Australian Government - Office of the Australian Information Commissioner

Chapter Six — Privacy law reform and policy

Contents

  1. Overview
  2. Privacy law reform
  3. eHealth
  4. Advice to Australian Government bodies
  5. Advice to ACT agencies
  6. Advice to private sector
  7. Involvement in cross-government forums
  8. Advice to other jurisdictions
  9. New legislative instruments
  10. Public Interest Determinations
  11. Submission list

 Overview

The Office of the Australian Information Commissioner (OAIC) has a role in providing strategic policy advice on personal information handling issues to Australian and ACT Government agencies, the Norfolk Island Administration and private sector organisations. The advice covers the application of the Privacy Act 1988 (Privacy Act), including the Information Privacy Principles (IPP), the National Privacy Principles (NPP), the credit reporting provisions in Part IIIA of the Privacy Act, the Credit Reporting Code of Conduct, and the Tax File Number Guidelines.

With the implementation of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), and the passing of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act), the scope of OAIC advice has expanded to cover new privacy obligations arising out of these legislative reforms.

In addition to responding to specific questions from Australian Government agencies, private sector bodies and international forums, the OAIC commenced work to produce an extensive range of legislative instruments and non-binding guidelines required to support the implementation of the reforms.

 Privacy law reform

The Privacy Amendment Act was introduced into Parliament on 23 May 2012 and was passed with amendments on 29 November 2012. The Privacy Amendment Act is a part of the privacy law reform process that began in 2006. It introduces many significant changes to the Privacy Act, which apply to organisations, Australian and Norfolk Island Government agencies. The reform amendments commence on 12 March 2014. These changes are outlined below.

Australian Privacy Principles (APP)

Thirteen new privacy principles will regulate the handling of personal information by both Australian Government agencies and private sector organisations. The APPs replace the existing IPPs that currently apply to Australian Government agencies and the NPPs that currently apply to organisations. Some APPs differ from current principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on the cross-border disclosure of personal information.

Enhanced powers

The Australian Information Commissioner will have enhanced powers that include the ability to accept enforceable undertakings, seek civil penalties in the case of serious or repeated privacy breaches, and assess compliance by agencies and organisations with the Privacy Act.

Changes to credit reporting laws

More comprehensive credit reporting will be introduced. Enhanced privacy protections will apply to credit information relating to notification, data quality, access and correction and complaints. Other changes include the introduction of: collection of repayment history information, a simplified and enhanced correction and complaints process, and civil penalties for breaches of certain credit reporting provisions.

The credit reporting reforms in the Privacy Amendment Act will be supplemented by a written code of practice. In December 2012, the Privacy Commissioner requested the Australasian Retail Credit Association (ARCA) to develop a credit reporting code and to apply for the code to be registered. The code registration application was received by the OAIC on 1 July 2013.

Codes

New laws will allow the Australian Information Commissioner to develop and register binding codes that are in the public interest. Codes will not replace the APPs but can provide greater specificity on how the APPs apply in an industry, sector or in relation to a particular technology.

Resources

The OAIC has produced numerous resources to assist agencies and organisations to understand and prepare for the changes. These include guides comparing the APPs to the IPPs and NPPs, and a business resource Credit reporting — what has changed. Throughout 2013 and 2014, the OAIC will develop legislative instruments required for the operation of the legislative scheme and will release other publications aimed at assisting APP entities to understand and apply the changes. For more information on publications see Chapter 4.

 eHealth

The Australian Government announced in May 2010 that it would provide funding for a personally controlled electronic health record (eHealth) system. The system will enable the secure sharing of health information between a registered consumer's registered healthcare provider organisations. The consumer can control who can access their eHealth record.

The 2012–13 financial year was the first year of operation of the PCEHR Act. By the end of the financial year almost 400,000 people had registered for an eHealth record.

In recognition of the special sensitivity of health information, both the PCEHR Act and the related Health Identifiers Act 2010 (HI Act), contain provisions protecting and restricting the collection, use and disclosure of personal health information. The Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the eHealth system.

The OAIC's eHealth activities were carried out under a Memorandum of Understanding (MOU) with the Department of Health and Ageing (DoHA). The current MOU expires on 30 June 2014.

