Pilgrim to audit 21 Australian privacy policies

Privacy commissioner Timothy Pilgrim is gearing up to audit 21 privacy policies published by Australian entities to make sure they meet all the obligations of new legislation that came into effect just under a year ago.

Pilgrim and his team will assess each of the selected privacy policies against the demands of Australian Privacy Principle 1.

APP 1 demands that all entities subject to the Privacy Act publicly display “a clearly expressed and up to date” privacy policy listing the types of information the organisation collects, the purpose of collecting the information, how customers can access and correct their information, and any countries in which that data is stored.

Speaking in Sydney earlier this month, Pilgrim foreshadowed that the audits would “look at whether the policies are clearly expressed and up-to-date, cover the content and contact requirements and are available in an appropriate form”. The findings of the review are expected to be released in May.

A spokeswoman for the Privacy Commission told iTnews the organisation would not release names of the 21 entities being targeted while the assessment was still underway.

According to Pilgrim, the move to actively audit privacy policies heralds a shift in focus for the commission, now that the first year has passed since the APPs came into effect.

“We have been talking for a long time about the need to build privacy into ‘business as usual processes’, and how essential it is to include in business and project planning,” he said.

“Our messages around this aren't going to change, but now that we have had almost a year to settle into the changes to privacy laws, we'd like to start talking about more than just basic compliance, and shift the conversation to ongoing governance.

“This demonstrates that the OAIC is proactively looking at entities responses to the new requirements,” he said.

The new privacy laws took effect on 12 March 2014, and handed Pilgrim and his team a new level of power to fine Australian entities up to $1.7 million for privacy breaches.

Pilgrim hinted that not all organisations had been as quick to adhere to the new regime as he would have like.

“By now I assume that you, and your clients, all have well established policies and processes, but what we are seeing is that a lot of organisations don't have an adequate privacy governance structure in place," he told the Sydney gathering of privacy professionals.

He said he expected the buck to stop with the CEO or board of any organisation when it comes to privacy breaches, not an appointed staff member.

“It is these roles that must promote privacy as an asset to be respected, managed and protected,” he said.