45.12 Chapter 47 examines the functions and powers vested in the Privacy Commissioner by the Privacy Act. The general approach of the Privacy Act is to state the Commissioner’s ‘functions’ and give the Commissioner ‘power’ to do all things necessary or convenient to be done for or in connection with the performance of his or her functions. While much of this Report refers to the ‘OPC’, the actual functions and powers outlined in the Privacy Act are vested in the Privacy Commissioner and are to be exercised—or delegated—by the individual appointed as Privacy Commissioner.
45.13 The Privacy Commissioner has functions in relation to interferences with privacy generally, tax file numbers and credit reporting. The Commissioner also has compliance functions under other federal legislation.
Oversight and compliance functions
45.14 Chapter 47 considers the Privacy Commissioner’s functions of overseeing and monitoring compliance with the Privacy Act—including the functions of giving advice and guidance, undertaking educational programs, and conducting audits—and the Commissioner’s powers to issue Public Interest Determinations. The ALRC makes a number of recommendations to reform these functions, to expand and strengthen the Commissioner’s powers of securing and monitoring compliance with the Privacy Act. One recommendation is to empower the Privacy Commissioner to conduct a Privacy Performance Assessment of an organisation’s compliance with the model UPPs, privacy regulations, rules and any privacy code that binds the organisation.
Privacy impact assessments
45.15 Chapter 47 also examines the very topical issue of Privacy Impact Assessments. The chapter looks at the role of Privacy Impact Assessments in the regulatory regime, and considers the role they play in facilitating privacy compliance. The ALRC recommends that the Privacy Act should be amended to empower the Privacy Commissioner to direct an agency to provide to the Commissioner a Privacy Impact Assessment in relation to a new project or development that the Commissioner considers may have a significant impact on the handling of personal information. Another recommendation is that guidelines be developed for organisations to encourage them to use Privacy Impact Assessments as part of their planning processes.