Australian Government - Office of the Australian Information Commissioner

Part 2 Performance

Our performance statement

Introduction

I, Timothy Pilgrim, as the accountable authority of the Office of the Australian Information Commissioner, present the 2015–16 annual performance statements of the Office of the Australian Information Commissioner, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, these annual performance statements are based on properly maintained records, accurately reflect the performance of the entity, and comply with subsection 39(2) of the PGPA Act.

Purpose

The OAIC is an independent statutory agency, established in November 2010 under the Australian Information Commissioner Act 2010.

The main functions of the OAIC are:

  • privacy functions — ensuring proper handling of personal information in accordance with the Privacy Act and other legislation
  • FOI functions — protecting the public’s right of access to documents under the FOI Act.

Results

Table 1: Performance statement results

The table has three columns (Performance criteria; Criteria source; Result against performance criteria). Each row is set out below as a labelled entry.

Performance criteria:

  • 80% of privacy complaints finalised within 12 months.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.1: Handle privacy complaints.
  • Portfolio Budget Statements 2015–16: Program 1.1.

Result against performance criteria: Target met.

  • 97.2% of privacy complaints were finalised within 12 months of their receipt.

Performance criteria:

  • Privacy assessments completed within 6 months.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.2: Conduct performance assessments.
  • Portfolio Budget Statements 2015–16: Program 1.1.

Result against performance criteria: Target met.

  • Average time taken to conduct privacy assessments in 2015–16 was 5.7 months.

Performance criteria:

  • 80% of Commissioner initiated investigations (CIIs) are finalised within 8 months.
  • 80% of data breach notifications handled or escalated to CII within 60 days.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.3: Conduct Commissioner initiated investigations and handle voluntary and mandatory data breach notifications.

Result against performance criteria: Target met for CIIs and voluntary data breach notifications; target not met for mandatory data breach notifications.

  • 92.3% of CIIs were finalised within 8 months.
  • 87.1% of voluntary data breach notifications were handled or escalated to CII within 60 days.
  • 54.5% of mandatory data breach notifications were handled or escalated to CII within 60 days.

All data breach notifications were risk-assessed upon receipt.

In 2015–16 there was an increase in mandatory data breach notifications received by the OAIC. Methods for managing this increase are being evaluated.

Performance criteria:

  • 100% of privacy enquiries finalised within 10 days.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.4: Provide a public information service.

Result against performance criteria: Target not met.

  • 70% of privacy related written enquiries were finalised within 10 working days. Enquirers were notified of any delay at the time.
  • 100% of phone enquiries were finalised on the day of the call.

In 2015–16 we saw a 34% increase in written enquiries to our office. Written enquiries take longer to process as they are often more complex in nature. This trend towards written enquiries will be evaluated to ensure we have the capacity to respond to the public in future.

Performance criteria:

  • Key privacy resources are identified, developed and promoted for business, government and the community.
  • Undertake consultations with stakeholders on significant privacy resources.
  • Monitor proposed enactments and government programs for privacy impacts.
  • Provide advice to government agencies and guidance to business on emerging privacy issues.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.5: Assist regulated entities to improve understanding of privacy compliance.

Result against performance criteria: Target met.

  • Issued 230 pieces of advice on privacy issues.
  • Completed over 21 submissions on privacy related topics.
  • Released 25 resources for the public and regulated entities, with over five resources opened up for consultation.

Performance criteria:

  • New website with enhanced accessibility features launched.
  • Privacy Awareness Week campaign held with an increase in the number of participating private and public sector partners.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.6: Promote awareness and understanding of privacy rights in the community.

Result against performance criteria: Target met.

  • New website (www.oaic.gov.au) launched in October 2015 with new accessibility features including a keyboard-navigable menu, search suggestions, Vision Australia YouTube player, footnotes and ARIA landmarks.
  • Increase in Privacy Awareness Week partners this year, with 246 private and public sector organisations signing up as partners.

Performance criteria:

  • Applications for Public Interest Determinations and Australian Privacy Principle (APP) codes are considered.
  • Legislative instruments are up to date.

Criteria source:

  • Corporate Plan 2015–16: Activity 1.7: Develop legislative instruments.

Result against performance criteria: Target met.

  • No applications for Public Interest Determinations or APP codes were received. General advice was provided on these processes.

Performance criteria:

  • 80% of Information Commissioner FOI reviews finalised within 12 months of their receipt.

Criteria source:

  • Corporate Plan 2015–16: Activity 2.1: Provide a timely and effective Information Commissioner review function.
  • Portfolio Budget Statements 2015–16: Program 1.1.

Result against performance criteria: Target met.

  • 87% of applications for an Information Commissioner review were finalised within 12 months of receipt.

Performance criteria:

  • 100% of FOI enquiries finalised within 10 days.

Criteria source:

  • Corporate Plan 2015–16: Activity 2.2: Provide an information service to the community on information access rights.

Result against performance criteria: Target not met.

  • We responded to 85% of FOI related written enquiries within 10 working days. Enquirers were notified of any delay at the time.
  • 100% of phone enquiries were finalised on the day of the call.

As mentioned above, in 2015–16 we saw a 34% increase in written enquiries to our office, which take longer to process as they are often more complex in nature. Methods for managing written enquiries are being evaluated for implementation in 2016–17.

Performance criteria:

  • Annual staff survey results on people management indicators are maintained or improved.

Criteria source:

  • Corporate Plan 2015–16: Activity 3.1: Excellence in people management.

Result against performance criteria: Results not available yet.

Analysis

We have provided an analysis of our performance throughout the remainder of this chapter.


Privacy

We regulate the handling of personal information as set out in Australia’s Privacy Act.

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The Privacy Act includes 13 Australian Privacy Principles (APPs) which set out standards for businesses and government agencies managing personal information.

