Australian Government - Office of the Australian Information Commissioner

Chapter Seven — Privacy policy and law reform

Contents

  1. Overview
  2. Advice to Australian Government agencies
  3. Advice to Australian Capital Territory Government agencies
  4. Advice to Norfolk Island Government agencies
  5. Advice to private sector organisations
  6. OAIC involvement in cross-government forums
  7. Advice to other jurisdictions
  8. New legislative instruments
  9. Public Interest Determinations
  10. Amendment of the Privacy Act and expansion of the OAIC’s jurisdiction
  11. Submissions
  12. eHealth

Overview

A statutory role of the Information Commissioner under the Privacy Act 1988 (Privacy Act) (s 27(1)(d)) is to promote an understanding and acceptance of both the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). One way this function is discharged is to provide policy advice on personal information handling issues to Australian and ACT Government agencies, the Norfolk Island Administration and private sector organisations.


Advice to Australian Government agencies

Policy advice to Australian Government agencies includes substantive correspondence on specific proposals, privacy advice for inclusion in agencies’ guidance material and advice for inclusion in other reports or published documents.

During 2011–12 a range of policy advice was provided to Australian Government agencies. A selection of the advice appears below.

Advice to The Treasury on superannuation reforms

On 1 July 2011, the Government commenced the implementation of superannuation reforms (known as the SuperStream measures). These reforms include the extended use of an individual’s tax file number (TFN) as the primary identifier of a member’s superannuation accounts and to assist individuals and trustees to locate and consolidate lost accounts. The SuperStream measures stem from the review of the governance, efficiency, structure and operation of the Australian superannuation system (known as the Cooper Review).

The Office of the Australian Information Commissioner (OAIC) provided comments to The Treasury on those reforms as they related to the handling of individuals’ personal information, and specifically, their TFN. The OAIC’s comments included a recommendation that any proposal involving the handling of TFNs be considered in light of the requirements of the Tax File Number Guidelines issued under s 17 of the Privacy Act.

Advice to Department of Human Services on Service Delivery Reform

The Department of Human Services (DHS) is undertaking a transformation program known as Service Delivery Reform (SDR). This transformation program is intended to give Australians better access to social, health and welfare services. Some aspects of the program, such as the co-location of agencies and the increased coordination and linking of services, will involve changes to the way that individuals’ personal information is handled.

The OAIC provides privacy advice to DHS in relation to the SDR agenda under a Memorandum of Understanding (MOU). The MOU assists DHS to respond to privacy matters arising from the implementation of SDR. More information about the MOU can be found in Appendix 5.

The OAIC has advised DHS on a range of privacy-related aspects of SDR, including various privacy impact assessments. The OAIC also conducted an on-site visit of a co-located DHS office. The Privacy Commissioner is a member of the inter-departmental committee set up to advise on SDR and consider the reforms from a whole-of-government perspective.

Advice to the Attorney-General’s Department on the Privacy Amendment (Enhancing Privacy Protection) Bill 2012

On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) was introduced into the Australian Parliament. The Bill has been referred to the House Standing Committee on Social Policy and Legal Affairs and the Senate Legal and Constitutional Affairs Legislation Committee for further consideration.

The Bill:

  • introduces the Australian Privacy Principles (APPs) to both agencies and organisations in place of the NPPs and IPPs in the current Privacy Act
  • allows more comprehensive credit reporting and provides enhanced protections for credit-related personal information
  • introduces new provisions on privacy codes
  • provides additional functions and powers for the Commissioner.

The introduction of the Bill into the Australian Parliament is an important step in the law reform process that commenced with the release of the Australian Law Reform Commission Report 108, For Your Information: Australian Privacy Law and Practice (2008). The OAIC continues to participate in the law reform process and liaise closely with the Attorney-General’s Department in relation to its progress.

Advice to the Essential Services Commission (Victoria) on a Privacy Impact Assessment about smart metering

Smart meters are digital electricity meters connected via a wireless network. Such meters collect electricity consumption information in real time for analysis by electricity providers.

The OAIC provided comments to the Essential Services Commission (Victoria) on their draft Privacy Impact Assessment of a smart metering infrastructure project in Victoria.

