Telstra’s response to the OAIC’s Privacy Regulatory Action Policy and Guide to Undertaking Privacy Impact Assessments

Introduction

Telstra would like to thank the OAIC for providing these comprehensive documents for review. With the recent amendments, including the strengthening of the regulatory and enforcement powers conferred on the Australian Information Commissioner and the increased awareness around the need to incorporate privacy into the design of business initiatives, both these papers are important to our business.

Privacy Regulatory Action Policy

General Comment

Telstra would like to congratulate the OAIC on the drafting of the Regulatory Action Policy. It is a detailed outline of how the OAIC intends to take regulatory action, and clearly a great deal of effort has gone into outlining the goals, principles and responses.

Telstra understands the need for this policy, but like our industry body, the Australian Communications Alliance, we are concerned about the broad scope of this document. We suggest the policy would benefit from more guidance by the OAIC on:

- Events or thresholds that would trigger regulatory action by the OAIC, and

- Guidance on the approach in which regulatory action will be taken.

We are also concerned about the impact that this will have on the collaborative working relationship between businesses and the OAIC. We acknowledge the scope of the new regulatory and enforcement powers, but believe that the OAIC should balance those powers with its commitment to its preferred regulatory approach, which is to work with entities to encourage compliance and best practice privacy practices. The focus on taking action should not be at the expense of collaboration, especially as privacy enters a new era where technology impacting privacy is evolving at a rapid rate, cyber threats are increasing and customer expectations around privacy are maturing. Collaboration is essential given the necessary sharing of information. Telstra therefore seeks clarity as to how the OAIC intends to work with entities.

Telstra has cooperated extensively with the OAIC when it has taken regulatory action in the past. We respect the OAIC’s regulatory powers and have worked extensively to provide commitments to remediate any identified weaknesses in our privacy control framework. Our feedback from this experience which may support the finalisation of this policy includes:

- The OAIC needs to balance its regulatory powers with respect to its resources. Telstra has been subjected to investigations stemming from regulatory action which have lasted for years. Leaving investigations open for such long periods of time creates an additional administrative burden and can create confusion for our customers when the final conclusions are made public. In addition, timely investigations, especially in relation to core processes, would assist entities in implementing any necessary changes to process to reduce the potential detrimental impacts on future customers. In this respect, we believe the draft policy should consider a commitment to taking regulatory action in a timely manner that is not unduly burdensome on businesses.

- Paragraph 22 of the draft policy states “...conducting an assessment of whether personal information is being maintained and handled in accordance with applicable privacy legislative obligations, such as the Australian Privacy Principles in the Privacy Act (s 33C). Through such an assessment, the OAIC would identify privacy risks and areas of non-compliance, and may make recommendations for how the entity might reduce those risks or address areas of non-compliance”. In our experience, when regulatory action has resulted in findings of non-compliance, the OAIC has not elaborated on findings associated with a “failure to take reasonable steps”. In Telstra’s view, this output resulting from the regulatory action does not support our business or our customers as there is no clear reasonableness benchmark. In this respect, we believe the draft policy would benefit from the OAIC outlining:

  • what sources of information it will access in interpreting whether an entity has taken “reasonable steps” with regards to taking regulatory action (paragraph 35), and
  • how it will communicate to the public information around findings related to “a failure to take reasonable steps” including what it deems are the reasonable steps that needed to have been taken (subject to matters of confidentiality) (paragraph 54).

Communications

Like the Australian Communications Alliance, we are concerned about the possibility that the OAIC may publicise regulatory action without consulting or giving advance warning to the entity under ‘The OAIC’s approach to communication privacy regulatory action’. This seems to contradict the constructive approach of the ‘Working with entities’ section, and takes away the entity’s opportunity to investigate, assess and respond prior to a statement being published by the OAIC. Telstra is committed to the highest level of customer service and, in circumstances where customers have been impacted, would require the opportunity to contact such customers to inform them of the situation. The approach suggested by the OAIC could unnecessarily cause public concern and damage the relationships and trust Telstra has formed with its customers.

Prioritising matters for privacy regulatory action

Telstra believes that clear guidance should be provided as to when and how discretion will be used to select and target matters for regulatory action and what factors would influence such a prioritisation. We believe that where the OAIC decides to undertake an assessment of an entity where it is funded to do so, that there is transparency as to where that funding has come from and why the particular entity was chosen for an assessment.

The OAIC has indicated in the policy that it will be transparent and accountable for its regulatory action through a range of review and appeal rights. However, details of how it intends to be transparent appear to be missing from the policy in general, and there is no information about the review and appeal rights mentioned.

We understand and support the need for a body to protect the personal information of individuals. Notwithstanding this, there is a concern that the OAIC will fail to conduct preliminary investigations and reasonably substantiate an alleged breach of privacy before contacting the accused entity and initiating an investigation. The OAIC needs to be aware of, and take into consideration, the large amount of time and resources invested in responding to queries initiated by a regulatory body. When those allegations are not initially investigated and are discovered to be unfounded, a significant and unnecessary burden is placed on the entity in question. This includes not only a financial burden but also a personal burden on its employees and an inevitable impact on the customer as resources are diverted away from daily functions. We propose that the policy detail guidelines for the OAIC to follow to ensure it reasonably validates an allegation before it contacts the entity in question.

Guide to Undertaking Privacy Impact Assessments

General Comment

Even though there are good take-outs for entities to consider in their approach to conducting a Privacy Impact Assessment, the Guide to Undertaking Privacy Impact Assessments is very detailed and prescriptive. We would suggest the Guide be limited to high level principles, making it more practical and flexible for entities to use, particularly as the Privacy Act applies to such a broad range of entities. Entities should be allowed the freedom to customise their Privacy Impact Assessments to target the specific range of products or services they provide or functions they undertake. This will allow for a more valuable assessment in protecting privacy, rather than a mind-set in which entities need to go through a checklist that might not effectively cater for the functions of that entity.

We are concerned with the intent of the Guide to Undertaking Privacy Impact Assessments and the use of the Guide by regulators (including the OAIC) for investigations into privacy complaints or privacy breaches. We strongly suggest that a statement of intent be included in the Guide, explicitly stating that the principles are a guide only and are not to be used by a regulator to assess whether an entity has conducted an appropriate Privacy Impact Assessment, thus ensuring regulators understand the purpose of the Guide and use the Guide appropriately.

If more detail is required for agencies, agency applicable inclusions should be clearly highlighted as such.

Feel free to contact me if there are items raised that you would like to discuss.

Yours sincerely,

Ben Carr

Chief Privacy Officer

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 28/03/14
Final for Approval | Telstra Unrestricted