Annual Report 2010–11
Chapter 5: Promote and secure the protection of personal information
Privacy issues continued to feature prominently in news headlines in 2010–11. Widespread media reporting of data breaches and the misuse of personal information contributed to a growing recognition that privacy protection is a critical concern in the community.
As the flow of personal information grows exponentially through the use of new technologies that enable personal information to be moved around the globe in seconds, the challenge is for privacy law and principles to adapt and keep pace with the way that personal information is handled by government agencies and private sector organisations. It is in this context that a key focus for the Office of the Australian Information Commissioner (OAIC) during 2010–11 was the proposed reforms to the Privacy Act 1988 (the Privacy Act).
The OAIC also continued to work with Australian and ACT government agencies on new policy proposals, legislative and regulatory changes, and agency practices that may have a significant impact on the handling of personal information. From 1 January 2011, the OAIC also provided these services to the Norfolk Island Administration. Similarly, the OAIC works with business to enhance understanding and implementation of good personal information handling practices.
The OAIC's privacy compliance activities provided important regulatory oversight in relation to individual complaints and systemic issues. The OAIC carried out a range of regulatory functions, such as own motion investigations (OMIs) and audits, aimed at securing the protection of personal information.
To ensure that privacy is valued and respected in Australia, the OAIC undertakes a wide range of compliance activities. These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections and conducting OMIs.
In 2010–11, the Compliance Branch received 1222 complaints, a small increase over the 1201 received in 2009–10. In addition, the OAIC dealt with 59 OMIs and 56 voluntary data breach notifications. The Compliance Branch reduced the number of audits it undertook during 2010–11 to five, instead focusing additional resources on high-profile OMIs. This included OMIs into two large telecommunications providers and a number of technology companies.
In an OMI the OAIC can gather information about a respondent's privacy practices and work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.
The OAIC publishes case notes as an effective means of providing information about how matters are assessed and how the law applies to issues involving privacy. Twenty-four case notes were published during 2010–11. These can be found at www.oaic.gov.au/publications/case_notes.html.
In addition, the Privacy Commissioner published an investigation report about an OMI finalised in 2010–11.
Responding to telephone enquiries
The OAIC's Enquiries Line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The Enquiries Line answered 20,617 telephone enquiries in 2010–11, which is consistent with the number of calls received in previous years. Of those telephone enquiries, 10,986 specifically related to privacy and the protection of personal information. Other calls related to freedom of information (FOI), the role of the OAIC, privacy or FOI in other jurisdictions, or were administrative in nature.
Who is calling?
Most callers are individuals seeking information about their privacy rights and advice on how to resolve privacy complaints.
Table 5.1 below illustrates the top 10 types of caller who telephoned the Enquiries Line in 2010-11.
|Top 10 caller types||Total|
|Business, Professional Associations and Unions||372|
|Health Service Providers||224|
|Personal Services (such as employment, child care, vets)||190|
|Real Estate Agents||132|
|Legal, Accounting and Management Services||98|
|Clubs, Interest Groups, Theatres, Sports and Media||92|
|Finance (including Superannuation)||82|
Table 5.2 provides a breakdown of issues discussed in the calls received during 2010–11. Almost three quarters of the privacy related calls were about the National Privacy Principles (NPPs). The most frequently discussed issue continued to be the use and disclosure of personal information by private sector organisations, followed by NPP exemptions, improper collection, access and correction and data security.
The number of privacy related calls about Credit Reporting and the Information Privacy Principles (IPPs) remained similar to previous years.
|Issues||Total number of calls|
|Private Sector Provisions Issues|
|NPP 1 - Collection||1581|
|NPP 2 - Use and Disclosure||2780|
|NPP 3 - Data Quality||236|
|NPP 4 - Data Security||787|
|NPP 5 - Openness (privacy statement)||85|
|NPP 6 - Access and Correction||1164|
|NPP 7 - Identifiers||6|
|NPP 8 - Anonymity||25|
|NPP 9 - Transborder Data Flows||53|
|NPP 10 - Sensitive Information Collection||65|
|Private Sector Provisions (General)||301|
|Non-Private Sector Provisions Issues|
|Tax File Numbers||35|
|Individual Health Identifiers||1|
Who are the National Privacy Principles calls about?
Table 5.3 distributes the top 10 NPP telephone enquiries by private sector industry groups. These groups have remained consistent for the last several years.
|Private sector industry group||Total number of calls|
|Health Services Providers||1112|
|Business, Professional Associations and Unions||835|
|Personal Services (including employment, child care and vets)||813|
|Real Estate Agents||759|
|Finance (including superannuation)||622|
|Debt Collectors/Credit and Tenancy Databases||317|
|Clubs, Interest Groups, Theatres, Sports and Media||293|
Some examples of calls received during 2010–11 appear below:
- The caller stated that their private sector employer wanted to place tracking devices in staff mobile phones. The OAIC explained the definition of personal information, advised that the Privacy Act does not regulate tracking devices specifically, and explained the employee records exemption.
- A caller applied to work at a casino. The job application sought information on applicants' criminal history. The caller asked if the casino was permitted to collect this information, and if the casino could collect information about criminal records from the police. The OAIC explained that the caller was not required to provide any personal information to the casino, but would need to consider the impact this may have on the casino's assessment of their job application. The OAIC also explained relevant collection principles in NPP 1. In some circumstances, it may be considered necessary for a casino's functions and activities for it to collect information about an individual's criminal history when assessing that individual's suitability for employment. The caller was advised that, under the Privacy Act, criminal record information is considered ‘sensitive information', and the collection of that information is regulated by NPP 10. This means that the casino would generally need the individual's consent to collect the information.
