
Introduction

This report is made pursuant to the reporting requirements set out under section 7.3 of the Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC) for the provision of privacy services related to the Information Privacy Act 2014 (ACT) (Information Privacy Act).

The Information Privacy Act contains the Territory Privacy Principles (TPPs) which ACT public sector agencies must comply with when collecting and handling personal information (other than personal health information).

This report is for the period 1 July 2022 to 30 June 2023.

The numbered headings below correspond to the reporting requirements set out in the MOU.

7.3 (1) Number of complaints, assessments, written and telephone enquiries

Number of                                                                                                          Total
(a) Complaints open as at 1 July 2022                                                                              6
(b) Complaints received in 2022-23                                                                                 12
(c) Complaints closed in 2022-23                                                                                   8
(d) Complaints open as at 30 June 2023                                                                             10
(e) Complaints that resulted in a report to the Minister under section 43 of the Information Privacy Act           N/A
(f) Complaints about which the Commissioner has given a notice under section 45 of the Information Privacy Act     N/A
(g) Assessments finalised                                                                                          0
(h) Written and telephone enquiries about ACT public sector agencies                                               2

7.3 (1)(h) Summary of issues raised in written and telephone enquiries

Telephone calls

The OAIC received 2 telephone enquiries during the reporting period. Both related to the TPPs:

  • 1 individual called with concerns about the accuracy and security of their personal information held by ACT Government agencies. The OAIC provided advice about TPPs 10 and 11, and the OAIC’s complaints process.

  • 1 individual called regarding an alleged disclosure of inaccurate personal information about them by ACT Government agencies. The OAIC provided advice about TPPs 6, 10 and 13, and the OAIC’s complaints process.

Written enquiries

The OAIC received no written enquiries during this reporting period.

7.3 (2) For each complaint received in 2022-23, a summary of issues raised and outcomes

Respondent: Child and Youth Protection Services

Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to ensure the accuracy of the personal information it collected, used, and disclosed about them.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Canberra Health Services

Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to correct their personal information, and disclosed inaccurate personal information to third parties.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: The Office of the Director of Public Prosecutions

Details: The complaint was received on 10 September 2022 and closed on 4 April 2023. The complainant alleged that the respondent improperly disclosed their personal information.

This complaint was closed following conciliation.

Respondent: Access Canberra

Details: The complaint was received on 8 October 2022. The complainant alleges that the respondent failed to ensure the security of their personal information, which was disclosed in a data breach by a different entity.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Child and Youth Protection Services

Details: The complaint was received on 27 October 2022. The complainant alleges that the respondent improperly disclosed their personal information.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: ACT Health

Details: The complaint was received on 15 November 2022 and closed on 9 January 2023. The complainant alleged that the respondent’s new digital health records system did not protect their health records appropriately.

The OAIC found that the information concerned did not meet the definition of ‘personal information’ under the Information Privacy Act, which excludes personal health information. This complaint was closed under s 39(a) of the Information Privacy Act.

Respondent: Justice and Community Safety Directorate

Details: The complaint was received on 27 November 2022. The complainant alleges that the respondent improperly disclosed their personal information, which was also inaccurate.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: ACT Education Directorate

Details: The complaint was received on 30 November 2022 and closed on 6 June 2023. The complainant alleged that the respondent failed to provide them with the option to receive content/correspondence anonymously, and failed to notify them that it was collecting personal information when it delivered content to them via an online method.

This complaint was closed following conciliation.

Respondent: Major Projects Canberra

Details: The complaint was received on 11 January 2023 and closed on 30 January 2023. The complainant alleged that the respondent improperly disclosed their personal information.

The OAIC found that the respondent had adequately dealt with this matter and the complaint was closed under s 39(g)(i) of the Information Privacy Act.

Respondent: Canberra Health Services

Details: The complaint was received on 10 February 2023 and closed on 29 March 2023. The complainant alleged that the respondent improperly disclosed their personal information.

This complaint was closed following conciliation.

Respondent: Canberra Health Services

Details: The complaint was received on 30 March 2023. The complainant alleges that the respondent improperly disclosed their personal information.

This complaint is currently moving through the OAIC’s complaint handling process.

