Part 2 — Performance

Publication date: 2018

Our performance statement

Introduction

I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner, present the 2017–18 annual performance statements of the Office of the Australian Information Commissioner, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act). In my opinion, these annual performance statements are based on properly maintained records, accurately reflect the performance of the entity, and comply with subsection 39(2) of the PGPA Act.

Overall performance

In 2017–18 we were working to achieve 35 Performance Measures, as outlined in the OAIC Corporate Plan 2017–18. We met the target for 27 of these Performance Measures, did not achieve five, and three were not relevant in this reporting cycle. We:

  • Promoted and upheld privacy rights — by achieving 21 of 25 Performance Measures
  • Promoted and upheld information access rights — by achieving nine of 10 Performance Measures

We achieved all of our key deliverables for the year:

Promote and uphold privacy rights

  • Developed and implemented the Australian Public Service Privacy Governance Code and supporting training and resources
  • Prepared for the implementation of the Notifiable Data Breaches scheme in February 2018
  • Hosted the Asia Pacific Privacy Authorities meeting and the Data + Privacy Asia Pacific national conference
  • Trialled an early resolution process to assist with more efficient processing of privacy complaints
  • Conducted targeted privacy assessments in areas such as national security, identity management, digital health and the Enhanced Welfare Payment Integrity data-matching program
  • Celebrated the 30th anniversary of the commencement of the Privacy Act 1988
  • Reviewed the Privacy (Credit Reporting) Code 2014

Promote and uphold information access rights

  • Updated tools and guidance for Australian Government agencies to assist them to review their compliance with the FOI Act.
  • Developed and published an FOI regulatory action policy that outlines how we exercise our powers in relation to IC reviews, FOI complaints and Commissioner initiated FOI investigations.
  • Conducted a campaign for Right to Know Day 2017.

Results

Our performance is measured against Activities as outlined in the Corporate Plan 2017–18. Performance Measures marked with an asterisk were also performance targets in the OAIC’s 2017–18 Portfolio Budget Statement.

Privacy Performance Measures

Response to Corporate Plan Activity 1.1 — Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.1.1

The OAIC applies a risk-based, proportionate approach to facilitate compliance with privacy obligations and promote privacy best practice

Yes

  • We regularly engage with business and Australian Government agencies, including through the provision of advice and guidance on how to comply with the Privacy Act and deliver privacy best practice.
  • In the past year we have developed two suites of resources to assist entities in implementing their new obligations under the Notifiable Data Breaches scheme, and the Privacy (Australian Government Agencies — Governance) APP Code 2017.
  • We also released other guides on key privacy issues, such as the in-depth Guide to Data Analytics which assists entities to achieve a high standard of privacy protection in line with increasing community expectations, while maximising the value of data held.

1.1.2

Guidance and educational materials are amended to incorporate learnings from regulatory activities such as assessments and investigations

Yes

  • We regularly update our guidance and education materials to ensure currency and relevance.
  • For example, in the past year we updated our guidance on de-identification to ensure relevance on this high-profile topic and to incorporate learnings from a range of regulatory activities.

1.1.3

Regular dialogue and consultation with businesses and Australian Government agencies is undertaken

Yes

  • We engage regularly with businesses and Australian Government agencies, including through the provision of advice on a wide range of matters such as the Australian Government’s Public Data Agenda, the new Consumer Data Right scheme, changes to the My Health Record system, review and variations of the Privacy (Credit Reporting) Code 2014, and the proposed introduction of mandatory comprehensive credit reporting.

1.1.4

The number of participating partners for Privacy Awareness Week is increased

No

  • This year there were 360 participating partners for Privacy Awareness Week, just below our target of 370.

Response to Corporate Plan Activity 1.2 — Manage data breach notifications
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.2.1

80% of data breach notifications finalised within 60 days*

Yes

In meeting this target we:

  • Finalised 99% of notifications under the Notifiable Data Breaches (NDB) scheme, in operation from 22 February 2018, within 60 days
  • Finalised 97% of voluntary data breach notifications (DBNs) within 60 days
  • Closed 33% more voluntary DBNs than in 2016–17
  • Managed this alongside a 53% increase in voluntary DBNs received compared to 2016–17
  • Finalised voluntary DBNs within an average of 22.9 days, compared to 29.2 days in 2016–17

1.2.2

80% of My Health Records data breach notifications finalised within 60 days*

Yes

In meeting this target:

  • We finalised 100% of My Health Records data breach notifications received in 2017–18 within 60 days

1.2.3

Guidance and support tools for the Notifiable Data Breaches scheme are published

Yes

In meeting this target, we:

  • Published ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)’. This resource includes best practice advice on creating a data breach response plan and responding to a data breach, as well as specific information on compliance with the NDB scheme
  • Published resources for individuals who have received a data breach notification, with the aim of providing information about complaint rights and the steps individuals can take to reduce the chances of experiencing harm as a result of a data breach
  • Recorded and published an interactive webinar on the requirements of the NDB scheme, with case studies and frequently asked questions

1.2.4

Statistics on data breach notifications are published to inform the community about the operation of the data breach notification scheme

Yes

In meeting this target:

  • We published the first quarterly report on the operation of the NDB scheme. This report included key statistics on the number of notifications received, the reported sources of data breaches, the top five sectors reporting data breaches under the scheme and the kinds of personal information affected

Response to Corporate Plan Activity 1.3 — Conduct Commissioner initiated investigations
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.3.1

80% of CIIs finalised within 8 months*

No

  • This target was not met, with 72.2% of privacy Commissioner initiated investigations (CIIs) finalised within 8 months.
  • This reflects the complexity of the privacy CIIs finalised during 2017–18, which includes investigations into Australian Red Cross Blood Service, Precedent Communications Pty Ltd, and the Department of Health.
  • In these matters, the desire for a timely outcome was balanced against the need to comprehensively consider the matters investigated, in line with community expectations and the public interest.
  • The OAIC continues to improve efficiencies in how privacy CIIs are progressed to ensure timely outcomes.

1.3.2

CIIs result in improvements in the privacy practices of investigated entities

Yes

  • The OAIC achieved this measure by accepting enforceable undertakings from three respondents in 2017–18 (Australian Red Cross Blood Service, Precedent Communications Pty Ltd, and the Department of Health).
  • These enforceable undertakings set out steps that the respondent agreed to take to address concerns raised by the OAIC in its CII.
  • Implementation of these steps by the respondents led to changes in practices relating to improvement in privacy policies and procedures within those entities.

1.3.3

CII outcomes and lessons learnt are publicly communicated

Yes

The OAIC achieved this measure by:

  • Publishing privacy CII reports with our findings in relation to the Australian Red Cross Blood Service, Precedent Communications Pty Ltd and Department of Health investigations.
  • Publishing the enforceable undertakings accepted from the Australian Red Cross Blood Service, Precedent Communications and the Department of Health.
  • Publishing media releases on the OAIC’s website about the conclusion of these investigations and lessons learnt.
  • Communicating the outcomes of these CIIs in speeches and presentations by OAIC Executive and staff.

Response to Corporate Plan Activity 1.4 — Resolve privacy complaints
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.4.1

80% of privacy complaints finalised within 12 months*

Yes

In meeting this target, we:

  • Finalised 97% of all privacy complaints within 12 months of receipt
  • Closed 11% more privacy complaints than in 2016–17
  • Reduced the average time to close a privacy complaint to 3.7 months
  • Managed this alongside an 18% increase in the number of privacy complaints received in 2017–18
  • Used our early resolution pilot to contribute to the efficient processing of privacy complaints

We ensured the quality of our privacy complaint handling process by:

  • Handling privacy complaints in line with our Privacy regulatory action policy and Guide to privacy regulatory action
  • Undertaking regular staff training, including training delivered with assistance from external trainers on decision writing, statutory investigation and conciliation, managing unreasonable complainant conduct, plain English writing and leadership. Several staff also undertook Resolution Institute mediation training, and a number were accredited as mediators under the National Mediator Accreditation Standards (NMAS)
  • Enabling staff to participate in complaint handling networks and events, including the Complaint Handlers Information Sharing and Liaison seminars, the International Association of Privacy Professionals Australia New Zealand (iappANZ) conference and Privacy Awareness Week activities
  • Meeting regularly with staff to discuss matters of significance across the teams and to ensure consistency of decision making

The ‘Resolving complaints’ section from page 55 provides case studies that demonstrate the quality of our complaint resolution, and information about the initiatives we put in place in 2017–18 to ensure the continued timeliness of our complaints resolution.

1.4.2

Complaint handling service is promoted to the community

Yes

In meeting this target, we:

  • Undertook the Australian Community Attitudes to Privacy Survey in 2017, which helped us better understand the concerns of the community
  • Engaged with the community to promote our complaint handling service by:
    • Coordinating a consumer credit reporting education event with the Australian Retail Credit Association’s CreditSmart consumer education team in May 2018
    • Promoting OAIC services at the Sydney Disability Expo in May 2018
    • Promoting our complaint handling role in external speaking engagements
    • Recording a 22% increase in views of our ‘How do I make a privacy complaint?’ webpage compared to 2016–17, indicating increased community awareness of our complaint handling service

Response to Corporate Plan Activity 1.5 — Conduct privacy assessments
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.5.1

Assessments are completed in accordance with the schedule developed in consultation with the assessment target

No

  • The information review and fieldwork stages of privacy assessments were generally completed in accordance with a schedule developed in consultation with the business or agency being assessed; however, the finalisation of assessment reports was not completed on schedule in all cases.
  • We will continue to improve our assessment reporting process in the next financial year and work with the business or agency being assessed to assist them to finalise responses to draft assessment reports.

1.5.2

Monitoring and compliance approaches are coordinated with the business and operational needs of the assessment targets

Yes

  • We undertook professional, independent and systematic assessments in line with our Privacy regulatory action policy and our Guide to privacy regulatory action.
  • We engaged with and provided preliminary briefings to the business or agency being assessed prior to formally commencing an assessment. This is to clarify the OAIC’s expectations, and to develop a schedule that recognises the operational needs of the business or agency being assessed.
  • An example of how we met this measure is our assessment of Trulioo, a Canadian organisation. We conducted the assessment via video conference across multiple days to accommodate the time difference.

