Australian Government - Office of the Australian Information Commissioner
2005-06 Annual Report of the Office of the Privacy Commissioner

User's Guide

Commissioner's Overview 2005-06

Chapter 1 Respecting Privacy

Chapter 2 Promoting Privacy

Chapter 3 Protecting Privacy

Chapter 4 Management and Accountability

Appendix 1 The Privacy Act and the Office of the Privacy Commissioner

Appendix 2 Freedom of Information Act Compliance

Appendix 3 Speeches and Presentations

Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2006

Appendix 5 Demographic Information about Complainants

Appendix 6 National Privacy Principles

    Note: see http://www.privacy.gov.au/materials/types/infosheets/view/6583

    Appendix 7 Information Privacy Principles

    Financial Statements (PDF only)

    Glossary

    Copyright © Office of the Privacy Commissioner 2006 ISSN 1035-3372

    This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

    Requests and enquiries concerning reproduction, right and content should be addressed to:

    Copyright Officer Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001

    Email: privacy@privacy.gov.au

    User's Guide

    Immediately following this guide, you will find the Commissioner's Overview for 2005-06 which includes a summary of significant issues, developments and achievements during the year, including key statistics as well as an outline for the year ahead for the Office.

    The main chapters follow the Overview and the Annual Report is completed by the various Appendices, Glossary and Index.

    Chapter 1 Respecting Privacy describes the Office's work for 2005-06 in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

    Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating key client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy contacts across Australian and ACT Government departments and agencies, handling media enquiries and assisting with speeches and presentations by the Commissioner and members of staff.

    Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of Australian and ACT Government agencies, investigating complaints and conciliating disputes.

    Chapter 4 Management and Accountability contains an overview of the Office's administrative arrangements, management of human resources and corporate governance.

    The appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.

    The Office of the Privacy Commissioner audited Financial Statements for 2005-06 are located immediately following the Appendices. The Glossary and Alphabetical Index can also be found at the end of the Financial Statements.

    ACT Government

    Information that relates directly to ACT Government matters can be found in sections 1.3, 3.8.1.1, 3.8.2.1 and 4.1.3.

    How to find out more

    For enquiries about this report or for copies of other Office of the Privacy Commissioner publications, please contact:

    Director Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001

    Telephone: + 61 2 9284 9800 Fax: + 61 2 9284 9666 Email: privacy@privacy.gov.au Website: www.privacy.gov.au Hotline: 1300 363 992 local call TTY: 1800 620 241 no voice calls

    This report is also available on the Office of the Privacy Commissioner's website at www.privacy.gov.au/publications/index.html#A.

    Non-English Speakers

    If you speak a language other than English and need help please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.

    Commissioner's Overview 2005-06

    Six years into the 21st century and technology moves on at an incredible rate. A plethora of new terms has evolved to make sense of this new era: the Information Age; the Knowledge Economy; Informationalism; the Digital Revolution; the Intangible Economy … the list goes on. Researchers at the University of California at Berkeley recently estimated that now in the 21st century we can expect five billion gigabytes of new information to be produced yearly. If one gigabyte is a truckload of books, five billion gigabytes is beyond comprehension. Startlingly, only 0.01 per cent of those five billion gigabytes will be paper based; the vast majority of new information instead being produced in magnetic media such as hard disks.1

    A considerable amount of this information will undoubtedly identify individuals. In the Information Age, personal information can be used in ways previously inconceivable in a world of paper documents and this raises a number of questions about privacy. Have our expectations about privacy changed in this new technological climate? Are current laws adequately protecting privacy? How can we ensure the protection of personal information while continuing to enjoy the advantages of electronic record systems, the internet and all manner of new technologies?

    In 2005-06 we saw a number of positive steps towards addressing these important questions. In January, the Australian Law Reform Commission (ALRC) was given a reference by the Attorney-General to undertake a review of Australian privacy legislation in light of rapid technological advances. I was very pleased to see the Government take this step following recommendations I made in my 2005 review of the private sector provisions of the Privacy Act which called for a wider review of privacy laws to ensure the legislation best serves the needs of Australia in the 21st century. The final ALRC report is due to the Attorney-General in March 2008.

    Over the year the Office also made a number of submissions relating to technological issues and initiatives. In 2005 my Office submitted to the Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper while in 2006 submissions were made to the Review of the Spam Act 2003 undertaken by Department of Communications, Information Technology and the Arts and the Australian Government e-Authentication Framework for Individuals Discussion Paper released by the Australian Government Information Management Office.

    2005-06 also saw the introduction of a number of anti-terrorism measures by the Government which brought to the fore the importance of balancing security with individuals' right to privacy. I believe that laws regulating individual privacy and national security are not mutually exclusive and can be synchronised to deliver safety to Australians in an environment where privacy is respected.

    During the year my Office provided advice on the impact of counter-terror measures on privacy, including submissions to the Review of Security Legislation relating to Terrorism undertaken by the Security Legislation Review Committee in January 2006; the Inquiry into the Exposure Draft of the Anti-money Laundering Bill and Counter-terrorism Financing Bill 2005; and the Inquiry into the Provisions of the Telecommunications (Interception) Amendment Bill 2006, the latter two both undertaken by the Senate Legal and Constitutional Committee in March 2006.

    A final area of major change in the Australian privacy landscape for 2005-06 came in April, with the Government's announcement of its intention to introduce a health and social services access card. Already, my Office has provided advice to the Government's Draft Smartcard Framework, and we will continue to inform the Government's development and implementation of the access card with a view to ensuring the continued protection and security of Australians' personal information. New technologies, such as smartcards, create challenges to the maintenance of privacy. However, with careful planning and early intervention, privacy safeguards can be built into system design.

    The year ahead

    In May 2006, I welcomed the Government's budget announcement that my Office would be allocated approximately $8.1m in additional funding over the next four years. This increase in resources will make 2006-07 and subsequent years an exciting and productive period for the Office.

    The additional funding will be directed toward three major areas of Office activity. Firstly, it will allow us to effectively implement recommendations made in our review of Office complaint handling processes to ensure that privacy complaints are handled efficiently. Our aim is to reduce the current complaint backlog while enhancing service standards and conciliation techniques.

    Secondly, the funding will allow us to respond to calls from business and industry for greater assistance in meeting their obligations under the Privacy Act. Following on from recommendations made in my 2005 review of the private sector provisions of the Privacy Act, my Office will work closely with business and consumer representatives to develop guidance and educational material to assist organisations and individuals to better understand their rights and responsibilities under the Privacy Act.

    Thirdly, the additional funding will enable my Office to respond to government requests for high level privacy advice in the development of new policy initiatives. Encompassed within the Office's additional funding was $1.3m for Identity Security which includes advising the Government on privacy issues and conducting audits during the implementation of the Document Verification Service. The Office was also allocated $250 000 to assist the Australian Federal Police introduce guidelines in relation to the increased collection of information from closed circuit television (CCTV) systems as set out in the Anti-terrorism Act (No. 2) 2005. Certainly these will be major projects in 2006-07.

    Over the coming year, I am also committed to working with the Government during the design phase of the Health and Social Services Access Card to ensure that privacy impacts are addressed and individual privacy continues to be respected.

    Finally, at an international level, my Office will be contributing to processes to implement the Asia Pacific Economic Cooperation (APEC) Privacy Framework which was endorsed by APEC Ministers in November 2004. This will involve my Office working with other privacy regulators in the region on matters such as the development of strategies to enable the handling of complaints across jurisdictions. Implementation of the APEC Privacy Framework will coincide with Australia hosting APEC in 2007.

    The year in review - a summary

    A brief summary of the Office's performance in 2005-06 is outlined below. A more detailed review of performance is contained in chapters 1 - 4.

    Telephone Enquiries:

    The Office received 19 150 telephone enquiries in 2005-06 compared with 21 108 in 2004-05. This represents a 9% decrease in enquiries received by the Hotline. See section 3.2.1 for further information.

    Written Enquiries:

    The Office received 2316 enquiries by email, post or facsimile in 2005-06 compared with 2094 written enquiries reported in 2004-05. This represents an 11% increase in the number of written enquiries received by the Office from the previous year. See section 3.2.2 for further information.

    Complaints:

    The Office received 1183 complaints in 2005-06 compared with 1275 in 2004-05. This represents a 7% decrease in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1131 complaints in 2005-06 representing a 2% decrease from the previous year.

    Case Notes:

    The Office published 18 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may have a significant impact on a large number of people. Case notes serve to demonstrate to members of the public how the Commissioner handles complaints. Case notes also serve as a possible indication of the Commissioner's view in relation to aspects of privacy law. See section 3.5 for further information.

    Policy Advices:

    The Office produced 155 advices on significant policy issues; this represents an 11% increase in the number of policy advices the Office prepared in comparison to 2004-05.

    Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, submissions to public consultation processes and Senate inquiries, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.

    Determinations:

    Following the receipt of an application for a further Temporary Public Interest Determination regarding the collection of health information about individuals from Medicare Australia's Prescription Shopping Project Information Service, the Commissioner made two Temporary Public Interest Determinations (TPIDs) in February 2006: Temporary Public Interest Determination No. 2006-1 and Determination No. 2006-1A under section 80B(3) giving general effect to the Temporary Public Interest Determination No 2006-1. The Determinations and the Explanatory Statement are available at www.privacy.gov.au/law/act/pid/#3.

    The Commissioner also issued three Credit Determinations in 2005-06 including Credit Provider Determination 2006-1 concerning assignees of debt and Credit Provider Determination 2006-2 concerning the classes of credit providers. See section 1.4.3 for further information. The consultation papers covering the three determinations can be found at www.privacy.gov.au/law/act/credit/#cpd.

    Media:

    148 media enquiries were received in 2005-06. This is a decrease in comparison to the number of enquiries for 2004-05 in which the Office received 234 media enquiries.

    Speeches:

    39 speeches and presentations were delivered in 2005-06. The presentations addressed ongoing and emerging privacy issues. Further information on speeches and presentations can be found at section 2.4 and a list of all speeches and presentations delivered by the Office can be found at Appendix 3.

    Complaint Handling Review:

    The Office undertook an internal review of its complaint handling procedures in 2005-06. Key to the review were assessing current complaint handling procedures and developing methods of resolving complaints with quicker turnaround times and greater satisfaction by the parties concerned. The review produced a series of recommendations which are in the process of being implemented. See section 3.1 for further information.

    Submissions:

    In 2005-06, the Commissioner provided 19 submissions to government departments and parliamentary inquiries on policy proposals or Bills before parliament, providing analysis on the privacy implications of the proposal or Bill and offering advice on methods to ensure privacy is appropriately considered and protected.

    The following submissions were made by the Office.

    • Inquiry into the provisions of the Do Not Call Register Bill 2006 and the Do Not Call Register (Consequential Amendments) Bill 2006; Senate Environment, Communications, Information Technology and the Arts Legislation Committee (June 2006).
    • Review of the Proceeds of Crime Act 2002; Mr Tom Sherman AO, Independent Reviewer appointed by the Minister for Justice and Customs (May 2006).
    • Improving Identity Check Processes for Pre-paid Mobile Services; Australian Communications and Media Authority (April 2006).
    • Consultation on the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005; Attorney-General's Department (April 2006).
    • Australian Government e-Authentication Framework for Individuals Discussion Paper; Australian Government Information Management Office (AGIMO) (March 2006).
    • Australian Government Draft Smartcard Framework; Australian Government Information Management Office (AGIMO) (March 2006).
    • Review of the National Statement on Ethical Conduct in Human Research; National Health and Medical Research Council (March 2006).
    • Review of Extradition Arrangements; Attorney-General's Department (March 2006).
    • Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006; Senate Legal and Constitutional Legislation Committee (March 2006).
    • Inquiry into the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005; Senate Legal and Constitutional Legislation Committee (March 2006).
    • Review of the Spam Act 2003; Department of Communications, Information Technology and the Arts (February 2006).
    • Review of Security Legislation relating to Terrorism; Security Legislation Review Committee (January 2006).
    • Inquiry into the Australian Citizenship Bill 2005; Senate Legal and Constitutional Legislation Committee (January 2006).
    • Introduction of a Do Not Call Register, Possible Australian Model: Discussion Paper (December 2005).
    • Australian Competition and Consumer Commission consultation regarding the authorisation of the Australian Direct Marketing Association's Direct Marketing Code of Practice (December 2005).
    • Regulatory Taskforce on Reducing the Regulatory Burden on Business (December 2005).
    • Inquiry into the provisions of the Anti-Terrorism Bill (No. 2) 2005 (November 2005).
    • Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper (November 2005).
    • Telecommunications (Use of Integrated Public Number Database) Draft Industry Standard 2005 (August 2005).

    Karen Curtis Privacy Commissioner

    1 Peter Lyman & Hal R. Varian, How Much Information? 2003, retrieved from www.sims.berkeley.edu/how-much-info-2003 on 8 August 2006.

    Letter of Transmission

    The Hon Philip Ruddock MP Attorney-General Parliament House CANBERRA ACT 2600

    Dear Attorney-General

    I am pleased to submit to you, for presentation to the Parliament, the annual report for the Office of the Privacy Commissioner on the operation of the Privacy Act 1988 for the year ended 30 June 2006.

    This report has been prepared in accordance with section 97 of the Privacy Act 1988.

    Yours sincerely

    Ms Karen Curtis Privacy Commissioner 11 October 2006

    1.1 Review of Performance

    The Office has a significant role in providing advice to Australian Government agencies on new policy proposals and legislative changes to ensure that the privacy of individuals' personal information is properly taken into account during the development and implementation of the proposals.

    The Office also has a significant role in advising private sector organisations on how they can comply with their obligations under the Act. This is generally done through the issuing of guidelines and other information materials.

    In the reporting period the Office focussed on responding to a large number of government legislative and policy initiatives including several anti-terrorism and serious crime related initiatives, information and communications technology changes and the Department of Human Services Access Card proposal.

    In addition the Office made five credit and public interest determinations, registered a Privacy Code revocation and continued to participate in the Australian Government's National Identity Security Strategy.

    1.2 Privacy and the Australian Government

    1.2.1 Guide to Privacy Impact Assessments

    In 2004-05 the Office made available a draft Privacy Impact Assessment (PIA) Guide together with a Privacy Impact Checklist developed by the Information Law Branch of the Attorney-General's Department. The draft PIA Guide has assisted Australian and ACT Government agencies to undertake voluntary PIAs to identify and manage privacy impacts that may be associated with projects that involve the handling of personal information.

    In 2005-06 an increasing number of Australian and ACT Government agencies have been undertaking PIAs. The draft PIA Guide has helped these agencies to recognise privacy issues, build privacy safeguards into their projects at an early stage, and minimise the need for retrospective and reactive privacy measures.

    The Office has provided a number of advices to agencies in relation to the PIA process and the use of the Guide. During the reporting period the Office worked on a revised version of the Guide, taking into account the feedback the Office received about the draft and its practical application.

    The PIA Guide can be found on the Office's website at www.privacy.gov.au/News-for-PCOs/.

    1.2.2 Department of Human Services Health and Social Services Access Card

    The Office participated in the Australian Government's Interdepartmental Committee (IDC), chaired by the Department of Human Services (DHS), which was charged with examining smart technologies and services for government service delivery.

    Since the conclusion of the IDC, the Office has continued to engage with the DHS by providing advice during the development of a business case and associated Privacy Impact Assessment. As the government progresses the implementation of the access card, the Office will continue to provide advice on privacy issues associated with the project.

    The Office has raised with the Australian Government a multifaceted approach to incorporate fundamental privacy principles into the access card proposal. This approach includes:

    • paying close attention to the design of the system, including in regard to what choices are available to individuals, particularly concerning how their images are handled
    • incorporating technology choices that display privacy-enhancing characteristics
    • enacting appropriate legislation to offer the community assurances that privacy protections apply over all elements of the access card system and
    • having strong oversight measures such as a transparent and accountable process for considering any future uses of the access card system.

    1.2.3 Security Legislation Review

    On 12 October 2005, the Attorney-General established a Committee to review the Security Legislation Amendment (Terrorism) Act 2002 and other related legislation. Section 4(3) of that legislation requires that the Privacy Commissioner be a member of the review Committee. The Committee gave its report to the Attorney-General in April 2006. Over the period of the review the Commissioner's involvement was significant, including over 20 days of briefings and meetings.

    The Office made a submission to this review in January 2006. The Office explained that it had only received a small number of complaints or enquiries relevant to the legislation under review, although it was noted that, given the largely covert nature of the practices in question, many individuals would not be aware of the practices.

    The Office also noted that it conducted two audits, in 2003 and 2004, of the Australian Customs Service's use of certain powers enacted under legislation relevant to the review.

    1.2.4 Anti-terrorism Legislation

    In November 2005, the Office made a submission to the Senate Legal and Constitutional Committee's inquiry into the provisions of the Anti-terrorism Bill (No.2) 2005. The Office expressed the view that there should be an appropriate balance between the need for security and the right to privacy.

    The Office made specific recommendations on the need for greater certainty around review mechanisms for the Bill, as well as making a range of recommendations aimed at ensuring that any new powers concerning the handling of personal information should be accompanied by measures that afford privacy protections. These included:

    • shorter periods for the retention of fingerprints and photographs taken under new powers
    • controls around the use of personal information collected under new electronic tracking and search powers
    • a statutory code of practice concerning how personal information collected through optical surveillance may be handled and
    • the use of Privacy Impact Assessments to clarify specific privacy issues, and identify ways of addressing them.

    1.2.5 Identity and Border Security

    In the 2005-06 Budget the Australian Government announced that it would provide funding for the development of a National Identity Security Strategy. The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS) convened by the Attorney-General's Department to assist in developing this national strategy including the implementation of two trials:

    • a prototype of an online Document Verification Service (DVS) to check identification documents presented to the Department of Foreign Affairs and Trade (DFAT) and the Department of Immigration and Multicultural Affairs (DIMA) with the agencies responsible for issuing the identification documents
    • a pilot to examine the accuracy of personal information on several existing Australian Government databases to detect false identities and inaccurate records and develop tools for improving the integrity of identity data.

    The Office has attended a number of meetings of the CRGIS and its working groups. As well, the Office facilitated a meeting of the State and Territory Privacy Commissioners to discuss key aspects of the DVS.

    The Office commented on a draft Privacy Impact Assessment prepared by the Attorney-General's Department in relation to the DVS prototype and on a working draft of the 'Integrity of Identity Data Pilot'. The Office also provided comments to the Proof of Identity Working Group regarding a Gold Standard Enrolment Process draft Issues Paper.

    As part of its role on the Authentication Working Group, the Office made submissions on an Australian Government Smartcard Framework and an Australian Government eAuthentication Framework (for individuals dealing online with government agencies). For more information see section 1.2.9.

    During the reporting period the Office continued to provide advice to the Australian Customs Service (Customs), DFAT and DIMA to assist them in addressing privacy issues that may arise as a result of the introduction of biometric technology into border control processes.

    In particular, the Office liaised with DIMA in respect of proposed amendments to the Citizenship Act and Migration Act that specifically address the collection, use and disclosure of biometric information. The Office also provided advice to Customs on data security in relation to its automated border control system currently under development.

    1.2.6 Law Enforcement

    During the reporting period the Office provided a range of advices concerning law enforcement. This included advice to Australian Government agencies on the application of Information Privacy Principle (IPP) 11 to law enforcement, as well as the Office's interpretation of the 'law enforcement' exemptions contained in the National Privacy Principles (NPPs), particularly where personal information is required from private sector organisations.

    The Office made a submission to a review of foreign extradition arrangements being conducted by the Attorney-General's Department. This submission suggested that the explicit authorisation of an agency's information-handling activities provides a more appropriate arrangement than relying upon the criminal law enforcement exception. It also proposed a number of elements of a privacy framework that could apply to the handling of personal information for extradition.

    In May 2006, the Office made a submission to the independent review of the Proceeds of Crime Act 2002. The Office noted that Part 3-3 of that legislation empowers authorised law enforcement officers to compel financial institutions to disclose prescribed personal information. The Office suggested that the review give further consideration to the necessity of such powers being available without judicial oversight.

    1.2.7 Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill

    The Office made two submissions concerning the Exposure Draft of the Anti-money Laundering and Counter-terrorism Financing Bill. The first of these submissions, made in March 2006, was to the Senate Legal and Constitutional Committee's inquiry into the Exposure Draft of the Bill. A second submission was made in April 2006 as part of the consultation process being conducted by the Attorney-General's Department into the Exposure Draft of the Bill.

    The Office noted that collection of personal financial information is likely to increase significantly under the Bill and that the privacy protections afforded to how this information was handled may potentially be applied inconsistently across reporting entities and users of the information. The draft Bill was amended to bring all reporting entities under the Privacy Act for matters covered by the Bill.

    The Office noted that Australia's financial transactions reporting regime was introduced as a response to major crime, and that any broadening of the scope of its application will likely raise privacy issues. A number of recommendations were made aimed at ensuring that the handling of this personal information was subject to appropriate privacy regulation.

    The Office also participated in consultative meetings held by the Attorney-General's Department and AUSTRAC.

    1.2.8 Responding to Large Scale Emergencies

    In response to the experience of the Asian tsunami and the Bali bombings which had highlighted some misunderstanding and uncertainty about the scope and operation of the Privacy Act in an emergency or disaster situation, the Office, in its review of the private sector provisions of the Privacy Act, recommended legislative change to clarify the circumstances where disclosures could be allowed in an emergency.

    During 2005 the Office was involved in an Interdepartmental Committee on the issue and in November 2005, the Attorney-General announced that the Privacy Act would be amended to enhance information exchange between Australian Government agencies, state and territory governments, non-government organisations and the private sector in an emergency or disaster situation.

    1.2.9 Australian Government Information Management Office Frameworks

    The Australian Government Information Management Office (AGIMO), which chairs the Authentication Working Group (AWG) as part of the CRGIS (see section 1.2.5), is developing a number of frameworks for Government and the Office has had engagement with these in the reporting year. The Office is an observer on the AWG.

    The Australian Government Authentication Framework for Individuals (AGAF(I)) is a framework which seeks to set out standards of authentication for individuals dealing online with Government agencies. The Office made a submission to the discussion paper on AGAF(I) in March 2006. The submission supports the approach endorsed by the AGAF(I) to match the level of authentication required with the risk level of a particular transaction.

    The Office met with an external consultant, hired by AGIMO to conduct a Privacy Impact Assessment on the Information Management for Government Employees (IMAGE) Framework, and provided general advice on aspects of the IMAGE proposal. In March 2006, the Office also made a submission to AGIMO in relation to its draft Smartcard Framework.

    The Office's submission on the Smartcard Framework included recommendations that agencies consider the three key areas where potential privacy issues may arise:

    • the electronic personal information stored in the card
    • the personal information displayed on the face of the card and
    • the personal information handled in the infrastructure and supporting systems behind the card.

    The submission also suggested that the Framework endorse the principle of maximising the choice individuals have about whether to use a smartcard, and the extent to which they use it. The submission also suggested that smartcards should only be designed to be identity credentials where there is a clear business case and where the privacy issues related to issuing a verified identity credential have been carefully assessed.

    1.2.10 Closed Circuit Television

    The Office provided advice to the Attorney-General's Department on a draft code of practice on the use of CCTV systems in the mass passenger transport sector for counter-terrorism purposes.[1] The Code is an initiative of the Council of Australian Governments (COAG) following a special meeting during September 2005, to consider Australia's national counterterrorism arrangements.

    The Office noted that the use of CCTV technology raises significant privacy and civil liberties concerns which must be balanced with the Code's utility as a risk-based counter-terrorism and law enforcement tool. The Office provided advice on strategies to achieve this balance.

    1.3 Privacy and the Australian Capital Territory Government

    In 2005-06 the Office continued to provide advice to ACT Government agencies, for example, in relation to the privacy implications of increasing internal agency data sharing within the Department of Disability, Housing and Community Services and disclosures of personal information to the Australian Mesothelioma Register.

    1.4 Privacy and Business

    1.4.1 Review of the Private Sector Provisions of the Privacy Act

    The Office's report on the operations of the private sector provisions of the Privacy Act, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, which was completed in March 2005, has continued to shape the Office's responses to new proposals and the way it goes about its work.

    Although the Australian Government has not yet responded to the full report, several government initiatives have implemented key recommendations of the report.

    The main Government initiative in this regard is the privacy reference to the Australian Law Reform Commission in January 2006: a response to our main recommendation that there be a comprehensive review of privacy legislation.

    In addition, the Do Not Call Register Act 2006 passed in June is a positive step towards implementing our recommendation for the establishment of a Do Not Contact Register.

    With the increased resources provided through the budget process from July 2006 onwards the Office will be working to implement those recommendations of the review that relate to the Office's functions.

    1.4.2 Privacy Codes

    Part IIIAA of the Privacy Act provides that organisations can apply to the Privacy Commissioner for approval of a Privacy Code that will replace the National Privacy Principles for organisations bound by that Code.

    General Insurance Information Privacy Code [2]

    Following a review of the General Insurance Information Privacy Code by the Insurance Council of Australia (ICA), the ICA applied to the Privacy Commissioner to revoke the code. The code was revoked with effect from 30 April 2006. The revocation of the code did not reflect any problems with privacy compliance in the general insurance industry, nor with insurers that were bound by the code.

    The ICA has assured the Office that its commitment to the protection of the personal information of private individuals, which prompted the industry's establishment of the code, will continue among all ICA member companies which had been subject to the code.

    Queensland Club Industry Privacy Code

    In November 2005, Clubs Queensland provided a report on its three-yearly review of the Queensland Club Industry Privacy Code.

    The report found that the code is operating well. The comments received were generally 'suggestions for improvement' and Clubs Queensland is considering whether to vary the code in light of the review.

    1.4.3 Credit Reporting Determinations

    During the reporting period the three credit provider determinations made under the Privacy Act were renewed for short periods. In reviewing the determinations the Commissioner decided to renew them for a short period to allow the Office time to consult with the community about how the determinations have operated and the terms in which any further determinations should be cast.

    Two consultation papers covering the three determinations were released for public comment as part of the review. The consultation papers can be found at www.privacy.gov.au/law/act/credit/#cpd.

    The Office received 13 submissions which were under analysis at 30 June 2006.

    1.4.4 Tax File Number Guidelines

    During the reporting period there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers.

    1.4.5 Do Not Call Register

    The Australian Government introduced the Do Not Call Register Bill 2006 and the Do Not Call Register (Consequential Amendments) Bill 2006 during May 2006. Both pieces of legislation were passed by the Australian Parliament in late June 2006. The Register, which is to be managed by the Australian Communications and Media Authority, is scheduled to commence operating in 2007.

    The Do Not Call Register Act 2006 establishes a scheme to enable individuals who have an Australian telephone number to opt-out of receiving certain unsolicited telemarketing calls.

    The Office strongly supports the introduction of the Register, and welcomes the Australian Government taking this step in implementing Recommendation 25 of Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

    The provisions of this Act set in place the foundations of a national scheme to protect Australians from intrusive telephone calls.

    The Office contributed to the development and consideration of the Bill through its December 2005 submission to the Department of Communications, Information Technology and the Arts (DCITA), and through its June 2006 submission to the Senate Environment, Communications, Information Technology and the Arts Legislation Committee Inquiry into the Bill.

    1.4.6 Residential Tenancy Databases

    During 2005-06, the Office continued its representation on the joint working party established by the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) to consider the operations of residential tenancy databases and how the various existing regulatory frameworks affect their operations. The Office continued to provide input to this working party, which is chaired by the Australian Government Attorney-General's Department.

    In the report on the review of the private sector provisions of the Privacy Act, the Office made a number of recommendations (Recommendations 14-16) suggesting options for regulating residential tenancy databases, including that the Australian Government should consider making the Privacy Act apply to all residential tenancy databases.

    1.5 Privacy and the Health Sector

    1.5.1 Electronic Health Records

    The Office understands that the national electronic health records (EHR) initiative, HealthConnect, has evolved from being an IT project to a "change management strategy" whereby the Department of Health and Ageing is responsible for managing national coordination.

    The Office maintains that because an individual's willingness to engage in the health sector is affected by their perception of how their personal health information will be used and how much control they have over it, privacy is fundamental to building an effective EHR system.

    Given the sensitivity Australian consumers place on their health information, the Office remains committed to the goal of ensuring appropriate privacy protections for individuals when they participate in e-health initiatives.

    During 2005-06, the NSW Department of Health has begun a pilot of its Healthelink system in the Hunter region. The Office has engaged with NSW Health on this initiative, particularly in regard to any involvement that private sector health service providers may have in the system. Such health service providers will be required to comply with their obligations under the National Privacy Principles when handling personal health information.

    1.5.2 Health Privacy Forum

    The Health Leaders' Forum was renamed the Health Privacy Forum. The Forum remains an informal group, comprising key representatives from the health sector from both the public and private sector. It provides informal advice and information to the Commissioner on health-related privacy issues affecting both the public and private sectors.

    The Health Privacy Forum met three times during 2005-06. Amongst other issues, two key topics for the Forum were the Australian Government proposal for a health and social services access card and progress in electronic health records.

    1.5.3 Prescription Shopping Temporary Public Interest Determination

    In February 2005, an application for a Public Interest Determination was made to the Commissioner regarding the collection of health information about individuals from the Health Insurance Commission's (now Medicare Australia) Prescription Shopping Project Information Service.

    On 10 February 2005, the Privacy Commissioner made Temporary Public Interest Determination No. 2005-1 under section 80A of the Privacy Act 1988. The Commissioner also made a Determination giving general effect to this Temporary Public Interest Determination (TPID). These determinations were due to expire on 9 February 2006.

    On 16 January 2006, the applicant confirmed that the circumstances for lodging the initial application remained the same as when the initial instruments were made. The Commissioner considered this matter and decided to issue a further temporary determination with effect to 22 December 2006.

    The Privacy Commissioner would not ordinarily issue a second temporary public interest determination in relation to the same matter. However, the Commissioner decided to do this on the basis that the Attorney-General's Department and the Department of Health and Ageing undertook to pursue legislative amendments to permanently authorise the acts and practices which are temporarily authorised by these two instruments. The Bill to effect these amendments was introduced to the Australian Parliament in June 2006 and will be debated in the Spring 2006 session.

    The Determinations and the Explanatory Statement are available at www.privacy.gov.au/law/act/pid/#3.

    1.6 Privacy and the Information and Communication Technology Sector

    1.6.1 Telecommunications and E-Marketing Industry Codes

    The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.

    The Office was consulted on 12 Australian Communications Industry Forum (ACIF) codes during the reporting period.

    1.6.2 Telecommunications (Interception) Act

    In March 2006, the Office made a submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006. This Bill clarifies protections for stored communications such as emails, SMS messages and voicemail messages, provides for the interception of 'B-party' communications, adds provisions relating to equipment-based interceptions and repeals s. 6(2) of the Telecommunications (Interception) Act 1979.

    The Office made recommendations intended to consolidate the privacy protections in the Telecommunications (Interception) Act, and noted areas of the Bill that may have had unintended consequences in relation to privacy. The Office supported the repeal of s. 6(2) of the Telecommunications (Interception) Act. This section has given rise to confusion in the past about the circumstances under which phone calls may be covertly monitored.

    1.6.3 Spam Act

    In February 2006, the Office made a submission to the Department of Communications, Information Technology and the Arts (DCITA) review of the operation of the Spam Act 2003 and related parts of the Telecommunications Act 1997.

    The Office recommended that changes to the Spam Act should be aimed at enhancing national consistency in privacy-related legislation.

    Footnotes

    [1] The Code is called A national approach to closed-circuit television: National Code of Practice for CCTV Systems for the Mass Passenger Transport Sector for Counter-Terrorism (2006).

    [2] See section 3.7 for the s. 97(2A) statement about the operation of the General Insurance Information Privacy Code up to 30 April 2006 when it was revoked.

    2.1 Review of Performance

    In 2005-06 the Office's communication strategy focussed on its website as its main communication tool, offering new services and refining its content and functions to provide a source of valuable information for individuals with an interest in privacy.

    This included RSS (Really Simple Syndication) enabling sections of the Office's website, improving the website's search functionality and continuing to upload speeches and media announcements and releases as the Office makes comment. The Office also developed a privacy events calendar allowing organisations hosting privacy related events to have their event listed on the calendar.

    2.2 Privacy Website

    The Office's website continues to be a major focus for the Office's communication activities. In 2005-06 the Office made some enhancements to the website including RSS enabling its 'Latest Uploads' section of the home page and adding a privacy events calendar to inform users of privacy related events taking place globally which is also RSS enabled.

    RSS is an alternative way of viewing webpage content. By RSS enabling the 'Latest Uploads' section of the website, users who download RSS newsreader software are able to easily subscribe to the Office's website, allowing them to automatically receive updated information from the website whenever new material is added.

    The privacy events calendar provides details and links on a no endorsement basis to privacy related events taking place in Australia and overseas. This service is also RSS enabled.

    The Office continues to prepare and publish on the Office's website case notes of finalised complaints that are considered to be of interest to the general public (see section 3.5 for further information). Monthly statistical updates on complaints and enquiries are also loaded to the website at www.privacy.gov.au/complaints/statistics/.

    The Office's website www.privacy.gov.au increased its traffic from the previous reporting year. Visits to the website increased by 338 959 sessions during 2005-06 compared to the previous year, an increase of 32%. Page views (number of pages people looked at during the session) increased by 1 375 263 (see Table 2.1), an increase of 30%.

    The figures in Table 2.1 show the number of sessions and the number of page views for the privacy website each year for the last three financial years, while Chart 2.1 graphically represents the substantial increase in website traffic since 2001.

    Table 2.1 Page and Session Views for the Privacy Website

                      2003-04      2004-05      2005-06      Increase 2004-05 to 2005-06
    Session views     827 391      1 072 361    1 411 320    + 338 959
    Page views        3 892 737    4 561 982    5 937 245    + 1 375 263

    Chart 2.1 Yearly Comparative Results for the Website

    The top six most popular documents on the website for 2005-06 were:

    1. The Privacy Act 1988 - 290 328
    2. The National Privacy Principles (extracted from the Act) - 86 571
    3. Guidelines on Workplace Email, Web Browsing and Privacy - 67 775
    4. Guidelines for Federal and ACT Government Websites - 40 807
    5. Guidelines to the National Privacy Principles - 27 682
    6. Commonwealth Personal Information Digest 1999 - 20 710.

    2.3 Media

    148 media enquiries were made to the Office during 2005-06. This is down from the 234 enquiries received in 2004-05.

    Some of the key issues to come out of media enquiries included:

    1. Health privacy issues
    2. Workplace surveillance and employee privacy
    3. Direct marketing
    4. General privacy issues
    5. Office functions and activities
    6. Health and Social Services Access Card
    7. Overseas call centre issue
    8. Reverse find directories
    9. Venues scanning identity documents
    10. National identity card.

    Health privacy media enquiries covered a wide range of issues including e-health, access to medical records and the security of medical records. Workplace surveillance and direct marketing were also high on the list, with the direct marketing media enquiries being predominantly around the issue of the Government proposed 'Do Not Call' Register.

    The Office prepared 14 media announcements and releases during 2005-06 and issued these by mediawire or through the Office's media email network 'primedia' (see section 2.5 for further information).

    2.4 Speeches and Presentations

    The Office delivered 39 speeches during 2005-06.

    The number of speeches delivered during the current financial year has remained at a similar level to those given in recent reporting periods.

    To ensure that the Office resources remain directed to priority areas, the Office only undertakes speaking engagements which correspond with key Office objectives. Speeches and presentations were given on a range of subjects including compliance, security and health. A complete list of presentations made by the Commissioner and staff of the Office can be found at Appendix 3. PowerPoint presentations for a number of these speeches are available on the Office's website at www.privacy.gov.au/materials/types/speeches?sortby=60.

    2.5 Networking for Privacy Solutions

    The Office's Privacy Connections Network receives messages from the Office concerning privacy issues, developments, events, and other privacy related material in an effort to keep its members informed of privacy related developments. The network commenced in 2001 and as at 30 June 2006 had 688 members. The network comprises people from the Australian community who are interested in privacy issues.

    Information about the Privacy Connections Network is available at www.privacy.gov.au/about/connections/index.html.

    The Office also has an email list specifically targeting media personnel and media agencies. These members receive the Office's media releases and announcements.

    As at 30 June 2006 the media release and announcement email list had 1135 members. Information about the media release and announcement email list is available at www.privacy.gov.au/news/subscribe/.

    2.5.1 Privacy Contact Officer Network

    The Office facilitates a network of Privacy Contact Officers (PCOs). PCOs are the designated points of contact in Australian and ACT Government agencies with whom the Office liaises on an ongoing basis.

    The Office views the PCO meetings as a key to maintaining open lines of communication to allow for the exchange of information between the Office and government agencies by keeping each party informed of project developments that have privacy implications.

    The PCO Network is also an effective way for the Office to appropriately refer complaints lodged with the Office about a government agency to the agency itself, thereby creating a more efficient complaints handling process.

    The Office provides a secretariat role to the PCO Network and organises regular PCO meetings, distributes relevant information and develops resource materials. In 2005-06, the Office held four PCO meetings.

    The Office gauges interest in the forums by seeking feedback following each meeting. The meetings continue to receive positive feedback. The Office plans to survey members in 2006-07 to assist in ensuring that the needs of the PCO Network are being met.

    2.6 Privacy Advisory Committee

    The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act. Its members are appointed by the Governor-General. The functions of the PAC are established under s. 83 of the Privacy Act and provide for the PAC to assist the Commissioner in engaging in and promoting community education, and community consultation, in relation to the protection of individual privacy, and advise the Commissioner on matters relevant to their functions.

    The PAC also acts as an external reference point that supports the Commissioner in gaining access to the broad views about privacy in the private sector, government and the community at large. The Office provides a secretariat role to the PAC.

    In particular, this year the PAC assisted by providing the Office with direction on a number of activities including the Office's complaint handling review. PAC members attended the November 2005 Asia Pacific Privacy Authorities Forum (see section 2.7.1 for further information) at which they briefed the forum on their role and the benefits of the committee for the Office.

    There are currently six members of the PAC. In February 2006, the terms of two of the members, Mr Peter Coroneos and Associate Professor John M. O'Brien, expired. Subsequently, both members were reappointed for additional three-year terms. Following his appointment as Human Rights Commissioner in December 2005, Mr Graeme Innes AO resigned from the PAC. The Government is currently considering his replacement.

    2.7 International Liaison

    2.7.1 Asia Pacific Privacy Authorities

    The Asia Pacific Privacy Authorities (APPA) forum is a regional forum that includes the Office, the State and Territory Privacy Commissioners in Australia (NSW, Victoria and the Northern Territory), together with the Privacy Commissioners of New Zealand and Hong Kong. The Korean Republic is also a member.

    The forum, which was previously known as the Privacy Agencies of New Zealand and Australia plus Hong Kong and Korea, meets biannually and is hosted with a rotating venue and host. APPA meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA affiliates. Further, the forum provides an opportunity for regional Commissioners to exchange knowledge and experiences about privacy regulation across the different jurisdictions. The forum met twice in 2005-06, in November 2005 in Melbourne and in May 2006 in Sydney.

    In November 2005 the APPA forum established a Statement of Objectives and resolved that members agreed to closer cooperation on issues of mutual interest and continued development of joint projects. During the year the members of the forum commenced a joint promotions initiative which will be reported on in the 2006-07 annual report.

    2.7.2 27th International Conference on Privacy and Personal Data Protection

    In September 2005, the Privacy Commissioner attended the 27th International Conference on Privacy and Personal Data Protection in Montreux, Switzerland. During the conference, the Commissioner spoke at 'The importance of self-regulation in the implementation of data protection principles'. The subject of the Commissioner's presentation was The Australian Private Sector Experience in which the Commissioner examined the success of self-regulation in the private sector before the introduction of the National Privacy Principles (NPPs) and the subsequent co-regulatory experience since the introduction of the NPPs. The session explored issues pertaining to regulatory regimes, their comparative effectiveness and the Australian experience of privacy compliance.

    At the conference, the Commissioner also presented a speech at the Privacy Laws and Business Roundtable. The Commissioner's speech provided an outline of privacy law in Australia, with particular regard to the Review of the Private Sector Provisions of the Privacy Act and other contemporary privacy issues.

    3.1 Review of Performance

    The Privacy Commissioner protects the privacy of Australians through compliance activities that include offering a telephone enquiries service, resolving individual privacy complaints, conducting investigations and audits, and monitoring data-matching activities.

    The Office's compliance focus in 2005-06 was on the resolution of individual complaints. The Office aims to resolve cases in ways which are fair, open and engender stakeholder confidence.

    As mentioned earlier in this report, the Office is to receive an increase in funding of approximately $8.1m over four years. One of the first priorities will be to ensure that the Office's complaints handling systems and practices are working well and that individuals' complaints are handled in a timely and effective way. The additional funding will enable an improvement in turnaround times and the removal of the current backlog.

    In addition to its work on individual complaints, the Office also assessed 90 incidents that may have indicated privacy breaches affecting individuals or systemic privacy breaches. Where indicated on the basis of a risk assessment, formal investigations or other actions, including providing advice, were instituted.

    While, as noted above, the Office currently has a limited audit program, it did complete all audits planned under specific funding arrangements established by Memoranda of Understanding (MOUs) (see section 4.1). It also finalised arrangements to publish most audit reports on its website (see section 3.8).

    3.2 Responding to Enquiries

    3.2.1 Telephone Enquiries

    The Office operates a cost of a local call telephone enquiry service (1300 363 992), which provides general advice about privacy issues and privacy law. It answered 19 150 telephone enquiries in 2005-06, 9% less than the 21 108 received in 2004-05. While there are calls from organisations or agencies seeking advice about how to comply with their obligations under the Privacy Act, most calls were from individuals seeking advice about how to deal with possible interferences with their privacy.

    Table 3.1 below shows a break-down of issues that calls were received about during 2005-06.

    Table 3.1 Telephone Enquiries

    Issue
    Credit Reporting                          1279
    Data-matching                             30
    Information Privacy Principles            905
    Spent Convictions                         190
    Tax File Numbers                          49
    Privacy General                           3612
    Privacy Issues Outside Jurisdiction       689
    Sub-total                                 6754

    Private Sector Provisions
    NPP 1 - Collection                        1439
    NPP 2 - Use and Disclosure                3804
    NPP 3 - Data Quality                      180
    NPP 4 - Data Security                     625
    NPP 5 - Openness                          153
    NPP 6 - Access and Correction             1408
    NPP 7 - Identifiers                       23
    NPP 8 - Anonymity                         7
    NPP 9 - Transborder Data Flows            90
    NPP 10 - Sensitive Information            47
    NPP Exemptions                            2000
    Private Sector Provisions (General)       571
    Sub-total                                 10 347

    Unrelated to Privacy                      2049
    TOTAL                                     19 150

    Of the total calls received most related to the National Privacy Principles (54%). Of these, use and disclosure of personal information was the area of greatest concern (37%) with 2701 of these being about inappropriate disclosures of personal information. Other categories of concern were collection of personal information (14%) and access to and correction of personal information (14%).

    Callers were also concerned about issues relating to the private sector that did not fall within jurisdiction. Of the 2000 enquiries received in this category, employment matters rated highly (43%) as did the practices of small business operators (21%).

    Chart 3.1 below distributes telephone enquiries by industry sector.

    Chart 3.1 Industry Sectors to which Telephone Enquiries relate 2005-06

    A sample of calls received appears below.

    • A caller rang distressed because a finance company had rung the caller's nominated contact person and disclosed details about his loan. The caller thought this was unnecessary because the loan was only in arrears by 14 days, the finance company had his address and phone number and he had previously left a message for the finance company to ring him.
    • A number of callers advised that their doctor's landlord had changed the locks of the doctor's surgery because of nonpayment of rent for the premises. The landlord had assumed control of all the medical records of the patients and was charging a fee of $55 an hour to access their medical files.
    • A caller watched a TV program on identity theft and became concerned about an incident that had occurred some time previously. As he was leaving a restaurant he had received a phone call offering him a credit card. He had provided personal information over the phone including where he worked, how much he earned, his name, address and phone number and his driver's licence number, but subsequently did not hear anything from the company. When he rang the company's advertised number he was told that there was no record of any contact with him.

    3.2.2 Written Enquiries

    In addition to enquiries received via the telephone enquiry service, the Office received 2316 written enquiries by email, post and facsimile. This is an 11% increase on the 2094 reported in 2004-05. Of the written enquiries received this year, 1441 or 62% were specifically about the operation of the private sector provisions.

    3.3 Responding to Complaints

    The Privacy Commissioner may accept complaints from individuals about acts or practices that may be an interference with their privacy. This can include complaints about:

    • how personal information is handled by Australian and ACT Government agencies under the IPPs
    • how personal information is held by all large private sector organisations, all private sector health service providers and some small businesses under the NPPs
    • credit worthiness information held by credit reporting agencies and credit providers
    • personal tax file numbers used by individuals and organisations
    • matters under related legislation including under the Crimes Act 1914 regulating the handling of information about old minor convictions and the Data-matching Program (Assistance and Tax) Act 1990 regulating the conduct of Australian Government data-matching programs.

    3.3.1 Complaints received during 2005-06

    In 2005-06 the Office received a total of 1183 complaints across all areas of its jurisdiction (1275 were received in 2004-05).

    The nature of complaints varied considerably. Some examples are listed below:

    • a complainant alleged that a medical specialist sent correspondence to a work address after specifically being requested not to, had also inappropriately discussed the matter with the complainant's GP, and had denied the complainant access to the document without giving a reason
    • a company which maintained a database of information about tenants as a risk management tool for the housing sector, listed inaccurate information on the database, affecting the complainant's ability to obtain housing
    • a complainant alleged that a financial institution disclosed personal information to the complainant's ex-spouse, with significant emotional and financial consequences
    • a complainant disputed a default listing made to a credit reporting agency on the grounds that notice had not first been given that a listing might be made, and that no action had been taken to first recover the debt.

    The spread of complaints received in relation to the various jurisdictions of the Privacy Act is set out in Chart 3.2 below. Complaints relating to the private sector in relation to possible breaches of the NPPs continue to dominate.

    Chart 3.2 Percentage of Complaints received by Privacy Act Jurisdiction


    The matters most frequently raised in complaints, as a percentage of total complaints received, are set out in Chart 3.3 below. Percentages exceed 100 because some complaints contain more than one issue.

    Chart 3.3 Percentage of Complaints received by Key Issue


    Chart 3.4 sets out the number of complaints received by sector (for the twelve sectors regarding which most complaints are made).

    Chart 3.4 Complaints received by Sector


    3.3.2 Complaints closed during 2005-06

    The Office closed 1131 complaints in 2005-06. This was 1% less than the 1144 complaints closed in 2004-05.

    About 11% of matters were closed following a formal investigation and, where appropriate, through reaching a conciliated resolution to the matters that gave rise to the complaint. In other cases, matters were finalised after the Privacy Commissioner made preliminary enquiries which may have included a conciliation process or which revealed that there was an interference with privacy or that the matter was not within jurisdiction. In many cases the Privacy Commissioner declined the matter, for example because:

    • the complainant had not given the respondent a chance to resolve the matter as required by the Privacy Act or
    • the Commissioner did not have jurisdiction because the respondent was a state government body, or a small business excluded from the Privacy Act.

    Table 3.2 below summarises the stage at which complaints were closed and the average time the Office took to finalise the complaint.

    Table 3.2 Stage at which Complaints Closed

    | Stage at which complaint closed | Number of matters | Average time to finalise (months/years) |
    |---|---|---|
    | Formal investigations - s. 40(1) | 124 | 1 year 6 months |
    | Preliminary inquiries - s. 42 | 333 | 6 months |
    | Declined to investigate - s. 41 | 674 | 1 month |
    | Total | 1131 | |

    The Office aims to finalise all complaints within 12 months of receipt. While it meets this target on the average duration for all complaints, formal investigations currently take longer than this due to the current complaint backlog.

    3.3.2.1 Complaints closed following investigations

    The Privacy Commissioner may investigate acts or practices that may be a breach of privacy and, if appropriate, endeavour to conciliate a resolution to the matters that gave rise to the complaint.

    Following an investigation, and conciliation if appropriate, the Privacy Commissioner may decide not to investigate a matter further if satisfied that the matter has been adequately dealt with by the respondent or that there is no interference with privacy, or may decide to make a determination in relation to a complaint under s. 52.

    In 2005-06 the Privacy Commissioner closed 124 or 11% of complaints following a formal investigation of the matters that gave rise to a complaint. Table 3.3 below sets out the grounds the Privacy Commissioner relied on to close these complaints. The matters mentioned here are greater than the total number of complaints closed as in some cases there is more than one ground for closing a matter. In about 50% of cases the Privacy Commissioner formed the view that the complaint was likely to be upheld and proceeded to conciliation.

    The resolutions agreed between the parties in these cases include:

    • provision of access to records
    • correction of records
    • apologies
    • changes to systems
    • amounts of compensation ranging from less than $500 to $20 000.

    There were no determinations made in 2005-06.

    Table 3.3 Grounds for Declining to Investigate Complaints Further Following an Investigation

    | Ground | NPPs | IPPs | Credit | Spent convictions | TFNs | Total |
    |---|---|---|---|---|---|---|
    | No interference with privacy - s. 41(1)(a) | 30 | 9 | 10 | 0 | 0 | 49 |
    | Respondent has adequately dealt with matter - s. 41(2)(a) | 42 | 8 | 21 | 1 | 1 | 73 |
    | Other (for example, withdrawn) | 15 | 6 | 5 | 0 | 0 | 26 |
    | Total | 87 | 23 | 36 | 1 | 1 | 148 |

    3.3.2.2 Nature of remedies achieved by conciliation following investigation

    Table 3.4 below sets out in more detail the outcomes of the complaints closed as adequately dealt with following a formal investigation and conciliation process. In reading the table it is important to note that the total does not necessarily equate to the total number of complaints as there may be more than one resolution for a particular complaint.

    It is worth noting that financial compensation was a feature in 27% of the complaints closed following conciliation. These complaints represent 2.5% of the total complaints received in 2005-06.

    Table 3.4 Nature of Remedies in Complaints Closed as Adequately Dealt With after Investigation

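    | Remedy | NPPs | IPPs | Credit | TFNs | Spent Convictions | Total |
    |---|---|---|---|---|---|---|
    | Record corrected | 8 | 0 | 19 | 0 | 1 | 28 |
    | Apology | 7 | 4 | 1 | 0 | 1 | 13 |
    | Changed procedure | 7 | 3 | 3 | 0 | 0 | 13 |
    | Access provided | 11 | 0 | 1 | 0 | 0 | 12 |
    | Other | 6 | 5 | 0 | 0 | 0 | 11 |
    | Compensation - up to $500 | 3 | 1 | 2 | 1 | 1 | 8 |
    | Compensation - $501 - $2000 | 6 | 1 | 1 | 0 | 0 | 8 |
    | Compensation - $2001 - $20,000 | 5 | 0 | 3 | 0 | 0 | 8 |
    | Compensation - confidential settlement | 2 | 1 | 2 | 0 | 0 | 5 |
    | Total | 55 | 15 | 32 | 1 | 3 | 106 |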

    3.3.2.3 Complaints closed following preliminary enquiries

    The Privacy Act provides for the Privacy Commissioner to conduct preliminary enquiries with the respondent or other parties to a complaint, to determine whether the Commissioner has the power to investigate or should exercise discretion not to investigate a matter further. Preliminary enquiries may seek to establish, for example, if:

    • an organisation may claim the small business operator exemption
    • an agency or organisation is willing to provide access to records or
    • a particular act or practice is authorised by law.

    In 2005-06 the Privacy Commissioner closed 333 or 29% of complaints following preliminary enquiries. Table 3.5 below sets out the grounds the Privacy Commissioner relied on to close these complaints. Note that the figures are greater than total complaints closed because some cases are closed for more than one reason.

    Table 3.5 Basis for Closing Complaints Following Preliminary Enquiries

    | Basis for closing | NPPs | IPPs | Credit | Other | TFNs | Spent Convictions | Total |
    |---|---|---|---|---|---|---|---|
    | 40(1A) complaint not raised with respondent | 11 | 1 | 3 | 2 | 0 | 0 | 17 |
    | 41(1)(a) no interference with privacy* | 113 | 16 | 14 | 4 | 1 | 0 | 148 |
    | 41(1)(c) aware of complaint for over 12 months | 3 | 0 | 0 | 0 | 1 | 0 | 4 |
    | 41(1)(d) frivolous, vexatious, misconceived or lacking in substance | 2 | 0 | 1 | 0 | 0 | 0 | 3 |
    | 41(1)(e) is being dealt with under another law | 0 | 2 | 0 | 0 | 0 | 0 | 2 |
    | 41(1)(f) another law is more appropriate | 0 | 1 | 0 | 0 | 0 | 0 | 1 |
    | 41(2)(a) respondent has adequately dealt with matter | 85 | 3 | 23 | 3 | 0 | 0 | 114 |
    | 41(2)(b) respondent has not had adequate opportunity to deal with matter | 9 | 1 | 5 | 1 | 0 | 0 | 16 |
    | Other (for example, withdrawn) | 43 | 5 | 5 | 0 | 1 | 0 | 54 |
    | Total | 266 | 29 | 51 | 10 | 3 | 0 | 359 |

    * This includes matters that fall outside the Commissioner's jurisdiction, for example the respondent is a state government body.

    In the course of conducting preliminary enquiries, the Privacy Commissioner may find that the respondent had adequately dealt with the matter, or may be able to conciliate a resolution to the matters that gave rise to the complaint. Table 3.6 below summarises the remedies achieved following preliminary enquiries.

    It is worth noting that financial compensation was a feature in 11% of the complaints closed following conciliation. These complaints represent 1% of the total complaints received in 2005-06.

    Table 3.6 Nature of Remedies in Complaints Closed as Adequately Dealt With after Preliminary Enquiries

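    | Remedy | NPPs | IPPs | Credit | TFNs | Spent Convictions | Total |
    |---|---|---|---|---|---|---|
    | Access provided | 47 | 0 | 1 | 0 | 0 | 48 |
    | Record corrected | 18 | 0 | 16 | 0 | 0 | 34 |
    | Other | 10 | 2 | 5 | 0 | 0 | 17 |
    | Apology | 6 | 0 | 3 | 0 | 0 | 9 |
    | Changed procedures | 6 | 0 | 1 | 0 | 0 | 7 |
    | Compensation - confidential settlement | 4 | 1 | 0 | 1 | 0 | 6 |
    | Compensation - up to $500 | 5 | 0 | 0 | 0 | 0 | 5 |
    | Compensation - $501 - $2000 | 2 | 0 | 1 | 0 | 0 | 3 |
    | Total | 98 | 3 | 27 | 1 | 0 | 129 |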

    3.3.2.4 Complaints closed without investigation

    In 2005-06 the Privacy Commissioner closed 674 or 60% of complaints by exercising discretions not to investigate a matter. Table 3.7 below sets out the grounds the Privacy Commissioner relied on to close these complaints.

    Notably, for all types of complaints, more were closed on the basis that there was no interference with privacy (s. 41(1)(a)) than for any other reason. Complaints were also frequently closed on the basis that the complainant had not first raised the matter with the respondent (s. 40(1A)).

    Other common grounds for closing a complaint were that the respondent had not yet had an adequate opportunity to consider the matter (s. 41(2)(b)) or the respondent had dealt adequately with the complaint (s. 41(2)(a)). In cases where the Office considered there was no interference with privacy (s. 41(1)(a)), this may have been, in the case of IPP complaints, because the act or practice was authorised by law, or in the case of credit complaints, that the respondent followed the proper procedure before listing a default on an individual's consumer credit information file.

    Table 3.7 Basis for Closing Complaints without Investigation

    | Basis for closing | NPPs | IPPs | Credit | Other | TFN | Spent Convictions | Total |
    |---|---|---|---|---|---|---|---|
    | 40(1A) complaint not raised with respondent | 73 | 31 | 23 | 3 | 0 | 1 | 131 |
    | 41(1)(a) no interference with privacy* | 185 | 36 | 27 | 98 | 1 | 0 | 347 |
    | 41(1)(c) aware of complaint for over 12 months | 5 | 2 | 1 | 2 | 0 | 0 | 10 |
    | 41(1)(d) frivolous, vexatious, misconceived or lacking in substance | 10 | 6 | 2 | 5 | 0 | 0 | 23 |
    | 41(1)(e) is being dealt with under another law | 5 | 1 | 0 | 0 | 0 | 0 | 6 |
    | 41(1)(f) another law is more appropriate | 4 | 3 | 0 | 1 | 0 | 0 | 8 |
    | 41(2)(a) respondent has adequately dealt with matter | 22 | 1 | 5 | 0 | 0 | 0 | 28 |
    | 41(2)(b) respondent has not had adequate opportunity to deal with matter | 60 | 12 | 17 | 3 | 0 | 0 | 92 |
    | Other (for example, withdrawn) | 19 | 3 | 5 | 2 | 0 | 0 | 29 |
    | Total | 383 | 95 | 80 | 114 | 1 | 1 | 674 |

    * This includes matters that fall outside the Commissioner's jurisdiction, for example the respondent is a state government body.

    3.3.2.5 Compliance issues in NPP complaints

    Chart 3.5 below sets out the issues raised in complaints against private sector organisations where the Commissioner found a compliance issue and, following conciliation, closed the matter as having been adequately dealt with. The issues raised most frequently relate to misuse, inappropriate disclosure or the provision of access.

    Chart 3.5 NPP Complaints Resolved by the Respondent Following Investigation by the Office


    3.3.2.6 Compliance issues in IPP complaints

    Chart 3.6 below sets out the issues raised in complaints against Australian and ACT Government agencies where the respondent took action following preliminary enquiries or a formal investigation by the Office. It is important to note here that the number of complaints is quite small and therefore may not reliably indicate trends.

    Chart 3.6 IPP Complaints Resolved by the Respondent Following Investigation by the Office


    3.3.2.7 Compliance issues in Credit Reporting complaints

    Chart 3.7 below sets out the issues in complaints against credit providers or credit reporting agencies where the respondent took action following preliminary enquiries or a formal investigation by the Office.

    The most significant issue in these matters was where the individual concerned disputed the validity of a default listing on a consumer credit information file, for example because they had not been advised that a listing would be made, or the credit provider had not first tried to recover the amount outstanding. Where the Office confirmed that the listing had been made without following proper procedures the resolution generally involved removal of the default listing.

    Chart 3.7 Credit Reporting Complaints Resolved by the Respondent Following Investigation by the Office


    3.4 Own Motion Investigations

    Section 40(2) of the Privacy Act allows the Commissioner to investigate a possible interference with privacy if the Commissioner thinks it desirable, without first receiving a complaint from an individual. The Office calls such investigations 'own motion' investigations.

    3.4.1 Issues in Own Motion Investigations

    During 2005-06 the Office became aware of 90 new matters that may have involved interferences with privacy. These matters were brought to the attention of the Office through incidents reported in the media, individuals calling the telephone enquiries line or writing to the Office about an issue of concern affecting either them or other people, and agencies or organisations 'self-reporting' breaches or advising of possible breaches by other organisations.

    The Office decided on the basis of its risk assessment criteria to open formal investigations into 11 of these matters. In the majority of other cases where the Office decided not to investigate, it still made contact with the respondents to alert them to the issue and in some cases to recommend a course of action. The risk assessment criteria the Office uses in deciding whether to investigate include the:

    • sensitivity of the personal information involved
    • number of people affected and the consequences for those individuals
    • likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are widespread
    • progress of an agency or organisation's own investigation into the matter
    • nature of any proposed resolution and
    • necessity for the Office to be satisfied that the investigation is complete and/or proposed resolutions are implemented.

    The situations the Office investigated included:

    • information received suggesting that an organisation was publishing individuals' financial information on its website in an unsecured manner
    • information received suggesting that an organisation had disposed of records containing sensitive health information in an inappropriate and unsecured manner
    • information received suggesting that an organisation was collecting unnecessary personal information through an overseas contractor and that a service contract specifying how the information should be handled was not in place
    • information suggesting that a government agency had disclosed employee information for research purposes without consent and
    • information suggesting that a government agency had insufficient security controls around the authorised access to its databases by another government agency.

    3.4.2 Outcomes of Own Motion Investigations

    In the majority of cases investigated where the Commissioner found the allegations to be substantiated, the respondent dealt with the issues of concern, either on their own initiative or following the Office's suggestions. The action taken has included:

    • advice to people affected
    • apologies
    • retrieval and appropriate disposal of records
    • change in practice, for example greater website security
    • change in procedures.

    3.5 Case Notes

    The Commissioner regularly publishes case notes that describe, in de-identified form, the issues and outcomes in selected complaints. In providing this insight into how privacy principles are being applied the Commissioner aims to:

    • ensure the Office is accountable and transparent in its processes and decision making
    • assist the public to know if their personal information is being handled appropriately, or assist them to decide whether to pursue a complaint
    • provide a more certain and predictable environment for the development of policies and procedures and
    • encourage compliance with the Privacy Act and good privacy practice.

    In 2005-06 the Office published 18 case notes about complaints under the NPPs, IPPs and other areas of the Privacy Act jurisdiction. This compares to 22 case notes published in the previous financial year.

    The cases selected for publishing as case notes either:

    • demonstrate a new interpretation of the Privacy Act or associated legislation
    • illustrate systemic issues
    • illustrate the application of the law to a particular industry or
    • illustrate situations in which the Commissioner may decline to investigate complaints.

    The case notes are accessible through a number of sources. They are published on the Office's website at www.privacy.gov.au/law/apply/determinations/, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (Austlii) website at www.austlii.edu.au.

    3.6 Complaints and Enquiries Statistics on www.privacy.gov.au

    In addition to the descriptions of specific complaints published as case notes the Commissioner also publishes statistical information giving an overview of complaints and enquiries to the Office. Monthly updates published on the website include:

    • the number of complaints, telephone and written enquiries received and
    • the number of NPP complaints closed according to issue type.

    The statistics are available at www.privacy.gov.au/complaints/statistics/.

    3.7 Reports of Complaints under Approved Codes

    The Privacy Act provides for organisations or groups of organisations to develop privacy codes that, if approved by the Commissioner, replace the NPPs as the legally enforceable privacy standards for those organisations. As at 30 June 2006 there are two approved codes, and these are listed in Table 3.8 below.

    Table 3.8 Approved Codes under the Privacy Act

    | Name of Code | Code Adjudicator | Monitoring/Reporting Responsibility |
    |---|---|---|
    | Market and Social Research Privacy Code | Privacy Commissioner | Association of Market Research Organisations and the Privacy Commissioner |
    | Queensland Club Industry Privacy Code | Privacy Commissioner | Clubs Queensland and the Privacy Commissioner |

    The General Insurance Information Privacy Code (the Insurance Code) was also in force during the reporting period, but was revoked in April 2006. The Insurance Code included an alternative complaint handling process, as permitted by the Privacy Act. This being the case, a report on the operation of the code and details of complaints finalised under the code must be provided to the Commissioner each year. The Office received a report on the operation of the Insurance Code from its Code Adjudicator, Insurance Ombudsman Service Ltd, covering the 2004-05 period.

    There were seven privacy complaints received during that period. The Code Adjudicator reported compliance monitoring activities, including receiving reports on the nature of privacy complaints handled by code members and taking action following the identification of a systemic issue. In this case, the organisation was encouraged to improve training on the handling of privacy complaints.

    3.8 Audits

    The Privacy Commissioner has powers under the Privacy Act to conduct privacy audits of Australian and ACT Government agencies and some organisations in certain circumstances. Audits are a key method for determining and improving the extent of compliance with the Privacy Act. The focus for the Office in conducting audits is to bring about systemic change in the reduction of privacy risks and to promote best privacy practice.

    The Commissioner's audit powers are set out in several sections of the Privacy Act:

    • auditing agency compliance with the Information Privacy Principles - s. 27(1)(h)
    • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information - s. 28(1)(d)
    • auditing TFN recipients - s. 28(1)(e)
    • auditing credit information files and credit reports held by credit reporting agencies and credit providers - s. 28A(1)(g).

    The Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, unless at the request of the organisation under section 27(3).

    The number of audits carried out by the Office has varied over the life of the Privacy Act depending on the nature of privacy complaints and other priorities of the Office. In 2005-06 the Office only undertook audits where it had received specific funding to do so. This is consistent with the approach taken by the Office since 2002-03 when the Commissioner decided to redirect the Office's resources as a result of the significant increase in complaint numbers.

    In an effort to promote transparency in the Office's audit work and to help promote good privacy practice, the Office has published the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002 on its website (see www.privacy.gov.au/law/apply/audit). Some audit reports have classified content and as such have been withheld from publication or have been published in an abridged form.

    3.8.1 Audits Commenced in 2005-06

    3.8.1.1 ACT Government Audits

    The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3) which includes a commitment by the Office to conduct two audits of ACT Government agencies per financial year. The Office selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of and risk to that information.

    Table 3.9 below shows audits of ACT Government agencies commenced by the Office in 2005-06 under this arrangement.

    Table 3.9 ACT Audits Commenced 2005-06

    | Agency | Audit Scope | Commenced |
    |---|---|---|
    | ACT Office of the Community Advocate | Client Records | 26 October 2005 |
    | ACT Department of Corrective Services | Staff and Client Records | 21 February 2006 |

    3.8.1.2 Biometrics for Border Control Audits

    The Office has been allocated additional funding over four years (2005-06 to 2008-09) as a component of the Development of Biometrics for Border Control program involving the Department of Foreign Affairs and Trade (DFAT), the Australian Customs Service (Customs) and the Department of Immigration and Multicultural Affairs (DIMA). The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing. The Office has committed to undertake three audits per year of key projects in the Biometrics for Border Control program.

    Table 3.10 below shows audits of Biometrics for Border Control projects commenced by the Office in 2005-06 under this funding.

    Table 3.10 Biometrics for Border Control Audits Commenced 2005-06

    | Agency | Audit Scope | Commenced |
    |---|---|---|
    | DIMA | Identity Services Repository (System Design) | 26 October 2005 |
    | DFAT | ePassport (Follow-up Audit) | 14 March 2006 |

    The Office had scheduled an audit of another DIMA project for 2005-06. However, as DIMA is not as advanced in the project development as anticipated this audit has been postponed until 2006-07.

    3.8.1.3 Identity Security Audits

    In 2005-06 the Office received funding to provide privacy advice and oversight in respect of projects to be delivered under the Australian Government's National Identity Security Strategy. As part of its oversight activity, the Office undertook an audit of the Document Verification Service Prototype convened by the Attorney-General's Department (AGD) which involves data exchange between Centrelink, DIMA, DFAT and a number of state agencies.

    Table 3.11 below shows identity security audits commenced by the Office in 2005-06.

    Table 3.11 Identity Security Audits Commenced 2005-06

    | Agency | Audit Scope | Commenced |
    |---|---|---|
    | AGD, Centrelink, DIMA, DFAT | Document Verification Service Prototype | 1 June 2006 |

    3.8.2 Audits Finalised in 2005-06

    3.8.2.1 ACT Government Audits

    In the reporting period, the Office finalised its privacy audits of the following ACT Government agencies:

    Table 3.12 ACT Audits Finalised 2005-06

    | Agency | Audit Scope | Commenced |
    |---|---|---|
    | ACT Department of Disability, Housing and Community Services | Client Records and Bushfire Database | 14 April 2004 |
    | ACT Department of Justice and Community Safety - Register General's Office | Client and Staff Records | 20 January 2005 |
    | ACT Treasury | First Home Owners Grant: Client Records | 1 February 2005 |

    The Office generally found that the agencies had appropriate privacy controls in place to ensure a satisfactory level of compliance with the IPPs. However, the auditors made recommendations where insufficient privacy controls were identified or where better privacy practice could be instituted.

    Common audit findings included:

    • lack of appropriate security controls for paper records, such as use of locked cabinets for storage of personal information and appropriate file tracking systems
    • lack of appropriate security controls for electronic records such as 'need-to-know' access controls and standardised screen locks
    • inadequate or sporadic staff training in privacy
    • provision of insufficient notice to individuals when collecting their personal information
    • unnecessary retention of personal information creating increased risk of inappropriate access to or use and disclosure of personal information.

    The Office made recommendations to address these and other findings. Generally, the recommendations made were accepted by the agencies involved.

    Final reports for audits of the ACT Department of Disability, Housing and Community Services and the ACT Department of Justice and Community Safety - Register General's Office are available from the Office's website (see www.privacy.gov.au/law/apply/audit).

    Following discussions with ACT Treasury, the Commissioner has agreed to withhold the audit report for the First Home Owners Grant on the grounds that the release of information regarding the process by which applications for first home owner grants are scrutinised may undermine investigations into fraudulent applications.

    3.8.2.2 Biometrics for Border Control Audits

    In the reporting period, the Office finalised the following Biometrics for Border Control audit:

    | Agency | Audit Scope | Commenced |
    |---|---|---|
    | Department of Foreign Affairs and Trade and the Australian Customs Service | ePassport and SmartGate Trials | 4 April 2005 |

    The Office made four recommendations in this audit relating to data security and notification. All four recommendations were accepted by DFAT and Customs. The audit report for this audit has been published on the Office's website (see www.privacy.gov.au/law/apply/audit).

    3.9 Personal Information Digest

    Each year, the Commissioner compiles and publishes the Personal Information Digest (PID) containing descriptions of the types of personal information held by each Australian and ACT Government agency. To assist people to ascertain what personal information the Government holds, the Privacy Act requires agencies to maintain a record setting out:

    • the nature of records kept
    • the purpose for which they are kept
    • the categories of people the information is about
    • the period for which the records are kept
    • who has access to the records and
    • the steps a person must take to gain access to those records.

    Agencies must provide these records to the Commissioner in June of each year. The Office published the PID for the period ending June 2005 on its website.

    The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the websites of both JACS and this Office.

    Both PIDs are available at www.privacy.gov.au/government/digests/.

    3.10 Monitoring Government Comparisons of Data Sets

    Data-matching is a process by which large data sets of personal information from different sources are brought together and compared for the purpose of identifying discrepancies.

    For example, Centrelink and the Australian Taxation Office (ATO) undertake regular data-matching to identify where individuals have provided different income information to Centrelink than to the ATO. Discrepancies are investigated and recovery action may be taken if it is established that the individual has under-declared their income to Centrelink or the ATO and has been paid an incorrect rate of income support or tax as a result.

    Data-matching raises significant privacy issues as it involves analysing information about large numbers of people, the vast majority of whom have done nothing wrong and are not under suspicion. The Office performs a number of functions designed to ensure that government agencies undertaking data-matching activities minimise the impact on individuals' privacy. The Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). The Commissioner also oversees the operation of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998) which are voluntary guidelines developed to assist agencies in undertaking data-matching programs that are not subject to the Data-matching Act in a privacy sensitive manner.

    3.10.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines

    The Data-matching Act provides for the use of tax file numbers in data matching processes undertaken by a special unit within Centrelink (the data-matching agency) on behalf of Centrelink, the Department of Veterans' Affairs (DVA) and the Australian Taxation Office (ATO). The aim of the program is to detect overpayments, taxation non-compliance and the receipt of duplicate payments.

    The Data-matching Act and the statutory data-matching guidelines specify the type of personal information that can be used, how the data can be processed and how the results can be used. They also require that individuals are provided with the opportunity to dispute or explain the match and require that individuals have avenues for redress.

    The Data-matching Act makes the Commissioner responsible for monitoring the conduct of the statutory data-matching program. Section 3.10.1.1 outlines the inspection work undertaken by the Office for this purpose. Centrelink, the ATO and DVA are also required under the Data-matching Act to report to Parliament on the results of data-matching activities carried out under the Act. These reports are published separately by each agency.

    3.10.1.1 Inspections

    During 2005-06 the Office inspected Centrelink's handling of a sample of data-matching cases in three regions. The regions inspected were as follows:

    • Area Central and Northern Queensland, August 2005
    • Area North Central Victoria, April 2006
    • Area South East Victoria, April 2006.

    One hundred cases were inspected at the Area Central and Northern Queensland Office in Townsville and 60 cases were inspected at both the Area North Central Victoria Office in Box Hill, Melbourne and Area South East Victoria Office in Mornington. At the completion of the inspections, a report was prepared and provided to Centrelink outlining the findings. The Office found that Centrelink's processes and procedures for statutory data-matching were largely compliant with the requirements of the Data-matching Act.

    3.10.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)

    Many Australian government agencies, including Centrelink, ATO and DVA, also carry out data-matching activities that are not subject to the Data-matching Act but operate under other laws which authorise the use and disclosure of personal information for this purpose. The Privacy Commissioner has issued voluntary data-matching guidelines to assist agencies in undertaking such data-matching activities with due regard for the privacy of the individuals whose personal information is matched.

    The voluntary data-matching guidelines require that:

    • action against individuals is not taken solely on the basis of automated processes
    • individuals identified have the opportunity to question the results
    • programs are only initiated where justified and
    • programs are monitored and evaluated regularly.

    The guidelines also require agencies to prepare a description of the data-matching activity, called a program protocol, which should be provided to the Privacy Commissioner for comment prior to commencement and, once finalised, should be made publicly available.

    In the last financial year, the Privacy Commissioner received a total of 19 program protocols regarding non-statutory data-matching for consideration. This is the same as the number received in 2004-05. As in previous years, most program protocols were received from the ATO. The ATO conducts a significant amount of data-matching as part of its taxation compliance initiatives. In the reporting period, protocols were also received from Centrelink and DVA. A brief summary of each protocol received in 2005-06 is provided in Table 3.13 below.

    3.10.2.1 Proposals seeking exemption from compliance with the voluntary data-matching guidelines

    Paragraph 26 of the voluntary data-matching guidelines allows agencies to seek exemption from compliance with certain aspects of the guidelines where the agency believes it to be in the public interest.

    In 2005-06, the Office received five new requests for exemption from compliance with aspects of the voluntary data-matching guidelines.

    The Commissioner approved a request from Centrelink for exemption from the publication and notification aspects of the data-matching guidelines in relation to a data-matching program aimed at the identification of identity fraud. The Commissioner accepted that publishing details of the data-matching program and providing notice to individuals identified through the matching process prior to investigation of the potential fraud may undermine that investigation.

    The Office has also received four related requests from the ATO for an extension of the length of time for which information collected during the data-matching process can be retained. These requests are currently under consideration.

    Details of the exemptions sought are included in the program descriptions provided in Table 3.13 below. The Office has also published full details of recently approved exemptions on the data-matching page of the Office's website at www.privacy.gov.au/law/other/datamatch/. Exemptions granted to the publication and notification requirements are not included on the website.

    Table 3.13 2005-06 Program Protocols produced under the Voluntary Data-matching Guidelines

    | Matching Agency | Source Agencies | Name of the Program Protocol | Description of the Program Protocol | Received Date |
    |---|---|---|---|---|
    | ATO | WorkCover NSW | WorkCover NSW Data Matching Protocol | Identification of non-compliance with registration, lodgement and payment obligations under taxation law. The ATO will match business names and addresses registered with WorkCover NSW with its own records. This may include personal information. | August 2005 |
    | ATO | Real Property Data | Matching Information from Real Property Data with information from the ATO Database | Identification of those individuals that may be completely outside of the tax system. Client education in the correct treatment, completion and assessment of their CGT obligations. Matching of transferee and transferor details of property title transactions held by Real Property Data with ATO data. | September 2005 |
    | ATO | PMI Mortgage Insurance Ltd; GE Mortgage Insurance Company Proprietary Limited trading as Genworth Financial; St George Bank Limited; Australia and New Zealand Banking Group Limited; Westpac Banking Corporation; Suncorp-Metway Limited | Low Doc Loans Data Matching | Identification of individuals who are under reporting their income levels to the ATO by matching income data held by financial institutions with income data held by the ATO. | September 2005 |
    | ATO | Office of Consumer and Business Affairs - South Australia | Trades Compliance Project | Identification of trades people registered with the South Australian Office of Business and Consumer Affairs who may not be complying with their taxation obligations. | September 2005 |
    | ATO | Legal Profession Registering Authorities | Matching information from the Judiciary Lists and professional legal practitioner membership lists with information from the ATO database | Identification of tax non-compliance amongst members of the legal profession. To facilitate analysis of the lodgement and payment compliance of taxpayers within the legal profession. | October 2005 |
    | ATO | WorkCover Queensland | WorkCover Queensland Data Matching Protocol | Identification of non-compliance with registration, lodgement and payment obligation under taxation law. The ATO will match business names and addresses registered with WorkCover Queensland with its own records. This may include personal information. | November 2005 |
    | ATO | All state and territory roads and traffic authorities | Luxury Vehicle Project | Identification of high wealth individuals who are failing to meet their taxation obligations by comparing the value of the assets they acquire, which indicate conspicuous wealth, against the ATO's holdings on taxpayer records. In this instance the indication of conspicuous wealth is the purchase or acquisition of a motor vehicle with a sale price or valuation of $70,000 or more. | February 2006 |
    | ATO | Link Market Services Ltd; Computershare Ltd; Australian Stock Exchange Ltd | Share Data Data Matching Project | Identification of income tax and GST non-compliance. The Commissioner is currently considering a request from the ATO for exemption from aspects of the voluntary guidelines relating to data retention in respect of this program. | March 2006 |
    | ATO | 22 state and territory government revenue and fisheries agencies | Fishing Industry Project | Identification of taxation non-compliance of persons involved in the commercial fisheries industry. The Commissioner is currently considering a request from the ATO for exemption from aspects of the voluntary guidelines relating to data retention in respect of this program. | March 2006 |
    | ATO | Foreign Investment Review Board | Foreign Resident Data Matching Project | Identification of taxation non-compliance of foreign residents in Australia. The Commissioner is currently considering a request from the ATO for exemption from aspects of the voluntary guidelines relating to data retention in respect of this program. | March 2006 |
    | ATO | Queensland Residential Tenancies Authority; NSW Office of Fair Trading; Victorian Residential Tenancies Bond Authority | Residential Tenancies Authorities Data Matching Project | Identification of non-compliance in relation to CGT, rental income disclosures and the GST. The Commissioner is currently considering a request from the ATO for exemption from aspects of the voluntary guidelines relating to data retention in respect of this program. | March 2006 |
    | ATO | All state and territory maritime authorities and the Australian Maritime Safety Authority | Marine Vessels Program | Identification of high wealth individuals who are failing to meet their taxation obligations by comparing the value of the assets they acquire, which indicate conspicuous wealth, against the ATO's holdings on taxpayer records. In this instance the indication of conspicuous wealth is the purchase or acquisition of a luxury marine vessel. | June 2006 |
    | AUSTRAC | Australian Taxation Office and other agencies authorised under ss. 27 and 27A of the Financial Transaction Reports Act 1988 | Autosearch Generic Protocol | This is a generic program protocol that describes the process by which agencies authorised under ss. 27 and 27A of the Financial Transaction Reports Act 1988 provide data to AUSTRAC to be matched against information from AUSTRAC's databases. | November 2005 |
    | Centrelink | Centrelink | Internal Fraud Program (details withheld) | The program is designed to identify fraudulent or otherwise inappropriate uses of Centrelink systems by Centrelink staff members. To maintain the integrity of the program, Centrelink has sought exemption from the publication and notification requirements under the guidelines. The Office is continuing to monitor the operation of this program. | June 2005 - carried over from 2004-05 |
    | Centrelink | Australian Electoral Commission and the Health Insurance Commission | Marriage Like Relationships matching with AEC and HIC | Identification of marriage like relationships by matching Centrelink customers receiving Parenting Payment Single allowance with Australian Electoral Commission and Health Insurance Commission records. | July 2005 |
    | Centrelink | Source agency withheld: protected information | Identity Matching Program (details withheld: protected information) | Identification of individuals who may be using false identities to claim Centrelink income benefits. The program is designed to match customer identity details with identity details held by the source agency. The data-matching program is a component of Centrelink's fraud prevention strategy. To maintain the integrity of the program, specific details regarding the source agency and matching process are not publicly available, with information relating to the program classified as protected. | March 2006 |
    | Centrelink | ATO | Matching information from the ATO's taxpayer records with information from Centrelink debt records | This is a continuation of a data-matching program conducted annually by Centrelink with ATO to allow Centrelink to identify, intercept and garnishee tax refunds paid to clients with a Social Security, Family Assistance or Student Assistance debt. Centrelink has previously been granted an exemption from the guidelines allowing tax returns to be garnisheed immediately after a debtor is identified in a matched process, with individuals subsequently provided with the opportunity to dispute the debt. | June 2006 |
    | DVA | ATO | Matching information from the ATO client database with the DVA client database | Identification of income support recipients who have failed to disclose their involvement in a private trust or company. | September 2005 |
    | DVA | ASIC | Matching information from the Australian Securities and Investments Commission public database called 'ASCOT' with the DVA client database | Identification of individuals who, by failing to declare their interests in private companies or trusts, are receiving benefits from the DVA to which they may not be entitled. | March 2006 |

    4.1 Administrative Arrangements

    4.1.1 Human Rights and Equal Opportunity Commission Memorandum of Understanding

    The Office has a Memorandum of Understanding with the Human Rights and Equal Opportunity Commission (HREOC) that establishes an agreed level of corporate support. This includes payroll, recruitment services and general personnel support, financial, legal and support services, and information technology support. The Office also sub-lets premises from HREOC.

    4.1.2 Attorney-General's Department Memorandum of Understanding

    The Office has a non-financial Memorandum of Understanding with the Attorney-General's Department. This Memorandum was established in 2000-01 and sets out an agreed basis for policy and operational coordination between the Department and the Office. Representatives from both agencies meet monthly. The benefits of the arrangements include open lines of communication to keep each party informed of relevant activities and developments, and improved advice to Ministers and other key stakeholders.

    4.1.3 ACT Government Memorandum of Understanding

    The Office continues a Memorandum of Understanding (MOU) with the ACT Government. The MOU has been in place since 1 July 2000 and the current MOU will expire on 30 June 2008. Under the MOU, the Office fulfils advisory, education and compliance roles including audits, and reports half-yearly and annually on activities undertaken in relation to the ACT Government. In 2005-06, in return for these services, the Office received $94 987, as set out in the financial statements. Further information regarding advice provided to ACT government agencies can be found at section 1.3.

    4.1.4 Department of Health and Ageing Memorandum of Understanding

    The Office had a Memorandum of Understanding (MOU), beginning in 2003-04, with the Australian Government Department of Health and Ageing (DoHA). This MOU concluded on 30 June 2005, at which time DoHA agreed to a six month extension to 31 December 2005.

    Under this six month MOU, DoHA provided the Office with resources ($100 000) to advise on privacy related issues, including HealthConnect. This MOU also allowed other agencies within the portfolio to seek advice from the Office. Agencies expressly mentioned in the MOU include the Health Insurance Commission and the Australian Council for Safety and Quality in Health Care, though other portfolio agencies have sought and received advice on privacy matters.

    DoHA advised the Office on 25 November 2005 that it would not be continuing with this MOU.

    4.1.5 Centrelink

    The Office continued to undertake its responsibilities under the Data-matching Act throughout 2005-06. The Office received an annual funding of $372 976 from Centrelink to support the costs of monitoring the conduct of the data-matching program. Further data-matching information can be found at section 3.10.

    4.1.6 Department of Human Services

    The Office received funding from the Department of Human Services (DHS) on two occasions in 2005-06. The first agreement provided resources ($11 666) to enable the Office to participate in the Australian Government's Interdepartmental Committee charged with considering the use of smart technologies for service delivery.

    A second agreement provided the Office with resources ($35 000) to provide privacy policy advice to DHS during the development of a business case for a health and social services smart card. The agreement was for the period 22 November 2005 to 28 February 2006.

    4.1.7 Medicare Australia Memorandum of Understanding

    The Office has a Memorandum of Understanding (MOU) with Medicare Australia. Under this MOU, Medicare Australia provides the Office with resources ($130 000 per annum for the period 1 July 2005 to 30 June 2007) to provide advice and undertake work on privacy related projects relevant to Medicare Australia.

    4.1.8 NSW Privacy Memorandum of Understanding

    In December 2005, the Office entered into a Memorandum of Understanding (MOU) with the Office of the NSW Privacy Commissioner (Privacy NSW) to provide a framework for cooperation in undertaking their respective responsibilities when those responsibilities overlap and to take advantage of opportunities to assist each other in joint training, education, promotion and enforcement activities.

    4.2 Corporate Services

    4.2.1 Purchasing

    The Office's purchasing procedures comply with the Australian Government Procurement Guidelines issued by the Department of Finance and Administration. They address a wide range of purchasing situations, allowing managers to be flexible when making purchasing decisions while complying with the Australian Government's core procurement principle of value for money.

    There was no competitive tendering and contracting during 2005-06 that resulted in a transfer of provider from a Commonwealth supplier of goods or services to a non-government body.

    4.2.2 Audit Committee

    Consistent with the principles of good corporate governance and the requirements of the Financial Management and Accountability Act 1997, the Office maintains an audit committee to advise the Privacy Commissioner on the agency's compliance with external reporting requirements and the effectiveness and efficiency of internal control and risk management mechanisms in place within the Office. The audit committee met four times during the reporting period.

    4.2.3 Certification of Fraud Measures

    The Office has a fraud risk assessment and fraud control plan including procedures and processes in place to assist in the process of fraud prevention, detection, investigation and reporting in line with the Commonwealth Fraud Control Guidelines.

    4.2.4 Consultants

    The Office uses consultancy services where there is a need to access skills and expertise not available within the human resources of the agency. In 2005-06 the Office did not engage any reportable consultancy services.

    Please note that in section 6.2.3 of the 2003-04 Annual Report, consultancy service costs were incorrectly reported as $57 750. The correct figure should have been $63 525.

    4.2.5 Advertising and Market Research

    No market research was undertaken by the Office during 2005-06.

    4.2.6 Ecologically Sustainable Development and Environmental Performance

    The Office uses energy saving methods in its operation and endeavours to make the best use of resources. The Office has implemented a number of environmental initiatives to ensure issues of environmental impact are addressed. Waste paper, cardboard, printer cartridges and other recyclable materials are recycled subject to the availability of appropriate recycling schemes. Preference is given to environmentally sound products when purchasing office supplies. Purchase/leasing of 'Energy Star' rated office machines and equipment is encouraged, as are machines with 'power save' features.

    4.3 Management of Human Resources

    4.3.1 Staffing Overview

    The Office's average staffing level for 2005-06 was 41 staff with a turnover of approximately 8% for ongoing staff. An overview of the Office's staffing profile as at 30 June 2006 is summarised in Table 4.1.

    Table 4.1 Overview of Staffing Profile as at 30 June 2006

    | Classification | Male | Female | Full Time | Part Time | Total Ongoing | Total Non-ongoing |
    |---|---|---|---|---|---|---|
    | Statutory Office Holder | - | 1 | 1 | - | - | 1 |
    | SES Band 1 | 1 | - | 1 | - | 1 | - |
    | EL 2 ($81,860-$94,278) | 1 | 1 | 2 | - | 2 | - |
    | EL 1 ($70,976-$77,834) | 3 | 4 | 7 | - | 7 | - |
    | APS 6 ($56,742-$63,598) | 7 | 9 | 15 | 1 | 14 | 2 |
    | APS 5 ($51,260-$55,365) | 3 | 4 | 6 | 1 | 5 | 2 |
    | APS 4 ($45,958-$49,901) | 7 | 3 | 6 | 4 | 4 | 6 |
    | APS 3 ($41,236-$44,506) | 1 | 2 | 2 | 1 | 3 | - |
    | APS 2 ($37,200-$40,147) | - | - | - | - | - | - |
    | APS 1 ($31,990-$35,355) | - | - | - | - | - | - |
    | Total | 23 | 24 | 40 | 7 | 36 | 11 |

    4.3.2 Workplace Relations and Employment

    Staff in the Office are employed under s. 22 of the Public Service Act 1999. Staff are covered by the Office of the Privacy Commissioner Certified Agreement 2006-2009 which was certified by the Australian Industrial Relations Commission in March 2006 and is in operation until March 2009. The Agreement is comprehensive and was certified under s. 70LJ of the Workplace Relations Act 1996. The number of Office employees covered by the Agreement as at 30 June 2006 was 43, including both ongoing and non-ongoing staff.

    Productivity savings funded a 13.5% salary increase to staff, delivered in three instalments over the life of the Agreement. The Agreement maintains core employment conditions and supports family friendly policies. The Agreement enhanced paid parental leave, access to extended leave following maternity or parental leave and access to part-time employment until children reach school age. The Agreement also introduced a Healthy Lifestyle Allowance to encourage staff to undertake healthy activities. New allowances were introduced for staff undertaking roles such as fire warden or health and safety representative. Employer superannuation contributions were made consistent for all new staff regardless of the fund they choose to join. Salary progression within classification levels continues to be subject to performance assessment. Salary ranges are reflected in Table 4.1.

    The Office has three staff covered by Australian Workplace Agreements, including one Senior Executive Service (SES) staff member.

    4.3.3 Performance Management and Staff Development

    The Office's Performance Management Scheme provides a framework to manage and develop staff to achieve corporate objectives. The scheme provides regular and formal assessment of an employee's work performance and allows for access to training and skill development. During the year, the Australian Public Service Commission provided training on the scheme to new staff and supervisors.

    The Office's Certified Agreement recognises the need to provide adequate training for staff to support workplace changes. This is especially relevant with changes in the information technology area where staff are provided with relevant and ongoing training.

    Training is identified through an individual's training and development plan in conjunction with the Performance Management Scheme. Training encompasses a range of development activities including professional development courses, on-the-job training and the opportunity to represent the organisation at seminars and other fora.

    As part of the Office's staff development strategy, staff are provided with support under a Studies Assistance policy. The policy provides for access to study leave where study is relevant to the work of the Office, an individual's work responsibilities and where it assists with career development.

    4.3.4 Workplace Diversity and Equal Employment Opportunity

    The Office recognises that diversity in staff is one of its greatest assets and is committed to valuing and promoting the principles of workplace diversity through work practices. The Office participates in a joint Workplace Diversity Committee with the Human Rights and Equal Opportunity Commission. Throughout the year the Office promoted and supported events including International Women's Day, NAIDOC week and Harmony Day. Other strategies under the plan focus on family friendly workplace policies which were enhanced in the recent Certified Agreement. The Committee continues to work towards achieving results in the Diversity Plan.

    4.3.5 Occupational Health and Safety

    The Office and the Human Rights and Equal Opportunity Commission are co-located and cooperate over Occupational Health and Safety (OH&S) issues. The Office's Health and Safety representative is a member of the joint agencies OH&S Committee. This committee also includes corporate support staff and meetings are held regularly throughout the year.

    It is the policy of the Office to promote and maintain the highest degree of health, safety and wellbeing of all staff. The Office monitors health and safety through the OH&S Committee. Minutes of the OH&S Committee are placed on the Office's intranet and any issues that require action are brought to the attention of management.

    A risk assessment undertaken during the reporting period did not identify any major risks to health and safety, only minor issues of workstation setup for some staff. New ergonomic chairs were supplied to all staff during the year. Several staff had a workstation assessment by a qualified physiotherapist.

    A software program called 'WorkPace' assists staff in taking regular pause breaks through the day. The Office also offers support to staff through the promotion of QUIT smoking programs and flu vaccinations. There have been no dangerous accidents or occurrences reported over the last year.

    The Office continues to provide staff with access to counselling services through its Employee Assistance Program. This is a free and confidential service for staff and their families to provide counselling on personal and work related problems if required.

    4.3.6 Commonwealth Disability Strategy

    All Australian Government agencies are required to report annually against the Commonwealth Disability Strategy (CDS) performance framework. The Office's report against the CDS is laid out at Appendix 4. Full details on the CDS can be found on the Department of Family and Community Services website at www.facs.gov.au/disability/cds. Through the CDS the Government seeks to ensure its policies, programs and services are as accessible to people with disabilities as they are to all other Australians.

    Privacy Commissioner's Functions

    The Privacy Commissioner has specific statutory functions under ss. 27, 28 and 28A of the Privacy Act 1988. These functions include, amongst other things, investigating possible breaches of the Privacy Act, undertaking audits of agencies or organisations to ensure compliance with the Privacy Act, providing advice to agencies and organisations on matters related to privacy, and promoting and encouraging the adoption of privacy standards in the community.

    One of the key responsibilities of the Office is to handle complaints. Individuals who believe that their privacy may have been interfered with by an agency or organisation are able to lodge a complaint with the Office under s. 36 of the Privacy Act. The Privacy Commissioner may then undertake preliminary enquiries of the respondent to determine whether there are grounds, and whether the Commissioner has jurisdiction, to formally open an investigation into the complaint under s. 40 of the Privacy Act.

    Staff of the Compliance section facilitate a conciliation between the parties to attempt to adequately resolve the dispute. If the parties are not able to come to a mutually satisfactory agreement, the Privacy Commissioner is able to make a determination under s. 52 of the Privacy Act to dismiss the complaint. Alternatively, the Privacy Commissioner is able to find in favour of the complainant and decide upon suitable orders to remedy the breach. The orders are enforceable in the Federal Court or Federal Magistrates Court under s. 55A of the Privacy Act.

    Generally, a complaint must be in writing. The Office is obliged to provide appropriate assistance to people who require it in order to help formulate and appropriately set out the particulars of the complaint.

    Individuals cannot complain to the Privacy Commissioner about organisations which are bound by a privacy code approved by the Commissioner, when that code has its own code adjudicator. Individuals may, however, ask the Privacy Commissioner to review a determination made by a code adjudicator under s. 18BI of the Privacy Act.

    The Privacy Commissioner has the power to launch investigations under s. 40(2) of the Privacy Act, and these are referred to as Own Motion Investigations (OMIs). The Privacy Commissioner undertakes OMIs where it appears that a breach of the Privacy Act may have occurred and it is thought to be desirable that an OMI be undertaken, for example where the alleged breach is not limited to one complainant, or in circumstances where the alleged breach raises systemic and/or ongoing issues.

    The Office's Policy section assists the Privacy Commissioner in providing advice on privacy issues, including interpreting the operation of the Privacy Act, to Ministers, Australian and ACT Government agencies, and organisations. The section develops guidance material (such as guidelines, information sheets and FAQs) to help explain the operation of the Privacy Act and the Privacy Commissioner's functions.

    The Policy section examines enactments and proposals from agencies, advising on their potential privacy implications and their overall compliance with the Privacy Act. It also assists the Privacy Commissioner in carrying out other functions under the Privacy Act, as well as prescribed functions under the National Health Act, the Telecommunications Act and the Crimes Act.

    The Office's Corporate and Public Affairs section manages the public profile of the Office and the Privacy Commissioner, provides secretariat support and manages the Office's corporate responsibilities. The unit is responsible for developing and maintaining the Office's website, handling media enquiries, assisting with the provision of Privacy Act training and providing a secretariat role to several committees including the Privacy Contact Officer (PCO) Steering Committee, Privacy Advisory Committee and Asia Pacific Privacy Authorities Forum. The section also liaises with key stakeholders, including domestic bodies and international authorities, and handles the Office's corporate governance responsibilities.

    Chart A1.1 Organisational Structure

    Organisation chart

    Privacy Act

    The Privacy Act gives effect to Article 17 of the International Covenant on Civil and Political Rights and to the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act establishes the method by which personal information about individuals can be collected and stored, specifies the permissible uses of that information, and limits the circumstances in which that information can be disclosed. It also sets out a mechanism by which individuals can gain access to, and amend where appropriate, the personal information about them held by agencies and organisations.

    The Privacy Act protects personal information under four sets of requirements:

    • The Information Privacy Principles (IPPs) at Appendix 7 set out strict safeguards for any personal information that is handled by Australian and ACT Government agencies. These rules cover the collection, storage, use and disclosure of this information. They also provide for individual access to and correction of their own personal information.
    • Individuals' Tax File Numbers (TFNs): the Privacy Act prevents TFNs from being used as a de facto national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax-related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and enforces legally binding guidelines.
    • Part IIIA of the Privacy Act places strict safeguards on the handling of individuals' consumer credit information by the credit industry. These provisions recognise the sensitivity of credit worthiness information and the implications for individuals should credit information be mishandled. Strict penalties apply if these provisions are breached.
    • The National Privacy Principles (NPPs) at Appendix 6 regulate the way private sector organisations handle personal information unless they are replaced by a code approved by the Commissioner under s. 18BB of the Privacy Act. These principles cover the collection, storage, use, disclosure and access obligations of organisations.

    Subordinate Legislation

    Privacy in Australia is further regulated by subordinate legislation including:

    • Privacy (Private Sector) Regulations 2001, which set out the standards under s. 18BB(3)(a)(i) of the Privacy Act that need to be met before a privacy code can be approved by the Privacy Commissioner, and prescribe specific agencies, state authorities and organisations for particular purposes under the Privacy Act.
    • Privacy codes approved by the Privacy Commissioner to replace the National Privacy Principles for particular organisations or activities.
    • Mandatory guidelines under the Privacy Act, for example the Tax File Number Guidelines issued under s. 17 of the Privacy Act or guidelines issued under s. 18BF(1)(b) of the Privacy Act relating to code approval.
    • Public Interest Determinations and Temporary Public Interest Determinations under Part VI of the Privacy Act.
    • Credit Reporting Determinations issued under s. 11B(1)(b)(v)(B) of the Privacy Act.
    • Credit Reporting Code of Conduct issued under s. 18A of the Privacy Act.

    These are supported by non-binding advisory guidelines issued by the Office, such as:

    • Guidelines for the Use of Data-matching in Commonwealth Administration issued under s. 27(1)(e) of the Privacy Act.
    • Guidelines to the National Privacy Principles.
    • Guidelines on Privacy in the Private Health Sector.
    • Code Development Guidelines (parts of these guidelines are mandatory).
    • Guidelines for Federal and ACT Government Websites.
    • Guidelines on Workplace Email, Web Browsing and Privacy.
    • Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to communicate or transact with individuals.

    In addition, the National Health and Medical Research Council (NHMRC) has issued the following binding guidelines after consulting with the Privacy Commissioner:

    • Guidelines Under Section 95 of the Privacy Act 1988.
    • Guidelines approved under Section 95A of the Privacy Act 1988.

    Other Legislation

    The role of the Privacy Commissioner is further defined by legislated responsibilities that are set out in the following Acts of Parliament:

    • Part VIIC of the Crimes Act 1914, the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances (the Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme).
    • The Data-matching Program (Assistance and Tax) Act 1990, which regulates data-matching between the Australian Taxation Office and the assistance agencies to detect overpayment and ineligibility for assistance (under the Act, the Privacy Commissioner is responsible for issuing guidelines for protecting privacy, investigating complaints and monitoring agency compliance).
    • The National Health Act 1953, under which the Privacy Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals' claim information under the Pharmaceutical Benefits Scheme and the Medicare program.
    • The Telecommunications Act 1997, under which the Privacy Commissioner has certain monitoring and compliance functions.

    Outcomes and Outputs Structure

    The Office's outcome statement, as set out in the Portfolio Budget Statement, is:

    An Australian culture in which privacy is respected, promoted and protected.

    There is one output for the Office's outcome:

    Complaint handling, compliance and monitoring, and education and promotion.

    There are two performance measures:

    Quality

    • Majority of complainants and respondents surveyed satisfied that complaint handling service was timely and impartial.
    • Majority of enquirers surveyed satisfied with advice provided by Hotline and in written response.
    • 80% of complaints finalised within 12 months of receipt, 90% of written enquiries answered within 10 days.
    • Agencies and organisations satisfied that audits improve their privacy practices and procedures.
    • Audits finalised within 6 months of commencement.
    • Targeted information available that informs the community, including business and government, of their rights and responsibilities in respect of the Office's jurisdictional responsibilities.

    Quantity

    • Close 1300 complaints, respond to 2000 written enquiries, and answer 20 000 calls.
    • 3 audits commenced.
    • >800 000 visits to the website.
    • >3.5 million pages viewed on the website.

    Table A1.1 Resources for Outcomes

    Budget 2005-06 $'000 Actual Expenses 2005-06 $'000 Budget 2006-07 $'000
    Total Administrative Expenses - - -
    Price of Department Outputs
    Output Group 1.1 Complaint handling, compliance and monitoring, and education and promotion 4975 4944 7046
    Subtotal Output Group 1.1 4975 4944 7046
    Revenue from Government (Appropriation) for Departmental Outputs 4156 4156 6282
    Revenue from other Sources 819 788 764
    Total price of Outputs 4975 4944 7046
    Total for Outcome 1 (total price of Outputs and Administered Expenses) 4975 4944 7046
    Actual 2005-06 Estimated Actual 2005-06
    Average Staffing Level 41 54

    The Freedom of Information Act 1982 (FOI Act) gives the general public legal access to government documents. For information on the Office's procedures see Freedom of Information procedures on page 73.

    Section 8 of the FOI Act requires each Australian Government agency, including this Office, to publish information about the way the Office is organised, together with its functions, powers and arrangements for public participation in the work of the agency. The Office is also required to publish the categories of documents that the Office holds and how members of the public can gain access to them.

    Organisational structure

    The Office's organisational structure is provided in Chart A1.1 in Appendix 1.

    Authority and legislation

    The Office is established, and the Privacy Commissioner's functions and powers are conferred, by the Privacy Act 1988. Information regarding the Office's functions and powers is set out in Appendix 1.

    Number of formal requests for information

    During 2005-06, the Office received five requests for access to documents under the FOI Act. The requests all related to access to documents relating to individual privacy complaints.

    Avenues for public participation

    The Office uses the following processes and consultative bodies to assist the participation by persons or bodies outside the Commonwealth administration in the policy-making functions of the Office or in its administration of various schemes and enactments.

    • The Office invites public consultation from individuals and organisations through its website at www.privacy.gov.au/aboutus/consultations.
    • The Office has a strategic plan which includes developing networks of influence across the community, empowering the community to make privacy choices and providing leadership in privacy thinking.
    • Part VII of the Privacy Act provides for the establishment of the Privacy Advisory Committee to advise the Commissioner on relevant matters, recommend material to the Commissioner for inclusion in guidelines and, subject to direction by the Commissioner, engage in community education and consultation.
    • The Privacy Commissioner's Health Privacy Forum is an informal group of senior stakeholders from the health sector to assist the Commissioner on matters of health privacy.
    • The Office coordinates the Privacy Contact Officer (PCO) Network to facilitate the resolution of privacy issues within Australian and ACT Government agencies and provide training and expertise to those agencies. The PCO network meets four times per year.
    • The Office meets on an informal basis with representatives of privacy and consumer non-government organisations to discuss privacy matters affecting the Australian community.
    • The Privacy Connections Network is a group of people from across all sectors of the Australian community connected together to exchange, discuss and develop good privacy practices and solutions.
    • The Compliance area conducts customer surveys to determine levels of service and customer satisfaction. A survey was conducted in 2004-05 and this survey will be repeated in 2006-07.
    • The Commissioner also has legislative requirements to consult. For example, the provisions relating to the making of a public interest determination require the production of a draft determination and inviting interested parties to attend a conference (ss. 75 and 76 of the Privacy Act). Similarly, the Commissioner needs to be satisfied that there has been an adequate opportunity for the public to comment before approving a proposed privacy code (s. 18BB(2)(f)).

    Categories of documents

    Documents held by the Office relate to:

    • administration matters, including personnel, recruitment, accounts, purchasing, registers, registry, library records and invoices
    • compliance matters, including audits, and the investigation, clarification, conciliation and resolution of complaints
    • legal matters, including legal documents, opinions, advice and representations
    • research matters, including research papers in relation to complaints, existing or proposed legislative practices, public education, national inquiries and other relevant issues
    • policy matters, including minutes of meetings, administrative and operational guidelines
    • operational matters, including files on formal inquiries
    • reference materials, including press clippings, survey and research materials, documents relating to conferences, seminars and those contained in the library.

    Freedom of Information procedures

    Initial enquiries regarding access to the Office's documents should be directed to the Freedom of Information Officer by either telephoning (02) 9284 9800 or writing to:

    Freedom of Information Officer Office of the Privacy Commissioner GPO Box 5218 Sydney NSW 2001

    Procedures for dealing with FOI requests are detailed in s.15 of the FOI Act. A valid request must:

    • be in writing
    • be accompanied by a payment of a $30 application fee
    • include the name and address of the person requesting the information
    • be processed within 30 days of receipt.

    Some documents are exempt from public perusal under the FOI Act. Where documents are not accessible by the applicant, valid reasons will be provided. The Office's decisions about accessibility of documents may be reviewed by the Administrative Appeals Tribunal.

    Facilities for obtaining physical access

    The Office provides copies of the requested documents by mail to the enquiring party, subject to exceptions established under the FOI Act.

    The Office will also consider requests from parties to view hard copies of the requested documents in person at the Office.

    Karen Curtis, Privacy Commissioner

    2005

    12 July Safeguarding Australia Conference, Canberra

    20 July Australian Credit Forum Luncheon, Sydney

    28 July Standing Committee of Attorneys-General (SCAG), Canberra

    16 August Department of Human Services, Canberra

    19 August Administrative Review Council Meeting, Canberra

    2 September Privacy Contact Officer Meeting, Canberra

    13 September Privacy Laws and Business Roundtable, Montreux, Switzerland

    15 September 27th International Data Protection Commissioners' Conference, Montreux, Switzerland

    16 November 12th Meeting of the Privacy Victoria Network and Shared Issues in Privacy Forum, Melbourne

    25 November Australian Court Administrators' Group - Courts and Tribunals Annual Conference, Sydney

    2 December Privacy Contact Officer Network Meeting, Canberra

    2006

    3 March Privacy Contact Officer Network Meeting, Canberra

    30 March Keynote Speech to Privacy Issues Forum, New Zealand

    28 April Administrative Appeals Tribunal (AAT): Presentation to Professional Development Session, Sydney

    17 May Australian Graduate School of Management Symposium, Sydney

    17 May New South Wales Privacy and FOI Network Meeting, Sydney

    31 May Presentation at Staff Induction Training, Sydney

    2 June Privacy Contact Officer Network Meeting, Canberra

    15 June Institute of Public Administration Australia, Breakfast Seminar, Canberra

    5 September University of New South Wales, Masters of Laws Students

    7 September UNICEF Australia, Sydney

    9 September Customer Contact Management Association (CCMA) Luncheon, Melbourne

    14 October Alternative Dispute Resolution (ADR) Seminar on Privacy and Complaint Handling for Joint Initiatives Group (JIG)

    25 October Computer Audit, Control and Security Conference, Perth

    26 October Department of Defence Biannual Fraud Forum for Commonwealth Fraud Investigation Agencies, Canberra

    16 November Australian Communications and Media Authority (ACMA) International Conference, Sydney

    2 December Privacy Contact Officer Network Meeting, Canberra (two presentations)

    15 December Better Health IT Conference, Melbourne

    3 March Privacy Contact Officer Network Meeting, Canberra (three presentations)

    4 April Consumers' Health Forum of Australia Electronic Health Records Consumer Representatives Meeting, Sydney

    29 May Consumers' Health Forum of Australia E-Health National Information Workshop, Canberra

    2 June Privacy Contact Officer Network Meeting, Canberra (two presentations)

    22 June Australia and New Zealand Education Law Association (ANZELA) Seminar, Sydney

    Table A4.1 Commonwealth Disability Strategy Performance Reporting June 2006

    Policy Adviser Role

    Performance Indicator Performance Measure Current level of performance (2005-06)

    1. New or revised policy/program proposals assess impact on the lives of people with disabilities prior to decision.

    Percentage of new or revised policy/program proposals that document that the impact of the proposal was considered prior to the decision making stage.

    Submissions are made available on the Office's website where possible.

    The Office provides advice on the policy/program/legislative activities of other agencies from a privacy perspective. In a significant number of advices provided, particularly where new technologies are being considered, the privacy of people with disabilities is factored into the discussion. The Office seeks to have representative bodies actively involved in consultation, including in privacy impact assessments of proposals.

    A consideration for the Office is how the privacy rights of individuals with disabilities are being met. To aid this assessment, the Office surveys and collects demographic information relating to complainants.

    During the period 1 July 2005 to 30 June 2006 the Office received 118 responses to the survey. Of these, 37 respondents (31.4%) indicated they had a disability.

    2. People with disabilities are included in consultation about new or revised policy/program proposals.

    Percentage of consultations about new or revised policy/program proposals that are developed in consultation with people with disabilities.

    Where the Office undertakes consultations, groups representing the interests of people with disabilities are invited to participate.

    During consultation processes the Office considers the needs of individuals with disabilities.

    Public consultation events all occur in accessible venues.

    During 2005-06 the Deputy Disability Commissioner was a member of the Office's Privacy Advisory Committee, which advises the Privacy Commissioner on privacy issues. In January 2006, following his appointment as the Human Rights Commissioner, Mr Graeme Innes AO resigned from the committee.

    3. Public announcements of new, revised or proposed policy/ program initiatives are available in accessible formats for people with disabilities in a timely manner.

    Percentage of new, revised or proposed policy/ program announcements available in a range of accessible formats.

    Time taken in providing announcements in accessible formats.

    Simultaneously with public release, 100% of information about new Office initiatives is available on a W3C compliant website. Other formats are available on request.

    All material is available in other formats on request.

    The Privacy Connections Network had 688 members as of 30 June 2006.

    Disability peak groups are members; membership is also open to members of the public who may have disabilities. Members are offered the opportunity to sign up to an email subscription. Messages to the network are sent in plain text accessible formats.

    Regulator Role

    Performance Indicator Performance Measure Current level of performance (2005-06)

    1. Publicly available information on regulations and quasi-regulations is available in accessible formats for people with disabilities.

    Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

    • accessible electronic formats; and
    • accessible formats other than electronic.

    Average time taken to provide accessible material in:

    • electronic format; and
    • formats other than electronic.

    100% of Office information is available on its W3C compliant website.

    All material is available in other formats on request.

    Office services are accessible via website, phone and TTY.

    Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days.

    Some requests may require that we use external service providers. In these cases the turnaround to provide information in accessible formats may be impacted.

    2. Publicly available regulatory compliance reporting is available in accessible formats for people with disabilities.

    Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

    • accessible electronic formats; and
    • accessible formats other than electronic.

    Average time taken to provide accessible material in:

    • electronic format; and
    • formats other than electronic.

    100% of Office information is available on its W3C compliant website.

    All material is available in other formats on request.

    Office services are accessible via website, phone and TTY.

    Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days.

    Some requests may require that we use external service providers. In these cases the turnaround to provide information in accessible formats may be impacted.

    Provider Role

    Performance Indicator Performance Measure Current level of performance (2005-06)

    1. Providers have established mechanisms for quality improvement and assurance.

    Evidence of quality improvement and assurance systems in operation.

    The Office has a complaints/feedback hotline and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

    The Office generally conducts customer satisfaction surveys to determine the level of customer satisfaction with the Office's services. During 2005-06 the Office was unable to conduct this survey but plans to undertake this survey again in 2006-07.

    2. Providers have an established service charter that specifies the roles of the provider and consumer and service standards which address accessibility for people with disabilities.

    Established service charter that adequately reflects the needs of people with disabilities in operation.

    The Office does not have an agency wide service charter but has complaint handling service standards in place as this is a major client focus.

    All Office complaints information and brochures are available on the website in accessible electronic format. Information about the complaints process and legislation is available in plain English format on the Office website. The website is updated regularly.

    Office information available in alternative formats on request.

    3. Complaints / grievance mechanism, including access to external mechanisms, in place to address issues and concerns raised about performance.

    Established complaints/grievance mechanisms, including access to external mechanisms, in operation.

    The Office uses a current complaints information referral list to ensure callers with disabilities can be referred to appropriate advocacy groups.

    The Office has a complaints/feedback hotline and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

    Email, TTY and a National 1300 number at the cost of a local call available.

    Premises are accessible.

    Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint.

    When dealing with requests for access to personal information, organisations are advised to consider issues of accessibility.

    No complaints have been received regarding access to the Office complaint handling service or premises.

    Employer Role

    Performance Indicator Performance Measure Current level of performance (2004-06)

    1. Employment policies and procedures comply with the requirements of the Disability Discrimination Act 1992.

    Number of employment policies, procedures and practices that meet the requirements of the Disability Discrimination Act 1992.

    The Office promotes and supports APS values.

    The Office's Certified Agreement (CA) contains reference to Workplace Diversity principles. Most of the Office's policies on employment are contained within the CA.

    The Workplace Diversity Plan (jointly participated in by the Office and HREOC) outlines strategies to maximise employment opportunities for people with disabilities. On induction all new staff are provided with a copy of the plan.

    The email/internet policy is reviewed annually. It specifically refers to the inappropriate use of email that may demean people with disabilities.

    There were no formal complaints/grievances made by staff with disabilities with regard to current work practices.

    2. Recruitment information for potential job applicants is available in accessible formats on request.

    Percentage of recruitment information requested and provided in:

    • accessible electronic formats; and
    • accessible formats other than electronic.

    Average time taken to provide accessible information in:

    • electronic formats; and
    • formats other than electronic.

    100% compliance providing accessible formats for recruitment material.

    Recruitment information is able to be provided in any format.

    All recruitment material is on the Office's website.

    Advertisements in press advise that information is available at contact phone number, by TTY phone and on the Office's website.

    The Office website meets the criteria for accessibility as outlined in the Government Online Strategy and the Deputy Disability Commissioner has advised in the process.

    There were no requests for Braille during 2005-06.

    3. Agency recruiters and managers apply the principle of 'reasonable adjustment'.

    Percentage of recruiters and managers provided with information on 'reasonable adjustment'.

    Selection guidelines include information on 'reasonable adjustment' and guidelines for interviewing staff with disabilities.

    Recruitment action is managed internally and not outsourced and all committees are provided with selection information on 'reasonable adjustment'.

    4. Training and development programs consider the needs of staff with disabilities.

    Percentage of training and development programs that consider the needs of staff with disabilities.

    Due to the small number of staff in the Office, training is coordinated by each of the unit managers under the Office's Performance Management Scheme. The majority of training is provided off-site with external providers and any in-house training programs recognise the needs of people with disabilities.

    Training nomination forms include specific requirements that may be needed such as:

    • wheelchair access
    • accessible toilets/parking
    • a hearing device
    • sign language interpreter
    • an attendant
    • a support person
    • information in Braille, audio cassette, large print, ASCII format.

    5. Training and development programs include information on disability issues as they relate to the content of the program.

    Percentage of training and development programs that include information on disability issues as they relate to the program.

    As noted above training is coordinated by each individual section.

    Induction includes information on Workplace Diversity and relevant legislation, including the DDA.

    The Complaint Handling section of HREOC conducts training and information on disability issues for staff of HREOC and the Office.

    6. Complaint/ grievance mechanism, including access to external mechanisms, in place to address issues and concerns by staff.

    Established complaints/ grievance mechanisms, including access to external mechanisms in operation.

    There is an established process in the Office's Certified Agreement for complaints/grievances, which includes access to external review through the Australian Public Service Commission.

    All staff are advised of access to the Office's Employee Assistance Program and encouraged to use this service when needed. This free service provides counselling and support for staff and their families.

    100% compliance with provision of access to complaints/grievance mechanisms.

    Note: Accessible electronic formats include ASCII (or .txt) files and html for the website. Non electronic accessible formats include Braille, audio cassette, large print and easy English. Other ways of making information available include video captioning and Auslan interpreters.

    In 2005-06 the Office continued collecting detailed demographic information of complainants. The Office invites all complainants to respond to the survey. While the response rate is low, the Office will continue to use the information to improve its accessibility and other services to complainants. Below are a series of tables which provide a summary of the responses received in 2005-06 compared to the results received in 2004-05.

    Table A5.1 Gender of complainants

    2004-05 2005-06
    Female 40 43.0% 53 44.9%
    Male 53 57.0% 65 55.1%
    Total 93 100% 118 100%

    Table A5.2 Complainants' access to the Internet

    2004-05 2005-06
    Nil return 3 3.2% 0 0.0%
    No 22 23.7% 23 19.5%
    Yes 68 23.1% 95 80.5%
    Total 93 100% 118 100%

    Table A5.3 Main language spoken at home

    2004-05 2005-06
    English 83 89.2% 115 97.5%
    Other 10 10.8% 3 2.5%
    Total 93 100% 118 100%

    Table A5.4 Country of birth of complainants

    2004-05 2005-06
    Australia 60 64.5% 83 70.3%
    Great Britain 16 17.2% 14 11.9%
    New Zealand 0 0.0% 7 5.9%
    Other 17 18.3% 14 11.9%
    Total 93 100% 118 100%

    Table A5.5 Location of complainants

    2004-05 2005-06
    Capital City 58 62.4% 81 68.6%
    Country Town 14 15.1% 18 15.3%
    Major regional centre 18 19.4% 18 15.3%
    Rural 3 3.1% 1 0.8%
    Total 93 100% 118 100%

    Table A5.6 Aboriginal or Torres Strait Islander background of complainants

    2004-05 2005-06
    Did not comment 3 3.2% 0 0.0%
    Aboriginal/ Torres Strait Islander 1 1.1% 2 1.7%
    Non Aboriginal/ Torres Strait Islander 89 95.7% 116 98.3%
    Total 93 100% 118 100%

    Table A5.7 Level of education completed by complainants

    2004-05 2005-06
    Nil Return 3 3.2% 1 0.8%
    Postgraduate Degree 12 12.9% 11 9.3%
    Bachelor Degree 15 16.1% 36 30.5%
    Diploma/Advanced Diploma 13 14.0% 21 17.8%
    Study not leading to a qualification 2 2.2% 4 3.4%
    Year 10 or below 32 34.4% 29 24.6%
    Year 12 16 17.2% 16 13.6%
    Total 93 100% 118 100%

    Table A5.8 Age range of complainants

    2004-05 2005-06
    19-29 years 7 7.5% 12 10.2%
    30-39 years 23 24.7% 20 16.9%
    40-49 years 29 31.2% 39 33.1%
    50-59 years 17 18.3% 27 22.9%
    60-69 years 12 12.9% 15 12.7%
    70-79 years 3 3.2% 3 2.5%
    80-89 years 2 2.2% 2 1.7%
    Total 93 100% 118 100%

    Table A5.9 Complainants with a disability

    2004-05 2005-06
    No comment 0 0.0% 1 0.8%
    No Disability 58 62.4% 80 67.8%
    Medical 13 14.0% 10 8.5%
    Sensory 7 7.5% 4 3.4%
    Psychiatric 2 2.2% 6 5.1%
    Movement 11 11.8% 12 10.2%
    Other 2 2.1% 5 4.2%
    Total 93 100% 118 100%

    Table A5.10 Source of knowledge about the Office of the Privacy Commissioner

    2004-05 2005-06
    A legal Centre/Lawyer 7 7.5% 11 9.3%
    Another Community Organisation 7 7.5% 8 6.8%
    Family member/friend/support person/associate 11 11.8% 8 6.8%
    Government agency (not the government agency I complained about) 7 7.5% 16 13.6%
    Internet 4 4.3% 8 6.8%
    Media 3 3.2% 13 11.0%
    Other 23 24.9% 28 23.8%
    Our website www.privacy.gov.au 11 11.8% 9 7.6%
    Pamphlet/leaflet 5 5.4% 1 0.8%
    State or Territory Privacy Commissioner 4 4.3% 1 0.8%
    Telephone book 4 4.3% 5 4.2%
    The organisation/government agency I complained about told me 7 7.5% 10 8.5%
    Total 93 100% 118 100%

    Table A5.11 Annual income range of complainants

    2004-05 2005-06
    Nil Return 5 5.4% 2 1.7%
    $0 - $25,000 26 28.0% 42 35.6%
    $25,001 - $50,000 36 38.7% 31 26.3%
    $50,001 - $75,000 15 16.1% 16 13.6%
    $75,001 or more 11 11.8% 27 22.9%
    Total 93 100% 118 100%

    The National Privacy Principles as set out in Schedule 3 of the Privacy Act 1988

    The Information Privacy Principles as set out in s. 14 of the Privacy Act 1988

    AAT Administrative Appeals Tribunal
    ACMA Australian Communications and Media Authority
    ACCC Australian Competition and Consumer Commission
    ACIF Australian Communications Industry Forum
    ADR Alternative Dispute Resolution
    AGAF(I) Australian Government Authentication Framework for Individuals
    AGD Attorney-General's Department
    AGIMO Australian Government Information Management Office
    ALRC Australian Law Reform Commission
    ANZELA Australia and New Zealand Education Law Association
    APPA Asia Pacific Privacy Authorities
    APS Australian Public Service
    Austlii Australasian Legal Information Institute
    AWG Authentication Working Group
    APEC Asia-Pacific Economic Cooperation
    ASIC Australian Securities and Investments Commission
    ATO Australian Taxation Office
    AUSTRAC Australian Transaction Reports and Analysis Centre
    CA Certified Agreement
    CCMA Customer Contact Management Association
    CDS Commonwealth Disability Strategy
    CRGIS Commonwealth Reference Group on Identity Security
    CCTV Closed circuit television
    Customs Australian Customs Service
    DCITA Department of Communications, Information Technology and the Arts
    DFAT Department of Foreign Affairs and Trade
    DHS Department of Human Services
    DIMA Department of Immigration and Multicultural Affairs
    DoHA Department of Health and Ageing
    DVA Department of Veterans' Affairs
    DVS Document Verification Service
    EHR electronic health records
    FOI Freedom of Information
    HIC Health Insurance Commission
    HREOC Human Rights and Equal Opportunity Commission
    ICA Insurance Council of Australia
    IPPs Information Privacy Principles
    IMAGE Information Management for Government Employees (IMAGE)
    JIG Joint Initiatives Group
    MCCA Ministerial Council on Consumer Affairs
    MOU Memorandum of Understanding
    NHMRC National Health and Medical Research Council
    NPPs National Privacy Principles
    OECD Organisation for Economic Cooperation and Development
    OH&S Occupational Health and Safety
    OMI Own Motion Investigation
    PAC Privacy Advisory Committee
    PCO Privacy Contact Officer
    PIA Privacy Impact Assessment
    PID Personal Information Digest
    RSS Really Simple Syndication
    RTDs residential tenancy databases
    SCAG Standing Committee of Attorneys-General
    SES Senior Executive Service
    TFN tax file number
    TPID Temporary Public Interest Determination