MOU with the Australian Capital Territory for the provision of privacy services — 2017–18 Annual Report

1 July 2017 – 30 June 2018

On this page

  1. Introduction
  2. 7.3 (1) Number of complaints, assessments, written and telephone enquiries
    1. 7.3 (1)(h) Summary of issues raised in written and telephone enquiries
  3. 7.3 (2) For each complaint received in 2017–18, a summary of issues raised and outcomes.
    1. Respondent: ACT Health (CP17/01923)
    2. Respondent: Chief Minister, Treasury and Economic Development Directorate (CP17/02012)
    3. Respondent: University of Canberra (CP17/02121)
    4. Respondent: Chief Minister, Treasury and Economic Development Directorate (CP17/02157)
    5. Respondent: Child and Youth Protection Services (CP17/02288)
    6. Respondent: Transport Canberra and City Services Directorate (CP17/02578)
    7. Respondent: Transport Canberra and City Services Directorate (CP17/02569)
    8. Respondent: Transport Canberra and City Services Directorate (CP17/02572)
  4. 7.3 (3) For each finalised assessment, a summary of the outcome
    1. Assessments finalised in the reporting period
    2. Ongoing assessments as at 30 June 2018
  5. 7.3 (4) Information about any complaints that have not yet been finalised.
    1. Respondent: Independent Competition and Regulatory Commission (CP17/00779)
    2. Respondent: Canberra Hospital (CP18/00806)
    3. Respondent: ACT Corrective Services (CP18/01284)
    4. Respondent: University of Canberra (CP18/01726)
  6. 7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies
  7. 7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year
    1. Voluntary data breach notifications
    2. Systemic issues and common themes
  8. Acronyms and abbreviations
  9. Footnotes

Introduction

This report is made pursuant to the reporting requirements set out in section 7.3 of the 2017–18 Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC), for the provision of privacy services related to the Information Privacy Act 2014 (ACT) (Information Privacy Act).

This report is for the period 1 July 2017 to 30 June 2018.

From 1 September 2014, the Information Privacy Act superseded the Privacy Act 1988 (Cth) (Privacy Act) as the general privacy regulatory regime for ACT public sector agencies. The Information Privacy Act contains the Territory Privacy Principles (TPPs), which ACT public sector agencies must comply with in relation to the collection and handling of personal information (other than personal health information).

The numbered headings below correspond to the reporting requirements set out in the MOU.

7.3 (1) Number of complaints, assessments, written and telephone enquiries

| Number of | Total |
| --- | --- |
| (a) Complaints open as at 30 June 2017 | 9 |
| (b) Complaints received in 2017–18 | 11 |
| (c) Complaints closed in 2017–18 | 17 |
| (d) Complaints open as at 30 June 2018 | 4 |
| (e) Complaints that resulted in a report to the Minister under section 43 of the Information Privacy Act | 0 |
| (f) Complaints about which the Commissioner has given a notice under section 45 of the Information Privacy Act | 0 |
| (g) Assessments finalised | 1 |
| (h) Written and telephone enquiries about ACT public sector agencies, including a summary of issues raised (see below). | 23 |

7.3 (1)(h) Summary of issues raised in written and telephone enquiries

Telephone calls

Nineteen telephone enquiries were received during the reporting period. These calls covered a range of issues. Below is a summary of the issues raised:

  • An individual called regarding the disclosure of personal information by an ACT school. They were advised on Territory Privacy Principle (TPP) 6 and the Office of the Australian Information Commissioner’s (OAIC) privacy complaint process.
  • An individual enquired about refusal of requests under the TPPs and the ACT Freedom of Information provisions. The individual was advised that the OAIC can receive privacy complaints in relation to the TPPs, and was referred to the ACT Government for information about FOI in the ACT.
  • An individual asked how to complain about a decision made by an ACT agency in a privacy matter. The individual was provided with information on the OAIC’s privacy complaints process.
  • An individual enquired about workplace surveillance in an ACT agency. The individual was referred to the ACT Government.
  • An individual asked how to complain about an ACT agency. They were advised to complain to the ACT agency in the first instance and if not satisfied with the response could then lodge a complaint with the OAIC.
  • An ACT agency made a misdirected enquiry. The agency was referred to the ACT Government.
  • An ACT agency enquired about disclosing personal information to a medical practitioner. The agency was provided with advice regarding TPP 6.
  • An individual enquired about accessing personal information from an ACT agency. The individual was advised on TPP 12 and the OAIC’s privacy complaints process.
  • An individual called regarding collection of personal information by ACT public sector agencies. They were provided advice regarding TPP 3, TPP 5 and the OAIC’s privacy complaints process.
  • An individual called and advised that they had ordered their birth certificate and the ACT agency provided them with their birth certificate and another individual’s birth certificate. The individual was advised that their own privacy must be interfered with in order to make a privacy complaint under the TPPs.
  • An ACT agency enquired about the Notifiable Data Breaches scheme, seeking a pdf version of the OAIC’s smart form in order to assist entities to know what questions are asked by the OAIC, and providing feedback on the OAIC’s resources regarding notification. The agency was advised the appropriate staff member would be notified to provide assistance.
  • An individual made a call regarding the Health Records (Privacy and Access) Act 1997 (ACT), which was misdirected. They were directed to the ACT Human Rights Commission which handles ACT public sector agency health record privacy complaints in the ACT.
  • An individual enquired about an ACT agency disclosing personal information. They were provided advice regarding TPP 6 and the OAIC’s complaints process.
  • An individual stated an ACT agency disclosed a number of individuals’ contact information. The individual was advised to make their enquiry by email.
  • An individual called in relation to an ACT agency disclosing personal information. They were advised on TPP 6 and the OAIC’s complaints process.
  • An individual called regarding updating details on the individual’s working with vulnerable people card. They were referred to the ACT Government, and advised they can complain to the OAIC if not satisfied with the response.
  • A charity asked whether it needed to comply with the Information Privacy Act and TPPs if funded by the ACT Government. The charity was given general information and advised to seek legal advice.
  • An individual stated an ACT agency had disclosed a number of individuals’ personal information. They were provided with advice regarding TPP 11 and the OAIC’s privacy complaints process.
  • An individual asked about completing the OAIC’s speech request form. They were provided information on how to request OAIC staff to speak at an event.

Written enquiries

Four written enquiries were received during this reporting period. Below is a summary of the main issues raised:

  • An individual emailed the OAIC regarding an ACT agency. The issue was not within the OAIC’s jurisdiction and the individual was referred to the ACT Human Rights Commission.
  • The OAIC received a misdirected copy of an email to another entity.
  • An individual asked about surveillance laws in the ACT. The individual was given general information and referred to the ACT Government.
  • An individual asked for links to the work the OAIC does under the Information Privacy Act. The individual was directed to the OAIC’s annual report and to the ACT Government.

7.3 (2) For each complaint received in 2017–18, a summary of issues raised and outcomes.

Information about complaints that were received in the reporting period but have not yet been finalised is provided under heading 7.3 (4) below.

Respondent: ACT Health (CP17/01923)

Details: The complaint was received on 5 September 2017 and closed on 19 October 2017. The complainant alleged that the respondent inaccurately recorded health information about them.

The information complained about was personal health information. Section 8(1)(b) of the Information Privacy Act excludes personal health information from the definition of personal information and the scope of the Information Privacy Act. Personal health information is instead covered by the Health Records (Privacy and Access) Act 1997 (ACT) and regulated by the ACT Health Services Commissioner (within the ACT Human Rights Commission).

The complaint was closed under s 39(a) of the Information Privacy Act, on the basis that there was not an interference with the complainant’s privacy under the Information Privacy Act.

Respondent: Chief Minister, Treasury and Economic Development Directorate (CP17/02012)

Details: The complaint was received on 22 September 2017 and closed on 6 March 2018. The complainant alleged that the respondent improperly used and disclosed their personal information.

The personal information was used and disclosed for the same purpose for which it was collected, and therefore the use and disclosure was permitted under TPP 6.1. The complaint was closed under s 39(a) of the Information Privacy Act, on the basis that there was not an interference with the complainant’s privacy.