- A real estate agent called, stating that an owner of a property that the agent manages had asked to be told the race of the current tenant. The agent refused to tell the owner the tenant's race, relying on the Privacy Act. The owner asked the agent which specific section in the Act prevented disclosure in this case. The OAIC discussed NPPs 1, 2 and 10, noting that personal information that is collected for one purpose should not be used or disclosed for other purposes unless an exception in the Act applies.
- The caller had a default listing on their credit file. The caller subsequently repaid the outstanding debt, and wanted to know whether the listing should be removed. The OAIC discussed the credit reporting provisions in the Privacy Act, noting that if the default was correctly listed, it may remain on the caller's credit file for five years. However, the credit file should note that the debt has been repaid.
- A caller stated that a news article published on the internet by a media organisation contained their personal information, including information about a court case. The OAIC discussed the media exemption.
- A caller was refused access to the medical records of her deceased son, for ‘privacy reasons'. The OAIC told the caller that the Privacy Act does not regulate the handling of information about deceased people. This means that the Privacy Act would not prevent a health service provider from providing the caller with the deceased son's medical records.
Responding to written enquiries
The OAIC responds to requests for information that are received by email, letter or fax. The OAIC received 1909 written enquiries in 2010–11, of which 1721 were privacy related. The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was met in 2010–11, with 94% of privacy related written enquiries responded to within 10 working days.
In 2010-11, 67% of privacy related written enquiries concerned the private sector provisions. This is a small decrease compared to 2009–10 (71%).
Responding to complaints
The OAIC can investigate complaints about acts or practices that may be an interference with an individual's privacy. These can include allegations that:
- personal information has been collected, held, used or disclosed by an organisation in contravention of the National Privacy Principles (NPPs)
- personal information has been handled by Australian, ACT and Norfolk Island government agencies in a manner that does not comply with the Information Privacy Principles (IPPs)
- creditworthiness information held by credit providers and credit reporting agencies has been mishandled
- tax file numbers (TFNs) have been mishandled by individuals or organisations
- personal information has not been managed in accordance with spent convictions, data matching or Healthcare Identifier legislation.
Complaints received during 2010–11
In 2010–11 the OAIC received a total of 1222 complaints relating to privacy, on a wide variety of issues.
The percentage of complaints received about each area of jurisdiction is given in Table 5.4. As has been the case since the OAIC's role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about, with over half of all complaints relating to the NPPs. There has been a small decrease in complaints about credit reporting and an increase in complaints where the OAIC found that it had no jurisdiction.
*The percentages in Table 5.4 exceed 100% as some complaints contain more than one issue.
The particular issues complained about as a percentage of total complaints received in 2010–11 are described in Table 5.5.
|NPP use and disclosure||340||27.8|
|NPP data security||192||15.8|
|NPP access and correction||148||12.1|
|IPP use and disclosure||123||10.1|
|NPP data quality||112||9.2|
|IPP data security||32||2.7|
|IPP access and correction||18||1.5|
* The percentages exceed 100% as some complaints contain more than one issue.
The most commonly complained about issues in both NPP and IPP complaints were use and disclosure, followed by data security and improper collection. Credit reporting complaints have fallen 3.2 percentage points from the previous financial year. There has been an increase in complaints over which the OAIC has no jurisdiction and an increase in NPP complaints relating to data security.
Table 5.6 shows the number of complaints made about each of the 10 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. After an increase last year, the debt collector and credit reporting agency sector has fallen from the second to the third most commonly complained about sector.
|Sector||Number of complaints|
|Debt Collectors, Credit and Tenancy Databases||131|
|Health Service Providers||92|
|Personal and Other Services||52|
|Landlords, Real Estate Agents and Developers||40|
Most Complained About Organisations and Agencies
Table 5.7 below lists the most complained about organisations and agencies.
The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act. Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints received about them may represent only a small percentage of those transactions.
|Top respondents||Number of complaints received|
|Veda Advantage Information Services and Solutions Ltd||77|
|Telstra Corporation Ltd||54|
|The Child Support Agency||34|
|Commonwealth Bank of Australia||26|
|Singtel Optus Pty Ltd||22|
|Vodafone Hutchison Australia Pty Ltd||17|
|Health Services Union||13|
|ANZ Bank Ltd||12|
|Australian Taxation Office||12|
Complaints closed during 2010–11
The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.
If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, it may decide not to investigate the matter any further. Otherwise, the Information Commissioner or Privacy Commissioner may make a determination about a complaint under s 52 of the Privacy Act.
In 2010–11, the OAIC closed 1167 complaints, which was slightly less than the number closed in 2010–11.
The OAIC investigated a smaller percentage of complaints under s 40(1) of the Privacy Act and chose to summarily dismiss more complaints than in 2009–10. The increase in summary dismissals is partly reflected by the increased number of complaints over which the OAIC found that it had no jurisdiction.
Table 5.8 provides more information about the stage at which complaints were closed.
The OAIC aims to finalise all complaints within 12 months of receiving them. In 2010–11, complaints were closed in an average of four months, which is a two month improvement from the previous financial year.
*Complaints can have more than one jurisdiction issue and therefore the number of complaints listed exceeds the number of investigations closed in 2010–11
Complaints closed following investigations
In 2010–11, the OAIC closed 11% of complaints following an investigation under s 40(1) of the Privacy Act.
There were no determinations made in 2010–11. A determination is a legal decision or finding made by a Commissioner, as a consequence of which the Privacy Act's enforcement powers (ss 54–62) are activated.
