Facilitating compliance with the Privacy Act

Compliance-oriented regulation

45.7 As examined in Chapter 4, the Privacy Act is a principles-based regime. As such, it relies on relatively high-level principles to set out the objects that Parliament has determined regulated entities should achieve in dealing with personal information. These objects are, for example: to collect only information that is necessary to fulfil the regulated entity’s functions; to take reasonable steps to secure data; and to take reasonable steps to ensure that the data is accurate.

45.8 In a principles-based regime, the regulator plays a particularly significant role, for a number of reasons. First, in supporting the continuation of principles-based regulation for the privacy regime in Australia, the ALRC is supporting both the use of principles as the primary regulatory tool and also the adoption of a more outcomes-based approach to regulating privacy.[6] In particular, the ALRC endorses the emphasis on fostering and securing compliance through guidance, education and other facilitative methods.

45.9 The emphasis on guidance raises the second reason why a regulator plays a pivotal role in a principles-based regime. Guidance is a critical part of administering a principles-based regime such as the Privacy Act and, as such, is a key component of the ALRC’s recommended regulatory model. The OPC must play a critical role in providing this guidance, to help regulated entities understand their obligations under the Privacy Act. Throughout this Report, the ALRC has made recommendations to increase the level of guidance offered by the OPC.

45.10 The other key components of the regulator’s role in a compliance-oriented regulatory design are to monitor compliance and enforcement. While Chapter 4 explores the theory behind these issues in more detail, Part F looks at the functions and powers of the federal privacy regulator which will help give life to the ALRC’s model of compliance-oriented regulation. In particular, it is useful to consider the powers set out in Chapter 47 in terms of their purpose in either fostering compliance (for example, the oversight powers) or monitoring compliance (such as the audit powers), and the powers in Chapters 49 and 50 in relation to enforcing compliance.

[6] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 3.