Australian Privacy Principles

  • APP 1 — Open and transparent management of personal information
  • APP 2 — Anonymity and pseudonymity
  • APP 3 — Collection of solicited personal information
  • APP 4 — Dealing with unsolicited personal information
  • APP 5 — Notification of the collection of personal information
  • APP 6 — Use or disclosure of personal information
  • APP 7 — Direct marketing
  • APP 8 — Cross-border disclosure of personal information
  • APP 9 — Adoption, use or disclosure of government related identifiers
  • APP 10 — Quality of personal information
  • APP 11 — Security of personal information
  • APP 12 — Access to personal information
  • APP 13 — Correction of personal information.

Enquiries

We assist the public by providing information about privacy issues and privacy law. We provide this assistance by phone, in writing and in person.

This year there was an 18% rise in enquiries compared to last year. We answered 15,160 phone enquiries and saw written, often email, enquiries grow by 34% (3,912 in total).

e.g.

A health insurance company may have disclosed the details of an individual’s claim, including its reasons for declining, to an unauthorised third party.

A caller to our enquiry service raised concerns about the insurance company’s attempted collection of health records that the individual did not consider relevant to their insurance claim.

We helped the enquirer by letting them know their rights under the Privacy Act and that they had the option to lodge a formal privacy complaint.

Issues

In 2015–16, the most common privacy enquiries to our office were about the use and disclosure of personal information (APP 6) followed by access (APP 12) and data security (APP 11).

The table below sets out all our phone enquiries about the APPs.

Table 2: Phone enquiries about the APPs

Issue                                          Number
APP 1 — Open and transparent management           135
APP 2 — Anonymity and pseudonymity                 13
APP 3 — Collection                              1,271
APP 4 — Unsolicited personal information           10
APP 5 — Notification of collection                673
APP 6 — Use or disclosure                       2,228
APP 7 — Direct marketing                          345
APP 8 — Cross-border disclosure                   120
APP 9 — Government identifiers                     10
APP 10 — Quality of personal information          138
APP 11 — Security of personal information       1,432
APP 12 — Access to personal information         1,519
APP 13 — Correction                               107
APPs — Exemptions                               1,290
APPs generally                                  1,085

We also received a number of questions related to other privacy issues. The table below categorises these enquiries.

Table 3: Other privacy phone enquiries*

Issue                              Number
Credit reporting                    1,015
Spent convictions                     162
Data breach notification              103
Tax file numbers                       46
My Health Records (eHealth)            31
Territory privacy principles           19
Information privacy principles          6
Data-matching                           4
National privacy principles             3
Privacy codes                           3
PPS register                            2
Healthcare identifier                   1

* This list does not include other enquiries outside of our jurisdiction or scope, for example, misdirected phone calls.

e.g.

A retail outlet wanted to introduce credit checks on applicants as part of its recruitment process to find out if someone was bankrupt or had a bad credit history.

We advised the enquirer that the credit reporting provisions would prevent a credit reporting body from disclosing its reports, as the outlet did not appear to meet the legal definition of a ‘credit provider’ and the purpose of collection did not fit any of the permitted disclosures. We also informed the enquirer that businesses should only collect personal information that is reasonably necessary for their functions or activities and that, where possible, it should be collected directly from the individual.

Complaints

We investigate complaints about acts or practices that may interfere with an individual’s privacy, as defined by the Privacy Act. Typically, privacy complaints are made by individuals who are concerned that an organisation has mishandled their personal information.

We investigate complaints relating to APPs, consumer credit reporting, any registered APP code, and the handling of other information such as tax file numbers, spent convictions, data-matching and healthcare identification information.

During 2015–16, we received 2,128 privacy complaints. This number is lower than last year which saw multiple complaints about a single data breach incident and an increased number of credit complaints. We continued to resolve matters efficiently, with 2,038 privacy complaints closed during the year, an improvement on the previous financial year, where we closed 1,976 complaints.

Issues

The majority of privacy complaints received this year related to the APPs (67%), with credit reporting matters continuing to feature strongly (20%).

The issues most commonly raised in complaints under the APPs were:

  1. use or disclosure of personal information
  2. security of personal information
  3. access to personal information
  4. manner of collection of personal information.

Sectors

We receive complaints across a broad range of sectors. In 2015–16, we received the most complaints from the following six sectors: finance, government, health service providers, credit reporting bodies, telecommunications providers and online services.

The table below shows the most commonly complained about sectors.

Table 4: Privacy complaints by sector

Sector                                  Number
Finance and superannuation                 366
Australian Government                      223
Health service providers                   200
Telecommunications                         153
Credit reporting bodies                    151
Online services                            120
Retail                                     111
Utilities                                   98
Debt collectors                             88
Business/professional associations          76
Other                                      542

e.g.

An individual alleged that a credit reporting body interfered with their privacy by repeatedly including incorrect and misleading information in their credit report. As a consequence, the complainant was refused credit on a number of occasions.

The errors occurred over a number of years and included name, address, gender, employer, as well as incorrect enquiries. A notification was placed on the complainant’s credit report, but the errors continued.

The complainant also alleged that the credit reporting body had mistakenly supplied his twin brother, who had a similar name, with a copy of his credit report.

The matters were resolved by conciliation with the credit reporting body agreeing to provide $6,000 in compensation, reimbursement for a credit monitoring service subscription for four years, a written apology and a dedicated contact point for the individual to call if further issues arose.

Resolving complaints

This year we improved our complaint handling times, with 97.2% of all privacy complaints resolved within 12 months of receipt. The average time taken to close a privacy complaint during this period was 4.9 months.

Most privacy complaints were closed on the basis that the respondent had not interfered with the individual’s privacy, or on the basis that the respondent had adequately dealt with the matter.

The number of complaints resolved as ‘adequately dealt with’ reflects our aim of resolving privacy complaints through conciliation wherever possible. We encourage both parties involved in a complaint to play an active role and participate in discussions and negotiations to try and reach a mutual agreement or outcome.

