Audit functions

Background

47.87 The Commissioner has a number of functions under the Privacy Act to audit compliance. The OPC describes an audit as ‘a snapshot of personal information handling practices in relation to an agency or organisation program at a certain time and in a particular location’.[122] An audit involves a systematic inspection and review of an agency or organisation, to obtain evidence to enable the Commissioner to assess the extent to which records are maintained in accordance with various provisions of the Act.[123] The ‘spot-audit’ and examination functions conferred on the Commissioner are divided among the IPPs,[124] TFN information,[125] and credit reporting provisions.[126]

47.88 The number of audits carried out each year by the OPC has ‘varied over the life of the Privacy Act depending on the nature of privacy complaints and other priorities of the Office’.[127] The OPC notes, in its 2006–07 Annual Report, that consistent with the approach taken since 2002–03, the OPC mainly undertook audits where it received specific funding to so do. With the clearing of the backlog of complaints in late 2007, the OPC expects to expand its audit program in 2008.[128]

Audits of organisations

47.89 Organisations are subject to audit by the Commissioner under functions associated with the TFN and credit reporting provisions, as discussed above. There is no general power to ‘spot audit’ the privacy compliance of organisations. If an organisation requests it, however, the Commissioner can examine the records of personal information maintained by the organisation, for the purpose of ascertaining whether the records are maintained in compliance with either an approved privacy code or the NPPs, as applicable.[129] As at the date of the OPC Review, the Commissioner had not conducted any audits under this power.[130]

Previous inquiries

47.90 Several stakeholders making submissions to the OPC Review and Senate Committee privacy inquiry submitted that the NPPs should be amended to confer an audit power on the Commissioner.[131] One participant in the OPC Review commented that if the Commissioner had audit powers, ‘we might be able to convince our boards to comply [with the Privacy Act]’.[132] Others expressed the view that an extended audit power is necessary to maintain public confidence in the Commissioner’s role.[133]

47.91 The OPC Review did not recommend, however, that the Commissioner be given the power to audit organisations. While recognising that a private sector audit power may increase community confidence in the efficacy of the Privacy Act and give the OPC additional power to identify systemic issues and to monitor responses, the OPC concluded that it would have resource implications and may be a more appropriate role for private consultants to perform.[134] The OPC Review recommended instead that it would ‘consider promoting privacy audits’ by organisations, such as by providing information on the value of auditing as evidence of compliance in the event of complaints, and by developing and providing privacy audit training.[135] In contrast, the Senate Committee privacy inquiry urged the introduction of OPC private sector auditing powers.[136]

Private sector audits in other jurisdictions

47.92 The Canadian Privacy Commissioner has power to conduct audits of private sector organisations under the Personal Information Protection and Electronic Documents Act 1985 (Canada).[137] This Act provides that the Canadian Privacy Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organisation if the Commissioner has reasonable grounds to believe that the organisation is contravening particular provisions of the Act.[138]

47.93 The UK Information Commissioner’s power to conduct audits on private sector organisations has a limitation, similar to that of the OPC—it can only be done with the organisation’s consent.[139] The UK Information Commissioner has consistently called for stronger powers to allow his Office to carry out inspections and audits of organisations without the organisation’s consent, arguing that the requirement for consent ‘fetters’ the power to conduct audits and inspections and ‘limits proactive oversight and the deterrent effect of possible inspection in areas where there may be real risks to compliance’.[140]

Submissions and consultations

47.94 In DP 72, the ALRC identified support in submissions and consultations for the Commissioner’s existing audit powers. Stakeholders also generally supported introducing a private sector audit power, although there were those who favoured extending the Commissioner’s power without limitation (similar to the power to audit agencies) and those in favour of extending it with some qualification—for example, restricting its use to where there is evidence of some widespread or systemic issues in the organisation or industry.[141]

47.95 In DP 72, the ALRC proposed that the audit power be extended to the private sector, without qualifying the power.[142]

47.96 There was support for the proposal from a number of stakeholders.[143] The Australian Lawyers Alliance, for example, suggested that the fact that the Commissioner has not conducted any audits to date demonstrates the current regime has not been highly successful.[144]

