1 July 2019 to 30 June 2020

Introduction

This report is made pursuant to the reporting requirements set out under section 7.3 of the 2018–21 Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC) for the provision of privacy services related to the Information Privacy Act 2014 (ACT).

The Information Privacy Act contains the Territory Privacy Principles (TPPs) which ACT public sector agencies must comply with in relation to the collection and handling of personal information (other than personal health information).

This report is for the period 1 July 2019 to 30 June 2020.

The numbered headings below correspond to the reporting requirements set out in the MOU.

7.3 (1) Number of complaints, assessments, written and telephone enquiries

| Number of | Total |
| --- | --- |
| (a) Complaints open as at 1 July 2020 | 4 |
| (b) Complaints received in 2019–20 | 6 |
| (c) Complaints closed in 2019–20 | 9 |
| (d) Complaints open as at 30 June 2020 | 1 |
| (e) Complaints that resulted in a report to the Minister under section 43 of the Information Privacy Act | n/a |
| (f) Complaints about which the Commissioner has given a notice under section 45 of the Information Privacy Act | n/a |
| (g) Assessments finalised | 2 |
| (h) Written and telephone enquiries about ACT public sector agencies | 24 |

7.3 (1)(h) Summary of issues raised in written and telephone enquiries

Telephone calls

The OAIC received 14 telephone enquiries during the reporting period:

  • Four telephone enquiries were about the TPPs:
    • One individual called for information about how to submit a complaint about TPP 13. The OAIC provided advice about the process for submitting the complaint.
    • One individual called for information about how to access information from their daughter’s public school.
    • Two individuals asked for information about how to make a privacy complaint about an ACT Government Agency. The OAIC provided advice about the process for submitting a complaint.
  • One individual sought information about a working with vulnerable people check in the ACT and spent convictions.
  • Nine phone enquiries were misdirected, out of jurisdiction, or otherwise unrelated to privacy and/or the ACT.

Written enquiries

The OAIC received 10 written enquiries during this reporting period:

  • Five written enquiries were about the TPPs:
    • One individual sought information about the security of personal information held by an ACT Government Agency. The OAIC provided information about TPP 11 and the complaints process.
    • One individual sought information about a Parents & Citizens Committee request for access to parents' email addresses held in an ACT Government school database. The OAIC provided information about disclosure of personal information under TPP 6.
    • A school board sought confirmation that specific practices are compliant with the TPPs. We advised that the OAIC can provide general advice about compliance with the TPPs.
    • One individual enquired about whether a driver’s licence photo is considered to be sensitive information. The OAIC provided information about what constitutes ‘sensitive information’ for the purposes of the Privacy Act and the Information Privacy Act.
    • An agency requested assistance formulating a Privacy Management Plan (PMP) for an ACT government agency. They were referred to the OAIC’s Interactive Privacy Management Plan and information about the requirements of the TPPs.
  • One written enquiry was about freedom of information in the ACT (technically out of jurisdiction). The OAIC advised that the Freedom of Information Act 1982 (Cth) applies to Australian government agencies only and referred them to the appropriate government agency for further information.
  • Four written enquiries were misdirected, out of jurisdiction, or otherwise unrelated to the ACT.

7.3 (2) For each complaint received in 2019-20, a summary of issues raised and outcomes

Respondent: Chief Minister, Treasury and Economic Development Directorate (CP19/02216)

Details: The complaint was received on 26 August 2019 and closed on 3 March 2020. The complainant alleged the respondent had interfered with their privacy by improperly disclosing their personal information as the individual who reported concerns at their workplace.

The OAIC found that the disclosure was permitted as the information was disclosed for the primary purpose for which it was collected. The complaint was closed under s 39(a) and s 39(b) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the act or practice was not an interference with an individual’s privacy, and that the complaint was made more than 12 months after the complainant became aware of the incident.

Respondent: Canberra Hospital (CP19/02690)

Details: The complaint was received on 28 October 2019 and closed on 18 November 2019. The complainant requested access to their health records. The regulation of health records is specifically excluded from the Information Privacy Act under section 8(1)(b).

The complaint was closed under s 39(a) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the act or practice the subject of the complaint was not an interference with an individual’s privacy.

The complainant was advised their complaint should be directed to the ACT Human Rights Commission.

Respondent: ACT Mental Health Consumer Network (CP19/02698)

Details: The complaint was received on 28 October 2019 and closed on 2 December 2019. The complainant requested access to personal information; however, the complaint was closed after the complainant withdrew it.

Respondent: ACT Mental Health Consumer Network (CP19/03054)

Details: The complaint was received on 5 December 2019 and closed on 19 February 2020. The complainant was seeking access to an email, which they claim was sent to the respondent by a third party.

