Australian Government - Office of the Australian Information Commissioner

Part 2 Performance

Our performance statement

Introduction

I, Timothy Pilgrim, as the accountable authority of the Office of the Australian Information Commissioner, present the 2016–17 annual performance statements of the Office of the Australian Information Commissioner, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, these annual performance statements are based on properly maintained records, accurately reflect the performance of the entity, and comply with subsection 39(2) of the PGPA Act.

Results

Challenge 1: Promote, uphold and shape Australian information privacy rights

Activity 1: Handle privacy complaints
Performance criteria: 80% of privacy complaints finalised within 12 months. Ensure the timeliness and quality of complaint resolution.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

  • 95% of privacy complaints were finalised within 12 months of their receipt
  • 22% increase in the number of complaints closed in 2016–17, compared to 2015–16 (2485 cf. 2038)
  • Average time taken to close privacy complaints was 4.7 months

The OAIC ensured the quality of complaint resolution by:

  • Handling privacy complaints in line with our Privacy regulatory action policy and Guide to privacy regulatory action
  • Undertaking regular staff training including, in 2016–17, providing training with the assistance of external trainers on mental health and resilience, report and letter writing, conciliation, administrative law, investigations and interviewing techniques. Key staff also undertook Resolution Institute mediation training
  • Encouraging staff to participate in complaints-handling networks and events, including the Complaint Handlers Information Sharing and Liaison seminars, the International Association of Privacy Professionals (iappANZ) conference, Privacy Awareness Week activities, investigations symposium, and the Australian Government Leadership Network conference
  • Meeting regularly with staff to discuss matters of significance across the teams, and to ensure consistency of decision making.

The ‘Resolving complaints’ section on page 63 provides case studies that demonstrate the quality of our complaint resolution, and information about the initiatives we put in place in 2016–17 to ensure the continued timeliness of our complaints resolution.

Performance criteria: Resolve the majority of complaints by conciliation with both parties.
Criteria source: Corporate Plan 2016–17

Target not met:

  • 36% of complaints were closed on the basis that the respondent had adequately dealt with the matter.

The number of complaints resolved as ‘adequately dealt with’ reflects our aim of resolving privacy complaints through conciliation wherever possible. We encourage both parties involved in a complaint to play an active role in discussions and negotiations to try and reach a mutual agreement or outcome.

Where the OAIC considers it is reasonably possible that a complaint may be conciliated successfully, the Privacy Act 1988 requires that there must be a reasonable attempt to conciliate (s40A(1)).

In 2016–17, all privacy staff in the OAIC’s Dispute Resolution branch received conciliation training. A number of staff also attended mediation training and are working towards accreditation as mediators with the Resolution Institute.

The ‘Resolving complaints’ section on page 63 contains more information about our approach to complaint resolution, including conciliation and other potential outcomes to complaints.

Performance criteria: Raise awareness about our complaints handling function.
Criteria source: Corporate Plan 2016–17

Target met:

  • Engaged with the media and the community on social media about the right to make a privacy complaint. Over 189 media and 242 social media mentions were achieved throughout the year
  • Reached out to the community at public events, including Seniors’ Day at the Sydney Royal Easter Show, and at OAIC organised events held in Brisbane, Melbourne and Hobart
  • Provided information to stakeholders who contacted our Enquiries Line
  • Our ‘How do I make a privacy complaint?’ webpage was viewed 31% more times in 2016–17, compared to 2015–16.

The ‘Communication and collaboration’ (page 27), ‘Community and sector engagement’ (page 66) and ‘Reaching our audiences’ (page 81) sections provide more information about our work in this area.

Activity 2: Conduct privacy assessments
Performance criteria: The median time for the completion of assessments is within 6 months.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target not met:

  • Median time taken to complete privacy assessments in 2016–17 was 7.1 months

In 2016–17, the OAIC focused its privacy assessments on open and transparent management of personal information and security of personal information. All of these assessments required a comprehensive and in-depth review of policy documents, interviews with staff and site inspection. As a result, the time taken to complete assessments in 2016–17 was longer than the planned performance target of six months, which generally anticipates a range of assessment complexity.

Performance criteria: Provide a professional, independent and systematic appraisal of how well government agencies and businesses comply with the Privacy Act.
Criteria source: Corporate Plan 2016–17

Target met:

The OAIC undertook professional, independent and systematic assessments in line with our Privacy regulatory action policy and Guide to privacy regulatory action. We took a risk-based and proportionate approach to selecting assessment targets. Assessment staff collaborated, via regular meetings, training and information sharing, to ensure that assessment processes were consistent and predictable. Lessons learned from assessments and feedback from assessment targets were communicated back to the team to continually improve assessment processes in the future.

The ‘Assessments’ section on page 71 provides more detailed information about the outcomes of the OAIC’s 2016–17 assessment program.

Performance criteria: Entities change practices to ensure compliance with the Privacy Act.
Criteria source: Corporate Plan 2016–17

Target met:

  • 100% of recommendations were accepted or planned for action by assessment targets

Examples of how our assessments changed the practices of entities can be found in the ‘Assessments’ section on page 71.

Performance criteria: Key learnings from assessments are incorporated into our guidance and educational materials.
Criteria source: Corporate Plan 2016–17

Target met:

Assessment findings were communicated to stakeholders, including OAIC staff, through assessment reports. Where appropriate, these were also referenced in media releases published on the OAIC’s website, and in speeches and presentations by OAIC Executive and staff.

Findings from assessments have been incorporated into our guidance materials where relevant.

Activity 3: Conduct Commissioner-initiated investigations and handle voluntary and mandatory data breach notifications
Performance criteria: 80% of Commissioner-initiated investigations (CIIs) are finalised within 8 months.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

  • 84% of CIIs were finalised within 8 months

Despite the 70% increase in CII case numbers from the 2015–2016 financial year, the OAIC met its target, reflecting the OAIC’s commitment to working with respondents to resolve issues of non-compliance and improve privacy practices. More information about CIIs is on page 70.

Performance criteria: 80% of voluntary data breach notifications are processed or escalated to CII within 60 days.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

  • 92% of voluntary data breach notifications were closed within 60 days

Despite the increase in voluntary data breach notifications from the 2015–2016 financial year, the OAIC met its target, reflecting the OAIC’s focus on providing timely guidance to agencies and businesses that have experienced a data breach incident. More information about data breach notifications is available on page 68.

Performance criteria: 80% of mandatory digital health data breach notifications are processed or escalated to CII within 60 days.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target not met:

  • 54% of mandatory digital health data breach notifications were closed within 60 days.

All data breach notifications were risk-assessed upon receipt.

In 2016–17, there was a 118% increase in mandatory digital health data breach notifications received by the OAIC, compared to 2015–16. The OAIC, in consultation with the Australian Digital Health Agency and the Department of Human Services, has identified new methods for managing this increase.

Performance criteria: Increase awareness about the voluntary data breach notification scheme with the OAIC.
Criteria source: Corporate Plan 2016–17

Target met:

The number of reported voluntary data breaches increased 17% on the previous year.

The OAIC informed stakeholders about the voluntary data breach notification scheme through media releases and media statements, social media and information provided by our Enquiries line.

The OAIC’s Data breach notification — A guide to handling personal information security breaches was viewed on our website 29% more times in 2016–17, compared to 2015–16.

The OAIC is now focusing its efforts on raising awareness of the new mandatory Notifiable Data Breaches scheme, which will commence on 22 February 2018.

See the ‘Data breach notifications’ section on page 68 for more information on these schemes.

Performance criteria: Key learnings are incorporated into our guidance and educational materials.
Criteria source: Corporate Plan 2016–17

Target met:

CII findings were communicated to stakeholders, including OAIC staff, through CII reports, enforceable undertakings and media releases published on the OAIC’s website, and in speeches and presentations by OAIC Executive and staff.

Performance criteria: Entities change practices and implement recommendations from enforceable undertakings and determinations.
Criteria source: Corporate Plan 2016–17

Target met:

One CII respondent offered an enforceable undertaking in 2016–17. The enforceable undertaking set out steps that the respondent agreed to take to address the concerns raised by the OAIC in its CII. Implementation of these steps by the respondent led to changes in practices relating to information retention and an improvement in privacy policies and procedures.

The Information Commissioner did not make any CII determinations in 2016–17.

See the ‘Commissioner-initiated investigations’ section on page 70 for more information on the CII powers under the Privacy Act and the outcomes of the CIIs that the OAIC conducted in 2016–17.

Activity 4: Provide a public information service
Performance criteria: 90% of written enquiries are finalised within 10 working days.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target not met:

  • 78% of written enquiries were finalised within 10 working days.

While this represents an improvement on the 2015–16 response rate of 70% finalised within 10 working days, staff turnover and a change in procedures affected our ability to meet this target in 2016–17.

See the ‘Enquiries’ section on page 57 for more information.

Note: The published Portfolio Budget Statements 2016–17 gave 100% as the criterion; this was an oversight and was revised in the Corporate Plan 2016–17.

Performance criteria: Raise public awareness about our information services for privacy related matters.
Criteria source: Corporate Plan 2016–17

Target met:

The OAIC promoted its information services for privacy related matters through outreach activities and community events, social media, in media statements and on our website. In 2016–17, this included attending Sydney Gay and Lesbian Mardi Gras Fair Day, Seniors’ Day at the Sydney Royal Easter Show, Multicultural Expo at Erina, NSW and anti-poverty week.

Our privacy information services achieved over 2,156 media mentions and 552 social media mentions throughout the year.

Activity 5: Assist businesses and agencies to improve their understanding of privacy compliance and promote privacy best practice
Performance criteria: Key privacy resources are identified, developed and promoted for business, government and the community. Consultations are undertaken with stakeholders on significant privacy resources.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

In 2016–17, the OAIC developed seven privacy resources for business and government, including a What is personal information guide, a Privacy Impact Assessment eLearning program and two videos highlighting the importance of privacy for start-up businesses. The OAIC consulted with stakeholders on these resources.

These resources were promoted through our Privacy Professionals’ Network, the OAIC website and during Privacy Awareness Week.

See the ‘Resources’ section on page 78 for more information about these resources.

Performance criteria: Proposed enactments and government programs are monitored for privacy impacts. Advice is provided to government agencies and guidance to business on emerging privacy issues.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

The OAIC completed 15 submissions and issued 144 pieces of advice on privacy related topics.

See the ‘Advice for businesses and agencies’ section on page 76 for more information about these submissions and advices.

Activity 6: Promote awareness and understanding of privacy rights in the community
Performance criteria: Privacy Awareness Week campaign is held, with an increase in the number of participating private and public sector entities and an increase in wider community engagement.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

Privacy Awareness Week (PAW) was held from 14–20 May 2017. The number of PAW partners increased by 49% from 2016, with 369 private and public sector organisations signing up as partners. There were over 250 media mentions including 20 broadcast media interviews, which equated to 31 hours of airtime.