7.3 (3) For each finalised assessment, a summary of the outcomes

Assessments finalised as at 30 June 2023

Data Breach Response Plan Assessment

The OAIC conducted an assessment of the data breach response plans for each ACT government directorate. The OAIC considers having a data breach response plan focused on reducing the impact of a breach is a reasonable step towards compliance with TPP 11. TPP 11 requires an ACT public sector agency that holds personal information to take reasonable steps to protect the information from misuse, interference or loss and from unauthorised access, modification or disclosure.

Under the Notifiable Data Breaches (NDB) scheme, any organisation or agency the Privacy Act 1988 (Cth) covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. If an ACT public sector agency experiences an eligible data breach involving tax file number information, it must notify affected individuals and the OAIC.[1] However, the OAIC understands that it is ACT Government policy to voluntarily report any significant privacy data breaches to the OAIC, even where tax file number information is not involved in the breach.

The scope of this assessment was limited to examining whether the directorate:

  • had a plan to respond to data breaches, that reflects the OAIC’s best practice guidance, as a reasonable step under TPP 11
  • had taken steps to operationalise the data breach response plan including training, testing, escalation, notification and governance.

Across all assessments, the OAIC made 11 recommendations to address privacy risks, including in relation to:

  • having an approved data breach response plan
  • considering the use of external expertise following a data breach
  • documenting data breach response team processes and details.

The OAIC provided draft assessment reports to the 7 directorates on 16 June 2023. We finalised the assessment reports for 4 of the directorates in the reporting period. The remaining 3 assessment reports were finalised by early August 2023.

At the time of writing, these recommendations have been accepted in full by the respective directorates. Following finalisation of all assessments, a summary report will be published on the OAIC website.

Future assessments as at 30 June 2023

Under the 2021-24 MOU, the OAIC will conduct 2 assessments over the 3-year term. Early in 2023-24 the OAIC will hold preliminary discussions with the ACT’s Justice and Community Safety Directorate about the scope of the second of these assessments.

7.3 (4) Information about any complaints that have not yet been finalised

Respondent: Chief Minister, Treasury and Economic Development Directorate

Details: The complaint was received on 6 March 2022. The complainant alleges that their personal information had been compromised in a data breach by the respondent.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 3 June 2022. The complainant alleges that the respondent improperly disclosed their personal information to third parties.

This complaint is currently moving through the OAIC’s complaint handling process.

* This case is related to the complaint described below.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 3 June 2022. The complainant alleges that the respondent improperly disclosed their personal information to third parties.

This complaint is currently moving through the OAIC’s complaint handling process.

* This case is related to the complaint described above.

Respondent: Child and Youth Protection Services

Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to ensure the accuracy of the personal information it collected, used, and disclosed about them.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Canberra Health Services

Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to correct their personal information, and disclosed inaccurate personal information to third parties.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Access Canberra

Details: The complaint was received on 8 October 2022. The complainant alleges that the respondent failed to ensure the security of their personal information, which was disclosed in a data breach by a different entity.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Child and Youth Protection Services

Details: The complaint was received on 27 October 2022. The complainant alleges that the respondent improperly disclosed their personal information.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Justice and Community Safety Directorate

Details: The complaint was received on 27 November 2022. The complainant alleges that the respondent improperly disclosed their personal information, which was also inaccurate.

This complaint is currently moving through the OAIC’s complaint handling process.

Respondent: Canberra Health Services

Details: The complaint was received on 30 March 2023. The complainant alleges that the respondent improperly disclosed their personal information.

This complaint is currently moving through the OAIC’s complaint handling process.

7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies as a result of complaints or other investigations

Not applicable.

7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year

Advice to ACT Integrity Commission

The OAIC received a request for policy advice from the ACT Integrity Commission in respect of the Commission’s privacy processes. The OAIC is currently assisting the Commission with this request.

Acronyms and abbreviations

ACT                          Australian Capital Territory
APPs                         Australian Privacy Principles
Cth                          Commonwealth
Housing ACT                  Housing and Community Services ACT
Information Privacy Act      Information Privacy Act 2014 (ACT)
MOU                          Memorandum of Understanding
OAIC                         Office of the Australian Information Commissioner
Privacy Act                  Privacy Act 1988 (Cth)
TPPs                         Territory Privacy Principles[2]

[1] See Privacy Act 1988 (Cth), s 26WE(1)(d).

[2] Schedule 1 of the Information Privacy Act.