Major OAIC eHealth projects in 2012–13 included:

  • commencement of an audit program to ensure that personal information records are maintained in accordance with the Privacy Act and the related PCEHR Act and HI Act
  • publication of PCEHR enforcement guidelines that set out the Information Commissioner's approach to the exercise of enforcement and investigative powers under the PCEHR Act and Privacy Act
  • publication of consumer fact sheets about privacy and eHealth
  • development of an eHealth complaint handling and information sharing arrangement between the OAIC and state and territory privacy and health regulators
  • establishment of internal processes and documentation to prepare for the OAIC's regulatory role under the PCEHR Act
  • OAIC staff training on the eHealth privacy regulatory framework.

More information on this MOU can be found in Appendix 5.

 Advice to Australian Government bodies

Policy advice to Australian Government bodies includes advice to parliamentary committees, substantive correspondence on specific proposals, privacy advice for inclusion in agency guidance material and advice for inclusion in other reports or published documents. A selection of the policy advices prepared in 2012–13 appears below.

Advice to the Senate Legal and Constitutional Affairs Committee on the Privacy Amendment (Privacy Alerts) Bill 2013

On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill) was introduced to the House of Representatives. On 18 June 2013, the Senate referred the Bill to the Senate Legal and Constitutional Affairs Committee for inquiry and report. The Bill aims to establish a framework for the mandatory notification by regulated entities of serious data breaches to the Information Commissioner and to affected individuals.

The OAIC provided comments to the inquiry, strongly supporting the need for mandatory data breach legislation. The OAIC cited the apparent under-reporting of data breaches under the current voluntary regime, and noted the benefits of mandatory data breach notification. The benefits include helping affected individuals to mitigate potential harm, helping rebuild public trust in the entities affected, and limiting the costs associated with a data breach.

The Senate Legal and Constitutional Affairs Committee recommended that the Senate pass the Bill.

Advice to the Department of Families, Housing, Community Services and Indigenous Affairs regarding privacy considerations for the National Disability Insurance Scheme Bill

The Department of Families, Housing, Community Services and Indigenous Affairs sought feedback from the OAIC on the draft Rules for the protection and disclosure of information (draft rules), made for the purposes of ss 58 and 67 of the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act).

The OAIC advice noted that the rules would play a critical role in regulating the exercise of disclosure powers in the NDIS Act, and suggested a number of ways that the draft rules could be amended to strengthen privacy protections. In particular, the rules should prescribe disclosures that are in the public interest rather than leaving that question open. They could also provide more detail regarding when personal information may be disclosed by the NDIS agency to state and territory bodies, to ensure reasonable limits on disclosure of information for purposes unconnected to the primary reason the information was collected.

The OAIC noted that a privacy-sensitive approach to the NDIS, that placed the individual at the centre of decisions about the handling of their personal information, would foster community trust. This would also greatly contribute to the stated objectives of the NDIS, that people with a disability are able to exercise choice and control in pursuing their goals and planning and receiving support.

Advice to the Department of Broadband, Communications and the Digital Economy on the telecommunications recommendations of the Australian Law Reform Commission

In September 2012, the Department of Broadband, Communications and the Digital Economy (DBCDE) sought the OAIC's views on the Australian Law Reform Commission's (ALRC) report, For your information: Australian Privacy Law and Practice. The report examined the extent to which the Privacy Act and related laws provide an effective framework for the protection of privacy in Australia, including a significant discussion on telecommunications.

The OAIC provided comments to DBCDE on 20 recommendations relating to the handling of personal information in the telecommunications sector. The OAIC supported the majority of the ALRC's recommendations.

Advice to the Australian Government Information Management Office on the Big Data Strategy

The OAIC has been represented on the Big Data Working Group, a multi-agency initiative of the Australian Government Information Management Office (AGIMO), since its inception in February 2013. Through the Big Data Working Group, the OAIC has provided comments and advice on the development of the Australian Government's Big Data Strategy. The Strategy was nearing completion at the end of the reporting year.

The OAIC urged that data be seen within the Strategy as a national asset, and that privacy be reframed as an enabler in terms of customer confidence. The OAIC has also been integral to ensuring the inclusion of the principles of Privacy by Design in the Strategy.

Advice to the Attorney-General's Department on the Privacy Impact Assessment for the exchange of criminal history information between Australia and New Zealand

In July 2012, Australia and New Zealand commenced a six-month trial to test more systematic processes for the exchange of criminal history information for employment vetting purposes. The trial was later extended for a further six months to July 2013. For the period of the trial, New Zealand was able to seek criminal records from all Australian states and territories, while Queensland was able to seek criminal records from New Zealand.

