Annual Report 2010–11
Chapter 5: Promote and secure the protection of personal information
Privacy issues continued to feature prominently in news headlines in 2010–11. Widespread media reporting of data breaches and the misuse of personal information contributed to a growing recognition that privacy protection is a critical concern in the community.
As the flow of personal information grows exponentially through the use of new technologies that enable personal information to be moved around the globe in seconds, the challenge is for privacy law and principles to adapt and keep pace with the way that personal information is handled by government agencies and private sector organisations. It is in this context that a key focus for the Office of the Australian Information Commissioner (OAIC) during 2010–11 was the proposed reforms to the Privacy Act 1988 (the Privacy Act).
The OAIC also continued to work with Australian and ACT government agencies on new policy proposals, legislative and regulatory changes, and agency practices that may have a significant impact on the handling of personal information. From 1 January 2011, the OAIC also provided these services to the Norfolk Island Administration. Similarly, the OAIC works with business to enhance understanding and implementation of good personal information handling practices.
The OAIC's privacy compliance activities provided important regulatory oversight in relation to individual complaints and systemic issues. The OAIC carried out a range of regulatory functions, such as own motion investigations (OMIs) and audits, aimed at securing the protection of personal information.
Compliance activities
To ensure that privacy is valued and respected in Australia, the OAIC undertakes a wide range of compliance activities. These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections and conducting OMIs.
In 2010–11, the Compliance Branch received 1222 complaints, a small increase over the 1201 received in 2009–10. In addition, the OAIC dealt with 59 OMIs and 56 voluntary data breach notifications. The Compliance Branch reduced the number of audits it undertook during 2010–11 to five, instead focusing additional resources on high-profile OMIs. This included OMIs into two large telecommunications providers and a number of technology companies.
In an OMI the OAIC can gather information about a respondent's privacy practices and work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.
The OAIC publishes case notes as an effective means of providing information about how matters are assessed and how the law applies to issues involving privacy. Twenty-four case notes were published during 2010–11. These can be found at www.oaic.gov.au/publications/case_notes.html.
In addition, the Privacy Commissioner published an investigation report about an OMI finalised in 2010–11.
Responding to telephone enquiries
The OAIC's Enquiries Line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The Enquiries Line answered 20,617 telephone enquiries in 2010–11, which is consistent with the number of calls received in previous years. Of those telephone enquiries, 10,986 specifically related to privacy and the protection of personal information. Other calls related to freedom of information (FOI), the role of the OAIC, privacy or FOI in other jurisdictions, or were administrative in nature.
Who is calling?
Most callers are individuals seeking information about their privacy rights and advice on how to resolve privacy complaints.
Table 5.1 below illustrates the top 10 types of caller who telephoned the Enquiries Line in 2010–11.
| Top 10 caller types | Total |
|---|---|
| Individual | 9012 |
| Business, Professional Associations and Unions | 372 |
| Health Service Providers | 224 |
| Australian Government | 207 |
| Personal Services (such as employment, child care, vets) | 190 |
| Real Estate Agents | 132 |
| Legal, Accounting and Management Services | 98 |
| Clubs, Interest Groups, Theatres, Sports and Media | 92 |
| Charities | 89 |
| Finance (including Superannuation) | 82 |
Table 5.2 provides a breakdown of issues discussed in the calls received during 2010–11. Almost three quarters of the privacy related calls were about the National Privacy Principles (NPPs). The most frequently discussed issue continued to be the use and disclosure of personal information by private sector organisations, followed by NPP exemptions, improper collection, access and correction and data security.
The number of privacy related calls about Credit Reporting and the Information Privacy Principles (IPPs) remained similar to previous years.
| Issues | Total number of calls |
|---|---|
| Private Sector Provisions Issues | |
| NPP 1 - Collection | 1581 |
| NPP 2 - Use and Disclosure | 2780 |
| NPP 3 - Data Quality | 236 |
| NPP 4 - Data Security | 787 |
| NPP 5 - Openness (privacy statement) | 85 |
| NPP 6 - Access and Correction | 1164 |
| NPP 7 - Identifiers | 6 |
| NPP 8 - Anonymity | 25 |
| NPP 9 - Transborder Data Flows | 53 |
| NPP 10 - Sensitive Information Collection | 65 |
| NPP Exemptions | 1685 |
| Private Sector Provisions (General) | 301 |
| Non-Private Sector Provisions Issues | |
| Credit Reporting | 799 |
| IPPs | 731 |
| Spent Convictions | 136 |
| Tax File Numbers | 35 |
| Privacy Codes | 8 |
| Individual Health Identifiers | 1 |
| Data-matching | 2 |
| Privacy (General) | 506 |
Who are the National Privacy Principles calls about?
Table 5.3 distributes the top 10 NPP telephone enquiries by private sector industry groups. These groups have remained consistent for the last several years.
| Private sector industry group | Total number of calls |
|---|---|
| Health Services Providers | 1112 |
| Business, Professional Associations and Unions | 835 |
| Personal Services (including employment, child care and vets) | 813 |
| Real Estate Agents | 759 |
| Finance (including superannuation) | 622 |
| Telecommunications | 527 |
| Retail | 344 |
| Debt Collectors/Credit and Tenancy Databases | 317 |
| Clubs, Interest Groups, Theatres, Sports and Media | 293 |
| Insurance | 230 |
Some examples of calls received during 2010–11 appear below:
- The caller stated that their private sector employer wanted to place tracking devices in staff mobile phones. The OAIC explained the definition of personal information, advised that the Privacy Act does not regulate tracking devices specifically, and explained the employee records exemption.
- A caller applied to work at a casino. The job application sought information on applicants' criminal history. The caller asked if the casino was permitted to collect this information, and if the casino could collect information about criminal records from the police. The OAIC explained that the caller was not required to provide any personal information to the casino, but would need to consider the impact this may have on the casino's assessment of their job application. The OAIC also explained relevant collection principles in NPP 1. In some circumstances, it may be considered necessary for a casino's functions and activities for it to collect information about an individual's criminal history when assessing that individual's suitability for employment. The caller was advised that, under the Privacy Act, criminal record information is considered 'sensitive information', and the collection of that information is regulated by NPP 10. This means that the casino would generally need the individual's consent to collect the information.
