
1 September 2022

Introduction

This report is made pursuant to the reporting requirements set out under section 7.3 of the Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC) for the provision of privacy services related to the Information Privacy Act 2014 (ACT) (Information Privacy Act).

The Information Privacy Act contains the Territory Privacy Principles (TPPs) which ACT public sector agencies must comply with when collecting and handling personal information (other than personal health information).

This report is for the period 1 July 2021 to 30 June 2022.

The numbered headings below correspond to the reporting requirements set out in the MOU.

7.3 (1) Number of complaints, assessments, written and telephone enquiries

| Number of | Total |
| --- | --- |
| (a) Complaints open as at 1 July 2021 | 2 |
| (b) Complaints received in 2021–22 | 9 |
| (c) Complaints closed in 2021–22 | 5 |
| (d) Complaints open as at 30 June 2022 | 6 |
| (e) Complaints that resulted in a report to the Minister under section 43 of the Information Privacy Act | n/a |
| (f) Complaints about which the Commissioner has given a notice under section 45 of the Information Privacy Act | n/a |
| (g) Assessments finalised | 1 |
| (h) Written and telephone enquiries about ACT public sector agencies | 12 |

7.3 (1)(h) Summary of issues raised in written and telephone enquiries

Telephone calls

The OAIC received 10 telephone enquiries during the reporting period:

  • 8 of the 10 telephone enquiries related to the TPPs:
    • 4 individuals called with concerns about disclosures of their personal information by ACT Government agencies. The OAIC provided advice about TPPs 6 and 11, and the OAIC’s complaints process.
    • 2 individuals called regarding the collection of their personal information by ACT Government agencies. The OAIC provided advice about TPPs 3 and 5, and the OAIC’s complaints process.
    • 1 individual called with concerns that an ACT Government agency was misusing their personal information. The OAIC provided advice on APP 6 and the OAIC’s complaints process.
    • 1 private sector organisation called for clarification, noting that they were advised by an ACT Government agency that they were required to comply with the TPPs. The OAIC provided advice on the coverage of the TPPs in the Information Privacy Act and the Australian Privacy Principles (APPs) in the Privacy Act.
  • The remaining 2 phone enquiries were either misdirected, or otherwise unrelated to the TPPs.

Written enquiries

The OAIC received 2 written enquiries during this reporting period:

  • One individual asked about the ACT COVID-19 public health orders regarding the use of QR Codes and check-in apps, as well as vaccination certificates. The OAIC provided advice on TPP 3.
  • The other written enquiry was misdirected, and unrelated to the TPPs.

7.3 (2) For each complaint received in 2021–22, a summary of issues raised and outcomes

Respondent: Access Canberra

Details: The complaint was received on 26 July 2021 and closed on 23 September 2021. The complainant alleged that the respondent had refused to correct their name on their ACT driver’s licence.

This matter was closed under s 39(g)(i) of the Information Privacy Act on the basis that it had been adequately dealt with as the matter was resolved between the parties.

Respondent: Gungahlin Walk-In Clinic

Details: The complaint was received on 4 August 2021 and closed on 9 November 2021. The complainant alleged that the respondent had misused and improperly disclosed their health information.

The OAIC found that the information being complained about in this instance did not fall within the scope of the Information Privacy Act, because the definition of personal information in s 8 does not include personal health information about the individual. This case was closed under s 39(a) of the Information Privacy Act.

Respondent: Forrest Primary School

Details: The complaint was received on 26 November 2021 and closed on 21 April 2022. The complainant alleged that the respondent had improperly disclosed their personal information.

This complaint was closed under s 39(g)(i) of the Information Privacy Act on the basis that the matter had been adequately dealt with by the respondent.

Respondent: CMTEDD - Chief Minister, Treasury and Economic Development Directorate

Details: The complaint was received on 6 March 2022. The complainant alleged that their personal information had been compromised in a data breach by the respondent.

This complaint is currently with our Investigations Team.

Respondent: EPSDD - Environment, Planning and Sustainable Development Directorate

Details: The complaint was received on 28 April 2022. The complainant alleged that the respondent has misused their personal information in the context of forwarding telephone calls.

This complaint is currently with our Early Resolution Team.

Respondent: EPSDD - Environment, Planning and Sustainable Development Directorate

Details: The complaint was received on 4 May 2022 and closed on 18 July 2022. The complainant alleged that the respondent had improperly used their personal information.

The OAIC found that the respondent’s use of the complainant’s personal information was permitted under TPP 6 in this instance. This case was closed under s 39(a) of the Information Privacy Act.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 3 June 2022. The complainant alleged that the respondent had improperly disclosed their personal information to third parties.