47.97 A number of organisations, however, opposed the proposal on the basis that a general audit power was unnecessary, would create a compliance burden and is inconsistent with an outcomes-based regulatory approach.[145] Stakeholders from the financial services industry noted that their businesses already are subject to a number of notification, self-audit or audit requirements from other regulators, such as the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority, the Australian Transaction Reports and Analysis Centre and state and territory fair trading agencies.[146] It was argued that the resources required to comply with an audit power would be high, and disproportionate to the likely benefits to consumers. Avant submitted that ‘in light of a system to hear complaints about breaches of the Privacy Act having spot-audits is unnecessary over regulation’.[147]

47.98 A large number of stakeholders were supportive of introducing a qualified audit power.[148] The OPC recommended the introduction of a qualified audit power (expanding on its ‘own motion’ investigation functions) to allow the Office to audit organisations where the Privacy Commissioner had reasonable grounds to believe that the organisation was engaging in practices that:

  • posed new and significant risks to personal information they hold; or

  • contravened the privacy principles in the Act or a commitment made in resolution to a complaint or own motion investigation.

47.99 In the OPC’s view:

this approach allows pro-active assistance to be provided to organisations seeking to introduce new technologies or projects, and to have the power to appropriately react when the Office is made aware of situations where particular risks or practices of concern have been identified such as significant systemic breaches.[149]

47.100 The OPC also suggested that use of the word ‘audit’ may have inherent negative connotations—characterising the relationship between the OPC and the organisation as that of ‘police officer and suspect’. In the OPC’s view, this could undermine efforts to encourage organisations to recognise the inherent value in good privacy practice and the role of the OPC in assisting organisations in this regard. The OPC suggested that the use of the term ‘privacy performance assessment’ might reflect this approach better.[150]

47.101 Some stakeholders did not support audits of organisations in principle, but argued that if they were to be used, then this should be only where the OPC has reasonable grounds to suspect that an organisation is not complying with the Privacy Act.[151] In the view of Australian Unity, however, the OPC’s own motion investigation powers would better serve the purpose of investigating an organisation where a real suspicion about compliance existed.[152] Telstra also expressed the concern that a ‘spot audit’ power

may complicate the overall enforcement approach if the Privacy Commissioner could undertake an audit to address situations where there is a reasonable belief that the organisation is engaging in non-compliant acts or practices. There is a real risk that a spot audit would compromise own motion investigations and create a lot of uncertainty for organisations around the purposes or function of any audit by the Privacy Commissioner.[153]

47.102 The Australasian Compliance Institute stated that, if the OPC were granted an ‘own motion’ power, then it would support the audit power being used as an educative tool to assist organisations to identify areas for improvement within their privacy compliance frameworks.[154] The Department of Human Services, while giving support to the proposal, agreed that audits should be focused on education and prevention, rather than the imposition of penalties.[155]

ALRC’s view

47.103 The OPC’s audit functions are an important part of its compliance activities. The power to conduct audits is one of the few proactive regulatory tools vested in the OPC, in that it allows the Commissioner to monitor an agency or organisation’s compliance with the Privacy Act before, and in the absence of, evidence of non-compliance, with the aim of preventing such non-compliance occurring in the future. It also allows the Commissioner to identify systemic issues and bring about systemic change, and to use information gathered in an audit to target educational materials and programs.[156]

47.104 The ALRC supports the OPC’s suggestion that audits should be referred to as ‘Privacy Performance Assessments’ (PPAs) to emphasise the educational and non-confrontational nature of the process.

Own motion investigations

47.105 It is important to maintain a clear distinction between the Commissioner’s PPA functions under the Act, which are educative and preventative, and the power to conduct an own motion investigation.

47.106 Where the OPC has a reasonable belief that an organisation is engaging in practices that contravene the privacy principles in the Act, then the appropriate power to investigate such conduct is the own motion investigation power. The point of the own motion investigation power is to allow the Commissioner to investigate an act or practice that may be an interference with privacy of an individual.[157] It is not appropriate for the Commissioner to respond to such circumstances by undertaking a process with a purely educational focus. In addition, the distinction between an own motion investigation and a PPA will be much clearer if the ALRC’s recommended compliance order power is implemented, which would empower the Commissioner to issue an order following an own motion investigation.[158] These issues are discussed further in Chapter 50.