Table 5.9 shows the grounds for declining to investigate complaints further following an investigation.
|Grounds for closing following investigation||NPPs||IPPs||Credit||Total|
|No interference with privacy – s 41(1)(a)||34||10||11||55|
|Respondent has adequately dealt with the complaint – s 41(2)(a)||39||3||11||53|
|Respondent has not had opportunity to deal with complaint – s 41(2)(b)||6||3||4||13|
|Other (for example withdrawn or being dealt with under another law)||22||2||14||38|
The OAIC tried where possible to resolve cases through conciliation at an early stage of investigation. Respondents took steps to resolve the complaint in 33% of cases. Over two thirds of these were conciliated before the OAIC formed a view on whether the complaint should be upheld.
Common resolutions after the investigation proceeded to conciliation included:
- apologies to complainants
- staff training and counselling
- amendments to database systems and records
- changes to procedures
- provision of access to records
- compensation payments.
Overall, the respondent took steps to resolve the complaint in 39% of NPP complaints following conciliation.
More than half of the IPP complaints were closed following investigation on the basis that there was no interference with privacy, while 28% of credit reporting complaints investigated under s 40(1) of the Privacy Act were conciliated following investigation.
Nature of remedies achieved by conciliation following investigation
Table 5.10 provides more detail on the outcome of complaints that were closed on the basis that they had been adequately dealt with by the respondent following an investigation by the OAIC under s 40(1) of the Privacy Act.
Apologies are the most common remedy, followed by the amendment of records and compensation.
|Remedies in cases closed as adequately dealt with after investigation||NPPs||IPPs||Credit||Total|
|Up to $1000||4||1||3||8|
*More than one resolution may have been reached for a particular complaint. Therefore, the total listed in Table 5.10 is not equal to the total number of complaints
Complaints closed following preliminary inquiries
The Privacy Act authorises the OAIC to conduct preliminary inquiries to determine whether to investigate a complaint or exercise the discretion not to investigate a matter further. For instance, a preliminary inquiry may seek to determine:
- whether an agency or organisation is willing to provide access to records
- if a particular act or practice is authorised by law
- whether an organisation may claim the small business operator exemption
- whether a respondent is an agency or organisation that is subject to the Privacy Act.
In 2010–11, the OAIC closed 32.1% of complaints after preliminary inquiries. Table 5.11 provides more detail on the basis for closing complaints following preliminary inquiries. Please note that complaints can have more than one jurisdiction issue. Therefore, the number of complaints listed below exceeds the number of preliminary inquiries closed in 2010–11.
|Not the privacy of the complainant or no respondent specified – s 36||11||-||1||5||-||17|
|No interference with privacy – s 41(1)(a)||140||26||44||13||1||224|
|Complaint not raised with respondent – s 40(1A)||4||5||3||4||-||16|
|Frivolous, vexatious, misconceived, lacks substance – s 41(1)(d)||2||-||-||-||-||2|
|Currently investigated under other Commonwealth or State Act – s 41(1)(e)||4||3||1||-||-||8|
|Respondent has adequately dealt with the matter – s 41(2)(a)||90||12||17||4||-||123|
|Respondent has not had an opportunity to deal with the complaint – s 41(2)(b)||7||4||1||-||-||12|
|Other (for example withdrawn)||16||4||11||1||-||32|
The most common reason for closing a complaint after preliminary inquiries continued to be a finding that the individual's privacy had not been interfered with, which was the finding in just over half of the complaints.
Nature of remedies achieved following preliminary inquiries
In conducting preliminary inquiries the OAIC may find that the respondent has adequately dealt with the matter, or may be able to resolve the complaint through conciliation. Table 5.12 gives further detail about the types of resolutions achieved following preliminary inquiries. (More than one resolution may have been achieved for a particular complaint, meaning the total listed in Table 5.12 is not equal to the total number of complaints.)
Amendment of records continued to be the most common resolution following preliminary inquiries, followed by apologies and access to records. Compensation was paid in 14% of complaints resolved at the preliminary inquiries stage.
Complaints closed without investigation
In 2010–11, the OAIC closed 56.9% of complaints by exercising a discretion not to investigate a complaint, or not to make preliminary inquiries.
The most common reasons for closing complaints without investigation were:
- there was no interference with privacy (s 41(1)(a))
- the complaint was not a privacy complaint because it was not about the individual complaining, did not specify a respondent or was not about privacy (s 36)
- the complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))
- the complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).
Table 5.13 shows, in more detail, the grounds upon which these complaints were closed without investigation.
|Up to $1000||9||1||1||11|
|Reasons for declining||NPPs||IPPs||Credit Reporting||None||Total|
|Not the privacy of the complainant or no respondent specified, no jurisdiction – s 36||48||12||6||154||220|
|No interference with privacy – s 41(1)(a)||126||33||46||14||219|
|Complaint not raised with respondent – s 40(1A)||73||13||13||5||104|
|Aware of alleged breach for more than 12 months – s 41(1)(c)||19||4||4||1||28|
|Frivolous, vexatious, misconceived, lacks substance – s 41(1)(d)||4||1||-||-||5|
|Is being dealt with under another law – s 41(1)(e)||10||1||-||2||13|
|Another law is more appropriate –s 41(1)(f)||2||9||-||5||16|
|Respondent has adequately dealt with the matter – s 41(2)(a)||12||7||4||1||24|
|Respondent has not had opportunity to deal with complaint – s 41(2)(b)||31||12||19||2||64|
|Other (For example withdrawn )||6||1||3||1||11|
*Complaints can have more than one jurisdiction issue. Therefore, the number of complaints listed below exceeds the number of complaints closed without investigation in 2010–11.
|Code Title||Code Adjudicator||Monitoring / Reporting Responsibility||Date Came into Effect|
|Code Title||Code Adjudicator||Monitoring / Reporting Responsibility||Date Came into Effect|
|Queensland Club Industry Privacy Code||Australian Information Commissioner||Clubs Queensland and the Information Commissioner||23 August 2002|
|Market and Social Research Privacy Code||Australian Information Commissioner||Association of Market and Social Research Organisations and the Information Commissioner||1 September 2003|
|Biometrics Institute Privacy Code||Australian Information Commissioner||Biometrics Institute and the Information Commissioner||1 September 2006|
Reports of Complaints under Approved Codes
The Privacy Act allows for organisations or groups of organisations to develop privacy codes. A code approved by the Information Commissioner replaces the NPPs as the legally enforceable privacy standards for those organisations. At 30 June 2011, there were three approved privacy codes in force (see Table 5.14).
