2008-09 Annual Report of the Office of the Privacy Commissioner

The Operation of the Privacy Act
Annual Report

1 July 2008 – 30 June 2009

Copyright © Commonwealth of Australia 2009

ISSN 1035–3372

The material in this publication constitutes Commonwealth of Australia copyright and is intended for your general use and information. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial, or educational use or use within your organisation. Apart from any use permitted under the Copyright Act 1968, all other rights are reserved.

Requests and enquiries concerning reproduction and rights should be addressed to Commonwealth Copyright Administration, Attorney-General’s Department, Robert Garran Offices, 3–5 National Circuit, Barton ACT 2600 or posted at www.ag.gov.au/cca.

Senator the Hon. Joe Ludwig

Special Minister of State
Cabinet Secretary

Parliament House

CANBERRA ACT 2600

Dear Minister

I am pleased to submit to you, for presentation to the Parliament, the Annual Report for the Office of the Privacy Commissioner on the operation of the Privacy Act 1988 for the year ending 30 June 2009.

This report has been prepared in accordance with section 97 of the Privacy Act 1988 and the Requirements for Annual Reports 2008–09.

Yours sincerely

[Signed]

Karen Curtis

Australian Privacy Commissioner

25 August 2009

Contents

  • Letter of Transmittal
  • Contents
  • List of Charts
  • List of Tables
  • User’s Guide
  • Commissioner’s Overview 2008–09
  • About the Office
  • Chapter 1 Respecting Privacy
  • Chapter 2 Promoting Privacy
  • Chapter 3 Protecting Privacy
  • Chapter 4 Management and Accountability
  • Appendix 1 Governing Legislation
  • Appendix 2 Strategic Plan 2007–09
  • Appendix 3 Outcomes and Outputs Structure
  • Appendix 4 Freedom of Information Act Compliance
  • Appendix 5 Commonwealth Disability Strategy Performance Reporting
  • Appendix 6 National Privacy Principles
  • Appendix 7 Information Privacy Principles
  • Financial Statements
  • Glossary
  • List of Charts
  • List of Tables
    • Table 2.1 Sessions and Page Views for the Privacy Website
    • Table 2.2 Australian Privacy Awards Category Winner and Highly Commended
    • Table 3.1 Source of Telephone Enquiries
    • Table 3.2 Breakdown of Issues in Calls Received
    • Table 3.3 Stage at which Complaints Closed
    • Table 3.4 Grounds for Closing Complaints Following an Investigation
    • Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation
    • Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries
    • Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries
    • Table 3.8 Basis for Closing Complaints Without Investigation or Preliminary Enquiries
    • Table 3.9 Approved Codes under the Privacy Act
    • Table 3.10 ACT Government Audits Commenced and/or Finalised 2008–09
    • Table 3.11 Identity Security Audits Commenced and/or Finalised 2008–09
    • Table 3.12 Customs PNR Audits Commenced and/or Finalised 2008–09
    • Table 3.13 Biometrics for Border Control Audits Commenced 2008–09
    • Table 3.14 2008–2009 Program protocols produced under the voluntary data-matching guidelines
    • Table 4.1 Consultancy Contracts 2008–09
    • Table 4.2 Overview of Staffing Profile as at 30 June 2009
    • Table A3.1 Agency Resources Statement 2008–09
    • Table A3.2 Resources for Outcome 1
    • Table A5.1 Commonwealth Disability Strategy Performance Reporting
      • having the word ‘privacy’ in the title of the new office to reflect the role that privacy plays in the Australian community
      • nominating primary responsibility for specific functions to a specific statutory office holder to promote certainty of application of the law and enhance consistency
      • the composition of the proposed Information Advisory Committee could be broadened to include representatives from such areas as academia, the community, and business and technology.
      • suggesting the recommendation of the Australian Law Reform Commission to amend the Privacy Act to provide an enforceable right of access to, and correction of, an individual’s personal information held by government agencies, could be included in this current suite of amendments
      • adding to the public interest exemption an additional factor which requires the decision maker to have regard to whether the disclosure of a document may adversely impact on an individual’s privacy.
      • the Australian Electoral Commission should limit the amount of personal information about individual donors which is available online
      • the Australian Electoral Commission should develop privacy guidelines for entities that handle individual donors’ personal information and are not covered by the Privacy Act
      • a Privacy Impact Assessment should be conducted, to help identify and address potential privacy issues associated with any proposed reforms to the electoral system.
      • continuing necessity and proportionality of those laws
      • impact of those laws on the privacy of individuals.
      • undertaking a Privacy Impact Assessment (PIA)
      • limiting personal information on the PPS Register to that which is necessary to fulfil the purpose of the PPS Register
      • including privacy protections for individuals in primary legislation
      • clarifying complaint mechanisms about inappropriate searches of the PPS Register.
      • the ACT Department of Justice and Community Safety on potential privacy issues associated with consent to participate in the proposed Wraparound Project dealing with sexual assault matters
      • the ACT Planning and Land Authority on potential privacy issues associated with the collection and use of information from another ACT Government agency. The Office advised on the obligations under the Information Privacy Principles (IPPs), which could apply to the proposed transfer of information
      • the ACT Department of Territory and Municipal Services on a preliminary Privacy Impact Assessment (PIA) for the proposed smartcard ticketing system to be used on ACTION Buses. The Office recommended that a full PIA be conducted on the proposal. The Office continues to work with the Department on the development of the PIA
      • Transport Regulation and Planning in relation to increasing the range of online transactions available to Licensed Motor Vehicle Dealers (LMVDs). The proposal would grant LMVDs greater access to information held on the ACT vehicle registration and driver licence database, rego.act. The Office recommended that the proposal be covered by an agreement and that a PIA be conducted.
      • what an organisation holding personal information about an individual should do if the individual establishes the personal information is incorrect
      • what an organisation should do if there is a disagreement with the individual about a correction to the individual’s personal information.
      • the work of Indigenous health organisations
      • audits of surgical practice
      • privacy and medical research proposals
      • information handling in general medical practice
      • personal information handling by pharmacists
      • offshore transfer of personal information
      • privacy and family history research
      • transfer of medical records
      • non-government agencies working with trafficked people
      • privacy and migration agents
      • privacy and interactions between medical practitioners and drug and alcohol services
      • privacy and social networking on the internet.
      • adopting and incorporating the National Privacy Principles, or future equivalent, by reference in the NRAS legislation
      • assigning the Australian Privacy Commissioner as the privacy complaint-handler for the NRAS
      • conducting Privacy Impact Assessments to assist in identifying any major privacy risks and addressing them early in the project’s development
      • limiting the proposed criminal history checks to the types of offences relevant to public safety or capacity to maintain professional conduct
      • assessing all proposals for secondary uses of personal information under the NRAS against a set of specified criteria
      • collecting information required for statistical purposes in a de-identified form, or if not practicable, de-identifying personal information at the earliest available point
      • identifying a clear workforce planning need for each data item collected under the NRAS
      • consulting the Privacy Commissioner on the development of unique identifiers, including on any proposed safeguards to protect the use of identifiers.
      • the Digital Economy Future Directions project led by the Department of Broadband, Communications and the Digital Economy (see section 1.4.3 for further information)
      • the National e-Authentication Framework being developed by the Australian Government Information Management Office
      • the digital identity management ‘primer’ for policy makers developed by the Organisation for Economic Co-operation and Development’s Working Group for Information Security and Privacy (see section 2.9.2 for further information)
      • electronic health records projects being undertaken by the National E-Health Transition Authority and the National Health and Hospitals Reform Commission respectively (see section 1.7.1 for further information).
      • a reworking of the site’s content structure and navigation to give users easier access to information and resources
      • a complete redesign of the site’s look-and-feel, providing it with a fresh and more visually appealing new look
      • much improved search facility
      • simpler and more flexible Materials and Resources section
      • improved accessibility
      • new Plain English content for some of the most popular content areas.
      • the level of privacy consideration and consultation undertaken in the planning and implementation of their nominated work, project, initiative, campaign or system
      • their success in communicating its privacy-related elements to staff, customers or external audiences
      • the extent of its impact by showing leadership in privacy development, enhancing privacy awareness, facilitating better interaction or trust with stakeholders, enhancing customer satisfaction, and/or reducing privacy incidents and complaints.
      • facilitating increased communication between privacy professionals in the private sector and the Privacy Commissioner, by allowing professionals to meet and engage with and hear from the Commissioner at these events
      • furthering privacy professionals’ knowledge of current privacy concerns
      • disseminating important information by the Office to key privacy professionals
      • promoting networking opportunities among privacy professionals and assisting existing networks.
      • the Australian Law Reform Commission’s review of privacy
      • Google StreetView
      • the Fair Work Bill
      • scanning of patrons’ identification by clubs and bars
      • alleged privacy breaches by various organisations.
      • directory of accountability agents (such as privacy commissioners, trust marks) in APEC economies
      • Cooperation Arrangement for cross-border cooperation on privacy enforcement
      • cross-border complaint handling form for use by privacy enforcement authorities in APEC economies.
      • explore establishing an International Privacy/Data Protection Day or Week
      • address the urgent need for protecting privacy in a borderless world, and for reaching a Joint Proposal for setting International Standards on Privacy and Personal Data Protection
      • arrange Representation at Meetings of International Organisations
      • establish a website.
      • A caller from a government agency advised that they had received a subpoena from the Federal Court requesting copies of documents containing personal information. The caller was concerned about the disclosure of this information. The caller was advised that under IPP 11, the Privacy Act allows disclosure of personal information if the disclosure is required or authorised by or under law. Producing information under a subpoena would be considered providing information as required by law and the disclosure would be allowed.
      • A caller wanted to know if she could film supermarket shelves, focusing on packaging, for a documentary she is making on recycling. The caller was advised that the Privacy Act only covers ‘personal information’, which is information that can reasonably identify someone. Her proposed filming did not appear to involve personal information and therefore was not covered by the Act.
      • A caller rang to discuss credit reporting. The caller said that a telecommunications organisation had reactivated her old phone account. The account accrued service charges, and the telecommunications organisation listed a payment default on her credit information file. The caller was advised that credit providers have obligations before they can list a payment default: that the debt must be more than 60 days old, the credit provider must have attempted to collect the debt (specifically by sending a collection notice to the last known address), and the individual must have been notified that their personal information may be passed to a credit reporting agency for defaults. The caller was advised of the Office’s complaint process if she believed that the credit reporting agency had not fulfilled its obligations.
      • A caller advised that a medical specialist had refused to provide her with access to her own personal information. Instead, the specialist said that he would provide the information to the caller’s general practitioner. However, the general practitioner also refused the caller access to the personal information, stating that the documents were addressed to him. The caller was advised about her general right of access to her personal information under NPP 6, possible reasons for refusal of access and costs for access. The caller was also advised of the Office’s complaints process.
      • An enquirer asked if it is necessary for a private sector organisation to have its privacy policy available on its website.
      • A private sector organisation asked about how long it needs to keep the resumes of job applicants.
      • An enquirer asked about what guidelines and legislation cover information on an individual’s consumer credit file.
      • An Australian Government agency asked for advice on its storage obligations for personal information and data breach notifications.
      • An enquirer asked about whether debt collectors can contact family members or friends and disclose personal information when trying to collect a debt.
      • how personal information is collected, held, used or disclosed by large private sector organisations, private sector health service providers and some small businesses under the National Privacy Principles
      • how personal information is handled by Australian and ACT Government agencies according to the Information Privacy Principles
      • credit worthiness information held by credit providers and credit reporting agencies
      • the use of personal tax file numbers by individuals and organisations
      • related legislation, including spent convictions under the Crimes Act 1914 and Australian Government data-matching programs regulated by the Data-matching Program (Assistance and Tax) Act 1990.
      • apologies to complainants
      • staff training and counselling
      • amendments to database systems and records
      • provision of access to records
      • compensation payments.
      • whether an agency or organisation is willing to provide access to records
      • if a particular act or practice is authorised by law
      • whether an organisation may claim the small business operator exemption
      • whether a respondent is an agency or organisation.
      • there was no interference with privacy (s. 41(1)(a))
      • the complaint had not been raised with the respondent before being brought to the Commissioner (s. 40(1A)) or
      • the complainant had not given the respondent sufficient time to deal with the complaint (s. 41(2)(b)).
      • assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
      • encourage good privacy practices and compliance with the Privacy Act
      • ensure the Office is accountable and transparent in its processes and decision making.
      • A Betting Agency obtained unauthorised access to consumer credit information files. The Privacy Act limits access to credit information files to credit providers and states that certain intentional unlawful accesses amount to a credit reporting offence. The Commissioner was required, under the Act, to inform the Commissioner of Police that a proscribed credit reporting offence may have been committed in this instance. Once the Commissioner of Police decided not to investigate the matter the Commissioner resumed her investigation. After a full investigation and noting that the Betting Agency ceased accessing credit information files after receiving advice from the Commissioner, the Commissioner formed the view that the Betting Agency had not intentionally breached the Act. The Commissioner subsequently closed this matter under s.41(2)(a) of the Privacy Act on the grounds that the Betting Agency had adequately dealt with this matter. The Commissioner noted that any future access by the Betting Agency to consumer credit information files may be viewed as an intentional contravention of the Act.
      • When contacted by a debt collection agency, a Cleaning Company disclosed the address, financial details and other details about a former employee. The Commissioner took the view that the employee records exemption in the Privacy Act did not apply to the disclosure of this information about a former employee by the Company as the disclosure was not related to the employment relationship. Having formed the view that the disclosure was governed by the Privacy Act, the Commissioner then took the view that the company had interfered with the individual’s privacy. The parties conciliated the matter and the Commissioner closed this matter under s. 41(2)(a) of the Privacy Act on the grounds that the Cleaning Company had adequately dealt with this matter.
      • An individual was receiving a benefit from a Commonwealth government agency. The individual applied for a change to the benefit but was refused. Dissatisfied with the agency’s decision, they lodged an appeal with the appropriate Tribunal in an effort to have the agency’s decision changed. The individual complained that documents the agency disclosed to the Tribunal were not relevant to the matter being heard. The Commissioner was of the view that the notice issued to the agency by the Tribunal required the agency to provide personal information but allowed the agency to consider what information might be relevant. The Commissioner considered that for information to be relevant to the matter at hand, it should have some bearing on, or be connected to, that same matter. The Commissioner was satisfied that the agency had properly considered whether all of the information it held about the complainant was relevant to the decision being reviewed by the Tribunal, and had only provided the Tribunal with that information in response to its notice. Consequently, the Commissioner formed the view that the agency had not interfered with the complainant’s privacy because the disclosure of the information was required by law and was therefore authorised under IPP 11(d). The Commissioner closed the complaint under s. 41(1)(a) of the Privacy Act on the basis that the agency had not interfered with the complainant’s privacy.
      • number of people affected and the consequences for those individuals
      • sensitivity of the personal information involved
      • progress of an agency’s or organisation’s own investigation into the matter and
      • likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified, widespread or ongoing.
      • a call centre was inappropriately recording telephone conversations between customers and staff
      • a real estate agent was unnecessarily collecting Commonwealth identifiers
      • an Australian Government agency improperly disclosed tax file numbers
      • documents from a health service provider were found unsecured in a park
      • individuals’ personal information was accessible from the website of an online business.
      • auditing agency compliance with the Information Privacy Principles – s. 27(1)(h)
      • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s. 28(1)(d)
      • auditing TFN recipients – s. 28(1)(e)
      • auditing credit information files and credit reports held by credit reporting agencies and credit providers – s. 28A(1)(g).
      • appropriate IPP 2 notifications at the point of collection
      • IPP 4 storage and security issues, including physical security, IT access controls, identity verification and transfers of personal information within agency office locations
      • privacy policies and Personal Information Digest entries (IPP 5)
      • privacy training.
      • EOI document was issued by the relevant source government agency
      • details recorded on the EOI document correspond to the details held by the source government agency
      • document is still valid.
      • appropriate IPP 2 notifications at the point of collection
      • IPP 4 storage and security issues, including Contracted Service Provider issues, physical security and IT system and access control issues.
      • identify privacy controls that govern how personal information is transferred both within and between Australian Government agencies, and external organisations
      • identify the current privacy controls that Australian Government agencies have in place around the use of PSDs, both those issued by an agency to staff and those privately owned by staff
      • identify good privacy practices and policies
      • identify any areas of concern that may need to be addressed across Australian Government agencies
      • inform the development of future guidance material by the Office to assist Australian Government agencies to maintain appropriate policies and procedures to minimise the risks presented by the use of PSDs.
      • existing privacy policies covering the transfers of personal information both within and between agencies
      • type of PSD issued by agencies to staff, controls around their use, training provided to staff and losses/theft of agency-issued PSDs
      • whether privately owned PSDs are prohibited from use in agencies, hardware and software controls used by the agency, staff training and losses/theft of privately owned PSDs that had been used to store personal information held by the agency.
      • three-quarters of Australian Government agencies had policies covering the transfer of personal information within their agency (77%), outside their agency (75%) or when staff were working away from their office
      • there were good controls in place across agencies to manage the use of agency-issued PSDs
      • all agencies provided their staff with some type of PSD – most commonly laptops (all), mobile phones (91%), USBs (91%) and PDAs (79%)
      • most agencies (81%) have specific policies covering use of agency-issued PSDs
      • 80% have a policy in place for when an agency-issued PSD is lost or stolen
      • almost all agencies (97%) keep a register of PSDs issued
      • almost two-thirds (63%) require staff to sign an acceptable use type agreement
      • almost two-thirds (63%) also provide training for their staff on use of agency-issued PSDs and relevant security requirements
      • over half of all agencies (58%) have lost or had stolen agency-issued PSDs during the previous 12 months. Over half (58%) reported losses of between 2 and 10 PSDs during the period.
      • 40% of agencies permit the use of all PSDs in the workplace, while a further 37% permit the use of some PSDs
      • just under a quarter (24%) prohibit the use of all privately owned PSDs in the workplace
      • over half of all agencies (55%) have policies around the use of private PSDs in the workplace
      • most agencies (54%) use software controls (e.g. operating system controls) to restrict or control the use of private PSDs
      • some agencies (16%) use hardware controls (such as disabling or blocking USB ports on computers) to restrict private PSD use.
      • the nature of records kept
      • the purpose for which these records are kept
      • the categories of people the information is about
      • the period for which the records are kept
      • who has access to the records and
      • the steps an individual needs to take to gain access to the records.
      • Area Brisbane East (Brisbane), August 2008
      • Area Sydney West (Liverpool), November 2008
      • Area Melbourne East (Mornington), April 2009
      • handling privacy complaints and enquiries about ACT Government agencies
      • providing policy advice
      • carrying out audits
      • providing privacy training on request
      • facilitating a Privacy Contact Officers network.
      • establishing dialogue with Indigenous stakeholders on privacy issues
      • improving awareness of privacy rights in the Indigenous community
      • developing guidance material for agencies and organisations on protecting and respecting the privacy of Indigenous Australians
      • improving and applying cultural awareness and knowledge within the Office
      • creating employment and development opportunities.
      • develop significant policy advice, guidelines or research papers, and will generally consult widely, give reasonable timeframes for feedback, and explain our processes
      • advise complainants of our procedures for handling their complaint, keep them informed of the progress of their complaint and deal with individuals’ requests as quickly as possible
      • assist individuals with their enquiries directly or refer their call to a senior officer if necessary
      • ensure its publications are available on the Office’s website in accessible formats at no charge.
      • Guidelines to the National Privacy Principles
      • Guidelines to the Information Privacy Principles
      • Guidelines for the Use of Data-matching in Commonwealth Administration
      • Guidelines on Privacy in the Private Health Sector
      • Guidelines on Privacy Code Development (part of these guidelines are mandatory)
      • Guidelines on Public Interest Determination Procedure
      • Guidelines for Federal and ACT Government Websites
      • Guidelines on Workplace Email, Web Browsing and Privacy
      • Guidelines for Agencies using Privacy and Public Key Infrastructure to communicate or transact with individuals.
      • Guidelines under Sections 95 and 95A of the Privacy Act 1988.
      • demonstrate leadership in promoting and protecting privacy
      • act with independence, impartiality and integrity
      • value our staff
      • be responsive to our clients
      • work collaboratively with stakeholders.
      • provide advice and assistance to individuals
      • provide advice and assistance to organisations and agencies with responsibilities under the Privacy Act
      • promote privacy through policy advice and educational activities
      • administer the Privacy Act including by investigating individual privacy complaints and systemic issues, and conducting audits.
      • High quality results
      • Increased awareness of privacy choices and obligations within the community
      • Robust relationships
      • A confident and competent workforce.
      • administration matters, including personnel, recruitment, accounts, purchasing, registers, registry, library records and invoices
      • complaint matters, including audits and the investigation, clarification, conciliation and resolution of complaints
      • legal matters, including legal documents, opinions, advice and representations
      • research matters, including research papers in relation to complaints, existing or proposed legislative practices, public education, national inquiries and other relevant issues
      • policy matters, including minutes of meetings, administrative and operational guidelines
      • operational matters, including files on formal inquiries
      • reference materials, including press clippings, survey and research materials, documents relating to conferences, seminars and those contained in the library.
      • be in writing
      • be accompanied by the payment of a $30 application fee
      • include the name and address of the person requesting the information
      • be processed within 30 days of receipt.
    • User’s Guide

      Immediately following this User’s Guide is the Commissioner’s Overview for 2008–09 which includes a summary of significant issues, developments and achievements during the year and an outline of the year ahead for the Office.

      This is followed by About the Office which provides an outline of the Office’s functions and a summary of its 2008–09 activities including key statistics.

      The main chapters are next, followed by the Appendices, Glossary and Index.

      Chapter 1 Respecting Privacy describes the Office’s work in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

      Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy representatives across Australian and ACT Government departments and agencies, handling media enquiries, maintaining the Office’s website and assisting with speeches and presentations by the Commissioner and members of staff.

      Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of government agencies, and investigating and conciliating complaints.

      Chapter 4 Management and Accountability contains an overview of the Office’s administrative arrangements, management of human resources and corporate governance.

      The Appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.

      The Office of the Privacy Commissioner’s audited Financial Statements for 2008–09 are located immediately following the Appendices. The Glossary and Alphabetical Index can be found at the end of the report.