1.5.3

High proportion of recommendations accepted by assessment targets

Yes

  • 100% of recommendations were accepted by the business or agency being assessed.
  • The identification of privacy risks and resulting recommendations are proactively and openly communicated by the OAIC throughout assessments to promote discussion about how the business or agency being assessed can mitigate those risks.

1.5.4

Key assessment outcomes and lessons learnt are publicly communicated where appropriate

Yes

  • We published privacy assessment reports on our website in full or with minimal redactions where appropriate.
  • We published summary reports to communicate the outcome of assessments that involve confidential material. For example, we published a summary report of our assessments of information disclosures to law enforcement agencies at Telstra, Optus, Vodafone and iiNet.

Response to Corporate Plan Activity 1.6 — Provide a privacy public information service
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.6.1

90% of written enquiries are finalised within 10 working days*

No

Target not met:

  • 74% of written privacy enquiries were finalised within 10 working days. Enquirers were notified of any delay at the time. This represents a decline from the 2016–17 response rate of 78% finalised within 10 working days. An increase in the complexity and volume of enquiries, as well as staff turnover, affected our ability to meet this target in 2017–18. See the ‘Enquiries’ section on page 48 for more information

1.6.2

New community, legal and other networks are identified for targeted promotion of the public information service

Yes

Target met:

  • The OAIC promoted its information services for privacy related matters through outreach activities and community events, social media, in media statements and on our website
  • In 2017–18, this included attending the Sydney Disability Expo, and holding a community stall during Privacy Awareness Week to promote individuals’ right to access their credit files and to answer questions about our services
  • The OAIC also arranged staff training by the Federation of Ethnic Communities’ Council of Australia about how to better engage with culturally and linguistically diverse communities
  • Privacy determinations, resources and updates were highlighted for privacy professionals and members of the public in our regular OAICnet and Privacy Professionals’ Network email newsletters

Response to Corporate Plan Activity 1.7 — Promote awareness and understanding of privacy rights in the community
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.7.1

Increase in media and social media mentions about privacy rights

Yes

  • In 2017–18 there were 317 media mentions generated by media enquiries; an increase of 24% when compared to the 255 media mentions in 2016–17.
  • There were 2,851 online media mentions and 4,400 social media mentions of privacy rights and the OAIC.

1.7.2

Awareness and understanding about privacy rights and the role of the OAIC is improved

Yes

  • The large number of media and social media mentions reported above demonstrates a strong awareness and understanding of privacy rights in the community.
  • This is supported by external consumer research undertaken throughout the year. For example, the Consumer Policy Research Centre’s 2018 Consumer data & the digital economy report showed that 67% of Australians reported reading a privacy policy/terms and conditions for one or more services/products they signed up to in the past 12 months. This is compared to the finding in the OAIC’s 2017 Australian Community Attitudes to Privacy Survey that 61% of people do not regularly read online privacy policies.
  • The 18% increase in the number of privacy complaints and 16% increase in the number of privacy enquiries that we received in 2017–18 indicates a growing awareness of the role of the OAIC.

1.7.3

Increase in attendance numbers and positive feedback from public facing events

Yes

  • In 2017–18, the OAIC focused on the July Data + Privacy Asia Pacific conference as our major public facing event. The conference had 274 attendees. The average rating for the quality of session content was 4.42/5, and the average rating for the overall event experience was 4.25/5.
  • The OAIC’s NDB scheme webinar on 21 November 2017 was viewed live by 1,170 people. This included registrants from 10 countries, as well as Australia. The webinar is available on our website and as at 30 June 2018 had been viewed more than 2,000 times.
  • The OAIC’s showcase public facing event during Privacy Awareness Week — the business breakfast — had 154 attendees. Extra tickets were released after the event sold out early, with a substantial waitlist.
  • The OAIC held a number of other small public facing events throughout 2017–18, including a Privacy as a Career event at the University of Technology Sydney, and a debate at the Queensland University of Technology.

1.7.4

The OAIC’s website is accessible for individuals and contains targeted content about privacy rights

Yes

  • The OAIC’s website contains a number of web accessibility improvements and we continually look for further ways that these can be enhanced.
  • For example, in 2017–18 we introduced a ‘mega-menu’, which assists users to find content more easily. We also introduced ReadSpeaker, which is a naturalistic text-to-speech reader.
  • In 2017–18 we commenced a project to redevelop our website. One of the aims of this project is to revise content for individuals, to make it easier to find and understand. The OAIC’s new website will launch in 2018–19.

Response to Corporate Plan Activity 1.8 — Develop legislative instruments
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

1.8.1

Applications for Public Interest Determinations and Australian Privacy Principles codes are considered and responded to in a timely manner

Yes

  • The OAIC did not receive any APP Code applications during the 2017–18 year. However, on 26 October 2017, the former Australian Information Commissioner developed and made the Privacy (Australian Government Agencies — Governance) APP Code 2017 (the Australian Government Agencies Privacy Code, or the Code). This code development process was initiated by a request made from the Australian Information Commissioner to the Department of Prime Minister and Cabinet in May 2017. The Code was to commence on 1 July 2018 and applies to all Australian Government agencies subject to the Privacy Act 1988 (except for ministers).
  • On 6 March 2018, the OAIC received an urgent application for a privacy Public Interest Determination (PID) from the Department of Home Affairs, which would vary the terms of Public Interest Determination No. 2, which had been in operation since 1991 and permitted the disclosure of Australian citizenship status information. In response, on 13 March 2018, the former Information Commissioner made the Privacy (Australian Honours System) Temporary Public Interest Determination 2018. The Information Commissioner is currently considering the Department of Home Affairs’ application for a longer-term public interest determination.

