Australian Government - Office of the Australian Information Commissioner

2007-08 Annual Report of the Office of the Privacy Commissioner

The Operation of the Privacy Act Annual Report

1 July 2007 - 30 June 2008

Copyright © Office of the Privacy Commissioner 2008 ISSN 1035-3372

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction rights and content should be addressed to:

Copyright Officer Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001

Email: privacy@privacy.gov.au

Senator the Hon. John Faulkner Special Minister of State and Cabinet Secretary Parliament House CANBERRA ACT 2600

Dear Minister

I am pleased to submit to you, for presentation to the Parliament, the Annual Report for the Office of the Privacy Commissioner on the operation of the Privacy Act 1988 for the year ending 30 June 2008.

This report has been prepared in accordance with section 97 of the Privacy Act 1988.

Yours sincerely

Ms Karen Curtis Privacy Commissioner

16 September 2008

User's Guide

Immediately following this User's Guide, you will find the Commissioner's Overview for 2007-08, which includes a summary of significant issues, developments and achievements during the year, and an outline of the year ahead for the Office.

This is followed by About the Office, which provides an outline of the Office's functions and a summary of its 2007-08 activities, including key statistics.

The main chapters then follow, and the Annual Report is concluded by the various Appendices, Glossary and Index.

Chapter 1 Respecting Privacy describes the Office's work in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy representatives across Australian and ACT Government departments and agencies, handling media enquiries, maintaining the Office's website and assisting with speeches and presentations by the Commissioner and members of staff.

Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of government agencies, and investigating and conciliating complaints.

Chapter 4 Management and Accountability contains an overview of the Office's administrative arrangements, management of human resources and corporate governance.

The Appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.

The Office of the Privacy Commissioner's audited Financial Statements for 2007-08 are located immediately following the Appendices. The Glossary and Alphabetical Index can be found at the end of the report.

ACT Government

Information that relates directly to ACT Government matters can be found in sections 1.4 and 4.1.3.

How to find out more

For enquiries about this report or for copies please contact:

Director Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001

Telephone: +61 2 9284 9800 Fax: +61 2 9284 9666 Email: privacy@privacy.gov.au Website: www.privacy.gov.au

Enquiries line: 1300 363 992 local call TTY: 1800 620 241 no voice calls

This report is also available on the Office of the Privacy Commissioner's website at www.privacy.gov.au/materials#A.

Non-English Speakers

If you speak a language other than English and need help please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.

Commissioner's Overview 2007-08

Significant steps were made during the year to achieve our vision of an Australian community in which privacy is valued and respected. In promoting and protecting privacy, the Office delivered against all of its Strategic Plan 2007-09 goals: high quality results, increased awareness of privacy choices and obligations, robust relationships, and a confident and competent workforce.

The year was one of consolidation as we implemented our goals and strategies. We provided exceptional policy advice and analysis to governments and to the Australian Law Reform Commission (ALRC); we improved our complaint handling processes; we developed an expanded audit program; and we provided better, and more, advice and information to individuals, the community and businesses about their rights and obligations. We had an enhanced international leadership role as we provided the Secretariat to the Asia Pacific Privacy Authorities (APPA) and led three projects under the APEC privacy framework. Our Office also grew in size, and staff have undertaken more training and development.

A highlight for me in 2007-08 was the success of the first international Privacy Awareness Week across APPA, and a particular highlight was meeting the winner of the APPA essay competition for young people. Erica Hei-Yuan Chan, a Melbourne school student, wrote eloquently about privacy and challenged all of us '... to take up the responsibility of what privacy will mean in the 21st century. Because privacy is ultimately, and always has been, an extension of our choice'.

In late 2007, with the change of Government, privacy issues were moved from the Attorney-General's portfolio to the portfolio of the Prime Minister and Cabinet. This change in administrative arrangements has meant that the Office is now in the same portfolio as the other integrity agencies of government. Already this has meant a closer working relationship with some of these agencies and over time it is expected that there will be even greater public policy benefits from being in the same portfolio as the other integrity agencies.

2008 marks the 20th anniversary of the introduction of the Privacy Act. Such an anniversary affords the opportunity to reflect on how our personal information can be transferred at a much more rapid and global rate than anyone would have anticipated in 1988. Twenty years ago, one could not have imagined the sheer range and scope of technologies that were to evolve and how they would influence our daily lives.

It is timely that the ALRC's review of privacy has taken place. In January 2006, the ALRC was commissioned to review Australia's privacy laws and to make recommendations to ensure the laws continue to provide an effective framework for the protection of privacy in Australia. Together with similar reviews being conducted in NSW, Victoria and New Zealand, the review is a clear signal that governments recognise the role of privacy in democratic societies and that laws must be kept up-to-date and relevant to ensure that appropriate protections are given to personal information in the 21st century.

Privacy law reform has been a key issue for my Office during 2007-08. A major achievement of my Office was its 786 page submission to the ALRC's Discussion Paper 72: Review of Australian Privacy Law. The quality of the analysis and arguments in our submission is excellent and I congratulate the members of my staff who were involved for making such a valuable contribution to protecting the privacy of Australians. The ALRC review presents a once-in-a-generation opportunity to influence the shape of privacy law in Australia for many years to come, and my Office's contribution to the debate has been significant.

My Office's suggestions for proposed law reform all seek to enhance existing privacy protections, and are also consistent with my Office's strategic vision of an Australian community in which privacy is valued and respected.

The Year Ahead

In the second half of 2008, the Office will continue to celebrate the 20th anniversary of the passage of the Privacy Act. The Office will mark this milestone in a number of ways. Most significantly, the Office has launched the inaugural Australian Privacy Awards and Australian Privacy Medal programs. The Awards aim to encourage, recognise and reward businesses, government agencies and not-for-profit organisations that engage in good privacy practices. The Medal aims to provide acknowledgement to an individual who has exhibited an outstanding level of achievement in advancing privacy in Australia. The Awards will be presented at a Gala Dinner in Sydney on 27 August 2008, during Privacy Awareness Week.

Over the past 20 years, the Act has, I believe, managed to strike a good balance between protecting the privacy of Australians while not being overly burdensome to organisations. The ALRC's review of privacy was handed to Government on 31 May 2008. My Office looks forward to playing a leading role in the development of the whole-of-government response, and then to assisting any parliamentary processes that may occur with the introduction of new legislation.

In 2008-09, the Office will continue to raise privacy awareness among businesses, government and individuals. Our ability to promote privacy understanding and awareness will be enhanced by a major redevelopment of the Office's website, which will be completed during 2008-09. The website redevelopment will make our publications easier to find and improve the layout and accessibility of the Office's online presence.

We will also work to promote privacy via the successful Privacy Awareness Week initiative, which in 2008-09 will again be promoted in coordination with other data protection authorities in the Asia Pacific region.

Another important issue which will occupy the Office during 2008-09 is that of voluntary data breach notification. The Office expects to finalise its guide on handling information security breaches. The mishandling of personal information can result in financial loss and identity theft, but also can result in the embarrassment or humiliation of the individual, or violence towards the individual. In response to requests for advice from government and business and a number of high profile overseas breaches, my Office has developed a draft voluntary guide.

We are reviewing the submissions received during consultation and will release the final Guide during Privacy Awareness Week in August 2008.

When it is finalised, the Guide will assist those with privacy obligations to be prepared for and to respond effectively to an information security breach and to determine when it is appropriate to notify affected individuals about a breach.

During 2008-09, my Office will continue to work towards the vision of an Australian community in which privacy is valued and respected.

Karen Curtis Privacy Commissioner

About the Office

The Privacy Commissioner's Functions

The Privacy Commissioner has specific statutory functions under ss. 27, 28 and 28A of the Privacy Act 1988. These functions include, amongst other things, investigating possible breaches of the Privacy Act, undertaking audits of agencies or organisations to ensure compliance with the Privacy Act, providing advice to agencies and organisations on matters related to privacy, and promoting and encouraging the adoption of privacy standards in the community.

One of the key responsibilities of the Office is to handle complaints. Individuals who believe that their privacy may have been interfered with by an agency or organisation are able to lodge a complaint with the Office under s. 36 of the Privacy Act. The Privacy Commissioner may then undertake preliminary enquiries of the respondent to determine whether there are grounds, and whether the Commissioner has jurisdiction, to formally open an investigation into the complaint under s. 40 of the Privacy Act.

Staff members of the Compliance section conciliate between the parties to attempt to adequately resolve the dispute. If the parties are not able to come to a mutually satisfactory agreement, the Privacy Commissioner is able to make a determination under s. 52 of the Privacy Act to dismiss the complaint. Alternatively, the Privacy Commissioner is able to find in favour of the complainant and decide upon suitable orders to remedy the breach. The orders are enforceable in the Federal Court or Federal Magistrates Court under s. 55A of the Privacy Act.

Generally, a complaint must be in writing. The Office is obliged to provide appropriate assistance to people who require it in order to help formulate and appropriately set out the particulars of the complaint.

Individuals cannot complain to the Privacy Commissioner about organisations which are bound by a privacy code approved by the Commissioner, when that code has its own code adjudicator. Individuals may, however, ask the Privacy Commissioner to review a determination made by a code adjudicator under s. 18BI of the Privacy Act.

The Privacy Commissioner has the power to launch investigations under s. 40(2) of the Privacy Act, and these are referred to as Own Motion Investigations (OMIs). The Privacy Commissioner undertakes OMIs where it appears that a breach of the Privacy Act may have occurred and it is thought to be desirable that an OMI be undertaken. This may be the case, for example, where the alleged breach is not limited to one complainant, or where the alleged breach raises systemic and/or ongoing issues.

The Office's Policy section assists the Privacy Commissioner in providing advice on privacy issues, including interpreting the operation of the Privacy Act, to Ministers, Australian and ACT Government agencies, and organisations. The section develops guidance material (such as guidelines, information sheets and FAQs) to help explain the operation of the Privacy Act and the Privacy Commissioner's functions.

The Policy section examines enactments and proposals from agencies, advising on their potential privacy implications and their overall compliance with the Privacy Act. It also assists the Privacy Commissioner in carrying out other functions under the Privacy Act, as well as prescribed functions under the National Health Act 1953, the Telecommunications Act 1977 and the Crimes Act 1914.

The Office's Corporate and Public Affairs section manages the public profile of the Office and the Privacy Commissioner, provides secretariat support and manages the Office's corporate responsibilities. The section is responsible for developing and maintaining the Office's website, handling media enquiries, and providing a secretariat role to several committees including the Government Privacy Contact Officer (PCO) Steering Committee, Privacy Connections Network, Privacy Advisory Committee, the Asia Pacific Privacy Authorities and the Privacy Authorities Australia forums. The section also liaises with key stakeholders, including domestic bodies and international authorities, and handles the Office's corporate governance responsibilities.

Chart 1 Organisational Structure

The Year in Review - a Summary

A brief summary of the Office's performance in 2007-08 is outlined below. A more detailed review of performance is contained in Chapters 1-4. The Office's Strategic Plan and our Portfolio Budget Statement outcomes and outputs are in Appendix 2.

Telephone Enquiries:

The Office received 18 059 telephone enquiries in 2007-08 compared with 17 392 in 2006-07. This represents about a 4% increase in enquiries received by the Enquiries Line. See section 3.2.1 for further information.

Written Enquiries:

The Office received 2168 enquiries by email, post or facsimile in 2007-08 compared with 2182 written enquiries reported in 2006-07. This represents a very slight decrease in the number of written enquiries received by the Office from the previous year. The Office is committed to responding to 90% of written enquiries in ten working days. This benchmark was met in 2007-08, with 94% of written enquiries responded to in ten working days or less. See section 3.2.2 for further information.

Complaints:

The Office received 1126 complaints in 2007-08 compared with 1094 in 2006-07. This represents about a 3% increase in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1228 complaints in 2007-08, 18 more than the previous year (1210). See section 3.3.2 for further information.

Case Notes:

The Office published 25 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may be of interest to the community. Case notes also demonstrate to members of the public how the Commissioner handles complaints. Case notes also serve as a possible indication of the Commissioner's view in relation to aspects of privacy law. See section 3.6 for further information.

Legislative Instruments:

In 2007-08, the Privacy Commissioner issued two Public Interest Determinations. These determinations relate to the non-consensual collection of family, social or medical histories of third party health consumers by organisations providing a health service.

In addition, the Privacy Commissioner made a revised set of binding privacy guidelines for the Medicare Benefits and Pharmaceutical Benefits programs. These guidelines are required by s.135AA of the National Health Act 1953.

Media:

190 media enquiries were received in 2007-08. This represents a 44% increase in comparison to the number of enquiries for 2006-07, in which the Office received 132 media enquiries. See section 2.9 for further information.

Speeches:

45 speeches and presentations were delivered in 2007-08. These speeches and presentations addressed ongoing and emerging privacy issues. For further information see section 2.6.

Policy Advices:

The Office produced 115 advices on significant policy issues. This is a decrease in the number of policy advices the Office prepared in comparison to 2006-07. This decrease is primarily a result of the focus placed by the Policy section on preparing its submission to the ALRC's review of privacy, as well as on preparing industry-wide guidance material in the form of information sheets.

Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.

The number of submissions made by the Office to public consultation processes is listed separately below.

Submissions:

In 2007-08, the Commissioner provided 17 submissions to government departments and parliamentary inquiries on policy proposals or Bills before parliament, providing analysis on the privacy implications of the proposal or Bill and offering advice on methods to ensure privacy is appropriately considered and protected.

The following submissions were made by the Office:

  1. Consultation on the Draft Principles for Australia's Health System; National Health and Hospitals Reform Commission (May 2008)
  2. Review of the Legislative Instruments Act (2003); Legislative Instruments Act Review Committee (May 2008)
  3. Draft Report on the Control of Chemicals of Security Concern; COAG Review of Hazardous Materials Steering Committee (April 2008)
  4. Telecommunications (Interception and Access) Amendment Bill 2008; Senate Legal and Constitutional Affairs Committee (April 2008)
  5. Consultation Paper for the Draft National Patient Charter of Rights; Australian Commission on Safety and Quality in Health Care (March 2008)
  6. Review of Australia's Consumer Policy Framework, Draft Report; Productivity Commission (February 2008)
  7. Issues Paper No.12 - Inquiry into Automatic Number Plate Recognition Technology; Queensland Parliamentary Travelsafe Committee (February 2008)
  8. Submission to the Australian Law Reform Commission's Review of Privacy - Discussion Paper 72 (December 2007)
  9. Discussion Paper: Unsolicited Commercial Faxes or 'Fax Spam'; Department of Communications, Information Technology and the Arts (September 2007)
  10. Consultation Paper 1 - Invasion of Privacy; NSW Law Reform Commission (September 2007)
  11. Discussion Paper: Options for Reform of the Structure of ACT Tribunals; ACT Department of Justice and Community Safety (September 2007)
  12. Consultation on the second exposure draft of the Human Services (Enhanced Service Delivery) Bill 2007; Australian Government Office of the Access Card (August 2007)
  13. Discussion Paper: Use of Integrated Public Number Database information to provide Location Dependent Carriage Services; Department of Communications, Information Technology and the Arts (August 2007)
  14. Inquiry into the Northern Territory National Emergency Response Bill 2007 & Related Bills; Senate Standing Committee on Legal and Constitutional Affairs (August 2007)
  15. Inquiry into 'Future impact of serious and organised crime on Australian society'; Parliamentary Joint Committee on the Australian Crime Commission (August 2007)
  16. Communications Legislation Amendment (Information Sharing and Datacasting) Bill 2007; Senate Environment, Communications, Information Technology and the Arts Committee (July 2007)
  17. Telecommunications (Interception and Access) Amendment Bill 2007; Senate Legal and Constitutional Affairs Committee (July 2007).

Chapter 1 Respecting Privacy

1.1 Review of Performance

The Office continued its role of providing advice to Australian and ACT Government agencies on new policy proposals, legislative and regulatory changes, and agency practices. Much of this advice has focused on the importance of appropriate privacy protections in ensuring community trust and confidence in public administration. The Office has also provided substantial advice to the private sector and to consumers. This advice has included the release of new information sheets, answers to frequently asked questions and the provision of advices in response to specific issues.

The Office continued its substantial contribution to assisting privacy law reform in Australia. In December 2007, the Office made a 786 page submission to the Australian Law Reform Commission (ALRC) in response to its Discussion Paper 72: Review of Australian Privacy Law.

The Office also released a consultation draft of a proposed voluntary guide for the notification of information security breaches. The Office received 75 submissions on the consultation draft, which will be released as a final document in the second half of 2008. This guide follows the support expressed by the Office in its submission to the ALRC that there should be a mandatory requirement for breach notification in some circumstances.

The Office also provided guidance to businesses that came under coverage of the Privacy Act by virtue of the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Act 2006. In addition to establishing a dedicated web page, the Office distributed hardcopy materials to a wide range of affected industry stakeholders.

Following substantial consultation, the provision of additional guidance to the health sector has also been a key outcome for the reporting period. Five new information sheets for health service providers were released in March 2008, along with seven frequently asked questions for health consumers. This guidance material gives effect to a number of recommendations made in the Office's 2005 review of the private sector provisions of the Privacy Act, and progresses actions identified in the Office's current Strategic Plan.

Still in the area of health privacy, the Office completed its major review of the statutory privacy guidelines for the Medicare Benefits and Pharmaceutical Benefits programs. The Privacy Commissioner also issued new Public Interest Determinations (PID) concerning the collection of family medical histories. Both the revised guidelines and the PIDs involved substantial public consultation.

The Office engaged significantly on privacy issues surrounding the Northern Territory Emergency Response initiative. In addition to making a submission on the accompanying legislation, the Office assisted the Australian Government Department of Families, Housing, Community Services and Indigenous Affairs (FaHCSIA) to develop guidance material for businesses and individuals potentially affected by the measures.

In addition to the matters outlined above, the Office made a further 16 public submissions during the period. The Office also provided around 100 other pieces of major advice to agencies and organisations on a large range of privacy issues.

