An update from Commissioner Falk on privacy and information access issues during the COVID-19 pandemic
OAIC - Information Matters

Commissioner's message

May has been a milestone month for privacy in Australia – from Privacy Awareness Week and our call to Reboot your privacy, to the enactment of new laws to protect personal data in the COVIDSafe app and National Data Store. As privacy hit the headlines, we heard from a wide range of stakeholders about the importance of this fundamental right.

May is also Information Awareness Month, when the OAIC and other organisations come together to promote best practice information handling.

To mark this event, we joined with information access regulators in Australia and around the world to emphasise the importance of documenting decisions, preserving records, and providing access to information during and following the pandemic.

As the statement from Australian Information Access Commissioners makes clear, the duty to document does not cease in a crisis, it becomes more essential.

In the privacy sphere, the public discussion about the COVIDSafe app helped to elevate awareness of the importance that Australians place on privacy and protecting personal information. It also focused attention on the need to take a privacy-by-design approach to any project involving personal information, not only to ensure it is protected, but to minimise privacy impacts and build public trust and confidence in the use of data.

These issues were front and centre in the Privacy Impact Assessment (PIA) process for the COVIDSafe app, as my office worked constructively with the Australian Government to build in strong privacy protections.

Following the recent amendments to the Privacy Act, COVIDSafe app data can only be used for purposes related to contact tracing and must be stored in Australia and destroyed when the app is no longer required. The new law is in keeping with our advice on the PIA that legislation provides the strongest form of protection to codify the privacy safeguards.

We are now monitoring the handling of personal information through the COVIDSafe system as part of a comprehensive oversight program. We have published information for the public on the COVIDSafe app and my privacy rights, explaining these protections and how to make a privacy complaint.

In parallel, we are continuing to develop resources to help guide organisations and agencies through privacy issues related to the COVID-19 outbreak. Our new step-by-step PIA tool will help guide organisations and agencies through this process, both in the current crisis and into the future.

Over the coming year our oversight of COVIDSafe data handling will be a top priority for the OAIC, along with our continuing focus on the online environment and new technologies, security of personal information, and the implementation of the Consumer Data Right (CDR).

Our approach to compliance and enforcement is intended to prevent, detect, redress and incentivise regulated entities to improve personal information handling practices. We have also released a joint Compliance and Enforcement Policy for the CDR with our co-regulator, the Australian Competition and Consumer Commission, to make it clear to consumers and participants how we will uphold the privacy safeguards of the system.

Looking ahead, we are expecting more changes to the Privacy Act to strengthen penalties for interferences with privacy, as well as a broader review to make sure our regulatory framework is able to protect Australians’ personal information into the next decade. You can hear more about this in my address for the launch of PAW 2020 in Queensland.

While we are now seeing restrictions begin to ease across the nation, the impact of the pandemic was also felt in the planning and delivery of Privacy Awareness Week earlier this month. I am pleased to report that a record number of supporters signed up for PAW 2020, working with us to reach a broader audience with important information about protecting personal information online.

Thank you for your commitment to promoting good privacy practice and making the PAW campaign a success during these challenging times.

Angelene Falk
Australian Information Commissioner and Privacy Commissioner

 

Privacy oversight of COVIDSafe app

Strict privacy safeguards for COVIDSafe app data have been enshrined in law, along with an expanded regulatory oversight role for the OAIC. The amendments to the Privacy Act 1988 passed earlier this month ensure the app is voluntary and make mishandling of COVIDSafe app data an offence and an interference with privacy.

“The new law contains strong privacy measures to give Australians confidence in the protection of their personal information within the COVIDSafe system,” Commissioner Falk said.

Any breaches of COVIDSafe app data at a federal or state level will need to be notified to the OAIC, which can proactively assess the system to identify any privacy risks and has expanded powers to compel information and documents.

Individuals can also make complaints to the OAIC about the handling of their personal information within the COVIDSafe system.