The Information Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the OAIC under any of the approved codes in 2010–11.
The Information Commissioner is required to maintain a register of approved codes under s 18BG of the Privacy Act. The register can be found on the OAIC's website at www.privacy.gov.au/business/codes/.
Own Motion Investigations and Data Breach Notifications
Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called own motion investigations (OMIs).
A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, copying or modification. While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC, many agencies and organisations do so as good privacy practice. The OAIC directs agencies and organisations to apply the advice set out in the Guide to Handling Personal Information Security Breaches, produced in 2008 by the former Office of the Privacy Commissioner, when responding to a data breach. The Guide includes information about when to report a data breach to the OAIC or affected individuals.
Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations to ensure they meet their obligations under the Privacy Act and particularly Information Privacy Principle (IPP) 4, National Privacy Principle (NPP) 4 and Part IIIA of the Privacy Act. The nature of DBNs mean that the OAIC's investigation of these incidents primarily focuses on the data security measures agencies and organisations had in place when the incident occurred and the steps taken to improve such practices as a result of a DBN.
By conducting OMIs and responding to DBNs, the Information Commissioner is fulfilling the function he has under s 27(d) of the Privacy Act of promoting an understanding and acceptance of the IPPs and the NPPs. There were a total of 59 OMIs and 56 DBN matters in 2010–11. This compares to 73 OMIs and 44 DBN matters in 2010–11.
Issues in Own Motion Investigations
During 2010–11, 59 new matters involving alleged interferences with privacy were assessed for investigation as OMIs. These matters came to the OAIC's attention from a variety of sources including telephone calls to the Enquiries Line, emails and letters from individuals, and systemic issues identified through complaints or as a result of media coverage.
The OAIC uses its own risk assessment criteria to determine whether to investigate a matter on its own motion. These criteria include the:
- number of people affected and the possible consequences for those individuals
- sensitivity of the personal information involved
- progress of an agency's or organisation's own investigation into the matter and consideration of the actions taken by the entity in response
- likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.
Table 5.15 shows a breakdown of the most common issues that arose in OMIs in 2010–11. Overwhelmingly, the main compliance issues that arose related to data security and improper use and disclosure of personal information. It is often the case that these issues go hand in hand. That is, if organisations and agencies fail to have appropriate data security measures in place, this deficiency can result in personal information being improperly used or disclosed.
Specifically, the allegations raised in OMIs opened in 2010–11 included that:
- documents containing customer information had been discarded in a public bin, including tax file number information and health information
- personal information was being disclosed without appropriate identification and authentication practices being in place
- the personal information of customers was publicly accessible on the internet
- system vulnerabilities resulted in hacking incidents which led to information about customers, including financial information, being stolen.
|Credit provider – accuracy 18G(a)||3|
|Credit provider – failed to give notice s 18E(8)(c)||1|
|Credit reporting agency – improper disclosure s 18K(1)||3|
|Credit reporting agency – not permitted contents s 18E(1)||1|
|IPP 4 – inadequate security measures||2|
|NPP 1.1 – unnecessary collection||8|
|NPP 1.2 – unlawful/unfair collection||2|
|NPP 1.3 – bundled consent form||1|
|NPP 1.3 – insufficient notice||6|
|NPP 1.5 – inadequate notice||4|
|NPP 10 – sensitive information collection||2|
|NPP 2.1 – improper use or disclosure||17|
|NPP 3 – data quality issues||6|
|NPP 4 – data security issues||37|
|NPP 5 – openness issues||1|
|NPP 6.1 – refused access (non health)||2|
|NPP 7 – used agency identifier||1|
|NPP 8 – anonymity not offered||1|
|TFN – security||1|
A number of issues that came to the attention of the OAIC in 2010–11 were matters of significant public concern. To promote community confidence and also to increase the transparency of its compliance activities, the OAIC commenced the publication of reports of investigations into high profile matters or where there was a public interest in doing so. The first of these was in relation to the OAIC's investigation of Vodafone Hutchison Australia. Investigation reports are available on the OAIC's website at www.oaic.gov.au/publications/reports.html. The OAIC intends to continue to publish investigation reports, where appropriate.
Of the OMI matters closed in 2010–11, in 26% of cases the OAIC decided not to formally investigate the allegations raised. Typically, the OAIC might discontinue an OMI if it discovers that the respondent is not within its jurisdiction or the issues are not systemic in nature. The OAIC conducted an investigation but did not find that the allegations of non-compliance were substantiated in 27% of cases. In the remaining 48% of cases, the OAIC worked with the agencies and organisations involved to improve their practices so that issues of non-compliance were resolved. For example, the investigation into Vodafone Hutchison Australia resulted in it providing an undertaking to the Information Commissioner to improve its data security measures, report back about its IT security review and provide an update about the progress of its implementation.
Issues in Data Breach Notifications
The OAIC received 56 voluntary Data Breach Notifications (DBNs) in 2010–11, a 21% increase from the number of DBNs received in 2010–11.
The OAIC assesses each DBN to assess if further action is required by the agency or organisation to appropriately respond to the breach. The OAIC may take no further action if the agency or organisation has contained the breach by recovering the information or has taken steps that mitigate further impact on individuals affected by the breach, such as notifying relevant authorities and individuals and taking steps to review and improve data security practices. Where the OAIC considers that inadequate steps have been taken or the agency or organisation is still assessing the source and impact of the breach and the overall response that is required, it will work with the entity to assist it to apply best privacy practice. In cases where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, it will open an OMI.
