Australian Government - Office of the Australian Information Commissioner

Chapter Five — Privacy advice and law

On this page

  1. Overview
  2. Privacy law reform
    1. Enhanced powers
    2. Privacy management framework
    3. Updates to Australian Privacy Principles guidelines
    4. External dispute resolution schemes
    5. Additional privacy law resources
  3. eHealth
  4. Advice and submissions to Australian Government agencies and parliamentary committees
    1. Data retention
    2. Foreign Fighters Act 2014
    3. Migration Amendment (Enhancing Biometrics Integrity) Bill 2015
    4. Options for improving the unclaimed bank account and life insurance money provisions
    5. My Aged Care
    6. Section 95 guidelines and national statement on ethical conduct in human research
    7. Advice to EDR schemes
    8. Advice on Department of Human Services privacy impact assessment
    9. Australian Bureau of Statistics surveys
  5. Advice to ACT public sector agencies
    1. ACT privacy law reform
    2. Guidance about TPP privacy policies
  6. Advice to the private sector
    1. Sending personal information overseas
    2. Technology and internet privacy
    3. Telecommunications industry codes
    4. Electronic transfer of prescription services
    5. Storing patient details and treatment notes in the cloud
    6. Sale of pharmacy businesses
    7. Advice on credit reporting laws
  7. Involvement in cross-government forums
    1. The National Identity Security Coordination Group
    2. National Biometrics Interoperability Framework Steering Committee
    3. AUSTRAC Privacy Consultative Committee
  8. Advice to other jurisdictions
    1. Comments on draft health privacy guidance released by the NSW Privacy Commissioner
    2. Bali Process Regional Support Office
    3. NSW Department of Justice
  9. Legislative instruments
    1. Codes
    2. Public interest determinations
    3. Privacy (Tax File Number) Rule 2015
  10. Submissions list
    1. Finance
    2. Health
    3. National security and law enforcement
    4. Telecommunications
    5. Copyright
    6. Human rights

Overview

The Office of the Australian Information Commissioner (OAIC) provides strategic policy advice on the application of the Privacy Act 1988 (Privacy Act) to Australian Government agencies, the Norfolk Island Administration and private sector organisations.

The OAIC also provides advice to Australian Capital Territory (ACT) public sector agencies about the application of the Information Privacy Act 2014 (ACT) (Information Privacy Act), which commenced on 1 September 2014. Prior to this date, ACT public sector agencies were subject to the Privacy Act.

The 2014–15 financial year was the first full year of operation of the privacy law reforms made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. In 2013–14, the OAIC's advice and guidance focused on preparing organisations and agencies for the commencement of the privacy reforms. Throughout 2014–15, the OAIC worked to promote privacy as a tool to enhance customer trust and confidence, and emphasised the need for organisations and agencies to build privacy into their business-as-usual processes. The OAIC developed a range of guidance documents to assist entities, including the Privacy management framework, a tool to help organisations and agencies ensure compliance with Australian Privacy Principle 1.2 and embed a culture of privacy into their everyday processes, and policy documents that explain how the OAIC exercises its expanded regulatory powers.

The 2014–15 year was a busy year for privacy advice. The OAIC published 32 pieces of guidance material, conducted seven public consultations, provided 197 pieces of external policy advice, made 36 submissions on legislative or other formal policy development processes and made six legislative instruments. Examples of this output are described below.

The OAIC continued to conduct work in the eHealth area as the independent regulator of privacy aspects of the Personally Controlled Electronic Health Records (PCEHR) system and the Healthcare Identifiers (HI) service.

Privacy law reform

On 12 March 2014, significant amendments to the Privacy Act came into force. These amendments included the replacement of the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) with the Australian Privacy Principles (APPs), the amendment of the Part IIIA credit reporting provisions, and new regulatory powers for the OAIC.

The OAIC has produced a comprehensive range of guidelines and legislative instruments to assist agencies, organisations and the public to understand their privacy obligations and rights. Additionally, the OAIC responded to specific privacy enquiries from Australian Government agencies, private sector bodies, not-for-profits and individuals.