Advice to Australian Government Information Management Office on better practice cloud computing guides

The OAIC provided privacy advice to the Australian Government Information Management Office (AGIMO) for a series of better practice guides about cloud computing being prepared by AGIMO. The guides cover the following topics:

  • privacy and cloud computing for Australian Government agencies[2]
  • negotiating the cloud — legal issues in cloud computing agreements[3]
  • financial considerations for government use of cloud computing.[4]

Advice to the Office of Transport Security on the introduction of passenger body scanning for aviation security purposes

The OAIC provided policy advice, under an MOU, to the Office of Transport Security (OTS) on the introduction of external body scanners into Australian international airports for use in aviation security screening. The OAIC facilitated stakeholder consultation conducted by OTS and provided comment on the OTS Privacy Impact Assessment. More information about the MOU can be found in Appendix 5.

Advice to the Australian Customs and Border Protection Service

The OAIC provided policy advice, under an MOU, on a range of initiatives being progressed by the Australian Customs and Border Protection Service. This included advice relating to the handling of Passenger Name Record data and the use of body scanning technology to detect internal drug concealments.


Advice to Australian Capital Territory Government agencies

The OAIC provides advice to ACT Government agencies on privacy issues under an MOU. During 2011–12 the OAIC provided comments to ACT Government agencies on a range of issues including:

  • the introduction of point-to-point speed cameras in the ACT
  • the feasibility of establishing the position of an Officer of the Parliament
  • the provision of support services to assist young people between the ages of 18 and 25 years transitioning out of out-of-home care
  • the draft Crimes (Child Sex Offenders) Amendment Bill 2012.

More information about the MOU can be found in Appendix 5.


Advice to Norfolk Island Government agencies

Under the Norfolk Island Act 1979, Norfolk Island Government agencies are required to adhere to the IPPs in the same manner as Australian Government agencies. These requirements came into effect on 1 January 2011.

In February 2012, the Australian Information Commissioner travelled to Norfolk Island and provided a half day information session on the general application of the IPPs for Norfolk Island government agencies. The Commissioner also met with the Norfolk Island Legislative Assembly and addressed a community meeting.


Advice to private sector organisations

The OAIC works collaboratively with business in promoting an understanding and acceptance of the NPPs. During 2011–12, the OAIC provided advice about the operation of the NPPs, including on the following matters.

The application of the NPPs in relation to Foreign Account Tax Compliance Act requirements

The OAIC provided advice to private sector organisations, such as the Banking and Financial Services Corporate Tax Managers Network, on the application of the NPPs in the context of an organisation’s Foreign Account Tax Compliance Act (FATCA) obligations. FATCA is a United States law which will require foreign financial institutions to enter into agreements with the United States Government and report information about financial accounts held by US persons.

Telecommunications Consumer Protections Code

The Telecommunications Consumer Protections Code (TCP Code) is a code of conduct approved by the Australian Communications and Media Authority (ACMA) specifying the obligations of all Carriage Service Providers who supply telecommunications products to customers in Australia. The OAIC provided comments to Communications Alliance, the telecommunications industry body that develops and reviews such industry codes, as part of the review of the TCP Code.

The Privacy Commissioner provided Communications Alliance with a Certificate of Mandatory Consultation in relation to the TCP Code that Communications Alliance submitted to the ACMA for approval.

Market and Social Research Privacy Code

The Market and Social Research Privacy Code was made under Part IIIAA of the Privacy Act, and is administered by the Association of Market and Social Research Organisations (AMSRO).

The OAIC provided advice to AMSRO regarding the scheduled review of the Code. The review will occur during the 2012–13 financial year.

Submissions and advice to Google

The OAIC acted on behalf of the Technology Working Group of the Asia Pacific Privacy Authorities (APPA), to investigate and examine the privacy ramifications of Google’s new privacy policy. Google’s new policy involved the introduction of a single privacy policy for the majority of Google’s various services, following a public notification and consultation process.

The OAIC made submissions and provided oral advice to Google regarding the consolidation of its privacy policies and the introduction of new products. This advice was provided with a view to helping Google achieve better privacy practice.

The OAIC also received regular briefings from Google regarding products in development and new products.

Submissions and advice to Facebook

The OAIC made submissions and provided oral advice to Facebook about changes to its Data use policy and Statement of rights and responsibilities. This advice was provided with a view to helping Facebook to achieve better privacy practice.

The OAIC also received regular briefings from Facebook regarding products in development and new products.