Outcomes achieved through conciliation often have a broader reach than the individual complainant, and can deliver positive outcomes for other individuals dealing with the same business or agency. For example, to resolve an individual privacy complaint a respondent may implement changes to improve its privacy practices.

The main remedies achieved in complaints were:
  1. complainant is given access to their personal information
  2. a record or credit file is amended
  3. an apology is provided to the complainant
  4. compensation
  5. the organisation changes its procedures
  6. staff training.

e.g.

A complaint was made by a relative who held enduring power of attorney for an elderly person who was receiving numerous direct marketing offers. Prior to contacting us, the individual had repeatedly requested to be unsubscribed from marketing communications. The organisation had agreed to cease communication for future campaigns, but advised it was unable to stop the complainant from receiving direct communications for another 45 days due to its automated process.

Meanwhile the elderly individual, who lived alone, continued to make purchases as a result of the marketing offers.

Following our enquiries, the organisation provided a refund of approximately $750 to cover amounts already paid by the elderly individual and cancelled other outstanding product orders. The organisation provided a written apology, and implemented system changes including the redirection of their privacy contact number from an overseas call centre to its Australian office. The organisation also assigned a dedicated staff member to its privacy email address.

This year we commenced the development of an online searchable ‘Conciliated outcomes’ webpage that allows individuals, businesses and agencies to understand the types of outcomes achieved through conciliation. This new online tool will reflect the breadth of privacy issues resolved by our office and will be available at www.oaic.gov.au in the first half of 2016–17.

Community and sector engagement

This year we continued to interact with key industry and community stakeholders about recurring or significant issues arising in complaints. We also engaged with recognised External Dispute Resolution (EDR) schemes. As a part of this engagement, we provided training on the APPs and credit reporting and advised on issues that arose in the handling of complaints by the schemes.

Our focus is on greater community engagement and awareness of the privacy complaint functions of our office and the outcomes it can deliver for individuals who experience interference to their privacy.

Determinations

Under section 52 of the Privacy Act, the Commissioner can make determinations on privacy complaints where conciliation during the complaints process has not resolved the matter. The Commissioner can also make determinations in relation to Commissioner initiated investigations (CIIs). This year the Commissioner made seven determinations under the Privacy Act.

Interestingly, the majority of the determinations made in 2015–16 involved ‘low tech’ privacy breaches, often resulting from human error or basic failures in business management. These determinations demonstrate that privacy obligations are part of everyday business management.

Examples of determinations made in 2015–16 can be found below.

A full list of our determinations is available at www.oaic.gov.au/privacy-law/determinations

‘IX’ and Business Services Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42 (30 June 2016)

The Commissioner determined that TeleChoice had breached APP 11.1 and APP 11.2 by failing to adequately secure the complainant’s personal information, which she had provided to sign up for a TeleChoice mobile phone and phone plan, and by failing to destroy or de-identify it when it was no longer required. The individual was informed by a relative that a folder with her name on it had appeared in a televised story about opened shipping containers on publicly accessible land in Hastings, Victoria, which contained TeleChoice customers’ personal information. The individual was provided with proof that her personal information had subsequently been destroyed on 23 April 2015. She was also provided with an apology and awarded $3,500 in damages.

TeleChoice voluntarily reported the data breach to the OAIC on 24 April 2015 and, on 22 October 2015, offered an enforceable undertaking to improve its data security measures, which our office accepted.

‘IV’ and ‘IW’ [2016] AICmr 41 (27 June 2016)

The Commissioner found that a medical practitioner had breached APP 6.1 and APP 10.2 when he referred to an individual’s ‘delusional depression’ in an email response to the individual which was also sent to six other people. The complainant, who had known the doctor for years through their shared religious community, had previously been treated for anxiety by the doctor. However, during this occasion the complainant was emailing the doctor questions regarding religion, not his medical treatment. The complainant was awarded $10,000 in compensation.

‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37 (27 June 2016)

NRMA was required to review their disclosure practices in relation to certificates of insurance, review their customer information guides, and award $3,000 in compensation to an individual after being found in breach of APP 6.1 and APP 11.1.

The case arose after an individual complained that information about assets she and her husband had insured with NRMA was improperly disclosed in a Certificate of Insurance Home Buildings Renewal for 2014–15, which was sent to an individual with whom she jointly held a home building insurance policy.

‘HW’ and Freelancer International Pty Limited [2015] AICmr 86 (18 December 2015)

Freelancer International Pty Limited, which operates the Freelancer.com website, was ordered by the Commissioner to pay an individual $20,000 in damages, apologise to the individual and provide training to staff on information handling procedures after breaching NPP 1.3 and NPP 2.1.

The Commissioner found that the organisation had not taken reasonable steps to ensure the individual was aware of why his IP address information was collected, and that the organisation had improperly disclosed the individual’s personal information by publishing identifying information about him on a number of websites.

‘HS’ and AMP Life Ltd [2015] AICmr 81 (17 December 2015)

The Commissioner found that AMP Life Limited (AMP) had breached NPP 1.5 and NPP 4.1, as well as Tax File Number (TFN) Guidelines 2, 5 and 6, by collecting an individual’s personal financial information and disclosing their TFN to a third party, which in this case was the Financial Ombudsman Service (FOS).

AMP was assessing a claim by the individual’s wife, who had income protection insurance with the organisation. During this assessment, they collected his information without taking reasonable steps to inform him. AMP then provided his TFN to the FOS, following a complaint by his wife regarding AMP’s administration of her claim. The complainant was awarded $10,000 and a written apology.

Data breach notifications

We administer a voluntary data breach notification scheme, which allows businesses and agencies to self-report possible privacy breaches.

There is also a mandatory scheme for digital health data breaches. Further information on that scheme can be found in the digital health section of this report.

The number of reported voluntary and mandatory data breaches continued to grow in 2015–16, up 5.1% on the previous year.