1.2 Australian Law Reform Commission Review of Privacy

ALRC Review

On 20 December 2007, the Office made its submission on the Australian Law Reform Commission's (ALRC) Discussion Paper 72: Review of Australian Privacy Law. This submission responded to each of the 301 proposals and 46 questions in the discussion paper. The 786 page submission is summarised at www.privacy.gov.au/publications/submissions/alrc_72/submission_summary.html.

The Office invested substantial resources in this submission, which followed submissions made to the ALRC in early 2007 on two issues papers, numbers 31 and 32, released as part of the same inquiry.

Consistent with the Office's Strategic Plan action item to maximise the impact of our policy advice through follow-up strategies, the Office provided copies of the submission to around 300 stakeholders. The submission also formed the basis for a number of presentations made to external stakeholders by the Privacy Commissioner and staff, as well as a number of media articles.

This engagement with stakeholders provided an important opportunity to offer guidance on the Office's current interpretation of the Privacy Act, as well as drawing attention to areas of potential law reform. It also aligned with the Office's strategic objective of ensuring effective relationships with stakeholders.

Key issues

In its submission, the Office endorsed the basic framework of the Privacy Act, in that it should continue to provide technology-neutral, principle-based regulation. The Office agreed with the ALRC that there should be one set of principles regulating Australian and ACT Government agencies, as well as the private sector. The Office also agreed in-principle with the ALRC that privacy would be appropriately enhanced in Australia by the introduction of a statutory cause of action for privacy breaches, as well as an obligation requiring the notification of data breaches in certain circumstances.

Credit reporting

There is a need to simplify the regulation of credit reporting information. At the same time, the Office believes that further independent research on comprehensive (or 'positive') credit reporting is required to assess its impacts, including how it may affect the handling of personal information.

The Office believes that any reforms to Australia's regulatory regime for credit reporting should not weaken existing privacy protections. The Office has not supported proposals to permit credit reporting information to be used for a wider range of purposes.

Health privacy

The Office supported a number of proposals made by the ALRC, particularly those that would simplify the regulation of health privacy in Australia by clarifying that the Privacy Act applies to the private sector to the exclusion of similar law in the states or territories.

In addition, to address concerns of medical researchers, the Office made proposals to simplify the existing regulatory arrangements for the non-consensual handling of health information for research purposes.

However, the Office expressed concern that some of the discussion paper's proposals would significantly expand the non-consensual handling of personal information for research, while lowering threshold tests that apply to such practices.

Next steps

The ALRC provided its final report to the Attorney-General on 30 May, and it is required to be tabled within 15 parliamentary sitting days of that date. The Office looks forward to considering the ALRC's report when it becomes available and assisting the Australian Government in formulating its response to the report's recommendations. As reflected in its submission, the Office remains committed to promoting privacy regulation that gives due regard to the interests of all stakeholders, and which continues to foster an Australian culture that respects and values privacy.

1.3 Privacy and the Australian Government

This section discusses the work the Office did during the reporting period in relation to Commonwealth legislation and/or Australian Government activity. Please note, however, that some areas of the Office's work relating to the Australian Government are discussed in other sections of this Chapter.

1.3.1 Anti-Money Laundering and Counter-Terrorism Financing

Consistent with its Strategic Plan goal to promote increased awareness of privacy choices and obligations, the Office continued to play an active role in the implementation of new Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) legislation. The Office is represented on industry and government forums, and provides comments on draft guidance material and relevant issues.

During 2007-08, the Office provided comments and general advice to AUSTRAC in relation to a number of its draft guidance notes and rules. The Office's key suggestions were designed to inform and remind organisations that the handling of this personal information will often be subject to Privacy Act regulation.

The Office also developed materials to assist the private sector. In October 2007, the Office released guidance materials including bookmarks, flyers and information addressing frequently asked questions. These materials were targeted at educating small businesses on how they could fulfil their Privacy Act obligations as 'reporting entities' under the AML/CTF legislation. During the reporting period, the Office distributed over 4000 hardcopies of this new guidance material.

AML/CTF reporting obligations for some reporting entities commenced in December 2007, and the Office has provided ongoing advice to AUSTRAC concerning the operation of the reporting obligations. The Office has also provided advice in relation to the second tranche of the AML/CTF legislation, which proposes to extend reporting obligations to some real estate agents, jewellers, and a range of professional and business service providers.

1.3.2 Australian Government Health and Social Services Access Card

The Office made a submission in August 2007 on the previous Australian Government's proposed Health and Social Services Access Card, prior to the new government ending this project. This submission to the Department of Human Services (DHS) related to the second exposure draft of the Human Services (Enhanced Service Delivery) Bill 2007.

In December 2006, the Office entered into a Memorandum of Understanding (MOU) with DHS which allowed for close consultation on privacy-related issues in the development and roll-out of the proposed Health and Social Services Access Card. With the announcement of the end of the project, this MOU was terminated (see section 4.1.5).

1.3.3 E-Government and E-Authentication

It is important to increase the Office's understanding of, and influence within, the online e-government environment. The relationship with the Australian Government Information Management Office (AGIMO) is important to the Office's strategic objective of ensuring effective stakeholder relationships.

The Office has attended meetings and provided comments on the development of various AGIMO projects including the Australian Government Online Service Point and the National e-Authentication Framework. The Office is also an observer on the Authentication Working Group.

1.3.4 Identity Security

As part of the 2006-07 budget, the Office received funding to participate in the development of a National Identity Security Strategy. Through its participation, the Office provides high quality advice to government and key agencies on the privacy implications involved in the development of the national identity security framework.

The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS), convened by the Attorney-General's Department (AGD) to assist in developing this national strategy. During the reporting period the Office attended a number of CRGIS meetings.

The Office is also represented on the National Identity Security Coordination Group (NISCG). At the NISCG meeting held on 29 November 2007, the NISCG decided to amalgamate the four working groups into two. These are:

  • Identity and Data Working Group
  • Biometrics Authentication and Security Standards Working Group.

The Office is represented on both these working groups.

Consistent with the aims of the Office's Strategic Plan, membership of the CRGIS, NISCG and its related working groups provides the Commissioner and the Office with opportunities to work collaboratively and build strong relationships with key stakeholders in the federal, state and territory governments and agencies.

The Office is also involved in auditing and other compliance activity associated with identity security measures. In particular, the Office provides an audit function and advice in relation to the Document Verification Service (DVS). In March 2008, the Office undertook an end-to-end audit of the DVS (see section 3.8.1.3). The Office plans to continue its audit activities for the DVS in 2008-09.

1.3.5 Law Enforcement

In August 2007, the Office made a submission to the Parliamentary Joint Committee on the Australian Crime Commission Inquiry into Future impact of serious and organised crime on Australian society.

In this submission, the Office acknowledged the public interest in maintaining the safety and security of the Australian community through effective law enforcement measures and noted that information handling practices that enhance overall data quality support better decision making.

The Office made a number of suggestions to reduce potential privacy risks of sharing information across jurisdictions, including:

  • government agencies not subject to statutory privacy regulation should develop and implement information handling practices that incorporate principles similar to those contained within the Privacy Act
  • proposals to change the way in which cross-jurisdictional databases are used for law enforcement and intelligence purposes should follow thorough and careful assessment of potential privacy impacts.

In its report, the Committee recommended that the Australian Crime Commission give consideration to the extent to which its information handling protocols incorporate, and could be enhanced by, the principles of the Privacy Act.

1.3.6 Northern Territory Emergency Response

In June 2007, the former Australian Government announced the Northern Territory Emergency Response (NTER). The NTER has led to a number of welfare reform measures including income management of some Centrelink benefit recipients in the Northern Territory. Restrictions have also been put in place on the sale of alcohol from take-away liquor outlets in the Northern Territory under the Northern Territory National Emergency Response Act 2007. The Office made a submission on this legislation, noting among other matters that the measures it contained would require the provision of guidance as to how they might be implemented in a manner that minimises adverse impacts on privacy.

Both income management measures and alcohol sales restrictions involve the collection of personal information.

Under an agreement with the Department of Families, Housing, Community Service and Indigenous Affairs (FaHCSIA), the Office has developed privacy guidance for Northern Territory Community Stores (handling personal information about Centrelink income-managed customers) and take-away liquor outlet licensees. This guidance was developed in line with the Office's Strategic Plan action to develop and implement communication plans targeting key audiences and communicating key messages.

Under the small business exemption in the Privacy Act, not all take-away liquor outlets in the Northern Territory are subject to the Privacy Act in the way they handle personal information. The guidance material seeks to encourage such businesses to handle personal information in a way that aligns with good privacy practice.

These publications and other NTER privacy-related materials will be produced and distributed by FaHCSIA. More information about these and other NTER measures is available at www.fahcsia.gov.au and www.centrelink.gov.au.

1.3.7 Personal Property Securities

The Office continues to provide high quality, targeted advice to the Australian Government in the development of the Personal Property Securities Register (PPS Register). The Office has recognised the potential benefits of a PPS Register, though it is important that any privacy issues be fully considered. To promote this, the Office has suggested that the Australian Government conduct a Privacy Impact Assessment for the proposed Register. The Office has also emphasised a number of other matters, including the importance of telling individuals that they may be put on the Register, and the need for appropriate limits on who may access the Register and for what purposes.

1.4 Privacy and the Australian Capital Territory Government

The Office continued to provide quality and timely advice to ACT Government agencies in 2007-08 under its Memorandum of Understanding (see section 4.1.3).

The Office provided comments to the Planning and Land Authority on proposed amendments to the Planning and Development Bill and the collection of information about registered owners of motor vehicles. The Office provided detailed comments to the Department of Justice and Community Safety on its discussion paper Options for Reform of the Structure of ACT Tribunals.

The Office was briefed by the ACT Department of Corrective Services on the use of radio-frequency identification (RFID) or tracking devices in the new ACT prison, the Alexander Maconochie Centre. Inmates will be fitted with RFID bracelets. The device sends out a timed, regulated signal and will trigger an alarm, for example, if an inmate enters a prohibited area. Staff will also be issued with RFID devices fitted with a safety alarm and visitors to the prison will also be monitored.

1.5 Privacy and Business

1.5.1 Review of the Private Sector Provisions of the Privacy Act

During 2007-08, the Office continued to implement the recommendations stemming from the 2005 report on its review of the private sector provisions of the Privacy Act 1988 (reported in Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act (2005)).

Specifically, the Office published five new Private Sector Information Sheets for health practitioners and seven frequently asked questions for individuals relating to the health-related recommendations (see section 1.6.3).

The Office also published a new Private Sector Information Sheet which reproduced the ten National Privacy Principles from Schedule 3 of the Privacy Act, incorporating the amendments made on 14 September 2006. The Office is currently working on the development of further guidance materials and publications relating to other recommendations from its 2005 report.

The Australian Law Reform Commission's review of privacy law is itself a result of a key recommendation made by the Office in its 2005 report. The Office made a substantial submission to this inquiry in December 2007 (see section 1.2).

1.5.2 Private Sector Advice

Under s. 27(1)(d) of the Privacy Act, one of the Privacy Commissioner's functions is to promote an understanding and acceptance of the National Privacy Principles.

Consistent with this function and with the Office's Strategic Plan goals to work collaboratively and provide quality advice, the Office has continued to provide advice about the operation of the NPPs including on such matters as:

  • the interaction of privacy and content filtering on the internet
  • privacy and employment issues
  • workplace surveillance
  • the use of identifiers to match individuals to missing payments
  • the degree to which industry codes of practice align with privacy obligations and good privacy practice.

In accordance with the Office's strategic commitment to develop private sector communication, the Office took the opportunity to present to a number of conferences and industry bodies during the reporting year. For example, the Office spoke at the Online Social Network and Business Collaboration conference, and presented at an internal fraud networking forum and to a number of international delegations.

The Office also developed a Private Sector Information Sheet on the practice of scanning the identity documents of individuals. Among other things, this guidance highlighted the obligation to allow individuals to interact anonymously wherever possible and, where this is not possible, that only the minimum necessary information should be collected.

1.5.3 Privacy Codes

Part IIIAA of the Privacy Act allows organisations to apply to the Privacy Commissioner for approval of a privacy code that will replace the National Privacy Principles for organisations bound by that code.

There were no new code applications in the current reporting period.

Notably, in its submission to the Australian Law Reform Commission's privacy inquiry, the Office agreed with the proposal that codes approved under Part IIIAA should operate in addition to the proposed Unified Privacy Principles (UPPs) and any guidance provided in the code about complying with the UPPs should contain obligations at least equivalent to the UPPs. This proposal underpins the current requirement that approval of a code is subject to assessing that the provisions of the code are at least equivalent with the NPPs.

Queensland Club Industry Privacy Code

Following a review of its privacy code, Clubs Queensland made an application under s. 18BD(1) of the Privacy Act to vary the code. The Office is working with Clubs Queensland in relation to the variation application.

1.5.4 Credit Reporting

The credit reporting provisions of the Privacy Act were reviewed as part of the Australian Law Reform Commission's (ALRC) review of privacy.

In the Office's December 2007 submission to that review (see section 1.2), the Office recommended that there should be no lessening of existing privacy protections for personal credit information.

The Office agreed with the ALRC's proposal that the credit reporting provisions of the Privacy Act should be repealed and credit reporting regulated by the general provisions of the Privacy Act. In this way, credit reporting would be regulated by the National Privacy Principles or the ALRC's proposed Unified Privacy Principles. Additional obligations specific to credit reporting could then be imposed on credit reporting agencies and credit providers via a binding credit code issued by the Privacy Commissioner, or in regulations such as the ALRC's proposed Privacy (Credit Reporting Information) Regulations.

Further information about the Office's views on reform of the credit reporting provisions in the Privacy Act is available in Part G of the Office's submission to the ALRC, available at www.privacy.gov.au/publications/submissions/alrc_72/PartG.html.

During 2007-08, the Office also responded to the Productivity Commission's Draft Report Review of Australia's Consumer Policy Framework. The Office commented on the role nationally consistent regulation could play in terms of business efficiency and reducing complexity and confusion for businesses and consumers, including in relation to credit reporting regulation.

In line with the Strategic Plan the Office provided advice to government, industry and individual stakeholders about their credit reporting responsibilities and rights. In particular the Office participated in a retail credit industry forum and provided advice to various stakeholders regarding the use of credit reporting information for identity verification purposes.

1.5.5 Tax File Number Guidelines

During 2007-08, there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s.17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers (TFNs).

In its response to the ALRC review of privacy, the Office said that it should review the TFN Guidelines in consultation with the Australian Taxation Office and other relevant stakeholders.

1.6 Privacy and the Health Sector

1.6.1 Section 135AA Guidelines Review

On 6 March 2008, the Privacy Commissioner made new legally binding Privacy Guidelines for Medicare Benefits and Pharmaceutical Benefits programs. The Guidelines, registered on the Federal Register of Legislative Instruments, replaced existing Guidelines made in 1993 and came into effect on 1 July 2008.

These Guidelines are made under s.135AA of the National Health Act 1953. Section 27(1)(pa) of the Privacy Act provides that issuing them is a function of the Privacy Commissioner. The Guidelines apply to the way Australian Government agencies handle claims information from the two programs. A breach of the Guidelines is an interference with privacy under s.13 of the Privacy Act. In summary, the Guidelines give effect to the express terms and policy intent of their enabling legislation by:

  • requiring the separate storage of Medicare Benefits and Pharmaceutical Benefits programs claims information
  • specifying the circumstances in which data from the two programs may be linked
  • requiring the de-identification of claims information over five years old
  • specifying the circumstances when old information may be re-identified.

In making the Guidelines, the Privacy Commissioner took into account the need to ensure that such regulation did not impose unnecessary administrative burdens on key agencies.

As required by the enabling legislation and the Legislative Instruments Act 2003, preparation of the new Guidelines was preceded by an extensive consultative process and review involving a range of stakeholders, such as peak health bodies, consumer health and privacy advocacy groups, Medicare Australia and the Department of Health and Ageing.

Further information is available at www.privacy.gov.au/law/other/medical/#2.8.

1.6.2 Public Interest Determinations 10 and 10A

The Privacy Commissioner made Public Interest Determinations 10 ('PID 10') and 10A ('PID 10A') on 6 December 2007 in relation to the non-consensual collection of family, social or medical histories of third party health consumers by organisations providing a health service. In making the determinations, the Commissioner found that the central public interest objective being served by these determinations is the provision of quality health services to health consumers and ultimately safeguarding public health.

The determinations were made under subsections 72(2) and 72(4) of the Privacy Act and are effective from 11 December 2007 to 10 December 2011.

PID 10 permits the applicant to collect health information from an individual (a health consumer), or from a person responsible for the health consumer, about another individual (a third party) non-consensually in circumstances where:

  • the collection of the third party's information into the health consumer's family, social or medical history is necessary for the applicant to provide a health service directly to the health consumer
  • the third party's information is relevant to the health consumer's family, social or medical history
  • the applicant collects the third party's information without obtaining the consent of the third party
  • the third party's information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.

The purpose of PID 10A is to give general effect to PID 10. The effect of the determinations under s.16A of the Privacy Act is that the act or practice of an organisation in collecting such information without consent will not be regarded as breaching NPP 10.1.

1.6.3 Health Information Sheets

In March 2008, the Office released new privacy guidance materials for medical practitioners and other health service providers, as well as for health consumers.

The five new Private Sector Information Sheets are intended to assist private sector health service providers to fulfil a range of obligations under the Privacy Act relating to use, disclosure and individual access to health information. Seven frequently asked questions (FAQs) provide health consumers with guidance on the same issues as raised in the new information sheets.

The information sheets and FAQs were developed following consultation with a wide range of health professionals, consumer bodies and privacy organisations. This consultation was consistent with the objectives of the Office's Strategic Plan to increase awareness of privacy choices and obligations, and to build effective relationships with key stakeholders.

The information sheets address key health privacy issues raised by stakeholders in the private healthcare sector. The guidance material gives effect to recommendations made in the Office's 2005 report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. Progressing these recommendations is also an action under the Office's Strategic Plan.