Consumer Data Right update


The OAIC and the Australian Competition and Consumer Commission (ACCC) have released a joint Compliance and Enforcement Policy for the Consumer Data Right (CDR).

The policy outlines the approach adopted by the two agencies to encourage compliance with the CDR regulatory framework and address any breaches. It has been developed following industry consultation and focuses on building consumer confidence in the security and integrity of the CDR system.

“My office and the ACCC will work in partnership to monitor and actively enforce participants’ compliance with their regulatory obligations, including the privacy safeguards,” Commissioner Falk said.

We have also released new information for consumers about how the CDR will operate, including privacy protections and how to make a complaint.


Information Awareness Month and COVID-19 record keeping


In recognition of the ongoing impact of COVID-19 in Australia and around the world, we recently joined with local and international counterparts to emphasise the importance of documenting decisions, preserving records, and providing access to information during and following the pandemic.

The joint statement from Australian Information Access Commissioners was shared during Information Awareness Month, and endorsed the International Conference of Information Commissioners’ call for governments, businesses, and research institutions to document their decisions and transactions now and for the future.

Information Awareness Month is held each May, bringing together organisations within the records, archives, library, knowledge, information and data management communities to explore and promote better ways of handling information. This year’s theme is Informed About Your Changing Environment.


Regulatory cooperation


The Executive Committee of the Global Privacy Assembly (GPA) has issued a statement setting out core privacy-by-design considerations when developing contact tracing apps. 

The statement provides guidance for organisations across the globe and highlights a continuing role for data protection and privacy authorities in the development of contact tracing technologies.

Australian Information Commissioner and Privacy Commissioner Angelene Falk is a member of the GPA Executive Committee.

The peak organisation for data protection and privacy authorities has also established a COVID-19 Taskforce to drive practical responses to the privacy challenges emerging from the pandemic and assist members with insights and best practices.

Search the GPA COVID-19 Response Repository to find the latest statements and resources from GPA members.


Privacy Awareness Week 2020


Thank you to everyone who helped make Privacy Awareness Week (PAW) such a success in 2020. Our network of supporters grew to a record 549 organisations this year, in a clear sign of our shared commitment to promoting privacy awareness.

Our Reboot your privacy campaign focused on protecting personal information online. You can still access resources and other materials to promote good privacy practice on our PAW website, including the Privacy in a pandemic webinar featuring Commissioner Falk, New Zealand Privacy Commissioner John Edwards and IDCARE Managing Director David Lacey. 

PAW is an annual initiative run by the OAIC in conjunction with the Asia Pacific Privacy Authorities. You can sign up now to become a supporter for 2021.


Privacy Impact Assessment Tool

We have launched a new Privacy Impact Assessment Tool (DOCX), which helps you conduct a PIA, report its findings and respond to recommendations. The tool accompanies the Guide to undertaking privacy impact assessments, and entities are encouraged to take a flexible approach and adapt it to suit the size, complexity and risk level of their project.

We are continuing to develop privacy resources to help guide organisations and agencies through privacy issues related to the COVID-19 outbreak, including detailed advice to help regulated entities assess the privacy risks involved in changed working environments.

The OAIC has also published privacy guidance for Australian Government agencies and organisations covered by the Privacy Act 1988 to help keep workplaces safe and handle personal information appropriately during the pandemic.


Have your say

We are seeking your views on a draft resource designed to help Australian Government agencies determine when a Privacy Impact Assessment (PIA) is required.

The resource is intended to:

  • provide guidance on how to screen for high privacy risk projects by completing a threshold assessment to determine whether a PIA is required
  • set out the benefits of conducting a PIA, even when a project does not meet the ‘high privacy risk’ threshold.

While the guidance is primarily aimed at agencies that are subject to the Privacy Act, we welcome comments from other interested stakeholders and members of the community. The closing date for comments is 19 June 2020.


More OAIC news

Catch up with our media releases and other updates throughout the month via our website.
