Telstra’s response to the OAIC’s Privacy Regulatory Action Policy and Guide to Undertaking Privacy Impact Assessments
Introduction
Telstra would like to thank the OAIC for providing these comprehensive documents for review. With the
recent amendments, including the strengthening of the regulatory and enforcement powers conferred on
the Australian Information Commissioner and the increased awareness around the need to incorporate
privacy into the design of business initiatives, both these papers are important to our business.
Privacy Regulatory Action Policy
General Comment
Telstra would like to congratulate the OAIC on the drafting of the Regulatory Action Policy. It is a detailed
outline of the OAIC’s intention of how it will take regulatory action and clearly a great deal of effort has
gone into outlining the goals, principles and responses.
Telstra understands the need for this policy, but like our industry body, the Australian Communications
Alliance, we are concerned about the broad scope of this document. We suggest the policy would benefit
from more guidance by the OAIC on:
- Events or thresholds that would trigger regulatory action by the OAIC, and
- Guidance on the approach in which regulatory action will be taken.
We are also concerned about the impact that this will have on the collaborative workings between
businesses and the OAIC. We acknowledge the scope of the new regulatory and enforcement powers,
but believe that the OAIC should balance those powers with its commitments to its preferred regulatory
approach, which is to work with entities to encourage compliance and best practice privacy practices. The
focus on taking action should not be at the expense of collaboration, especially as privacy enters into a
new era where technology impacting privacy is evolving at a rapid rate, cyber threats are increasing and
customer expectations around privacy are increasingly maturing. Collaboration is essential given the
necessary sharing of information. Telstra therefore is seeking clarity as to how the OAIC intends to work
with entities.
Telstra has cooperated extensively with the OAIC when it has taken regulatory action in the past. We
respect the OAIC’s regulatory powers and have worked extensively to provide commitments to remediate
any identified weaknesses in our privacy control framework. Our feedback from this experience which
may support the finalisation of this policy includes:
- The OAIC needs to balance its regulatory powers with respect to its resources. Telstra has been
  subjected to investigations stemming from regulatory action which have lasted over years.
  Leaving investigations open for such long periods of time creates an additional administrative
  burden and can create confusion for our customers when the final conclusions are made public.
  In addition, timely investigations especially in relation to core processes would assist entities in
  implementing any necessary changes to process to reduce the potential detrimental impacts to
  future customers. In this respect, we believe the draft policy should consider a commitment to
  taking regulatory action in a timely manner that is not unduly burdensome on businesses.
- Paragraph 22 of the draft policy states “...conducting an assessment of whether personal
  information is being maintained and handled in accordance with applicable privacy legislative
  obligations, such as the Australian Privacy Principles in the Privacy Act (s 33C). Through such an
  assessment, the OAIC would identify privacy risks and areas of non-compliance, and may make
  recommendations for how the entity might reduce those risks or address areas of noncompliance”.
  In our experience when regulatory action has resulted in findings of noncompliance, the OAIC has
  not elaborated on findings associated with a “failure to take reasonable steps”. In Telstra’s view,
  this output resulting from the regulatory action does not support our business or our customers as
  there is no clear reasonableness benchmark. In this respect, we believe the draft policy would
  benefit from the OAIC outlining:
  o what sources of information it will access in interpreting whether an entity has taken
    “reasonable steps” with regards to taking regulatory action (paragraph 35), and
  o how it will communicate to the public information around findings related to “a failure to
    take reasonable steps” including what it deems are the reasonable steps that needed to
    have been taken (subject to matters of confidentiality) (paragraph 54).
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 09/02/16
FINAL FOR APPROVAL| TELSTRA UNRESTRICTED | TELSTRA-ID-SYSTEM GENERATED IF EDMS | TELSTRA’S RESPONSE TO THE OAIC’S PRIVACY REGULATORY
ACTION POLICY AND GUIDE TO UNDERTAKING PRIVACY IMPACT ASSESSMENTS
PAGE 1/3
Communications
Like the Australian Communications Alliance, we are concerned about the possibility that the OAIC may
publicise regulatory action without consulting or giving advance warning to the entity under ‘The OAIC’s
approach to communication privacy regulatory action’. This seems to be in contradiction to the
constructive approach of the ‘Working with entities’ section, and takes away the opportunity from the entity
to investigate, assess and respond prior to a statement being published by the OAIC. Telstra is
committed to the highest level of customer service and, in circumstances where customers have been
impacted, would require the opportunity to contact such customers to inform them of the situation. The
suggested approach by the OAIC could unnecessarily cause concern by the public and damage
relationships and the trust Telstra has formed with its customers.
Prioritising matters for privacy regulatory action
Telstra believes that clear guidance should be provided as to when and how discretion will be used to
select and target matters for regulatory action and what factors would influence such a prioritisation. We
believe that where the OAIC decides to undertake an assessment of an entity where it is funded to do so,
that there is transparency as to where that funding has come from and why the particular entity was
chosen for an assessment.
The OAIC has indicated in the policy that it will be transparent and accountable for its regulatory action
through a range of review and appeal rights. However, details of how it intends to be transparent appear
to be missing from the policy in general, and there is no information about the review and appeal rights
mentioned.
We understand and support the need for a body to protect personal information of individuals.
Notwithstanding, there is a concern that the OAIC will fail to conduct preliminary investigations and
reasonably substantiate an alleged breach of privacy before contacting the accused entity and initiating an
investigation. The OAIC needs to be aware and take into consideration that a large amount of time and
resources are invested into responding to queries initiated by a regulatory body. When those allegations
are not initially investigated and are discovered to be unfounded, there is a significant and unnecessary
burden placed on the entity in question. This includes not only a financial burden but also a personal
burden to its employees and an inevitable impact on the customer as resources are focused away from
daily functions. We propose that there be guidelines detailed in the policy for the OAIC to follow to ensure
it reasonably validates an allegation before it contacts the entity in question.
Guide to Undertaking Privacy Impact Assessments
General Comment
Even though there are good take-outs for entities to consider in their approach to conducting a Privacy
Impact Assessment, the Guide to Undertaking Privacy Impact Assessments is very detailed and
prescriptive and we would suggest the Guide be limited to high level principles making it more practical
and flexible for entities to use, particularly as the Privacy Act applies to such a broad range of entities.
Entities should be allowed the freedom to customise their Privacy Impact Assessments, targeting the
specific range of products or services they provide or functions they undertake; this will allow for a more
valuable assessment in protecting our privacy, rather than a mind-set that entities need to go through a
check list which might not effectively cater for the functions of that entity.
We are concerned with the intent of the Guide to Undertaking Privacy Impact Assessments and the use of
the Guide by regulators (including the OAIC) for investigations into privacy complaints or privacy
breaches. We strongly suggest that a statement of intent be included in the Guide, explicitly stating that
the principles are a guide only and not to be used by a regulator to assess whether an entity has
conducted an appropriate Privacy Impact Assessment or not, thus ensuring regulators understand the
purpose of the Guide and use the Guide appropriately.
If more detail is required for agencies, agency applicable inclusions should be clearly highlighted as such.
Feel free to contact me if there are items raised that you would like to discuss.
Yours sincerely,
Ben Carr
Chief Privacy Officer