These information sheets and accompanying FAQs cover:

  • reasonable fees that can be charged for patients to access their records
  • use and disclosure of health information for managing a health service
  • sharing health information within a treating team
  • sharing health information with relatives of an incapacitated patient
  • denial of access to health information due to a serious threat to life or health.

As part of releasing the new guidance materials, the Office sought to ensure that they were well publicised in the sector. To this end, the Office has provided over 1000 hard copies of each information sheet to a wide range of peak industry bodies, consumer groups, government agencies, and both large and small health service providers. The Privacy Commissioner also met with a number of groups in the sector to discuss the new guidance materials, along with other issues.

1.6.4 Electronic Health

The Office continued to engage with relevant bodies, such as the National eHealth Transition Authority (NEHTA), Medicare Australia, the Australian Institute of Health and Welfare, as well as state and territory government bodies, on matters related to electronic health records.

The Office reiterated its position on the national Shared Electronic Health Records (SEHR) scheme and the national Unique Healthcare Identifier (UHI) scheme in its final submission to the Australian Law Reform Commission's (ALRC) review of privacy in December 2007. The Office supported the ALRC's proposal that the UHI and SEHR schemes should be established under specific enabling legislation, with the legislation addressing information privacy issues including:

  • the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems
  • the eligibility criteria, rights and requirements for participation in the UHI and SEHR schemes by health consumers and health service providers, including consent requirements
  • permitted and prohibited uses and linkages of personal information
  • permitted and prohibited uses of UHIs and sanctions in relation to misuse
  • safeguards in relation to the use of UHIs; for example, that it is not necessary to use a UHI in order to access health services.

These measures would help ensure that a highly reliable health care identifier would not be widely adopted outside of the health sector, including as a de facto national identity number.

Proposals such as a national EHR and UHI can only be effectively implemented where community trust is maintained, including by getting privacy right. Failing to establish or maintain consumer confidence has potential to impact consumer take-up and acceptance of these new technologies, thus challenging their clinical benefits and cost effectiveness.

1.6.5 Section 95AA Guidelines

The Privacy Legislation Amendment Act 2006 introduced National Privacy Principle 2.1(ea). The amendment gives organisations the discretion to use or disclose genetic information about an individual to a genetic relative where it is considered necessary to lessen or prevent a serious threat (whether or not the threat is imminent) to the genetic relative's life, health or safety.

Any use or disclosure must be in accordance with guidelines made by the National Health and Medical Research Council (NHMRC) under s. 95AA of the Privacy Act and approved by the Privacy Commissioner.

In April 2007, the NHMRC convened a working group to develop the guidelines. The Office has continued working with the NHMRC in 2007-08 (participating in the working group as an observer) as it develops the guidelines.

1.7 Privacy and the Information and Communications Technology Sector

1.7.1 Telecommunications Interception Legislation

In April 2008, the Office made a submission to the Senate Legal and Constitutional Affairs Committee, in relation to the Telecommunications (Interception and Access) Amendment Bill 2008 (the Bill). The Telecommunications (Interception and Access) Act 1979 (the TIA Act) specifies the circumstances in which it is lawful for law enforcement agencies and the Australian Security Intelligence Organisation (ASIO) to intercept communications under the authority of a warrant, subject to reporting and accountability mechanisms.

The Office noted in its submission that a primary policy objective of the TIA Act is to protect the privacy of individuals who use the Australian telecommunications system. The Office also noted that in recent years there have been a number of amendments to telecommunications interception legislation and that these amendments have resulted in an incremental expansion of powers regarding interception.

In its submission, the Office recommended that:

  • consideration be given to amending the Bill to contain more rigorous parameters around the network protection provisions, for example, in relation to secondary use of data and the destruction of data no longer needed
  • the proposed amendments relating to multiple telecommunication device-based warrants be modified to require that each of these devices be named on the warrant
  • the issuer of the warrant must be satisfied that each of those devices is used or likely to be used by the named person
  • each device can be uniquely and accurately identified for the purpose of interception.

The Office also reiterated its view that the operation of the TIA Act should be subject to overall independent review at least every five years.

1.7.2 Telecommunications and E-Marketing Industry Codes

The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.

The Office was consulted by Communications Alliance in relation to the ULLS Ordering, Provisioning and Customer Transfer Code. The Office provided comments on collection, notice to individuals and issues related to the disclosure of personal information and the transfer of telecommunications services between providers.

1.8 Voluntary Information Security Breach Notification Guide

On 15 April 2008, the Office released a draft Voluntary Information Security Breach Notification Guide ('the draft guide') for a two month consultation period. A consultation paper, including the draft guide, was sent to all Australian Government departments and a range of agencies, as well as a large number of businesses, industry groups, and community or consumer bodies.

The draft guide draws on similar guides developed by the Offices of the Information and Privacy Commissioner of British Columbia, Ontario and Alberta, the Office of the Privacy Commissioner of Canada, and the Office of the Privacy Commissioner of New Zealand.

The volume of data transfer occurring across national and international borders, portable information devices and flexible working environments have increased the risk of large amounts of personal information being compromised. The need to develop such a guide was a response to the increased risk of data breaches, and the Office's strategic commitment to identify evolving and emerging technology issues.

The Office expects that this guide will also help to inform any advice it gives to the Australian Government should it decide to pursue a statutory notification requirement.

The Office is of the view that notifying individuals of a breach to the security of their personal information allows individuals to take steps to protect their personal information. Notification can also enhance an agency or organisation's transparency and openness with individuals - an important part of consumer trust and confidence.

The Office's draft guide suggests that notification should occur if the breach creates a real risk of serious harm to individuals affected by the breach. This approach to notification is consistent with the approach recommended by the Australian Law Reform Commission (ALRC) in its review of privacy.

In addition, in its Discussion Paper 72, the ALRC proposed that mandatory breach notification be introduced to the Privacy Act. The Office supported mandatory breach notification in certain circumstances.

The Office developed the draft guide to respond to requests for guidance from organisations and agencies. Developing the guide has also provided the Office with an opportunity to examine the issue of breach notification and consider how it might best operate in practice. The Office intends to finalise the guide in the second half of 2008.

1.9 Automatic Number Plate Recognition

The Office made a submission to the Queensland Parliamentary Travelsafe Committee inquiry into the use of Automatic Number Plate Recognition (ANPR) technology by law enforcement agencies in Queensland to promote road safety. The Office also met with the Travelsafe Committee to discuss its submission.

In its submission, the Office stated that the main privacy challenge around the use of ANPR technology is ensuring a balance between appropriate law enforcement measures, which might include ANPR technology, and the protection of individuals' privacy. Among other matters, the Office also suggested that careful consideration be given to the potential for this technology to collect, track and store detailed information about individuals and combine this with other databases to build rich 'data trails'.

The Office recommended that potential uses of personal information collected using ANPR be specified in law and that any expansion of these uses be subject to appropriate parliamentary scrutiny. The Office also recommended that the handling of such information be accompanied by consistent and clear rules, protocols or laws determining privacy protection. Such measures should include accountability and oversight systems that provide complaint handling mechanisms for individuals.

The Office has also engaged with CrimTrac regarding its scoping work for national ANPR technology across jurisdictions. The Office has suggested that matters such as the privacy implications of different models, together with compliance issues under the Privacy Act, should be addressed as part of a Privacy Impact Assessment.

Chapter 2 Promoting Privacy

2.1 Review of Performance

In 2007-08, the most significant new activity overseen by the Office's Corporate and Public Affairs section was the launch of the inaugural Australian Privacy Awards and Australian Privacy Medal. This new initiative, coinciding with the 20th anniversary of the Privacy Act, aims to recognise and reward organisations, agencies and individuals for their positive contributions to privacy. Significant interest was forthcoming in relation to this new initiative as a method of showcasing and rewarding excellence in privacy practice. The presentation of the inaugural Awards and Medal is to occur in August 2008.

In addition, the Office has worked closely with other privacy regulators in the Asia Pacific region to expand the activities undertaken by organisations and agencies as part of the annual Privacy Awareness Week. Privacy Awareness Week also saw the Office release a number of helpful publications on privacy issues, most notably the results of the 2007 Community Attitudes Survey. The survey results will assist the Office and others in understanding how Australians are thinking about privacy and the handling of their personal information. The results of the survey will help inform the work of the Office for the next three years.

As well as successfully undertaking these two significant and resource intensive activities, the Office initiated a substantial re-energising of the Privacy Connections and the government Privacy Contact Officers' networks. The Office also initiated a Privacy Authorities Australia forum for privacy regulators, or privacy policy units (where a jurisdiction does not have a privacy regulator).

During 2007-08, the Office also migrated the Office's electronic records and intranet systems to the Microsoft SharePoint 2007 platform, and progressed the redevelopment of its website. The website is the main communication tool the Office uses to provide information to the public, businesses and agencies. During the reporting period, the Office undertook significant analysis of its requirements for an improved website and then advertised a tender in April 2008. By 30 June 2008, the Office had selected a preferred tenderer and entered into contract negotiations for the redevelopment of the website. These achievements met many of the strategies and actions set out in the Office's 2007-09 Strategic Plan, including:

  • developing programs to recognise and reward best practice
  • re-energising the PCO and Privacy Connections networks
  • developing international linkages
  • ensuring that effective relationships, partnerships and networks are at the core of how we operate internally and externally
  • reviewing and developing systems that support internal and external networks and relationships.

2.2 Privacy Awards and Medal

On 9 April 2008, Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary, launched the Office's inaugural Australian Privacy Awards and Australian Privacy Medal programs. The Awards seek to recognise and reward agencies and organisations that engage in good privacy practices. The Medal aims to recognise an individual who has shown an outstanding level of achievement in the privacy field in Australia.

The 2008 Awards are in four categories:

  • Large Business Award - for businesses with more than 100 employees
  • Microsoft Small-medium Business Award - for businesses with less than 100 employees
  • Community and NGO Award - for not-for-profit organisations, such as charities, NGOs, industry bodies, advocacy organisations, and social, cultural, sporting or community groups
  • Symantec Government Award - for any government agency at a local, state or national level.

In addition, a Grand Award will be presented to the overall winner.

The nomination period will conclude on 9 July 2008, and the 2008 Awards and Medal are to be presented at a gala dinner in Sydney on 27 August 2008, during Privacy Awareness Week.

The Office secured the sponsorship of the following organisations for the 2008 Awards program: Symantec (Major Sponsor), Microsoft (Major Sponsor), Clayton Utz (Executive Sponsor), and Australian Finance Conference (Sponsor).

The Awards and Medal will be further reported on in 2008-09.

2.3 Privacy Awareness Week

In conjunction with members of the Asia Pacific Privacy Authorities (APPA), the Office celebrated Privacy Awareness Week (PAW) from 26 August to 1 September 2007.

The week was an opportunity for organisations and agencies covered by privacy legislation in the APPA member jurisdictions to promote privacy awareness to their staff, customers and to the wider community.

A major promotion undertaken by the APPA members was the International Privacy Competition for secondary school students. The competition required students to submit a written piece of work based on the 2007 PAW theme, 'privacy is your business.' An Australian student, Erica Hei-Yuan Chan, was awarded the first prize.

During PAW 2007, the Office also released the results of the 2007 Community Attitudes Survey and a Private Sector Information Sheet on ID scanning. A number of significant promotional and information products were also distributed to government, business and individuals.

The 2007-09 Strategic Plan highlights the goal of increased awareness of privacy choices and obligations within the community, and the Office's annual involvement in PAW is a key factor in achieving this goal. The collaboration of APPA members, and Australian business, government and NGOs to promote PAW also contributes to building robust relationships, another goal of the Strategic Plan.

PAW 2008 will be held in the week of 24-30 August and will continue to be an APPA-wide promotion. The Office maintains APPA's Privacy Awareness Week website at www.privacyawarenessweek.org.

2.4 Community Attitudes Survey

In early 2007, the Office commissioned the Wallis Consulting Group Pty Ltd to undertake a research study of Australians' attitudes towards privacy, and the results were released in August 2007 during Privacy Awareness Week.

Following on from previous studies undertaken in the early 1990s, 2001 and 2004, the survey was aimed at gauging public opinion and awareness on a range of issues relating to the use and handling of personal information by business and government organisations.

Specifically, the study sought to:

  • provide input into the Office's response to the Australian Law Reform Commission's Discussion Paper on its review into privacy law
  • assist in the Office's policy and compliance work, particularly in informing thinking on issues raised through the survey
  • inform the Office's communications work, particularly in identifying issues and audiences that require a focused response or level of pro-activity in terms of the Office's educational work
  • provide information on privacy trends and developments for the Office's stakeholders
  • track changes in community attitudes since the last research and to use this information as a benchmark for future studies.

The study involved telephone interviews with a representative sample of 1503 Australians, as well as a verification study in which three questions from the main study were asked on the NewsPoll Omnibus. The survey's 47 questions covered the following areas:

  • attitudes to providing personal information
  • levels of trust in organisations handling personal information
  • knowledge of the Privacy Act and the Privacy Commissioner
  • the handling of personal information by business and government departments
  • health information and privacy
  • employee privacy
  • the internet
  • identity theft
  • closed circuit television.

The results of the study showed that there have been significant changes since the last study in 2004. Australians have become more concerned about various aspects of privacy in their everyday lives, such as providing personal information online (50% are more concerned than they were two years ago). At the same time, they have become more trusting of certain things, such as their dealings with government agencies (73%, up from 64% in 2004) and health service providers (91%, up from 89% in 2004).

With regard to Australians' familiarity with privacy laws, 69% are aware that federal privacy laws exist, compared to 60% in 2004, 43% in 2001 and 36% in 1994. A majority of Australians are aware that the Privacy Act covers the activities of Australian Government departments (94%) and large businesses (72%) and charities (72%). However, some also believe incorrectly that the Privacy Act covers state government departments (87%) and businesses based overseas (35%). 45% of Australians are aware of the existence of the Privacy Commissioner, compared to 34% in 2004.

The study's report can be found at www.privacy.gov.au/aboutprivacy/attitudes/#1b. A synopsis of the results appears in the Winter 2007 edition of Privacy Matters at www.privacy.gov.au/materials/types/newsletters/view/6262#ps.

2.5 Privacy Website

The Office's website (www.privacy.gov.au) features very prominently in the Office's 2007-09 Strategic Plan. The website continues to be the critical hub for the communication of the Office's privacy messages. The site is kept up-to-date with information relating to the activities of the Office, provides key privacy information generated by the Office and links to other privacy information sources. The Office also manages the design and development of APPA's Privacy Awareness Week website (www.privacyawarenessweek.org).

To ensure that the Office's website continues to play the role of communications hub effectively, the Office has commenced a major redevelopment of the website. This is considered to be an important project, especially since the last major website redevelopment was completed when the private sector provisions commenced in 2001.

Key goals of the redevelopment are to:

  • provide better access to documents and information
  • generate a user interface that is suitable for a range of audience groups
  • create a portal for all the Office's privacy messages
  • build a site content system that is easily maintained.

The Office's current website increased its traffic from the previous reporting period. Individual visits to the website increased by 41 911 sessions during 2007-08 (a 2% increase). Page views (the number of pages looked at during sessions) increased by 2 241 289 (a 36% increase).

It appears that the Office's website may have been affected by 'fraudulent' traffic to the site during the reporting period, resulting in a larger than expected increase in page views. The Office is unable to accurately identify the percentage of this 'fraudulent' traffic. However, in 2008-09, the website will be rebuilt and this will provide the Office with an opportunity to improve the way visits to the website are counted in the next financial year and beyond.

The figures in Table 2.1 show the number of sessions and the number of page views for the privacy website each year for the last three financial years.

Table 2.1 Page and Session Views for the Privacy Website

| | 2005-06 | 2006-07 | 2007-08 | Variation 2006-07 to 2007-08 |
|---|---|---|---|---|
| Sessions | 1 411 320 | 1 953 316 | 1 995 227 | + 41 911 |
| Page views | 5 937 245 | 6 183 973 | 8 425 262 | + 2 241 289 |

2.6 Speeches

During 2007-08, the executive and senior staff of the Office delivered 45 speeches or presentations. The speeches and presentations covered a range of privacy-related issues including the Australian Law Reform Commission's review of privacy, anti-money laundering and data breach notification.

A selection of these speeches and presentations is available on the Office's website at www.privacy.gov.au/materials/types/speeches?sortby=60.

2.7 Publications

The Office released a number of important new publications and other materials during 2007-08.

A major release was the March 2008 publication of five new Private Sector Information Sheets, which provided targeted privacy guidance in the medical field (see section 1.6.3). These were accompanied by seven related frequently asked questions (FAQs), the aim of which was to make this important information more accessible and easier to understand for a variety of audiences. This release was a key action in advancing the Office's strategy of developing guidance material to assist the private sector.

In December 2007, the Office released ten social networking FAQs. These FAQs issued advice to Australians (especially teenagers) about protecting their personal information on these sites. They were issued in response to growing community concerns about the potential privacy risks associated with social networking websites.

As part of Privacy Awareness Week in August 2007, the Office released a Private Sector Information Sheet on ID Scanning, as well as eight associated FAQs. These publications issued advice to pubs, clubs and other organisations that scan people's ID documents about their obligations under the Privacy Act.

The Office's focus on developing privacy information in the user-friendly FAQ format is part of its Strategic Plan strategy to use more targeted, integrated communication strategies. The full collection of the Office's FAQs is available at www.privacy.gov.au/faq/.

The Office produced a range of other publications, including a draft Voluntary Information Security Breach Notification Guide (see section 1.8), and various materials relating to the Anti-Money Laundering and Counter-Terrorism Financing legislation (including bookmarks and FAQ factsheets: see section 1.3.1).

The Office also continued to publish Privacy Matters - its accessible and easy-to-read quarterly newsletter, which keeps stakeholders up-to-date with important Office-related and other privacy developments. The newsletter complements the work the Office already does through its various stakeholder networking strategies (see section 2.8), and assists the Office in its Strategic Plan goal of increasing awareness of privacy choices and obligations within the community.