1.8.2

Legislative instruments are reviewed when necessary

Yes

  • The OAIC administers the Privacy (Credit Reporting) Code 2014 (CR Code), a legislative instrument, which regulates the handling of consumer credit reporting information in Australia. On 26 July 2017, following a tender process, the OAIC announced that it had contracted PricewaterhouseCoopers (PwC) to conduct an independent review of the operation of the CR Code. The independent review was required by paragraph 24.3 of the CR Code. The review sought feedback, through targeted and public consultation, on issues arising with regard to the interaction between the CR Code and the Privacy Act; significant issues or concerns about the practical operation of the CR Code and any requirements of the CR Code which had not been complied with in practice. PwC’s final report was published on 13 December 2017. The report made recommendations and gave feedback about a number of matters arising from the operation of the CR Code.
  • On 29 May 2018, following an application by the code developer, the Australian Retail Credit Association, the then acting Australian Information Commissioner and acting Privacy Commissioner approved a variation of the CR Code under section 26T of the Privacy Act. The variations addressed recommendations and feedback in the PwC review. The varied CR Code was scheduled to commence on 1 July 2018.

Freedom of information Performance Measures

Response to Corporate Plan Activity 2.1 — Develop the FOI capabilities of Australian Government agencies and ministers, and promote FOI best practice
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

2.1.1

Tools and guidance are updated to assist Australian Government agencies to comply with the Information Publication Scheme (IPS)

Yes

  • In 2017–18 the OAIC conducted an IPS survey of all Australian Government agencies. The survey reviewed the operation of the IPS in agencies and also provided agencies with an opportunity to comply with the requirement to conduct a review under section 9 of the FOI Act.

2.1.2

Guidance and resources are reviewed and updated to assist Australian Government agencies and ministers to apply the FOI Act

Yes

  • The former Information Commissioner reissued Parts 3, 7, 10 and 11 of the Guidelines under section 93A of the FOI Act, which agencies and ministers must have regard to when performing a function or exercising a power under the FOI Act (FOI Guidelines).
  • In June 2018, the then acting Information Commissioner also undertook public consultation on the revised Agency Resource 14 — Access to government information — administrative access.

2.1.3

The majority of OAIC’s stakeholders receiving information are satisfied with the content and delivery

Yes

  • In 2017–18, the OAIC met with various government agencies to discuss issues affecting the FOI jurisdiction.
  • The OAIC issues a monthly e-newsletter to Government FOI contact officers subscribed to the Information Contact Officer Network (ICON), which provides news, updates and information about FOI. The average click-through rate for these monthly newsletters is 33.5%.
  • The OAIC also issues a monthly e-newsletter to subscribers of OAICnet, which provides news and updates in relation to the OAIC, information about upcoming events, and recent privacy determinations and Information Commissioner review decisions.
  • On 27 March 2018, the OAIC held an ICON information session and provided an update about the recent achievements and the priorities of the OAIC in the FOI jurisdiction. Agencies who attended the ICON information session provided positive feedback regarding the delivery and the content.

Response to Corporate Plan Activity 2.2 — Conduct Information Commissioner (IC) reviews
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

2.2.1

80% of IC reviews are completed within 12 months*

Yes

  • The OAIC completed 84.1% of IC reviews within 12 months.
  • We used alternative dispute resolution methods and early appraisal to clarify at an early stage the issues to be resolved or the information to be provided by either party in support of their claims or submissions. This included reviewing the material submitted by both parties and providing a preliminary view as to the merits of the case to the relevant party. The party then has the opportunity to make further submissions or take other action as may be appropriate (withdrawal of the IC review application or issuance of a section 55G revised decision).
  • We facilitated the early resolution of Information Commissioner Reviews by assisting the parties to reach an agreement about the outcome of the IC Review pursuant to section 55F of the FOI Act, including by arranging teleconferences between parties where appropriate.
  • We used our regulatory powers under the FOI Act to ensure efficient and timely processes. The Information Commissioner issued a ‘Direction as to certain procedures to be followed in IC reviews’ under section 55(2)(e)(i) of the FOI Act setting out the particular procedures that agencies and ministers must follow in respect of the production of documents, the provision of a statement of reasons where access has been deemed to be refused and the provision of submissions (including when the OAIC will accept submissions in confidence).
  • We updated Part 10 of the FOI Guidelines, to which agencies must have regard in performing a function or exercising a power under the FOI Act, to reflect legislative amendments, developments and discussions in recent IC review decisions and Information Commissioner processes in carrying out IC review functions. Part 10 sets out in detail the process and underlying principles of IC review.
  • There are 123 Commissioner-issued IC review decisions made under section 55K of the FOI Act published on AustLII. These decisions help agencies interpret the FOI Act and provide guidance on the exercise of their powers and functions by addressing novel issues as well as building on existing jurisprudence which shapes the FOI jurisdiction.
  • We published an FOI regulatory action policy that outlines our approach to using our IC review powers. The policy should be read together with Part 10 of the FOI Guidelines.
  • We reviewed and updated the SmartForm used by applicants to seek an IC review online.
  • We developed staff capacity to identify matters that can be resolved quickly and informally through early resolution processes, whether it be through agreement or negotiation, case appraisals/preliminary views as well as identifying significant matters which should proceed to a Commissioner decision.