Table 5: Voluntary and mandatory data breach notifications

Year         2013–14    2014–15    2015–16
Voluntary         69        110        107
Mandatory          2          7         16
Total             71        117        123

After receiving notifications, where appropriate, we consider each incident and provide best practice privacy advice to the organisation, encourage notifying affected individuals and provide assistance to individuals.

We assist organisations affected by a data breach to:

  1. contain the data breach
  2. reduce the impact of the data breach on affected individuals
  3. minimise the risk of a similar incident happening again.

e.g.

This year we received a voluntary notification from InspectRealEstate, a web app that provides a range of property management services.

Real estate agents that used the web app were targeted by ‘spear phishing’ attacks to obtain their user credentials. The attackers then accessed personal information on the web app and used it to contact people who had applied for a rental property, asking them to send money to ‘secure the property’.

We worked with the owners of the web app who contained the breach, enhanced their security, and encouraged affected real estate agents to notify their affected customers of the scam.

We also worked with staysmartonline.gov.au to publish an alert and inform the community about this issue.

Commissioner initiated investigations

Section 40(2) of the Privacy Act enables an investigation of an incident that may be an interference with privacy to take place on the Commissioner’s own initiative.

This power is used to investigate possible privacy breaches that have come to our attention other than by way of a complaint. Commissioner initiated investigations (CIIs) are often conducted in response to significant community concern or discussion, formal referrals from other government agencies, or in response to notifications from third parties about potentially serious privacy problems.

This year saw an increase in CII activity compared to the last three years. We commenced an investigation or conducted preliminary inquiries in relation to 17 separate incidents.

Table 6: CIIs

Year        Number of CIIs
2013–14                  6
2014–15                  4
2015–16                 17

Enforceable undertakings

Our key objective in undertaking a CII is improving the privacy practices of investigated entities. CIIs are sometimes finalised by way of an ‘enforceable undertaking’ offered by the respondent organisation, which sets out the steps it will take to address the concerns we raised. Two enforceable undertakings were offered in 2015–16.

e.g.

Organica Skin Clinic and Brygon MC Pty Ltd are Queensland-based health services providers. The Commissioner learnt that these companies were sharing customer contact information for marketing purposes, without consent. Organica and Brygon agreed to an enforceable undertaking, where they ceased this practice, established improved privacy policies and procedures in consultation with the OAIC, and rolled out an enhanced privacy training program for their employees.

Cross-border investigations

This year we conducted a number of inquiries and investigations in collaboration with international privacy regulators. The Privacy Act applies to businesses with an ‘Australian link’, which includes many companies that are based overseas but do online business with Australians. The growing importance of the online economy in the lives of everyday Australians means that privacy incidents increasingly cross national borders. To respond to these incidents, we are a signatory to the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Cross Border Enforcement Cooperation Arrangement (GCBRCA). These allow us to work with overseas privacy regulators to address cross-border privacy issues.

e.g.

Ashley Madison, an online dating website headquartered in Canada, suffered one of the world’s most reported data breaches in 2015 when information about millions of its customers was posted online. In late 2015, the OAIC commenced a joint investigation with the Office of the Privacy Commissioner of Canada to establish whether the company behind Ashley Madison had interfered with the privacy of its users.

To see our joint findings, visit www.oaic.gov.au.

Assessments

This year we assessed a range of sectors including retail, telecommunications, education, government and identity verification. We also assessed a range of health service providers. For more information on our digital health assessments, please see the digital health section of this report.

Private sector

Loyalty programs

This year we looked into the loyalty programs of Australia’s two largest supermarket retailers, Coles and Woolworths. We assessed how Coles’ flybuys and Woolworths’ Rewards loyalty programs managed personal information in accordance with APP 1. The assessment also examined whether Coles and Woolworths provided sufficient notification to individuals regarding the collection of their personal information in accordance with APP 5.

While the findings of the assessment were primarily positive, the results from the assessment attracted significant attention and public discussion. It sparked important conversations about the privacy dimensions of retail loyalty programs generally and improved consumer awareness of this privacy issue.

Document verification service

In response to the expansion of the Document Verification Service (DVS) to private organisations, we completed assessments on two DVS business users, Nimble and DirectMoney. The assessments considered how well the requirements of APP 3, APP 5 and APP 11 were being met. Our assessments found that both Nimble and DirectMoney have practices, procedures and systems in place to safeguard the personal information that they access through the DVS. However, as a result of our assessments, both organisations have taken new and additional measures to enhance their security systems and procedures for protecting personal information.

Telecommunications

Records of disclosure under the Telecommunications Act 1997

We inspected four of the largest telecommunications organisations in Australia to assess their compliance with their record keeping obligations under the Telecommunications Act 1997 (Telecommunications Act). As a part of this assessment, we reviewed the practices of Telstra, Vodafone, Optus and iiNet.

Overall, the four organisations were cooperative and responsive towards the assessment and its findings. Each organisation accepted our recommendations and indicated that it would implement them, or explore the technological changes needed to implement them.

Specifically, we found that Telstra was complying fully with its records of disclosure obligations. Of the remaining three organisations, Vodafone and Optus were partially complying with their obligations, while we found that iiNet was not compliant with its obligations. Due to these findings, we issued Vodafone, Optus and iiNet with a number of recommendations and we will be following up with them in 2016–17.

Handling of personal information disclosed under the Telecommunications (Interception and Access) Act 1979

After completing the above assessment on records of disclosure, we commenced a second assessment on Telstra, Vodafone, Optus and iiNet. This assessment examined whether the organisations take reasonable steps to protect the personal information held by them when responding to requests for access by law enforcement agencies, as required under the Telecommunications (Interception and Access) Act 1979 (TIA Act) and in accordance with APP 11. We have completed the fieldwork on Telstra and will continue the assessment on Vodafone, Optus and iiNet in 2016–17.