This complaint is currently with our Investigations Team.

* This case is related to the complaint described below.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 3 June 2022. The complainant alleged that the respondent had improperly disclosed their personal information to third parties.

This complaint is currently with our Investigations Team.

* This case is related to the complaint described above.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 9 June 2022. The complainant alleged that the respondent failed to protect their personal information.

This case is currently with our Early Resolution Team.

7.3 (3) For each finalised assessment, a summary of the outcomes

Assessments finalised as at 30 June 2022

The OAIC finalised 1 assessment in the 2021–22 reporting period.

Housing ACT

This assessment followed up a 2018 assessment which examined whether Housing and Community Services ACT (Housing ACT) was:

  • using and disclosing personal information in accordance with its TPP 6 obligations
  • taking reasonable steps to secure its personal information holdings as required by TPP 11.

In the 2018 assessment, the OAIC made 10 recommendations to address privacy risks including in relation to documenting privacy policies and procedures, data breach response, managing privacy risk and IT and physical security.

The scope of the 2020–21 assessment focused on Housing ACT’s implementation of the recommendations from the 2018 assessment. While Housing ACT had made progress implementing some of the recommendations from the 2018 assessment, the OAIC found 7 of the recommendations were either not implemented or only partially implemented.

In the follow-up assessment, the OAIC identified several medium-level privacy risks and made 9 recommendations. In addition to fully implementing the outstanding recommendations, the OAIC made additional recommendations for Housing ACT to:

  • regularly review and update privacy policies and procedures
  • regularly review refresher privacy training
  • regularly review and test its data breach response plan.

Housing ACT accepted 8 of the OAIC’s recommendations in full and one recommendation in principle. The assessment report was published on the OAIC’s website on 1 June 2022.

Future assessments as at 30 June 2021

Under the 2021–24 MOU, the OAIC will conduct 2 assessments over the 3-year term. During 2021–22 the OAIC held preliminary discussions with the ACT’s Justice and Community Services Directorate about the scope of the first of these assessments.

7.3 (4) Information about any complaints that have not yet been finalised

Respondent: CMTEDD - Chief Minister, Treasury and Economic Development Directorate

Details: The complaint was received on 6 March 2022. The complainant alleged that their personal information had been compromised in a data breach by the respondent.

This complaint is currently with our Investigations Team.

Respondent: EPSDD - Environment, Planning and Sustainable Development Directorate

Details: The complaint was received on 28 April 2022. The complainant alleged that the respondent has misused their personal information in the context of forwarding telephone calls.

This complaint is currently with our Early Resolution Team.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 3 June 2022. The complainant alleged that the respondent had improperly disclosed their personal information to third parties.

This complaint is currently with our Investigations Team.

* This case is related to the complaint described below.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 3 June 2022. The complainant alleged that the respondent had improperly disclosed their personal information to third parties.

This complaint is currently with our Investigations Team.

* This case is related to the complaint described above.

Respondent: Transport Canberra and City Services Directorate

Details: The complaint was received on 9 June 2022. The complainant alleged that the respondent failed to protect their personal information.

This case is currently with our Early Resolution Team.

7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies as a result of complaints or other investigations

No formal reports or recommendations other than in relation to the above assessments were provided during the reporting period.

7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year

OAIC advice to ACT Integrity Commission

The OAIC reviewed a draft of the Integrity Commission (Information) Guidelines 2021 (the draft Guidelines) prepared by the ACT Integrity Commission. Under s 299 of the Integrity Commission Act 2018 (ACT), the ACT Integrity Commission (the Commission) is required to consult with the Information Commissioner before making guidelines about the handling of information under the Act. In August 2021, the Information Commissioner wrote to the ACT Integrity Commissioner with advice on additional matters that could be addressed in the draft Guidelines to assist staff to adopt good information handling and security practices, including by outlining how staff are expected to handle personal information throughout the information lifecycle.

Acronyms and abbreviations

  • ACT: Australian Capital Territory
  • APPs: Australian Privacy Principles
  • Cth: Commonwealth
  • Housing ACT: Housing and Community Services ACT
  • Information Privacy Act: Information Privacy Act 2014 (ACT)
  • MOU: Memorandum of Understanding
  • OAIC: Office of the Australian Information Commissioner
  • Privacy Act: Privacy Act 1988 (Cth)
  • TPPs: Territory Privacy Principles[1]

Footnote

[1] Schedule 1 of the Information Privacy Act.