- A real estate agent called, stating that an owner of a property that the agent manages had asked to be told the race of the current tenant. The agent refused to tell the owner the tenant's race, relying on the Privacy Act. The owner asked the agent which specific section in the Act prevented disclosure in this case. The OAIC discussed NPPs 1, 2 and 10, noting that personal information that is collected for one purpose should not be used or disclosed for other purposes unless an exception in the Act applies.
- The caller had a default listing on their credit file. The caller subsequently repaid the outstanding debt, and wanted to know whether the listing should be removed. The OAIC discussed the credit reporting provisions in the Privacy Act, noting that if the default was correctly listed, it may remain on the caller's credit file for five years. However, the credit file should note that the debt has been repaid.
- A caller stated that a news article published on the internet by a media organisation contained their personal information, including information about a court case. The OAIC discussed the media exemption.
- A caller was refused access to the medical records of her deceased son, for 'privacy reasons'. The OAIC told the caller that the Privacy Act does not regulate the handling of information about deceased people. This means that the Privacy Act would not prevent a health service provider from providing the caller with the deceased son's medical records.
Responding to written enquiries
The OAIC responds to requests for information that are received by email, letter or fax. The OAIC received 1909 written enquiries in 2010–11, of which 1721 were privacy related. The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was met in 2010–11, with 94% of privacy related written enquiries responded to within 10 working days.
In 2010–11, 67% of privacy related written enquiries concerned the private sector provisions. This is a small decrease compared to 2009–10 (71%).
Responding to complaints
The OAIC can investigate complaints about acts or practices that may be an interference with an individual's privacy. These can include allegations that:
- personal information has been collected, held, used or disclosed by an organisation in contravention of the National Privacy Principles (NPPs)
- personal information has been handled by Australian, ACT and Norfolk Island government agencies in a manner that does not comply with the Information Privacy Principles (IPPs)
- creditworthiness information held by credit providers and credit reporting agencies has been mishandled
- tax file numbers (TFNs) have been mishandled by individuals or organisations
- personal information has not been managed in accordance with spent convictions, data matching or Healthcare Identifier legislation.
Complaints received during 2010–11
In 2010–11 the OAIC received a total of 1222 complaints relating to privacy, on a wide variety of issues.
The percentage of complaints received about each area of jurisdiction is given in Table 5.4. As has been the case since the OAIC's role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about, with over half of all complaints relating to the NPPs. There has been a small decrease in complaints about credit reporting and an increase in complaints where the OAIC found that it had no jurisdiction.
| Jurisdiction | Number | %* |
|---|---|---|
| NPPs | 703 | 57.5 |
| None | 210 | 17.2 |
| Credit reporting | 195 | 16.0 |
| IPPs | 144 | 11.8 |
| ACT IPPs | 4 | 0.3 |
| TFN | 4 | 0.3 |
| Spent convictions | 1 | 0.1 |
*The percentages in Table 5.4 exceed 100% as some complaints contain more than one issue.
The particular issues complained about as a percentage of total complaints received in 2010–11 are described in Table 5.5.
| Issues | Number | %* |
|---|---|---|
| NPP use and disclosure | 340 | 27.8 |
| Credit reporting | 238 | 19.5 |
| None | 210 | 17.2 |
| NPP data security | 192 | 15.8 |
| NPP collection | 179 | 14.6 |
| NPP access and correction | 148 | 12.1 |
| IPP use and disclosure | 123 | 10.1 |
| NPP data quality | 112 | 9.2 |
| IPP collection | 37 | 3.0 |
| IPP data security | 32 | 2.7 |
| NPP Other | 19 | 1.6 |
| IPP access and correction | 18 | 1.5 |
| IPP accuracy | 14 | 1.1 |
| TFN | 4 | 0.3 |
| Spent convictions | 1 | 0.1 |
* The percentages exceed 100% as some complaints contain more than one issue.
The most commonly complained about issues in both NPP and IPP complaints were use and disclosure, followed by data security and improper collection. Credit reporting complaints have fallen 3.2 percentage points from the previous financial year. There has been an increase in complaints over which the OAIC has no jurisdiction and an increase in NPP complaints relating to data security.
Table 5.6 shows the number of complaints made about each of the 10 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. After an increase last year, the debt collector and credit reporting agency sector has fallen from the second to the third most commonly complained about sector.
| Sector | Number of complaints |
|---|---|
| Finance | 189 |
| Australian Government | 150 |
| Debt Collectors, Credit and Tenancy Databases | 131 |
| Telecommunications | 127 |
| Health Service Providers | 92 |
| Personal and Other Services | 52 |
| Retail | 43 |
| Landlords, Real Estate Agents and Developers | 40 |
| State Government | 36 |
| Insurance | 35 |
Most Complained About Organisations and Agencies
Table 5.7 below lists the most complained about organisations and agencies.
The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act. Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints received about them may represent only a small percentage of those transactions.
| Top respondents | Number of complaints received |
|---|---|
| Veda Advantage Information Services and Solutions Ltd | 77 |
| Telstra Corporation Ltd | 54 |
| The Child Support Agency | 34 |
| Commonwealth Bank of Australia | 26 |
| Centrelink | 25 |
| Singtel Optus Pty Ltd | 22 |
| Vodafone Hutchison Australia Pty Ltd | 17 |
| Health Services Union | 13 |
| ANZ Bank Ltd | 12 |
| Australian Taxation Office | 12 |
| | 12 |
Complaints closed during 2010–11
The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.
If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, it may decide not to investigate the matter any further. Otherwise, the Information Commissioner or Privacy Commissioner may make a determination about a complaint under s 52 of the Privacy Act.
In 2010–11, the OAIC closed 1167 complaints, which was slightly less than the number closed in 2010–11.
The OAIC investigated a smaller percentage of complaints under s 40(1) of the Privacy Act and chose to summarily dismiss more complaints than in 2009–10. The increase in summary dismissals partly reflects the increased number of complaints over which the OAIC found that it had no jurisdiction.
Table 5.8 provides more information about the stage at which complaints were closed.
The OAIC aims to finalise all complaints within 12 months of receiving them. In 2010–11, complaints were closed in an average of four months, which is a two month improvement from the previous financial year.
| Stage closed | Number | %* |
|---|---|---|
| Total | 1167 | |
| Decline | 664 | 56.9% |
| Preliminary inquiries | 375 | 32.1% |
| Investigation | 128 | 17.2% |
*Complaints can have more than one jurisdiction issue and therefore the number of complaints listed exceeds the number of investigations closed in 2010–11.
