Broadening the focus to secondary use of data sets
An organisation's governance arrangements are likely to become even more critical to both its compliance with the Privacy Act and handling of personal information. Whilst not specifically raised in the Issues Paper, the Discussion Paper recommends further organisational accountability requirements be introduced into the Privacy Act, targeting measures to where there is greatest privacy risk.
Of note is the recommendation to amend APP 6 to expressly require organisations to determine, at or before using or disclosing personal information for a secondary purpose, each of the secondary purposes for which the information is to be used or disclosed and to record those purposes.1 In practice, this is likely to be similar to the GDPR's record of processing, although not as expansive.
Whilst this introduces an additional record-keeping layer, it will require organisations to turn their minds to secondary uses and to ensure there are appropriate governance arrangements in place so that consideration is given to APP 6 requirements prior to any secondary use of existing data sets within an organisation in particular.
Certification
The Discussion Paper proposes to introduce a voluntary domestic privacy certification scheme, which would draw upon the UK certification framework adopted by the UK ICO and APEC Cross-Border Privacy Rules.
The proposed Australian model would be flexible and scalable, allowing for both enterprise-wide certifications and certifications for specific products, data or business processes. The OAIC would act as both the accrediting body for certification agents and as the enforcing regulator, but an independent third party would administer the scheme itself to ensure functional independence.
Footnote
-
Discussion Paper, 155.