ALRC’s preference for compliance-oriented regulation

4.62 With its focus on achieving outcomes, compliance-oriented regulation provides a useful framework to administer a principles-based regime such as the Privacy Act. The theory on which compliance-oriented regulation is based provides a prism through which to view and assess the compliance model underpinning the Act and the approach taken by the OPC to fostering compliance. It also provides an holistic approach for considering which regulatory strategies would best achieve the objectives of the Act.[52]

4.63 The ALRC makes a number of recommendations in this Report to strengthen the Commissioner’s ability to foster and secure compliance in the first instance, monitor compliance as an on-going concern, and enforce compliance where required.

Securing compliance

4.64 The Privacy Commissioner is currently empowered under the Privacy Act to give advice, undertake education programs and issue guidelines and other forms of guidance to help agencies and organisations comply with the privacy principles and the objects underlying these principles. The ALRC supports these current functions, and recommends that certain functions be amended to be expressed as broadly as possible.

4.65 The ALRC particularly supports the critical role of the Privacy Commissioner to provide guidance, consistent with the third part of the ALRC’s regulatory approach. Guidance can be provided in a variety of forms. One of the most obvious is through guidelines issued by the Privacy Commissioner. Guidance can be provided in information available on the regulator’s website, through frequently-asked-questions (FAQs), information sheets, advice, a telephone hotline for enquiries, education programs and tips for compliance. As well as prescribing positive steps for compliance, guidance can be phrased in the negative and set out what will not be sufficient in order to achieve compliance with a principle. For example, guidance on the ‘Data Security’ principle could state that the application of a user name and password is not considered adequate security.

4.66 The Privacy Commissioner has a number of functions that empower him or her to provide guidance to agencies and organisations. These include the functions to: promote an understanding and acceptance of the privacy principles and the objects of those principles;[53] prepare guidelines for the avoidance of acts that might be interferences with privacy or have adverse effects on privacy;[54] provide advice to an agency, organisation or a minister on any matter relevant to the operation of the Act;[55] and undertake education programs for the purpose of promoting the protection of individual privacy.[56] These functions and powers are discussed in detail in Chapter 47.

4.67 A technique suggested by Parker to foster compliance is to encourage the growth of ‘compliance professionals’ and to promote communication between the compliance professionals and the regulator. Parker has suggested that ‘an emerging compliance profession can act as a medium of [a] regulatory community if regulators are willing to engage with them and can also act as a pool of compliance expertise that can be translated into corporate compliance capacity’.[57]

4.68 The ALRC recognises the emergence of the ‘privacy professional’ in recent years, and the increasing profile of ‘privacy officers’ in the organisational hierarchy.[58] The OPC should continue to support the growth of privacy professionals and networks such as Privacy Contact Officers and Privacy Connections. Consistent dialogue between the regulator and regulated can help build a ‘culture’ of privacy, by integrating compliance into organisational practice and developing a shared understanding of the objectives of the Privacy Act.[59] A strong relationship between the regulator and regulated entities can also provide a constant update on compliance levels in industries, and can provide more ‘intelligence’ into how compliance programs are working, how determinations are being received, and other issues. It also provides support to privacy officers in their respective entities, in being able to promote proper privacy practices and engage top levels of management in making privacy compliance a priority.

Monitoring compliance

4.69 Monitoring for compliance is an important part of administering a principles-based regime such as the Privacy Act. It recognises that agencies and organisations can decide the steps they will take to achieve the outcome set by the principle, and it provides an avenue for the regulator to assess whether those steps are adequate in an educational, non-confrontational and facilitative way.

4.70 The ALRC recommends in Chapter 47 that the Commissioner’s existing powers to monitor compliance be expanded with the addition of a power to conduct a Privacy Performance Assessment of organisations, in addition to the Commissioner’s existing powers to audit in the public sector. Monitoring can and should be used as a proactive tool to secure compliance and to ensure that compliance has been restored after an incident of non-compliance.

Enforcing compliance

4.71 In relation to enforcing compliance, the ALRC strongly supports the enforcement pyramid approach to regulating the Privacy Act, and makes several recommendations in Part F to widen the range of strategies that are available to the OPC to enforce compliance with the Privacy Act.