Enhanced powers

The privacy reforms that commenced on 12 March 2014 gave the Australian Information Commissioner (Information Commissioner) new enforcement powers. During 2014–15, the OAIC published two key documents that explain the OAIC's range of privacy regulatory powers and its approach to using these powers: the Privacy regulatory action policy and the Guide to privacy regulatory action.

These documents explain the circumstances in which the OAIC will use its regulatory powers and the manner in which it will exercise them.

Privacy regulatory action policy

The Privacy regulatory action policy explains the OAIC's approach to using its privacy regulatory powers and communicating information publicly. It sets out information including:

  • the OAIC's goal of, and guiding principles for, taking privacy regulatory action
  • the OAIC's approach to regulatory action
  • how the OAIC decides whether to take regulatory action in a particular situation
  • when privacy regulatory actions may be publicly communicated.

The policy explains that when taking regulatory action the OAIC is guided by the principles of independence, accountability, proportionality, consistency, timeliness and transparency.

The draft policy was released for a period of public exposure in March 2014. The OAIC received comments from various stakeholders, including peak industry bodies. The Privacy Commissioner launched the policy on 17 November 2014.

Guide to privacy regulatory action

The Guide to privacy regulatory action sets out a detailed explanation of how the OAIC will exercise its privacy regulatory powers and the procedural steps the OAIC will take in using these powers. This guide expands on the principles set out in the Privacy regulatory action policy. It consists of eight chapters, each of which explains one of the OAIC's key privacy regulatory functions, such as privacy complaints handling processes, data breach incidents and Commissioner initiated investigations, enforceable undertakings, determinations, and privacy assessments.

The OAIC released a draft of the Guide to privacy regulatory action for public exposure in late 2014, and received comments from a wide range of stakeholders. The OAIC published the final version of this guide on 30 June 2015.

Privacy management framework

To mark the start of Privacy Awareness Week (PAW) 2015, the OAIC launched a new Privacy management framework (Framework). The Framework includes four steps that organisations and agencies are expected to take to meet their ongoing obligations under APP 1.2, which requires organisations and agencies to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. The Framework encourages entities to establish a privacy management plan that will help them implement the four steps outlined in the Framework and meet their goals and objectives for managing privacy.

The Framework emphasises that good privacy management stems from good privacy governance. It encourages entities to ensure that their leadership and governance arrangements create a culture of privacy that values personal information. The Framework also emphasises that good privacy management requires the development and implementation of robust and effective privacy practices, procedures and systems.

The Framework encourages entities to go beyond 'tick-box' compliance, and commit to good privacy practices. To do this, it suggests a number of actions that entities should commit to, depending on their particular circumstances, including their size, resources and business model.

Updates to Australian Privacy Principles guidelines

The APP guidelines were released in February 2014. The APP guidelines are the primary guidance to assist organisations and agencies to interpret and comply with the APPs.

In April 2015, the OAIC issued updates to the APP guidelines. These updates were made following feedback from stakeholders received during the first year of the privacy reforms.

Changes were made to four chapters of the APP guidelines. The changes clarified some aspects of the guidance, and responded to issues such as the introduction of separate privacy legislation in the ACT.

External dispute resolution schemes

External dispute resolution (EDR) schemes receive complaints about EDR member organisations from individuals, and provide independent dispute resolution services to resolve those complaints. The Privacy Act recognises the benefit of individuals bringing their complaints to an EDR scheme that has extensive experience in a particular industry before the complaint is brought to the OAIC, if necessary.

The Information Commissioner can recognise EDR schemes for the purposes of the Privacy Act. Under the Privacy Act, credit providers must be a member of a recognised EDR scheme to be able to disclose information to credit reporting bodies. In order to be recognised, EDR schemes must demonstrate their accessibility, independence, fairness, accountability, efficiency and effectiveness. During the reporting period the Privacy Commissioner recognised one EDR scheme, bringing the total number of recognised EDR schemes to eight. The Privacy Commissioner also commenced the process of recognising a ninth scheme.