The respondent provided access to the email and the complaint was closed as adequately dealt with by the respondent under s 39(g)(i).

Respondent: ACT Health (CP20/00012)

Details: The complaint was received on 3 January 2020 and closed on 8 January 2020. The complainant alleged the respondent improperly disclosed their health information to third parties on two occasions.

Privacy complaints in the ACT are regulated by the Information Privacy Act. However, the regulation of health records is specifically excluded from the Information Privacy Act under section 8(1)(b).

The complaint was closed under s 39(a) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the act or practice the subject of the complaint was not an interference with an individual’s privacy.

Respondent: ACT Health (CP20/01026)

Details: The complaint was received on 25 May 2020 and closed on 3 June 2020. The complainant claimed the respondent refused access to the complainant’s health information under TPP 12.

Privacy complaints in the ACT are regulated by the Information Privacy Act. However, the regulation of health records is specifically excluded from the Information Privacy Act under section 8(1)(b).

The complaint was closed under s 39(a) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the act or practice the subject of the complaint was not an interference with an individual’s privacy.

Summary of issues raised, and outcomes of complaints received in 2018-19 and closed in 2019-20

Respondent: ACT Government Community Services Directorate (CP18/03367)

Details: The complaint was received in the previous reporting period, on 20 November 2018, and closed on 20 November 2019.

The complainant alleged the respondent interfered with his privacy by improperly soliciting his personal information in the form of six months of bank statements, as part of his application for Social Housing Assistance, and returning his documents by regular mail.

The complaint was closed under s 39(a) of the Information Privacy Act on the basis that the act or practice complained of was not an interference with privacy, as:

  • Under TPP 3.1 the respondent did not ‘collect’ the complainant’s bank statements for inclusion in its records; and
  • Under TPP 5 the respondent took reasonable steps to notify the complainant of its collection of personal information.

Respondent: Transport Canberra and City Services Directorate (CP18/03375)

Details: The complaint was received in the previous reporting period, on 21 November 2018, and closed on 17 April 2020.

The complainant claimed the respondent did not take appropriate action under TPP 11 in response to an allegation that the respondent’s staff inappropriately collected and read mail addressed to the complainant.

Following preliminary inquiries, the complaint was closed on the basis that:

  • Under s 39(a) of the Information Privacy Act, there was no evidence that the respondent had interfered with the complainant’s privacy by not taking reasonable steps to protect the complainant’s personal information under TPP 11, and
  • Under s 39(f) of the Information Privacy Act, an investigation of the complaint was not warranted having regard to all the circumstances.

Respondent: Legal Aid ACT (CP18/03568)

Details: The complaint was received in the previous reporting period, on 10 December 2018, and closed on 22 April 2020.

The complainant claimed the respondent sent correspondence regarding their Legal Aid application to the wrong postal address and email address. The complainant had moved homes shortly after submitting their application and had not notified the respondent of this change.

The OAIC declined to investigate the complaint on the basis that:

  • Under s 39(a) of the Information Privacy Act, the act or practice complained of was not an interference with privacy
  • Under s 39(f) of the Information Privacy Act, an investigation of the complaint was not warranted
  • Under s 40(2)(a) of the Information Privacy Act, the complainant did not comply with a reasonable request made by the OAIC in dealing with the complaint.

In this matter there was no breach of TPP 6 as the email was not successfully delivered, and sending written correspondence to the complainant’s address was for the primary purpose for which it was collected, being to respond to their application for Legal Aid.

There was also no breach of TPP 10 as it was reasonable in the circumstances for the respondent to assume the email and postal address it held about the complainant was accurate and up-to-date.

The incorrectly entered email address was the result of human error, not of incorrect information held on the respondent’s system. The complainant did not advise the respondent that they had moved to a new home eight days after submitting their application for Legal Aid.

7.3 (3) For each finalised assessment, a summary of the outcomes

Assessments finalised as at 30 June 2020

The OAIC finalised two assessments in the 2019-20 reporting period. These assessments were initiated in earlier reporting periods.

Housing ACT

This assessment examined whether Housing and Community Services ACT (Housing ACT) was:

  • using and disclosing personal information in accordance with its TPP 6 obligations
  • taking reasonable steps to secure its personal information holdings as required by TPP 11.

The scope of the assessment focused on how Housing ACT maintains and handles personal information related to the provision of social housing and related services.

As part of the assessment, OAIC staff reviewed relevant policies and procedures and interviewed staff in February 2018. This assessment found that Housing ACT staff were aware of the sensitivity of personal information. The OAIC also observed some ICT system and physical security specific policies and procedures, which were supported by informal knowledge sharing.