Subscription to Privacy Matters is available through the Office's website at www.privacy.gov.au/news/newsletter/. Most of the Office's other publications are also available online at www.privacy.gov.au/materials.

2.8 Networks

2.8.1 Privacy Connections

During 2007-08, the Office continued to re-energise its Privacy Connections network of privacy professionals in the private sector. In July 2007, the Office hosted well-attended forums in Brisbane, Canberra and Melbourne with Peter Cullen, the US-based Chief Privacy Strategist of Microsoft, and Privacy Commissioner Karen Curtis as the keynote speakers. In Sydney, the speakers included Mr Cullen, Ms Curtis and the then Attorney-General, the Hon Philip Ruddock MP.

April 2008 saw the launch of the Office's inaugural Australian Privacy Awards and Australian Privacy Medal (see section 2.2) at a Privacy Connections function held in Sydney. The keynote address was delivered by Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary.

In late May and early June 2008, workshops were held in Sydney, Melbourne and Brisbane for privacy professionals in the general insurance sector. Hosted in association with the Insurance Council of Australia, the workshops featured an assessment of simulated privacy complaints in the sector. The workshops sought to assist participants in refining their understanding of approaches to complaint handling within a privacy context, improving their knowledge of the way in which the National Privacy Principles can be applied in practical circumstances, and gaining an insight into the Office's complaint handling procedures. Further forums and workshops have been planned for 2008-09.

In 2007-08, the scope of the PriNet electronic list (providing news of privacy developments), which had previously been open to Privacy Connections members only, was broadened to allow any member of the public to subscribe. However, Privacy Connections members continue to receive electronic updates of events and issues affecting them. The network had 846 members as at 30 June 2008.

Information about Privacy Connections is available at www.privacy.gov.au/business/privacyconnections/.

2.8.2 Government Privacy Contact Officer Network

The Office manages a network of Privacy Contact Officers (PCOs) from Australian and ACT Government agencies and hosts four meetings a year. The meetings enhance the Office's relationship with other government agencies as they enable PCOs to meet directly with the Commissioner and hear about the Office's activities, priorities and initiatives, such as Privacy Awareness Week.

In order to meet the Office's Strategic Plan's goal of increased awareness of privacy choices and obligations within the community, the Office has reviewed this network. The network has been tailored to play an educative role in informing PCOs of their compliance obligations and discussing international developments in privacy regulation. This year featured significant discussion on key aspects of the Office's submission to the Australian Law Reform Commission's review of privacy.

The Office invited external speakers to address the PCOs, including the Commonwealth Ombudsman and the Merit Protection Commissioner, as well as long-term PCOs.

The network provides a crucial link between agencies and the Office for the purposes of managing privacy complaints, as PCOs play an important role in Australian and ACT Government agencies' information and privacy compliance obligations.

2.8.3 Privacy and Consumer Advocates

The Office met privacy and consumer advocates twice during the reporting period. A range of matters were discussed, including the Australian Law Reform Commission's review of privacy and international developments on policy development.

2.9 Media

The Office received 190 media enquiries during 2007-08. This is up 44% from the 132 enquiries received in 2006-07. Of the 190 enquiries, 118 were from print media, 33 from radio stations, 12 from television, 26 from news websites, and one from a news agency.

The enquiries concerned a range of privacy-related issues, with the most common including:

  • social networking websites
  • Australian Law Reform Commission's review of privacy
  • employers monitoring staff, particularly emails
  • scanning of patrons' identification by clubs and bars
  • alleged privacy breaches by various organisations
  • the former proposed Health and Social Services Access Card
  • data breach notification
  • the Office's Community Attitudes Survey.

In most cases, background information on the issue or a comment was supplied to the journalist. Interviews were also conducted on various radio stations and television programs.

Publications in which articles by the Privacy Commissioner or other staff members have appeared in 2007-08 include the Herald Sun, Australian Doctor, The Senior, Education Today, Canberra Times (Public Sector Informant), Marketing Magazine, World Data Protection Report, Consumer Directions, Real Estate Magazine, Education Technology Solutions, and Xpress - Business SA.

The Office prepared 25 media releases during 2007-08.

The Office has an email list for the distribution of media releases. Information about the list is available at www.privacy.gov.au/news/subscribe/.

2.10 International Liaison

2.10.1 Asia Pacific Economic Cooperation

In 2004, the Asia Pacific Economic Cooperation (APEC) Privacy Framework was adopted by APEC leaders, in recognition of the importance of developing effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth in the APEC region.

In September 2007, APEC economies endorsed a 'pathfinder' for international implementation of the APEC Privacy Framework. The APEC Data Privacy Pathfinder (the Pathfinder) seeks to facilitate development of a framework for accountable flows of personal information across borders, focusing on the use of cross-border privacy rules by organisations. The Pathfinder also aims to support this cross-border privacy rules system with a framework of cross-border cooperation in the enforcement of information privacy.

The APEC Data Privacy Pathfinder Implementation Work Plan consists of nine key projects, three of which are being led by the Office. Those three projects include the development of:

  • a directory of accountability agents (such as privacy commissioners, trust marks and so on) in APEC
  • a framework for cross-border cooperation on privacy enforcement
  • a cross-border complaint handling form for use by privacy enforcement authorities in APEC.

During 2008, the Office developed draft documents for these projects, in consultation with the project working groups. These drafts will be discussed at the next meeting of the Data Privacy Subgroup to be held in Lima, Peru in August 2008.

2.10.2 Organisation for Economic Cooperation and Development

The Office engages internationally through the Organisation for Economic Cooperation and Development (OECD) Working Party on Information Security and Privacy (WPISP). This is in conjunction with the whole-of-government work it does on identity security domestically (see section 1.3.4). The Office engaged with WPISP on the issue of identity security during this reporting period. The Deputy Privacy Commissioner, Timothy Pilgrim, also attended the WPISP meeting in Ottawa, Canada, in September 2007.

The Office also engages on the issue of identity security and, more recently, on digital identity management through its membership of these groups, other formal arrangements such as MOUs, and by making submissions on papers and proposals about identity management and security.

The Office has also provided comments to the Department of Broadband, Communications and the Digital Economy for input into OECD initiatives, such as in relation to the internet economy.

2.10.3 Asia Pacific Privacy Authorities

The Asia Pacific Privacy Authorities (APPA) forum membership now includes the Privacy Commissioners from: Australia (including NSW, Victoria and the NT), New Zealand, Hong Kong, South Korea and Canada (including the province of British Columbia).

APPA meets biannually, with a rotating venue and host. The meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA affiliates. Commissioners also have the opportunity to exchange knowledge and experiences regarding privacy regulation across different jurisdictions.

In November 2007, the Office of the Privacy Commissioner New Zealand hosted the 28th APPA Forum in Wellington. At this meeting, it was agreed that the Office would act as the APPA secretariat for the following 12-month period. The Office undertook a key role as secretariat in the organisation of the 29th APPA Forum, hosted by KISA in Seoul, Korea in June 2008.

Participation in APPA has facilitated the growth of significant relationships between the Office and other privacy authorities. Maintaining robust relationships is one of the key goals of our Strategic Plan.

The Office hosts the APPA webpage at www.privacy.gov.au/aboutus/international/appa/.

2.10.4 29th International Conference of Data Protection and Privacy Commissioners

In September 2007, the Privacy Commissioner and Deputy Privacy Commissioner attended the 29th International Conference of Data Protection and Privacy Commissioners held in Montreal, Canada. The theme of the conference was 'Terra Incognita'.

Resolutions were made at the conference on matters including the need for global standards for safeguarding passenger data, and the development of international standards for new and existing technologies. For more information, see the conference website at www.privacyconference2007.gc.ca.

2.11 Privacy Advisory Committee

The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act and members are appointed by the Governor-General. The PAC's function, as outlined in s. 83 of the Privacy Act, is to advise the Commissioner on matters relevant to her functions and to engage in and promote protection of individual privacy in the private sector, government and community.

The PAC maintains an active interest in the implementation of the Office's Strategic Plan and provides feedback and advice on the goals and activities that are undertaken. In 2007-08, the PAC was directly involved in a number of Office activities. Members were consulted on the website redevelopment tendering process and had input into the tender selection. They provided support to the Office through their promotion of Privacy Connections events, and contributed to the development of the Privacy Awards and Medal programs and the Client Service Charter. The PAC assisted in the tender selection for the Community Attitudes Survey and was heavily involved in the development of the survey questions (see section 2.4). The PAC also provided input into the Office's submission to the Australian Law Reform Commission's review of privacy.

In addition to the Commissioner, there are currently six members of the PAC. In May this year, the appointments of Ms Suzanne Pigdon, Ms Joan Sheedy and Dr Bill Pring were renewed until 1 May 2010. Other members include Associate Professor John O'Brien, Peter Coroneos and Robin Banks.

2.12 Privacy Authorities Australia

With the steady expansion of APPA membership (including to Canada and British Columbia) it became clear during the reporting period that there was a need for a more focused grouping of the Australian federal, state and territory jurisdictions. This group would include either a statutory officeholder responsible for personal information protection, or the relevant government privacy policy area where the jurisdiction does not have such a statutory officer.

An initial meeting of this group was held in Canberra in April 2008 to settle terms of reference and to discuss issues of mutual interest. This meeting was accompanied by an extensive briefing from the Chief Executive Officer of CrimTrac, Mr Ben McDevitt, on the work of that agency. It was determined that the group should be called Privacy Authorities Australia and that it will meet at least twice a year. The Office will undertake the secretariat role for the group for an initial period of two years.

Chapter 3 Protecting Privacy

3.1 Review of Performance

The Office's compliance focus in 2007-08 has been directed by the Strategic Plan, particularly in terms of fulfilling the four goals of high quality results, increased community awareness, robust relationships and a competent workforce.

In achieving high quality results, the Compliance section has implemented recommendations from its complaint handling review, leading to the elimination of delays in commencing preliminary enquiries and investigations. Complaint handling processes continue to be improved, with service standards being drafted and trialled. As well, more extensive and effective 'real time' conciliation via teleconferencing and face-to-face sessions has been introduced.

The Office has undertaken more 'own motion' investigations as part of a proactive approach to dealing with systemic privacy issues. This work will continue in 2008-09. The Office's audit program has included examination of Biometrics for Border Control, Identity Security (Document Verification Service) and some ACT Government agencies, as well as assisting the Australian National Audit Office in aspects of its work.

The Compliance section has contributed to improving community awareness through a variety of means, including participation in the development of new information sheets, regular participation in government Privacy Contact Officer meetings and conducting education/information sessions and workshops. The publishing of 25 case notes during the year helped increase awareness and provided guidance, for both complainants and respondents, in understanding the way in which the Office approaches issues.

The Office has continued to meet with a variety of agencies and organisations during the reporting period, with the aim of strengthening its relationships. Meetings have been held with industry groups and individual organisations, as well as government agencies. In addition, the adoption of a Client Service Charter formed an important part of our relationship with complainants and respondents.

A significant activity has been the delivery of training for staff, improving further the level and mix of skills within the Compliance section. High quality advice provided to individuals and organisations coupled with more efficient complaint resolution are aided by our internal training and development strategies.

3.2 Responding to Enquiries

3.2.1 Telephone Enquiries

The Office's telephone enquiry service (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The enquiry service answered 18 059 telephone enquiries in 2007-08. This is about 4% more than the 17 392 received in 2006-07.

Who is calling?

As was the case over the past few years, the vast majority of calls are from individuals seeking information about their privacy rights and advice about how to resolve privacy complaints.

Table 3.1 below illustrates the types of callers who telephoned the Privacy Enquiries Line in 2007-08.

Table 3.1 Source of Telephone Enquiries

Individuals 15 147
Health Service Providers 380
Australian Government 310
Real Estate 293
Legal, Accounting and Management Services 231
Business and Professional Associations 192
Finance 179
State Government 148
Charities 138
Employment Services 113

What are calls about?

Of the calls received this year, 49% related to the National Privacy Principles (NPPs). This is 5% less than the number of NPP calls received in 2006-07. The most frequently discussed issue was the use and disclosure of personal information by private sector organisations. This has been a consistent theme over recent years. A third of the calls about the private sector provisions concerned use and disclosure, the same proportion as the last reporting period. The proportion of calls about Credit Reporting and the Information Privacy Principles (IPPs) remained steady.

Table 3.2 shows a breakdown of issues discussed in calls received during 2007-08.

Table 3.2 Breakdown of Issues in Calls Received

Private Sector Provisions Issues
NPP 1 - Collection 1571
NPP 2 - Use and Disclosure 2968
NPP 3 - Data Quality 203
NPP 4 - Data Security 576
NPP 5 - Openness Issues (privacy statement) 127
NPP 6 - Access and Correction 1152
NPP 7 - Identifiers 12
NPP 8 - Anonymity 10
NPP 9 - Transborder Data Flows 74
NPP 10 - Sensitive Information 115
NPP Exemptions 1492
Private Sector Provisions (General) 661
Sub-total 8961
Non-Private Sector Provisions Issues
Credit Reporting 1014
Surveillance 397
Data-matching 34
IPPs 750
Spent Convictions 145
Tax File Numbers 63
Privacy (General) 3488
Sub-total 5891
Unrelated to privacy 3207
Total 18 059

Who are National Privacy Principles calls about?

Chart 3.1 below distributes the NPP telephone enquiries by private sector industry groups.

Chart 3.1 Private Sector Industry Groups to which Telephone Enquiries Relate

Some examples of calls received during 2007-08 appear below.

  • A caller advised that an individual claiming to be a government official attended her property and demanded to view her power bill. The caller asked to view the individual's ID and discovered that the person was in fact a sales representative for a power company. The caller asked whether this was allowable under the Privacy Act. The caller was advised about NPP 1.2, unfair and unlawful collection of personal information, and given information about the Office's complaint process.
  • A caller rang seeking advice as to whether a psychiatrist can disclose a 14 year old's health information to a parent. The caller was advised that the Privacy Act does not differentiate between young people and adults, but rather the individual's capacity to make an informed decision will determine if they will be responsible for the decisions about how their personal information is managed.
  • A caller from a government agency asked whether it was possible to collect and use photographs of individuals for the agency's promotional purposes. The obligation of providing individuals with an IPP 2 notice upon the collection of their information was discussed. The caller was advised that seeking an individual's express consent to use and disclose their personal information in that manner is good privacy practice.
  • A caller rang asking for advice on how to get a marketing organisation to stop sending her marketing material. The caller was advised that it would depend on how and why the marketing organisation obtained her personal information. If collected for the primary purpose of direct marketing, the organisation would not be obliged under the Privacy Act to stop sending her the material. However, if the direct marketing was a secondary purpose of collection, the organisation would need to provide her with the option not to receive further marketing materials. The caller was advised to contact the organisation and determine where her information had been gathered from, before considering a complaint.
  • A caller advised that he went to a seminar about applying for a tradesman's licence. He had previously applied for registration and been refused. The trainer in the seminar used his application to show people how not to apply for registration. The application contained numerous pieces of the caller's personal information. The trainer didn't know the caller was at the training. The caller's personal information was given to the training organisation by an industry association. The caller was given information about NPP 2.1, disclosure of personal information, and advised about the Office's complaint process.

3.2.2 Written Enquiries

The Office responds to requests for information that are received by email, letter or fax. The Office received 2168 written enquiries in 2007-08, which is a small decrease on the number received in 2006-07 (2182).

The Office is committed to responding to 90% of written enquiries in 10 working days. This benchmark was met in 2007-08, with 94% of written enquiries responded to in 10 working days or less.

67% of the written enquiries answered in 2007-08 related to the private sector provisions. This is a 9% increase on the number of private sector written enquiries received in 2006-07 (58%).

Examples of the written enquiries received in 2007-08 appear below.

  • A contracted service provider to an Australian Government agency asked about its obligations in providing individuals with notices when collecting personal information.
  • An enquirer asked about how organisations are authorised to send unsolicited direct marketing mail.
  • An enquirer asked about who is entitled to their Tax File Number.
  • An enquirer asked about obtaining access to information held by her health service provider. The provider had claimed it was not covered by the Privacy Act.
  • An enquirer asked about the steps required to correct the personal information held about her by her bank.

3.3 Responding to Complaints

Allegations about acts or practices that may be an interference with the privacy of an individual can be accepted by the Privacy Commissioner as complaints. This can, for example, include complaints about:

  • how personal information is collected, held, used or disclosed by large private sector organisations, private sector health service providers and some small businesses under the National Privacy Principles
  • how personal information is handled by Australian and ACT Government agencies according to the Information Privacy Principles
  • credit worthiness information held by credit providers and credit reporting agencies
  • the use of personal tax file numbers by individuals and organisations
  • related legislation, including spent convictions under the Crimes Act 1914 and Australian Government data-matching programs regulated by the Data-matching Program (Assistance and Tax) Act 1990.

3.3.1 Complaints Received During 2007-08

In 2007-08, the Office received a total of 1126 complaints across all areas of its jurisdiction. This is about a 3% increase on the previous year (1094 were received in 2006-07).

Complaints related to a wide variety of issues. Examples of complaints and their outcomes can be found on the Office's website at www.privacy.gov.au/law/apply/determinations/.

The percentage of complaints received about each Privacy Act jurisdiction is given in Chart 3.2. As has been the case since the Privacy Commissioner's role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about.

Chart 3.2 Percentage of Complaints Received by Privacy Act Jurisdiction

image of chart 3.2

The particular issues that are most regularly complained about as a percentage of total complaints received in 2007-08 are described in Chart 3.3. Please note that the percentages exceed 100% as some complaints contain more than one issue.

Chart 3.3 Key Issues in Complaints

image of chart 3.3

The most commonly complained about IPP issue was use and disclosure, which made up 41% of IPP allegations. The next most common IPP allegation involved security, making up 17% of allegations. The collection of personal information was the third most frequent IPP issue, making up 15% of allegations.

It is interesting to note that the most common issues raised in IPP complaints once again mirror the most common concerns raised in NPP complaints. That is, for both IPP and NPP complaints the most frequently raised concerns in 2007-08 were, in order, use or disclosure, security and collection.