      ACT Government

      Information that relates directly to ACT Government matters can be found in sections 1.5, 3.8.1.1 and 4.1.3.

      How to find out more

      For enquiries about this report or for copies please contact:

      Director

      Corporate and Public Affairs

      Office of the Privacy Commissioner

      GPO Box 5218

      SYDNEY NSW 2001

Telephone: +61 2 9284 9800

Fax: +61 2 9284 9666

      Email: privacy@privacy.gov.au

      Website: www.privacy.gov.au

      Enquiries line: 1300 363 992 local call

      TTY: 1800 620 241 no voice calls

      This report is also available on the Office of the Privacy Commissioner’s website at www.privacy.gov.au/materials/types/reports?sortby=29.

      Non-English Speakers

      If you speak a language other than English and need help please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.

      Commissioner’s Overview 2008–09

      It has been a goal orientated year for the Office with all areas focused on achieving high quality results, increased awareness of privacy choices and obligations, developing robust relationships, and building a confident and competent workforce in line with the Office’s 2007–09 Strategic Plan.

      It has also been a proactive year for the Office. We have been on the front foot on issues such as the handling of data security breaches, the use of portable storage devices (PSDs) in government and rewarding good privacy practices throughout Australia.

      My Office has delivered on its core functions dealing with a high volume of privacy enquiries and complaints, and responding to a broad range of issues involving the handling of personal information. This year there has been a focus on legislative reform, particularly in the areas of credit and health.

      Data breaches have the potential to affect consumer trust, so how business and government respond to a breach can be critical to maintaining that trust. In August 2008 my Office released a Guide to handling personal information security breaches for use by businesses, agencies and non-government organisations. Its aim was prevention but it also addressed responding to a data breach. While the Guide is voluntary, it represents good practice in handling breaches, and I encourage all organisations and agencies to read it and consider its use.

      Complementing this guidance, my Office also commissioned research into the use of PSDs, such as laptops and USBs, by Australian Government agencies. This proactive step by my Office was in recognition of the increased use of PSDs for the transfer and storage of personal information. The findings will assist us to assess privacy risks associated with PSDs given their growing use and reports of data breaches around the world. We want to assist government agencies in preventing breaches from occurring here in Australia and were encouraged to see that the majority of government agencies surveyed do have controls in place to protect personal information from being mishandled.

      Privacy Awareness Week provides an opportunity for my Office to remind the Australian community of their privacy rights and responsibilities. A key activity was a ‘Privacy in Practice’ seminar for privacy professionals. We also focused on youth with the launch of a dedicated youth privacy publication, private i, an animated video and a privacy youth portal.

      We are encouraged by the improved privacy practices around the nation so in 2008 I introduced the Australian Privacy Awards and Australian Privacy Medal. The awards and medal recognise good privacy practice and the inaugural event was held in August last year.

      A personal highlight was being able to publicly congratulate those that engage in good privacy practices and it was an honour to be able to present the inaugural Australian Privacy Medal to the Honourable Michael Kirby for his outstanding achievement in the field of privacy over the last 30 years.

      In Mr Kirby’s acceptance speech he explained how privacy “is something integral to our personality, essential to our home, our families and our very identity”. Such comments leave no doubt that our personal information deserves to be ‘valued and respected’ – which is consistent with our vision statement and the Office’s Strategic Plan.

      The Year Ahead

      In March 2009, the then Special Minister of State and Cabinet Secretary, Senator John Faulkner announced details of proposed major reforms to the structure of privacy and freedom of information (FOI) regulation in Australia, and released the draft Freedom of Information Amendment (Reform) and Information Commissioner Bills.

      The Bills would implement an election commitment of the Government to foster a pro-disclosure environment by establishing an Office of the Information Commissioner and introducing numerous significant changes to the FOI Act.

      It is proposed that an Information Commissioner would head the Office of the Information Commissioner, have overall responsibility for FOI and privacy, and be supported by a new Freedom of Information Commissioner and the existing Privacy Commissioner.

      It is expected that the Office of the Information Commissioner will be up and running by early 2010.

      I look forward to playing a leading role during this period of transition and ensuring that the privacy of Australians remains an important public policy consideration.

      It is expected that some of these reforms will occur in conjunction with the Government’s response to the Australian Law Reform Commission’s review into privacy. The Government’s response will be in a phased approach and it is anticipated that phase one will be released in late 2009.

      My Office looks forward to continuing to assist in the development of the whole-of-government response, and then in assisting any parliamentary processes that may occur with the introduction of new legislation.

      In 2009–10, the Office will continue to raise privacy awareness among businesses, government and individuals. Our ability to promote privacy understanding and awareness will be enhanced by a major publications review, launch of the Office’s redeveloped website, and continued application of plain English principles in our materials and resources.

      I look forward to facing the challenges that are inevitable during a period of transition as they bring with them an opportunity to further enhance Australia’s privacy regime.

      Karen Curtis

      Australian Privacy Commissioner

      About the Office

      Privacy Commissioner’s Functions

      The Privacy Commissioner has specific statutory functions under ss. 27, 28 and 28A of the Privacy Act 1988. These functions include, amongst other things, investigating possible breaches of the Privacy Act, undertaking audits of agencies or organisations to ensure compliance with the Privacy Act, providing advice to agencies and organisations on matters related to privacy, and promoting and encouraging the adoption of privacy standards in the community.

      One of the key responsibilities of the Office is to handle complaints. Individuals who believe that their privacy may have been interfered with by an agency or organisation are able to lodge a complaint with the Office under s. 36 of the Privacy Act. The Privacy Commissioner may then undertake preliminary enquiries of the respondent to determine whether there are grounds, and whether the Commissioner has jurisdiction, to formally open an investigation into the complaint under s. 40 of the Privacy Act.

      Staff members of the Compliance Section conciliate between the parties to attempt to adequately resolve the dispute. If the parties are not able to come to a mutually satisfactory agreement, the Privacy Commissioner is able to make a determination under s. 52 of the Privacy Act to dismiss the complaint. Alternatively, the Privacy Commissioner is able to find in favour of the complainant and decide upon suitable orders to remedy the breach. The orders are enforceable in the Federal Court or Federal Magistrates Court under s. 55A of the Privacy Act.

      Generally, a complaint must be in writing. The Office is obliged to provide appropriate assistance to people who require it in order to help formulate and appropriately set out the particulars of the complaint.

      Individuals cannot complain to the Privacy Commissioner about organisations which are bound by a privacy code approved by the Commissioner, when that code has its own code adjudicator. Individuals may, however, ask the Privacy Commissioner to review a determination made by a code adjudicator under s. 18BI of the Privacy Act.

The Privacy Commissioner has the power to launch investigations under s. 40(2) of the Privacy Act, and these are referred to as ‘Own Motion’ Investigations (OMIs). The Privacy Commissioner undertakes OMIs where it appears that a breach of the Privacy Act may have occurred and it is thought desirable that an OMI be undertaken, for example where the alleged breach is not limited to one complainant, or where the alleged breach raises systemic and/or ongoing issues.

      The Office’s Policy Section assists the Privacy Commissioner in providing advice on privacy issues, including interpreting the operation of the Privacy Act, to Ministers, Australian and ACT Government agencies, and private sector organisations. The section develops guidance material (such as guidelines, information sheets and FAQs) to help explain the operation of the Privacy Act and the Privacy Commissioner’s functions.

      The Policy Section examines enactments and proposals from agencies, advising on their potential privacy implications and their overall compliance with the Privacy Act. It also assists the Privacy Commissioner in carrying out other functions under the Privacy Act, as well as prescribed functions under the National Health Act 1953, the Telecommunications Act 1977 and the Crimes Act 1914.

      The Office’s Corporate and Public Affairs Section manages the public profile of the Office and the Privacy Commissioner, provides secretariat support and manages the Office’s corporate responsibilities. The section is responsible for developing and maintaining the Office’s website, handling media enquiries, and providing a secretariat role to several committees and networks including the Government Privacy Contact Officer Network, Privacy Connections Network, Privacy Advisory Committee, the Asia Pacific Privacy Authorities and the Privacy Authorities Australia forums. The section also liaises with key stakeholders, including domestic bodies and international authorities, and handles the Office’s corporate governance responsibilities.

Chart 1 Organisational Structure

      Year in Review – a Summary

      A brief summary of the Office’s performance in 2008–09 is outlined below. A more detailed review of performance is contained in Chapters 1–4. The Office’s Strategic Plan and our Portfolio Budget Statement outcomes and outputs are in Appendix 2.

      Telephone Enquiries

The Office received 21 178 telephone enquiries in 2008–09 compared with 18 059 in 2007–08. This represents an increase of about 17% in enquiries received by the Enquiries Line. See section 3.2.1 for further information.

      Written Enquiries

      The Office received 2078 enquiries by email, post or facsimile in 2008–09 compared with 2168 written enquiries reported in 2007–08. This represents a slight decrease in the number of written enquiries received by the Office from the previous year. The Office is committed to responding to 90% of written enquiries in ten working days. This benchmark was met in 2008–09, with 97% of written enquiries responded to in ten working days or less. See section 3.2.2 for further information.

      Complaints

      The Office received 1089 complaints in 2008–09 compared with 1126 in 2007–08. This represents a slight decrease in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1357 complaints in 2008–09, 129 more than the previous year (1228). See section 3.3.2 for further information.

      Case Notes

The Office published 18 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may be of interest to the community. They also demonstrate to members of the public how the Commissioner handles complaints, and serve as a possible indication of the Commissioner’s view on aspects of privacy law. See section 3.6 for further information.

      Legislative Instruments

      The Privacy Commissioner approved a variation to the Queensland Club Industry Code of Practice which took effect on 1 May 2009. The code has been in operation since August 2002 and deals with the handling of personal information of club members and patrons. The variation gives effect to a review of the Code undertaken by the Code administrator, Clubs Queensland. The variation corrects typographical errors, deletes examples and incorporates other minor changes.

      Media

      151 media enquiries were received in 2008–09. See section 2.7 for further information.

      Speeches

      41 speeches and presentations were delivered in 2008–09. These speeches and presentations largely addressed emerging privacy issues. For further information see section 2.8.

      Policy Advices

      The Office produced over 150 advices on significant policy issues. Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.

      Submissions

      In 2008–09, the Commissioner provided 30 submissions to government departments and parliamentary inquiries on policy proposals or legislation, providing analysis on the privacy implications of the proposals and offering advice on methods to ensure privacy is appropriately considered and protected. All Office submissions to public consultations are available at:
      www.privacy.gov.au/materials/types/submissions?sortby=65.

      The following submissions were made:

      1. Inquiry into Cyber Crime and its Impact on Australian Consumers; Submission to the House of Representatives Standing Committee on Communications (June 2009)

2. Inquiry into the AusCheck Amendment Bill 2009; Submission to the Senate Legal and Constitutional Affairs Committee (June 2009)

3. ‘Consumer Voices: Sustaining advocacy and research in Australia’s new consumer policy framework’ issues paper; Submission to the Treasury (June 2009)

      4. Draft National Consumer Credit Reform legislation; Submission to the Commonwealth Treasury (May 2009)

      5. Review of Consumer-Related Industry Code Processes - Part 6 Telecommunications Act 1997; Submission to the Department of Broadband, Communications and the Digital Economy (May 2009)

      6. Person-controlled Electronic Health Records - Supplementary Paper; Submission to the National Health and Hospitals Reform Commission (May 2009)

      7. Exposure Draft of the Information Commissioner Bill 2009 and the Freedom of Information Amendment (Reform) Bill 2009; Submission to the Department of the Prime Minister and Cabinet (May 2009)

      8. Inquiry into the National Registration and Accreditation Scheme for doctors and other health workers; Submission to the Senate Community Affairs Committee (April 2009)

      9. Increased MBS Compliance Audits Initiative; Submission to the Senate Standing Committee on Community Affairs Inquiry (April 2009)

      10. Exposure Draft - Tax Laws Amendment (Confidentiality of Taxpayer Information) Bill 2009 and Explanatory Memorandum; Submission to the Commonwealth Treasury (April 2009)

      11. Exposure drafts of the Queensland Right to Information and Information Privacy Bills; Submission to the Queensland Government (April 2009)

      12. Australian Law Reform Commission’s Review of Secrecy Laws - Issues Paper 34; Submission to the Australian Law Reform Commission (February 2009)

      13. Australian Government Electoral Reform Green Paper - Donations, Funding and Expenditure; Submission to the Department of Prime Minister and Cabinet (February 2009)

      14. Digital Economy Future Directions: Consultation Paper; Submission to the Department of Broadband, Communications and the Digital Economy (February 2009)

      15. Inquiry into the Fair Work Bill 2008; Submission to the Senate Education, Employment and Workplace Relations Committee (January 2009)

      16. Draft Model Spent Convictions Bill 2008; Submission to the Australian Government Attorney-General’s Department (January 2009)

      17. Inquiry into the Freedom of Information (Removal of Conclusive Certificates and Other Measures) Bill 2008; Submission to the Senate Finance and Public Administration Committee (January 2009)

      18. National Registration and Accreditation Scheme for the Health Professions (NRAS): Proposed arrangements for information sharing and privacy; Submission to the Australian Health Ministers’ Advisory Council (December 2008)

      19. Exposure Draft Personal Property Securities Bill 2008; Submission to the Senate Legal and Constitutional Affairs Committee (December 2008)

      20. Personal Property Securities Regulations Discussion Paper; Submission to the Attorney-General’s Department (November 2008)

21. Inquiry into the Migration Legislation Amendment (Worker Protection) Bill 2008; Submission to the Senate Legal and Constitutional Affairs Committee (October 2008)

      22. Consultation Paper 3 - Privacy Legislation in NSW; Submission to the NSW Law Reform Commission (October 2008)

      23. Northern Territory Emergency Response Review; Submission to the Review Board (September 2008)

      24. Inquiry into the Independent Reviewer of Terrorism Laws Bill 2008 [No. 2]; Submission to the Senate Legal and Constitutional Affairs Committee (September 2008)

      25. Eligibility requirements for registration on the Do Not Call Register; Submission to the Department of Broadband, Communications and the Digital Economy (September 2008)

      26. Inquiry into whistleblowing protections within the Australian Government public sector; joint submission by the Australian Public Service Commission, the Office of the Privacy Commissioner and the National Archives of Australia to the House of Representatives Standing Committee on Legal and Constitutional Affairs (August 2008)

      27. Consultation on Personal Property Securities Bill and Commentary (Consultation Draft); Submission to the Attorney-General’s Department (August 2008)

      28. Review of Code of Banking Practice; Submission to the Review of the Australian Bankers’ Association Code of Banking Practice (August 2008)

      29. Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority (August 2008)

      30. Australian Government E-security Review; Submission to the Attorney-General’s Department (August 2008)

      Respecting Privacy

      1.1 Review of Performance

      The Office continued its role of providing advice to Australian and ACT Government agencies on new policy proposals, legislative and regulatory changes, and agency practices that may have a significant impact on the handling of personal information. Much of this advice has focused on the importance of appropriate privacy protections in ensuring community trust and confidence in public administration. The Office also provided advice to the private sector and to consumers. This advice has included the release of new information sheets, answers to frequently asked questions and the provision of advices in response to specific issues.

      A key focus has been to continue working with the Department of the Prime Minister and Cabinet to develop the Australian Government’s response to the Australian Law Reform Commission’s Privacy Report 108.

      In August 2008, the Office released a voluntary guide for the notification of information security breaches. This guide assists organisations and agencies by providing general guidance on key steps and factors to consider when responding to personal information security breaches.

      The Office also provided detailed guidance to businesses through the release of two information sheets on the data quality and access and correction privacy principles. This guidance material progresses actions identified in the Office’s current Strategic Plan.

      In addition to the matters outlined above, the Office made 30 public submissions during the period. The Office also provided around 150 other pieces of major advice to agencies and organisations on a large range of privacy issues.

      1.2 Australian Law Reform Commission Review of Privacy

      On 31 January 2006, the Australian Law Reform Commission (ALRC) received Terms of Reference from the Australian Attorney-General for an inquiry into the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia.

      The final report of the ALRC was made publicly available by the Australian Government on 11 August 2008.

      The Office provided substantial input to the ALRC’s inquiry and remains committed to promoting privacy regulation that balances the interests of all stakeholders, and which continues to foster an Australian culture that respects and values privacy.

Since the release of the ALRC’s privacy report in August 2008, the Office has been actively engaged with the Department of the Prime Minister and Cabinet in its deliberations, which will inform the Australian Government’s response to the ALRC report. This has included participating in a range of stakeholder consultations undertaken by the Department and assisting the Department in relation to the health privacy proposals by convening the Office’s Health Privacy Forum in February 2009 to discuss the issues.

      The Office has also seconded a senior policy officer to the Department to assist in this process.

      1.3 Proposed Office of the Information Commissioner

      In March 2009, the Government announced further measures to implement Freedom of Information (FOI) Reform which included the establishment of a new Office of the Information Commissioner. The new Office would be headed by an Information Commissioner (a new statutory position), and include an FOI Commissioner (another new statutory position) and the Privacy Commissioner (an existing statutory position).

      In May 2009 the Office made a submission in response to the release of the exposure drafts of the Information Commissioner Bill 2009 and the FOI Amendment (Reform) Bill 2009. In its submission, the Office indicated its broad support for the anticipated reforms outlined in the exposure draft and provided some recommendations to enhance the Information Commissioner Bill.

      These recommendations included:

      The Office also provided several recommendations in relation to the FOI Amendment (Reform) Bill including:

      1.4 Privacy and the Australian Government

      This section discusses the work the Office did during the reporting period in relation to Commonwealth legislation and/or Australian Government activity. Please note, however, that some areas of the Office’s work relating to the Australian Government are discussed in other sections of this Chapter.

      1.4.1 Secrecy Laws

      In February 2009, the Office made a submission to the Australian Law Reform Commission’s Review of Secrecy Laws – Issues Paper 34.

      The submission focused on the impact that secrecy laws have on the handling of personal information as well as the interaction between secrecy laws and the Privacy Act.

Among other things, the Office recommended that a secrecy provision which regulates personal information should address its interaction with the Privacy Act. The Office also recommended that where an agency identifies a need to require or authorise the handling of personal information where that handling would otherwise breach the Privacy Act, the agency should have a clear and appropriate policy basis for doing so.

      In April 2009 the Office made a submission to the Treasury on proposed changes to taxation secrecy laws in the exposure draft Tax Laws Amendment (Confidentiality of Taxpayer Information) Bill 2009 and corresponding explanatory material.

      The Office noted its support for the consolidation and standardisation of existing taxation secrecy provisions as this would assist individuals to be confident that their taxpayer information is being handled appropriately.

      The Office made several specific suggestions to enhance privacy protections under the exposure draft Bill, including that particular provisions should not override the protections afforded to publicly available personal information in the Privacy Act. The Office also suggested that the exposure draft Bill clarify whether an exception to the taxation secrecy provisions overrides the use and disclosure principles in the Privacy Act.

      1.4.2 Electoral Reform

      In February 2009, the Office made a submission to the Department of the Prime Minister and Cabinet on the Australian Government Electoral Reform Green Paper – Donations, Funding and Expenditure.

      In its submission, the Office supported the Australian Government’s plan detailed in the Green Paper, to facilitate a more transparent, open and accountable electoral system.

      The Office made several suggestions to enhance privacy protections associated with the proposed reforms including:

      1.4.3 Digital Economy

      During 2008–09, the Office continued to advise on privacy and the digital economy and ecommerce. This included participating in domestic initiatives such as the Department of Broadband, Communications and the Digital Economy’s (DBCDE) Future Directions project (described below) and international initiatives led by the Asia Pacific Economic Cooperation and Organisation for Economic Cooperation and Development subgroups (see sections 2.9.1 and 2.9.2 for further information).

      In February 2009, the Office made a submission to DBCDE’s Digital Economy Future Directions – Consultation Paper. Stakeholder comments on the Consultation Paper are part of the development of a ‘roadmap’ for the future of the digital economy in Australia. In its submission, the Office offered advice on how good personal information handling and therefore good privacy practice could be embedded in the development of the digital economy and so foster trust and further growth.

      The Office encouraged DBCDE to promote a multi-faceted approach to enhancing privacy in the development of the digital economy to supplement the protections offered by the Privacy Act. A multi-faceted approach could include: educating individuals about protecting their information when using digital technologies; harnessing privacy enhancing technologies; and participating in international agreements and initiatives between jurisdictions.

      The Office also encouraged DBCDE to promote privacy enhancing technologies in recognition of their importance in generating trust and furthering Australia’s participation in the digital economy.

      1.4.4 Industrial Relations Legislation

      In January 2009, the Office made a submission to the Senate Education, Employment and Workplace Relations Committee Inquiry into the Fair Work Bill 2008. The Office noted that the Fair Work Bill was intended to provide a balanced framework for cooperative and productive workplace relations.

      The Office recommended that organisations with permits to enter workplaces under the Fair Work Bill that would ordinarily fall outside the jurisdiction of the Privacy Act, should be brought under the Privacy Act’s coverage. The Office also suggested ways in which the Fair Work Bill could clarify and enhance the privacy protections applying to personal information collected and handled under the ‘right of entry’ and ‘protected action ballot’ provisions of the Fair Work Bill.

      A number of the Office’s recommendations were incorporated into the Fair Work Act 2009 to strengthen the legislation’s privacy protections. The Office also provided assistance to the Workplace Ombudsman in the production of a best practice guide on workplace privacy.

      1.4.5 Identity Security

      The Privacy Commissioner is a member of the National Identity Security Coordination Group (NISCG) and the Commonwealth Reference Group on Identity Security (CRGIS), convened by the Attorney-General’s Department.

      The Office is also a participant on many of the National Identity Security Strategy working groups.

      As part of its role on these working groups, the Office provides advice to Government and key agencies on the privacy implications of their initiatives.

      In particular, the Office has focused on the development of the Document Verification Service (DVS). This included undertaking two audits of the DVS in December 2008 and May 2009.

      As well, in September 2008, the Office made a submission to the Senate Standing Committee on Legal and Constitutional Affairs regarding its inquiry into the Independent Reviewer of Terrorism Laws Bill 2008 [No. 2].

