-
On this page
Purpose of the Guide to privacy regulatory action
The Guide to privacy regulatory action consists of different chapters, each relating to a regulatory power under the Privacy Act 1988 (Cth) (Privacy Act), the My Health Records Act 2012 (Cth) (My Health Records Act), the Consumer Data Right (CDR) scheme set out in Part IVD of the Competition and Consumer Act 2010 (Cth) (Competition and Consumer Act), the Digital ID Act 2024 (Digital ID Act) and other legislation that confers functions relating to privacy on the Commissioner.[1] Each chapter includes information about the legislative framework, purpose and procedural steps for exercising the regulatory power.
The purpose of this guide is to:
- be a source of information for entities about the Office of the Australian Information Commissioner’s (OAIC’s) exercise of particular regulatory powers
- provide OAIC staff with practical guidance about exercising a particular regulatory power
- promote consistency and transparency in the OAIC’s exercise of its regulatory powers
- facilitate efficient and effective regulatory action.
Other documents relating to regulatory powers
The Guide to privacy regulatory action is one of a suite of documents that relate to the OAIC’s use of its regulatory powers:
- The Privacy regulatory action policy explains the OAIC’s approach to using its regulatory powers under the Privacy Act and other legislation, and communicating information publicly. This includes the considerations the OAIC will take into account in deciding when to take privacy regulatory action and what action to take. This document also explains the principles which will guide the OAIC when taking regulatory action, and the circumstances in which information about regulatory activity may be communicated publicly. The chapters in this guide should be read in conjunction with the policy.
- The My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016 (My Health Records Enforcement Guidelines) is a registered legislative instrument which explains the OAIC’s approach to using its enforcement powers in its role as regulator of the My Health Record system. These guidelines are made by the Commissioner under s 111 of the My Health Records Act.
- The CDR regulatory action policy explains the OAIC’s approach to using its regulatory powers in relation to the CDR scheme. Like the Privacy regulatory action policy, the CDR regulatory action policy outlines the matters the OAIC will consider when deciding to take regulatory action, the principles it is guided by, and the circumstances in which information about regulatory activity may be communicated publicly. The CDR regulatory action policy can also be read in conjunction with the joint Australian Competition and Consumer Commission (ACCC) and OAIC Compliance and Enforcement Policy for the Consumer Data Right (ACCC and OAIC Compliance and Enforcement Policy).
- The Digital ID Regulatory Strategy describes how the OAIC uses its regulatory powers to build trust and confidence in Digital ID and make identity verification in Australia more secure and privacy-protective. It also sets out specific areas the OAIC will focus its proactive regulatory powers on.
- Some of the OAIC’s guidance material relates to the OAIC’s regulatory powers. This is designed to provide targeted information about specific regulatory powers to the OAIC’s various stakeholders, including complainants and regulated entities.
Regulatory powers available
As outlined in the Privacy regulatory action policy and the My Health Records Enforcement Guidelines, the Privacy Act, My Health Records Act, Part IVD of the Competition and Consumer Act and the Digital ID Act all confer a range of enforcement and other regulatory powers on the Commissioner, which are based on an escalation model. These include the following powers:
- directing an agency (but not an organisation) to give the Commissioner a privacy impact assessment (Privacy Act s 33D)
- monitoring, or conducting an assessment of, whether personal information, CDR data, or personal information within the meaning of the Digital ID Act, is being maintained and handled by an entity as required by law (Privacy Act ss 28A and 33C; Competition and Consumer Act s 56ER)
- requiring an entity being assessed by the OAIC to give information or produce a document (Privacy Act s 33C)
- requiring an entity to give information, produce a document or answer questions relating to an actual or suspected eligible data breach or relating to compliance with notification obligations relating to an eligible data breach (Privacy Act s 26WU)
- conciliating a complaint (Privacy Act s 40A)
- investigating a matter (either in response to a complaint (Privacy Act s 40(1)) or on the Commissioner’s own initiative (Privacy Act s 40(2)), and various related powers including to decline to investigate a complaint (s 41), to refer the matter and discontinue an investigation where certain offences may have been committed (s 49), and to refer a complaint to a specified alternative complaint body (s 50) (see generally Privacy Act Part V)
- sharing information or documents with enforcement bodies, alternative complaint bodies and other privacy authorities (including overseas privacy authorities) for the purpose of the Commissioner or the receiving body exercising powers or performing functions or duties (Privacy Act s 33A; Digital ID Act s 43)
- disclosing certain information if it is in the public interest to do so (Privacy Act ss 33B)
- reporting to the Minister in certain circumstances such as following an investigation, monitoring activity or assessment (Privacy Act ss 30 and 32), or report to the Minister, the ACCC or the Data Standards Chair in relation to assessments conducted under the CDR scheme (Competition and Consumer Act s 56ER(3))
- accepting an enforceable undertaking (Privacy Act s 80V; My Health Records Act s 80; Competition and Consumer Act s 56EW; Digital ID Act s 125)
- bringing proceedings to enforce an enforceable undertaking (Privacy Act s 80V; My Health Records Act s 80; Competition and Consumer Act s 56EW; Digital ID Act s 125)
- making a determination (Privacy Act s 52)
- bringing proceedings to enforce a determination (Privacy Act ss 55A and 62)
- issuing an infringement notice for failing to provide information, answer a question or produce a document or record when required to do so (Privacy Act ss 66(1) and s 80UB; Regulatory Powers Act Part 5; Digital ID Act s 124)
- seeking an injunction (Privacy Act s 80W; My Health Records Act s 81; Competition and Consumer Act s 56EX; Digital ID Act s 126)
- applying to the court for a civil penalty order (Privacy Act s 80U; My Health Records Act s 79; Competition and Consumer Act s 56EU; Digital ID Act s 123)
- directing an entity to make a notification under the Notifiable Data Breaches scheme (NDB scheme) (Privacy Act s 26WR) or CDR scheme (Competition and Consumer Act s 56ES), or declaring the notification is not required or can be delayed (Privacy Act s 26WQ).