Chart 3.4 shows the number of complaints made about each of the 10 most commonly complained about sectors. Once again, the finance sector continues to be the most frequently complained about industry. The Office's continuing view is that this is due to the volume of personal information transactions conducted by the sector and a reflection of the fact that the sector is bound by both the NPPs and the Credit Reporting provisions.

Chart 3.4 Complaints by Government and Industry Sector

image of chart 3.4

3.3.2 Complaints Closed during 2007-08

Acts or practices that may be a breach of privacy can be investigated by the Privacy Commissioner. Where appropriate, the Commissioner may attempt to conciliate a resolution of the matters which led to the complaint.

If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further. Otherwise, the Commissioner may make a determination about a complaint under s. 52 of the Privacy Act.

In 2007-08, the Office closed 1228 complaints, 18 more than the 1210 complaints closed in 2006-07.

The Office investigated more complaints under s. 40(1) of the Privacy Act and chose to summarily dismiss fewer complaints than in 2006-07. Table 3.3 provides more information about the stage at which complaints were closed.

The Office aims to finalise all complaints within 12 months of receiving them. In 2007-08, complaints were closed in an average of eight months.

Table 3.3 Stage at which Complaints Closed

Investigation - s. 40(1) | 18%
Preliminary enquiries - s. 42 | 35%
Decline to investigate - s. 41 | 47%
Total | 100%

3.3.2.1 Complaints closed following investigations

In 2007-08, the Privacy Commissioner closed 18% of complaints following an investigation of the matter under s. 40(1) of the Privacy Act. The Privacy Commissioner came to the view that the complaint would likely be upheld in about 45% of these cases. Common resolutions after the investigation proceeded to conciliation included:

  • apologies to complainants
  • staff training and counselling
  • amendments to database systems and records
  • provision of access to records
  • compensation payments.

There were no determinations made in 2007-08. A determination is a legal decision or finding made by the Commissioner, as a consequence of which the Privacy Act's enforcement powers (ss. 52-62) are activated. A determination may dismiss the complaint or find that the complaint has been substantiated, and make declarations about action needed (including that conduct should cease or not be repeated), the nature of redress and compensation, or that no further action is needed.

Table 3.4 shows the grounds for declining to investigate complaints further following an investigation. Please note complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of investigations closed in 2007-08.

Table 3.4 Grounds for Closing Complaints Following an Investigation

Grounds | NPPs | IPPs | Credit | Spent Convictions | TFNs | ACT IPPs | Total
No interference with privacy - s. 41(1)(a) | 58 | 20 | 12 | 0 | 1 | 0 | 91
Is being dealt with under another law - s. 41(1)(e) | 2 | 2 | 0 | 0 | 0 | 0 | 4
Respondent has adequately dealt with complaint - s. 41(2)(a) | 63 | 9 | 21 | 1 | 0 | 2 | 96
Respondent has not had adequate opportunity to deal with matter - s. 41(2)(b) | 7 | 0 | 0 | 0 | 0 | 0 | 7
Other (for example, withdrawn) | 29 | 17 | 6 | 3 | 4 | 0 | 59
Total | 159 | 48 | 39 | 4 | 5 | 2 | 257

Overall, the Commissioner found that about 40% of the National Privacy Principle complaints and about half of Credit Reporting complaints investigated under s. 40(1) of the Privacy Act were substantiated. The Commissioner was less likely to find a complaint substantiated after investigating allegations about the Information Privacy Principles, with less than 20% of these complaints upheld.

In response to the Strategic Plan's goal to have a competent and confident workforce, an increase in staff numbers and training has had a positive impact on the increased numbers of completed investigations in 2007-08.

3.3.2.2 Nature of remedies achieved by conciliation following investigation

Table 3.5 provides more detail on the outcome of complaints that were closed as adequately dealt with following investigation under s. 40(1) of the Privacy Act. Please note that more than one resolution may have been reached for a particular complaint, meaning that the total listed in Table 3.5 is not equal to the total number of complaints.

Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation

Remedy | NPPs | IPPs | Credit | Spent convictions | ACT IPPs | Other | Total
Records amended | 11 | 0 | 13 | 0 | 0 | 0 | 24
Apology | 17 | 4 | 3 | 1 | 0 | 0 | 25
Changed procedures | 9 | 1 | 5 | 0 | 1 | 0 | 16
Access provided | 14 | 0 | 0 | 0 | 0 | 0 | 14
Other remedy | 21 | 4 | 4 | 1 | 1 | 1 | 32
Compensation - up to $500 | 5 | 2 | 2 | 0 | 0 | 0 | 9
Compensation - $501 - $2000 | 9 | 2 | 3 | 0 | 0 | 0 | 14
Compensation - $2001 - $20 000 | 12 | 1 | 2 | 0 | 2 | 0 | 17
Compensation - confidential settlement | 4 | 0 | 1 | 0 | 0 | 0 | 5
Total | 102 | 14 | 33 | 2 | 4 | 1 | 156

Compensation was the most common remedy in investigated complaints, followed by 'Other' remedies. 'Other' remedies include outcomes such as staff training, staff counselling, or remedies as part of a confidential settlement. The third most common outcome was an apology. Compensation was paid in just under 30% of investigations.

3.3.2.3 Complaints closed following preliminary enquiries

The Privacy Act authorises the Privacy Commissioner to conduct preliminary enquiries to determine whether the Commissioner has the power to investigate or should exercise a discretion not to investigate a matter further. For instance, a preliminary enquiry may seek to determine:

  • whether an agency or organisation is willing to provide access to records
  • if a particular act or practice is authorised by law
  • whether an organisation may claim the small business operator exemption
  • whether a respondent is an agency or organisation.

In 2007-08, the Commissioner closed 35% of complaints after preliminary enquiries. This was roughly the same proportion as in 2006-07. Table 3.6 provides more detail on the basis for closing complaints following preliminary enquiries. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of preliminary enquiries closed in 2007-08.

Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries

Basis | NPPs | IPPs | Credit | TFNs | ACT IPPs | Other | Total
Not the privacy of the complainant - s. 36(1) | 4 | 0 | 0 | 0 | 0 | 0 | 4
Complaint not raised with respondent - s. 40(1A) | 17 | 4 | 2 | 0 | 0 | 2 | 25
No interference with privacy* - s. 41(1)(a) | 145 | 24 | 34 | 0 | 0 | 10 | 213
Aware of complaint for over 12 months - s. 41(1)(c) | 0 | 0 | 2 | 0 | 0 | 0 | 2
Frivolous, vexatious, misconceived or lacking in substance - s. 41(1)(d) | 4 | 3 | 1 | 0 | 0 | 0 | 8
Is being dealt with under another law - s. 41(1)(e) | 0 | 2 | 0 | 0 | 0 | 1 | 3
Another law is more appropriate - s. 41(1)(f) | 3 | 3 | 0 | 0 | 0 | 0 | 6
Respondent has adequately dealt with the matter - s. 41(2)(a) | 121 | 7 | 33 | 1 | 2 | 1 | 165
Respondent has not had adequate opportunity to deal with matter - s. 41(2)(b) | 8 | 2 | 6 | 0 | 0 | 1 | 17
Other (for example, withdrawn) | 30 | 4 | 9 | 0 | 0 | 0 | 43
Total | 332 | 49 | 87 | 1 | 2 | 15 | 486

* This includes matters that fall outside the Commissioner's jurisdiction, for example the respondent is a state government body.

As was the case in 2006-07, the most common reason for closing complaints after preliminary enquiries was due to a finding that the individual's privacy had not been interfered with (44%). This is an increase from 2006-07 (39%).

3.3.2.4 Nature of remedies achieved following preliminary enquiries

In the process of conducting preliminary enquiries, the Commissioner may find that the respondent has adequately dealt with the matter, or may be able to resolve the cause of the complaint through conciliation. Table 3.7 gives further detail about the types of resolutions achieved following preliminary enquiries. Please note that more than one resolution may have been remedied for a particular complaint, meaning the total listed in Table

Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries

Remedy | NPPs | IPPs | Credit | TFN Guidelines | ACT IPPs | Other | Total
Records amended | 37 | 1 | 30 | 0 | 0 | 0 | 68
Apology | 25 | 2 | 2 | 1 | 1 | 0 | 31
Changed procedures | 11 | 2 | 3 | 0 | 0 | 0 | 16
Other remedy | 33 | 5 | 3 | 0 | 1 | 0 | 42
Access provided | 29 | 1 | 0 | 0 | 0 | 1 | 31
Compensation - confidential settlement | 2 | 0 | 0 | 0 | 0 | 0 | 2
Compensation - up to $500 | 6 | 0 | 1 | 0 | 0 | 0 | 7
Compensation - $501 - $2000 | 4 | 0 | 1 | 0 | 0 | 0 | 5
Compensation - $2001 - $20 000 | 5 | 0 | 2 | 0 | 2 | 0 | 9
Compensation - $20 000+ | 1 | 0 | 0 | 0 | 0 | 0 | 1
Total | 153 | 11 | 42 | 1 | 4 | 1 | 212

Amendment of records was the most common resolution following preliminary enquiries. The second most common outcome was an 'other' remedy, which includes outcomes such as staff training, staff counselling, or remedies as part of a confidential settlement. Compensation was paid in about 11% of complaints.

3.3.2.5 Complaints closed without investigation

In 2007-08, the Privacy Commissioner closed 47% of complaints by exercising a discretion not to investigate (or 'decline') the complaint without investigating or making preliminary enquiries.

The most common reasons for closing complaints without investigation were:

  • there was no interference with privacy (s. 41(1)(a))
  • the complaint had not been raised with the respondent before being brought to the Commissioner (s. 40(1A)) or the complainant had not given the respondent sufficient time to deal with the complaint (s. 41(2)(b)).

Table 3.8 shows, in more detail, the grounds upon which these complaints were closed without investigation. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of complaints closed without investigation in 2007-08.

Table 3.8 Basis for Closing Complaints Without Investigation

Basis | NPPs | IPPs | Credit | ACT IPPs | Other | Total
Not the privacy of the complainant - s. 36(1) | 20 | 1 | 0 | 0 | 16 | 37
Did not specify a respondent - s. 36(5) | 2 | 0 | 0 | 0 | 7 | 9
Complaint not raised with respondent - s. 40(1A) | 62 | 20 | 19 | 0 | 4 | 105
No interference with privacy* - s. 41(1)(a) | 89 | 26 | 23 | 2 | 66 | 206
Aware of complaint for over 12 months - s. 41(1)(c) | 8 | 1 | 9 | 0 | 0 | 18
Frivolous, vexatious, misconceived or lacking in substance - s. 41(1)(d) | 7 | 4 | 6 | 1 | 8 | 26
Is being dealt with under another law - s. 41(1)(e) | 1 | 1 | 1 | 0 | 2 | 5
Another law is more appropriate - s. 41(1)(f) | 5 | 6 | 0 | 0 | 0 | 11
Respondent has adequately dealt with the matter - s. 41(2)(a) | 15 | 2 | 5 | 0 | 0 | 22
Respondent has not had adequate opportunity to deal with matter - s. 41(2)(b) | 48 | 10 | 16 | 1 | 2 | 77
Other (for example, withdrawn) | 7 | 3 | 1 | 0 | 11 | 22
Total | 264 | 74 | 80 | 4 | 116 | 538

* This includes matters that fall outside the Commissioner's jurisdiction, for example the respondent is a state government body.

3.3.2.6 Compliance issues in National Privacy Principle complaints

The issues raised in complaints against private sector organisations that the Privacy Commissioner investigated and were closed as adequately dealt with, are set out in Chart 3.5. Please note that complaints can have more than one issue, therefore the total number of issues will exceed the total number of complaints.

Chart 3.5 Issues in NPP Complaints Resolved by the Respondent

image of chart 3.5

This year has seen another change in the most common NPP compliance issues. The most frequent issue in complaints resolved by private sector organisations during 2007-08 concerned data security. In 2006-07, the most common issue was refusal of access to personal information. The next most common issues for complaints resolved by private sector organisations in 2007-08 concerned the improper disclosure of individuals' personal information and refusal of access to personal information.

3.3.2.7 Compliance issues in Information Privacy Principle complaints

The issues raised in complaints against Australian and ACT Government agencies, where the agency took action after preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.6. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

Chart 3.6 Issues in IPP Complaints Resolved by the Respondent

image of chart 3.6

In 2007-08 disclosure (IPP 11) continues to be the most prevalent IPP complaint issue, and the issue of use (IPP 10) remains steady. However, security (IPP 4) and access (IPP 6) issues have risen since 2006-07. Other complaint issues have remained relatively constant between 2006-07 and 2007-08.

3.3.2.8 Compliance issues in Credit Reporting complaints

The issues raised in complaints against credit providers or credit reporting agencies, where the respondent took action following preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.7. Please note that complaints can have more than one issue, therefore the total number of issues will exceed the total number of complaints.

Chart 3.7 Issues in Credit Reporting Complaints Resolved by the Respondent

image of chart 3.7

As has been the trend for many years, the most commonly raised and corroborated Credit Reporting issue is the improper listing of payment defaults on an individual's consumer credit information file. The number of credit reporting complaints resolved by the respondent where a listing was disputed has slightly increased since 2006-07 from 31 to 33.

The number of complaints resolved by the respondent, where issues of the accuracy of consumer credit information files and reports arose, remains steady since 2006-07. Accuracy issues include where a credit reporting agency links an individual's credit file with a credit file record of another person.

Complaints resolved by respondents involving issues under the 'other' category remain constant since 2006-07. Issues in this category include where a credit provider discloses information about an individual from a credit report.

3.4 Reports of Complaints under Approved Codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. If approved by the Privacy Commissioner, these codes replace the National Privacy Principles as the legally enforceable privacy standards for those organisations. At 30 June 2008, there were three approved privacy codes (see Table 3.9).

Table 3.9 Approved Codes under the Privacy Act

Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect
Queensland Club Industry Privacy Code | Privacy Commissioner | Clubs Queensland and the Privacy Commissioner | 23 August 2002
Market and Social Research Privacy Code | Privacy Commissioner | Association of Market and Social Research Organisations and the Privacy Commissioner | 1 September 2003
Biometrics Institute Privacy Code | Privacy Commissioner | Biometrics Institute and the Privacy Commissioner | 1 September 2006

The Privacy Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the Office under any of the approved codes in 2007-08.

The Privacy Commissioner is required to maintain a register of approved codes under s. 18BG of the Privacy Act. The register can be found on the Office's website at www.privacy.gov.au/business/codes/.

3.5 Complaints and Enquiries Statistics on www.privacy.gov.au

Statistical information published on the Office's website gives an overview of complaints and enquiries received by the Office. Updates published on the Office's website include the number of complaints, telephone and written enquiries received.

These are available at www.privacy.gov.au/complaints/statistics/.

3.6 Case Notes

The Privacy Commissioner publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints. The purpose of these case notes is to provide an insight into how privacy principles are being applied, in order to:

  • assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
  • encourage good privacy practices and compliance with the Privacy Act
  • ensure the Office is accountable and transparent in its processes and decision making.

In 2007-08, the Office published 25 case notes about complaints under the National Privacy Principles, Information Privacy Principles and other areas of the Privacy Act.

Some situations illustrated by the case notes include:

  • The improper disclosure of a guest's personal information by a hotel. The Commissioner considered whether the disclosure was permitted by NPP 2.1. The disclosure was not permitted. The hotel offered the complainant a written apology, an explanation of the steps it took to investigate the matter, and a goodwill gesture of a voucher for one night's complimentary accommodation to the complainant. It also advised the complainant that it had reaffirmed to employees the importance of adherence to their privacy policy. The complainant accepted this offer. The Commissioner closed the complaint under s. 41(2)(a) of the Privacy Act on the grounds that the hotel had adequately dealt with the complaint.
  • A student (the complainant) sought access to their personal information held by a private school (the respondent). The student was asked to leave the school as a result of an investigation carried out by the school. The school argued that providing the complainant with access to the investigation documents would amount to an interference with the privacy of other individuals as the individuals in question had provided that information on the understanding that their details would not be revealed to the complainant for fear of reprisal. After reviewing the relevant documents, the Commissioner formed the view that the school had not interfered with the complainant's privacy by refusing to give access to the investigation document as providing access would have had an unreasonable impact on the privacy of other individuals. In relation to the remaining documents, the Commissioner was satisfied that the complaint had been adequately dealt with by the school having provided the complainant with access to those documents, and so the complaint was closed under s. 41(2)(a) of the Privacy Act.
  • An Australian Government agency failed to keep personal information secure. The complainant, a former employee of a government agency, complained that their information had been accessed by another employee of the agency. The employee, for reasons unrelated to their employment, used the records to locate where the complainant was living. The Privacy Commissioner opened an investigation into the matter under s. 40(1) of the Privacy Act. The agency advised that it had investigated the matter internally, and found that there had been an unauthorised access by an employee to the complainant's personal record. Given the inadequacy of the steps taken to prevent unauthorised access, the Commissioner took the view that the agency had not taken reasonable steps in the particular circumstances to protect the complainant's personal information in accordance with IPP 4(a). The Commissioner conciliated the matter under s. 27(1)(a) of the Privacy Act and an agreement between the parties was reached. The complainant accepted a confidential settlement for costs associated with the complainant's change of name and place of residence.

The case notes are accessible on the Office's website at www.privacy.gov.au/law/apply/determinations/, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (Austlii) website at www.austlii.edu.au/au/cases/cth/PrivCmrA.

3.7 Own Motion Investigations

Section 40(2) of the Privacy Act gives the Privacy Commissioner the power to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Commissioner considers it desirable to do so. The Office calls these matters 'own motion' investigations.

3.7.1 Issues in Own Motion Investigations

During 2007-08, 81 new matters involving alleged interferences with privacy were brought to the attention of the Office by agencies and organisations reporting their own data breaches to the Office, media coverage, calls to the Privacy Enquiries line, or individuals writing to the Office. This compares to 55 matters in 2006-07.