Respondent: University of Canberra (CP17/02121)

Details: The complaint was received on 29 September 2017 and closed on 28 February 2018. The complainant alleged that the respondent improperly collected the complainant’s personal information and failed to update its privacy policy.

There was no information to suggest that the respondent had improperly collected the complainant’s personal information, and there was no information to show that the privacy policy was out-of-date.

The complaint was closed under s 39(a) of the Information Privacy Act, on the basis that there was not an interference with the complainant’s privacy.

Respondent: Chief Minister, Treasury and Economic Development Directorate (CP17/02157)

Details: The complaint was received on 4 October 2017 and closed on 6 March 2018. The complainant alleged that the respondent improperly used their personal information.

The complaint lacked specific information demonstrating how the respondent improperly used the complainant’s personal information. The complaint was closed under s 39(c) of the Information Privacy Act, on the basis that the complaint was lacking in substance.

Respondent: Child and Youth Protection Services (CP17/02288)

Details: The complaint was received on 20 October 2017 and closed on 5 April 2018. The complainant alleged that they received an email from the respondent containing personal information relating to another individual, and that they were aware of such disclosures having occurred on other occasions.

The complaint was closed under s 34 of the Information Privacy Act, on the basis that the complainant was not complaining about the handling of the complainant’s own personal information, rather, the complaint involved another individual’s personal information.

Respondent: Transport Canberra and City Services Directorate (CP17/02578)

Details: The complaint was received on 17 November 2017 and closed on 7 December 2017. The complainant alleged that the respondent improperly disclosed their email address to an email list.

The complaint was closed under s 41(1A) of the Privacy Act, on the basis that the complaint was withdrawn by the complainant.

Respondent: Transport Canberra and City Services Directorate (CP17/02569)

Details: The complaint was received on 17 November 2017 and closed on 2 March 2018. The complainant alleged that the respondent improperly disclosed their email address to an email list.

In this instance, the complainant was not reasonably identifiable from the email address and it could not be said to be the complainant’s personal information. In addition, the respondent took a number of steps following the incident, such as recalling the email shortly after it was sent and apologising for the human error resulting in the disclosure.

The complaint was closed under sections 39(a) and 39(g)(i) of the Information Privacy Act, on the basis that there had not been an interference with the complainant’s privacy in this instance and that the matter had been adequately dealt with.

Respondent: Transport Canberra and City Services Directorate (CP17/02572)

Details: The complaint was received on 18 November 2017 and closed on 7 December 2017. The complainant alleged that the respondent improperly disclosed their email address to an email list.

The complaint was closed under s 41(1A) of the Privacy Act, on the basis that the complaint was withdrawn by the complainant.

7.3 (3) For each finalised assessment, a summary of the outcome

Assessments finalised in the reporting period

Access Canberra

The assessment examined whether Access Canberra is:

  • Managing personal information in an open and transparent manner as required by TPP 1.
  • Notifying individuals of the collection of personal information in accordance with its TPP 5 obligations.

The scope of the assessment focused on how Access Canberra maintains and handles personal information related to transactions that involve vehicle registrations and applications for working with vulnerable people.

OAIC staff conducted the assessment by way of a review of relevant policies and procedures provided by Access Canberra, followed by interviews with key members of staff and reviewing further documentation at Access Canberra’s offices in February 2017.

The assessment report was published in December 2017. The OAIC made five recommendations to address privacy risks identified during the assessment. Access Canberra agreed to two of these recommendations and noted three.

Ongoing assessments as at 30 June 2018

Housing ACT

The assessment examined whether Housing ACT is:

  • Using and disclosing personal information in accordance with its TPP 6 obligations.
  • Taking reasonable steps to secure its personal information holdings as required by TPP 11.

The scope of the assessment focused on how Housing ACT maintains and handles personal information related to the provision of social housing and related services.

OAIC staff conducted the assessment by way of a review of relevant policies and procedures provided by Housing ACT, followed by interviews with key members of staff and reviewing further documentation at Housing ACT’s offices in February 2018. An assessment report is being prepared.

7.3 (4) Information about any complaints that have not yet been finalised.