Government

Passenger Name Record

We looked at the new administrative arrangements for the handling of Passenger Name Record (PNR) data by the Department of Immigration and Border Protection (DIBP). Our assessment considered how well the requirements of APP 6 and APP 11 are met by DIBP. Through the assessment, we identified some privacy risks associated with the arrangements for the use, disclosure and security of PNR data and made four recommendations. DIBP has accepted these recommendations.

Contractual arrangements in relation to regional processing centres

We commenced an assessment on DIBP’s privacy arrangements for Regional Processing Centres, including:

  • general governance and privacy frameworks under APP 1
  • how DIBP meets its security obligations under APP 11, including through the use of contractual measures as required under s 95B of the Privacy Act.

The assessment will be completed during the 2016–17 financial year.

Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014

During the year, we undertook three assessments on a range of new powers which DIBP was recently afforded by Schedules 5, 6 and 7 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014. The assessment on Schedule 7 was completed in 2015–16. The assessments on Schedule 5 and 6 will be completed in 2016–17.

Each of the three assessments considers how personal information is handled through border clearance processes at Australian international airports. This includes:

  • biometric information collected by SmartGates (Schedule 5)
  • the Advanced Passenger Processing data exchanged between airlines and DIBP (Schedule 6)
  • the seizure of bogus documents (Schedule 7).

A number of recommendations were made to DIBP as a part of the assessment on Schedule 7. DIBP is already taking measures to respond to the recommendations.

Comcare

We undertook an assessment on Comcare to see how it collects and handles personal and sensitive information from claimants and providers through workers’ compensation claims under the Safety, Rehabilitation and Compensation Act 1988 (SRC Act).

We focused on Comcare’s collection of personal information (APP 3), the notifications provided to individuals around the time of collection (APP 5) and the general governance and privacy framework put in place by Comcare (APP 1). The assessment will be completed during the 2016–17 financial year.

Universal Student Identifier

Under our memorandum of understanding with the Department of Education and Training, acting through the Student Identifiers Office (the Registrar), we agreed to undertake an assessment of the Registrar’s maintenance and handling of student identifiers and associated personal information in accordance with the Student Identifiers Act 2014 and the Privacy Act. The assessment looks at how the Registrar is managing personal information in accordance with APP 1 and APP 5. The assessment will be finalised in 2016–17.

ACT Government

ACT Revenue Office

Under our memorandum of understanding with the ACT Government, we undertook an assessment to examine the ACT Revenue Office’s handling of personal information against Territory Privacy Principle (TPP) 11. The assessment found that the ACT Revenue Office has good access control practices for its IT systems, which limit access to those who require the information, and that it monitors these controls. We noted some areas for potential improvement in relation to the ACT Revenue Office’s policies and governance and made a number of recommendations. The ACT Revenue Office is implementing measures with set target dates to address the recommendations.

Data-matching

We perform a number of functions to ensure that government agencies understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.

Data-matching is the process of bringing together data sets that come from different sources and comparing those data sets with the intention of producing a match. A number of government agencies use data-matching to detect non-compliance, identify instances of fraud and to recover debts owed to the Australian Government. For example, the Australian Taxation Office (ATO) may match tax return data with data provided by banks to identify individuals or businesses that may be under-reporting income or turnover.

Government agencies that carry out data-matching activities must comply with the Privacy Act. Data-matching raises privacy risks because it involves analysing personal information about large numbers of people, the majority of whom are not under suspicion.

Statutory data-matching

The Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). The Data-matching Act authorises the use of tax file numbers in data-matching activities undertaken by the Department of Human Services (DHS), the Department of Veterans’ Affairs and the ATO. In previous years, we have conducted inspections of DHS’s data-matching records to ensure compliance with the requirements of the Data-matching Act. This year we focused on providing advice and planning oversight of data-matching activities outside the Data-matching Act. These new activities formed part of the Enhanced Welfare Payment Integrity initiative.

Enhanced Welfare Payment Integrity

The Enhanced Welfare Payment Integrity — non-employment income data-matching measure was announced in the 2015–16 Mid-Year Economic and Fiscal Outlook (MYEFO). It increases DHS’s capability to conduct data-matching to identify non-compliance by welfare recipients. We received additional funding under this measure to provide regulatory oversight of these new data-matching activities.

We have been working closely with DHS to design and implement an effective oversight regime to provide assurance to the public and the Australian Government that privacy risks are being addressed. We gave advice on a range of privacy matters, including providing information about when and how DHS should conduct a privacy impact assessment for new projects and ensuring they have an appropriate privacy management framework in place to support the new initiative.

Data-matching under the voluntary guidelines

We administer the Guidelines on Data-matching in Australian Government Administration, which are voluntary guidelines to assist government agencies with adopting appropriate privacy practices when undertaking data-matching activities that are not covered by the Data-matching Act. This year we reviewed 12 data-matching program protocols submitted by matching agencies including the ATO, DHS and the Clean Energy Regulator.

The Commissioner approved eight requests for exemption from certain requirements of the Guidelines. A list of the exemptions that we approved can be found on www.oaic.gov.au.

Advice for businesses and agencies

Our teams provide advice for businesses and government agencies on their obligations under the Privacy Act. We also assist businesses and agencies to achieve best practice in their approach to privacy management.

This year we issued over 230 pieces of advice on a variety of issues, including:

  • anti-money laundering and counter-terrorism financial regimes
  • privacy in law enforcement and intelligence contexts
  • the mandatory data breach notification scheme
  • telecommunications sector security reforms
  • External Dispute Resolution (EDR) schemes
  • credit reporting laws
  • health data linkage
  • privacy implications of new technologies.

We also drafted over 21 submissions throughout the year on issues such as:

  • mandatory data breach notification
  • the Productivity Commission’s inquiry into a national education evidence base
  • the inquiry into the external scrutiny of the Australian Taxation Office
  • information sharing relating to the protection of children and vulnerable adults.

Our full list of public submissions can be found on www.oaic.gov.au.

Resources

We assist businesses and agencies to comply with the Privacy Act by producing resources and materials. We also issue tips and helpful guides to improve individuals’ understanding and awareness of their privacy rights.