The Office uses risk assessment criteria to determine whether to investigate a matter. These criteria include the:

  • number of people affected and the consequences for those individuals
  • sensitivity of the personal information involved
  • progress of an agency or organisation's own investigation into the matter
  • likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified, widespread or ongoing.

The allegations considered by the Office in 2007-08 included that:

  • an Australian Government agency was improperly disclosing spent convictions information
  • an insurer's website was hacked and it was feared that personal information might have been compromised
  • an Australian Government agency erroneously carbon copied instead of blind carbon copied emails to a large number of email addresses
  • documents from a finance company were found discarded in a rubbish bin by a member of the public
  • laptop computers that may have contained personal information were stolen from an Australian Government agency.

3.7.2 Outcomes of Own Motion Investigations

Where the Privacy Commissioner found the allegations to be substantiated, the respondent dealt with the issue raised, either under their own initiative or with the Office's suggestions.

Actions taken have included written notifications to affected individuals, apologies, retrieval and appropriate disposal of records, changes in procedures, staff training and redesign of information-handling systems.

3.8 Audits

Under the Privacy Act, the Privacy Commissioner has powers to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits are crucial to determining and improving the degree of compliance with the Privacy Act. The Office conducts audits to promote best privacy practice and to reduce privacy risks across agencies.

The Commissioner's audit powers are set out in several sections of the Privacy Act:

  • auditing agency compliance with the Information Privacy Principles - s. 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information - s. 28(1)(d)
  • auditing TFN recipients - s. 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers - s. 28A(1)(g).

The Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, unless at the request of the organisation under s. 27(3).

The number of audits carried out by the Office has varied over the life of the Privacy Act, depending on the nature and volume of privacy complaints and other priorities of the Office. In 2007-08, the Office generally undertook audits where it had received specific funding to do so. This is consistent with the approach taken by the Office since 2002-03 when the Commissioner decided to redirect the Office's resources as a result of the significant increase in complaint numbers. However, it did finalise one audit of a Government agency; see Table 3.15.

In an effort to promote transparency in the Office's audit work and to help promote good privacy practice, the Office has published the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002 on its website (see www.privacy.gov.au/government/audits). Some audit reports have classified content and as such have been withheld from publication or have been published in an abridged form.

3.8.1 Audits Commenced in 2007-08

3.8.1.1 ACT Government audits

The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3) which includes a commitment by the Office to conduct two audits of ACT Government agencies per financial year. The Office selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

Table 3.10 below shows audits of ACT Government agencies commenced by the Office in 2007-08 under this arrangement.

Table 3.10 ACT Audits Commenced 2007-08

Agency | Audit Scope | Commenced
ACT Planning and Land Authority | Territory Leases, Development Applications, Construction Licensing and Personnel Records | February 2008
ACT Department of Education and Training | Student records (including student counselling, behavioural and medical records) | February 2008

3.8.1.2 Biometrics for Border Control audits

The Office has been allocated additional funding as a component of the Biometrics for Border Control program involving the Department of Foreign Affairs and Trade, the Australian Customs Service (Customs) and the Department of Immigration and Citizenship (DIAC). The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing.

During 2007-08, the Office has worked with the relevant agencies to provide targeted privacy advice and guidance for a number of projects that have been developed, or are being implemented, under this program. The Office has also consulted with the relevant agencies in relation to the revised implementation plan for the initiative, covering key project activities required to the end of the funding period in June 2009.

The identification of suitable targets for the Office to audit has been challenging during 2007-08 due to some delays experienced with the implementation of some programs by the relevant agencies.

Table 3.11 below shows audits of Biometrics for Border Control projects commenced by the Office in 2007-08.

Table 3.11 Biometrics for Border Control Audits Commenced 2007-08

Agency | Audit Scope | Commenced
Customs | Smartgate Automated Border Processing System | March 2008
DIAC | Detention Centre Rollout | May 2008

3.8.1.3 Identity Security audits

In 2005-06, the Office received additional funding to enable its ongoing participation in the development of the Australian Government's National Identity Security Strategy (NISS). The funding enables the Office to provide ongoing privacy advice to Government and key agencies and oversight in respect of projects to be delivered under the NISS. As part of its oversight activity, the Office undertook an audit of the National Document Verification Service (DVS).

The DVS is an online system which allows authorised Australian, state and territory Government agencies to verify the details of documents presented to them as proof of identity with the data recorded in the register of the corresponding document-issuing agencies.

Table 3.12 below shows details of the Identity Security audit commenced by the Office in 2007-08.

Table 3.12 Identity Security Audits Commenced 2007-08

Agency | Audit Scope | Commenced
Department of Foreign Affairs and Trade; Department of Immigration and Citizenship; ACT Births, Deaths and Marriages; ACT Road User Services; Centrelink | The auditors focused on the personal information handling practices of agencies participating in the National Document Verification Service. The auditors considered how privacy risks revealed at the initial stages of implementation of the National DVS could be addressed at this early stage. | February 2008

3.8.2 Audits Finalised in 2007-08

3.8.2.1 ACT Government audits

In 2007-08, the Office finalised privacy audits of the ACT Government agencies shown in Table 3.13 below.

Table 3.13 ACT Government Audits Finalised 2007-08

Agency | Audit Scope | Finalised
University of Canberra | Student Services, University records, Library records, Human Resources and Information Technology records | December 2007
ACT Department of Municipal Services (ACT RTA) | Registrations, Public Vehicle Operator Licensing, Call Centre records, IT services | February 2008
ACT Planning and Land Authority | Territory Leases, Development Applications, Construction Licensing and Personnel records | May 2008

The Office found that the agencies generally had appropriate levels of compliance with the Information Privacy Principles (IPPs). However, where insufficient privacy controls were identified or where better privacy practice could be instituted, the auditors made recommendations concerning those aspects of the agencies' operations.

Common audit findings covered issues such as:

  • IPP 2 - notification at collection
  • IPP 4 - storage and security
  • IPP 7 - alteration of personal information records
  • IPP 8 - accuracy
  • IPPs 10-11 - use and disclosure.

Generally, the audited agencies accepted the Office's recommendations.

3.8.2.2 Biometrics for Border Control audits

In 2007-08, the Office finalised the Biometrics for Border Control privacy audit shown in Table 3.14 below.

Table 3.14 Biometrics for Border Control Audits Finalised 2007-08

Agency | Audit Scope | Finalised
Department of Immigration and Citizenship | Collection and use of biometric identifiers using the eHealth2 system | June 2008

The Office found that the agency had an appropriate level of compliance with the Information Privacy Principles in the collection, storage and use of personal and biometric information.

3.8.2.3 Australian Government audits

In 2007-08, the Office finalised one privacy audit of an Australian Government agency as shown in Table 3.15 below.

Table 3.15 Australian Government Audits Finalised 2007-08

Agency | Audit Scope | Finalised
Australian National University | Student Services, Staff records, University Records, Faculty records, Health and Disability records | June 2008

The majority of the issues related to the agency's practice of creating copies of primary staff or student files (known as 'shadow files') which are held across a number of different areas of the agency, and the associated problems that this practice appears to present the agency in maintaining compliance with the requirements of the Privacy Act.

Other issues related to physical security (e.g. insecure storage of personal information), inconsistent IPP 2 notifications at the point of data collection and concern about the inability of individuals to access all of their personal information held by the agency on request.

The agency accepted the audit recommendations.

3.9 Personal Information Digest

To help people understand what personal information is held by each Australian and ACT Government agency, Information Privacy Principle 5.3 in s.14 of the Privacy Act requires agencies to keep a record detailing:

  • the nature of records kept
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records
  • the steps an individual needs to take to gain access to the records.

These explanatory records must be provided to the Privacy Commissioner in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).

The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website and the Office's website. The Office published the PID for Australian Government agencies for the period ending June 2007 on its website at www.privacy.gov.au/government/digests/.

3.10 Complainant Service Quality Survey

This survey was conducted in May and June 2008 with the aim of gathering complainants' opinions about the Office's current complaint handling process. The Office interviewed 100 individual complainants. The responses to the survey will be used to make improvements to the complaint handling process.

3.11 Monitoring Government Data-matching

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing these data sets in order to identify any discrepancies.

For example, the Australian Taxation Office (ATO) can undertake a data-match to identify individuals who may be failing to comply with taxation obligations.

The process involves analysing information about large numbers of people to assess whether individuals are complying with the requirements of government programs and reporting obligations. This means that data-matching raises a number of privacy issues.

To ensure that government agencies conducting data-matching programs minimise their impact on individuals' privacy, the Office performs a number of functions.

The Privacy Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines).

Additionally, the Commissioner oversees the manner in which government agencies apply the requirements of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998). These voluntary guidelines assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy-sensitive way.

3.11.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines

In order to detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) provides for the use of tax file numbers in data-matching.

Centrelink is the data-matching agency, and it undertakes data-matches on the data it holds, and on behalf of the Department of Veterans' Affairs (DVA) and the Australian Taxation Office (ATO).

The Data-matching Act and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines) outline the type of personal information that can be used, how it can be processed and how the results can be used. They also require that individuals be provided with the opportunity to dispute or explain any matches, and require that individuals have means for redress.

The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency. The Data-matching Act also makes the Commissioner responsible for monitoring the functioning of the statutory data-matching program. To this end, the Office runs inspections (see section 3.11.1.1).

3.11.1.1 Inspections

During 2007-08, the Office inspected Centrelink's handling of a sample of data-matching cases in two regions.

  • Area South West (Queanbeyan), August 2007
  • Area West Victoria (Sunshine), April 2008.

Representatives of the Office, with the assistance of Centrelink head office and regional staff, conduct inspections and reviews of a sample (100) of customer records which have been through the data-matching process. At the completion of each of the inspections, a report is prepared and provided to Centrelink outlining the findings.

In both inspections, the Office found that the Centrelink Area Office staff's processes and procedures for implementing the statutory data-matching actions met the requirements of the Data-matching Act. Additionally, the Area Office's procedures were also assessed as meeting the requirements of the Privacy Act in the handling of this information.

The inspection of the Area West Victoria (Sunshine) site records identified a potential problem with the processing of at least four data-match cycles by the Central Office Data-Matching Area.

Centrelink has been asked to review the identified records and timing of the steps of the data-matching cycles, and advise the Office of the outcomes of the investigation.

3.11.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act). Instead, these activities may be run under different laws which authorise the use and disclosure of personal information for data-matching purposes.

Because data-matching involves analysing information about large numbers of people, it raises significant privacy issues, including the possibility of false matches being made, or drawing wrong conclusions from matches whether correct or incorrect.

To assist agencies performing such data-matching activities to have proper regard for the privacy of individuals whose information is being matched, the Privacy Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration (1998).

These voluntary guidelines require that, where the head of an agency considers that it would be appropriate in the public interest to conduct a data-matching program, the individuals identified for further administrative action as a result of that program have the opportunity to dispute the results, and also that action against individuals is not taken solely on the basis of automated processes.

Agencies are required to prepare a description of the data-matching activity (a 'program protocol'). Before the activity is commenced, the program protocol should be submitted to the Privacy Commissioner for comment and, once it has been finalised, the program protocol should be made available to the public prior to the data-matching occurring.

Under the guidelines, the Commissioner may also ask agencies for reports about their data-matching activities.

In 2007-08, the Privacy Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 3.16.

Table 3.16 2007-08 Program Protocols produced under the Voluntary Data-matching Guidelines

Matching Agency Source Agencies or Organisations Name of the Program Protocol Description of the Program Protocol Received Date
Centrelink Department of Health and Ageing Centrelink Avoiding Debt for Carers Program Protocol To compare Department of Health and Ageing records with Centrelink Carer Payment and Carer Allowance records to identify cases where care givers or care receivers are living in an aged care facility on an ongoing basis. July 2007
Australian Sports Anti-Doping Authority Medical Health Practitioner Human Growth Hormone Prescription Protocol To match athlete data with client, customer and product purchase data obtained from a non-governmental medical organisation, to identify suspected non-compliance with the National Anti-Doping Scheme (NAD Scheme). July 2007
ATO Various external source organisations (52) Personal Services Income (PSI) Data Matching Protocol To identify personal services income (PSI) payments made to entities (company, partnership or trust) by labour hire firms, placement agencies and computer consultancies. The data will be sourced from labour hire firms, placement agencies and computer consultancies and matched against Tax Office taxpayer records. August 2007
Child Support Agency (CSA) CSA and Department of Veterans' Affairs (DVA) Child Support Scheme Reforms (Stage 3) CSA/DVA Data Matching Protocol The objective of the program is to identify mutual CSA/DVA customers, and ensure that the relevant DVA payments are taken into account when assessing child support payments. September 2007
Centrelink Source agency withheld Identity Matching Program (details withheld) The program is designed to match customer identity details with identity details held by the source agency for the purposes of identifying individuals who may be receiving Centrelink benefits while possessing funds exceeding the income and asset test or under multiple names. The data-matching program is a component of Centrelink's fraud prevention strategy. To maintain the integrity of the program, specific details regarding the source agency and matching process are not publicly available, with information relating to the program classified as 'in-confidence'. December 2007
ATO Building Commission (VIC) and NSW Office of Fair Trading Owner Builders Data Matching Program The program is primarily intended to address the risk of non-reporting cash income by trades people, sub-contractors and taxpayers in the building and construction industry (small to medium enterprise). January 2008
ATO Link Market Services Ltd Computershare Ltd Australian Securities Exchange Ltd Registries Ltd Advanced Share Registry Services Pty Ltd Security Transfer Registrars Pty Ltd Share Data Matching Program Protocol The program is intended to confirm that entities generally are correctly complying with their taxation obligations relating to share market transactions. While income tax obligations (e.g. Capital Gains Tax) are the primary focus, issues around Goods and Services Tax will also be considered. April 2008
ATO Victorian Police Licensing Services Division New South Wales Police Security Industry Registry Northern Territory Office of Racing, Gaming and Licensing ACT Department of Fair Trading Tasmanian Office of Consumer Affairs Queensland Department of Fair Trading Western Australia Police Commercial Agents South Australia Office of Consumer and Business Affairs Security Industry Data Matching Project The program is intended to identify and address issues of non-compliance with taxation obligations across the security industry. Data sourced from security licensing bodies will be matched against ATO records. This work will focus on the security firms and then their subcontractors. Approximately 200 000 records relating to registered entities within the security industry from all governing bodies will be matched. May 2008
ATO All State and Territory roads and traffic authorities Luxury Vehicle Data Matching Project Identification of high wealth individuals who may be failing to meet their taxation obligations, by comparing the value of the assets they acquire (indicating conspicuous wealth) against ATO taxpayer records. May 2008
ATO Centrelink Tax Evasion Referral Centre (TERC) - Centrelink Data Matching Project To improve compliance with taxation obligations, the ATO proposes to match data provided by Centrelink's TERC against ATO taxpayer records. The work will initially focus on tax evasion referrals provided by Centrelink. Approximately 10 000 records will be matched in a 12 month period. May 2008
ATO eBay Australia Pty Ltd eBay Supplier Data Matching Project The protocol is for a proposed matching of ATO data with personal information obtained from eBay Australia Pty Ltd (eBay) in order to identify enterprises that are trading in Australia that are not complying with their overall taxation obligations. The project matches entities whose annual supply of goods on eBay is in excess of $50 000 for the 2004-05, 2005-06 and 2006-07 years and $75 000 for the 2007-08 financial year. June 2008
ATO NSW Maritime Authority Maritime Safety Queensland Marine Safety Victoria Marine and Safety Tasmania SA Department for Transport, Energy and Infrastructure (Safety and Regulation Division) WA Department for Planning and Infrastructure (Marine Safety) Marine Vessels Data Matching Project The ATO proposes to match the data provided by state marine vessel registering bodies against ATO taxpayer records. The intention of the project is to identify taxpayers who have purchased a high-value vessel and who have not lodged tax returns or who may not have declared all of their income. In this instance, the ownership of a commercial or recreational marine vessel may be an indicator of conspicuous unreported wealth. June 2008
Centrelink ATO Tax Garnishee Project 2008 To identify ATO clients with a Centrelink debt for the purpose of intercepting their tax refund or available credit by a garnishee notice from Centrelink. June 2008

Chapter 4 Management and Accountability

4.1 Administrative Arrangements

4.1.1 Human Rights and Equal Opportunity Commission Memorandum of Understanding

The Office has a Memorandum of Understanding with the Human Rights and Equal Opportunity Commission (HREOC) which establishes an arrangement for the provision of corporate services. The Office paid $856 651 for these services in 2007-08. This includes financial, administrative, information technology, human resources, legal and library services. The Office also sub-lets premises from HREOC.

4.1.2 Department of Prime Minister and Cabinet Memorandum of Understanding

The Office has a non-financial Memorandum of Understanding with the Department of Prime Minister and Cabinet. This Memorandum was established after the Prime Minister announced in December 2007 that privacy issues would move from the Attorney-General's portfolio to the Prime Minister and Cabinet portfolio.

The Memorandum sets out an agreed basis for policy and operational coordination between the Department and the Office. Representatives from both agencies meet monthly. The benefits of the arrangements include open lines of communication to keep each party informed of relevant activities and developments, and improved advice to Ministers and other key stakeholders.

Prior to the change to administrative arrangements, the Office had a similar non-financial Memorandum of Understanding with the Attorney-General's Department. This Memorandum was terminated in December 2007.

4.1.3 ACT Government Memorandum of Understanding

The Office has had a Memorandum of Understanding with the ACT Government since 1 July 2000. The Memorandum in place for the 2007-08 financial year expired on 30 June 2008 and a new Memorandum has been signed for the period 1 July 2008 - 30 June 2010. Under the Memorandum, the Office provides a number of privacy services to the ACT Government including:

  • handling privacy complaints and enquiries about ACT Government agencies
  • providing policy advice
  • carrying out audits
  • privacy training
  • facilitating a Privacy Contact Officers network.

In 2007-08, the Office received $109 158 for the provision of these services. Further information regarding advice provided to ACT Government agencies can be found at section 1.4.