Response to Corporate Plan Activity 2.3 — Investigate FOI complaints and conduct Commissioner initiated investigations
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

2.3.1

80% of FOI complaints finalised within 12 months*

Yes

  • 83% of FOI complaints finalised during the year were completed within 12 months of receipt.
  • We identified at an early stage whether a complaint is the appropriate mechanism where IC review is available.
  • We used early appraisal to clarify at an early stage the issues to be resolved or the information to be provided by either party in support of their claims or submissions.
  • We published an FOI Regulatory Action Policy, providing detailed information about our approach to the exercise of our FOI functions, including complaint handling. The policy should be read together with the FOI Guidelines.
  • We updated Part 11 of the FOI Guidelines, to which agencies must have regard in performing a function or exercising a power under the FOI Act, to reflect the publication of the FOI Regulatory Action Policy. Part 11 sets out in detail the complaint handling process.

2.3.2

80% of FOI related Commissioner initiated investigations finalised within 8 months[*]

N/A[*]

  • No FOI related Commissioner initiated investigations began in 2017–18.

[*] A Measure that is considered Not Applicable for that reporting year, for whatever reason, is recorded towards achieving the Performance Measure.

Response to Corporate Plan Activity 2.4 — Provide an FOI public information service
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

2.4.1

90% of FOI written enquiries are finalised within 10 working days*

No

Target not met:

  • 88% of written enquiries were finalised within 10 working days. Enquirers were notified of any delay at the time
  • The response rate of 88% finalised within 10 working days was maintained from 2016–17. Staff turnover and increase in overall volume of enquiries affected our ability to meet this target in 2017–18

2.4.2

New community, legal and other networks are identified for targeted promotion of the public information service

Yes

  • Staff from the OAIC’s FOI team promoted its public information service at the Sydney Disability Expo in May 2018.
  • The OAIC held an Information Contact Officer Network (ICON) information session in March 2018.
  • Members of the FOI team participated in FOI practitioner forums hosted by the Australian Government Solicitor throughout the year.
  • The OAIC launched a ‘Right to Know’ day website in September 2017 which highlighted access to information and included a social media campaign and a video from the Information Commissioner on the theme ‘Why Freedom of Information matters to all Australians’.
  • Information access issues, recent decisions and resource updates were highlighted for agency staff and members of the public in regular OAICnet and ICON email newsletters.
  • Staff are working with other Information Commissioner offices to develop an optimal set of principles to inform FOI laws.

Response to Corporate Plan Activity 2.5 — Promote awareness and understanding of information access rights in the community
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure

2.5.1

Increase in media and social media mentions about information access rights

Yes

  • In 2017–18, there were 345 online media mentions and 428 social media mentions of information access rights and the OAIC.

The work that we did to achieve these mentions included:

  • Conducting a campaign for ‘Right to Know Day 2017’, which included launching a Right to Know website, with a video welcome from the then Information Commissioner on ‘Why Freedom of Information matters to all Australians’, as well as social media tips and posters
  • Using Twitter to highlight Information Awareness Month (May 2018)
  • Participating in the Association of Information Access Commissioners (AIAC), which is an important way for the Australian Information Commissioner and staff to engage with other Information Commissioners. These meetings are held every six months and allow Information Commissioners to exchange ideas and experiences gained from the range of information access jurisdictions across Australia

2.5.2

The OAIC’s website is accessible for individuals and contains targeted content about information access rights

Yes

  • The OAIC’s website contains a number of web accessibility improvements and we continually look for further ways that these can be enhanced.
  • For example, in 2017–18 we introduced a ‘mega-menu’, which assists users to find content more easily. We also introduced ReadSpeaker, which is a naturalistic text-to-speech reader.
  • In 2017–18 we commenced a project to redevelop our website. One of the aims of this project is to revise content for individuals, to make it easier to find and understand. The OAIC’s new website will launch in 2018–19. Throughout 2017–18 the OAIC has revised and updated its information access resources, including Fact Sheets and FAQs, to make them more accessible to all members of the community, including for culturally and linguistically diverse groups.

Privacy

The Privacy Act 1988 (Privacy Act) requires Australian Government agencies and private sector organisations to follow a set of rules when collecting, using and storing individuals’ personal information. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. The most obvious example is a name; other examples include an address, a date of birth, a photograph of the person’s face, or a record of their opinions and views.

Additional information regarding privacy statistics is included at Appendix C on page 148.

Australian Privacy Principles

The Privacy Act includes 13 Australian Privacy Principles (APPs), which set out standards for business and government agencies managing personal information.