The OAIC provided advice to the Attorney-General's Department (AGD) on the draft Privacy Impact Assessment (PIA) developed for this project. The OAIC recommended that the draft PIA be amended to clearly outline which laws would apply to the information at each stage of the process, including which privacy regimes would protect the personal information that is held by the Queensland Government and New Zealand employers. The OAIC also recommended that AGD make the PIA available to the public, in the interests of transparency and openness. The PIA is now publicly available on AGD's website.

Advice to the Department of Industry, Innovation, Climate Change, Science, Research and Tertiary Education on establishing the Unique Student Identifiers Scheme

In accordance with an MOU between the OAIC and the Department of Industry, Innovation, Climate Change, Science, Research and Tertiary Education (DIICCSRTE), the OAIC provided ongoing advice on establishing the Unique Student Identifier (USI) Scheme. The intention of the USI Scheme is to establish a framework to allow vocational education and training (VET) students to obtain a comprehensive and authoritative transcript of their VET achievements online.

The OAIC commented on the drafting instructions for the enabling legislation, and on a number of drafts of the Student Identifiers Bill 2013 (Student Identifiers Bill). The OAIC made submissions to DIICCSRTE's public consultations on the legislative package for the USI Scheme, and to the inquiry into the Student Identifiers Bill by the Senate Standing Committee on Education, Employment and Workplace Relations.

The Senate Standing Committee on Education, Employment and Workplace Relations recommended that the Senate pass the Student Identifiers Bill.

Advice to the Australian Security and Investments Commission on the disclosure of personal information on the Business Names Register

The Australian Security and Investments Commission (ASIC) manages the Business Names Register to record and publish the address of the principal place of a business, and an address for service of legal documents. If the address for service is a residential address, the full residential address is published on the register.

The OAIC contacted ASIC to outline the potential privacy risks that publishing residential addresses may pose to sole traders and individuals who operate small businesses. The OAIC recommended that consideration be given to providing additional mechanisms by which businesses do not have to provide a physical address as an address for service.

Advice to the Department of Health and Ageing in relation to a range of eHealth privacy matters

An MOU between the OAIC and DoHA was signed on 29 November 2012. The MOU provides that the OAIC will deliver an independent regulatory service in relation to privacy and management of personal and health information in relation to the eHealth record system and the Healthcare Identifier (HI) Service. Under the MOU, the OAIC has provided privacy policy advice to DoHA on a range of matters including Assisted Registration, use of pseudonyms and privacy notices and statements.

Further information regarding the activities performed by OAIC under the MOU can be found in Appendix 5.

Advice to the Department of Human Services

An MOU between the OAIC and the Department of Human Services (DHS) was signed on 4 February 2013. Under the MOU the OAIC provides dedicated privacy policy advice and assistance to DHS on Service Delivery Reform and general privacy issues.

The DHS Service Delivery Reform (SDR) program is intended to give Australians better access to social, health and welfare services. Some aspects of the program, such as the increased coordination and linking of services, will involve changes to the way that individuals' personal information is handled.

The Privacy Commissioner is a member of the inter-departmental committee set up to advise on SDR and consider the reforms from a whole-of-government perspective. The OAIC has provided advice on privacy impact assessments related to SDR, including the Tell Us Once and Single View of Customer service offerings. The OAIC also provided input into the privacy impact assessment drafted by DHS for the new Australia.gov.au authenticated portal, myGov.

More information about the MOU can be found at Appendix 5.

Advice to the Australian Customs and Border Protection Service

The OAIC provided advice in May 2013 to the Australian Customs and Border Protection Service (Customs) on a draft PIA of European Union sourced passenger name record data (PNR Project).

In the OAIC's view, an effective PIA:

  • clearly describes the personal information flows in a project
  • analyses the possible privacy impacts of these flows
  • explains how these impacts will be addressed, including identifying possible alternative approaches
  • demonstrates that an appropriate balance has been achieved in considering the interests of the relevant agency, the broader community and the individual.

The PNR Project involves the collection and use of a large amount of information about individuals entering Australia and, where necessary, will involve the disclosure and use of the information by many different agencies.

The OAIC's advice set out areas where the PIA could be improved, through further clarification or explanation of the privacy impacts of the PNR Project and further identification of the risks and consideration of strategies to mitigate those risks.

