MOU with the ACT for the provision of privacy services: Annual report 2020–21

Download the print version

23 February 2022

Introduction

This report is made pursuant to the reporting requirements set out under section 7.3 of the 2018–21 Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC) for the provision of privacy services related to the Information Privacy Act 2014 (ACT).

The Information Privacy Act contains the Territory Privacy Principles (TPPs) which ACT public sector agencies must comply with when collecting and handling personal information (other than personal health information).

This report is for the period 1 July 2020 to 30 June 2021.

The numbered headings below correspond to the reporting requirements set out in the MOU.

7.3 (1) Number of complaints, assessments, written and telephone enquiries

7.3 (1)(h) Summary of issues raised in written and telephone enquiries

Telephone calls

The OAIC received 4 telephone enquiries during the reporting period:

• All 4 telephone enquiries were about the TPPs:
• One individual called with concerns about how an ACT Government agency collects, uses and stores personal information. The OAIC provided advice about TPPs 3, 6 and 11.
• 3 individuals called about disclosures by ACT Government agencies. The OAIC provided advice about TPP 6 and the process for submitting a complaint.

Written enquiries

The OAIC received 2 written enquiries during this reporting period:

• Both of the written enquiries were misdirected, out of jurisdiction, or otherwise unrelated to the TPPs.

7.3 (2) For each complaint received in 2020–21, a summary of issues raised and outcomes

Respondent: Access Canberra

Details: The complaint was received on 13 July 2020 and closed on 8 March 2021. The complainant alleged the respondent had interfered with their privacy by improperly disclosing their personal information.

The OAIC found that the disclosure did not occur. The complaint was closed under s 39(a) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the act or practice was not an interference with the individual’s privacy.

Respondent: Community Services Directorate

Details: The complaint was received on 28 October 2020 and closed on 15 April 2021. The complainant alleged the respondent had interfered with their privacy by improperly disclosing their personal information, and by failing to take reasonable steps to protect their personal information.

The complaint was closed under s 39(g)(i) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the respondent has dealt, or is dealing, adequately with the complaint.

Respondent: ACT Human Rights Commission

Details: The complaint was received on 10 February 2021 and closed on 25 March 2021. The complainant alleged the respondent had interfered with their privacy by improperly collecting their personal information (TPP 3.5).

The complaint was closed under s 39(a) of the Information Privacy Act on the basis that the Commissioner was reasonably satisfied that the act or practice was not an interference with the individual’s privacy.

7.3 (3) For each finalised assessment, a summary of the outcomes

Assessments finalised as at 30 June 2021

The OAIC finalised one assessment in the 2020–21 reporting period. This assessment was initiated in an earlier reporting period.

Access Canberra

This assessment examined:

• the implementation of 5 recommendations made in an OAIC assessment of Access Canberra undertaken in 2017. These recommendations related to risks associated with Access Canberra’s handling of personal information, in accordance with TTPs 1 and 5, for vehicle registrations and applications for working with vulnerable people
• the handling of personal information collected in applications for birth, death and marriage registrations and certificates in accordance with TPPs 1 and 5.

As part of the assessment, OAIC staff reviewed relevant policies and procedures and interviewed staff.

The assessment found Access Canberra has made some progress towards implementing measures to mitigate privacy risks identified during the 2017 assessment. However, Access Canberra had either not or only partially implemented actions to address the OAIC’s 5 recommendations from the 2017 assessment. The assessment also identified new privacy risks in relation to Access Canberra’s management of personal information.

The assessment identified 15 medium-level privacy risks, resulting in 7 recommendations. These recommendations relate to:

• privacy staffing
• governance
• privacy training
• privacy risk management, including that Access Canberra establish mechanisms for properly documenting, identifying, reporting, and managing privacy risks associated with its business units
• review of existing ICT security plans
• review of privacy notifications for the collection of personal information to ensure compliance with the TPPs
• policies and procedures, including that Access Canberra:
• review and update existing policies and procedures and implement mechanisms to monitor the currency of all policies and procedures going forward
• develop a Privacy Management Plan
• conduct a privacy threshold assessment for new projects that handle personal information, followed, if necessary, by a privacy impact assessment
• finalise a data breach response plan.

The OAIC also made 2 suggestions to assist Access Canberra to further enhance privacy protective measures that may apply to its processes.

Access Canberra accepted all of the OAIC’s recommendations in full or in part.

The report for this assessment was published on the OAIC’s website on 30 April 2021.

Ongoing assessments as at 30 June 2021

Housing ACT

This assessment follows up an assessment completed in 2019–20 which examined whether Housing and Community Services ACT (Housing ACT) was:

• using and disclosing personal information in accordance with its TPP 6 obligations
• taking reasonable steps to secure its personal information holdings as required by TPP 11.

The scope of this assessment focuses on Housing ACT’s implementation of the recommendations from the assessment completed in 2019–20. At that time the OAIC made 10 recommendations in response to privacy risks, including those relating to the use of personal information and the absence of formal training, the lack of a data breach response plan, and not taking reasonable steps to protect personal information. The recommendations from the assessment completed in 2019–20 included that Housing ACT should:

• create written policies and procedures for the handling of personal information
• implement regular privacy training
• establish clear privacy governance mechanisms
• review its privacy risk management processes
• improve its ICT security by implementing additional security measures
• conduct a threshold assessment and, if necessary, a full privacy impact assessment of the digitisation of hardcopy client files.

The OAIC also recommended in the assessment completed in 2019-20 that Housing ACT must, as a priority, take steps to develop and implement a data breach response plan. Housing ACT accepted all of the recommendations.

As part of the current follow up assessment, OAIC staff reviewed relevant policies and procedures and interviewed staff in March 2021.  An assessment report was being drafted by the OAIC as at 30 June 2021.

7.3 (4) Information about any complaints that have not yet been finalised

Respondent: Independent Competition and Regulatory Commission

Details: The complaint was received on 7 April 2017. Under the TPPs the complainant alleges that the respondent interfered with their privacy by inappropriately collecting sensitive information, not providing appropriate notice, and failing to take reasonable steps to ensure the personal information it collected about them was accurate. The complainant also alleges the respondent may not have a privacy policy.

Respondent: Child and Youth Protection Services

Details: The complaint was received on 30 April 2021. Under the TPPs the complainant alleges that the respondent interfered with their privacy by improperly disclosing their personal information.

7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies as a result of complaints or other investigations

No formal reports or recommendations other than in relation to the above assessments were provided during the reporting period.

7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year

OAIC advice to ACT Transport Canberra and City Services Directorate

The OAIC reviewed a privacy impact assessment (PIA) prepared by the Transport Canberra and City Services Directorate (TCCS) about the potential implementation of a mobile device detection camera system in the ACT.

The OAIC provided written policy advice to TCCS in March 2021 around additional mitigation measures that TCCS could consider adopting in relation to privacy policy updates, security of personal information, due diligence in relation to third-party contractors, and cross-border disclosure of personal information. The policy advice also provided general guidance about the PIA process.

OAIC advice to ACT Integrity Commission

The OAIC is reviewing a draft of the Integrity Commission (Information) Guidelines 2021 prepared by the ACT Integrity Commission, as required under s 299 of the Integrity Commission Act 2018 (ACT). The Commission is required to make guidelines about the handling of information under the Integrity Commission Act, and under subsection 299(2) of the Integrity Commission Act must consult with the Information Commissioner before making the guidelines.

Acronyms and abbreviations