APP 1 — Open and transparent management of personal information

APP 2 — Anonymity and pseudonymity

APP 3 — Collection of solicited personal information

APP 4 — Dealing with unsolicited personal information

APP 5 — Notification of the collection of personal information

APP 6 — Use or disclosure of personal information

APP 7 — Direct marketing

APP 8 — Cross-border disclosure of personal information

APP 9 — Adoption, use or disclosure of government related identifiers

APP 10 — Quality of personal information

APP 11 — Security of personal information

APP 12 — Access to personal information

APP 13 — Correction of personal information

Privacy enquiries

We provide information about privacy issues and privacy law to the public.

The OAIC experienced a 16% increase in privacy enquiries on the previous year. We answered 14,928 telephone calls related to privacy, and responded to 4,452 written privacy enquiries. We also assisted 27 in-person privacy enquiries.

The OAIC continues to see a broad range of enquiries from the community. Over half of all privacy phone enquiries received concerned the operation of the Australian Privacy Principles. The growth in enquiries indicates a continuation of the year-on-year trend of increased awareness about privacy issues, and a desire by individuals to exercise their rights.

The introduction of the Notifiable Data Breaches scheme has also contributed to an increase in enquiries received by the OAIC, and reflects the work the OAIC does in supporting entities to comply with their obligations.

As a part of our Memorandum of Understanding (MOU) with the ACT Government we continued to provide privacy services to ACT public sector agencies including handling privacy complaints in relation to the Information Privacy Act 2014 and its Territory Privacy Principles (TPPs) and responding to enquiries from the public.

Case study 1 — An individual’s personal information is involved in a data breach

An enquirer received an email notifying them of a data breach from an organisation where they had applied for work, and contacted the OAIC for information about what they should do in response to the email.

We explained that under the Notifiable Data Breaches scheme, an organisation that experiences a data breach involving personal information must assess the breach and, where it is likely to result in serious harm to the individuals concerned, notify those individuals and the OAIC. We referred the enquirer to guidance on our website on steps they could take to prevent identity fraud in the event of a data breach, and also referred them to a security support service.

The enquiries officer also explained that organisations are required to take reasonable steps under Australian Privacy Principle 11 to ensure the security of personal information, and the steps the individual could take to lodge a privacy complaint.

Case study 2 — A health service provider seeks information on clients’ right to access information

A psychologist contacted the OAIC about a request from a client for access to their personal information. The client had attended couple’s counselling with their partner, and then individual sessions.

One of the individuals requested the psychologist provide access to all of the records for both their individual sessions, as well as the couple’s sessions. The psychologist asked about the individual’s right of access to these records.

We provided information on the application of APP 12 — Access to personal information, including APP 12.3(b), where providing access may have an unreasonable impact on the privacy of other individuals. We gave the enquirer information about a best privacy practice approach and referred them to the OAIC’s APP Guidelines for more detailed guidance.

Issues regarding privacy enquiries

In 2017–18 the most common privacy enquiries to our office were about the use and disclosure of someone’s personal information (APP 6) followed by access (APP 12) and collection of personal information (APP 3).

Table 1 — Phone enquiries about the APPs
Issues  Number
APP 1 — Open and transparent management 48
APP 2 — Anonymity and pseudonymity 13
APP 3 — Collection 991
APP 4 — Unsolicited personal information 9
APP 5 — Notification of collection 637
APP 6 — Use or disclosure 1560
APP 7 — Direct marketing 159
APP 8 — Cross-border disclosure 60
APP 9 — Government identifiers 5
APP 10 — Quality of personal information 53
APP 11 — Security of personal information 882
APP 12 — Access to personal information 1351
APP 13 — Correction 145
APPs — Exemptions 975
APPs — Generally 980

We also received a number of questions related to other privacy issues, reflecting the broad range of matters the OAIC regulates.

The table below categorises these enquiries.

Table 2 — Other phone enquiries regarding privacy
Issues  Number of calls
Credit reporting 904
Data breach notification (voluntary) 229
Data–matching 1
Healthcare Identifier 1
My Health Records 9
Notifiable Data Breaches (NDB) scheme 513
National Privacy Principles 4
Privacy codes 30
Spent convictions 102
Tax file numbers 31
Territory Privacy Principles 23

Privacy complaints

In 2017–18 the OAIC continued to provide an effective and efficient complaints service, investigating and resolving complaints by individuals about the possible mishandling of personal information under the Privacy Act and other relevant laws.

The OAIC handles complaints made about interferences with privacy under the APPs, any registered APP code, as well as matters relating to consumer credit reporting. We also resolve complaints about the handling of other information such as tax file numbers, spent convictions, data-matching and healthcare identification information.

In 2017–18 we received 2,947 privacy complaints. This is an 18% increase on the number of complaints we received last year, and follows on from a 17% increase in complaints in 2016–17, indicating a continuing awareness by individuals about their privacy rights, and a willingness by individuals to take steps to protect their personal information.

The implementation of the Notifiable Data Breaches scheme on 22 February 2018, and the commencement of the EU General Data Protection Regulation on 25 May 2018, have also shone a spotlight on personal privacy, leading to increased engagement by individuals.

Alongside this increase in complaints, the OAIC finalised 2,766 complaints during the period. This is an 11% increase on the number of complaints we closed last year, and follows on from a 22% increase in finalisations in 2016–17.

As part of an MOU with the ACT Government, we continue to provide privacy services to ACT public sector agencies including handling privacy complaints in relation to the Information Privacy Act 2014 and its 13 Territory Privacy Principles.