Submission to the Australian Prudential Regulation Authority on the Draft Prudential Practice Guide — Managing Data Risk (PPG235)

The Australian Prudential Regulation Authority (APRA) sought public comment on their Draft Prudential Practice Guide (PPG235), which aims to assist financial institutions in managing data risk. The OAIC provided comments on the draft guide, strongly supporting the introduction of guidance for boards, senior management, risk management, business and technical specialists in the financial sector. The OAIC broadly outlined ways in which the draft guide may benefit from amendments to provide further information on privacy obligations.

Advice to the Australian Communications and Media Authority regarding best practice guidance to Carriage Service Providers on handling customer information

The Australian Communications and Media Authority sought advice on privacy issues from the OAIC in July 2012, for inclusion in their best practice guidance to Carriage Service Providers. The OAIC provided policy advice on the operation of the Privacy Act and privacy issues, including guidance on best practice when dealing with privacy breaches.

 Advice to ACT agencies

The OAIC provides advice to ACT Government agencies on privacy issues under an MOU, including the following issues in 2012–13. More information about the MOU can be found in Appendix 5.

Advice to ACT Fire & Rescue regarding their intention to participate in a research study by Monash University on the health and mortality rate of fire fighters

ACT Fire & Rescue sought advice from the OAIC regarding their intention to participate in a research study by Monash University on the health and mortality rate of fire fighters. Specifically, advice was sought about the provisions in the Privacy Act which allow for personal information to be disclosed without consent for research purposes. ACT Fire & Rescue also sought advice on whether a Public Interest Determination (PID) was necessary for these purposes.

The OAIC advised that the disclosure of personal information by ACT Fire & Rescue to Monash University for the study would be an act done in the course of medical research. This would fall within s 95 of the Privacy Act. Consequently, if ACT Fire & Rescue was satisfied that the research had been approved by a Human Research Ethics Committee, the committee had applied the s 95 Guidelines, and had determined that the personal information can be disclosed without consent, a PID would not be required.

Advice to ACT Justice and Community Safety Directorate on their review of the Workplace Privacy Act 2011

In September 2012, the ACT Justice and Community Safety Directorate (JACS) called for comments on their review of the Workplace Privacy Act 2011 (Workplace Privacy Act). The Workplace Privacy Act regulates the collection and use of surveillance information in the workplace and aims to provide a clear framework for the conduct of any surveillance, consistent with the right to privacy under the Human Rights Act 2004 (ACT).

The OAIC made a submission to JACS noting key privacy matters absent from the Workplace Privacy Act that may be considered as part of the review. The OAIC noted that the Workplace Privacy Act does not contain a provision for ensuring that the privacy impact of proposed workplace surveillance is reasonable and necessary in the circumstances. In addition, the OAIC noted that it is unclear what mechanisms are available to individuals who wish to complain about matters regarding surveillance conducted under the Workplace Privacy Act.

 Advice to private sector

The OAIC works collaboratively with business in promoting an understanding and acceptance of the NPPs, and the Australian Privacy Principles (APP), which will apply from March 2014. During 2012–13, the OAIC provided advice to a number of private sector entities, including on the following matters.

Advice to the mobile applications developers industry

Responding to the increasing number of Australians now using mobile devices, the OAIC initiated the development of a guide for developers of mobile applications (apps). The guide draws on work done in Canada and the United States of America, but is optimised for the Australian legislative and regulatory framework. The guide focuses on best practice and includes a two-page checklist for app developers that will also be published as a standalone document.

The OAIC conducted a round of both targeted and general consultations and received submissions from industry, government and the general public. Many of the recommendations from these submissions have been incorporated into the final version of the guide. The guide for developers of mobile applications is expected to be published later in 2013.

Market and Social Research Privacy Code

The Market and Social Research Privacy Code was made under Part IIIAA of the Privacy Act, and is administered by the Association of Market and Social Research Organisations (AMSRO). The Privacy Amendment Act introduced a new Part IIIB to govern privacy codes. After 12 March 2014, existing codes such as the Market and Social Research Privacy Code will no longer be registered codes under the Privacy Act.

AMSRO contacted the OAIC to indicate that they intend to register a new code in accordance with the Privacy Amendment Act. The OAIC provided advice to AMSRO on the process for developing and registering a code under the Privacy Amendment Act.