      The Office submitted that a standing Independent Reviewer may be well placed to ensure continuity in the review and oversight of terrorism-related laws including through the systematic following-up of review findings.

      The Office specifically suggested that in assessing the “operation, effectiveness and implications of laws relating to terrorist acts” the proposed Independent Reviewer should be required to consider with respect to circumstances at the time, the:

      1.4.6 Anti-Money Laundering and Counter-Terrorism Financing

      Consistent with its Strategic Plan goal to promote increased awareness of privacy choices and obligations, the Office continued to play an active role in the implementation of the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) legislation. The Office is represented on industry and government forums, and provides comments on draft guidance material and relevant issues.

      During 2008–09, the Office provided comments and general advice to AUSTRAC in relation to a number of its draft guidance notes and rules. The Office’s key suggestions were designed to inform and remind organisations that the handling of this personal information will often be subject to Privacy Act regulation.

      The Office has guidance materials, including bookmarks, flyers and information addressing frequently asked questions, to assist the private sector. These materials are targeted at educating small businesses on how they could fulfil their Privacy Act obligations as ‘reporting entities’ under the AML/CTF legislation.

      1.4.7 Northern Territory Emergency Response

      In June 2007, the Northern Territory Emergency Response (NTER) was announced. The NTER led to a number of welfare reform measures including income management of some Centrelink benefit recipients in the Northern Territory. Restrictions were also put in place on the sale of alcohol from take-away liquor outlets in the Northern Territory under the Northern Territory National Emergency Response Act 2007.

      In June 2008, the Government initiated an independent review of the NTER. The Office made a submission to the review which noted the need for a robust privacy framework including training, education, and procedures to be set in place for the NTER measures. The submission also noted that good privacy practice requires that agencies and organisations, in meeting their privacy obligations, may need to take extra steps to ensure appropriate handling of Indigenous Australians’ personal information under the measures.

      1.4.8 Personal Property Securities Register

      In 2008–09, the Office continued to provide advice to the Attorney-General’s Department (AGD) in relation to the development of the proposed personal property securities scheme.

      The scheme aims to harmonise Australia’s personal property securities laws in one national law and to establish a national online Personal Property Securities Register (PPS Register).

      In August 2008, the Office commented on the consultation draft of a Personal Properties Securities Bill (the Bill) and also provided comments on a discussion paper for regulations to be made under the Bill.

      In December 2008 the Office made a submission to the Senate Legal and Constitutional Affairs Committee’s (the Committee) inquiry into the Bill. In January 2009, the Office appeared before the Committee’s inquiry into the Bill.

      The Office noted that the PPS Register would include personal information relating to the financial and credit affairs of a large number of individuals and had the potential to raise a number of privacy-related issues. The Office made a number of suggestions to reduce potential privacy risks, such as:

      In March 2009, the Committee released its report on the Bill. The Report recommended that a PIA be conducted by an independent consultant. Any issues raised by the Office’s submission not considered by the PIA should be considered by the AGD, and a response to those issues be provided to the Office in writing or made public.

      The Office has continued to play an active role by providing comments to the consultants developing the PIA and to the AGD on relevant issues.

      1.4.9 Spent Convictions

      In January 2009, the Office made a submission to the Attorney-General’s Department in relation to the Draft Model Spent Convictions Bill 2008.

      The Office recommended that the proposed spent convictions scheme should enable individuals to complain to a relevant privacy oversight body if they believe information about a spent conviction has been mishandled. The Office also suggested that the Australian Privacy Commissioner, or equivalent Privacy or Information Commissioner in the relevant jurisdiction, should have power to assess and advise on proposed exclusions to the scheme.

      1.4.10 Whistleblowing

      In August 2008, the Australian Public Service Commission, the Office of the Privacy Commissioner and the National Archives of Australia made a joint submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs inquiry into whistleblowing protections within the Australian Government public sector.

      The submission made recommendations for improving the current whistleblowing processes. The Office commented on relevant privacy issues.

      1.5 Privacy and the Australian Capital Territory Government

      The Office continued to provide advice to Australian Capital Territory (ACT) Government agencies in 2008–09 under its Memorandum of Understanding (see section 4.1.3 for further information). The Office provided comments to:

      1.6 Privacy and Business

      1.6.1 National Privacy Principle Information Sheets

      In May 2009, the Office released new privacy guidance materials for private sector organisations and consumers.

      Two information sheets were released to assist private sector organisations meet their obligations under National Privacy Principles (NPPs) 3 and 6. Private Sector Information Sheet 28 – NPP 3 Data Quality provides organisations with advice about NPP 3 obligations including key factors to consider in planning how to manage data quality. In addition, the Office has revised Private Sector Information Sheet 4 – NPP 6 Access and Correction to include advice explaining:

      The Office also published six frequently asked questions (FAQs) that provide consumers with guidance on access and correction under NPP 6. The Office released FAQs for consumers about personal information that may be collected, used or disclosed by real estate agents, property managers or landlords.

      The information sheets and FAQs were developed following consultation with a range of private sector organisations, consumer bodies, industry groups and privacy organisations. This consultation was consistent with the Office’s Strategic Plan commitment to increase awareness of privacy choices and obligations, and to build effective relationships with key stakeholders.

      The Office released the guidance material during Privacy Awareness Week to ensure it was well publicised. To this end, the Office has provided copies of the information sheets and FAQs to a range of private sector organisations, consumer bodies, industry groups and privacy organisations. The guidance material is also accessible through the Office’s website at www.privacy.gov.au.

      This guidance material gives effect to recommendations made in the Office’s 2005 report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. Progressing these recommendations is also an action under the Office’s Strategic Plan.

      1.6.2 Private Sector Advice

      Under s. 27(1)(d) of the Privacy Act, one of the Privacy Commissioner’s functions is to promote an understanding and acceptance of the National Privacy Principles.

      Consistent with this function and with the Office’s Strategic Plan aims to work collaboratively and provide quality advice, the Office has continued to provide advice about the operation of the NPPs including on such matters as:

      As well, in accordance with the Office’s strategic commitment to develop private sector communication, the Office took the opportunity to present to a number of conferences and industry bodies during the reporting year. For example, the Office spoke at the Health Privacy Futures conference and presented to general practitioners at a divisional level meeting. The Office also presented to ‘moderators’ working with an innovative online youth advisory group established to advise government on cyber safety for young people.

      As well, the Office produced a range of information sheets for businesses and frequently asked questions for consumers. Some of these are outlined in section 1.10.

      1.6.3 Privacy Codes

      Part IIIAA of the Privacy Act allows organisations to apply to the Privacy Commissioner for approval of a privacy code that will replace the National Privacy Principles for organisations bound by that code.

      During the reporting period there were no new code applications but one approved Code was varied. The Queensland Club Industry Privacy Code (the code) was first approved on 7 August 2002. The code sets out the obligations of code subscribers in relation to the handling of personal information of club members and patrons. The Commissioner approved the application to vary the code on 22 April 2009. The purpose of the variation to the code was to give effect to the review of the code undertaken by the code proponent Clubs Queensland. The variation took effect on 1 May 2009.

      1.6.4 Credit Reporting

      The Office attended consultative meetings with industry representatives in November 2008 and separately with privacy advocates in December 2008 to discuss the credit reporting recommendations in the Australian Law Reform Commission’s Privacy Report 108. The consultative meetings were hosted by the Department of the Prime Minister and Cabinet.

      In May 2009, the Office made a submission to the Treasury on the draft National Consumer Credit Reform legislation. The Office made suggestions to enhance and clarify certain aspects of the draft legislation to ensure the proposed national consumer credit regulatory framework contained appropriate privacy protections.

      1.6.5 Tax File Number Guidelines

      During 2008–09, there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of tax file numbers.

      1.6.6 Do Not Call Register

      In September 2008, the Office made a submission to the Department of Broadband, Communications and the Digital Economy review of the Do Not Call Register (DNCR).

      In that, the Office stated that any interference with privacy in this context is most pronounced with private or domestic phone numbers, which are already covered by the DNCR. However, similar risks may apply to other numbers, such as those of small businesses, particularly where those numbers are also used for private or domestic purposes. The Office suggested that the protections of the DNCR should be extended to these numbers. The Office also suggested that the DNCR include faxes in its scope, particularly for private and domestic faxes.

      The Office noted that the private sector provisions of the Privacy Act will continue to operate alongside the provisions of the DNCR Act and the Australian Communications and Media Authority (ACMA) Industry Standard for the making of telemarketing and research calls. This means that organisations bound by the Privacy Act must continue to comply with that Act, as well as the ACMA Industry Standard when making, or causing telemarketing calls to be made.

      1.6.7 Identity Scanning

      Consistent with the Privacy Commissioner’s function to promote an understanding and acceptance of the National Privacy Principles (NPPs) and the Office’s Strategic Plan goal to increase awareness of privacy choices and obligations within the community, the Office has provided advice to individuals and organisations in relation to the practice of scanning identity (ID) documents.

      The Office has generally noted that while the scanning of ID documents is not in itself necessarily an interference with privacy, an organisation covered by the Privacy Act may be in breach of its obligations under the Privacy Act if it fails to comply with the NPPs in its handling of personal information. When organisations are considering scanning identity documents they should consider carefully their obligations, particularly to only collect necessary information and to hold information for only as long as it is needed. In large scale projects the Office encourages businesses to consider conducting a Privacy Impact Assessment (PIA) to ensure that privacy risks are identified and mitigated prior to implementation of any new proposal.

      The Office has also received a number of complaints and enquiries regarding ID scanning. The main focus for most ID scanning enquiries and complaints is whether the collection of all the data items on an ID document is ‘necessary’ for the organisation to perform one or more of its functions or activities.

      Some ID documents have significant and sensitive information (e.g. donor status) that is unlikely to be necessary. There are also concerns about inappropriate exchange of information between organisations and whether there are reasonable security measures in place to destroy the information when it is no longer needed.

      1.7 Privacy and the Health Sector

      The Office convened a meeting of the Privacy Commissioner’s Health Privacy Forum in February 2009 to assist the Department of the Prime Minister and Cabinet seek views on the Australian Law Reform Commission’s (ALRC) recommendations on health and research.

      During the reporting period the Office maintained its active interest in the development of e-health initiatives as they relate to the collection and handling of personal information. It acknowledged the potentially important role that effective e-health information systems can play in promoting better health outcomes for Australians in its submissions to government during the year.

      While acknowledging these benefits, the Office suggests that the potential risks to privacy can be minimised by considering privacy at an early stage in the design of proposed systems.

      The Office is of the view that gaining the trust and confidence of individuals in e-health record systems and other e-health initiatives is vital to their success. While many individuals are likely to welcome in-principle the benefits associated with e-health systems, there may be reluctance to participate if key privacy protections are lacking.

      1.7.1 Electronic Health Records

      The Office continued to engage with the Department of Health and Ageing, state and territory government agencies and other relevant bodies, such as the National E-Health Transition Authority (NEHTA) and Medicare Australia, on matters related to electronic health records.

      In July 2008, NEHTA released a Privacy Blueprint for a proposed Individual Electronic Health Record (the Blueprint). The Blueprint set out privacy protections for a national individual electronic health record (IEHR) system. The Office made a submission on the Blueprint welcoming the attention paid to privacy as part of the IEHR’s system development.

      The Office supported the express consent approach for enrolment of individuals in the system, as well as the provision to be able to consent to specific episodes of care to be entered into an IEHR record.

      The Office also suggested that further attention could be given to some key issues including: enabling legislation for the system; choice for individuals as to who may access their IEHR; choice for individuals regarding limiting access to particularly sensitive information (‘sealed envelope’ option); the availability of audit records for individuals; and management of secondary uses of IEHR information, particularly for uses beyond medical research.

      In February 2009, the Office attended a forum on the Deloitte National E-Health Strategy and, in April 2009, it met with NEHTA to discuss current and future developments in e-health, including progress on pilot projects to trial e-health record systems of medication management and hospital discharge and referrals.

      In April 2009, the National Health and Hospitals Reform Commission released a supplementary paper, to its Interim Report, on ‘person-controlled electronic health records’.

      The Office made a submission on the supplementary paper, which welcomed the emphasis on voluntary participation and the recognition of the critical importance of privacy in e-health information systems.

      The Office’s submission also suggested a number of issues that would benefit from further consideration, including the capacity of consumers to control access to information which they regard as particularly sensitive. The Office emphasised that the legislative framework should encompass safeguards for consumer participation in the e-health system including providing that it is not necessary to activate an e-health record in order to access health services, Medicare or health insurance payments.

      The Office considers that a robust and comprehensive framework for privacy protection comprising the four key elements of design, technology, legislation and oversight should underpin the national e-health information system. The Office will continue to engage on the privacy aspects of e-health including through involvement in the consultations on electronic health identifiers and the national health privacy framework for e-health that are expected in the second half of 2009.

      1.7.2 Section 95AA Guidelines

      The Privacy Legislation Amendment Act 2006 introduced National Privacy Principle 2.1(ea). The amendment gives organisations the discretion to use or disclose genetic information about an individual to a genetic relative where it is considered necessary to lessen or prevent a serious threat (whether or not the threat is imminent) to the genetic relative’s life, health or safety.

      Any use or disclosure must be in accordance with guidelines issued by the National Health and Medical Research Council (NHMRC) and approved by the Privacy Commissioner under s. 95AA of the Privacy Act.

      The Office continued working with the NHMRC in 2008–09 as it developed the guidelines.

      1.7.3 National Registration and Accreditation Scheme

      In December 2008, the Office made a submission to the Australian Health Ministers’ Advisory Council (AHMAC) in relation to the proposed arrangements for information sharing and privacy for the National Registration and Accreditation Scheme for the health professions (NRAS).

      The Office also participated in the NRAS public forum held in November 2008. In April 2009, the Office made a further submission to the Senate Community Affairs Committee regarding the NRAS proposal and, in June 2009, participated in a national forum on the exposure draft second stage legislation for the NRAS.

      The Office noted in its submissions that privacy has an integral part to play in the NRAS. In particular, the Office believes that the NRAS should protect practitioners’ privacy through sound information handling practices.

      In its submission, the Office recommended:

      1.7.4 Medicare Australia Compliance Audits

      During 2008–09, Medicare Australia and the Department of Health and Ageing (DoHA) consulted with the Office at various stages throughout the development of the Increased Medicare Compliance Audits Initiative (IMCA initiative), which was a 2007–08 budget measure.

      In April 2009, the Office made a submission to the Senate Standing Committee on Community Affairs Inquiry into the IMCA initiative. That submission focused on privacy and information-handling matters. In particular, the submission addressed proposed powers for Medicare Australia to require health service providers to produce information in limited circumstances during an audit, including patients’ health information, to verify the provider’s Medicare Benefits Schedule (MBS) claims.

      In May 2009, the Office made a submission to DoHA on the Privacy Impact Assessment (PIA) on the IMCA initiative, jointly conducted by DoHA and Medicare Australia. The Office welcomed the undertaking of the PIA, and supported the intent of the PIA’s 10 recommendations, including further PIAs as the IMCA initiative develops. The Office also welcomed the decision to release the PIA to assist public scrutiny of the IMCA initiative, in addition to the ongoing consultations with professional, consumer and privacy groups.

      1.8 Privacy and the Information and Communications Technology Sector

      During the reporting period, the Office provided input into a number of projects and initiatives related to information and communications technology (ICT). Some of these initiatives included:

      Finally, the Office released guidance material during 2008–09 related to ICT. In particular, the Office published two information sheets: Interaction between the Privacy Act and the Spam Act and Portable storage devices and personal information handling. These information sheets are available on the Office’s website at www.privacy.gov.au/materials/types/infosheets?sortby=32.

      1.8.1 Telecommunications and E-Marketing Industry Codes

      The Telecommunications Act 1997 allows the telecommunications and e-marketing industries to develop industry codes. The codes are enforceable after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers the code.

      During the reporting period, the Office was consulted by the Communications Alliance in relation to the Mobile premium services industry code. The Office provided comments on privacy complaint handling, notice of collection of personal information and direct marketing.

      The Office was consulted by the Internet Industry Association (IIA) on the Internet industry spam code of practice. The Office provided comments on privacy complaint handling, disclosure of personal information and good privacy practice generally.

      Also in June 2009, IIA held a workshop on the development of a code for Internet Service Providers which the Office attended. The code is at an early stage of development and the Office anticipates further involvement in the development of the code in the second half of 2009.

      1.9 Voluntary Information Security Breach Notification Guide

      On 25 August 2008, the Office released its Guide to handling personal information security breaches (the Guide). This voluntary Guide sets out what the Office believes are the key steps and factors for agencies and organisations to consider when responding to a personal information security breach. This includes when it may be appropriate to notify individuals (and in some cases the Privacy Commissioner) of a breach.

      The Guide was released following an open consultation on a draft version during which the Office received 75 submissions from stakeholders.

      Since the Guide’s introduction the Office has received data breach notifications from private sector organisations and from government agencies. The Office has received positive feedback from business and government on the Guide with one agency using the Office’s Guide reporting that they received positive feedback from a client about how they dealt with a data breach.

      In its final report on privacy – For your information: Australian Privacy Law and Practice – the Australian Law Reform Commission recommended that the Privacy Act be amended to require notification of data breaches in certain circumstances. The Government intends to address this recommendation in the second tranche of privacy reforms. Until that time, the Office will continue to monitor the operation of the voluntary Guide and assess strengths and weaknesses that may have a bearing on the future development of legal provisions.

      The Office’s Guide to handling personal information security breaches is available at www.privacy.gov.au/materials/types/guidelines/view/6478.

      1.10 Information Sheets and FAQs

      The Office released seven Information Sheets for businesses and government agencies and two sets of frequently asked questions (FAQs) for individuals. Real estate FAQs were developed in response to common enquiries the Office had received about information handling practice within that industry. The other guidance material has been developed in response to issues raised by stakeholders during the Office’s Private Sector Review.

      The Information Sheets and FAQs were developed with the assistance of targeted stakeholder consultation. The feedback was generally positive, with stakeholders reporting that they considered the advice was clear and useful and that the examples were topical and well-considered. The guidance is summarised below.

      Spam and the Privacy Act (Information Sheet 26)

      This information sheet clarifies the interaction between the Privacy Act and the Spam Act 2003. It provides advice on the handling of personal information in electronic direct marketing activities. The information sheet also helps marketing businesses to better understand their obligations when it comes to privacy and spam messages.

      Data Quality – NPP 3 (Information Sheet 28)

      NPP 3 says that an organisation must take reasonable steps to make sure that the personal information it collects, uses and discloses is accurate, complete and up-to-date. This information sheet illustrates the key factors that organisations can consider when managing data quality, taking account of context and circumstances.

      Access and Correction – NPP 6 (Information Sheet 4 and FAQs)

      Under NPP 6, individuals can access information organisations hold about them and can have that information corrected if it is not accurate. The Information Sheet and FAQs provide guidance to businesses and individuals about establishing whether information is incorrect, correcting information, and providing access.

      Real Estate (FAQs)

      These FAQs help individuals understand what practices by real estate agents are covered by the Privacy Act. They explain how real estate agents can collect, disclose, provide access to, and correct their personal information. They also explain what residential tenancy database operators are required to do under the Privacy Act.

      Portable Storage Devices and Personal Information Handling

      As part of its role in responding to evolving and emerging technologies, the Office has released Public Sector Information Sheet 3: Personal Information Handling and Portable Storage Devices. Portable storage devices (PSDs) include USB keys, laptops/notebooks, personal digital assistants (e.g. Pocket PC, Palm, BlackBerry), and devices with in-built accessible storage (e.g. MP3 players, iPods, mobile phones).

      The information sheet was developed following a survey on PSD use conducted on behalf of the Office. This indicated that PSDs are widely used across Australian Government agencies and that there is some room for agencies to improve their practices in this area.

      The information sheet assists agencies to better manage personal information that may be stored or handled on PSDs in the work environment and while working remotely. It also aims to help agencies covered by the Privacy Act to meet their storage and security obligations under the Information Privacy Principles.

      The information sheet was released by Senator the Hon John Faulkner, Cabinet Secretary and Special Minister of State, at a Breakfast Briefing for senior executives from both the public and private sectors during Privacy Awareness Week 2009. The information sheet is available on the Office’s website, and the Office is also providing hard copies to agencies that participated in the survey.

      Promoting Privacy

      2.1 Review of Performance

      Initiatives to promote privacy awareness among young people were a major feature of the Office’s promotional and educational work during 2008–09. This is in line with the Office’s commitment in its Strategic Plan to develop integrated strategies targeting key audiences such as youth.

      The Office developed a publication, private i, a 12-page magazine-style booklet that blends attractive imagery and layout with content that is straightforward and of practical relevance to the age group. A major campaign will be undertaken in the second half of 2009 to ensure its widespread distribution and promotion to young adults nationally.

      During 2008–09, the Office also worked closely with its colleagues in the Asia Pacific Privacy Authorities (APPA) to produce an animated video for youth, warning of the dangers of social networking websites. Both private i and the video are available on the Office’s new youth portal, which also includes additional articles on privacy issues relevant to youth, links to guidance materials on youth privacy concerns, and teacher resources to accompany the animated video.

      The reporting period also saw ongoing efforts to provide privacy compliance professionals with the knowledge and resources to enhance privacy awareness and compliance within their own organisation or agency. This is in line with the goal in the Office’s Strategic Plan to create “increased awareness of privacy choices and obligations within the community”.

      In May 2009, the Office hosted for the first time a one day seminar for both private and public sector professionals, offering practical insights into contemporary privacy concerns. Additionally, the Office issued a range of publications providing guidance to privacy practitioners, held forums and workshops for privacy contact officers, and distributed promotional and other materials to organisations and agencies to assist them in their Privacy Awareness Week activities. The Office’s Government Privacy Contact Officer Network in particular has seen strong growth, with large attendances at its quarterly meetings.

      Recognising the good privacy practices of organisations and agencies was another feature of 2008–09, with the hosting of the inaugural Australian Privacy Awards and Medal. The first of their kind in the world, the Awards meet the Office’s Strategic Plan commitment to acknowledging, rewarding and encouraging good privacy practices across businesses, government agencies, and the not-for-profit sector. The Medal honours an individual who has made a substantial contribution to the privacy field. There were many nominations and a strong level of interest from across the community in the programs, and the Office hopes to build on this success with its second Awards and Medal programs in 2009.

