Strengthening organisational accountability and introducing the controller/processor distinction

The proposals of the Attorney General's Privacy Act Review Report (Report) in this area signal a new approach to delineating responsibility over and liability for the handling of personal information, balancing and clarifying the obligations of different types of processor organisations with imposing more onerous obligations on these organisations. In some circumstances, this will also include non-APP entities which are not currently subject to the Privacy Act/APPs.

Following on from our previous four articles with respect to the Report (see list of articles below), this article addresses the Report’s proposals regarding ‘organisational accountability’ and the introduction into Australian law of the concepts of (and a distinction between) ‘controllers’ and ‘processors’ of personal information. These proposals are in line with the Report’s broad objective to shift Australia’s privacy regime to better align with the GDPR.

1. Organisational accountability

In order to improve organisational accountability, the Report proposes that:

• APP entities must determine and record the purposes for which they wish to collect, use and disclose personal information. If an APP entity wishes to use or disclose personal information for a secondary purpose, this purpose must also be recorded at or before the time such use is undertaken.
   
• Expressly require that APP entities appoint a senior employee to be responsible for privacy within the entity (i.e. as a Privacy Officer). This may be an existing member of staff who also undertakes other duties.

While it does not seem very much of an obligation to require APP entities to determine, before collection, the purposes for which they collect personal information, in practice it imposes a requirement that entities anticipate and consider the legality of the various particular instances and situations in which collection occurs and what is being collected and why. This will take considerable effort on the part of affected organisations, requiring significant mapping of current and future operations, products, services and functions (and how these relate to their lawful collection and handling of personal information).

This proposal is distinct from the current requirement to notify individuals of the personal information about them that is being collected and what it will be used for at the time of collection. This proposal involves the creation and maintenance of internal records noting (and having considered) all purposes for which an organisation collects, uses and discloses personal information and, therefore, whether such are permitted/lawful for that organisation in the circumstances. By requiring organisations to have such records, this proposal anticipates that such records can then act as a helpful resource for future compliance (e.g. the modification of what personal information is collected and the development of new privacy notices and policies) and, dare we say it, ‘evidence’ for the OAIC in any investigation or complaint.

In its submission to the Discussion Paper, the OAIC argued that this would ensure entities have specific and limited collection purposes in mind going forward as opposed to the more broad and open-ended approaches (i.e. ‘it would be nice to know X’) currently embraced. It was noted by other submissions to the Discussion Paper, the requirement of internal purpose(s) recording does not seem distinct enough from the ‘behind the scenes’ efforts involved in preparing an organisation’s privacy policy and notices. However, these submissions appear to have missed the potential practical consequences noted above.

Appointing a Privacy Officer (another proposal aimed at addressing organisational accountability) will also help with the onerous task of implementing the Report’s many proposals (if enacted). The Report envisions that this proposal will provide organisations with a ‘point person’ (or team) dedicated to assisting with and being responsible for both the initial implementation of privacy-related changes and continuing privacy compliance. This is also aimed at centralising privacy obligations within organisations and minimising the risk that compliance falls to the wayside. Again, as regards any OAIC investigations or complaints, this will be the person with whom the OAIC will liaise (and expect to know the answers to its questions). While such an approach is current best practice, if enacted this will see a ‘Privacy Officer’ become mandatory.

2. Introduction of ‘controllers’ and ‘processors’

The Report proposes the introduction of a GDPR-style distinction between the types of entities responsible for processing/handling personal information. In particular, the Report proposes introducing the concepts of ‘controllers’ and ‘processors’ into the Act. Pending removal of the small business exemption, a non-APP entity (e.g. current exempt small business) that processes information on behalf of a controller will be subject to at least key requirements of the Act/APPs in relation to its processing of personal information as a ‘processor’ (i.e. by standard contractual clauses that the controller is required to impose).

The introduction of this GDPR-style distinction and allocation of different responsibilities and obligations to each is a significant move away from the current approach to entities handling personal information – which extends the Privacy Act and APPs equally without distinction (subject only to exemptions) to all those who process/handle personal information. That is, under current Australian privacy law a ‘processor’ subject to the Privacy Act is subject to the same obligations as their ‘controller’. The Report notes that this current cover-all approach has led to problems in circumstances where APP entities holding personal information as, what would be known under the GDPR as, ‘processors’ are removed from the individuals to whom the personal information relates (and thus are hindered in their efforts to meet their APP obligations).

By distinguishing between ‘controllers’ and ‘processers’ the Report states that responsibilities of entities in a contractual relationship involving the handling of personal information becomes far clearer and promotes greater future compliance. However, pending removal of the small business exemption (i.e. those below $3m annual turnover), the introduction of a ‘processor’ category may have the practical effect of extending the Privacy Act and APPs to those entities currently exempt from complying with the Privacy Act.

This proposal also has a practical effect not raised in the Report. It will, if enacted, shift a large degree of responsibility for privacy compliance of ‘processors’ to the ‘controllers’, as it has under the GDPR. That is, controllers must ensure that their processors meet and comply (using standard contractual clauses, among other things) with their privacy obligations. This shifts a significant amount of the oversight of and responsibilities for privacy compliance away from the OAIC to the controllers. While this is an attractive proposition for the OAIC, controllers will face a significant burden under this new compliance oversight of their processors responsibility.

Next Steps

As these proposals will, if enacted, constitute a significant organisational change, we suggest businesses review and consider the above and now begin to identify and evaluate how they will implement them and any relevant flow-on considerations.

In providing the above as an overview of some of the key proposals of the Report, our aim is to raise awareness and alert you to what we perceive as the implications of these key proposals. However, please do not hesitate to reach out if you wish to discuss in more detail any proposals of the Report, their potential impact on you or if we can be of any assistance.

To read the first 4 articles in the series, please see below:

Article 1

Article 2

Article 3

Article 4