Contraventions of certain provisions of the My Health Records Act are ‘interferences with privacy’ for the purposes of the Privacy Act and the OAIC may investigate those contraventions either under the Privacy Act (using the investigative provisions in Part V of the Privacy Act) or under the My Health Records Act. The My Health Records Enforcement Guidelines provide guidance about the OAIC’s approach to investigating these My Health Records Act contraventions.
Section 56ET(3) of the Competition and Consumer Act extends the application of the OAIC’s regulatory powers under Part V of the Privacy Act to include the enforcement of the CDR privacy safeguards and privacy or confidentiality related CDR Rules under the CDR scheme. Therefore, the Commissioner can investigate an act or practice that may be a breach of the CDR privacy safeguards and privacy or confidentiality related CDR Rules under the CDR scheme.
Under section 38 of the Digital ID Act, accredited entities are required to comply with s 136 and the Digital ID privacy safeguards in Division 2 of the Digital ID Act. Any contravention of these safeguards or s 136, constitutes an interference with the privacy of an individual for the purposes of the Privacy Act. The OAIC may investigate those contraventions using the investigative provisions in Part V of the Privacy Act. Sections 39, 40 and 41 of the Digital ID Act also provide that all accredited entities must comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act unless they are covered by a comparable State or Territory scheme.
It is open to the OAIC to use a combination of privacy regulatory powers to address a particular matter.
Regulatory action principles
The Privacy regulatory action policy sets out the principles which will guide the OAIC when it takes privacy regulatory action. These principles are independence, accountability, proportionality, consistency, timeliness and transparency.
The CDR regulatory action policy and the ACCC and OAIC Compliance and Enforcement Policy set out the principles which will guide the OAIC when it takes regulatory action in relation to the CDR scheme. These principles are accountability, efficiency, fairness, proportionality and transparency.
The Digital ID Regulatory Strategy describes how the OAIC uses its regulatory powers to build tryst and confidence in Digital ID and make identity verification in Australia more secure and privacy-protective. It also sets out specific areas the OAIC will focus its proactive regulatory powers on.
The OAIC will take regulatory action in accordance with the principles set out in the Privacy regulatory action policy and, where relevant, the CDR regulatory action policy, the Digital ID Regulatory Strategy and the My Health Records Enforcement Guidelines.
Importantly, when taking privacy regulatory action, the OAIC will act consistently with general principles of good decision making, as explained in the Best Practice Guides published by the Administrative Review Council in 2007.[2] In particular, the OAIC will act fairly and in accordance with principles of natural justice (or procedural fairness).
In addition, in any litigation, the OAIC will act in accordance with its obligations to act as a model litigant in accordance with the Legal Services Directions 2017.
Approach to using regulatory powers and selecting appropriate action
An investigation may be commenced by the OAIC into a suspected or alleged interference with privacy, either on receipt of a complaint or as a Commissioner initiated investigation (CII).
Following a complaint investigation or CII, the Commissioner may decide to take enforcement action against an entity. The available enforcement powers escalate from less serious to more serious options.
The Privacy regulatory action policy, the CDR regulatory action policy, My Health Records Enforcement Guidelines and the Digital ID Regulatory Strategy provide further guidance about how the OAIC decides whether to take privacy or CDR regulatory action and what action to take, including:
- the steps the OAIC can use to facilitate legal and best practice compliance
- the factors taken into account in deciding when to take privacy or CDR regulatory action, and what action to take
- the sources of information the OAIC will consider in seeking to identify both systemic issues and serious issues that can be targeted for privacy or CDR regulatory action.
When making a decision as to whether or not to exercise a regulatory power, the OAIC will be guided by the Privacy regulatory action policy, the CDR regulatory action policy, My Health Records Enforcement Guidelines or Digital ID Regulatory Strategy as appropriate. This guide is not intended to prescribe the circumstances in which the OAIC will exercise its regulatory powers nor the way it will use them. However, it should provide broad guidance to regulated entities as to the OAIC’s approach to the exercise of its regulatory powers.
[1] For example, Part VIIC Division 5 of the Crimes Act 1914 (Cth) confers on the Commissioner regulatory powers in relation to spent convictions.
[2] The Administrative Review Council Best Practice Guides are published at Other ARC publications.