Australian Government - Office of the Australian Information Commissioner
2006-07 Annual Report of the Office of the Privacy Commissioner

User's Guide

Commissioner's Overview 2006-07

Chapter 1 Respecting Privacy

Chapter 2 Promoting Privacy

Chapter 3 Protecting Privacy

Chapter 4 Management and Accountability

Appendices

Appendix 1 The Privacy Act and the Office of the Privacy Commissioner

Appendix 2 Freedom of Information Act Compliance

Appendix 3 Speeches and Presentations

Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2006

Appendix 5 Demographic Information about Complainants

Appendix 6 National Privacy Principles

Appendix 7 Information Privacy Principles

Appendix 8 Strategic Plan 2007-09

Financial Statements (PDF only)

Glossary

Copyright
© Office of the Privacy Commissioner 2007 ISSN 1035-3372

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, right and content should be addressed to:

Copyright Officer
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001

Email: privacy@privacy.gov.au

User's Guide

Immediately following this guide, you will find the Commissioner's Overview for 2006-07 which includes a summary of significant issues, developments and achievements during the year, key statistics, and an outline for the year ahead for the Office.

The main chapters follow the Overview and the Annual Report is concluded by the various Appendices, Glossary and Index.

Chapter 1 Respecting Privacy describes the Office's work for 2006-07 in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating key client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy representatives across Australian and ACT Government departments and agencies, handling media enquiries, maintaining the Office's website and assisting with speeches and presentations by the Commissioner and members of staff.

Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of government agencies, investigating complaints and conciliating disputes.

Chapter 4 Management and Accountability contains an overview of the Office's administrative arrangements, management of human resources and corporate governance.

The Appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.

The Office of the Privacy Commissioner's audited Financial Statements for 2006-07 are located immediately following the Appendices. The Glossary and Alphabetical Index can be found at the end of the report.

ACT Government

Information that relates directly to ACT Government matters can be found in sections 1.4, 3.8.1.1, 3.8.2.1 and 4.1.3.

How to find out more

For enquiries about this report or for copies of other Office of the Privacy Commissioner publications, please contact:

Director
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001

Telephone: + 61 2 9284 9800   + 61 2 9284 9666
Email: privacy@privacy.gov.au
Website: www.privacy.gov.au

Enquiries line: 1300 363 992 local call
TTY: 1800 620 241 no voice calls

This report is also available on the Office of the Privacy Commissioner's website at www.privacy.gov.au/materials#A.

Non-English Speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.

Commissioner's Overview 2006-07

2006-07 was a year characterised by strategic analysis, reflection on the operation of the law and looking to the future.

Two projects in particular capture this. One was my Office's submission to the Australian Law Reform Commission (ALRC) review of privacy. The other was our development of a new Strategic Plan to guide our operations over the next three years.

Our substantial submission to the ALRC review of privacy crystallises our thoughts on what the future of privacy regulation in Australia should look like. This submission brings together my Office's position on issues as varied as the privacy principles, technology, transborder data flows, exemptions to the Privacy Act, health and telecommunications, to name a few.

A central theme of the submission was that any reform of Australia's privacy laws should aim to enhance regulatory consistency and reduce complexity. Nationally consistent privacy legislation will reduce compliance difficulties for agencies and organisations and empower individuals to understand and exercise their privacy rights without confusion.

Currently, the Privacy Act contains two sets of privacy principles. One set applies to Australian and ACT Government agencies and the other to the private sector. I believe that a technology-neutral, principles-based approach remains the best way to regulate personal information handling in the context of rapid technological change. However, my Office has suggested that these two sets of principles should be replaced by a single set of principles to reduce regulatory complexity.

Further information about the ALRC review of privacy is available in section 1.2 of this report.

The second project that caused the Office to look to the future was our development of a new Strategic Plan; a project vital to all aspects of our operations.

For me, a Strategic Plan is essential to the success of an agency. It focuses the agency's energies and gives a clear and steady direction to its many operations and functions.

Our strategic planning process involved the whole Office and I am very pleased with the outcome, which is a plan that combines high standards and goals with practical actions for achieving those goals.

Our vision, as articulated in our new Strategic Plan, is of 'an Australian community in which privacy is valued and respected'. This simple but powerful vision lies at the heart of all our efforts to promote, protect and encourage respect for that simple but powerful value: privacy.

Many have commented on the upheaval we have seen in the past few decades (particularly in the realm of information technology) and how this has impacted on privacy and the way we make ourselves known to the world. But what hasn't changed is that we will still need privacy to live full, autonomous and free lives.

Our Strategic Plan heralds the next instalment of our work to promote and protect this important value. The Plan is attached to this Annual Report at Appendix 8.

The new Strategic Plan and our submission to the ALRC review of privacy were major pieces of work for 2006-07. However there were many significant projects undertaken by my Office during the year.

During 2006-07 my Office continued to work closely with the Office of Access Card and the Consumer and Privacy Taskforce to provide advice on the privacy framework surrounding the proposed Health and Social Services Access Card.

In 2006-07, the Office also implemented many of the recommendations made in its Complaint Handling Review in an ongoing effort to reduce the complaint backlog and enhance our service standards and conciliation techniques.

In 2006, my Office joined with state and territory privacy regulators to promote 'Privacy Awareness Week'. During the week, the Office released a number of promotional items and hosted an event at which the Attorney-General launched the Office's new layered privacy policy, and Privacy Impact Assessment Guide.

In November 2006, my Office also marked the five year anniversary of the National Privacy Principles (NPPs). My Office hosted a function which offered a chance both to look back at how the NPPs had performed and to look forward. This event is, I hope, the first of many Privacy Connections events hosted by the Office to raise privacy awareness in the private sector.

The year ahead

In 2007-08, the Office will continue to host Privacy Connections events across Australia to raise awareness in the private sector about privacy obligations under the Privacy Act. These events will likely involve speakers from the Office as well as guest speakers sharing their knowledge of information handling in their organisations.

We will also work to promote privacy via the Privacy Awareness Week initiative, which in 2007 will be promoted in coordination with other data protection authorities in the Asia Pacific region.

In 2007, the Office will be releasing the results of community attitudes research it has commissioned. This research seeks to find out what individuals think about privacy in different contexts. The research will help the Office to 'tune in' to community expectations about privacy and will be vital for ensuring that Office operations and activities match the needs of key stakeholders.

During the reporting period, the Office undertook to audit all of its publications to check for accuracy and currency. In 2007-08 the Office will update publications based on the findings of the audit. Our aim is to have guidance material available to stakeholders that is clear, up-to-date, accessible, and written in plain English.

Tying in closely with the publications review is the redevelopment of the Office's website which will be progressed in the coming year. The website redevelopment seeks to make our publications easy to find and improve the layout and accessibility of the Office's online presence.

With many of the recommendations implemented from the Office's Complaint Handling Review, the Office will move to taking a more proactive approach to encouraging compliance with the Privacy Act and look to address systemic privacy issues.

In 2007-08, the Office looks forward to participating in the next phase of the ALRC review of privacy. The ALRC is due to release a discussion paper in 2007 and then its final report in 2008. The Office will continue to consult with the ALRC during this period to ensure the best outcome for privacy legislation in Australia.

And finally, the Office is committed to implementing the actions and goals encompassed in its new Strategic Plan and work towards the vision of 'an Australian community in which privacy is valued and respected'.

The year in review - a summary

A brief summary of the Office's performance in 2006-07 is outlined below. A more detailed review of performance is contained in chapters 1 - 4.

Telephone Enquiries:

The Office received 17 392 telephone enquiries in 2006-07 compared with 19 150 in 2005-06. This represents a 9% decrease in enquiries received by the Enquiries Line. See section 3.2.1 for further information.

Written Enquiries:

The Office received 2182 enquiries by email, post or facsimile in 2006-07 compared with 2316 written enquiries reported in 2005-06. This represents a 6% decrease in the number of written enquiries received by the Office from the previous year. See section 3.2.2 for further information.

Complaints:

The Office received 1094 complaints in 2006-07 compared with 1183 in 2005-06. This represents an 8% decrease in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1210 complaints in 2006-07, representing a 7% increase from the previous year.

Case Notes:

The Office published 24 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may have a significant impact on a large number of people. Case notes serve to demonstrate to members of the public how the Commissioner handles complaints. Case notes also serve as a possible indication of the Commissioner's view in relation to aspects of privacy law. See section 3.5 for further information.

Determinations:

In 2006-07, the Office renewed three credit provider determinations. See section 1.5.3 for further information.

On 23 December 2006, Temporary Public Interest Determinations (TPIDs) issued by the Privacy Commissioner, which allowed health practitioners to collect patients' health information from the Prescription Shopping Information Service without consent, and without breaching NPP 10, expired. Amendments to the Privacy Act in 2006 removed the need for further TPIDs in this area. See section 1.6.3 for further information.

Complaint Handling Review:

As signalled in last year's Annual Report, and in line with Recommendation 42 of the Office's 2005 report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, the Office has reviewed its complaint handling processes. A series of changes were recommended, and these changes have either been implemented, or are close to final implementation. Key changes include:

  • clarifying our conciliation process
  • new respondent and complainant response timeframes
  • developing strategies to proactively pursue responses
  • updating the Complaint Handling Manual
  • drafting Determination guidelines and
  • designing and implementing a uniform training program for Compliance Section staff.

Where changes directly affect complainants and respondents the Office has given stakeholders clear notice of the changes. For example, the Office announced the reduction in timeframes in the Office's newsletter Privacy Matters and amended timeframes on its website. The impact of changes will be evaluated after they have been in operation for a reasonable period. This is likely to be within 12-18 months. See section 3.1 for further information about the Office's compliance activities.

Media:

132 media enquiries were received in 2006-07. This represents an 11% decrease in comparison to the number of enquiries for 2005-06, in which the Office received 148 media enquiries. See section 2.3 for further information.

Speeches:

26 speeches and presentations were delivered in 2006-07. The presentations addressed ongoing and emerging privacy issues. Further information on speeches and presentations can be found at section 2.4 and a list of all speeches and presentations delivered by the Office can be found at Appendix 3.

Policy Advices:

The Office produced 163 advices on significant policy issues. This represents a 20% increase in the number of policy advices the Office prepared in comparison to 2005-06.

Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.

The number of submissions made by the Office to public consultation processes is listed separately below.

Submissions:

In 2006-07, the Commissioner provided 32 submissions to government departments and parliamentary inquiries on policy proposals or Bills before parliament, providing analysis on the privacy implications of the proposal or Bill and offering advice on methods to ensure privacy is appropriately considered and protected.

The following submissions were made by the Office:

  • Research Study into Public Support for Science and Innovation; Productivity Commission (August 2006)
  • Extradition and Mutual Assistance Treaties with Malaysia; Joint Standing Committee on Treaties (August 2006)
  • Consultation on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Funding Bill 2006; Attorney-General's Department (August 2006)
  • Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 1; Department of Human Services: Access Card Consumer and Privacy Taskforce (August 2006)
  • Industry Standard for the Making of Telemarketing Calls - Discussion Paper; Australian Communications and Media Authority (September 2006)
  • Review of the Taxation Secrecy and Disclosure Provisions - Discussion Paper; Treasury (September 2006)
  • Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006; Senate Legal and Constitutional Affairs Committee (October 2006)
  • Review of Australia's Mutual Assistance Law and Practice; Attorney-General's Department (October 2006)
  • Families, Community Services and Indigenous Affairs and Veterans' Affairs Legislation Amendment (2006 Budget Measures) Bill 2006; Senate Standing Committee on Legal and Constitutional Affairs (November 2006)
  • Queensland Law Reform Commission Guardianship Review Stage 1 - Confidentiality in the Guardianship System: Public Justice, Private Lives; Queensland Law Reform Commission (November 2006)
  • Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006; Senate Legal and Constitutional Affairs Committee (November 2006)
  • Consultation on the Exposure Draft of the Human Services (Enhanced Service Delivery) Bill 2007; Office of Access Card (January 2007)
  • Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Draft Industry Standard 2006; Australian Communications and Media Authority (January 2007)
  • Review of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Attorney-General's Department (February 2007)
  • Exposure Draft of the Telecommunications (Interception and Access) Amendment Bill 2007; Attorney-General's Department (February 2007)
  • Inquiry into the AusCheck Bill 2006; Senate Legal and Constitutional Affairs Committee (February 2007)
  • Inquiry into the AusCheck Bill 2006 - Questions on Notice Supplementary Submission; Senate Legal and Constitutional Affairs Committee (February 2007)
  • Australian Law Reform Commission Review of Privacy - Issues Paper 31; Australian Law Reform Commission (February 2007)
  • Inquiry into the Human Services (Enhanced Service Delivery) Bill 2007; Senate Finance and Public Administration Committee (February 2007)
  • Draft Consolidated Anti-Money Laundering and Counter-Terrorism Financing Rules; AUSTRAC (March 2007)
  • Consultation Draft Telecommunications Integrated Public Number Database Scheme 2007; Australian Communications and Media Authority (March 2007)
  • Consultation on the Privacy Blueprint - Unique Health Identifiers (Version 1.0); National E-Health Transition Authority (March 2007)
  • Draft of Telecommunications Integrated Public Number Database Legislative Instruments 2007; Department of Communications, Information Technology and the Arts (March 2007)
  • Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 2; Department of Human Services: Access Card Consumer and Privacy Taskforce (March 2007)
  • Government Agency Coercive Information-Gathering Powers, Draft Report; Administrative Review Council (March 2007)
  • Australian Law Reform Commission Review of Privacy - Issues Paper 32: Credit Reporting Provisions; Australian Law Reform Commission (April 2007)
  • Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 3 on Registration; Department of Human Services: Access Card Consumer and Privacy Taskforce (April 2007)
  • Consultation on Australian Government Smartcard Framework (version 0.12), Standards and Model Specification ('Part c'); Australian Government Information Management Office (April 2007)
  • Consultation on Australian Government Smartcard Framework Part d (Working Draft Version 2.0); Australian Government Information Management Office (May 2007)
  • Research Calls on Sundays; Australian Communications and Media Authority (May 2007)
  • Legal Professional Privilege and Commonwealth Investigatory Bodies - Issues Paper 33; Australian Law Reform Commission (June 2007)
  • Consultation on Model Offences to Combat Identity Crime 2007; Model Criminal Law Officers' Committee of the Standing Committee of Attorneys-General (June 2007).

Karen Curtis Privacy Commissioner

1.1     Review of Performance

The Office's work in reviewing new policy and legislative proposals during 2006-07 was extensive, with an increased number of new proposals involving the handling of personal information being analysed and commented on by the Office. The Office's involvement with many of these proposals is detailed in the following sections.

The most significant of the proposals, the Health and Social Services Access Card (the Access Card), required considerable resources of the Office during the reporting period. To take account of this, the Department of Human Services entered into a Memorandum of Understanding (MOU) to provide the Office with additional resourcing to allow appropriate work on the various consultation papers and to allow the Office to engage in a number of government working groups on the Access Card.

During the year the Office also worked closely with the Department of Immigration and Citizenship, under an MOU, to assist the Department in relation to incorporating the knowledge and use of the Information Privacy Principles more effectively into its administrative practices.

These two MOUs, together with a number of other initiatives to build relationships with government agencies and businesses, reflect the Office's goal of building and developing robust relationships as reflected in the 2007-09 Strategic Plan.

The other significant piece of policy work undertaken by the Office in 2006-07 was the development of our two submissions to the Australian Law Reform Commission (ALRC) review of privacy. This work meant drawing on the whole of the organisation's resources and the extensive knowledge of its officers.

Undertaking the development or confirmation of the Office's position on each of the ALRC's 142 questions was a very significant task but the result is a comprehensive document detailing much of the Office's understanding of the current law and our analysis of where it works well and what could be improved.

Altogether the Office made 32 public submissions during the reporting period, including the 474-page submission to the ALRC and several other substantial submissions, for example in relation to the proposed Access Card and the Anti-Money Laundering and Counter-Terrorism Financing legislation. In terms of numbers of submissions alone this year saw a 70% increase on 2005-06.

During the reporting period the Office also released a number of reports and information products. These included the Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS Claims Information (the section 135AA guidelines), the Review Report on the Credit Reporting Assignees and Classes Determinations, the finalised Privacy Impact Assessment Guide and an Information Sheet on the Prescription Shopping Information Service.

In addition, during the reporting period the Privacy Commissioner approved the Biometrics Institute Privacy Code and a minor variation to the Market and Social Research Privacy Code, and renewed three credit provider determinations.

The 32 submissions completed during the reporting period together with the various review reports, credit determinations and the information sheet have greatly assisted the Office to achieve the 2007-09 Strategic Plan goals of high quality results and increased awareness of privacy choices and obligations within the community.

1.2     Australian Law Reform Commission Review of Privacy

In response to the release of the Australian Law Reform Commission (ALRC) Review of Privacy - Issues Paper 31 (IP31), all sections of the Office were involved in the research and preparation of a comprehensive submission. Many of the recommendations from the Office's 2005 report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 were discussed and developed further.

In February 2007 the Office made a 474-page submission to the ALRC. The submission identified a wide range of issues in areas as diverse as health, technology and telecommunications.

While acknowledging that the existing principles in the Privacy Act are generally operating well, the Office made numerous suggestions to improve Australian privacy regulation. Amongst its suggestions, the Office called for a merging of the two sets of privacy principles in the Privacy Act to create a new single set of principles, as well as greater national consistency in privacy regulation.

As well, in order to create optimal privacy protection for people's health information and help to clarify health service provider obligations, the Office suggested that the Privacy Act should 'cover the field' in regulating health service providers in the private sector.

In relation to new technologies, the Office made a number of suggestions including:

  • the Privacy Act should remain technology neutral to allow for sufficient regulatory flexibility
  • in certain circumstances, organisations should be required to notify customers of a security breach that has made their personal information vulnerable
  • biometric information should be classified as sensitive information under the Privacy Act to ensure that it is afforded a higher level of privacy protection than other forms of personal information.

In response to the ALRC's second issues paper, ALRC Review of Privacy - Issues Paper 32: Credit Reporting Provisions (IP32), the Office made a second detailed submission in April 2007.

The Office noted that the regulation of personal credit information could be improved to reduce complexity while still maintaining strong privacy protections. As a way of achieving this, the Office recommended that the existing credit reporting provisions could be repealed and replaced by the National Privacy Principles operating in tandem with a binding code.

The Office also suggested to the ALRC that the Privacy Commissioner be provided with additional options for dealing with breaches depending on the type and seriousness of the breach. In particular, the Office submitted that the Privacy Commissioner should be given stronger powers to handle systemic issues within the credit industry and issues arising from industry practice. Additionally, the Office recommended that independent research be undertaken into the impact that comprehensive credit reporting would have in Australia.

Overall, the Office's response to IP32 reflected a continuing commitment to helping Australians retain choice and control over the use of their personal credit information.

The complete Office submissions to the two ALRC issues papers can be found at:

The Office will continue to be closely engaged in the ALRC's review, which is expected to be completed in early 2008.

1.3     Privacy and the Australian Government

This section discusses the work the Office did during the reporting period in relation to Commonwealth legislation and/or Australian Government activity.

Please note however that some areas of the Office's work relating to the Australian Government are discussed in other sections of this Chapter (for example, 1.5 Business; 1.6 Health; 1.7 Information and Communications Technology).

1.3.1   Guide to Privacy Impact Assessments

In August 2006 the Office launched the Privacy Impact Assessment (PIA) Guide. The Attorney-General, the Hon. Philip Ruddock MP, was present to launch the document.

The PIA Guide is intended to assist Australian and ACT Government agencies to determine the impact new organisational proposals could have on privacy. The PIA Guide enables agencies to critically examine and assess their project's capacity to comply with the Privacy Act, as well as inform agencies about broader privacy issues raised by the project. While the PIA Guide has been targeted at agencies, private sector organisations could also find it useful.

The Office has provided advice to agencies on the PIA process and received feedback that the Guide has assisted agencies to critically examine and assess their project's capacity to comply with the Privacy Act, to build privacy safeguards into their projects at an early stage and minimise the need for retrospective and reactive privacy measures.

The PIA Guide can be found on the Office's website at www.privacy.gov.au/publications/pia06/index.html.

1.3.2   Australian Government Health and Social Services Access Card

The Office made three submissions to the Minister for Human Services' Access Card Consumer and Privacy Taskforce. These were made in response to the discussion papers released by the Taskforce concerning, respectively, the broad policy and implementation of the Access Card, the storage of optional and voluntary health information on the Access Card, and registration for the Access Card. These submissions are available at www.privacy.gov.au/materials/archive/other/view/5895.

The Office proposed that ensuring adequate privacy protections will be important to promoting community trust and confidence in the Access Card system (comprising the card itself, as well as associated infrastructure and functions). The Office noted that a robust privacy framework is dependent on ensuring that reliance is not placed on one form of privacy protection. The Office suggested that such protections should be multifaceted, incorporating:

  • fundamental system design, including card design, system architecture and the parameters governing what information is collected and what information flows are possible
  • technological measures, including, but not limited to, data security initiatives, as well as measures to minimise the degree to which existing systems become increasingly integrated, a consequence of which may be new and potentially privacy invasive flows of personal information
  • legislative measures, including defining the extent of the functions of the Access Card, proscribing purposes that fall outside those functions and introducing sanctions for misusing any aspect of the system or the personal information it handles and
  • oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

In December 2006 the Office entered into an agreement in the form of a Memorandum of Understanding with the Department of Human Services (see section 4.1.5) which allows for close consultation on privacy-related issues in the development and roll-out of the Access Card.

Under the agreement, the Office will provide advice to the Department on the privacy implications of the Access Card system, participate in site visits with registration authorities to observe and analyse the privacy aspects of the registration process, and assist in the development of privacy-related information and educational materials.

1.3.3   Department of Immigration and Citizenship

The Office entered into a Memorandum of Understanding (MOU) with the Department of Immigration and Citizenship (DIAC) for 2006-07 (see section 4.1.7). Entering into the MOU was one aspect of DIAC's change management strategies following the intensive policy review undertaken after the release of the Palmer and Comrie reports.

DIAC identified the need to assess and improve the manner in which it addressed privacy issues in fulfilling its statutory functions. Recognising the benefits of close cooperation with the Office on privacy issues, and without compromising the independence of the Office, DIAC entered into the MOU to provide the Office with funding to allow dedicated resources to be deployed to assist DIAC in its objective.

Under the MOU the Office provided advice to DIAC on the development of various guidance and training materials in the reporting period. This included advice on Privacy Impact Assessments and Checklists, privacy guidelines for staff, training scenarios and Information Privacy Principle (IPP) Flowcharts specifically related to IPP 11 disclosure obligations.

More information about Privacy Impact Assessments and Checklists is available at www.privacy.gov.au/publications/pia06/index.html.

1.3.4   Australian Government Information Management Office - Australian Government Smartcard Framework

The Office made submissions on Part c of the Australian Government Smartcard Framework which deals with Standards and Model Specification in April 2007, and Part d of the Framework, the Smartcard Implementation Guide in May 2007.

The Office's comments in these two submissions primarily related to the management of interoperability for a particular smartcard project, while minimising the risk of function creep. The Office suggested that careful consideration should be given to the necessity of collecting and retaining personal information, including the creation and display of identifiers, in any smartcard project whether this information was intended to be on the smartcard, the chip or on the supporting systems. The Office also noted that the success of a smartcard project is likely to be linked to user acceptance and adoption of the smartcard, which can be assisted by good privacy practices.

1.3.5   Identity and Border Security

In the 2006-07 Budget, the Office received funding to allow it to participate in the development of a National Identity Security Strategy. The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS) convened by the Attorney-General's Department to assist in developing this national strategy. The Office has attended a number of meetings of the CRGIS and its working groups during 2006-07.

The Privacy Commissioner is also represented on the National Identity Security Coordination Group (NISCG). In 2006-07 the Office attended a number of meetings of the NISCG and provided comments on the development of an Inter-Governmental Agreement (IGA).

The Prime Minister, Premiers and Chief Ministers signed the IGA at the Council of Australian Governments (COAG) meeting on 13 April 2007. At that meeting, COAG also noted the progress made to date in giving effect to the six elements of the Strategy, and acknowledged the value of this work as reference documents for Australian Government agencies.

Information on the IGA can be found at www.coag.gov.au/meetings/130407.

There are five working groups under the CRGIS framework. These include working groups on the Document Verification Service (DVS), Integrity of Identity Data, Authentication, Security Standards for Proof of Identity and Proof of Identity.

The current funding is tied to the Office's work in the Identity Security area, particularly in relation to the DVS. The Office has member status on the DVS Working Group. In 2006-07 the Office published on its website the final Audit report on the DVS prototype pilot completed in 2005-06. The Office also commented on the Privacy Impact Assessment (PIA) prepared by the Attorney-General's Department in relation to the DVS.

The Privacy Commissioner is also represented as a member on the Integrity of Identity Data Working Group. During the reporting period the Office provided comment on the Memorandum of Understanding between the Attorney-General's Department, the Australian Taxation Office and participating agencies for the Integrity of Identity Data Pilot and the PIA for the Integrity of Identity Data Pilot.

The Privacy Commissioner is not represented on the Authentication Working Group, which is a part of the CRGIS governance framework, but has observer status on this working group. However, related to this, during the reporting period the Office made submissions on the Australian Government Smartcard Framework (see section 1.3.4) and provided comment on amendments to the Public Key Infrastructure Gatekeeper Framework and comments on the Australian Government e-Authentication Framework (to cover government transactions with individuals).

1.3.6   Law Enforcement

The Anti-Terrorism Act (No.2) 2005 requires the Australian Federal Police to develop three sets of guidelines for the collection, use, handling, retention and disposal of personal information in relation to:

  • the police powers to stop, question and search
  • the expansion to the Australian Federal Police powers to obtain information and
  • optical surveillance.

The Office received funding to assist the Australian Federal Police, in consultation with the Attorney-General's Department, to develop guidelines.

The Office has commenced consultation with the Australian Federal Police on this and expects the guidelines will be completed in 2007-08.

1.3.7   AusCheck

In February 2007, the Office made a submission to and appeared before the Senate Legal and Constitutional Affairs Committee's inquiry into the AusCheck Bill 2006. The Bill established the regulatory framework around the creation of a centralised Australian Government managed background checking service to be known as 'AusCheck'.

The Office noted that the establishment of a background checking service that was a prerequisite to obtaining or maintaining employment would involve the collection and handling of significant amounts of personal information, including potentially sensitive information. Consequently, the Office submitted that the Bill could be enhanced by providing more details regarding the:

  • purposes for which AusCheck's background checking function may be applied
  • breadth of information that may be collected and assessed during a background check
  • use and disclosure of the information collected.

Following the Committee's inquiry, the AusCheck Bill 2006 was subsequently amended and reflected several of the Office's recommendations, including:

  • a reduction in the initially broad scope of the purposes that the AusCheck scheme may be used for
  • a clarification that the authorisation of the collection, use and disclosure of personal information should be for the purposes of AusCheck's function or purposes directly related to AusCheck's function and
  • an explicit provision requiring that the use and disclosure of personal information be limited to that which is directly necessary and to the extent necessary, for security identification card verification.

On 28 March 2007, the AusCheck Act 2007 was passed and on 7 June 2007, the AusCheck Regulations 2007 were made.

During the reporting period, AusCheck also made a request for a partial exclusion from the federal Spent Convictions Scheme. In fulfilling her statutory function under s. 85ZZ(1)(b) of the Crimes Act 1914, the Commissioner examined the request and provided advice to the Minister for Justice and Customs regarding whether the exclusion should be granted. The amendment was subsequently granted by the Minister for Justice and Customs and the Crimes Regulations 1990 were amended on 7 June 2007.

1.3.8   Anti-Money Laundering and Counter-Terrorism Financing

On 24 August 2006, the Office made a submission to the Attorney-General's Department on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006.

The Office has continued to note that collection of personal financial information is likely to increase significantly under the Bill. Therefore, while recognising the potential benefits to the community of measures to address money laundering and terrorism financing, the appropriate balance must be achieved.

Also as previously noted by the Office, Australia's financial transactions reporting regime was introduced as a response to major crime and any broadening of the scope of its application may raise privacy issues.

Accordingly, the Office made a number of recommendations aimed at ensuring that adequate privacy protections be applied consistently across reporting entities and users of the information, and that the handling of this personal information was subject to appropriate privacy regulation.

More specifically, the recommendations made by the Office included those listed below.

  • A separate process should be undertaken to consider the issue of whether Australian Government agencies, other than the traditional law enforcement agencies, should be able to have direct access to AUSTRAC information for purposes unrelated to anti-money laundering and counter-terrorism financing.
  • The Bill needs to ensure that information collected by AUSTRAC that is passed on to state and territory government agencies will be subject to adequate privacy protection. Not all states and territories have enacted privacy legislation, which means there is a lack of uniformity in the protections and the remedies available.
  • There should be limits on how long the information collected under this legislation should be kept by reporting entities and government agencies.

The Office also recommended that a Privacy Impact Assessment (PIA) be conducted on the operation of this legislation.

A company engaged by the Attorney-General's Department, Salinger & Co, released its PIA regarding the second exposure draft of the Bill on 15 September 2006. This document is available from the Attorney-General's Department website.

In November 2006, the Office made a submission to the Senate Legal and Constitutional Affairs Committee's Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006.

The Office continues to play an active role in the development of Anti-Money Laundering and Counter-Terrorism Financing legislation through its membership on industry and government forums, producing guidance material and providing comments on relevant issues.

During the reporting period the Office received funding of approximately $1.8 million over four years to provide guidance and assistance to small business operators to meet their obligations under anti-money laundering legislation, and to conduct auditing and compliance activity.

1.3.9   Emergencies and Disasters

In September 2006, the Office made a submission to the Senate Legal and Constitutional Affairs Committee's Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006.

The Bill clarified the legal basis for disclosure of personal information in the event of an emergency or disaster. The Office made some suggestions for improvements to give more definition of the circumstances under which the provisions could operate. These suggestions included:

  • the inclusion of criteria as to what constitutes a disaster or emergency
  • the clarification of 'permitted purpose' as 'a purpose directly related to' the emergency or disaster and
  • stronger mechanisms to ensure that normal processes protecting personal information disclosures and uses are resumed as soon as possible.

The Bill was passed with two amendments. The first amendment limited 'permitted purpose' to a purpose that 'directly' relates to the Commonwealth's response to an emergency or disaster. The second imposed a maximum period of 12 months to a declaration of emergency. The new provisions are found in Part VIA of the Privacy Act.

After the Bill passed, Regulations were made under the Privacy Act on 13 December 2006. These exempt the secrecy provisions of the Census and Statistics Act 1905 from Part VIA of the Privacy Act. These Regulations confirm that data collected by the Australian Bureau of Statistics for statistical purposes will only be used for statistical purposes.

1.3.10 Government Agency Coercive Information-Gathering Powers

The Office made a submission to the Administrative Review Council's draft Report into Government Agency Coercive Information-Gathering Powers in March 2007.

The Office's comments primarily related to the Office's experience in promoting an understanding of the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and investigating complaints about acts or practices of agencies or organisations that may breach an IPP or NPP.

The Office suggested that the Council may wish to consider the issue of coercive information-gathering from a broader privacy perspective, giving more prominence to the privacy obligations and interests of organisations, agencies and individuals and clarifying the role of the IPPs and the NPPs in its report.

1.3.11 Taxation Secrecy and Disclosure Provisions Review

In September 2006, the Office made a submission to the Treasury on the Review of the Taxation Secrecy and Disclosure Provisions.

The secrecy provisions in tax legislation provide protections for personal (taxpayer) information in addition to those protections already provided by the Information Privacy Principles in the Privacy Act. The Office expressed concern that any proposal to reduce privacy safeguards currently offered by the secrecy provisions could risk a lessening in community confidence, and therefore any proposal to amend the protections should be approached with care.

1.3.12 Personal Property Securities

In February 2007 the Office provided comments to the Attorney-General's Department in relation to the Standing Committee of Attorneys-General (SCAG) review of Australian personal property securities law. The review aims to develop a national register that will consolidate all security interests that are created by a contractual agreement and which are held over personal property.

The Office noted that the proposed national register would include personal information relating to the financial and credit affairs of a large number of individuals and had the potential to raise a number of privacy-related issues. The Office made a number of suggestions to reduce potential privacy risks. These suggestions included:

  • a Privacy Impact Assessment should be undertaken
  • only those individuals or entities that have a demonstrated need to access information on the database should be able to do so
  • personal information on the register should be minimised wherever possible and
  • mechanisms should be developed to ensure that faulty listings do not remain on the register indefinitely.

The personal property securities review is continuing. In the 2007-08 budget $113.3 million over five years was allocated to harmonise Australia's personal property securities laws in one Commonwealth Act and develop a single national online register of personal property securities interests.

The Office will continue to provide advice to the Australian Government on the development of the register.

1.3.13 Mutual Assistance and Extradition

In October 2006, the Office made a submission to the review conducted by the Attorney-General's Department regarding Australia's mutual assistance law and practice. This submission reiterated the comments of the Office's earlier March 2006 submission regarding the review of extradition arrangements conducted by the Attorney-General's Department.

The Office noted that there is a need for clarity and certainty regarding how an individual's personal information may be handled pursuant to extradition or mutual assistance matters to ensure that it is afforded appropriate privacy protections. This certainty would likely be best achieved by the enactment of clear legislative authority for such exchanges.

Specifically, the Office also commented on the following issues raised by the review:

  • grounds for refusal to provide personal information where the requesting country's arrangements for handling that information do not offer privacy protections substantially similar to those applying in Australia
  • handling of DNA samples and information from persons without consent should be subject to a form of judicial oversight and consideration should be given to the protections afforded that information in the new jurisdiction before disclosing
  • provision of information from the DNA Database and DNA matching
  • handling of telecommunications interception material and surveillance device material.

The Office looks forward to the further opportunity for engagement on these issues.

1.4     Privacy and the Australian Capital Territory Government

In 2006-07 the Office continued to provide advice to ACT Government agencies. The Office provided detailed comments to the Department of Health on the obligations surrounding the collection of personal information in the implementation of a Health Management Plan for Pandemic Influenza and comments to the Department of Disability Housing and Community Services on the exposure draft for the Children and Young People Amendment Bill 2007. The Office also engaged with the Department of Health on the issue of iris scanning.

The Office also reviewed the exposure draft of the Planning and Development Bill 2006, providing comments to the ACT Planning and Land Authority (the Authority) on the Authority's legal requirement to collect personal information and the manner in which that information was to be disclosed. The Office provided further comment to the Authority on the Planning and Development (Consequential Amendment) Bill 2007.

1.5     Privacy and Business

1.5.1   Review of the Private Sector Provisions of the Privacy Act

In November 2006, the Office welcomed the Australian Government's response to its 2005 report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the Office's 2005 report). The response is available at www.ag.gov.au/www/agd/agd.nsf/Page/Privacy_GovernmentresponsestoPrivacyActreports.

In its response, the Government either accepted, noted or referred to the Australian Law Reform Commission (ALRC) for further discussion, 81 of the 85 recommendations that were made in the Office's 2005 report.

The Office notes that three of the key recommendations in its 2005 report had already been taken up by the Government prior to the release of its response to the report. These include the:

  • establishment of a wide-ranging review by the ALRC into Australia's privacy-related legislative framework (see section 1.2)
  • creation of a Do Not Call Register for telemarketing calls and
  • extension of Privacy Act coverage to all residential tenancy database operators.

During the reporting period, the work of the Office continued to be shaped by the recommendations in its 2005 report. In particular, the Office made two comprehensive submissions to the ALRC review of privacy. As noted, the ALRC review is a response to a key recommendation made by the Office in its 2005 report.

In addition, the Office is currently working to implement those recommendations in its 2005 report concerning the Office's functions. Specifically, work has been commenced on the development of guidance materials and publications that relate to particular recommendations.

The Office has also progressed planning to give effect to various health-related recommendations of the Review during the first half of 2007-08.

1.5.2   Privacy Codes

Part IIIAA of the Privacy Act allows organisations to apply to the Privacy Commissioner for approval of a Privacy Code that will replace the National Privacy Principles for organisations bound by that Code.

Biometrics Institute Privacy Code

On 19 July 2006 the Privacy Commissioner approved the Biometrics Institute Privacy Code under s. 18BB of the Privacy Act. The code came into operation on 1 September 2006 and is available on the Biometrics Institute website at www.biometricsinstitute.org.

Market and Social Research Privacy Code

Following a review of the Market and Social Research Privacy Code, the Association of Market and Social Research Organisations (AMSRO) made an application to vary the code under s. 18BD(1) of the Privacy Act. The Privacy Commissioner approved this variation under s. 18BD(2), to take effect on 30 June 2007.

Queensland Club Industry Privacy Code

Following a review of the Queensland Club Industry Privacy Code, Clubs Queensland made an application to vary the code under s. 18BD(1) of the Privacy Act. The Office is currently reviewing this application.

More information, including the Register of Approved Privacy Codes, can be found on the Office's website at www.privacy.gov.au/business/codes/.

1.5.3   Credit Reporting

Credit Provider Determinations

In the previous reporting period, three credit provider determinations made under the Privacy Act were renewed for short periods to allow the Office time to consult with the community about how these determinations have operated and the terms in which any further determinations should be cast. As part of this review, two consultation papers covering the three determinations were released for public comment.

In the current reporting period, the Office analysed the submissions received during the consultation process and produced a report relating to one of the consultation papers. This report on the review of Determination No. 2006-3 Assignees (the Assignees Determination) and Determination No. 2006-4 Classes of Credit Providers (the Classes Determination) is available at www.privacy.gov.au/materials/types/reports/view/6031.

The consultation on the operation of the third determination, Determination No. 2006-5 (Indigenous Business Australia) (the IBA Determination), and the experience of the Office demonstrated that the IBA Determination had operated effectively and provided unanimous support for the renewal of the IBA Determination.

Consequently, the three determinations were renewed.

Issues Paper 32 - Review of Privacy: Credit Reporting Provisions

In December 2006, the Australian Law Reform Commission (ALRC) published its Issues Paper 32 - Review of Privacy: Credit Reporting Provisions (IP32) as part of its wider review of privacy regulation in Australia. The Office made a submission to IP32 in April 2007. See section 1.2 for further information.

1.5.4   Tax File Number Guidelines

During the reporting period there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers.

1.5.5   Research and Data-Holding

The Office has commented on a number of research and data holding initiatives through consultative relationships and its membership on various committees and working groups. In particular the Office has made a contribution to the National Data Network, the Prime Minister's Science Education and Innovation Council and the Productivity Commission's research study.

The National Data Network

The National Data Network (NDN) provides a distributed library of data holdings relevant to policy analysis and research. These data holdings remain held and controlled by their Custodian organisations.

During the reporting period, the Office has been involved with the NDN Working Group and NDN Interim Governing Board. These bodies have been involved in the development of a framework of policies and procedures to support the data sharing activities and creation of privacy-preserving data management tools.

The Office played an integral role in securing the agreement from the NDN Interim Governing Board to complete Privacy Impact Assessments as part of any data-sharing pilots.

In view of the significant privacy objectives that have been achieved, the Deputy Privacy Commissioner resigned from the Working Group and the Interim Governing Board on 28 May 2007. The Office will maintain its engagement with NDN on a consultative basis.

The Prime Minister's Science Education and Innovation Council

The Prime Minister's Science Education and Innovation Council (PMSEIC) was established in 1997 and its function is to provide the Australian Government with independent advice on issues of science, engineering and innovation and relevant aspects of education and training. The Council meets in June and December each year to discuss and report on relevant issues. The Office has made submissions and provided comment on specific research issues impacting privacy.

In September, the Office responded to an issues paper produced by the PMSEIC Working Group which was seeking to assess the opportunities and risks of creating a national database for research purposes. The PMSEIC final report, including recommendations, was presented at the PMSEIC December meeting. Recommendation 8 supported the Office's general advice in reference to the need for health research agencies to develop best practice policies, practices and methodologies while protecting privacy. The report examined and identified privacy regulation and its future impacts.

It is expected that the Office will have ongoing engagement with PMSEIC in the future, on a consultative basis.

During the reporting period the Office responded to the Research Study into Public Support for Science and Innovation undertaken by the Productivity Commission. The Office made a submission in August 2006 with the following emphases:

  • how to balance individuals' right to choice in relation to the use of their health information against the public interest of conducting research
  • the need to provide guidelines about de-identification in terms of information used for research and
  • the Office's commitment to work with the National Health and Medical Research Council to simplify guidelines for health research ethics committees in terms of the section 95AA Guidelines (see section 1.6.4).

1.6     Privacy and the Health Sector

1.6.1   Electronic Health Records

The Office engaged with a number of bodies, including state government entities, on matters related to electronic health records. The Office also discussed electronic health records in its submission to the Australian Law Reform Commission (ALRC) review of privacy (See section 1.2). The Office noted that such systems have the potential to vastly increase the capacity to collect, store, copy, transmit, share and modify health information, including in ways not expected by individuals. Accordingly, electronic health records systems should only be pursued where accompanied by legislative measures that clearly set out and limit their operation and scope.

In March 2007, the Office made a submission to the National E-Health Transition Authority on its Privacy Blueprint for Unique Health Identifiers. The Office noted that a challenge for such identifiers is to ensure that such a highly reliable identifier is not used for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined. This was a view also expressed in Chapter 8 of the Office's submission to the ALRC review of privacy.

1.6.2   Section 135AA Guidelines Review

The section 135AA Guidelines (the Guidelines) are issued by the Privacy Commissioner under section 135AA of the National Health Act 1953 and issuing the Guidelines is a function of the Privacy Commissioner under s. 27(1)(pa) of the Privacy Act. The Guidelines apply to the handling of information obtained by any Australian Government agency in connection with a claim under the Medicare Benefits Program or the Pharmaceutical Benefits Scheme (PBS).

The Office released its Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS claims information on 1 August 2006. The Report makes 25 findings on matters related to the Guidelines. Some of these findings require new Guidelines or changes to the Guidelines, while others describe the Office's interpretation of matters relevant to the Guidelines.

The key findings are:

  • an additional permitted linkage for claims information for the purpose of an individual accessing their record (see Finding 2)
  • the prohibition against storing Medicare and PBS claims information should apply to all agencies (see Finding 23)
  • changes should be made to the periods for which Medicare Australia may retain claims information in linked and unlinked form (see Findings 6, 7 and 8)
  • some changes are required in relation to how the Department of Health and Ageing may handle claims information (see Findings 14-21).

The Office has commenced the development of new Guidelines that reflect the findings of this review. The Office is liaising with Medicare Australia and the Department of Health and Ageing and is proposing to issue the new Guidelines during 2007-08.

1.6.3   Prescription Shopping Information Service

On 14 September 2006, the Australian Parliament enacted the Privacy Legislation Amendment Act 2006, amending the National Health Act 1953 and the Privacy Act, to ensure that medical practitioners can continue to collect patients' health information that is available through Medicare Australia's Prescription Shopping Information Service (PSIS), without being in breach of the Privacy Act.

This practice had previously been the subject of two Temporary Public Interest Determinations issued by the Privacy Commissioner.

On 4 May 2007, the Privacy Commissioner released a new Information Sheet on the Privacy Act and the PSIS. The Information Sheet was developed in consultation with Medicare Australia and a number of other health and privacy stakeholders. It is intended to provide private sector medical practitioners with guidance on their obligations when using the PSIS. The Information Sheet is available at www.privacy.gov.au/materials/types/infosheets/view/6551.

1.6.4   Section 95AA Guidelines

In response to the 2003 report by the Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee of the National Health and Medical Research Council (NHMRC) entitled Essentially Yours: The Protection of Human Genetic Information in Australia, the Privacy Legislation Amendment Act 2006 introduced National Privacy Principle 2.1(ea). This amendment creates a discretion for organisations to use or disclose genetic information about an individual where necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of a genetic relative.

Any use or disclosure must be in accordance with guidelines made by the NHMRC under s. 95AA of the Privacy Act, and approved by the Privacy Commissioner. Prior to the guidelines being submitted for approval, the Office will work with the NHMRC as it progresses their development.

1.7     Privacy and the Information and Communications Technology Sector

1.7.1   Do Not Call Register

The Government launched the Do Not Call Register in May 2007. The Office strongly supported the introduction of this register. It is a partial response to Recommendation 25 of the Office's 2005 report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

In the reporting period, the Office also played an active role in the implementation of the register through its consultations with the Do Not Call Taskforce on the draft Determinations, Standards and Ministerial instruments. In September 2006, the Office provided a submission to the Australian Communications and Media Authority's Industry Standard for the Making of Telemarketing Calls Discussion Paper. In addition, the Deputy Privacy Commissioner served as a member of the Do Not Call Register Scheme Steering Committee.

1.7.2   Integrated Public Number Database

In March 2007, the Office made a submission to the Australian Communications and Media Authority (ACMA) on the consultation draft of the Telecommunications Integrated Public Number Database Scheme 2007 (the Scheme). The Telecommunications Amendment (Integrated Public Number Database) Act 2006 (the IPND Amendment Act) requires ACMA to, by legislative instrument, develop a scheme for granting authorisation enabling access to and use of the information in the IPND for specified purposes, such as for the purposes of producing a public number directory or for research.

The Department of Communications, Information Technology and the Arts (DCITA), on behalf of the Minister, has responsibility for drafting legislative instruments. There are seven instruments that may be made by the Minister. DCITA has produced draft instruments for additional Public Number Directory requirements, additional Public Number Directory information, Criteria for Deciding Applications, Permitted Research, and Conditions of Authorisation.

In March 2007, the Office made a submission to DCITA on these draft legislative instruments relating to IPND access arrangements published for comment by DCITA under the IPND Amendment Act. The Office also met with DCITA representatives to discuss issues raised in the Office's submission.

The Office submitted that permitted use of the IPND for research should only be non-commercial rather than 'primarily non-commercial'. The Office also recommended that DCITA define how the public interest of proposed research would be determined and proposed that IPND access users should opt in to coverage under the National Privacy Principles.

The finalised instruments allow researchers' access to the IPND for primarily non-commercial purposes. However, examples defining the terms 'primarily' and 'non-commercial' are provided in the Explanatory Statement to assist ACMA in administering the Scheme. The instruments also allow ACMA to impose specific privacy obligations on IPND data users. The Scheme came into force on 15 May 2007.

1.7.3   Telecommunications and E-Marketing Industry Codes

The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.

In 2006, the Australian Communications Industry Forum (ACIF) and Service Providers Association Inc (SPAN) merged to form the telecommunications industry body Communications Alliance Ltd (Communications Alliance). Communications Alliance now handles the ACIF process for developing documentary outputs, including industry codes. The Office was consulted by Communications Alliance on eight ACIF codes during the reporting period. One of the codes currently under development, the Telecommunications Consumer Protection Code, is intended to consolidate the industry approach to issues covered by six ACIF codes.

1.7.4   Telecommunications Interception legislation

In February 2007, the Office made a submission to the Attorney-General's Department on the exposure draft of the Telecommunications (Interception and Access) Amendment Bill 2007 (the Bill).

The Bill is the second stage of the Australian Government's legislative program to implement the recommendations from the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979 conducted by Mr Anthony S Blunn AO (the Blunn Review).

One of the key recommendations of the Blunn Review was that interception activity of law enforcement agencies and civil enforcement bodies should be consolidated under one legislative regime. The Bill was the second stage in the implementation of that recommendation, following the introduction of the Telecommunications (Interception) Amendment Act 2006.

In its submission, the Office recommended that:

  • the voluntary disclosure provisions could be made clearer in relation to content and call data to reduce the risk of carriers committing inadvertent breaches
  • there is merit in defining call data, or giving examples in the proposed Amendment Bill as to what might be considered 'information or document' as opposed to 'contents or substance of a communication'
  • further guidance be provided where the privacy of telecommunications users needs to be taken into account when making decisions and
  • the operation of the Telecommunications (Interception) Amendment Act 2006 should be subject to overall independent review, including key stakeholder and public consultation, at least every five years.

A Bill was introduced into parliament on 14 June 2007 and was referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 1 August 2007. In terms of the Office's previous comments, the Explanatory Memorandum accompanying the Bill now defines the distinction between call data and 'information and documents'.

 

 

2.1     Review of Performance

In 2006-07 the Office revised its Communications Strategy in line with its Budget commitments and goals set out in the Office's 2007-09 Strategic Plan (see Appendix 8 and the Commissioner's Overview for further information). The Office's increased funding has allowed its communications unit to progress a range of projects and initiatives aimed at assisting organisations and individuals to better understand their rights and responsibilities under the Privacy Act.

An important communications focus for the Office is facilitating networking and working closely with key stakeholders to promote a broader understanding of privacy. This year the Office:

  • re-energised the Privacy Connections network of privacy professionals in the private sector (see section 2.7.1)
  • worked with the Privacy and Information Commissioners of New South Wales, Victoria and the Northern Territory to participate in the first national Privacy Awareness Week (see section 2.7.3) and
  • launched an international privacy themed writing competition targeting youth with the Commissioners of the Asia Pacific Privacy Authorities forum (see section 2.9.1).

2006-07 also saw the introduction of the Office's Privacy Matters newsletter (see section 2.5.1). The newsletter is an important tool for the Office, allowing it to communicate important information to stakeholders on a regular basis throughout the year. In addition to downloads from the website, subscriptions to the newsletter have increased steadily, with the newsletter now reaching over 600 subscribers.

A significant undertaking for the Office is the review of its publications. During the year the Office audited its existing material with the aim of identifying and correcting any inaccurate or outdated material (see section 2.5.2).

As its main communication tool, the Office recognises the value of maintaining and improving the content and services delivered through its website. With this in mind, the Office commenced work on the redevelopment of the website, looking at ways of meeting the needs of its current users and offering services and refining content to attract new users (see section 2.2.1). The redevelopment of the website will continue into the next reporting period and will ensure that the website continues to be a valuable source of information for users with an interest in privacy.

2.2     Privacy Website

The Office's website (www.privacy.gov.au) again features very prominently in the Office's new 2007-08 Communications Strategy and 2007-09 Strategic Plan. The website continues to be the critical hub for the communication of the Office's privacy messages.

2.2.1   Website Redevelopment

To ensure that the Office's website continues to play the role of communications hub effectively, the Office has embarked on a project to redevelop the website. This is considered to be an important project, especially since the last major website redevelopment was completed when the private sector provisions commenced in 2001.

In the reporting period, the Office conducted a range of consultations including:

  • website and intranet-based external and internal user surveys between December 2006 and April 2007
  • email-based survey sent to a wide range of domestic and international Office stakeholders, including informal discussions where appropriate
  • focus groups and other informal discussions with internal users and
  • discussions with a range of other participants who have detailed experience in website redevelopments or familiarity with the Office's website.

The Office's focus is now on developing and implementing an action plan which aims to put into place many of the recommendations received during these consultations.

2.2.2   Website Usage

The Office's website (www.privacy.gov.au) increased its traffic from the previous reporting year. Visits to the website increased by 541 996 sessions during 2006-07 compared to the previous year, an increase of 38%. Page views (number of pages people looked at during the session) increased by 246 728, an increase of 4%. The figures in Table 2.1 show the number of sessions and the number of page views for the privacy website each year for the last three financial years, while Chart 2.1 graphically represents the substantial increase in website traffic since 2001.

Table 2.1 Page and Session Views for the Privacy Website

             2004-05      2005-06      2006-07      Increase 2005-06 to 2006-07
Session      1 072 361    1 411 320    1 953 316    + 541 996
Page view    4 561 982    5 937 245    6 183 973    + 246 728

Chart 2.1 Yearly Comparative Results for the Website

2.2.3   Layered Privacy Policy

In Privacy Awareness Week 2006 (see section 2.7.3), the Attorney-General launched the Office's new Privacy Policy. The new Policy adopts a layered notice format to enhance the ease with which people can access and understand it. The Policy is available on the Office's website, and provides browsers with both a condensed snapshot, as well as a full explanation, of the Policy.

The condensed version of the Policy uses clear simple language and includes the most important information that individuals usually need and want to know about the Office's personal information handling practices. Individuals wanting further information can easily link to the Office's full Privacy Policy.

The Policy is also intended to serve as a model for other agencies and organisations. It is available at www.privacy.gov.au/materials/.

2.3     Media

132 media enquiries were made to the Office during 2006-07. This is down 11% from the 148 enquiries received in 2005-06. Of the 132 enquiries, 84 were from print media, 29 from radio stations, ten from television, eight from news websites, and one from a news agency.

The enquiries concerned a range of privacy-related issues, with the most common including:

  • scanning of patrons' identification by clubs and bars
  • alleged privacy breaches by various organisations
  • incidents involving access by staff of government agencies to client records
  • companies transferring client data to overseas centres for processing
  • doctors' use of overseas transcription services
  • the Health and Social Services Access Card
  • the disclosure of financial transactions by SWIFT (the Society of Worldwide Interbank Financial Telecommunication) to law enforcement agencies
  • privacy concerns resulting from online technologies.

In most cases, background information on the issue or a comment was supplied to the journalist. Interviews were also conducted on various radio stations and television programs.

The Office prepared 31 media announcements and releases during 2006-07.

The Office has an email list specifically targeting media personnel and media agencies. Members of the email list receive the Office's media releases and announcements. Information about the list is available at www.privacy.gov.au/news/subscribe/.

2.4     Speeches and Presentations

The Office delivered 26 speeches during 2006-07. These speeches were on a number of key issues including the Australian Law Reform Commission's review of privacy, information technology, privacy and business and the Office's new Strategic Plan 2007-09. The Commissioner also gave a number of speeches around Australia in conjunction with the Privacy Connections events hosted by the Office (see section 2.7.1).

A complete list of speeches and presentations made by the Commissioner and Office staff can be found at Appendix 3. Supporting papers and PowerPoint presentations for a number of these speeches are available on the Office's website at www.privacy.gov.au/materials/types/speeches?sortby=60.

2.5     Publications

The Office developed a number of new publications over 2006-07 including its new quarterly newsletter, Privacy Matters (see section 2.5.1). In Privacy Awareness Week 2006 (see section 2.7.3), the Attorney-General launched the Office's Privacy Impact Assessment Guide developed for use by public sector agencies (see section 1.3.1), and the Office's new layered Privacy Policy (see section 2.2.3). Also in Privacy Awareness Week, the Office released two 'Ten Steps' guides which provided ten practical steps that individuals and organisations could take to protect their own and other people's personal information.

In 2007 the Office released a new information sheet on the Prescription Shopping Information Service and the Privacy Act (see section 1.6.3).

Most of the Office's publications are available online at www.privacy.gov.au/materials.

2.5.1   Privacy Matters Newsletter

In September 2006, the Office launched its quarterly privacy newsletter Privacy Matters. The purpose of the newsletter is to provide an accessible and easy-to-read publication that keeps interested stakeholders up-to-date with important Office-related compliance, policy, public affairs and other privacy developments.

The newsletter is an initiative which implements Recommendation 50 of the Office's 2005 Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. It complements the work the Office already does through its various stakeholder networking strategies (see section 2.7), and further assists the Office in its Strategic Plan purpose of promoting and protecting privacy in Australia.

The Office aims for each issue of the newsletter to have as its primary focus one or two significant feature articles covering privacy matters of current importance. The newsletter also keeps subscribers informed of other privacy-related events and matters of interest, both within the Office and in the broader community.

The Office intends to continue producing Privacy Matters on a quarterly basis throughout the next reporting period. Subscription to the newsletter is available by visiting the Office's website at www.privacy.gov.au/news/newsletter/.

2.5.2   Publications Review

In 2007 the Office commenced a comprehensive review of its existing publications to ensure that Office guidance material continues to best meet the needs of its stakeholders.

The publications review aims to identify and correct any inaccurate or outdated material, ensure that Office guidance material is presented in clear and understandable language, and address gaps in content. As part of this review, the Office intends to develop systems for the management of Office publications to facilitate their upkeep into the future.

The Office has recently completed an audit of existing publications and will shortly commence implementing updates identified in this process.

2.6     Community Attitudes Survey

In early 2007, the Office commenced work on a research study to ascertain community attitudes towards privacy issues. It commissioned the Wallis Consulting Group to undertake the quantitative study, which follows on from similar research the Office carried out in 2001 and 2004. The project will be completed and reported on in 2007-08.

2.7     Networking for Privacy Solutions

2.7.1   Privacy Connections

In line with Recommendation 50 of the Office's 2005 Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, the related Budget commitment, and the Office's 2007-09 Strategic Plan (Goal 2: increased awareness of privacy choices and obligations within the community), the Office undertook during 2006-07 to re-energise its Privacy Connections network of privacy professionals in the private sector. In this respect, it hosted a series of well-attended forums, allowing an opportunity for privacy professionals to network, to meet and engage with the Privacy Commissioner, and to learn about various privacy issues and developments both in Australia and abroad.

In November 2006 a breakfast forum was held in Sydney to mark five years since the introduction of the private sector provisions of the Privacy Act. Keynote speakers included the Attorney-General, the Hon. Philip Ruddock MP, the Privacy Commissioner, and Suzanne Pigdon, the former Privacy and Customer Advocacy Manager of the Coles Myer Group and a member of the Office's Privacy Advisory Committee. Corporate breakfasts were also held in May 2007 with the Privacy Commissioner and Ms Pigdon in both Adelaide and Perth, in association with those states' chambers of commerce.

Further events have been scheduled for early in 2007-08 in Brisbane, Canberra, Melbourne and Sydney, with Mr Peter Cullen, the US-based Chief Privacy Strategist of Microsoft, as the keynote speaker.

Privacy Connections members also receive electronic updates from the Office on a range of privacy issues, developments and events. The network commenced in 2001 and as at 30 June 2007 had 1841 members. Information about Privacy Connections is available at www.privacy.gov.au/business/privacyconnections/.

2.7.2   Privacy Contact Officer Network

The Office manages a network of Privacy Contact Officers (PCOs) from Australian and ACT Government agencies. The Office hosts four PCO meetings a year to provide PCOs with an opportunity to network and to hear from speakers on a range of privacy-related issues. These meetings also enable PCOs to meet with Office staff and regularly hear from the Commissioner on the Office's activities and initiatives.

During 2006-07, the Office has used this forum to inform PCOs of changes to the Office's approach to complaint handling, key aspects of the Office's submission to the Australian Law Reform Commission (ALRC) review of privacy, and international developments in privacy regulation.

The Office has also invited external speakers to address PCOs including a senior legal officer at the ALRC to provide an update on its review of privacy, an adviser to the Attorney-General to discuss privacy from a ministerial officer's perspective, a member of the Privacy Advisory Committee, and individual PCOs.

In December 2006, the Office presented a 'Privacy Checklist' to the network that the Office developed to help PCOs effectively handle privacy complaints, and the PCOs were surveyed for their feedback on this resource. The Office also consulted with the network on Privacy Awareness Week 2007 and the resources and activities they would like to see promoted during this event.

In general the PCO Network provides a crucial link between agencies and the Office for the purposes of managing privacy complaints and the Office continues to promote the important role of the PCO as an internal agency contact point for information about privacy compliance obligations.

2.7.3   Privacy Awareness Week

The Office celebrated Privacy Awareness Week from 27 August - 2 September 2006. The Office collaborated with Privacy Victoria, Privacy NSW and the Office of the Information Commissioner, Northern Territory to promote the event.

The week was an opportunity to encourage organisations and agencies covered by the Privacy Act to promote privacy awareness among staff and customers.

During Privacy Awareness Week the Attorney-General launched two key documents produced by the Office: the Privacy Impact Assessment (PIA) Guide (see section 1.3.1) and the Layered Privacy Policy (see section 2.2.3). Guides were also released setting out 'Ten Steps' on how to protect personal information for individuals, agencies, and organisations and privacy quizzes were developed to encourage individuals, agencies and organisations to examine their general knowledge and understanding of privacy.

The Office is continuing its involvement in Privacy Awareness Week in 2007 through joint promotions and activities with the Asia Pacific Privacy Authorities (APPA) (see section 2.9.1), as well as its own Privacy Awareness Week calendar of events.

Privacy Awareness Week will be held from 26 August - 1 September in 2007. The Office's promotional activities leading up to and throughout Privacy Awareness Week will contribute to the Office's goal of increased awareness of privacy choices and obligations within the community as outlined in the Office's 2007-09 Strategic Plan.

2.8     Privacy Advisory Committee

The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act. Its members are appointed by the Governor-General. The functions of the PAC are established under s. 83 of the Privacy Act and provide for the PAC to assist the Commissioner in engaging in and promoting community education and consultation, in relation to the protection of individual privacy.

The PAC also advises the Commissioner on matters relevant to his/her functions. It acts as an external reference point that supports the Commissioner in gaining access to the broad views about privacy in the private sector, government and the community at large.

This year, the PAC has been actively involved in a number of Office activities. Members of the PAC had significant input into the development of the Community Attitudes Survey (see section 2.6), including participation in the tender evaluation and content review committees.

The PAC members provided support to the Office through their promotion of the Privacy Connections network events (see section 2.7.1). Suzanne Pigdon, a member of the PAC, was a keynote speaker at three events and provided attendees with information and advice on privacy from a business perspective.

PAC members also attended the 2006 Asia Pacific Privacy Authorities Forum (see section 2.9.1) and the Asia-Pacific Economic Cooperation (APEC) Data Privacy Seminar.

There are currently six members of the PAC. Ms Robin Banks was appointed as a PAC member in November 2006 replacing Mr Graeme Innes AM who resigned in December 2006.

2.9     International Liaison

2.9.1   Asia Pacific Privacy Authorities

The Asia Pacific Privacy Authorities (APPA) forum is a regional forum that includes this Office, the State and Territory Privacy Commissioners in Australia (NSW, Victoria and the Northern Territory), together with the Privacy Commissioner of New Zealand, the Privacy Commissioner for Personal Data of Hong Kong and the Korean Information Security Agency.

The Forum meets biannually and is hosted with a rotating venue and host. In June 2007 the 27th APPA forum was hosted by the Office in Cairns to coincide with the APEC Senior Officials Meetings and Data Privacy Seminars. At this meeting the APPA membership was broadened to include the Information and Privacy Commissioner of British Columbia, Canada.

APPA meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA affiliates. The Forum provides an opportunity for Commissioners to exchange knowledge and experiences about privacy regulation across different jurisdictions. At the 27th APPA forum it was agreed that a Working Party be established to look at the possibility of developing guidelines for the protection of individuals' privacy rights in relation to the use of biometrics.

At the 26th APPA forum hosted in November 2006 by the Office of the Privacy Commissioner for Personal Data, Hong Kong, the APPA members agreed to jointly undertake Privacy Awareness Week (see section 2.7.3) in 2007. As a result an international privacy themed competition was launched in April 2007 targeting secondary students. Publicity for the competition has included a joint media release, the production of a website (www.privacyawarenessweek.org) and a mail out to secondary schools across Australia, Hong Kong and New Zealand which included an introductory letter, poster and promotional booklet. Promotional material was translated into Chinese to ensure the competition was accessible to entrants from the jurisdictions involved. The Commissioners will announce the competition winners during Privacy Awareness Week 2007 (26 August - 1 September 2007).

As outlined in the Office's 2007-09 Strategic Plan, robust relationships are at the core of how the Office operates. Developing international linkages, particularly through the APPA forum, is one way in which the Office achieves this. APPA is an effective forum that the Office will continue to develop and sustain through future joint initiatives.

2.9.2   28th International Conference of Data Protection and Privacy Commissioners

In November 2006, Deputy Privacy Commissioner Timothy Pilgrim attended the 28th International Conference of Data Protection and Privacy Commissioners held in London. The theme of the conference was 'A Surveillance Society?', with speakers addressing a range of issues related to surveillance and how to balance public safety with individual privacy rights.

At the conference a resolution proposed by the New Zealand Privacy Commissioner and co-sponsored by the Australian Privacy Commissioner was adopted. This resolution recommended that attention be given to improving conference organisation arrangements with a view to ensuring the continued viability of annual conferences. With the adoption of the resolution, a working group was established to examine existing organisational arrangements and suggest options for improvement.

The New Zealand Privacy Commissioner is chair of the working group, which encompasses four subgroups: the Hosting Subgroup, the Host Selection Subgroup, the Website Subgroup and the Participant Expectations Subgroup.

Fourteen data protection authorities are participating in the working group with this Office acting as chair of the Hosting Subgroup and co-chair of the Website Subgroup.

The working group is due to report its findings to the 29th Conference to be held in Canada in September 2007.

 

 

3.1     Review of Performance

The Privacy Commissioner protects the privacy of Australians through a wide range of compliance activities, including a telephone and written enquiry service, the resolution of individual privacy complaints, conducting audits and investigations, and monitoring data-matching activities.

While the Office's compliance focus in 2006-07 continued to be on resolving individual complaints, it also undertook a number of audits. The Office strives to resolve cases in an open and fair way that builds the confidence of our stakeholders. The Office has applied considerable effort to managing complaints in line with Recommendation 42 of the Office's 2005 Report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

In the Office's last annual report, it was noted that the Office was to receive an increase in funding over the next four years, and that one of the first priorities would be to invest in our complaint handling systems and practices. Effective complaint handling practices have been a clear focus in 2006-07. The Office has continued to evaluate and refine practices to ensure they worked well and that individual complaints were handled in a timely and effective manner.

The Office has restructured its Compliance section to facilitate a transition from being primarily a reactive regulator to an increasingly proactive regulator. To ensure best practice complaint handling and investigation, the Office has a renewed focus on staff training, staff development and stakeholder relationships.

2006-07 also signalled the return of the Office's audit program into Australian Government agencies, with the Office embarking on its first Australian Government agency audit in almost three years. The Office also continued its data-matching and 'own motion' work. The Office this year increased its production of case notes. It produced 24 case notes to assist individuals, organisations and agencies understand its investigative processes and application of the Privacy Act.

3.2     Responding to Enquiries

3.2.1   Telephone Enquiries

The Office's telephone enquiry service (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call.

Since 1 July 2001 the enquiry service has answered over 120 000 telephone calls. The enquiry service answered 17 392 telephone enquiries in 2006-07. This is 9% less than the 19 150 received in 2005-06. The Office expects that more people are finding it convenient and effective to search for information online which may suggest a reason for the decreasing number of calls to the enquiry service.

Who is calling?

Continuing the trend that the Office has seen over the past few years, the vast majority of calls are from individuals seeking information about their privacy rights and advice about how to resolve privacy complaints.

Table 3.1 below illustrates the types of people who called the Privacy Enquiries Line in 2006-07.

Table 3.1 Source of Telephone Enquiries

Individuals                                  13 505
Health Service Providers                        415
Real Estate                                     327
Legal, Accounting and Management Services       299
Federal Government                              289
Finance                                         231
State Government                                219
Business and Professional Associations          217
Retail                                          139
Employment Services                             137

What are calls about?

Of the calls received this year, 54% related to the National Privacy Principles (NPPs). This mirrors the proportion of calls received in relation to the NPPs in 2005-06. The most frequently discussed issue was the use and disclosure of personal information by private sector organisations. This has been a consistent theme over the last four years. Use and disclosure calls made up 33% of calls about the private sector provision in 2006-07, a slight decrease on last year's 37%. Notably, there has been a significant increase in the number of calls about Tax File Numbers, with calls received this year almost doubling the number received in 2005-06. The proportion of calls about Credit Reporting and the Information Privacy Principles (IPPs) remained steady.

Table 3.2 shows a breakdown of issues discussed in calls received during 2006-07.

Table 3.2 Breakdown of issues in calls received

Private Sector Provisions Issues
NPP 1 - Collection                          1337
NPP 2 - Use and Disclosure                  3160
NPP 3 - Data Quality                         131
NPP 4 - Data Security                        762
NPP 5 - Openness                             120
NPP 6 - Access and Correction               1068
NPP 7 - Identifiers                           14
NPP 8 - Anonymity                              5
NPP 9 - Transborder Data Flows                45
NPP 10 - Sensitive Information                77
NPP Exemptions                              1788
Private Sector Provisions (General)          927
Sub-total                                   9434

Non-Private Sector Provisions Issues
Credit Reporting                            1088
Data-matching                                 16
IPPs                                         800
Spent Convictions                            181
Tax File Numbers                              93
Privacy (General)                           4039
Sub-total                                   6217

Unrelated to privacy                        1741

TOTAL                                     17 392

Who are National Privacy Principles calls about?

Chart 3.1 below distributes the NPP telephone enquiries by private sector industry groups.

A sample of calls received during 2006-07 appears below.

  • A caller rang seeking general information about how her business should comply with the NPPs. The caller was provided with information about how the NPPs might apply and what kinds of things she should be doing when collecting and using her customer information in fulfilling product orders.
  • A caller joined a personal introduction service. The service disclosed his personal information to numerous people, and disclosed others' personal information to him. The caller was concerned because the service never explained that this type of disclosure would take place. The caller was provided with information about the relevant law and the Office's complaint procedures.
  • A caller rang asking how to access a deceased person's information. The caller was advised that the Privacy Act does not apply to information about deceased individuals and that the Office was unfortunately unable to assist.
  • A caller from New South Wales sought a copy of a strata roll held by an Owners' Corporation and was denied a copy on 'privacy grounds'. In New South Wales, strata legislation allows people on the strata roll to have a copy of the roll. The caller was advised that this may be a lawful disclosure by the Owners' Corporation under NPP 2, in particular NPP 2.1(g), if authorised by law and, in that case, the Privacy Act would permit the disclosure.
  • A caller put his computer in for repair and was told by the repairer that the hard drive had crashed and needed to be replaced. The caller authorised the repair and collected his computer from the repairer. The caller subsequently received a call from a person who had her own computer fixed by the same repairer, and upon taking it home found all of the caller's personal information on her new hard drive. The caller suspected his original hard drive had been on-sold before the data on the hard drive was deleted. The caller claimed his old hard drive had all his work material on it, including personal address and contact details for his family, bank accounts and passwords, amongst other things. The caller was advised to raise the matter with the repairer by complaining. The caller was provided with information about the small business operator exemption. The caller undertook to contact the repairer and get back to the Office with any necessary complaint.

3.2.2   Written Enquiries

The Office also responds to requests for information that are received by email, letter or fax. The Office received 2182 written enquiries in 2006-07 which is a 6% decrease on the number received in 2005-06 (2316).

The Office is committed to responding to 90% of written enquiries in ten working days. This benchmark was met in 2006-07.

Over half (58%) of the written enquiries answered in 2006-07 related to the private sector provisions.

A sample of the written enquiries received in 2006-07 appears below.

  • An enquirer asked if it is permissible for an agency to use, with an individual's written consent, their Police Records Check result, obtained in the recruitment process, in the security clearance process.
  • An enquirer asked about the data security obligations of a private sector organisation.
  • An enquirer asked whether photographing a building required the owner's permission.
  • An employer asked if they could monitor staff emails.
  • An enquirer asked about the definition of 'personal information' as it appears in the Privacy Act.

3.3     Responding to Complaints

Allegations about acts or practices that may be an interference with the privacy of an individual can be accepted by the Privacy Commissioner as complaints. This can, for example, include complaints about:

  • how personal information is gathered, held, used or disclosed by large private sector organisations, private sector health service providers and some small businesses under the National Privacy Principles
  • how personal information is handled by Australian and ACT Government agencies according to the Information Privacy Principles
  • credit worthiness information held by credit providers and credit reporting agencies
  • the use of personal tax file numbers by individuals and organisations and
  • related legislation, including 'spent convictions' under the Crimes Act 1914 and Australian Government data-matching programs regulated by the Data-matching Program (Assistance and Tax) Act 1990.

3.3.1   Complaints received during 2006-07

In 2006-07, the Office received a total of 1094 complaints across all areas of its jurisdiction. This is an 8% decrease on the previous year (1183 were received in 2005-06).

Complaints related to a wide variety of issues. Examples of complaints and their outcomes can be found on the Office's website at www.privacy.gov.au/law/apply/determinations/.

The number of complaints received about each Privacy Act jurisdiction is given in Chart 3.2. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed in this chart exceeds the number of complaints received in 2006-07. As has been the case since the Privacy Commissioner's role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about.

The particular issues that are most regularly complained about as a percentage of total complaints received in 2006-07 are described in Chart 3.3. Please note that the percentages exceed 100% as some complaints contain more than one issue.

The most commonly complained about IPP issue was the improper use or disclosure of personal information, which makes up 43% of IPP allegations. The next most common allegation involved the unlawful or improper collection of personal information, making up 15% of allegations. The security of personal information was the third most frequent issue, making up 13% of allegations.

It is interesting to note that the most common issues raised in IPP complaints mirror the most common concerns raised in NPPs complaints. That is to say, that in relation to both IPP and NPP complaints the most frequently raised concerns in 2006-07 were about (in order) use or disclosure, collection and security.

Chart 3.4 shows the number of complaints made about each of the 12 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. The Office expects that this is due to the large number of finance providers, the volume of personal information transactions conducted by the sector and a reflection of the fact that the sector is bound by both the NPPs and the Credit Reporting provisions.

3.3.2   Complaints closed during 2006-07

Acts or practices that may be a breach of privacy may be investigated by the Privacy Commissioner. Where appropriate, the Commissioner may attempt to conciliate a resolution of the matters which led to the complaint.

If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further. Otherwise, the Commissioner may make a determination about a complaint under s. 52 of the Privacy Act.

In 2006-07, the Office closed 1210 complaints, 7% more than the 1131 complaints closed in 2005-06.

The Office investigated slightly more complaints under s. 40(1) of the Privacy Act than the previous year. This year it chose to make preliminary enquiries into 7% more complaints and chose to summarily dismiss 8% fewer complaints than in 2005-06. Table 3.3 provides more information about the stage at which complaints were closed.

The Office aims to finalise all complaints within 12 months of receiving them. In 2006-07 complaints were closed in an average of eight months.

Table 3.3 summarises the stage at which complaints were closed.

Table 3.3 Stage at which Complaints Closed

| Stage | Complaints closed |
|---|---|
| Decline to investigate - s. 41 | 52% |
| Preliminary enquiries - s. 42 | 36% |
| Formal investigation - s. 40(1) | 12% |
| Total | 100% |

3.3.2.1           Complaints closed following investigations

In 2006-07, the Privacy Commissioner closed 12% of complaints following an investigation of the matter under s. 40(1) of the Privacy Act. The Privacy Commissioner came to the view that the complaint would likely be upheld in about 50% of these cases. Common resolutions after the investigation proceeded to conciliation included:

  • apologies to complainants
  • changes to database systems
  • correction of records
  • provision of access to records and
  • amounts of compensation ranging from less than $500 to $20 000.

There were no determinations made in 2006-07. A determination is a legal decision or finding made by the Commissioner, as a consequence of which the Privacy Act's enforcement powers (ss. 52-62) are activated. A determination may dismiss the complaint or find that the complaint has been substantiated, and make declarations about action needed (including that conduct should cease or not be repeated), the nature of redress and compensation, or that no further action is needed.

Table 3.4 shows the grounds for declining to investigate complaints further following an investigation. Please note complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of investigations closed in 2006-07.

Table 3.4 Grounds for Declining to Investigate Complaints Further Following an Investigation

| | NPPs | IPPs | Credit | Spent convictions | TFNs | ACT IPPs | Service Provider | Total |
|---|---|---|---|---|---|---|---|---|
| No interference with privacy - s. 41(1)(a) | 29 | 11 | 10 | 0 | 0 | 1 | 1 | 52 |
| Respondent has adequately dealt with matter - s. 41(2)(a) | 53 | 5 | 17 | 0 | 0 | 0 | 1 | 76 |
| Other (for example, withdrawn) | 20 | 8 | 10 | 0 | 1 | 0 | 0 | 39 |
| Total | 102 | 24 | 37 | 0 | 1 | 1 | 2 | 16 |

In very general terms, the Commissioner found that about half of both the National Privacy Principles and Credit Reporting complaints investigated under s. 40 of the Privacy Act were substantiated. The Commissioner was less likely to find a complaint substantiated after investigating allegations about the Information Privacy Principles, with only approximately 20% of these complaints upheld.

3.3.2.2           Nature of remedies achieved by conciliation following investigation

Table 3.5 provides more detail on the outcome of complaints that were closed as adequately dealt with following investigation under s. 40(1) of the Privacy Act. As in Table 3.4, more than one resolution may have been reached for a particular complaint, meaning that the total listed in Table 3.5 is not equal to the total number of complaints.

Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation

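| | NPPs | IPPs | Credit | Service Providers | Total |
|---|---|---|---|---|---|
| Record amended | 15 | 1 | 12 | 0 | 28 |
| Apology | 12 | 2 | 4 | 0 | 18 |
| Changed procedure | 4 | 2 | 1 | 1 | 8 |
| Access provided | 6 | 0 | 0 | 0 | 6 |
| Other | 10 | 1 | 0 | 0 | 11 |
| Compensation - up to $500 | 12 | 1 | 3 | 0 | 16 |
| Compensation - $501 - $2000 | 9 | 0 | 3 | 0 | 12 |
| Compensation - $2001 - $20 000 | 3 | 1 | 1 | 0 | 5 |
| Compensation - confidential settlement | 1 | 1 | 0 | 0 | 2 |
| Total | 72 | 9 | 24 | 1 | 106 |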

Compensation was the most common resolution in investigated complaints. Compensation was paid in just over 30% of these complaints. The majority of payments were under $2000. The second most common outcome was the amendment of records.

3.3.2.3           Complaints closed following preliminary enquiries

The Privacy Act gives the Privacy Commissioner powers to conduct preliminary enquiries to determine whether the Commissioner has the power to investigate or should exercise a discretion not to investigate a matter further. For instance, a preliminary enquiry may seek to determine:

  • whether an agency or organisation is willing to provide access to records
  • if a particular act or practice is authorised by law
  • whether an organisation may claim the small business operator exemption or
  • whether a respondent is an agency or organisation.

In 2006-07 the Commissioner closed 36% of complaints after preliminary enquiries. Table 3.6 provides more detail on the basis for closing complaints following preliminary enquiries. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of preliminary enquiries closed in 2006-07.

Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries

| | NPPs | IPPs | Credit | ACT IPPs | Other | TFNs | Contract Service Providers | Total |
|---|---|---|---|---|---|---|---|---|
| Complaint not raised with respondent - s. 40(1A) | 17 | 2 | 2 | 0 | 0 | 0 | 0 | 21 |
| No interference with privacy* - s. 41(1)(a) | 145 | 22 | 19 | 0 | 3 | 2 | 1 | 192 |
| Aware of complaint for over 12 months - s. 41(1)(c) | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 2 |
| Frivolous, vexatious, misconceived or lacking in substance - s. 41(1)(d) | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 4 |
| Is being dealt with under another law - s. 41(1)(e) | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 3 |
| Another law is more appropriate - s. 41(1)(f) | 2 | 1 | 1 | 0 | 0 | 0 | 0 | 4 |
| Respondent has adequately dealt with matter - s. 41(2)(a) | 120 | 7 | 32 | 1 | 3 | 0 | 1 | 164 |
| Respondent has not had adequate opportunity to deal with matter - s. 41(2)(b) | 18 | 3 | 4 | 0 | 0 | 0 | 0 | 25 |
| Other (for example, withdrawn) | 46 | 7 | 20 | 0 | 4 | 0 | 0 | 77 |
| Total | 353 | 46 | 78 | 1 | 10 | 2 | 2 | 492 |

* This includes matters that fall outside the Commissioner's jurisdiction, for example the respondent is a state government body.

As was the case in 2005-06, the most common reason for closing complaints after preliminary enquiries was due to a finding that the individual's privacy had not been interfered with. This is in contrast to the complaints that were investigated, where the most common outcome was that the complaint was substantiated. Interestingly, in contrast to this overall trend, Credit Reporting complaints that were the subject of preliminary enquiries were more likely to be substantiated than unsubstantiated.

3.3.2.4           Nature of remedies achieved following preliminary enquiries

In the process of conducting preliminary enquiries, the Commissioner may find that the respondent has adequately dealt with the matter, or may be able to resolve the cause of the complaint through conciliation. Table 3.7 gives further detail about the types of resolutions achieved following preliminary enquiries. Please note that complaints can have more than one remedy.

Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries

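| | NPPs | IPPs | Credit | Contracted Service Providers | ACT IPPs | Other | Total |
|---|---|---|---|---|---|---|---|
| Access provided | 39 | 0 | 0 | 0 | 0 | 1 | 40 |
| Compensation - up to $500 | 6 | 1 | 0 | 0 | 0 | 0 | 7 |
| Compensation - $501 - $2000 | 9 | 2 | 1 | 0 | 0 | 0 | 12 |
| Compensation - confidential settlement | 5 | 0 | 5 | 0 | 0 | 0 | 10 |
| Other | 28 | 0 | 2 | 0 | 1 | 0 | 31 |
| Apology | 24 | 5 | 1 | 1 | 0 | 1 | 32 |
| Record amended | 37 | 2 | 25 | 0 | 0 | 2 | 66 |
| Changed procedures | 10 | 0 | 0 | 0 | 0 | 0 | 10 |
| Total | 158 | 10 | 34 | 1 | 1 | 4 | 20 |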

Compensation was an outcome in only 14% of complaints closed after preliminary enquiries. The most popular resolution was the amendment of records. In addition, a significant proportion of these matters were resolved after the provision of access, which reflects the volume of preliminary enquiries that involved complaints about access to records.

3.3.2.5           Complaints closed without investigation

In 2006-07, the Privacy Commissioner closed 52% of complaints by exercising discretions not to investigate (or 'decline') the complaint. Table 3.8 gives a listing of the grounds the Commissioner relied on to close these complaints.

The most common reasons for closing complaints without investigation were:

  • the complaint had not been raised with the respondent before being brought to the Commissioner (s. 40(1A)) or the complainant had not given the respondent sufficient time to deal with the complaint (s. 41(2)(b)) or
  • there was no interference with privacy (s. 41(1)(a)).

Compared with 2005-06, there was a 12% decrease in the number of complaints closed due to no interference with privacy. The decrease was spread evenly across the categories of complaints, indicating a general trend rather than any specific clustering of 'other' cases.

Table 3.8 shows the basis for closing complaints without investigation. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of complaints closed without investigation in 2006-07.

Table 3.8 Basis for Closing Complaints without Investigation

| | NPPs | IPPs | Credit | Other | ACT IPPs | TFN | Total |
|---|---|---|---|---|---|---|---|
| Complaint not raised with respondent - s. 40(1A) | 99 | 19 | 17 | 8 | 0 | 1 | 144 |
| No interference with privacy* - s. 41(1)(a) | 154 | 25 | 16 | 66 | 2 | 1 | 264 |
| Aware of complaint for over 12 months - s. 41(1)(c) | 2 | 2 | 1 | 0 | 0 | 0 | 5 |
| Frivolous, vexatious, misconceived or lacking in substance - s. 41(1)(d) | 4 | 6 | 2 | 6 | 0 | 0 | 18 |
| Is being dealt with under another law - s. 41(1)(e) | 3 | 1 | 0 | 0 | 0 | 0 | 4 |
| Another law is more appropriate - s. 41(1)(f) | 2 | 8 | 0 | 0 | 0 | 0 | 10 |
| Respondent has adequately dealt with matter - s. 41(2)(a) | 15 | 3 | 5 | 1 | 0 | 0 | 24 |
| Respondent has not had adequate opportunity to deal with matter - s. 41(2)(b) | 62 | 10 | 18 | 3 | 0 | 1 | 94 |
| Other (for example, withdrawn) | 73 | 14 | 27 | 10 | 0 | 3 | 127 |
| Total | 414 | 88 | 86 | 94 | 2 | 6 | 690 |

* This includes matters that fall outside the Commissioner's jurisdiction, for example the respondent is a state government body.

3.3.2.6           Compliance issues in National Privacy Principle complaints

The issues raised in complaints against private sector organisations that the Privacy Commissioner investigated and were closed as adequately dealt with, are set out in Chart 3.5. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

This year has seen a change in the most common National Privacy Principle (NPP) compliance issues. In 2006-07, the most frequently substantiated complaints against private sector organisations involved the refusal of access to personal information. This was despite the fact that the most commonly complained about NPP issue was the use and disclosure of personal information (see Chart 3.3). In 2005-06, the most frequently substantiated NPP complaint was about use and disclosure.

3.3.2.7           Compliance issues in Information Privacy Principle complaints

The issues raised in complaints against Australian and ACT Government agencies, where the agency took action after preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.6. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

2006-07 has also seen a change in the most common Information Privacy Principle (IPP) compliance issues. Compared with 2005-06, the issues of disclosure (IPP 11) and use (IPP 10) rose in frequency, while security (IPP 4) dropped slightly. It is important to note that the question of access is commonly dealt with under Freedom of Information (FOI) legislation and is therefore not a common issue in IPP complaints.

3.3.2.8           Compliance issues in Credit Reporting complaints

The issues raised in complaints against credit providers or credit reporting agencies, where the respondent took action following preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.7. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

As has been the trend for many years, the most commonly raised and corroborated Credit Reporting issue is the improper listing of payment defaults.

3.4     Own Motion Investigations

Section 40(2) of the Privacy Act gives the Privacy Commissioner the power to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Commissioner considers it desirable. The Office calls these investigations 'own motion' investigations.

3.4.1   Issues in Own Motion Investigations

During 2006-07, 55 new matters involving alleged interferences with privacy were brought to the attention of the Office by media coverage, calls to the Privacy Enquiries line, or individuals writing to the Office. The Office took steps to contact the organisation involved in the alleged act or practice in about 85% of cases.

The Office uses risk assessment criteria to determine whether to investigate a matter. These criteria include the:

  • number of people affected and the consequences for those individuals
  • sensitivity of the personal information involved
  • progress of an agency or organisation's own investigation into the matter and
  • likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are widespread.

The allegations considered by the Office in 2006-07 included that:

  • an organisation left records containing personal information on public transport
  • a government agency was collecting personal information unrelated to its employment requirements as part of its recruitment process
  • an organisation was conducting direct marketing under the guise of social research
  • personal information may have been improperly disclosed by an enforcement body
  • the security of personal information stored and accessed on certain websites had been compromised and
  • an Australian Government agency improperly disclosed Tax File Numbers.

3.4.2   Outcomes of Own Motion Investigations

The majority of cases investigated where the Privacy Commissioner found the allegations to be substantiated resulted in the respondent dealing with the issue raised, either under their own initiative or with the Office's suggestions.

Actions taken have included apologies, retrieval and appropriate disposal of records, and change in procedures.

3.5     Case Notes

The Privacy Commissioner regularly publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints. The purpose of these case notes is to provide an insight into how privacy principles are being applied, in order to:

  • assist individuals, organisations and agencies in deciding whether to pursue a complaint, or to decide if personal information is being handled appropriately
  • encourage good privacy practices and compliance with the Privacy Act and
  • ensure the Office is accountable and transparent in its processes and decision making.

In 2006-07, the Office published 24 case notes about complaints under the National Privacy Principles, Information Privacy Principles and other areas of the Privacy Act. This compares with 18 case notes published in 2005-06.

Some situations illustrated by the case notes include:

  • a government agency accessing information regarding a third party in relation to an investigation the agency was undertaking
  • the improper disclosure of personal information by an investigator retained by an insurance company and
  • a patient seeking access to medical records which had been withheld as part of a legal case.

The case notes are accessible on the Office's website at www.privacy.gov.au/law/apply/determinations/, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (Austlii) website at www.austlii.edu.au/au/cases/cth/PrivCmrA.

3.6     Complaints and Enquiries Statistics on www.privacy.gov.au

Statistical information is published by the Office to give an overview of complaints and enquiries received by the Office in a more generalised and wide-ranging form than the published case notes. Quarterly updates published on the Office's website include the number of complaints, telephone and written enquiries received, and the number of National Privacy Principle complaints closed according to issue type.

These are available at www.privacy.gov.au/complaints/statistics/.

3.7     Reports of Complaints under Approved Codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. If approved by the Privacy Commissioner, these codes replace the National Privacy Principles as the legally enforceable privacy standards for those organisations. As at 30 June 2007 there were three approved privacy codes (see Table 3.9).

Table 3.9 Approved Codes under the Privacy Act

| Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect |
|---|---|---|---|
| Queensland Club Industry Privacy Code | Privacy Commissioner | Clubs Queensland and the Privacy Commissioner | 23 August 2002 |
| Market and Social Research Privacy Code | Privacy Commissioner | Association of Market and Social Research Organisations and the Privacy Commissioner | 1 September 2003 |
| Biometrics Institute Privacy Code | Privacy Commissioner | Biometrics Institute and the Privacy Commissioner | 1 September 2006 |

The Privacy Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the Office under any of the approved codes in 2006-07.

The Privacy Commissioner is required to maintain a register of approved codes under s. 18BG of the Privacy Act. The register can be found on the Office's website at www.privacy.gov.au/business/codes/.

3.8     Audits

Under the Privacy Act, the Privacy Commissioner has powers to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits are crucial to determining and improving the degree of compliance with the Privacy Act. The Office conducts audits to promote best privacy practice and to reduce privacy risks across agencies.

The Commissioner's audit powers are set out in several sections of the Privacy Act:

  • auditing agency compliance with the Information Privacy Principles - s. 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information - s. 28(1)(d)
  • auditing TFN recipients - s. 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers - s. 28A(1)(g).

The Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, unless at the request of the organisation under s. 27(3).

The number of audits carried out by the Office has varied over the life of the Privacy Act depending on the nature and volume of privacy complaints and other priorities of the Office. In 2006-07 the Office mainly undertook audits where it had received specific funding to do so. This is consistent with the approach taken by the Office since 2002-03 when the Commissioner decided to redirect the Office''s resources as a result of the significant increase in complaint numbers. However, 2006-07 also signalled the return of the audit program into Australian Government agencies.

In an effort to promote transparency in the Office's audit work and to help promote good privacy practice, the Office has published the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002 on its website (see www.privacy.gov.au/law/apply/audit). Some audit reports have classified content and as such have been withheld from publication or have been published in an abridged form.

3.8.1   Audits Commenced in 2006-07

3.8.1.1           ACT Government Audits

The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3) which includes a commitment by the Office to conduct two audits of ACT Government agencies per financial year. The Office selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

Table 3.10 below shows audits of ACT Government agencies commenced by the Office in 2006-07 under this arrangement.

Table 3.10 ACT Audits Commenced 2006-07

| Agency | Audit Scope | Commenced |
|---|---|---|
| ACT Department of Territory and Municipal Services | Client Records | February 2007 |
| University of Canberra | Staff and Student Records | June 2007 |

3.8.1.2           Biometrics for Border Control Audits

The Office has been allocated additional funding over four years (2005-06 to 2008-09) as a component of the Biometrics for Border Control program involving the Department of Foreign Affairs and Trade, the Australian Customs Service (Customs) and the Department of Immigration and Citizenship (DIAC). The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing. The Office has committed to undertake three audits per year of key projects in the Biometrics for Border Control program.

Table 3.11 below shows audits of Biometrics for Border Control projects commenced by the Office in 2006-07 under this funding.

Table 3.11 Biometrics for Border Control Audits Commenced 2006-07

| Agency | Audit Scope | Commenced |
|---|---|---|
| Customs | SmartGate (System Design) | August 2006 |
| DIAC | eHealth System | June 2007 |

The Office had scheduled a post-implementation audit of the Customs SmartGate project during 2006-07. However, the project was not ready to be audited and the audit has been postponed until 2007-08.

3.8.1.3           Australian Government Audits

During 2006-07 the Office commenced an audit of one Australian Government agency, the Australian National University, under s. 27(1)(h) of the Privacy Act. The purpose of the audit was to assess the agency's compliance with the Information Privacy Principles in its handling of personnel case files, personnel recruitment files and student records, and other records as appropriate.

3.8.2  Audits Finalised in 2006-07

3.8.2.1           ACT Government Audits

In 2006-07, the Office finalised privacy audits of the ACT Government agencies shown in Table 3.12 below.

Table 3.12 ACT Government Audits Finalised 2006-07

| Agency | Audit Scope | Finalised |
|---|---|---|
| ACT Office of the Community Advocate | Client Records | July 2006 |
| ACT Corrective Services | Client and Staff Records | November 2006 |

The Office found that the agencies generally had appropriate privacy controls in place to ensure a satisfactory level of compliance with the Information Privacy Principles. However, where insufficient privacy controls were identified or where better privacy practice could be instituted, the auditors made recommendations concerning those aspects of the agencies' operations.

Common audit findings covered:

  • the lack of appropriate database audit trail capacities to monitor access and amendment of client records
  • the need for better security controls for electronic records such as 'need-to-know' access controls and regular password change prompts
  • a requirement to provide better privacy training for both new and existing staff in terms of keeping records of personal information
  • a need for clear policies regarding data retention and storage/transit of personal information
  • a need to improve notices provided to individuals when collecting their personal information and
  • the need to ensure the agency did not retain unnecessary personal information.

Generally, the audited agencies accepted the Office's recommendations.

3.8.2.2           Identity Security Audits

In 2005-06 the Office received funding to provide privacy advice and oversight in respect of projects to be delivered under the Australian Government's National Identity Security Strategy (see section 1.3.5). As part of its oversight activity, the Office undertook an audit of the Document Verification Service (DVS) Prototype convened by the Attorney-General's Department (AGD).

The DVS is an online system which allows authorised Australian, state and territory Government agencies to verify the details of documents presented to them as proof of identity with the data recorded in the register of the corresponding document-issuing agencies.

The audit was commenced in June 2006 and finalised in May 2007. The Office made seven recommendations in this audit relating to clarification of roles between the parties, data security (encryption), handling of personal information by recipients and provider agencies and the development of specific guidelines in the handling of DVS data.

These recommendations were provided to the participating agencies for consideration in the future development of a Privacy Impact Assessment for the National DVS being conducted by the AGD.

3.9     Personal Information Digest

To help people understand what personal information is held by each Australian and ACT Government agency, Information Privacy Principle 5.3 in s. 14 of the Privacy Act requires agencies to keep a record detailing:

  • the nature of records kept
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records and
  • the steps an individual needs to take to gain access to the records.

These explanatory records must be provided to the Privacy Commissioner in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).

The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website and the Office''s website. The Office published the PID for Australian Government agencies for the period ending June 2006 on its website at www.privacy.gov.au/government/digests/.

3.10   Monitoring Government Comparisons of Data Sets

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing these data sets in order to identify any discrepancies.

For example the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.

The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises a number of privacy issues. To ensure that government agencies minimise their impact on individuals' privacy while data-matching, the Office performs a number of functions. The Privacy Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998), which are voluntary guidelines to assist agencies not subject to the Data-matching Act, to perform data-matching programs in a privacy sensitive way.

3.10.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines

In order to detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans' Affairs (DVA) and the Australian Taxation Office (ATO).

The Data-matching Act and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines) outline the type of personal information that can be used, how it can be processed and how the results can be used. They also require that individuals be provided with the opportunity to dispute or explain any matches, and require that individuals have means for redress.

The Data-matching Act requires Centrelink, DVA and the ATO to report to parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency. The Data-matching Act also makes the Commissioner responsible for monitoring the functioning of the statutory data-matching program. To this end, the Office runs inspections (see section 3.10.1.1).

3.10.1.1         Inspections

During 2006-07 the Office inspected Centrelink's handling of a sample of data-matching cases in three regions. The regions inspected were as follows:

  • Area South Australia, September 2006
  • Area Pacific Central, December 2006
  • Area Hunter, March 2007.

Representatives of the Office, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each of the inspections, a report is prepared and provided to Centrelink outlining the findings. The Office found that Centrelink's processes and procedures for statutory data-matching were largely compliant with the requirements of the Data-matching Act.

3.10.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)

Many Australian government agencies also carry out data-matching activities that are not subject to the Data-matching Act but run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard for the privacy of individuals, the Privacy Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration (1998).

These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.

Agencies are also required to prepare a description of the data-matching activity (a 'program protocol'). Before the activity is commenced, the program protocol should be submitted to the Privacy Commissioner for comment and, once it has been finalised, the program protocol should be made available to the public.

In 2006-07, the Privacy Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 3.13.

| Matching Agency | Source Agencies or Organisations | Name of the Program Protocol | Description of the Program Protocol | Received Date |
|---|---|---|---|---|
| ATO | Civil Aviation and Safety Authority; Australian Sports Rotorcraft Association; Recreational Aviation Australia | Aircraft Project Program Protocol | Identifies high wealth individuals who fail to meet their taxation obligations. The protocol sought to identify owners of aircraft who may have failed to lodge tax returns or under-reported their taxable income. | August 2006 |
| ATO | BarterCard providers | Barter Industry Program Protocol | Update of 2004 program protocol to review data from later periods. | September 2006 |
| ATO | Racing NSW | Horse Racing Data Matching Program Protocol | Update of 2003 program protocol extending the program to review 2003-04 and 2004-05 financial year periods. | September 2006 |
| ATO | Various shopping centre operators (e.g. Westfield, Stockland etc). | Shopping Centre Retailers Data Matching Program Protocol | Identifies retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals. | September 2006 |
| ATO | Victorian Taxi Directorate; Queensland Transport | Taxi Industry Data Matching Program Protocol | Identifies taxi drivers who may have failed to register for GST or declare income. | September 2006 |
| ATO | WorkCover WA, Tas, NT and ACT | WorkCover WA, Tas, NT and ACT Data Matching Program Protocol | Identifies non-compliance with registration, lodgement and payment obligations under taxation law. The protocol matched business names and addresses registered with WorkCover WA, Tas, NT and ACT with its own records. This may include personal information. | November 2006 |
| ATO | Telstra Corporation Ltd; News Limited; John Fairfax Holdings Limited; Carsales.com.au Limited; Just Magazines Group | Internet Trading, Print Media Advertising and Motor Vehicle Publications Data Matching Project | To improve compliance with taxation obligations, the protocol matches sales data provided by key internet trading, print media advertising and motor vehicle publications with ATO taxpayer records. | December 2006 |
| ATO | Various market operators located in NSW, Victoria and Queensland | Market Stall Holders Data Matching Project | To improve compliance with taxation obligations, the protocol matches data provided by around 21 market operators (and the entities that operate stalls in these markets) with ATO taxpayer records. | December 2006 |
| Centrelink | Stage 1: ATO; Stage 2: Identified external agencies | Spousal Indicator Matching with External Agencies | Identifies Centrelink customers who are receiving single-rate benefits who are married or in a marriage-like relationship. At least 8 identified external agencies will participate in Stage 2 (e.g. Medicare, Australian Electoral Commission, Land Titles Offices) | December 2006 |
| Centrelink | Centrelink; Commonwealth Bank of Australia (CBA) | Bank Account Verification - Proof of Concept Trial | To ensure payment integrity is maintained, the protocol matched specified Centrelink and CBA customer records to identify if Centrelink customers' eligibility for payments had changed on the grounds of variations in income or asset details. | December 2006 |
| Centrelink | Relevant Overseas Authority | Death matching with International Agencies | Identifies deceased Centrelink customers who have died overseas and continue to be paid. | March 2007 |
| Centrelink | ATO | Tax Garnishee Project | Identifies ATO clients with a Centrelink debt for the purpose of intercepting their tax refund or available credit by a garnishee notice from Centrelink. | May 2007 |
| Centrelink | Income Stream Providers (ISPs) | Improved Administration of Income Streams | Revision of 2005 program protocol to increase the usefulness of the protocol for Income Stream Providers (ISPs) participating in the data-matching activity. | June 2007 |

4.1     Administrative Arrangements

4.1.1   Human Rights and Equal Opportunity Commission Memorandum of Understanding

The Office has a Memorandum of Understanding with the Human Rights and Equal Opportunity Commission (HREOC) which establishes an arrangement for the provision of corporate services. The Office paid $878 086 for these services in 2006-07. This includes payroll, recruitment services and general personnel support, finance, legal and support services, and information technology support. The Office also sub-lets premises from HREOC.

4.1.2   Attorney-General's Department Memorandum of Understanding

The Office has a non-financial Memorandum of Understanding with the Attorney-General's Department. This Memorandum was established in 2000-01 and sets out an agreed basis for policy and operational coordination between the Department and the Office. Representatives from both agencies meet monthly. The benefits of the arrangements include open lines of communication to keep each party informed of relevant activities and developments, and improved advice to Ministers and other key stakeholders.

4.1.3   ACT Government Memorandum of Understanding

The Office continues to have a Memorandum of Understanding with the ACT Government. The relationship has been in place since 1 July 2000 and the current Memorandum will expire on 30 June 2008. Under the Memorandum, the Office fulfils advisory, education and compliance roles including audits, and reports half-yearly and annually on activities undertaken in relation to the ACT Government. In 2006-07, in return for these services the Office received $94 987, as set out in the financial statements. Further information regarding advice provided to ACT Government agencies can be found at section 1.4.

4.1.4   Centrelink

The Office continued to undertake its responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 throughout 2006-07. Under an agreement with Centrelink, the Office receives annual funding of $331 875 to support the costs of monitoring the conduct of the data-matching program. For further information on data-matching see section 3.10.

4.1.5   Department of Human Services Memorandum of Understanding

In December 2006 the Office entered into a Memorandum of Understanding with the Department of Human Services (DHS) which allows for close consultation on privacy-related issues in the development and roll-out of the proposed Health and Social Services Access Card. Under the terms of the Memorandum, DHS has agreed to provide the Office with $375 000 per year for the term of the agreement (1 July 2006 to 30 June 2010). For more information see section 1.3.2.

4.1.6   Medicare Australia Memorandum of Understanding

The Office has a Memorandum of Understanding with Medicare Australia. Under the Memorandum, Medicare Australia provides the Office with resources ($130 000 per annum for the period 1 July 2005 to 30 June 2007) to provide advice and undertake work on privacy-related projects relevant to Medicare Australia.

4.1.7   Department of Immigration and Citizenship Memorandum of Understanding

The Office had a Memorandum of Understanding with the Department of Immigration and Citizenship (DIAC) during the reporting period. Under the Memorandum DIAC provided the Office with resources ($350 000 for the period 1 July 2006 to 30 June 2007) to give advice on privacy-related projects. For more information see section 1.3.3.

4.1.8   NSW Privacy Memorandum of Understanding

In December 2005 the Office entered into a non-financial Memorandum of Understanding with the Office of the NSW Privacy Commissioner to provide a framework for cooperation in undertaking their respective responsibilities when those responsibilities overlap, and to take advantage of opportunities to assist each other in joint training, education, promotion and enforcement activities.

4.1.9   Commonwealth Ombudsman Memorandum of Understanding

In November 2006, a non-financial Memorandum of Understanding was established between the Privacy Commissioner and the Commonwealth Ombudsman to allow for greater cooperation between their offices when dealing with privacy-related complaints.

The Memorandum allows for the exchange of relevant information where both Offices are considering the same issue and also offers the option of undertaking a joint investigation where a complaint falls under the jurisdiction of both Offices. Further, it enables referral of complaints to the other office where appropriate and with consent.

The two Offices will hold annual consultations to discuss the effectiveness of the agreement.

4.1.10 Office of the New Zealand Privacy Commissioner Memorandum of Understanding

The Office entered a non-financial Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner in September 2006. The Memorandum enables cooperation between the two offices on privacy-related issues and the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies.

The Memorandum stems in part from the APEC Privacy Framework, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum, all of which advocate the forming of cooperative arrangements between privacy regulators.

The current Memorandum will expire in September 2008.

4.2     Corporate Services

4.2.1   Audit Committee

Consistent with ASX principles of good corporate governance and the requirements of the Financial Management and Accountability Act 1997, the Office maintains an audit committee to advise the Privacy Commissioner on the agency's compliance with external reporting requirements and the effectiveness and efficiency of internal control and risk management mechanisms in place within the Office. The audit committee met four times during the reporting period.

4.2.2   Purchasing

The Office's purchasing procedures comply with the Australian Government Procurement Guidelines issued by the Department of Finance and Administration. They address a wide range of purchasing situations, allowing managers to be flexible when making purchasing decisions while complying with the Australian Government's core procurement principle of value for money.

There was no competitive tendering and contracting during 2006-07 that resulted in a transfer of provider from a Commonwealth supplier of goods or services to a non-government body.

4.2.3   Certification of Fraud Measures

The Office has a fraud risk assessment and fraud control plan including procedures and processes in place to assist in the process of fraud prevention, detection, investigation and reporting in line with the Commonwealth Fraud Control Guidelines.

4.2.4   Consultants

The Office uses consultancy services where there is a need to access skills and expertise not available within the human resources of the agency. During 2006-07 one new consultancy contract was entered into involving total actual expenditure including GST of $84 709. There were no active part-performed consultancy contracts from prior years.

Table 4.1 Consultancy Contracts 2006-07

| Consultant Name | Description | Contract Price | Selection Process | Justification |
|---|---|---|---|---|
| Wallis Consulting Group Pty Ltd | Research into community attitudes towards privacy in Australia | $84 709 | Select Tender | A,B |
| TOTAL | | $84 709 | | |

Information on expenditure on contracts and consultancies is also available on the AusTender website at www.tenders.gov.au.

4.2.5   Advertising and Market Research

As noted in section 4.2.4, a contract for the provision of research into community attitudes towards privacy was entered into in 2006-07. The total value of the contract was $84 709 including GST. During 2006-07 a total of $12 706 (including GST) was paid out to the contractor under the contract.

4.2.6   Ecologically Sustainable Development and Environmental Performance

The role and activities of the Office do not directly link with the principles of ecologically sustainable development or impact on the environment other than through its business operations in the consumption of resources required to sustain its operations.

The Office uses energy saving methods in its operation and endeavours to make the best use of resources. The Office has implemented a number of environmental initiatives to ensure issues of environmental impact are addressed. Major energy consuming services such as air conditioning and lighting are switched off outside working hours. In addition waste products such as paper, cardboard, printer cartridges and other recyclable materials are recycled subject to the availability of appropriate recycling schemes. Preference is given to environmentally sound products when purchasing office supplies. Purchase/leasing of 'Energy Star' rated office machines and equipment is encouraged, as are machines with 'power save' features.

During 2006-07 the Office and its staff participated in the Earth Hour initiative, which was held on Saturday 31 March 2007.

4.3     Management of Human Resources

4.3.1   Staffing Overview

There was an increase in staffing through the year as a result of increased funding. An additional Senior Executive Service position was created and filled at the Band 2 level as a result of a restructure in the Office. The Office's average staffing level for 2006-07 was 52.13 staff with a turnover of approximately 21% for ongoing staff. Ten ongoing staff either resigned or transferred to other Commonwealth agencies. Twenty-five ongoing staff were employed. The increase was largely in the Compliance section to deal with the increased workload.

As at 30 June 2007 the Office had a total of 63 staff, including both ongoing and non-ongoing employees. An overview of the Office's staffing profile as at 30 June 2007 is summarised in Table 4.2. The number of part-time staff also includes casual staff employed as at 30 June 2007.

Table 4.2 Overview of Staffing Profile as at 30 June 2007

| Classification | Male | Female | Full Time | Part Time | Total Ongoing | Total Non-ongoing | Total |
|---|---|---|---|---|---|---|---|
| Statutory Office Holder | - | 1 | 1 | - | - | 1 | 1 |
| SES Band 2 | 1 | - | 1 | - | 1 | - | 1 |
| SES Band 1 | 1 | - | 1 | - | 1 | - | 1 |
| EL 2 ($85,544 - $98,521) | 1 | 3 | 4 | - | 4 | - | 4 |
| EL 1 ($74,170 - $81,337) | 4 | 5 | 8 | 1 | 9 | - | 9 |
| APS 6 ($59,295 - $66,460) | 10 | 12 | 19 | 3 | 20 | 2 | 22 |
| APS 5 ($53,567 - $57,856) | 6 | 8 | 12 | 2 | 10 | 4 | 14 |
| APS 4 ($48,026 - $52,147) | 2 | 4 | 3 | 3 | 4 | 2 | 6 |
| APS 3 ($43,092 - $46,509) | 3 | 2 | 2 | 3 | 3 | 2 | 5 |
| APS 2 ($38,874 - $41,954) | - | - | - | - | - | - | - |
| APS 1 ($33,430 - $36,946) | - | - | - | - | - | - | - |
| Total | 28 | 35 | 51 | 12 | 52 | 11 | 63 |

4.3.2   Workplace Relations and Employment

Staff members at the Office are employed under s. 22 of the Public Service Act 1999. Staff members are covered by the Office of the Privacy Commissioner Certified Agreement 2006-2009 which was certified by the Australian Industrial Relations Commission in March 2006 and is in operation until March 2009. The Agreement is comprehensive and was certified under s. 70LJ of the Workplace Relations Act 1996. The number of Office employees covered by the Agreement as at 30 June 2007 was 56, including both ongoing and non-ongoing staff.

The current Agreement provides for 14 weeks paid maternity leave, four weeks paid parental leave, and access to extended leave following maternity or parental leave. The Office also supports access to part-time employment up until the child reaches school age. Salary progression within classification levels is subject to performance assessment. Salary ranges are reflected in Table 4.2.

The Office had seven staff covered by Australian Workplace Agreements during the reporting period, including two Senior Executive Service (SES) staff members.

4.3.3   Performance Management and Staff Development

The Office's Performance Management Scheme provides a framework to manage and develop staff to achieve corporate objectives. The Scheme provides regular and formal assessment of an employee's work performance and allows for access to training and skill development.

The Office's Certified Agreement recognises the need to provide adequate training for staff to support workplace changes. This is especially relevant with changes in the information technology area where staff are provided with relevant and ongoing training. Training in investigation and conciliation was a priority for the year and staff in the Compliance area attended training sessions.

Training is identified through an individual's training and development plan in conjunction with the Performance Management Scheme. Training encompasses a range of development activities including professional development courses, on-the-job training and the opportunity to represent the organisation at seminars and other forums.

As part of the Office's staff development strategy, staff members are provided with support under a Studies Assistance policy. The policy provides for access to study leave where study is relevant to the work of the Office, an individual's work responsibilities and where it assists with career development.

4.3.4   Workplace Diversity and Equal Employment Opportunity

The Office recognises that diversity in staff is one of its greatest assets and is committed to valuing and promoting the principles of workplace diversity through work practices. The Office participates in a joint Workplace Diversity Committee with the Human Rights and Equal Opportunity Commission. Throughout the year the Office promoted and supported events including International Women's Day, NAIDOC Week and Harmony Day. Other strategies under the plan focus on family friendly workplace policies. Five ongoing staff had part-time arrangements in place. The Committee continues to work towards achieving results in the Workplace Diversity Plan.

The Office's Reconciliation Action Plan (see section 4.3.5) was developed during the year and the strategies developed will link in with the Office's Workplace Diversity Plan.

4.3.5   Reconciliation Action Plan

During the reporting period the Office developed a Reconciliation Action Plan. The Reconciliation Action Plan initiative was developed by Reconciliation Australia to help organisations and agencies identify and develop business practices that contribute to the wellbeing and quality of life of Indigenous Australians.

The Office's draft Plan, which involved staff input from all sections of the Office, identified five Key Reconciliation Result Areas:

  • establishing dialogue with Indigenous stakeholders on privacy issues
  • improving awareness of privacy rights in the Indigenous community
  • developing guidance material for agencies and organisations on protecting and respecting the privacy of Indigenous Australians
  • improving and applying cultural awareness and knowledge within the Office
  • creating employment and development opportunities.

During National Reconciliation Week (27 May - 3 June 2007), the Office hosted an afternoon tea at which the Privacy Commissioner presented the Office's draft Plan to staff. At the event, the Director of the Social Justice Unit at the Human Rights and Equal Opportunity Commission also spoke to staff about reconciliation.

In 2006-07, the Office began consulting with Reconciliation Australia on the draft version of the Plan. In 2007-08, the Office will finalise the Plan and make it available on the Office's website.

4.3.6   Occupational Health and Safety

The Office and the Human Rights and Equal Opportunity Commission are co-located and cooperate over Occupational Health and Safety (OH&S) issues. The Office's Health and Safety representative is a member of the joint agencies' OH&S Committee (the Committee). This Committee also includes corporate support staff and meetings are held regularly throughout the year.

It is the policy of the Office to promote and maintain the highest degree of health, safety and wellbeing of all staff. The Office monitors health and safety through the Committee. Minutes of the Committee are placed on the Office's intranet and any issues that require action are brought to the attention of management.

Personnel staff have been trained as case managers and regularly attend Comcare forums and training as required.

Ongoing assistance and support on OH&S and ergonomic issues is provided to new and existing staff. Assessments are completed as required for staff who identify particular ergonomic issues. A software program called 'WorkPace' assists staff in taking regular pause breaks through the day. The Office also offers support to staff through the promotion of health programs such as flu vaccinations. The Office provides a Healthy Lifestyle Allowance under the Certified Agreement to promote health and fitness as a means of achieving work/life balance and improving the health and wellbeing of our employees.

The Office continues to provide staff with access to counselling services through its Employee Assistance Program. This is a free and confidential service for staff and their families to provide counselling on personal and work related problems if required. No systemic issues have been identified through this service.

A hazards survey is conducted annually and the Committee monitors any OH&S issues that arise. There have been no dangerous accidents or occurrences reported over the last year.

Work has begun on the development of new Health and Safety Management Administrative plans (HSMAs) as a result of changes to the Safety Rehabilitation Compensation and Other Legislation Amendment Act 2007 which came into effect on 13 April 2007.

4.3.7   Commonwealth Disability Strategy

All Australian Government agencies are required to report annually against the Commonwealth Disability Strategy (CDS) performance framework. The Office's report against the CDS is at Appendix 4. Full details on the CDS can be found on the Department of Family and Community Services website at www.facsia.gov.au/disability/cds/index.htm. Through the CDS the Government seeks to ensure its policies, programs and services are as accessible to people with disabilities as they are to all other Australians.

Appendix 1 The Privacy Act and the Office of the Privacy Commissioner

Privacy Commissioner's Functions

The Privacy Commissioner has specific statutory functions under ss. 27, 28 and 28A of the Privacy Act 1988. These functions include, amongst other things, investigating possible breaches of the Privacy Act, undertaking audits of agencies or organisations to ensure compliance with the Privacy Act, providing advice to agencies and organisations on matters related to privacy, and promoting and encouraging the adoption of privacy standards in the community.

One of the key responsibilities of the Office is to handle complaints. Individuals who believe that their privacy may have been interfered with by an agency or organisation are able to lodge a complaint with the Office under s. 36 of the Privacy Act. The Privacy Commissioner may then undertake preliminary enquiries of the respondent to determine whether there are grounds, and whether the Commissioner has jurisdiction, to formally open an investigation into the complaint under s. 40 of the Privacy Act.

Staff members of the Compliance section conciliate between the parties to attempt to adequately resolve the dispute. If the parties are not able to come to a mutually satisfactory agreement, the Privacy Commissioner is able to make a determination under s. 52 of the Privacy Act to dismiss the complaint. Alternatively, the Privacy Commissioner is able to find in favour of the complainant and decide upon suitable orders to remedy the breach. The orders are enforceable in the Federal Court or Federal Magistrates Court under s. 55A of the Privacy Act.

Generally, a complaint must be in writing. The Office is obliged to provide appropriate assistance to people who require it in order to help formulate and appropriately set out the particulars of the complaint.

Individuals cannot complain to the Privacy Commissioner about organisations which are bound by a privacy code approved by the Commissioner, when that code has its own code adjudicator. Individuals may, however, ask the Privacy Commissioner to review a determination made by a code adjudicator under s. 18BI of the Privacy Act.

The Privacy Commissioner has the power to launch investigations under s. 40(2) of the Privacy Act, and these are referred to as Own Motion Investigations (OMIs). The Privacy Commissioner undertakes OMIs where it appears that a breach of the Privacy Act may have occurred and it is thought to be desirable that an OMI be undertaken, for example where the alleged breach is not limited to one complainant, or in circumstances where the alleged breach raises systemic and/or ongoing issues.

The Office's Policy section assists the Privacy Commissioner in providing advice on privacy issues, including interpreting the operation of the Privacy Act, to Ministers, Australian and ACT Government agencies, and organisations. The section develops guidance material (such as guidelines, information sheets and FAQs) to help explain the operation of the Privacy Act and the Privacy Commissioner's functions.

The Policy section examines enactments and proposals from agencies, advising on their potential privacy implications and their overall compliance with the Privacy Act. It also assists the Privacy Commissioner in carrying out other functions under the Privacy Act, as well as prescribed functions under the National Health Act 1953, the Telecommunications Act 1977 and the Crimes Act 1914.

The Office's Corporate and Public Affairs section manages the public profile of the Office and the Privacy Commissioner, provides secretariat support and manages the Office's corporate responsibilities. The unit is responsible for developing and maintaining the Office's website, handling media enquiries, assisting with the provision of Privacy Act training and providing a secretariat role to several committees including the Privacy Contact Officer Steering Committee, Privacy Advisory Committee and Asia Pacific Privacy Authorities forum. The section also liaises with key stakeholders, including domestic bodies and international authorities, and handles the Office's corporate governance responsibilities.

Privacy Act

The Privacy Act gives effect to article 17 of the International Covenant on Civil and Political Rights and to the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act establishes the method by which personal information about individuals can be collected and stored, specifies the permissible uses of that information, and limits the circumstances in which that information can be disclosed. It also sets out a mechanism by which individuals can gain access to, and amend where appropriate, the personal information about them held by agencies and organisations.

The Privacy Act protects personal information under four main sets of requirements.

  • The National Privacy Principles (NPPs) (see Appendix 6) regulate the way private sector organisations handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of organisations covered by the Privacy Act. In general the NPPs apply to all businesses and non-government organisations with a turnover of $3 million or more, all health service providers and a limited range of small businesses.
  • The Information Privacy Principles (IPPs) (see Appendix 7) regulate the way most Australian and ACT Government agencies handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of those agencies covered by the Privacy Act.
  • Individuals' Tax File Number (TFN) provisions: the Privacy Act prevents TFNs from being used as a de facto national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax-related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and enforces legally binding guidelines.
  • Part IIIA of the Privacy Act places strict safeguards on the handling of individuals' consumer credit information by the credit industry. These provisions recognise the sensitivity of credit-worthiness information and the implications for individuals should credit information be mishandled. Strict penalties apply if these provisions are breached.

Subordinate Legislation

Privacy in Australia is further regulated by subordinate legislation including those listed below.

  • Privacy (Private Sector) Regulations 2001, which set out the standards under s. 18BB(3)(a)(i) of the Privacy Act that need to be met before a privacy code can be approved by the Privacy Commissioner, and prescribe specific agencies, state authorities and organisations for particular purposes under the Privacy Act.
  • Privacy Regulations 2006, which exempt the secrecy provisions of the Census and Statistics Act 1905 from the provisions in the Privacy Act (Part VIA) which relate to allowable disclosures during emergencies.
  • Privacy codes developed by organisations and approved by the Privacy Commissioner under Part IIIAA of the Privacy Act can replace the National Privacy Principles for particular organisations or activities if they enhance or are equivalent to those principles.
  • Mandatory guidelines under the Privacy Act, for example the Tax File Number Guidelines issued under s. 17 of the Privacy Act.
  • Public Interest Determinations and Temporary Public Interest Determinations under Part VI of the Privacy Act.
  • Credit Reporting Determinations under Part IIIA of the Privacy Act.
  • The Credit Reporting Code of Conduct issued under s. 18A of the Privacy Act.

The Privacy Act and the subordinate legislation are supported by advisory guidelines issued by the Office, including:

  • Guidelines to the National Privacy Principles
  • Guidelines to the Information Privacy Principles
  • Guidelines for the Use of Data-matching in Commonwealth Administration
  • Guidelines on Privacy in the Private Health Sector
  • Guidelines on Privacy Code Development (part of these guidelines are mandatory)
  • Guidelines on Public Interest Determination Procedure
  • Guidelines for Federal and ACT Government Websites
  • Guidelines on Workplace Email, Web Browsing and Privacy
  • Guidelines for Agencies using Privacy and Public Key Infrastructure to communicate or transact with individuals.

In addition, the National Health and Medical Research Council (NHMRC) has issued the following binding guidelines after consulting with the Privacy Commissioner:

  • Guidelines under Sections 95 and 95A of the Privacy Act 1988.

Other Legislation

The role of the Privacy Commissioner is further defined by legislated responsibilities that are set out in the following legislation.

  • Part VIIC of the Crimes Act 1914, the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances (the Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme).
  • The Data-matching Program (Assistance and Tax) Act 1990, which regulates data-matching between the Australian Taxation Office and the assistance agencies to detect overpayment and ineligibility for assistance (under this Act, the Privacy Commissioner is responsible for issuing mandatory guidelines for protecting privacy, investigating complaints and monitoring agency compliance).
  • The National Health Act 1953, under which the Privacy Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals' claim information under the Pharmaceutical Benefits Scheme and the Medicare program.
  • The Telecommunications Act 1997, under which the Privacy Commissioner has certain monitoring and compliance functions.

Outcomes and Outputs Structure

The Office's outcome statement, as set out in the Portfolio Budget Statement, is:

An Australian culture in which privacy is respected, promoted and protected.

There is one output for the Office's outcome:

Complaint handling, compliance and monitoring, and education and promotion.

There are two performance measures:

Quality

  • Majority of complainants and respondents surveyed satisfied that complaint handling service was timely and impartial.
  • Majority of enquirers surveyed satisfied with advice provided by Hotline and in written response.
  • 80% of complaints finalised within 12 months of receipt, 90% of written enquiries answered within ten days.
  • Agencies and organisations satisfied that audits improve their privacy practices and procedures.
  • Audits finalised within 6 months of commencement.
  • Targeted information available that informs the community, including business and government, of their rights and responsibilities in respect of the Office's jurisdictional responsibilities.

Quantity

  • Close 1300 complaints, respond to 2000 written enquiries, and answer 20 000 calls.
  • 3 audits commenced.
  • >800 000 visits to the website.
  • >3.5 million pages viewed on the website.

Table A1.1 Resources for Outcomes

                                                                          Budget      Actual Expenses   Budget
                                                                          2006-07     2006-07           2007-08
                                                                          $'000       $'000             $'000
Total Administrative Expenses
Price of Department Outputs Output Group 1.1 Complaint handling,          7358        6833              7805
  compliance and monitoring, and education and promotion
Subtotal Output Group 1.1                                                 7358        6833              7805
Revenue from Government (Appropriation) for Departmental Outputs          6486        6486              6931
Revenue from other Sources                                                872         347               874
Total price of Outputs                                                    7358        6833              7805
Total for Outcome 1 (Total price of Outputs and Administered Expenses)   7358        6833              7805

                         Actual 2006-07   Estimated Actual 2007-08
Average Staffing Level   52               56

 

Appendix 2 Freedom of Information Act Compliance

The Freedom of Information Act 1983 (FOI Act) gives the general public legal access to government documents. For information on the Office's procedures see Freedom of Information procedures below.

Section 8 of the FOI Act requires each Australian Government agency, including this Office, to publish information about the way the Office is organised, together with its functions, powers and arrangements for public participation in the work of the agency. The Office is also required to publish the categories of documents that the Office holds and how members of the public can gain access to them.

Organisation

The Office's organisational structure is provided in Chart A1.1 in Appendix 1.

Authority and legislation

The Office is established, and the Privacy Commissioner's functions and powers are conferred, by the Privacy Act 1988. Information regarding the Office's functions and powers is set out in Appendix 1.

Number of formal requests for information

During 2006-07, the Office received 14 requests for access to documents under the FOI Act. Twelve requests related to access to documents concerning individual privacy. Two requests related to documents concerning the functions and activities of this Office.

Avenues for public participation

The Office uses the following processes and consultative bodies to assist the participation by persons or bodies outside the Commonwealth administration in the policy-making functions of the Office or in its administration of various schemes and enactments.

  • The Office has a Strategic Plan (see Appendix 8) which commits it to developing robust relationships with external stakeholders, and to ensuring that effective relationships, partnerships and networks are at the core of the Office's internal and external operations.
  • Part VII of the Privacy Act provides for the establishment of the Privacy Advisory Committee to advise the Commissioner on relevant matters, recommend material to the Commissioner for inclusion in guidelines and, subject to direction by the Commissioner, engage in community education and consultation.
  • The Privacy Commissioner's Health Privacy Forum is an informal group of senior stakeholders from the health sector to assist the Commissioner on matters of health privacy.
  • The Office coordinates the Privacy Contact Officer (PCO) Network to facilitate the resolution of privacy issues within Australian and ACT Government agencies and provide training and expertise to those agencies. The PCO network meets four times per year.
  • The Privacy Connections network plays a similar role in the private sector and regular forums are held for network members across Australia.
  • The Office meets on an informal basis with representatives of privacy and consumer non-government organisations to discuss privacy matters affecting the Australian community.
  • The Compliance section conducts customer surveys to determine levels of service and customer satisfaction. A survey was conducted in 2004-05. Although initially scheduled for 2006-07, this survey will now be carried out again in 2007-08.
  • The Commissioner also has legislative requirements to consult. For example the provisions relating to making a public interest determination require the production of a draft determination and the invitation of interested parties to attend a conference (ss. 75 and 76). Similarly, the Commissioner needs to be satisfied that there has been an adequate opportunity for the public to comment before approving a proposed privacy code (s. 18BB(2)(f)).
  • The Office invites public consultation from individuals and organisations through its website.

Categories of documents

Documents held by the Office relate to:

  • administration matters, including personnel, recruitment, accounts, purchasing, registers, registry, library records and invoices
  • complaint matters, including audits and the investigation, clarification, conciliation and resolution of complaints
  • legal matters, including legal documents, opinions, advice and representations
  • research matters, including research papers in relation to complaints, existing or proposed legislative practices, public education, national inquiries and other relevant issues
  • policy matters, including minutes of meetings, administrative and operational guidelines
  • operational matters, including files on formal inquiries and
  • reference materials, including press clippings, survey and research materials, documents relating to conferences, seminars and those contained in the library.

Freedom of Information procedures

Initial enquiries regarding access to documents from the Office of the Privacy Commissioner should be directed to the Freedom of Information Officer by either telephoning (02) 9284 9800 or writing to:

Freedom of Information Officer
Office of the Privacy Commissioner
GPO Box 5218
Sydney NSW 2001.

Procedures for dealing with FOI requests are detailed in s. 15 of the FOI Act. A valid request must:

  • be in writing
  • be accompanied by the payment of a $30 application fee
  • include the name and address of the person requesting the information and
  • be processed within 30 days of receipt.

Some documents are exempt from public perusal under the FOI Act. Where documents are not accessible by the applicant, valid reasons will be provided. The Office's decisions about accessibility of documents may be reviewed by the Administrative Appeals Tribunal.

Facilities for obtaining physical access

The Office provides copies of the requested documents by mail to the enquiring party, subject to exceptions established under the FOI Act.

The Office will also consider requests from parties to view hard copies of the requested documents in person at the Office.

 

Appendix 3 Speeches and Presentations

Karen Curtis, Privacy Commissioner

2006

25 July         Personal Property Securities - Policy Development Workshop, Sydney

29 August       Privacy Awareness Week Launch, Sydney

1 September     Privacy Contact Officer Network Meeting, Canberra

18 September    Launch of DIMA/OPC Memorandum of Understanding, Canberra

24 October      Australian Regulatory Reform Evolution Conference, Canberra

23 November     Privacy Connections Corporate Breakfast, Sydney

23 November     ACMA Information Communications Entertainment Conference, Canberra

1 December      Privacy Contact Officer Network Meeting, Canberra

2007

23 March        Administrative Review Council, Canberra

27 March        Privacy Professionals Network, Sydney

10 May          Privacy Connections Corporate Breakfast, Adelaide

11 May          Privacy Connections Corporate Breakfast, Perth

1 June          Privacy Contact Officer Network Meeting, Canberra

25 June         Second Technical Assistance Seminar on International Implementation of the APEC Privacy Framework, Cairns

Staff of the Office of the Privacy Commissioner

2006

27 July         Advertising, Marketing and Media Summit, Melbourne

28 July         Little Sisters of the Poor, Melbourne

10 August       DIMA Compliance Officer Pilot Training Program, Canberra

1 September     Privacy Contact Officer Network Meeting, Canberra

12 September    ACMA International Training Program, Melbourne

1 December      Privacy Contact Officer Network Meeting, Canberra

2007

2 March         Privacy Contact Officer Network Meeting, Canberra (2 presentations)

31 May          OSHC Worldcare 'The Application of the Privacy Act to the International Student Industry', Melbourne

1 June          Privacy Contact Officer Network Meeting, Canberra (3 presentations)

 

Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2007

Table A4.1 Commonwealth Disability Strategy Performance Reporting June 2007

Policy adviser role

Performance Indicator

Performance Measure

Current level of performance (2006-07)

1. New or revised policy / program proposals assess impact on the lives of people with disabilities prior to decision.

Percentage of new or revised policy / program proposals that document that the impact of the proposal was considered prior to the decision making stage.

The Office provides advice on the policy/program/legislative activities of other agencies from a privacy perspective. Submissions are made available on the Office's website where possible.

In a significant number of advices provided, particularly where new technologies are being considered, the privacy of people with disabilities is factored into the discussion. During the reporting period, the Office's submissions to the Australian Law Reform Commission review of privacy and the Department of Human Services regarding the proposed Access Card addressed privacy issues specific to people with a disability.

The Office seeks to have representative bodies actively involved in consultation, including in privacy impact assessments of proposals. A consideration for the Office is how the privacy rights of individuals with disabilities are being met. To aid this assessment, the Office surveys and collects demographic information relating to complainants (see Appendix 5).

During 2006-07 the Office received 105 responses to the survey. Of these, 28 respondents indicated they had a disability.

2. People with disabilities are included in consultation about new or revised policy / program proposals.

Percentage of consultations about new or revised policy / program proposals that are developed in consultation with people with disabilities.

Where the Office undertakes consultations, groups representing the interests of people with disabilities are invited to participate.

During consultation processes the Office considers the needs of people with disabilities.

Public consultation events all occur in accessible venues.

3. Public announcements of new, revised or proposed policy / program initiatives are available in accessible formats for people with disabilities in a timely manner.

Percentage of new, revised or proposed policy / program announcements available in a range of accessible formats.

Time taken in providing announcements in accessible formats.

Simultaneously with public release, 100% of information about new Office initiatives is available on a W3C compliant website. Other formats are available on request.

A staff member undertook training in 2006-07 with the specific purpose of ensuring that the Office's website is fully accessible to all visitors.

All material is available in other formats on request.

The Privacy Connections network had 1841 members as at 30 June 2007. Disability peak groups are members of this network. Membership is also open to members of the public who may have disabilities. Members are offered the opportunity to sign up to an email subscription. Email messages to the network are sent in plain text accessible formats.

Regulator role

Performance Indicator

Performance Measure

Current level of performance (2006-07)

1. Publicly available information on regulations and quasi-regulations is available in accessible formats for people with disabilities.

Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

  • accessible electronic formats; and
  • accessible formats other than electronic.

Average time taken to provide accessible material in:

  • electronic format; and
  • formats other than electronic.

Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities.

100% of Office information is available on its W3C compliant website.

All material is available in other formats on request.

Office services are accessible via website, phone and TTY.

Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days.

Some requests may require that we use external service providers. In these cases the turnaround to provide information in accessible formats may be impacted.

2. Publicly available regulatory compliance reporting is available in accessible formats for people with disabilities.

Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

  • accessible electronic formats; and
  • accessible formats other than electronic.

Average time taken to provide accessible material in:

  • electronic format; and
  • formats other than electronic.

100% of Office information is available on its W3C compliant website.

All material is available in other formats on request.

Office services are accessible via website, phone and TTY.

Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days.

Some requests may require that we use external service providers. In these cases the turnaround to provide information in accessible formats may be impacted.

Provider role

Performance Indicator

Performance Measure

Current level of performance (2006-07)

1. Providers have established mechanisms for quality improvement and assurance.

Evidence of quality improvement and assurance systems in operation.

The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

The Office generally conducts customer satisfaction surveys to determine the level of customer satisfaction with the Office's services. Although originally scheduled for 2006-07, this survey will be carried out again in 2007-08.

2. Providers have an established service charter that specifies the roles of the provider and consumer and service standards which address accessibility for people with disabilities.

Established service charter that adequately reflects the needs of people with disabilities in operation.

The Office does not have an agency-wide service charter but has complaint handling service standards in place as this is a major client focus.

All Office complaints information and brochures are available on the website in accessible electronic format. Information about complaints process and legislation is available in plain English format on the Office website. The website is updated regularly.

Office information is available in alternative formats upon request.

3. Complaints / grievance mechanisms, including access to external mechanisms, in place to address concerns raised about performance.

Established complaints / grievance mechanisms, including access to external mechanisms, in operation.

The Office uses a current complaints information referral list to ensure callers with disabilities can be referred to appropriate advocacy groups.

The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

Email, TTY and a national 1300 number at the cost of a local call are all available.

Premises are accessible.

Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities.

When dealing with requests for access to personal information, organisations are advised to consider issues of accessibility.

No complaints have been received regarding access to the Office complaint handling service or premises.

Employer role

Performance Indicator

Performance Measure

Current level of performance (2006-07)

1. Employment policies, procedures and practices comply with the requirements of the Disability Discrimination Act 1992.

Number of employment policies, procedures and practices that meet the requirements of the Disability Discrimination Act 1992.

The Office promotes and supports APS values.

The Office's Certified Agreement (CA) contains reference to Workplace Diversity principles. Most of the Office's policies on employment are contained within the CA.

The Workplace Diversity Plan (jointly participated in by the Office and the Human Rights and Equal Opportunity Commission) outlines strategies to maximise employment opportunities for people with disabilities. On induction all new staff are provided with a copy of the plan.

The email/internet policy is reviewed annually. It specifically prohibits the inappropriate use of email that may demean people with disabilities.

There were no formal complaints/grievances made by staff with regard to current work practices.

2. Recruitment information for potential job applicants is available in accessible formats on request.

Percentage of recruitment information requested and provided in:

  • accessible electronic formats; and
  • accessible formats other than electronic.

Average time taken to provide accessible information in:

  • electronic formats; and
  • formats other than electronic.

100% compliance providing accessible formats for recruitment material.

Recruitment information is able to be provided in any format.

All recruitment material is on the Office's W3C compliant website.

Advertisements in press advise that information is available at contact phone number, by TTY phone and on the Office's website.

The Office website meets the criteria for accessibility as outlined in the Government Online Strategy and the Deputy Disability Commissioner has advised in the process.

There were no requests for Braille in 2006-07.

3. Agency recruiters and managers apply the principle of reasonable adjustment.

Percentage of recruiters and managers provided with information on reasonable adjustment.

Selection guidelines include information on reasonable adjustment and guidelines for interviewing staff with disabilities.

Recruitment action is managed internally and not outsourced, and all committees are provided with selection information on reasonable adjustment.

4. Training and development programs consider the needs of staff with disabilities.

Percentage of training and development programs that consider the needs of staff with disabilities.

Due to the small number of staff in the Office, training is coordinated by each of the unit managers under the Office's Performance Management Scheme. The majority of training is provided off-site with external providers and any in-house training programs recognise the needs of people with disabilities.

Training nomination forms include specific requirements that may be needed such as:

  • wheelchair access
  • accessible toilets/parking
  • a hearing device
  • sign language interpreter
  • an attendant
  • a support person
  • information in Braille, audio cassette, large print, ASCII format.

5. Training and development programs include information on disability issues as they relate to the content of the program.

Percentage of training and development programs that include information on disability issues as they relate to the program.

As noted above training is coordinated by each individual section.

Induction includes information on Workplace Diversity and relevant legislation, including the DDA.

The Complaint Handling section of HREOC conducts training and information on disability issues for staff of HREOC and the Office.

6. Complaint / grievance mechanism, including access to external mechanisms, in place to address issues and concerns by staff.

Established complaints / grievance mechanisms, including access to external mechanisms in operation.

There is an established process in the Office's Certified Agreement for complaints/grievances, which includes access to external review through the Australian Public Service Commission.

All staff are advised of access to the Office's Employee Assistance Program and encouraged to use this service when needed. This free service provides counselling and support for staff and their families.

Note: Accessible electronic formats include ASCII (or .txt) files and html for the website. Non electronic accessible formats include Braille, audio cassette, large print and easy English. Other ways of making information available include video captioning and Auslan interpreters.

 

Appendix 5 Demographic Information about Complainants

In 2006-07 the Office continued collecting detailed demographic information about complainants. The Office invites all complainants to voluntarily respond to a survey. While the response rate is low, the Office will continue to use the information to improve its accessibility and other services to complainants. Below are a series of tables which provide a summary of the responses received in 2006-07 compared to the results received in 2005-06.

Due to the voluntary nature of the survey, the information gathered may not necessarily give an accurate representation of the relative proportions of demographic categories of complainants.

Table A5.1 Gender of complainants

          2005-06          2006-07
Female    53     44.9%     53     50.5%
Male      65     55.1%     52     49.5%
Total     118    100%      105    100%

Table A5.2 Complainants' access to the internet

             2005-06          2006-07
Nil Return   0      0.0%      0      0.0%
No           23     19.5%     17     16.2%
Yes          95     80.5%     88     83.8%
Total        118    100%      105    100%

Table A5.3 Country of birth of complainants

                2005-06          2006-07
Australia       83     70.3%     73     69.5%
Great Britain   14     11.9%     8      7.6%
New Zealand     7      5.9%      3      2.9%
Other           14     11.9%     21     20.0%
Total           118    100%      105    100%

Table A5.4 Main language spoken at home

          2005-06          2006-07
English   115    97.5%     103    98.1%
Other     3      2.5%      2      1.9%
Total     118    100%      105    100%

Table A5.5 Location of complainants

                        2005-06          2006-07
Capital City            81     68.6%     72     68.6%
Country Town            18     15.3%     13     12.4%
Major regional centre   18     15.3%     19     18.0%
Rural                   1      0.8%      1      1.0%
Total                   118    100%      105    100%

Table A5.6 Aboriginal or Torres Strait Islander background of complainants

                                        2005-06          2006-07
Aboriginal/Torres Strait Islander       2      1.7%      1      1.0%
Non-Aboriginal/Torres Strait Islander   116    98.3%     103    98.0%
Did not comment                         0      0.0%      1      1.0%
Total                                   118    100%      105    100%

Table A5.7 Level of education completed by complainants

                                       2005-06          2006-07
Bachelor/Post Graduate Degree          47     39.8%     38     36.2%
Diploma/Advanced Diploma               21     17.8%     24     22.9%
Study not leading to a qualification   4      3.4%      2      1.9%
Year 10 or below                       29     24.6%     22     20.9%
Year 12                                16     13.6%     19     18.1%
Nil Return                             1      0.8%      0      0.0%
Total                                  118    100%      105    100%

Table A5.8 Age range of complainants

              2005-06          2006-07
19-29 years   12     10.2%     12     11.4%
30-39 years   20     16.9%     17     16.2%
40-49 years   39     33.1%     41     39.0%
50-59 years   27     22.9%     17     16.2%
60-69 years   15     12.7%     13     12.4%
70-79 years   3      2.5%      4      3.8%
80-89 years   2      1.7%      1      1.0%
Total         118    100%      105    100%

Table A5.9 Complainants with a disability

                2005-06          2006-07
No Disability   80     67.8%     77     73.3%
Medical         10     8.5%      7      6.7%
Sensory         4      3.4%      2      1.9%
Psychiatric     6      5.1%      5      4.8%
Movement        12     10.2%     9      8.5%
Other           5      4.2%      5      4.8%
No Comment      1      0.8%      0      0.0%
Total           118    100%      105    100%

Table A5.10 Source of knowledge about the Office of the Privacy Commissioner

                                                      2005-06          2006-07
A Legal Centre/Lawyer                                 11     9.3%      14     13.3%
Another Community Organisation                        8      6.8%      0      0.0%
Family member/friend/support person/associate         8      6.8%      14     13.3%
Government agency (not the agency complained about)   16     13.6%     17     16.2%
Our website www.privacy.gov.au                        9      7.6%      15     14.3%
Other                                                 30     25.4%     14     13.3%
Internet                                              8      6.8%      6      5.7%
Media                                                 13     11.0%     14     13.3%
The organisation/government agency complained about   10     8.5%      7      6.7%
Telephone book                                        5      4.2%      4      3.8%
Total                                                 118    100%      105    100%

Table A5.11 Annual income range of complainants

                    2005-06          2006-07
$0 - $25 000        42     35.6%     26     24.7%
$25 001 - $50 000   31     26.3%     32     30.5%
$50 001 - $75 000   16     13.6%     23     21.9%
$75 001 or more     27     22.9%     24     22.9%
Nil Return          2      1.7%      0      0.0%
Total               118    100%      105    100%

 

Appendix 6 National Privacy Principles

The National Privacy Principles as set out in Schedule 3 of the Privacy Act 1988. See NPPs

 

Appendix 7 Information Privacy Principles

The Information Privacy Principles are set out in s. 14 of the Privacy Act 1988. See IPPs.

 

Appendix 8 Strategic Plan 2007-09

Our Vision:

An Australian community in which privacy is valued and respected.

Our Purpose:

To promote and protect privacy in Australia.

Our Values:

As an Australian Government agency the Office of the Privacy Commissioner is committed to upholding the APS Values and Code of Conduct. In particular we will:

  • demonstrate leadership in promoting and protecting privacy
  • act with independence, impartiality and integrity
  • value our staff
  • be responsive to our clients
  • work collaboratively with stakeholders.

Context:

The Office of the Privacy Commissioner is established under the Privacy Act 1988 to:

  • provide advice and assistance to individuals
  • provide advice and assistance to organisations and agencies with responsibilities under the Privacy Act
  • promote privacy through policy advice and educational activities
  • administer the Privacy Act including by investigating individual privacy complaints and systemic issues, and conducting audits.

GOALS

STRATEGIES

ACTIONS for 2007

High quality results

  • Build our policy and strategic analysis capacity
  • Identify and focus our policy and analysis effort on areas of maximum impact
  • Increase our influence through quality advice and information
  • Manage our resources effectively and efficiently
  • Deliver fair, transparent, efficient and effective privacy complaint handling
  • Increase our focus on systemic privacy issues
  • Harness and utilise knowledge gained from day to day activities to inform our strategic work
  • Ensure robust work practice and information systems support our core business
  • Build our capacity to respond to evolving and emerging technology
  • Identify partnership opportunities to maximise our ability to advise on key policy issues
  • Maximise the impact of our policy advice through follow-up strategies
  • Implement recommendations from the Private Sector Review
  • Implement recommendations from the Complaint Handling Review
  • Eliminate backlog of complaints
  • Identify key privacy compliance issues
  • Expand our audit program
  • Review our approach to data matching and monitoring
  • Review and build on our knowledge management systems

Increased awareness of privacy choices and obligations within the community

  • Communicate effectively with more targeted integrated strategies
  • Harness existing communication channels to maximum effect especially pop culture medium
  • Utilise the media to deliver the privacy message
  • Ensure that material published by the Office is up-to-date, accurate and targeted at identified key audiences
  • Ensure that the website as the Office's key communication channel is up-to-date and accurate
  • Develop guidance material to assist the private sector
  • Re-energise PCO and Privacy Connections Networks
  • Implement recommendations from Private Sector Review
  • Develop and implement communication plans targeting key audiences, for example, young people, industry sectors, regional, disadvantaged, people from a Non English Speaking Background
  • Develop and implement media strategy
  • Review content and structure of our publications and other written material
  • Review content and design of website
  • Review and develop services provided to PCO and Privacy Connections Networks, including the provision of training
  • Develop programs to recognise and reward best practice

Robust relationships

  • Ensure that effective relationships, partnerships and networks are at the core of how we operate internally and externally
  • Develop formal links with external parties where appropriate and useful to maximise influence and understanding
  • Nurture, manage and review existing relationships
  • Identify, build and manage new relationships
  • Train and support staff to manage internal and external relationships
  • Further develop the private sector communications program
  • Provide quality and timely advice and services under our MOUs
  • Develop international linkages particularly APPA and APEC
  • Review and develop systems that support internal and external networks and relationships
  • Review and measure the success of our relationships

A confident and competent workforce

  • Attract well qualified staff
  • Retain our staff through commitment to training and development, career development, conditions of service, and work-life balance
  • Acquire and develop our skills base to respond to emerging issues including technology
  • Develop a Workforce Plan that:
    • Includes learning and development strategies based on an assessment of our skills base and a training needs analysis
    • Reviews career development framework for all staff
    • Establishes a secondment program with other agencies and within the Office
    • Examines a range of recruitment and retention strategies
    • Promotes and improves knowledge sharing

 

Glossary

| Term | Meaning |
|---|---|
| AAT | Administrative Appeals Tribunal |
| ACMA | Australian Communications and Media Authority |
| ACCC | Australian Competition and Consumer Commission |
| ACIF | Australian Communications Industry Forum |
| ADR | Alternative Dispute Resolution |
| AGAF(I) | Australian Government Authentication Framework for Individuals |
| AGD | Attorney-General's Department |
| AGIMO | Australian Government Information Management Office |
| ALRC | Australian Law Reform Commission |
| ANZELA | Australia and New Zealand Education Law Association |
| APPA | Asia Pacific Privacy Authorities |
| APS | Australian Public Service |
| Austlii | Australasian Legal Information Institute |
| AWG | Authentication Working Group |
| APEC | Asia-Pacific Economic Cooperation |
| ASIC | Australian Securities and Investments Commission |
| ATO | Australian Taxation Office |
| AUSTRAC | Australian Transaction Reports and Analysis Centre |
| CA | Certified Agreement |
| CCMA | Customer Contact Management Association |
| CDS | Commonwealth Disability Strategy |
| CRGIS | Commonwealth Reference Group on Identity Security |
| CCTV | Closed circuit television |
| Customs | Australian Customs Service |
| DCITA | Department of Communications, Information Technology and the Arts |
| DFAT | Department of Foreign Affairs and Trade |
| DHS | Department of Human Services |
| DIMA | Department of Immigration and Multicultural Affairs |
| DoHA | Department of Health and Ageing |
| DVA | Department of Veterans' Affairs |
| DVS | Document Verification Service |
| EHR | electronic health records |
| FOI | Freedom of Information |
| HIC | Health Insurance Commission |
| HREOC | Human Rights and Equal Opportunity Commission |
| ICA | Insurance Council of Australia |
| IPPs | Information Privacy Principles |
| IMAGE | Information Management for Government Employees (IMAGE) |
| JIG | Joint Initiatives Group |
| MCCA | Ministerial Council on Consumer Affairs |
| MOU | Memorandum of Understanding |
| NHMRC | National Health and Medical Research Council |
| NPPs | National Privacy Principles |
| OECD | Organisation for Economic Cooperation and Development |
| OH&S | Occupational Health and Safety |
| OMI | Own Motion Investigation |
| PAC | Privacy Advisory Committee |
| PCO | Privacy Contact Officer |
| PIA | Privacy Impact Assessment |
| PID | Personal Information Digest |
| RSS | Really Simple Syndication |
| RTDs | residential tenancy databases |
| SCAG | Standing Committee of Attorneys-General |
| SES | Senior Executive Service |
| TFN | tax file number |
| TPID | Temporary Public Interest Determination |