47.117 A possible alternative or addition to the Commissioner’s power to conduct PPAs would be the imposition of a requirement on agencies or organisations to undertake self-auditing.[166] The Corporations Act 2001 (Cth) model of financial reporting and audits was suggested as a possible model. That model includes an obligation on corporations to self-audit, to report periodically to ASIC, and to be subject to audit by ASIC. By analogy, organisations subject to the federal privacy regime could be required to self-audit privacy compliance and, if requested by the OPC, report to the Commissioner on their compliance.[167] The Commissioner could then conduct a PPA on such organisations as the Commissioner chooses, without being required to assess every organisation.

47.118 There is some movement towards self-auditing for privacy in the United States. While some regimes, particularly those relating to the private sector, ‘do not explicitly require the formal conduct and report of an audit, auditing is generally necessary in order to be in full compliance’.[168]

Submissions and consultations

47.119 In DP 72, the ALRC identified both support and opposition from stakeholders for requiring self-auditing for privacy compliance.[169]

47.120 While the ALRC did not propose that a self-audit requirement be introduced into the Act, it recognises that in some situations the UPPs may require a self-audit in order to be in full compliance with the principles. Prior to the Privacy Act being redrafted however, it was thought that instituting a self-audit requirement would be premature.

47.121 Before such a requirement can be considered, there needs to be uniformity in the privacy regimes across Australia.[170] The ALRC was also concerned that a requirement to self-audit may improve levels of compliance only if results are reported and the OPC has the time and resources to monitor self-audit reports produced and conduct spot audits to verify the self-auditing process. This would place a large compliance burden on agencies and organisations, and require significant use of OPC resources. It would also be particularly onerous for small businesses, if the ALRC’s recommendation to abolish the small business exemption were implemented.[171]

47.122 The ALRC did not receive further comments in response to DP 72 in relation to this issue.

ALRC’s view

47.123 For the reasons outlined above, the ALRC has concluded that agencies and organisations should not be required to self-audit and report on privacy compliance.[172] The OPC should continue, however, to educate agencies and organisations on the value of self-auditing, including to ensure compliance with the recommended ‘Openness’ principle.[173] The OPC also should clarify situations where it will regard a self-audit policy as a reasonable step to take to ensure the protection of personal information held, in compliance with the recommended ‘Data Security’ principle.[174]

[166] M Crompton and R McKenzie, Consultation PC 3, Sydney, 24 February 2006. See also M Crompton, ‘Respecting People, Their Individuality and Their Personal Information: The Key to Connected Government, Now and in the Future’ (Paper presented at Public Services Summit, Stockholm, 9 December 2005). See also Baycorp Advantage, Consultation PC 2, Sydney, 24 February 2006.

[167] A stakeholder to the Senate Committee privacy inquiry suggested a ‘self-audit-self-regulatory process’ as a more efficient way to deal with complaints: Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [6.21].

[168] C Easter, ‘Auditing for Privacy’ (2006) 2 I/S: A Journal of Law and Policy for the Information Society 879, 880.

[169] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [44.101]­–[44.111].

[170] In Ch 3, the ALRC makes several recommendations in this regard.

[171] Rec 35–1.

[172] This view was supported in submissions: Law Council of Australia, Submission PR 527, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[173] In particular, self-auditing can help agencies and organisations ensure that they have an adequate Privacy Policy in place. See also Ch 24. A similar suggestion was made in Veda Advantage, Submission PR 163, 31 January 2007.

[174] See Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.