OAIC forces Australian govt into a data privacy code

The Australian government has agreed to a push by the Information Commissioner to implement a privacy code that guides its handling of personal data in light of several high-profile bungles and policy changes.

The Department of Prime Minister and Cabinet today said it would work with the Office of the Australian Information Commissioner to create a code that will "enhance the capability of Commonwealth agencies to deliver data innovation that integrates personal data protection".

The announcement was prompted by a letter [pdf] sent to the department by Information Commissioner Timothy Pilgrim in late March urging the agency to help the OAIC develop a privacy code for the Australian Public Service, rather than have one forced upon it.

Pilgrim said recent privacy breaches with open datasets - like at the APSC and the Health department, whose botched Medicare dataset led the government to try to criminalise those who point out badly de-identified government open data - showed there was "a need to strengthen the overall privacy governance processes within APS agencies".

Factors such as the government's open data strategy and shift towards digital services, as well as the 2016 online Census bungle and the Productivity Commission's push for data reform, also contributed to this need, he said.

"I believe that if this is not done, there is a risk that the community may lose trust in the ability of government to deliver on key projects which involve the use of personal information," Pilgrim said.

"Given the range of new policy proposals which seek to expand uses of (and access to) personal information held by government, in my view the APS first needs to take steps to build public trust and confidence in the ability of the APS to implement its agenda consistent with community expectations, and in a way that respects privacy."

He said it was important to remember that many agencies have the power to collect information on an individual without their approval, in order to provide services and payments.

"This means that in a practical sense, individuals are not always able to exercise meaningful choice over how their personal information is used."

Pilgrim also today revealed he would conduct an audit into the privacy aspects of Centrelink's robo-debt data matching program following widespread complaints about the system. It will be conducted in the first quarter of next year.

The new privacy code will detail the steps all Australian government agencies need to take to meet their existing regulatory privacy obligations.

It will require all agencies to have a privacy management plan, dedicated privacy contact officer, senior 'privacy champion', to undertake written privacy impact assessments for projects of high risk or involving personal data, keep a register of all PIAs, and undertake any training or audits needed to enhance privacy capability.