The Office of the Australian Information Commissioner (OAIC) will be rolling out a privacy management framework in May this year to help organisations develop or review their privacy program.
Speaking at an International Association of Privacy Professionals Australia and New Zealand (iappANZ) seminar in Sydney, Australian Privacy Commissioner Timothy Pilgrim told delegates that the framework will also help companies meet the requirements set out in Australian Privacy Principle (APP) 1. APP 1 covers the open and transparent management of personal information.
“Our framework will emphasize governance, leadership and accountability,” he said. “It will provide a practical guide on how to establish a privacy management framework including elements such as planning and strategy, risk assessment, breach, incident management and regular evaluation.”
The privacy management framework will also encourage organisations to go beyond mere compliance and commit to best practice, said Pilgrim.
“Organisations must be aware of the value of their personal information, both to the organisation and to their customers, so that decisions can be made about the framework put in place to protect it.”
The framework will be launched in time to coincide with Privacy Awareness Week which runs from 3 to 9 May.
“Our theme for this year’s week is privacy every day. The theme emphasises the need for organisations to embed privacy practices into business as usual practices,” said Pilgrim.
For example, organisations must commit from the top down to grow a robust privacy culture of continuous improvement.
“Should I have to 'visit' an organisation as a result of a privacy incident, I will be focusing on assessing the privacy culture of that organisation from the top down as well as process and technology issues,” he said.
While the day-to-day responsibility for personal information and privacy may sit within various areas of the business, Pilgrim’s view is that responsibility for privacy governance sits with the CEO, executive, board or management.
“It is these roles that must promote privacy as an asset to be respected, managed and protected,” said Pilgrim.
“Simply maintaining the status quo in response to a changing landscape of data protection and information handling is the most inefficient way of dealing with the challenges of the information age.”
According to Pilgrim, the key component of a successful privacy program is regular monitoring. This will ensure that privacy policies, procedures and guidance are being followed and that they remain relevant to businesses and the privacy risks they face, he said.
Follow Hamish Barwick on Twitter: @HamishBarwick