Incidents reported to the OAIC through DBNs in 2010–11 included that:
- documents containing personal information were faxed to the wrong fax number
- an email containing personal information was sent to a public email address
- a system error occurred allowing customers to access other customers' accounts
- a computer containing customer records was stolen from a company's premises.
Typically, the actions taken by entities in response to a DBN include system reviews and alterations, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.
The OAIC publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints and investigations. The purpose of these case notes is to provide an insight into how privacy principles are being applied. This can:
- assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
- encourage good privacy practices and compliance with the Privacy Act
- demonstrate accountability and transparency in the OAIC's processes and decision making.
In 2010–11, the former Office of the Privacy Commissioner (OPC) and the OAIC published 22 case notes about complaints under the National Privacy Principles (NPPs), Information Privacy Principles (IPPs) and other areas of the Privacy Act. These can be accessed in full at www.oaic.gov.au/publications/case_notes.html.
Case study: Own Motion Investigation v Airline  PrivCmrA 12
After booking a flight online an individual received an email from the airline containing personal information about another traveller. Information disclosed included the second individual's name, address, financial information, flight details and the full name and address of a third individual booked on the flight.
By the time the Privacy Commissioner had commenced an own motion investigation the airline had already acknowledged that the disclosure had occurred and that it had not complied with NPP 2. The investigation therefore focused on the airline's compliance with NPP 4.1, which deals with data security. The airline discovered the incident occurred as a result of an overloaded server.
The Commissioner formed the view that at the time of the incident the airline's IT system was not sufficient to comply with NPP 4.1. It was noted that, as a result of the incident and the Commissioner's investigation, the source of the problem was identified and additional processes were put in place to prevent the problem recurring.
Monitoring Government Data-matching
Data-matching is the process of bringing together large data sets of personal information from different sources and comparing them to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.
The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data-matching, the OAIC performs a number of functions.
The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Information Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration, which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.
Matching under the Data-matching Act and statutory data-matching guidelines
To detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans' Affairs (DVA) and the ATO.
The Data-matching Act and the statutory data-matching guidelines outline the type of personal information that can be used, and how it can be processed. They also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have means for redress.
The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency.
The Data-matching Act also makes the Information Commissioner responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.
During 2010-11 the OAIC inspected Centrelink's handling of a sample of data-matching cases at three regional Business Integrity Sites. The regions inspected were:
- Centrelink Area South West, New South Wales (Griffith), October 2010
- Centrelink Area Hunter, New South Wales (Wallsend), December 2010
- Centrelink Area Toowoomba, Queensland (Toowoomba), May 2011.
Representatives of the OAIC, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each inspection, a report is prepared and provided to Centrelink outlining the findings.
The OAIC found that Centrelink's processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act. Additionally, the area offices' procedures were also assessed as being generally compliant with the requirements of the Privacy Act in the handling of this information.
Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration
Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but are run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard to the privacy of individuals, the Information Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration.
These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.
Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol'). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.
In 2010–11 the Information Commissioner received five program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 5.16.
|Matching Agency||Source Agencies||Name of Program Protocol||Description of the Program Protocol||Received Date|
|Australian Taxation Office||Department of Climate Change and Energy Efficiency, State, Territory and Australian Government education authorities, and various building companies||Nation Building, Economic Stimulus||Match data provided by State and Territory education departments and building companies authorised under the Home Insulation Program and Building the Education Revolution Scheme to identify and address issues of non-compliance with taxation obligations||August 2010|
|Australian Taxation Office||State and Territory Government Revenue and Land Titles Offices||State and Territory Government Revenue||Match data from State and Territory Revenue and Land Titles Offices to identify and address non-compliance with taxation obligations and increase Australian Taxation Office research and analytics in the real property market||August 2010|
|Australian Taxation Office||State and Territory Motor Registries||Motor Vehicles Data Matching Program||Match data from State and Territory Motor Registries to identify and address issues of non-reporting and under reporting of luxury car tax revenue||September 2010|
|Australian Taxation Office||Seven large financial institutions||Credit and Debit Card Privacy Protocol||Identify individuals and businesses not complying with reporting registration, lodgement and payment obligations relating to cash and card income||August 2010|
|Australian Taxation Office||Various labour hire and placement agencies and computer consultancies||Personal Services Income Contracts||To improve taxation compliance of individuals employed under agency and consultancy arrangements, and businesses involved in that industry.||November 2010|
Review of performance
Under the Privacy Act the Information Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits to promote best privacy practice and to reduce privacy risks across agencies. The Information Commissioner's audit powers include:
- auditing agency compliance with the Information Privacy Principles – s 27(1)(h)
- examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s 28(1)(d)
- auditing TFN recipients – s 28(1)(e)
- auditing credit information files and credit reports held by credit reporting agencies and credit providers – s 28A(1)(g).
Other than audits conducted by using the above powers, the Information Commissioner may only audit a private sector organisation if the organisation requests this under s 27(3) of the Privacy Act.
The number of audits carried out by the former OPC and OAIC has varied depending on the nature and volume of privacy complaints and other priorities of the OAIC. In past years, the OAIC had expanded its audit program by undertaking additional audits, including three credit information audits.
In 2010–11 the OAIC conducted five audits, a reduction from 2010–11. In part, this reduction resulted from planned audits being deferred by agencies. Additional resources were focused on high profile own motion investigations which required more extensive information-gathering and analysis.
An audit is a snapshot of personal information handling practices relating to the auditee at a particular time and place. Auditees are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program alone.