Complaints closed following investigations
In 2010–11, the OAIC closed 11% of complaints following an investigation under s 40(1) of the Privacy Act.
There were no determinations made in 2010–11. A determination is a legal decision or finding made by a Commissioner, as a consequence of which the Privacy Act's enforcement powers (ss 54–62) are activated.
Table 5.9 shows the grounds for declining to investigate complaints further following an investigation.
| Grounds for closing following investigation | NPPs | IPPs | Credit | Total |
|---|---|---|---|---|
| Total | 101 | 18 | 40 | 159 |
| No interference with privacy – s 41(1)(a) | 34 | 10 | 11 | 55 |
| Respondent has adequately dealt with the complaint – s 41(2)(a) | 39 | 3 | 11 | 53 |
| Respondent has not had opportunity to deal with complaint – s 41(2)(b) | 6 | 3 | 4 | 13 |
| Other (for example withdrawn or being dealt with under another law) | 22 | 2 | 14 | 38 |
The OAIC tried where possible to resolve cases through conciliation at an early stage of investigation. Respondents took steps to resolve the complaint in 33% of cases. Over two thirds of these were conciliated before the OAIC formed a view on whether the complaint should be upheld.
Common resolutions after the investigation proceeded to conciliation included:
- apologies to complainants
- staff training and counselling
- amendments to database systems and records
- changes to procedures
- provision of access to records
- compensation payments.
Overall, the respondent took steps to resolve the complaint in 39% of NPP complaints following conciliation.
More than half of the IPP complaints were closed following investigation on the basis that there was no interference with privacy, while 28% of credit reporting complaints investigated under s 40(1) of the Privacy Act were conciliated following investigation.
Nature of remedies achieved by conciliation following investigation
Table 5.10 provides more detail on the outcome of complaints that were closed on the basis that they had been adequately dealt with by the respondent following an investigation by the OAIC under s 40(1) of the Privacy Act.
Apologies are the most common remedy, followed by the amendment of records and compensation.
| Remedies in cases closed as adequately dealt with after investigation | NPPs | IPPs | Credit | Total |
|---|---|---|---|---|
| Total* | 68 | 9 | 14 | 91 |
| Access provided | 9 | - | 1 | 10 |
| Apology | 17 | 2 | 1 | 20 |
| Changed procedures | 10 | 2 | - | 12 |
| Counselled staff | 3 | - | - | 3 |
| Other remedy | 9 | 2 | 1 | 12 |
| Record amended | 9 | - | 7 | 16 |
| Staff training | 1 | 1 | 1 | 3 |
| Compensation | | | | |
| Up to $1000 | 4 | 1 | 3 | 8 |
| $1001–$5000 | 4 | 1 | - | 5 |
| $5001–$10,000 | 1 | - | - | 1 |
| $10,001+ | 1 | - | - | 1 |
*More than one resolution may have been reached for a particular complaint. Therefore, the total listed in Table 5.10 is not equal to the total number of complaints.
Complaints closed following preliminary inquiries
The Privacy Act authorises the OAIC to conduct preliminary inquiries to determine whether to investigate a complaint or exercise the discretion not to investigate a matter further. For instance, a preliminary inquiry may seek to determine:
- whether an agency or organisation is willing to provide access to records
- if a particular act or practice is authorised by law
- whether an organisation may claim the small business operator exemption
- whether a respondent is an agency or organisation that is subject to the Privacy Act.
In 2010–11, the OAIC closed 32.1% of complaints after preliminary inquiries. Table 5.11 provides more detail on the basis for closing complaints following preliminary inquiries. Please note that complaints can have more than one jurisdiction issue. Therefore, the number of complaints listed below exceeds the number of preliminary inquiries closed in 2010–11.
| Grounds | NPPs | IPPs | Credit | None | TFN | Total |
|---|---|---|---|---|---|---|
| Total | 274 | 54 | 78 | 27 | 1 | 434 |
| Not the privacy of the complainant or no respondent specified – s 36 | 11 | - | 1 | 5 | - | 17 |
| No interference with privacy – s 41(1)(a) | 140 | 26 | 44 | 13 | 1 | 224 |
| Complaint not raised with respondent – s 40(1A) | 4 | 5 | 3 | 4 | - | 16 |
| Frivolous, vexatious, misconceived, lacks substance – s 41(1)(d) | 2 | - | - | - | - | 2 |
| Currently investigated under other Commonwealth or State Act – s 41(1)(e) | 4 | 3 | 1 | - | - | 8 |
| Respondent has adequately dealt with the matter – s 41(2)(a) | 90 | 12 | 17 | 4 | - | 123 |
| Respondent has not had an opportunity to deal with the complaint – s 41(2)(b) | 7 | 4 | 1 | - | - | 12 |
| Other (for example withdrawn) | 16 | 4 | 11 | 1 | - | 32 |
The most common reason for closing a complaint after preliminary inquiries continued to be a finding that the individual's privacy had not been interfered with, which was the finding in just over half of the complaints.
Nature of remedies achieved following preliminary inquiries
In conducting preliminary inquiries the OAIC may find that the respondent has adequately dealt with the matter, or may be able to resolve the complaint through conciliation. Table 5.12 gives further detail about the types of resolutions achieved following preliminary inquiries. (More than one resolution may have been achieved for a particular complaint, meaning the total listed in Table 5.12 is not equal to the total number of complaints.)
Amendment of records continued to be the most common resolution following preliminary inquiries, followed by apologies and access to records. Compensation was paid in 14% of complaints resolved at the preliminary inquiries stage.
| Remedy | NPPs | IPPs | Credit Reporting | Total |
|---|---|---|---|---|
| Total | 111 | 22 | 19 | 152 |
| Access provided | 25 | - | - | 25 |
| Apology | 23 | 6 | 1 | 30 |
| Changed procedures | 12 | 5 | 2 | 19 |
| Compensation | | | | |
| Up to $1000 | 9 | 1 | 1 | 11 |
| $1001–$5000 | 7 | 1 | 1 | 9 |
| $5001–$10,000 | - | - | - | - |
| $10,001+ | - | - | - | - |
| Confidential settlement | - | 1 | - | 1 |
| Counselled staff | 2 | 2 | - | 4 |
| Other remedy | 10 | 2 | - | 12 |
| Record amended | 19 | 3 | 14 | 36 |
| Staff training | 4 | 1 | - | 5 |
Complaints closed without investigation
In 2010–11, the OAIC closed 56.9% of complaints by exercising a discretion not to investigate a complaint, or not to make preliminary inquiries.