See the ‘Awareness’ section on page 81 for more information about the OAIC’s PAW activities.

Performance criteria: Understand and respond to the needs of culturally and linguistically diverse (CALD) communities so we can assist and educate all Australians about their privacy rights.
Criteria source: Corporate Plan 2016–17

Target met:

The OAIC continued to ensure a high quality of service for individuals from CALD communities.

The OAIC engaged in outreach activities that targeted CALD communities, including a multicultural expo and anti-poverty week where we distributed resources, interacted with CALD communities, and developed relationships with other organisations and agencies that deliver services to CALD communities.

We translated five of our resources and information materials into 11 languages for our website, and distributed these at our outreach events.

The OAIC welcomed the Federation of Ethnic Communities’ Councils of Australia as a member of the Consumer Privacy Network in September 2016.

The OAIC established a Diversity Committee which oversees the development and delivery of actions against the Multicultural Access and Equity Plan.

The needs of CALD communities are considered at regular meetings of the OAIC’s Publications Forum.

Activity 7: Develop legislative instruments
Performance criteria: Applications for Public Interest Determinations and Australian Privacy Principle codes are considered. Legislative instruments are appropriate and up-to-date.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

No applications for Public Interest Determinations or APP codes were received in 2016–17. General advice was provided on these processes.

On 18 May 2017, the Information Commissioner announced that the OAIC would develop an Australian Public Service (APS) Privacy Governance Code, in collaboration with the Department of Prime Minister & Cabinet. The Privacy Code will play a key role in building public trust in the APS, supporting the Australian Government’s public data agenda and enhancing privacy governance and capability.

Developing the Privacy Code and supporting materials for agencies will be a major project for the OAIC in 2017–18 in preparation for it coming into effect on 1 July 2018.

Challenge two: Promote and uphold Australian information access rights

Activity 1: Provide a timely and effective Information Commissioner review function
Performance criteria: 80% of Information Commissioner reviews are completed within 12 months. Reduction of the number of matters over 12 months old. Increase the number of matters finalised by informal resolution without proceeding to a decision. Build on the existing jurisprudence which shapes the FOI jurisdiction.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Two of the three targets were met:

  • 86% of applications for an Information Commissioner review were finalised within 12 months of receipt (Target met)
  • The number of matters over 12 months old increased from 14 to 18. This happened in the context of a significant increase in the number of IC reviews received (632 applications in 2016–17, a 24% increase on 2015–16) (Target not met)
  • There was an increase in the number of matters finalised by informal resolution without proceeding to a decision: 185 in 2015–16 and 238 in 2016–17 (Target met)
  • Decisions by the Commissioner under s 55K of the FOI Act are published on the OAIC’s website, referenced in Guidelines issued under s 93A of the FOI Act and publicised in our OAICnet and OAICicon newsletters.

See the ‘Information Commissioner reviews’ section on page 85 for more information.

Activity 2: Provide promotion and information to the Australian community on information access rights
Performance criteria: 90% of written enquiries are finalised within 10 working days.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target not met:

  • 88% of written enquiries were finalised within 10 working days. Enquirers were notified of any delay at the time.

While this represents an improvement on the 2015–16 response rate of 85% finalised within 10 working days, staff turnover and a change in procedures affected our ability to meet this target in 2016–17.

Note: The published Portfolio Budget Statements 2016–17 gave 100% as the criterion; this was an oversight and was revised in the Corporate Plan 2016–17.

Performance criteria: Raise public awareness about FOI rights and our information service.
Criteria source: Corporate Plan 2016–17

Target met:

The OAIC raised awareness about FOI rights and our information service through outreach activities and community events such as Seniors’ Day at the Royal Easter Show, through social media and media statements, and on our website. In 2016–17, this resulted in over 622 media mentions and 77 social media mentions of the OAIC’s FOI information service.

See the ‘Enquiries’ section on page 85 for more information.

Activity 3: Assist government agencies and ministers with FOI advice and maintain guidelines and resources to promote best practices
Performance criteria: Key resources and guidelines under the FOI Act revised where necessary. Consultations are undertaken with stakeholders where relevant. Engage with government agencies and the public on FOI matters.
Criteria source: Corporate Plan 2016–17

Target met:

In 2016–17, we met with various government agencies on a regular basis, and our Executive team delivered presentations at a number of conferences and meetings throughout the year.

The Information Commissioner reissued Parts 1, 2, 4–6 and 10–12 of the Guidelines under s 93A of the FOI Act which agencies and ministers must have regard to when performing a function or exercising a power under the FOI Act (FOI Guidelines).

See the ‘Awareness’ section on page 92 for more information about these activities.

Performance criteria: Understand and respond to the needs of CALD communities so we can assist and educate all Australians about their FOI rights.
Criteria source: Corporate Plan 2016–17

Target met:

The OAIC continued to ensure a high quality of service for individuals from CALD communities.

The OAIC engaged in outreach activities that targeted CALD communities, including a multicultural expo and anti-poverty week where we distributed resources, interacted with CALD communities, and developed relationships with other organisations and agencies that deliver services to CALD communities.

We translated four of our resources and information materials into 11 languages for the website and distributed these at our outreach events.

The OAIC established a Diversity Committee which oversees the development and delivery of actions against the Multicultural Access and Equity Plan.

The needs of CALD communities are considered at regular meetings of the OAIC’s Publications Forum.

Activity 4: Handle FOI complaints and investigations
Performance criteria: 80% of FOI complaints finalised within 12 months. Ensure the timeliness and quality of complaint resolutions.
Criteria source: Portfolio Budget Statements 2016–17: Program 1.1; Corporate Plan 2016–17

Target met:

  • 100% of FOI complaints finalised during the year were completed within 12 months of receipt
  • Average time taken to close FOI complaints was 3 months.

The OAIC ensured the quality of complaint resolution by:

  • Handling FOI complaints in line with Part 11 of our FOI Guidelines
  • Undertaking regular staff training including, in 2016–17, a managing unreasonable complainant behaviours course
  • Encouraging staff to participate in complaints-handling networks and events, including the Complaint Handlers Information Sharing and Liaison seminars.

Performance criteria: Uphold the effectiveness of FOI processing within agencies.
Criteria source: Corporate Plan 2016–17

Target met:

When we conduct IC reviews, investigate complaints and process extension of time applications we gain valuable insights into how agencies are processing FOI requests. As part of our functions, in particular, our complaint function, we provide advice and guidance to agencies about best practice FOI processing.

Part 3 of our FOI Guidelines assists agencies to effectively process FOI requests. We also provide ad hoc advice to agencies when contacted (agencies often approach case officers directly, rather than through enquiries).

In 2016–17, we did not undertake any Commissioner-initiated investigations.

Challenge three: Develop the personal information management capabilities of Australian businesses and government agencies

Activity 1: Promote the relationship between strong privacy governance and improved business effectiveness
Performance criteria: Develop advice, guidance and promotion on the business and government agency advantages of proactive privacy-by-design management approaches.
Criteria source: Corporate Plan 2016–17

Target met:

The OAIC released a Privacy Impact Assessment (PIA) eLearning program during Privacy Awareness Week in May 2017. Undertaking a PIA for a new project or policy is a central part of ensuring a privacy-by-design approach. As of 30 June 2017, the course had been completed 167 times.

On 18 May 2017, the Australian Information and Privacy Commissioner announced that the OAIC would develop an Australian Public Service (APS) Privacy Governance Code. A key requirement of the Privacy Code is for Australian Government agencies to undertake a PIA for high risk projects. The OAIC will be developing guidance on this requirement in 2017–18.

The OAIC’s Executive team delivered speeches at 22 privacy engagements aimed at businesses and government agencies.

Activity 2: Assess education and training capacity and market demand
Performance criteria: Assess current gaps and risks in public and private sector knowledge of privacy management. Develop business case analysis for the OAIC’s engagement and service delivery to address known gaps or opportunities, including on a fee basis. Determine forward programs for projects.
Criteria source: Corporate Plan 2016–17

Target met:

In the second half of 2016–17, the OAIC focused on building the privacy management capability of the Australian Public Service. This included the announcement that the OAIC will develop an Australian Public Service (APS) Privacy Governance Code, for implementation on 1 July 2018.

As part of the OAIC’s work to assist agencies to prepare for the Privacy Code, we surveyed learning and development professionals in agencies to determine what privacy training is currently undertaken by staff, and what further support and resources are required. The OAIC has fed this feedback into its forward program of work for 2017–18.


Analysis

As outlined in the performance statements, the OAIC had a total of twenty-nine performance criteria under our three main goals. We met the target for twenty-four of these criteria.

Overall, the OAIC achieved what we set out to do.

  • We promoted, upheld and shaped Australian information privacy rights.
  • We promoted and upheld Australian information access rights.
  • We developed the personal information management capabilities of Australian businesses and government agencies.

We have provided a detailed analysis of our performance throughout the remainder of this chapter.


Privacy

The Privacy Act 1988 (Privacy Act) requires government agencies and private sector organisations to follow a set of rules when collecting, using and storing individuals’ personal information.

Personal information is any information that is about an individual. The most obvious example is a name. Other examples include an address, a date of birth, a photo of their face, or even a record of their opinions and views. Anything that is about an identifiable individual is personal information.

Whether it’s filling in a form or using a digital device, government agencies and private sector organisations have to respect personal information.

The Privacy Act includes 13 Australian Privacy Principles (APPs) which set out standards for businesses and government agencies managing personal information.

Australian Privacy Principles

APP 1 — Open and transparent management of personal information

APP 2 — Anonymity and pseudonymity

APP 3 — Collection of solicited personal information

APP 4 — Dealing with unsolicited personal information

APP 5 — Notification of the collection of personal information

APP 6 — Use or disclosure of personal information

APP 7 — Direct marketing

APP 8 — Cross-border disclosure of personal information

APP 9 — Adoption, use or disclosure of government related identifiers

APP 10 — Quality of personal information

APP 11 — Security of personal information

APP 12 — Access to personal information

APP 13 — Correction of personal information

Enquiries

We provide information about privacy issues and privacy law to the public.

This year there was a 12% decrease in enquiries on the previous year. We answered 13,301 telephone calls and saw written enquiries decrease by 11% (3,478 in total). We assisted 14 in-person enquiries.

While enquiries have decreased, privacy complaints have increased by 17% (see page 59).

In the past the OAIC received a broad range of enquiries. This year, increased community awareness about privacy has meant the office is receiving fewer enquiries in total, but they are now more specific to privacy and to what is covered under the Privacy Act. In addition, in line with increased awareness, individuals are increasingly comfortable exercising their right to lodge a complaint.