Respondent: Independent Competition and Regulatory Commission (CP17/00779)

Details: The complaint was received in the previous reporting period, on 7 April 2017. Under the TPPs the complainant alleges that the respondent interfered with their privacy by inappropriately collecting sensitive information, not providing appropriate notice and by failing to take reasonable steps to ensure the personal information it collected about them was accurate. The complainant also alleges the respondent may not have a privacy policy.

This complaint is currently active.

Respondent: Canberra Hospital (CP18/00806)

Details: The complaint was received on 6 March 2018. The complainant alleges that a staff member employed by the respondent improperly accessed and used their personal information. The complainant also seeks information on who has accessed their personal information.

This complaint is currently active.

Respondent: ACT Corrective Services (CP18/01284)

Details: The complaint was received on 1 May 2018. The complainant alleges that the respondent disclosed their personal information to a third party, and also seeks access to the personal information disclosed to the third party.

This complaint is currently active.

Respondent: University of Canberra (CP18/01726)

Details: The complaint was received on 20 June 2018. The complainant alleges that the respondent failed to provide access to the complainant’s personal information in response to the complainant’s request for access.

This complaint is currently active.

7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies

No formal reports or recommendations, other than in relation to the above assessment, were provided during the period.

7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year

Voluntary data breach notifications

One of the agreed services is that, where an ACT public sector agency notifies the OAIC of a data breach, the OAIC will register the notification and provide further advice to the agency.

The OAIC receives data breach notifications from ACT public sector agencies on a voluntary basis.[1] In response to a voluntary data breach notification by an ACT public sector agency, the OAIC seeks to confirm that the data breach has been contained, and that the ACT public sector agency has taken reasonable steps to prevent reoccurrence of the data breach. The OAIC further assists agencies by providing links to our guidance on personal information security and data breach response preparation.

The OAIC received ten data breach notifications from ACT public sector agencies in 2017–18. In all instances, the agency reported that the data breach was caused by human error.

Systemic issues and common themes

This year, a number of requests for advice related to the new Commonwealth mandatory Notifiable Data Breaches (NDB) scheme under the Privacy Act. While the NDB scheme will only apply to ACT public sector agencies in relation to their handling of tax file number (TFN) information (as it does to other state and territory agencies), there has been strong interest in obtaining general advice on the scheme and its application.

For example, in May 2018, ACT Health invited the OAIC’s Acting Deputy Commissioner to deliver a presentation to the ACT Health Human Ethics Seminar. This presentation had a focus on the Commonwealth NDB scheme, including from a data breach best practice perspective as not all audience members were covered by the scheme. This best practice guidance is relevant to ACT public sector agencies given that the OAIC receives voluntary data breach notifications from agencies as outlined above.

In addition, the OAIC has provided advice about the NDB scheme. The OAIC updated the Australian Capital Territory Privacy page of its website[2] to include information about how the new Commonwealth NDB scheme applies to ACT public sector agencies. The OAIC also provided the Justice and Community Safety Directorate with general policy advice on the application of the new NDB scheme to ACT public sector agencies. The purpose of the advice was to assist the Justice and Community Safety Directorate in responding to general enquiries from other ACT directorates.

Acronyms and abbreviations

| Term | Meaning |
| --- | --- |
| ACT | Australian Capital Territory |
| Cth | Commonwealth |
| FOI | Freedom of Information |
| Information Privacy Act | Information Privacy Act 2014 (ACT) |
| MOU | Memorandum of Understanding |
| NDB | Notifiable Data Breaches (under the Cth scheme) |
| OAIC | Office of the Australian Information Commissioner |
| Privacy Act | Privacy Act 1988 (Cth) |
| TPPs | Territory Privacy Principles[3] |

Footnotes

[1] From 22 February 2018, data breaches involving tax file number information may be notifiable by ACT public sector agencies under the mandatory Notifiable Data Breaches scheme found in Part IIIC of the Privacy Act 1988 (Cth). No such notifications were made in the period.

[2] Available at the date of this report at https://www.oaic.gov.au/privacy-law/other-legislation/australian-capital-territory-privacy#ndb .

[3] Schedule 1 of the Information Privacy Act