4.1.4 Centrelink

The Office continued to undertake its responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 throughout 2007-08. The Office received annual funding of $372 976 from Centrelink to support the costs of monitoring the conduct of the data-matching program. For further information on data-matching see section 3.11.

4.1.5 Department of Human Services Memorandum of Understanding

In 2007-08, the Office had a Memorandum of Understanding with the Department of Human Services (DHS) to allow for close consultation on privacy-related issues in the development and roll-out of the proposed Health and Social Services Access Card. Following the decision of the new government not to proceed with the proposed Access Card, this Memorandum was terminated effective 31 December 2007. The Office received $206 250 funding whilst the Memorandum was in place. For more information see section 1.3.2.

4.1.6 Medicare Australia Memorandum of Understanding

The Office has a Memorandum of Understanding with Medicare Australia. Under the Memorandum, Medicare Australia provides the Office with resources to provide advice and undertake work on privacy-related projects relevant to Medicare Australia. The term of the agreement is from 1 July 2007 - 30 June 2009. $118 182 was received in 2007-08.

4.1.7 NSW Privacy Memorandum of Understanding

The Office currently has a non-financial Memorandum of Understanding with the Office of the NSW Privacy Commissioner which provides a framework for cooperation in undertaking their respective responsibilities when those responsibilities overlap, and to take advantage of opportunities to assist each other in joint training, education, promotion and enforcement activities. The Memorandum has been in place since December 2005.

4.1.8 Commonwealth Ombudsman Memorandum of Understanding

An ongoing non-financial Memorandum of Understanding exists between the Privacy Commissioner and the Commonwealth Ombudsman to allow for greater cooperation between their offices when dealing with privacy-related complaints.

The Memorandum provides for the exchange of relevant information where both Offices are considering the same issue and also offers the option of undertaking a joint investigation where a complaint falls under the jurisdiction of both Offices. Further, it enables referral of complaints to the other office where appropriate and with consent.

The two Offices hold annual meetings to discuss the effectiveness of the agreement. The Memorandum has been in place since November 2006.

4.1.9 Office of the New Zealand Privacy Commissioner Memorandum of Understanding

The Office currently has a non-financial Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner. The Memorandum enables cooperation between the two offices on privacy-related issues and the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies.

The Memorandum stems in part from the APEC Privacy Framework, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum, all of which advocate the forming of cooperative arrangements between privacy regulators.

The current Memorandum has been in place since September 2006 and will expire in September 2008. A new Memorandum will be signed early in the new reporting period.

4.1.10 Department of Families, Housing, Community Services and Indigenous Affairs

Under an agreement with the Department of Families, Housing, Community Services and Indigenous Affairs, the Office received $20 000 to develop guidance for licensees and community stores in the Northern Territory. For further information see section 1.3.6.

4.1.11 Australian Customs Service

The Office signed an agreement with the Australian Customs Service (Customs) during the reporting period. Under the agreement, the Office will provide advice as well as undertake two audits a year of various aspects of Customs' use of Passenger Name Record data. The Office will receive annual funding of $110 187 from Customs to support the cost of this project.

4.1.12 Department of Health and Ageing Memorandum of Understanding

The Office signed an agreement with the Department of Health and Ageing (DoHA) in June 2008. Under the agreement, the Office will provide privacy-related advice as part of the development of a national framework to address illicit drug use in sport. The Office will receive funding from DoHA of $58 794 over three months, ending on 30 September 2008.

4.2 Corporate Services

4.2.1 Audit Committee

Consistent with Australian Securities Exchange principles of good corporate governance and the requirements of the Financial Management and Accountability Act 1997, the Office maintains an audit committee to advise the Privacy Commissioner on its compliance with external reporting requirements and the effectiveness and efficiency of its internal control and risk management mechanisms. The audit committee met four times during the reporting period.

4.2.2 Purchasing

The Office's purchasing procedures comply with the Australian Government Procurement Guidelines issued by the Department of Finance and Deregulation. They address a wide range of purchasing situations, allowing managers to be flexible when making purchasing decisions while complying with the Australian Government's core procurement principle of value for money.

There was no competitive tendering and contracting during 2007-08 that resulted in a transfer of provider from a Commonwealth supplier of goods or services to a non-government body.

4.2.3 Certification of Fraud Measures

The Office has a fraud risk assessment and fraud control plan, including procedures and processes in place to assist with fraud prevention, detection, investigation and reporting in line with the Commonwealth Fraud Control Guidelines.

4.2.4 Consultants

The Office generally uses consultancy services where there is a need to access skills and expertise not available within the agency.

During 2007-08, one new consultancy contract was entered into involving total actual expenditure of $65 095 (including GST). There were no active part-performed consultancy contracts from prior years.

In addition, a consultancy from the last reporting period (Wallis Consulting Group Pty Ltd) was active during 2007-08. A total of $78 549 (including GST) was paid out during the year.

Table 4.1 Consultancy Contracts 2007-08

Consultant Name | Description | Contract Price | Actual Payments | Selection Process | Justification*
Sharepoint Gurus Pty Ltd | Migration of electronic records into new version of Sharepoint | $65 095 | $63 360 | Select Tender | A, B
TOTAL | | $65 095 | $63 360 | |

* Justifications for consultancy: A - skills currently unavailable within the agency B - need for specialised or professional skills C - need for independent research or assessment.

Information on expenditure on contracts and consultancies is also available on the AusTender website at www.tenders.gov.au.

4.2.5 Advertising and Market Research

As noted in section 4.2.4, a contract for the provision of research into community attitudes towards privacy was entered into in 2006-07. The total value of the contract was $84 709 (including GST). During 2007-08, a total of $78 549 (including GST) was paid out to the contractor under the contract.

4.2.6 Ecologically Sustainable Development and Environmental Performance

The role and activities of the Office do not directly link with the principles of ecologically sustainable development or impact on the environment other than through its business operations in the consumption of resources required to sustain its operations.

The Office uses energy saving methods in its operation and endeavours to make the best use of resources. The Office has implemented a number of environmental initiatives to ensure operating practices with environmental impacts are addressed. Major energy consuming services such as airconditioning and lighting are switched off outside working hours. In addition, waste products such as paper, cardboard, printer cartridges and other recyclable materials are recycled subject to the availability of appropriate recycling schemes. Preference is given to environmentally sound products when purchasing office supplies. Purchase/leasing of Energy Star rated office machines and equipment is encouraged, as are machines with power save features.

During 2007-08, the Office and its staff participated in the Earth Hour initiative, which was held on 29 March 2008.

4.3 Management of Human Resources

4.3.1 Staffing Overview

The Office's average staffing level for 2007-08 was 62 staff, with a turnover of approximately 10% for ongoing staff. Seven ongoing staff either resigned or transferred to other Australian Government agencies. Fourteen ongoing staff were employed.

As at 30 June 2008, the Office had a total of 69 staff, including both ongoing and non-ongoing employees. An overview of the Office's staffing profile as at 30 June 2008 is summarised in Table 4.2. The number of part-time staff excludes casual staff employed as at 30 June 2008.

Table 4.2 Overview of Staffing Profile as at 30 June 2008

Classification | Male | Female | Full Time | Part Time | Total Ongoing | Total Non-ongoing | Total
Statutory Office Holder | - | 1 | 1 | - | - | 1 | 1
SES Band 2 | 1 | - | 1 | - | 1 | - | 1
SES Band 1 | 1 | - | 1 | - | 1 | - | 1
EL 2 ($89 393-$102 954) | 1 | 3 | 4 | - | 4 | - | 4
EL 1 ($77 508-$84 997) | 5 | 4 | 8 | 1 | 9 | - | 9
APS 6 ($61 963-$69 451) | 15 | 18 | 31 | 2 | 30 | 3 | 33
APS 5 ($55 978-$60 460) | 2 | 7 | 9 | - | 6 | 3 | 9
APS 4 ($50 187-$54 494) | 2 | 6 | 5 | 3 | 6 | 2 | 8
APS 3 ($45 031-$48 602) | 1 | 2 | 2 | 1 | 3 | - | 3
APS 2 ($40 623-$43 842) | - | - | - | - | - | - | -
APS 1 ($34 934-$38 609) | - | - | - | - | - | - | -
Total | 28 | 41 | 62 | 7 | 60 | 9 | 69

4.3.2 Workplace Relations and Employment

Staff members at the Office are employed under s. 22 of the Public Service Act 1999. The Office of the Privacy Commissioner Certified Agreement 2006-2009 is in operation until March 2009. The Agreement is comprehensive and was certified under s. 70LJ of the Workplace Relations Act 1996. The number of Office employees covered by the Agreement as at 30 June 2008 was 62, including both ongoing and non-ongoing staff.

The current Agreement provides for 14 weeks paid maternity leave, four weeks paid parental leave, and access to extended leave following maternity or parental leave. The Office also supports access to part-time employment up until the child reaches school age. Salary progression within classification levels is subject to performance assessment. Salary ranges are reflected in Table 4.2.

The Office had six staff covered by Australian Workplace Agreements during the reporting period, including two Senior Executive Service (SES) staff members.

4.3.3 Performance Management and Staff Development

The Office's Performance Management Scheme provides a framework to manage and develop staff to achieve corporate objectives. The scheme provides regular and formal assessment of an employee's work performance, and provides positive and constructive feedback, professional development experiences and various skills-based training opportunities.

The Office's Certified Agreement recognises the need to provide adequate training for staff to support workplace changes. This is especially relevant with changes in the information technology area, where staff are provided with relevant and ongoing training. Training in information technology was a priority for the reporting period, with staff across all sections attending training sessions in relation to new operating system and software roll-outs.

Professional development needs are identified through an individual's training and development plan, in conjunction with the Performance Management Scheme. These development activities may include external professional development courses, in-house group training sessions, individual or team based on-the-job training and the opportunity to represent the organisation at seminars and other forums.

The Office's staff development strategy incorporates a Studies Assistance policy. The policy provides for support where study is relevant to the work of the Office, an individual's work responsibilities and where it assists with professional or career development. In 2007-08, seven staff were supported to undertake formal external study through study leave, examination leave and/or financial assistance. Additional support is provided to staff who are working towards their first tertiary qualification, in recognition of the challenges some groups experience accessing tertiary education.

4.3.4 Workplace Diversity and Equal Employment Opportunity

The Office recognises that diversity in staff is one of its greatest assets and is committed to valuing and promoting the principles of workplace diversity through work practices. The Office participates in a joint Workplace Diversity Committee with the Human Rights and Equal Opportunity Commission. Throughout the year, the Office promoted and supported events including International Women's Day, NAIDOC Week and Harmony Day. Other strategies under the Workplace Diversity plan focus on flexible and family friendly workplace policies. Eight ongoing staff had part-time arrangements in place. The Committee will commence a review of the plan in the second half of 2008.

The Committee is also developing a Calendar of Events for 2008 to ensure that opportunities to celebrate and acknowledge various events are undertaken with care, creativity and forward planning.

The Office's Reconciliation Action Plan (see section 4.4.1) has strategies which link in with the Office's Workplace Diversity Plan.

4.3.5 Occupational Health and Safety

The Office and the Human Rights and Equal Opportunity Commission are co-located and cooperate over Occupational Health and Safety (OH&S) issues. The Office's Health and Safety representative is a member of the joint agencies' OH&S Committee (the Committee). This Committee also includes corporate support staff and meetings are held regularly throughout the year.

It is the policy of the Office to promote and maintain the highest degree of health, safety and wellbeing of all staff. The Office monitors health and safety through the Committee. Minutes of the Committee are placed on the Office's intranet and any issues that require action are brought to the attention of management.

During the year, as a result of changes to the Safety Rehabilitation Compensation and Other Legislation Amendment Act 2007, new Health and Safety Management Arrangements (HSMAs) were developed in consultation with the Committee and staff. In addition, supplementary supporting documents are being developed to enhance the practical implementation of the HSMAs.

All new staff are provided with OH&S information upon commencement and ongoing support and assistance on OH&S and ergonomic issues is provided to all staff.

The Office's commitment to staff health and wellbeing, onsite and offsite, continued with workplace assessments for the resolution of ergonomic issues, access to a software program which encourages staff to take regular breaks throughout the day, and access to preventative/informative health information sessions. The Office offers support to staff through QUIT smoking programs, flu vaccinations and a Healthy Lifestyle Program.

The Office provides a Healthy Lifestyle Allowance under the Certified Agreement to promote health and fitness as a means of achieving work/life balance and improving the health and wellbeing of our employees.

The Office continues to provide staff with access to counselling services through its Employee Assistance Program. This is a free and confidential service for staff and their families to provide counselling on personal and work related problems if required. No systemic issues have been identified through this service.

A hazards survey is conducted annually and the Committee monitors any OH&S issues that arise. There have been no dangerous accidents or occurrences reported over the last year.

4.4 Diversity Strategies

The Office is committed to developing and implementing strategies which help the Office to better provide advice and services to people from culturally and linguistically diverse backgrounds, and people with disabilities. The Reconciliation Action Plan, Commonwealth Disability Strategy and Access and Equity report are important documents in pursuing this objective.

4.4.1 Reconciliation Action Plan

During the reporting period, the Office consulted with Reconciliation Australia in relation to its Reconciliation Action Plan (RAP). The RAP is finalised and is available on the Office's website at www.privacy.gov.au/materials/types/plans/view/5891.

The Reconciliation Action Plan initiative was developed by Reconciliation Australia to help organisations and agencies identify and develop business practices that contribute to the wellbeing and quality of life of Indigenous Australians.

The Office's Plan, which involved staff input from all sections of the Office, identifies five Key Reconciliation Result Areas:

  • establishing dialogue with Indigenous stakeholders on privacy issues
  • improving awareness of privacy rights in the Indigenous community
  • developing guidance material for agencies and organisations on protecting and respecting the privacy of Indigenous Australians
  • improving and applying cultural awareness and knowledge within the Office
  • creating employment and development opportunities.

During 2007-08, the Office commenced the actions identified in the Plan, and will continue to do so in 2008-09.

4.4.2 Commonwealth Disability Strategy

All Australian Government agencies are required to report annually against the Commonwealth Disability Strategy (CDS) performance framework. The Office's report against the CDS is at Appendix 4. Full details on the CDS can be found on the Department of Families, Housing, Community Services and Indigenous Affairs website at www.fahcsia.gov.au/disability/cds/index.htm. Through the CDS, the Australian Government seeks to ensure its policies, programs and services are as accessible to people with disabilities as they are to all other Australians.

4.4.3 Access and Equity Report

The Access and Equity report is an Australian Government initiative which is coordinated by the Department of Immigration and Citizenship. The report is based on agencies reporting on their performance in providing accessible services to people from culturally and linguistically diverse backgrounds. The report covering the period 2007-08 will be available in the next reporting period. For more information go to www.immi.gov.au/about/reports/access-equity/index.htm.

4.5 Client Service Charter

The Office published a Client Service Charter (the Charter) in March 2008. The standards set in the Charter relate to accessibility, quality, courteous and helpful service, openness and privacy and confidentiality. These standards also state that the Office will:

  • develop significant policy advice, guidelines or research papers, and will generally consult widely, give reasonable timeframes for feedback, and explain our processes
  • advise complainants of our procedures for handling their complaint, keep them informed of the progress of their complaint and deal with individuals' requests as quickly as possible
  • assist individuals with their enquiries directly or refer their call to a senior officer if necessary
  • ensure its publications are available on the Office's website in accessible formats at no charge.

A Client Service Charter Information Sheet is sent out with our first contact letter to complainants and respondents in matters the Office is investigating.

The full document is available in hard copy from the Office or can be downloaded from the Office's website at www.privacy.gov.au/materials/types/infosheets/view/5889.

Appendix 1 Governing Legislation

The Privacy Act 1988

The Privacy Act gives effect to article 17 of the International Covenant on Civil and Political Rights and to the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act establishes the method by which personal information about individuals can be collected and stored, specifies the permissible uses of that information, and limits the circumstances in which that information can be disclosed. It also sets out a mechanism by which individuals can gain access to, and amend where appropriate, the personal information about them held by agencies and organisations.

The Privacy Act protects personal information under four main sets of requirements.

  • The National Privacy Principles (NPPs) (see Appendix 5) regulate the way private sector organisations handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of organisations covered by the Privacy Act. In general the NPPs apply to all businesses and non-government organisations with a turnover of $3 million or more, all health service providers and a limited range of small businesses.
  • The Information Privacy Principles (IPPs) (see Appendix 6) regulate the way most Australian and ACT Government agencies handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of those agencies covered by the Privacy Act.
  • Individuals' Tax File Number (TFN) provisions: the Privacy Act prevents TFNs from being used as a de facto national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax-related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and enforces legally binding guidelines.
  • Part IIIA of the Privacy Act places strict safeguards on the handling of individuals' consumer credit information by the credit industry. These provisions recognise the sensitivity of credit-worthiness information and the implications for individuals should credit information be mishandled. Strict penalties apply if these provisions are breached.

Subordinate Legislation

Privacy in Australia is further regulated by subordinate legislation including those listed below.

  • Privacy (Private Sector) Regulations 2001, which set out the standards under s. 18BB(3)(a)(i) of the Privacy Act that need to be met before a privacy code can be approved by the Privacy Commissioner, and prescribe specific agencies, state authorities and organisations for particular purposes under the Privacy Act.
  • Privacy Regulations 2006, which exempt the secrecy provisions of the Census and Statistics Act 1905 from the provisions in the Privacy Act (Part VIA) which relate to allowable disclosures during emergencies.
  • Privacy codes developed by organisations and approved by the Privacy Commissioner under Part IIIAA of the Privacy Act can replace the National Privacy Principles for particular organisations or activities if they enhance or are equivalent to those principles.
  • Mandatory guidelines under the Privacy Act, for example the Tax File Number Guidelines issued under s. 17 of the Privacy Act.
  • Public Interest Determinations and Temporary Public Interest Determinations under Part VI of the Privacy Act.
  • Credit Reporting Determinations under Part IIIA of the Privacy Act.
  • The Credit Reporting Code of Conduct issued under s. 18A of the Privacy Act.