Additional privacy law resources

The OAIC updated a number of its privacy resources over the year, many of which were released during PAW 2015. These included Privacy fact sheet 8: Ten tips to protect your privacy and Privacy business resource 9: Ten tips to protect your customers' personal information. More information about these resources can be found in Chapter Four: Communication and engagement.

Guide to securing personal information: 'Reasonable steps' to protect personal information

In January 2015, the OAIC released the Guide to securing personal information: 'Reasonable steps' to protect personal information. This publication is based on the former Guide to information security. The Guide to securing personal information reflects the amendments to the Privacy Act and incorporates the OAIC's increased experience regarding personal information security matters since the first version of the guide was released in April 2013.

The Guide to securing personal information is intended for use by organisations and agencies covered by the Privacy Act. It covers the 'reasonable steps' that they have to take under the Privacy Act to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Guide to securing personal information includes strategies that organisations and agencies should consider to secure the personal information they hold.

Data breach notification guide: A guide to handling personal information security breaches

The OAIC updated this resource in August 2014 to reflect the requirements of the amended Privacy Act. The Data breach notification guide: A guide to handling personal information security breaches provides general guidance for organisations and agencies responding to a data breach involving personal information.

Sending personal information overseas

In May 2015, the OAIC released new business and agency resources on sending personal information overseas. These resources explore some key privacy concepts and issues to assist organisations and agencies to understand and comply with the APPs when sending personal information overseas.

eHealth

The 2014–15 financial year was the third year of operation of the PCEHR system, established under the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act). This year was also the fifth year of the HI service, an important foundation for the PCEHR system and eHealth generally. The HI service is established under the Healthcare Identifiers Act 2010 (HI Act).

The handling of individuals' personal information is at the core of both the PCEHR system and the HI service. In recognition of the special sensitivity of health information, both the PCEHR and HI Acts contain provisions protecting and restricting the collection, use and disclosure of personal information. The OAIC administers those provisions as the independent regulator of the privacy aspects of the PCEHR system and HI service.

The OAIC's eHealth activities were carried out under a memorandum of understanding (MOU) with the Department of Health. In accordance with the MOU, the OAIC carried out a full program of eHealth related work, including:

  • commencing three assessments relating to the PCEHR system and HI service, and completing four assessments that were commenced in the previous reporting period
  • responding to eight mandatory data breach notifications in relation to the PCEHR system (including seven notifications received in 2014–15 and continuing work on one notification received in the previous reporting period)
  • reviewing and developing guidance materials for a range of audiences
  • providing advice to a range of stakeholders on privacy compliance obligations in relation to the PCEHR system
  • monitoring developments in eHealth and the PCEHR system.

In addition, the OAIC provided advice to the Department of Health on privacy issues raised by proposed changes to the PCEHR Act and HI Act, and the Australian Government's decision to trial the use of opt-out participation arrangements ahead of a possible move to a national opt-out eHealth record system. This included preparing a submission in response to the Department of Health's Electronic Health Records and Healthcare Identifiers: Legislation Discussion Paper. A separate annual report on the OAIC's eHealth activities is available on the OAIC's website.

More information about the OAIC's assessments and responses to mandatory data breach notifications in relation to the PCEHR system can be found in Chapter Six: Privacy compliance. More information on the MOU with the Department of Health can be found in Appendix 4.

Advice and submissions to Australian Government agencies and parliamentary committees

The OAIC provided privacy advice and submissions to Australian Government agencies and parliamentary committees, including on the management of personal information through legislation, and on specific policy proposals. A selection of the privacy advice and submissions provided in 2014–15 appears below.

Data retention

The OAIC made a written submission to the Joint Parliamentary Committee on Intelligence and Security (Joint Committee) in relation to its inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Data Retention Bill). The Privacy Commissioner also appeared before the Joint Committee to give evidence at public hearings held on 29 January 2015. The Data Retention Bill, which was subsequently passed on 26 March 2015 and commences on 13 October 2015, will introduce a mandatory requirement for Australian telecommunications service providers to collect and retain specified telecommunications data (commonly known as 'metadata') for a minimum period of two years. The OAIC submission emphasised that this scheme could have significant impacts on individual privacy. The OAIC suggested that the Joint Committee consider the necessity and proportionality of the measures proposed in the Data Retention Bill, to ensure that the scheme struck an appropriate balance between the privacy interests of individuals and the needs of law enforcement and security agencies in carrying out their functions and activities.

