Introduction
This report is made pursuant to the reporting requirements set out under section 7.3 of the Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC) for the provision of privacy services related to the Information Privacy Act 2014 (ACT) (Information Privacy Act).
The Information Privacy Act contains the Territory Privacy Principles (TPPs) which ACT public sector agencies must comply with when collecting and handling personal information (other than personal health information).
This report is for the period 1 July 2022 to 30 June 2023.
The numbered headings below correspond to the reporting requirements set out in the MOU.
7.3 (1) Number of complaints, assessments, written and telephone enquiries
| Number of | Total |
|---|---|
| (a) Complaints open as at 1 July 2022 | 6 |
| (b) Complaints received in 2022-23 | 12 |
| (c) Complaints closed in 2022-23 | 8 |
| (d) Complaints open as at 30 June 2023 | 10 |
| (e) Complaints that resulted in a report to the Minister under section 43 of the Information Privacy Act | N/A |
| (f) Complaints about which the Commissioner has given a notice under section 45 of the Information Privacy Act | N/A |
| (g) Assessments finalised | 0 |
| (h) Written and telephone enquiries about ACT public sector agencies | 2 |
7.3 (1)(h) Summary of issues raised in written and telephone enquiries
Telephone calls
The OAIC received 2 telephone enquiries during the reporting period:
- Both of the telephone enquiries related to the TPPs:
  - 1 individual called with concerns about the accuracy and security of their personal information held by ACT Government agencies. The OAIC provided advice about TPPs 10 and 11, and the OAIC’s complaints process.
  - 1 individual called regarding an alleged disclosure of inaccurate personal information about them by ACT Government agencies. The OAIC provided advice about TPPs 6, 10, and 13, and the OAIC’s complaints process.
Written enquiries
The OAIC received no written enquiries during this reporting period.
7.3 (2) For each complaint received in 2022-23, a summary of issues raised and outcomes
Respondent: Child and Youth Protection Services
Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to ensure the accuracy of the personal information it collected, used, and disclosed about them.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Canberra Health Services
Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to correct their personal information, and disclosed inaccurate personal information to third parties.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: The Office of the Director of Public Prosecutions
Details: The complaint was received on 10 September 2022 and closed on 4 April 2023. The complainant alleged that the respondent improperly disclosed their personal information.
This complaint was closed following conciliation.
Respondent: Access Canberra
Details: The complaint was received on 8 October 2022. The complainant alleges that the respondent failed to ensure the security of their personal information, which was disclosed in a data breach by a different entity.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Child and Youth Protection Services
Details: The complaint was received on 27 October 2022. The complainant alleges that the respondent improperly disclosed their personal information.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: ACT Health
Details: The complaint was received on 15 November 2022 and closed on 9 January 2023. The complainant alleged that the respondent’s new digital health records system did not protect their health records appropriately.
The OAIC found that the respondent’s handling of the complainant’s information did not meet the definition of ‘personal information’ under the Information Privacy Act. This complaint was closed under s 39(a) of the Information Privacy Act.
Respondent: Justice and Community Safety Directorate
Details: The complaint was received on 27 November 2022. The complainant alleges that the respondent improperly disclosed their personal information, which was also inaccurate.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: ACT Education Directorate
Details: The complaint was received on 30 November 2022 and closed on 6 June 2023. The complainant alleged that the respondent failed to provide them with the option to receive content/correspondence anonymously, and failed to notify them that it was collecting personal information when it delivered content to them via an online method.
This complaint was closed following conciliation.
Respondent: Major Projects Canberra
Details: The complaint was received on 11 January 2023 and closed on 30 January 2023. The complainant alleged that the respondent improperly disclosed their personal information.
The OAIC found that the respondent had adequately dealt with this matter and the complaint was closed under s 39(g)(i) of the Information Privacy Act.
Respondent: Canberra Health Services
Details: The complaint was received on 10 February 2023 and closed on 29 March 2023. The complainant alleged that the respondent improperly disclosed their personal information.
This complaint was closed following conciliation.
Respondent: Canberra Health Services
Details: The complaint was received on 30 March 2023. The complainant alleges that the respondent improperly disclosed their personal information.
This complaint is currently moving through the OAIC’s complaint handling process.
7.3 (3) For each finalised assessment, a summary of the outcomes
Assessments finalised as at 30 June 2023
Data Breach Response Plan Assessment
The OAIC conducted an assessment of the data breach response plans for each ACT government directorate. The OAIC considers having a data breach response plan focused on reducing the impact of a breach is a reasonable step towards compliance with TPP 11. TPP 11 requires an ACT public sector agency that holds personal information to take reasonable steps to protect the information from misuse, interference or loss and from unauthorised access, modification or disclosure.
