It is still unclear how big of an impact the General Data Protection Regulation (GDPR) will have on the Australian public sector. Just weeks away from enforcement, confusion remains around the reach of GDPR and the obligations of public sector agencies.
Provisions in the regulation suggest some areas of the public sector may be exempt based on public interest or foreign immunity. But some public agencies are likely to be affected, particularly those with commercial operations involving data of EU citizens.
The GDPR confusion and Australia’s own looming privacy regulations mean 2018 is set to be an interesting year for privacy in the Australian public sector.
At the federal level, GDPR is the remit of the Attorney-General’s Department. Several government departments referred enquiries on their GDPR preparation to the Attorney-General’s Department, which provided this statement:
“The question of whether the European Union General Data Protection Regulation (GDPR) applies to Australian Government agencies needs to be considered on a case-by-case basis, as the legal doctrine of foreign state immunity holds that foreign states are generally entitled to be granted immunity from the jurisdictions of courts of another state, subject to some exceptions,” a spokesperson from the Attorney-General’s Department said.
According to the spokesperson, the Australian Information Commissioner (OAIC) – Australia’s privacy watchdog – is advising government agencies to seek their own legal advice where they are considering whether GDPR applies to their activities, “particularly where those activities are of a commercial nature”.
Currently, the OAIC’s public advice on how the sector may be affected by GDPR extends to this document, which echoes the Attorney-General’s Department’s advice. It also paints an unclear picture.
Domestic privacy duties
Regardless of GDPR’s reach, compliance with it would position public sector agencies well to meet their obligations under the new Australian Government Agencies Privacy Code, which takes effect on 1 July 2018. According to the OAIC, the code mirrors privacy requirements in jurisdictions around the world, including GDPR.
Siteimprove managing director APAC, Jay Mahoney, said both the international and domestic regulations will have a complementary effect on compliance.
“We are predicting The Australian Government Agencies Privacy Code, which is essentially GDPR in Australia, will speed up the GDPR urgency and should create a ripple effect to the private sector as the public demand their data is protected,” said Mahoney.
The new domestic code requires certain Australian government agencies to move towards a best practice approach to privacy, including appointing privacy officers, developing a privacy management plan and undertaking regular privacy impact assessments.
“Many Australian enterprise organisations and some government agencies are making a start towards domestic and GDPR compliance, but more urgency is needed,” Mahoney said.
GDPR requirements remain unclear
At the state level, some GDPR preparations are underway. Both the NSW and Victorian privacy commissioners are preparing guidelines for their respective public agencies. At the time of publication, neither document had been released.
That is a potential problem, according to Mike Pym, deputy chair at the Australian Information Industry Association, who says the opportunity to become GDPR compliant is “fading rapidly at a practical level”.
“Even if you started today, you’re very unlikely to be compliant by the 25th of May.”
Pym urged those in the public sector to follow the Attorney-General’s Department’s advice and seek legal advice on their status under GDPR. But even that task is complex. “The piece of advice that’s being requested is a very complicated piece of advice about constitutional law and sovereign immunity,” Pym said.
“[If affected] they really better get their skates on and start putting into place a compliance program,” Pym said, adding that at this stage most public sector agencies are likely underprepared for GDPR.
“I think part of that is because of the enormity of the task of being prepared,” Pym said.
“The requirements are so stringent [that] it’s very difficult for even simple organisations to be able to comply, and the regulation itself is relatively complicated and there’s a few grey areas. As usual the lawyers can’t agree on everything and for what it actually means.”
According to Pym, it is imperative that all organisations affected by GDPR be proactive, because the penalties are so severe. GDPR breaches can result in penalties of €20 million or 4 per cent of global turnover, whichever is higher. And while he suspects IT companies will be the early targets, the public sector is also potentially at risk.
About the author
SiteImprove is a corporate member of the Which-50 Digital Intelligence Unit. Members provide their insights and analysis for the benefit of our readers. Membership fees apply.