The Australian Government supported all of the Joint Committee's final recommendations on the reforms, some of which reflected recommendations or suggestions made by the OAIC. In particular, the Australian Government agreed to amend the Data Retention Bill to require that all service providers covered by the data retention scheme comply with the Privacy Act, and made a commitment to introduce a mandatory data breach notification scheme by the end of 2015. The OAIC continues to engage with the Australian Government in relation to implementation of the reforms.

Foreign Fighters Act 2014

The OAIC also made a written submission to the Joint Committee's inquiry into the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014, which was subsequently passed by Parliament on 30 October 2014. In its Advisory Report on this Bill, the Joint Committee recommended that the Privacy Commissioner undertake an assessment of the data collected and stored by the Department of Immigration and Border Protection (DIBP) and Australian Customs and Border Protection Service under that legislation, with a report to be provided to the Attorney-General by 30 June 2015.

The OAIC has been liaising with DIBP to give effect to this recommendation. As the collection of personal information under the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act) has not yet fully commenced, the OAIC will conduct these privacy assessments in the 2015–16 financial year.

The OAIC has also been working with DIBP as it conducts a series of privacy impact assessments (PIAs) on the changes that are currently being implemented under schedules five, six and seven of the Foreign Fighters Act. In June 2015, the OAIC provided feedback on the final version of the schedule five PIA. The OAIC has also received a draft version of the PIA on schedule seven of the Foreign Fighters Act.

Consistent with the Joint Committee's recommendation, the Privacy Commissioner wrote to the Attorney-General to inform him of this work and the expected timeframe for completing the privacy assessments.

Migration Amendment (Enhancing Biometrics Integrity) Bill 2015

The OAIC made a written submission to the Senate Legal and Constitutional Affairs Committee (LCA Committee) in relation to its inquiry into the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015 (Biometrics Bill). The Biometrics Bill seeks to consolidate DIBP's existing powers to collect biometric information under the Migration Act 1958 (Migration Act) into a single broad discretionary power. The OAIC's submission noted that the Biometrics Bill could have significant impacts on individual privacy, particularly for non-citizens. To ensure that the privacy impact of the Biometrics Bill is minimised, the OAIC suggested the LCA Committee consider whether the new power to collect biometric information could be drafted more narrowly, while still enabling DIBP to carry out its functions and activities under the Migration Act.

The LCA Committee recommended that the PIA prepared by DIBP in relation to the Biometrics Bill be made publicly available, a recommendation supported by the OAIC.

Options for improving the unclaimed bank account and life insurance money provisions

The OAIC made a submission to the Treasury in response to its discussion paper on options for improving legislative provisions concerning unclaimed bank account and life insurance money. Among other things, the OAIC suggested that the Treasury consider whether it is appropriate to continue to make publicly available all of the personal information required to be collected by the Australian Securities and Investments Commission for the purpose of reuniting individuals with their unclaimed money. The Treasury addressed this issue in the exposure draft of the legislation.

My Aged Care

The Department of Social Services (DSS) sought input from the OAIC in relation to the My Aged Care Gateway (Gateway), which is a key initiative of the reforms to the aged care system that DSS is leading. The purpose of the Gateway is to provide a central coordination point for the delivery of Commonwealth funded aged care services. The OAIC reviewed information provided by DSS and met with Departmental officers to discuss the reforms, as well as general privacy issues. The OAIC also provided DSS with a number of best practice privacy suggestions to address privacy issues that may arise in relation to the Gateway.

Section 95 guidelines and national statement on ethical conduct in human research

Under the Privacy Act, the National Health and Medical Research Council (NHMRC) may, with the approval of the Information Commissioner, issue guidelines that relate to the protection of privacy by agencies in the conduct of medical research (s 95). The OAIC worked with the NHMRC to develop amendments to the existing guidelines, and the Information Commissioner approved the revised guidelines.