Note: As a part of our MOU with the ACT Government we continued to provide privacy services to ACT public sector agencies including handling privacy complaints in relation to the Information Privacy Act 2014 and its Territory Privacy Principles (TPPs).

Case study: Permitted health situations in relation to the disclosure of health information

An individual sought advice regarding their request to a private hospital for the release of information about their son, who was being treated for depression and has since gone missing.

The hospital refused to disclose that information to the individual on the grounds that it would be an interference with the son’s privacy. The parents were not able to request access as they were not authorised to step into the shoes of the individual and exercise their privacy rights on their behalf (they did not hold any power of attorney).

We discussed the use or disclosure of personal information (APP 6) in the circumstances, and referred to s 16B which outlines the permitted health situations in relation to the disclosure of health information i.e. the disclosure of health information would be made to a responsible person (in this case, a parent) for the individual. We noted that s 16B would provide the hospital with the circumstances for when such a disclosure would be permitted.

We also advised the caller that they may wish to provide the OAIC’s phone number to the hospital, should it wish to discuss APP 6 with us directly.

Issues

In 2016–17 the most common privacy enquiries to our office were about the use and disclosure of someone’s personal information (APP 6) followed by access (APP 12) and data security (APP 11).

Table 1: Phone enquiries about the APPs
Issues                                       Number
APP 1 — Open and Transparent Management          76
APP 2 — Anonymity and Pseudonymity               27
APP 3 — Collection                             1182
APP 4 — Unsolicited Personal Information          7
APP 5 — Notification of Collection              538
APP 6 — Use or Disclosure                      1765
APP 7 — Direct Marketing                        299
APP 8 — Cross-border Disclosure                  88
APP 9 — Government Identifiers                    6
APP 10 — Quality of Personal Information        108
APP 11 — Security of Personal Information      1214
APP 12 — Access to Personal Information        1362
APP 13 — Correction                             153
APPs — Exemptions                               960
APPs generally                                 1009

We also received a number of questions related to other privacy issues.

The table below categorises these enquiries.

Table 2: Other privacy phone enquiries
Issues                               Number of calls
Credit reporting                                 889
Data breach notification                         138
Data-matching                                      7
Healthcare Identifier                              1
Information Privacy Principles                     4
My Health Records (digital health)                 5
National Privacy Principles                        8
PPS Register                                       1
Privacy codes                                      1
Spent convictions                                172
Tax file numbers                                  46
Territory Privacy Principles                      30

Complaints

In 2016–2017 we continued to provide an efficient complaints service, investigating complaints about acts or practices that may be an interference with an individual’s privacy, as defined in the Privacy Act.

Generally, the OAIC receives complaints from individuals who are concerned an entity has mishandled their personal information. We aim to resolve complaints between the parties wherever possible, and continue to see strong outcomes for the parties from this process.

We investigate privacy complaints under the APPs, as well as matters relating to consumer credit reporting and registered APP codes. We also investigate the handling of other information such as tax file numbers, spent convictions, healthcare identifiers, student identifiers, and information used for data-matching.

In 2016–17, we received 2,494 privacy complaints, an increase of 17% on the previous year. This increase indicates a growing awareness of privacy issues and the role of the OAIC within the community.

Despite the increase in complaints, the OAIC closed 2,485 complaints during the period, an overall improvement of 22% from 2015–16 when we closed 2,038 complaints.

Note: As a part of our MOU with the ACT Government we continued to provide privacy services to ACT public sector agencies including handling privacy complaints in relation to the Information Privacy Act 2014 and its Territory Privacy Principles (TPPs).

The last decade

Over the last ten years we have seen a steady increase in the number of complaints received (see Figure 1). We expect this trend to continue, particularly with the introduction of the notifiable data breach scheme in 2018.

Figure 1: Complaints received per month — July 2007 to present

Graph showing a steady increase in the number of complaints received per month over the last ten years.

Figure 2: Complaints closed per month — January 2007 to present

Graph showing a steady increase in the number of complaints closed per month over the last ten years.

* Note that two large class complaints have been excluded from these graphs.

Issues

The overwhelming majority of privacy complaints we receive, 70.5%, are about the handling of personal information under the APPs.

The most common issues raised in complaints about the APPs were:

  1. use and disclosure of personal information
  2. security of personal information
  3. access to personal information
  4. collection of personal information
  5. quality of personal information

In 2016–17, 16% of the complaints we received were about credit reporting. This is the lowest percentage of complaints about credit reporting since significant changes were made to the credit reporting provisions in the Privacy Act in 2014. This reflects the increased role of external dispute resolution schemes in resolving credit reporting complaints.

The trend of growing complaint numbers is no longer associated with a rise in credit related complaints, the reform of the Act, or an influx of larger multiple or class complaints. Rather, it indicates a growing trend of individuals being aware of their privacy rights, and exercising these rights.

More information is available in Appendix C.

Sectors

Privacy complaints cover a broad range of sectors. In 2016–17, the top six sectors we received complaints about were:

  1. Finance
  2. Health service providers
  3. Australian Government
  4. Telecommunications
  5. Credit reporting bodies
  6. Retail

The table below shows the most commonly complained about sectors:

Sector Number of complaints
Finance (incl superannuation) 364
Health service providers 278
Australian Government 253
Telecommunications 204
Credit Reporting Bodies 147
Retail 129
Utilities 114
Online services 107
Insurance 94
Business/Professional Associations 88

Case study: Disclosure by an insurance company

The complainant was involved in a car accident. The other driver engaged the respondent for insurance purposes.

The respondent attempted to contact the complainant about the accident. The complainant’s mother answered the phone. The respondent disclosed the specifics of the accident to the complainant’s mother, despite the respondent being aware that it was not speaking with the complainant.

The matter was resolved by the complainant and the respondent entering into a deed of release, and the respondent paying $1,500 compensation.

Resolving complaints

In 2016–17, we improved the average time taken to close a complaint from 4.9 months in 2015–16 to 4.7 months. During 2016–17, 95% of all privacy complaints were resolved within 12 months of receipt. This is consistent with our result in 2015–16, when 97% of our privacy complaints were resolved within 12 months.

The majority of privacy complaints continue to be closed on the basis that the respondent has not interfered with the individual’s privacy, or the respondent has adequately dealt with the matter. Complaints resolved as ‘adequately dealt with’ are indicative of our overall aim to resolve complaints through conciliation.

We also have other grounds on which we may decline a complaint, including that there is no reasonable likelihood the complaint will be resolved by conciliation, and that no further investigation is warranted in the circumstances. These decline powers were introduced in 2014 to assist the OAIC in the exercise of its powers under the Act.

We continue to assist the parties to resolve matters, and provide staff with ongoing training in conciliation and facilitated negotiation, so they can help guide both parties through our conciliation process. We encourage parties to play an active role in conciliation and to participate in joint discussions to try to reach a mutual agreement, which can result in greater satisfaction with our process for both parties.

More information is available in Appendix C.

Case study: Improper collection of credit information

The complainant discovered that his former employer, the respondent, had accessed his credit file despite the complainant having no credit relationship with the respondent. The complainant was engaged in a legal dispute with the respondent at this time, and was concerned as to how the information obtained from his credit file might impact the dispute.

The respondent acknowledged that it did obtain information from the complainant’s credit file for the purpose of dealing with the dispute, and that it should have obtained the information through other channels. The respondent had initially offered to apologise and change its procedures, but the complainant was not satisfied.

The complaint was resolved through conciliation. The respondent agreed to provide $1,000 in financial compensation and a written explanation of the events that occurred.

In 2016–17, we experienced a 17% increase in the number of privacy complaints we received. The OAIC team has explored creative solutions for reducing its response and processing times, in order to meet the challenge of rising complaint numbers.

For example, in the latter months of the reporting period, our privacy investigations team commenced piloting an early resolution scheme, which aims to bring the parties together at the early stages of our process, before party positions become entrenched.

This trial has reduced our initial response times and contributed to the increase in the number of privacy complaints closed, allowing us to meet the increase in the number of complaints received.

Outcomes achieved through conciliation often have a broader impact, delivering positive outcomes for not only the individual who brought the complaint to us, but for other individuals dealing with the same business or agency.

Case study: Disclosure of TFN information

The complainant’s accountant disclosed tax returns, including the complainant’s tax file number (TFN), to the complainant’s former partner. While the OAIC did not have jurisdiction over the respondent for the APP issues, we investigated the TFN matter, and found the respondent did not have appropriate steps in place to protect the complainant’s TFN information.

The OAIC conciliated the complaint, and the parties agreed to settle the matter on the basis the respondent took specific steps to ensure the security of the complainant’s personal information and provided $5,000 compensation.

Case study: Disclosure of information by a health service provider

The complainant attended group counselling sessions run by the respondent. The complainant alleged the respondent inappropriately collected their personal information during these group sessions, without the complainant’s knowledge, and then disclosed this information to their former partner. The complaint was resolved by conciliation. The respondent agreed to provide an apology, compensation of approximately $5,000 and a refund of fees to resolve the matter. The respondent also made substantial changes to its practices in relation to the notification it provided to participants in such sessions.

Case study: Access to personal information — medical records

The complainant requested access to their medical records held by the respondent, a medical centre. Six months elapsed between the complainant making this request and receiving the medical records. When the complainant received these records, they noted they were incomplete, and also appeared to include records of other individuals.

The OAIC made inquiries with the respondent, and it explained that at the time the complainant’s request was made, it was transitioning to a new practice manager. The respondent apologised for its handling of the request, and provided further education and training to the staff involved about their privacy obligations. The respondent also implemented measures to ensure personal information is not inadvertently disclosed to the wrong patients. The OAIC provided the respondent with additional information about access to personal information (APP 12) to help it improve its practices. The complainant was satisfied with this outcome, and that the respondent had made changes to its processes to prevent an issue like this recurring.

Community and sector engagement

An important part of our role is interacting with key industry and community stakeholders, including other Commonwealth and state government bodies and external dispute resolution schemes, about recurring or significant issues arising in complaints. In 2016–17 we attended a number of community outreach events promoting awareness of the privacy complaint functions of our office, and the ways in which individuals can access or protect their personal information.

We also worked on improving lines of communication with key respondents, particularly in the early resolution phase. We have successfully established a direct referral process with some key respondents. As a result, we have seen a number of matters resolving between the parties with minimal intervention by the OAIC. We will continue to expand these efforts in 2017–2018.

During the year we also increased media and social media coverage about our complaints handling function with targeted messaging around the complaints process.

OAIC staff members promoting privacy at the Sydney Gay and Lesbian Mardi Gras Fair Day

Determinations

Under section 52 of the Privacy Act, the Commissioner can make determinations on privacy complaints where conciliation during the complaints process has not resolved the matter. The Commissioner can also make determinations in relation to Commissioner-initiated investigations (CIIs).

