APP CODE FOR COMMONWEALTH AGENCIES
On 1 July 2018, the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code) commenced. The Code is designed to enhance the privacy accountability and capability of agencies and is in line with a shift towards a more proactive and vigilant approach to privacy.
The Code is specific to Commonwealth Government Agencies and applies in addition to their obligations arising from the Privacy Act 1988(Cth) and the Australian Privacy Principles (APPs).
The Code requires all agencies to:
- implement a privacy management plan;
- have at least one designated Privacy Officer;
- appoint a designated Privacy Champion;
- conduct privacy training in staff induction; and
- conduct privacy impact assessments for all high privacy risk projects.
Privacy Management Plans
The purpose of a Privacy Management Plan is to set specific and measurable goals and targets to meet and track compliance with that agency’s privacy obligations. In addition to developing and implementing the Plan, agencies are also required to assess and document their performance against the Plan annually.
Privacy Officer and Privacy Champion
Agencies must appoint at least one designated Privacy Officer and one designated Privacy Champion. Both the Privacy Officer and Privacy Champion oversee and implement the agency’s Privacy Management Plan.
The Privacy Officer/s will be responsible for the maintenance, monitoring and measurement of privacy activities both internally and externally.
The Privacy Champion is required to be a senior official within the agency whose role is to promote an agency culture of privacy protection and values, spearheading broader strategic goal setting. The Privacy Champion may also fill the role of Privacy Officer.
Agencies are expected to provide adequate support, training and assistance to ensure that the Privacy Officer and Privacy Champion understand and are able to comply with their roles. Each agency should have a clear position description for these roles. Agencies must also provide the Office of the Australian Information Commission with the contact details of their Privacy Officer.
Staff Training
All new employees who have access to personal information must undergo privacy training as part of their induction to an agency. This includes training new employees on the agency’s privacy values to ensure the employee understands their obligations when it comes to observing those values in their work.
In addition, agencies must take reasonable steps to provide privacy education and training to its employees annually.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA), must be undertaken for all projects that are deemed to be “high risk”. Projects are considered “high risk” under the Code if they involve the handling of personal information in a way that is new or different. A PIA assesses the impact a new project or system may have on personal information held by an agency. The PIA is required to address risk mitigation strategies to ensure that personal information held is not subject to a negative privacy impact.
All agencies should now be taking steps to ensure compliance with the Code and ensure that designated Privacy Officers and Privacy Champions are equipped with the appropriate knowledge to understand their role and fulfil their function.
Griffin Legal’s privacy law specialists can assist your agency to:
- prepare and implement a privacy management plan;
- train Privacy Officers and Privacy Champions on their role and obligations;
- conduct privacy training for all new staff inductions;
- conduct privacy impact assessments; and
provide advice on your agency’s privacy law obligations.