Figure 1 — Complaints received per month — the past three years

Graph generally shows an increase in the number of complaints received per month over the last three years.

Figure 2 — Complaints closed per month — the past three years

Graph generally shows an increase in the number of complaints closed per month over the last three years.

Issues regarding privacy complaints

The majority of complaints we receive (70%) are about the handling of personal information under the APPs.

The most common issues raised in complaints about the APPs were:

  1. APP 6 — Use or disclosure of personal information
  2. APP 11 — Security of personal information
  3. APP 12 — Access to personal information
  4. APP 3 — Collection of personal information
  5. APP 10 — Quality of personal information

In 2017–18, 14% of the complaints we received were about credit reporting (slightly down from 16% the previous year). This reflects the continuing role of external dispute resolution schemes in resolving complaints about credit reporting matters.

More information is available in Appendix C.

Sectors

Privacy complaints can cover a broad range of sectors. The top six sectors remain unchanged from the 2016–17 results. The top 10 complaints by sector are:

Table 3 — Top 10 sectors by complaints received
Sector  Number
Finance (including superannuation) 398
Health service providers 321
Australian Government 305
Telecommunications 244
Credit reporting bodies 173
Retail 147
Online services 142
Utilities 120
Debt collectors 116
Insurance 104

Case study 3 — Failure to protect personal information by an Australian Government agency

The complainant was notified by the respondent, an Australian Government agency, that a computer containing their personal information had been stolen from an office where it had not been stored securely.

The OAIC investigated the alleged failure to protect the complainant’s personal information from misuse and loss. The matter was resolved by conciliation. The respondent provided the complainant with $1,600 in compensation.

Case study 4 — Disclosure of medical information to a third party

The complainants, a couple, became aware that the respondent, a medical centre, had disclosed their entire medical files to their insurer, including personal information that was not relevant to their insurance claim.

The matter was investigated and successfully conciliated by the OAIC. The respondent provided the complainants with a letter of apology, placed its privacy policy in its rooms and on its website, changed its procedures to ensure that a similar incident would not happen in the future, and provided $5,000 to each of the complainants.

Resolving complaints

In 2017–18, we substantially improved the average time taken to close a complaint from 4.7 months to 3.7 months. During this period, 97% of all privacy complaints were resolved within 12 months of receipt, an improvement on last year.

During 2017–18 we trialled an early resolution process, with a focus on bringing the parties together at an early stage to see if matters could be resolved by agreement. This approach has assisted parties to attain outcomes in a more timely manner, which is reflected in the improvement in the average time taken to close a complaint.

Matters that are unable to be resolved via the early resolution process proceed for further inquiries or investigation, and some are formally conciliated. Where complaints resolve through conciliation, many positive and innovative outcomes are achieved, and parties demonstrate a high level of satisfaction with the outcome.

To support the work of the teams in resolving complaints, we provide staff with conciliation training, and have a number of staff accredited under the National Mediator Accreditation Standards (NMAS).

Most privacy complaints are closed on the basis that the respondent has not interfered with the individual’s privacy, or on the basis that the respondent has adequately dealt with the complaint.

In 2017–18, the main remedies achieved in complaints were:

  1. Record amended
  2. Compensation
  3. Access provided
  4. Other or confidential
  5. Apology

More information is available in Appendix C.

Case study 5 — Security and disclosure of personal information by a bank

The complainant was a customer of the respondent, a bank. There was fraudulent activity on the complainant’s account. While the respondent was investigating the fraud, it misdirected an email meant for the complainant to a third party.

The complainant claimed the respondent interfered with their privacy by inappropriately disclosing personal information in the email, and failing to take reasonable steps in the circumstances to protect the personal information from unauthorised access and disclosure.

The OAIC conciliated the complaint, and the parties agreed to settle the matter on the basis that the respondent pay $7,000, and follow up with the police about the progress of the fraud investigation. The amount of compensation reflected that the incident had also impacted another member of the complainant’s family.

Case study 6 — Disclosure of personal information by an insurance assessor

There was a fire at a house in which the complainant lived. The insurer sent a loss assessor (the respondent) to inspect the property. The respondent provided a report of the incident to the complainant’s insurer, who passed it on to the complainant.

The complainant claimed that the respondent interfered with their privacy by amending the report and then disclosing it to the complainant’s real estate agent. The complainant alleged that the amended report was used by the real estate agent in a way that caused the complainant distress.

The OAIC conciliated the complaint, and the parties agreed to settle the matter on the basis that the respondent pay $2,000 in compensation. The respondent had previously apologised to the complainant.

Early resolution

The OAIC’s early resolution pilot was established in 2017. It brings the parties together at an early stage, to see if matters can be resolved by agreement between the parties. The process has reduced our initial response times and contributed to an increase in the number of complaints closed. In 2017–18, 53% of all complaints finalised were closed through our early resolution process.

Case study 7 — Failure by telecommunications provider to protect personal information from unauthorised access

The complainant had a mobile phone account with the respondent, a telecommunications provider. The complainant’s phone stopped working, and when they contacted the respondent they discovered the phone number had been ported (transferred to a different mobile provider) without their knowledge.