In addition, the OAIC provided advice to the NHMRC on sections of its National Statement on Ethical Conduct in Human Research. In particular, the advice focused on appropriate consent models when personal information is handled for the purposes of human research.

Advice to EDR schemes

During the reporting period, the OAIC liaised with recognised EDR schemes in response to specific requests for advice on privacy issues impacting the schemes. The OAIC also developed policies for EDR schemes to assist them to comply with the Guidelines for recognising EDR schemes. In consultation with the recognised EDR schemes, the OAIC developed a policy for schemes to report on serious or repeated interferences with privacy, or systemic privacy issues.

Advice on Department of Human Services privacy impact assessment

The OAIC and the Department of Human Services (DHS) entered into a service MOU to cover the 2014–15 financial year. Under this MOU, the OAIC provided dedicated privacy advice and assistance to DHS on the interpretation and management of personal information privacy obligations relating to the administration and delivery of its payments and services. This included providing advice on DHS's 'Tell us once' phase one PIA.

More information about this MOU can be found at Appendix 4.

Australian Bureau of Statistics surveys

The Australian Bureau of Statistics sought comment from the OAIC on several of its surveys, including the 2016 Census of Population and Housing, the 2015–16 Household Income and Expenditure Survey and the 2015 Survey of Disability, Ageing and Carers. The OAIC reviewed the material and provided a number of comments and best practice privacy suggestions in relation to the collection of personal information from survey participants.

Advice to ACT public sector agencies

The OAIC provides advice to ACT public sector agencies on privacy issues under an MOU. The MOU also includes a commitment by the OAIC to conduct one assessment of an ACT public sector agency per financial year. More information about the OAIC's assessment program can be found in Chapter Six: Privacy compliance. More information about this MOU can be found at Appendix 4. A separate annual report on the OAIC's activities under this MOU is available on the OAIC's website.

ACT privacy law reform

A significant focus for the OAIC during 2014–15 was to provide advice to enable ACT public sector agencies to understand their obligations under the Information Privacy Act, which commenced on 1 September 2014.

The Information Privacy Act includes a set of Territory Privacy Principles (TPPs), which cover the collection, use, storage and disclosure of personal information, and an individual's right to access and correct that information. The TPPs are similar to the APPs.

The OAIC developed a range of privacy resources to assist the general public and ACT public sector agencies to understand their privacy rights and responsibilities. These included:

  • Privacy fact sheet 42: Australian Capital Territory Privacy Principles
  • Privacy fact sheet 43: Making a privacy complaint under the Territory Privacy Principles
  • Privacy agency resource 3: Information Privacy Act 2014 — Checklist for ACT agencies
  • TPP quick reference tool.

Guidance about TPP privacy policies

Every ACT public sector agency that is bound by the Information Privacy Act is required to have a clearly expressed and up-to-date TPP privacy policy that describes how it manages personal information.

Advice was sought by a number of ACT public sector agencies on their updated TPP privacy policies. The OAIC reviewed the privacy policies and provided comments and best practice privacy suggestions, taking into account the requirements of TPP 1.

Advice to the private sector

The OAIC works collaboratively with business and not-for-profits to promote understanding and acceptance of the new privacy laws and the APPs. During 2014–15, the OAIC provided advice to private sector organisations on a variety of matters.

Sending personal information overseas

A number of law firms, industry groups and businesses requested advice from the OAIC regarding obligations under APP 8 and s 16C of the Privacy Act when sending personal information overseas. APP 8 and s 16C create a framework for the cross-border disclosure of personal information. This framework generally requires an entity to ensure that an overseas recipient will handle an individual's personal information in accordance with the APPs, and makes the entity accountable if the overseas recipient mishandles the information.

In response to these enquiries, the OAIC advised that the APPs do not prevent an entity from sending personal information overseas. However, the OAIC set out a range of matters that entities need to carefully consider to ensure compliance with the APPs.

To further promote understanding and compliance with APP 8 and s 16C of the Privacy Act, the OAIC produced an agency resource and a business resource on sending personal information overseas.