4.72 It is important that the OPC adopt a compliance-oriented approach in applying these strategies. While it is consistent with compliance-oriented regulation—and principles-based regulation—to focus initially on restoring compliance through negotiated outcomes (such as conciliation), the OPC should not confine itself to this approach. In particular, the ALRC notes Parker’s suggestion that a compliance-oriented regulatory design must incorporate enforcement, ‘otherwise, regulators cannot meaningfully and discriminately apply incentives, persuasion, and cooperation to organisations that are complying or attempting in good faith to comply’.[60] As Black suggests, enforcement can play a pivotal role in providing ‘incentive structures’ to promote compliance.[61]

4.73 It is crucial that there be an element of public enforcement in the OPC’s regulation of privacy, consistent with Parliament’s expectation that the Commissioner ‘be the means by which there will be accountability to the public on the use by government of their personal information’.[62] A clear enforcement policy that outlines what the usual response to a particular type of breach will be and how that response can be mitigated—such as by evidence of a good internal compliance program—can provide incentives for organisations to put in place those mitigating practices. Such a policy also allows the regulator to discriminate between agencies and organisations that are genuinely trying to comply and those that are not. The regulator can then adopt enforcement responses that send a strong message of general deterrence to the regulated community. This encourages agencies and organisations to keep complying (or at least keep trying to comply), as they will see that non-compliance, combined with no effort to comply, will attract strong sanctions from the regulator.

4.74 Consistent with the compliance-oriented regulatory design underpinning the Privacy Act, the ALRC encourages the OPC to implement a compliance policy that adopts an explicit enforcement pyramid approach to restoring compliance and enforcing the Privacy Act. If the OPC is using, and is being seen to be using, a wide range of strategies to ensure compliance with the Privacy Act, the benefits of specific and general deterrence that can be generated by a transparent, balanced and vigorous enforcement approach can be achieved.

Light-touch regulation?

4.75 The issue of enforcement often raises the related issue of ‘light-touch regulation’. This term appears to be used to describe a variety of approaches and behaviours, some pertaining to the actual form of regulation, others to the regulator’s approach to enforcing the Act.

4.76 ‘Light-touch’ can refer to the impact of the actual form of regulation. A pure form of principles-based legislation can be described as ‘light-touch’ in the sense that its object is not to regulate by laying down detailed operational rules that an organisation must follow in order to be in compliance with the law. Rather, principles-based legislation steps back and states the outcome the regulator wants the regulated entity to achieve, and generally leaves it up to that entity to determine how it is best suited to achieving that outcome.

4.77 Given the hybrid regulatory model adopted by the ALRC, it is not appropriate to describe the privacy regime as uniformly light-touch. While areas regulated primarily by the model UPPs could be described as relatively light-touch, it is unlikely that the recommended Privacy (Credit Reporting Information) Regulations would be similarly described.

4.78 Whether the regime can be described as ‘light-touch’ does not affect the level of compliance which is to be achieved by regulated entities. That is, a light-touch regime does not mean that an agency or organisation does not have to find a way to the outcome, or that compliance is optional or flexible.

4.79 Similarly, the emphasis on preventing breaches in the first instance does not mean that non-compliance with the law will be tolerated and punitive sanctions will not follow a breach. ‘Light-touch’ does not necessarily mean ‘soft-touch’ in the compliance response of the regulator, nor does it mean that Parliament intended that the Privacy Act not be enforced or that non-compliance be tolerated.

4.80 While compliance-oriented regulation emphasises attempts to restore or nurture compliance through voluntary and conciliatory methods, this merely is the preferred approach; it is not the only approach. In some instances, the nature of the breach may be so serious and the behaviour so egregious that a punishment-oriented response—such as seeking civil penalties—will be considered appropriate.

4.81 Alternatively, the particulars of the breach may demonstrate that the respondent is having trouble, either deliberately or in good faith, with finding its own way to achieving the principle. In such circumstances, the appropriate enforcement response may be to prescribe the steps the respondent should take to achieve compliance with the principle. A principles-based regime does not mean that agencies and organisations will always be left to find their own way to achieving compliance with the principle after an instance of non-compliance.

[52] C Parker, ‘Reinventing Regulation within the Corporation: Compliance Oriented Regulatory Innovation’ (2000) 32 Administration and Society 529, 531.

[53] Privacy Act 1988 (Cth) s 27(1)(d).

[54] Ibid s 27(1)(e).

[55] Ibid s 27(1)(f).

[56] Ibid s 27(1)(m).

[57] C Parker, ‘Reinventing Regulation within the Corporation: Compliance Oriented Regulatory Innovation’ (2000) 32 Administration and Society 529, 555.

[58] The growing prominence of privacy officers within corporations was noted in International Association of Privacy Professionals, ‘Ponemon Institute, IAPP Announce Results of Annual Salary Survey’ (Press Release, 11 March 2005).

[59] The ALRC notes the OPC Review’s recommendation that it would ‘develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations’: see Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 50.

[60] C Parker, ‘Reinventing Regulation within the Corporation: Compliance Oriented Regulatory Innovation’ (2000) 32 Administration and Society 529, 534.

[61] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 8.

[62] Commonwealth, Parliamentary Debates, House of Representatives, 1 November 1988, 2117 (L Bowen–Attorney-General). This speech only refers to the government, as organisations were not covered by the Privacy Act when the Act was originally passed.