      The Office has also maintained its efforts in facilitating media liaison, producing privacy news publications PriNet and Privacy Matters, and overseeing the redevelopment of the Office’s website (to launch in the second half of 2009). The Office continues to serve as the secretariat for APPA, to play an active role in Privacy Authorities Australia, and to contribute to a number of working groups under the aegis of the International Conference of Data Protection and Privacy Commissioners.

      2.2 Privacy Website

      The Office’s website (www.privacy.gov.au) plays a very important role in helping the Office achieve the goals set out in its 2008–09 Strategic Plan. The website continues to be the critical hub for the communication of the Office’s privacy messages. The site is kept up-to-date with information relating to the activities of the Office, provides privacy information generated by the Office and links to other privacy information sources. The Office also designs, develops and maintains the Asia Pacific Privacy Authorities’ Privacy Awareness Week website (www.privacyawarenessweek.org).

      Website redevelopment

      To ensure that the website remains effective as the Office’s central communications hub, the Office was, at the end of the reporting period, in the final stage of testing its newly redeveloped website. This has been a significant and important project, especially since the last major website redevelopment was completed when the private sector provisions commenced in 2001.

      Some of the improvements to the new site include:

      Website traffic

      It was reported in the last Annual Report that the Office’s website may have been affected by ‘fraudulent’ traffic to the site, resulting in an unexpected increase in the reported page views. During this reporting period, the Office implemented a number of mitigation measures which have reduced this fraudulent traffic significantly, resulting instead in a larger than expected decrease in page views. The Office has been unable to accurately identify the percentage of traffic that was fraudulent. However, with the launch of its new website, the Office expects to be able to improve the way website statistics are collated in 2009–10 and beyond.

      Table 2.1 shows the number of sessions and page views for the privacy website for each of the last three financial years.

      Table 2.1 Sessions and Page Views for the Privacy Website

                      2006–07      2007–08      2008–09      Variation 2007–08 to 2008–09
      Sessions        1 953 316    1 995 227    1 491 269    - 503 958
      Page views      6 183 973    8 425 262    7 392 718    - 1 032 544

      As noted above, measures taken to mitigate fraudulent traffic resulted in a larger than expected decrease in the website statistics. Sessions (i.e. individual visits to the website) decreased by 503 958 during 2008–09 (a 25% decrease). Page views (i.e. the number of pages looked at during sessions) decreased by 1 032 544 (a 12% decrease). It is possible that the fraudulent activity may have had an impact on statistics reported in previous annual reports.

      2.3 Privacy Awards and Medal

      The Australian Privacy Awards and Australian Privacy Medal were developed by the Office in 2008 as a way of acknowledging, rewarding and encouraging good privacy practices across the public and private sectors.

      The Awards and Medal were presented at a gala dinner in Sydney on 27 August 2008, during Privacy Awareness Week, which was attended by privacy professionals and representatives from the corporate, public and community sectors and the media. The event featured a keynote address by Senator the Hon John Faulkner, Cabinet Secretary, a video message from High Court Justice Michael Kirby, and a welcome by Karen Curtis, the Australian Privacy Commissioner.

      Awards were presented in four categories, with a Grand Award presented to the most outstanding entry from any of the categories. Award entrants were asked to nominate their overall work or a privacy-related project, initiative, campaign or system. They were required to address three judging criteria in their nominations. These were:

      The judging panel assessed each nomination according to these criteria, and selected a category winner and a ‘highly commended’ nomination. Table 2.2 shows winning entries and who received a ‘highly commended’.

      Table 2.2 Australian Privacy Awards Category Winner and Highly Commended

      Category                                  Winner                                            Highly commended
      Grand Award                               Medicare Australia
      Symantec Government Award                 Child Support Agency                              Kingston City Council (Victoria)
      Large Business Award                      Telstra Corporation                               Sony Australia
      Microsoft Small-Medium Business Award     Data Solutions Australia                          StudentNet
      Community and NGO Award                   NSW Branch of the Australian Dental Association   Australian Privacy Foundation

      The judging panel also selected a recipient for the Medal. The Hon Justice Michael Kirby AC CMG was awarded the Medal for outstanding achievement in advancing privacy in Australia for more than 30 years.

      The members of the judging panel were: the Privacy Commissioner Karen Curtis, Craig Scroggie, Vice President and Managing Director Pacific Region of Symantec Corporation, and Privacy Advisory Committee members John O’Brien and Joan Sheedy.

      The Office secured sponsorship totalling $47 500 from the following organisations for the 2008 Awards program: Symantec (Major Sponsor), Microsoft (Major Sponsor), Clayton Utz (Executive Sponsor), and Australian Finance Conference (Sponsor).

      Following on from the high level of interest in the inaugural Australian Privacy Awards and the Australian Privacy Medal in 2008, the Office is again hosting the programs in 2009. They were launched at a luncheon in Sydney with the Hon Michael Kirby AC CMG, on 6 May 2009, during Privacy Awareness Week. The 2009 Awards and Medal are open to small, medium and large sized businesses, community groups, not for profit organisations, non-government organisations, and government agencies at a local, state and national level. Nominations close in August 2009 and presentations will be made to the winners at a gala dinner in November.

      A total of $40 000 was secured for sponsorship of the 2009 Awards from Symantec (Major Sponsor), Clayton Utz (Executive Sponsor), Microsoft (Sponsor), and the Child Support Agency (Sponsor).

      The 2009 Awards and Medal will be further reported on in 2009–10.

      2.4 Privacy Awareness Week

      Privacy Awareness Week (PAW) is an annual promotion coordinated by the members of the Asia Pacific Privacy Authorities (APPA). The week provides an opportunity for organisations and agencies in APPA jurisdictions to promote awareness of privacy rights and responsibilities to staff, clients, and the wider community. During 2008–09, the Office celebrated PAW from 24–30 August 2008, and again from 3–9 May 2009. PAW was moved from August to May to allow APPA members from the northern hemisphere to increase their participation in the initiative.

      During PAW 2008, the Office released its Guide to Handling Personal Information Security Breaches, along with private sector information sheets for organisations on the interaction between the Privacy Act and the Spam Act. A step-by-step guide to conducting internal investigations of privacy complaints for organisations and Australian and ACT Government agencies was also released.

      As part of celebrating 20 years of the Australian Privacy Act, the inaugural Privacy Awards gala dinner was held during PAW 2008 (see separate report at section 2.3).

      To celebrate PAW 2008, APPA members conducted an international privacy competition as a joint initiative. The competition was targeted at secondary school students and asked them to create and submit a two minute video about privacy and what it means to them. The winners were selected by the APPA Commissioners for their excellent communication of privacy issues that affect young people. Entrants from Hong Kong were awarded prizes for first, second and third place. The APPA Commissioners were very impressed by the variety and professionalism of many of the entries and really enjoyed gaining some insight into how young people view privacy.

      For PAW 2009, the Office produced a magazine-style publication for young people, entitled private i, and held a successful Privacy in Practice seminar in Sydney for compliance, risk management, and legal and regulatory affairs professionals (see sections 2.4.1 and 2.4.2 for further information).

      The Office also released a number of guidance materials, including information sheets on data quality, and access and correction of personal information for private sector organisations, while a series of FAQs on correction of personal information and dealing with real estate agents were produced for individuals. The Office released its report on the use of portable storage devices in the Australian public sector, and an information sheet on handling portable storage devices for the public sector (see section 3.9 for further information).

      The APPA members again decided to target young people in their joint initiative for 2009, producing an animated video warning of the consequences of uploading personal information online. The key message of the video was “Think before you upload. Once it’s out there, it’s everywhere!”

      PAW serves to increase awareness of privacy choices and obligations within the community, assisting the Office to meet its goals set out in 2007–09 Strategic Plan. It also gives the Office the opportunity to develop robust relationships with Australian organisations, agencies, NGOs and the wider community, while strengthening the Office’s formal links with APPA members.

      An International Working Group is currently exploring the possibilities for establishing an International Privacy/Data Protection Day or Week (see section 2.9.4.1 for further information). The Office will celebrate PAW 2010 in the first week of May, and the event will continue to be an APPA-wide initiative. The Office maintains APPA’s PAW website at www.privacyawarenessweek.org.

      2.4.1 Targeting Youth

      During 2008–09, the Office launched a major privacy awareness initiative tailored to young people, recognising that this audience generally has a comparatively low level of privacy awareness. Research undertaken both internationally and locally shows that young people do value their privacy, but many neglect to take the necessary precautions to safeguard their personal information. In Australia, the Office’s Community Attitudes Survey 2007 found that young people (18–24) are less aware of the Privacy Commissioner and privacy laws than older Australians. It also revealed that younger people are more trusting of organisations and are more willing to provide them with their personal details. The importance of this audience as a focus for the Office is highlighted in its Strategic Plan 2007–09, which includes the action item of ‘Developing and implementing communication plans targeting key audiences, for example, young people’.

      The Office launched its publication for 18–24 year olds, private i in May 2009, during Privacy Awareness Week. Consisting of a hard copy magazine-style booklet, as well as an electronic copy on the Office’s youth portal, private i addresses a range of privacy issues of relevance to young adults and seeks to build awareness of the Office and its website as a resource for young people. Issues covered include: online social networking, identity theft, the scanning of identity documents at pubs and clubs, ‘blacklists’, online shopping, dealing with telemarketers, and responding to requests for personal information.

      The publication will be distributed via a number of online and hard copy communication channels.

      The Office also produced an animated video for youth in conjunction with other members of the Asia Pacific Privacy Authorities. Launched during Privacy Awareness Week 2009, the video warns of the consequences of uploading personal information online. The key message of the video is: “Think before you upload. Once it’s out there, it’s everywhere!”

      Both private i and the animated video are available at www.privacy.gov.au/topics/youth.

      2.4.2 Privacy in Practice Seminar

      The Office hosted a seminar on 6 May 2009 during Privacy Awareness Week, to provide compliance, legal and regulatory affairs, and risk management professionals with practical insights into promoting and enhancing privacy compliance. Held in Sydney, the seminar brought together some 180 professionals from across the private and public sectors for an intensive, full-day event aimed at enhancing compliance techniques.

      Presentations were delivered by privacy practitioners, regulators and consultants, and provided key approaches to and practical examples of best practice in privacy. Topics included: Privacy Impact Assessments, training and motivating staff in privacy, data breach notification, selling privacy to stakeholders, and dealing with the Office.

      The keynote address was delivered by the Hon Michael Kirby AC CMG, who also launched the 2009 Australian Privacy Awards and Medal programs (see section 2.3 for further information).

      The Office received $4 950 in sponsorship from the National Australia Bank for the seminar.

      2.5 Publications

      The Office released a number of new publications and other materials during 2008–09.

      As part of Privacy Awareness Week (PAW) in August 2008, a major release was the Guide to Handling Personal Information Security Breaches. The Guide provided targeted privacy advice to businesses, agencies and non-government organisations about preventing and, if necessary, responding to a data breach. The Guide was developed following extensive consultation with a range of stakeholders and incorporates illustrative examples to assist in circumstances such as whether notification is an appropriate response. See section 1.9 for further information. 

      As outlined in section 2.4.1, community attitudes research conducted by the Office in 2007 showed that 18–24 year olds are less familiar with their privacy rights than older Australians, and all too few are armed with the knowledge to exercise their privacy rights. In response to this, the Office launched a magazine-style publication for young adults during PAW in May 2009. The publication, private i, was produced to help educate young people about privacy. The publication and youth portal can be accessed at: www.privacy.gov.au. See section 2.4.1 for further information.

      During PAW 2009, the Office also released a report on portable storage devices and Australian Government agencies. The research findings were launched by Senator the Hon John Faulkner, the then Special Minister of State and Cabinet Secretary, at a forum for senior public servants. Conducted by Orima Research on behalf of the Office during March and April 2009, the research involved a survey of 94 Australian Government agencies (see section 3.9 for further information).

      The Office also continued to publish Privacy Matters - its accessible and easy-to-read quarterly newsletter, which keeps stakeholders up-to-date with important Office-related and other privacy developments. The newsletter complements the work the Office already does through its various stakeholder networking strategies and assists the Office in its Strategic Plan goal of increasing awareness of privacy choices and obligations within the community.

      Subscription to Privacy Matters is available through the Office’s website at www.privacy.gov.au/news/subscribe.

      The Office produced a range of other publications, including information sheets and answers to frequently asked questions on a variety of privacy-related topics (see section 1.10 for further information). All of the Office’s other publications are available online at www.privacy.gov.au/materials.

      2.6 Networks

      2.6.1 Privacy Connections

      As part of its Privacy Connections network for privacy professionals in the private sector, the Office continues to hold events in various cities featuring prominent speakers addressing privacy-related issues.

      The events assist in:

      In September 2008, the Office, in association with the Australian Insurance Law Association – WA Branch, held a workshop in Perth for compliance professionals in the insurance sector at which case studies were presented.

      A seminar was held for compliance professionals on 6 May 2009, during Privacy Awareness Week, providing practical insights into promoting and enhancing privacy compliance (see section 2.4.2 for further information).

      Privacy Connections had 711 members as at 30 June 2009. Information about Privacy Connections is available at www.privacy.gov.au/business/privacyconnections.

      2.6.2 Government Privacy Contact Officer Network

      The Office manages a network of Privacy Contact Officers (PCOs) from Australian and ACT Government agencies and hosts four meetings a year. The meetings enhance the Office’s relationship with other government agencies as they enable PCOs to meet directly with the Commissioner and hear about the Office’s activities and other privacy related issues, such as privacy law reform.

      The network plays an important role in meeting the Office’s Strategic Plan goal of cultivating robust relationships. The network has been tailored to play an educative role in informing PCOs of their compliance obligations and discussing international developments in privacy regulation.

      Attendance was consistent over the reporting period at approximately 70 people per meeting, reflecting continued interest in the network.

      The Office invited external speakers to address the PCOs, including representatives from Medicare Australia, the Department of the Prime Minister and Cabinet and the Child Support Agency.

      The network provides a crucial link between agencies and the Office, particularly for the purposes of managing privacy complaints and discussing ways to enhance privacy cultures in agencies.

      2.6.3 Privacy and Consumer Advocates

      The Office held meetings with privacy and consumer advocates in November 2008 and June 2009. A range of matters were discussed, including developments from the Office’s policy, compliance and corporate and public affairs areas, and the Government’s response to the Australian Law Reform Commission’s report on privacy law and the proposed Office of the Information Commissioner.

      2.7 Media

      The Office received 151 media enquiries during 2008–09. This is down from the 190 enquiries received in 2007–08. Of the 151 enquiries, 88 were from print media, 45 from radio stations, 12 from television, and 6 from news websites.

      The enquiries concerned a range of privacy-related issues, with the most common including:

      In most cases, background information on the issue or a comment was supplied to the journalist. Interviews were also conducted on various radio stations and television programs.

      The Office prepared 26 media releases during 2008–09.

      The Office has email lists for the distribution of media releases and for privacy-related news. There were 2512 subscribers to the media release email list and 1164 subscribers to the privacy news list as at 30 June 2009. Information about the lists is available at www.privacy.gov.au/news/subscribe.

      2.8 Speeches

      A key goal of the Office’s Strategic Plan is to increase awareness of privacy choices and obligations within the community. Speeches are an important element of achieving this goal.

      During 2008–09, the executive and senior staff of the Office delivered 41 speeches or presentations. The speeches and presentations covered a range of privacy-related issues including privacy law reform, the Government’s proposed changes to privacy in Australia, anti-money laundering and data breach notification.

      2.9 International Liaison

      2.9.1 Asia Pacific Economic Cooperation

      In 2004, the Asia Pacific Economic Cooperation (APEC) Privacy Framework was adopted by APEC leaders, in recognition of the importance of developing effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth in the APEC region.

      In September 2007, APEC economies endorsed a ‘pathfinder’ for international implementation of the APEC Privacy Framework. The APEC Data Privacy Pathfinder (the Pathfinder) facilitates development of a framework for accountable flows of personal information across borders, focusing on the use of cross-border privacy rules by organisations. The Pathfinder also aims to support this cross-border privacy rules system with a framework of cross-border cooperation in the enforcement of information privacy.

      The Pathfinder Implementation Work Plan consists of nine key projects, three of which are being led by the Office. Those three projects include the development of a:

      During 2008–09, the Office continued the development of draft documents for these three projects, in consultation with the project working groups. These drafts will be submitted for endorsement at the next meeting of the Data Privacy Subgroup to be held in Singapore in July 2009.

      2.9.2 Organisation for Economic Cooperation and Development

      During the reporting period, the Office provided input to the Organisation for Economic Cooperation and Development’s (OECD) Working Party on Information Security and Privacy (WPISP) via the Department of Broadband, Communications and the Digital Economy.

      WPISP has been doing work to highlight to policy makers the importance of managing digital identities in a secure, efficient, privacy-protective, and interoperable manner. Part of this work has involved the development by WPISP of a ‘primer’ for policy makers on the management and protection of digital identities. The Office provided input into the development of the primer and will continue to engage in the identity management work of WPISP.

      The Office also provided input into the development of ‘country factsheets’ by the OECD’s Public Governance Committee. The factsheets cover recent developments and practices in the public governance of OECD countries. The Office provided information about the review of the Privacy Act by the Australian Law Reform Commission.

      2.9.3 Asia Pacific Privacy Authorities

      Members of the Asia Pacific Privacy Authorities (APPA) forum include the Privacy and Information Commissioners of Australia (including NSW, Victoria and the NT), New Zealand, Hong Kong, South Korea and Canada (including British Columbia).

      APPA meets twice a year, with the venue and host rotating among members. The meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA members. Commissioners also have the opportunity to exchange knowledge and experiences regarding privacy regulation across different jurisdictions.

      In November 2008, the Office of the Victorian Privacy Commissioner hosted the 30th APPA Forum in Melbourne. At this meeting, a joint APPA project was initiated to develop a video for youth on social networking and privacy. This video was launched during Privacy Awareness Week in May 2009 (see section 2.4 for further information).

      The 31st Forum was held in June 2009, hosted by the Office of the Privacy Commissioner for Personal Data, Hong Kong. During this meeting the members renewed APPA’s Statement of Objectives to better reflect the co-operative aims of the forum, recognising the ever-changing needs of a dynamic and more globalised region.

      The Forum focused on developments in complaint-handling practices, employee monitoring in the workplace, and new technologies. Members resolved to continue to monitor these developments, and to share strategies for enhancing privacy protection and compliance across the region.

      Participation in APPA has facilitated the growth of significant relationships between the Office and other privacy authorities, one of the key goals of our Strategic Plan.

      The Office currently serves as the APPA secretariat and hosts the APPA webpage at www.privacy.gov.au/aboutus/international/appa.

      2.9.4 30th International Conference of Data Protection and Privacy Commissioners

      In October 2008, the Privacy Commissioner attended the 30th International Conference of Data Protection and Privacy Commissioners held in Strasbourg, France. The theme of the conference was ‘Protecting privacy in a borderless world’.

      The Privacy Commissioner was the moderator of a panel discussion titled ‘Security: towards a worldwide identification database’.

      Resolutions were made at the conference on matters including privacy protection in social networking services, exploring the establishment of an international privacy day or week and the establishment of a steering group on representation at meetings of international organisations. The Office is an active participant on a number of the resolutions (see section 2.9.4.1 for further information).

      To view the panel discussion or for more information, see the conference website at www.privacyconference2008.org.

      2.9.4.1 International Working Groups

      The Office is participating in four working groups established under resolutions adopted at the 29th and 30th International Conferences of Data Protection and Privacy Commissioners, including to:

      The Office is chairing the working group to explore establishing an international privacy/data protection day or week. As part of its efforts to identify a suitable date or dates for the initiative, the working group is consulting with privacy and data protection authorities and other external stakeholders. Based on the findings of this consultation, the working group will recommend to the next Conference a designated day or week, as well as suggestions for its coordination and scope.

      The working group examining the urgent need for protecting privacy in a borderless world, and for reaching a joint proposal for setting international standards on privacy and personal data protection, is being chaired by the Spanish Data Protection Authority. The Office has been involved in the work of this group mainly through the provision of comments on draft proposals.

      The steering group on representation at meetings of international organisations is being chaired by the New Zealand Privacy Commissioner’s office. This group is seeking to identify opportunities to promote principles of data protection and privacy at an international level, and explore the usefulness of obtaining observer representation (and, if appropriate, obtaining such representation) at meetings of committees or working groups of relevant international organisations.

      The website working group continues its mandate from the 29th International Conference, working towards the establishment of a permanent website for ongoing use by the Conference. The group, chaired by the British Columbian Office of the Information and Privacy Commissioner’s office, is working towards recommending a suitable platform for the website, and securing financial contributions from Conference members to cover maintenance costs.

      By participating in the International Conference and its related working groups, the Office is developing important relationships with international privacy forums, and works to address privacy issues at an international level. These are key aims of the Office’s 2007–09 Strategic Plan.

      For more information about the 30th International Conference and its resolutions, see the 2008 conference website at www.privacyconference2008.org.

      The 31st International Conference of Data Protection and Privacy Commissioners will be held in Madrid in November 2009.

      2.10 Privacy Advisory Committee

      The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act and members are appointed by the Governor-General. The PAC’s function, as outlined in s. 83 of the Privacy Act, is to advise the Commissioner on matters relevant to her functions and to engage in and promote protection of individual privacy in the private sector, government and community.

      The PAC maintains an active interest in the implementation of the Office’s Strategic Plan and provides feedback and advice on the goals and activities that are undertaken. During the reporting period the PAC has provided independent advice to the Office on a number of initiatives, including activities for Privacy Awareness Week, such as the Privacy in Practice seminar, the development and distribution methods for a dedicated youth publication, as well as advice on information sheets.

      In addition to the Privacy Commissioner, there are currently six members of the PAC. In March this year, Professor Christine O’Keefe was appointed and Associate Professor John O’Brien’s appointment was renewed. Both terms expire on 27 March 2011. Other members include Ms Joan Sheedy, Dr William Pring, Ms Suzanne Pigdon and Ms Robin Banks. Mr Peter Coroneos’ term expired on 17 November 2008. He served as a PAC member since 2002, and during his time on the Committee provided useful insight into the Office’s considerations of information communication technologies and their impact on privacy.

