Australian Government - Office of the Australian Information Commissioner

Chapter Seven — Privacy compliance

Overview

The Office of the Australian Information Commissioner (OAIC) undertakes a wide range of activities to ensure that privacy is valued and respected in Australia. These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting assessments, data-matching inspections, Commissioner initiated investigations (CIIs) and receiving and reviewing data breach notifications (DBNs). The OAIC also works with agencies and organisations to provide strategic policy advice (see Chapter Six).

In 2013–14, the OAIC received 4239 privacy complaints, an increase of 183.3% over the 1496 received in 2012–13. This is a significant increase over previous years and appears to arise from changes in the credit related provisions of the Privacy Act and complaints from people affected by several well publicised data breaches in both the public and private sectors. Additionally, the OAIC received 71 voluntary DBNs, a 16.4% increase on the number of DBNs received in 2012–13.

Six CIIs (previously named own motion investigations) were commenced and work was undertaken on 13 assessments (previously known as audits).

Table 7.1 shows the total number of privacy complaints received and finalised by the OAIC since the commencement of operations on 1 November 2010.

Table 7.1 OAIC privacy complaints received and closed since 2010

|          | 2010–11 (From 1 November) | 2011–12 | 2012–13 | 2013–14 | Total number of privacy complaints |
|----------|---------------------------|---------|---------|---------|------------------------------------|
| Received | 780                       | 1357    | 1496    | 4239    | 7872                               |
| Closed   | 775                       | 1383    | 1504    | 2617    | 6279                               |

Responding to privacy enquiries

The OAIC's enquiries line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The OAIC's enquiries line also responds to written enquiries received by post, email or fax.

Telephone enquiries

In 2013–14, the enquiries line answered 16,491 telephone calls, 9998 of which related to privacy matters that were within the OAIC's jurisdiction. A further 1739 enquiries were received about privacy matters that were out of jurisdiction.

Most callers were individuals seeking information about their privacy rights and how to resolve privacy complaints.

Table 7.2 sets out the top 10 types of callers who telephoned the enquiries line in 2013–14.

Table 7.2 Top 10 privacy caller types

| Top 10 privacy caller types                                 | Number of calls |
|-------------------------------------------------------------|-----------------|
| Individuals                                                 | 7230            |
| Business and professional associations                      | 877             |
| Health service providers                                    | 298             |
| Real estate agents                                          | 241             |
| Legal, accounting and management services                   | 206             |
| Australian Government                                       | 171             |
| Finance (including superannuation)                          | 112             |
| Charities                                                   | 111             |
| Personal services (including employment, child care, vets)  | 106             |
| Education                                                   | 70              |

Tables 7.3.1–7.3.4 provide a breakdown of issues discussed in the calls received during 2013–14. More than half (52%) of the privacy-related calls were about the National Privacy Principles (NPPs), and a further 43% were about the Australian Privacy Principles (APPs) which came into force in March 2014. Calls about the Information Privacy Principles (IPPs) made up a small proportion of the calls.

The most frequently discussed issue in 2013–14 was credit reporting including the handling of credit worthiness information (primarily due to the commencement of new rules relating to credit worthiness as part of the privacy reforms that commenced in March 2014), followed by use and disclosure of personal information, and NPP exemptions.

Table 7.3.1 Breakdown of issues discussed: APPs

| Issues                                                  | Number of calls |
|---------------------------------------------------------|-----------------|
| APP 1 — Open and transparent management                 | 167             |
| APP 2 — Anonymity and pseudonymity                      | 11              |
| APP 3 — Collection                                      | 409             |
| APP 4 — Collection of unsolicited personal information  | 22              |
| APP 5 — Notification of collection                      | 242             |
| APP 6 — Use or disclosure                               | 743             |
| APP 7 — Direct marketing                                | 121             |
| APP 8 — Cross-border disclosure                         | 52              |
| APP 9 — Government identifiers                          | 7               |
| APP 10 — Quality of personal information                | 53              |
| APP 11 — Security of personal information               | 403             |
| APP 12 — Access to personal information                 | 449             |
| APP 13 — Correction                                     | 32              |
| APPs — Exemptions                                       | 647             |
| APPs generally                                          | 920             |

Table 7.3.2 Breakdown of issues discussed: IPPs

| Issues                                  | Number of calls |
|-----------------------------------------|-----------------|
| IPPs 1, 2, and 3 — Collection           | 68              |
| IPP 4 — Data security                   | 45              |
| IPP 5 — Privacy statement               | 19              |
| IPPs 6 and 7 — Access and correction    | 18              |
| IPPs 8 and 9 — Accuracy and relevance   | 23              |
| IPPs 10 and 11 — Use and disclosure     | 158             |
| IPPs generally                          | 31              |

Table 7.3.3 Breakdown of issues discussed: NPPs

| Issues                                      | Number of calls |
|---------------------------------------------|-----------------|
| NPP 1 — Collection                          | 899             |
| NPP 2 — Use and disclosure                  | 1324            |
| NPP 3 — Data quality                        | 115             |
| NPP 4 — Data security                       | 691             |
| NPP 5 — Openness (privacy statement)        | 45              |
| NPP 6 — Access and correction               | 807             |
| NPP 7 — Identifiers                         | 3               |
| NPP 8 — Anonymity                           | 9               |
| NPP 9 — Transborder data flows              | 31              |
| NPP 10 — Sensitive information collection   | 32              |
| NPPs — Exemptions                           | 1012            |
| NPPs generally                              | 214             |

Table 7.3.4 Breakdown of issues discussed: Other

| Issues                                            | Number of calls |
|---------------------------------------------------|-----------------|
| Credit reporting                                  | 1438            |
| Data breach notification                          | 43              |
| Data-matching                                     | 4               |
| Healthcare identifiers                            | 1               |
| Personally controlled electronic health records   | 6               |
| Privacy codes                                     | 2               |
| Privacy law reforms                               | 789             |
| Spent convictions                                 | 99              |
| Tax file numbers                                  | 53              |

Table 7.4 lists the 10 private sector industry groups that were most enquired about in NPP telephone enquiries. This pattern has been generally consistent for several years with business and professional associations being the industry group most enquired about.

Table 7.4 Top 10 private sector industry groups

| Private sector industry group                               | Number of telephone enquiries |
|-------------------------------------------------------------|-------------------------------|
| Business and professional associations                      | 1324                          |
| Health service providers                                    | 710                           |
| Real estate agents                                          | 457                           |
| Finance (including superannuation)                          | 301                           |
| Telecommunications                                          | 244                           |
| Retail                                                      | 203                           |
| Insurance                                                   | 167                           |
| Personal services (including employment, child care, vets)  | 135                           |
| Online services                                             | 117                           |
| Debt collectors                                             | 103                           |

Following are some examples of calls received during 2013–14.

  • A caller asked about the definition of 'use' versus 'disclosure'. The enquirer was provided with information on NPP 2 (use and disclosure) and NPP 9 (transborder data flows), as the caller's organisation offers a cloud computing service and has locations overseas. The caller also enquired about the differences between the NPPs and the APPs. The enquirer was referred to the OAIC publication that compares the APPs to the NPPs and other law reform publications. It was also suggested that the caller subscribe to the OAIC's Privacy Connections newsletter to receive notification of further guidance on the reforms.

  • A caller stated that when they applied to a credit provider for a car loan the provider had advised that credit checks would not be performed as part of the process. However, the individual then received an alert from a credit reporting body stating that their credit file had been accessed. When the caller contacted the credit provider, it admitted that 'due to human error' it failed to have the individual sign its disclosure notice.

    The caller was advised by the OAIC that a credit provider is not required to obtain an individual's consent to access their credit file. However, a credit provider is required to advise the individual that it may provide their personal information to a credit reporting body in order to access the credit file. The caller was also advised on the OAIC's privacy complaints process.

  • A caller advised that they were in the process of starting up a small photography business that will photograph local sporting events, publish those images online and provide individuals with the option to purchase those photographs. The enquirer asked about their privacy obligations.

    The caller was provided with information about the small business operator exemption, noting that if the organisation is considered to be trading in personal information without consent, then it will not be able to claim this exemption, irrespective of the annual turnover.

    The caller was also provided with advice on the NPPs generally, with specific reference to collection notification, use and disclosure, and access requirements. It was suggested that the enquirer consider whether it is practicable for the organisation to seek consent, as well as what steps the organisation will take if an individual does not consent, withdraws their consent or raises privacy concerns. The caller was advised that best practice would be to have a process in place to deal with such matters.

Written enquiries

In 2013–14, the OAIC received 3789 written enquiries; 2141 related to privacy matters that were within the OAIC's jurisdiction and a further 314 enquiries were about privacy matters out of jurisdiction.

The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was not met in 2013–14, with 71% of privacy related written enquiries responded to within 10 working days. This result was due to a significant increase in written enquiries received, within a short timeframe, about the privacy reforms. Enquirers were notified of any delay at the time.

In 2013–14, 36% of privacy related written enquiries were about the APPs and a further 29% related to the NPPs. This combined total of 65% is consistent with the 2012–13 figure for enquiries about the NPPs which was 64%.

Complaints

The OAIC can investigate complaints about acts or practices that may be an interference with an individual's privacy. These can include allegations that:

  • personal information has been collected, held, used or disclosed by an organisation in contravention of the APPs (previously the NPPs)
  • personal information has been handled by an Australian Government agency in a manner that does not comply with the APPs (previously the IPPs)
  • credit-worthiness information held by credit providers and credit reporting agencies has been mishandled
  • Tax File Numbers (TFNs) have been mishandled by individuals or organisations
  • personal information has not been managed in accordance with spent conviction, data matching or healthcare identifier legislation.

Complaints received during 2013–14

In 2013–14, the OAIC received a total of 4239 complaints relating to privacy, on a wide variety of issues. As stated above, this is a significant increase over previous years and appears to arise from changes in the credit related provisions of the Privacy Act 1988 (Privacy Act) and complaints from people affected by two particular data breaches in the public and private sector.

In 2013–14, 1813 of the total number of complaints received (or 42.7%) were about credit related issues. About 25% of complaints were about the NPPs and another 25% about the IPPs. Given the commencement of the new privacy laws on 12 March 2014, only a small number of complaints (163) had been received by 30 June 2014 that raised issues under the APPs.

Table 7.5 outlines the relevant parts of the Privacy Act that were the subject of complaints. The number of complaints that related to parts of the Privacy Act exceeds the total number of complaints and the percentages exceed 100% because a complaint can relate to more than one part of the Privacy Act.

Table 7.5 Part of the Privacy Act subject of complaints

| Key issue           | Number of complaints that include key issue | %    |
|---------------------|---------------------------------------------|------|
| Credit reporting    | 1813                                        | 42.7 |
| NPPs                | 1064                                        | 25.1 |
| IPPs                | 1035                                        | 24.4 |
| APPs                | 163                                         | 3.8  |
| Not in jurisdiction | 157                                         | 3.7  |

Table 7.6.1 sets out the issues complained about under the NPPs, IPPs and APPs and Table 7.6.2 sets out other issues in complaints. Both tables display each issue as a percentage of total complaints received in 2013–14. The percentage of complaints column exceeds 100% because a complaint can raise more than one issue. The most commonly complained about issues in 2013–14 were use and disclosure, access to personal information and security of personal information.

Table 7.6.1 Issues in complaints: NPPs, IPPs and APPs

| Issue                              | NPPs — Number of complaints | NPPs — % of complaints | IPPs — Number of complaints | IPPs — % of complaints | APPs — Number of complaints | APPs — % of complaints |
|------------------------------------|-----------------------------|------------------------|-----------------------------|------------------------|-----------------------------|------------------------|
| Openness and transparency          | 3                           | 0.1                    | n/a                         | n/a                    | 3                           | 0.1                    |
| Anonymity and pseudonymity         | 1                           | 0.02                   | n/a                         | n/a                    | 2                           | 0.05                   |
| Collection                         | 171                         | 4.0                    | 32                          | 0.8                    | 42                          | 1.0                    |
| Unsolicited personal information   | n/a                         | n/a                    | n/a                         | n/a                    | 1                           | 0.02                   |
| Notification of collection         | 0                           | 0                      | 6                           | 0.1                    | 7                           | 0.2                    |
| Use or disclosure                  | 704                         | 16.6                   | 1020                        | 24                     | 100                         | 2.4                    |
| Direct marketing                   | n/a                         | n/a                    | n/a                         | n/a                    | 10                          | 0.2                    |
| Cross-border disclosure            | 4                           | 0.1                    | n/a                         | n/a                    | 0                           | 0                      |
| Government identifiers             | 0                           | 0                      | n/a                         | n/a                    | 1                           | 0.02                   |
| Quality of personal information    | 168                         | 4                      | 7                           | 0.1                    | 7                           | 0.2                    |
| Security of personal information   | 162                         | 3.8                    | 920                         | 21.7                   | 39                          | 0.9                    |
| Access to personal information     | 191                         | 4.5                    | 2                           | 0.05                   | 66                          | 1.6                    |
| Correction                         | 0                           | 0                      | 8                           | 0.2                    | 1                           | 0.02                   |
| Information kept by record keeper  | n/a                         | n/a                    | 1                           | 0.02                   | n/a                         | n/a                    |

Table 7.6.2 Issues in complaints: Other

| Issue                  | Number of complaints | %    |
|------------------------|----------------------|------|
| Credit reporting       | 2028                 | 47.8 |
| Data matching          | 2                    | 0.05 |
| Healthcare identifiers | 4                    | 0.1  |
| Not in jurisdiction    | 172                  | 4.1  |
| Spent convictions      | 1                    | 0.02 |
| TFN                    | 9                    | 0.2  |

Most complained about sectors

Table 7.7 shows the number of complaints made about each of the 10 most commonly complained about industry sectors. As in 2012–13, the finance sector continues to be the most frequently complained about industry. Complaints against Government were high but reflect a large number of individual complaints received about a single issue related to one government agency. For example, in 2013–14 the OAIC received a large number of complaints against the Department of Immigration and Border Protection from people affected by a data breach that occurred in February 2014. The large number of complaints regarding credit reporting bodies is related to the introduction of changed credit provisions in the reforms to the Privacy Act introduced in March 2014.

Table 7.7 Ten most commonly complained about sectors

| Sector                              | Number of complaints |
|-------------------------------------|----------------------|
| Finance (including superannuation)  | 1532                 |
| Australian Government               | 1049                 |
| Credit reporting bodies             | 507                  |
| Telecommunications                  | 192                  |
| Health service providers            | 110                  |
| Online services                     | 100                  |
| Retail                              | 97                   |
| Debt collectors                     | 78                   |
| Utilities                           | 70                   |
| Insurance                           | 60                   |

Organisations and agencies with the largest numbers of complaints

The most complained about organisations and agencies are listed in Table 7.8.

Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints may represent only a small percentage of those transactions.

The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act. In some cases, a high number of complaints may be received about a single issue affecting a large number of people.

Table 7.8 Organisations and agencies with the largest number of complaints

| Organisation                                           | Number of complaints |
|--------------------------------------------------------|----------------------|
| Department of Immigration and Border Protection        | 904                  |
| Veda Advantage Information Services and Solutions Ltd  | 484                  |
| Cbus Superannuation                                    | 340                  |
| ANZ Bank Limited                                       | 104                  |
| Commonwealth Bank of Australia Limited                 | 82                   |
| Telstra Corporation Limited                            | 82                   |
| Westpac Banking Corporation                            | 77                   |
| National Australia Bank Limited                        | 76                   |
| St George Bank Limited                                 | 61                   |
| Department of Human Services                           | 56                   |

Complaints closed during 2013–14

In 2013–14, the OAIC closed 2617 complaints, an increase of 74% on the number of complaints closed in 2012–13.

One of the OAIC's deliverables (see Chapter 2) is to finalise 80% of all privacy complaints within 12 months of receipt. In 2013–14, 97.5% of complaints were finalised within 12 months. In 2013–14, complaints were closed in an average of 2.8 months, an improvement on the previous financial year average of 3.7 months. Despite the 183.3% increase in complaints received in 2013–14, the OAIC is pleased to report that timeliness has been maintained.

The OAIC can investigate acts or practices that may be an interference with privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.

The OAIC may decide not to investigate the matter or to cease an investigation if it is satisfied that a matter has been adequately dealt with or there has not been an interference with privacy. Otherwise, a Commissioner may make a determination about a complaint under s 52 of the Privacy Act. Table 7.9 provides more information about the stage at which complaints were closed.

Table 7.9 Stage at which complaints were closed

| Stage closed          | Number of complaints | %    |
|-----------------------|----------------------|------|
| Without investigation | 1693                 | 64.7 |
| Preliminary inquiries | 641                  | 24.5 |
| Investigation         | 283                  | 10.8 |
| Total                 | 2617                 | 100  |

Complaints closed without investigation

In 2013–14, the OAIC closed 64.7% of complaints without investigation. Where a complaint is closed without investigation the OAIC contacts the applicant to explain the reason for the decision not to investigate and, where appropriate, applicants will be referred to an organisation or agency that may be able to assist them.

The most common reasons for not investigating complaints were:

  • no interference with privacy (s 41(1)(a))
  • complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))
  • complaint was not within jurisdiction, the individual lodging the complaint was not complaining about the handling of their own personal information, or a respondent was not specified (s 36)
  • complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).

Reasons for closing complaints

Once the OAIC has confirmed that it has jurisdiction to investigate a complaint it tries, where possible, to resolve it at an early stage of the resolution process. The OAIC may find that the respondent has adequately dealt with the matter, or the OAIC may be able to resolve the complaint through conciliation. In limited situations the Commissioner may make a determination. Table 7.10 provides reasons for closing complaints under the Privacy Act, either with or without investigation. The total number of issues by jurisdiction exceeds the number of complaints closed because a complaint may raise more than one issue.

Of note is the high number of credit matters closed on the basis that there was no interference with privacy. This reflects the increased number of complaints received prior to the changes to the credit reporting provisions introduced in March 2014 and the large number of people who sought to address concerns with their credit reports prior to those changes coming into effect.

Table 7.10 Reasons for closing complaints by jurisdiction

| Reasons     | APPs | NPPs | IPPs | Credit reporting | TFN or Spent convictions | Health-care Identifiers | No jurisdiction | Total |
|-------------|------|------|------|------------------|--------------------------|-------------------------|-----------------|-------|
| s 36        | 1    | 20   | 9    | 5                | 0                        | 0                       | 104             | 139   |
| s 41(1)(a)  | 4    | 311  | 93   | 1213             | 4                        | 1                       | 37              | 1663  |
| s 40(1A)    | 1    | 39   | 14   | 44               | 0                        | 1                       | 0               | 99    |
| s 41(1)(c)  | 0    | 12   | 2    | 13               | 0                        | 0                       | 0               | 27    |
| s 41(1)(d)  | 4    | 26   | 2    | 55               | 0                        | 0                       | 0               | 87    |
| s 41(1)(e)  | 0    | 7    | 0    | 2                | 0                        | 0                       | 1               | 10    |
| s 41(1)(f)  | 0    | 11   | 1    | 1                | 0                        | 0                       | 0               | 13    |
| s 41(2)(a)  | 2    | 231  | 26   | 101              | 2                        | 0                       | 1               | 363   |
| s 41(2)(b)  | 2    | 16   | 1    | 14               | 0                        | 0                       | 0               | 33    |
| s 52        | 0    | 1    | 0    | 0                | 0                        | 0                       | 0               | 1     |
| Other       | 10   | 128  | 19   | 82               | 1                        | 0                       | 3               | 243   |
| Total       | 24   | 802  | 167  | 1530             | 7                        | 2                       | 146             | 2678  |

Key:

s 36 — not the privacy of the complainant or no respondent specified, no jurisdiction

s 41(1)(a) — no interference with privacy

s 40(1A) — complaint not raised with respondent

s 41(1)(c) — aware of alleged breach for more than 12 months

s 41(1)(d) — frivolous, vexatious, misconceived, lacks substance

s 41(1)(e) — dealt with under another law

s 41(1)(f) — another law is more appropriate

s 41(2)(a) — respondent has adequately dealt with the matter

s 41(2)(b) — respondent has not had an opportunity to deal with the complaint

s 52 — Determination made by the Privacy Commissioner

Other — for example, withdrawn

A high proportion of total complaints received related to personal information held by credit providers as allowed by both the pre- and post-reform credit related provisions. A large number of these matters were declined as they did not raise an issue of substance under the Privacy Act. Credit related complaints are often resolved through conciliation by updating credit information, removing incorrectly listed defaults or debts, or unlinking credit files that have been incorrectly linked. In some cases the resolution may include financial compensation where a complainant has incurred financial disadvantage.

Nature of remedies achieved in complaints

Many complaints about alleged interferences with privacy are resolved informally by the OAIC's dispute resolution team. Table 7.11 provides further detail about the types of remedies achieved. The total number of remedies listed in Table 7.11 exceeds the total number of complaints as more than one remedy may have resulted for a particular complaint.

Table 7.11 Complaints closed with a remedy obtained

| Remedy                          | APPs | NPPs | IPPs | Credit reporting | Spent convictions and TFN | Total |
|---------------------------------|------|------|------|------------------|---------------------------|-------|
| Access provided                 | 1    | 91   | 0    | 9                | 0                         | 101   |
| Apology                         | 0    | 42   | 13   | 5                | 1                         | 61    |
| Changed procedures              | 0    | 19   | 6    | 2                | 1                         | 28    |
| Compensation up to $1000        | 0    | 8    | 0    | 5                | 1                         | 14    |
| Compensation $1001 to $5000     | 0    | 11   | 5    | 2                | 0                         | 18    |
| Compensation $5001 to $10,000   | 0    | 4    | 3    | 1                | 1                         | 9     |
| Compensation over $10,001       | 0    | 5    | 3    | 0                | 0                         | 8     |
| Counselled staff                | 0    | 10   | 4    | 0                | 0                         | 14    |
| Other remedy                    | 0    | 35   | 4    | 21               | 0                         | 60    |
| Record amended                  | 1    | 57   | 3    | 47               | 1                         | 109   |
| Staff training                  | 0    | 13   | 4    | 0                | 0                         | 17    |
| Total                           | 2    | 295  | 45   | 92               | 5                         | 439   |

Case study: Complaint about the disclosure of a credit file by a credit reporting agency

The OAIC received a complaint from an individual after they became aware that a third party had requested a copy of their credit file from a credit reporting agency and this was provided. The credit reporting agency was unable to locate a file to fulfil this request at first, but provided a credit file held under the complainant's previous name.

The complainant became aware of this disclosure, and advised the credit reporting agency that her current credit file and credit files under her other names contained inaccurate information. In response to the complaint, the credit reporting agency investigated the matter and outlined the matches of information between the files, including driver's licence, and made corrections to her credit files.

The complainant was not satisfied with this response and sought further corrections to her credit file, an apology and compensation for the disclosure of her information to a third party. The matter was resolved by conciliation and the respondent agreed to pay $5000, made a written apology and made further corrections to her credit file.

Case study: Complaint about a disclosure from a financial services company

The OAIC received a complaint after a financial services company changed the complainant's account password and provided the password and unique customer number to the complainant's relative. The complainant's relative accessed the complainant's accounts online.

The financial services company investigated the matter and acknowledged that human error had occurred and apologised to the complainant. The complainant was not satisfied with this response. The matter was resolved by conciliation and the respondent agreed to pay $5000, and revised the steps it takes to protect the personal information it holds, including conducting appropriate identity checks.

Case study: Complaint about the retention of information and use for another purpose

The complainant advised the OAIC that she had made an insurance claim. The insurance company advised her that it required seven years of medical information to process the claim. The complainant consented on the basis that the information would only be used for that purpose and would be destroyed once the claim was processed. After the claim was processed, the insurance company advised it would retain the information for use in future claims.

The complaint was resolved by the company returning any hard copy information it held about the complainant and by agreeing to delete the medical information it held in electronic form.

Case study: Complaint about notice of possible disclosure of information

The complainant received a notice from the respondent agency to produce information relating to the complainant's tenant. The respondent subsequently disclosed to the tenant that the complainant was the informer. The complainant claimed the tenant became abusive and refused to vacate the property.

The respondent stated that the disclosure to the tenant was authorised by Commonwealth law, however the respondent did not notify the complainant that the tenant would be notified that information had been provided by the complainant. The matter was resolved through conciliation and the complainant accepted $2000 in compensation.

Complaints under privacy codes

Up until 11 March 2014 the Privacy Act allowed for organisations or groups of organisations to develop privacy codes to replace the NPPs as the legally enforceable privacy standards for those organisations.

Two NPP codes were in force until 11 March 2014:

  • Queensland Club Industry Privacy Code
  • Market and Social Research Privacy Code.

The OAIC did not receive any complaints under either of these codes in 2013–14.

From 12 March 2014 any APP entity or group of APP entities can develop a code of practice about information privacy (APP code) and seek registration by the Information Commissioner. For more information about APP codes see Chapter 6.

Determinations

The Privacy Commissioner made one determination in 2013–14: 'BO' and AeroCare Pty Ltd [2014] AICmr 32 (8 April 2014).

The complainant has a disability, a vision impairment, and at the time of the events had recently undergone treatment for a medical condition and surgery. The complainant was travelling by plane with a sighted guide from Queensland to Melbourne. The complainant and his associate checked in at the counter at the airport and then went to the gate area to wait to board the flight.

The complainant alleged that while he was seated in this public area and among other passengers he was approached by someone who asked him a range of personal and intrusive questions about his disabilities and fitness to travel. The complainant says the person did not introduce themselves or offer to take him somewhere more private for the discussion.

The complainant said AeroCare had interfered with his privacy by:

  • collecting his personal medical information in an unreasonable and intrusive manner, by asking him a number of personal medical questions in the departure lounge of the airport
  • disclosing his personal medical information to third parties in the departure lounge of the airport
  • failing to advise him of the reason for the collection of his personal information.

The Privacy Commissioner found that the respondent had breached:

  • NPP 1.2 by collecting the complainant's personal information in an unreasonably intrusive way
  • NPP 1.3 by failing to take reasonable steps to ensure that the complainant was aware of the reasons it was collecting his personal information
  • NPP 4.1 by disclosing the personal information of the complainant.

The Privacy Commissioner considered the evidence provided by the complainant about the distress, hurt and humiliation he had experienced.

AeroCare was ordered to pay $8500 in compensation for non-economic loss, to apologise in writing to the complainant and to review staff training in the handling of sensitive personal information. The Privacy Commissioner also required AeroCare to report on the results of that review within six months.

Commissioner initiated investigations

Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called 'Commissioner initiated investigations' (CIIs). Prior to the amendments to the Privacy Act made under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 on 12 March 2014, these investigations were known as 'own motion investigations', or OMIs.

When conducting a CII the OAIC can gather information about a respondent's privacy practices, and can work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.

During 2013–14, six new matters involving alleged interferences with privacy were assessed for investigation as OMIs (as all were received before 12 March 2014). The OAIC opened investigations into five of these matters. These matters came to the OAIC's attention from a variety of sources, including emails and letters from individuals and systemic issues identified through complaints, data breach notifications or as a result of media coverage.

The OAIC uses its own risk assessment criteria to determine whether to open an investigation. This includes consideration of the following factors:

  • the number of people affected and the possible consequences for those individuals
  • the sensitivity of the personal information involved
  • the progress of an agency's or organisation's own investigation into the matter and consideration of the actions taken by the entity in response
  • the likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.

Table 7.12 shows the total number of matters that were assessed for investigation in 2013–14 and the two preceding financial years.

Table 7.12 Matters assessed for investigation by year

| Year    | Number of matters assessed for investigation |
|---------|----------------------------------------------|
| 2013–14 | 6                                            |
| 2012–13 | 13                                           |
| 2011–12 | 37                                           |

Table 7.13 shows a breakdown of the most common issues that arose in OMIs in 2013–14. The main compliance issues related to data protection, especially in relation to the adequacy of database security arrangements to prevent targeted hacking attacks that can lead to online disclosure of personal information.

Examples of incidents investigated in 2013–14 include:

  • a telecommunications company that inadvertently made spreadsheets of customer data, including silent line customers, publicly available on the internet
  • a dating website network whose webservers were attacked, resulting in the theft of the personal information of millions of users worldwide, including 254,000 Australian users
  • a security credentials company that failed to adequately secure its website, resulting in unauthorised access to applications for security credentials
  • a medical centre that stored paper medical records relating to former patients in a garden shed at an unoccupied site.

Table 7.13 Issues in OMIs opened in 2013–14

| Issues                              | Number of investigations |
|-------------------------------------|--------------------------|
| NPP 2 — improper use or disclosure  | 3                        |
| NPP 4.1 — data protection issues    | 5                        |
| NPP 4.2 — data retention issues     | 4                        |

Investigation reports

A number of issues that came to the attention of the OAIC in 2013–14 were matters of significant public concern. To promote community confidence and transparency of its regulatory activities, the OAIC published the following investigation reports that are available on the OAIC's website:

  • Cupid Media Pty Ltd (June 2014)
  • Multicard Pty Ltd (May 2014)
  • Telstra Corporation Limited (March 2014)
  • AAPT and Melbourne IT (October 2013).

Data breach notifications

A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, modification or other misuse.

There is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC. The OAIC encourages agencies and organisations to apply the advice set out in the OAIC guide, Data breach notification: A guide to handling personal information security breaches, including notifying the OAIC of data breaches.

However, s 75 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) requires organisations and agencies to make mandatory DBNs to the OAIC in certain circumstances.

In 2013–14, the OAIC received 71 voluntary DBNs, a 16.4% increase from the number of DBNs received in 2012–13. While there is no specific obligation to report DBNs (other than those under s 75 of the PCEHR Act), many agencies and organisations do so as good privacy practice and as part of taking reasonable security steps.

In 2013–14, the OAIC received two mandatory DBNs under s 75 of the PCEHR Act. The OAIC also liaised with the Department of Health about other incidents relating to the PCEHR system which did not meet the criteria for mandatory DBN under the PCEHR Act. More information is available in the OAIC's Annual report of the Information Commissioner's activities in relation to eHealth 2013–14.

Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations ensure they meet their obligations under the Privacy Act. The OAIC's preferred regulatory approach is to work with entities to encourage compliance and best privacy practice. As such, the OAIC's enquiries into DBN incidents primarily focus on the data security measures that the entity had in place when the incident occurred and the steps taken to improve security practices in future to achieve the best privacy outcome for affected individuals. When considering the data security measures in place the OAIC has regard to its Guide to information security.

The OAIC may take no further action if it considers that the reporting entity had taken appropriate steps to respond to the data breach, including mitigating harm to affected individuals.

In cases where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, or where the nature of the breach warrants further action, a CII may be opened.

Issues in data breach notifications

Incidents reported to the OAIC through DBNs in 2013–14 included:

  • email and mail-out errors resulting in customers receiving the personal information of other customers
  • theft of secured personal information or storage devices through criminal activity, such as break and enter offences
  • loss or misplacement of storage devices containing personal information
  • improper disposal of paper records, leading to unauthorised disclosure of personal information
  • improper implementation, or inadequate testing, of websites, leading to unauthorised disclosure of personal information via the internet
  • malicious hacking of secured systems, leading to unauthorised access to personal information.

Typically, the actions taken by entities in response to a data breach included system reviews and remediation, written notifications to affected individuals, apologies, retrieval of records, changes to standard operating procedures and systems, and staff training.


Data-matching

Monitoring government data-matching

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing the data sets to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This process may include identifying individuals.

Data-matching involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data-matching, the OAIC performs a number of functions.

The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (statutory data-matching guidelines). Additionally, the Information Commissioner oversees the functioning of the Guidelines on Data Matching in Australian Government Administration, which are voluntary guidelines to assist agencies to undertake data-matching activities that are not covered by the Data-matching Act in a privacy sensitive way.

Matching under the Data-matching Act and statutory data-matching guidelines

To detect overpayments, taxation non-compliance, and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special Centrelink Program unit within the Department of Human Services (DHS). This unit runs matches on behalf of DHS, the Department of Veterans' Affairs (DVA) and the ATO.

The Data-matching Act and the statutory data-matching guidelines outline the types of personal information that can be used, and how it can be processed. The Data-matching Act and guidelines also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have a means of redress.

The Data-matching Act requires DHS, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under that Act. These reports are published separately by each agency.

The Data-matching Act also provides that the Information Commissioner is responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.

Inspections

During 2013–14, the OAIC undertook three inspections of DHS customer records identified for review under the Data-matching Act. The inspections assessed the appropriateness of DHS's handling of data-match review information against its obligations under both the Data-matching Act and the Privacy Act. The inspections were undertaken at the following DHS premises:

  • Queanbeyan, NSW (August 2013)
  • Surry Hills, NSW (November 2013)
  • Queanbeyan, NSW (April 2014).

Each inspection reviewed a sample of one hundred data-match review cases. At the completion of each inspection, the OAIC prepared a report to the National Manager of the Business Integrity Division, DHS.

While the OAIC found that Centrelink's processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act and the Privacy Act, the OAIC identified some areas of risk and made recommendations to improve practices.

Matching under the Guidelines for the Use of Data-Matching in Commonwealth Administration

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but which are run under different laws authorising the use and disclosure of personal information for data-matching purposes.

In June 2014, the Information Commissioner issued revised voluntary data-matching guidelines called the Guidelines on Data-Matching in Australian Government Administration (Voluntary data-matching guidelines). The voluntary data-matching guidelines replace the previous Guidelines for the Use of Data-Matching in Commonwealth Administration, which were issued in 1998, and reflect the changes associated with the reforms to the Privacy Act.

The Voluntary data-matching guidelines set out a range of considerations for Australian Government agencies to address when undertaking data-matching activities, including requirements that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results and that action against individuals is not taken solely on the basis of automated processes.
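The following is an added worked example, not code from the OAIC or from any of the data-matching programs listed on this page (none of which publish their matching logic). It takes the process described above, joining record sets from different sources and comparing them to find discrepancies, and builds in the three safeguards the voluntary guidelines call for: only the discrepancies are retained (the majority of people matched are not under suspicion and should leave no trace in the output), every match is a review case for a person rather than a trigger for automated action, and no action can follow until the individual has had a chance to dispute the result. The agencies, identifiers, amounts, field names and the 28-day dispute window are all constructed assumptions for the illustration.

```python
"""Worked data-matching example (added illustration, not any agency's program).

Two constructed record sets are matched on a shared identifier and compared
field by field. Only material discrepancies are kept, as review cases; all
other matched and unmatched records are discarded after being counted for the
program's evaluation figures. A case can only lead to action after a human
reviewer has examined it and the individual has had a chance to dispute it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ReviewCase:
    """A flagged discrepancy awaiting human review."""
    client_id: str
    declared: int                        # value held by the matching agency
    reported: int                        # value held by the source agency
    opened: date
    reviewed_by: Optional[str] = None    # set by a human reviewer, never by code
    disputed: bool = False               # the individual has contested the match
    resolved: bool = False               # the dispute was resolved by a person


@dataclass
class MatchSummary:
    """Aggregate figures for monitoring and evaluation of the program."""
    compared: int
    unmatched_source_records: int
    flagged: int


def run_match(matching_records, source_records, run_date,
              abs_tolerance=500, rel_tolerance=0.10):
    """Join the two sets on client_id and flag material discrepancies.

    A difference is material only if it exceeds both an absolute floor and a
    percentage of the declared value, so small timing differences between the
    two sources do not generate cases. Returns (cases, summary).
    """
    source_by_id = {r["client_id"]: r["reported_income"] for r in source_records}
    cases = []
    compared = 0
    for rec in matching_records:
        reported = source_by_id.pop(rec["client_id"], None)
        if reported is None:
            continue                      # no counterpart: nothing to compare
        compared += 1
        declared = rec["declared_income"]
        diff = abs(reported - declared)
        if diff > max(abs_tolerance, rel_tolerance * declared):
            cases.append(ReviewCase(rec["client_id"], declared, reported, run_date))
    # Records left in source_by_id had no counterpart in the matching agency's
    # data; they are counted for the evaluation report and then dropped.
    summary = MatchSummary(compared, len(source_by_id), len(cases))
    return cases, summary


def can_take_action(case, today, dispute_days=28):
    """True only if a person has reviewed the case and the dispute window has
    passed without an unresolved dispute. An automated match on its own never
    authorises action against the individual."""
    if case.reviewed_by is None:
        return False
    if case.disputed and not case.resolved:
        return False
    return today >= case.opened + timedelta(days=dispute_days)


# Constructed sample input with fake identifiers and amounts (assumption).
MATCHING_AGENCY = [
    {"client_id": "C1001", "declared_income": 12000},
    {"client_id": "C1002", "declared_income": 0},
    {"client_id": "C1003", "declared_income": 45000},
    {"client_id": "C1004", "declared_income": 8000},
]
SOURCE_AGENCY = [
    {"client_id": "C1001", "reported_income": 12100},   # within tolerance
    {"client_id": "C1002", "reported_income": 30000},   # material discrepancy
    {"client_id": "C1003", "reported_income": 45000},   # exact match
    {"client_id": "C9999", "reported_income": 5000},    # no counterpart
]

if __name__ == "__main__":
    cases, summary = run_match(MATCHING_AGENCY, SOURCE_AGENCY, date(2014, 3, 1))
    print(summary)
    for c in cases:
        print(c.client_id, c.declared, c.reported, can_take_action(c, date(2014, 4, 1)))
```

On the sample input only C1002 is flagged; C1001 differs by less than the tolerance, C1003 matches exactly, and C1004 and C9999 have no counterpart and are discarded after being counted. The case for C1002 cannot be actioned until `reviewed_by` has been set by a person and the dispute window has closed, which is the property a program protocol would need to demonstrate.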

Agencies are also required to prepare a description of the data-matching activity (a 'program protocol'). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.

In 2013–14, the Information Commissioner received seven program protocols for proposed data-matching activities by Australian Government agencies. A summary of these protocols is outlined below.

Matching agency: Australian Taxation Office

Carer Allowance Data-Matching Program (October 2013)

The purpose of the protocol is to match carer allowance and carer health care card data against tax return data to verify taxpayers' eligibility for claimed tax offsets.

Source agency: Department of Human Services — Centrelink.

Credit and Debit Card Data Matching Program (November 2013)

The purpose of the protocol is to match merchant debit and credit card data against taxpayer records to identify businesses not meeting their registration, reporting, lodgement and payment obligations.

Source agencies:

  • American Express Australia Limited
  • ANZ Group Limited
  • Bank of Queensland Limited
  • Bendigo and Adelaide Bank Limited
  • BWA Merchant Services Pty Ltd
  • Commonwealth Bank of Australia
  • Diners Club Australia
  • National Australia Bank Limited
  • St George Bank
  • Westpac Banking Corporation.

Local Government Payments Data-Matching Program (January 2014)

The purpose of the protocol is to match taxable grants and payments made by local government entities (councils and shires) against taxpayer records to identify non-compliance with taxation obligations.

Source agencies: local government council and shire authorities throughout Queensland, New South Wales, Victoria, Tasmania, South Australia, Western Australia and the Northern Territory.

Online Selling Data-Matching Program (2012 and 2013 financial years) (March 2014)

The purpose of the protocol is to match online sales data with taxpayer records to identify taxpayers who did not report or under reported income in the 2012 and 2013 financial years.

Source agency: eBay Australia and New Zealand Pty Ltd.

Medicare Levy Exemption Data-Matching Program (May 2014)

The purpose of the protocol is to match Medicare data against taxpayer records to ensure individuals are complying with their Medicare levy obligations.

Source agency: Department of Human Services — Medicare.

Matching agency: Comcare

Injured Worker Data-Matching Program Protocol (October 2013)

The purpose of the protocol is to match taxpayer records against Comcare's records to ensure that recipients of incapacity payments are claiming the correct entitlements.

Source agency: Australian Taxation Office.

Matching agency: Department of Human Services

Department of Human Services New Compliance Data Sources Data-Matching with the Department of Education (May 2014)

The purpose of the protocol is to match Family Day Care educators and operators data against welfare payment records to identify individuals who are receiving unreported income while still collecting welfare payments.

Source agency: Department of Education.


Assessments

Prior to 12 March 2014 the Information Commissioner had the power to conduct privacy audits of Australian and ACT Government agencies, as well as some private sector organisations in certain circumstances. These audit powers included:

  • auditing agency compliance with the IPPs — s 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to TFNs and TFN information — s 28(1)(d)
  • auditing TFN recipients — s 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers — s 28A(1)(g).

Other than audits conducted using the above powers, the Information Commissioner could audit a private sector organisation only where the organisation requested this under s 27(3) of the Privacy Act.

Under the reforms to the Privacy Act, made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, audits are now known as 'assessments'. Under s 33C of the Privacy Act, from 12 March 2014 the Information Commissioner has the power to conduct assessments of agencies and organisations in relation to:

  • the Australian Privacy Principles — s 33C(1)(a)(i)
  • a registered APP code — s 33C(1)(a)(ii)
  • credit information files and credit reports held by credit reporting agencies and credit providers — s 33C(1)(b)
  • tax file number recipients — s 33C(1)(c)
  • data matching programs — s 33C(1)(d)
  • claims information associated with the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme — s 33C(1)(e).

Additionally, s 28A(1)(c) of the Privacy Act gives the Commissioner the ability to examine the records of the Commissioner of Taxation in relation to tax file numbers and tax file number information.

The Commissioner also has the power under s 309 of the Telecommunications Act 1997 to monitor compliance with certain record keeping requirements of telecommunications organisations.

In 2013–14, the OAIC commenced four audits or assessments and finalised two under the Privacy Act. The OAIC also completed one audit and continued to progress a second audit which had both commenced in the previous financial year. These totals do not include audits and assessments relating to eHealth, which are discussed separately below.

Audits and assessments help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits and assessments to promote best privacy practice and to reduce privacy risks across agencies.

An audit or assessment is a snapshot of personal information handling practices relating to the entity at a particular time and place. Entities are encouraged to consider audit and assessment findings broadly, and recognise that the issues identified may foster improvements beyond the particular aspect of their business operations subject to the audit or assessment.

OAIC audits and assessments are educative processes that seek to demonstrate that compliance with the Privacy Act is part of good management practice. Audits and assessments have been the catalyst for improvements to agencies' data security, accuracy of information, staff training and disclosure policies.

The OAIC generally publishes finalised audit and assessment reports on its website.

ACT government audits

The OAIC currently has a Memorandum of Understanding (MOU) with the ACT Government, which includes a commitment by the OAIC to conduct one audit of an ACT Government agency per financial year. The OAIC selects audit targets based on a risk assessment analysis that takes into account factors which include previous audits and audit findings, complaints about ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risks to, that information.

In 2013–14, the OAIC finalised two ACT Government audits.

ACT Education and Training Directorate

This OAIC audit commenced in the 2012–13 financial year, and examined the Education and Training Directorate's revised policy and guidelines with respect to third party access to student records (where the student is under 18 years), including where the personal information accessed is sensitive in nature. The audit fieldwork was undertaken in late June 2013 and the report was finalised and published on the OAIC website in December 2013.

Canberra Institute of Technology

The OAIC audit examined the Canberra Institute of Technology's collection of student information, the notifications provided to students during collection and the security safeguards in place to protect student information held. The audit fieldwork was undertaken in early December 2013, and the final report was finalised and published on the OAIC website in April 2014.

Identity security audits

The OAIC provided privacy advice to key agencies about projects delivered under the Australian Government's National Identity Security Strategy (NISS). One project under the NISS relates to the National Document Verification Service (DVS).

The DVS system allows authorised government agencies and specific organisations (that is, DVS 'users') to verify, online and in real time, the authenticity of an individual's Evidence of Identity (EOI) documents sourced from another government agency (that is, DVS 'issuers'). Agencies using the DVS are able to verify that:

  • the EOI document was issued by the relevant source government agency
  • details recorded on the EOI document correspond to the details held by the source government agency
  • the document is still valid.

The lead responsibility for the development of the DVS rests with the Attorney-General's Department.

In 2013–14, the OAIC undertook two identity security audits related to the DVS, which are explained below.

Australian Taxation Office

The OAIC commenced an audit of the ATO's use of the DVS system, to ensure the accuracy and completeness of personal information. The audit fieldwork was undertaken in late July 2013 and a draft report issued in May 2014. The finalisation of the report was ongoing as at 30 June 2014.

Department of Human Services (Medicare)

The OAIC commenced an assessment of security issues and the collection of personal information by the Department of Human Services (Medicare) in its role as a DVS issuer agency, with regard to its obligations under the Australian Privacy Principles. The assessment fieldwork was undertaken in March 2014 and the report was in progress as at 30 June 2014.

Australian Customs and Border Protection audits

The OAIC has an MOU with the Australian Customs and Border Protection Service (ACBPS) to conduct one audit each year of an aspect of ACBPS handling and use of Passenger Name Record (PNR) data. The MOU also has regard to an agreement between the Australian Government and the European Union (EU) for the provision of PNR data to the ACBPS, which contains provision for the OAIC to conduct oversight and accountability functions in relation to ACBPS handling of EU-sourced PNR data.

Where appropriate, the audit teams made recommendations in relation to privacy practices, and also made observations in relation to ACBPS' separate obligations under the agreement with the EU. The OAIC does not publish all ACBPS PNR audit reports on the OAIC website as some reports contain information that may affect the operational security of ACBPS.

In 2013–14, the OAIC commenced and finalised one PNR audit carried forward (with the agreement of ACBPS) from the 2012–13 financial year. The OAIC also commenced one PNR assessment under the 2013–14 MOU agreement.

Passenger Name Record: Implementation of Recommendations

The OAIC audit examined how the ACBPS had addressed all prior audit recommendations made by the OAIC (and the former Office of the Privacy Commissioner) since 2008, at both the Passenger Analysis Unit in Canberra and the Airport Operations rooms located in selected international airports around Australia. The audit fieldwork was undertaken in January 2014, with the final report issued in June 2014. The audit report was published on the OAIC website in July 2014.

Passenger Name Record: Melbourne Airport Operations

The OAIC assessment examined how the ACBPS Melbourne international airport operations room handled PNR data (including data sourced from the EU) in accordance with its security obligations under APP 11. The assessment fieldwork was undertaken in May 2014 and the assessment was ongoing as at 30 June 2014.

eHealth audits and assessments

The Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) establishes the personally controlled electronic health record (PCEHR) system. The PCEHR System Operator is currently the Secretary of the Department of Health. The OAIC has various enforcement and investigative powers in respect of the PCEHR system, under both the PCEHR Act and the Privacy Act.

The Healthcare Identifiers Act 2010 (HI Act) established the Healthcare Identifier Service (HI service), which commenced on 1 July 2010. The HI service is part of the Department of Human Services. Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.

The OAIC's eHealth audit and assessment activities were carried out under its MOU with Health (discussed in Chapter Six). During 2013–14, the OAIC began five audits/assessments relating to the PCEHR system and HI service, and continued with two audits begun in the 2012–13 period. In 2013–14, the OAIC completed three of these audits/assessments, with the remaining audits/assessments in the final stages at 30 June 2014. These are described in more detail below.

PCEHR system: PCEHR System Operator audits

The OAIC undertook two audits of the PCEHR System Operator.

The first audit, which commenced in May 2013, considered the System Operator's policies and procedures for the collection of personal information during the PCEHR consumer registration process. The purpose of this audit was to assess whether the System Operator's policies and procedures were consistent with its obligations under IPPs 1 to 3. At 30 June 2014, the OAIC was awaiting final comments from the System Operator on the audit report.

The second audit examined the storage and security of personal information held in the National Repositories Service. The National Repositories Service is the database system which holds eHealth records, and includes information such as shared health summaries, event summaries, discharge summaries, specialist letters, consumer entered health summaries and consumer notes.

The objective of the audit was to consider whether the System Operator had taken reasonable steps to protect personal information held in the National Repositories Service from loss, unauthorised access, use, modification or disclosure or other misuse. The audit commenced in November 2013. At 30 June 2014, the OAIC was awaiting final comments from the System Operator on the audit report.

PCEHR system: Assisted registration policies assessment

This assessment reviewed the assisted registration policies of ten healthcare provider organisations undertaking assisted registration. Under the PCEHR (Assisted Registration) Rules 2012, healthcare provider organisations are permitted to provide services to assist consumers to register for an eHealth record. These organisations are required to have policies in place setting out certain matters relating to the conduct of assisted registration, including the authorisation and training of employees, recording of consumer consent and processes for consumer identification.

The assessment considered how these policies addressed the privacy obligations set out in APPs 3 and 11, relating to the collection and security of personal information. The assessment commenced in February 2014. At 30 June 2014, the OAIC was awaiting final comments from the System Operator on the assessment report.

PCEHR system: Western Sydney Medicare Local assessment

This assessment considered Western Sydney Medicare Local (WSML) assisted registration practices. The objective of this assessment was to assess the extent to which WSML, in the course of conducting assisted registration, handled personal information in accordance with APP 3 (collection), APP 5 (notice of collection) and APP 11 (security of personal information). The assessment commenced in March 2014. At 30 June 2014, the OAIC was awaiting final comments from the System Operator on the assessment report.

PCEHR system: Calvary Health Care ACT assessment

This assessment reviewed Calvary Health Care ACT's (Calvary) privacy policy and privacy collection notice, including as they relate to the PCEHR system and HI service. The objective of the assessment was to assess Calvary's privacy policy and collection notice to determine Calvary's readiness for and compliance with the requirements under APPs 1 and 5. The assessment commenced in February 2014 and was finalised in June 2014.

HI service: HI Service Operator audits

The OAIC undertook two audits of the HI Service Operator.

The first audit, which commenced in May 2013, focused on the HI Service Operator's collection, use and disclosure of Individual Healthcare Identifiers and Healthcare Provider Identifiers–Individual (HPI-I) and associated identifying information. The purpose of the audit was to assess whether the Service Operator's handling of HI information was in accordance with the IPPs, the HI Act and the Healthcare Identifiers Regulations 2010 (HI Regulations). The audit was finalised in April 2014.

The second audit considered the HI Service Operator's storage and security of personal information held on the database of HPI-Is. The objective of this audit was to assess the extent to which the Service Operator maintained records in accordance with the IPPs, specifically IPP 4, and the relevant terms of the HI Act and the HI Regulations which relate to the storage and security of personal information pertaining to HPI-Is. The audit commenced in October 2013 and was finalised in June 2014.

HI service: Calvary Health Care ACT assessment

This assessment reviewed Calvary's privacy policy and privacy collection notice, including as they relate to the HI service.

More information is available in the OAIC's Annual report of the Information Commissioner's activities in relation to eHealth 2013–14.


Personal Information Digest and APP 1

Prior to 12 March 2014, IPP 5.3 of the Privacy Act required each Australian Government agency covered by the Privacy Act to keep a record detailing:

  • the nature of records of personal information kept by the agency
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records
  • the steps an individual needs to take to gain access to the records.

These records were provided to the OAIC in June of each year, and subsequently compiled and published as the 'Personal Information Digest'. With the commencement of the Privacy Act reforms on 12 March 2014, these requirements have been replaced by the requirements in APP 1, which include an agency having a clearly expressed and up-to-date APP privacy policy about how it manages personal information and for the policy to be freely available (usually on its website).