The OAIC's audit teams emphasise that an audit is an educative process and compliance with the Privacy Act is part of good management practice. Audits have been the catalyst for improvements to agencies' data security, accuracy of information, staff training and disclosure policies.
The OAIC is progressively uploading finalised audit reports to its website.
ACT government audits
The OAIC currently has a Memorandum of Understanding with the ACT Government (see Appendix 6 for further information) which includes a commitment by the OAIC to conduct up to two audits of ACT Government agencies per financial year. The OAIC selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.
Table 5.17 shows details of the ACT Government audits commenced and/or finalised by the OAIC in 2010–11.
Australian Federal Police – ACT Policing branch
Number plate recognition (NPR) technology known as RAPID (Recognition and Analysis of Plates Identified). The audit examined the agency's processes for the collection, storage and security, accuracy, and use and disclosure of personal information.
Office for Children, Youth and Family Support (Care and Protection Services)
The audit examined the processes of Care and Protection Services for handling client personal information, including the collection, storage and security, quality, use and disclosure of this information.
The OAIC found that these agencies were generally compliant with their obligations under the IPPs. However, the auditors made recommendations where privacy risks were identified or where better privacy practice could be introduced.
Audit recommendations included improving notification procedures to ensure compliance with IPP 2 and developing and implementing a data destruction policy in keeping with IPP 4.
Identity Security audits
The OAIC provided privacy advice to key agencies in respect of projects delivered under the Australian Government's National Identity Security Strategy (NISS). One project under the NISS related to the National Document Verification Service (DVS).
The DVS system allows authorised government agencies to verify, online and in real time, the authenticity of an individual's Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that:
- the EOI document was issued by the relevant source government agency
- details recorded on the EOI document correspond to the details held by the source government agency, and
- the document is still valid.
The OAIC found that Centrelink was generally compliant with its obligations under the Information Privacy Principles in terms of its role as the operator of the DVS Hub.
Review of Centrelink's role as the operator of the DVS Hub
Department of Foreign Affairs and Trade
Collection, use, disclosure and security of personal information during DVS transactions undertaken as an Issuer agency
Australian Customs and Border Protection Audits
The OAIC currently has an agreement with the Australian Customs and Border Protection Service (Customs) (see Appendix 6 for further information) to provide ongoing policy advice and conduct up to two audits per financial year of various aspects of Customs' use of Passenger Name Record (PNR) data.
In 2010–11 the planned audits of PNR data were deferred and, instead, additional policy advice was provided to Customs. One of the PNR audits commenced in 2010–11 was finalised in July 2010 and the other is in progress.
The audit team considered that Customs' handling of personal information was generally compliant with the Privacy Act. However, a number of best privacy practice recommendations were made including that Customs review practices around the notification of urgent alerts to airport staff, and the handling of those alerts and associated information by staff in public areas. The auditors also recommended that Customs review access by contractors to secure areas and review all contracts to ensure that IPP obligations are included those contracts. Customs has requested, due to the classified content of the material in this particular report, that it would not be appropriate to publish either the full report or an abridged version. The Commissioner agreed not to publish the report.
The OAIC began a number of credit information audits in 2010–11. Undertaking credit audits is an important component in monitoring the compliance of credit providers and credit reporting agencies with the credit provisions contained in the Privacy Act.
Credit information audits are a proactive compliance mechanism. The intention is for the credit information audit program to be an advisory exercise as well as an enforcement activity. These audits encourage all credit providers and credit reporting agencies to view compliance as integral to their operations.
The Information Commissioner's credit information audit functions are set out in s 28A of the Privacy Act. Part IIIA of the Privacy Act governs the handling of individuals' credit reports and related information by credit reporting agencies and credit providers. The aim of the audits is to obtain evidence to assess whether credit information is maintained in accordance with Part IIIA and the Credit Reporting Code of Conduct. The OAIC does this by examining the practices and records of credit reporting agencies and credit providers to ensure that they are not using personal information in those records for unauthorised purposes, and are taking adequate steps to prevent unauthorised disclosure of those records.
|Tasmanian Collection Service|| Complaint handling
Cross-referencing of files
Dun and Bradstreet
Cross-referencing of files
Cross-referencing of files
The completed and ongoing audits have provided valuable information to the OAIC about credit reporting volumes, industry practice and compliance with credit reporting obligations. The auditors made some recommendations and a number of suggestions about:
- the need for transparency of ‘duplicate matching' programs
- proactive monitoring of access to credit reporting files
- improving procedures for staff about complaint handling and data security.
The credit reporting agencies expressed reservations regarding the publication of the final reports, citing concerns about commercial-in-confidential material. In recognition of these concerns, the OAIC has not published the reports on its website.
Healthcare Identifier audits
The Healthcare Identifiers Act 2010 (the HI Act) established the Healthcare Identifier Service (HI Service), which commenced on 1 July 2010. The HI Service is part of Medicare.
The functions of the HI Service are to:
- assign and issue individual healthcare identifiers (IHIs) for all individuals who have, are or will be provided with healthcare and to healthcare providers (HPI-Is) and healthcare provider organisations (HPI-Os)
- allow those authorised to access the HI Service to retrieve healthcare identifiers
- keep the information associated with healthcare identifiers up-to-date and accurate, including deactivating or retiring health identifiers when they are no longer needed.
Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.
The OAIC received funding in 2010–11 under an Exchange of Letters agreement with the Department of Health and Ageing to undertake up to two healthcare identifier audits as well providing policy advice and other compliance activities. (See Appendix 6 for further information about healthcare identifiers and the Exchange of Letters agreement).
The process of assigning IHIs.