The most common reasons for closing complaints without investigation were:
- there was no interference with privacy (s 41(1)(a))
- the complaint was not a privacy complaint because it was not about the individual complaining, did not specify a respondent or was not about privacy (s 36)
- the complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))
- the complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).
Table 5.13 shows, in more detail, the grounds upon which these complaints were closed without investigation.
| Reasons for declining | NPPs | IPPs | Credit Reporting | None | Total |
|---|---|---|---|---|---|
| Total | 331 | 93 | 95 | 185 | 704 |
| Not the privacy of the complainant or no respondent specified, no jurisdiction – s 36 | 48 | 12 | 6 | 154 | 220 |
| No interference with privacy – s 41(1)(a) | 126 | 33 | 46 | 14 | 219 |
| Complaint not raised with respondent – s 40(1A) | 73 | 13 | 13 | 5 | 104 |
| Aware of alleged breach for more than 12 months – s 41(1)(c) | 19 | 4 | 4 | 1 | 28 |
| Frivolous, vexatious, misconceived, lacks substance – s 41(1)(d) | 4 | 1 | - | - | 5 |
| Is being dealt with under another law – s 41(1)(e) | 10 | 1 | - | 2 | 13 |
| Another law is more appropriate – s 41(1)(f) | 2 | 9 | - | 5 | 16 |
| Respondent has adequately dealt with the matter – s 41(2)(a) | 12 | 7 | 4 | 1 | 24 |
| Respondent has not had opportunity to deal with complaint – s 41(2)(b) | 31 | 12 | 19 | 2 | 64 |
| Other (for example withdrawn) | 6 | 1 | 3 | 1 | 11 |
*Complaints can have more than one jurisdiction issue. Therefore, the number of complaints listed in Table 5.13 exceeds the number of complaints closed without investigation in 2010–11.
Reports of Complaints under Approved Codes
The Privacy Act allows for organisations or groups of organisations to develop privacy codes. A code approved by the Information Commissioner replaces the NPPs as the legally enforceable privacy standards for those organisations. At 30 June 2011, there were three approved privacy codes in force (see Table 5.14).
| Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect |
|---|---|---|---|
| Queensland Club Industry Privacy Code | Australian Information Commissioner | Clubs Queensland and the Information Commissioner | 23 August 2002 |
| Market and Social Research Privacy Code | Australian Information Commissioner | Association of Market and Social Research Organisations and the Information Commissioner | 1 September 2003 |
| Biometrics Institute Privacy Code | Australian Information Commissioner | Biometrics Institute and the Information Commissioner | 1 September 2006 |
The Information Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the OAIC under any of the approved codes in 2010–11.
The Information Commissioner is required to maintain a register of approved codes under s 18BG of the Privacy Act. The register can be found on the OAIC's website at www.privacy.gov.au/business/codes/.
Own Motion Investigations and Data Breach Notifications
Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called own motion investigations (OMIs).
A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, copying or modification. While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC, many agencies and organisations do so as good privacy practice. The OAIC directs agencies and organisations to apply the advice set out in the Guide to Handling Personal Information Security Breaches, produced in 2008 by the former Office of the Privacy Commissioner, when responding to a data breach. The Guide includes information about when to report a data breach to the OAIC or affected individuals.
Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations to ensure they meet their obligations under the Privacy Act and particularly Information Privacy Principle (IPP) 4, National Privacy Principle (NPP) 4 and Part IIIA of the Privacy Act. The nature of DBNs means that the OAIC's investigation of these incidents primarily focuses on the data security measures agencies and organisations had in place when the incident occurred and the steps taken to improve such practices as a result of a DBN.
By conducting OMIs and responding to DBNs, the Information Commissioner is fulfilling the function he has under s 27(d) of the Privacy Act of promoting an understanding and acceptance of the IPPs and the NPPs. There were a total of 59 OMIs and 56 DBN matters in 2010–11. This compares to 73 OMIs and 44 DBN matters in 2010–11.
Issues in Own Motion Investigations
During 2010–11, 59 new matters involving alleged interferences with privacy were assessed for investigation as OMIs. These matters came to the OAIC's attention from a variety of sources including telephone calls to the Enquiries Line, emails and letters from individuals, and systemic issues identified through complaints or as a result of media coverage.
The OAIC uses its own risk assessment criteria to determine whether to investigate a matter on its own motion. These criteria include the:
- number of people affected and the possible consequences for those individuals
- sensitivity of the personal information involved
- progress of an agency's or organisation's own investigation into the matter and consideration of the actions taken by the entity in response
- likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.
Table 5.15 shows a breakdown of the most common issues that arose in OMIs in 2010–11. Overwhelmingly, the main compliance issues that arose related to data security and improper use and disclosure of personal information. It is often the case that these issues go hand in hand. That is, if organisations and agencies fail to have appropriate data security measures in place, this deficiency can result in personal information being improperly used or disclosed.
Specifically, the allegations raised in OMIs opened in 2010–11 included that:
- documents containing customer information had been discarded in a public bin, including tax file number information and health information
- personal information was being disclosed without appropriate identification and authentication practices being in place
- the personal information of customers was publicly accessible on the internet
- system vulnerabilities resulted in hacking incidents which led to information about customers, including financial information, being stolen.
| Issues | Number |
|---|---|
| Credit provider – accuracy s 18G(a) | 3 |
| Credit provider – failed to give notice s 18E(8)(c) | 1 |
| Credit reporting agency – improper disclosure s 18K(1) | 3 |
| Credit reporting agency – not permitted contents s 18E(1) | 1 |
| IPP 4 – inadequate security measures | 2 |
| NPP 1.1 – unnecessary collection | 8 |
| NPP 1.2 – unlawful/unfair collection | 2 |
| NPP 1.3 – bundled consent form | 1 |
| NPP 1.3 – insufficient notice | 6 |
| NPP 1.5 – inadequate notice | 4 |
| NPP 10 – sensitive information collection | 2 |
| NPP 2.1 – improper use or disclosure | 17 |
| NPP 3 – data quality issues | 6 |
| NPP 4 – data security issues | 37 |
| NPP 5 – openness issues | 1 |
| NPP 6.1 – refused access (non health) | 2 |
| NPP 7 – used agency identifier | 1 |
| NPP 8 – anonymity not offered | 1 |
| TFN – security | 1 |
| Total | 99 |
A number of issues that came to the attention of the OAIC in 2010–11 were matters of significant public concern. To promote community confidence and also to increase the transparency of its compliance activities, the OAIC commenced the publication of reports of investigations into high profile matters or where there was a public interest in doing so. The first of these was in relation to the OAIC's investigation of Vodafone Hutchison Australia. Investigation reports are available on the OAIC's website at www.oaic.gov.au/publications/reports.html. The OAIC intends to continue to publish investigation reports, where appropriate.