Technology and internet privacy

The OAIC liaises with a wide range of private sector organisations on technology and internet privacy issues. The OAIC maintains relationships with a number of large global technology companies including Facebook, Google, Microsoft and Apple, and Australian telecommunications providers such as Optus, Telstra and Vodafone.

In December 2014, in collaboration with 23 other global privacy enforcement authorities, the OAIC wrote to Apple, Google, Samsung, Microsoft, Nokia, BlackBerry, and Amazon.com, asking them to make links to privacy policies mandatory for mobile apps that collect personal information.

The OAIC also provided guidance to organisations that experienced data breaches. Further information about the OAIC's data breach work is contained in Chapter Six: Privacy compliance.

Telecommunications industry codes

The Information Commissioner must be consulted during the development or revision of telecommunications industry codes that have an impact on privacy. During 2014–15, the OAIC liaised with Communications Alliance, Australia's primary telecommunications industry body, as it developed and revised a number of codes.

For example, the OAIC made recommendations to Communications Alliance during the development of the Copyright Notice Scheme Industry Code, to ensure that the bodies established to administer that scheme are covered by the Privacy Act, and are therefore obliged to protect and handle personal information gathered under the scheme in accordance with the APPs.

Electronic transfer of prescription services

The OAIC responded to a request for advice about how the APPs apply to the use and disclosure of health information to send a patient prescription through an 'electronic transfer of prescriptions' (eTP) service. The OAIC provided advice about how the exceptions in APP 6 might apply to permit prescription information to be handled in this way, including the exceptions relating to consent and reasonable expectation. The OAIC also provided advice about using an eTP service to upload prescription information to a patient's PCEHR.

Storing patient details and treatment notes in the cloud

The OAIC responded to a request for advice from the private healthcare sector about the use of cloud-based applications for storing patient details and treatment notes, and the use of offshore back-ups. The advice noted that, while the APPs do not prevent an entity from storing personal information on a local or overseas cloud service, the entity should carefully consider the steps that need to be taken to ensure compliance with the APPs.

The advice outlined the key APPs for consideration, including the APPs dealing with security, use and disclosure, access, correction, cross-border disclosure of personal information, and open and transparent management of personal information.

Sale of pharmacy businesses

The OAIC provided advice on what the APPs require in relation to personal information when a community pharmacy changes ownership. The OAIC's advice covered the obligations of the old owner when disclosing personal information, and the obligations of the new owner when collecting personal information, including the need to obtain customers' consent, and to provide customers with adequate notice under APP 5.

Advice on credit reporting laws

The OAIC continued to engage with participants in the Australian consumer credit reporting system regarding their obligations under Part IIIA of the Privacy Act.

Involvement in cross-government forums

The OAIC is a member of several cross-government committees and forums. The OAIC engages with other members and state and territory government agencies to provide advice on the privacy obligations relevant to that committee or forum.

The National Identity Security Coordination Group

The OAIC is a member of the National Identity Security Coordination Group (NISCG), coordinated by the Attorney-General's Department. The NISCG consists of representatives from the Australian and state and territory government agencies with key roles in identity management. The NISCG was established to coordinate and implement the National Identity Security Strategy. The OAIC provides privacy advice to this group.

National Biometrics Interoperability Framework Steering Committee

The OAIC continued to participate in the National Biometrics Interoperability Framework Steering Committee. The purpose of this Committee is to guide the biometric centres of expertise, to manage and oversee the National Biometric Interoperability Framework (NBIF), and to promote biometric interoperability across the Australian Government. The OAIC provides policy advice on the privacy considerations to be taken into account in the development of the NBIF, and other biometrics projects.

AUSTRAC Privacy Consultative Committee

The OAIC is a member of the AUSTRAC Privacy Consultative Committee, an advisory committee to the AUSTRAC Chief Executive Officer (CEO). The Privacy Consultative Committee comprises revenue, law enforcement, privacy, and civil liberties representatives to promote understanding of issues and develop positions concerning related matters. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) requires the AUSTRAC CEO to have regard to privacy, and consult with the OAIC in performing functions under the AML/CTF Act. The Privacy Consultative Committee is one of the means by which the AUSTRAC CEO fulfils these obligations.