Policies and procedure
s governing the handling of identifiers
General record keeping
Collection processes relating to the assignment of healthcare provider identifiers. Processes undertaken when conducting batch searches of healthcare identifier information
Personal Information Digest
To help people understand what personal information is held by each Australian and ACT government agency, Information Privacy Principle 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:
- the nature of records kept
- the purpose for which these records are kept
- the categories of people the information is about
- the period for which the records are kept
- who has access to the records
- the steps an individual needs to take to gain access to the records.
These explanatory records must be provided to the OAIC in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).
The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website. The OAIC published the PID for Australian Government agencies for the period ending June 2011 on its website at www.privacy.gov.au/government/digests.
Australian Government Agencies
The OAIC provides policy advice on personal information handling issues to Australian and ACT government agencies and the Norfolk Island Administration under various arrangements including memorandums of understanding (MOU) and through participation in working groups. These policy advices include substantive correspondence on specific proposals, advice for guidance material and advice for inclusion in other reports and published documents. Topics on which advices have been provided to Australian Government agencies include the following.
In February 2010, the Australian Government announced a package of measures to strengthen aviation security including the introduction of body scanning technology at international passenger screening points within Australia to detect items on a person or within their clothing. The OAIC provides privacy advice to the Office of Transport Security (OTS) under an MOU in relation to the development and implementation of body scanning technology in Australian international airports. During 2010–11, activities undertaken by the former OPC and the OAIC included the facilitation of a roundtable discussion on 22 September 2010 with the OTS and relevant stakeholders to identify privacy issues arising for specific interest groups and the provision of advice on the process of OTS undertaking a privacy impact assessment.
Service delivery reform
The Service Delivery Reform (SDR) program is undertaken within the Human Services Portfolio and is intended to give Australians better access to social, health and welfare services. Some aspects of the reform program, such as the co-location of agencies and the increased coordination and linking of services, will involve changes to the way that individuals' personal information is handled. The OAIC has entered into an MOU with the Department of Human Services (DHS) to provide privacy advice in relation to the SDR agenda and respond to privacy matters arising from the implementation of SDR.
The former OPC and the OAIC have advised DHS on a range of privacy-related aspects of SDR, including the SDR Implementation Plan and various privacy impact assessments relating to aspects of the SDR. An OAIC representative is also a member of the inter-departmental committee set up to advise on SDR and consider the reforms from a whole-of-government perspective.
The Healthcare Identifiers Service (HI Service), which is part of Medicare, assigns Healthcare Identifiers to individuals (IHIs) and to healthcare providers at individual and organisational provider level. It maintains a database of all assigned HIs, and will disclose IHIs to authorised healthcare providers when they request a patient's IHI. The HI Service allows authorised users to access the HI Service database to collect IHIs.
Under an Exchange of Letters agreement with the Department of Health and Ageing (DoHA), the OAIC receives funding for advice, guidance, liaison and other activities to support the appropriate use and handling of healthcare identifiers. As part of this agreement, in July 2010 the former OPC published on its website 13 frequently asked questions for individuals about IHIs. The OAIC has also provided advice in response to a series of questions posed by NSW Health and is currently preparing two draft information sheets advising private and state and territory healthcare providers about their compliance obligations. The information sheets are being prepared in consultation with DoHA, Medicare Australia, the National E-Health Transition Authority (NEHTA) and industry groups. The consultation process was still underway on 30 June 2011.
Personally Controlled Electronic Health Records
The Personally Controlled Electronic Health Record (PCEHR) system will enable an individual's health records to be shared electronically between their healthcare providers, through a network of connected systems. The PCEHR will be able to be accessed by the individual and authorised healthcare providers.
The OAIC has been working with DoHA and NEHTA to ensure that privacy protections are built in to the PCEHR scheme early in the project. The OAIC made a submission to DoHA in relation to the draft Concept of Operations for the PCEHR system design on 15 June 2011.
Cloud computing refers to internet-based computing, where information is stored and processed on remote servers accessed via the internet, in the ‘cloud', and the end user interacts with the information using an internet browser. The OAIC participated in the Department of Immigration and Citizenship (DIAC) Cloud Computing Consultative Committee which has been established to provide high-level oversight with regard to the utilisation of cloud computing or similar technology to enhance the delivery of online client services by DIAC. It has also provided comments on the consultation draft of the Cloud Computing Strategic Direction Paper released by the Australian Government Information Management Office in January 2011.
Government 2.0 Taskforce
The OAIC continues to participate on the Gov 2.0 steering committee and takes an active interest in government engagement in Gov 2.0 initiatives.
In 2010–11 the OAIC had input into the development of the Australian Government Information Management Office checklist for the Publication of Public Sector Information. The OAIC also provided comment to the Australian Public Service Commission on draft guidelines for making public comment and participating online.
The former OPC and the OAIC has been a member of the National Identity Security Coordination Group (NISCG) and the Commonwealth Reference Group on Identity Security (CRGIS), convened by the Attorney-General's Department (AGD). The NISCG convenes a number of working groups. The OAIC is represented on all of these groups.
In its role on these working groups the OAIC provides advice to government and key agencies on the privacy implications of their initiatives.
Australian Capital Territory Government Agencies
The OAIC provides advice to ACT Government agencies on privacy issues under an MOU. During 2010–11 the OAIC provided comments to ACT Government agencies on a range of issues including:
- ACT Policing Arrangement with the Australian Federal Police
- Draft review of the Terrorism (Extraordinary Temporary Powers) Act 2006
- A legislative scheme for the enforcement of court fines
- The definition of ‘authorised by law' in the context of Information Privacy Principle 11.1(d).
In several cases, the OAIC recommended conducting a privacy impact assessment to identify and manage privacy risks associated with the matter.