General advice on the application of the NPPs to non-profit organisations

The OAIC presented several information sessions to non-profit organisations about their obligations under the NPPs in relation to activities such as service provision and fundraising.


OAIC involvement in cross-government forums

The National Identity Security Coordination Group

The OAIC is a member of the National Identity Security Coordination Group (NISCG), coordinated by the Attorney-General’s Department. The NISCG consists of representatives from the Australian and state and territory government agencies with key roles in identity management. The NISCG was established to coordinate and implement the National Identity Security Strategy. The OAIC is also a member of the Commonwealth Reference Group (CRG), which was established to facilitate a whole-of-Commonwealth contribution to the National Identity Security Strategy. The OAIC provides privacy policy advice to these groups.

The Cyber White Paper Inter-Departmental Committee

The OAIC participated in the Inter-Departmental Committee (IDC) convened by the Department of the Prime Minister and Cabinet (DPMC) regarding the Government’s Cyber White Paper (CWP). The OAIC provided advice to the IDC regarding the privacy and information policy implications of initiatives proposed under the CWP. The OAIC also made a submission in response to a public discussion paper developed by DPMC, Connecting with Confidence.

Australian Transaction Reports and Analysis Centre Privacy Consultative Committee

The OAIC is a member of the Australian Transaction Reports and Analysis Centre (AUSTRAC) Privacy Consultative Committee, an advisory committee to the AUSTRAC CEO that brings together revenue, law enforcement, privacy and civil liberties representatives to promote understanding of issues and develop positions concerning privacy, civil liberties and related matters. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) requires the AUSTRAC CEO to have regard to privacy, and to consult with the Information Commissioner, in performing his functions under the AML/CTF Act. The Privacy Consultative Committee is one of the means by which the AUSTRAC CEO fulfils these obligations.


Advice to other jurisdictions

The OAIC also provides advice to other jurisdictions as part of its international engagement activities. During 2011–12, as part of its role as one of the administrators of the Asia-Pacific Economic Community Cross-border Privacy Enforcement Arrangement (APEC CPEA), the OAIC assisted with the approval of 15 Japanese Privacy Enforcement agencies to membership of the APEC CPEA. For more information on APEC CPEA see Chapter 4.

The OAIC also liaised with the Canadian Office of the Privacy Commissioner about privacy issues related to aviation security body scanning.

The OAIC participated in a number of international privacy and data protection forums. These forums enable international privacy protection authorities to build collaborative relationships, which are becoming more important in light of the increasing prevalence of transnational data protection issues. For example, as noted above, the OAIC provided advice to Google on the consolidation of its privacy policies on behalf of the Technology Working Group of the APPA.

In addition to engaging with privacy and data protection authorities in other jurisdictions, the OAIC provided policy advice to the Australian Government in relation to the protection of personal information, in the context of a number of international negotiations.


New legislative instruments

Under the Privacy Act, the Information Commissioner has the power to make certain legislative instruments. When making those legislative instruments, the Commissioner is required to comply with the requirements of the Legislative Instruments Act 2003.

Legislative instruments that were made in 2011–12 included the following.

Tax File Number Guidelines

The OAIC conducted a review of the Tax File Number Guidelines 1992 (TFN Guidelines) which regulate the collection, use, disclosure and storage of tax file numbers (TFNs). The TFN Guidelines were issued by the Privacy Commissioner under s 17 of the Privacy Act.

The OAIC conducted a public consultation process from August to September 2011 on proposed revisions to the TFN Guidelines intended to enhance their clarity, language and presentation, without changing their policy intent.

The review of the TFN Guidelines concluded with the registration of the new Tax File Number Guidelines 2011 on the Federal Register of Legislative Instruments on 20 December 2011.

Credit provider determinations

The Privacy Act empowers the Information Commissioner to determine that particular organisations or agencies are credit providers for the purposes of the Privacy Act.

The following three credit provider determinations expired in 2011:

  • Credit Provider Determination No. 2006–3 (Assignees)
  • Credit Provider Determination No. 2006–4 (Classes of Credit Providers)
  • Credit Provider Determination No. 2006–5 (Indigenous Business Australia)

The Privacy Commissioner reviewed these credit provider determinations to ascertain whether to make new determinations. The review included a public consultation.

Revised determinations were registered on the Federal Register of Legislative Instruments on 15 August 2011.