Advice to Google

The OAIC wrote to Google in February 2013 regarding the disclosure, to product sellers and providers, of personal information of individuals who purchase apps and other services through the Google Play service. The OAIC recommended that Google more clearly and consistently explain how it manages personal information across its suite of policy and disclosure documents, particularly in terms of Google Play and the Google Wallet mobile phone payment system.

In addition, and in conjunction with a number of Privacy and Data Protection Commissioners from other countries, the OAIC wrote to Google in June 2013, expressing concern about the development of the Google Glass wearable computing device. The Commissioners urged Google to better engage with data protection authorities about the product. Specifically, the Commissioners asked Google to address concerns about what information Google collects through Google Glass, what information it shares with third parties and what privacy safeguards Google and application developers are putting in place.

The OAIC also received regular briefings from Google regarding products in development and new products during the course of 2012–13.

Submissions and advice to Facebook

The OAIC continued to make submissions and provide verbal advice to Facebook about changes to its Data Use Policy and Statement of Rights and Responsibilities. This advice was provided with a view to helping Facebook achieve better privacy practice. The OAIC also received regular briefings from Facebook regarding products in development and new products during the course of 2012–13.

Advice to a Human Research Ethics Committee about the collection, use and disclosure of health information for research purposes

The OAIC provided advice to a member of a Human Research Ethics Committee regarding the provisions in the Privacy Act that allow for health information to be collected, used and disclosed for research purposes, and how these provisions apply to data linkage. Advice was provided about the application of the IPPs and the NPPs in relation to research involving data linkage using health information and other personal information, including de-identified information. The OAIC also provided advice on the progress of privacy law reform in this area.

Advice to Mental Health Law Centre (WA) Inc. on their draft Plain English guide to accessing medical records

The Mental Health Law Centre of Western Australia sought feedback from the OAIC on its draft Plain English guide to accessing medical records. The OAIC provided comments predominantly on access and privacy rights under the Privacy Act, including circumstances where the Privacy Act may apply in addition to (or in the absence of) the Mental Health Act 1996 (WA). In addition to commenting on the guide, the OAIC explained reforms to the Privacy Act, in particular the implementation of the APPs.

Advice to Information and Privacy Commission NSW regarding individuals' access to records previously held by a health provider

The OAIC wrote to the Information and Privacy Commission New South Wales regarding an issue the Commission raised about the Australian Health Practitioner Regulation Agency. The issue related to individuals who are trying to seek access to records previously held by a provider that has sold or transferred their business, been disqualified or died. The OAIC advised that clarifying provider obligations in the event of practice closures, and changes to practitioner status, would improve certainty for providers and patients alike. The OAIC suggested that there may be an opportunity to deal with this issue if privacy health reforms are proposed by the Australian Government.

Advice to Communications Alliance on the Monitoring of Voice Communications

The OAIC provided comments in connection with the scheduled review of the Participant Monitoring of Voice Communications Industry Guideline (Guideline 516) and the Monitoring of Voice Communications for Network Operation and Maintenance Industry Guideline (Guideline 517). Both guidelines seek to provide guidance to carriers and Carriage Service Providers (CSPs) on the practical application of interception and privacy legislation to the listening to, and recording of, voice communications.

The OAIC provided general comments on the guidelines to ensure compliance with the Privacy Act and to help minimise adverse privacy outcomes. The OAIC noted that the guidelines provide a useful and detailed approach to position carriers and CSPs to better understand their obligations under the NPPs. The OAIC advised that the guidelines will need to be reviewed with the introduction of the APPs.

 Involvement in cross-government forums

Arrangement with state and territory health and privacy regulators regarding eHealth record system complaints and sharing information

The OAIC conducted an extensive consultation with state and territory health and privacy regulators throughout 2012–13 regarding the handling of eHealth complaints and sharing eHealth information. The consultation process included cross-jurisdictional teleconferences and individual meetings with regulators. The OAIC subsequently developed an Information sharing and complaints referral arrangement (the Arrangement) between the OAIC and state and territory health and privacy regulators.

The Arrangement establishes a protocol for referring and handling eHealth complaints where there is overlapping or concurrent jurisdiction, or where a complaint is made to the wrong regulator. As at 30 June 2013, the Queensland Office of the Information Commissioner, the ACT Health Services Commissioner, the Victorian Office of the Health Services Commissioner and the South Australian Health and Community Services Complaints Commissioner were parties to the Arrangement.

