Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Speech at the launch of the Privacy Impact Assessment guide.

Download PDFDownload PDF



Launch - Privacy Impact Assessment Guide

6 May 2010

Welcome and acknowledgements

Thank you for that introduction, Karen, and for asking me to speak this evening in celebration of privacy awareness week.

• Commissioner • Craig Scroggie - Vice-President/Managing Director Asia-Pacific Symantec Corp (event sponsor) • Graeme Innes - Disability Discrimination Commissioner, Australian Human

Rights Commissioner

• Mick Gooda, Aboriginal and Torres Strait Islander Social Justice Commissioner • Malcolm Crompton - past Privacy Commissioner • All stakeholders and advocates, particularly those who have actively

participated in the privacy law reform process so far. • Ladies and gentlemen

First I'd like to acknowledge the traditional owners of these lands, the Gadigal people of the Eora nation, and pay my respects to their elders, both past and present.

I’d like to acknowledge the Office of the Privacy Commissioner and commend the Commissioner and her staff for taking the leading role in promoting and protecting privacy across the Australian community.

It’s a pleasure to spend an evening with such a dedicated group of privacy practitioners. Privacy Awareness Week is an important time to reflect on the importance of privacy for a healthy democracy, and to promote awareness of privacy rights and responsibilities. I see tonight as an opportunity to share with leaders in the field the Rudd Government’s progress in achieving a reformed national privacy framework.

The theme of this year’s Privacy Awareness Week is 'Privacy: It's in your hands'. This is such an apt theme in this age of unprecedented opportunities to share and gather information through the use of ever more sophisticated communications

technology, including mobile phones and social networking sites. It’s also a time of rapidly changing attitudes to information, especially amongst younger people, which is why it’s such a good idea to raise awareness about privacy and to help people take control of their personal information.

There’s a fantastic series of events lined up to mark this year’s Privacy Awareness Week, including the release of an online tool to help prevent ID theft (a joint product of the Asia Pacific Privacy Authorities), the launch of guidance on privacy and your mobile phone, and the release of an updated information sheet and FAQs on ID scanning. We’re also marking Privacy Awareness Week with the launch tonight of an important new Privacy Impact Assessment guide.

Privacy Impact Assessments The Rudd Government recognises that Privacy Impact Assessments are a best practice tool for evaluating the impact a project or policy may have on someone’s privacy, and for identifying possible solutions to address any privacy issues. 1

For example a Privacy Impact Assessment was conducted in 2006 while the government was developing anti-money laundering and counter-terrorism financing legislation. That Impact Assessment helped ensure that effective privacy protections were established in parallel with the expanded reach of law enforcement powers that the new legislation entailed. Ultimately, these privacy protections are crucial to the success of the scheme, which depends on public compliance; in turn, that compliance can only stem from public trust that the government has made every

attempt to minimise unnecessary and avoidable privacy intrusions.

In 2006, the Office of the Privacy Commissioner issued its first guidance for agencies on Privacy Impact Assessments. That Guide provided much needed assistance to government agencies in determining when and how to conduct a Privacy Impact Assessment. It’s been used by many agencies when developing policies that affect Australians.

The Australian Law Reform Commission saw how useful these guidelines were. In its landmark report on the state of privacy in Australia, the ALRC recommended that the guidelines also be tailored to meet the needs of the private sector. The Government agreed with the ALRC that such guidelines would be an important tool to encourage and assist private organisations to undertake voluntary Privacy Impact Assessments. 2

The Office of the Privacy Commissioner has already taken up the baton; it’s my pleasure tonight to launch this important new Privacy Impact Assessment guide, which includes a module specifically for the private sector.

The Office of the Privacy Commissioner is to be congratulated on its hard work developing the revised Privacy Impact Assessment guidelines. These guidelines will be a handy reference tool for agencies and organisations to ensure they’re in compliance with the Privacy Principles, and that privacy protection is built in to their

operations, rather than tacked on.

Because Privacy Impact Assessments are so important, in the Governments response to the ALRC report, it was decided that where an agency was undertaking a project that may have a significant impact on the handling of personal information

and the agency had not undertaken an Impact Assessment, then the Privacy Commissioner would have the power to direct an agency to conduct such an assessment. 3 However it's important to be clear that a Privacy Impact Assessment must not merely become a ‘tick-a-box’ exercise undertaken at the direction of the Commissioner. It will still be important for agencies to determine when developing a policy whether it will have an impact on privacy and therefore whether an impact assessment is needed.

As part of the government’s first stage reforms to the Privacy Act - and I'll update you on our privacy reforms in a moment - we’re drafting reformed Privacy Principles which apply to both the private and public sectors. This will entail a renewed focus

on ensuring that agencies and organisations demonstrate compliance with the Principles. The revised ‘Openness’ principle will encourage agencies and organisations to consider their information handling needs and practices before information is collected - that is, at the beginning of the information cycle. 4

Agencies and organisations will be required to take reasonable steps to develop and implement internal policies and practices that enable compliance with the Principles. This will include establishing procedures to identify and manage privacy risks and compliance issues, especially where designing and implementing systems for collecting and handling personal information. A Privacy Impact Assessment would be a clear example of an agency or organisation’s action to ensure compliance with the Privacy Principles.

Privacy Reform: Next steps I'd like to turn now to the government's broader plans for privacy reform. Late last year I announced the government’s first stage response to the ALRC's report on privacy reforms and our intention to make significant reforms to the Commonwealth

Privacy Act 1988. The reforms are intended to re-establish the foundations for a clear and simple framework for privacy protections.

Broadly speaking, our reforms to the Act include:

• a single set of Privacy Principles which will apply to both the public and private sectors; • the creation of a framework to allow comprehensive credit reporting along with requirements to strengthen complaints resolution mechanisms for

credit reporting disputes;

• improvements to protections around health information flows; and • stronger powers for the Information Commissioner to conduct investigations, resolve complaints and promote compliance.

The government also outlined its intention to simplify the structure and drafting of the Privacy Act. That means we expect to make substantial amendments to the Act to implement our first stage reforms.

We’ve begun drafting these significant reforms. In the next few months, I expect to release the proposed amendments to the Privacy Act in exposure draft form for independent review, before we introduce such legislation to Parliament. Instead of releasing one exposure draft, the government plans to release the amendments in parts for review by a Senate Parliamentary Committee.

This way, we can build the blocks to reform with as much input and discussion with experts and stakeholders as possible. We will start by releasing the first and fundamental block - the Privacy Principles. The Principles will set the foundations for

all other amendments to the Act, so we need to get it right, we need to make sure the foundations are strong, stable and can support the rest of the reforms. With this strong basis, we will build the next block of reform, and the next.

We anticipate that staged release of the amendments as exposure drafts will ensure that the Government progresses the reforms in an informed way, with each building block being as strong and stable as the next.

After each part of these significant reforms is consulted on, the government will introduce the reforms into Parliament as one bill.

In conclusion the Government is committed to establishing a first class privacy regime, and it’s pleasing that so many government agencies and private organisations already strongly support this agenda. In particular, I’d like to thank the Privacy Commissioner for starting to deliver the changes needed to fulfil the government’s reforms, including the new Privacy Impact Assessment guide we are here to launch tonight. Thank You.


Response to ALRC recommendation 47-4. Response to ALRC recommendation 47-5. Response to ALRC recommendation 47-4. Response to ALRC recommendation 24-1.

Media Contact: Website:

Sarah Cosson - 0423 823 843 or (02) 6277 7600