As a part of Privacy Awareness Week in early May, the Office of the Australian Information Commissioner (OAIC) launched a new Privacy management framework to assist public and private sector organisations in meeting their compliance obligations. The framework outlines the major components of four key steps organizations need to take, including creating and embedding a culture of privacy that values personal information; establishing robust and effective privacy practices, procedures and systems; evaluating these practices, procedures and systems to ensure continued effectiveness; and responding proactively to the results of the evaluations and to new privacy challenges. Taken collectively, the steps (Embed; Establish; Evaluate; and Enhance) set forth the expectations of the OAIC as to how organizations should meet the requirements of APP 1.2. This provision requires them to take reasonable steps to implement practices, procedures and systems that ensure compliance with all the Australian Privacy Principles (APPs), which came into effect in March 2014.
The framework may be helpful to some degree, but it leaves much to be desired, being only a high-level summary of the issues and concerns that any privacy management framework should address. The framework is basically a six-page document presenting key steps, each followed by half a dozen or so single-sentence bullet points. By comparison, the draft Privacy Risk Management Framework issued in the U.S. by the National Institute of Standards and Technology (NIST) in late May, while covering much the same ground, weighs in at 64 pages and is far more substantive. It would appear that having a comprehensive privacy law on the books is no substitute for having a sufficiently resourced standard-setting regulator. There are many indications that it will take significantly more than rudimentary educational efforts by the OAIC to induce many Australian businesses to take privacy seriously.