47.107 Where the Commissioner is of the view that the act or practice that is breaching the settlement conditions is also an interference with privacy—where, for example, an organisation has continued a practice that the Commissioner has previously investigated and found to be in breach of the Privacy Act—then it would be more appropriate and effective to launch a new own motion investigation, rather than to conduct a PPA, so that the Commissioner can issue a compliance order (which can be enforced in the Federal Court), or an enforcement action to be commenced in the Federal Court, if a determination or compliance notice has already been issued.

Audit function

47.108 In relation to private sector audits, there is some consensus among stakeholders that the Privacy Commissioner should have a power to conduct a PPA of organisations to assess compliance with the NPPs. The difference of opinion arises as to when the Commissioner should be able to exercise the power, and, in particular, whether the Commissioner should have a wide or a qualified power.

47.109 The real value of PPAs lies in their proactive nature—they can be used to take a snapshot of the level of compliance in an agency or organisation or across an industry. The presence of an audit power can act as an important preventative measure, as ‘the existence of the audit functions and programs encourages organisations subject to the Act to take compliance seriously’.[159]

47.110 The Commissioner should be empowered, therefore, to conduct a PPA on the levels of compliance in organisations more generally, as he or she is currently empowered to do in relation to agencies.

47.111 In addition, where the Commissioner is concerned that the organisation is engaging in practices that pose new and significant risks, but does not think that the acts or practices currently constitute an interference with privacy, then the Commissioner could, and should, undertake a PPA. Even where the risk identified may be speculative and may not have eventuated, it would be appropriate to use the PPA power, as such a power has an educational focus.

47.112 PPAs also could have a role to play following a complaint settlement or determination, or the issuance of a compliance notice.[160] In particular, it may be valuable for the Commissioner to undertake pre-emptive ‘spot’ PPAs to assess whether the organisation is abiding by the terms of the settlement, determination or compliance notice—or to require the organisations themselves to undertake such audits. This is analogous to an undertaking under s 87B of the Trade Practices Act 1974 (Cth), which may include agreement by the company to have its compliance program independently audited for a number of years and provide the audit report to the Australian Competition and Consumer Commission (ACCC).[161]

47.113 The ALRC’s approach is consistent with the current position of audits on the compliance spectrum—that is, they are considered primarily educative and there are no penalties attached to a poor privacy audit (unless there is some evidence of deliberate wrongdoing).[162]

47.114 The ALRC does not agree that PPAs are inconsistent with principles-based regulation. A PPA does not involve the Commissioner mandating the steps that an organisation must take to comply with the Act. Rather, the Commissioner is assessing whether the steps the organisation has decided to take meet the objectives of the principles.

Audit manuals

47.115 If the Commissioner’s audit function were expanded to include private sector audits, it would be valuable for the OPC to develop an audit manual for organisations (or amend the existing IPP Manual) to provide further detail on the processes involved in an audit. In addition, the audit manuals should clarify when the results of an audit will be used in an educative and collaborative manner, and when they may lead to sanctions. Audit manuals should be updated to reflect the OPC’s current expectations as to the levels of compliance to be achieved by agencies and organisations.[163]

Consolidating audit functions

47.116 Consistently with the ALRC’s recommendation that the Privacy Act be amended to achieve greater logical consistency, simplicity and clarity,[164] the audit functions of the Commissioner should be consolidated. Given the ALRC’s recommendation to introduce Unified Privacy Principles (UPPs),[165] audit functions for agencies and organisations could be combined and could include TFN and credit reporting auditing. References to agencies or organisations would include agencies or organisations in their capacity as TFN recipients and as credit providers or credit reporting agencies, as applicable.

Recommendation 47-6 The Privacy Act should be amended to empower the Privacy Commissioner to conduct ‘Privacy Performance Assessments’ of the records of personal information maintained by organisations for the purpose of ascertaining whether the records are maintained according to the model Unified Privacy Principles, privacy regulations, rules and any privacy code that binds the organisation.