This year, the Commissioner made nine determinations under the Privacy Act, two more than in any previous year. These determinations will have educational and precedent value for government agencies, business, the community and other key stakeholders.

For example, ‘LS’ and ‘LT’ (Privacy) was the first determination about access to personal information since amendments to the Privacy Act commenced on 12 March 2014. This determination clarifies obligations under APP 12, access to personal information, and is of particular use to health service providers and individuals seeking access to medical records.

The first determination about fairness and lawfulness of the means of collection was made in ‘LP’ and The Westin Sydney (Privacy) concerning APP 3.5.

Financial Rights Legal Centre Inc. & Others and Veda Advantage Information Services and Solutions Ltd, and ‘KB’ and Veda Advantage Information Services and Solutions Ltd, are useful examples of the application of credit reporting reforms of 2014, including the Privacy (Credit Reporting) Code 2014.

Other determinations made in 2016–17, such as ‘LB’ and Comcare (Privacy), relate to the unauthorised disclosure of personal information and failure to take reasonable steps to protect personal information. The awards reflect the significant impact the mishandling of personal information can have on an individual in some circumstances.

A list of the OAIC’s 2016–17 determinations is below. Links to the decisions are available at www.oaic.gov.au/privacy-law/determinations.

  • ‘LU’ and Department of Defence (Privacy) [2017] AICmr 61 (26 June 2017)
  • ‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60 (26 June 2017)
  • ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53 (7 June 2017)
  • ‘LB’ and Comcare (Privacy) [2017] AICmr 28 (24 March 2017)
  • ‘LA’ and Department of Defence (Privacy) [2017] AICmr 25 (17 March 2017)
  • Financial Rights Legal Centre Inc. & Others and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 88 (9 December 2016)
  • ‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81 (25 November 2016)
  • ‘KA’ and Commonwealth Bank of Australia Limited [2016] AICmr 80 (25 November 2016)
  • ‘JO’ and Comcare [2016] AICmr 64 (21 September 2016)

Data breach notifications

In February 2017 the passing of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a mandatory Notifiable Data Breaches (NDB) scheme that applies to agencies and businesses covered by the Privacy Act.

The NDB scheme reflects developments in the European Union, North America and the Asia Pacific, where privacy protections in many countries and provinces currently include, or propose to include, mandatory data breach notification, so that individuals can take protective action in the event of a serious data breach.

From 22 February 2018, organisations covered by the Privacy Act will be required to notify individuals who are likely to be at risk of serious harm. The OAIC must also be notified. Our responsibilities under the NDB scheme include:

  • Receiving notifications about data breaches.
  • Promoting compliance with the scheme, including taking regulatory action in response to instances of non-compliance.
  • Raising awareness of the NDB scheme among stakeholders and the broader community, including how the scheme strengthens the protection of personal information.

In May 2017 we commenced targeted consultation with key industry representatives (including the telecommunications, financial, insurance and health sectors) and Australian government agencies, to help develop our guidance about the NDB scheme. In June we released draft guidance for public consultation covering:

  • Entities covered by the NDB scheme
  • Identifying eligible data breaches
  • Notifying individuals about an eligible data breach
  • Australian Information Commissioner’s role in the NDB scheme.

In the coming financial year we will develop further resources ahead of the scheme commencing on 22 February 2018.

We continued to administer a voluntary data breach notification scheme that allows businesses and agencies to self-report possible privacy breaches to the OAIC. We also administer a mandatory scheme for digital health data breaches. Further information on that scheme can be found in the digital health section of this report.

After receiving a notification, we consider each incident and, where appropriate, provide best practice privacy advice to the organisation, encourage it to notify affected individuals, and provide assistance to those individuals.

We assist organisations affected by a data breach to:

  1. contain the data breach
  2. reduce the impact of the data breach on affected individuals
  3. minimise the risk of a similar incident happening again.

Table 3: Voluntary data breach notifications and mandatory digital health data breach notifications
Year 2014–15 2015–16 2016–17
Voluntary notifications 110 107 114
Mandatory notifications (digital health data) 7 16 35
Total 117 123 149

In 2016–2017, the number of reported data breaches continued to grow, with voluntary notifications up 29% on the previous year.

The increase in voluntary notifications can be explained, at least in part, by the OAIC raising awareness this year of the voluntary data breach notification scheme. The scheme encourages entities that have experienced a data breach to notify affected individuals, and provides guidance on how to notify the OAIC of the issue.

Case study: Personal information sent to third party

In 2016 we received a voluntary data breach notification from the National Australia Bank (NAB) advising that, due to a coding error in its systems, emails containing individuals’ personal information were accidentally sent to a third party. The individuals affected had been dealing with NAB’s Migrant Banking team, and the recipient of the emails was a website hosted offshore.

The OAIC worked with the UK Information Commissioner’s Office in examining this matter.

In response to this incident, NAB corrected its systems to contain the breach and prevent recurrence. It also notified affected individuals.

Commissioner-initiated investigations

Section 40(2) of the Privacy Act enables an investigation of an incident that may be an interference with privacy to take place on the Commissioner’s own initiative. This power is used to investigate possible privacy breaches that have come to our attention other than by way of an individual privacy complaint.

Commissioner-initiated investigations (CIIs) are often conducted in response to significant community concern or discussion, formal referrals from other government agencies, or in response to notifications from third parties about potentially serious privacy problems. Our key objective in undertaking a CII is improving the privacy practices of investigated entities.

This year saw another increase in CII activity compared to previous years. We commenced an investigation or conducted preliminary inquiries in relation to 26 incidents. In some incidents, more than one respondent was identified, which is reflected in the number of CIIs.

In considering a respondent’s information handling practices, procedures and systems that may have affected the likelihood and extent of a data breach, the Commissioner may decide to discontinue an investigation where he is satisfied that no breach has occurred, or that the breach has been adequately dealt with by the respondent and no further regulatory action is warranted in the circumstances.

Table 4: CIIs
Year Number of CIIs
2014–15 4
2015–16 17
2016–17 29

Despite the 70% increase in CII case numbers from the 2015–2016 financial year, the OAIC met its target (finalising 84% of CIIs within eight months) reflecting the OAIC’s commitment to working with respondents to resolve issues of non-compliance and improve privacy practices.

Case study: Disclosure of membership list

The OAIC investigated allegations concerning the disclosure of the Maritime Union of Australia’s (MUA) membership list to the Glen Lazarus Team. The investigation found that an MUA employee accidentally left an extract of a membership list, limited to one or two hard copy pages of information, behind at the Glen Lazarus Team political party premises. In response to the incident, MUA committed to a number of actions to ensure the protection of its membership list in the future, and its overall management of personal information. Given the amount of personal information disclosed, and the steps MUA took at a state and national level to prevent a similar incident from recurring, the Commissioner considered that the matter was adequately dealt with by the MUA.

The Privacy Act also provides the Commissioner with the power to accept an ‘enforceable undertaking’ offered by a respondent to resolve the matter. One enforceable undertaking was offered in 2015–2016 following a CII.

Case study: Online dating data breach

Ashley Madison, an online dating website headquartered in Canada, suffered one of the world’s most reported data breaches in 2015 when information about millions of its customers was posted online. Following a joint investigation with the Office of the Privacy Commissioner of Canada, the company behind Ashley Madison, Avid Life Media, agreed to an enforceable undertaking to cease its practice of retaining users’ personal information indefinitely, establish a retention schedule, improve privacy policies and procedures in consultation with the OAIC, and roll out an enhanced privacy training program for its employees.

Assessments

This year we assessed a range of sectors including loyalty programs, identity verification, telecommunications, education and government. We also conducted assessments in the digital health sector. For more information on our digital health assessments, see page 79.

Each of these assessments required a comprehensive and in-depth review of policy documents, interviews with staff and site inspections. The complexity of this year’s assessment program was higher than in previous years. Consequently, the median time for the completion of assessments was in excess of the six-month target.

However, we did meet the target of 100% of the OAIC’s recommendations being accepted, or planned for action, by the entities assessed.

Loyalty programs

Following the completion of two assessments which looked into the loyalty programs of Australia’s two largest supermarket retailers, Coles and Woolworths, this year we commenced two new assessments of loyalty programs in Australia. These assessments examine how personal information is managed in accordance with APP 1. The assessments also look at whether sufficient notification to individuals is provided regarding the collection of their personal information in accordance with APP 5. Fieldwork for both assessments has been completed and the assessments will be finalised, and made public, during the 2017–18 financial year.

Identity verification

Following the completion of two assessments of Document Verification Service (DVS) business users, Nimble and DirectMoney, this year we commenced two new assessments of Gateway Service Providers (GSPs) to the DVS. The assessments examine how personal information collected through the DVS arrangement is handled by GSPs in accordance with APP 3, APP 5, and APP 11. Both assessments will be finalised during the 2017–18 financial year.

Telecommunications

Records of disclosure under the Telecommunications Act 1997

Last year, we undertook inspections of the top four telecommunications organisations across Australia (Telstra, Optus, Vodafone and iiNet) to assess their compliance with their record keeping obligations under the Telecommunications Act 1997 (Telecommunications Act). We issued Vodafone, Optus and iiNet with a number of recommendations, which were accepted by each organisation.

This year we followed up the implementation of our recommendations. Vodafone and Optus informed us that they had implemented our recommendations. Due to concerns identified last year in relation to iiNet’s maintenance of these records, we conducted a follow-up inspection of iiNet’s record-keeping activities in November 2016. Our inspection found that iiNet has now taken steps to ensure that it is meeting its record keeping obligations for records of disclosures under the Telecommunications Act. This inspection was finalised in February 2017.

Handling of personal information disclosed under the Telecommunications (Interception and Access) Act 1979

After completing the above assessment on records of disclosure, we commenced a second assessment on Telstra, Vodafone, Optus and iiNet. This assessment examined whether the organisations take reasonable steps to protect the personal information held by them when responding to requests for access by law enforcement agencies, as required under the Telecommunications (Interception and Access) Act 1979 (TIA Act) and in accordance with APP 11. We have finalised our assessment of Telstra, Vodafone and Optus. Our assessment of iiNet will be completed in 2017–18.

Government

Passenger Name Record

Under our memorandum of understanding with the Department of Immigration and Border Protection (DIBP), we commenced a Passenger Name Record (PNR) data-related assessment which followed up the implementation of recommendations made in a previous assessment undertaken in 2015. The 2015 assessment looked at the new administrative arrangements for the handling of PNR data by DIBP and considered how well the requirements of APP 6 and APP 11 were met by DIBP. The 2015 assessment made four recommendations associated with the arrangements for the use, disclosure and security of PNR data. DIBP accepted these recommendations. This year’s assessment also includes consideration of DIBP’s practices concerning the destruction and de-identification of PNR data. We have completed the fieldwork for this year’s assessment and it will be finalised during the 2017–18 financial year.