      2.11 Privacy Authorities Australia

      Privacy Authorities Australia (PAA) is a group of Australian privacy authorities who meet on a formal and regular basis to promote best practice and consistency of privacy policies and laws. The group was formed in April 2008 as a way to share information and promote privacy within Australia.

      PAA membership includes privacy representatives from all states and territories, as well as the Australian Privacy Commissioner and the Department of the Prime Minister and Cabinet. Two meetings were held during the reporting period. Topics discussed include data sharing issues and national consistency of privacy laws. Each jurisdiction rotates the hosting and secretariat responsibilities.

      The forum is an important mechanism for the Office to maintain key relationships with privacy regulators and other representatives who have a role in dealing with privacy issues in their jurisdiction.

      Chapter 3 Protecting Privacy

      3.1 Review of Performance

      The Privacy Commissioner’s role in protecting privacy is underpinned by a range of compliance activities, including a telephone and written enquiry service, investigating and resolving individual complaints, audit and data-matching activities and conducting ‘own motion’ investigations.

      During 2008–09 the Office sought to expand its activities particularly in audit work and ‘own motion’ investigations. The Office’s audit work is primarily focused on assisting agencies to test and improve their systems to enhance privacy outcomes for individuals.

      A particular initiative during the reporting period was our audit/survey of the use of portable storage devices (PSDs) by Australian Government agencies covered by the Privacy Act. The survey was undertaken in view of the increasing use of PSDs in Australia and reports of large scale breaches overseas involving loss of laptops, CDs and USB keys. (See section 3.9 for further information).

      ‘Own motion’ investigations allow the Office to be more proactive – identifying potential issues that may adversely affect privacy and working with organisations and agencies to minimise those impacts. Issues that have become the subject of ‘own motion’ investigations have been identified through contacts from individuals, the media and our own work in examining trends and developments, particularly in the wider uses of technology.

      Complaints from individuals continue to be a significant focus of our compliance activities. An increased number of telephone calls were taken during the year in review, while written enquiries and complaints remained at a level similar to the previous reporting period.

      The Office has also developed an information sheet (Private Sector Information Sheet 27), which is a step-by-step guide to handling privacy complaints for organisations. The information sheet is available on the Office’s website.

      Public Sector Information Sheet 2 provides a similar step-by-step guide for Australian and ACT Government agencies covered by the Privacy Act, and is also available on the Office’s website.

      The Office has continued to focus on staff development and training and stakeholder relationships, to help ensure best practice complaint handling, investigation and resolution.

      3.2 Responding to Enquiries

      3.2.1 Telephone Enquiries

      The Office’s telephone enquiry service (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The enquiry service answered 21 178 telephone enquiries in 2008–09. This is a 17% increase on the 18 059 calls received in 2007–08.

      Who is calling?

      The vast majority of calls continue to be from individuals seeking information about their privacy rights and advice about how to resolve privacy complaints.

      Table 3.1 below illustrates the top 10 types of callers who telephoned the Privacy Enquiries Line in 2008–09.

      Table 3.1 Source of Telephone Enquiries

      Caller type                                   Calls
      Individuals                                   17 894
      Health Service Providers                      404
      Australian Government                         384
      Legal, Accounting and Management Services     301
      Real Estate                                   248
      Finance                                       165
      Personal and Other Services – General         160
      State Government                              153
      Charities                                     119
      Retail                                        113

      What are calls about?

      Table 3.2 shows a breakdown of issues discussed in calls received during 2008–09.

      Of the calls received that related to privacy, about two-thirds concerned the National Privacy Principles (NPPs). The most frequently discussed issue continues to be the use and disclosure of personal information by private sector organisations. There has been an increase in calls relating to access and correction of information, the general application of the private sector provisions and the NPP exemptions, as well as in calls unrelated to privacy.

      The proportion of calls about Credit Reporting and the Information Privacy Principles (IPPs) remained fairly steady with only modest changes.

      Table 3.2 Breakdown of Issues in Calls Received

      Private Sector Provisions Issues                  Calls
      NPP 1 - Collection                                1363
      NPP 2 - Use and Disclosure                        2536
      NPP 3 - Data Quality                              236
      NPP 4 - Data Security                             768
      NPP 5 - Openness Issues (privacy statement)       159
      NPP 6 - Access and Correction                     1206
      NPP 7 - Identifiers                               17
      NPP 8 - Anonymity                                 6
      NPP 9 - Transborder Data Flows                    50
      NPP 10 - Sensitive Information                    114
      NPP Exemptions                                    1806
      Private Sector Provisions (General)               1186
      Sub-total                                         9447

      Non-Private Sector Provisions Issues              Calls
      Credit Reporting                                  936
      Surveillance                                      439
      Data-matching                                     52
      IPPs                                              852
      Spent Convictions                                 139
      Tax File Numbers                                  57
      Privacy (General)                                 3565
      Anti-Money Laundering                             16
      Do Not Call Register                              91
      Sub-total                                         6147

      Unrelated to privacy                              5584

      Total                                             21 178

      Who are National Privacy Principles calls about?

      Chart 3.1 shows the distribution of NPP telephone enquiries across the 10 private sector industry groups most often asked about.

      Chart 3.1 Private Sector Industry Groups to which Telephone Enquiries Relate

      chart 3.1

      Some examples of calls received during 2008–09 appear below.

      3.2.2 Written Enquiries

      The Office responds to requests for information that are received by email, letter or fax. The Office received 2078 written enquiries in 2008–09, which is a slight decrease on the number received in 2007–08 (2168).

      The Office is committed to responding to 90% of written enquiries in 10 working days. This benchmark was met in 2008–09, with 97% of written enquiries responded to in 10 working days or less.

      Of the written enquiries answered in 2008–09, 65% related to the private sector provisions. This is comparable with the proportion of private sector written enquiries received in 2007–08 (67%).

      Examples of the written enquiries received in 2008–09 appear below.

      3.3 Responding to Complaints

      Allegations about acts or practices that may be an interference with the privacy of an individual can be accepted by the Privacy Commissioner as complaints. This can, for example, include complaints about:

      3.3.1 Complaints received during 2008–09

      In 2008–09, the Office received a total of 1089 complaints across all areas of its jurisdiction. This is a slight decrease on the previous year (1126 were received in 2007–08).

      Complaints related to a wide variety of issues. Examples of complaints and their outcomes can be found on the Office’s website at www.privacy.gov.au/materials/types/casenotes?sortby=59.

      The percentage of complaints received about each Privacy Act jurisdiction is given in Chart 3.2. As has been the case since the Privacy Commissioner’s role was extended to the private sector, this sector continues to be the jurisdiction most commonly complained about, with nearly 60% of all complaints relating to the private sector. Please note that the percentages exceed 100% as some complaints contain more than one issue.

      Chart 3.2 Percentage of Complaints Received by Privacy Act Jurisdiction

      chart 3.2

      The particular issues that are most regularly complained about as a percentage of total complaints received in 2008–09 are described in Chart 3.3. Please note that the percentages exceed 100% as some complaints contain more than one issue.

      Chart 3.3 Key Issues in Complaints

      chart 3.3

      The most commonly complained about IPP issue continues to be use and disclosure, which made up 36% of IPP allegations. However, the next two categories swapped places. The collection of personal information is the second most common IPP allegation this year, making up 18% of allegations, having been third last year. Security dropped from second place to third, with 14% of allegations.

      It is interesting to note that the most common issues raised in IPP complaints no longer mirror the most common concerns in NPP complaints. In NPP complaints, security complaints still outnumber complaints about collection of personal information.

      Chart 3.4 shows the number of complaints made about each of the 10 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. The Office’s continuing view is that this is due to the volume of personal information transactions conducted by the sector and a reflection of the fact that the sector is bound by both the NPPs and the Credit Reporting provisions.

      There has also been an increase in complaints against Health Service Providers (up from 82 in 2007–08 to 116 in 2008–09) and a decrease in complaints against debt collectors and credit and tenancy databases (down from 121 in 2007–08 to 100 in 2008–09).

      Chart 3.4 Complaints by Government and Industry Sector

      chart 3.4

      3.3.2 Complaints closed during 2008–09

      Acts or practices that may be a breach of privacy can be investigated by the Privacy Commissioner. Where appropriate, the Commissioner may attempt to conciliate a resolution of the matters which led to the complaint.

      If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further. Otherwise, the Commissioner may make a determination about a complaint under s. 52 of the Privacy Act.

      In 2008–09, the Office closed 1357 complaints, 129 more than the 1228 complaints closed in 2007–08.

      The Office investigated more complaints under s. 40(1) of the Privacy Act and chose to summarily dismiss fewer complaints than in 2007–08. Table 3.3 provides more information about the stage at which complaints were closed.

      The Office aims to finalise all complaints within 12 months of receiving them. In 2008–09, complaints were closed in an average of eight months.

      Table 3.3 Stage at which Complaints Closed

      Stage                                   Proportion
      Investigation – s. 40(1)                       26%
      Preliminary enquiries – s. 42                  33%
      Decline to investigate – s. 41                 41%
      Total                                         100%

      3.3.2.1 Complaints closed following investigations

      In 2008–09, the Privacy Commissioner closed 26% of complaints following an investigation of the matter under s. 40(1) of the Privacy Act. The Privacy Commissioner came to the view that the complaint would likely be upheld in about 46% of these cases. Common resolutions after the investigation proceeded to conciliation included:

      Table 3.4 Grounds for Closing Complaints Following an Investigation

      Ground                                                                          NPPs  IPPs  Credit  Spent Convictions  TFNs  ACT IPPs  Total
      No interference with privacy – s. 41(1)(a)                                        95    39      31                  1     0         2    168
      Respondent has adequately dealt with complaint – s. 41(2)(a)                     114    22      25                  1     0         1    163
      Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b)      3     1       3                  0     0         0      7
      Other (for example, withdrawn)                                                    32     5      18                  0     0         1     56
      Total                                                                            244    67      77                  2     0         4    394


      There were no determinations made in 2008–09. A determination is a legal decision or finding made by the Commissioner, as a consequence of which the Privacy Act’s enforcement powers (ss. 52–62) are activated. A determination may dismiss the complaint or find that the complaint has been substantiated, and make declarations about action needed (including that conduct should cease or not be repeated), the nature of redress and compensation, or that no further action is needed.

      Table 3.4 shows the grounds for declining to investigate complaints further following an investigation. Please note complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of investigations closed in 2008–09.

      Overall, the Commissioner found that about 61% of the National Privacy Principle complaints and about 57% of Credit Reporting complaints investigated under s. 40(1) of the Privacy Act were substantiated. The Commissioner was less likely to find a complaint substantiated after investigating allegations about the Information Privacy Principles, with less than 41% of these complaints upheld. Overall there was a notable increase in substantiated complaints across all sectors from 2007–08 with substantiated NPP complaints up from 40%, credit reporting up from 50% and IPPs up from 20%.

      Staff training and greater efficiencies contributed to the increased number of completed investigations in 2008–09.

      3.3.2.2 Nature of remedies achieved by conciliation following investigation

      Table 3.5 provides more detail on the outcome of complaints that were closed as adequately dealt with following investigation under s. 40(1) of the Privacy Act. Please note that more than one resolution may have been reached for a particular complaint, meaning that the total listed in Table 3.5 is not equal to the total number of complaints.

      Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation

      Remedy                                      NPPs  IPPs  Credit  Spent convictions  ACT IPPs  Other  Total
      Records amended                               15     3      15                  0         1      1     35
      Apology                                       53    18       2                  1         0      1     75
      Changed procedures                            26     3       2                  1         0      0     32
      Access provided                               23     0       2                  0         0      0     25
      Staff training*                               16     0       0                  0         0      0     16
      Counselled staff*                              8     3       0                  0         0      0     11
      Other remedy*                                 22    10       6                  1         0      0     39
      Compensation – up to $500                     16     1       2                  0         0      0     19
      Compensation – $501 – $2000                   14     2       2                  0         0      0     18
      Compensation – $2001 – $20 000                12     1       0                  0         0      0     13
      Compensation – $20 000+                        2     0       0                  0         0      0      2
      Compensation – confidential settlement         2     1       1                  0         0      0      4
      Total                                        209    42      32                  3         1      2    289

      *These three headings were reported together under the heading ‘Other remedy’ in the Office’s 2007−08 Annual Report.

      This year saw a change in the most common remedy in investigated complaints: a significant increase in the number of apologies for NPP and IPP complaints made apology the most common remedy.

      Staff training and counselled staff were reported under ‘other remedy’ in last year’s report. Together those three categories remain the second most common outcome. This year, compensation dropped to the third most common remedy. Compensation was paid in just under 20% of investigations, a drop from last year’s 30%.

      3.3.2.3 Complaints closed following preliminary enquiries

      The Privacy Act authorises the Privacy Commissioner to conduct preliminary enquiries to determine whether the Commissioner has the power to investigate or should exercise a discretion not to investigate a matter further. For instance, a preliminary enquiry may seek to determine:

      In 2008–09, the Commissioner closed 33% of complaints after preliminary enquiries. Table 3.6 provides more detail on the basis for closing complaints following preliminary enquiries. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of preliminary enquiries closed in 2008–09.

      Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries

      Basis                                                                           NPPs  IPPs  Credit  TFNs  ACT IPPs  Other  Total
      Not the privacy of the complainant – s. 36(1)                                      8     1       0     0         0      1     10
      Did not specify a respondent – s. 36(5)                                            3     0       0     0         0      0      3
      Complaint not raised with respondent – s. 40(1A)                                  10     4       5     0         0      0     19
      No interference with privacy* – s. 41(1)(a)                                      177    31      27     0         2     10    247
      Frivolous, vexatious, misconceived or lacking in substance – s. 41(1)(d)           1     2       0     0         1      0      4
      Is being dealt with under another law – s. 41(1)(e)                                8     0       3     0         0      0     11
      Respondent has adequately dealt with the matter – s. 41(2)(a)                    105    11      48     0         0      1    165
      Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b)     17     1      12     0         0      0     30
      Other (for example, withdrawn)                                                    31     1      15     1         0      2     50
      Total                                                                            360    51     110     1         3     14    539

      * This includes matters that fall outside the Commissioner’s jurisdiction, for example the respondent is a state government body.

      The most common reason for closing complaints after preliminary enquiries continues to be a finding that the individual’s privacy had not been interfered with (46%).

      3.3.2.4 Nature of remedies achieved following preliminary enquiries

      In the process of conducting preliminary enquiries, the Commissioner may find that the respondent has adequately dealt with the matter, or may be able to resolve the cause of the complaint through conciliation. Table 3.7 gives further detail about the types of resolutions achieved following preliminary enquiries. Please note that more than one remedy may have been achieved for a particular complaint, meaning the total listed in Table 3.7 is not equal to the total number of complaints.

      Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries

      Remedy                                      NPPs  IPPs  Credit  TFN Guidelines  ACT IPPs  Other  Total
      Records amended                               25     4      36               0         0      0     65
      Apology                                       22     4       2               0         0      0     28
      Changed procedures                            10     1       1               0         0      0     12
      Access provided                               38     1       1               0         0      1     41
      Staff training*                                2     1       0               0         0      0      3
      Counselled staff*                              3     0       0               0         0      0      3
      Other remedy*                                 17     3      13               0         0      2     35
      Compensation – confidential settlement         0     0       0               0         0      0      0
      Compensation – up to $500                     10     1       0               0         0      0     11
      Compensation – $501 – $2000                    4     1       0               0         0      0      5
      Compensation – $2001 – $20 000                 4     0       3               0         0      0      7
      Compensation – $20 000+                        0     0       0               0         0      0      0
      Total                                        135    16      56               0         0      3    210

      *These three were reported together under the heading ‘Other remedy’ in the 2007–08 Annual Report.

      Amendment of records continued to be the most common resolution following preliminary enquiries. Staff training and counselled staff were reported under ‘other remedy’ in last year’s report. Together those three categories remain the second most common outcome. Compensation was paid in approximately 15% of complaints.

      3.3.2.5 Complaints closed without investigation

      In 2008–09, the Privacy Commissioner closed 41% of complaints by exercising a discretion not to investigate (or ‘decline’) the complaint without investigating or making preliminary enquiries.

      The most common reasons for closing complaints without investigation were:

      Table 3.8 shows, in more detail, the grounds upon which these complaints were closed without investigation. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of complaints closed without investigation in 2008–09.

      Table 3.8 Basis for Closing Complaints Without Investigation or Preliminary Enquiries

      Basis                                                                           NPPs  IPPs  Credit  ACT IPPs  Other  TFN  Total
      Not the privacy of the complainant – s. 36(1)                                     30     5       1         0     28    0     64
      Did not specify a respondent – s. 36(5)                                            2     2       0         0     15    0     19
      Complaint not raised with respondent – s. 40(1A)                                  67    25      14         0      3    1    110
      No interference with privacy* – s. 41(1)(a)                                      112    35      18         1     66    0    232
      Aware of complaint for over 12 months – s. 41(1)(c)                                5     2       4         0      0    0     11
      Frivolous, vexatious, misconceived or lacking in substance – s. 41(1)(d)           1     3       1         0      5    0     10
      Is being dealt with under another law – s. 41(1)(e)                                5     0       1         0      0    0      6
      Another law is more appropriate – s. 41(1)(f)                                      6     6       0         0      3    0     15
      Respondent has adequately dealt with the matter – s. 41(2)(a)                     18     2       4         0      0    0     24
      Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b)     50    11      10         0      4    0     75
      Other (for example, withdrawn)                                                     7     1       4         0      2    0     14
      Total                                                                            303    92      57         1    126    1    580

      * This includes matters that fall outside the Commissioner’s jurisdiction, for example the respondent is a state government body.

      3.3.2.6 Compliance issues in National Privacy Principle complaints

      The issues raised in complaints against private sector organisations that the Privacy Commissioner investigated and closed as adequately dealt with are set out in Chart 3.5. Please note that complaints can have more than one issue, therefore the total number of issues will exceed the total number of complaints.

      Chart 3.5 Issues in NPP Complaints Resolved by the Respondent

      chart 3.5


      Data security is again the most common NPP compliance issue in complaints resolved by private sector organisations during 2008–09. The next most common issues are improper use and improper disclosure of personal information, followed by data quality. Of interest is the increase in complaints about refusal of access to personal information in health records, up from only 15 complaints last year.

      3.3.2.7 Compliance issues in Information Privacy Principle complaints

      The issues raised in complaints against Australian and ACT Government agencies, where the agency took action after preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.6. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

      Chart 3.6 Issues in IPP Complaints Resolved by the Respondent

      chart 3.6


      In 2008–09, disclosure (IPP 11) and security (IPP 4) continued to be the most prevalent IPP complaint issues. However, the issue of improper collection has increased in prominence. Other complaint issues have remained relatively constant.

      3.3.2.8 Compliance issues in credit reporting complaints

      The issues raised in complaints against credit providers or credit reporting agencies, where the respondent took action following preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.7. Please note that complaints can have more than one issue, therefore the total number of issues will exceed the total number of complaints.

      Chart 3.7 Issues in Credit Reporting Complaints Resolved by the Respondent

      chart 3.7

      For the first time, disputed default listings and inaccuracy of a consumer credit file have tied as the most commonly raised and corroborated credit reporting issue. This is due to a slight increase in the number of complaints resolved by the respondent where the issue was the accuracy of consumer credit information files. Accuracy issues include a credit reporting agency linking an individual’s credit file with the credit file record of another person. The number of credit reporting complaints resolved by the respondent where a listing was disputed has remained steady.

      Complaints under the ‘other’ category remain constant. Issues in this category include where a credit provider discloses information about an individual from a credit report.

      3.4 Reports of Complaints under Approved Codes

      The Privacy Act allows for organisations or groups of organisations to develop privacy codes. If approved by the Privacy Commissioner, these codes replace the National Privacy Principles as the legally enforceable privacy standards for those organisations. At 30 June 2009, there were three approved privacy codes (see Table 3.9).

      Table 3.9 Approved Codes under the Privacy Act

      Code Title: Queensland Club Industry Privacy Code
        Code Adjudicator: Privacy Commissioner
        Monitoring / Reporting Responsibility: Clubs Queensland and the Privacy Commissioner
        Date Came into Effect: 23 August 2002

      Code Title: Market and Social Research Privacy Code
        Code Adjudicator: Privacy Commissioner
        Monitoring / Reporting Responsibility: Association of Market and Social Research Organisations and the Privacy Commissioner
        Date Came into Effect: 1 September 2003

      Code Title: Biometrics Institute Privacy Code
        Code Adjudicator: Privacy Commissioner
        Monitoring / Reporting Responsibility: Biometrics Institute and the Privacy Commissioner
        Date Came into Effect: 1 September 2006

      The Privacy Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the Office under any of the approved codes in 2008–09.

      The Privacy Commissioner is required to maintain a register of approved codes under s. 18BG of the Privacy Act. The register can be found on the Office’s website at www.privacy.gov.au/business/codes.

      3.5 Complaints and Enquiries Statistics on www.privacy.gov.au

      Statistical information published on the Office’s website gives an overview of complaints and enquiries received by the Office. Updates published on the Office’s website include the number of complaints, telephone and written enquiries received.

      These are available at www.privacy.gov.au/complaints/statistics.

      3.6 Case Notes

      The Privacy Commissioner publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints. The purpose of these case notes is to provide an insight into how privacy principles are being applied in order to:

      In 2008–09, the Office published 18 case notes about complaints under the National Privacy Principles, Information Privacy Principles and other areas of the Privacy Act.

      Some situations illustrated by the case notes include:

      The case notes are accessible on the Office’s website at www.privacy.gov.au/materials/types/casenotes?sortby=59, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (Austlii) website at www.austlii.edu.au/au/cases/cth/PrivCmrA.

      3.7 Own Motion Investigations

      Section 40(2) of the Privacy Act gives the Privacy Commissioner the power to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Commissioner considers it desirable. The Office calls these investigations ‘own motion’ investigations.