Of the OMI matters closed in 2010–11, in 26% of cases the OAIC decided not to formally investigate the allegations raised. Typically, the OAIC might discontinue an OMI if it discovers that the respondent is not within its jurisdiction or the issues are not systemic in nature. The OAIC conducted an investigation but did not find that the allegations of non-compliance were substantiated in 27% of cases. In the remaining 48% of cases, the OAIC worked with the agencies and organisations involved to improve their practices so that issues of non-compliance were resolved. For example, the investigation into Vodafone Hutchison Australia resulted in it providing an undertaking to the Information Commissioner to improve its data security measures, report back about its IT security review and provide an update about the progress of its implementation.
Issues in Data Breach Notifications
The OAIC received 56 voluntary Data Breach Notifications (DBNs) in 2010–11, a 21% increase from the number of DBNs received in 2010–11.
The OAIC assesses each DBN to determine whether further action is required by the agency or organisation to respond appropriately to the breach. The OAIC may take no further action if the agency or organisation has contained the breach by recovering the information or has taken steps that mitigate further impact on individuals affected by the breach, such as notifying relevant authorities and individuals and taking steps to review and improve data security practices. Where the OAIC considers that inadequate steps have been taken, or the agency or organisation is still assessing the source and impact of the breach and the overall response that is required, it will work with the entity to assist it to apply best privacy practice. In cases where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, it will open an OMI.
Incidents reported to the OAIC through DBNs in 2010–11 included that:
- documents containing personal information were faxed to the wrong fax number
- an email containing personal information was sent to a public email address
- a system error occurred allowing customers to access other customers' accounts
- a computer containing customer records was stolen from a company's premises.
Typically, the actions taken by entities in response to a DBN include system reviews and alterations, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.
Case Notes
The OAIC publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints and investigations. The purpose of these case notes is to provide an insight into how privacy principles are being applied. This can:
- assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
- encourage good privacy practices and compliance with the Privacy Act
- demonstrate accountability and transparency in the OAIC's processes and decision making.
In 2010–11, the former Office of the Privacy Commissioner (OPC) and the OAIC published 22 case notes about complaints under the National Privacy Principles (NPPs), Information Privacy Principles (IPPs) and other areas of the Privacy Act. These can be accessed in full at www.oaic.gov.au/publications/case_notes.html.
Case study: Own Motion Investigation v Airline [2010] PrivCmrA 12
After booking a flight online an individual received an email from the airline containing personal information about another traveller. Information disclosed included the second individual's name, address, financial information, flight details and the full name and address of a third individual booked on the flight.
By the time the Privacy Commissioner had commenced an own motion investigation, the airline had already acknowledged that the disclosure had occurred and that it had not complied with NPP 2. The investigation therefore focused on the airline's compliance with NPP 4.1, which deals with data security. The airline found that the incident had occurred as a result of an overloaded server.
The Commissioner formed the view that at the time of the incident the airline's IT system was not sufficient to comply with NPP 4.1. It was noted that, as a result of the incident and the Commissioner's investigation, the source of the problem was identified and additional processes were put in place to prevent the problem recurring.
Data-matching
Monitoring Government Data-matching
Data-matching is the process of bringing together large data sets of personal information from different sources and comparing them to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.
The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data-matching, the OAIC performs a number of functions.
The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Information Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration, which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.
Matching under the Data-matching Act and statutory data-matching guidelines
To detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans' Affairs (DVA) and the ATO.
The Data-matching Act and the statutory data-matching guidelines outline the type of personal information that can be used, and how it can be processed. They also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have means for redress.
The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency.
The Data-matching Act also makes the Information Commissioner responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.
Inspections
During 2010–11 the OAIC inspected Centrelink's handling of a sample of data-matching cases at three regional Business Integrity Sites. The regions inspected were:
- Centrelink Area South West, New South Wales (Griffith), October 2010
- Centrelink Area Hunter, New South Wales (Wallsend), December 2010
- Centrelink Area Toowoomba, Queensland (Toowoomba), May 2011.
Representatives of the OAIC, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each inspection, a report is prepared and provided to Centrelink outlining the findings.
The OAIC found that Centrelink's processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act. Additionally, the area offices' procedures were also assessed as being generally compliant with the requirements of the Privacy Act in the handling of this information.
Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration
Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but are run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard to the privacy of individuals, the Information Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration.
These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.
Agencies are also required to prepare a description of the data-matching activity (a 'program protocol'). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.
In 2010–11 the Information Commissioner received five program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 5.16.
| Matching Agency | Source Agencies | Name of Program Protocol | Description of the Program Protocol | Received Date |
|---|---|---|---|---|
| Australian Taxation Office | Department of Climate Change and Energy Efficiency, State, Territory and Australian Government education authorities, and various building companies | Nation Building, Economic Stimulus | Match data provided by State and Territory education departments and building companies authorised under the Home Insulation Program and Building the Education Revolution Scheme to identify and address issues of non-compliance with taxation obligations | August 2010 |
| Australian Taxation Office | State and Territory Government Revenue and Land Titles Offices | State and Territory Government Revenue | Match data from State and Territory Revenue and Land Titles Offices to identify and address non-compliance with taxation obligations and increase Australian Taxation Office research and analytics in the real property market | August 2010 |
| Australian Taxation Office | State and Territory Motor Registries | Motor Vehicles Data Matching Program | Match data from State and Territory Motor Registries to identify and address issues of non-reporting and under reporting of luxury car tax revenue | September 2010 |
| Australian Taxation Office | Seven large financial institutions | Credit and Debit Card Privacy Protocol | Identify individuals and businesses not complying with reporting registration, lodgement and payment obligations relating to cash and card income | August 2010 |
| Australian Taxation Office | Various labour hire and placement agencies and computer consultancies | Personal Services Income Contracts | To improve taxation compliance of individuals employed under agency and consultancy arrangements, and businesses involved in that industry. | November 2010 |
Audits
Review of performance
Under the Privacy Act the Information Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits to promote best privacy practice and to reduce privacy risks across agencies. The Information Commissioner's audit powers include:
- auditing agency compliance with the Information Privacy Principles – s 27(1)(h)
- examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s 28(1)(d)
- auditing TFN recipients – s 28(1)(e)
- auditing credit information files and credit reports held by credit reporting agencies and credit providers – s 28A(1)(g).