Contractual arrangements in relation to regional processing centres

Last year, we commenced an assessment on DIBP’s privacy arrangements for Regional Processing Centres, including:

  • general governance and privacy frameworks under APP 1
  • how DIBP meets its security obligations under APP 11, including through the use of contractual measures as required under s 95B of the Privacy Act.

We have completed the fieldwork for this assessment. The assessment will be finalised during the 2017–18 financial year.

Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014

We completed assessments on Schedule 5 and Schedule 6 of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act) during the 2016–17 financial year. These assessments considered how personal information is handled through border clearance processes at Australian international airports, including biometric information collected by SmartGates (Schedule 5) and the Advanced Passenger Processing (AdPP) data exchanged between airlines and DIBP (Schedule 6).

We made six recommendations to DIBP as part of the assessment on Schedule 5, and four recommendations as part of the assessment on Schedule 6. DIBP accepted all of these recommendations.

We commenced three further assessments that consider how personal information is being handled by DIBP under the Foreign Fighters Act. All three will be finalised during the 2017–18 financial year:

  • An assessment of the security arrangements that are in place to protect personal information after its collection by SmartGates (Schedule 5).
  • An assessment of the steps that a third party provider to DIBP is taking to secure personal information collected through AdPP (Schedule 6).
  • An assessment of the procedures DIBP has in place to respond to an individual’s request for access to their personal information that was collected by SmartGates, in accordance with APP 12 (Schedule 5).

Comcare

Last year, we undertook an assessment on Comcare to see how it collects and handles personal and sensitive information from claimants and providers through workers’ compensation claims under the Safety, Rehabilitation and Compensation Act 1988 (SRC Act).

We focused on Comcare’s collection of personal information (APP 3), the notifications provided to individuals around the time of collection (APP 5) and the general governance and privacy framework put in place by Comcare (APP 1). The final report was issued in September 2016. We made two recommendations and Comcare is taking steps to implement these recommendations.

Tax file numbers

The Privacy (Tax File Number) Rule 2015 regulates the collection, storage, use, disclosure, security and disposal of individuals’ Tax File Number (TFN) information. Under the Rule, six specified Australian Government agencies (Commissioner of Taxation/Australian Taxation Office, Australian Prudential Regulation Authority, Department of Human Services, Department of Education and Training, Department of Veterans’ Affairs and the Department of Social Services) have obligations to make a range of information publicly available in relation to how TFN information is to be handled. This year we commenced an assessment which looked at how well the agencies meet their obligations. The assessment was conducted through a desktop review of each agency’s website and a targeted survey questionnaire sent to each agency. The assessment will be finalised during the 2017–18 financial year.

Universal Student Identifier

Under our memorandum of understanding with the Department of Education and Training, acting through the Student Identifiers Registrar (the Registrar), we undertook an assessment of the Registrar’s maintenance and handling of student identifiers and associated personal information in accordance with the Student Identifiers Act 2014 and the Privacy Act. The assessment looked at how the Registrar is managing personal information in accordance with APP 1 and APP 5. We made four recommendations which were all agreed to by the Registrar.

ACT Government

Access Canberra

Under our memorandum of understanding with the ACT Government, we commenced an assessment to examine Access Canberra’s handling of personal information against the requirements of Territory Privacy Principles (TPP) 1 and 5. We have completed the fieldwork for this assessment and it will be finalised during the 2017–18 financial year.

Data-matching

We perform a number of functions to ensure that government agencies understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.

Data-matching is the process of bringing together data sets that come from different sources and comparing those data sets with the intention of producing a match. A number of government agencies use data-matching to detect non-compliance, identify instances of fraud and to recover debts owed to the Australian Government. For example, the Australian Taxation Office (ATO) may match tax return data with data provided by banks to identify individuals or businesses that may be under-reporting income or turnover.

Government agencies that carry out data-matching activities must comply with the Privacy Act. Data-matching raises privacy risks because it involves analysing personal information about large numbers of people, the majority of whom are not under suspicion.

Statutory data-matching

The Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). The Data-matching Act authorises the use of tax file numbers in data-matching activities undertaken by the Department of Human Services (DHS), the Department of Veterans’ Affairs and the ATO. In previous years, we have conducted inspections of DHS’ data-matching records to ensure compliance with the requirements of the Data-matching Act. Agencies have relied less on matching using the tax file number; consequently, this year we focused on providing advice and planning oversight of data-matching activities outside of the Data-matching Act.

Enhanced Welfare Payment Integrity

The Enhanced Welfare Payment Integrity — non-employment income data-matching measure was announced in the 2015–16 Mid-Year Economic and Fiscal Outlook (MYEFO). It increases DHS’ capability to conduct data-matching to identify non-compliance by welfare recipients. We received additional funding under this measure to provide regulatory oversight of these new data-matching activities.

We have been working with DHS to design and implement an effective oversight regime to provide assurance to the public and the Australian Government that privacy risks are being addressed. We gave advice on a range of privacy matters, including providing feedback on privacy impact assessments and assisting DHS in ensuring they have an appropriate privacy management framework in place to support the new initiative.

Data-matching under the voluntary guidelines

We administer the Guidelines on Data-matching in Australian Government Administration (Guidelines), which are voluntary guidelines to assist government agencies with adopting appropriate privacy practices when undertaking data-matching activities that are not covered by the Data-matching Act. This year we reviewed ten data-matching program protocols submitted by matching agencies including the ATO, DHS and the Australian Transaction Reports and Analysis Centre (AUSTRAC).

The Commissioner approved four requests for exemption from certain requirements of the Guidelines. A list of the exemptions that we approved can be found on www.oaic.gov.au.

Advice for businesses and agencies

Our teams provide advice for businesses and government agencies on their obligations under the Privacy Act. We also assist businesses and agencies to achieve best practice in their approach to privacy management.

This year we issued advice on a variety of issues including:

  • adoption, use and disclosure of government related identifiers
  • Australian Public Service (APS) Privacy Governance Code
  • credit reporting
  • data breach notification requirements
  • de-identification and re-identification
  • digital identity systems
  • direct marketing
  • External Dispute Resolution schemes
  • family safety initiatives
  • Government data matching
  • higher education proposals affecting handling of information about students
  • law enforcement and national security (Anti-Money Laundering and Counter-Terrorism Financing Act 2006 regulation)
  • new and emerging technologies
  • online communications and privacy
  • privacy and big data
  • privacy and international agreements
  • telecommunications (including telecommunications sector security reforms).

We also drafted submissions on issues such as:

  • the National Digital Health Strategy
  • Data Availability and Use
  • Elder Abuse
  • genomics
  • inquiry into the 2016 Census
  • the National Cancer Screening Register
  • criminal justice
  • consent and privacy
  • telecommunications, including
    • access to retained telecommunications data in civil proceedings
    • access to customer information in the Integrated Public Number Database (IPND)
    • identity checks for prepaid mobile phones
  • drones and privacy
  • automated vehicles
  • the Anti-Money Laundering and Counter-Terrorism Financing regulatory framework review
  • the Telecommunications Sector Security Review.

Case study: The National Cancer Screening Register

In the lead up to the implementation of the National Cancer Screening Register, the OAIC was involved in a number of aspects of this initiative. The OAIC engaged with the Department of Health on the Privacy Impact Assessment undertaken during the early stages of policy development and reviewed draft legislation relating to the Register.

The OAIC also made a submission to, and appeared before, the Senate Community Affairs Legislation Committee Inquiry. Recommendations made by the OAIC were adopted and implemented. In particular, given the nature of the Register and the sensitive health information it would contain, this included added privacy protections through data breach requirements.

Case study: The Australian Law Reform Commission’s inquiry into elder abuse

In early 2016, the Australian Government announced an Inquiry for the Australian Law Reform Commission (ALRC) on ‘Protecting the Rights of Older Australians from Abuse.’ The OAIC engaged in this Inquiry by making two submissions to the ALRC over the course of the year. Our submissions recommended ways in which proposed initiatives to address elder abuse could best balance the privacy rights of older Australians with the important objective of safeguarding older Australians from certain forms of abuse.

The ALRC’s final report, published in June 2017, referred to and endorsed a number of the OAIC’s recommendations and comments, highlighting the OAIC’s role in shaping Australian privacy rights across a wide range of significant policy issues. We also liaised with the Age Discrimination Commissioner on this issue.

Submissions can be read in full on the OAIC website.

Resources

We published a number of new resources, guides and fact sheets in 2016–17.

In preparation for the implementation of the European Union’s General Data Protection Regulation (GDPR) and Notifiable Data Breaches (NDB) scheme we published guidance to assist Australian businesses to understand the new requirements.

We provided a self-assessment checklist to assist service providers in considering their privacy obligations under the Data Retention Scheme.

We published Privacy business resource 19: Direct Marketing outlining how the requirements in the Do Not Call Register Act 2006 (DNCR Act) and the Spam Act 2003 (Spam Act) apply when an organisation direct markets to an individual.

Promoting a key message that understanding good privacy practices is vital to a successful business, we created videos and guidance for start-up businesses.

For individuals we published two fact sheets on health information: Privacy fact sheet 49: Health information and your privacy and Privacy fact sheet 50: Accessing and correcting your health information.

We also commenced work on developing a series of multimedia resources for healthcare providers to help them understand their privacy obligations and the mandatory data breach notification requirements under the My Health Records Act.

eLearning course on conducting a privacy impact assessment (PIA)

This year, the OAIC launched a new eLearning course on conducting a privacy impact assessment (PIA). Based on the OAIC’s Guide to undertaking privacy impact assessments, the course is interactive, taking the user through a variety of activities to help them understand the privacy impact assessment process.

Launched during Privacy Awareness Week 2017, there were 67 course completions by the end of the first week. There has been extremely positive feedback with a rating of 9.4 out of 10 by users and 100 per cent commenting that they would recommend it. As of 30 June 2017, the course had been completed 167 times.

Very simple process - I had thought that a PIA was this overly complicated process but this course broke it down very simply. …Thanks - this was immensely useful.

PIA eLearning user

Digital health

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act 2012 (My Health Records Act) and HI Act, which regulate the collection, use and disclosure of information, and give the Australian Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act which treats health information as ‘sensitive information’.

Assessments

We conducted three assessments during the reporting period, two of which commenced in the previous financial year.

An assessment was made of the My Health Record System Operator’s implementation of recommendations made by the OAIC in its previous audit of the System Operator against Information Privacy Principle 4. The previous audit examined how the System Operator protected personal information held on the National Repositories Service. We made three recommendations, all of which were agreed to by the System Operator.