The OAIC made ten recommendations in response to privacy risks including those relating to the use of personal information and the absence of formal training, the lack of a data breach response plan, and not taking reasonable steps to protect personal information it handles. The recommendations include that Housing ACT should:

  • create written policies and procedures for the handling of personal information
  • implement regular privacy training
  • establish clear privacy governance mechanisms
  • review its privacy risk management processes
  • improve its ICT security by implementing additional security measures
  • conduct a threshold assessment and if necessary, a full privacy impact assessment on the digitisation of hardcopy client files.

In addition, the OAIC recommended that Housing ACT must, as a priority, take steps to develop and implement a data breach response plan.

Housing ACT accepted all the OAIC’s recommendations.

The report for this assessment was published on the OAIC’s website on 20 December 2019.

Privacy policy evaluation of ten agencies

The assessment examined the privacy policies of ten ACT public sector agencies to determine whether the policies met the requirements of TPPs 1.3, 1.4 and 1.5.

The agencies included in the assessment were: Access Canberra, ACT Corrective Services, Public Trustee and Guardian, Elections ACT, Legal Aid ACT, ACT Revenue Office, Canberra Health Services, Victim Support ACT, Transport Canberra, and the Community Services Directorate.

OAIC staff notified each agency of the assessment by letter on 9 May 2019 and requested information about their privacy policies. OAIC staff reviewed the privacy policies as they appeared online between 27 and 30 May 2019.

In December 2019, each agency was provided with an individual report containing recommendations for their consideration and comment. The OAIC received responses to the recommendations from all ten agencies and all recommendations were accepted in full.

A consolidated report summarising the high-level findings across all agencies noted that all ten ACT agencies had their privacy policy available online and noted areas for improvement in relation to:

  • the readability of the privacy policies
  • the inclusion of review dates on privacy policies
  • the inclusion of contact details for individuals to submit a privacy query or complaint in privacy policies
  • the inclusion of certain content required under TPP 1.4 regarding the way agencies handle personal information
  • improving the online availability and accessibility of the privacy policies.

The consolidated report was published on the OAIC’s website on 30 June 2020.

Ongoing assessments as at 30 June 2020

Access Canberra

In the current reporting period, the OAIC initiated an assessment in relation to:

  • the implementation of five recommendations made in an OAIC assessment of Access Canberra undertaken in 2017. These recommendations related to risks associated with Access Canberra’s handling of personal information in accordance with TPPs 1 and 5 for vehicle registrations and applications for working with vulnerable people; and
  • the handling of personal information collected in applications for birth, death and marriage registrations and certificates in accordance with TPPs 1 and 5.

As part of the assessment, OAIC staff have reviewed relevant policies and procedures and interviewed staff. An assessment report was being drafted as at 30 June 2020.

7.3 (4) Information about any complaints that have not yet been finalised

Respondent: Independent Competition and Regulatory Commission (CP17/00779)

Details: The complaint was received on 7 April 2017. Under the TPPs the complainant alleges that the respondent interfered with their privacy by inappropriately collecting sensitive information, not providing appropriate notice and by failing to take reasonable steps to ensure the personal information it collected about them was accurate. The complainant also alleges the respondent may not have a privacy policy.

7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies as a result of complaints or other investigations

No formal reports or recommendations other than in relation to the above assessments were provided during the reporting period.

7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year

OAIC advice to Chief Minister, Treasury and Economic Development Directorate

Verbal policy advice was provided in August 2019 in relation to child protection and privacy.

Written policy advice was provided in April 2020 in relation to requests for consent from individuals to share personal information contained on the ACT Government’s casual job register with other agencies.

OAIC advice to ACT Justice and Community Safety Directorate

The OAIC provided advice on 30 March 2020 regarding establishment of the National Privacy COVID-19 Team and sought information and feedback regarding information sharing mechanisms for ACT public sector agencies in response to COVID-19.

The OAIC provided advice on 13 May 2020 regarding the responsible collection and handling of personal information as COVID-19 restrictions were eased. The OAIC sought feedback on its draft guidance for businesses collecting personal information.

Acronyms and abbreviations

ACT                       Australian Capital Territory
Cth                       Commonwealth
FOI                       Freedom of Information
Housing ACT               Housing and Community Services ACT
Information Privacy Act   Information Privacy Act 2014 (ACT)
MOU                       Memorandum of Understanding
OAIC                      Office of the Australian Information Commissioner
Privacy Act               Privacy Act 1988 (Cth)
TPPs                      Territory Privacy Principles[1]

Footnote

[1] Schedule of the Information Privacy Act.