Public Interest Determinations

Part VI of the Privacy Act gives the Information Commissioner the power to make a determination that an act or practice of an Australian or ACT Government agency, or a private sector organisation, which may constitute a breach of an IPP, a NPP or an approved privacy code, shall be regarded as not breaching that principle or approved code for the purposes of the Act. This is known as a Public Interest Determination (PID).

In October 2011, the OAIC received two applications for PIDs.

Collection of family, social and medical histories

The application concerned the collection by health service providers of third party health information that is relevant to a patient’s family or social medical histories, without the third party’s consent. In the absence of a determination, such acts or practices may be in breach of the Privacy Act.

PIDs 12 and 12A permit a specific health service provider to collect third party health information from an individual (or a person ‘responsible’ for an individual) without the third party’s consent, for inclusion in the individual’s family, social or medical history.

In effect, this application replaced the existing PIDs 10 and 10A, which had been in effect since December 2007. The Privacy Commissioner made the determinations on 29 November 2011.

Uniting Care Wesley Adelaide

The application concerned the collection and disclosure of personal information without consent in limited and specific circumstances, to improve outcomes for children and young people at risk of serious harm. The application sought to enable implementation of the South Australian Information Sharing Guidelines for Promoting the Safety and Wellbeing of Children (SA Government 2008). These guidelines aim to improve early intervention outcomes by providing a consistent and structured framework for service coordination.

PIDs 13 and 13A permit a specific organisation to disclose and collect personal information to improve outcomes for children and young people at risk of serious harm. The Privacy Commissioner made the determinations on 7 February 2012.

Revocation of the Biometrics Institute Privacy Code

On 1 February 2012, the Privacy Commissioner received a letter from the Biometrics Institute requesting that the Commissioner revoke the Biometrics Institute Privacy Code on his own initiative.

To assist the public to consider the Institute’s request, the OAIC issued a consultation paper. An instrument revoking the approval of the Biometrics Institute Privacy Code was registered on the Federal Register of Legislative Instruments on 16 April 2012 and took effect from 17 April 2012.

For more information on privacy codes see Chapter 6.


Amendment of the Privacy Act and expansion of the OAIC’s jurisdiction

In 2011–12, a number of Acts amended the Privacy Act, conferred additional functions and powers on the Information Commissioner, and expanded the acts or practices that may be an interference with the privacy of an individual for the purposes of the Privacy Act.

The amendments in 2011–12 included the following.

Personal Property Securities Act 2009

The Personal Property Securities Register (PPS Register) commenced on 30 January 2012. The PPS Register allows lenders and businesses to register their security interests over personal property. Registrations on the PPS Register include data about personal property and may contain the name and date of birth of individuals. Persons can search the PPS Register for limited purposes.

The Personal Property Securities Act 2009 (PPS Act) established the PPS Register, and the Personal Property Securities (Consequential Amendments) Act 2009 inserted new ss 28B and 49A in the Privacy Act. Those sections set out the Information Commissioner’s power to investigate interferences with an individual’s privacy in relation to the PPS Register.

Under the PPS Act, the following will be an interference with the privacy of an individual under the Privacy Act:

  • a breach of the requirement for notice to be given to an individual in relation to the addition, amendment or removal of information from the PPS Register, or
  • an unauthorised search of the PPS Register or use of the personal information obtained as a result.

Those acts may therefore be the subject of a complaint or an investigation by the Commissioner under the Privacy Act. The interference with privacy covers any entity or individual, whether or not they are otherwise subject to the Privacy Act.

Personally Controlled Electronic Health Records Act 2012

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) established the national personally controlled electronic health (eHealth) record system, which commenced on 1 July 2012. The PCEHR Act provides a regulatory framework for the system, including the establishment of the system operator who is responsible for the operation of the eHealth record system. The PCEHR Act also implements a privacy regime specific to the eHealth record system which generally operates concurrently with Commonwealth, state and territory privacy laws.

The PCEHR Act provides that a collection, use or disclosure of personal information which is not authorised by the legislation is both a contravention of the PCEHR Act and an interference with the privacy of the individual under the Privacy Act. The Act also imposes mandatory data breach notification obligations on the System Operator, repository operators and portal operators.