Other than audits conducted by using the above powers, the Information Commissioner may only audit a private sector organisation if the organisation requests this under s 27(3) of the Privacy Act.
The number of audits carried out by the former OPC and OAIC has varied depending on the nature and volume of privacy complaints and other priorities of the OAIC. In past years, the OAIC had expanded its audit program by undertaking additional audits, including three credit information audits.
In 2010–11 the OAIC conducted five audits, a reduction from the previous year. In part, this reduction resulted from planned audits being deferred by agencies. Additional resources were focused on high profile own motion investigations which required more extensive information-gathering and analysis.
An audit is a snapshot of personal information handling practices relating to the auditee at a particular time and place. Auditees are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program alone.
The OAIC's audit teams emphasise that an audit is an educative process and compliance with the Privacy Act is part of good management practice. Audits have been the catalyst for improvements to agencies' data security, accuracy of information, staff training and disclosure policies.
The OAIC is progressively uploading finalised audit reports to its website.
ACT government audits
The OAIC currently has a Memorandum of Understanding with the ACT Government (see Appendix 6 for further information) which includes a commitment by the OAIC to conduct up to two audits of ACT Government agencies per financial year. The OAIC selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.
Table 5.17 shows details of the ACT Government audits commenced and/or finalised by the OAIC in 2010–11.
| Agency | Audit Scope | Commenced | Status |
|---|---|---|---|
| Australian Federal Police – ACT Policing branch | Number plate recognition (NPR) technology known as RAPID (Recognition and Analysis of Plates Identified). The audit examined the agency's processes for the collection, storage and security, accuracy, and use and disclosure of personal information. | September 2010 | In progress |
| Office for Children, Youth and Family Support (Care and Protection Services) | The audit examined the processes of Care and Protection Services for handling client personal information, including the collection, storage and security, quality, use and disclosure of this information. | November 2010 | In progress |
The OAIC found that these agencies were generally compliant with their obligations under the IPPs. However, the auditors made recommendations where privacy risks were identified or where better privacy practice could be introduced.
Audit recommendations included improving notification procedures to ensure compliance with IPP 2 and developing and implementing a data destruction policy in keeping with IPP 4.
Identity Security audits
The OAIC provided privacy advice to key agencies in respect of projects delivered under the Australian Government's National Identity Security Strategy (NISS). One project under the NISS related to the National Document Verification Service (DVS).
The DVS system allows authorised government agencies to verify, online and in real time, the authenticity of an individual's Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that:
- the EOI document was issued by the relevant source government agency
- details recorded on the EOI document correspond to the details held by the source government agency, and
- the document is still valid.
The OAIC found that Centrelink was generally compliant with its obligations under the Information Privacy Principles in terms of its role as the operator of the DVS Hub.
| Agency | Audit Scope | Commenced | Finalised |
|---|---|---|---|
| Centrelink | Review of Centrelink's role as the operator of the DVS Hub | May 2010 | June 2011 |
| Department of Foreign Affairs and Trade | Collection, use, disclosure and security of personal information during DVS transactions undertaken as an Issuer agency | November 2010 | In progress |
Australian Customs and Border Protection Audits
The OAIC currently has an agreement with the Australian Customs and Border Protection Service (Customs) (see Appendix 6 for further information) to provide ongoing policy advice and conduct up to two audits per financial year of various aspects of Customs' use of Passenger Name Record (PNR) data.
In 2010–11 the planned audits of PNR data were deferred and, instead, additional policy advice was provided to Customs. One of the PNR audits commenced in 2010–11 was finalised in July 2010 and the other is in progress.
The audit team considered that Customs' handling of personal information was generally compliant with the Privacy Act. However, a number of best privacy practice recommendations were made, including that Customs review practices around the notification of urgent alerts to airport staff, and the handling of those alerts and associated information by staff in public areas. The auditors also recommended that Customs review access by contractors to secure areas and review all contracts to ensure that IPP obligations are included in those contracts. Customs advised that, due to the classified content of the material in this particular report, it would not be appropriate to publish either the full report or an abridged version. The Commissioner agreed not to publish the report.
Credit audits
The OAIC began a number of credit information audits in 2010–11. Undertaking credit audits is an important component in monitoring the compliance of credit providers and credit reporting agencies with the credit provisions contained in the Privacy Act.
Credit information audits are a proactive compliance mechanism. The intention is for the credit information audit program to be an advisory exercise as well as an enforcement activity. These audits encourage all credit providers and credit reporting agencies to view compliance as integral to their operations.
The Information Commissioner's credit information audit functions are set out in s 28A of the Privacy Act. Part IIIA of the Privacy Act governs the handling of individuals' credit reports and related information by credit reporting agencies and credit providers. The aim of the audits is to obtain evidence to assess whether credit information is maintained in accordance with Part IIIA and the Credit Reporting Code of Conduct. The OAIC does this by examining the practices and records of credit reporting agencies and credit providers to ensure that they are not using personal information in those records for unauthorised purposes, and are taking adequate steps to prevent unauthorised disclosure of those records.
| Agency | Audit Scope | Commenced | Finalised |
|---|---|---|---|
| Tasmanian Collection Service | Complaint handling; cross-referencing of files; security issues | March 2010 | December 2010 |
| Dun and Bradstreet | Complaint handling; cross-referencing of files; security issues | April 2010 | November 2010 |
| Veda Advantage | Complaint handling; cross-referencing of files; security issues | April 2010 | In progress |
The completed and ongoing audits have provided valuable information to the OAIC about credit reporting volumes, industry practice and compliance with credit reporting obligations. The auditors made some recommendations and a number of suggestions about:
- the need for transparency of 'duplicate matching' programs
- proactive monitoring of access to credit reporting files
- improving procedures for staff about complaint handling and data security.
The credit reporting agencies expressed reservations regarding the publication of the final reports, citing concerns about commercial-in-confidential material. In recognition of these concerns, the OAIC has not published the reports on its website.