[122] Office of the Privacy Commissioner, Audit Information (2007) <www.privacy.gov.au/government/audits
/index.html> at 15 May 2008.

[123] Office of the Privacy Commissioner, Privacy Audit Manual—Part I (Information Privacy Principles) (1995), 5. See also Office of the Privacy Commissioner, Privacy Audit Manual—Part II (Tax File Number Guidelines) (1995); Office of the Privacy Commissioner, Privacy Audit Manual—Part III (Credit Information) (1995).

[124]Privacy Act 1988 (Cth) ss 27(1)(h), 27(1)(h).

[125] Ibid s 28(1)(d), 28(1)(e), 28(1)(h).

[126] Ibid s 28A(1)(g), 28A(1)(j). Note, the Commissioner also has a monitoring role under the Telecommunications Act 1997 (Cth), which is discussed further in Part J.

[127] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 60.

[128] Ibid, 60.

[129]Privacy Act 1988 (Cth) s 27(3).

[130] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 157.

[131] See Ibid, 145; Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [6.35], [6.39].

[132] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 133.

[133] Ibid, 145.

[134] Ibid, 157.

[135] Ibid, rec 39.

[136] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.56].

[137] The Canadian Privacy Commissioner also has power to conduct audits on government bodies: Privacy Act RS 1985, c P-21 (Canada) ss 37–39.

[138]Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada). Guidance on the circumstances that may lead to an audit is provided in Office of the Privacy Commissioner of Canada, A Guide for Businesses and Organizations: Your Privacy Responsibilities—Canada's Personal Information Protection and Electronic Documents Act (2004) <www.privcom.gc.ca/information/guide_e
.asp> at 14 May 2008, 25.

[139]Data Protection Act 1998 (UK) s 51(7).

[140] United Kingdom Government Information Commissioner’s Office, Evidence Submitted to the Home Affairs Committee Inquiry into ‘The Surveillance Society?’ 23 April 2007, 7. These calls were also made following the loss of over 25 million records by Her Majesty’s Revenue and Customs Service in November 2007. See, eg, R Blakely, ‘Data “Fiasco” Leads to Call for Law Changes’, Times Online (Online), 20 November 2007, <business.timesonline.co.uk>.

[141] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Ch 44.

[142] Ibid, Proposal 44–6.

[143] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Lawyers Alliance, Submission PR 528, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[144] Australian Lawyers Alliance, Submission PR 528, 21 December 2007.

[145] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[146] Investment and Financial Services Association, Submission PR 538, 21 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[147] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[148] Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Financial Planning Association of Australia, Submission PR 496, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[149] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[150] Ibid.

[151] Insurance Council of Australia, Submission PR 485, 18 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007;

[152] Australian Unity Group, Submission PR 381, 6 December 2007.

[153] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[154] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[155] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[156] See Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2004–30 June 2005 (2005), 50. See also Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 60.

[157] See s 40(2).

[158] Rec 50–1.

[159] See Office of the Privacy Commissioner, Audit Information (2007) <www.privacy.gov.au/government/
audits/index.html> at 15 May 2008.

[160] Rec 50–1.

[161] Australian Competition and Consumer Commissioner, Section 87B of the Trade Practices Act: A Guideline on the Australian Competition and Consumer Commission’s Use of Enforceable Undertakings (1999), 7.

[162] The TFN Manual explains that, if any evidence of deliberate breaches of the Guidelines are detected by the auditors, the matter will be referred to the relevant authority for consideration of further action: Office of the Privacy Commissioner, Privacy Audit Manual—Part II (Tax File Number Guidelines) (1995), 4.

[163] The ALRC notes that the manuals reflect the Commissioner’s expectations at the time the Manuals were published, which may now be outdated. For example, the Credit Reporting Manual sets out that, as credit reporting provisions have only been in force since 1992, the ‘Commissioner has taken the view that credit providers should be given the benefit of the doubt where instances of breach are detected. In any case only in clearly culpable circumstances would further action be taken’. See Office of the Privacy Commissioner, Privacy Audit Manual—Part I (Information Privacy Principles) (1995), [1.6.1]–[1.6.2].

[164] Rec 5–2.

[165] Rec 18–2.