This year we released 25 resources and we also released an additional seven for consultation.

These resources included:

  • Emergencies and disasters
  • Guide to developing a data breach response plan
  • Keeping records of disclosures under the Telecommunications Act 1997
  • Application of the Australian Privacy Principles to the private sector
  • Does my small business need to comply with the Privacy Act?
  • Guide to big data and the Australian Privacy Principles consultation
  • Start-up businesses
  • Dealing with requests for access and corrections to personal information
  • Ten privacy tips for parents and carers
  • Youth infographic on protecting your privacy.

Digital health

This year we continued our role as the independent regulator for the privacy aspects of the My Health Record system and the Healthcare Identifiers service.

We saw significant changes to the My Health Record system, with the commencement of the opt-out trials in the Nepean Blue Mountains and Northern Queensland areas. This involved a My Health Record being automatically created for all residents unless they chose to opt out of having a record.

For further information, refer to the Annual Report of the Australian Information Commissioner’s activities in relation to digital health 2015–16.

Advice

This year we engaged in the policy, legislative and development process for digital health by:

  • drafting a submission to the Senate Standing Committee on Community Affairs on the Health Legislation Amendment (eHealth) Bill 2015 on potential privacy issues. In the submission, we also highlighted the importance of a fair and easy to use opt-out process and an effective public awareness campaign
  • providing feedback on the Department of Health’s communication materials for the My Health Record system
  • commenting on a privacy impact assessment which considered the privacy implications of the opt-out trials. We also reviewed the My Health Record system’s draft privacy policy and collection notice.

Resources

We developed a number of fact sheets and created website information for individuals living in the My Health Record opt-out trial areas including specific information for young people in the trial regions.

Assessments

While we engaged extensively with the Department of Health in the lead up to and during the opt-out trials, our assessment work provided opportunities to engage directly with healthcare providers and peak bodies in the health sector on digital health issues.

In total, we conducted five assessments during the period. Two of our assessments focused on general practice (GP) clinics.

  • The first assessment was on controls applied by these healthcare providers for their staff to access the My Health Record system.
  • The second assessment involved reviewing the privacy policies of 40 randomly selected GP clinics. For this assessment, we examined whether the policies reflected the clinics’ use of the My Health Record system and individual healthcare identifiers.

During the year, we also conducted a ‘check-up’ to see if our recommendations were being implemented for protecting personal information held on the National Repositories Service. The results of this check-up will be available in 2016–17.

e.g.

This year we worked collaboratively with Australia’s peak medical groups to improve privacy practices for GP clinics across the country. This followed our assessment of the privacy policies of 40 randomly selected GP clinics.

The Australian Medical Association, Royal Australian College of General Practitioners, the Australian College of Rural and Remote Medicine and the Australian Association of Practice Management came together with the OAIC to provide practical support to their members, to deliver open and transparent privacy policies within their practices. We welcome this as a benchmark example of how regulators and industry groups can work together to improve community and consumer outcomes.

Mandatory data breach notifications

We are responsible for mandatory data breach notifications under s 75 of the My Health Records Act 2012 (My Health Records Act).

This year we received three data breach notifications from the System Operator. The first related to incorrect linkage of myGov accounts, where a number of individuals were linked to the health records of other individuals. The second and third notifications related to unauthorised My Health Record access by a third party.

We also received 13 notifications from the Chief Executive of Medicare in their capacity as a registered repository operator under s 38 of the My Health Records Act.

  • Five of these notifications involved separate breaches related to intertwined Medicare records of individuals with similar identifying information. This resulted in Medicare providing data to the incorrect individual.
  • Eight notifications, involving 86 separate breaches, resulted from findings under the Medicare compliance program. In these instances, a number of Medicare claim records that did not belong to the correct individuals had been uploaded to those individuals’ digital health records.

Legislative instruments

Under the Privacy Act, the Commissioner has powers to make certain legislative instruments. The legislative instruments must comply with the requirements of the Legislation Act 2003. They are publicly available on the Federal Register of Legislative Instruments.

No legislative instruments were made during this reporting period.

Awareness

We raise awareness about privacy rights to ensure the community is well informed and able to access them. These activities also help Australian businesses and government agencies understand their privacy obligations.

Privacy Awareness Week

Privacy Awareness Week is an Asia-Pacific-wide promotion of privacy and data protection rights, and the OAIC’s signature awareness-raising event.

In 2016, the United Nations (UN) Special Rapporteur on the right to privacy, Professor Joseph Cannataci, was a guest of the OAIC for Privacy Awareness Week — marking the first visit to Australia of a UN Special Rapporteur on the right to privacy.

This year’s Privacy Awareness Week achievements included:

  • attracting 246 Privacy Awareness Week partners
  • creating a dedicated campaign website, www.oaic.gov.au/paw2016/
  • drawing national media attention to the value of privacy as a fundamental right and vital governance concern
  • attracting 217 attendees to the annual Business Breakfast
  • addressing 700+ business and community attendees at events throughout the week, across Sydney, Melbourne and Canberra
  • attracting 84,836 views on Twitter
  • attracting 43,000 Facebook video views
  • developing a new and simple guide for parents and carers to help them protect children’s privacy online, which was made available to all government and non-government schools.

Other events

Our Executive team delivered over 50 presentations this year to a range of stakeholders across a variety of industries and stakeholder groups.

The Commissioner also visited Perth in May 2016 to speak at a series of events to raise privacy awareness in Western Australia, including an address to Edith Cowan University. This visit coincided with the launch of our Privacy Professionals’ Network.

Outreach

We developed a range of communication materials throughout the year to assist the public to understand their privacy rights and to educate businesses and agencies about their obligations under the Privacy Act. During the year, we focused on promoting resources for children, parents and carers, and young people.

Digital

We completed an upgrade to our website and had 930,447 unique visitors throughout the year. The website upgrade included new accessibility features including a keyboard-navigable menu, search suggestions, Vision Australia YouTube player, footnotes and ARIA landmarks.

