Australian Government - Office of the Australian Information Commissioner

Chapter 5: Promote and secure the protection of personal information

Contents

  1. Introduction
  2. Compliance activities
  3. Responding to telephone enquiries
  4. Who is calling?
  5. Who are the National Privacy Principles calls about?
  6. Responding to written enquiries
  7. Responding to complaints
  8. Complaints received during 2010–11
  9. Most Complained About Organisations and Agencies
  10. Complaints closed during 2010–11
  11. Complaints closed following investigations
  12. Nature of remedies achieved by conciliation following investigation
  13. Complaints closed following preliminary inquiries
  14. Nature of remedies achieved following preliminary inquiries
  15. Complaints closed without investigation
  16. Reports of Complaints under Approved Codes
  17. Own Motion Investigations and Data Breach Notifications
  18. Issues in Own Motion Investigations
  19. Issues in Data Breach Notifications
  20. Case Notes
  21. Data-matching
  22. Audits
  23. ACT government audits
  24. Identity Security audits
  25. Australian Customs and Border Protection Audits
  26. Credit audits
  27. Healthcare Identifier audits
  28. Personal Information Digest
  29. Advice
  30. Privacy Law Reform

Introduction

Privacy issues continued to feature prominently in news headlines in 2010–11. Widespread media reporting of data breaches and the misuse of personal information contributed to a growing recognition that privacy protection is a critical concern in the community.

As the flow of personal information grows exponentially through the use of new technologies that enable personal information to be moved around the globe in seconds, the challenge is for privacy law and principles to adapt and keep pace with the way that personal information is handled by government agencies and private sector organisations. It is in this context that a key focus for the Office of the Australian Information Commissioner (OAIC) during 2010–11 was the proposed reforms to the Privacy Act 1988 (the Privacy Act).

The OAIC also continued to work with Australian and ACT government agencies on new policy proposals, legislative and regulatory changes, and agency practices that may have a significant impact on the handling of personal information. From 1 January 2011, the OAIC also provided these services to the Norfolk Island Administration. Similarly, the OAIC works with business to enhance understanding and implementation of good personal information handling practices.

The OAIC's privacy compliance activities provided important regulatory oversight in relation to individual complaints and systemic issues. The OAIC carried out a range of regulatory functions, such as own motion investigations (OMIs) and audits, aimed at securing the protection of personal information.

Compliance activities

To ensure that privacy is valued and respected in Australia, the OAIC undertakes a wide range of compliance activities. These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections and conducting OMIs.

In 2010–11, the Compliance Branch received 1222 complaints, a small increase over the 1201 received in 2009–10. In addition, the OAIC dealt with 59 OMIs and 56 voluntary data breach notifications. The Compliance Branch reduced the number of audits it undertook during 2010–11 to five, instead focusing additional resources on high-profile OMIs. This included OMIs into two large telecommunications providers and a number of technology companies.

In an OMI the OAIC can gather information about a respondent's privacy practices and work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.

The OAIC publishes case notes as an effective means of providing information about how matters are assessed and how the law applies to issues involving privacy. Twenty-four case notes were published during 2010–11. These can be found at Privacy case notes (www.oaic.gov.au/publications/case_notes.html).

In addition, the Privacy Commissioner published an investigation report about an OMI finalised in 2010–11.

Responding to telephone enquiries

The OAIC's Enquiries Line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The Enquiries Line answered 20,617 telephone enquiries in 2010–11, which is consistent with the number of calls received in previous years. Of those telephone enquiries, 10,986 specifically related to privacy and the protection of personal information. Other calls related to freedom of information (FOI), the role of the OAIC, privacy or FOI in other jurisdictions, or were administrative in nature.

Who is calling?

Most callers are individuals seeking information about their privacy rights and advice on how to resolve privacy complaints.

Table 5.1 below illustrates the top 10 types of caller who telephoned the Enquiries Line in 2010–11.

Table 5.1 – Top 10 caller types
Top 10 caller types | Total
Individual | 9012
Business, Professional Associations and Unions | 372
Health Service Providers | 224
Australian Government | 207
Personal Services (such as employment, child care, vets) | 190
Real Estate Agents | 132
Legal, Accounting and Management Services | 98
Clubs, Interest Groups, Theatres, Sports and Media | 92
Charities | 89
Finance (including Superannuation) | 82

Table 5.2 provides a breakdown of the issues discussed in the calls received during 2010–11. Almost three quarters of the privacy-related calls were about the National Privacy Principles (NPPs). The most frequently discussed issue continued to be the use and disclosure of personal information by private sector organisations, followed by NPP exemptions, improper collection, access and correction, and data security.

The number of privacy-related calls about Credit Reporting and the Information Privacy Principles (IPPs) remained similar to previous years.

Table 5.2 – Breakdown of issues in privacy calls received
Issues | Total number of calls
Private Sector Provisions Issues |
NPP 1 - Collection | 1581
NPP 2 - Use and Disclosure | 2780
NPP 3 - Data Quality | 236
NPP 4 - Data Security | 787
NPP 5 - Openness (privacy statement) | 85
NPP 6 - Access and Correction | 1164
NPP 7 - Identifiers | 6
NPP 8 - Anonymity | 25
NPP 9 - Transborder Data Flows | 53
NPP 10 - Sensitive Information Collection | 65
NPP Exemptions | 1685
Private Sector Provisions (General) | 301
Non-Private Sector Provisions Issues |
Credit Reporting | 799
IPPs | 731
Spent Convictions | 136
Tax File Numbers | 35
Privacy Codes | 8
Individual Health Identifiers | 1
Data-matching | 2
Privacy (General) | 506

Who are the National Privacy Principles calls about?

Table 5.3 distributes the top 10 NPP telephone enquiries by private sector industry groups. These groups have remained consistent for the last several years.

Table 5.3 – Private sector industry groups and privacy telephone enquiries
Private sector industry group | Total number of calls
Health Services Providers | 1112
Business, Professional Associations and Unions | 835
Personal Services (including employment, child care and vets) | 813
Real Estate Agents | 759
Finance (including superannuation) | 622
Telecommunications | 527
Retail | 344
Debt Collectors/Credit and Tenancy Databases | 317
Clubs, Interest Groups, Theatres, Sports and Media | 293
Insurance | 230

Some examples of calls received during 2010–11 appear below:

  • The caller stated that their private sector employer wanted to place tracking devices in staff mobile phones. The OAIC explained the definition of personal information, advised that the Privacy Act does not regulate tracking devices specifically, and explained the employee records exemption.

  • A caller applied to work at a casino. The job application sought information on applicants' criminal history. The caller asked if the casino was permitted to collect this information, and if the casino could collect information about criminal records from the police. The OAIC explained that the caller was not required to provide any personal information to the casino, but would need to consider the impact this may have on the casino's assessment of their job application. The OAIC also explained relevant collection principles in NPP 1. In some circumstances, it may be considered necessary for a casino's functions and activities for it to collect information about an individual's criminal history when assessing that individual's suitability for employment. The caller was advised that, under the Privacy Act, criminal record information is considered ‘sensitive information’, and the collection of that information is regulated by NPP 10. This means that the casino would generally need the individual's consent to collect the information.

  • A real estate agent called, stating that an owner of a property that the agent manages had asked to be told the race of the current tenant. The agent refused to tell the owner the tenant's race, relying on the Privacy Act. The owner asked the agent which specific section in the Act prevented disclosure in this case. The OAIC discussed NPPs 1, 2 and 10, noting that personal information that is collected for one purpose should not be used or disclosed for other purposes unless an exception in the Act applies.

  • The caller had a default listing on their credit file. The caller subsequently repaid the outstanding debt, and wanted to know whether the listing should be removed. The OAIC discussed the credit reporting provisions in the Privacy Act, noting that if the default was correctly listed, it may remain on the caller's credit file for five years. However, the credit file should note that the debt has been repaid.

  • A caller stated that a news article published on the internet by a media organisation contained their personal information, including information about a court case. The OAIC discussed the media exemption.

  • A caller was refused access to the medical records of her deceased son, for ‘privacy reasons’. The OAIC told the caller that the Privacy Act does not regulate the handling of information about deceased people. This means that the Privacy Act would not prevent a health service provider from providing the caller with the deceased son's medical records.

Responding to written enquiries

The OAIC responds to requests for information that are received by email, letter or fax. The OAIC received 1909 written enquiries in 2010–11, of which 1721 were privacy-related. The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was met in 2010–11, with 94% of privacy-related written enquiries responded to within 10 working days.

In 2010–11, 67% of privacy-related written enquiries concerned the private sector provisions. This is a small decrease compared to 2009–10 (71%).

Responding to complaints

The OAIC can investigate complaints about acts or practices that may be an interference with an individual's privacy. These can include allegations that:

  • personal information has been collected, held, used or disclosed by an organisation in contravention of the National Privacy Principles (NPPs)

  • personal information has been handled by Australian, ACT and Norfolk Island government agencies in a manner that does not comply with the Information Privacy Principles (IPPs)

  • creditworthiness information held by credit providers and credit reporting agencies has been mishandled

  • tax file numbers (TFNs) have been mishandled by individuals or organisations

  • personal information has not been managed in accordance with spent convictions, data matching or Healthcare Identifier legislation.

Complaints received during 2010–11

In 2010–11 the OAIC received a total of 1222 complaints relating to privacy, on a wide variety of issues.

The percentage of complaints received about each area of jurisdiction is given in Table 5.4. As has been the case since the OAIC's role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about, with over half of all complaints relating to the NPPs. There has been a small decrease in complaints about credit reporting and an increase in complaints where the OAIC found that it had no jurisdiction.

Table 5.4 – Percentage of Complaints Received by Privacy Act Jurisdiction
Jurisdiction | Number | %*
NPPs | 703 | 57.5
None | 210 | 17.2
Credit reporting | 195 | 16.0
IPPs | 144 | 11.8
ACT IPPs | 4 | 0.3
TFN | 4 | 0.3
Spent convictions | 1 | 0.1

[*] The percentages in Table 5.4 exceed 100% as some complaints contain more than one issue.

The particular issues complained about as a percentage of total complaints received in 2010–11 are described in Table 5.5.

Table 5.5 – Key Issues in Complaints
Issues | Number | %*
NPP use and disclosure | 340 | 27.8
Credit reporting | 238 | 19.5
None | 210 | 17.2
NPP data security | 192 | 15.8
NPP collection | 179 | 14.6
NPP access and correction | 148 | 12.1
IPP use and disclosure | 123 | 10.1
NPP data quality | 112 | 9.2
IPP collection | 37 | 3.0
IPP data security | 32 | 2.7
NPP Other | 19 | 1.6
IPP access and correction | 18 | 1.5
IPP accuracy | 14 | 1.1
TFN | 4 | 0.3
Spent convictions | 1 | 0.1

[*] The percentages exceed 100% as some complaints contain more than one issue.

The most commonly complained about issues in both NPP and IPP complaints were use and disclosure, followed by data security and improper collection. Credit reporting complaints have fallen 3.2 percentage points from the previous financial year. There has been an increase in complaints over which the OAIC has no jurisdiction and an increase in NPP complaints relating to data security.

Table 5.6 shows the number of complaints made about each of the 10 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. After an increase last year, the debt collector and credit reporting agency sector has fallen from the second to the third most commonly complained about sector.

Table 5.6 – Ten most commonly complained about sectors
Sector | Number of complaints
Finance | 189
Australian Government | 150
Debt Collectors, Credit and Tenancy Databases | 131
Telecommunications | 127
Health Service Providers | 92
Personal and Other Services | 52
Retail | 43
Landlords, Real Estate Agents and Developers | 40
State Government | 36
Insurance | 35

Most Complained About Organisations and Agencies

Table 5.7 below lists the most complained about organisations and agencies.

The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act. Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints received about them may represent only a small percentage of those transactions.

Table 5.7 – Most complained about organisations and agencies
Top respondents | Number of complaints received
Veda Advantage Information Services and Solutions Ltd | 77
Telstra Corporation Ltd | 54
The Child Support Agency | 34
Commonwealth Bank of Australia | 26
Centrelink | 25
Singtel Optus Pty Ltd | 22
Vodafone Hutchison Australia Pty Ltd | 17
Health Services Union | 13
ANZ Bank Ltd | 12
Australian Taxation Office | 12
Facebook | 12

Complaints closed during 2010–11

The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.

If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, it may decide not to investigate the matter any further. Otherwise, the Information Commissioner or Privacy Commissioner may make a determination about a complaint under s 52 of the Privacy Act.

In 2010–11, the OAIC closed 1167 complaints, which was slightly less than the number closed in 2010–11.

The OAIC investigated a smaller percentage of complaints under s 40(1) of the Privacy Act and summarily dismissed more complaints than in 2009–10. The increase in summary dismissals partly reflects the increased number of complaints over which the OAIC found that it had no jurisdiction.

Table 5.8 provides more information about the stage at which complaints were closed.

The OAIC aims to finalise all complaints within 12 months of receiving them. In 2010–11, complaints were closed in an average of four months, which is a two month improvement from the previous financial year.

Table 5.8 – Stage at which complaints were closed
Stage closed | Number | %*
Total | 1167 |
Decline | 664 | 56.9%
Preliminary inquiries | 375 | 32.1%
Investigation | 128 | 17.2%

[*] Complaints can have more than one jurisdiction issue and therefore the number of complaints listed exceeds the number of investigations closed in 2010–11.

Complaints closed following investigations

In 2010–11, the OAIC closed 11% of complaints following an investigation under s 40(1) of the Privacy Act.

There were no determinations made in 2010–11. A determination is a legal decision or finding made by a Commissioner, as a consequence of which the Privacy Act's enforcement powers (ss 54–62) are activated.

Table 5.9 shows the grounds for declining to investigate complaints further following an investigation.

Table 5.9 – Grounds for declining to investigate complaints further following an investigation
Grounds for closing following investigation | NPPs | IPPs | Credit | Total
Total | 101 | 18 | 40 | 159
No interference with privacy – s 41(1)(a) | 34 | 10 | 11 | 55
Respondent has adequately dealt with the complaint – s 41(2)(a) | 39 | 3 | 11 | 53
Respondent has not had opportunity to deal with complaint – s 41(2)(b) | 6 | 3 | 4 | 13
Other (for example withdrawn or being dealt with under another law) | 22 | 2 | 14 | 38

The OAIC tried where possible to resolve cases through conciliation at an early stage of investigation. Respondents took steps to resolve the complaint in 33% of cases. Over two thirds of these were conciliated before the OAIC formed a view on whether the complaint should be upheld.

Common resolutions after the investigation proceeded to conciliation included:

  • apologies to complainants
  • staff training and counselling
  • amendments to database systems and records
  • changes to procedures
  • provision of access to records
  • compensation payments.

Overall, the respondent took steps to resolve the complaint in 39% of NPP complaints following conciliation.

More than half of the IPP complaints were closed following investigation on the basis that there was no interference with privacy, while 28% of credit reporting complaints investigated under s 40(1) of the Privacy Act were conciliated following investigation.

Nature of remedies achieved by conciliation following investigation

Table 5.10 provides more detail on the outcome of complaints that were closed on the basis that they had been adequately dealt with by the respondent following an investigation by the OAIC under s 40(1) of the Privacy Act.

Apologies are the most common remedy, followed by the amendment of records and compensation.

Table 5.10 – Nature of remedies in complaints closed as adequately dealt with after investigation
Remedy | NPPs | IPPs | Credit | Total
Total* | 68 | 9 | 14 | 91
Access provided | 9 | - | 1 | 10
Apology | 17 | 2 | 1 | 20
Changed procedures | 10 | 2 | - | 12
Counselled staff | 3 | - | - | 3
Other remedy | 9 | 2 | 1 | 12
Record amended | 9 | - | 7 | 16
Staff training | 1 | 1 | 1 | 3
Compensation | | | |
Up to $1000 | 4 | 1 | 3 | 8
$1001–$5000 | 4 | 1 | - | 5
$5001–$10,000 | 1 | - | - | 1
$10,001+ | 1 | - | - | 1

[*] More than one resolution may have been reached for a particular complaint. Therefore, the total listed in Table 5.10 is not equal to the total number of complaints.

Complaints closed following preliminary inquiries

The Privacy Act authorises the OAIC to conduct preliminary inquiries to determine whether to investigate a complaint or exercise the discretion not to investigate a matter further. For instance, a preliminary inquiry may seek to determine:

  • whether an agency or organisation is willing to provide access to records
  • if a particular act or practice is authorised by law
  • whether an organisation may claim the small business operator exemption
  • whether a respondent is an agency or organisation that is subject to the Privacy Act.

In 2010–11, the OAIC closed 32.1% of complaints after preliminary inquiries. Table 5.11 provides more detail on the basis for closing complaints following preliminary inquiries. Please note that complaints can have more than one jurisdiction issue. Therefore, the number of complaints listed below exceeds the number of preliminary inquiries closed in 2010–11.

Table 5.11 – Grounds for closing complaints after preliminary inquiries
Grounds | NPPs | IPPs | Credit | None | TFN | Total
Not the privacy of the complainant or no respondent specified – s 36 | 11 | | 1 | 5 | | 17
No interference with privacy – s 41(1)(a) | 140 | 26 | 44 | 13 | 1 | 224
Complaint not raised with respondent – s 40(1A) | 4 | 5 | 3 | 4 | | 16
Frivolous, vexatious, misconceived, lacks substance – s 41(1)(d) | 2 | | | | | 2
Currently investigated under other Commonwealth or State Act – s 41(1)(e) | 4 | 3 | 1 | | | 8
Respondent has adequately dealt with the matter – s 41(2)(a) | 90 | 12 | 17 | 4 | | 123
Respondent has not had an opportunity to deal with the complaint – s 41(2)(b) | 7 | 4 | 1 | | | 12
Other (for example withdrawn) | 16 | 4 | 11 | 1 | | 32
Total | 274 | 54 | 78 | 27 | 1 | 434

The most common reason for closing a complaint after preliminary inquiries continued to be a finding that the individual's privacy had not been interfered with, which was the finding in just over half of the complaints.

Nature of remedies achieved following preliminary inquiries

In conducting preliminary inquiries the OAIC may find that the respondent has adequately dealt with the matter, or may be able to resolve the complaint through conciliation. Table 5.12 gives further detail about the types of resolutions achieved following preliminary inquiries. (More than one resolution may have been achieved for a particular complaint, meaning the total listed in Table 5.12 is not equal to the total number of complaints.)

Amendment of records continued to be the most common resolution following preliminary inquiries, followed by apologies and access to records. Compensation was paid in 14% of complaints resolved at the preliminary inquiries stage.

Table 5.12 – Nature of remedies in complaints closed as adequately dealt with after preliminary inquiries
Remedy | NPPs | IPPs | Credit Reporting | Total
Access provided | 25 | | | 25
Apology | 23 | 6 | 1 | 30
Changed procedures | 12 | 5 | 2 | 19
Compensation | | | |
Up to $1000 | 9 | 1 | 1 | 11
$1001–$5000 | 7 | 1 | 1 | 9
$5001–$10,000 | | | |
$10,001+ | | | |
Confidential settlement | | 1 | | 1
Counselled staff | 2 | 2 | | 4
Other remedy | 10 | 2 | | 12
Record amended | 19 | 3 | 14 | 36
Staff training | 4 | 1 | | 5
Total | 111 | 22 | 19 | 152

Complaints closed without investigation

In 2010–11, the OAIC closed 56.9% of complaints by exercising a discretion not to investigate a complaint, or not to make preliminary inquiries.

The most common reasons for closing complaints without investigation were:

  • there was no interference with privacy (s 41(1)(a))

  • the complaint was not a privacy complaint because it was not about the individual complaining, did not specify a respondent or was not about privacy (s 36)

  • the complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))

  • the complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).

Table 5.13 shows, in more detail, the grounds upon which these complaints were closed without investigation.

Table 5.13 – Basis for closing complaints without investigation or preliminary inquiries*
Reasons for declining | NPPs | IPPs | Credit Reporting | None | Total
Not the privacy of the complainant or no respondent specified, no jurisdiction – s 36 | 48 | 12 | 6 | 154 | 220
No interference with privacy – s 41(1)(a) | 126 | 33 | 46 | 14 | 219
Complaint not raised with respondent – s 40(1A) | 73 | 13 | 13 | 5 | 104
Aware of alleged breach for more than 12 months – s 41(1)(c) | 19 | 4 | 4 | 1 | 28
Frivolous, vexatious, misconceived, lacks substance – s 41(1)(d) | 4 | 1 | | | 5
Is being dealt with under another law – s 41(1)(e) | 10 | 1 | | 2 | 13
Another law is more appropriate – s 41(1)(f) | 2 | 9 | | 5 | 16
Respondent has adequately dealt with the matter – s 41(2)(a) | 12 | 7 | 4 | 1 | 24
Respondent has not had opportunity to deal with complaint – s 41(2)(b) | 31 | 12 | 19 | 2 | 64
Other (for example withdrawn) | 6 | 1 | 3 | 1 | 11
Total | 331 | 93 | 95 | 185 | 704

[*] Complaints can have more than one jurisdiction issue. Therefore, the number of complaints listed in Table 5.13 exceeds the number of complaints closed without investigation in 2010–11.

Reports of Complaints under Approved Codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. A code approved by the Information Commissioner replaces the NPPs as the legally enforceable privacy standards for those organisations. At 30 June 2011, there were three approved privacy codes in force (see Table 5.14). The Information Commissioner is the code adjudicator for each of the codes listed in Table 5.14. There were no complaints handled by the OAIC under any of the approved codes in 2010–11.

The Information Commissioner is required to maintain a register of approved codes under s 18BG of the Privacy Act. The register can be found on the OAIC's website at www.privacy.gov.au/business/codes/.

Table 5.14 – Approved privacy codes
Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect
Queensland Club Industry Privacy Code | Australian Information Commissioner | Clubs Queensland and the Information Commissioner | 23 August 2002
Market and Social Research Privacy Code | Australian Information Commissioner | Association of Market and Social Research Organisations and the Information Commissioner | 1 September 2003
Biometrics Institute Privacy Code | Australian Information Commissioner | Biometrics Institute and the Information Commissioner | 1 September 2006

Own Motion Investigations and Data Breach Notifications

Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called own motion investigations (OMIs).

A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, copying or modification. While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC, many agencies and organisations do so as good privacy practice. The OAIC directs agencies and organisations to apply the advice set out in the Guide to Handling Personal Information Security Breaches, produced in 2008 by the former Office of the Privacy Commissioner, when responding to a data breach. The Guide includes information about when to report a data breach to the OAIC or affected individuals.

Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations to ensure they meet their obligations under the Privacy Act, particularly Information Privacy Principle (IPP) 4, National Privacy Principle (NPP) 4 and Part IIIA of the Privacy Act. The nature of DBNs means that the OAIC's investigation of these incidents primarily focuses on the data security measures agencies and organisations had in place when the incident occurred and the steps taken to improve such practices as a result of a DBN.

By conducting OMIs and responding to DBNs, the Information Commissioner is fulfilling the function he has under s 27(d) of the Privacy Act of promoting an understanding and acceptance of the IPPs and the NPPs. There were a total of 59 OMIs and 56 DBN matters in 2010–11. This compares to 73 OMIs and 44 DBN matters in 2010–11.

Issues in Own Motion Investigations

During 2010–11, 59 new matters involving alleged interferences with privacy were assessed for investigation as OMIs. These matters came to the OAIC's attention from a variety of sources including telephone calls to the Enquiries Line, emails and letters from individuals, and systemic issues identified through complaints or as a result of media coverage.

The OAIC uses its own risk assessment criteria to determine whether to investigate a matter on its own motion. These criteria include the:

  • number of people affected and the possible consequences for those individuals

  • sensitivity of the personal information involved

  • progress of an agency's or organisation's own investigation into the matter and consideration of the actions taken by the entity in response

  • likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.

Table 5.15 shows a breakdown of the most common issues that arose in OMIs in 2010–11. Overwhelmingly, the main compliance issues that arose related to data security and improper use and disclosure of personal information. It is often the case that these issues go hand in hand. That is, if organisations and agencies fail to have appropriate data security measures in place, this deficiency can result in personal information being improperly used or disclosed.

Specifically, the allegations raised in OMIs opened in 2010–11 included that:

  • documents containing customer information had been discarded in a public bin, including tax file number information and health information

  • personal information was being disclosed without appropriate identification and authentication practices being in place

  • the personal information of customers was publicly accessible on the internet

  • system vulnerabilities resulted in hacking incidents which led to information about customers, including financial information, being stolen.

Table 5.15 – Issues in OMIs opened in 2010–11
Issues | Number
Credit provider – accuracy s 18G(a) | 3
Credit provider – failed to give notice s 18E(8)(c) | 1
Credit reporting agency – improper disclosure s 18K(1) | 3
Credit reporting agency – not permitted contents s 18E(1) | 1
IPP 4 – inadequate security measures | 2
NPP 1.1 – unnecessary collection | 8
NPP 1.2 – unlawful/unfair collection | 2
NPP 1.3 – bundled consent form | 1
NPP 1.3 – insufficient notice | 6
NPP 1.5 – inadequate notice | 4
NPP 10 – sensitive information collection | 2
NPP 2.1 – improper use or disclosure | 17
NPP 3 – data quality issues | 6
NPP 4 – data security issues | 37
NPP 5 – openness issues | 1
NPP 6.1 – refused access (non health) | 2
NPP 7 – used agency identifier | 1
NPP 8 – anonymity not offered | 1
TFN – security | 1
Total | 99

A number of issues that came to the attention of the OAIC in 2010–11 were matters of significant public concern. To promote community confidence and also to increase the transparency of its compliance activities, the OAIC commenced the publication of reports of investigations into high profile matters or where there was a public interest in doing so. The first of these was in relation to the OAIC's investigation of Vodafone Hutchison Australia. Investigation reports are available on the OAIC's website at www.oaic.gov.au/publications/reports.html. The OAIC intends to continue to publish investigation reports, where appropriate.

Of the OMI matters closed in 2010–11, in 26% of cases the OAIC decided not to formally investigate the allegations raised. Typically, the OAIC might discontinue an OMI if it discovers that the respondent is not within its jurisdiction or the issues are not systemic in nature. The OAIC conducted an investigation but did not find that the allegations of non-compliance were substantiated in 27% of cases. In the remaining 48% of cases, the OAIC worked with the agencies and organisations involved to improve their practices so that issues of non-compliance were resolved. For example, the investigation into Vodafone Hutchison Australia resulted in it providing an undertaking to the Information Commissioner to improve its data security measures, report back about its IT security review and provide an update about the progress of its implementation.

Back to Contents

Issues in Data Breach Notifications

The OAIC received 56 voluntary Data Breach Notifications (DBNs) in 2010–11, a 21% increase on the number of DBNs received in 2009–10.

The OAIC assesses each DBN to determine whether further action is required by the agency or organisation to respond appropriately to the breach. The OAIC may take no further action if the agency or organisation has contained the breach by recovering the information, or has taken steps that mitigate further impact on the individuals affected, such as notifying relevant authorities and individuals and reviewing and improving its data security practices. Where the OAIC considers that inadequate steps have been taken, or the agency or organisation is still assessing the source and impact of the breach and the overall response required, it will work with the entity to assist it to apply best privacy practice.

In cases where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, it will open an OMI.

Incidents reported to the OAIC through DBNs in 2010–11 included that:

  • documents containing personal information were faxed to the wrong fax number
  • an email containing personal information was sent to a public email address
  • a system error occurred allowing customers to access other customers' accounts
  • a computer containing customer records was stolen from a company's premises.

Typically, the actions taken by entities in response to a DBN include system reviews and alterations, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.

Back to Contents

Case Notes

The OAIC publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints and investigations. The purpose of these case notes is to provide an insight into how privacy principles are being applied. This can:

  • assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
  • encourage good privacy practices and compliance with the Privacy Act
  • demonstrate accountability and transparency in the OAIC's processes and decision making.

In 2010–11, the former Office of the Privacy Commissioner (OPC) and the OAIC published 22 case notes about complaints under the National Privacy Principles (NPPs), Information Privacy Principles (IPPs) and other areas of the Privacy Act. These can be accessed in full at www.oaic.gov.au/publications/case_notes.html.

Case study: Own Motion Investigation v Airline [2010] PrivCmrA 12

After booking a flight online an individual received an email from the airline containing personal information about another traveller. Information disclosed included the second individual's name, address, financial information, flight details and the full name and address of a third individual booked on the flight.

By the time the Privacy Commissioner had commenced an own motion investigation, the airline had already acknowledged that the disclosure had occurred and that it had not complied with NPP 2. The investigation therefore focused on the airline's compliance with NPP 4.1, which deals with data security. The airline found that the incident had resulted from an overloaded server.

The Commissioner formed the view that at the time of the incident the airline's IT system was not sufficient to comply with NPP 4.1. It was noted that, as a result of the incident and the Commissioner's investigation, the source of the problem was identified and additional processes were put in place to prevent the problem recurring.
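To make the failure mode in this case note concrete, the following is an added example; it is not part of the OAIC case note and is not a description of the airline's actual system, for which the report gives only the cause "an overloaded server". It shows one common mechanism by which load alone turns into a cross-customer disclosure: a request handler that keeps per-request data in state shared by every request. The handlers are written as generators that yield where a real handler would block, and a small cooperative scheduler stands in for the server under light and heavy load. The booking records, names and function names are all constructed for the illustration.

```python
"""Cross-customer disclosure from request state shared between concurrent requests.

Added illustration; not the airline's code. One common way load produces this
outcome is a handler that parks per-request data in state shared by all
requests (a module-level variable, a reused buffer, a singleton template
context). Under light load each request finishes before the next starts and
the defect is invisible; under load requests interleave at their blocking
points and one customer's details are rendered into another customer's email.

Handlers below `yield` where a real handler would block (database, mail
backend). `run_sequential` models light load; `run_interleaved` models an
overloaded server that services several requests in turn.
"""

# Constructed sample bookings; all names, addresses and flights are fictional.
BOOKINGS = {
    "b1": {"name": "Ann Example", "address": "1 First St", "flight": "XY101"},
    "b2": {"name": "Bob Sample", "address": "2 Second St", "flight": "XY202"},
    "b3": {"name": "Cai Specimen", "address": "3 Third St", "flight": "XY303"},
}


def render_email(booking):
    """Build the confirmation text from one booking record."""
    return (f"Dear {booking['name']}, your flight {booking['flight']} is confirmed. "
            f"Your itinerary will be posted to {booking['address']}.")


# --- Vulnerable pattern: one "current booking" slot shared by every request ---
_current_booking = {}   # shared mutable state: the defect


def handle_shared(booking_id):
    _current_booking.clear()
    _current_booking.update(BOOKINGS[booking_id])
    yield                                   # request blocks here; others may run
    return render_email(_current_booking)   # reads whatever request wrote last


# --- Corrected pattern: the booking lives only in this request's own frame ---
def handle_scoped(booking_id):
    booking = dict(BOOKINGS[booking_id])    # request-local copy, never shared
    yield
    return render_email(booking)


def run_sequential(handlers):
    """Light load: each request runs to completion before the next starts."""
    results = []
    for gen in handlers:
        try:
            while True:
                next(gen)
        except StopIteration as done:
            results.append(done.value)
    return results


def run_interleaved(handlers):
    """Overloaded server: round-robin, every request advances one step per turn."""
    pending = list(enumerate(handlers))
    results = [None] * len(handlers)
    while pending:
        still_running = []
        for idx, gen in pending:
            try:
                next(gen)
                still_running.append((idx, gen))
            except StopIteration as done:
                results[idx] = done.value
        pending = still_running
    return results


def leaked_bookings(handler, scheduler):
    """Booking ids whose confirmation carried another customer's personal information."""
    ids = list(BOOKINGS)
    emails = scheduler([handler(b) for b in ids])
    leaked = []
    for b, email in zip(ids, emails):
        if any(BOOKINGS[o]["name"] in email for o in ids if o != b):
            leaked.append(b)
    return leaked


if __name__ == "__main__":
    print("shared state, light load:", leaked_bookings(handle_shared, run_sequential))
    print("shared state, overloaded:", leaked_bookings(handle_shared, run_interleaved))
    print("scoped state, overloaded:", leaked_bookings(handle_scoped, run_interleaved))
```

Under the sequential scheduler the shared-state handler produces correct emails, which is why this class of defect survives functional testing and surfaces only when the server is busy; in the interleaved run two of the three customers receive someone else's details, and the request-scoped handler leaks nothing. The checks a reviewer would apply to a system like the one in the case note are that no per-request data lives in module-level or singleton objects, and that load testing asserts on the recipient of every generated message rather than only on delivery.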

Back to Contents

Data-matching

Monitoring Government Data-matching

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing them to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.

The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data-matching, the OAIC performs a number of functions.

The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Information Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration, which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.

Matching under the Data-matching Act and statutory data-matching guidelines

To detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans' Affairs (DVA) and the ATO.

The Data-matching Act and the statutory data-matching guidelines outline the type of personal information that can be used, and how it can be processed. They also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have means for redress.

The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency.

The Data-matching Act also makes the Information Commissioner responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.

Inspections

During 2010–11 the OAIC inspected Centrelink's handling of a sample of data-matching cases at three regional Business Integrity Sites. The regions inspected were:

  • Centrelink Area South West, New South Wales (Griffith), October 2010
  • Centrelink Area Hunter, New South Wales (Wallsend), December 2010
  • Centrelink Area Toowoomba, Queensland (Toowoomba), May 2011.

Representatives of the OAIC, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each inspection, a report is prepared and provided to Centrelink outlining the findings.

The OAIC found that Centrelink's processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act. Additionally, the area offices' procedures were also assessed as being generally compliant with the requirements of the Privacy Act in the handling of this information.

Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but are run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard to the privacy of individuals, the Information Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration.

These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.

Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.

In 2010–11 the Information Commissioner received five program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 5.16.

Table 5.16 – Program protocols produced under the voluntary data-matching guidelines

Matching Agency | Source Agencies | Name of Program Protocol | Description of the Program Protocol | Received Date
Australian Taxation Office | Department of Climate Change and Energy Efficiency, State, Territory and Australian Government education authorities, and various building companies | Nation Building, Economic Stimulus | Match data provided by State and Territory education departments and building companies authorised under the Home Insulation Program and Building the Education Revolution Scheme to identify and address issues of non-compliance with taxation obligations | August 2010
Australian Taxation Office | State and Territory Government Revenue and Land Titles Offices | State and Territory Government Revenue | Match data from State and Territory Revenue and Land Titles Offices to identify and address non-compliance with taxation obligations and increase Australian Taxation Office research and analytics in the real property market | August 2010
Australian Taxation Office | State and Territory Motor Registries | Motor Vehicles Data Matching Program | Match data from State and Territory Motor Registries to identify and address issues of non-reporting and under-reporting of luxury car tax revenue | September 2010
Australian Taxation Office | Seven large financial institutions | Credit and Debit Card Privacy Protocol | Identify individuals and businesses not complying with reporting, registration, lodgement and payment obligations relating to cash and card income | August 2010
Australian Taxation Office | Various labour hire and placement agencies and computer consultancies | Personal Services Income Contracts | Improve taxation compliance of individuals employed under agency and consultancy arrangements, and of businesses involved in that industry | November 2010

Back to Contents

Audits

Review of performance

Under the Privacy Act the Information Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits to promote best privacy practice and to reduce privacy risks across agencies. The Information Commissioner's audit powers include:

  • auditing agency compliance with the Information Privacy Principles – s 27(1)(h)

  • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s 28(1)(d)

  • auditing TFN recipients – s 28(1)(e)

  • auditing credit information files and credit reports held by credit reporting agencies and credit providers – s 28A(1)(g).

Other than audits conducted using the above powers, the Information Commissioner may only audit a private sector organisation if the organisation requests this under s 27(3) of the Privacy Act.

The number of audits carried out by the former OPC and OAIC has varied depending on the nature and volume of privacy complaints and other priorities of the OAIC. In past years, the OAIC had expanded its audit program by undertaking additional audits, including three credit information audits.

In 2010–11 the OAIC conducted five audits, a reduction from 2009–10. In part, this reduction resulted from planned audits being deferred by agencies. Additional resources were focused on high profile own motion investigations, which required more extensive information-gathering and analysis.

An audit is a snapshot of personal information handling practices relating to the auditee at a particular time and place. Auditees are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program alone.

The OAIC's audit teams emphasise that an audit is an educative process and compliance with the Privacy Act is part of good management practice. Audits have been the catalyst for improvements to agencies' data security, accuracy of information, staff training and disclosure policies.

The OAIC is progressively uploading finalised audit reports to its website.

Back to Contents

ACT government audits

The OAIC currently has a Memorandum of Understanding with the ACT Government (see Appendix 6 for further information) which includes a commitment by the OAIC to conduct up to two audits of ACT Government agencies per financial year. The OAIC selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

Table 5.17 shows details of the ACT Government audits commenced and/or finalised by the OAIC in 2010–11.

Table 5.17 – ACT Government audits commenced and/or finalised 2010–11

Agency | Audit Scope | Commenced | Status
Australian Federal Police – ACT Policing branch | Number plate recognition (NPR) technology known as RAPID (Recognition and Analysis of Plates Identified). The audit examined the agency’s processes for the collection, storage and security, accuracy, and use and disclosure of personal information. | September 2010 | In progress
Office for Children, Youth and Family Support (Care and Protection Services) | The audit examined the processes of Care and Protection Services for handling client personal information, including the collection, storage and security, quality, use and disclosure of this information. | November 2010 | In progress

The OAIC found that these agencies were generally compliant with their obligations under the IPPs. However, the auditors made recommendations where privacy risks were identified or where better privacy practice could be introduced.

Audit recommendations included improving notification procedures to ensure compliance with IPP 2 and developing and implementing a data destruction policy in keeping with IPP 4.

Back to Contents

Identity Security audits

The OAIC provided privacy advice to key agencies in respect of projects delivered under the Australian Government's National Identity Security Strategy (NISS). One project under the NISS related to the National Document Verification Service (DVS).

The DVS allows authorised government agencies to verify, online and in real time, the authenticity of an individual's Evidence of Identity (EOI) documents issued by another government agency, when the individual enrols for benefits and services. Agencies using the DVS are able to verify that:

  • the EOI document was issued by the relevant source government agency

  • details recorded on the EOI document correspond to the details held by the source government agency, and

  • the document is still valid.

The OAIC found that Centrelink was generally compliant with its obligations under the Information Privacy Principles in terms of its role as the operator of the DVS Hub.

Table 5.18 – Identity Security audits commenced and/or finalised by the OAIC in 2010–11

Agency | Audit Scope | Commenced | Finalised
Centrelink | Review of Centrelink’s role as the operator of the DVS Hub | May 2010 | June 2011
Department of Foreign Affairs and Trade | Collection, use, disclosure and security of personal information during DVS transactions undertaken as an Issuer agency | November 2010 | In progress

Back to Contents

Australian Customs and Border Protection Audits

The OAIC currently has an agreement with the Australian Customs and Border Protection Service (Customs) (see Appendix 6 for further information) to provide ongoing policy advice and conduct up to two audits per financial year of various aspects of Customs' use of Passenger Name Record (PNR) data.

In 2010–11 the planned audits of PNR data were deferred and, instead, additional policy advice was provided to Customs. Of the two PNR audits already under way at the start of 2010–11, one was finalised in July 2010 and the other is in progress.

The audit team considered that Customs' handling of personal information was generally compliant with the Privacy Act. However, a number of best privacy practice recommendations were made, including that Customs review its practices around the notification of urgent alerts to airport staff, and the handling of those alerts and associated information by staff in public areas. The auditors also recommended that Customs review contractor access to secure areas and review all contracts to ensure that IPP obligations are included in those contracts. Customs advised that, because of the classified content of the material in this particular report, it would not be appropriate to publish either the full report or an abridged version. The Commissioner agreed not to publish the report.

Back to Contents

Credit audits

The OAIC began a number of credit information audits in 2010–11. Undertaking credit audits is an important component in monitoring the compliance of credit providers and credit reporting agencies with the credit provisions contained in the Privacy Act.

Credit information audits are a proactive compliance mechanism. The intention is for the credit information audit program to be an advisory exercise as well as an enforcement activity. These audits encourage all credit providers and credit reporting agencies to view compliance as integral to their operations.

The Information Commissioner's credit information audit functions are set out in s 28A of the Privacy Act. Part IIIA of the Privacy Act governs the handling of individuals' credit reports and related information by credit reporting agencies and credit providers. The aim of the audits is to obtain evidence to assess whether credit information is maintained in accordance with Part IIIA and the Credit Reporting Code of Conduct. The OAIC does this by examining the practices and records of credit reporting agencies and credit providers to ensure that they are not using personal information in those records for unauthorised purposes, and are taking adequate steps to prevent unauthorised disclosure of those records.

Table 5.19 – Progress of the credit reporting audits undertaken by the OAIC in 2010–11

Agency | Audit Scope | Commenced | Finalised
Tasmanian Collection Service | Complaint handling; cross-referencing of files; security issues | March 2010 | December 2010
Dun and Bradstreet | Complaint handling; cross-referencing of files; security issues | April 2010 | November 2010
Veda Advantage | Complaint handling; cross-referencing of files; security issues | April 2010 | In progress

The completed and ongoing audits have provided valuable information to the OAIC about credit reporting volumes, industry practice and compliance with credit reporting obligations. The auditors made some recommendations and a number of suggestions about:

  • the need for transparency of ‘duplicate matching’ programs
  • proactive monitoring of access to credit reporting files
  • improving procedures for staff about complaint handling and data security.

The credit reporting agencies expressed reservations regarding the publication of the final reports, citing concerns about commercial-in-confidence material. In recognition of these concerns, the OAIC has not published the reports on its website.

Back to Contents

Healthcare Identifier audits

The Healthcare Identifiers Act 2010 (the HI Act) established the Healthcare Identifier Service (HI Service), which commenced on 1 July 2010. The HI Service is part of Medicare. The functions of the HI Service are to:

  • assign and issue healthcare identifiers to all individuals who have received, are receiving or will receive healthcare (IHIs), to individual healthcare providers (HPI-Is) and to healthcare provider organisations (HPI-Os)

  • allow those authorised to access the HI Service to retrieve healthcare identifiers

  • keep the information associated with healthcare identifiers up-to-date and accurate, including deactivating or retiring health identifiers when they are no longer needed.

Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.

The OAIC received funding in 2010–11 under an Exchange of Letters agreement with the Department of Health and Ageing to undertake up to two healthcare identifier audits, as well as providing policy advice and other compliance activities. (See Appendix 6 for further information about healthcare identifiers and the Exchange of Letters agreement.)

Table 5.20 – Healthcare identifier audits commenced and/or finalised by the OAIC in 2010–11

Agency | Audit Scope | Commenced | Finalised
Medicare Australia | The process of assigning IHIs; policies and procedures governing the handling of identifiers; general record keeping | October 2010 | In progress
Medicare Australia | Collection processes relating to the assignment of healthcare provider identifiers; processes undertaken when conducting batch searches of healthcare identifier information | June 2011 | In progress

Back to Contents

Personal Information Digest

To help people understand what personal information is held by each Australian and ACT government agency, Information Privacy Principle 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:

  • the nature of records kept
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records
  • the steps an individual needs to take to gain access to the records.

These explanatory records must be provided to the OAIC in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).

The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website. The OAIC published the PID for Australian Government agencies for the period ending June 2011 on its website at www.privacy.gov.au/government/digests.

Back to Contents

Advice

Australian Government Agencies

The OAIC provides policy advice on personal information handling issues to Australian and ACT government agencies and the Norfolk Island Administration under various arrangements including memorandums of understanding (MOU) and through participation in working groups. These policy advices include substantive correspondence on specific proposals, advice for guidance material and advice for inclusion in other reports and published documents. Topics on which advices have been provided to Australian Government agencies include the following.

Body scanning

In February 2010, the Australian Government announced a package of measures to strengthen aviation security including the introduction of body scanning technology at international passenger screening points within Australia to detect items on a person or within their clothing. The OAIC provides privacy advice to the Office of Transport Security (OTS) under an MOU in relation to the development and implementation of body scanning technology in Australian international airports. During 2010–11, activities undertaken by the former OPC and the OAIC included the facilitation of a roundtable discussion on 22 September 2010 with the OTS and relevant stakeholders to identify privacy issues arising for specific interest groups and the provision of advice on the process of OTS undertaking a privacy impact assessment.

Service delivery reform

The Service Delivery Reform (SDR) program is undertaken within the Human Services Portfolio and is intended to give Australians better access to social, health and welfare services. Some aspects of the reform program, such as the co-location of agencies and the increased coordination and linking of services, will involve changes to the way that individuals' personal information is handled. The OAIC has entered into an MOU with the Department of Human Services (DHS) to provide privacy advice in relation to the SDR agenda and respond to privacy matters arising from the implementation of SDR.

The former OPC and the OAIC have advised DHS on a range of privacy-related aspects of SDR, including the SDR Implementation Plan and various privacy impact assessments relating to aspects of the SDR. An OAIC representative is also a member of the inter-departmental committee set up to advise on SDR and consider the reforms from a whole-of-government perspective.

Healthcare identifiers

The Healthcare Identifiers Service (HI Service), which is part of Medicare, assigns Healthcare Identifiers to individuals (IHIs) and to healthcare providers at individual and organisational provider level. It maintains a database of all assigned HIs, and will disclose IHIs to authorised healthcare providers when they request a patient's IHI. The HI Service allows authorised users to access the HI Service database to collect IHIs.

Under an Exchange of Letters agreement with the Department of Health and Ageing (DoHA), the OAIC receives funding for advice, guidance, liaison and other activities to support the appropriate use and handling of healthcare identifiers. As part of this agreement, in July 2010 the former OPC published on its website 13 frequently asked questions for individuals about IHIs. The OAIC has also provided advice in response to a series of questions posed by NSW Health and is currently preparing two draft information sheets advising private and state and territory healthcare providers about their compliance obligations. The information sheets are being prepared in consultation with DoHA, Medicare Australia, the National E-Health Transition Authority (NEHTA) and industry groups. The consultation process was still underway on 30 June 2011.

Personally Controlled Electronic Health Records

The Personally Controlled Electronic Health Record (PCEHR) system will enable an individual's health records to be shared electronically between their healthcare providers, through a network of connected systems. The PCEHR will be able to be accessed by the individual and authorised healthcare providers. The OAIC has been working with DoHA and NEHTA to ensure that privacy protections are built in to the PCEHR scheme early in the project. The OAIC made a submission to DoHA in relation to the draft Concept of Operations for the PCEHR system design on 15 June 2011.

Cloud computing

Cloud computing refers to internet-based computing, where information is stored and processed on remote servers accessed via the internet, in the ‘cloud’, and the end user interacts with the information using an internet browser. The OAIC participated in the Department of Immigration and Citizenship (DIAC) Cloud Computing Consultative Committee, which has been established to provide high-level oversight of the use of cloud computing or similar technology to enhance the delivery of online client services by DIAC. It has also provided comments on the consultation draft of the Cloud Computing Strategic Direction Paper released by the Australian Government Information Management Office in January 2011.

Government 2.0 Taskforce

The OAIC continues to participate on the Gov 2.0 steering committee and takes an active interest in government engagement in Gov 2.0 initiatives.

In 2010–11 the OAIC had input into the development of the Australian Government Information Management Office checklist for the Publication of Public Sector Information. The OAIC also provided comment to the Australian Public Service Commission on draft guidelines for making public comment and participating online.

Identity Security

The former OPC and the OAIC have been members of the National Identity Security Coordination Group (NISCG) and the Commonwealth Reference Group on Identity Security (CRGIS), convened by the Attorney-General's Department (AGD). The NISCG convenes a number of working groups, and the OAIC is represented on all of them.

In its role on these working groups the OAIC provides advice to government and key agencies on the privacy implications of their initiatives.

Australian Capital Territory Government Agencies

The OAIC provides advice to ACT Government agencies on privacy issues under an MOU. During 2010–11 the OAIC provided comments to ACT Government agencies on a range of issues including:

  • ACT Policing Arrangement with the Australian Federal Police
  • Draft review of the Terrorism (Extraordinary Temporary Powers) Act 2006
  • A legislative scheme for the enforcement of court fines
  • The definition of ‘authorised by law’ in the context of Information Privacy Principle 11.1(d).

In several cases, the OAIC recommended conducting a privacy impact assessment to identify and manage privacy risks associated with the matter.

Norfolk Island Government Agencies

The Territories Law Reform Act 2010 (the TLR Act) amends the Norfolk Island Act 1979 to implement significant reforms aimed at improving governance structures and strengthening accountability mechanisms for Norfolk Island. This legislation was assented to on 10 December 2010. In relation to privacy, the TLR Act obliges Norfolk Island public sector agencies to adhere to the IPPs in the same manner as Australian Government agencies. These requirements came into effect on 1 January 2011.

In early 2011, the OAIC provided advice to the Chief Executive Officer of the Norfolk Island Administration regarding the implementation of privacy legislation.

Private sector organisations

Under s 27(1)(d) of the Privacy Act, one of the Information Commissioner's functions is to promote an understanding and acceptance of the National Privacy Principles (NPPs). In line with this function, the OAIC aims to work collaboratively with business. The OAIC has continued to provide advice about the operation of the NPPs including on the following matters.

The application of the NPPs to private sector health service providers

The OAIC has provided advice on the application of the NPPs to personal information handling by private sector health service providers including the Optometrist Association of Australia and Alzheimer's Australia.

Emergency Call Service Requirements Code

The Emergency Call Service Requirements Code is an industry code approved by the Australian Communications and Media Authority which specifies the obligations of carriers and carriage service providers to customers, emergency service organisations and emergency call persons. The OAIC provided comments to Communications Alliance (the telecommunications industry body that develops and reviews such industry codes) as part of the review of the Emergency Call Service Requirements Code.

Google

Following the OAIC's own motion investigation into Google's collection of Wi-Fi data by its Street View cars, Google undertook to conduct a privacy impact assessment on Street View and supply a copy to the OAIC. The OAIC provided comments on the privacy impact assessment which highlighted a number of areas where it could be strengthened to enhance privacy protections.

Other jurisdictions

The OAIC also provides advice to other jurisdictions as part of its international engagement activities. During 2010–11 the OAIC has provided advice to the Hong Kong Commissioner for Data Reporting about the handling of credit reporting data under the Privacy Act. The OAIC has also provided comments to the New Zealand Ministry of Agriculture and Forestry on a privacy impact assessment it conducted for its proposal to screen aviation security images taken in Australian airports, for biosecurity purposes before passengers arrive in New Zealand.

Submissions

In 2010–11, the OAIC made 20 submissions to inquiries being undertaken by parliamentary committees and government inquiries. All submissions may be found in full at the OAIC's and former OPC's websites, respectively: www.oaic.gov.au/publications/submissions.html and www.privacy.gov.au/materials/types/submissions. Following are examples of these submissions.

Cyber safety issues

Inquiry into Cyber Safety Issues Affecting Children and Young People, Submission to the Joint Select Committee on Cyber Safety

The adequacy of protections for the privacy of Australians online, Submission to the Senate Standing Committee on the Environment, Communications and the Arts

Privacy Law Reform

Inquiry into Exposure Drafts of Australian Privacy Amendment Legislation (APPs), Submission to the Senate Finance and Public Administration Committee

Credit Reporting, Submission to the Senate Finance and Public Administration Committee

Credit reform

Green Paper on National Credit Reform, Submission to the Department of the Treasury

Service Delivery reform

Human Services Legislation Amendment Bill 2010, Submission to the Senate Community Affairs Legislation Committee

Inquiry into Family violence and Commonwealth law

Issues Papers on family violence and Commonwealth law, Submissions to the ALRC

e-health

Draft Concept of Operations: Relating to the introduction of a personally controlled electronic health record (PCEHR) system, Submission to the Department of Health and Ageing

Law enforcement and national security

Telecommunications Interception and Intelligence Services Legislation and Amendment Bill 2010, Submission to the Senate Legal and Constitutional Affairs Committee

Combating the Financing of People Smuggling and Other Measures Bill 2010

Exposure Draft – Combating the Financing of People Smuggling and Other Measures Bill 2010, Submission to the Attorney-General's Department

Combating the Financing of People Smuggling and Other Measures Bill 2011, Submission to the Senate Standing Committee on Legal and Constitutional Affairs

Proposed extradition and mutual assistance reforms, Submission to the Attorney-General's Department

Privacy Law Reform

The Privacy Act is undergoing reform following the release of Australian Law Reform Commission (ALRC) Report 108, For Your Information: Australian Privacy Law and Practice (2008). In this report the ALRC recommended 295 changes to improve Australia's privacy framework. Due to the large number of recommendations, the Australian Government is responding to the ALRC's recommendations in stages. There was significant progress in 2010–11.

On 24 June 2010, the Government released an exposure draft of legislation containing a single set of privacy principles, intended to cover both the public and private sectors. It is proposed that these principles, known as the Australian Privacy Principles (APPs), would replace the existing Information Privacy Principles and the National Privacy Principles. The Government tabled the APPs in the Senate for referral to the Senate Finance and Public Affairs Committee (the Committee) for public consultation.

In August 2010, the former Office of the Privacy Commissioner made a detailed submission to the Committee in relation to the Australian Privacy Principles Exposure Draft and Companion Guide. The Committee held public hearings on 25 November 2010.

The Committee released the first part of its report relating to the APPs in June 2011. Its recommendations adopt or address many of the recommendations contained in the submission from the former OPC.

Another element of privacy law reform being addressed in the Government's first-stage response concerns the ALRC's recommendations relating to the introduction of comprehensive credit reporting and enhanced protections for credit reporting information. The Government referred exposure draft credit reporting provisions to the Senate for tabling and referral to the Committee on 31 January 2011.

The OAIC made a submission to the Committee in relation to the Credit Reporting Exposure Draft and Companion Guide in March 2011. The Privacy Commissioner appeared before the Committee in May 2011. The OAIC continues to liaise closely with the Department of the Prime Minister and Cabinet on the next stages of the privacy law reform process. More information about privacy law reform can be found at www.dpmc.gov.au/privacy/reforms.cfm