      3.7.1 Issues in Own Motion Investigations

      During 2008–09, 83 new matters involving alleged interferences with privacy were brought to the attention of the Office. The sources of this information varied, and included calls to the Privacy Enquiries line, letters from individuals, and systemic issues identified through complaints or media coverage. This compares to 81 matters in 2007–08. The Office took steps to contact the organisations and agencies involved in the alleged act or practice in about 72% of cases.

      The Office uses risk assessment criteria to determine whether to investigate a matter. These criteria include the:

      The allegations investigated by the Office in 2008–09 included that:

      3.7.2 Outcomes of Own Motion Investigations

      In the majority of investigated cases where the Privacy Commissioner found the allegations to be substantiated, the respondent dealt with the issue raised, either on its own initiative or following the Office’s suggestions.

      Actions taken have included written notifications to affected individuals, apologies, retrieval of records, changes in procedures, and staff training.

      3.8 Audits

      Under the Privacy Act, the Privacy Commissioner has powers to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits assist in determining and improving the degree of compliance with the Privacy Act. The Office conducts audits to promote best privacy practice and to reduce privacy risks across agencies.

      The Commissioner’s audit powers are set out in several sections of the Privacy Act:

      The Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, except at the request of the organisation under s. 27(3).

      The number of audits carried out by the Office has varied over the life of the Privacy Act depending on the nature and volume of privacy complaints and other priorities of the Office. In 2008–09 the Office undertook audits where it had received specific funding to do so. This is consistent with the approach taken by the Office since 2002–03.

      In an effort to promote transparency in the Office’s audit work and to help promote good privacy practice, the Office has published the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002 on its website (see www.privacy.gov.au/law/apply/audit). Some audit reports have classified content and as such have been withheld from publication or have been published in an abridged form.

      3.8.1 Audit Activities in 2008–09

      3.8.1.1 ACT Government Audits

      The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3 for further information) which includes a commitment by the Office to conduct at least two audits of ACT Government agencies per financial year. The Office selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

      Table 3.10 shows audits of ACT Government agencies commenced and/or finalised by the Office in 2008–09 under this arrangement.

      Table 3.10 ACT Government Audits Commenced and/or Finalised 2008–09

      Agency: Department of Education and Training
        Audit Scope: Student records (including student counselling and behavioural records)
        Commenced: February 2008
        Finalised: August 2008

      Agency: ACT Public Trustee
        Audit Scope: Client records, information technology, and physical security
        Commenced: November 2008
        Finalised: May 2009

      Agency: ACT Human Rights Commission
        Audit Scope: Complaint files, information technology, physical security and personnel records
        Commenced: November 2008
        Finalised: May 2009

      Agency: Department of Disability, Housing and Community Services
        Audit Scope: Complaint, property and registration files, information technology and personnel records
        Commenced: December 2008
        Finalised: In progress

      The Office found that the agencies generally had an appropriate level of compliance with the Information Privacy Principles. However, where privacy risks were identified or where better privacy practice could be instituted, the auditors made recommendations concerning those aspects of the agencies’ operations.

      Common audit recommendations covered:

      The majority of the Office’s recommendations were accepted by the audited agencies.

      3.8.1.2 Identity Security audits

      Under the Australian Government’s National Identity Security Strategy (NISS), the Office provides ongoing privacy advice to Government and key agencies in respect of projects delivered under the NISS. One project under the NISS relates to the National Document Verification Service (DVS).

      The DVS system allows authorised government agencies to verify, online and in real time, the authenticity of an individual’s Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that the:

      Lead responsibility for the development of the DVS rests with the Attorney-General’s Department. The National DVS Project Plan specifies that at least two aspects of the DVS system would be subject to a privacy audit by the Office during 2008–09.

      Table 3.11 shows details of the Identity Security audits commenced and/or finalised by the Office in 2008–09.

      Table 3.11 Identity Security Audits Commenced and/or Finalised 2008–09

      Agency: Dept. of Foreign Affairs and Trade; Dept. of Immigration and Citizenship; ACT Births, Deaths and Marriages; ACT Road User Services; Centrelink
        Audit Scope: Collection, storage, use, disclosure and security of personal information by ‘Issuer’ and ‘User’ agencies. Collection, storage, use, disclosure and security of personal information by Centrelink as DVS Hub operator, and security relating to the provision of messaging services for the DVS Hub.
        Commenced: February 2008
        Finalised: February 2009

      Agency: Dept. of Immigration and Citizenship
        Audit Scope: Collection, use, disclosure and security of personal information during DVS transactions undertaken as a ‘User’ and ‘Issuer’ agency.
        Commenced: December 2008
        Finalised: In progress

      Agency: Attorney-General’s Department
        Audit Scope: Review of guidance material developed to guide ‘User’ and ‘Issuer’ agency implementation of the DVS.
        Commenced: May 2009
        Finalised: In progress

      The finalised audit revealed that the personal information handled by the Department of Foreign Affairs and Trade, the Department of Immigration and Citizenship, the ACT Department of Births, Deaths and Marriages, ACT Road User Services and Centrelink in respect of the National DVS was generally compliant with the Information Privacy Principles in the Privacy Act.

      A number of recommendations were made for each participating agency to consider in terms of reducing possible future risks to privacy.

      3.8.1.3 Australian Customs Service Audits

      The Office currently has an agreement with the Australian Customs Service (see section 4.1.9 for further information) to provide ongoing policy advice and conduct two audits per financial year of various aspects of Customs’ use of Passenger Name Record (PNR) data.

      Table 3.12 shows details of the PNR audits commenced and/or finalised by the Office in 2008–09 under this agreement.

Table 3.12 Customs PNR Audits Commenced and/or Finalised 2008–09

Agency | Audit Scope | Commenced | Finalised
Australian Customs | Pre-flight assessment processing | February 2009 | In progress
Australian Customs | Service requests for information | June 2009 | In progress

      3.8.1.4 Biometrics for Border Control Audits

      The Office has been allocated funding under the Biometrics for Border Control program, which involves the Department of Foreign Affairs and Trade, Australian Customs Service and the Department of Immigration and Citizenship.

      The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing.

      Table 3.13 shows audits of Biometrics for Border Control projects commenced and/or finalised by the Office in 2008–09 under this funding.

Table 3.13 Biometrics for Border Control Audits Commenced and/or Finalised 2008–09

Agency | Audit Scope | Commenced | Finalised
Australian Customs | Smartgate Automated Border Processing | March 2008 | May 2009
Dept of Immigration and Citizenship | Collection and use of biometric identifiers in the Detention Centre Rollout project | May 2008 | June 2009

      The audits found that each agency’s handling of personal and biometric information under relevant projects was appropriate and consistent with each agency’s obligations under the Information Privacy Principles.

      Common audit recommendations covered:

      The majority of the Office’s recommendations were accepted by audited agencies.

      3.9 Portable Storage Devices Survey

      In early 2009, the Office commissioned Orima Research Pty Ltd to conduct an online survey of Australian Government agencies to identify how agencies are addressing the risks that portable storage devices (PSDs) pose to the management of personal information in the workplace.

      PSDs are small, lightweight, portable, easy to use electronic devices, which are capable of storing and transferring large volumes of data. A PSD may be either exclusively used for data storage (e.g. portable external hard drives, CDs/DVDs, USB keys) or may be capable of a range of other functions (e.g. laptops/notebooks, personal digital assistants (PDAs) such as Pocket PC, Palm, BlackBerry, and devices with in-built accessible storage such as MP3 players, iPods, and mobile phones).

      The survey was undertaken in the context of the increasing use of PSDs in Australia and reports of large scale breaches overseas involving loss of laptops, CDs and USB keys.

      The main objectives of the survey were to:

      The survey also provided a benchmark measure against which the future performance of Australian Government agency use of PSDs and their personal information handling practices can be compared.

      Survey data was collected between 10 March and 6 April 2009. The survey received a very positive response from agencies, with a total of 94 survey returns received out of 118 agencies that were sent survey invitations, representing a response rate of 80%.

      The survey questionnaire contained 99 questions and covered issues around:

      The results of the survey showed that:

      The use of privately owned PSDs in the workplace posed the greatest risk to the secure handling of personal information for agencies:

      The report outlining the results of the Portable Storage Devices and Australian Government Agencies: Personal Information Survey 2009 (PSD survey) was released during Privacy Awareness Week in May 2009. The report can be found at www.privacy.gov.au/materials/types/reports?filterby=Other_Reports&sortby=29.

The Office also developed guidance material to assist Australian Government agencies to better manage the risks posed by PSDs. The Public Sector Information Sheet 3 – Personal information handling and portable storage devices can be found at www.privacy.gov.au/materials/types/infosheets/view/6867.

      3.10 Personal Information Digest

      To help people understand what personal information is held by each Australian and ACT Government agency, Information Privacy Principle 5.3 in s. 14 of the Privacy Act requires agencies to keep a record detailing:

      These explanatory records must be provided to the Privacy Commissioner in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).

      The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website and the Office’s website. The Office published the PID for Australian Government agencies for the period ending June 2009 on its website at www.privacy.gov.au/government/digests.

      3.11 Government Data-matching

      Data-matching is the process of bringing together large data sets of personal information from different sources and comparing these data sets in order to identify any discrepancies.

      For example the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.

      The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises a number of privacy issues. To ensure that government agencies minimise their impact on individuals’ privacy while data-matching, the Office performs a number of functions.

      The Privacy Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines).

      Additionally, the Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998), which are voluntary guidelines to assist agencies not subject to the Data-matching Act, to perform data-matching programs in a privacy sensitive way.

      3.11.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines

      In order to detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans’ Affairs (DVA) and the Australian Taxation Office (ATO).

      The Data-matching Act and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines) outline the type of personal information that can be used, how it can be processed and how the results can be used. They also require that individuals be provided with the opportunity to dispute or explain any matches, and require that individuals have means for redress.

The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency. The Data-matching Act also makes the Commissioner responsible for monitoring the functioning of the statutory data-matching program. To this end, the Office runs inspections (see section 3.11.1.1 for further information).

      3.11.1.1 Inspections

      During 2008–09 the Office inspected Centrelink’s handling of a sample of data-matching cases in three regions. The regions inspected were as follows:

      Representatives of the Office, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each of the inspections, a report is prepared and provided to Centrelink outlining the findings.

The Office found that Centrelink’s processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act. Additionally, the Area offices’ procedures were also assessed as being generally compliant with the requirements of the Privacy Act in the handling of this information.

      3.11.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)

      Many Australian government agencies also carry out data-matching activities that are not subject to the Data-matching Act but run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard for the privacy of individuals, the Privacy Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration (1998).

      These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.

      Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Privacy Commissioner for comment and, once it has been finalised, the program protocol should be made available to the public.

      In 2008–09, the Privacy Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 3.14.

Table 3.14 – 2008–2009 Program protocols produced under the voluntary data-matching guidelines

Matching Agency | Source Agencies | Name of the Program Protocol | Description of the Program Protocol | Received Date
Department of Veterans’ Affairs (DVA) | DVA; Australian Securities and Investment Commission (ASIC) | Matching Information from the ASIC Public Database called ‘ASCOT’ with the DVA Client Database. | To match ASIC data against DVA special pension recipients data to verify entitlements. | July 2008
Australian Tax Office (ATO) | New South Wales Office of State Revenue; NSW Department of Lands; State Revenue Office of Victoria; ACT Planning and Land Authority; ACT Registrar General – Land Titles Office; Northern Territory Treasury; Northern Territory Department of Planning and Infrastructure; Northern Territory Registrar General – Land Titles Office; Queensland Office of State Revenue; Queensland Department of Natural Resources, Mines and Water; Tasmanian Department of Primary Industries and Water; Tasmania State Revenue Office; Revenue SA; South Australian Land Services Group; Western Australian Office of State Revenue | State and Territory Government Revenue and Land Titles Offices Data Matching Program Protocol | To identify and address non-compliance with taxation obligations and increase ATO research and analytics in the real property market. | August 2008
ATO | Foreign Investment Review Board | Foreign Resident Data Matching Program Protocol | To identify and address non-compliance with taxation obligations and increase ATO research and analytics capability in the real property market as it relates to non-residents. | August 2008
ATO | Queensland Residential Tenancies Authority; New South Wales Office of Fair Trading; Victorian Residential Tenancies Bond Authority | Residential Tenancies Authorities Data Matching Program Protocol | To identify and address non-compliance with taxation obligations in relation to rental income, capital gains tax and goods and services tax. | August 2008
ATO | Link Market Services Limited; Computershare Limited; Australian Securities Exchange Limited; Registries Limited; Advanced Share Registry Services Pty Ltd; Security Transfer Registrars Pty Ltd | Share Data Matching Program Protocol | To systemically develop an understanding of the share market and to confirm that entities generally are correctly complying with their taxation obligations relating to share market transactions. | August 2008
ATO | Registrar of Racehorses; two auctioneers: William Inglis & Son, Magic Millions | ATO Thoroughbreds Project – to identify individuals that have purchased (a share in) a racehorse. | To match data from the source agencies against ATO data to identify individuals with a share in a racehorse. To identify possible high-wealth individuals to allow the ATO to review those individuals under the HWI program. | August 2008
Centrelink | Source agency withheld: protected information | Identity Matching Program (details withheld: protected information) | To match customer identity details with identity details held by the source agency for the purpose of identifying individuals who may be using false identities to claim Centrelink income benefits. | September 2008
ATO | BHP Billiton; Rio Tinto; Xstrata Limited; Newmont Australia Holdings Pty Ltd; Exxon Mobil Australia Pty Ltd; Anglo Coal Holdings Australia Ltd; Woodside Petroleum Ltd; Worley Parsons; Barrick Gold; Newcrest Mining; OZ Minerals | Compliance levels of entities associated with the Mining Industry Data Matching Project | To match data provided by mining companies and contracting companies in the mining industry against the ATO’s taxpayer records. | February 2009
ATO | NSW Roads and Traffic Authority; Vic Roads; Transport SA; Dept of Infrastructure Energy and Resources (Tas); Department for Planning and Infrastructure (WA); Northern Territory Department of Planning and Infrastructure (Transport Division); ACT Road Transport Authority | Motor Vehicle Data Matching Project | ATO is looking to implement Data Matching Protocol for people buying motor vehicles with a purchase price over $10000 to ensure they are meeting their tax obligations. | March 2009
ATO | Various labour hire firms, placement agencies and computer consultancies. | Entities with personal services income that contract through labour hire firms, placement agencies or computer consultancies – Data Matching Project | To improve compliance with tax obligations of taxpayers, ATO will match data provided by labour hire firms, placement agencies or computer consultancies. The focus will be on personal services income. | March 2009
ATO | WorkCover SA; WorkCover WA; WorkCover QLD; WorkCover NT; WorkCover ACT; WorkCover Tas; WorkCover NSW; WorkCover Vic | WorkCover – Data Update Data Matching Protocol May 2009 | To match business information with state workcover authorities to ensure compliance with tax obligations. | May 2009
ATO | eBay Australia Ltd; Oztion Auctions; AuctionBidz; Aussiebid; Bang 4 Bucks; BidMate Online Auctions; BidSell Auctions; Ozbid Online Auctions; Allbids; Empire auctions; Trading Post | Data Matching – Program Protocol Online auction selling and ATO | Matching individuals and business who may be at risk of not voluntarily complying with their tax obligations. | May 2009
Centrelink | ATO | Tax Garnishee Project 2009 | To match individuals who owe a debt to Centrelink with ATO clients who are receiving a tax refund that financial year. | May 2009

      Management and Accountability

      4.1 Administrative Arrangements

      4.1.1 Australian Human Rights Commission Memorandum of Understanding

The Office has a Memorandum of Understanding with the Australian Human Rights Commission (AHRC, formerly called the Human Rights and Equal Opportunity Commission) which covers the provision of corporate services. The Office paid $833 182 for these services in 2008–09. This includes financial, administrative, information technology, human resources, legal and library services. The Office also sub-lets premises in Sydney from the AHRC under this arrangement.

      4.1.2 Department of the Prime Minister and Cabinet Memorandum of Understanding

      The Office has a non-financial Memorandum of Understanding with the Department of the Prime Minister and Cabinet.

      The Memorandum sets out an agreed basis for policy and operational coordination between the Department and the Office. Representatives from both agencies meet monthly. The benefits of the arrangement include open communication to keep each party informed of relevant activities and developments, and improved advice to Ministers and other key stakeholders.

      4.1.3 ACT Government Memorandum of Understanding

      The Office has had a Memorandum of Understanding with the ACT Government since 1 July 2000. The current Memorandum has been signed for the period 1 July 2008–30 June 2011. Under the Memorandum, the Office provides a number of privacy services to the ACT Government including:

      In 2008–09, the Office received $101 947 for the provision of these services. Further information regarding advice provided to ACT Government agencies can be found at section 1.5.

      4.1.4 Centrelink

      The Office continued to undertake its responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 throughout 2008–09. The Office received annual funding of $339 069 from Centrelink to support the costs of monitoring the conduct of the data-matching program. For further information on data-matching see section 3.11.

      4.1.5 Medicare Australia Memorandum of Understanding

      The Office has a Memorandum of Understanding with Medicare Australia. Under the Memorandum, the Office gives advice and undertakes work on privacy-related projects relevant to Medicare Australia, using resources provided by Medicare Australia. The term of the current agreement is from 1 July 2007–30 June 2009. $118 182 was received in 2008–09.

      4.1.6 NSW Privacy Memorandum of Understanding

      The Office currently has a non-financial Memorandum of Understanding with the Office of the NSW Privacy Commissioner which provides a framework for cooperation in undertaking their respective responsibilities when those responsibilities overlap, and to take advantage of opportunities to assist each other in joint training, education, promotion and enforcement activities. The Memorandum has been in place since December 2005.

      4.1.7 Commonwealth Ombudsman Memorandum of Understanding

      An ongoing non-financial Memorandum of Understanding exists between the Privacy Commissioner and the Commonwealth Ombudsman to allow for greater cooperation between their Offices when dealing with privacy-related complaints.

      The Memorandum provides for the exchange of relevant information where both Offices are considering the same issue and also offers the option of undertaking a joint investigation where a complaint falls under the jurisdiction of both Offices. Further, it enables referral of complaints to the other Office where appropriate and with consent.

      The two Offices hold annual meetings to discuss the effectiveness of the agreement. The Memorandum has been in place since November 2006.

      4.1.8 Office of the New Zealand Privacy Commissioner Memorandum of Understanding

      The Office currently has a non-financial Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner. The Memorandum enables cooperation between the two Offices on privacy-related issues and the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies.

      The Memorandum stems in part from the APEC Privacy Framework, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum, all of which advocate the forming of cooperative arrangements between privacy regulators.

The Memorandum has been in place since September 2006 and was re-signed for a further three years in August 2008.

      4.1.9 Australian Customs Service

      The Office signed an agreement with the Australian Customs Service (Customs) in May 2008 to provide over the following four years ongoing privacy advice as well as undertake two audits a year of various aspects of Customs’ use of Passenger Name Record data. The Office receives annual funding of $110 187 from Customs to support the costs of this work.

      4.1.10 Department of Health and Ageing Memorandum of Understanding

The Office signed an agreement with the Department of Health and Ageing (DoHA) in June 2008 to undertake work during the first half of 2008–09. Under the agreement, the Office provided privacy-related advice as part of the development of a national framework to address illicit drug use in sport. The Office received funding from DoHA of $58 794.

      4.2 Corporate Services

      4.2.1 Audit Committee

      Consistent with Australian Securities Exchange principles of good corporate governance and the requirements of the Financial Management and Accountability Act 1997, the Office maintains an audit committee to advise the Privacy Commissioner on its compliance with external reporting requirements and the effectiveness and efficiency of its internal control and risk management mechanisms. The audit committee met four times during the reporting period.

      4.2.2 Purchasing

      The Office’s purchasing procedures comply with the Australian Government Procurement Guidelines issued by the Department of Finance and Deregulation. They address a wide range of purchasing situations, allowing managers flexibility when making purchasing decisions provided arrangements comply with the Australian Government’s core procurement principle of value for money.

      4.2.3 Certification of Fraud Measures

      The Office has prepared a fraud risk assessment and fraud control plan, and has included procedures and processes to assist with fraud prevention, detection, investigation and reporting in line with the Commonwealth Fraud Control Guidelines.

      4.2.4 Consultants

      The Office uses consultancy services where there is a need to access specialty skills and expertise not available within the agency.

      During 2008–09, one new consultancy contract was entered into involving total actual expenditure of $109 610 (including GST). There were no active part-performed consultancy contracts from prior years.

Table 4.1 Consultancy Contracts 2008–09

Consultant Name | Description | Contract Price | Actual Payments | Selection Process (1) | Justification (2)
icemedia Pty Ltd | Redevelopment of the website for the Office of the Privacy Commissioner | $109 610 | $67 983 | Open Tender | B
TOTAL | | $109 610 | $67 983 | |

      (1) Explanation of selection process terms drawn from the Commonwealth Procurement Guidelines (December 2008):

      Open Tender: A procurement procedure in which a request for tender is published inviting all businesses that satisfy the conditions for participation to submit tenders. Public tenders are generally sought from the Australian Government AusTender internet site.

      (2) Justification for decision to use consultancy:

      A – skills currently unavailable within the agency

      B – need for specialised or professional skills

      C – need for independent research or assessment.

      Information on expenditure on contracts and consultancies is also available on the AusTender website at www.tenders.gov.au.

      4.2.5 Grants Programs

      The Office of the Privacy Commissioner does not have a grants program.

      4.2.6 Advertising and Market Research

      The Office contracted Orima Research Pty Ltd to undertake a survey of portable storage device usage across government agencies during the reporting period. Total payments of $22 000 (including GST) were made to Orima Research for undertaking the survey.

The Office paid $15 245 (including GST) on non-campaign advertising (recruitment and event promotion) during the reporting period.

      4.2.7 Ecologically Sustainable Development and Environmental Performance

      The role and activities of the Office do not directly link with the principles of ecologically sustainable development or impact on the environment other than through its business operations in the consumption of resources required to sustain its operations.