Media

We saw a continued increase in awareness about our office, privacy and FOI in the media throughout the year. The OAIC had 4,920 media mentions, while privacy featured in approximately 2,848 stories and FOI in 1,408.


FOI

The FOI Act provides a legally enforceable right of access to government documents.

It applies to Australian Government ministers and most agencies, although the obligations of agencies and ministers are different.

Individuals have rights under the FOI Act to request access to government documents. The FOI Act also requires government agencies to publish specified categories of information, and allows them to proactively release other information.

Enquiries

We assisted the public with their enquiries on FOI issues and our Information Commissioner (IC) review function. This year we saw a significant increase in these enquiries, which totalled 2,483. We answered 1,854 phone calls, 624 emails and five in-person enquiries.

Approximately 44% of all enquiries about FOI matters related to general processes for FOI applicants, including how to make an FOI request or complaint, or how to seek a review of an FOI decision.

Table 7: Top FOI enquiry by issues*

Issue                              Number*
Jurisdiction                       1,323
General processes                  1,085
Processing by agency               146
Access to general information      14
Access to personal information     12
Agency statistics                  10
Information Publication Scheme     9
Vexatious application              6
Amendment and annotation           3

*There may be more than one issue in each enquiry.

Complaints and Commissioner initiated investigations

One of our FOI functions is to investigate the actions of government relating to the handling of FOI matters. This can be either in response to a complaint or on the Commissioner’s own initiative. Following the Australian Government’s decision to disband the OAIC and the associated reduction in the OAIC’s resources in the 2014–15 Budget, the Commonwealth Ombudsman handled FOI complaints from 1 November 2014 through to 30 June 2016. We will resume the investigation of complaints and undertake Commissioner initiated investigations from 1 July 2016.

Information Commissioner reviews

Under the FOI Act, the Commissioner is able to review decisions made by government agencies and ministers, including decisions:

  • refusing to grant access to documents
  • about requested documents that do not exist or cannot be found
  • granting access to documents, where a third party has a right to object, for example, if a document contains their personal information
  • about charges imposed in relation to access requests
  • refusing to amend or annotate records of personal information.

This year we experienced a significant increase in Information Commissioner (IC) reviews, with 510 applications received for review — a 36.5% increase from the previous year. Building on our improved processes and drawing on the body of legal precedent developed, we finalised 454 IC reviews. This is down compared to the previous reporting year. However, of those completed, 87% were finalised within 12 months of receipt, exceeding our 80% benchmark. Of the IC reviews closed during the reporting period, 84% (212) were finalised within six months.

Resolution

This year we continued to explore and implement appropriate alternative dispute resolution (ADR) mechanisms, which resulted in 374 review applications (82%) being finalised without proceeding to a formal IC review decision. We have a strong focus on resolving applications for review by agreement between the parties where possible.

For 2015–16, 10 matters were finalised by agreement under s 55F of the FOI Act and 175 reviews were finalised after the applicant withdrew their request for IC review, following action taken by the government agency to resolve the applicant’s concerns, such as releasing information informally, making a revised decision, or following an appraisal by our office of the merits of their case.

Only 18% of applications proceeded to a decision by the Commissioner under s 55K of the FOI Act.

These decisions serve a dual purpose:

  • to ensure that the correct or preferable decision is made by the government agency or minister
  • to contribute to the evolving body of law that shapes the FOI jurisdiction, which assists government agencies that are subject to the FOI Act to not only comply with their obligations under that Act, but to also achieve best practice.

We are in a unique position to develop consistency across agencies that is informed by the pro-disclosure objectives of the FOI Act and the practical realities of FOI processing. We bring this practical approach to seeking agreed resolutions, decision-making and to our role in assisting government agencies in meeting their FOI obligations.

Decisions

Examples of decisions that the Commissioner has made during 2015–16 can be found on the following page.

A full list is available at www.oaic.gov.au/freedom-of-information.

Australian Broadcasting Corporation and Australian Fisheries Management Authority [2016] AICmr 43 (29 June 2016)

The Commissioner found that some information about the design of fishing nets used by the fishing vessel, the Geelong Star, as well as video footage and photographs relating to its fishing activities, were not exempt under the FOI Act.

The Australian Fisheries Management Authority (AFMA) originally found that various documents contained trade secrets and commercially valuable information which, if released, would adversely affect the lawful business affairs of the fishing vessel’s operator. However, the Commissioner found that only some of these documents contained commercially valuable information and were exempt under s 47(1)(b).

The Commissioner’s decision is currently on appeal to the Administrative Appeals Tribunal (AAT).

Australian Associated Press Pty Ltd and Department of Immigration and Border Protection [2016] AICmr 25 (22 April 2016)

The Commissioner varied the decision of the Department of Immigration and Border Protection. The Commissioner decided that the Joint Review of Operation Sovereign Borders Vessel Positioning — December 2013–January 2014 was exempt in part under the legal professional privilege exemption (s 42), certain operations of government agencies exemption (s 47E(d)) and personal privacy exemption (s 47F) of the FOI Act. However, the Commissioner considered two footnotes as more appropriately exempt under s 47E(d).

Given his findings that the material was exempt under these provisions, the Commissioner found that it was not necessary to consider whether the material was also exempt under the damage to national security exemption and the damage to international relations exemption of the FOI Act.

Patrick Healy and Australia Post [2016] AICmr 23 (20 April 2016)

The Commissioner set aside the decision of Australia Post that two digital videos of CCTV footage were exempt under the personal privacy exemption of the FOI Act (s 47F).

In the first video the applicant’s face was clearly shown; as a result, the Commissioner decided that disclosure of the footage was not unreasonable. The Commissioner also found that it would be against the public interest to disclose the second video in full, as it contained the personal information of other individuals depicted.

