Search This Blog

Thursday, May 14, 2020

Privacy Commissioner and OAIC expected to do more on the smell of the same oily rag?

The Office of Australian Information Commissioner was asked again to do more with no additional resources, something it should be used to by now after six years of practice. That's since since the Abbott government had an unsuccessful crack at abolishing the Commission and successive governments in the years since kept the lid closed or just slightly ajar (with some additional privacy resources in last year's budget to go with earlier expansions of its role) on the moneybox. 
But wait-despite no one on the government side deviating from the script during debate the Attorney General told Shadow Attorney General Dreyfus separately his department is checking with the OAIC to ensure they have adequate resources.
(Perhaps too much to hope that the check might also dig into the issue of stretched OAIC Freedom of Information resources that include one commissioner instead of three as legislated, and to deal with something like a 90% increase in FOI review applications over the last four years that now form a long,long queue, and non existent resources for Information Policy functions.)
The OAIC issue arose as the Privacy Amendment (Public Health Contact Information) Bill 2020 sailed through both houses when Parliament sat this week.
The bill, as passed by the House of Representatives on Wednesday, passed the Senate this morning without amendment. 
Labor in the Senate did not support amendments put by the Greens and Centre Alliance citing the urgency of getting the legislation in place as quickly as possible.

Speakers in both houses drew attention to the extra responsibilities the bill places on the Privacy Commissioner and her office the OAIC, particularly this exchange in a committee hearing last week 
Senator Keneally: in light of the new and important oversight responsibilities that the draft bill would confer on the Privacy Commissioner, will the government be providing the Privacy Commissioner with any additional resources?
Ms Chidgey (Attorney General’s Department): There's no intention to provide additional resources. The Privacy Commissioner is able to undertake this work within their existing resources.
Shadow Attorney General Mark Dreyfus unsuccessfully moved a motion in the House that included a call call on the government to "provide additional funding to the (OAIC) and appoint a standalone privacy commissioner “to ensure that the commissioner is able to properly perform the important oversight functions provided for in this bill.” 

He spoke to this part of the motion thus:
"Another issue that I raised with the Attorney-General during discussion about this bill relates to the funding of the Office of the Australian Information Commissioner. In short, I do not think that the evidence of the Attorney-General's Department at last Wednesday's COVID-19 Senate select committee hearing that the commissioner requires no additional resources to fulfil her new oversight responsibilities is credible.In fact, it is incredible. You do not have to take my word for it. Just last October, the Information Commissioner told Senate estimates that her office is already underresourced.The Attorney-General has advised me that his department is engaging with the commissioner to ensure that she has the necessary resources to perform the important oversight functions provided for in this bill, the Privacy Amendment (Public Health Contact Information) Bill 2020. While I welcome that engagement and look forward to receiving an update over coming days or weeks, there is no question in my mind that additional funding is urgently required. The only question is how much.
It is also important to remember that for years the government has refused to appoint a standalone information commissioner, a standalone freedom of information commissioner or a standalone privacy commissioner. Instead, one person currently occupies all three of these important and demanding roles. As I've said repeatedly, this is unacceptable. In light of the new responsibilities that this bill would confer on the Office of the Australian Information Commissioner, now more than ever the government needs to appoint a standalone, dedicated privacy commissioner. The appointment of a full-time and properly resourced privacy commissioner rather than a commissioner forced to split her time between three different and demanding roles would make a further valuable contribution to building public confidence in the COVIDSafe app. It should not take a public health crisis for the government to show that it takes seriously the privacy of Australians.
Additional responsibilities for the Privacy Commissioner arise because as explained in the second reading speech:
  • The bill ensures COVIDSafe app data must  be treated as 'personal information' under the Privacy Act, by virtue of section 94Q. This automatically applies a range of existing Privacy Act protections to COVIDSafe app data, including privacy policy, notification, and security obligations. 
  • The commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a state or territory health authority handling COVIDSafe app data, is complying with the requirements in this bill. And to deal with complaints.
  • The commissioner will also have discretion to refer matters that may constitute a breach of a state or territory privacy law to the responsible state or territory privacy regulator. 
  •  The commissioner will provide regular public reports on the performance and exercise of her new powers and functions under part VIIIA.
  • The bill applies the existing Notifiable Data Breaches Scheme for which the commissioner is responsible to COVIDSafe app data under section 94S. The bill requires the administrator of the National COVIDSafe Data Store, or a state or territory health authority handling COVIDSafe app data, to notify the commissioner of any data breach involving COVIDSafe app data. The commissioner will then have the power to require the breach to be notified to affected individuals.The notification requirement would be automatic in the event of a data breach, which is much stronger than the protection in the Privacy Act's existing data breach notification requirements. 
Somewhere in there in there is also a COVIDSafe Privacy Advisory Committee, including the various Privacy Commissioners, to provide collective advice to the National Cabinet and the public regarding the operation of COVIDSafe.
The Commissioner welcomed changes to the act-no mention of the resources issue
Should be a snack really.

No comments:

Post a Comment