      The Office uses energy saving methods in its operation and endeavours to make the best use of resources. The Office has implemented a number of environmental initiatives to ensure operating practices with environmental impacts are addressed. Major energy consuming services such as air conditioning and lighting are switched off outside working hours. In addition, waste products such as paper, cardboard, printer cartridges and other recyclable materials are recycled subject to the availability of appropriate recycling schemes. Preference is given to environmentally sound products when purchasing office supplies. Purchase/leasing of Energy Star rated office machines and equipment is encouraged, as are machines with power save features.

      During 2008–09, the Office and its staff participated in the Earth Hour initiative, which was held on 28 March 2009.

      4.3 Management of Human Resources

      4.3.1 Staffing Overview

      The Office’s average staffing level for 2008–09 was 65 staff, with a turnover of approximately 15% for ongoing staff. Nine ongoing staff either resigned or transferred to other Australian Government agencies. Six ongoing staff were employed.

      As at 30 June 2009, the Office had a total of 64 staff, including both ongoing and non-ongoing employees. An overview of the Office’s staffing profile as at 30 June 2009 is summarised in Table 4.2. The number of part-time staff excludes casual staff employed as at 30 June 2009.

Table 4.2 Overview of Staffing Profile as at 30 June 2009

Classification | Male | Female | Full Time | Part Time | Total Ongoing | Total Non-ongoing | Total
Statutory Office Holder | 0 | 1 | 1 | 0 | 0 | 1 | 1
SES Band 2 | 1 | 0 | 1 | 0 | 1 | 0 | 1
SES Band 1 | 1 | 0 | 1 | 0 | 1 | 0 | 1
EL 2 ($89 393 - $102 954) | 1 | 4 | 4 | 1 | 5 | 0 | 5
EL 1 ($77 508 - $84 997) | 4 | 4 | 7 | 1 | 8 | 0 | 8
APS 6 ($61 963 - $69 451) | 14 | 15 | 25 | 4 | 27 | 2 | 29
APS 5 ($55 978 - $60 460) | 1 | 5 | 6 | 0 | 6 | 0 | 6
APS 4 ($50 187 - $54 494) | 4 | 7 | 8 | 3 | 7 | 4 | 11
APS 3 ($45 031 - $48 602) | 1 | 1 | 1 | 1 | 2 | 0 | 2
APS 2 ($40 623 - $43 842) | 0 | 0 | 0 | 0 | 0 | 0 | 0
APS 1 ($34 934 - $38 609) | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 27 | 37 | 54 | 10 | 57 | 7 | 64

      4.3.1.1 Secondments and Workforce Plan

      One aspect of the Office’s Workforce Plan is to encourage staff development through secondments both internally and externally. During 2008–09, six staff members were seconded to other sections within the Office and three staff members were seconded to external agencies.

      Of the three staff seconded to external agencies, two were seconded to the Privacy and Freedom of Information Policy Branch at the Department of the Prime Minister and Cabinet to help with the Government’s response to the Australian Law Reform Commission’s privacy review. The other was seconded to the New Zealand Office of the Privacy Commissioner to assist with a research project on CCTV. This cross-Tasman secondment was carried out under the Asia Pacific Privacy Authorities (APPA) secondment guidelines which were developed to foster cooperation between APPA members.

      4.3.2 Workplace Relations and Employment

Staff members at the Office are employed under s. 22 of the Public Service Act 1999. The Office of the Privacy Commissioner Certified Agreement 2009–2011 was negotiated with staff and the Community and Public Sector Union and was certified by the Australian Industrial Relations Commission on 30 June 2009. This Agreement is a variation and extension of the previous Agreement and will be in operation until 30 June 2011.

      The proposed Agreement provides for 16 weeks paid maternity leave, six weeks paid parental leave, new community volunteering leave and access to extended leave following maternity or parental leave. The Office also supports access to part-time employment up until the child reaches school age. Salary progression within classification levels is subject to performance assessment. Salary ranges for the current Certified Agreement are reflected in Table 4.2.

      The Office had six staff covered by Australian Workplace Agreements during the reporting period including two Senior Executive Service (SES) staff members.

      4.3.3 Performance Management and Staff Development

      The Office’s Performance Management Scheme provides a framework to manage and develop staff to achieve corporate objectives. Under the scheme there is regular and formal assessment of an employee’s work performance, and positive and constructive feedback, professional development experiences and various skills-based training opportunities.

The Office’s Certified Agreement recognises the need to provide adequate training for staff to support workplace changes. This is especially relevant with changes in the information technology area, where staff are provided with relevant and ongoing training. Training in information technology was a priority for the reporting period, with staff across all sections attending training sessions in relation to software roll-outs.

      Professional development needs are identified through an individual’s training and development plan, in conjunction with the Performance Management Scheme. These development activities may include external professional development courses, in-house group training sessions, individual or team based on-the-job training and the opportunity to represent the organisation at seminars and other forums.

      The Office’s staff development strategy incorporates a Studies Assistance policy. The policy provides for support where study is relevant to the work of the Office, an individual’s work responsibilities and where it assists with professional or career development. In 2008–09, 12 staff were supported to undertake formal external study through study leave, examination leave and/or financial assistance. Additional support is provided to staff who are working towards their first tertiary qualification, in recognition of the challenges some groups experience accessing tertiary education. Financial assistance for approved students was enhanced under the new Certified Agreement.

      4.3.4 Workplace Diversity and Equal Employment Opportunity

      The Office recognises that diversity in staff is one of its greatest assets and is committed to valuing and promoting the principles of workplace diversity through its work practices. The Office participates in a joint Workplace Diversity Committee with the Australian Human Rights Commission. Throughout the year, the Office promoted and supported events including International Women’s Day, NAIDOC Week, Harmony Day and National Families Week. Other strategies under the Office’s Workplace Diversity Plan focus on flexible and family friendly workplace policies. Nine ongoing staff had part-time arrangements in place during the financial year.

      During the reporting period the Office created a new Workplace Diversity Plan for the period 2009–13 to ensure that diversity in the workplace remains a priority for the Office. The Committee also developed a Calendar of Events to ensure that opportunities to celebrate and acknowledge various events are undertaken with respect, creativity and forward planning.

      The Office’s Reconciliation Action Plan (see section 4.4.1) has strategies which link with the Office’s Workplace Diversity Plan.

      4.3.5 Occupational Health and Safety

      The Office of the Privacy Commissioner and the Australian Human Rights Commission are co-located and share expertise and resources on Occupational Health and Safety (OH&S) issues. The Office’s Health and Safety representative is a member of the joint agencies’ OH&S Committee (the Committee). This Committee also includes corporate support staff and meetings are held regularly throughout the year.

      The Office is committed to promoting preventative health and safety strategies to ensure the health, safety and wellbeing of staff. Health and safety issues are monitored, addressed and/or referred through the Committee and minutes of the Committee are placed on the Office’s intranet.

      A hazards survey is conducted annually and reviewed by the Committee. There have been no dangerous accidents or occurrences reported over the last year.

      All new staff are provided with OH&S information upon commencement and ongoing support and assistance on OH&S and ergonomic issues is provided to all staff.

      The Office’s commitment to staff health and wellbeing, onsite and offsite, continued with workplace assessments for the resolution of ergonomic issues, access to a software program which encourages staff to take regular breaks throughout the day, and access to preventative/informative health information sessions. The Office offers support to staff through QUIT smoking programs, flu vaccinations and a Healthy Lifestyle Program.

      The Office provides a Healthy Lifestyle Allowance under the Certified Agreement to promote health and fitness as a means of achieving work/life balance and improving the health and wellbeing of our employees.

      The Office continues to provide staff with access to counselling services through its Employee Assistance Program. This is a free and confidential service for staff and their families to provide counselling on personal and work related problems if required. No systemic issues have been identified through this service.

      4.4 Diversity Strategies

      The Office is committed to developing and implementing strategies which help the Office to better provide advice and services to people from culturally and linguistically diverse backgrounds, and people with disabilities. The Reconciliation Action Plan, Commonwealth Disability Strategy and Access and Equity Report assist in pursuing this objective.

      4.4.1 Reconciliation Action Plan

      The Office’s Reconciliation Action Plan (RAP) was developed in consultation with Reconciliation Australia and is available on the Office’s website at www.privacy.gov.au/materials/types/plans/view/5891.

      The RAP initiative was developed by Reconciliation Australia to help organisations and agencies identify and develop business practices that contribute to the wellbeing and quality of life of Indigenous Australians.

      The Office’s Plan which involved staff input from all sections of the Office identifies five Key Reconciliation Result Areas:

      During 2008–09, the Office worked towards several of the actions identified in its RAP, and will continue to do so in 2009–10. Initiatives included attending a NAIDOC festival to increase privacy awareness in Indigenous communities, giving a presentation on health privacy obligations to an Aboriginal health clinic, and advertising vacancies in Indigenous media.

      4.4.2 Commonwealth Disability Strategy

      The Commonwealth Disability Strategy (CDS) provides Australian Government agencies with a framework to assist them to develop and deliver policies, programs and services which are accessible for people with disabilities. This framework requires all Australian Government agencies to provide data on their performance against the framework in their respective annual reports.

      The Office’s report against the CDS framework is at Appendix 5. Full details on the CDS can be found on the Department of Families, Housing, Community Services and Indigenous Affairs website at www.fahcsia.gov.au/sa/disability/pubs/policy/Documents/cds/default.htm.

      The CDS is part of the Australian Government’s vision for an Australian society where all Australians can live, work and participate fully in community life.

      4.4.3 Access and Equity Report

      The Access and Equity Report is an Australian Government initiative which is coordinated by the Department of Immigration and Citizenship. The report is based on agencies reporting on their performance in providing accessible services to people from culturally and linguistically diverse backgrounds. The Office reported on what it does and plans to do to make privacy-related information more accessible to the community. The report covering the period 2006–08 is available at www.immi.gov.au/about/reports/access-equity/index.htm.

      4.5 Client Service Charter

      The Office published a Client Service Charter (the Charter) in March 2008. The standards set in the Charter relate to accessibility, quality, courteous and helpful service, openness and privacy and confidentiality. These standards also state that the Office will:

      A Client Service Charter Information Sheet is sent out with our first contact letter to complainants and respondents in matters the Office is investigating.

      The full document is available in hard copy from the Office or can be downloaded from the Office’s website at www.privacy.gov.au/materials/types/infosheets/view/5889.

      Appendix 1

      Governing Legislation

      The Privacy Act 1988

      The Privacy Act gives effect to article 17 of the International Covenant on Civil and Political Rights and to the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act establishes the method by which personal information about individuals can be collected and stored, specifies the permissible uses of that information, and limits the circumstances in which that information can be disclosed. It also sets out a mechanism by which individuals can gain access to, and amend where appropriate, the personal information about them held by agencies and organisations.

      The Privacy Act protects personal information under four main sets of requirements.

      The National Privacy Principles (NPPs) (see Appendix 6) regulate the way private sector organisations handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of organisations covered by the Privacy Act. In general the NPPs apply to all businesses and non-government organisations with a turnover of $3 million or more, all health service providers and a limited range of small businesses.

      The Information Privacy Principles (IPPs) (see Appendix 7) regulate the way most Australian and ACT Government agencies handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of those agencies covered by the Privacy Act.

      Individuals’ Tax File Number (TFN) provisions: the Privacy Act prevents TFNs from being used as a de facto national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax-related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and enforces legally binding Tax File Number Guidelines.

      Part IIIA of the Privacy Act places strict safeguards on the handling of individuals’ consumer credit information by the credit industry. These provisions recognise the sensitivity of credit-worthiness information and the implications for individuals should credit information be mishandled. Strict penalties apply if these provisions are breached.

      Subordinate Legislation

      Privacy in Australia is further regulated by subordinate legislation including those mentioned below.

      Privacy (Private Sector) Regulations 2001, which set out the standards under s. 18BB(3)(a)(i) of the Privacy Act that need to be met before a privacy code can be approved by the Privacy Commissioner, and prescribe specific agencies, state authorities and organisations for particular purposes under the Privacy Act.

      Privacy Regulations 2006, which exempt the secrecy provisions of the Census and Statistics Act 1905 from the provisions in the Privacy Act (Part VIA) which relate to allowable disclosures during emergencies.

      Privacy codes developed by organisations and approved by the Privacy Commissioner under Part IIIAA of the Privacy Act can replace the National Privacy Principles for particular organisations or activities if they enhance or are equivalent to those principles.

      Mandatory guidelines under the Privacy Act, for example the Tax File Number Guidelines issued under s. 17 of the Privacy Act.

      Public Interest Determinations and Temporary Public Interest Determinations under Part VI of the Privacy Act.

      Credit Reporting Determinations under Part IIIA of the Privacy Act.

      The Credit Reporting Code of Conduct issued under s. 18A of the Privacy Act.

      The Privacy Act and the subordinate legislation are supported by advisory guidelines issued by the Office, including:

      In addition, the Privacy Commissioner has approved binding guidelines issued by the National Health and Medical Research Council:

      Other Legislation

      The role of the Privacy Commissioner is further defined by legislated responsibilities that are set out in the following legislation.

      Part VIIC of the Crimes Act 1914, the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances (the Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme).

      The Data-matching Program (Assistance and Tax) Act 1990, which regulates data-matching between the Australian Taxation Office and the assistance agencies to detect overpayment and ineligibility for assistance (under this Act, the Privacy Commissioner is responsible for issuing mandatory guidelines for protecting privacy, investigating complaints and monitoring agency compliance).

      The National Health Act 1953, under which the Privacy Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals’ claim information under the Pharmaceutical Benefits Scheme and the Medicare program.

      The Telecommunications Act 1997, under which the Privacy Commissioner has certain monitoring and compliance functions.

      Appendix 2

      Strategic Plan 2007–09

      Our Vision:

      An Australian community in which privacy is valued and respected.

      Our Purpose:

      To promote and protect privacy in Australia.

      Our Values:

      As an Australian Government agency the Office of the Privacy Commissioner is committed to upholding the APS Values and Code of Conduct. In particular we will:

      Context:

      The Office of the Privacy Commissioner is established under the Privacy Act 1988 to:

      Goals:

      Goals and Strategies with Actions for 2009

      Goal: High quality results

      Strategy: Build our policy and strategic analysis capacity
      Actions for 2009:
      • Continue the development of opportunities for collaborative work.
      • Further develop the targeted research program begun in 2008 to inform the Office’s policy work and promote consideration of privacy issues.

      Strategy: Identify and focus our Office’s work on areas of maximum impact
      Actions for 2009:
      • Identify new, and build on existing, partnership opportunities to maximise our ability to advise on key policy issues.

      Strategy: Increase our influence through quality advice and information
      Actions for 2009:
      • Develop standards for excellence in customer service and promote the Client Service Charter.

      Strategy: Manage our resources effectively, flexibly and efficiently
      Actions for 2009:
      • All sections to prioritise their work for maximum effect and develop work plans for 2009–10.
      • Maximise the impact of our policy advice through follow-up strategies.

      Strategy: Deliver fair, transparent, efficient and effective complaint handling
      Actions for 2009:
      • Provide a timely complaint resolution service.
      • Ensure consistency in decision making.
      • Utilise the range of compliance mechanisms under the Privacy Act.

      Strategy: Increase our focus on systemic information handling issues
      Actions for 2009:
      • Identify key privacy compliance issues and target systemic issues accordingly.

      Strategy: Harness and utilise knowledge gained from day-to-day activities to inform our strategic work
      Actions for 2009:
      • Identify key privacy compliance issues in complaint handling, audit and data matching.

      Strategy: Ensure robust work practice and information systems support our core business
      Actions for 2009:
      • Further develop continuous improvement systems.
      • Review and enhance internal work processes, including the development of documentation and training to support the technical, administrator and user needs of the Office’s internal information management system ‘The Hub’.
      • Review and build on our knowledge sharing and management systems, specifically the redevelopment of the Office’s contact management systems and electronic mailing lists.

      Strategy: Build our capacity to respond to evolving and emerging technology
      Actions for 2009:
      • Identify evolving and emerging technology issues.
      • Develop greater capacity in technology issues.

      Goal: Increased awareness of privacy choices and obligations within the community

      Strategy: Communicate effectively with more targeted integrated strategies
      Actions for 2009:
      • Develop an online portal and magazine for young adults to be released during PAW 2009.

      Strategy: Harness existing communication channels to maximum effect, especially emerging popular mediums
      Actions for 2009:
      • Progress the development and implementation of communication plans targeting key audiences, such as youth, and communicating key messages.

      Strategy: Utilise the media to deliver the privacy message
      Actions for 2009:
      • Further develop and implement the media strategy with media outlets.
      • Seek opportunities to contribute to relevant media, particularly during key promotional events such as PAW and the Privacy Awards.

      Strategy: Ensure that material published by the Office is up-to-date, accurate and targeted at identified key audiences
      Actions for 2009:
      • Update publications and other written material in accordance with the findings of the Publications Review.

      Strategy: Ensure that the website, as the Office’s key communication channel, is up-to-date and accurate
      Actions for 2009:
      • Launch the redeveloped website in accordance with the Office’s Communications Strategy and stakeholder feedback to optimise accessibility.

      Strategy: Develop guidance material to assist the private sector
      Actions for 2009:
      • Utilise compliance data to identify the need for new guidance material and prepare that material.
      • Advance remaining recommendations from the Private Sector Review.

      Strategy: Re-energise the PCO and Privacy Connections networks
      Actions for 2009:
      • Continue to host forums, seminars and workshops for Privacy Connections members.
      • Continue to host meetings for the Government PCO Network and consider opportunities to work with the network outside of the regular quarterly meetings.

      Strategy: Develop programs to recognise and reward best practice
      Actions for 2009:
      • Develop and implement the Privacy Awards.

      Goal: Robust relationships

      Strategy: Ensure that effective relationships, partnerships and networks are at the core of how we operate internally and externally
      Actions for 2009:
      • Nurture, manage and build on existing relationships.
      • Review and measure the success of our relationships.
      • Review and develop systems that support internal and external networks and relationships.
      • Develop and support staff to manage internal and external relationships.
      • Review the existing Communications Plan to address internal and external communication needs.

      Strategy: Develop formal links with external parties where appropriate and useful to maximise influence and understanding
      Actions for 2009:
      • Provide quality and timely advice and services under our MOUs.
      • Identify, build and manage new relationships.
      • Further develop private sector communications, eg case study workshops.
      • Continue to develop international linkages, particularly APPA and APEC.

      Goal: A confident and competent workforce

      Strategy: Attract well qualified staff
      Actions for 2009:
      • Build a reputation as a ‘preferred employer’.

      Strategy: Retain our staff through commitment to training and development, career development, conditions of service, and work-life balance
      Actions for 2009:
      • Finalise the Workforce Plan and begin implementation of key actions within that plan, including:
        - an assessment of our skills base and a training needs analysis to focus our learning and development strategies
        - a review of the career development framework for all staff
        - establishing a secondment program with other agencies and within the Office
        - examining and adopting a range of recruitment and retention strategies
        - promoting and improving knowledge sharing
        - reviewing Statements of Duties and Selection Criteria.
      • Review Performance Agreements and the Performance Management Scheme, including consideration of a 360° Feedback Scheme.

      Strategy: Acquire and develop our skills base to respond to emerging issues including technology
      Actions for 2009:
      • Identify skills requiring development.
      • Provide training and development opportunities.

      Appendix 3

      Outcomes and Outputs Structure

      The Office’s outcome statement, as set out in the Portfolio Budget Statement, is:

      An Australian culture in which privacy is respected, promoted and protected.

      There is one output for the Office’s outcome:

      Complaint handling, compliance and monitoring, and education and promotion.

      Contributions to the Office’s outcome:

      Output Group 1.1: Complaint handling, compliance and monitoring and education and promotion

      Key performance indicator: Adherence to Client Service Charter standards.
      2008–09 target: Client Service Charter standards are met.

      Key performance indicator: Targeted information available that informs the community, including business and government, of their rights and responsibilities in respect of the Office’s jurisdictional responsibilities.
      2008–09 target: Information is easily accessible and available to all members of the community.

      Key performance indicator: Preparation of advice, reports and submissions on significant privacy-related issues.
      2008–09 target: Advice, reports and submissions on significant privacy-related issues are considered and valued.

      Key performance indicator: Audits improve the privacy practices and procedures of agencies and organisations.
      2008–09 target: Agencies and organisations are satisfied that audits improve their privacy practices and procedures.

      Key performance indicator: Number of complaints finalised within 12 months of receipt and number of written enquiries answered within 10 days.
      2008–09 target: 80% of complaints finalised within 12 months of receipt and 90% of written enquiries answered within 10 days.

      Key performance indicator: Time taken to finalise audits.
      2008–09 target: Audits finalised within 6 months of commencement.

      Key performance indicator: Number of visits to the website and number of pages viewed on the website.
      2008–09 target: More than 1 million visits to the website and more than 5 million pages viewed on the website.

      Table A3.1 Agency Resource Statement 2008–09 ($’000)

                                                                  Actual available    Payments made    Balance
                                                                  appropriations      2008-09          remaining
                                                                  2008-09 (a)         (b)              (a-b)

      Ordinary annual services (1): departmental appropriation
        Prior year departmental appropriation                              1,836            1,093          743
        Departmental appropriation                                         6,444            6,444            -
        Appropriations to take account of recoverable GST
          (FMA Act section 30A)                                              183              183            -
        Section 31 relevant agency receipts                                  706              706            -
        Total                                                              9,169            8,426          743

      Total ordinary annual services                                       9,169            8,426
      Total resourcing and payments                                        9,169            8,426

      1 Appropriation Bill (No. 1) 2008-09

      Table A3.2 Resources for Outcome 1 - The protection of individuals’ personal information through investigating complaints and inquiring into potential privacy interferences, advice to government, audits of personal information handling practices, community education, and research.

                                                                  Budget*      Actual expenses    Variation
                                                                  2008-09      2008-09            (a)-(b)
                                                                  $’000 (a)    $’000 (b)          $’000

      Output Group 1.1: Complaint handling, compliance and monitoring and education and promotion

      Departmental outputs
        Ordinary annual services (Appropriation Bill No. 1)         6,444        6,444                  0
        Revenues from independent sources (section 31)                850          906               (56)
        Expenses not requiring appropriation in the Budget year       474          619              (145)
        Subtotal for Output Group 1.1                               7,768        7,969              (201)

      Total for Outcome 1
        Departmental                                                7,768        7,969              (201)

      Average staffing level (number)                                               65

      * Full-year budget, including any subsequent adjustment made to the 2008-09 Budget

      Appendix 4

      Freedom of Information Act Compliance

      The Freedom of Information Act 1982 (FOI Act) gives the general public a legal right of access to government documents. Information on the Office’s FOI procedures can be found under the heading Freedom of Information procedures below.