Healthcare Identifier audits
The Healthcare Identifiers Act 2010 (the HI Act) established the Healthcare Identifier Service (HI Service), which commenced on 1 July 2010. The HI Service is part of Medicare.
The functions of the HI Service are to:
- assign and issue individual healthcare identifiers (IHIs) for all individuals who have, are or will be provided with healthcare and to healthcare providers (HPI-Is) and healthcare provider organisations (HPI-Os)
- allow those authorised to access the HI Service to retrieve healthcare identifiers
- keep the information associated with healthcare identifiers up-to-date and accurate, including deactivating or retiring health identifiers when they are no longer needed.
Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.
The OAIC received funding in 2010–11 under an Exchange of Letters agreement with the Department of Health and Ageing to undertake up to two healthcare identifier audits as well as providing policy advice and other compliance activities. (See Appendix 6 for further information about healthcare identifiers and the Exchange of Letters agreement.)
| Agency | Audit Scope | Commenced | Finalised |
|---|---|---|---|
| Medicare Australia | The process of assigning IHIs; policies and procedures governing the handling of identifiers; general record keeping | October 2010 | In progress |
| Medicare Australia | Collection processes relating to the assignment of healthcare provider identifiers; processes undertaken when conducting batch searches of healthcare identifier information | June 2011 | In progress |
Personal Information Digest
To help people understand what personal information is held by each Australian and ACT government agency, Information Privacy Principle 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:
- the nature of records kept
- the purpose for which these records are kept
- the categories of people the information is about
- the period for which the records are kept
- who has access to the records
- the steps an individual needs to take to gain access to the records.
These explanatory records must be provided to the OAIC in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).
The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website. The OAIC published the PID for Australian Government agencies for the period ending June 2011 on its website at www.privacy.gov.au/government/digests.
Advice
Australian Government Agencies
The OAIC provides policy advice on personal information handling issues to Australian and ACT government agencies and the Norfolk Island Administration under various arrangements including memorandums of understanding (MOU) and through participation in working groups. These policy advices include substantive correspondence on specific proposals, advice for guidance material and advice for inclusion in other reports and published documents. Topics on which advices have been provided to Australian Government agencies include the following.
Body scanning
In February 2010, the Australian Government announced a package of measures to strengthen aviation security including the introduction of body scanning technology at international passenger screening points within Australia to detect items on a person or within their clothing. The OAIC provides privacy advice to the Office of Transport Security (OTS) under an MOU in relation to the development and implementation of body scanning technology in Australian international airports. During 2010–11, activities undertaken by the former OPC and the OAIC included the facilitation of a roundtable discussion on 22 September 2010 with the OTS and relevant stakeholders to identify privacy issues arising for specific interest groups and the provision of advice on the process of OTS undertaking a privacy impact assessment.
Service delivery reform
The Service Delivery Reform (SDR) program is undertaken within the Human Services Portfolio and is intended to give Australians better access to social, health and welfare services. Some aspects of the reform program, such as the co-location of agencies and the increased coordination and linking of services, will involve changes to the way that individuals' personal information is handled. The OAIC has entered into an MOU with the Department of Human Services (DHS) to provide privacy advice in relation to the SDR agenda and respond to privacy matters arising from the implementation of SDR.
The former OPC and the OAIC have advised DHS on a range of privacy-related aspects of SDR, including the SDR Implementation Plan and various privacy impact assessments relating to aspects of the SDR. An OAIC representative is also a member of the inter-departmental committee set up to advise on SDR and consider the reforms from a whole-of-government perspective.
Healthcare identifiers
The Healthcare Identifiers Service (HI Service), which is part of Medicare, assigns Healthcare Identifiers to individuals (IHIs) and to healthcare providers at individual and organisational provider level. It maintains a database of all assigned HIs, and will disclose IHIs to authorised healthcare providers when they request a patient's IHI. The HI Service allows authorised users to access the HI Service database to collect IHIs.
Under an Exchange of Letters agreement with the Department of Health and Ageing (DoHA), the OAIC receives funding for advice, guidance, liaison and other activities to support the appropriate use and handling of healthcare identifiers. As part of this agreement, in July 2010 the former OPC published on its website 13 frequently asked questions for individuals about IHIs. The OAIC has also provided advice in response to a series of questions posed by NSW Health and is currently preparing two draft information sheets advising private and state and territory healthcare providers about their compliance obligations. The information sheets are being prepared in consultation with DoHA, Medicare Australia, the National E-Health Transition Authority (NEHTA) and industry groups. The consultation process was still underway on 30 June 2011.
Personally Controlled Electronic Health Records
The Personally Controlled Electronic Health Record (PCEHR) system will enable an individual's health records to be shared electronically between their healthcare providers, through a network of connected systems. The PCEHR will be able to be accessed by the individual and authorised healthcare providers.
The OAIC has been working with DoHA and NEHTA to ensure that privacy protections are built in to the PCEHR scheme early in the project. The OAIC made a submission to DoHA in relation to the draft Concept of Operations for the PCEHR system design on 15 June 2011.
Cloud computing
Cloud computing refers to internet-based computing, where information is stored and processed on remote servers accessed via the internet, in the 'cloud', and the end user interacts with the information using an internet browser. The OAIC participated in the Department of Immigration and Citizenship (DIAC) Cloud Computing Consultative Committee which has been established to provide high-level oversight with regard to the utilisation of cloud computing or similar technology to enhance the delivery of online client services by DIAC. It has also provided comments on the consultation draft of the Cloud Computing Strategic Direction Paper released by the Australian Government Information Management Office in January 2011.
Government 2.0 Taskforce
The OAIC continues to participate on the Gov 2.0 steering committee and takes an active interest in government engagement in Gov 2.0 initiatives.
In 2010–11 the OAIC had input into the development of the Australian Government Information Management Office checklist for the Publication of Public Sector Information. The OAIC also provided comment to the Australian Public Service Commission on draft guidelines for making public comment and participating online.
Identity Security
The former OPC and the OAIC have been members of the National Identity Security Coordination Group (NISCG) and the Commonwealth Reference Group on Identity Security (CRGIS), convened by the Attorney-General's Department (AGD). The NISCG convenes a number of working groups. The OAIC is represented on all of these groups.
In its role on these working groups the OAIC provides advice to government and key agencies on the privacy implications of their initiatives.
