Over the past few months, I have visited over 40 government agencies to talk about privacy. In many cases I’ve been impressed by the depth of knowledge that exists across the sector on this topic, although there is still much work to be done.
My primary focus as Government Chief Privacy Officer is to increase privacy awareness and capability across the state sector. Where government agencies might have lagged behind the private sector in the past, I now see them gaining ground in privacy management and practice. In some cases, they are exerting influence beyond their immediate environment.
Identification of risks, breaches and near misses is a core component of good practice for privacy management and governance. I’m a huge believer in ‘you manage what you measure’, so it just makes sense that good feedback loops to management will lead to continuous improvement in privacy practice.
As I’ve met with each agency, I have requested that my office be kept informed of material breaches on a voluntary basis. This is to ensure we are able to provide the right support, tools and guidance to achieve the desired sector-wide lift in capability.
I have also advocated for voluntary reporting to the regulator, the Office of the Privacy Commissioner (OPC), because I believe anything that increases a regulator’s ability to understand the issues affecting its sector is helpful. At a practical level, both the OPC and my office can provide advice, support and counsel to manage breaches effectively.
My office also has a role in informing the wider state sector on ‘lessons learned’.
Current privacy legislation supports voluntary reporting of breaches to the Privacy Commissioner, but does not mandate it. This will change when proposed amendments to the Privacy Act come into effect: agencies will then be legally obliged to report material breaches to the OPC, and in some instances to inform affected individuals. That government has committed to this legislative reform is evidence of the support that exists for the Privacy Commissioner to exercise his regulatory powers.
While I’m very proud to say that some of our large public sector agencies are already leading the way with voluntary reporting to the OPC, I will be welcoming this law change because I believe it reinforces best practice.
Russell Burnard is the Government Chief Privacy Officer.