Norfolk Island Government Agencies
The Territories Law Reform Act 2010 (the TLR Act) amends the Norfolk Island Act 1979 to implement significant reforms aimed at improving governance structures and strengthening accountability mechanisms for Norfolk Island. This legislation was assented to on 10 December 2010. In relation to privacy, the TLR Act obliges Norfolk Island public sector agencies to adhere to the IPPs in the same manner as Australian Government agencies. These requirements came into effect on 1 January 2011.
In early 2011, the OAIC provided advice to the Chief Executive Officer of the Norfolk Island Administration regarding the implementation of privacy legislation.
Private sector organisations
Under s 27(1)(d) of the Privacy Act, one of the Information Commissioner's functions is to promote an understanding and acceptance of the National Privacy Principles (NPPs). In line with this function, the OAIC aims to work collaboratively with business. The OAIC has continued to provide advice about the operation of the NPPs including on the following matters.
The application of the NPPs to private sector health service providers
The OAIC has provided advice on the application of the NPPs to personal information handling by private sector health service providers including the Optometrist Association of Australia and Alzheimer's Australia.
Emergency Call Service Requirements Code
The Emergency Call Service Requirements Code is an industry code approved by the Australian Communications and Media Authority which specifies the obligations of carriers and carriage service providers to customers, emergency service organisations and emergency call persons. The OAIC provided comments to Communications Alliance (the telecommunications industry body that develops and reviews such industry codes) as part of the review of the Emergency Call Service Requirements Code.
Following the OAIC's own motion investigation into Google's collection of Wi-Fi data by its Street View cars, Google undertook to conduct a privacy impact assessment on Street View and supply a copy to the OAIC. The OAIC provided comments on the privacy impact assessment which highlighted a number of areas where it could be strengthened to enhance privacy protections.
The OAIC also provides advice to other jurisdictions as part of its international engagement activities. During 2010–11 the OAIC has provided advice to the Hong Kong Commissioner for Data Reporting about the handling of credit reporting data under the Privacy Act. The OAIC has also provided comments to the New Zealand Ministry of Agriculture and Forestry on a privacy impact assessment it conducted for its proposal to screen aviation security images taken in Australian airports, for biosecurity purposes before passengers arrive in New Zealand.
In 2010–11, the OAIC made 20 submissions to inquiries being undertaken by parliamentary committees and government inquiries. All submissions may be found in full at the OAIC's and former OPC's websites, respectively: www.oaic.gov.au/publications/submissions.html and www.privacy.gov.au/materials/types/submissions. Following are examples of these submissions.
Cyber safety issues
Inquiry into Cyber Safety issues Affecting Children and Young People, Submission to the Joint Select Committee on Cyber Safety
The adequacy of protections for the privacy of Australians online, Submission to the Senate Standing Committee on the Environment, Communications and the Arts
Privacy Law Reform
Inquiry into Exposure Drafts of Australian Privacy Amendment Legislation (APPs), Submission to the Senate Finance and Public Administration Committee
Credit Reporting, Submission to the Senate Finance and Public Administration Committee
Green Paper on National Credit Reform, Submission to the Department of the Treasury
Service Delivery reform
Human Services Legislation Amendment Bill 2010, Submission to the Senate Community Affairs Legislation Committee
Inquiry into Family violence and Commonwealth law
Issues Papers on family violence and Commonwealth law, Submissions to the ALRC
Draft Concept of Operations: Relating to the introduction of a personally controlled electronic health record (PCEHR) system, Submission to the Department of Health and Ageing
Law enforcement and national security
Telecommunications Interception and Intelligence Services Legislation and Amendment Bill 2010, Submission to the Senate Legal and Constitutional Affairs Committee
Combating the Financing of People Smuggling and Other Measures Bill 2010
Exposure Draft – Combating the Financing of People Smuggling and Other Measures Bill 2010, Submission to the Attorney-General's Department
Combating the Financing of People Smuggling and Other Measures Bill 2011, Submission to the Senate Standing Committee on Legal and Constitutional Affairs
Proposed extradition and mutual assistance reforms, Submission to the Attorney-General's Department
Privacy Law Reform
The Privacy Act is undergoing reform following the release of Australian Law Reform Commission (ALRC) Report 108, For Your Information: Australian Privacy Law and Practice (2008). In this report the ALRC recommended 295 changes to improve Australia's privacy framework. Due to the large number of recommendations, the Australian Government is responding to the ALRC's recommendations in stages. There was significant progress in 2010–11.
On 24 June 2010, the Government released an exposure draft of legislation containing a single set of privacy principles, intended to cover both the public and private sectors. It is proposed that these principles, known as the Australian Privacy Principles (APPs), would replace the existing Information Privacy Principles and the National Privacy Principles. The Government tabled the APPs in the Senate for referral to the Senate Finance and Public Affairs Committee (the Committee) for public consultation.
In August 2010, the former Office of the Privacy Commissioner made a detailed submission to the Committee in relation to the Australian Privacy Principles Exposure Draft and Companion Guide. The Committee held public hearings on 25 November 2010.
The Committee released the first part of its report relating to the APPs in June 2011. Its recommendations adopt or address many of the recommendations contained in the submission from the former OPC.
Another element of privacy law reform being addressed in the Government's first-stage response concerns the ALRC's recommendations relating to the introduction of comprehensive credit reporting and enhanced protections for credit reporting information. The Government referred exposure draft credit reporting provisions to the Senate for tabling and referral to the Committee on 31 January 2011.
The OAIC made a submission to the Committee in relation to the Credit Reporting Exposure Draft and Companion Guide in March 2011. The Privacy Commissioner appeared before the Committee in May 2011.
The OAIC continues to liaise closely with the Department of the Prime Minister and Cabinet on the next stages of the privacy law reform process.
More information about privacy law reform can be found at www.dpmc.gov.au/privacy/reforms.cfm