The Commissioner decided it was reasonable for Australia Post to prepare an edited copy of the second video in which the other individuals depicted were pixelated, as pixelation is considered a deletion of the images and is consistent with previous IC review decisions.

Maurice Blackburn and Department of Immigration and Border Protection [2015] AICmr 85 (18 December 2015)

The applicant sought access to the names of departmental officers in a 10-page email chain, contending that this information would provide context to the Department of Immigration and Border Protection’s refusal to allow a doctor to enter the Christmas Island detention centre.

The Commissioner found that where a departmental employee’s name is included in a document because of their usual duties or responsibilities, it is not unreasonable to disclose the name unless special circumstances exist.

The Commissioner explained that the agency needs to identify the special circumstances that may exist, rather than assume the information is exempt. Whether or not it is unreasonable to disclose the names of the officers will depend on the circumstances of each case, including whether or not the applicant is likely to disseminate the names.

Linton Besser and Department of Employment [2015] AICmr 67 (15 October 2015)

The Commissioner set aside three decisions of the Department of Employment, concluding that disclosing the business affairs of service providers would not be unreasonable in this case.

The information relates to an investigation into service provider fraud in the Government’s jobs assistance program, which the Department of Employment found to be exempt under s 47G(1)(a). The Commissioner referred to the Administrative Appeals Tribunal decision of Bell and Secretary, Department of Health (Freedom of Information) [2015] AATA 494 (Bell) and the analysis of the public interest set out by Deputy President Forgie in that decision to determine whether disclosure would be unreasonable.

The Commissioner decided that ‘given the size of the program and the amount of public money recovered following the investigations’ it would not be unreasonable to disclose the information. The Commissioner did not agree with the Department of Employment that disclosure would affect the department’s ability to obtain information or cooperation, pointing to the obligations imposed on the service providers under the employment services deed and the settled expectation that ‘professional public servants are expected to express their views honestly and forthrightly in discharging their duties’.

Vexatious applicant declarations

The Commissioner has the power to declare a person to be a vexatious applicant, if he is satisfied that the grounds set out in s 89L of the FOI Act exist. A vexatious applicant declaration is not an action undertaken lightly, but its use may be appropriate at times. A declaration by the Information Commissioner can be reviewed by the AAT.

During 2015–16, seven applications were received from government agencies seeking to have a person declared a vexatious applicant. Five applications were finalised in 2015–16: two declarations were made and three applications were refused.

Registrar of Indigenous Corporations and ‘IO’ [2016] AICmr 34 (3 June 2016)

The Commissioner found a person to be a vexatious applicant under s 89K of the FOI Act in relation to the Registrar of Indigenous Corporations (the Registrar). In this case, the Registrar relied on the grounds set out by s 89L(1)(a) of the FOI Act — that the person has ‘repeatedly engaged in access actions; and the repeated engagement involves an abuse of the process for the access action.’

The individual had, since 4 March 2015, made 71 FOI requests, 70 requests for internal review and five IC review requests (these were the repeated ‘access actions’). The Registrar asserted that the repeated actions by the person had unreasonably interfered with the operations of the Registrar’s office.

The Commissioner considered whether the Registrar’s FOI administration had contributed to the respondent’s conduct. While there were issues, including failures to acknowledge requests and delays beyond statutory processing times, the Commissioner ultimately found that the individual’s response was not proportionate to these deficiencies and went beyond the reasonable actions of an FOI applicant.

The Commissioner decided that the Registrar was not required to process outstanding requests made on or after 9 November 2015 — the date the individual was advised that the Registrar was considering the application. This was because of the large volume and complexity of the outstanding requests and the small size of the agency, which would have made processing the requests excessively burdensome. Not making such an order would allow the abuse of process to continue.

The Commissioner further decided that for a period of 12 months any FOI requests made by the individual would need to be approved by the OAIC.

Extensions of time

The FOI Act sets out timeframes within which government agencies and ministers must process FOI requests.

The Commissioner can grant extensions of time to enable government agencies or ministers to process complex or voluminous FOI requests. The Commissioner also receives notifications of extensions of time where the agency has the agreement of the applicant. This year we received 5,605 extension of time notifications and requests and finalised 5,602.

We endeavour to respond to extension of time requests from government agencies within five working days and this year we ensured that 86% of extension of time requests were processed within that timeframe.

Table 8: Overview of FOI extension of time notifications and requests received

Year        2013–14    2014–15    2015–16
Received    2,437      4,393      5,605
Closed      2,456      4,384      5,602

Notifications and extension of time requests finalised

Request type    2013–14    2014–15    2015–16
s 15AA          1,898      3,900      5,171
s 15AB          362        249        283
s 15AC          132        177        102
s 54B           1          0          0
s 54D           31         33         30
s 54T           32         25         16
Total           2,457      4,384      5,602

s 15AA — notification of agreement between agency and applicant to extend time — no action is taken by the OAIC other than to register agreement

s 15AB — extension of time for complex or voluminous request

s 15AC — extension of time where deemed refusal of FOI request

s 54B — extension of time for internal review request

s 54D — extension of time where deemed affirmation of original decision on internal review

s 54T — extension of time for person to apply for IC review.

Awareness

In 2015–16 we met with various government agencies on a regular basis to discuss Information Commissioner reviews, including the Department of Defence, the Department of the Prime Minister and Cabinet, the Department of Human Services, the Department of Immigration and Border Protection and the Australian Federal Police.

Our Executive team also delivered presentations at the Department of Human Services’ FOI Conference and regularly participated in Australian Government Solicitor’s FOI Practitioners forums throughout the year.

Following the Australian Government’s decision to disband the OAIC and the associated reduction in the OAIC’s resources, the development of guidelines issued under s 93A of the FOI Act was handled by the Attorney-General’s Department. We will resume this function from 1 July 2016.

Agencies

Statistical reports from agencies in relation to FOI processing are available in Appendix D of this report. During this reporting period the Attorney-General’s Department collected this information.