The National Identity Security Coordination Group

The OAIC is a member of the National Identity Security Coordination Group (NISCG), coordinated by the AGD. The NISCG consists of representatives from the Australian and state and territory government agencies with key roles in identity management. The NISCG was established to coordinate and implement the National Identity Security Strategy. The OAIC is also a member of the Commonwealth Reference Group on Identity Security (CRG), which was established to facilitate a whole-of-Government contribution to the National Identity Security Strategy. The OAIC provides privacy policy advice to these groups.

National Biometrics Interoperability Framework Steering Committee

As a result of the OAIC's interaction with the National Biometrics Interoperability Framework, in June 2013 the OAIC was invited to participate in the National Biometrics Interoperability Framework Steering Committee (the Steering Committee). The purpose of the Steering Committee is to guide the biometric centres of expertise managing and overseeing the National Biometric Interoperability Framework. The Steering Committee also seeks to promote biometric interoperability across the Australian Government. The OAIC provided policy advice on the privacy considerations to be taken into account in the development of the National Biometrics Interoperability Framework, and other biometrics projects, as well as informing the Steering Committee on future development of biometric rules under the Privacy Amendment Act.

Australian Transaction Reports and Analysis Centre Privacy Consultative Committee

The OAIC is a member of the Australian Transaction Reports and Analysis Centre (AUSTRAC) Privacy Consultative Committee, an advisory committee to the AUSTRAC Chief Executive Officer (CEO). The Privacy Consultative Committee comprises revenue, law enforcement, privacy and civil liberties representatives to promote understanding of issues and develop positions concerning privacy, civil liberties and related matters. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) requires the AUSTRAC CEO to have regard to privacy, and consult with the Information Commissioner in performing his functions under the AML/CTF Act. The Privacy Consultative Committee is one of the means by which the AUSTRAC CEO fulfils these obligations.

 Advice to other jurisdictions

The OAIC provides advice to other jurisdictions as part of its activities, both internationally and domestically. During 2012–13, the OAIC participated in a number of international privacy and data protection forums. These forums enable international privacy protection authorities to build collaborative relationships. These are becoming more important in light of the increasing prevalence of transnational data protection issues.

In addition to engaging with privacy and data protection authorities in other jurisdictions, the OAIC provided policy advice to the Australian Government in relation to the protection of personal information, in the context of a number of international negotiations.

Global Privacy Enforcement Network Privacy Sweep

In May 2013, the OAIC participated in the first International Internet Privacy Sweep, along with 19 other privacy enforcement authorities — all members of the Global Privacy Enforcement Network (GPEN). The theme of the sweep was 'Privacy Practice Transparency'. From 6–12 May 2013, sweep participants dedicated resources to analyse websites and mobile applications in a coordinated effort to assess privacy issues related to the theme. More information about the sweep can be found in Chapter 4.

Trans-Pacific Partnership Free Trade Agreement

The Trans-Pacific Partnership (TPP), also known as the Trans-Pacific Strategic Economic Partnership Agreement or TPP agreement, is a multilateral free trade agreement that aims to integrate the economies of the Asia-Pacific region. Membership of the TPP includes Brunei, Chile, New Zealand, Singapore, Vietnam, Malaysia, Peru, United States, and Australia.

The OAIC provided advice to the Australian Government representatives on the privacy considerations of the e-commerce chapter of the TPP. Most recently, the OAIC provided advice on the TPP's interaction with the Privacy Amendment Act in preparation for the latest round of negotiation discussions.

Advice to the Northern Territory Information Commissioner on handling personal information in emergency and disaster situations

In June 2013, the Northern Territory Information Commissioner contacted the OAIC seeking advice on balancing the protection of personal information against the disclosure and use of information to assist victims in emergencies and disasters.

The OAIC advised the Northern Territory Information Commissioner of exemptions and safeguards in the Privacy Act that address emergency situations. Sections 80J and 80K allow Australian Government agencies, state and territory authorities, private sector organisations and non-government organisations to collect, use and disclose personal information during a declared emergency or disaster. The OAIC also highlighted that under the Privacy Amendment Act, agencies and organisations will be able to collect, use and disclose information if they reasonably believe that it is reasonably necessary to assist in locating a person who has been reported as missing, and the collection, use or disclosure complies with rules made by the Information Commissioner.