We conducted an assessment into the handling of personal information by the Australian Health Practitioner Regulation Agency (AHPRA) in its role as the national registration authority for healthcare practitioners. The assessment focused on AHPRA’s handling of healthcare identifiers and associated identifying information under APPs 10 (data quality) and 11 (security). We made four recommendations, all of which were agreed to by AHPRA.

We also conducted an assessment of the Department of Human Services as a contractor to the My Health Record System Operator for services related to the My Health Record system. In particular, the assessment focused on DHS’s privacy management and governance arrangements under APP 1.2. Fieldwork was conducted in late March 2016 and the assessment will be finalised in the 2017–18 financial year.

Mandatory data breach notifications

We are responsible for mandatory data breach notifications under s 75 of the My Health Records Act.

This year we received six data breach notifications from the My Health Record System Operator. These notifications related to unauthorised My Health Record access by a third party.

We also received 29 notifications from the Chief Executive of Medicare in their capacity as a registered repository operator under s 38 of the My Health Records Act.

  • Nine of these notifications involved separate breaches related to intertwined Medicare records of individuals with similar demographic information. This resulted in Medicare providing data to the incorrect individual’s My Health Record.
  • Twenty notifications, involving 123 separate breaches, resulted from findings under the Medicare compliance program. In these instances, certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record.

For further information, refer to the Annual Report of the Australian Information Commissioner’s activities in relation to digital health 2016–17.

Legislative instruments

Under the Privacy Act, the Commissioner has powers to make certain legislative instruments. These legislative instruments must comply with the requirements of the Legislation Act 2003. They are publicly available on the Federal Register of Legislative Instruments.

No legislative instruments were made during this reporting period.

The Commissioner has specific obligations under section 17 and paragraph 28A(1)(d) of the Privacy Act, to issue rules concerning the collection, storage, use, and security of tax file number information, and to monitor compliance with these rules. In July 2016 we commenced targeted assessments of selected agencies’ compliance with the Privacy (Tax File Number) Rule 2015 (TFN Rule). We anticipate finalising our TFN Rule assessments in the 2017–18 financial year.

We also administer the Privacy (Credit Reporting) Code 2014 (CR Code), which regulates the handling of consumer credit reporting information in Australia. In April 2017, the Commissioner initiated an independent review of the operation of the CR Code, as required by paragraph 24.3 of the CR Code. We then commenced a tender process to engage a consultant to undertake the review. The review will be conducted and finalised in the 2017–18 financial year.

At the end of 2016–17, the Commissioner announced the development of a new Australian Public Service (APS) Privacy Code. For more information on the APS Code, please see page 96.

Awareness

This year we continued to raise awareness about privacy rights for individuals, and also helped Australian businesses and government agencies understand their privacy obligations.

Privacy…is about transparency, security, and choice. It’s about organisations being up-front about their personal information handling practices so that individuals can make informed choices about how they share their information. And it’s about respecting customer trust by maintaining strong security and information handling practices throughout the life cycle of personal data.

Timothy Pilgrim PSM, Australian Information and Privacy Commissioner, in Welcome to Privacy Awareness Week. A message from the Commissioner 15 May 2017

Reaching our audiences

This year we focused significant effort on assisting Australian businesses to understand the new requirements of the European Union’s General Data Protection Regulation (GDPR) and the Notifiable Data Breaches (NDB) scheme, both of which come into effect in 2018.

We also promoted the importance of good privacy practice to start-up businesses.

Reaching the community was also a focus for the OAIC this year — through targeted events and social media activity.

Privacy Awareness Week

Privacy Awareness Week (PAW) is the OAIC’s flagship event, the core purpose of which is to promote and raise awareness of privacy issues and the importance of protecting personal information.

This year’s event was the most successful ever:

  • 49 per cent increase in PAW partners, 369 compared to 246 in 2016
  • Over 250 mainstream media mentions (compared to 68 in 2016)
  • Over 2,000 social mentions with 21.0K impressions of the OAIC’s tweets during the week
  • 457 people signed up to use the Privacy Impact Assessment (PIA) eLearning resource which was released during PAW
  • 132 privacy professionals registered to attend the ACAPS industry debrief event
  • More than 50 people registered to attend the ‘Growing up digital’ event which featured the eSafety Commissioner.

Speaking engagements

This year we participated in 22 speaking engagements aimed at privacy professionals.

Media

One of our aims this year was to increase media coverage about the public’s awareness of privacy.

We achieved this as demonstrated by the below:

  • 40% more media enquiries than 2015–16
  • Over 250 mainstream media mentions during PAW (compared to 68 in 2016)
  • Over 20 broadcast media interviews with the Commissioner during PAW.

The below graph shows the increase in reporting of privacy, and the spike when issues of community concern are covered.

Graph 1: General privacy — media exposure

Bar graph showing an increase in reporting of privacy from January to June 2017.

Digital

The top six pages viewed on the OAIC website reflected the growing awareness of privacy amongst the community, Australian government agencies and businesses.

  • Privacy Impact Assessment (PIA) eLearning Program
  • Definition of ‘personal information’
  • Notifiable Data Breach scheme
  • Direct marketing - APP 7 for businesses
  • Start-ups and privacy
  • Data retention self-assessment checklist.


FOI

The FOI Act provides a legally enforceable right of access to government documents.

It applies to Australian Government ministers and most agencies, although the obligations of agencies and ministers are different.

Individuals have rights under the FOI Act to request access to government documents. The FOI Act also requires government agencies to publish specified categories of information, and it allows them to proactively release other information.

Enquiries

We respond to enquiries from the public on FOI issues and on our Information Commissioner review function. This year we saw a slight decrease in these enquiries from 2015–16, with the total for 2016–17 being 2,062. We answered 1,454 phone calls, 599 emails and nine in-person enquiries.

Approximately 48% of all enquiries about FOI matters related to general processes for FOI applicants, including how to make an FOI request or complaint, or seek review of an FOI decision.

The OAIC experienced a significant increase in IC reviews — a 24% increase over 2015–16.

Table 5: Top FOI enquiries by issue[*]

  Issue                            Number[*]
  General processes                      989
  Jurisdiction                           865
  Processing by agency                   135
  Agency statistics                      133
  Access to general information           20
  Access to personal information          17
  Amendment and annotation                 6
  Vexatious application                    5
  Information Publication Scheme           3

[*] There may be more than one issue in each enquiry.

Information Commissioner reviews

In an Information Commissioner review (IC review), the Information Commissioner is able to review decisions made by Australian government agencies and ministers, including decisions:

  • refusing to grant access to documents wholly or in part
  • that requested documents do not exist or cannot be found
  • granting access to documents, where a third party has a right to object (for example, if a document contains their personal information)
  • to impose charges for access to documents, including decisions refusing to waive or reduce charges
  • refusing to amend or annotate records of personal information.

This year we experienced a significant increase in IC reviews, receiving 632 applications for review — a 24% increase over 2015–16 (when the number of applications received was 37% higher than the previous year).

Despite the significant increase in the number of applications, the OAIC was able to finalise 515 IC reviews (a 13% increase compared to 2015–16 when 454 reviews were finalised). Of the 515 IC reviews finalised in 2016–17, 86% were finalised within 12 months, exceeding the intended outcome of 80% completed within 12 months.

The OAIC encourages resolution of IC reviews by agreement between the parties where possible. In 2016–17, 411 IC reviews were finalised without a formal decision being made (80% of all IC reviews finalised).

In 2016–17, 13 IC reviews were finalised by agreement under s 55F (by way of written agreement between the parties to the IC review), a 40% increase over 2015–16. Two hundred and twenty-four IC reviews were finalised after the applicant withdrew their request for IC review, either following action taken by the agency to resolve the applicant’s concerns (such as by releasing information informally) or following an appraisal by the OAIC of the merits of their case.

The Information Commissioner made 104 formal decisions under s 55K of the FOI Act during 2016–17 (20% of all IC reviews finalised). Although 63% of these decisions (65 decisions) affirmed the decision under review, 26% of those (17 decisions) had been revised under s 55G of the FOI Act during the IC review, giving greater access to the documents sought. The Information Commissioner set aside 22% (23 decisions) and varied 15% (16 decisions) of the reviewable decisions.

The decisions published by the Information Commissioner are an important feature of the OAIC’s work. They help agencies interpret the FOI Act and provide guidance on the exercise of their powers and functions. The OAIC adopts a practical approach to its decision making and to its role in helping agencies meet their obligations under the FOI Act.

All decisions are published on the AustLII website as part of the Australian Information Commissioner (AICmr) series.

Some Information Commissioner decisions made during 2016–17 are highlighted below.

‘LI’ and Department of Education and Training (Freedom of information) [2017] AICmr 41 (10 May 2017)

The applicant sought access to documents relating to the Building Education Revolution program at a primary school in Yarraville. The Department granted partial access to the documents sought. However, in his review application, the applicant contended that the Department held, or should hold, further documents.

The Information Commissioner affirmed the Department’s decision, finding that the Department had taken all reasonable steps to find the requested documents. The Information Commissioner also found that documents stored by a third party, the Block Grant Authority (the BGA), were not ‘documents of an agency’ under s 4(1) of the FOI Act or documents in the Department’s constructive possession.

With regard to the nature and timing of the relationship between the Department and the BGA, the Information Commissioner found that the Department was not obliged to take contractual measures to enable access to documents stored by the BGA in accordance with s 6C of the FOI Act. The evidence indicated there was a funding agreement between the Department and the BGA which commenced in 2009. Section 6C only applies to contracts entered into on or after 1 November 2010.

Tristan Masterson and the Murray-Darling Basin Authority (Freedom of information) [2017] AICmr 57 (22 June 2017)

The applicant sought access to documents containing information about aircraft wreckage in and around Lake Victoria (NSW), including the location of aircraft wreckage.

The Information Commissioner considered whether disclosing an extract from a database containing information about Aboriginal cultural heritage items and locations would or could be reasonably expected to have a substantial adverse impact on the proper and efficient conduct of the Murray-Darling Basin Authority’s (the MDBA) operations in Lake Victoria for the purposes of s 47E(d) of the FOI Act and, if so, whether giving Mr Masterson access to the documents, would, on balance, be contrary to the public interest.

The Information Commissioner considered whether the predicted effect of disclosure could reasonably be expected to occur, having regard to the particulars of the predicted effect detailed by the MDBA in its reasons for decision and submissions.

The Information Commissioner was satisfied that disclosure of the database extract would, or could reasonably be expected to, have a substantial adverse effect on the proper and efficient conduct of the MDBA’s operations and that the public interest factors against disclosure outweighed the factors in favour of disclosure.