The Privacy Act and the subordinate legislation are supported by advisory guidelines issued by the Office, including:

  • Guidelines to the National Privacy Principles
  • Guidelines to the Information Privacy Principles
  • Guidelines for the Use of Data-matching in Commonwealth Administration
  • Guidelines on Privacy in the Private Health Sector
  • Guidelines on Privacy Code Development (part of these guidelines are mandatory)
  • Guidelines on Public Interest Determination Procedure
  • Guidelines for Federal and ACT Government Websites
  • Guidelines on Workplace Email, Web Browsing and Privacy
  • Guidelines for Agencies using Privacy and Public Key Infrastructure to communicate or transact with individuals.

In addition, the National Health and Medical Research Council has issued the following binding guidelines after consulting with the Privacy Commissioner:

  • Guidelines under Sections 95 and 95A of the Privacy Act 1988.

Other Legislation

The role of the Privacy Commissioner is further defined by legislated responsibilities that are set out in the following legislation:

Part VIIC of the Crimes Act 1914, the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances (the Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme).

The Data-matching Program (Assistance and Tax) Act 1990, which regulates data-matching between the Australian Taxation Office and the assistance agencies to detect over payment and ineligibility for assistance (under this Act, the Privacy Commissioner is responsible for issuing mandatory guidelines for protecting privacy, investigating complaints and monitoring agency compliance).

The National Health Act 1953, under which the Privacy Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals' claim information under the Pharmaceutical Benefits Scheme and the Medicare program.

The Telecommunications Act 1997, under which the Privacy Commissioner has certain monitoring and compliance functions.

Appendix 2 Strategic Plan / Outcomes and Outputs Structure

Strategic Plan 2007-09

Our Vision:

An Australian community in which privacy is valued and respected.

Our Purpose:

To promote and protect privacy in Australia.

Our Values:

As an Australian Government agency the Office of the Privacy Commissioner is committed to upholding the APS Values and Code of Conduct. In particular we will:

  • demonstrate leadership in promoting and protecting privacy
  • act with independence, impartiality and integrity
  • value our staff
  • be responsive to our clients
  • work collaboratively with stakeholders.

Context:

The Office of the Privacy Commissioner is established under the Privacy Act 1988 to:

  • provide advice and assistance to individuals
  • provide advice and assistance to organisations and agencies with responsibilities under the Privacy Act
  • promote privacy through policy advice and educational activities
  • administer the Privacy Act including by investigating individual privacy complaints and systemic issues, and conducting audits.

Goals:

  • High quality results
  • Increased awareness of privacy choices and obligations within the community
  • Robust relationships
  • A confident and competent workforce.

Goals and Strategies with Actions for 2008

GOALS STRATEGIES ACTIONS for 2008
Goal: High quality results
Build our policy and strategic analysis capacity
  • Develop opportunities for collaborative work.
  • Initiate a targeted research program to inform the Office's policy work and promote consideration of privacy issues.
Identify and focus our Office's work on areas of maximum impact
  • Identify partnership opportunities to maximise our ability to advise on key policy issues.
Increase our influence through quality advice and information
  • Develop standards for excellence in customer service.
Manage our resources effectively, flexibly and efficiently
  • All sections to develop and prioritise their work for maximum effect.
  • Maximise the impact of our policy advice through follow-up strategies.
Deliver fair, transparent, efficient and effective complaint handling
  • Provide a timely complaint resolution service.
  • Ensure consistency in decision making.
  • Utilise the range of compliance mechanisms under the Privacy Act.
Increase our focus on systemic information handling issues
  • Identify key privacy compliance issues and target systemic issues accordingly.
Harness and utilise knowledge gained from day-to-day activities to inform our strategic work
  • Identify key privacy compliance issues in Complaint Handling Audit and Data Matching.
Ensure robust work practice and information systems support our core business
  • Further develop continuous improvement systems.
  • Review and enhance internal work processes.
  • Review and build on our knowledge sharing and management systems.
Build our capacity to respond to evolving and emerging technology
  • Identify evolving and emerging technology issues.
  • Develop greater capacity in technology issues.
Goal: Increased awareness of privacy choices and obligations within the community
Communicate effectively with more targeted integrated strategies
  • Develop a specialist publication for young adults.
Harness existing communication channels to maximum effect, especially emerging popular mediums.
  • Progress the development and implementation of communication plans targeting key audiences and communicating key messages.
Utilise the media to deliver the privacy message
  • Further develop and implement media strategy.
Ensure that material published by the Office is up-to-date, accurate and targeted at identified key audiences
  • Update publications and other written material in accordance with the findings of the Publications Review.
Ensure that the website as the Office's key communication channel is up-to-date and accurate
  • Redevelop website in accordance with the Office's Communications Strategy and stakeholder feedback to optimise accessibility.
Develop guidance material to assist the private sector
  • Utilise Compliance data to identify need for new guidance material and prepare material.
  • Implement remaining recommendations from the Private Sector Review.
Re-energise PCO and Privacy Connections Networks
  • Review and develop services provided to PCO and Privacy Connections Networks.
Develop programs to recognise and reward best practice
  • Develop and implement Privacy Awards.
Goal: Robust relationships
Ensure that effective relationships, partnerships and networks are at the core of how we operate internally and externally
  • Nurture, manage and build on existing relationships.
  • Review and measure the success of our relationships.
  • Review and develop systems that support internal and external networks and relationships.
  • Develop and support staff to manage internal and external relationships.
  • Commence development of Communications Plan to address internal and external communication needs.
Develop formal links with external parties where appropriate and useful to maximise influence and understanding
  • Provide quality and timely advice and services under our MOUs.
  • Identify, build and manage new relationships.
  • Further develop private sector communications, eg: case study workshops.
  • Continue to develop international linkages, particularly APPA and APEC.
Goal: A confident and competent workforce
Attract well qualified staff
  • Build a reputation as a 'preferred employer'.
Retain our staff through commitment to training and development, career development, conditions of service, and work-life balance
  • Finalise Workforce Plan and begin implementation of key actions within that plan including:
    • an assessment of our skills base and a training needs analysis to focus our learning and development strategies
    • Review career development framework for all staff
    • Establish a secondment program with other agencies and within the Office
    • Examine and adopt a range of recruitment and retention strategies
    • Promote and improve knowledge sharing
    • Review Statement of Duties and Selection Criteria
    • Review Performance Agreements and Performance Management Scheme, including consideration of a 360° Feedback Scheme.
Acquire and develop our skills base to respond to emerging issues including technology
  • Identify skills requiring development.
  • Provide training and development opportunities.

Outcomes and Outputs Structure

The Office's outcome statement, as set out in the Portfolio Budget Statement, is:

An Australian culture in which privacy is respected, promoted and protected.

There is one output for the Office's outcome:

Complaint handling, compliance and monitoring, and education and promotion.

There are two performance measures:

Quality

  • Majority of complainants and respondents surveyed satisfied that complaint handling service was timely and impartial.
  • Majority of enquirers surveyed satisfied with advice provided by Hotline and in written response.
  • 80% of complaints finalised within 12 months of receipt, 90% of written enquiries answered within ten days.
  • Agencies and organisations satisfied that audits improve their privacy practices and procedures.
  • Audits finalised within 6 months of commencement.
  • Targeted information available that informs the community, including business and government, of their rights and responsibilities in respect of the Office's jurisdictional responsibilities.

Quantity

  • Close 1300 complaints, respond to 2000 written enquiries, and answer 20 000 calls.
  • 3 audits commenced.
  • >800 000 visits to the website.
  • >3.5 million pages viewed on the website.

Table A2.1 Resources for Outcomes

| | Budget 2007-08 $'000 | Actual Expenses 2007-08 $'000 | Budget 2008-09 $'000 |
| --- | --- | --- | --- |
| Total Administrative Expenses | - | - | - |
| Price of Department Outputs | | | |
| Output Group 1.1 Complaint handling, compliance and monitoring, and education and promotion | 7640 | 8185 | 7318 |
| Subtotal Output Group 1.1 | 6899 | 8185 | 7318 |
| Revenue from Government (Appropriation) for Departmental Outputs | 6899 | 6899 | 6444 |
| Revenue from other Sources | 741 | 836 | 874 |
| Cash reserves applied to a revenue deficiency | - | 450 | - |
| Total price of Outputs | 7640 | 8185 | 7318 |
| Total for Outcome 1 (Total price of Outputs and Administered Expenses) | 7640 | 8185 | 7318 |

| | Actual 2007-08 | Estimated Actual 2008-09 |
| --- | --- | --- |
| Average Staffing Level | 62 | 58 |

Appendix 3 Freedom of Information Act Compliance

The Freedom of Information Act 1983 (FOI Act) gives the general public legal access to government documents. Information on the Office's FOI procedures can be found under the heading Freedom of Information procedures on page 94.

Section 8 of the FOI Act requires each Australian Government agency, including this Office, to publish information about the way the Office is organised, together with its functions, powers and arrangements for public participation in the work of the agency. The Office is also required to publish the categories of documents that the Office holds and how members of the public can gain access to them.

Authority and legislation

The Office is established, and the Privacy Commissioner's functions and powers are conferred, by the Privacy Act 1988. Information regarding the Office's functions and powers is set out in pages 4 and 5 of this Annual Report.

Number of formal requests for information

During 2007-08, the Office received nine requests for access to documents under the FOI Act. Eight applicants wanted access to documents concerning their own complaint. One applicant asked for statistical information on complaints the Office had received.

Avenues for public participation

The Office uses the following processes and consultative bodies to assist the participation by persons or bodies outside the Australian Government administration in the policy-making functions of the Office or in its administration of various schemes and enactments.

  • The Office has a Strategic Plan (see Appendix 2) which commits it to developing robust relationships with external stakeholders, and to ensuring that effective relationships, partnerships and networks are at the core of the Office's internal and external operations.
  • Part VII of the Privacy Act provides for the establishment of the Privacy Advisory Committee to advise the Commissioner on relevant matters, recommend material to the Commissioner for inclusion in guidelines and, subject to direction by the Commissioner, engage in community education and consultation.
  • The Privacy Commissioner's Health Privacy Forum is an informal group of senior stakeholders from the health sector to assist the Commissioner on matters of health privacy.
  • The Office coordinates the government Privacy Contact Officer (PCO) network to facilitate the resolution of privacy issues within Australian and ACT Government agencies and provide training and expertise to those agencies. The PCO network meets four times per year.
  • The Privacy Connections network plays a similar role in the private sector and regular forums are held for network members across Australia.
  • The Compliance section conducts customer surveys to assess the quality of the service it provides, and to look for ways to improve its service (see section 3.10).
  • The Commissioner also has legislative requirements to consult. For example, the provisions relating to making a public interest determination require the production of a draft determination and the invitation of interested parties to attend a conference (ss. 75 and 76). Similarly, the Commissioner needs to be satisfied that there has been an adequate opportunity for the public to comment before approving a proposed privacy code (s. 18BB(2)(f)).
  • The Office conducted consultation on a number of matters during the year, including in relation to developing new guidance material and while making legislative instruments.
  • The Office invites public consultation from individuals and organisations through its website.

Categories of documents

Documents held by the Office relate to:

  • administration matters, including personnel, recruitment, accounts, purchasing, registers, registry, library records and invoices
  • complaint matters, including audits and the investigation, clarification, conciliation and resolution of complaints
  • legal matters, including legal documents, opinions, advice and representations
  • research matters, including research papers in relation to complaints, existing or proposed legislative practices, public education, national inquiries and other relevant issues
  • policy matters, including minutes of meetings, administrative and operational guidelines
  • operational matters, including files on formal inquiries
  • reference materials, including press clippings, survey and research materials, documents relating to conferences, seminars and those contained in the library.

Freedom of Information procedures

Initial enquiries regarding access to documents from the Office of the Privacy Commissioner should be directed to the Freedom of Information Officer by either telephoning (02) 9284 9800 or writing to:

Freedom of Information Officer Office of the Privacy Commissioner GPO Box 5218 Sydney NSW 2001.

Procedures for dealing with FOI requests are detailed in s. 15 of the FOI Act. A valid request must:

  • be in writing
  • be accompanied by the payment of a $30 application fee
  • include the name and address of the person requesting the information
  • be processed within 30 days of receipt.

Some documents are exempt from public perusal under the FOI Act. Where documents are not accessible by the applicant, valid reasons will be provided. The Office's decisions about accessibility of documents may be reviewed by the Administrative Appeals Tribunal.

Facilities for obtaining physical access

The Office provides copies of the requested documents by mail to the enquiring party, subject to exceptions established under the FOI Act.

The Office will also consider requests from parties to view hard copies of the requested documents in person at the Office.

Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2008

Table A4.1 Commonwealth Disability Strategy Performance Reporting June 2008

Policy adviser role

Performance Indicator

Performance Measure

Current level of performance (2007-08)

1. New or revised policy / program proposals assess impact on the lives of people with disabilities prior to decision.

Percentage of new or revised policy / program proposals that document that the impact of the proposal was considered prior to the decision making stage.

The Office provides advice on the policy/program/ legislative activities of other agencies from a privacy perspective. Submissions are made available on the Office's website where possible.

In a significant number of advices provided, particularly where new technologies are being considered, the privacy of people with disabilities is factored into the discussion. During the reporting period, the Office's submissions to the Australian Law Reform Commission review of privacy addressed privacy issues specific to people with a disability.

The Office seeks to have representative bodies actively involved in consultation, including in privacy impact assessments of proposals.

A consideration for the Office is how the privacy rights of individuals with disabilities are being met. To aid this assessment, the Office surveys and collects demographic information relating to complainants.

During 2007-08, the Office received 127 responses to the survey. Of these, 40 respondents indicated that they had a disability.

2. People with disabilities are included in consultation about new or revised policy / program proposals.

Percentage of consultations about new or revised policy / program proposals that are developed in consultation with people with disabilities.

Where the Office undertakes consultations, groups representing the interests of people with disabilities are invited to participate.

During consultation processes, the Office considers the needs of people with disabilities.

Public consultation events all occur in accessible venues.

3. Public announcements of new, revised or proposed policy / program initiatives are available in accessible formats for people with disabilities in a timely manner.

Percentage of new, revised or proposed policy / program announcements available in a range of accessible formats.

Time taken in providing announcements in accessible formats.

Simultaneous to public release, 100% of information about new Office initiatives is available on a W3C compliant website. Other formats are available on request.

The Office's PriNet email notifier had 995 subscribers as at 30 June 2008. Disability peak groups are members of this network. Membership is also open to members of the public who may have disabilities. Members are offered the opportunity to sign up to an email subscription. Email messages to the network are sent in plain text accessible format.

Regulator role

Performance Indicator

Performance Measure

Current level of performance (2007-08)

1. Publicly available information on regulations and quasi-regulations is available in accessible formats for people with disabilities.

Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

  • accessible electronic formats
  • accessible formats other than electronic.

Average time taken to provide accessible material in:

  • electronic format
  • formats other than electronic.

Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities.

100% of Office information is available on its W3C compliant website.

All material is available in other formats on request.

Office services are accessible via website, phone and TTY.

Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days.

Some requests may require that we use external service providers. In these cases, the turnaround to provide information in accessible formats may be impacted.

All Office staff have been scheduled to attend Plain English training early in the next reporting period.

2. Publicly available regulatory compliance reporting is available in accessible formats for people with disabilities.

Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

  • accessible electronic formats
  • accessible formats other than electronic.

Average time taken to provide accessible material in:

  • electronic format
  • formats other than electronic.

100% of Office information is available on its W3C compliant website.

All material is available in other formats on request.

Office services are accessible via website, phone and TTY.

Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days.

Some requests may require that we use external service providers. In these cases, the turnaround to provide information in accessible formats may be impacted.

All Office staff have been scheduled to attend Plain English training early in the next reporting period.

Provider role

Performance Indicator

Performance Measure

Current level of performance (2007-08)

1. Providers have established mechanisms for quality improvement and assurance.

Evidence of quality improvement and assurance systems in operation.

The Office has an enquiries line and a website link which give individuals the opportunity to lodge complaints/grievances with the Office.

The Office conducts customer satisfaction surveys to determine the level of customer satisfaction with the Office's services. The most recent survey was conducted during May and June 2008. Complainants were asked a series of questions, including whether they thought staff explained things in ways that were easy to understand. The Office is finalising the survey results.

2. Providers have an established service charter that specifies the roles of the provider and consumer and service standards which address accessibility for people with disabilities.

Established service charter that adequately reflects the needs of people with disabilities in operation.

The Office introduced its Client Service Charter during 2008. The Charter outlines the service standards that the Office seeks to achieve. The service standards include a standard on accessibility and provide information on TTY for individuals with a hearing impairment or speech difficulties. The Charter outlines steps for individuals who are dissatisfied with the Office's performance against the standards, and states that the Office welcomes feedback and suggestions for improvement.

All Office complaints information and brochures are available on the website in accessible electronic format. Information about complaints process and legislation is available in plain English format on the Office website. The website is updated regularly.

Office information is available in alternative formats upon request.

3. Complaints / grievance mechanisms, including access to external mechanisms, in place to address concerns raised about performance.

Established complaints / grievance mechanisms, including access to external mechanisms, in operation.

The Office uses a current complaints information referral list to ensure callers with disabilities can be referred to appropriate advocacy groups.

The Office has an enquiries line and a website link which give individuals the opportunity to lodge complaints/grievances with the Office.

Email, TTY and a national 1300 number at the cost of a local call are all available.

Premises are accessible.

Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities.

When dealing with requests for access to personal information, organisations are advised to consider issues of accessibility.

No complaints have been received regarding access to the Office's complaint handling service or premises.

Appendix 5 National Privacy Principles

The National Privacy Principles as set out in Schedule 3 of the Privacy Act 1988. See www.privacy.gov.au/materials/types/infosheets/view/6583

Appendix 6 Information Privacy Principles

The Information Privacy Principles as set out in s. 14 of the Privacy Act 1988. See www.privacy.gov.au/materials/types/infosheets/view/6541