Advice to other jurisdictions

The OAIC provides advice to other jurisdictions as part of its activities, both internationally and domestically.

During 2014–15, the OAIC continued to participate actively in a number of international privacy and data protection forums. Participation in these forums enables the OAIC to build collaborative relationships and remain aware of emerging international privacy protection issues.

Comments on draft health privacy guidance released by the NSW Privacy Commissioner

The OAIC made a submission to the NSW Information and Privacy Commission's (IPC) public consultation on its draft health privacy guidance. The OAIC also met with officers from the NSW IPC to discuss the draft guidance in more detail. The OAIC was interested in engaging with the NSW IPC on this matter because private sector health service providers in NSW are covered by both Australian and NSW privacy legislation. The OAIC's comments sought to ensure that private sector providers in NSW were aware of, and complied with, the legislation of both jurisdictions.

Bali Process Regional Support Office

The OAIC provided advice to the Regional Support Office of the Bali Process on the Regional Biometric Data Exchange Solution, which aims to facilitate greater information exchange between Bali Process members. The OAIC's advice related to the application of the APPs against the policy framework, which incorporates a number of cross-jurisdictional privacy considerations. The OAIC also offered suggestions to enhance the proposed privacy protections.

NSW Department of Justice

The OAIC actively engaged with the NSW Department of Justice about the interaction between the Privacy Act and Part 13A of the Crimes (Domestic and Personal Violence) Act 2007 (NSW) (Part 13A). The OAIC provided advice about the application of the Privacy Act and Part 13A to entities sharing personal information, and the circumstances in which an exception to the Privacy Act might apply, including where the collection, use or disclosure of personal information is required or authorised by law, or where one of the permitted general situations in s 16A of the Privacy Act applies.

Legislative instruments

Under the Privacy Act, the Information Commissioner has power to make certain legislative instruments. When making those legislative instruments, the Information Commissioner is required to comply with the requirements of the Legislative Instruments Act 2003. All legislative instruments finalised during 2014–15 are publicly available on the Federal Register of Legislative Instruments.

Codes

The Privacy Act allows the OAIC to register binding APP codes that are in the public interest. APP codes do not replace the relevant provisions of the Privacy Act, but operate in addition to the requirements of the APPs. In 2014–15 the OAIC registered the first APP code since the commencement of the privacy reforms.

Privacy (Market and Social Research) Code 2014

The OAIC registered the Privacy (Market and Social Research) Code 2014 (Market research code) on 28 November 2014. The Market research code sets out how the APPs are to be applied, and complied with, by members of the Association of Market and Social Research Organisations (AMSRO) in relation to the collection, retention, use, disclosure and destruction of personal information in market and social research. The OAIC worked closely with AMSRO during the development of the Market research code.

Public interest determinations

Part VI of the Privacy Act gives the Information Commissioner the power to make a determination that an act or practice that may constitute a breach of an APP or an approved APP code shall be regarded as not breaching the APP or approved code for the purposes of the Privacy Act. The Information Commissioner can make a determination only if satisfied that the public interest in the act or practice occurring substantially outweighs the public interest in the adherence to the APP or registered code. This is known as a public interest determination (PID).

The Information Commissioner may also make a temporary public interest determination (TPID) to operate for up to 12 months, if an urgent determination is required.

International Money Transfers

On 25 February 2015, the Privacy Commissioner issued three PIDs related to International Money Transfers (IMT). These determinations replace the temporary determinations made in 2014 and permit ANZ, the Reserve Bank of Australia and all authorised deposit-taking institutions within the meaning of the Banking Act 1959 to disclose the personal information of a beneficiary of an IMT to an overseas financial institution when processing an IMT, without breaching the APPs. The PIDs will have effect for five years.

Contestability Review TPIDs

On 16 March 2015, the Privacy Commissioner issued a TPID in response to an application from Comcare. A similar TPID was also issued on 25 March 2015, in response to an application from the Department of Veterans' Affairs.