Sea Shepherd Australia and Department of Immigration and Border Protection (Freedom of information) [2017] AICmr 48 (23 May 2017)

The Information Commissioner set aside a decision of the Department of Immigration and Border Protection which found that audio-visual footage of whaling activities taken from an Australian government vessel was exempt from disclosure on the basis that disclosure would, or could reasonably be expected to, damage the Commonwealth’s international relations (s 33(a)(iii) of the FOI Act).

Noting the Australian government’s publicly available submission to the International Court of Justice in the Whaling in the Antarctic proceedings, the Commissioner was satisfied that information was available in the public domain about the subject matter of the documents and the issue of whaling generally. In addition, the Commissioner considered the passage of time since the records came into existence in early 2008 to be significant.

Complaints

Under s 69 of the FOI Act the Information Commissioner has power to investigate agency actions relating to the handling of FOI matters.

Following the Australian Government’s decision to disband the OAIC as announced in the 2014–15 budget, the FOI complaints handling function was transferred to the Commonwealth Ombudsman between 1 November 2014 and 30 June 2016. The OAIC resumed investigating FOI complaints from 1 July 2016 following the Government’s announcement that all functions would remain with the OAIC.

In 2016–17, the OAIC received 36 FOI complaints and closed 18. Delay is one of the most complained about aspects of agency handling of FOI matters. When an agency exceeds the statutory timeframe to process an FOI request, they are ‘deemed’ to have refused the request for access. This gives rise to a right to seek IC review of the access refusal decision.

The OAIC is of the view that making an FOI complaint is not the appropriate mechanism when IC review is available, unless there is a special reason for undertaking an investigation and the matter can be dealt with more appropriately and effectively as a complaint. As a result, after consulting the applicant, the OAIC generally treats complaints about agency delay as an application for IC review of a deemed refusal because it allows the Information Commissioner to review the decision the agency ultimately makes without the applicant needing to make a new IC review application. This approach accounts for the relatively small number of FOI complaints in 2016–17.

Extensions of time

The FOI Act sets out timeframes within which agencies and ministers must process FOI requests.

If a decision on a request is not made within the statutory timeframe, the agency or minister is deemed to have made a decision refusing the request and the FOI applicant can apply for IC review of that deemed decision.

The Information Commissioner can grant an extension of time to enable government agencies or ministers to process a complex or voluminous FOI request, or when there was a deemed decision to refuse a request for documents or to amend or annotate a personal record. An extension granted after a deemed decision can provide a supervised timeframe for an agency or minister to finalise the request.

Table 6: Overview of FOI extensions of time notifications and requests received

  Year       2013–14   2014–15   2015–16   2016–17
  Received     2,437     4,393     5,605     4,412
  Closed       2,456     4,384     5,602     4,420

We endeavour to respond to extension of time applications from agencies and ministers within five working days. This year we finalised 94% of extension of time applications within five working days.

Table 7: Notifications and extension of time requests finalised

  Request type   2013–14   2014–15   2015–16   2016–17
  s 15AA           1,898     3,900     5,171     3,808
  s 15AB             362       249       283       453
  s 15AC             132       177       102       112
  s 54B                1         0         0         0
  s 54D               31        33        30        29
  s 54T               32        25        16        18
  Total            2,457     4,384     5,602     4,420

s 15AA — notification of agreement between agency and applicant to extend time

s 15AB — extension of time for complex or voluminous request

s 15AC — extension of time where deemed refusal of FOI request

s 54B — extension of time for internal review request

s 54D — extension of time where deemed affirmation of original decision on internal review

s 54T — extension of time for person to apply for IC review.

The extension of time provisions are an important feature of the FOI Act. They encourage less formal and more interactive engagement between agencies and applicants about the scope of FOI requests and the expected processing times. The notification process required under s 15AA ensures agencies have generally given realistic consideration to the reasons for delay before seeking an extension of time.

In deciding whether to grant an extension of time, the OAIC considers the impact this might have on an applicant. However, while this is a relevant consideration, it is not determinative.

Vexatious applicant declarations

The Information Commissioner has the power to declare a person to be a vexatious applicant if he is satisfied that the grounds set out in s 89L of the FOI Act exist. Making a vexatious applicant declaration is not something the Information Commissioner undertakes lightly, but its use may be appropriate at times. A declaration by the Information Commissioner can be reviewed by the AAT.

During 2016–17, the Information Commissioner received seven applications from agencies under s 89K seeking to have a person declared a vexatious applicant. Seven applications were finalised in 2016–17, with two declarations being made, four refused and one found to be invalid. These declarations are also published on the AustLII website as part of the Australian Information Commissioner (AICmr) series.

Department of Employment and ‘JI’ [2016] AICmr 56 (31 August 2016)

Over nearly two years, the respondent engaged in 67 separate FOI access actions with the Department of Employment.

The respondent’s justifications for repeatedly engaging in access actions were her assertions that fraudulent records had been created and held by various organisations and Government agencies and she felt ‘an enormous inaccuracy in the record system.’ As further justification, the respondent explained she has been trying to ‘correct’ the records for almost 25 years and that the process is not yet complete for her.

In determining the respondent to be a vexatious applicant, the Commissioner considered the number, frequency and nature of her access actions, and the fact that she had not made reasonable attempts to moderate her behaviour or limit the administrative impact that her access actions were having on the Department.

In balancing the respondent’s rights under the FOI Act, against the principle that those rights should not be abused, the Commissioner imposed a declaration on the respondent restricting her ability to make requests under the FOI Act to the Department for a period of 12 months.

The respondent then sought review of the Commissioner’s declaration in the Administrative Appeals Tribunal (AAT) (see Morris and Australian Information Commissioner (Freedom of information) [2017] AATA 363 (22 March 2017)).

In affirming the Commissioner’s declaration, the AAT found that some of the applicant’s access actions were an abuse of process in and of themselves, because a number revisited matters that had previously been decided without offering further evidence or a reasonable explanation why the request should be reconsidered.

The AAT considered the terms of the Commissioner’s declaration ‘entirely appropriate and well founded’ given the various factors in the case, including that the Commissioner’s declaration balanced rights under the FOI Act with the proper and efficient functioning of the Department’s use of its resources.

Awareness

Guidelines

In December 2016, the Information Commissioner issued revised guidelines under s 93A of the FOI Act, which Australian Government ministers and agencies must have regard to when performing a function or exercising a power under the FOI Act. The revised parts include:

  • Part 1 — Introduction to the Freedom of Information Act 1982
  • Part 2 — Scope of application of the Freedom of Information Act
  • Part 4 — Charges for providing access
  • Part 5 — Exemptions
  • Part 6 — Conditional exemptions
  • Part 10 — Review by the Information Commissioner
  • Part 11 — Complaints and investigations
  • Part 12 — Vexatious applicant declarations

Events

The OAIC participated in various activities throughout the year to raise awareness about accessing government information and the role of the OAIC and its processes. We delivered presentations to stakeholders on the OAIC’s IC review and FOI complaints process and participated in the Australian Government Solicitor’s FOI Practitioners’ Forums.

Media

The Information Commissioner issued a joint media release with the Australian Information Access Commissioners regarding International Right to Know Day on 28 September 2016, and another regarding the 25th anniversary of freedom of information on 2 December 2016.

Access to information and participation in government processes contributes to the transparency of government – promoting better decision making, accountability, and greater public trust. This is the key contribution freedom of information makes to our modern democratic governments.

Joint Media Statement — 250th Anniversary of Global Freedom of Information — 2 December 2016

FOI processing statistics received from agencies and Ministers

More statistical tables related to agencies’ and Ministers’ FOI processing are available in Appendix D to this report. The full dataset for 2016–17 is published at: http://data.gov.au/dataset/freedom-of-information-statistics

Numbers of FOI requests received

The number of FOI requests received by agencies and Ministers increased by just over 4% in 2016–17 compared to 2015–16. This rate of increase was slower than between 2015–16 and the previous year.

Table 8: Total FOI requests received 2010–11 to 2016–17 and the percentage increase from the previous year

  Year                                     2010–11   2011–12   2012–13   2013–14   2014–15   2015–16   2016–17
  Total FOI requests                        23,605    24,764    24,944    28,463    35,550    37,996    39,519
  Percentage increase from previous year         –     4.91%     0.73%    14.11%    24.90%     6.88%     4.01%

Numbers of FOI requests received by different agencies

In 2016–17, the Department of Immigration and Border Protection (DIBP), the Department of Human Services (DHS) and the Department of Veterans’ Affairs continued to receive the majority of FOI requests (73% of requests received by all agencies and Ministers). The vast majority of the requests to these three agencies are from individuals seeking access to documents containing their own personal information (97% of the requests received by these agencies).

In 2016–17, three agencies moved into the top 20 ranking by number of FOI requests received, namely the Northern Australian Infrastructure Facility (NAIF), established on 1 July 2016, the Immigration Assessment Authority (IAA) and the Commonwealth Ombudsman.

The three agencies that were in the top 20 list in 2015–16 but did not make the 2016–17 list were Australia Post, which saw a 56.3% reduction in requests, and the Trade Marks Office and Comcare, despite those two agencies receiving increases in requests of 11% and 8% respectively.

Of the agencies that continued to be in the top 20 in 2016–17, the Department of Health (DOH) and the Australian Transaction Reports and Analysis Centre (AUSTRAC) experienced an increase in the total number of requests received since the previous year, by 24% and 19% respectively. The Australian Securities and Investments Commission (ASIC) and the Department of the Prime Minister and Cabinet (DPMC) saw a reduction in the total number of requests received, by 20% and 14% respectively.

Requests for personal information and for other information

A request for personal information means a request for documents that contain information about a person who can be identified (usually the applicant, though not necessarily). A request for ‘other’ information means a request for all other documents, such as documents concerning policy development and government decision making.

In 2016–17, 32,383 requests (82% of all requests) were for documents containing personal information. This represents a slight decrease in comparison to the proportion of requests for personal information last year, which accounted for 87% of all requests received by agencies.

FOI requests finalised

Although the total number of requests received increased in 2016–17, the number of matters finalised by agencies and Ministers also rose, by 4.1%.

Table 9: Overview of FOI requests received and dealt with between 2014–15 and 2016–17
FOI requests processing by all agencies | 2014–15 | 2015–16 | 2016–17 | % +/–
On hand at the beginning of the year | 2,397 | 4,505 | 5,395 | +19.8
Received during the year | 35,550 | 37,996 | 39,519 | +4.0
Total requiring determination [1] | 37,947 | 42,501 | 44,914 | +5.7
Withdrawn | 3,641 | 3,203 | 3,844 | +20
Transferred | 729 | 731 | 763 | +4.4
Determined [2] | 29,000 | 33,173 | 34,029 | +2.6
Finalised [3] | 33,370 | 37,107 | 38,636 | +4.1
On hand at the end of the year | 4,577 | 5,394 | 6,278 | +16.4

[1] Sum of requests on hand at the beginning of the year and requests received during the year.
[2] Covers access granted in full, granted in part, or refused.
[3] Sum of withdrawn, transferred and determined.