Under the Notifiable Data Breaches (NDB) scheme, any organisation or agency the Privacy Act 1988 (Cth) covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. If an ACT public sector agency experiences an eligible data breach involving tax file number information, it must notify affected individuals and the OAIC.[1] However, the OAIC understands that it is ACT Government policy to voluntarily report any significant privacy data breaches to the OAIC, even where tax file number information is not involved in the breach.
The scope of this assessment was limited to examining whether the directorate:
- had a plan to respond to data breaches, that reflects the OAIC’s best practice guidance, as a reasonable step under TPP 11
- had taken steps to operationalise the data breach response plan including training, testing, escalation, notification and governance.
Across all assessments, the OAIC made 11 recommendations to address privacy risks, including in relation to:
- having an approved data breach response plan
- considering the use of external expertise following a data breach
- documenting data breach response team processes and details.
The OAIC provided draft assessment reports to the 7 directorates on 16 June 2023. We finalised the assessment reports for 4 of the directorates in the reporting period. The remaining 3 assessment reports were finalised by early August 2023.
At the time of writing, these recommendations have been accepted in full by the respective directorates. Following finalisation of all assessments, a summary report of the assessments will be published on the OAIC website.
Future assessments as at 30 June 2023
Under the 2021-24 MOU, the OAIC will conduct 2 assessments over the 3-year term. Early in 2023-24 the OAIC will hold preliminary discussions with the ACT’s Justice and Community Services Directorate about the scope of the second of these assessments.
7.3 (4) Information about any complaints that have not yet been finalised
Respondent: Chief Minister, Treasury and Economic Development Directorate
Details: The complaint was received on 6 March 2022. The complainant alleged that their personal information had been compromised in a data breach by the respondent.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Transport Canberra and City Services Directorate
Details: The complaint was received on 3 June 2022. The complainant alleged that the respondent improperly disclosed their personal information to third parties.
This complaint is currently moving through the OAIC’s complaint handling process.
* This case is related to the complaint described below.
Respondent: Transport Canberra and City Services Directorate
Details: The complaint was received on 3 June 2022. The complainant alleged that the respondent improperly disclosed their personal information to third parties.
This complaint is currently moving through the OAIC’s complaint handling process.
* This case is related to the complaint described above.
Respondent: Child and Youth Protection Services
Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to ensure the accuracy of the personal information it collected, used, and disclosed about them.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Canberra Health Services
Details: The complaint was received on 13 August 2022. The complainant alleges that the respondent failed to correct their personal information, and disclosed inaccurate personal information to third parties.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Access Canberra
Details: The complaint was received on 8 October 2022. The complainant alleges that the respondent failed to ensure the security of their personal information, which was disclosed in a data breach by a different entity.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Child and Youth Protection Services
Details: The complaint was received on 27 October 2022. The complainant alleges that the respondent improperly disclosed their personal information.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Justice and Community Safety Directorate
Details: The complaint was received on 27 November 2022. The complainant alleges that the respondent improperly disclosed their personal information, which was also inaccurate.
This complaint is currently moving through the OAIC’s complaint handling process.
Respondent: Canberra Health Services
Details: The complaint was received on 30 March 2023. The complainant alleges that the respondent improperly disclosed their personal information.
This complaint is currently moving through the OAIC’s complaint handling process.
7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies as a result of complaints or other investigations
Not applicable.
7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year
Advice to ACT Integrity Commission
The OAIC received a request for policy advice from the ACT Integrity Commission in respect of the Commission’s privacy processes. The OAIC is currently assisting the Commission with this request.
Acronyms and abbreviations
| Acronym | Meaning |
|---|---|
| ACT | Australian Capital Territory |
| APPs | Australian Privacy Principles |
| Cth | Commonwealth |
| Housing ACT | Housing and Community Services ACT |
| Information Privacy Act | Information Privacy Act 2014 (ACT) |
| MOU | Memorandum of Understanding |
| OAIC | Office of the Australian Information Commissioner |
| Privacy Act | Privacy Act 1988 (Cth) |
| TPPs | Territory Privacy Principles[2] |
[1] See Privacy Act 1988 (Cth), s 26WE(1)(d).
[2] Schedule 1 of the Information Privacy Act.