The TPIDs enabled the agencies to disclose the personal information contained in a limited number of claims files to professional services firm Ernst & Young without breaching their APP obligations. The disclosure of the files was for the purpose of undertaking a review of the Commonwealth's insurable risk portfolio by Ernst & Young on behalf of the Departments of Finance and Employment. The TPIDs included a number of important privacy protections. In particular, only a limited number of claims files were permitted to be disclosed to Ernst & Young to meet the objectives of the review. Ernst & Young was also only permitted to view the personal information in the claims files on site and was not permitted to copy the information or otherwise incorporate it into its own records. The TPIDs expired on 22 May 2015.

Privacy (Tax File Number) Rule 2015

The OAIC registered the Privacy (Tax File Number) Rule 2015 (TFN Rule) on 4 March 2015, replacing the previous Tax File Number Guidelines 2011 (TFN guidelines). The TFN Rule is made under s 17 of the Privacy Act and regulates the collection, storage, use, disclosure, security and disposal of individuals' Tax File Number information. A breach of the TFN Rule is an interference with privacy under the Privacy Act. The OAIC consulted with DHS as part of the development of the TFN Rule; however, wider public consultation was not considered necessary because the changes in the TFN Rule sought only to clarify the existing arrangements in the TFN guidelines.

Submissions list

In 2014–15, the OAIC made several submissions to inquiries being undertaken by parliamentary committees and government agencies. The published submissions made by the OAIC during 2014–15 are listed below.

Finance

  • Consultation on the exposure draft of the Banking Laws Amendment (Unclaimed Money) Bill 2015 — submission to the Treasury
  • Financial System Inquiry Final Report — submission to the Treasury
  • Consultation on Australian Retail Credit Association Authorisation A91482 — submission to the Australian Competition & Consumer Commission
  • Financial System Inquiry Interim Report — submission to the Financial System Inquiry
  • Discussion Paper: Options for improving the Unclaimed Bank Account and Life Insurance Money Provisions — submission to the Treasury

Health

  • Electronic health records and healthcare identifiers: Legislation discussion paper — submission to the Department of Health
  • Draft determination on Medicines Australia Limited's application for re-authorisation — submission to the Australian Competition & Consumer Commission
  • Pathology and diagnostic imaging in the Personally Controlled Electronic Health Record system — submission to the Department of Health
  • Draft Principles for Accessing and Using Publicly Funded Data — submission to the National Health and Medical Research Council
  • Draft privacy guidance for NSW health service providers — submission to the NSW Information and Privacy Commission

National security and law enforcement

  • Inquiry into the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015 — submission to the Senate Legal and Constitutional Affairs Committee
  • Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 — submission to the Parliamentary Joint Committee on Intelligence and Security
  • Inquiry into the Australian Citizenship and Other Legislation Amendment Bill 2014 — submission to the Senate Legal and Constitutional Affairs Committee
  • Inquiry into the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 — submission to the Parliamentary Joint Committee on Intelligence and Security
  • Inquiry into the National Security Legislation Amendment Bill 2014 — submission to the Parliamentary Joint Committee on Intelligence and Security
  • Inquiry into financial crime — submission to the Parliamentary Joint Committee on Law Enforcement

Telecommunications

  • Draft Calling Number Display Guideline — submission to the Communications Alliance
  • Review of the Commercial Television Industry Code of Practice — submission to Free TV Australia
  • Proposed amendments to the Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2013 — submission to the Australian Communications and Media Authority
  • Draft Copyright Notice Scheme Industry Code — submission to the Communications Alliance
  • Online copyright infringement discussion paper — submission to the Attorney-General's Department

Human rights

  • Issues Paper 46: Traditional Rights and Freedoms — Encroachments by Commonwealth Laws — submission to the Australian Law Reform Commission
  • Discussion Paper on Rights and Responsibilities 2014 — submission to the Australian Human Rights Commission
  • Discussion Paper 81: Equality, capacity and disability in Commonwealth laws — submission to the Australian Law Reform Commission