Australian Capital Territory Government Agencies
The OAIC provides advice to ACT Government agencies on privacy issues under an MOU. During 2010–11 the OAIC provided comments to ACT Government agencies on a range of issues including:
- ACT Policing Arrangement with the Australian Federal Police
- Draft review of the Terrorism (Extraordinary Temporary Powers) Act 2006
- A legislative scheme for the enforcement of court fines
- The definition of 'authorised by law' in the context of Information Privacy Principle 11.1(d).
In several cases, the OAIC recommended conducting a privacy impact assessment to identify and manage privacy risks associated with the matter.
Norfolk Island Government Agencies
The Territories Law Reform Act 2010 (the TLR Act) amends the Norfolk Island Act 1979 to implement significant reforms aimed at improving governance structures and strengthening accountability mechanisms for Norfolk Island. This legislation was assented to on 10 December 2010. In relation to privacy, the TLR Act obliges Norfolk Island public sector agencies to adhere to the IPPs in the same manner as Australian Government agencies. These requirements came into effect on 1 January 2011.
In early 2011, the OAIC provided advice to the Chief Executive Officer of the Norfolk Island Administration regarding the implementation of privacy legislation.
Private sector organisations
Under s 27(1)(d) of the Privacy Act, one of the Information Commissioner's functions is to promote an understanding and acceptance of the National Privacy Principles (NPPs). In line with this function, the OAIC aims to work collaboratively with business. The OAIC has continued to provide advice about the operation of the NPPs including on the following matters.
The application of the NPPs to private sector health service providers
The OAIC has provided advice on the application of the NPPs to personal information handling by private sector health service providers including the Optometrist Association of Australia and Alzheimer's Australia.
Emergency Call Service Requirements Code
The Emergency Call Service Requirements Code is an industry code approved by the Australian Communications and Media Authority which specifies the obligations of carriers and carriage service providers to customers, emergency service organisations and emergency call persons. The OAIC provided comments to Communications Alliance (the telecommunications industry body that develops and reviews such industry codes) as part of the review of the Emergency Call Service Requirements Code.
Following the OAIC's own motion investigation into Google's collection of Wi-Fi data by its Street View cars, Google undertook to conduct a privacy impact assessment on Street View and supply a copy to the OAIC. The OAIC provided comments on the privacy impact assessment which highlighted a number of areas where it could be strengthened to enhance privacy protections.
Other jurisdictions
The OAIC also provides advice to other jurisdictions as part of its international engagement activities. During 2010–11 the OAIC has provided advice to the Hong Kong Commissioner for Data Reporting about the handling of credit reporting data under the Privacy Act. The OAIC has also provided comments to the New Zealand Ministry of Agriculture and Forestry on a privacy impact assessment it conducted for its proposal to screen aviation security images taken in Australian airports, for biosecurity purposes before passengers arrive in New Zealand.
Submissions
In 2010–11, the OAIC made 20 submissions to inquiries being undertaken by parliamentary committees and government inquiries. All submissions may be found in full at the OAIC's and former OPC's websites, respectively: www.oaic.gov.au/publications/submissions.html and www.privacy.gov.au/materials/types/submissions. Following are examples of these submissions.
Cyber safety issues
Inquiry into Cyber Safety issues Affecting Children and Young People, Submission to the Joint Select Committee on Cyber Safety
The adequacy of protections for the privacy of Australians online, Submission to the Senate Standing Committee on the Environment, Communications and the Arts
Privacy Law Reform
Inquiry into Exposure Drafts of Australian Privacy Amendment Legislation (APPs), Submission to the Senate Finance and Public Administration Committee
Credit Reporting, Submission to the Senate Finance and Public Administration Committee
Credit reform
Green Paper on National Credit Reform, Submission to the Department of the Treasury
Service Delivery reform
Human Services Legislation Amendment Bill 2010, Submission to the Senate Community Affairs Legislation Committee
Inquiry into Family violence and Commonwealth law
Issues Papers on family violence and Commonwealth law, Submissions to the ALRC
e-health
Draft Concept of Operations: Relating to the introduction of a personally controlled electronic health record (PCEHR) system, Submission to the Department of Health and Ageing
Law enforcement and national security
Telecommunications Interception and Intelligence Services Legislation and Amendment Bill 2010, Submission to the Senate Legal and Constitutional Affairs Committee
Combating the Financing of People Smuggling and Other Measures Bill 2010
Exposure Draft – Combating the Financing of People Smuggling and Other Measures Bill 2010, Submission to the Attorney-General's Department
Combating the Financing of People Smuggling and Other Measures Bill 2011, Submission to the Senate Standing Committee on Legal and Constitutional Affairs
Proposed extradition and mutual assistance reforms, Submission to the Attorney-General's Department
Privacy Law Reform
The Privacy Act is undergoing reform following the release of Australian Law Reform Commission (ALRC) Report 108, For Your Information: Australian Privacy Law and Practice (2008). In this report the ALRC recommended 295 changes to improve Australia's privacy framework. Due to the large number of recommendations, the Australian Government is responding to the ALRC's recommendations in stages. There was significant progress in 2010–11.
On 24 June 2010, the Government released an exposure draft of legislation containing a single set of privacy principles, intended to cover both the public and private sectors. It is proposed that these principles, known as the Australian Privacy Principles (APPs), would replace the existing Information Privacy Principles and the National Privacy Principles. The Government tabled the APPs in the Senate for referral to the Senate Finance and Public Affairs Committee (the Committee) for public consultation.
In August 2010, the former Office of the Privacy Commissioner made a detailed submission to the Committee in relation to the Australian Privacy Principles Exposure Draft and Companion Guide. The Committee held public hearings on 25 November 2010.
The Committee released the first part of its report relating to the APPs in June 2011. Its recommendations adopt or address many of the recommendations contained in the submission from the former OPC.
Another element of privacy law reform being addressed in the Government's first-stage response concerns the ALRC's recommendations relating to the introduction of comprehensive credit reporting and enhanced protections for credit reporting information. The Government referred exposure draft credit reporting provisions to the Senate for tabling and referral to the Committee on 31 January 2011.
The OAIC made a submission to the Committee in relation to the Credit Reporting Exposure Draft and Companion Guide in March 2011. The Privacy Commissioner appeared before the Committee in May 2011.
The OAIC continues to liaise closely with the Department of the Prime Minister and Cabinet on the next stages of the privacy law reform process.
More information about privacy law reform can be found at www.dpmc.gov.au/privacy/reforms.cfm
