Australian Government - Office of the Australian Information Commissioner
2009-10 Annual Report of the Office of the Privacy Commissioner

The Operation of the Privacy Act Annual Report

1 July 2009 – 30 June 2010

Copyright © Commonwealth of Australia 2010

ISSN 1035-3372

The material in this publication constitutes Commonwealth of Australia copyright and is intended for your general use and information. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial, or educational use or use within your organisation. Apart from any use permitted under the Copyright Act 1968, all other rights are reserved.

Requests and enquiries concerning reproduction and rights should be addressed to Commonwealth Copyright Administration, Attorney-General’s Department, Robert Garran Offices, 3-5 National Circuit, Barton ACT 2600 or posted at www.ag.gov.au/cca.

Senator the Hon Joe Ludwig
Special Minister of State
Cabinet Secretary
Parliament House
CANBERRA ACT 2600

Dear Minister

I am pleased to submit to you, for presentation to the Parliament, the Annual Report for the Office of the Privacy Commissioner on the operation of the Privacy Act 1988 for the year ending 30 June 2010.

This report has been prepared in accordance with section 97 of the Privacy Act 1988, as well as the Requirements for Annual Reports 2009–10.

I certify that the Office has prepared fraud risk assessments and a fraud control plan and has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet the Office’s specific needs and comply with the Commonwealth Fraud Control Guidelines.

Yours sincerely

Timothy Pilgrim

Privacy Commissioner

31 August 2010

Contents

User’s Guide

Immediately following this User’s Guide, you will find the Privacy Commissioner’s Overview for 2009–10, which includes a summary of significant issues, developments and achievements during the year, and an outline of the year ahead.

This is followed by About the Office, which provides an outline of the Office’s functions and a summary of its 2009–10 activities, including key statistics.

The main chapters then follow, and the Annual Report is concluded by the Appendices, Glossary and Index.

Chapter 1 Respecting Privacy describes the Office’s work in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy representatives across Australian and ACT Government departments and agencies, handling media enquiries, maintaining the Office’s website and assisting with speeches and presentations by the Privacy Commissioner and members of staff.

Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of government agencies, monitoring data-matching activities and investigating and conciliating complaints.

Chapter 4 Management and Accountability contains an overview of the Office’s administrative arrangements, management of human resources and corporate governance.

The Appendices contain information required under specific legislation together with other useful material. These can be found following on from Chapter 4.

The Office of the Privacy Commissioner’s audited Financial Statements for 2009–10 are located immediately following the Appendices. The Glossary and Alphabetical Index can be found at the end of the report.

ACT Government

Information that relates directly to ACT Government matters can be found in sections 1.5, 3.7.1.1 and 4.1.3.

How to find out more

For enquiries about this report or for copies please contact:

Director
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001

Telephone: + 61 2 9284 9800

Fax: + 61 2 9284 9666

Email: privacy@privacy.gov.au

Website: www.privacy.gov.au

Enquiries line: 1300 363 992 local call

TTY: 1800 620 241 no voice calls

This report is also available free of charge on the Office of the Privacy Commissioner’s website at www.privacy.gov.au/materials/types/reports?sortby=29.

Non-English Speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.

Privacy Commissioner’s Overview 2009–10

The conclusion of the 2009–10 financial year marks the end of a chapter in the Office’s history. The Office began its life in 1989 as a branch of the then Human Rights and Equal Opportunity Commission. In 2000, with the profile of privacy increasing in Australia, the Office moved into the next stage of its development, becoming an independent statutory agency in its own right.

From 1 November 2010, the Office will move into its next phase, as it is integrated as a part of the Office of the Australian Information Commissioner (OAIC). Before I outline the opportunities and challenges that the Office will face in the year ahead, I would like to reflect on the achievements of the past 12 months.

The achievements of the Office over the reporting period are the result of the leadership of the then Privacy Commissioner, Karen Curtis.

Ms Curtis completed her six year term as the Privacy Commissioner on 12 July 2010. Her enthusiasm and dedication significantly contributed to building an Australian culture in which privacy is valued and respected. Milestones achieved under Ms Curtis’ leadership included the review of the private sector provisions in the Privacy Act, the development of the Strategic Plan and Client Service Charter and a greater focus on building relationships with key stakeholders.

Ms Curtis oversaw the establishment of the Privacy Authorities Australia forum, and was a champion for Privacy Awareness Week, which expanded its reach to Canada, Hong Kong and Korea during her term. She also ensured that the Office took the opportunity to shape the future of privacy law in Australia by overseeing our engagement with the Australian Law Reform Commission’s (ALRC) Privacy Inquiry.

Despite the changes on the horizon, during 2009–10 the Office remained firmly focused on achieving high quality results, increasing awareness of privacy choices and obligations, developing robust relationships, and building a confident and competent workforce in line with its Strategic Plan.

The Office again partnered with other data protection authorities from across the Asia-Pacific region to celebrate Privacy Awareness Week (PAW) in May 2010. The theme for PAW was Privacy: It’s In Your Hands. This theme conveyed the message that organisations and agencies have a responsibility to protect individuals’ personal information and that individuals need to think about how they can safeguard their own personal information.

During PAW, the Office launched a range of new guidance material, including information sheets on ID scanning in pubs and clubs and the handling of personal information in emergencies and disasters. It also launched a new module of the Privacy Impact Assessment Guide targeting the private sector. These publications were very well received.

One of the particular highlights of 2009–10 was the launch of the Office’s redeveloped website. The website’s structure and navigation were reworked to improve accessibility, and to create a fresh, modern and visually appealing look.

Another major achievement was the level of engagement the Office had with government, business, community organisations and individuals. The Office entered into a number of new financial memoranda of understanding, including with the Department of Human Services, the Department of Infrastructure, Transport, Regional Development and Local Government and the Australian Transport Safety Bureau, under which it was able to deliver tailored privacy advice and conduct audits.

In addition to these achievements, the Office has continued to deliver on its core functions. It worked hard to ensure that privacy issues were considered in the development of government policy. This is evidenced by the significant increase in the number of submissions the Office made to government departments and parliamentary inquiries.

In a year in which privacy issues often made headlines, the Office dealt with a high volume of privacy enquiries and complaints, and reduced the average length of time required to resolve complaints. It has also substantially expanded its audit program, and for the first time since 2003, it commenced audits into the information-handling practices of credit reporting agencies.

The year ahead

The Australian Information Commissioner Act 2010 and the Freedom of Information Amendment (Reform) Act 2010 passed through Parliament and received Royal Assent in May 2010. A number of the reforms that these Acts will bring about, including the establishment of the OAIC, will take effect on 1 November 2010. The OAIC will be headed by the Australian Information Commissioner, a new statutory position. The other two statutory positions in the OAIC will be the Freedom of Information Commissioner (a new position) and the Privacy Commissioner.

The OAIC will have responsibilities in the areas of privacy, freedom of information and government management of information. Over the last few months, I have been working closely with the Australian Information Commissioner Designate, Professor John McMillan AM, in preparation for the OAIC’s establishment. During that time, I have established an excellent working relationship with Professor McMillan, and I look forward to working with him into the future with the commencement of the OAIC.

In October 2009, the Australian Government released its first stage response to the ALRC’s Report For Your Information: Australian Privacy Law and Practice. The response outlined the Government’s position on 197 of the ALRC’s recommendations. These included the development of a single set of nationally consistent privacy principles, redrafting and updating the Privacy Act, strengthening and clarifying the Privacy Commissioner’s powers and introducing comprehensive credit reporting.

On 24 June 2010, the Government released the exposure draft of the new ‘Australian Privacy Principles’, and referred them to the Senate Finance and Public Administration Committee. It is expected that other parts of the draft legislation will be referred to the Committee as they are drafted, and that the Committee will produce a final report by 1 July 2011. The Office looks forward to engaging with relevant stakeholders as this reform process progresses.

In 2010–11, the Office will continue to raise privacy awareness among businesses, government and individuals. Another key focus during the upcoming year will be on international developments in privacy.

I am committed to continuing to strengthen the Office’s relationships with regional and international privacy enforcement authorities. I look forward to engaging with our partners across the region, through the Asia Pacific Privacy Authorities forum and the Asia Pacific Economic Cooperation (APEC) Privacy Framework, and further afield, through the International Conference of Data Protection and Privacy Commissioners and the Organisation for Economic Co-operation and Development’s Working Party on Information Security and Privacy.

One of the highlights of the upcoming year will be the commencement of the APEC Cross Border Privacy Enforcement Arrangement, which comes into force on 16 July 2010. The Arrangement, of which the Office will be a co-administrator, will provide a framework for privacy regulators to cooperate, and to seek information and advice from each other on cross-border enforcement matters.

I look forward to the period of change that lies ahead. I am confident that the Office can embrace the opportunities that this transition presents, as it embarks upon this new chapter.

Timothy Pilgrim

Privacy Commissioner

About the Office

Privacy Commissioner’s Functions

The Privacy Commissioner has specific statutory functions under ss 27, 28 and 28A of the Privacy Act. These functions include, among other things, investigating possible breaches of the Privacy Act, undertaking audits of agencies or organisations to ensure compliance with the Privacy Act, providing advice to agencies and organisations on matters related to privacy, and promoting and encouraging the adoption of privacy standards in the community.

One of the key responsibilities of the Office is to handle complaints. Individuals who believe that their privacy may have been interfered with by an agency or organisation are able to lodge a complaint with the Office under s 36 of the Privacy Act. The Privacy Commissioner may then undertake preliminary inquiries of the respondent to determine whether there are grounds, and whether the Privacy Commissioner has jurisdiction, to formally open an investigation into the complaint under s 40(1) of the Privacy Act.

Staff members of the Compliance section conciliate between the parties to attempt to adequately resolve the dispute. If the parties are not able to come to a mutually satisfactory agreement, the Privacy Commissioner is able to make a determination under s 52 of the Privacy Act to dismiss the complaint. Alternatively, the Privacy Commissioner is able to find in favour of the complainant and decide upon suitable orders to remedy the breach. The orders are enforceable in the Federal Court or Federal Magistrates Court under s 55A of the Privacy Act.

Generally, a complaint must be in writing. The Office is obliged to provide appropriate assistance to people who require it in order to help formulate and appropriately set out the particulars of a complaint.

Individuals cannot complain to the Privacy Commissioner about organisations which are bound by a privacy code approved by the Privacy Commissioner, when that code has its own code adjudicator. However, individuals may ask the Privacy Commissioner to review a determination made by a code adjudicator under s 18BI of the Privacy Act.

The Privacy Commissioner has the power to launch investigations under s 40(2) of the Privacy Act. These are referred to as own motion investigations (OMIs). The Privacy Commissioner undertakes OMIs where it appears that a breach of the Privacy Act may have occurred and it is thought to be desirable that an OMI be undertaken, for example where the alleged breach is not limited to one complainant, or where the alleged breach raises systemic and/or ongoing issues.

The Office’s Policy section assists the Privacy Commissioner in providing advice on privacy issues, including interpreting the operation of the Privacy Act, to Ministers, Australian and ACT Government agencies, and private sector organisations. The section develops guidance material (such as guidelines, information sheets and FAQs) to help explain the operation of the Privacy Act and the Privacy Commissioner’s functions.

The Policy section examines enactments and proposals from agencies, advising on their potential privacy implications and their overall compliance with the Privacy Act. It assists the Privacy Commissioner in carrying out other functions under the Privacy Act, as well as prescribed functions under the National Health Act 1953, the Telecommunications Act 1977 and the Crimes Act 1914. The section also assists the Privacy Commissioner to contribute to international developments in privacy enforcement, through the Asia Pacific Economic Cooperation Privacy Framework and the Organisation for Economic Co-operation and Development’s Working Party on Information Security and Privacy.

The Office’s Corporate and Public Affairs section manages the public profile of the Office and the Privacy Commissioner, provides secretariat support and manages the Office’s corporate responsibilities. The section is responsible for developing and maintaining the Office’s website, handling media enquiries, and providing a secretariat role to several committees and networks including the Government Privacy Contact Officer network, Privacy Connections network, Privacy Advisory Committee, the Asia Pacific Privacy Authorities forum and the Privacy Authorities Australia forum. The section also liaises with key stakeholders, including domestic bodies and international authorities, and handles the Office’s corporate governance responsibilities.

Chart 1 Organisational Structure

The year in review – a summary

A brief summary of the Office’s performance in 2009–10 is outlined below. A more detailed review of performance is contained in Chapters 1–4. The Office’s Strategic Plan and our Portfolio Budget Statement outcomes and outputs are in Appendices 2 and 3 respectively.

Telephone Enquiries

The Office received 20 935 telephone enquiries in 2009–10 compared with 21 178 in 2008–09. This represents about a 1% decrease in enquiries received by the Enquiries Line. See section 3.2.1 for further information.

Written Enquiries

The Office received 1909 enquiries by email, post or facsimile in 2009–10 compared with 2078 in 2008–09. This represents a slight decrease in the number of written enquiries received by the Office from the previous year. The Office is committed to responding to 90% of written enquiries in 10 working days. This benchmark was met in 2009–10, with more than 96% of written enquiries responded to in 10 working days or less. See section 3.2.2 for further information.

Complaints

The Office received 1201 complaints in 2009–10 compared with 1089 in 2008–09. This represents a 10% increase in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1203 complaints in 2009–10, compared to 1357 in the previous year.

Case Notes

The Office published 27 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may be of interest to the community. Case notes also demonstrate to members of the public how the Privacy Commissioner handles complaints. Case notes also serve as a possible indication of the Privacy Commissioner’s view in relation to aspects of privacy law. See section 3.5 for further information.

Legislative Instruments

During 2009–10 the Privacy Commissioner determined three public interest determination applications and approved genetic disclosure guidelines.

In December 2009, under s 95AA of the Privacy Act, the Privacy Commissioner approved new guidelines which were developed by the National Health and Medical Research Council. These guidelines permit doctors to disclose information to a genetic relative of a patient without the patient’s consent, but only in situations where they reasonably believe that disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the patient’s relative. As well, to accompany those guidelines, the Privacy Commissioner issued Temporary Public Interest Determinations (TPIDs) which allow medical practitioners to collect or use the contact details of a patient’s genetic relatives in situations where the guidelines permit the disclosure of information. The guidelines and TPIDs do not require disclosure of information, but rather provide the framework for this to occur in appropriate circumstances. More information is available at www.privacy.gov.au/law/act/genetic.

In May 2010 the Privacy Commissioner issued a TPID to allow the Department of Immigration and Citizenship to disclose a limited set of specific personal information about current and former student visa holders to all police jurisdictions and the Australian Institute of Criminology (AIC). The information will be used in a de-identified form by the AIC to compile a report about the victimisation rate of international students. More information is available at www.privacy.gov.au/law/act/pid#temporary.

Media

The Office received 201 media enquiries in 2009–10. This represents a 33% increase on the 151 media enquiries received in 2008–09. See section 2.7 for further information.

Speeches

In 2009–10, 26 speeches and presentations were delivered. These speeches and presentations largely addressed emerging privacy issues. For further information see section 2.8.

Policy Advices

The Office produced approximately 198 advices on significant policy issues. Policy advices include substantive letters and emails to government departments and agencies and private sector organisations on specific proposals, advice for guidance material published by the Privacy Commissioner and advice for inclusion in other reports and published documents.

Submissions

In 2009–10, the Privacy Commissioner provided 41 submissions to government departments and parliamentary inquiries on policy proposals or legislation, providing analysis on the privacy implications of the proposals and offering advice on methods to ensure privacy is appropriately considered and protected. These submissions are listed in Appendix 6. All Office submissions to public consultations are available at www.privacy.gov.au/materials/types/submissions?sortby=65.

Chapter 1 Respecting Privacy

1.1 Review of Performance

During the reporting period, the Office continued its role of providing advice to Australian and ACT Government agencies on new policy proposals, legislative and regulatory changes, and agency practices that may have a significant impact on the handling of personal information.

Much of this advice has focused on the importance of appropriate privacy protections in ensuring community trust and confidence in public administration.

The Office also provided advice to the private sector and to consumers. This advice has included the release of new information sheets, answers to frequently asked questions and the provision of advice in response to specific issues.

A key focus for the year has been to continue liaison with the Department of the Prime Minister and Cabinet in relation to privacy law reform. The Office welcomed the release of the Government’s first stage response to the Australian Law Reform Commission’s (ALRC) Report For Your Information: Australian Privacy Law and Practice (ALRC Report 108) on 14 October 2009, and the release of an exposure draft of the proposed Australian Privacy Principles on 24 June 2010.

The Office also provided detailed guidance to businesses through the release of information sheets on scanning of identity documents (e.g. driver’s licences) in pubs and clubs and on the use or disclosure of genetic information to lessen or prevent a serious threat to the life, health or safety of a patient’s genetic relatives. This guidance material progresses actions identified in the Office’s current Strategic Plan.

In addition to the matters outlined above, the Office made 41 public submissions during the period and provided approximately 198 other pieces of significant advice to agencies and organisations on a large range of privacy issues.

1.2 Privacy Law Reform

The Australian Government released its first stage response to the Australian Law Reform Commission’s (ALRC) Report For Your Information: Australian Privacy Law and Practice (ALRC Report 108) on 14 October 2009.

The response, entitled ‘Enhancing National Privacy Protection’, outlines the Australian Government’s position on 197 of the ALRC’s recommendations relating to:

  • developing a single set of privacy principles
  • redrafting and updating the structure of the Privacy Act
  • addressing the impact of new technologies on privacy
  • strengthening and clarifying the Privacy Commissioner’s powers and functions
  • introducing comprehensive credit reporting and enhanced protections for credit reporting information
  • enhancing and clarifying the protections around the sharing of health information and the ability to use personal information to facilitate research in the public interest.

The Government released an exposure draft of the single set of privacy principles on 24 June 2010. The exposure draft of these new ‘Australian Privacy Principles’ was sent to the Senate Finance and Public Administration Committee. Other parts of the draft legislation, on credit reporting, health information and research and on the powers of the Office, will be provided to the Senate Committee as they are drafted. The Committee is scheduled to produce a final report by 1 July 2011.

More information can be found at www.dpmc.gov.au/privacy/reforms.cfm.

The Office provided substantial input to the ALRC’s inquiry leading up to ALRC Report 108 and subsequently to the Government response. The Office remains committed to promoting privacy regulation that balances the interests of all stakeholders, and which continues to foster an Australian culture that respects and values privacy.

1.3 Office of the Australian Information Commissioner

The Australian Government announced as part of its 2007 election policies that it would reform the Freedom of Information Act 1982 (FOI Act) with the principal objects of promoting a pro-disclosure culture across the Government and building a stronger foundation for more openness in government.

In March 2009, the Government announced further measures to implement freedom of information (FOI) reform which included the establishment of a new Office of the Australian Information Commissioner. The new Office is to be headed by an Australian Information Commissioner (a new statutory position), and include an FOI Commissioner (another new statutory position) and the Privacy Commissioner (an existing statutory position).

In May 2009, the Office made a submission in response to the release of the exposure drafts of the Information Commissioner Bill 2009 and the FOI Amendment (Reform) Bill 2009. In its submission, the Office indicated its broad support for the anticipated reforms outlined in the exposure draft and provided some recommendations to enhance the Information Commissioner Bill.

The Government made a number of changes to the draft Bills and introduced the Information Commissioner Bill 2009 and the Freedom of Information Amendment (Reform) Bill 2009 into the Parliament on 26 November 2009. The Bills were referred to the Senate Finance and Public Administration Committee for inquiry. The Senate Finance and Public Administration Committee made its report available on 16 March 2010.

The Australian Information Commissioner Act 2010 and the Freedom of Information Amendment (Reform) Act 2010 passed through the Parliament on 13 May 2010. Both acts received Royal Assent on 31 May 2010. The majority of the measures, including the establishment of the new Office of the Australian Information Commissioner, will commence on 1 November 2010.

The Government allocated funding in the 2009–10 budget of $19.4 million over four years to the Office of the Australian Information Commissioner. On 26 February 2010, the Government appointed Professor John McMillan AO as the Australian Information Commissioner Designate.

1.4 Privacy and the Australian Government

This section discusses the work the Office undertook during the reporting period in relation to Commonwealth legislation and/or Australian Government activity. Please note that some areas of the Office’s work relating to the Australian Government are discussed in other sections of this Chapter.

1.4.1 Service Delivery Reform

Major reforms to the delivery of services by the Australian Government were announced by the Minister for Human Services in December 2009. The Service Delivery Reform (SDR) program is being undertaken within the Human Services Portfolio and is intended to give Australians better access to social, health and welfare services. Some aspects of the reform program, such as the co-location of agencies and the increased coordination and linking of services, will involve changes to the way that individuals’ personal information is handled.

In recognition of the importance of community trust to the success of SDR, the Department of Human Services (DHS) has committed to ensuring that privacy protections are built into the reforms from the outset. DHS has also undertaken to work closely with the Office during all stages of the reform process. During the reporting period, it signed a memorandum of understanding with the Office (see section 4.1.10 for further information).

Since February 2010, the Office has advised DHS on a range of privacy-related aspects of SDR, including an overall approach to privacy and processes for conducting privacy impact assessments. Responsibility remains with DHS to ensure adequate individual choice, control and respect for personal information throughout the reforms, and the Office welcomes DHS’s efforts and the opportunities for input to date. The Privacy Commissioner is also a member of the Interdepartmental Committee set up to advise on SDR and consider the reforms from a whole-of-government perspective.

1.4.2 Welfare Reform

In February 2010, the Office made a submission to the Senate Standing Committee on Community Affairs Inquiry into the Social Security and Other Legislation Amendment (Welfare Reform and Reinstatement of Racial Discrimination Act) Bill 2009 (the Bill). The Bill proposes amendments to several Acts relating to income management arrangements.

The Bill generally gives effect to a scheme of income management that will initially commence in the Northern Territory. If deemed successful, this will be a first step in a future rollout to disadvantaged regions across Australia. The Bill’s aim is to support disengaged and vulnerable welfare recipients in the most disadvantaged locations in Australia.

The Office’s submission to the Senate Inquiry made several recommendations on privacy-related aspects of the Bill, including for the education of community store owners and staff on information privacy; the inclusion of appropriate information handling practices in the licensing conditions for community stores; and the use of privacy impact assessments to assess the impact of measures that may involve additional handling of personal information.

1.4.3 Electoral Reform

In December 2009, the Office made a submission to the Department of the Prime Minister and Cabinet on the Australian Government Electoral Reform Green Paper – Strengthening Australia’s Democracy.

The Green Paper canvassed options to increase participation in elections through the introduction of automatic or online enrolment and updating processes.

The Office supported the consideration given in the Electoral Reform Green Paper to the importance of protecting personal information in enrolment processes and building good privacy practice into the electoral architecture.

The Office made several recommendations to enhance privacy protections, including that:

  • individuals should be able to opt in to such processes and be provided with clear notice about sharing of their information between agencies
  • any data-matching done as part of an automated scheme should have its purpose narrowly defined as maintaining the accuracy of the electoral roll
  • robust identity verification and management processes be built into enrolment processes
  • the range of documents accepted as evidence of identity be expanded to provide flexibility for individuals.

1.4.4 Superannuation Reform Review

In 2009–10, the Australian Government commissioned an independent review of the governance, efficiency, structure and operation of the Australian superannuation system (the Cooper Review).

In December 2009, the Office made a submission to the Cooper Review’s Phase Two: Operation and Efficiency Issues Paper (Issues Paper) which raised the issue of extending the use of Tax File Numbers (TFNs) to promote greater efficiency in the superannuation system.

The use of TFNs is tightly regulated by taxation law and the Privacy Commissioner’s Tax File Number Guidelines. Authorised uses currently include limited purposes under taxation, superannuation and assistance agency (welfare payment) laws. The Office noted that it has no in-principle objections to the proposal to use TFNs in limited circumstances for tracing and consolidating superannuation accounts, provided that the proposal is accompanied by appropriate legal authorisation and strict privacy safeguards.

The Office made a number of suggestions to reduce potential privacy risks, such as:

  • limiting the extension of TFN use to specific purposes outlined in legislation
  • considering the practicality and benefit of giving individuals the option not to participate or to opt out of their TFN being used for such matching
  • clearly delineating what new TFN-handling activities are authorised, to ensure compliance with relevant laws
  • raising awareness among superannuation fund members regarding any changes to the way funds handle their TFN, including prior adequate notice
  • undertaking a privacy impact assessment (PIA).

In March 2010, the Cooper Review produced a preliminary report SuperStream: Bringing the Back Office of Super into the 21st Century. The Office welcomes the report’s recommendations which clarify and enhance privacy protections, including a general recommendation that a PIA be undertaken to help identify and assess any privacy impacts of the SuperStream proposals.

1.4.5 Secrecy

1.4.5.1 Australian Law Reform Commission review of secrecy

The Office made a submission to the Australian Law Reform Commission’s (ALRC) review of secrecy in August 2009 in which it reiterated views raised in earlier submissions. In particular, the Office suggested that where a secrecy provision regulated personal information, the provision should be required to address its interaction with the Privacy Act in order to clarify areas of uncertainty and overlap. The Office also suggested that privacy impact assessments (PIAs) be undertaken in relation to any new secrecy provision or any significant change to an existing provision.

The ALRC’s report, Secrecy Laws and Open Government (ALRC Report 112), was tabled in Parliament on 11 March 2010. In it, the ALRC recommended that the Australian Government conduct a PIA for a proposed secrecy provision that would require or authorise information-handling practices that significantly detract from the standards set out in the Privacy Act. While the ALRC made no formal recommendation on having secrecy provisions clarify their interaction with the Privacy Act, it did reaffirm earlier recommendations made in its review of privacy law (ALRC Report 108). In that report, the ALRC recommended that proposed laws that intended to rely on the ‘required or authorised by law’ exception in the Privacy Act should state this expressly.

1.4.5.2 Tax laws amendment

In December 2009, the Office made a submission to the Senate Standing Committee on Economics’ (the Committee) inquiry into the Tax Laws Amendment (Confidentiality of Taxpayer Information) Bill 2009.

The Bill amends the secrecy and disclosure provisions applying to taxation information currently spread over many taxation law acts by consolidating and standardising them into a single framework in Schedule 1 of the Taxation Administration Act 1953. The Bill is also intended to provide clarity and certainty to taxpayers, the Australian Taxation Office and users of taxpayer information. It also provides guiding principles to assist in framing any additional disclosure provisions in the future.

The Office welcomed the Bill, noting in particular that the exceptions permitting disclosure will not extend to taxpayer information that became publicly available only as a result of a security breach or a breach of another law. It also welcomed the broad range of factors, outlined in the Explanatory Memorandum, that need to be considered when assessing whether the public benefit of disclosure clearly outweighs taxpayer privacy.

1.4.6 Government 2.0 Taskforce

In June 2009, a Government 2.0 Taskforce was established by the Australian Government to explore opportunities for harnessing web 2.0 technologies in the public sector. The work of the Taskforce in the second half of 2009 fell into two main streams:

  • options for encouraging disclosure of public sector information in forms that encourage reuse and removing barriers to disclosure
  • ways to encourage public sector use of web 2.0 tools such as blogs, wikis and social networks to encourage greater participation in government.

The Office made two submissions to the Taskforce on privacy issues that arise in relation to government 2.0 initiatives and also had a staff member seconded to the Taskforce Secretariat.

In particular, the Office suggested that it would be useful to develop guidance on adequate de-identification of public sector data. This would encourage disclosure while protecting privacy. The Taskforce took up this suggestion, recommending in its final report that the Privacy Commissioner develop guidance on the issue. In its submissions, the Office also encouraged options for anonymity for individuals interacting with government blogs and wikis.

The Taskforce delivered its final report in December 2009, and in April 2010, the Government responded to the report, taking up many of the Taskforce’s recommendations. It noted the Taskforce’s recommendation in relation to privacy. The Office continues to monitor developments in this area.

1.4.7 Identity Security

The Privacy Commissioner is a member of the National Identity Security Coordination Group (NISCG) and the Commonwealth Reference Group on Identity Security (CRGIS), convened by the Attorney-General’s Department.

The NISCG convenes a number of working groups, and the Office is represented on all of them. There are currently three joint Commonwealth, state and territory working groups under the National Identity Security Strategy. They are:

  • Identity and Data working group
  • Biometrics, Authentication and Security Standards working group
  • Identity Management and Disasters working group.

There are four working groups under the Commonwealth Reference Group. Membership of these working groups is limited to Australian Government agencies. The groups are:

  • data-matching
  • biometrics
  • online enrolment and e-verification
  • use of name.

In its role on these working groups, the Office provides advice to Government and key agencies on the privacy implications of their initiatives.

In particular, the Office has focused on the development of the Document Verification Service (DVS).

The Office had also undertaken to conduct two audits per calendar year on various aspects of the DVS. However, the Office and the Attorney-General’s Department agreed to carry out only one audit this financial year. This audit examined Centrelink’s handling of error messages in its role as the Hub Manager of the DVS and was conducted on 17 May 2010 (see section 3.7.1.2 for more information).

1.4.8 Review of Part 1D of the Crimes Act 1914

The Privacy Commissioner was a member of the committee, chaired by Mr Peter Ford, that was responsible for conducting an independent review of Part 1D of the Crimes Act 1914. In February 2009, the Office made a submission to the Attorney-General’s Department regarding this review.

Part 1D regulates forensic procedures undertaken in relation to the investigation of crimes, missing persons and unknown deceased persons, including identifying disaster victims.

The Office made a number of recommendations associated with the proposed reforms including:

  • recommendations about improving notices to individuals about how their DNA sample will be used
  • that consideration be given to establishing a separate register for victims’ profiles, given the sensitivities associated with these profiles
  • that the Crimes Act make clear that the destruction of forensic material encompasses both the physical destruction of the sample and the permanent de-identification of the profile.

1.4.9 Personal Property Securities Register

In 2009–10, the Office continued to provide advice to the Attorney-General’s Department (AGD) on the development of the personal property securities scheme.

The scheme aims to harmonise Australia’s personal property securities laws in one national law and establish a national online Personal Property Securities Register (PPS Register).

In July 2009, AGD released its privacy impact assessment (PIA) into the operation of the scheme, including the PPS Register. The Office provided comments to AGD on relevant issues during the development of the PIA.

In July 2009, the Office also made a submission to the Senate Legal and Constitutional Affairs Committee’s (the Committee) inquiry into the Personal Property Securities Bill 2009 (PPS Bill). In August 2009, the Deputy Privacy Commissioner and the Director, Policy appeared before the Committee in relation to the PPS Bill.

The Office noted that it supported all the recommendations of the PIA. The Office also made a number of suggestions for amending the PPS Bill and the accompanying Explanatory Memorandum to clarify the complaint mechanisms about inappropriate searches of the PPS Register.

In August 2009, the Committee released its report on the PPS Bill. The Report recommended that the PPS Bill be passed subject to the Government addressing concerns raised in the submissions to the inquiry. The Government substantially accepted the findings of the PIA, the Committee’s Report and the Office’s submission.

In November 2009, the Office made a submission to the Committee’s inquiry into the Personal Property Securities (Consequential Amendments) Bill 2009 (PPS Amendments Bill). The Office noted its support for amendments to the Privacy Act made under the PPS Amendments Bill, which relate to certain acts involving the PPS Register being interferences with privacy. The Office played an active role in the development of the amendments through comments to AGD.

In November 2009, Parliament passed the PPS Bill and the PPS Amendments Bill and in December 2009 both Bills received royal assent. The Personal Property Securities Act 2009 and the Personal Property Securities (Consequential Amendments) Act 2009 will apply after the registration of PPS commences, expected to be in May 2011.

1.4.10 Spent Convictions

In January 2009, the Office made a submission to the Attorney-General’s Department in relation to the Draft Model Spent Convictions Bill 2008 (the Model Bill). The Spent Convictions Act 2009 (SA) was passed and received royal assent in December 2009, but has not yet commenced.

The Office suggested that the Model Bill include provision for individuals to complain to a privacy or information commissioner or other relevant authority. The Office also suggested that the Privacy Commissioner should have the power to assess and advise on proposed exclusions to the spent convictions scheme.

The Office notes that neither of these suggestions has been adopted in the Spent Convictions Act, although the Model Bill included a drafting note to the effect that a complaint avenue to a privacy commissioner may be considered.

The Office considers that having a Privacy Commissioner with the power to assess and advise on proposed exclusions to a spent convictions scheme would provide an important oversight mechanism for ensuring that exclusions are appropriate. The omission of a role for Privacy or Information Commissioners in the Model Bill lessens the privacy protections for individuals.

In September 2009, the Office made a submission to the Senate Legal and Constitutional Affairs Committee in relation to the Crimes Amendment (Working With Children—Criminal History) Bill 2009. The amendment sought to create an exception to the spent convictions provisions in the Crimes Act 1914 requiring the disclosure of spent, pardoned and quashed convictions for the purposes of undertaking background checks on persons working or seeking to work with children. The Deputy Privacy Commissioner and the Director, Policy subsequently appeared before the Committee in public hearings in November 2009.

The Office provided detailed suggestions in relation to ensuring that background screening units do not take account of irrelevant criminal history information, handle this information securely and do not use or disclose it for an irrelevant purpose, including that screening units be covered by appropriate privacy laws or guidelines.

In October 2009, the Office made a submission to the ACT Department of Disability, Housing and Community Services in relation to the discussion paper, A Working with Vulnerable People Checking System for the ACT. The Office suggested that the scope and type of personal information collected and used for background checks (including information normally excluded under the Spent Convictions Scheme) be limited to ensure that only necessary and relevant information is collected.

1.4.11 Body Scanning

During 2008, the Office of Transport Security (OTS), as part of their Aviation Security Screening Review, consulted the Office about the proposal to trial body scanning technology for use at Australian airports to detect liquids, aerosols, gels and other dangerous goods.

The Office provided some advice to the OTS about privacy impact assessments and trialling of these new technologies. This advice emphasised that implementing good privacy practices was important in gaining community confidence.

During the 2008 trial of body scanning technologies, staff from the Office visited Sydney International Airport to view the operation of a backscatter x-ray screening device on volunteer passengers. The Office formed the view that it was unlikely that the scanned images would constitute personal information as the system, as viewed, was set up so that the images were not linked with other identifying information.

On 9 February 2010, the Government announced it would be introducing body scanners into Australian international airports as one of a range of measures to improve Australia’s aviation security.

The Office has entered into a Memorandum of Understanding with the OTS, under which it will provide specific advice about privacy enhancing technologies and practices that may be adopted in the body scanning process.

1.4.12 Cockpit Voice Recorder Inquiry

In 2009, the Civil Aviation Act 1988 was amended by the Aviation Legislation Amendment (2008 Measures No. 2) Act 2009.

Amendments under s 4 of the Aviation Legislation Amendment Act required the Privacy Commissioner to examine the privacy implications for flight crew members of the provisions of the Civil Aviation Act relating to the copying or disclosure of Cockpit Voice Recorder information for maintenance purposes. The Privacy Commissioner was also required to produce a written report to the Minister for Infrastructure, Transport, Regional Development and Local Government, the Hon Anthony Albanese MP, by 26 June 2010 about the first 12 months of the operation of the provisions.

The Office met a range of stakeholders to determine the privacy implications of these amendments, and provided a report to Minister Albanese on 22 June 2010.

The Office found that industry maintenance practices in general do not involve the copying or disclosure of Cockpit Voice Recorder information. The Office has recommended that clear guidelines be established regarding:

  • when flight crew should be provided with written notification of Cockpit Voice Recording maintenance activities
  • what training should be provided to maintenance crew to satisfy requirements in the Civil Aviation Regulations 1988
  • what complaint mechanisms are available to flight crew members in relation to the handling of Cockpit Voice Recording information during maintenance checks.

1.4.13 Territories Law Reform Bill 2010

The Territories Law Reform Bill 2010 (the Bill) amends the Norfolk Island Act 1979 to implement significant reforms aimed at improving governance structures and strengthening accountability mechanisms for Norfolk Island.

In relation to privacy, the Bill proposes that Norfolk Island public sector agencies adhere to the Information Privacy Principles (IPPs) contained in s 14 of the Privacy Act in the same manner as Australian Government public sector agencies.

The Office was consulted in the development and drafting of the Bill and provided input into specific provisions of the Bill through that process.

On 18 March 2010, the Senate referred the Bill to the Joint Standing Committee on the National Capital and External Territories for inquiry. The Committee delivered its report on 11 May 2010, recommending that the Bill be passed by the Senate.

1.5 Privacy and the Australian Capital Territory Government

The Office continued to provide advice to Australian Capital Territory (ACT) Government agencies in 2009–10 under a Memorandum of Understanding (see section 4.1.3 for more information). The Office provided comments to the following agencies:

  • The Department of Disability, Housing and Community Services on its Discussion Paper, A Working with Vulnerable People Checking System for the ACT. The Office made several suggestions intended to enhance community confidence in the personal information handling that would occur under the proposal. This included the suggestion that a privacy impact assessment (PIA) be conducted for the proposed background checking system.
  • The Department of Territory and Municipal Services in relation to proposed amendments to the Domestic Animals Act 2000 (ACT) to facilitate the disclosure of the names and addresses of owners of dogs involved in attacks. The Office noted that such a provision should be well defined, clarify the purposes for disclosure, and limit disclosures to when they are necessary.
  • The ACT Planning and Land Authority in relation to the proposed Planning and Development Amendment Bill (No. 2) (ACT). The Office advised on the obligations under the Information Privacy Principles arising from the transfer of personal information from another ACT Government agency to the ACT Planning and Land Authority, noting in particular that any exchange of information should be limited to that which is necessary to fulfil the purpose of the Bill.
  • The ACT Planning and Land Authority on proposed amendments to the ACT building and safety laws to facilitate information sharing between regulatory agencies for the purposes of public safety. The Office suggested that any such authorisation be narrowly drafted and expressly identify the purposes for which the information can be exchanged between agencies.
  • The ACT Department of Education and Training on its Access to Student Records Policy and internal implementation procedures. The Office suggested that a PIA be conducted, and that the policy provide further guidance on the definition of parental responsibility to ensure access is granted appropriately. The Office also suggested a case-by-case approach to assessing children to determine their capacity to be involved in decisions about how their information is handled.
  • ACT Treasury in relation to ensuring the proposed model Occupational Licensing National Law Act 2010 (ACT) is compliant with the Privacy Act. The Office suggested that the public register should collect, use and disclose the minimum amount of personal information necessary, and that appropriate notice be provided to licensees regarding the collection, storage, use and disclosure of their personal information.

1.6 Privacy and Business

1.6.1 Information Sheets

The Office released three new information sheets during the reporting period.

Information Sheet (Private Sector) 30 – ID Scanning in clubs and pubs provides compliance tips and examples for clubs and pubs when they copy, scan or collect personal information about their patrons.

Information Sheet (Private and Public Sectors) 1 – Emergencies and Disasters discusses how the Privacy Act applies to the handling of personal information in declared emergencies or disasters.

Information Sheet (Private Sector) 29 – Use or disclosure of genetic information in the private health sector addresses the issue of use and disclosure of genetic information by private sector health service providers. In particular, it provides guidance on how health professionals could use and disclose a patient’s genetic information to lessen or prevent a serious threat to the life, health or safety of the patient’s relatives.

These information sheets are available at www.privacy.gov.au/materials/types/infosheets?sortby=32.

1.6.2 Private Sector Advice

Under s 27(1)(d) of the Privacy Act, one of the Privacy Commissioner’s functions is to promote an understanding and acceptance of the National Privacy Principles (NPPs).

In line with this function and with its Strategic Plan, the Office aims to work collaboratively and provide quality advice. The Office has continued to provide advice about the operation of the NPPs including on such matters as:

  • personal information handling by welfare organisations
  • privacy of patient records during practitioner assessments
  • implementation of smart meters and development of smart grids
  • social networking
  • reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing legislation
  • use of personal information by real estate agents, landlords and lessors.

Further, in accordance with its strategic commitment to develop private sector communication, the Office took the opportunity to present papers to a number of conferences and industry bodies, including the Biometrics Institute of Australia and the Australian Finance Conference, during the reporting period.

The Office also produced a range of information sheets for businesses and materials for consumers (see sections 1.6.1, 1.10 and 2.5 for more information).

1.6.3 Privacy Codes

Part IIIAA of the Privacy Act allows organisations to apply to the Privacy Commissioner for approval of a privacy code that will replace the National Privacy Principles for organisations bound by that code.

During the reporting period there were no new code applications. The Biometrics Institute Privacy Code (the Code), which was approved by the Privacy Commissioner in July 2006 and took effect from 1 September 2006, was reviewed.

In September 2009, the Biometrics Institute issued a report on the review of the Code. The review’s key recommendation was that any redrafting of the Code await the reforms to the Privacy Act. The Office agreed with the recommendation.

For information on complaints under privacy codes, see section 3.4.

1.6.4 Credit Reporting

In October 2009, the Australian Government released its first stage response to recommendations made by the Australian Law Reform Commission (ALRC) in its report on privacy law and practice, For Your Information: Australian Privacy Law and Practice (ALRC Report 108). As part of its response, the Government indicated it would put in place a new framework for comprehensive credit reporting, subject to additional protections.

Current provisions to regulate consumer credit reporting information are set out in Part IIIA of the Privacy Act. Amendments to the Privacy Act will be required to implement the new credit reporting framework. The proposed framework will include five new ‘comprehensive’ data elements:

  • The type of each credit account opened
  • The date on which each credit account was opened
  • The current limit of each open credit account
  • The date on which each credit account was closed
  • The individual’s repayment performance history (showing whether they have met their repayment obligations over the prior two years, and if not, the number of monthly repayment cycles in arrears).

In 2009–10, the Department of the Prime Minister and Cabinet has coordinated a consultation process on implementing the credit reporting changes. Consultations have involved a range of stakeholders from the consumer credit industry and consumer representative organisations. The Office has contributed to these consultations, including at a credit reporting forum hosted by Senator the Hon Joe Ludwig, Special Minister of State, in April 2010.

The Office also undertook audits of certain credit reporting agencies. For further information, see section 3.7.1.5.

1.6.5 Tax File Number Guidelines

The Tax File Number Guidelines 1992 (TFN Guidelines) regulate the collection, use, disclosure and storage of Tax File Numbers (TFNs). The binding TFN Guidelines were issued by the Privacy Commissioner under s 17 of the Privacy Act.

In 2009–10, the Office began a review of the TFN Guidelines. The main aims of the review are to:

  • bring the terminology up-to-date, including references to agencies and legislation
  • make the TFN Guidelines easier to read, understand and interpret
  • incorporate any relevant parts of the advisory Commissioner’s Notes either into the Guidelines themselves or accompanying guidance material
  • maintain the existing purpose and intent that underlies the TFN Guidelines (to protect individuals’ privacy by restricting the use of and ensuring the careful handling of TFNs).

To assist the review, the Office prepared a consultation draft in December 2009 and sought the preliminary views of key Australian Government agencies. These agencies were the Treasury, the Australian Taxation Office, the Australian Prudential Regulation Authority, the Department of the Prime Minister and Cabinet and the Department of Human Services.

The Office is currently preparing for a broader round of public consultation scheduled to occur in the second half of 2010.

1.6.6 Do Not Call Register

During January 2010, the Office made a submission to the Senate Standing Committee on Environment, Communications and the Arts regarding amendments to Do Not Call Register legislation by the Do Not Call Register Legislation Amendment Bill 2009. The Do Not Call Register, established in May 2007, is a list of phone numbers of people who have registered their desire not to be called by telemarketers. Telemarketers risk fines if they contact numbers listed on the Register.

The Office’s submission supported the extension of the Register to the phone and fax numbers of all business, government and emergency service operators (previously only domestic numbers were eligible for listing in the Register). The Office also encouraged the introduction of greater technological neutrality to the legislation, and suggested that an opt-in approach to telemarketing calls (rather than the existing opt-out regime) would further enhance privacy.

The Bill was passed and the Act received royal assent in May 2010.

1.6.7 ID Scanning

Consistent with the Privacy Commissioner’s function to promote an understanding and acceptance of the National Privacy Principles and the Office’s Strategic Plan goal to increase awareness of privacy choices and obligations within the community, the Office has provided advice to individuals and organisations in relation to the practice of scanning identity documents.

The Office is currently investigating a number of complaints involving scanning of identity documents. A focus for many identity document scanning complaints is whether the collection of all the data items is ‘necessary’ for the organisation to perform its functions or activities. Some identity documents include sensitive information that is unlikely to be necessary (e.g. donor status on a driver’s licence). The Office has also undertaken own motion investigations into organisations that offer identity document scanning services to clubs and hotels.

In May 2010, the Office also released a new information sheet for private sector hospitality organisations like clubs and pubs that are covered by the Privacy Act and are collecting personal information using scanning devices, or considering using scanning devices. The information sheet encourages organisations to balance using technology for business purposes and protecting individual privacy by only collecting necessary information, limiting the use or disclosure of the information, and deleting the information when it is no longer necessary.

1.6.8 Smart Infrastructure

In November 2009, the Australian Government commissioned the House Standing Committee on Infrastructure, Transport, Regional Development and Local Government (the Committee) to undertake an inquiry into smart infrastructure.

The terms of reference for the inquiry direct the Committee to “make recommendations on ways to maximise the potential benefits to Australian communities of embedding appropriate and relevant technologies into Australia’s infrastructure, including, but not limited to, the transport, communications, energy and water sectors”. The terms of reference specify that the Committee have regard to the privacy issues that may be relevant.

The Committee held a conference on 12 March 2010 to open discussion on the key issues. The Privacy Commissioner gave a keynote address which raised a number of privacy considerations that arise in relation to smart infrastructure.

The term ‘smart infrastructure’ broadly refers to the use of information and communications technology to enhance the operation and use of infrastructure. For example, in the energy setting, smart grids and smart meters will be able to deliver detailed information about energy usage in individual homes.

Smart systems have the potential to impact on privacy because they generate information about the behaviour of individuals. As the Privacy Commissioner outlined in her speech, smart grid information, particularly when used in conjunction with the rich data created by smart appliances, could reveal anything from how often the washing machine is used, to unusual hours when the lights are on.

Taken individually, these readings may seem harmless, but when combined and collected over time they can paint a detailed picture of an individual’s comings, goings and day-to-day activities.

The Privacy Commissioner’s main message to the conference was that privacy should be built in early to smart systems to ensure that individuals feel comfortable with how their information is collected and used. The Office continues to monitor the Committee’s progress on smart infrastructure.
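The inference described above can be made concrete. The following is an added illustration, not material from the report or from the Committee’s inquiry: it takes one day of half-hourly smart-meter readings for a hypothetical household and derives the kind of behavioural profile the Commissioner’s speech warned about (when the occupants are up, when a high-draw appliance such as a washing machine starts, and whether lights are on late at night). The readings, the time-of-day pattern and the three thresholds are constructed assumptions chosen for the example. The last function shows the privacy-by-design point in the following paragraph: a single daily total serves billing but carries none of the timing detail the profile depends on.

```python
"""Added example (not from the report): what a day of half-hourly smart-meter
readings can reveal about a household's routine, and how aggregating the same
data before release removes that detail.

The readings, the time-of-day pattern and the three thresholds below are all
constructed assumptions for this illustration, not figures from the report.
"""

SLOTS_PER_DAY = 48           # half-hour interval data, slot 0 = 00:00-00:30
BASELINE_KWH = 0.10          # assumed standby load (fridge, router) per slot
ACTIVE_KWH = 0.35            # assumed level above which someone is up and active
APPLIANCE_JUMP_KWH = 0.80    # assumed slot-to-slot jump typical of a washer starting


def build_sample_day():
    """Constructed readings for one hypothetical day (kWh per half-hour slot)."""
    day = [BASELINE_KWH] * SLOTS_PER_DAY
    for slot in range(0, 2):            # 00:00-01:00: lights/TV still on
        day[slot] = 0.40
    for slot in range(13, 16):          # 06:30-08:00: morning routine
        day[slot] = 0.45
    for slot in range(38, 40):          # 19:00-20:00: washing machine cycle
        day[slot] = 1.20
    for slot in range(42, 48):          # 21:00-24:00: evening lights/TV
        day[slot] = 0.40
    return day


def slot_to_time(slot):
    """0 -> '00:00', 1 -> '00:30', ..., 48 -> '24:00'."""
    return f"{slot // 2:02d}:{'30' if slot % 2 else '00'}"


def active_periods(readings, threshold=ACTIVE_KWH):
    """Merge consecutive above-threshold slots into (start, end) 'HH:MM' pairs."""
    periods, start = [], None
    for i, kwh in enumerate(readings):
        if kwh >= threshold and start is None:
            start = i
        elif kwh < threshold and start is not None:
            periods.append((slot_to_time(start), slot_to_time(i)))
            start = None
    if start is not None:
        periods.append((slot_to_time(start), slot_to_time(len(readings))))
    return periods


def appliance_starts(readings, jump=APPLIANCE_JUMP_KWH):
    """Times at which load jumps sharply: the signature of a high-draw appliance."""
    return [slot_to_time(i) for i in range(1, len(readings))
            if readings[i] - readings[i - 1] >= jump]


def late_night_slots(readings, threshold=ACTIVE_KWH, from_slot=44):
    """Slots from 22:00 onward (slot 44) that are still above the active level."""
    return [slot_to_time(i) for i in range(from_slot, len(readings))
            if readings[i] >= threshold]


def behaviour_profile(readings):
    """What the interval data lets an observer infer about the occupants."""
    return {
        "awake_periods": active_periods(readings),
        "appliance_starts": appliance_starts(readings),
        "active_after_22:00": late_night_slots(readings),
    }


def daily_total(readings):
    """Privacy-by-design alternative: one daily figure is enough for billing
    but reveals nothing about when the occupants were home or awake."""
    return round(sum(readings), 2)


if __name__ == "__main__":
    day = build_sample_day()
    for key, value in behaviour_profile(day).items():
        print(f"{key}: {value}")
    print("daily total kWh:", daily_total(day))
```

Run as a script, the profile for the constructed day reports that the occupants were active 00:00–01:00, 06:30–08:00, 19:00–20:00 and 21:00–24:00, that a high-draw appliance started at 19:00, and that the house was still active at 22:00–23:30; the daily total alone (10.45 kWh) supports none of those inferences, which is why the granularity of what is retained and shared is a design decision to settle before a smart system is built, not after.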

1.6.9 National Broadband Network

In July 2009, the Office made a short submission to the Senate Select Committee on the National Broadband Network (NBN). The Office noted that the NBN initiative proposes to connect 90% of Australian homes, workplaces and schools with optical fibre-to-the-premises and to provide all other premises with next generation wireless and satellite technologies.

The Office suggested that consideration be given to undertaking a privacy impact assessment to identify and recommend options for managing, minimising or avoiding any privacy impacts from the NBN proposal.

1.7 Privacy and the Health Sector

During the reporting period, the Office maintained its active interest in the development of e-health initiatives as they relate to the collection and handling of personal information. It acknowledged the potentially important role that effective e-health information systems can play in promoting better health outcomes for Australians in its submissions to government during the year.

While acknowledging these benefits, the Office suggested that the potential risks to privacy can be kept to a minimum if privacy is considered at an early stage in the design of proposed systems.

The Office is of the view that gaining the trust and confidence of individuals in e-health record systems and other e-health initiatives is vital to their success. While many individuals are likely to welcome in principle the benefits associated with e-health systems, there may be reluctance to participate if key privacy protections are lacking.

There has been significant progress in e-health initiatives during the reporting period. In November 2009, the Australian Health Ministers’ Conference finalised a policy proposal for the national e-health system. An important step in the implementation of the national e-health system is the introduction of a system of unique healthcare identifiers to identify individuals seeking healthcare, and the professionals and organisations who provide care.

1.7.1 Individual Healthcare Identifiers

The Office continued to engage with the Department of Health and Ageing (DoHA), the National E-Health Transition Authority (NEHTA) and other relevant stakeholders about privacy issues relating to the development of healthcare identifiers and the national e-health system.

In all its submissions on electronic health record related initiatives, the Office has consistently said that the development of these initiatives must be underpinned by enabling legislation and supported by strong privacy safeguards.

In August 2009, the Office made a submission to the Australian Health Ministers’ Conference (AHMC) on Healthcare Identifiers and Privacy: Discussion Paper on Proposals for Legislative Support. The submission set out concerns regarding potential privacy risks in relation to the Healthcare Identifiers Service database and the risks associated with linking data using healthcare identifiers. Given these concerns, the Office welcomed the proposal that enabling legislation containing specific provisions, including sanctions and remedies, would govern the Healthcare Identifiers Service.

In December 2009, DoHA released the Exposure Draft and Release Note for the Healthcare Identifiers Bill 2010. The Bill would establish the Healthcare Identifiers Service, which will assign unique healthcare identifiers to all individuals receiving healthcare in Australia and to individual and organisational healthcare providers.

The Bill was referred to a Senate Committee in February 2010. The Office made a submission and the Privacy Commissioner appeared before the Committee in March 2010.

In its submission, the Office told the Committee that it believes the Bill provides an appropriate privacy framework to support the establishment of the Healthcare Identifiers Service. The Bill clearly sets out the purposes for which healthcare identifiers can be collected, used and disclosed, and limits those purposes to activities related to managing or communicating health information in a healthcare context. It also imposes security obligations on healthcare providers and provides the Office with proactive oversight powers.

In March 2010, the Minister for Health and Ageing released exposure draft regulations for comment. In its submission, the Office expressed the view that the proposed regulations enhance the privacy framework provided in the Bill to support the establishment of the Healthcare Identifiers Service and the use of healthcare identifiers. In particular, the regulations provide rules about requesting healthcare identifiers from the service operator and requirements for maintaining records about requests.

The Healthcare Identifiers Act 2010 came into force on 29 June 2010 and the Healthcare Identifiers Service commenced operation on 1 July 2010. More information is available at www.privacy.gov.au/law/other/healthid.

In the 2010 Budget, the Australian Government announced funding of $466.7 million for the development of person-controlled electronic health records by 1 July 2012. The Office will continue to work with DoHA, NEHTA and other relevant stakeholders as the national e-health system develops.

1.7.2 Section 95AA Guidelines

In December 2009, the Privacy Commissioner approved guidelines developed and issued by the National Health and Medical Research Council (NHMRC) following extensive consultation. The guidelines clarify the circumstances in which genetic information may be used or disclosed without consent.

The requirement for the guidelines arose from amendments made by the Privacy Legislation Amendment Act 2006. Among other things, those amendments introduced an additional exception to National Privacy Principle (NPP) 2, NPP 2.1(ea), to regulate how genetic information can be used and disclosed.

The exception under NPP 2.1(ea) allows for the use of genetic information or disclosure of genetic information to an individual’s genetic relatives, without the individual’s consent, if the organisation reasonably believes that this is necessary to lessen or prevent a serious threat to the life, health or safety of the relative. In the case of disclosure, the recipient must be a genetic relative of the individual.

A health practitioner relying on exception NPP 2.1(ea) to use or disclose genetic information must comply with the guidelines. The guidelines establish when, by whom and in what manner, use or disclosure of genetic information may take place without the patient’s consent.

Where a decision has been made to disclose genetic information to a patient’s genetic relative, the collection or use of the relative’s contact details in order to make that disclosure would generally need the relative’s consent. The Privacy Commissioner recognised that it would generally be impractical to obtain the relative’s consent in these circumstances and in December 2009 issued a Temporary Public Interest Determination (TPID) to allow this collection or use.

The TPID came into force on 15 December 2009, and will be effective for a period of 12 months. The Australian Government has indicated in its response to the Australian Law Reform Commission’s review of privacy that it intends to amend the Privacy Act to permit the collection or use of a genetic relative’s contact details in these circumstances.

The Office also developed guidance material relating to genetic information and privacy issues, including an information sheet for health practitioners and frequently asked questions for individuals.

1.7.3 National Registration and Accreditation Scheme

The Office supports the development of the National Registration and Accreditation Scheme (NRAS) for the health professions. The Office considers that privacy has an integral part to play in the NRAS. In particular, the Office believes that the NRAS should protect practitioners’ privacy through sound information handling practices.

In June 2009, an exposure draft of the second stage legislation underlying the NRAS, the Health Practitioner Regulation National Law 2009 (the Bill), was released. In July 2009, the Office made a submission to the Australian Health Workforce Ministerial Council on the exposure draft of the Bill, recommending that further privacy protections be included in the Scheme.

1.8 Privacy and the Information and Communications Technology Sector

During the reporting period, the Office provided input into a number of projects and initiatives relating to information and communications technology. These included making submissions and having a staff member seconded to the Government 2.0 Taskforce (see section 1.4.6 for further information) and engaging with the Australian Communications and Media Authority in relation to privacy issues arising from telecommunications industry codes.

1.8.1 Telecommunications and E-Marketing Industry Codes

Under s 112 of the Telecommunications Act 1997, telecommunications industry bodies and associations may develop industry codes which, if found to be satisfactory, may be registered by the Australian Communications and Media Authority (ACMA). Under s 117(1)(j) of the Telecommunications Act, where a code involves privacy issues (as defined in s 113(3)(f)), the industry body developing the code needs to satisfy ACMA that the Privacy Commissioner has been consulted.

ACMA sought the Privacy Commissioner’s comments on the following two codes:

  • Handling of Life Threatening and Unwelcome Communications Industry Code
  • Mobile Number Portability Code.

The Privacy Commissioner advised ACMA that she had been consulted and was satisfied with both codes.

1.9 Voluntary Information Security Breach Notification Guide

The Office’s Guide to Handling Personal Information Security Breaches (the Guide) was released in 2008 and continues to be utilised by government agencies and organisations. This voluntary Guide provides advice about the key steps and factors to consider when responding to an information security breach. It includes guidance on when it may be appropriate to notify individuals affected by a breach and/or the Privacy Commissioner. The Guide also encourages agencies and organisations to analyse the cause of the breach to prevent similar breaches from occurring. 

The Australian Law Reform Commission (ALRC), in its final report on privacy—For Your Information: Australian Privacy Law and Practice (ALRC Report 108), recommended that the Privacy Act be amended to include a requirement for notification of data breaches in certain circumstances. The Australian Government intends to address this recommendation in its second tranche of privacy reforms.

Following the release of the Guide, a number of agencies and organisations have voluntarily reported information security breaches to the Privacy Commissioner. In these circumstances, the Office refers agencies and organisations to the Guide to assist them to respond to and contain the breach, and to prevent a recurrence. The Office is monitoring how agencies and organisations use the Guide to assess the strengths and weaknesses that may have a bearing on the development of legislative data breach provisions.

For information on security breaches reported to the Office in 2009–10, see section 3.6.

1.10 Other Information Materials

As part of Privacy Awareness Week (see section 2.4), the Office produced a pocket guide on privacy and mobile phones called Mobilise Your Mobile Phone Privacy, which outlined the key privacy and security factors to consider when using phones. This guidance material was developed to respond to the rise of smart phones and the particular privacy risks associated with sophisticated mobile technology.

In particular, the pocket guide provides information on mobile phone security settings, phone trackability, m-commerce and other specific issues related to smart phones, such as safe use of ‘apps’ and protecting privacy when disposing of phones. It is available at www.privacy.gov.au/topics/technologies.

Chapter 2 Promoting Privacy

2.1 Review of Performance

Privacy Awareness Week (PAW) was a major feature of the Office’s promotional and educational work in 2009–10. The theme for PAW 2010 was Privacy: It’s in Your Hands. The week provided an excellent opportunity to highlight privacy obligations of agencies and organisations, promote ways that individuals can protect their privacy, and develop strategic partnerships with other bodies that have an interest in promoting privacy.

Another significant achievement in 2009–10 was the launch of the Office’s new website. Key features of the new website include a reworked content structure and navigation, a much improved search facility, and a new look-and-feel. The Office received very positive feedback about the new website throughout the reporting period.

The Office also released a number of key publications in the reporting period, including a Privacy Impact Assessment Guide to assist organisations to identify and manage privacy risks, as well as publications about ID scanning in clubs and pubs, and how individuals can protect their privacy when using mobile phones. The Office continued to promote privacy awareness among young people with the wide distribution of the private i publication.

The reporting period also saw ongoing efforts to provide privacy compliance professionals with the knowledge and resources to enhance privacy awareness and compliance within their own organisation or agency. The Office continued to facilitate the Privacy Connections network for professionals in the private sector, and a network for Privacy Contact Officers from Australian and ACT Government agencies.

The Office has also maintained its efforts in facilitating media liaison and producing privacy news publications PriNet and Privacy Matters. The Office continues to serve as the secretariat for the Asia Pacific Privacy Authorities forum, play an active role in Privacy Authorities Australia, and contribute to a number of working groups as part of the International Conference of Data Protection and Privacy Commissioners.

2.2 Privacy Website

The Office’s website (www.privacy.gov.au) plays a very important role in helping the Office achieve the goals set out in its Strategic Plan. The website continues to be the critical hub for the communication of the Office’s privacy messages. The site is kept up-to-date with information relating to the activities of the Office, provides privacy information produced by the Office and links to other privacy information sources.

The Office also designs, develops and maintains the Asia Pacific Privacy Authorities’ Privacy Awareness Week website (www.privacyawarenessweek.org).

Website redevelopment

On 31 July 2009, the Office launched a major redevelopment of its website to ensure that it remains effective as the Office’s central communications hub. The redevelopment was significant, involving a review of all aspects of the website, which had its last major redevelopment in 2001.

Some of the improvements to the new site include:

  • a reworking of the site’s content structure and navigation to give users easier access to information and resources
  • a complete redesign of the site’s look-and-feel, providing it with a fresh and more visually appealing new look
  • much improved search facility
  • simpler and more flexible Materials and Resources section
  • improved accessibility
  • new plain English content for some of the most popular content areas.

Feedback on the new website has been very positive. Many have noted how much easier information is to find, and how much the look and feel of the website has improved.

Website traffic

Table 2.1 shows the number of sessions and page views for the privacy website for each of the last three financial years.

Table 2.1 Sessions and Page Views for the Privacy Website

                   2007–08      2008–09      2009–10    Variation 2008–09 to 2009–10
Sessions         1 995 227    1 491 269    1 653 538    + 162 269
Page views       8 425 262    7 392 718   11 716 030    + 4 323 312

As reported in previous annual reports, the Office’s website statistics are from time to time affected by illegitimate traffic to the site. During this reporting period, the Office’s website registered an unusually high number of downloads over a period of a few months. The traffic was caused by a specific search engine ‘robot’ which downloaded unnecessary and disproportionate amounts of website content. The Office identified the problem and implemented a technical fix, after which the website statistics returned to a normal pattern.

As a result of the incident, the website statistics show an unexpected increase for that period but were otherwise relatively normal. Overall, sessions (i.e. individual visits to the website) increased by 162 269 during 2009–10 (a 10.9% increase). Page views (i.e. the number of pages looked at during sessions) increased by 4 323 312 (a 58.5% increase).

The Office will closely monitor its website statistics to ensure that incidents such as these are kept to a minimum.
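The incident above is the kind of thing a web team finds by looking at access logs rather than at the aggregated statistics: one user agent fetching the same large files over and over, swamping genuine visits. The following is an added example, not code from the Office or from this report, showing how such a runaway crawler can be flagged from log lines and how the sessions and page-views figures can be restated with it excluded. The log lines are constructed in the common ‘combined’ format, and the user-agent strings, the thresholds (more than half of requests or bytes from one agent that is mostly re-fetching the same paths), the 30-minute idle timeout that ends a session, and the rule that every request counts as a page view are all assumptions for illustration.

```python
"""Flag a runaway crawler in web access logs and restate traffic figures
without it. Added example; log lines, thresholds and session rules are
constructed/assumed for illustration, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
SESSION_IDLE_SECONDS = 30 * 60  # assumed idle gap that ends a session

# Constructed sample: two browsers and a crawler re-fetching one PDF.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:09:00:01 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.5 - - [10/Mar/2010:09:00:20 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.5 - - [10/Mar/2010:09:05:44 +1100] "GET /news/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.77 - - [10/Mar/2010:10:00:00 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.77 - - [10/Mar/2010:10:00:09 +1100] "GET /faq/ HTTP/1.1" 200 2500 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.77 - - [10/Mar/2010:11:15:00 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.77 - - [10/Mar/2010:11:15:30 +1100] "GET /contact/ HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.9 - - [10/Mar/2010:09:30:00 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:05 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:10 +1100] "GET /materials/other.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:15 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:20 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:25 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:30 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
198.51.100.9 - - [10/Mar/2010:09:30:35 +1100] "GET /materials/guide.pdf HTTP/1.1" 200 900000 "-" "ExampleBot/1.0"
"""


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def count_sessions(records):
    """One session per (host, user agent); a new one starts after an idle gap."""
    by_client = defaultdict(list)
    for r in records:
        by_client[(r["host"], r["ua"])].append(r["time"])
    sessions = 0
    for times in by_client.values():
        times.sort()
        sessions += 1
        for prev, cur in zip(times, times[1:]):
            if (cur - prev).total_seconds() > SESSION_IDLE_SECONDS:
                sessions += 1
    return sessions


def flag_runaway(records, max_share=0.5, max_unique_ratio=0.5):
    """Return user agents that dominate requests or bytes while mostly
    re-fetching the same paths (a crawl over many distinct pages is not flagged)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "paths": set()})
    for r in records:
        s = stats[r["ua"]]
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        s["paths"].add(r["path"])
    total_req = sum(s["requests"] for s in stats.values())
    total_bytes = sum(s["bytes"] for s in stats.values())
    flagged = set()
    for ua, s in stats.items():
        share = max(s["requests"] / total_req,
                    s["bytes"] / total_bytes if total_bytes else 0.0)
        unique_ratio = len(s["paths"]) / s["requests"]
        if share > max_share and unique_ratio < max_unique_ratio:
            flagged.add(ua)
    return flagged


def traffic_figures(records, exclude=frozenset()):
    """Sessions and page views (every request counted) with given agents removed."""
    kept = [r for r in records if r["ua"] not in exclude]
    return {"sessions": count_sessions(kept), "page_views": len(kept)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bots = flag_runaway(recs)
    print("flagged agents:", bots)
    print("raw figures:   ", traffic_figures(recs))
    print("cleaned:       ", traffic_figures(recs, exclude=bots))
```

On the constructed sample the crawler accounts for more than half of requests and almost 90% of bytes while touching only two paths, so it is flagged and the cleaned figures drop from 4 sessions and 15 page views to 3 and 7. The uniqueness test matters: a well-behaved search engine that fetches each page once would exceed the share threshold on a small site but would not be flagged, which is the distinction the Office’s incident turns on.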

2.3 Privacy Awards and Medal

The Australian Privacy Awards and Australian Privacy Medal were developed by the Office in 2008 as a way of acknowledging, rewarding and encouraging good privacy practices across the public and private sectors.

Following the success of the inaugural event in 2008, the Office hosted the Awards and Medal in 2009. The Awards were open to Australian small, medium and large businesses, community groups, not for profit organisations, non-government organisations and government agencies at a local, state and national level.

The gala presentation dinner was held in Sydney on 12 November 2009, and was attended by privacy professionals and representatives from the corporate, public and community sectors and the media. The master of ceremonies was journalist and television presenter Hugh Riminton, and the event featured a welcome by the Privacy Commissioner and a keynote address by Senator the Hon Joe Ludwig, Special Minister of State and Cabinet Secretary.

Awards were presented in four categories, with a Grand Award presented to the most outstanding entry from any of the categories. Award entrants were asked to nominate their overall work or a privacy-related project, initiative, campaign or system. They were required to address three judging criteria in their nominations:

  • how privacy considerations featured in the nominated work, project, initiative, campaign or system’s implementation
  • how well the privacy-related elements were communicated to staff, customers or external audiences
  • how privacy protection was enhanced through leadership in privacy development, privacy awareness, better interaction or trust with stakeholders, customer satisfaction, and/or reducing privacy incidents and complaints.

The judging panel assessed each nomination according to these criteria and selected a category winner and a ‘highly commended’ nomination. Table 2.2 sets out the winners, those named as highly commended and other finalists.

Table 2.2 Australian Privacy Awards Winners, Highly Commended and Finalists

Grand Award
  Winner: Victorian Department of Justice

Symantec Government Award
  Winner: Australian Customs and Border Protection Service
  Highly commended: Australian Government Human Services Portfolio, Mildura Rural City Council
  Other finalists: CrimTrac, Social Security Appeals Tribunal, Victorian Department of Justice

Large Business Award
  Winner: Australian Health Management
  Highly commended: PayPal
  Other finalists: National Australia Bank

Small-Medium Business Award
  Winner: Loyalty Pacific—FlyBuys
  Highly commended: Space-Time Research
  Other finalists: Verify

Community and NGO Award
  Winner: Association of Market and Social Research Organisations
  Highly commended: Public Interest Advocacy Centre
  Other finalists: Biometrics Institute, Windermere Child & Family Services

The judging panel selected Dr Roger Clarke as the recipient of the Australian Privacy Medal. Dr Clarke was awarded the Medal for his service to the privacy field for more than three decades.

The members of the judging panel were:

  • Karen Curtis, Australian Privacy Commissioner
  • John Carroll, Partner, Clayton Utz
  • Craig Scroggie, Vice President and Managing Director Pacific Region, Symantec
  • Suzanne Pigdon, Privacy Advisory Committee member.

The Office secured sponsorship totalling $50 000 from the following organisations for the 2009 Awards program: Symantec (Major Sponsor), Clayton Utz (Executive Sponsor), Google (Executive Sponsor), Child Support Agency (Sponsor) and Microsoft (Sponsor).

2.4 Privacy Awareness Week

Privacy Awareness Week (PAW) is an annual promotion coordinated by the members of the Asia Pacific Privacy Authorities (APPA). The week provides an opportunity for organisations and agencies in APPA jurisdictions to promote awareness of privacy rights and responsibilities to staff, clients, and the wider community. PAW 2010 was celebrated from 2–8 May 2010.

The theme for PAW 2010 was Privacy: It’s in Your Hands. This theme highlighted that agencies and organisations have privacy responsibilities and obligations when dealing with personal information. The week also promoted practical things that individuals can do to protect their personal information.

This year the Office established a number of partnerships with agencies and organisations to engage and strengthen relationships in the lead up to PAW. This approach allowed the Office to promote the week and its key messages broadly. Agencies and organisations were invited to nominate as a PAW 2010 partner. Partners were acknowledged on the PAW website. Fifty agencies and organisations partnered with the Office for PAW 2010.

For PAW 2010, the Office produced a publication aimed at educating consumers about the privacy protections that can be adopted when using a mobile phone. Named Mobilise Your Mobile Phone Privacy, the publication was developed in partnership with the Australian Communications and Media Authority and the Department of Broadband, Communications and the Digital Economy. The product was released during PAW and will continue to be distributed.

The Office, together with APPA members, released an online identity theft tool. The tool was originally released by the Norwegian Data Inspectorate and was adapted for use in APPA jurisdictions. The tool gives individuals an insight into their vulnerability to identity theft. The tool also includes tips on how people can protect their identity and where to find more information.

The Office also launched a number of guidance materials, including information sheets on scanning of identity documents in pubs and clubs, handling personal information in emergencies and disasters, and a Privacy Impact Assessment Guide with a new section for the private sector.

PAW serves to increase awareness of privacy choices and obligations within the community, assisting the Office to meet the goals set out in its Strategic Plan. It also gives the Office the opportunity to develop robust relationships with Australian organisations, agencies, non-government organisations and the wider community, while strengthening the Office’s formal links with APPA members. The Office maintains APPA’s PAW website at www.privacyawarenessweek.org.

2.5 Publications

The Office released a number of new publications and other materials during 2009–10.

As noted in section 2.4, a major release was the Privacy Impact Assessment Guide. The Guide was launched during PAW 2010 by Senator the Hon Joe Ludwig, Special Minister of State and Cabinet Secretary. The Guide includes a new section for the private sector that assists organisations to identify privacy risks and recommends a number of options for dealing with those risks.

Another major release during PAW 2010 was the Mobilise Your Mobile Phone Privacy quick-reference guide, designed to encourage Australians to think about privacy and security when using their mobile phones. (See section 2.4 for further information).

The Office also released three new Information Sheets. (See section 1.6.1 for further information).

The Office continued to publish its accessible and easy-to-read quarterly newsletter, Privacy Matters, which keeps stakeholders up-to-date with important Office-related and other privacy developments. The newsletter complements the work the Office already does through its various stakeholder networking strategies and assists the Office in its Strategic Plan goal of increasing awareness of privacy choices and obligations within the community.

Subscription to Privacy Matters is available through the Office’s website at www.privacy.gov.au/news/subscribe. The Office’s publications are available online at www.privacy.gov.au/materials.

2.5.1 Targeting Youth

During 2009–10, a major campaign was undertaken to distribute and promote the publication private i, a magazine-style booklet promoting privacy awareness among 18–24 year olds. The publication was launched by the Office in May 2009.

The Office approached a wide variety of agencies and organisations that provide services to young people to seek their assistance in promoting and distributing private i. As a result of these efforts, interest in the booklet has been strong, and the Office reprinted it three times to meet the demand, with a total of 65 000 copies printed.

Major points of promotion and distribution have included the following:

  • Australian and state government offices for youth, youth advocacy groups, and privacy regulators in Australian states and overseas jurisdictions have provided online links and promoted private i to their networks, placed information in newsletters, and distributed hard copies.
  • Government agencies that have dealings with young people, including Centrelink, Medicare, the ATO, and state roads and traffic authorities, have placed information and links to private i in their online materials.
  • Thirty-eight universities have distributed more than 17 000 copies to students through placement in student orientation packs, in library foyers and at campus contact points. Many of these universities also promoted the publication via links on their intranets, websites and student publications. Over 11 300 copies have been distributed by privacy contact officers across 52 TAFE head offices, institutes and colleges nationally, and almost 6000 copies have been distributed by libraries at 45 TAFE colleges.
  • Student Marketing Australia, a company that direct markets to tertiary students, distributed 6000 copies by hand at 15 metropolitan and regional university campuses across all states and territories.
  • The Australian Government and state government departments of education have placed information about private i in resources they provide to teachers. The ACT Department of Education and Training has distributed 5000 copies to every state school teacher.

The publication has been viewed by over 100 000 people, either in hard copy or online, and the Office continues to receive requests for copies.

2.6 Networks

2.6.1 Privacy Connections

The Office continues to facilitate the Privacy Connections network for professionals in the private sector. The network is a forum for:

  • encouraging increased communication between privacy professionals in the private sector and the Privacy Commissioner
  • furthering privacy professionals’ knowledge of current privacy concerns
  • disseminating important information by the Office to key privacy professionals
  • promoting networking opportunities among privacy professionals.

On 6 May 2010, the Office held a Privacy Connections networking event in Sydney as part of its Privacy Awareness Week 2010 activities. The highlight of the event was the launch of the private sector module of the Office’s Privacy Impact Assessment Guide. Sixty-five people attended from across the corporate and not-for-profit fields.

Privacy Connections had 746 members as at 30 June 2010. Information about Privacy Connections is available at www.privacy.gov.au/business/privacyconnections.

2.6.2 Government Privacy Contact Officer Network

The Office manages a network of Privacy Contact Officers (PCOs) from Australian and ACT Government agencies and hosts four meetings a year. The meetings enhance the Office’s relationship with government agencies as they enable PCOs to meet directly with the Privacy Commissioner and hear about the Office’s activities and other privacy related issues, such as privacy law reform.

The network plays an important role in meeting the Office’s Strategic Plan goal of cultivating robust relationships. The network has been tailored to play an educative role in informing PCOs of their compliance obligations and discussing international developments in privacy regulation.

Attendance has been consistent over the reporting period with approximately 70 people attending each meeting, highlighting continued interest in the network.

The Office invited external speakers to address the PCOs, including representatives from the Department of the Prime Minister and Cabinet, the Department of Health and Ageing, the Victorian Department of Justice and the Public Interest Advocacy Centre.

The network provides a crucial link between agencies and the Office, particularly for the purposes of managing privacy complaints and discussing ways to enhance privacy cultures in agencies.

2.6.3 Privacy and Consumer Advocates

The Office held meetings with privacy and consumer advocates in November 2009 and March 2010. A range of matters were discussed, including the proposed Office of the Australian Information Commissioner, the Government’s response to the Australian Law Reform Commission’s report on privacy law and developments in the Office’s policy, compliance and corporate and public affairs areas.

2.7 Media

The Office received 201 media enquiries during 2009–10. This is up significantly from the 151 enquiries received in 2008–09. Of the 201 enquiries, 105 were from print media, 43 from radio stations, 12 from television, and 41 from news websites.

The enquiries concerned a range of privacy-related issues, with the most common including:

  • scanning of identity documents by pubs and clubs
  • e-health and the proposed Individual Health Identifier
  • privacy breaches by agencies and organisations
  • online social networking
  • new technologies and privacy
  • airport scanners.

In most cases, background information on the issue or a comment was supplied to the journalist. Interviews were also conducted on various radio stations and television programs.

The Office prepared 24 media releases during 2009–10. The Office has email lists for the distribution of media releases and for privacy-related news. There were 3482 subscribers to the media release email list and 1431 subscribers to the privacy news list as at 30 June 2010. Information about the lists is available at www.privacy.gov.au/news/subscribe.

2.8 Speeches

A key goal of the Office’s Strategic Plan is to increase awareness of privacy choices and obligations within the community. Speeches are an important element of achieving this goal. During 2009–10, the executive and senior staff of the Office delivered 26 speeches or presentations. The speeches and presentations covered a range of privacy-related issues including e-health, fraud, privacy and new technologies, biometrics and privacy law reform.

A selection of speeches delivered during the reporting period is available at www.privacy.gov.au/materials/types/speeches?sortby=60.

2.9 International Liaison

2.9.1 Asia Pacific Economic Cooperation

In 2004, the Asia Pacific Economic Cooperation (APEC) Privacy Framework was adopted by APEC leaders, in recognition of the importance of developing effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth in the APEC region.

In September 2007, APEC economies endorsed the APEC Data Privacy Pathfinder (the Pathfinder) to guide international implementation of the Privacy Framework. The Pathfinder facilitates development of a framework for accountable flows of personal information across borders, focusing on the use of cross-border privacy rules by organisations. The Pathfinder also aims to support this system of cross-border privacy rules with a Cross Border Privacy Enforcement Arrangement (the Arrangement). The Arrangement will provide a framework for privacy regulators to cooperate, and to seek information and advice from each other on cross-border enforcement matters.

The Pathfinder Implementation Work Plan consists of nine key projects, two of which are being led by Australia, through the Department of the Prime Minister and Cabinet. The APEC Data Privacy Sub-group (DPS) expects that all Pathfinder projects will be completed and endorsed in late 2010.

The Arrangement will come into force early in the next reporting period. The Australian Privacy Commissioner, the New Zealand Privacy Commissioner, the US Federal Trade Commission and the APEC Secretariat will be co-administrators of the Arrangement. The co-administrators will be responsible for conducting preliminary checks on membership applications from privacy enforcement authorities that wish to participate in the Arrangement.

2.9.2 Organisation for Economic Co-operation and Development

During the reporting period, the Office provided input to the Organisation for Economic Co-operation and Development’s (OECD) Working Party on Information Security and Privacy (WPISP) via the Department of Broadband, Communications and the Digital Economy.

On 8–9 March 2010, the WPISP held a special meeting in Paris to mark the 30th anniversary of the 1980 adoption of the OECD Privacy Guidelines. Former justice of the Australian High Court, and chair of the Expert Group created to develop the OECD Guidelines in the 1970s, the Hon Michael Kirby AC CMG, delivered a speech at the anniversary meeting.

The WPISP’s current focus includes law enforcement cooperation and the development of a policy framework for privacy law enforcement cooperation to be accompanied by a set of practical tools. These commitments build on a 2007 OECD recommendation setting out a framework for international cooperation in the enforcement of privacy laws. Earlier this year, WPISP member countries, including Australia, completed a WPISP Questionnaire on the Implementation of the OECD Recommendation on Privacy Law Enforcement Co-operation. The responses to the Questionnaire will form the basis of an implementation report, which was due to be submitted to the OECD Council in June 2010.

Planning is underway for a roundtable on the ‘economics of privacy’, to be held in Paris in December 2010.

2.9.3 Asia Pacific Privacy Authorities

Members of the Asia Pacific Privacy Authorities (APPA) forum include the Privacy and Information Commissioners of Australia (including NSW, Victoria and the Northern Territory), New Zealand, Hong Kong, South Korea and Canada (including British Columbia).

APPA meets biannually. The meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA members. Commissioners also have the opportunity to exchange knowledge and experiences regarding privacy regulation across different jurisdictions.

In December 2009, the 32nd APPA Forum was hosted by State Records of South Australia in Adelaide. At this meeting, members resolved to adopt an APPA Secondment Framework which aims to increase regional collaboration, including the greater mobility of staff between privacy authorities. Members also agreed to develop an interactive online ID theft self-test tool as a joint promotional product for Privacy Awareness Week 2010 (see section 2.4 for further information).

In June 2010, the 33rd Forum was held in Darwin, hosted by the Office of the Information Commissioner, Northern Territory. During this meeting, the members resolved to broaden APPA membership to include other jurisdictions and privacy authorities. The Forum also considered developments in the area of smart infrastructure, issues surrounding the use of social media by privacy regulators, and emerging technologies. Members resolved to continue to monitor these developments, and to share strategies for enhancing privacy protection across the region.

Participation in APPA has facilitated the growth of significant relationships between the Office and other privacy authorities, one of the key goals of our Strategic Plan.

The Office currently serves as the APPA secretariat and hosts the APPA webpage at www.privacy.gov.au/aboutus/international/appa.

2.9.4 31st International Conference of Data Protection and Privacy Commissioners

In November 2009, the Privacy Commissioner attended the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain. The theme of the conference was ‘Privacy: Today is Tomorrow’.

The Privacy Commissioner was the moderator of a panel discussion entitled ‘Oops! Where Did I leave My Computer? Prevention and Reaction to Security Breaches’.

Resolutions were made at the conference on matters including the concept of an International Privacy Association and the development of an official Conference website. The Office is an active participant on a number of the resolutions (see section 2.9.4.1 for further information).

To view the panel discussion or for more information, see the conference website at www.privacyconference2009.org.

2.9.4.1 International Working Groups

The Office participated in four working groups established under resolutions of the 29th and 30th International Conference of Data Protection and Privacy Commissioners. These working groups were tasked to:

  • explore establishing an International Privacy/Data Protection Day or Week
  • address the urgent need for protecting privacy in a borderless world, and for reaching a Joint Proposal for setting International Standards on Privacy and Personal Data Protection
  • arrange representation at meetings of international organisations
  • establish a website.

The Office led the Working Group that explored the possibility of an International Privacy/Data Protection Day or Week. The Working Group conducted a survey of all data protection authorities accredited to the International Conference (the Conference) to establish when the most practicable time for such an event would be. The Working Group proposed a resolution at the 2009 Conference that an annual, international celebration of privacy and data protection be celebrated during October or November. Unfortunately, this resolution was not adopted.

The Spanish Data Protection Authority chairs the Working Group examining the urgent need for protecting privacy in a borderless world, and for reaching a Joint Proposal for setting International Standards on Privacy and Personal Data Protection. This Working Group prepared the Draft International Standards on the Protection of Privacy with Regard to the Processing of Personal Data (the Draft Standards), which aim to provide a set of principles, rights, obligations and procedures to facilitate an internationally uniform approach to the processing of personal data in the public and private sectors. The Conference adopted a resolution welcoming the Draft Standards as a new step towards the development of a binding international instrument.

The Steering Group on representation at meetings of international organisations is chaired by the New Zealand Privacy Commissioner’s Office. This group is seeking to identify opportunities to promote principles of data protection and privacy at an international level, and explore the usefulness of obtaining observer representation at meetings of committees or working groups of relevant international organisations.

During the reporting period, the Conference was granted observer status for:

  • the APEC Data Privacy Sub-group July 2009 meeting in Singapore
  • the Council of Europe Consultative Committee on Convention No 108
  • the OECD Working Party on Information Security and Privacy.

The Steering Group is now working to establish a process for approving international organisations as observers to the Conference’s closed session.

The Website Working Group was chaired by the Office of the Information and Privacy Commissioner of British Columbia. The Working Group identified that the Organisation for Economic Co-operation and Development (OECD) may be willing to enter into a website service provider agreement with the Conference. The Conference adopted a resolution, co-sponsored by Australia, directing the Working Group to take all necessary steps to enter into an agreement with the OECD.

By participating in the International Conference and its related working groups, the Office is developing important relationships with international privacy forums, and working to address privacy issues at an international level. These are key aims of the Office’s 2007–10 Strategic Plan.

More information about the 31st International Conference and its resolutions is located at www.privacyconference2009.org. The 32nd International Conference will be held in Jerusalem, Israel, in October 2010.

2.10 Privacy Advisory Committee

The Privacy Advisory Committee (PAC) is established under s 82 of the Privacy Act and members are appointed by the Governor-General. The PAC’s function, as outlined in s 83 of the Privacy Act, is to advise the Privacy Commissioner on matters relevant to his or her functions and to engage in and promote protection of individual privacy in the private sector, government and community.

The PAC maintains an active interest in the implementation of the Office’s Strategic Plan and provides feedback and advice on the goals and activities that are undertaken. During the reporting period, the PAC has provided independent advice to the Office on initiatives including the distribution of Privacy Awareness Week promotional materials.

In February 2010, the PAC made a submission to the Senate Finance and Public Administration Legislation Committee Inquiry into the Freedom of Information Amendment (Reform) Bill 2009 and the Australian Information Commissioner Bill 2009.

In addition to the Privacy Commissioner, there are currently three members of the PAC. In October 2009, Robin Banks’ appointment was renewed until 1 November 2011. The other members are Associate Professor John O’Brien and Professor Christine O’Keefe. The terms of Dr William Pring, Ms Suzanne Pigdon and Ms Joan Sheedy expired on 1 May 2010. During their time on the Committee, each of these individuals provided valuable insight that assisted the Office in its consideration of a broad spectrum of privacy related issues.

2.11 Privacy Authorities Australia

Privacy Authorities Australia (PAA) is a group of Australian privacy authorities that meets on a regular basis to promote best practice and consistency of privacy policies and laws. The group was formed in April 2008 as a way to share information and promote privacy within Australia.

PAA membership includes privacy representatives from all states and territories and the Department of the Prime Minister and Cabinet as well as the Australian Privacy Commissioner. One meeting was held during the reporting period. Topics discussed included Automated Number Plate Recognition and the Emergency Telephone Warning System. Hosting and secretariat responsibilities are undertaken on a rotational basis.

The forum is an important mechanism for the Office to maintain key relationships with privacy regulators and other representatives who have a role in dealing with privacy issues in their jurisdiction.

Chapter 3 Protecting Privacy

3.1 Review of Performance

As an integral part of the Privacy Commissioner’s role in protecting privacy, the Office undertakes a wide range of compliance activities. These include a telephone and written enquiry service, investigating and resolving individual complaints, audit and data-matching activities and conducting ‘own motion’ investigations.

Under the guidance of the Privacy Commissioner, the Office expanded its compliance work during 2009–10. The Office received 1201 complaints, an increase over the 1089 received in 2008–09. In addition, ‘own motion’ investigations (including voluntary data breach notifications) totalled 117.

Nine audits were undertaken, a significant increase on the number of audits undertaken in previous years. This included three audits of credit reporting agencies – an important part of the proactive approach being developed by the Office. Audit work is primarily focused on assisting agencies and organisations to test and improve their systems, enhancing privacy outcomes for individuals.

The Office continued to publish case notes on its website as an effective means of providing information about how matters are assessed and how the law applies to issues involving privacy. Twenty-seven case notes were published during 2009–10.

An information sheet for the private sector, entitled ‘ID scanning in clubs and pubs’, was published during 2009–10 because clubs and pubs are increasingly using technology to electronically capture identity information about individuals. Collecting identity information in this way raises privacy concerns, and a balance must be struck between using technology for business purposes and protecting individual privacy. Following several complaints and ‘own motion’ investigations, the Office published the information sheet to assist organisations to consider the privacy aspects of using scanning technology.

The Office continues to focus on staff development and training and stakeholder engagement to ensure best practice complaint handling, investigation and resolution.

3.2 Responding to Enquiries

3.2.1 Telephone Enquiries

The Office’s Privacy Enquiries Line (1300 303 992) provides information about privacy issues and privacy law for the cost of a local call. The enquiry service answered 20 935 telephone enquiries in 2009–10. This is consistent with the number of calls received in previous years.

Who is calling?

The vast majority of calls continue to be from individuals seeking information about their privacy rights and advice about how to resolve privacy complaints.

Table 3.1 below illustrates the top 10 types of caller who telephoned the Privacy Enquiries Line in 2009–10.

Table 3.1 Source of Telephone Enquiries

| Caller type | Enquiries |
|---|---|
| Individuals | 17 667 |
| Health Service Providers | 391 |
| Australian Government | 382 |
| Legal, Accounting and Management Services | 253 |
| Real Estate | 224 |
| State Government | 178 |
| Finance | 151 |
| Charities | 123 |
| Personal and Other Services – General | 115 |
| Retail | 75 |

What are calls about?

Table 3.2 shows a breakdown of issues discussed in calls received during 2009–10. Of the calls received that related to privacy, more than two-thirds were about the National Privacy Principles (NPPs). The most frequently discussed issue continues to be the use and disclosure of personal information by private sector organisations. These are followed by calls relating to the NPP exemptions, improper collection and access and correction. There has been an increase in calls that are unrelated to privacy.

The proportion of calls about Credit Reporting and the Information Privacy Principles (IPPs) remained fairly steady with only modest changes.

Table 3.2 Breakdown of Issues in Calls Received

| Issue | Calls |
|---|---|
| Private Sector Provisions Issues | |
| NPP 1 - Collection | 1427 |
| NPP 2 - Use and Disclosure | 2670 |
| NPP 3 - Data Quality | 268 |
| NPP 4 - Data Security | 732 |
| NPP 5 - Openness Issues (privacy statement) | 130 |
| NPP 6 - Access and Correction | 1301 |
| NPP 7 - Identifiers | 8 |
| NPP 8 - Anonymity | 10 |
| NPP 9 - Transborder Data Flows | 35 |
| NPP 10 - Sensitive Information | 135 |
| NPP Exemptions | 1692 |
| Private Sector Provisions (General) | 1102 |
| Sub-total | 9510 |
| Non-Private Sector Provisions Issues | |
| Credit Reporting | 862 |
| Surveillance | 376 |
| Data-matching | 21 |
| IPPs | 731 |
| Spent Convictions | 115 |
| Tax File Numbers | 105 |
| Privacy (General) | 2281 |
| Anti-Money Laundering | 12 |
| Do Not Call Register | 74 |
| Sub-total | 4577 |
| Unrelated to privacy | 6848 |
| Total | 20 935 |

Who are National Privacy Principles calls about?

Chart 3.1 shows the distribution of NPP telephone enquiries across the top 10 private sector industry groups. These groups have been consistent for the last several years.

Chart 3.1 Private Sector Industry Groups to which Telephone Enquiries Relate

Some examples of calls received during 2009–10 appear below.

  • The caller had a mobile phone contract. The caller took the phone to the service provider’s store for repairs and was given a loan phone. The loan phone had at least 100 phone numbers, names and videos on it. As this personal information did not belong to the caller, they could not lodge an individual complaint. The caller was advised of the Office’s own motion investigation powers.
  • A caller advised that after purchasing petrol from a service station, the attendant copied down the caller’s driver licence and credit card details. The attendant stated that this information was for the credit card company. The Office discussed necessary collection principles under NPP 1, and explained the Office’s complaint-handling processes if the caller believed the collection was unnecessary.
  • A caller was concerned that their private sector employer intended to introduce fingerprint scanning to record employees’ attendance at work, and that it would only be applied to the younger female staff and no other staff members. The Office discussed the employee records exemption, and also suggested that the caller contact the Australian Human Rights Commission to discuss the issue of only collecting the information from female staff members.
  • A caller from an Australian Government agency rang seeking advice about disclosing the personal information of an ex-employee. A state government agency had contacted the Australian Government agency to confirm details about the ex-employee. The Australian Government agency wished to disclose the personal information to assist the state government agency, but did not have the consent of the individual. The caller was advised of their obligations under IPPs 10 and 11.
  • A caller advised that on their behalf, their solicitor requested access to their personal information from a doctor. The doctor stated that they would charge $50 per page for access. The caller complained and the doctor then refused to provide access. The caller was advised about access and charges for access under NPP 6, and the Office’s complaints procedure.
  • A caller rang to discuss a situation in which a debt collector called various relatives of a person in debt, including minors. The Office explained the obligations of the debt collector regarding disclosure of personal information under NPP 2, and the Office’s complaint process. The Office also referred the caller to the Australian Competition and Consumer Commission for information regarding the debt collector’s conduct.
  • The caller had applied for a home loan with a bank. The loan amount changed once during the application process. After the loan was approved, the caller applied for a business overdraft with the same bank but was declined, apparently because of the amount of applications for credit on their credit file. The caller obtained a copy of their credit file and found that the bank had listed eight applications for credit for the home loan. The caller was advised of the credit reporting provisions, NPP 3, and the Office’s complaints process.

3.2.2 Written Enquiries

The Office responds to requests for information that are received by email, letter or fax. The Office received 1909 written enquiries in 2009–10, which is a slight decrease on the number received in 2008–09 (2078).

The Office is committed to responding to 90% of written enquiries in 10 working days. This benchmark was met in 2009–10, with 96% of written enquiries responded to in 10 working days or less.

In 2009–10, 71% of written enquiries related to the private sector provisions. This is an increase on private sector written enquiries received in 2008–09 (65%).

Examples of the written enquiries received in 2009–10 appear below.

  • An enquirer sought access to their medical records from birth until the present. The enquirer was provided information on how to seek access from private health service providers and the time period limitations on access, and given appropriate referrals to assist with access from state agencies.
  • A marriage celebrant asked for information about their privacy obligations. They were advised about the application of the National Privacy Principles (NPPs) to small businesses and referred to relevant material on the Office’s website.
  • An enquirer believed an agency held inaccurate personal information about them and that this was adversely affecting their ability to get assistance from the agency. The enquirer was informed about the agency’s Information Privacy Principle (IPP) 6 and 7 obligations, and provided with information on how to make a complaint.
  • An organisation asked about reasonable timeframes for responding to access requests, and the form in which access must be given. The organisation was advised about their NPP 6 obligations.
  • An enquirer asked if a complaint could be referred to the Office if the complainant was unsure of the organisation’s turnover. The enquirer was advised that this was an issue the Office would establish, by undertaking preliminary inquiries to ascertain if the organisation was bound by the Privacy Act.

3.3 Responding to Complaints

Allegations about acts or practices that may be an interference with the privacy of an individual can be accepted by the Privacy Commissioner as complaints. This can include complaints about:

  • how personal information is collected, held, used or disclosed by large private sector organisations, private sector health service providers and some small businesses under the National Privacy Principles
  • how personal information is handled by Australian and ACT Government agencies under the Information Privacy Principles
  • credit worthiness information held by credit providers and credit reporting agencies
  • the use of personal tax file numbers by individuals and organisations
  • related legislation, including spent convictions under the Crimes Act 1914 (Cth) and Australian Government data-matching programs regulated by the Data-matching Program (Assistance and Tax) Act 1990 (Cth).

3.3.1 Complaints received during 2009–10

In 2009–10, the Office received a total of 1201 complaints across all areas of its jurisdiction. This is a notable increase on the previous year (1089 were received in 2008–09).

Complaints related to a wide variety of issues. Examples of complaints and their outcomes can be found on the Office’s website at www.privacy.gov.au/materials/types/casenotes?sortby=59.

The percentage of complaints received about each area of jurisdiction is given in Chart 3.2. As has been the case since the Privacy Commissioner’s role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about, with over half of all complaints relating to the NPPs. There has also been an increase in complaints about credit reporting and an increase in complaints where the Office has no jurisdiction.

Please note that the percentages exceed 100% as some complaints contain more than one issue.

Chart 3.2 Percentage of Complaints Received by Privacy Act Jurisdiction

The particular issues complained about as a percentage of total complaints received in 2009–10 are described in Chart 3.3. Please note that the percentages exceed 100% as some complaints contain more than one issue.

Chart 3.3 Key Issues in Complaints

The most commonly complained about NPP issue remains use and disclosure, followed by improper collection and data security. Credit reporting complaints have also maintained their level. However, there has been an increase in complaints over which we have no jurisdiction and more generally a decline in NPP complaints relating to data security.

The common issues in IPP complaints largely mirror those in NPP complaints, with the most commonly complained about IPP issue being improper use and disclosure, which made up nearly half of the IPP allegations. Security issues were the next most common IPP issue at 19% followed by improper collection with 12%.

Chart 3.4 shows the number of complaints made about each of the 10 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. However, the debt collector and credit reporting agency sector has become the second most complained about industry for the first time. This is likely to be a reflection of consumers’ growing awareness of credit reporting in a difficult economic climate.

There has also been an increase in misdirected complaints against state government agencies, which for the first time enters the top 10 most complained about industries.

Chart 3.4 Complaints by Government and Industry Sector

3.3.2 Complaints closed during 2009–10

Acts or practices that may be a breach of privacy can be investigated by the Privacy Commissioner. Where appropriate, the Privacy Commissioner may attempt to conciliate a resolution of the matters which led to the complaint.

If the Privacy Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Privacy Commissioner may decide not to investigate the matter any further. Otherwise, the Privacy Commissioner may make a determination about a complaint under s 52 of the Privacy Act.

In 2009–10, the Office closed 1203 complaints, which, while less than the number closed in 2008–09, nonetheless keeps ahead of the number of complaints received.

The Office investigated a similar percentage of complaints under s 40(1) of the Privacy Act and chose to summarily dismiss more complaints than in 2008–09. Table 3.3 provides more information about the stage at which complaints were closed. The increase in summary dismissals is in line with the increased number of complaints over which the Office has no jurisdiction.

The Office aims to finalise all complaints within 12 months of receiving them. In 2009–10, complaints were closed in an average of six months, which is a two month improvement from the previous financial year.

Table 3.3 Stage at which Complaints Closed

| Stage at which complaint closed | Proportion |
|---|---|
| Investigation – s 40(1) | 15.4% |
| Preliminary inquiries – s 42 | 33.2% |
| Decline to investigate – s 41 | 51.4% |
| Total | 100% |

3.3.2.1 Complaints closed following investigations

In 2009–10, the Privacy Commissioner closed 15.4% of complaints following an investigation of the matter under s 40(1) of the Privacy Act.

There were no determinations made in 2009–10. A determination is a legal decision or finding made by the Privacy Commissioner, as a consequence of which the Privacy Act’s enforcement powers (ss 54–62) are activated.

Table 3.4 shows the grounds for declining to investigate complaints further following an investigation. Please note complaints can have more than one jurisdictional issue, therefore the number of complaints listed exceeds the number of investigations closed in 2009–10.

Table 3.4 Grounds for Closing Complaints Following an Investigation

| Ground | NPPs | IPPs | Credit | Spent Convictions | TFNs | ACT IPPs | Total |
|---|---|---|---|---|---|---|---|
| No interference with privacy – s 41(1)(a) | 41 | 27 | 17 | 1 | 0 | 1 | 87 |
| Respondent has adequately dealt with complaint – s 41(2)(a) | 47 | 17 | 13 | 2 | 1 | 0 | 80 |
| Respondent has not had adequate opportunity to deal with matter – s 41(2)(b) | 2 | 0 | 3 | 1 | 0 | 0 | 6 |
| Other (for example, withdrawn) | 19 | 8 | 8 | 0 | 0 | 0 | 35 |
| Total | 109 | 52 | 41 | 4 | 1 | 1 | 208 |

The Office has been focusing where possible on resolving cases through conciliation at an early stage of investigation. Respondents took steps to resolve the complaint in 38% of cases. Over half of these were conciliated before the Privacy Commissioner needed to form a view on whether the complaint would ultimately have been upheld.

Common resolutions after the investigation proceeded to conciliation included:

  • apologies to complainants
  • staff training and counselling
  • amendments to database systems and records
  • changes to procedures
  • provision of access to records
  • compensation payments.

Overall, the respondent took steps to resolve the complaint in 43% of NPP complaints following conciliation. The Privacy Commissioner formed a view that the complaint would have been upheld in 16% of NPP complaints before they were conciliated.

More than half of the IPP complaints were closed following investigation on the basis that there was no interference with privacy, while 31% of credit reporting complaints investigated under s 40(1) of the Privacy Act were conciliated following investigation.

3.3.2.2 Nature of remedies achieved by conciliation following investigation

Table 3.5 provides more detail on the outcome of complaints that were closed as adequately dealt with following investigation under s 40(1) of the Privacy Act. Please note that more than one resolution may have been reached for a particular complaint, meaning that the total listed in Table 3.5 is not equal to the total number of complaints.

Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation

| Remedy | NPPs | IPPs | Credit | Spent convictions | TFN | Other | Total |
|---|---|---|---|---|---|---|---|
| Records amended | 9 | 3 | 6 | 1 | 0 | 0 | 19 |
| Apology | 24 | 11 | 4 | 1 | 1 | 0 | 41 |
| Changed procedures | 10 | 8 | 0 | 1 | 1 | 1 | 21 |
| Access provided | 8 | 0 | 0 | 0 | 0 | 0 | 8 |
| Staff training* | 6 | 4 | 0 | 1 | 0 | 0 | 11 |
| Counselled staff* | 2 | 2 | 1 | 0 | 1 | 0 | 6 |
| Other remedy* | 9 | 1 | 3 | 0 | 0 | 0 | 13 |
| Compensation - up to $1000 | 6 | 5 | 0 | 0 | 0 | 0 | 11 |
| Compensation - $1001–$5000 | 7 | 2 | 3 | 0 | 0 | 0 | 12 |
| Compensation - $5001–$10 000 | 1 | 4 | 0 | 0 | 0 | 0 | 5 |
| Compensation - $10 001+ | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Compensation - confidential settlement | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Total | 83 | 40 | 17 | 4 | 3 | 1 | 148 |

*Staff training and counselled staff were reported under ‘other remedy’ in previous reports. Together those three categories remain the second most common outcome.

Compensation remains the third most common remedy, and was paid in fewer than 16% of investigations. Apologies remain the most common remedy in investigated complaints for NPP and IPP complaints.

3.3.2.3 Complaints closed following preliminary inquiries

The Privacy Act authorises the Privacy Commissioner to conduct preliminary inquiries to determine whether the Privacy Commissioner has the power to investigate or should exercise a discretion not to investigate a matter further. For instance, a preliminary inquiry may seek to determine:

  • whether an agency or organisation is willing to provide access to records
  • if a particular act or practice is authorised by law
  • whether an organisation may claim the small business operator exemption
  • whether a respondent is an agency or organisation.

In 2009–10, the Privacy Commissioner closed 33.2% of complaints after preliminary inquiries. Table 3.6 provides more detail on the basis for closing complaints following preliminary inquiries. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of preliminary inquiries closed in 2009–10.

Table 3.6 Basis for Closing Complaints Following Preliminary Inquiries

| Basis | NPPs | IPPs | Credit | TFNs | ACT IPPs | Other | Total |
|---|---|---|---|---|---|---|---|
| Not the privacy of the complainant – s 36(1) | 4 | 0 | 2 | 0 | 0 | 2 | 8 |
| Did not specify a respondent – s 36(5) | 3 | 0 | 0 | 0 | 0 | 0 | 3 |
| Complaint not raised with respondent – s 40(1A) | 12 | 5 | 3 | 0 | 0 | 2 | 22 |
| No interference with privacy* – s 41(1)(a) | 157 | 25 | 42 | 2 | 0 | 5 | 231 |
| Frivolous, vexatious, misconceived or lacking in substance – s 41(1)(d) | 1 | 0 | 4 | 0 | 0 | 0 | 5 |
| Is being dealt with under another law – s 41(1)(e) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Respondent has adequately dealt with the matter – s 41(2)(a) | 100 | 8 | 23 | 1 | 1 | 7 | 140 |
| Respondent has not had adequate opportunity to deal with matter – s 41(2)(b) | 6 | 0 | 8 | 0 | 0 | 1 | 15 |
| Other (for example, withdrawn) | 24 | 3 | 10 | 0 | 0 | 0 | 37 |
| Total | 307 | 41 | 92 | 3 | 1 | 17 | 461 |

* This includes matters that fall outside the Privacy Commissioner’s jurisdiction, for example, if the respondent is a state government body.

The most common reason for closing complaints after preliminary inquiries continues to be a finding that the individual’s privacy had not been interfered with, which occurred in just over half the complaints.

3.3.2.4 Nature of remedies achieved following preliminary inquiries

In the process of conducting preliminary inquiries, the Privacy Commissioner may find that the respondent has adequately dealt with the matter, or may be able to resolve the complaint through conciliation. Table 3.7 gives further detail about the types of resolutions achieved following preliminary inquiries. Please note that more than one resolution may have been achieved for a particular complaint, meaning the total listed in Table 3.7 is not equal to the total number of complaints.

Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Inquiries

| Remedy | NPPs | IPPs | Credit | TFN Guidelines | ACT IPPs | Other | Total |
|---|---|---|---|---|---|---|---|
| Records amended | 26 | 2 | 18 | 0 | 0 | 3 | 49 |
| Apology | 21 | 3 | 2 | 0 | 0 | 1 | 27 |
| Changed procedures | 13 | 0 | 0 | 0 | 0 | 1 | 14 |
| Access provided | 24 | 1 | 1 | 0 | 0 | 3 | 29 |
| Staff training* | 8 | 1 | 1 | 0 | 0 | 0 | 10 |
| Counselled staff* | 7 | 2 | 2 | 0 | 0 | 0 | 11 |
| Other remedy* | 14 | 4 | 7 | 1 | 1 | 1 | 28 |
| Compensation - up to $1000 | 13 | 0 | 1 | 0 | 0 | 1 | 15 |
| Compensation - $1001–$5000 | 5 | 0 | 0 | 0 | 0 | 0 | 5 |
| Compensation - $5001–$10 000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Compensation - $10 001+ | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Compensation - confidential settlement | 4 | 0 | 0 | 0 | 0 | 0 | 4 |
| Total | 135 | 13 | 32 | 1 | 1 | 10 | 192 |

*Staff training and counselled staff were reported under ‘other remedy’ in previous reports.

Amendment of records continued to be the most common resolution following preliminary inquiries, followed by access to records and other remedies. Compensation was paid in less than 5% of complaints resolved at the preliminary inquiries stage.

3.3.2.5 Complaints closed without investigation

In 2009–10, the Privacy Commissioner closed 51.4% of complaints by exercising a discretion not to investigate (or ‘decline’) the complaint without investigating or making preliminary inquiries.

The most common reasons for closing complaints without investigation were:

  • there was no interference with privacy (s 41(1)(a))
  • the complaint had not been raised with the respondent before being brought to the Privacy Commissioner (s 40(1A))
  • the complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).

Table 3.8 shows, in more detail, the grounds upon which these complaints were closed without investigation. Please note that complaints can have more than one jurisdiction issue; therefore, the number of complaints listed below exceeds the number of complaints closed without investigation in 2009–10.

Table 3.8 Basis for Closing Complaints Without Investigation or Preliminary Inquiries

Ground for closure | NPPs | IPPs | Credit | ACT IPPs | Other | TFN | Total
Not the privacy of the complainant – s 36(1) | 36 | 8 | 5 | 0 | 59 | 0 | 108
Did not specify a respondent – s 36(5) | 6 | 1 | 3 | 0 | 21 | 0 | 31
Complaint not raised with respondent – s 40(1A) | 67 | 14 | 23 | 0 | 1 | 7 | 112
No interference with privacy* – s 41(1)(a) | 114 | 28 | 50 | 0 | 75 | 1 | 268
Aware of complaint for over 12 months – s 41(1)(c) | 5 | 10 | 6 | 0 | 0 | 1 | 22
Frivolous, vexatious, misconceived or lacking in substance – s 41(1)(d) | 11 | 4 | 1 | 0 | 0 | 0 | 16
Is being dealt with under another law – s 41(1)(e) | 6 | 2 | 0 | 0 | 0 | 0 | 8
Another law is more appropriate – s 41(1)(f) | 2 | 7 | 0 | 0 | 0 | 2 | 11
Respondent has adequately dealt with the matter – s 41(2)(a) | 12 | 3 | 6 | 0 | 0 | 1 | 22
Respondent has not had adequate opportunity to deal with matter – s 41(2)(b) | 30 | 13 | 17 | 0 | 0 | 2 | 62
Other (for example, withdrawn) | 4 | 1 | 2 | 0 | 4 | 0 | 11
Total | 293 | 91 | 113 | 0 | 160 | 14 | 671


*This includes matters that fall outside the Privacy Commissioner’s jurisdiction, for example, if the respondent is a state government body.

3.3.2.6 Compliance issues in National Privacy Principle complaints

The issues raised in complaints against private sector organisations that the Privacy Commissioner investigated and closed as adequately dealt with are set out in Chart 3.5. Please note that complaints can have more than one issue; therefore, the total number of issues will exceed the total number of complaints.

Chart 3.5 Issues in NPP Complaints Resolved by the Respondent


This year has again seen a change in the most common NPP compliance issues: the most frequent issue in complaints resolved by private sector organisations was data security. Improper use and improper disclosure of personal information were the next most common issues.

3.3.2.7 Compliance issues in Information Privacy Principle complaints

The issues raised in complaints against Australian and ACT Government agencies, where the agency took action after preliminary inquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.6. Please note that complaints can have more than one issue; therefore, the total number of issues can exceed the total number of complaints.

Chart 3.6 Issues in IPP Complaints Resolved by the Respondent


In 2009–10 disclosure (IPP 11) and security (IPP 4) continued to be the most prevalent IPP complaint issues. However, the issue of access and amendment of personal information has also increased in prominence. This is despite the fact that the Privacy Act will defer to the access regime established under the Freedom of Information Act 1982 (Cth). Other complaint issues have remained relatively constant.

3.3.2.8 Compliance issues in credit reporting complaints

The issues raised in complaints against credit providers or credit reporting agencies, where the respondent took action following preliminary inquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.7. Please note that complaints can have more than one issue; therefore, the total number of issues will exceed the total number of complaints.

Chart 3.7 Issues in Credit Reporting Complaints Resolved by the Respondent


Overall, credit reporting complaints resolved by the respondent have decreased. However, disputed default listings and inaccuracy of a consumer credit file remain the most commonly raised and corroborated credit reporting issues. Accuracy issues include where a credit reporting agency links an individual’s credit file with another person’s credit file. The number of credit reporting complaints resolved by the respondent where a listing was disputed has remained steady.

Complaints under the ‘other’ category include where a credit provider discloses information about an individual from a credit report.

3.4 Reports of Complaints under Approved Codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. If approved by the Privacy Commissioner, these codes replace the NPPs as the legally enforceable privacy standards for those organisations. At 30 June 2010, there were three approved privacy codes (see Table 3.9).

Table 3.9 Approved Codes under the Privacy Act

Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect
Queensland Club Industry Privacy Code | Privacy Commissioner | Clubs Queensland and the Privacy Commissioner | 23 August 2002
Market and Social Research Privacy Code | Privacy Commissioner | Association of Market and Social Research Organisations and the Privacy Commissioner | 1 September 2003
Biometrics Institute Privacy Code | Privacy Commissioner | Biometrics Institute and the Privacy Commissioner | 1 September 2006


The Privacy Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the Office under any of the approved codes in 2009–10.

The Privacy Commissioner is required to maintain a register of approved codes under s 18BG of the Privacy Act. The register can be found on the Office’s website at www.privacy.gov.au/business/codes/.

3.5 Case Notes

The Privacy Commissioner publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints. The purpose of these case notes is to provide an insight into how privacy principles are being applied to:

  • assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
  • encourage good privacy practices and compliance with the Privacy Act
  • ensure the Office is accountable and transparent in its processes and decision making.

In 2009–10, the Office published 27 case notes about complaints under the National Privacy Principles (NPPs), Information Privacy Principles (IPPs) and other areas of the Privacy Act.

Situations illustrated by the case notes include the following.

  • An Australian Government agency disclosed an individual’s new address and change of name to the individual’s ex-partner. The individual had changed their name and moved house due to domestic violence fears and had contacted the agency requesting the information remain confidential. The ex-partner contacted the individual, addressing the individual by the new name. The individual’s ex-partner said they knew the individual’s new name and new address because the information was contained in a letter received from the agency. The agency took the view that it should not have disclosed the complainant’s personal information. The matter was conciliated, with both parties agreeing on a settlement which involved financial compensation. The Privacy Commissioner closed the matter under s 41(2)(a) of the Privacy Act on the grounds that the agency had adequately dealt with the matter.
  • A finance company sought to deny an individual access to their personal information on the basis that the request was frivolous and vexatious. The Privacy Commissioner formed the view that the request for access was a repeat request for information that had been previously provided. Although noting that NPP 6 does not require individuals to have a specific ‘purpose’ for requesting access to their personal information, the Privacy Commissioner considered the purpose for requesting access in this case was relevant to the finance company’s claim that the request was vexatious. The complainant and the finance company had been involved in court proceedings several years previously. Given the repeated requests for access were substantially, if not solely, a means of obtaining documents to revisit the earlier litigation and pursue an unrelated grievance, the Privacy Commissioner formed the view that the finance company could rely on NPP 6.1(d) to deny the complainant access as the request was vexatious. The Privacy Commissioner closed the complaint under s 41(1)(a) of the Privacy Act on the grounds that the finance company had not interfered with the complainant’s privacy.
  • A telecommunications company listed a payment default on an individual’s consumer credit file. The individual claimed they did not owe a debt to the telecommunications company, and that the default was listed in error. Records kept by the telecommunications company confirmed the individual had not paid an outstanding balance on their account. The account had also been outstanding for at least 60 days before the telecommunications company listed the payment default. The telecommunications company had notified the individual of the overdue amount and that a default might be listed with a credit reporting agency if the individual did not pay their account. In the course of the Privacy Commissioner’s investigation, the telecommunications company became aware that it had listed the incorrect amount on the individual’s consumer credit information file. In response, the telecommunications company offered to remove the default listing from the individual’s credit information file, and to cancel the debt. The Privacy Commissioner formed the view that the telecommunications company had properly listed the debt and closed this aspect of the complaint under s 41(1)(a) of the Privacy Act. The Privacy Commissioner formed the view that the telecommunications company had adequately dealt with the issue of listing the incorrect amount by removing the default and cancelling the debt and closed this aspect under s 41(2)(a) of the Privacy Act.
  • An individual complained that an insurance company was issuing a claim form that required individuals to agree that the company ‘may disclose to anybody any information about you’. The Privacy Commissioner commenced an own motion investigation under s 40(2) of the Privacy Act. The Privacy Commissioner advised the insurance company that the terms under which it was seeking individuals’ consent to disclose their personal information were very broad. The Privacy Commissioner’s view was that to rely on such consent where there is no clear purpose for personal information to be disclosed would be inconsistent with NPP 2.1. The Privacy Commissioner’s investigation prompted the insurance company to remove the broad terms from the form. The Privacy Commissioner ceased the own motion investigation into the matter because the insurance company had adequately dealt with the matter.
  • An Australian Government agency engaged the services of a health service provider to assess an individual’s suitability for continuing employment with the agency. The agency provided the health service provider with information about the individual, including details of the individual’s old criminal convictions. The Privacy Commissioner formed the view that the conviction information was spent under the Crimes Act 1914 (Cth) and that the health service provider had relied upon the spent conviction information in its report. As a result of the complaint, the health service provider took action to increase awareness of, and compliance with, the spent convictions scheme throughout its organisation and in the health sector in general. The service provider distributed information about the scheme to its employees, arranged for information about the scheme to be included in a publication read by a large number of health service providers and forwarded information about the scheme to the relevant professional body. The individual was satisfied with the service provider’s actions and the Privacy Commissioner closed the investigation under s 85ZZC(2)(c)(i) of the Crimes Act 1914 (Cth).

The case notes are accessible on the Office’s website at www.privacy.gov.au/materials/types/casenotes?sortby=59, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (AustLII) website at www.austlii.edu.au/au/cases/cth/PrivCmrA.

3.6 Own Motion Investigations and Data Breach Notifications

Section 40(2) of the Privacy Act gives the Privacy Commissioner the power to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Privacy Commissioner considers it desirable. The Office calls these investigations ‘own motion’ investigations (OMIs).

A data breach notification (DBN) occurs when an organisation or agency informs the Office that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, copying or modification. While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the Office, many agencies and organisations do so as part of good privacy practice. The Office has published a Guide to Handling Personal Information Security Breaches which provides advice on when to report a DBN (see section 1.9).

Reporting a DBN to the Office and taking follow-up action can help agencies and organisations to ensure they meet their obligations under the Privacy Act, particularly Information Privacy Principle (IPP) 4 and National Privacy Principle (NPP) 4.

In conducting OMIs and responding to DBNs, the Office is also performing its function under s 27(d) of the Privacy Act of promoting an understanding and acceptance of the IPPs and the NPPs. There was a total of 117 OMI and DBN matters in 2009–10. This compares to 83 matters in 2008–09.

3.6.1 Issues in Own Motion Investigations

During 2009–10, 73 new matters involving alleged interferences with privacy were brought to the attention of the Office. The source of this information was varied, and included calls to the Privacy Enquiries Line, individuals writing to the Office and systemic issues identified through complaints or media coverage.

The Office took steps to contact the organisation or agency involved in the alleged act or practice in about 78% of cases. The Office uses risk assessment criteria to determine whether to investigate a matter on its own motion. These criteria include the:

  • number of people affected and the consequences for those individuals
  • sensitivity of the personal information involved
  • progress of an agency’s or organisation’s own investigation into the matter and
  • likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified, widespread or ongoing.

The allegations raised in OMIs in 2009–10 included that:

  • documents belonging to a finance company were found in a public place
  • facsimiles containing health information were received by a third party in error
  • personal information from an organisation’s online health service was accessible to others via an online search engine
  • an agency had inadequate procedures for updating personal information
  • a clause in an organisation’s standard contract gave broad and unnecessary authority to disclose personal information.

3.6.2 Issues in Data Breach Notifications

The Office received 44 voluntary Data Breach Notifications (DBNs) in 2009–10.

The Office contacts each agency or organisation that reports a DBN to assist it to identify appropriate steps to take in relation to the breach, including preventing a future breach. Where the entity has already taken steps, the adequacy of the entity’s actions is assessed. Where the Office considers the steps to be inadequate, it works with the entity to assist it to apply better privacy practice. In cases where the Office is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, the Office will open an own motion investigation.

Incidents reported to the Office via DBNs in 2009–10 included that:

  • documents containing personal information had been lost in transit
  • a former employee downloaded names from a website, in breach of terms and conditions, then provided that list to the organisation’s clients for marketing purposes
  • a staff member’s private residence was subject to a break-in and a personal laptop, containing customer personal information, was stolen
  • documents containing personal information were discovered in the back of disused furniture sold at auction
  • the ‘to’ field was used to send a group email rather than the ‘bcc’ field.

3.6.3 Outcomes of Own Motion Investigations and Data Breach Notifications

The majority of cases investigated where the Privacy Commissioner found the allegations to be substantiated resulted in the respondent dealing with the issue raised, either on their own initiative or in accordance with the Office’s recommendations.

Actions taken have included system reviews and alterations, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.

3.7 Audits

Under the Privacy Act, the Privacy Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits help to determine and improve the level of compliance with the Privacy Act. The Office conducts audits to promote best privacy practice and to reduce privacy risks across agencies. The Privacy Commissioner’s audit powers include:

  • auditing agency compliance with the Information Privacy Principles – s 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s 28(1)(d)
  • auditing TFN recipients – s 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers – s 28A(1)(g).

The Privacy Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, unless at the request of the organisation under s 27(3).

The number of audits carried out by the Office has varied over the life of the Privacy Act depending on the nature and volume of privacy complaints and other priorities of the Office. In recent years the Office undertook audits where it had received specific funding to do so. This year, the Office has expanded the audit program to credit information audits.

An audit is a snapshot of personal information handling practices relating to the auditee at a particular time and place. Auditees are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program alone.

The Office’s audit teams emphasise that the audit is an educative process and compliance with the Privacy Act is seen as part of good management practice. Audits have been the catalyst for organisational improvements to data security, accuracy of information, staff training and disclosure policies.

The Office is progressively uploading finalised audit reports to its website.

3.7.1 Audit Activities in 2009–10

3.7.1.1 ACT Government Audits

The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3 for further information) which includes a commitment by the Office to conduct at least two audits of ACT Government agencies per financial year. The Office selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

Table 3.10 shows details of the ACT Government audits commenced and/or finalised by the Office in 2009–10.

Table 3.10 ACT Government Audits Commenced and/or Finalised 2009–10

Agency | Audit Scope | Commenced | Finalised
Department of Disability, Housing and Community Services | Complaint, property and registration files, information technology and personnel records | December 2008 | December 2009
ACT Corrective Services (part of ACT Justice & Community Safety) | Prisoner records held by the Alexander Maconochie Centre | September 2009 | March 2010
ACT Shared Services | Records held in the Shared Human Resource Services Section | October 2009 | January 2010


The Office found that these agencies were generally compliant with their obligations under the Information Privacy Principles (IPPs). However, the auditors made recommendations where privacy risks were identified or where better privacy practices could be introduced.

Common audit recommendations included:

  • improving notification procedures to ensure compliance with IPP 2
  • providing ongoing privacy training to staff
  • reviewing collection practices to ensure compliance with IPPs 1–3
  • implementing data security policies and practices that ensure compliance with IPP 4, including considering whether proactive auditing should be introduced
  • ensuring that the annual Personal Information Digest, which must be provided to the Office in accordance with IPP 5, is a comprehensive record of all classes of information held by the agency.

The Alexander Maconochie Centre held concerns regarding the publication of the final report, citing operational security issues. Therefore, the Office agreed to publish an abridged version of the final report on its website.

3.7.1.2 Identity Security audits

The Office provides ongoing privacy advice to Government and key agencies in respect of projects delivered under the Australian Government’s National Identity Security Strategy (NISS). One project under the NISS relates to the National Document Verification Service (DVS).

The DVS system allows authorised government agencies to verify, online and in real time, the authenticity of an individual’s Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that the:

  • EOI document was issued by the relevant source government agency
  • details recorded on the EOI document correspond to the details held by the source government agency
  • document is still valid.

Lead responsibility for the development of the DVS rests with the Attorney-General’s Department.

Table 3.11 shows details of the Identity Security audits commenced and/or finalised by the Office in 2009–10.

Table 3.11 Identity Security Audits Commenced and/or Finalised 2009–10

Agency | Audit Scope | Commenced | Finalised
Department of Immigration and Citizenship | Collection, use, disclosure and security of personal information during DVS transactions undertaken as a ‘User’ and ‘Issuer’ agency | December 2008 | April 2010
Attorney-General’s Department | Review of guidance material developed to guide ‘User’ and ‘Issuer’ agency implementation of the DVS | May 2009 | May 2010
Centrelink | Review of Centrelink’s role as the operator of the DVS Hub | May 2010 | In progress

The audit of the Department of Immigration and Citizenship found that the personal information handled by the agency in respect of the National DVS was generally compliant with the Information Privacy Principles (IPPs) in the Privacy Act. However, in terms of best privacy practice, the auditors recommended the agency consider:

  • introducing proactive auditing of some operational processes
  • implementing a process to ensure that personal information from DVS transactions is included in its Personal Information Digest, in accordance with the requirements under IPP 5.

The audit of guidance material developed by the Attorney-General’s Department for the National DVS found that it specified personal information handling practices that meet User and Issuer agencies’ obligations under the Privacy Act.

The auditors recommended that the guidance could deal with end-to-end compliance issues relating to the use of the National DVS. For example, it was suggested that Issuer and User agencies be reminded about providing notice about the use and disclosure of personal information during the verification process. It was also recommended that agencies participating in the National DVS agree to comply with the guidelines as a condition of using the Service.

3.7.1.3 Australian Customs and Border Protection Service Audits

The Office currently has an agreement with the Australian Customs and Border Protection Service (Customs) (see section 4.1.9 for further information) to provide ongoing policy advice and conduct two audits per financial year of various aspects of Customs’ use of Passenger Name Record (PNR) data.

Table 3.12 shows details of the PNR audits commenced and/or finalised by the Office in 2009–10 under this agreement.

Table 3.12 Customs PNR Audits Commenced and/or Finalised 2009–10

Agency | Audit Scope | Commenced | Finalised
Customs | Pre-flight assessment processing | February 2009 | December 2009
Customs | Service requests for information | June 2009 | January 2010
Customs | Customs’ compliance with the IPPs in handling PNR data at Sydney and Cairns airports | February 2010 | In progress
Customs | Customs’ compliance with the IPPs in handling PNR data | May 2010 | In progress

The completed and ongoing audits of Customs PNR data provide a comprehensive review of the way Customs handles this data. The completed audits revealed that Customs was generally compliant in terms of its handling of personal information involved in PNR processes. However, the auditors made a number of suggestions to Customs about best privacy practice improvements.

Customs held concerns regarding the publication of the final report, citing operational security issues. Therefore, the Office agreed to publish an abridged version of the final report on its website.

3.7.1.4 Biometrics for Border Control Audits

The Office has been allocated funding under the Biometrics for Border Control program, which involves the Department of Foreign Affairs and Trade, Customs and the Department of Immigration and Citizenship (DIAC).

The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing.

Table 3.13 shows audits of Biometrics for Border Control projects commenced and/or finalised by the Office in 2009–10 under this funding.

Table 3.13 Biometrics for Border Control Audits Commenced and Finalised 2009–10

Agency | Audit Scope | Commenced | Finalised
Department of Immigration and Citizenship | Collection, storage, use, disclosure and security of personal information in the proposed exchange of identity data between DIAC and DFAT through the System for People project | November 2009 | June 2010


The audit found that the agency’s handling of personal and biometric information under the System for People project was consistent with its obligations under the Information Privacy Principles.

The auditors made one recommendation. This recommendation was that DIAC ensure that its Personal Information Digest accurately reflects the exchange of personal information with the Department of Foreign Affairs and Trade.

3.7.1.5 Credit Information Audits

The Office began a number of credit information audits in 2009–10. The relaunch of this audit program is an important step in monitoring the compliance of credit providers and credit reporting agencies with the credit provisions contained in the Privacy Act.

Credit information audits are a proactive compliance mechanism. The intention is for the credit information audit program to be an advisory exercise as well as an enforcement activity. These audits encourage all credit providers and credit reporting agencies to view compliance as integral to their operations.

The Privacy Commissioner’s credit information audit functions are set out in s 28A of the Privacy Act. Part IIIA of the Privacy Act governs the handling of individuals’ credit reports and related information by credit reporting agencies and credit providers. The aim of the audits is to obtain evidence to assess whether credit information is maintained in accordance with Part IIIA and the Credit Reporting Code of Conduct. The Office does this by examining the practices and records of credit reporting agencies and credit providers to ensure that they are:

  • not using personal information in those records for unauthorised purposes
  • taking adequate steps to prevent unauthorised disclosure of those records.

Table 3.14 shows audits of credit reporting agencies commenced by the Office in 2009–10.

Table 3.14 Credit Information Audits Commenced 2009–10

Agency | Audit Scope | Commenced | Finalised
Tasmanian Collection Service | Complaint handling; cross-referencing of files; security issues | March 2010 | In progress
Dun and Bradstreet | Complaint handling; cross-referencing of files; security issues | April 2010 | In progress
Veda Advantage | Complaint handling; cross-referencing of files; security issues | April 2010 | In progress

3.8 Personal Information Digest

To help people understand what personal information is held by each Australian and ACT Government agency, Information Privacy Principle 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:

  • the nature of records kept
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records and
  • the steps an individual needs to take to gain access to the records.

These explanatory records must be provided to the Privacy Commissioner in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).

The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website and the Office’s website. The Office published the PID for Australian Government agencies for the period ending June 2010 on its website at www.privacy.gov.au/government/digests.

3.9 Monitoring Government Data-matching

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing them in order to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.

The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises a number of privacy issues. To ensure that government agencies minimise their impact on individuals’ privacy while data-matching, the Office performs a number of functions.

The Privacy Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Privacy Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998), which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.

3.9.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines

In order to detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans’ Affairs (DVA) and the Australian Taxation Office (ATO).

The Data-matching Act and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines) outline the type of personal information that can be used, and how it can be processed. They also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have means for redress.

The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency.

The Data-matching Act also makes the Privacy Commissioner responsible for monitoring the functioning of the statutory data-matching program. To this end, the Office runs inspections (see section 3.9.1.1 for further information).

3.9.1.1 Inspections

During 2009–10 the Office inspected Centrelink’s handling of a sample of data-matching cases at three regional Business Integrity Sites. The regions inspected were:

  • Centrelink Area Melbourne North Central (Box Hill), April 2010
  • Centrelink Area South Australia (Port Adelaide), May 2010
  • Centrelink Area Central North Queensland (Townsville), June 2010.

Representatives of the Office, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each of the inspections, a report is prepared and provided to Centrelink outlining the findings.

The Office found that Centrelink’s processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Program (Assistance and Tax) Act 1990. Additionally, the area offices’ procedures were also assessed as being generally compliant with the requirements of the Privacy Act in the handling of this information.

3.9.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Program (Assistance and Tax) Act 1990, but run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard for the privacy of individuals, the Privacy Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration (1998).

These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.

Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Privacy Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.

In 2009–10, the Privacy Commissioner received 10 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 3.15.

Table 3.15 – 2009–10 Program protocols produced under the voluntary data-matching guidelines

| Matching Agency | Source Agencies | Name of the Program Protocol | Description of the Program Protocol | Received Date |
|---|---|---|---|---|
| Centrelink | State Land Titles Offices | State Government Held Land Titles Data | Centrelink proposes to match data with State Government held Land Titles data to detect customers failing to declare real estate assets. | September 2009 |
| Australian Taxation Office (ATO) | Commonwealth Bank; National Australia Bank; Westpac; ANZ Bank | Merchant Payment Cards Data Matching Project | The ATO proposes to match the merchant card (credit card and EFTPOS) data provided by financial institutions against the ATO’s taxpayer records. This work will initially focus on cash economy businesses operating in the business to consumer markets. | December 2009 |
| ATO | Boral Limited; CSR Limited; Lafarge Plasterboard Pty Ltd | Plasterers Data Matching Project | The ATO proposes to match the data provided by the major suppliers of plasterboard and cornices against the ATO’s taxpayer records with a view to identifying undeclared cash income, high risk non-lodgers and those required to be registered but who have failed to do so. | January 2010 |
| ATO | ATO | ATO Staff Members Lodgement Obligations | The ATO proposes to identify and address any non-compliance with tax obligations by ATO staff, and update ATO records so that the Special Interest Indicator which is applied to staff is accurately recorded. | January 2010 |
| ATO | Numerous Australian banks; numerous subsidiaries and branches of international banks that operate in Australia; numerous credit/debit card providers | Banking Transparency Strategy Data Matching Project | The ATO proposes to match the data provided by a range of domestic and foreign banks, as well as other financial institutions, who facilitate offshore transactions on behalf of Australian taxpayers against the ATO’s taxpayer records. | February 2010 |
| ATO | Roads and Traffic Authority, NSW; Queensland Transport; Vic Roads; Tasmanian Department of Infrastructure, Energy and Resources; Transport SA; West Australian Department for Planning and Infrastructure; Northern Territory Department of Planning and Infrastructure (Transport Division); ACT Road Transport Authority, Road User Services, Urban Services | Motor Vehicle Data Matching Project | The ATO proposes to match the data provided by the State and Territory motor vehicle registering bodies against the ATO’s taxpayer records with a view to identifying those who may not be meeting their tax obligations. | March 2010 |
| ATO | Department of Immigration and Citizenship (DIAC) | DIAC and ATO Student and Temporary Working Visa Data Matching Protocol | The ATO proposes to match data provided by DIAC against its taxpayer records to identify non-compliance with income tax, goods and services tax, and superannuation obligations by student and temporary visa holders. | May 2010 |
| ATO | Centrelink | Education Tax Refund Data Matching Project | The ATO proposes to match Family Tax Benefit data from Centrelink to identify taxpayers who have incorrectly lodged the Education Tax Refund and identify those who are non-compliant with their tax return lodgement and payment of outstanding debts. | May 2010 |
| Centrelink | ATO | Tax Garnishee Project 2010/2011 | Centrelink proposes to match individuals who owe a debt to Centrelink with ATO clients who receive a tax refund that financial year. | May 2010 |
| ATO | EBay Australia Pty Ltd; Trading Post Australia Pty Ltd | Data Matching Privacy Protocol – Online Selling Sites | The ATO proposes to match data with online selling sites to identify individuals who may not meet registration, reporting, lodgement and payment obligations. | June 2010 |

Chapter 4 Management and Accountability

4.1 Administrative Arrangements

4.1.1 Australian Human Rights Commission Memorandum of Understanding

The Office has a Memorandum of Understanding with the Australian Human Rights Commission (AHRC, formerly called the Human Rights and Equal Opportunity Commission) which covers the provision of corporate services. The Office paid $833 231 for these services in 2009–10. This includes financial, administrative, information technology, human resources and legal services. The Office also sub-lets premises in Sydney from the AHRC under this arrangement.

4.1.2 Department of the Prime Minister and Cabinet Memorandum of Understanding

The Office has a non-financial Memorandum of Understanding with the Department of the Prime Minister and Cabinet. The Memorandum sets out an agreed basis for policy and operational coordination between the Department and the Office. Representatives from both agencies meet monthly. The benefits of the arrangement include open communication to keep each party informed of relevant activities and developments, and improved advice to Ministers and other key stakeholders.

4.1.3 ACT Government Memorandum of Understanding

The Office has had a Memorandum of Understanding with the ACT Government since 1 July 2000. The current Memorandum has been signed for the period 1 July 2008–30 June 2011. Under the Memorandum, the Office provides a number of privacy services to the ACT Government including:

  • handling privacy complaints and enquiries about ACT Government agencies
  • providing policy advice
  • carrying out audits
  • providing privacy training on request
  • facilitating a Privacy Contact Officers network.

In 2009–10, the Office received $104 343 for the provision of these services. Further information regarding advice provided to ACT Government agencies can be found at section 1.5.

4.1.4 Centrelink

The Office continued to undertake its responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 throughout 2009–10. The Office received annual funding of $339 069 from Centrelink to support the costs of monitoring the conduct of the data-matching program. For further information on data-matching see section 3.9.

4.1.5 Medicare Australia Memorandum of Understanding

The Office renewed its Memorandum of Understanding with Medicare Australia for a period of 12 months. Under the Memorandum, the Office gives advice and undertakes work on privacy-related projects relevant to Medicare Australia, using resources provided by Medicare Australia. The term of the current agreement is from 1 July 2009 to 30 June 2010. The Office received $119 955 under the Memorandum in 2009–10.

4.1.6 NSW Privacy Memorandum of Understanding

The Office had a non-financial Memorandum of Understanding with the Office of the NSW Privacy Commissioner which provided a framework for cooperation in undertaking responsibilities when those responsibilities overlapped, and for taking advantage of opportunities to assist each other in joint training, education, promotion and enforcement activities. While the term of this Memorandum has come to an end, both parties continue to honour the arrangement. The Office will renew a formal arrangement once the Office of the Australian Information Commissioner is established.

4.1.7 Commonwealth Ombudsman Memorandum of Understanding

An ongoing non-financial Memorandum of Understanding exists between the Privacy Commissioner and the Commonwealth Ombudsman to allow for greater cooperation between their Offices when dealing with privacy related complaints.

The Memorandum provides for the exchange of relevant information where both Offices are considering the same issue and also offers the option of undertaking a joint investigation where a complaint falls under the jurisdiction of both Offices. Further, it enables referral of complaints to the other Office where appropriate and with consent. The Memorandum has been in place since November 2006.

4.1.8 Office of the New Zealand Privacy Commissioner Memorandum of Understanding

The Office currently has a non-financial Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner. The Memorandum enables cooperation between the two Offices on privacy related issues and the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies.

The Memorandum stems in part from the APEC Privacy Framework, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum, all of which advocate the forming of cooperative arrangements between privacy regulators.

The Memorandum has been in place since September 2006 and was renewed for a further two years in August 2008.

4.1.9 Australian Customs and Border Protection Service

The Office signed an agreement with the Australian Customs and Border Protection Service (Customs) in May 2008 to provide ongoing privacy advice over the following four years and to undertake two audits a year of various aspects of Customs’ use of Passenger Name Record data. The Office receives annual funding of $110 187 from Customs to support the costs of this work.

4.1.10 Department of Human Services Memorandum of Understanding

The Office has an agreement with the Department of Human Services to provide privacy advice in relation to the Government’s Service Delivery Reform Agenda and to respond to privacy matters arising from the implementation of Service Delivery Reform. The term of the agreement is from 1 February 2010 to 31 January 2011. The Office received $187 500 in 2009–10 for the provision of these services.

4.1.11 Australian Transport Safety Bureau

The Office undertook a review of certain provisions of the Civil Aviation Act 1988 during 2009–10. The Office received funding of $55 374 from the Australian Transport Safety Bureau to support the costs of this review. For further information on the review, see section 1.4.12.

4.1.12 Department of Infrastructure, Transport, Regional Development and Local Government

In June 2010, the Office signed an agreement with the Department of Infrastructure, Transport, Regional Development and Local Government to provide privacy advice in relation to the development and implementation of body scanning technology in Australian international airports. The Office received $185 000 under the agreement in 2009–10. The term of the agreement is from 9 June 2010 to 8 June 2011.

4.2 Corporate Services

4.2.1 Audit Committee

Consistent with Australian Securities Exchange principles of good corporate governance and the requirements of the Financial Management and Accountability Act 1997, the Office maintains an audit committee to advise the Privacy Commissioner on its compliance with external reporting requirements and the effectiveness and efficiency of its internal control and risk management mechanisms. The audit committee met four times during the reporting period.

4.2.2 Purchasing

The Office’s purchasing procedures comply with the Australian Government Procurement Guidelines issued by the Department of Finance and Deregulation. They address a wide range of purchasing situations, allowing managers flexibility when making purchasing decisions provided arrangements comply with the Australian Government’s core procurement principle of value for money.

4.2.3 Certification of Fraud Measures

The Office has prepared a fraud risk assessment and fraud control plan, and has included procedures and processes to assist with fraud prevention, detection, investigation and reporting in line with the Commonwealth Fraud Control Guidelines.

4.2.4 Consultants

The Office uses consultancy services where there is a need to access special skills and expertise not available within the agency.

During 2009–10, no consultancy contracts were entered into. One ongoing consultancy contract was active during 2009–10 involving total actual expenditure of $41 802 (including GST). This part-performed consultancy with Ice Media Pty Ltd was for the redevelopment of the Office’s website.

Information on expenditure on contracts and consultancies is available on the AusTender website at www.tenders.gov.au.

4.2.5 Grants Program

The Office of the Privacy Commissioner does not have a grants program.

4.2.6 Advertising and Market Research

The Office contracted Orima Research Pty Ltd to undertake a survey of portable storage device usage across government agencies during the reporting period. Total payments of $15 000 (including GST) were made to Orima Research for undertaking the survey.

In addition, the Office paid $20 353 (including GST) to Z Asia Pty Ltd for the production of privacy awareness material. See section 1.10 for more information.

The Office paid $30 120 (including GST) on non-campaign advertising (recruitment and event promotion) during the reporting period.

No advertising campaigns were undertaken by the Office during the reporting period.

4.2.7 Ecologically Sustainable Development and Environmental Performance

The role and activities of the Office do not directly link with ecologically sustainable development issues or impact significantly on the environment.

The Office uses energy saving equipment and practices to minimise waste. The Office has implemented a number of environmental initiatives to ensure operating practices with environmental impacts are addressed. Major energy consuming services such as air conditioning and lighting are switched off outside working hours. In addition, waste products such as paper, cardboard, printer cartridges and other recyclable materials are recycled subject to the availability of appropriate recycling schemes. Preference is given to environmentally sound products when purchasing office supplies. Purchase/leasing of Energy Star rated office machines and equipment is encouraged, as are machines with power save features.

During 2009–10, the Office and its staff participated in the Earth Hour initiative, which was held on 27 March 2010.

4.3 Management of Human Resources

4.3.1 Staffing Overview

The Office’s average staffing level for 2009–10 was 60 staff, with a turnover of approximately 20% for ongoing staff. Twelve ongoing staff either resigned or transferred to other Australian Government agencies. Thirteen new ongoing staff were employed.

As at 30 June 2010, the Office had a total of 61 staff, including both ongoing and non-ongoing employees. An overview of the Office’s staffing profile as at 30 June 2010 is summarised in Table 4.1. There were no casual staff employed as at 30 June 2010.

Table 4.1 Overview of Staffing Profile as at 30 June 2010

| Classification | Male | Female | Full Time | Part Time | Total Ongoing | Total Non-ongoing | Total |
|---|---|---|---|---|---|---|---|
| Statutory Office Holder | 0 | 1 | 1 | 0 | 0 | 1 | 1 |
| SES Band 2 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| SES Band 1 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| EL 2 ($93 416–$107 587) | 2 | 4 | 3 | 3 | 6 | 0 | 6 |
| EL 1 ($80 996–$88 822) | 4 | 4 | 6 | 2 | 8 | 0 | 8 |
| APS 6 ($64 751–$72 576) | 11 | 21 | 28 | 4 | 31 | 1 | 32 |
| APS 5 ($58 497–$63 181) | 1 | 3 | 4 | 0 | 4 | 0 | 4 |
| APS 4 ($52 445–$56 946) | 2 | 4 | 5 | 1 | 6 | 0 | 6 |
| APS 3 ($47 057–$50 789) | 1 | 1 | 1 | 1 | 2 | 0 | 2 |
| APS 2 ($42 451–$45 815) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| APS 1 ($36 506–$41 391) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 23 | 38 | 50 | 11 | 59 | 2 | 61 |

4.3.1.1 Secondments and Workforce Plan

One goal of the Office’s Workforce Plan is to encourage staff development through secondments, both internally and externally. During 2009–10, numerous staff members were seconded to other sections in the Office, and seven staff members were seconded or offered leave without pay to work in external agencies. These external secondments provide valuable professional experience for the Office’s staff, and in return, these staff offer privacy expertise to the agencies to which they have been seconded.

Agencies to which the Office’s staff were seconded in 2009–10 included the Civil Aviation Safety Authority, the Anti-Discrimination Board of NSW, the Australian Human Rights Commission, the Department of Health and Ageing, the NSW Department of Premier and Cabinet and the Attorney-General’s Department.

4.3.2 Workplace Relations and Employment

Staff members at the Office are employed under s 22 of the Public Service Act 1999. The Office of the Privacy Commissioner Certified Agreement 2009–11 was negotiated with staff and the Community and Public Sector Union. It was certified by the Australian Industrial Relations Commission on 30 June 2009. The Agreement is a variation and extension of the previous Agreement, and will be in operation until 30 June 2011.

The Agreement provides for 16 weeks of paid maternity leave, six weeks of paid parental leave, new community volunteering leave and access to extended leave following maternity or parental leave. The Office also supports access to part-time employment up until an employee’s child reaches school age. Salary progression within classification levels is subject to performance assessment.

Salary ranges for the current Certified Agreement are shown in Table 4.2.

The Office had eight staff covered by Australian Workplace Agreements or section 24.1 determinations during the reporting period, including two Senior Executive Service staff members.

4.3.3 Performance Management and Staff Development

The Office’s Performance Management Scheme provides a framework to manage and develop staff to achieve corporate objectives. Under the scheme, there is regular and formal assessment of an employee’s work performance, and positive and constructive feedback, professional development experiences and various skills-based training opportunities.

The Office’s Certified Agreement recognises the need to provide adequate training for staff to support workplace changes. This is especially important with changes in the information technology area, which require that staff are provided with relevant and ongoing training.

Professional development needs are identified through an individual’s training and development plan, in conjunction with the Performance Management Scheme. These development activities may include external professional development courses, in-house group training sessions, individual or team based on-the-job training, and the opportunity to represent the organisation at seminars and other forums.

The Office’s staff development strategy incorporates a study assistance policy. The policy provides for support where study is relevant to the work of the Office and an employee’s work responsibilities, and where it assists with professional or career development. In 2009–10, eight staff were supported to undertake formal external study through study leave, examination leave and/or financial assistance. Additional support is provided to staff who are working towards their first tertiary qualification, in recognition of the challenges some groups experience accessing tertiary education. Financial assistance for approved students was enhanced under the new Certified Agreement.

The Office provided performance pay to five employees during 2009–10. The average performance payment was $5600, and the range of payments was $1500–$11 500. The total amount of performance payments was $28 000.

4.3.4 Workplace Diversity and Equal Employment Opportunity

The Office recognises that diversity in staff is one of its greatest assets, and is committed to valuing and promoting the principles of workplace diversity through work practices. The Office participates in a joint Workplace Diversity Committee with the Australian Human Rights Commission. Throughout the year, the Office promoted and supported events including International Women’s Day, NAIDOC Week, National Reconciliation Week, National Sorry Day and Harmony Day. Other strategies in place focus on flexible and family-friendly workplace policies. During 2009–10, 15 ongoing staff had part-time arrangements in place.

During the reporting period, the Office continued to work towards the priorities outlined in the Workplace Diversity Plan for 2009–13 to ensure that diversity in the workplace remains a priority for the Office.

The Office’s Reconciliation Action Plan (see section 4.4.1) has strategies which link with the Office’s Workplace Diversity Plan.

4.3.5 Occupational Health and Safety

The Office and the Australian Human Rights Commission are co-located and share expertise and resources on Occupational Health and Safety (OH&S) issues. The Office’s Health and Safety Representative is a member of the joint agencies’ OH&S Committee (the Committee) and a new representative was appointed and trained in 2009–10.

The Office is committed to promoting preventative health and safety strategies to ensure the health, safety and wellbeing of staff. Health and safety issues are monitored, addressed and/or referred through to the Committee, and minutes of Committee meetings are placed on the Office’s intranet.

An annual physical inspection of the workplace is conducted and reviewed by the Committee to ensure that there is an opportunity for direct employee consultation, and that any hazards are identified and addressed. There have been no significant incidents reported in the last year.

All new staff are provided with OH&S information upon commencement, and ongoing support and assistance on OH&S and ergonomic issues is provided to all staff.

The Office’s commitment to staff health and wellbeing, onsite and offsite, continued, with workplace assessments for the resolution of ergonomic issues, access to a software program which encourages staff to take regular breaks throughout the day, and access to preventative health information sessions. The Office offers support to staff through QUIT smoking programs, flu vaccinations and its Healthy Lifestyle Allowance.

The Office provides a Healthy Lifestyle Allowance under the Certified Agreement to promote health and fitness as a means of achieving work/life balance, and improving the health and wellbeing of its employees. The Office continues to provide staff with access to counselling services through its Employee Assistance Program. This is a free and confidential service to provide staff and their families with counselling on personal and work related problems, if required. No systemic issues have been identified through this service.

4.4 Diversity Strategies

The Office is committed to developing and implementing strategies which help it to better provide advice and services to people from culturally and linguistically diverse backgrounds, and people with disabilities. The Reconciliation Action Plan, Commonwealth Disability Strategy and Access and Equity Report assist in pursuing this objective.

4.4.1 Reconciliation Action Plan

The Office’s Reconciliation Action Plan (RAP) was developed in consultation with Reconciliation Australia and is available on the Office’s website at www.privacy.gov.au/materials/types/plans/view/5891.

The RAP initiative was developed by Reconciliation Australia to help organisations and agencies identify and develop business practices that contribute to the wellbeing and quality of life of Indigenous Australians.

The Office’s Plan, which involved staff input from all sections of the Office, identifies five Key Reconciliation Result Areas:

  • establishing dialogue with Indigenous stakeholders on privacy issues
  • improving awareness of privacy rights in the Indigenous community
  • developing guidance material for agencies and organisations on protecting and respecting the privacy of Indigenous Australians
  • improving and applying cultural awareness and knowledge within the Office
  • creating employment and development opportunities.

During 2009–10, the Office worked towards several of the actions identified in its RAP, including celebrating National Reconciliation Week and NAIDOC Week in collaboration with Indigenous community members and relevant agencies, and will continue to do so in 2010–11. The Office continued to advertise employment vacancies in Indigenous media.

4.4.2 Commonwealth Disability Strategy

The Commonwealth Disability Strategy (CDS) provides Australian Government agencies with a framework to assist them to develop and deliver policies, programs and services which are accessible for people with disabilities. This framework requires all Australian Government agencies to provide data on their performance against the framework in their respective annual reports.

The Office’s report against the CDS framework is at Appendix 5. Full details on the CDS can be found on the Department of Families, Housing, Community Services and Indigenous Affairs website at www.fahcsia.gov.au/sa/disability/pubs/policy/Documents/cds/default.htm.

The CDS is part of the Australian Government’s vision for an Australian society where all Australians can live, work and participate fully in community life.

4.4.3 Access and Equity Report

The Access and Equity Report is an Australian Government initiative which is coordinated by the Department of Immigration and Citizenship. The report is based on agencies reporting on their performance in providing accessible services to people from culturally and linguistically diverse backgrounds. The Office reports on what it does and plans to do to make privacy-related information more accessible to the community. The Office will continue to report as required for the 2008–10 reporting period. The report covering the period 2006–08 is available at www.immi.gov.au/about/reports/access-equity/index.htm.

4.5 Client Service Charter

The Office published a Client Service Charter (the Charter) in March 2008, and updated it in June 2010. The standards set in the Charter relate to accessibility, quality, courteous and helpful service, openness and privacy and confidentiality.

These standards also state that the Office will:

  • develop significant policy advice, guidelines or research papers, and will generally consult widely, give reasonable timeframes for feedback, and explain our processes
  • advise complainants of our procedures for handling their complaint, keep them informed of the progress of their complaint and deal with individuals’ requests as quickly as possible
  • assist individuals with their enquiries directly or refer their call to a senior officer if necessary
  • ensure its publications are available on the Office’s website in accessible formats at no charge.

A Client Service Charter Information Sheet is sent out with our first contact letter to complainants and respondents in matters the Office is investigating.

The full document is available in hard copy from the Office or can be downloaded from the Office’s website at www.privacy.gov.au/materials/types/infosheets/view/5889.

Appendix 1

Governing legislation

The Privacy Act 1988

The Privacy Act gives effect to article 17 of the International Covenant on Civil and Political Rights and to the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act establishes the method by which personal information about individuals can be collected and stored, specifies the permissible uses of that information, and limits the circumstances in which that information can be disclosed. It also sets out a mechanism by which individuals can gain access to, and amend where appropriate, the personal information about them held by agencies and organisations.

The Privacy Act protects personal information under four main sets of requirements.

  • The National Privacy Principles (NPPs) (see Appendix 7) regulate the way private sector organisations handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of organisations covered by the Privacy Act. In general the NPPs apply to all businesses and non-government organisations with a turnover of $3 million or more, all health service providers and a limited range of small businesses.
  • The Information Privacy Principles (IPPs) (see Appendix 8) regulate the way most Australian and ACT Government agencies handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of those agencies covered by the Privacy Act.
  • Individuals’ Tax File Number (TFN) provisions: the Privacy Act prevents TFNs from being used as a de facto national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax-related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and enforces legally binding guidelines.
  • Part IIIA of the Privacy Act places strict safeguards on the handling of individuals’ consumer credit information by the credit industry. These provisions recognise the sensitivity of creditworthiness information and the implications for individuals should credit information be mishandled. Strict penalties apply if these provisions are breached.

Subordinate Legislation

Privacy in Australia is further regulated by subordinate legislation, including the instruments listed below.

  • Privacy (Private Sector) Regulations 2001, which set out the standards under s 18BB(3)(a)(i) of the Privacy Act that need to be met before a privacy code can be approved by the Privacy Commissioner, and prescribe specific agencies, state authorities and organisations for particular purposes under the Privacy Act.
  • Privacy Regulations 2006, which exempt the secrecy provisions of the Census and Statistics Act 1905 from the provisions in the Privacy Act (Part VIA) which relate to allowable disclosures during emergencies.
  • Privacy codes developed by organisations and approved by the Privacy Commissioner under Part IIIAA of the Privacy Act can replace the National Privacy Principles for particular organisations or activities if they enhance or are equivalent to those principles.
  • Mandatory guidelines under the Privacy Act, for example the Tax File Number Guidelines issued under s 17 of the Privacy Act.
  • Public Interest Determinations and Temporary Public Interest Determinations under Part VI of the Privacy Act.
  • Credit Reporting Determinations under Part IIIA of the Privacy Act.
  • The Credit Reporting Code of Conduct issued under s 18A of the Privacy Act.

The Privacy Act and the subordinate legislation are supported by advisory guidelines issued by the Office, including:

  • Guidelines to the National Privacy Principles
  • Guidelines to the Information Privacy Principles
  • Guidelines for the Use of Data-matching in Commonwealth Administration
  • Guidelines on Privacy in the Private Health Sector
  • Guidelines on Privacy Code Development (part of these guidelines are mandatory)
  • Guidelines on Public Interest Determination Procedure
  • Guidelines for Federal and ACT Government Websites
  • Guidelines on Workplace Email, Web Browsing and Privacy
  • Guidelines for Agencies using Privacy and Public Key Infrastructure to communicate or transact with individuals.

In addition, the Privacy Commissioner has approved binding guidelines issued by the National Health and Medical Research Council:

  • Guidelines under ss 95, 95A and 95AA of the Privacy Act 1988.

Other Legislation

The role of the Privacy Commissioner is further defined by legislated responsibilities that are set out in the following legislation.

  • Part VIIC of the Crimes Act 1914, the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances (the Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme).
  • The Data-matching Program (Assistance and Tax) Act 1990, which regulates data-matching between the Australian Taxation Office and the assistance agencies to detect overpayment and ineligibility for assistance (under this Act, the Privacy Commissioner is responsible for issuing mandatory guidelines for protecting privacy, investigating complaints and monitoring agency compliance).
  • The National Health Act 1953, under which the Privacy Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals’ claim information under the Pharmaceutical Benefits Scheme and the Medicare program.
  • The Telecommunications Act 1997, under which the Privacy Commissioner has certain monitoring and compliance functions.

Appendix 2

Strategic Plan 2007–10

Our Vision:

An Australian community in which privacy is valued and respected.

Our Purpose:

To promote and protect privacy in Australia.

Our Values:

As an Australian Government agency the Office of the Privacy Commissioner is committed to upholding the APS Values and Code of Conduct. In particular we will:

  • demonstrate leadership in promoting and protecting privacy
  • act with independence, impartiality and integrity
  • value our staff
  • be responsive to our clients
  • work collaboratively with stakeholders.

Context:

The Office of the Privacy Commissioner is established under the Privacy Act 1988 to:

  • provide advice and assistance to individuals
  • provide advice and assistance to organisations and agencies with responsibilities under the Privacy Act
  • promote privacy through policy advice and educational activities
  • administer the Privacy Act including by investigating individual privacy complaints and systemic issues, and conducting audits.

Goals:

  • High quality results
  • Increased awareness of privacy choices and obligations within the community
  • Robust relationships
  • A confident and competent workforce.

Goals and Strategies with Actions for 2010

The strategies under each goal are followed by the actions planned for 2010.

Goal: High quality results

Strategy: Build our policy and strategic analysis capacity
  • Continue the development of opportunities for collaborative work.
  • Continue the targeted research program to inform the Office’s policy work.

Strategy: Identify and focus our Office’s work on areas of maximum impact
  • Identify new, and build on existing, partnership opportunities to maximise our ability to advise on key policy issues.

Strategy: Increase our influence through quality advice and information
  • Develop standards for excellence in customer service and continue to promote the Client Service Charter.
  • Identify and use opportunities to target advice to key stakeholders.

Strategy: Manage our resources effectively, flexibly and efficiently
  • All sections to prioritise their work for maximum effect and continue to execute their 2009–10 work plans.
  • Maximise the impact of our policy advice through follow-up strategies.
  • Constructively contribute to integration of the Office into the proposed Office of the Information Commissioner.

Strategy: Deliver fair, transparent, efficient and effective complaint handling
  • Provide a timely complaint resolution service.
  • Ensure consistency in decision making.
  • Utilise the range of compliance mechanisms under the Privacy Act.

Strategy: Increase our focus on systemic information handling
  • Identify key privacy compliance issues and target systemic issues accordingly.

Strategy: Harness and utilise knowledge gained from day to day activities to inform our strategic work
  • Identify key privacy compliance issues in complaint handling, audit and data matching and target strategic work accordingly.

Strategy: Ensure robust work practice and information systems support our core business
  • Further develop continuous improvement systems.
  • Review and enhance internal work processes, including improving training on and support for the technical, administrator and user needs of the Office’s internal Information Management system ‘The Hub’.
  • Review, build on and improve the effectiveness of our knowledge sharing and management systems.

Strategy: Build our capacity to respond to evolving and emerging technology
  • Identify evolving and emerging technology issues.
  • Develop greater capacity in technology issues.

Goal: Increased awareness of privacy choices and obligations within the community

Strategy: Communicate effectively with more targeted integrated strategies
  • Target members of the Australian public who may not be as familiar with our messages as others (e.g. seniors).

Strategy: Harness existing communication channels to maximum effect, especially emerging popular mediums
  • Make additions and improvements to our online youth portal.
  • Examine further options for using social media to target key audiences such as youth and communicate key messages.

Strategy: Utilise the media to deliver the privacy message
  • Further develop and implement media strategy with media outlets.
  • Seek opportunities to contribute to relevant media, particularly during key promotional events such as PAW.

Strategy: Ensure that material published by the Office is up-to-date, accurate and targeted at identified key audiences
  • Update publications and other written material in accordance with the findings of the Publications Review.
  • Update publications and other written material in line with the Office’s Style Guide.

Strategy: Ensure that the website, as the Office’s key communication channel, is up-to-date and accurate
  • Continue to improve and promote the Office’s redeveloped website to leverage its improvements and new features.

Strategy: Develop guidance material to assist the private sector
  • Utilise Compliance data to identify need for new guidance material and prepare material.

Strategy: Re-energise PCO and Privacy Connections Networks
  • Continue to host forums, seminars, workshops and product launches for Privacy Connections members.
  • Continue to host engaging meetings for the Government PCO Network and consider opportunities to work with the network outside of the regular quarterly meetings.

Strategy: Develop programs to recognise and reward best practice
  • Promote the positive privacy messages and practices highlighted by the Privacy Awards.

Goal: Robust relationships

Strategy: Ensure that effective relationships, partnerships and networks are at the core of how we operate internally and externally
  • Nurture, manage and build on existing relationships.
  • Review and measure the success of our relationships.
  • Review and develop systems that support internal and external networks and relationships.
  • Develop and support staff to manage internal and external relationships.
  • Continue to improve and update our Communications Plan to address internal and external communication needs.

Strategy: Develop formal links with external parties where appropriate and useful to maximise influence and understanding
  • Provide quality and timely advice and services under our MOUs.
  • Identify, build and manage new relationships.
  • Further develop private sector communications, e.g. case study workshops.
  • Continue to develop international linkages with other privacy forums, particularly APPA, Privacy Authorities Australia, the International Conference and APEC.
  • Focus on partnerships during PAW 2010 to encourage joint privacy activities.

Goal: A confident and competent workforce

Strategy: Attract well qualified staff
  • Build a reputation as a ‘preferred employer’.
  • Manage the transition of staff to the new Office of the Information Commissioner.

Strategy: Retain our staff through commitment to training and development, career development, conditions of service, and work-life balance
  • Finalise Workforce Plan and begin implementation of key actions within that plan including:
    an assessment of our skills base and a training needs analysis to focus our learning and development strategies.
  • Review career development framework for all staff.
  • Establish a secondment program with other agencies and within the Office.
  • Examine and adopt a range of recruitment and retention strategies.
  • Promote and improve knowledge sharing.
  • Review Statement of Duties and Selection Criteria.
  • Review Performance Agreements and Performance Management Scheme, including consideration of a 360° Feedback Scheme.

Strategy: Acquire and develop our skills base to respond to emerging issues including technology
  • Identify skills requiring development.
  • Provide training and development opportunities.

Appendix 3

Outcomes and Outputs Structure

The Office’s outcome statement, as set out in the Portfolio Budget Statement, is:

An Australian culture in which privacy is respected, promoted and protected.

There is one output for the Office’s outcome:

Complaint handling, compliance and monitoring, and education and promotion.

Contributions to the Office’s Outcome

Each key performance indicator is listed with its 2009–10 target.

  • Adherence to Client Service Charter standards
    2009–10 target: Client Service Charter standards are met.
  • Targeted information available that informs the community, including business and government, of their rights and responsibilities in respect of the Office’s jurisdictional responsibilities
    2009–10 target: Information is easily accessible and available to all members of the community.
  • Preparation of advice, reports and submissions on significant privacy-related issues
    2009–10 target: Advice, reports and submissions on significant privacy-related issues considered and valued.
  • Audits improve the privacy practices and procedures of agencies and organisations
    2009–10 target: Agencies and organisations satisfied that audits improve their privacy practices and procedures.
  • Number of complaints finalised within 12 months of receipt and number of written enquiries answered within 10 days
    2009–10 target: 80% of complaints finalised within 12 months of receipt and 90% of written enquiries answered within 10 days.
  • Time taken to finalise audits
    2009–10 target: Audits finalised within six months of commencement.
  • Number of visits to the website and number of pages viewed on the website
    2009–10 target: More than 1 million visits to the website and more than 5 million pages viewed on the website.

Trend Information

Over the past three years, the Office has met all of its key performance indicators except its target to finalise audits within six months of commencement.

In 2009–10, the Office was able to reduce the average time taken to finalise an audit to 9.1 months. This was achieved despite a significant increase in the Office’s audit program and other proactive compliance activities undertaken by the Office in 2009–10. This reduction is a slight improvement from the figure of 9.5 months in 2008–09.

The Office will continue to work to reduce the amount of time it takes to complete audits.

Table A3.1 Agency Resource Statement 2009–10 (all amounts in $’000)

                                                               Actual Available     Payments Made     Balance Remaining
                                                               Appropriations       2009-10           2009-10
                                                               for 2009-10
                                                               (a)                  (b)               (a-b)

Ordinary Annual Services¹ Departmental appropriation
  Prior year departmental appropriation                          743                   25               718
  Departmental appropriation                                   6,470                6,470                 -
  Appropriations to take account of recoverable GST
    (FMA section 30A)                                            117                  117                 -
  S.31 Relevant agency receipts                                1,204                1,204                 -
  Total                                                        8,534                7,816               718

Total ordinary annual services                                 8,534                7,816

Total Resourcing and Payments                                  8,534                7,816

Total resourcing                                               8,534                7,816

Total net resourcing for Office of the Privacy Commissioner    8,534                7,816

¹ Appropriation Bill (No.1) 2009-10 and Appropriation Bill (No.3) 2009-10.

Table A3.2 Resources for Outcome 1 - The protection of individuals’ personal information through investigating complaints and inquiring into potential privacy interferences, advice to government, audits of personal information handling practices, community education, and research.

Expenses and Resources for Outcome 1 (all amounts in $’000)

                                                                 Budget*      Actual Expenses     Variation
                                                                 2009-10      2009-10             2009-10
                                                                 (a)          (b)                 (a)-(b)

Program 1.1: Complaint handling, compliance and monitoring and education and promotion
  Departmental expenses
    Ordinary annual services (Appropriation Bill No. 1 & 3)      6,444        6,444                   0
    Revenues from independent sources (Section 31)                 850          906                 (56)
    Expenses not requiring appropriation in the Budget year        474          619                (145)
  Total for Program 1.1                                          7,768        7,969                (201)

Outcome 1 Totals by appropriation type
  Departmental expenses                                          7,768        7,969                (201)
    Ordinary annual services (Appropriation Bill No. 1 & 3)      6,470        6,470                   -
    Revenues from independent sources (Section 31)                 850        1,152                (302)
    Expenses not requiring appropriation in the Budget year         24           37                 (13)
  Total expenses for Outcome 1                                   7,344        7,635                (315)

Average Staffing Level (number)                                  2008-09      2009-10
                                                                      65           60

* Full-year budget, including any subsequent adjustment made to the 2008-09 Budget

Appendix 4

Freedom of Information Act Compliance

The Freedom of Information Act 1982 (FOI Act) gives the general public legal access to government documents. Information on the Office’s FOI procedures can be found under the heading Freedom of Information procedures below.

Section 8 of the FOI Act requires each Australian Government agency, including this Office, to publish information about the way it is organised, together with its functions and powers, and arrangements for public participation in the work of the agency. The Office is also required to publish the categories of documents that it holds and how members of the public can gain access to them.

Authority and legislation

The Office is established, and the Privacy Commissioner’s functions and powers are conferred, by the Privacy Act. Information regarding the Office’s functions and powers is set out in the ‘About the Office’ section on page 4.

Number of formal requests for information

During 2009–10, the Office received 13 requests for access to documents under the FOI Act. All applicants wanted access to documents concerning their own privacy complaint.

Avenues for public participation

The Office uses the following processes and consultative bodies to assist the participation by persons or bodies outside the Australian Government in the policy-making functions of the Office or in its administration of various schemes and acts.

  • The Office has a Strategic Plan (see Appendix 2) which commits it to developing robust relationships with external stakeholders, and to ensuring that effective relationships, partnerships and networks are at the core of the Office’s internal and external operations.
  • Part VII of the Privacy Act provides for the establishment of the Privacy Advisory Committee to advise the Commissioner on relevant matters, recommend material to the Commissioner for inclusion in guidelines and, subject to direction by the Commissioner, engage in community education and consultation.
  • The Office coordinates the government Privacy Contact Officer (PCO) network to facilitate the resolution of privacy issues within Australian and ACT Government agencies and provide training and expertise to those agencies. The PCO network meets four times per year.
  • The Privacy Connections network plays a similar role in the private sector and regular forums are held for network members across Australia.
  • The Compliance section conducts customer surveys to assess the quality of the service it provides, and to look for ways to improve its service.
  • The Commissioner has a legislative requirement to consult. For example, the provisions relating to making a public interest determination require the production of a draft determination and the invitation of interested parties to attend a conference (ss 75 and 76). Similarly, the Commissioner needs to be satisfied that there has been an adequate opportunity for the public to comment before approving a proposed privacy code (s 18BB(2)(f)).
  • The Office conducted consultation on a number of matters during the year, including in relation to developing new guidance material.
  • The Office invites public consultation from individuals and organisations through its website.

Categories of documents

Documents held by the Office relate to:

  • administration matters, including personnel, recruitment, accounts, purchasing, registers, registry and invoices
  • complaint matters, including audits and the investigation, clarification, conciliation and resolution of complaints
  • legal matters, including legal documents, opinions, advice and representations
  • research matters, including research papers in relation to complaints, existing or proposed legislative practices, public education, national inquiries and other relevant issues
  • policy matters, including minutes of meetings, administrative and operational guidelines
  • operational matters, including files on formal inquiries
  • reference materials, including press clippings, survey and research materials and documents relating to conferences and seminars.

Freedom of information procedures

Initial enquiries regarding access to documents from the Office of the Privacy Commissioner should be directed to the Freedom of Information Officer by either telephoning (02) 9284 9800 or writing to:

Freedom of Information Officer
Office of the Privacy Commissioner
GPO Box 5218
Sydney NSW 2001.

Procedures for dealing with FOI requests are detailed in s 15 of the FOI Act. A valid request must:

  • be in writing
  • be accompanied by the payment of a $30 application fee
  • include the name and address of the person requesting the information
  • be processed within 30 days of receipt.

Some documents are exempt from public perusal under the FOI Act. Where documents are not accessible by the applicant, valid reasons will be provided. The Office’s decisions on access to documents may be reviewed by the Administrative Appeals Tribunal.

Facilities for obtaining physical access

The Office provides copies of the requested documents by mail to the enquiring party, subject to exceptions established under the FOI Act.

The Office will also consider requests from parties to view hard copies of the requested documents in person at the Office.

Appendix 5

Commonwealth Disability Strategy Performance Reporting

Table A5.1 Commonwealth Disability Strategy Performance Reporting

Policy adviser role

Performance Indicator

Performance Measure

Current level of performance
(2009–2010)

Goals for 2010–2011

Actions for 2010–2011

1. New or revised policy / program proposals assess impact on the lives of people with disabilities prior to decision.

Percentage of new or revised policy / program proposals that document that the impact of the proposal was considered prior to the decision making stage.

The Office provides advice on the policy/program/legislative activities of other agencies from a privacy perspective.

Submissions are loaded on the Office’s website where possible.

In a significant number of advices, particularly where new technologies are being considered, the privacy of people with disabilities is factored into the discussion.

Where the Office is preparing new guidance or legislative material, consultations will include groups representing people with disabilities where possible.

Review the national peak bodies listing available on the CDS website and consider liaising with these bodies during consultations processes.

2. People with disabilities are included in consultation about new or revised policy / program proposals.

Percentage of consultations about new or revised policy / program proposals that are developed in consultation with people with disabilities.

The Office seeks to have representative bodies, including those from associations of people with disabilities, actively involved in consultations on privacy issues, including in relation to privacy impact assessments of proposals undertaken by other government agencies.

Where the Office is preparing new guidance or legislative material consultations will include groups representing people with disabilities where possible.

Update the Office’s guidelines on conducting community consultations to include advice on consulting with people with disabilities.

Undertake targeted consultation with relevant groups representing people with disabilities when developing new guidance material.

Encourage other agencies which are developing policies that may impact on privacy of people with disabilities to undertake consultation with representative groups.

3. Public announcements of new, revised or proposed policy / program initiatives are available in accessible formats for people with disabilities in a timely manner.

Percentage of new, revised or proposed policy / program announcements available in a range of accessible formats.

Time taken in providing announcements in accessible formats.

Simultaneous to public release, 100% of information about new Office initiatives is available on a W3C compliant website. Other formats can be made available on request.

The Office’s PriNet email news list had 1431 subscribers as at 30 June 2010. Disability groups are members of this network. Membership is also open to members of the public who may have disabilities. Email messages to the network are sent in plain text accessible format.

100% of customers requesting information in accessible formats (other than electronic) will be advised of the expected delivery date of their preferred format within ten days of the request.

A greater number of national peak disability bodies will be represented on the Office’s email distribution list.

Maintain a log of all requests for information in accessible formats and the timeframes involved.

Approach national peak disability bodies listed on CDS website and invite them to subscribe to the Office’s email list.

Regulator role

Performance Indicator

Performance Measure

Current level of performance (2009–2010)

Goals for 2010–2011

Actions for 2010–2011

1. Publicly available information on regulations and quasi-regulations is available in accessible formats for people with disabilities.

Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

accessible electronic formats

accessible formats other than electronic.

Average time taken to provide accessible material in:

electronic format

formats other than electronic.

The Office launched a major redevelopment of its website during the reporting period. The new website, which is W3C compliant, incorporates greatly improved accessibility as one of its highest priority requirements. A link outlining the site’s accessibility features has been included in the new site.

All material can be made available in other formats on request.

Office services are accessible via website, phone and TTY.

Electronic access is immediate, via website.

100% of requests for electronic information to be fulfilled within 10 days.

100% of customers requesting information in accessible formats (other than electronic) will be advised of the expected delivery date of their preferred format within 10 days of the request.

Information provided on the Office’s website will be regularly reviewed to ensure compliance with web standards.

Clarifying the effect of the Privacy Act in relation to communications relay services for people with disabilities.

Maintain a log of all requests for information in accessible formats and the timeframes involved.

Review website in line with accessibility standards to ensure it is up-to-date.

Plain English training for all new staff.

Develop a series of FAQs on the National Relay Service and privacy issues.

   

Turnaround for requests for electronic information and hard copy information is less than 10 working days (although may be much shorter).

Some requests may require that we use external service providers. In these cases, the turnaround to provide information in accessible formats may be impacted.

The majority of Office staff have attended plain English training, and apply these skills in the preparation of the Office’s written materials.

   

2. Publicly available regulatory compliance reporting is available in accessible formats for people with disabilities.

Percentage of publicly available information on regulations and quasi-regulations requested and provided in:

accessible electronic formats

accessible formats other than electronic.

Average time taken to provide accessible material in:

electronic format

formats other than electronic.

The Office launched a major redevelopment of its website during the reporting period. The new website, which is W3C compliant, incorporates greatly improved accessibility as one of its highest priority requirements. A link outlining the site’s accessibility features has been included in the new site.

All material can be made available in other formats on request.

Office services are accessible via website, phone and TTY.

Electronic access is immediate, via website. Turnaround for requests for electronic information and hard copy information is less than 10 working days (although maybe much shorter).

Some requests may require that we use external service providers. In these cases, the turnaround to provide information in accessible formats may be impacted.

100% of requests for electronic information to be fulfilled within 10 days.

100% of customers requesting information in accessible formats (other than electronic) will be advised of the expected delivery date of their preferred format within 10 days of the request.

Information provided on the Office’s website is reviewed regularly to ensure compliance with web standards.

Ensure that relevant staff are aware of procedures for handling a request for information in accessible formats.

Maintain a log of all requests for information in accessible formats and the timeframes involved.

Review website in line with accessibility standards to ensure it is up-to-date.

   

The majority of Office staff have attended plain English training, and apply these skills in the preparation of the Office’s written materials.

   

Provider role

Performance Indicator

Performance Measure

Current level of performance (2009–2010)

Goals for 2010–2011

Actions for 2010–2011

1. Providers have established mechanisms for quality improvement and assurance.

Evidence of quality improvement and assurance systems in operation.

The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office.

The Office collects regular demographic information on clients to assist with identifying target groups who access services. During 2009–10, 26% of respondents accessing the Office’s services indicated that they had a disability.*

To identify strategies to better meet the needs of people with disability, especially in terms of:

flexible and appropriate complaint handling and service provision

courteous and prompt customer service.

Assess ways to better meet the needs of people with disability in the two key areas listed.

Monitor the proportion of complainants with a disability accessing the Office’s complaints services to help inform further improvements to the service.

2. Providers have an established service charter that specifies the roles of the provider and consumer and service standards which address accessibility for people with disabilities.

Established service charter that adequately reflects the needs of people with disabilities in operation.

The Office has a Client Service Charter which outlines the service standards that it seeks to achieve. The Charter was reissued in plain English, to make it easier to read and understand, in May 2010.

The service standards include a standard on accessibility and provide information on TTY for individuals with a hearing impairment or speech difficulties. The Charter outlines steps for individuals who are dissatisfied with the Office’s performance against the standards, and welcomes feedback and suggestions for improvement.

All Office complaints information and brochures are available on the website in accessible electronic format. Information about the complaints process and legislation is available in plain English format on the Office website. The W3C compliant website is updated regularly.

Office information is available in alternative formats upon request.

Client Service Charter to be reviewed to ensure that it addresses the needs of people with a disability, particularly in relation to:

flexible and appropriate complaint handling and service provision

courteous and prompt customer service.

Website to provide clearer guidance regarding options for access to information for people with a disability.

Review and amend as appropriate the Office’s Client Service Charter.

Assess website feedback received and ensure that any feedback about the site’s accessibility is considered and addressed promptly where appropriate.

Review current information provided under the website’s accessibility tab and provide further information on access to information in accessible formats.

3. Complaints / grievance mechanisms, including access to external mechanisms, in place to address concerns raised about performance.

Established complaints / grievance mechanisms, including access to external mechanisms, in operation.

The Office uses a current complaints information referral list to ensure callers with disabilities can be referred to appropriate advocacy groups, if required.

The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances.

Email, TTY and a national 1300 number at the cost of a local call are all available.

Premises are accessible.

To identify any issues around the accessibility of the Office’s complaints handling process for people with disability and develop strategies to address these issues.

Increase staff awareness of issues faced by people with a disability.

Review the Office’s Client Service Charter and complaints handling process and advise on potential barriers for people with disability.

Undertake specific training for staff to increase their awareness of issues relating to people with a disability.


Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants if they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities.

When dealing with requests for access to personal information, organisations are also advised to consider issues of accessibility.

No complaints have been received regarding access to the Office’s complaint handling service or premises.


* Due to the voluntary nature and the low response rate of the survey, the data does not necessarily give an accurate representation.

Appendix 6

Submissions

In 2009–10, the Office provided 41 submissions to government departments and parliamentary inquiries on policy proposals or legislation, providing analysis on the privacy implications of the proposals and offering advice on methods to ensure privacy is appropriately considered and protected. These submissions were:

1. Consultation Paper 1, Family Violence - Improving Legal Frameworks; Submission to the Australian Law Reform Commission (June 2010)

2. Exposure Draft - Policy Outlines for the New Model of Income Management; Submission to Department of Families, Housing, Community Services and Indigenous Affairs (June 2010)

3. Enhanced Mobile Location Information for the Emergency Call Service; Submission to Australian Communications and Media Authority consultation on a Proposal to Amend the Telecommunications (Emergency Call Service) Determination 2009 (June 2010)

4. Inquiry into the future direction and role of the Scrutiny of Bills Committee; Submission to the Senate Standing Committee for the Scrutiny of Bills (April 2010)

5. Draft Regulations for the Healthcare Identifiers Service; Submission to the Department of Health and Ageing (April 2010)

6. Inquiry into the Territories Law Reform Bill 2010; Submission to the Joint Standing Committee on the National Capital and External Territories (March 2010)

7. Healthcare Identifiers Bill 2010 and Healthcare Identifiers (Consequential Amendments) Bill 2010; Submission to the Senate Standing Committee on Community Affairs (March 2010)

8. Discussion Paper Five: Developing an Information and Communications Technology (ICT) Strategic Plan for Clinical Trials; Submission to the Department of Innovation, Industry, Science and Research (February 2010)

9. Toward a Stronger and More Efficient IP Rights System: Consultation Paper; Submission to IP Australia (February 2010)

10. Review of Part 1D of the Crimes Act 1914; Submission to the Attorney-General’s Department (February 2010)

11. Social Security and Other Legislation Amendment (Welfare Reform and Reinstatement of Racial Discrimination Act) Bill 2009; Submission to the Senate Standing Committee on Community Affairs (February 2010)

12. Do Not Call Register Legislation Amendment Bill 2009; Submission to the Senate Standing Committee on Environment, Communications and the Arts (January 2010)

13. Exposure Draft - Healthcare Identifiers Bill 2010; Submission to the Department of Health and Ageing (January 2010)

14. Inquiry into the Tax Laws Amendment (Confidentiality of Taxpayer Information) Bill 2009; Submission to the Senate Standing Committee on Economics (December 2009)

15. Review into the Governance, Efficiency, Structure and Operation of Australia’s Superannuation System; Submission to the Review Panel on the Phase Two: Operation and Efficiency - Issues Paper (December 2009)

16. Draft report: Engage Getting on with Government 2.0; Submission to the Government 2.0 Taskforce (December 2009)

17. Australian Government Electoral Reform Green Paper - Strengthening Australia’s Democracy; Submission to the Department of the Prime Minister and Cabinet (December 2009)

18. Discussion Paper: Do Not Call Register Statutory Review; Submission to Department of Broadband, Communications and the Digital Economy (November 2009)

19. Model Occupational Health and Safety Legislation; Submission to Safe Work Australia (November 2009)

20. Personal Property Securities (Consequential Amendments) Bill 2009; Submission to the Senate Legal and Constitutional Affairs Committee (November 2009)

21. Better Dealings with Government: Innovation in Payments and Information Services - Discussion Paper for Industry Consultation; Submission to the Department of Human Services (October 2009)

22. Draft Internet Industry Association eSecurity Code of Practice; Submission to the Internet Industry Association (October 2009)

23. Telecommunications (Interception and Access) Amendment Bill 2009 - Network Protection; Submission to the Senate Standing Committee on Legal and Constitutional Affairs (October 2009)

24. Discussion Paper - A Working with Vulnerable People Checking System for the ACT; Submission to the ACT Department of Disability, Housing and Community Services (October 2009)

25. Crimes Amendment (Working With Children – Criminal History) Bill 2009; Submission to the Senate Legal and Constitutional Affairs Committee (September 2009)

26. Exposure Draft - Extradition and Mutual Assistance in Criminal Matters Legislation Amendment Bill 2009; Submission to the Attorney-General’s Department (August 2009)

27. Healthcare identifiers and privacy: Discussion paper on proposals for legislative support; Submission to the Australian Health Ministers’ Conference (August 2009)

28. Towards Government 2.0: Issues Paper; Submission to Government 2.0 Taskforce (August 2009)

29. Exposure Draft of the Telecommunications (Interception and Access) Amendment Bill 2009 - Network Protection; Submission to the Attorney-General’s Department (August 2009)

30. Crimes Legislation Amendment (Serious and Organised Crime) Bill 2009 [Provisions]; Submission to the Senate Legal and Constitutional Affairs Committee (August 2009)

31. Australian Law Reform Commission’s Review of Secrecy Laws - Discussion Paper 74; Submission to the Australian Law Reform Commission (August 2009)

32. Access to Share Registers; Submission to the Treasury (August 2009)

33. Personal Property Securities Bill 2009 [Provisions]; Submission to the Senate Legal and Constitutional Affairs Committee (July 2009)

34. Draft Annual Review of Regulatory Burdens; Submission to the Productivity Commission (July 2009)

35. National Security Legislation Monitor Bill; Submission to the Senate Standing Committee on Finance and Public Administration (July 2009)

36. Telecommunications Legislation Amendment (National Broadband Network Measures No. 1) Bill 2009; Submission to the Senate Standing Committee on Environment (July 2009)

37. Exposure Draft of the Health Practitioner Regulation National Law (Bill B); Submission to the Senate Community Affairs Committee (July 2009)

38. Exposure Draft of the Health Practitioner Regulation National Law (Bill B); Submission to the Australian Health Workforce Ministerial Council (July 2009)

39. National Consumer Credit Protection Bill; Submission to the Senate Economics Legislation Committee (July 2009)

40. National Broadband Network; Submission to the Senate Select Committee on NBN (July 2009)

41. Surveillance in Public Places; Submission to the Victorian Law Reform Commission (July 2009).

Appendix 7

National Privacy Principles

Principle 1 – Collection

1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

Principle 2 – Use and disclosure

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

(i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and

(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

(iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

(iii) in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual’s life, health or safety; or

(ii) a serious threat to public health or public safety; or

(ea) if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

(i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and

(iii) in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or

(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(g) the use or disclosure is required or authorised by or under law; or

(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1: It is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

(a) the individual:

(i) is physically or legally incapable of giving consent to the disclosure; or

(ii) physically cannot communicate consent to the disclosure; and

(b) a natural person (the carer) providing the health service for the organisation is satisfied that either:

(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

(ii) the disclosure is made for compassionate reasons; and

(c) the disclosure is not contrary to any wish:

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

(a) a parent of the individual; or

(b) a child or sibling of the individual and at least 18 years old; or

(c) a spouse or de facto partner of the individual; or

(d) a relative of the individual, at least 18 years old and a member of the individual’s household; or

(e) a guardian of the individual; or

(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

(g) a person who has an intimate personal relationship with the individual; or

(h) a person nominated by the individual to be contacted in case of emergency.

2.6 In subclause 2.5:

child: without limiting who is a child of an individual for the purposes of this clause, each of the following is the child of an individual:

(a) an adopted child, stepchild, exnuptial child or foster child of the individual; and

(b) someone who is a child of the individual within the meaning of the Family Law Act 1975.

de facto partner has the meaning given by the Acts Interpretation Act 1901.

parent: without limiting who is a parent of an individual for the purposes of this clause, someone is the parent of an individual if the individual is his or her child because of the definition of child in this subclause.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

stepchild: without limiting who is a stepchild of an individual for the purposes of this clause, someone is the stepchild of an individual if he or she would be the individual’s stepchild except that the individual is not legally married to the individual’s de facto partner.

2.7 For the purposes of the definition of relative in subclause 2.6, relationships to an individual may also be traced to or through another individual who is:

(a) a de facto partner of the first individual; or

(b) the child of the first individual because of the definition of child in that subclause.

2.8 For the purposes of the definition of sibling in subclause 2.6, an individual is also a sibling of another individual if a relationship referred to in that definition can be traced through a parent of either or both of them.

Principle 3 – Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Principle 4 – Data security

4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

Principle 5 – Openness

5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Principle 6 – Access and correction

6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

(a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

(b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

(c) providing access would have an unreasonable impact upon the privacy of other individuals; or

(d) the request for access is frivolous or vexatious; or

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g) providing access would be unlawful; or

(h) denying access is required or authorised by or under law; or

(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

(j) providing access would be likely to prejudice:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii) the protection of the public revenue; or

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or

(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4 If an organisation charges for providing access to personal information, those charges:

(a) must not be excessive; and

(b) must not apply to lodging a request for access.

6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

Principle 7 – Identifiers

7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a) an agency; or

(b) an agent of an agency acting in its capacity as agent; or

(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsections 100(2) and (3).

7.3 In this clause:

identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

Principle 8 – Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Principle 9 – Transborder data flows

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

(b) the individual consents to the transfer; or

(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e) all of the following apply:

(i) the transfer is for the benefit of the individual;

(ii) it is impracticable to obtain the consent of the individual to that transfer;

(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

Principle 10 – Sensitive information

10.1 An organisation must not collect sensitive information about an individual unless:

(a) the individual has consented; or

(b) the collection is required by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or

(d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:

(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the information is necessary to provide a health service to the individual; and

(b) the information is collected:

(i) as required or authorised by or under law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

(c) it is impracticable for the organisation to seek the individual’s consent to the collection; and

(d) the information is collected:

(i) as required by law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

10.5 In this clause:

non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.

Appendix 8

Information Privacy Principles

Principle 1 – Manner and purpose of collection of personal information

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 – Solicitation of personal information from individual concerned

Where:

(a)  a collector collects personal information for inclusion in a record or in a generally available publication; and

(b)  the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

(c)  the purpose for which the information is being collected;

(d)  if the collection of the information is authorised or required by or under law—the fact that the collection of the information is so authorised or required; and

(e)  any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first-mentioned person, body or agency to pass on that information.

Principle 3 – Solicitation of personal information generally 

Where:

(a)  a collector collects personal information for inclusion in a record or in a generally available publication; and

(b)  the information is solicited by the collector;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

(c)  the information collected is relevant to that purpose and is up to date and complete; and

(d)  the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 – Storage and security of personal information 

A record-keeper who has possession or control of a record that contains personal information shall ensure:

(a)  that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

(b)  that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 – Information relating to records kept by record-keeper 

1.  A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

(a)  whether the record-keeper has possession or control of any records that contain personal information; and

(b)  if the record-keeper has possession or control of a record that contains such information:

(i)  the nature of that information;

(ii)  the main purposes for which that information is used; and

(iii)  the steps that the person should take if the person wishes to obtain access to the record.

2.  A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

3.  A record-keeper shall maintain a record setting out:

(a)  the nature of the records of personal information kept by or on behalf of the record-keeper;

(b)  the purpose for which each type of record is kept;

(c)  the classes of individuals about whom records are kept;

(d)  the period for which each type of record is kept;

(e)  the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and

(f)  the steps that should be taken by persons wishing to obtain access to that information.

4.  A record-keeper shall:

(a)  make the record maintained under clause 3 of this Principle available for inspection by members of the public; and

(b)  give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 – Access to records containing personal information 

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 – Alteration of records containing personal information 

1.  A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

(a)  is accurate; and

(b)  is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

2.  The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3.  Where:

(a)  the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

(b)  no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 – Record-keeper to check accuracy etc. of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 – Personal information to be used only for relevant purposes 

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 – Limits on use of personal information 

1.  A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

(a)  the individual concerned has consented to use of the information for that other purpose;

(b)  the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

(c)  use of the information for that other purpose is required or authorised by or under law;

(d)  use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

(e)  the purpose for which the information is used is directly related to the purpose for which the information was obtained.

2.  Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11 – Limits on disclosure of personal information 

1.  A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a)  the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

(b)  the individual concerned has consented to the disclosure;

(c)  the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d)  the disclosure is required or authorised by or under law; or

(e)  the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

2.  Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.

3.  A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

Appendix 9

List of requirements

Ref* | Section of Annual Report | Description | Requirement
--- | --- | --- | ---
A.4 | Page iii | Letter of transmittal | Mandatory
A.5 | Page v | Table of contents | Mandatory
A.5 | Page 173 | Index | Mandatory
A.5 | Page 171 | Glossary | Mandatory
A.5 | Page x | Contact officer(s) | Mandatory
A.5 | Page x | Internet home page address and Internet address for report | Mandatory
9.1 | Page 1 | Review by departmental secretary | Mandatory
9.2 | Page 1 and sections 1.1, 2.1, 3.1 | Summary of significant issues and developments | Suggested
9.2 | Pages 139–70 | Overview of department’s performance and financial results | Suggested
9.2 | Page 2 | Outlook for following year | Suggested
9.3 | N/A | Significant issues and developments – portfolio | Portfolio departments – suggested
10 | Page 4 | Overview description of department | Mandatory
10.1 | Page 4 | Role and functions | Mandatory
10.1 | Page 5 | Organisational structure | Mandatory
10.1 | Appendix 3 | Outcome and program structure | Mandatory
10.2 | N/A | Where outcome and program structures differ from PB Statements/PAES or other portfolio statements accompanying any other additional appropriation bills (other portfolio statements), details of variation and reasons for change | Mandatory
10.3 | N/A | Portfolio structure | Portfolio departments – mandatory
11.1 | Appendix 3 | Review of performance during the year in relation to programs and contribution to outcomes | Mandatory
11.1 | Appendix 3 | Actual performance in relation to deliverables and KPIs set out in PB Statements/PAES or other portfolio statements | Mandatory
 | 4.1.1 | Performance of purchaser/provider arrangements | If applicable, suggested
11.1 | N/A | Where performance targets differ from the PBS/PAES, details of both former and new targets, and reasons for the change | Mandatory
11.1 | 1.1, 2.1, 3.1, Appendix 3 | Narrative discussion and analysis of performance | Mandatory
11.1 | Appendix 3 | Trend information | Mandatory
11.1 | N/A | Significant changes in nature of principal functions/services | Suggested
11.1 | - | Factors, events or trends influencing departmental performance | Suggested
11.1 | - | Contribution of risk management in achieving objectives | Suggested
11.1 | 4.4 | Social justice and equity impacts | Suggested
11.2 | 4.5 | Performance against service charter customer service standards, complaints data, and the department’s response to complaints | If applicable, mandatory
11.3 | Pages 139–70 | Discussion and analysis of the department’s financial performance | Mandatory
11.3 | - | Discussion of any significant changes from the prior year or from budget | Suggested
11.4 | Appendix 3 | Agency resource statement and summary resource tables by outcomes | Mandatory
11.5 | N/A | Developments since the end of the financial year that have affected or may significantly affect the department’s operations or financial results in future | If applicable, mandatory
12.1 | 4.2 | Statement of the main corporate governance practices in place | Mandatory
12.1 | - | Names of the senior executive and their responsibilities | Suggested
12.1 | - | Senior management committees and their roles | Suggested
12.1 | Appendix 2 | Corporate and operational planning and associated performance reporting and review | Suggested
12.1 | - | Approach adopted to identifying areas of significant financial or operational risk | Suggested
12.1 | Page iii | Agency heads are required to certify that their agency complies with the Commonwealth Fraud Control Guidelines | Mandatory
12.1 | - | Policy and practices on the establishment and maintenance of appropriate ethical standards | Suggested
12.1 | - | How nature and amount of remuneration for SES officers is determined | Suggested
12.2 | N/A | Significant developments in external scrutiny | Mandatory
12.2 | N/A | Judicial decisions and decisions of administrative tribunals | Mandatory
12.2 | N/A | Reports by the Auditor-General, a Parliamentary Committee or the Commonwealth Ombudsman | Mandatory
12.3 | 4.3 | Assessment of effectiveness in managing and developing human resources to achieve departmental objectives | Mandatory
12.3 | 4.3.1 | Workforce planning, staff turnover and retention | Suggested
12.3 | 4.3.2 | Impact and features of enterprise or collective agreements, determinations, common law contracts and AWAs | Suggested
12.3 | 4.3.3 | Training and development undertaken and its impact | Suggested
12.3 | 4.3.5 | Occupational health and safety performance | Suggested
12.3 | - | Productivity gains | Suggested
12.3 | 4.3.1 | Statistics on staffing | Mandatory
12.3 | 4.3.2 | Enterprise or collective agreements, determinations, common law contracts and AWAs | Mandatory
12.3 | 4.3.3 | Performance pay | Mandatory
12.4 | N/A | Assessment of effectiveness of assets management | If applicable, mandatory
12.5 | 4.2.2 | Assessment of purchasing against core policies and principles | Mandatory
12.6 | 4.2.4 | The annual report must include a summary statement detailing the number of new consultancy services contracts let during the year; the total actual expenditure on all new consultancy contracts let during the year (inclusive of GST); the number of ongoing consultancy contracts that were active in the reporting year; and the total actual expenditure in the reporting year on the ongoing consultancy contracts (inclusive of GST). The annual report must include a statement noting that information on contracts and consultancies is available through the AusTender website. (Additional information as in Attachment D to be available on the Internet or published as an appendix to the report. Information must be presented in accordance with the pro forma as set out in Attachment D.) | Mandatory
12.7 | N/A | Absence of provisions in contracts allowing access by the Auditor-General | Mandatory
12.8 | N/A | Contracts exempt from the AusTender | Mandatory
12.9 | Appendix 5 | Report on performance in implementing the Commonwealth Disability Strategy | Mandatory
13 | Pages 139–70 | Financial Statements | Mandatory
14.1 | 4.3.5 | Occupational health and safety (section 74 of the Occupational Health and Safety Act 1991) | Mandatory
14.1 | Appendix 4 | Freedom of Information (subsection 8(1) of the Freedom of Information Act 1982) | Mandatory
14.1 | 4.2.6 | Advertising and Market Research (Section 311A of the Commonwealth Electoral Act 1918) and statement on advertising campaigns | Mandatory
14.1 | 4.2.7 | Ecologically sustainable development and environmental performance (Section 516A of the Environment Protection and Biodiversity Conservation Act 1999) | Mandatory
14.2 | 4.2.5 | Grant programs | Mandatory
14.3 | N/A | Correction of material errors in previous annual report | If applicable, mandatory
F | Appendix 9 | List of Requirements | Mandatory


Financial Statements

[The financial statements (32 scanned pages) were published as images and are not reproduced here.]

Glossary

ABN Australian Business Number

ACMA Australian Communications and Media Authority

ACT Australian Capital Territory

AGD Attorney-General’s Department

AHMC Australian Health Ministers’ Conference

AHRC Australian Human Rights Commission

AIC Australian Institute of Criminology

ALRC Australian Law Reform Commission

APEC Asia Pacific Economic Cooperation

APPA Asia Pacific Privacy Authorities

APS Australian Public Service

ATO Australian Taxation Office

AustLII Australasian Legal Information Institute

CDS Commonwealth Disability Strategy

CRGIS Commonwealth Reference Group on Identity Security

Customs Australian Customs and Border Protection Service

Cth Commonwealth

DBN data breach notification

DFAT Department of Foreign Affairs and Trade

DHS Department of Human Services

DIAC Department of Immigration and Citizenship

DoHA Department of Health and Ageing

DPS Data Privacy Sub-group

DVA Department of Veterans’ Affairs

DVS Document Verification Service

EL Executive Level

EOI Evidence of Identity

EFTPOS Electronic Funds Transfer at Point of Sale

FAQs frequently asked questions

FOI Freedom of Information

GST goods and services tax

ICT Information and Communications Technology

ID identity

IPPs Information Privacy Principles

IP Intellectual Property

JACS Justice and Community Safety (ACT Department of)

MOU Memorandum of Understanding

NBN National Broadband Network

NEHTA National E-Health Transition Authority

NHMRC National Health and Medical Research Council

NISCG National Identity Security Coordination Group

NISS National Identity Security Strategy

NPPs National Privacy Principles

NRAS National Registration and Accreditation Scheme

NSW New South Wales

OAIC Office of the Australian Information Commissioner

OECD Organisation for Economic Co-operation and Development

OH&S Occupational Health and Safety

OMI Own Motion Investigation

OTS Office of Transport Security

PAA Privacy Authorities Australia

PAC Privacy Advisory Committee

PAW Privacy Awareness Week

PCO Privacy Contact Officer

PIA Privacy Impact Assessment

PID Personal Information Digest

PNR Passenger Name Record

PPS Personal Properties Securities

RAP Reconciliation Action Plan

SA South Australia

SDR Service Delivery Reform

SES Senior Executive Service

TAFE Technical and Further Education

TFN tax file number

TPIDs Temporary Public Interest Determinations

WPISP Working Party on Information Security and Privacy

Index

A

access and correction of information, 46, 47, 50, 52, 61, 124–26

Access and Equity Report, 90

Access to Students Records Policy (ACT), 21

accountability, 80–91

ACT
see Australian Capital Territory

address, contact, ix

administrative arrangements, 80–3

Administrative Appeals Tribunal, 105

advertising and market research, 84

advisory guidelines, 93

advocates, privacy and consumer, 38

airport scanners, 18–19, 39

Alexander Maconochie Centre, 70

Anti-Discrimination Board of NSW, 87

anti-money laundering, 47

Anti-Money Laundering and Counter-Terrorism Financing legislation, 22

apologies, 55, 56, 58, 68

appropriation, government, 101

see also finance/funding

Approved codes, 22, 63, 83

Asia Pacific Economic Cooperation (APEC), 39–40, 98
Cross Border Privacy Enforcement Arrangement, 3, 39
Data Privacy Pathfinder, 39–40
Data Privacy Sub-group (DPS), 40, 42
Privacy Framework, 3, 4, 82

Asia Pacific Privacy Authorities (APPA), 3, 5, 31, 35, 40–1, 82, 98
membership, 40
Secondment Framework, 41
32nd forum, 41
33rd forum, 41
website, 32, 35

Association of Market and Social Research Organisations, 34

Attorney-General’s Department (AGD), 15, 16, 17, 87, 94
identity security audit, 70, 71
submissions to, 17, 116, 118

Audit Committee, 83

audit report, independent, 140–1

audits, 2, 45, 68–73
ACT Government, 69–70
Attorney-General’s Department, 70
Australian Customs and Border Protection Service, 71–2
Biometrics for Border Control, 72
Centrelink, 70
commenced and/or finalised, 69, 70, 71, 71, 72
credit information, 68, 72–3, 92
credit reporting, 2, 23, 45, 68, 72–3
definition of, 68
Department of Immigration and Citizenship, 70
Document Verification Service, 70
identity security, 70–1
Information Privacy Principles, 68, 69, 71, 72
Passenger Name Record data, 71–2
powers under the Privacy Act, 4, 68, 73
published, 70, 72
timeliness, 100–1

AusTender, 84

Australian Business Number (ABN), 127

Australian Capital Territory (ACT), ix, 20–1
Alexander Maconochie Centre, 70
audits, 69–70
Corrective Services, 69
Department of Disability, Housing and Community Services, 20, 69
Department of Education and Training, 21, 37
Department of Justice and Community Safety, 69, 74
Department of Territory and Municipal Services, 20
Memorandum of Understanding, 20, 69, 80–1
Personal Information Digest, 74
Planning and Land Authority, 20, 21
Road Transport Authority, 78
Road User Services, 78
Shared Services, 69
Treasury, 21
Urban Services, 78

Australian Communications and Media Authority (ACMA), 29, 35

Australian Competition and Consumer Commission, 49

Australian Customs and Border Protection Service
audit funding, 82
audits, 71–2, 82
Biometrics for Border Control, 72
Memorandum of Understanding, 82
Passenger Name Record (PNR) data, 71–2, 82
Privacy Award, 34

Australian Finance Conference, 22

Australian Government sector, 11–20, 52, 53

Australian Health Management, 34

Australian Health Ministers’ Conference, 26, 27

Australian Health Workforce Ministerial Council, 28

Australian Human Rights Commission, 48, 87, 88
Memorandum of Understanding, 80

Australian Information Commissioner, 2, 11

Australian Information Commissioner Act 2010 (Cth), 2, 10

Australian Information Commissioner Bill 2009, 43

Australian Institute of Criminology, 7

Australian Law Reform Commission (ALRC), 1
For Your Information: Australian Privacy Law and Practice (Report 108), 2, 9, 14, 23, 28, 30, 38
review of secrecy laws, 14
Secrecy Laws and Open Government (Report 112), 14
submissions to, 116, 118

Australian National Audit Office (ANAO), 140–1

Australian Privacy Awards and Medal, 33–4

Australian Privacy Principles, exposure draft of new, 3, 9, 10

Australian Prudential Regulation Authority, 24

Australian Securities Exchange, 83

Australian Taxation Office (ATO), 24, 36, 74, 75, 94
data-matching protocols, 77, 78, 79

Australian Transport Safety Bureau, 83

Aviation Legislation Amendment (2008 Measures No. 2) Act 2009 (Cth), 19

Aviation Security Screening Review, 18

awards and medal, privacy, 33–4

Australian Workplace Agreements, 87

B

banks, 77, 78
see also credit reporting; finance sector

Biometrics, Authentication and Security Standards working group, 15

Biometrics Institute of Australia, 22
Privacy Code, 63
review of privacy code, 22

biometrics working group, 16

blogs and wikis, 15

body scanning, 18–19, 43
trial, 19

breaches, data
investigations, 4, 54–6
notification of, 30, 66
voluntary guide to handling, 29, 30, 66
see also complaints

British Columbia, Office of the Information and Privacy Commissioner, 43

building and safety laws (ACT), 21

business sector, 9, 21–6, 33, 34
see also Privacy Connections network; private sector

C

Cairns Airport, 71

case notes, 6, 63–6
number published, 6, 45, 64

case studies, 48–9, 64–6

Census and Statistics Act 1905 (Cth), 93

Centrelink, 36, 75
data-matching program, funding, 81
data-matching program protocols, 77, 79
identity security audit, 16, 70
inspections, 75–6
Memorandum of Understanding, 81
tax garnishee project, 79

Certified Agreement, 87, 88, 89

Child Support Agency, 24

children, 18, 21, 123–4
part time employment and, 87

Civil Aviation Act 1988 (Cth), 19

Civil Aviation Regulations 1988, 19

Civil Aviation Safety Authority, 87

Clarke, Dr Roger, 34

Clayton Utz, 34

Client Service Charter, 90–1, 94, 100

clubs and pubs, 1, 9, 21, 25, 31, 35, 38, 45

Cockpit Voice Recorder Inquiry, 19

code adjudicator, 4, 63

Code of Conduct, Credit Reporting, 73, 93

codes, approved, 4, 22, 63, 73

Commissioner’s Overview, 1–3

Commonwealth Disability Strategy, 89, 90, 106–15
policy adviser role, 106–8
provider role, 112–20
regulator role, 109–12

Commonwealth Ombudsman, Memorandum of Understanding, 81–2

Commonwealth Reference Group on Identity Security (CRGIS), 15

Community and Public Sector Union, 87

compensation, 55, 56, 58, 64

complaints, 6, 50–63
basis for closing, following preliminary enquiries, 57
closed, 6, 53–4
closed following investigations, 54
closed following preliminary enquiries, 56–7
closed without investigation, 59–60
compliance issues, 60–1, 62–3
credit reporting, 51, 52
by Government and Industry Sector, 53
grounds for closing following investigation, 54
ID scanning, 24–5
investigations, 52, 54
issues, 61, 62
by Privacy Act jurisdiction, 51
received, 6, 45, 50–3
remedies achieved by conciliation following investigation, 55–6
remedies achieved following preliminary enquiries, 58
remedies following OMIs and DBNs, 68
resolutions after investigation proceeded to conciliation, 55
resolved by the respondent, 55, 61, 62
statistics, 60–2
summary dismissals, 53
timeliness of resolution, 2, 53, 96
under approved codes, 63

compliance, 45, 71, 96
credit providers, 62–3
IPP complaints, 61–2
NPP complaints, 60–1
see also audits

Compliance section, 4, 104

conciliation, 4, 53, 54, 68
remedies achieved, 55–6

conferences
Australian Finance Conference, 22
Australian Health Ministers’ Conference, 26, 27
International Conference of Data Protection and Privacy Commissioners, 3, 31, 41, 42–3, 98
private sector, 22
smart infrastructure, 25

consultants, 84

contact details, OPC, ix

Cooper Review, 13–4

Corporate and Public Affairs section, 5
contact details, ix

Council of Europe Consultative Committee on Convention No 108, 42

credit reporting, 10, 23, 49, 52, 64–5
audits, 2, 23, 45, 68, 72–3
case notes, 64–5
complaints, 48, 49, 51, 52, 53, 54, 55, 56, 57, 58, 60, 62–3, 64–5
compliance issues, 62–3
enquiries, 47, 48
forum, 23
information, 10, 65, 68, 72–3, 92
new framework, 23
Privacy Act, 23
response to ALRC Report 108, 23
statistics, 47, 48, 51, 52, 53, 54, 55, 56, 57, 58, 60

Credit Reporting Code of Conduct, 73, 93

Credit Reporting Determinations, 93

Crimes Act 1914 (Cth), 5
review of Part 1D, 16
spent convictions provisions, 18, 50, 65, 94

Crimes Amendment (Working With Children – Criminal History) Bill 2009, 18

Cross Border Privacy Enforcement Arrangement, 3, 39

Curtis, Karen, 1
see also Privacy Commissioner

D

data breach notifications (DBNs), 45, 66
incidents, 67
outcomes, 68

data-matching, government, 74–9
Australian Taxation Office, 74, 75, 77–9
Centrelink, 75
Department of Immigration and Citizenship, 79
Department of Veterans’ Affairs, 75
enquiries, 47
inspections, 75–6
statutory guidelines, 74, 75
voluntary guidelines, 74–5, 76
program protocols, 76, 77–9

Data-matching Program (Assistance and Tax) Act 1990 (Cth), 50, 74, 75–6, 94

data-matching working group, 16

debt collectors, 48, 49, 52, 53

de-identification of data, 7, 15, 16, 63

Department of Broadband, Communications and the Digital Economy, 35

Department of Disability, Housing and Community Services (ACT), 18, 20

Department of Finance and Deregulation, 83

Department of Foreign Affairs and Trade, 72

Department of Health and Ageing (DoHA), 26, 38, 87

Department of Human Services (DHS), 11–2, 24
Memorandum of Understanding, 11, 82

Department of Immigration and Citizenship, 7, 70, 71, 72, 79, 90

Department of Territory and Municipal Services (ACT), 20

Department of the Prime Minister and Cabinet, 9, 13, 23, 24, 38, 40, 44
Memorandum of Understanding, 80

Department of Veterans’ Affairs, 75

disadvantaged population, 12, 18, 20, 89–90

diversity strategies, 89–90

DNA samples, 16

Do Not Call Register, 47

Do Not Call Register Legislation Amendment Bill 2009, 24

Document Verification Service (DVS), 70, 71, 97

dog owners, 20

Domestic Animals Act 2000 (ACT), 20

driver’s licences, 9, 25

Dun and Bradstreet, 73

E

ecologically sustainable development, 84–5

Education Tax Refund, 79

e-health system, national, 26, 38

electoral reform, 12–3

electronic health records, 26, 27

emergencies and disasters, 21, 93

enquiries
contact details, ix
examples of, 48–9
industry sector related to, 48
main issues, 46–7, 49
media, 7, 38–9
source, 46
telephone, 6, 46–9
written, 6, 49–51
see also complaints

enquiries telephone line, ix, 46

environmental performance, 84

equal employment opportunity, 88

Evidence of Identity (EOI), 70

ex-employees, information about, 48

exemptions
employee records, 48
NPP, 46, 47
small business operator, 57
Spent Convictions Scheme, 94

external scrutiny, 83
Australian National Audit Office, 140–1

F

Family Tax Benefit, 79

Federal Court, 4

Federal Magistrates Court, 4

finance/funding
appropriations, 101
Australian Transport Safety Bureau, 83
Biometrics for Border Control, 72
electronic health records, 27
financial statements, 142–70
Office of the Australian Information Commissioner, 9
payment to Australian Human Rights Commission, 80
payments received from
ACT Government, 21
Australian Customs and Border Protection Service, 82
Australian Transport Safety Bureau, 83
Centrelink, 81
Department of Human Services, 82
Department of Infrastructure, Transport, Regional Development and Local Government, 83
Medicare Australia, 91
resources, 118–19, 101

finance sector, 48, 52, 53, 54, 67, 77, 78

Financial Management and Accountability Act 1997 (Cth), 83

financial statements, 142–70

fingerprint scanning, 48

flight crew, 19

fraud control, 83

Freedom of Information Act 1982 (Cth), 103–5
categories of documents, 104
contact officer, 105
number of requests, 103
procedures, 105
reform, 10

Freedom of Information Amendment (Reform) Act 2010 (Cth), 2, 10

Freedom of Information Amendment (Reform) Bill 2009, 11, 43

Freedom of Information Commissioner, 2, 10

frequently asked questions (FAQs), 9, 28

functions, Privacy Commissioner’s, 4–4

G

genetic disclosure guidelines, 6–7, 9, 21, 27–8

Google, 34

Government 2.0 Taskforce, 15, 29

grants program, 84

Green Paper – Strengthening Australia’s Democracy, 12–3

Guide to the Annual Report, viii–ix

Guide to Handling Personal Information Security Breaches, 29, 66

guidelines
advisory (privacy), 93
binding guidelines, 94
fraud control, 83
genetic disclosure, 7, 27–28
OECD, 40, 82, 92
procurement, 83
statutory data-matching, 74
tax file number, 13, 23–4, 51, 58
voluntary data-matching, 74–5

Guidelines for the Conduct of the Data-matching Program, 74, 75

Guidelines for the Use of Data-matching in Commonwealth Administration, 76

Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 82, 92

H

Handling of Life Threatening and Unwelcome Communications Industry Code, 29

hazards or significant incidents, 88

Health Practitioner Regulation National Law 2009, 28

health sector, 26–8
e-health, 26, 38
electronic health records, 26, 27
genetic information, 6–7, 9, 21, 27–28
health service providers, 53, 65
Individual Health Identifiers, 26–7, 38
medical practice/practitioners, 7, 22, 28, 49
medical records, 22, 27, 49, 61, 67
medical research, 8, 10, 37–8
Medicare and PBS, 94
National Registration and Accreditation Scheme, 28
private, 21, 49
see also National Health Act 1953 (Cth)

Healthcare Identifiers Act 2010 (Cth), 27

Healthcare Identifiers and Privacy: Discussion Paper on Proposals for Legislative Support, 27

Healthcare Identifiers Bill 2010, 27

Healthcare Identifiers Service, 27, 38

High Court, 40

House Standing Committee on Infrastructure, Transport, Regional Development and Local Government, 25

human resources, 85–9

I

Ice Media Pty Ltd, 84

identifiers, healthcare, 26–7, 38

Identity and Data working group, 15

Identity Management and Disasters working group, 15

identity security, 15–6
audits, 70–1
Commonwealth Reference Group on Identity Security (CRGIS), 15
documents, scanning, 9, 21, 24–5, 35, 38
Evidence of Identity (EOI), 70
National Identity Security Coordination Group (NISCG), 15
National Identity Security Strategy (NISS), 70
online tool, identity theft, 35, 41
use of name working group, 16

identity verification, 70

income management arrangements, 12

Indigenous community, 89–90

industry codes, 29

industry sector
complaints about, 43
telephone enquiries about, 48

information and communications technology sector, 29

Information Commissioner, Australian, 1, 2, 10, 11, 38, 81, 96

Information Commissioner Bill 2009, 11

Information Privacy Principles (IPPs), 130–4
access, 132
accuracy, 133
alteration, 132–3
audits, 68, 69, 71, 72
case notes, 64
collection, 130
complaints, 51, 52, 55, 61–2
compliance issues, 61–2
disclosure, 134
issues in complaints, 62
Privacy Act, 72
relevance, 133
solicitation, 130–1
telephone enquiries, 46, 47, 48
use, 133–4
written enquiries, 50

information sheets, 21, 25, 36

infrastructure, smart, 25, 41

Inquiry into the Social Security and Other Legislation Amendment (Welfare Reform and Reinstatement of Racial Discrimination Act) Bill 2009, 12

inspections, Centrelink, 75–6

insurance sector, 53, 65

International Conference of Data Protection and Privacy Commissioners, 3, 31, 41

International Covenant on Civil and Political Rights, 92

international liaison, 39–43
working groups, 42–3
see also Asia Pacific Economic Cooperation; Asia Pacific Privacy Authorities; International Conference of Data Protection and Privacy Commissioners; Organisation for Economic Development

International Privacy Association, proposed, 41

International Privacy/Data Protection Day or Week, 42

International Standards on Privacy and Personal Data Protection, draft, 42

international students, 7, 79

investigations, 4, 54–6
own motion, 45, 48, 66–8

J

Joint Standing Committee on the National Capital and External Territories, 20

K

key performance indicators, 100

Kirby, the Hon Michael, 40

L

land titles, 77

landlords and lessors, 22

law reform
credit reporting, 23
genetic disclosure, 27
privacy, 9–10, 23
response to ALRC Report 108, 2, 9–10, 23, 28, 38
secrecy laws, 14

legislation
governing, 92–4, 103
Privacy Act, 92
subordinate (privacy), 5, 93–4
see also Australian Law Reform Commission; names of Acts

letter of transmittal, iii

licensed premises, 1, 9, 21, 25, 31, 35, 38, 45

Loyalty Pacific – FlyBuys, 34

M

management and accountability, 80–91

market research, 84

Market and Social Research Privacy Code, 63

McMillan, Professor John, 2, 11

medal, privacy, 33–4

media, 31, 38–9
email lists, 39
enquiries, 7, 38
enquiry issues, 38–9
releases, 39

Medicare Australia, 36, 94
Memorandum of Understanding, 81

Memoranda of Understanding, 2, 98
ACT Government, 20, 69, 80
Australian Customs and Border Protection Service, 82
Australian Human Rights Commission, 80
Australian Transport Safety Bureau, 83
Commonwealth Ombudsman, 81
Department of Human Services (DHS), 11, 82
Department of Infrastructure, Transport, Regional Development and Local Government, 83
Department of the Prime Minister and Cabinet, 80
Medicare Australia, 81
Office of the NSW Privacy Commissioner, 81
Office of the New Zealand Privacy Commissioner, 82
Office of Transport Security (OTS), 19

Microsoft, 34

Minister for Health and Ageing, 37

Minister for Human Services, 11

Minister for Infrastructure, Transport, Regional Development and Local Government, 19

Mobile Number Portability Code, 29

mobile phone contract, 48

Mobilise Your Mobile Phone Privacy, 30, 35, 36

motor vehicle registrations, 77

N

National Broadband Network (NBN), 26

National E–Health Transition Authority (NEHTA), 26, 27

National Health Act 1953 (Cth), 5, 94

National Health and Medical Research Council, 83
genetic disclosure guidelines, 7, 27–8

National Identity Security Coordination Group (NISCG), 15

National Identity Security Strategy (NISS), 70

National Privacy Principles (NPPs), 119–29
access and correction, 46, 47, 50, 52, 61, 124–26
anonymity, 47, 61
case notes, 64, 65
collection, 47, 52, 61, 119
complaints, 51, 52, 55
compliance issues, 60–1
data quality, 47, 50, 52, 61, 124
data security, 47, 52, 61, 124
examples of telephone enquiries, 48
exceptions, 28
exemptions, 46, 47
identifiers, 47, 61, 126–7
industry groups to which telephone enquiries relate, 46, 48
improper collection, 46, 52, 61
improper disclosure, 61
improper use, 61
issues, 61
non–private sector, 47
openness, 47, 61, 124
Privacy Act, 22, 92
private sector, 47, 51
sensitive information, 47, 61, 128–9
transborder data flows, 47, 127
use and disclosure, 46, 47, 52, 119–23
see also privacy codes

National Registration and Accreditation Scheme (NRAS), 28

National Relay Service, 109

networks, 37–8
privacy and consumer advocates, 38
Privacy Connections, 5, 31, 37, 98
Privacy Contact Officers, 5, 31, 38, 103–4

New South Wales (NSW), 78, 87
Office of the Privacy Commissioner, 40, 91

New Zealand, Office of the Privacy Commissioner, 40, 42
Memorandum of Understanding, 82

non–English speakers, ix

Norfolk Island Act 1979 (Cth), 19

Northern Territory, 12, 41, 78

Norwegian Data Inspectorate, 35

NSW Department of Premier and Cabinet, 87

NSW Roads and Traffic Authority, 78

O

occupational health and safety, 88–9
significant incidents, 78

Occupational Licensing National Law Act 2010 (ACT), 21

Office of the Australian Information Commissioner (OAIC), 1, 10–11, 81, 96
funding, 11
role, 2

Office of the Privacy Commissioner (the Office)
administrative arrangements, 80–3
Certified Agreement, 87, 88, 89
Client Service Charter, 90–1
Compliance Section, 4, 84
contact details, ix
Corporate and Public Affairs Section, 5
corporate services, 80
diversity strategies, 89–90
functions, 22, 24, 66, 73, 74–5, 94
governing legislation, 92–4, 103
human resources management, 85–91
integration into OAIC, 1, 97, 99
Memorandum of Understanding AHRC, 80
organisational structure, 5
Policy Section, 4–5
secretariat role, 5, 31, 41
see also Privacy Act 1988 (Cth); Privacy Commissioner

Office of the Privacy Commissioner Certified Agreement 2009–11, 87, 88, 89

Office of Transport Security (OTS), 18
Memorandum of Understanding, 19

online electoral enrolment, 12–3

online enrolment and e–verification working group, 16

online selling sites, 79

online tool, identity theft, 35, 41

organisation chart, 5

Organisation for Economic Co–operation and Development (OECD), 40
Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 82, 92
website provider for International Conference, proposed, 43
Working Party on Information Security and Privacy (WPISP), 3, 4, 40, 42

Orima Research Pty Ltd, 84

outcomes and outputs structure, 100–102

outlook, 2–3

overview, 1–3

own motion investigations (OMIs), 4, 25, 45, 48, 66–8
issues, 67
outcomes, 68
Privacy Act, 4, 66
risk assessment criteria, 66–7

P

patient records, 22, 27, 49, 61

performance, 9–91
Commonwealth Disability Strategy, 106–115
indicators, 100
review, 9, 31, 45
summary, 6–8
patient records, 14

Performance Management Scheme, 87–8

Personal Information Digest, 70, 71, 74

Personal Property Securities (Consequential Amendments) Act 2009 (Cth), 17

Personal Property Securities (Consequential Amendments) Bill 2009, 17

Personal Property Securities Act 2009 (Cth), 17

Personal Property Securities Bill 2009 (PPS Bill), 17

Personal Property Securities Register (PPS Register), 17

Pharmaceutical Benefits Scheme, 94

Phase Two: Operation and Efficiency Issues Paper, 13

phones, mobile, 29, 30, 31

Pilgrim, Timothy (Privacy Commissioner’s overview), 1–3

Planning and Development Amendment Bill (No. 2) (ACT), 20

plasterers data–matching project, 77

policy advice(s), 71, 80, 90, 95, 96
number of, 7

Policy section, 4–5

portable security devices, 68, 84

Portfolio Budget Statement, 100
outcomes and output structure, 100–102

preliminary inquiries, 56–8

presentations, 7

PriNet, 31, 108

Privacy Act 1988 (Cth), 92
amendment, proposed, 10
audit powers, 4, 68, 73
complaints, 4
credit information, 23, 73, 92
credit reporting, 23, 92
enforcement powers, 4, 54
own motion investigation powers, 4, 66
Privacy Advisory Committee, 43
privacy codes, 22
Privacy Impact Assessment Guide, new provision, 35, 36
private sector provisions, 1, 22, 92, 93
promotion of understanding, 66
statutory functions of the Office of the Privacy Commissioner, 4–5
subordinate legislation, 93
tax file numbers, 23, 68, 92

Privacy Advisory Committee (PAC), 5, 43, 103
function, 43
members, 43

Privacy Authorities Australia (PAA), 5, 31, 44, 98
establishment, 44
members, 44

Privacy Awards and Medal, 33–4, 98

Privacy Awareness Week (PAW), 30, 31, 35
partnerships, 35, 98
theme, 31, 35

privacy codes, 4, 22, 63, 93

Privacy Commissioner, 5
Assistant, 5
Deputy, 5, 17
functions and powers, 4–5
overview, 1–3
retiring, 1
see also Office of the Privacy Commissioner

Privacy Connections network, 5, 31, 37, 98, 103–104
number of members, 37

Privacy Contact Officers (PCO) network, 5, 31, 38, 103–104

Privacy Impact Assessment Guide, 1, 31, 36
launch of private sector module, 37

Privacy Impact Assessments (PIA), 12, 13, 14, 17, 18, 20, 21, 26, 35

Privacy Legislation Amendment Act 2006 (Cth), 28

Privacy Matters, 31, 36

privacy principles
see Information Privacy Principles; National Privacy Principles
see also Australian Privacy Principles, exposure draft of new

Privacy (Private Sector) Regulations 2001, 93

privacy professionals, 33, 37

Privacy Regulations 2006, 93

private i, 36, 37

private sector, viii, 1, 31, 37, 98
advice to, 5, 9, 22
complaints, 51, 60–1
information sheets, new, 21, 25, 45
industry group to which complaints relate, 53
industry group to which telephone enquiries relate, 48
Privacy Act, 1, 22, 92, 93
Privacy Connections network, 5, 31, 37, 98, 103–104
Privacy Impact Assessment Guide, new section, 35, 36, 37
privacy medal and awards, 33–4
telephone enquiries about, 46, 47, 48
written enquiries about, 49
see also National Privacy Principles; privacy codes

procurement, 83

program protocols, voluntary data–matching, 77–9

promotion of privacy, 31–44

protecting privacy, 45–79

public affairs, 5
see also media

public consultation, 8, 24

Public Interest Advocacy Centre, 34, 38

Public Interest Determinations, 6

public participation, 103–104

Public Service Act 1999 (Cth), 87

publications, 1, 31, 35–6
viewing, 36

purchasing, 83

purpose, OPC, 95

Q

Queensland Club Industry Privacy Code, 63

Queensland Transport, 78

R

records, 55, 56, 58, 64, 68, 69, 73, 75, 131–3
Access to Students Records Policy (ACT), 21
employee, 48
patient records, 22, 27, 48, 61
Personal Information Digest, 74
taxpayer, 77, 78, 79

real estate agents, 22, 48

real estate assets, 77

Reconciliation Action Plan, 88, 89–90

remedies, 55, 56, 58, 68

research, 10, 90, 96, 104
medical/health, 5, 10, 27–8
portable security devices, 84

residential tenancy databases, 47

resources summary, 101–102

respecting privacy, 9–29

retail sector, 46, 48, 53, 74

risk management, 66, 68, 83

risks, privacy, 13, 26, 27, 30, 31, 36, 68, 69

S

scanning
body, 18–19, 39
ID, 24–25, 31, 38, 45

Secrecy Laws and Open Government, 14

secrecy review, 14

security breaches, 39
voluntary guide, 29–30

Senate Finance and Public Administration Committee, 3, 9, 11

Senate Finance and Public Administration Legislation Committee, 43

Senate Legal and Constitutional Affairs Committee, 17, 18

Senate Select Committee on the National Broadband Network, 26

Senate Standing Committee on Community Affairs, 12

Senate Standing Committee on Economics, 14

Service Delivery Reform (SDR), 11–12
Interdepartmental Committee, 12

service station, petrol purchase, 48

smart infrastructure, 22, 25, 31

smart meters and smart grids, 11, 25

smart phones, 30

social networking, 22, 39, 41

South Australia, 41, 78

Spain
Data Protection Authority, 42

Special Minister of State and Cabinet Secretary, 23, 33, 36

speeches and presentations, 39
number of, 7

spent convictions, 17–8, 65
proposed exclusions, 18

Spent Convictions Act 2009 (SA), 17

staff, 85–91
average level, 85
Certified Agreement, 87, 88
counselling services, 89
development and training, 45, 98, 99
Employee Assistance Program, 89
equal employment opportunity, 88
Healthy Lifestyle Allowance, 89
leave, 88
overview, 85–7
part–time, 86, 87, 88
performance management, 87–8, 99
performance pay, 88
professional development, 88
profile, 86
recruitment, 84, 85, 99
safety, 88–9
salary ranges, 86
secondments, 86–7, 99
SES, 86
study assistance, 87–88
training, 87
turnover, 85
workforce plan, 86–7, 99
workplace diversity, 88
Workplace Agreements, Australian, 87
workplace relations, 87

State government sector, 52, 53, 77

states and territories, 37, 44, 78, 87

statistics
case notes, 6, 64
complaints, 6, 50–63
data breach notifications, 66, 67
freedom of information, 103
legislative instruments, 6
media enquiries, 38
own motion investigations, 66
policy advices, 7
speeches, 7, 39
staffing, 85, 86
submissions, 8
telephone enquiries, 6, 46, 47, 48
website visits, 32
written enquiries, 6, 49

Strategic Plan, 9, 22, 24, 31, 35, 36, 38, 39, 41, 43, 95–9, 103
goals and strategies with actions for 2010, 96–9

structure, organisational, 5

Student Marketing Australia, 37

students, 37
visa holders, 7, 79

submissions to government departments and parliamentary inquiries
list of, 116–24
number of, 8, 9

summary, year in review, 6–9

superannuation system review, 13–4

SuperStream: Bringing the Back Office of Super into the 21st Century, 14

surveillance, 47

Sydney International Airport, 19, 71

Symantec, 34

System for People project, 72

systemic issues, 66, 96

T

Tasmania
Department of Infrastructure, Energy and Resources, 78
Tasmanian Collection Service, 73

Tax File Number Guidelines, 13, 23–4, 51, 58, 93
review of, 23–4

tax file numbers
complaints, 50, 51, 52, 54, 56, 57, 58, 60
data–matching processes, 75
enquiries, 47
Privacy Act, 68, 72
superannuation reform review, 13–4

Tax Garnishee Project, 79

Tax Laws Amendment (Confidentiality of Taxpayer Information) Bill 2009, 14–5

Taxation Administration Act 1953 (Cth), 14

taxpayer privacy, 14–5

technologies, new, 10, 15, 18–19, 25, 26, 29, 30, 33, 41, 97, 99
Government 2.0 Taskforce, 15, 29

Telecommunications Act 1977 (Cth), 5, 10, 94

telecommunications sector, 29, 48, 52, 64–5
Do Not Call Register, 24, 47
e–marketing, 29
industry codes, 29
mobile phone pocket guide, 30, 35, 36
NBN network, 26

telemarketing, 24

telephone enquiries, 6, 46–49
examples, 48–9
by industry group related to, 48
issues, 46–7
source, 46

telephone number, privacy enquiries, 1

Temporary Public Interest Determinations (TPIDs), 7, 28

tenancy databases, 48, 53

Territories Law Reform Bill 2010, 19–20

timeliness, 2, 49, 53, 100–101

Translating and Interpreting Service, ix

transmittal letter, iii

Treasury, Australian Government, 24

U

universities, 37

US Federal Trade Commission, 40

user’s guide to annual report, viii–ix

V

values, 95

Veda Advantage, 73

vehicle registrations, 78

Victoria, 78
Department of Justice, 34, 38

vision, 95

voluntary data breach notifications, 29–30, 45

voluntary data–matching guidelines, 74–5, 76
program protocols, 76, 77–9

W

web 2.0 technologies, 15, 29

website, Privacy, 31–2
address, 1
illegitimate traffic, 33
number of sessions and page views, 32–3
redevelopment and launch, 2, 31–2, 84
statistical information, 32–3, 100
see also website addresses throughout report

welfare organisations, 22

welfare reform, 12

welfare services, 11, 13

Western Australia, 78

workforce
see staff

Working Party on Information Security and Privacy (WPISP), 9, 5, 40, 42

A Working with Vulnerable People Checking System for the ACT, 18, 20

workplace diversity, 88

workplace relations, 87

workshops, 98

written enquiries, 6, 49–50

Y

young people, 36–7
international students, 7, 79
online portal, 97
private i, 31, 36, 37
social networking sites, 22, 39, 41
students, 7, 21, 37
see also children

Z

Z Asia Pty Ltd, 84