The PCEHR Act includes a new role for the OAIC as the system’s independent Commonwealth privacy regulator. During 2011–12, the OAIC undertook significant preparatory work for this role, which will include investigating complaints about the mishandling of health information in an eHealth record, and conducting own-motion investigations. The Act establishes a range of new investigative and enforcement powers to assist the Commissioner to undertake this role.


Submissions

In 2011–12 the OAIC made 31 submissions to inquiries being undertaken by parliamentary committees and government agencies. All submissions may be found on the OAIC’s website.

Some examples of submissions made during 2011–12 are listed below.

Cyber issues

Inquiry into Cybercrime Legislation Amendment Bill 2011; submission to the Joint Select Committee on Cyber-Safety

Connecting with Confidence: A Public Discussion Paper; submission to the Department of the Prime Minister and Cabinet

Privacy law reform

Issues Paper — A Commonwealth statutory cause of action for serious invasion of privacy; submission to the Attorney-General’s Department

Communications and media convergence

Convergence Review: Emerging Issues Paper; submission to Convergence Review

Independent Inquiry into Media and Media Regulation; submission to the Inquiry

Council of Australian Governments (COAG) reform agenda

Draft Rail Safety National Law 2011; submission to the National Transport Commission

National Health Reform Amendment (Independent Hospital Pricing Authority) Bill 2011; submission to Senate Finance and Public Administration Committee

Future COAG Regulatory Reform Agenda Stakeholder Consultation Paper; submission to the COAG Business Regulation and Competition Working Group Secretariat

Aviation security

Consultation draft ‘Implementation of Body Scanners: Privacy Impact Assessment’; submission to Office of Transport Security

Inquiry into the Aviation Transport Security Amendment (Screening) Bill 2012; submission to the Senate Committee on Rural and Regional Affairs and Transport

Personally controlled electronic health records

Personally Controlled Electronic Health Record System: Legislation Issues Paper; submission to the Department of Health and Ageing

Exposure Draft Personally Controlled Electronic Health Records Bill 2011; submission to the Department of Health and Ageing

Inquiry into the provisions of the Personally Controlled Electronic Health Records Bill 2011 and a related bill; submission to the Senate Standing Committee on Community Affairs.


eHealth

In May 2010, the Australian Government announced that $466.7 million would be allocated to fund the creation of the personally controlled electronic health (eHealth) record system over two years. The system was developed as part of the national eHealth program to drive improvements in quality, safety and access to health and medical care. Individuals have been able to register for an eHealth record since July 2012.

The OAIC actively worked to ensure that privacy protections were of primary consideration during the construction of the eHealth record system. The OAIC made submissions to the Department of Health and Ageing (DoHA) on the Draft Concept of Operations relating to the introduction of a PCEHR system in June 2011, the Personally Controlled Electronic Health Record System: Legislation Issues Paper in August 2011 and the Exposure Draft Personally Controlled Electronic Health Records Bill 2011 in October 2011. In January 2012, the OAIC also made a submission to the Senate Community Affairs Legislation Committee on the Personally Controlled Electronic Health Records Bill and the Consequential Amendments Bill.

In January 2012, the OAIC agreed to an MOU with DoHA. This document set out a range of activities for the OAIC to perform in preparation for its role as the Commonwealth privacy regulator of the eHealth record system. To carry out the work under the MOU, the OAIC established a dedicated eHealth policy team. During 2011–12, the team developed guidance material, provided privacy advice to DoHA and other stakeholders, worked with DoHA and other regulators towards an agreed protocol for the referral and handling of eHealth record complaints, updated the OAIC’s information technology systems to effectively deliver the Commissioner’s new functions, monitored developments in eHealth, provided training to OAIC staff, and updated the OAIC’s information resources. The OAIC also established a compliance team to carry out the investigations and enforcement activities relating to the eHealth record system.

The guidance developed by the OAIC about the eHealth record system can be found on the OAIC website.

Further work developing guidance and compliance systems for the eHealth record system, including with state and territory regulators, is planned for 2012–13.

Footnotes

[2] Australian Government Information Management Office Privacy and Cloud Computing for Australian Government Agencies — Better Practice Guide, 2012, AGIMO website www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html.

[3] Australian Government Information Management Office Negotiating the cloud — legal issues in cloud computing agreements — Better Practice Guide, 2012, AGIMO website www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html.

[4] Australian Government Information Management Office Financial considerations for Government use of cloud computing — Better Practice Guide, 2012, AGIMO website www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html.