 New legislative instruments

Under the Privacy Act, the Information Commissioner has the power to make certain legislative instruments. When making those legislative instruments, the Information Commissioner is required to comply with the requirements of the Legislative Instruments Act 2003.

PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013

On 20 June 2013, the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 (PCEHR Guidelines) were registered on the Federal Register of Legislative Instruments. The PCEHR Guidelines were made under s111 of the PCEHR Act, which requires the Information Commissioner to formulate, and have regard to, guidelines relating to enforcement powers. These Guidelines set out the Information Commissioner's general approach to exercising his or her powers under the PCEHR Act and related powers under other Acts such as the Privacy Act. As the independent regulator of privacy aspects of the PCEHR system, the Information Commissioner has a range of enforcement powers including:

  • using existing Privacy Act investigative and enforcement mechanisms, including conciliation of complaints and formal determinations
  • seeking an injunction to restrain or require particular conduct
  • accepting enforceable undertakings
  • seeking a civil penalty order from a Court.

The PCEHR Guidelines explain the Information Commissioner's general approach to the exercise of these enforcement powers and investigative powers under both the PCEHR Act and the Privacy Act, in relation to the eHealth system.

 Public Interest Determinations

Part VI of the Privacy Act gives the Information Commissioner the power to make a determination that an act or practice of an Australian or ACT Government agency, or a private sector organisation, which may constitute a breach of an IPP, a NPP or an approved privacy code, shall be regarded as not breaching that principle or approved code for the purposes of the Privacy Act. This is known as a Public Interest Determination (PID).

No formal PID applications were received in the period of 2012–13.

 Submission list

In 2012–13, the OAIC published 37 privacy submissions to inquiries being undertaken by parliamentary committees and government agencies. All submissions can be found on the OAIC's website. Examples of submissions made during 2012–13 are listed below.

Privacy law reform

  • Inquiry into the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 — submission to the Senate Standing Committee on Legal and Constitutional Affairs
  • Inquiry into Privacy Amendment (Privacy Alerts) Bill 2013 — submission to the Senate Standing Committee on Legal and Constitutional Affairs
  • Discussion Paper: Australian Privacy Breach Notification — submission to the Attorney-General's Department
  • Review of the Workplace Privacy Act 2011 (ACT) — submission to the ACT Justice and Community Safety Directorate

Data

  • Draft Prudential Practice Guide PPG 235 on Managing Data Risk — submission to the Australian Prudential Regulation Authority
  • Comments on Cabinet submission: A Plan to Improve Collection and Coordination of Firm-Level Data
  • Notice and Consent in a World of Big Data: Microsoft Global Privacy Summit Summary Report and Outcomes — submission to Microsoft

National security

  • Inquiry into Potential Reforms of National Security Legislation — submission to the Joint Parliamentary Committee on Intelligence and Security
  • Council of Australian Governments' review of Australian anti-terror legislation — submission to Council of Australian Governments

Cyber issues

  • Consultation paper — Review of the effectiveness of an online database for small amount lenders — submission to Australian Securities and Investments Commission

Council of Australian Governments reform agenda

  • Inquiry into the National Disability Insurance Scheme Bill 2012 — submission to Senate Standing Committee on Community Affairs

Migration

  • Inquiry into the Migration Amendment (Health Care for Asylum Seekers) Bill 2012 — submission to Senate Standing Committee on Social Policy and Legal Affairs

Telecommunications

  • International mobile roaming — proposed standard — submission to the Australian Communications and Media Authority
  • Telecommunications (Interception and Access) (Requirements for Authorisations, Notifications and Revocations) Amendment Determination 2012 — submission to the Attorney-General's Department
  • Proposed determination under section 183(2) of the Telecommunications (Interception and Access) Act 1979 (Cth) — submission to Attorney-General's Department
  • Telecommunications (Service Provider – Identity Checks for Prepaid Mobile Carriage Services) Determination 2013 (the draft 2013 Determination) — submission to the Australian Communications and Media Authority

Education

  • Consultation on the legislative package for the Unique Student Identifier — submission to the Department of Industry, Innovation, Climate Change, Science, Research and Tertiary Education
  • Inquiry into the Student Identifiers Bill 2013 — submission to the Senate Standing Committee on Education, Employment and Workplace Relations.