacy 2.0 – properly understanding privacy compliance obligations and personal information holdings; and
- Putting privacy first – injecting privacy considerations into compliance, governance and decision-making frameworks
Refresh and reboot privacy 2.0 – understanding compliance and personal information holdings
With the risk of stating the obvious, the first step is to properly and fully understand what constitutes compliance with the relevant privacy principles, be that the Australian Privacy Principles under the Commonwealth Privacy Act or the State-based Information Privacy Principles in legal, practical and operational terms.
As the foundational compliance obligation, the first focus area should be to ensure that an organisation’s personal information holdings can be said to be reasonably necessary for, or directly related to at least one or more of the organisation’s functions or activities. Although the precise drafting of this obligation varies across jurisdictions (see for example APP 3 or in Queensland, IPP 1), the policy driver is consistent in seeking to ensure that organisations only collect personal information that is necessary or related to an organisation’s activities and functions. In shorthand, this obligation is about only collecting the personal information that is needed and resisting the temptation to over-collect personal information.
This is one of the most crucial and the foundational compliance obligations as it is from this point – as personal information is collected and held by an organisation – that the other key compliance obligations will be triggered, including how the organisation uses, stores, updates and potentially discloses the personal information that is collected.
Relevantly too, routine experience dictates that this obligation is perhaps the most widely mis-applied and misunderstood of all the privacy obligations. This is because it is commonly accepted that compliance with this obligation can be discharged with consent, and therefore it is open to an organisation to collect whatever personal information it elects, provided that consent is obtained – which is plainly incorrect.
It has always been the case that compliance with this obligation requires an organisation to be satisfied that its personal information holdings are necessary or relevant to the organisation’s activities and functions. Therefore, in practical terms, the first step for any organisation will be to ensure that:
- it understands the nature of the personal information that it holds; and
- a connection between the collection of the personal information to the organisation’s functions and activities can be established.
If no such connection can be established, then the personal information should be lawfully disposed of by the organisation.
From this point, the next step is to review and consider privacy collection notices to ensure that the organisation not only understands the nature of its personal information holdings but also what the organisation must, can or cannot do with that personal information.
This process is effectively a personal information audit which involves an organisation mapping out and understanding the nature of its personal information holdings and from that point, understanding how that personal information must be managed and dealt with across the organisation in accordance with the relevant privacy obligations, established under State-based or the Commonwealth privacy frameworks.
Putting privacy first and injecting privacy considerations into organisational frameworks
Given the broad-ranging impact that privacy breaches can have on an organisation, it is essential that privacy be considered in the same manner as any other risk would be considered in an organisation’s compliance, governance and decision-making frameworks and processes.
From a governance and decision-making perspective, boards and other decision-makers should ensure, where it is lawful to do so, that any approval or decision-making process incorporates privacy considerations including the impact of the decision, approval or program on privacy compliance and risk with this assessed in the immediate and longer term. Ensuring that privacy issues and risks have been afforded appropriate consideration should become a routine and regular consideration.
Measures that can be adopted in ensuring proper consideration of privacy issues include adopting a “privacy by design” approach and using privacy impact assessments. Privacy practitioners have long championed and recommended the adoption of “privacy by design” approaches to the design of new process and business practices. Privacy by design is a proactive approach in managing privacy risks by including and incorporating privacy considerations into the design and structure of new programs and practices. This ensures the new program or practice is by its very design, privacy aware and designed in a manner which mitigates privacy risks. On a process level, a privacy by design approach can be implemented using mechanisms such as privacy impact assessments which involves, through a set of privacy-based compliance criteria, assessing the impact that the new program, decision or process will have on privacy, privacy risks and compliance.
The important aspect to these mechanisms is to deal with privacy considerations proactively, and to avoid a reactive, patch work approach to privacy compliance which has clear cost and resourcing benefits. Furthermore, privacy compliance is a critical reputational risk and is more and more being considered through the lens of social licence and as a social consideration in broader ESG considerations. That’s why, to mitigate and manage all these risks, organisations must place privacy front and centre in compliance, governance and decision-making processes.