      Section 8 of the FOI Act requires each Australian Government agency, including this Office, to publish information about the way the Office is organised, together with its functions, powers and arrangements for public participation in the work of the agency. The Office is also required to publish the categories of documents that the Office holds and how members of the public can gain access to them.

      Authority and legislation

      The Office is established, and the Privacy Commissioner’s functions and powers are conferred, by the Privacy Act 1988. Information regarding the Office’s functions and powers is set out in the introductory section.

      Number of formal requests for information

      During 2008–09, the Office received 18 requests for access to documents under the FOI Act. In each of these requests, the applicant sought access to documents concerning their own privacy complaint.

      Avenues for public participation

      The Office uses the following processes and consultative bodies to assist the participation by persons or bodies outside the Australian Government administration in the policy-making functions of the Office or in its administration of various schemes and enactments.

      The Office has a Strategic Plan (see Appendix 2) which commits it to developing robust relationships with external stakeholders, and to ensuring that effective relationships, partnerships and networks are at the core of the Office’s internal and external operations.

      Part VII of the Privacy Act provides for the establishment of the Privacy Advisory Committee to advise the Commissioner on relevant matters, recommend material to the Commissioner for inclusion in guidelines and, subject to direction by the Commissioner, engage in community education and consultation.

      The Privacy Commissioner’s Health Privacy Forum is an informal group of senior stakeholders from the health sector to assist the Commissioner on matters of health privacy.

      The Office coordinates the government Privacy Contact Officer (PCO) network to facilitate the resolution of privacy issues within Australian and ACT Government agencies and provide training and expertise to those agencies. The PCO network meets four times per year.

      The Privacy Connections network plays a similar role in the private sector and regular forums are held for network members across Australia.

      The Compliance Section conducts customer surveys to assess the quality of the service it provides, and to look for ways to improve its service.

      The Commissioner also has legislative requirements to consult. For example, the provisions relating to making a public interest determination require the production of a draft determination and the invitation of interested parties to attend a conference (ss. 75 and 76). Similarly, the Commissioner needs to be satisfied that there has been an adequate opportunity for the public to comment before approving a proposed privacy code (s. 18BB(2)(f)).

      The Office conducted consultation on a number of matters during the year, including in relation to developing new guidance material and while making legislative instruments.

      The Office invites public consultation from individuals and organisations through its website.

      Categories of documents

      Documents held by the Office relate to:

      Freedom of Information procedures

      Initial enquiries regarding access to documents from the Office of the Privacy Commissioner should be directed to the Freedom of Information Officer by either telephoning (02) 9284 9800 or writing to:

      Freedom of Information Officer
      Office of the Privacy Commissioner
      GPO Box 5218
      Sydney NSW 2001.

      Procedures for dealing with FOI requests are detailed in s. 15 of the FOI Act. A valid request must:

      Some documents are exempt from disclosure under the FOI Act. Where access to a document is refused, the applicant will be given reasons for the decision. The Office’s decisions about access to documents may be reviewed by the Administrative Appeals Tribunal.

      Facilities for obtaining physical access

      The Office provides copies of the requested documents by mail to the enquiring party, subject to exceptions established under the FOI Act.

      The Office will also consider requests from parties to view hard copies of the requested documents in person at the Office.

      Appendix 5

      Commonwealth Disability Strategy Performance Reporting

      Table A5.1 Commonwealth Disability Strategy Performance Reporting

      Policy adviser role

      1. New or revised policy / program proposals assess impact on the lives of people with disabilities prior to decision.

      Performance measure: Percentage of new or revised policy / program proposals that document that the impact of the proposal was considered prior to the decision making stage.

      Current level of performance (2008–2009): The Office provides advice on the policy/program/legislative activities of other agencies from a privacy perspective. Submissions are loaded on the Office’s website where possible. In a significant number of advices, particularly where new technologies are being considered, the privacy of people with disabilities is factored into the discussion.

      Goals for 2009–2010: Where the Office is preparing new guidance or legislative material, consultations will include groups representing people with disabilities where possible.

      Actions for 2009–2010: Review the national peak bodies listing available on the CDS website and consider liaising with these bodies during consultation processes.

      2. People with disabilities are included in consultation about new or revised policy / program proposals.

      Performance measure: Percentage of consultations about new or revised policy / program proposals that are developed in consultation with people with disabilities.

      Current level of performance (2008–2009): The Office seeks to have representative bodies, including those from associations of people with disabilities, actively involved in consultations on privacy issues, including in relation to privacy impact assessments of proposals undertaken by other government agencies.

      Goals for 2009–2010: Where the Office is preparing new guidance or legislative material, consultations will include groups representing people with disabilities where possible.

      Actions for 2009–2010:
      • Update the Office’s guidelines on conducting community consultations to include advice on consulting with people with disability by January 2010.
      • Undertake targeted consultation with relevant groups representing people with disabilities when developing new guidance material.
      • Encourage other agencies which are developing policies that may impact on the privacy of people with disabilities to undertake consultation with representative groups.

      3. Public announcements of new, revised or proposed policy / program initiatives are available in accessible formats for people with disabilities in a timely manner.

      Performance measure:
      • Percentage of new, revised or proposed policy / program announcements available in a range of accessible formats.
      • Time taken in providing announcements in accessible formats.

      Current level of performance (2008–2009): Simultaneous to public release, 100% of information about new Office initiatives is available on a W3C compliant website. Other formats can be made available on request. The Office’s PriNet email news list had 1,164 subscribers as at 30 June 2009. Disability groups are members of this network. Membership is also open to members of the public who may have disabilities. Email messages to the network are sent in plain text accessible format.

      Goals for 2009–2010:
      • 100% of customers requesting information in accessible formats (other than electronic) will be advised of the expected delivery date of their preferred format within ten days of the request.
      • A greater number of national peak disability bodies will be represented on the Office’s email distribution list.

      Actions for 2009–2010:
      • Maintain a log of all requests for information in accessible formats and the timeframes involved, by June 2010.
      • Approach national peak disability bodies listed on the CDS website and invite them to subscribe to the Office’s email list by February 2010.

      Regulator role

      1. Publicly available information on regulations and quasi-regulations is available in accessible formats for people with disabilities.

      Performance measure:
      • Percentage of publicly available information on regulations and quasi-regulations requested and provided in accessible electronic formats, and in accessible formats other than electronic.
      • Average time taken to provide accessible material in electronic format, and in formats other than electronic.

      Current level of performance (2008–2009): 100% of Office information is available on its W3C compliant website. The Office is also redeveloping its website, which will also be W3C compliant. All material can be made available in other formats on request. Office services are accessible via website, phone and TTY. Electronic access is immediate, via the website. Average turnaround for requests for electronic information is within the day; hard copy information 2–3 days. Some requests may require the use of external service providers; in these cases the turnaround to provide information in accessible formats may be longer. The majority of Office staff have attended Plain English training, and apply these skills in the preparation of the Office’s written materials.

      Goals for 2009–2010:
      • 100% of requests for electronic information to be fulfilled within ten days.
      • 100% of customers requesting information in accessible formats (other than electronic) will be advised of the expected delivery date of their preferred format within ten days of the request.
      • Information provided on the Office’s website will be regularly reviewed to ensure compliance with web standards.
      • Clarify the effect of the Privacy Act in relation to communications relay services for people with disabilities.

      Actions for 2009–2010:
      • Maintain a log of all requests for information in accessible formats and the timeframes involved, by June 2010.
      • Review the website in line with accessibility standards to ensure it is up-to-date.
      • Plain English training for all new staff.
      • Develop a series of FAQs on the National Relay Service and privacy issues.

      2. Publicly available regulatory compliance reporting is available in accessible formats for people with disabilities.

      Performance measure: Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

      • accessible electronic formats
      • accessible formats other than electronic.

      Average time taken to provide accessible material in:

      • electronic format
      • formats other than electronic.

      100% of Office information is available on its W3C compliant website. The Office is also redeveloping its website, which will also be W3C compliant.

      All material can be made available in other formats on request.

      Office services are accessible via website, phone and TTY.

      Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information 2–3 days.

      Some requests may require that we use external service providers. In these cases, the turnaround to provide information in accessible formats may be impacted.

      The majority of Office staff have attended Plain English training, and apply these skills in the preparation of the Office’s written materials.

      100% of requests for electronic information to be fulfilled within ten days.

      100% of customers requesting information in accessible formats (other than electronic) will be advised of the expected delivery date of their preferred format within ten days of the request.

      Information provided on the Office’s website is reviewed regularly to ensure compliance with web standards.

      Ensure that relevant staff are aware of procedures for handling a request for information in accessible formats, by February 2010.

      Maintain a log of all requests for information in accessible formats and the timeframes involved by June 2010.

      Review website in line with accessibility standards to ensure it is up-to-date.

      Provider role

      Performance Indicator

      Performance Measure

      Current level of performance (2008–2009)

      Goals for 2009–2010

      Actions for 2009–2010

      1. Providers have established mechanisms for quality improvement and assurance.

      Evidence of quality improvement and assurance systems in operation.

      The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

      The Office collects regular demographic information on clients to assist with identifying target groups who access services. During 2008–09, 23% of respondents accessing the Office’s services indicated that they had a disability.*

      To identify strategies to better meet the needs of people with disability, especially in terms of:

      • Flexible and appropriate complaint handling and service provision
      • Courteous and prompt customer service.

      Assess ways to better meet the needs of people with disability in the two key areas listed by June 2010.

      Monitor the proportion of complainants with a disability accessing the Office’s complaints services to help inform further improvements to the service.

      2. Providers have an established service charter that specifies the roles of the provider and consumer and service standards which address accessibility for people with disabilities.

      Established service charter that adequately reflects the needs of people with disabilities in operation.

      The Office has a Client Service Charter which outlines the service standards that it seeks to achieve. The service standards include a standard on accessibility and provide information on TTY for individuals with a hearing impairment or speech difficulties. The Charter outlines steps for individuals who are dissatisfied with the Office’s performance against the standards, and welcomes feedback and suggestions for improvement.

      All Office complaints information and brochures are available on the website in accessible electronic format. Information about the complaints process and legislation is available in plain English format on the Office website. The W3C compliant website is updated regularly.

      Office information is available in alternative formats upon request.

      Client Service Charter to be reviewed to ensure that it addresses the needs of people with a disability, particularly in relation to:

      • Flexible and appropriate complaint handling and service provision
      • Courteous and prompt customer service.

      Website to provide clearer guidance regarding options for access to information for people with a disability.

      Review and amend as appropriate the Office’s Client Service Charter by June 2010.

      Assess website feedback received and ensure that any feedback about the site’s accessibility is considered and addressed promptly where appropriate.

      Review current information provided under the website’s accessibility tab and provide further information on access to information in accessible formats by February 2010.

      3. Complaints / grievance mechanisms, including access to external mechanisms, in place to address concerns raised about performance.

      Established complaints / grievance mechanisms, including access to external mechanisms, in operation.

      The Office uses a current complaints information referral list to ensure callers with disabilities can be referred to appropriate advocacy groups, if required.

      The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

      Email, TTY and a national 1300 number at the cost of a local call are all available.

      Premises are accessible.

      Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities.

      To identify any issues around the accessibility of the Office’s complaints handling process for people with disability and develop strategies to address these issues.

      Increase staff awareness of issues faced by people with a disability.

      Review the Office’s Client Service Charter and complaints handling process and advise on potential barriers for people with disability by June 2010.

      Undertake specific training for staff to increase their awareness of issues relating to people with a disability by June 2010.

      During 2008–09, all compliance staff attended targeted training provided by a peak advocacy group on better assisting clients living with mental illness.

      When dealing with requests for access to personal information, organisations are also advised to consider issues of accessibility.

      No complaints have been received regarding access to the Office’s complaint handling service or premises.

      *Due to the voluntary nature and the low response rate of the survey, the data does not necessarily give an accurate representation.

      Appendix 6

      National Privacy Principles

      1 Collection

      1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

      1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

      1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

      (a) the identity of the organisation and how to contact it; and

      (b) the fact that he or she is able to gain access to the information; and

      (c) the purposes for which the information is collected; and

      (d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

      (e) any law that requires the particular information to be collected; and

      (f) the main consequences (if any) for the individual if all or part of the information is not provided.

      1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

      1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

      2 Use and disclosure

      2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

      (a) both of the following apply:

      (i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

      (ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

      (b) the individual has consented to the use or disclosure; or

      (c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

      (i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and

      (ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

      (iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

      (iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

      (v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

      (d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

      (i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

      (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

      (iii) in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

      (e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

      (i) a serious and imminent threat to an individual’s life, health or safety; or

      (ii) a serious threat to public health or public safety; or

      (ea) if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

      (i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

      (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and

      (iii) in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or

      (f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

      (g) the use or disclosure is required or authorised by or under law; or

      (h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

      (i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

      (ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

      (iii) the protection of the public revenue;

      (iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

      (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

      Note 1: It is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.

      Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

      Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

      2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

      2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

      2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

      (a) the individual:

      (i) is physically or legally incapable of giving consent to the disclosure; or

      (ii) physically cannot communicate consent to the disclosure; and

      (b) a natural person (the carer) providing the health service for the organisation is satisfied that either:

      (i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

      (ii) the disclosure is made for compassionate reasons; and

      (c) the disclosure is not contrary to any wish:

      (i) expressed by the individual before the individual became unable to give or communicate consent; and

      (ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

      (d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

      2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

      (a) a parent of the individual; or

      (b) a child or sibling of the individual and at least 18 years old; or

      (c) a spouse or de facto spouse of the individual; or

      (d) a relative of the individual, at least 18 years old and a member of the individual’s household; or

      (e) a guardian of the individual; or

      (f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

      (g) a person who has an intimate personal relationship with the individual; or

      (h) a person nominated by the individual to be contacted in case of emergency.

      2.6 In subclause 2.5:

      child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

      parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

      relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

      sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

      3 Data quality

      An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

      4 Data security

      4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

      4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

      5 Openness

      5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

      5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

      6 Access and correction

      6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

      (a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

      (b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

      (c) providing access would have an unreasonable impact upon the privacy of other individuals; or

      (d) the request for access is frivolous or vexatious; or

      (e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

      (f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

      (g) providing access would be unlawful; or

      (h) denying access is required or authorised by or under law; or

      (i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

      (j) providing access would be likely to prejudice:

      (i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

      (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

      (iii) the protection of the public revenue; or

      (iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

      (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

      by or on behalf of an enforcement body; or

      (k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

      6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

      Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

      6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

      6.4 If an organisation charges for providing access to personal information, those charges:

      (a) must not be excessive; and

      (b) must not apply to lodging a request for access.

      6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

      6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

      6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

      7 Identifiers

      7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

      (a) an agency; or

      (b) an agent of an agency acting in its capacity as agent; or

      (c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

      7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

      Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

      7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

      (a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

      (b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

      (c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

      Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsections 100(2) and (3).

      7.3 In this clause:

      identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

      8 Anonymity

      Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

      9 Transborder data flows

      An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

      (a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

      (b) the individual consents to the transfer; or

      (c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or

      (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

      (e) all of the following apply:

      (i) the transfer is for the benefit of the individual;

      (ii) it is impracticable to obtain the consent of the individual to that transfer;

      (iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

      (f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

      10 Sensitive information

      10.1 An organisation must not collect sensitive information about an individual unless:

      (a) the individual has consented; or

      (b) the collection is required by law; or

      (c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

      (i) is physically or legally incapable of giving consent to the collection; or

      (ii) physically cannot communicate consent to the collection; or

      (d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:

      (i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

      (ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

      (e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

      10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:

      (a) the information is necessary to provide a health service to the individual; and

      (b) the information is collected:

      (i) as required or authorised by or under law (other than this Act); or

      (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

      10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:

      (a) the collection is necessary for any of the following purposes:

      (i) research relevant to public health or public safety;

      (ii) the compilation or analysis of statistics relevant to public health or public safety;

      (iii) the management, funding or monitoring of a health service; and

      (b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

      (c) it is impracticable for the organisation to seek the individual’s consent to the collection; and

      (d) the information is collected:

      (i) as required by law (other than this Act); or

      (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

      (iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

      10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

      10.5 In this clause:

      non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.

      Appendix 7

      Information Privacy Principles

      Principle 1 - Manner and purpose of collection of personal information

      1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

      (a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and

      (b) the collection of the information is necessary for or directly related to that purpose.

      2. Personal information shall not be collected by a collector by unlawful or unfair means.

      Principle 2 - Solicitation of personal information from individual concerned

      Where:

      (a) a collector collects personal information for inclusion in a record or in a generally available publication; and

      (b) the information is solicited by the collector from the individual concerned;

      the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

      (c) the purpose for which the information is being collected;

      (d) if the collection of the information is authorised or required by or under law - the fact that the collection of the information is so authorised or required; and

      (e) any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

      Principle 3 - Solicitation of personal information generally

      Where:

      (a) a collector collects personal information for inclusion in a record or in a generally available publication; and

      (b) the information is solicited by the collector;

      the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

      (c) the information collected is relevant to that purpose and is up to date and complete; and

      (d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

      Principle 4 - Storage and security of personal information

      A record-keeper who has possession or control of a record that contains personal information shall ensure:

      (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

      (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

      Principle 5 - Information relating to records kept by record-keeper

      1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

      (a) whether the record-keeper has possession or control of any records that contain personal information; and

      (b) if the record-keeper has possession or control of a record that contains such information:

      (i) the nature of that information;

      (ii) the main purposes for which that information is used; and

      (iii) the steps that the person should take if the person wishes to obtain access to the record.

      2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

      3. A record-keeper shall maintain a record setting out:

      (a) the nature of the records of personal information kept by or on behalf of the record-keeper;

      (b) the purpose for which each type of record is kept;

      (c) the classes of individuals about whom records are kept;

      (d) the period for which each type of record is kept;

      (e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and

      (f) the steps that should be taken by persons wishing to obtain access to that information.

      4. A record-keeper shall:

      (a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and

      (b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.

      Principle 6 - Access to records containing personal information

      Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

      Principle 7 - Alteration of records containing personal information

      1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

      (a) is accurate; and

      (b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

      2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

      3. Where:

      (a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

      (b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

      the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

      Principle 8 - Record-keeper to check accuracy etc of personal information before use

      A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

      Principle 9 - Personal information to be used only for relevant purposes

      A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

      Principle 10 - Limits on use of personal information

      1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

      (a) the individual concerned has consented to use of the information for that other purpose;

      (b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

      (c) use of the information for that other purpose is required or authorised by or under law;

      (d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

      (e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.

      2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

      Principle 11 - Limits on disclosure of personal information

      1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

      (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

      (b) the individual concerned has consented to the disclosure;

      (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

      (d) the disclosure is required or authorised by or under law; or

      (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

      2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.

      3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

      Financial Statements

      The Financial Statements are not available in this HTML version; they are available in the PDF version found at the top of this page. If you require the information in another format, contact us.

      Glossary

      AAT

      Administrative Appeals Tribunal

      ABN

      Australian Business Number

      ACMA

      Australian Communications and Media Authority

      AGIMO

      Australian Government Information Management Office

      AGD

      Attorney-General’s Department

      AHMAC

      Australian Health Ministers’ Advisory Council

      AHRC

      Australian Human Rights Commission

      ALRC

      Australian Law Reform Commission

      AML/CTF

      Anti-Money Laundering and Counter-Terrorism Financing

      APEC

      Asia Pacific Economic Cooperation

      APPA

      Asia Pacific Privacy Authorities

      APS

      Australian Public Service

      ASIC

      Australian Securities and Investments Commission

      ATO

      Australian Taxation Office

      AustLII

      Australasian Legal Information Institute

      AUSTRAC

      Australian Transaction and Reports Analysis Centre

      CDS

      Commonwealth Disability Strategy

      COAG

      Council of Australian Governments

      CRGIS

      Commonwealth Reference Group on Identity Security

      Customs

      Australian Customs Service

      DBCDE

      Department of Broadband, Communications and the Digital Economy

      DFAT

      Department of Foreign Affairs and Trade

      DHS

      Department of Human Services

      DIAC

      Department of Immigration and Citizenship

      DNCR

      Do Not Call Register

      DoHA

      Department of Health and Ageing

      DVA

      Department of Veterans’ Affairs

      DVS

      Document Verification Service

      EOI

      Evidence of Identity

      FAQs

      frequently asked questions

      FOI

      Freedom of Information

      GST

      goods and services tax

      HWI

      high wealth individuals

      ID

      identity

      IIA

      Internet Industry Association

      IEHR

      individual electronic health records

      IMCA

      Increased Medicare Compliance Audits

      IPPs

      Information Privacy Principles

      ISPs

      Internet Service Providers

      JACS

      Justice and Community Safety (ACT Department of)

      LMVDs

      Licensed Motor Vehicle Dealers

      MBS

      Medicare Benefits Schedule

      MOU

      Memorandum of Understanding

      NEHTA

      National E-Health Transition Authority

      NHMRC

      National Health and Medical Research Council

      NISCG

      National Identity Security Coordination Group

      NISS

      National Identity Security Strategy

      NPPs

      National Privacy Principles

      NRAS

      National Registration and Accreditation Scheme

      NTER

      Northern Territory Emergency Response

      OECD

      Organisation for Economic Cooperation and Development

      OH&S

      Occupational Health and Safety

      OMI

      Own Motion Investigation

      PAC

      Privacy Advisory Committee

      PAW

      Privacy Awareness Week

      PCO

      Privacy Contact Officer

      PIA

      Privacy Impact Assessment

      PID

      Personal Information Digest or Public Interest Determination

      PNR

      Passenger Name Record

      PPS

      Personal Properties Securities

      PSDs

      portable storage devices

      RAP

      Reconciliation Action Plan

      SES

      Senior Executive Service

      TFN

      tax file number

      WPISP

      Working Party on Information Security and Privacy