Table 10: FOI requests determined
Decision | 2015–16 Personal | 2015–16 Other | 2015–16 Total | 2016–17 Personal | 2016–17 Other | 2016–17 Total
Granted in full | 17,764 | 790 | 18,554 | 18,040 | 837 | 18,877
Granted in part | 9,848 | 1,458 | 11,306 | 10,180 | 1,587 | 11,767
Refused | 1,835 | 1,478 | 3,313 | 1,899 | 1,486 | 3,385
Total | 29,447 | 3,726 | 33,173 | 30,119 | 3,910 | 34,029

Use of exemptions in FOI decisions

The personal privacy exemption (s 47F) of the FOI Act remains the most commonly used exemption in FOI decisions (47.9% of all exemptions claimed).

Reliance on the ‘certain operations of agencies’ exemption (s 47E) of the FOI Act increased significantly from 2014–15 to 2015–16, from 13.9% to 19.8%, but declined slightly in 2016–17, to 18.5%.

Reliance on the documents affecting enforcement of law and protection of public safety exemption (s 37) of the FOI Act continued to decrease, from 12.2% in 2014–15 to 8.8% in 2015–16, and to 6.6% in 2016–17.

Agency costs in processing FOI requests

The total reported cost attributable to processing FOI requests in 2016–17 was $44.787 million, an increase of 8.8% on the previous year’s total of $41.152 million. This increase outstrips the 2.6% increase in requests determined in 2016–17; however, the average cost per request determined, which rose by 6% to $1,316, is the second lowest since 2008–09.

Develop the personal information management capabilities of Australian businesses and government agencies

Our third challenge for 2016–17 was to continue to develop the personal information management capabilities of Australian businesses and government agencies.

This year our activities focused on promoting the relationship between strong privacy governance and improved business effectiveness; and taking steps to build the privacy management capability of the Australian Public Service.

Australian Public Service (APS) Privacy Governance Code

This year, the OAIC initiated the development of an Australian Public Service (APS) Privacy Governance Code, which was announced jointly in May 2017 with the Secretary of the Department of Prime Minister and Cabinet.

The Privacy Code will apply to all Australian Government agencies and will support the Australian Government’s data innovation agenda by strengthening the existing privacy capability of agencies and enhancing privacy governance across the APS.

Australian Government agencies are now operating in a complex personal information management environment. Data is acquired compulsorily from individuals in many cases, and there is a growing emphasis on maximising the utility of government data and ensuring that it can be shared efficiently and consistently with the community’s expectations.

It is in this context that the Privacy Code is being developed to help build public trust and confidence in the Australian Government’s information-handling practices and proposed new uses of data.

The Privacy Code will require all agencies to:

  • have a privacy management plan
  • appoint a designated privacy officer
  • appoint a senior official as a ‘Privacy Champion’ to provide cultural leadership and promote the value of personal information
  • undertake a written Privacy Impact Assessment for all ‘high risk’ projects or initiatives that involve personal information
  • take steps to enhance internal privacy capability, including by undertaking any necessary training and conducting regular internal audits of personal information-handling practices.

The requirements of the Privacy Code will be flexible and scalable, and take account of the agency’s size, and the sensitivity and amount of personal information it handles.

The OAIC has been collaborating with agencies, and developing a range of resources and training tools to support agencies when the Privacy Code comes into effect on 1 July 2018. This includes the release of the Privacy Impact Assessment (PIA) eLearning program during Privacy Awareness Week.

We have also surveyed learning and development professionals in agencies to determine what privacy training is currently undertaken by staff, and what further support and resources are required. The findings will form part of the OAIC’s program of work for 2017–18.

Building capability

Many of the general privacy activities the OAIC undertakes (as outlined in the Privacy section of this report) are focused on developing the personal information management capabilities of Australian businesses, government agencies and communities, including guidance, advice, resources and assessments, as well as developing the Privacy Code.

Our Privacy Impact Assessment (PIA) eLearning program will support agencies in preparation for the Privacy Code coming into effect on 1 July 2018.

Of note, in preparation for the implementation of the European Union’s General Data Protection Regulation (GDPR) and the Notifiable Data Breaches (NDB) scheme, we published guidance to assist Australian businesses to understand the new requirements.

Long text descriptions

Figure 1: Complaints received per month — July 2007 to present

Figure 1 shows the number of complaints received per month (July 2007 to present). The graph shows a steady increase in the number of complaints received, with a spike in 2014. Note that two large class complaints have been excluded from this graph.

Month | Number of complaints received
Jul 2007 49
Aug 2007 64
Sep 2007 58
Oct 2007 90
Nov 2007 124
Dec 2007 58
Jan 2008 86
Feb 2008 87
Mar 2008 70
Apr 2008 95
May 2008 99
Jun 2008 108
Jul 2008 90
Aug 2008 108
Sep 2008 101
Oct 2008 108
Nov 2008 78
Dec 2008 65
Jan 2009 90
Feb 2009 88
Mar 2009 102
Apr 2009 76
May 2009 91
Jun 2009 89
Jul 2009 121
Aug 2009 98
Sep 2009 100
Oct 2009 85
Nov 2009 93
Dec 2009 77
Jan 2010 88
Feb 2010 93
Mar 2010 126
Apr 2010 100
May 2010 104
Jun 2010 105
Jul 2010 115
Aug 2010 112
Sep 2010 110
Oct 2010 104
Nov 2010 106
Dec 2010 73
Jan 2011 112
Feb 2011 87
Mar 2011 113
Apr 2011 92
May 2011 98
Jun 2011 99
Jul 2011 97
Aug 2011 120
Sep 2011 123
Oct 2011 115
Nov 2011 125
Dec 2011 89
Jan 2012 103
Feb 2012 127
Mar 2012 124
Apr 2012 99
May 2012 125
Jun 2012 111
Jul 2012 146
Aug 2012 135
Sep 2012 125
Oct 2012 115
Nov 2012 115
Dec 2012 130
Jan 2013 144
Feb 2013 139
Mar 2013 112
Apr 2013 102
May 2013 137
Jun 2013 96
Jul 2013 124
Aug 2013 194
Sep 2013 218
Oct 2013 244
Nov 2013 345
Dec 2013 145
Jan 2014 251
Feb 2014 404
Mar 2014 351
Apr 2014 257
May 2014 261
Jun 2014 215
Jul 2014 151
Aug 2014 180
Sep 2014 155
Oct 2014 172
Nov 2014 275
Dec 2014 125
Jan 2015 130
Feb 2015 158
Mar 2015 193
Apr 2015 122
May 2015 180
Jun 2015 166
Jul 2015 156
Aug 2015 181
Sep 2015 207
Oct 2015 155
Nov 2015 180
Dec 2015 191
Jan 2016 147
Feb 2016 152
Mar 2016 180
Apr 2016 182
May 2016 193
Jun 2016 182
Jul 2016 191
Aug 2016 253
Sep 2016 167
Oct 2016 237
Nov 2016 218
Dec 2016 170
Jan 2017 167
Feb 2017 221
Mar 2017 271
Apr 2017 153
May 2017 216
Jun 2017 213
Figure 2: Complaints closed per month — January 2007 to present

Figure 2 shows the number of complaints closed per month (July 2007 to present). The graph shows a steady increase in the number of complaints closed, with a spike in 2014. Note that two large class complaints have been excluded from this graph.

Month | Number of complaints closed
Jul 2007 54
Aug 2007 27
Sep 2007 26
Oct 2007 23
Nov 2007 103
Dec 2007 80
Jan 2008 80
Feb 2008 84
Mar 2008 70
Apr 2008 87
May 2008 101
Jun 2008 115
Jul 2008 88
Aug 2008 121
Sep 2008 90
Oct 2008 108
Nov 2008 89
Dec 2008 117
Jan 2009 86
Feb 2009 123
Mar 2009 134
Apr 2009 133
May 2009 119
Jun 2009 127
Jul 2009 117
Aug 2009 123
Sep 2009 113
Oct 2009 106
Nov 2009 85
Dec 2009 88
Jan 2010 67
Feb 2010 82
Mar 2010 124
Apr 2010 77
May 2010 82
Jun 2010 116
Jul 2010 68
Aug 2010 119
Sep 2010 129
Oct 2010 71
Nov 2010 112
Dec 2010 90
Jan 2011 75
Feb 2011 86
Mar 2011 110
Apr 2011 76
May 2011 102
Jun 2011 124
Jul 2011 101
Aug 2011 138
Sep 2011 136
Oct 2011 111
Nov 2011 118
Dec 2011 110
Jan 2012 74
Feb 2012 113
Mar 2012 133
Apr 2012 110
May 2012 151
Jun 2012 87
Jul 2012 149
Aug 2012 111
Sep 2012 87
Oct 2012 126
Nov 2012 112
Dec 2012 115
Jan 2013 129
Feb 2013 188
Mar 2013 108
Apr 2013 121
May 2013 150
Jun 2013 108
Jul 2013 139
Aug 2013 154
Sep 2013 158
Oct 2013 202
Nov 2013 198
Dec 2013 252
Jan 2014 247
Feb 2014 230
Mar 2014 234
Apr 2014 268
May 2014 280
Jun 2014 256
Jul 2014 221
Aug 2014 185
Sep 2014 169
Oct 2014 167
Nov 2014 161
Dec 2014 158
Jan 2015 110
Feb 2015 144
Mar 2015 188
Apr 2015 146
May 2015 152
Jun 2015 174
Jul 2015 163
Aug 2015 129
Sep 2015 160
Oct 2015 339
Nov 2015 167
Dec 2015 149
Jan 2016 114
Feb 2016 161
Mar 2016 176
Apr 2016 165
May 2016 124
Jun 2016 191
Jul 2016 152
Aug 2016 189
Sep 2016 208
Oct 2016 209
Nov 2016 181
Dec 2016 193
Jan 2017 179
Feb 2017 176
Mar 2017 241
Apr 2017 172
May 2017 308
Jun 2017 277
Graph 1: General privacy — media exposure

Graph 1 is a comparison of media coverage between the 2015–16 and 2016–17 financial years. It shows the increase in reporting of privacy, and the spike when issues of community concern are covered.

Month | 2015–16 | 2016–17
July 955 935
August 1040 4000
September 528 799
October 2680 694
November 1430 1070
December 1400 1260
January 1230 4620
February 904 2080
March 1330 2100
April 894 1360
May 829 1210
June 875 923