The matter was resolved through the OAIC’s Early Resolution Process, in which the respondent contacted the complainant directly to discuss the matter, reversed the port, offered three months free service and apologised.

Community and sector engagement

An important part of our role is interacting with key industry and community stakeholders, including government bodies and external dispute resolution schemes, about recurring or significant issues arising in complaints.

External Dispute Resolution schemes

The Information Commissioner can recognise external dispute resolution (EDR) schemes to handle particular privacy-related complaints (section 35A of the Privacy Act). The EDR schemes currently recognised are:

  • Credit and Investments Ombudsman (CIO)
  • Energy & Water Ombudsman NSW (EWON)
  • Energy & Water Ombudsman Queensland (EWOQ)
  • Energy & Water Ombudsman SA (EWOSA)
  • Energy and Water Ombudsman Victoria (EWOV)
  • Energy and Water Ombudsman Western Australia (EWOWA)
  • Financial Ombudsman Service (FOS)
  • Public Transport Ombudsman Victoria (PTO)
  • Telecommunications Industry Ombudsman (TIO)
  • Tolling Customer Ombudsman (TCO)

Community outreach

In 2017–18, we attended community outreach events to promote awareness of the privacy complaint functions of our office, and the ways in which individuals can access or protect their personal information and consumer credit reporting information. These events included the Sydney Disability Expo and a Privacy Awareness Week stall with the Australian Retail Credit Association.

During the year, we also continued to increase media and social media coverage about our complaint handling function with targeted messaging around the complaints process and privacy issues that may be of public interest.

Determinations

Under section 52 of the Privacy Act, the Commissioner may make determinations in relation to privacy complaints. The Commissioner may also make determinations in relation to privacy Commissioner initiated investigations (CIIs).

In 2017–18, three privacy determinations were made by the Commissioner. Two of these determinations included findings that the respondents had not interfered with the individual’s privacy, and the complaints were therefore dismissed under section 52(1)(a) of the Privacy Act.

Determination: ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018)

The Commissioner found that United Super Pty Ltd as Trustee for Cbus (Cbus) interfered with the privacy of class members by disclosing their personal information to an external organisation for a secondary purpose without their consent.

Under section 52(1)(b)(iii) of the Privacy Act the Commissioner may make a declaration that the complainant is entitled to a specified amount by way of compensation. In this instance, however, the Commissioner considered the most appropriate form of redress to the class members was a public apology.

The Commissioner also made a declaration that Cbus should provide written confirmation to the OAIC that certain corrective measures proposed after the breach were adopted and implemented by Cbus, and then to undertake a review of those measures and confirm in writing the findings and outcomes of that review.

Determination: ‘PA’ and Department of Veterans’ Affairs (Privacy) [2018] AICmr 50 (23 March 2018)

The complainant alleged that the disclosure of their personal information by the Department of Veterans’ Affairs (the Department) for inclusion in a database to assist in health research projects was a breach of APP 6 — Use or disclosure of personal information.

Section 95 of the Privacy Act allows an agency to commit an act that would breach an APP provided it is done in the course of medical research and in accordance with medical research guidelines approved by the Commissioner.

The Commissioner found that the medical research exemption applied in this case, as the disclosure of personal information occurred in the course of medical research, and in accordance with guidelines issued by the National Health and Medical Research Council. Therefore the Department did not interfere with the complainant’s privacy.

Determination: ‘OJ’ and Department of Home Affairs (Privacy) [2018] AICmr 35 (19 March 2018)

The complainant alleged that the Department of Home Affairs (the Department) had interfered with his privacy by disclosing his personal information to the Department of Human Services Victoria (DHSV) in, or around, 2013 (the DHSV complaint), and to the television show, A Current Affair (ACA) in July 2014 (the ACA complaint).

The Department advised that it disclosed the complainant’s personal information to DHSV in compliance with a subpoena. The Commissioner found that the disclosure was required by law and therefore fell within the exception in Information Privacy Principle (IPP) 11.1(d). The IPPs, rather than the APPs, applied to this part of the complaint because the disclosure pre-dated the commencement of the APPs on 12 March 2014.

As the ACA complaint was against the Department, not the Minister of Home Affairs (the Minister), the Commissioner could only consider the Department’s use of personal information and its disclosure to the Minister’s office. He was unable to consider the disclosure to ACA by the Minister.

The Commissioner found the use and disclosure of personal information was made for the purpose of discharging the Secretary of the Department’s obligation under the Public Service Act 1999 to provide the Minister with advice. As the conduct was required by law, it fell within the exception to APP 6, set out in APP 6.2(b).

Data breach notifications

Notifiable Data Breaches scheme

The NDB scheme commenced on 22 February 2018, following changes to the Privacy Act in 2017. Under the NDB scheme, Australian Government agencies and organisations that already have personal information security obligations under the Privacy Act must notify individuals who are likely to be at risk of serious harm as a result of a data breach, and must also notify the OAIC.

Our responsibilities under the NDB scheme include:

  • Receiving notifications of eligible data breaches
  • Encouraging compliance with the scheme, including handling complaints and taking regulatory action in response to instances of non-compliance
  • Offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme

In February 2018, we published a new resource on data breaches — ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)’. This resource combines best practice advice for preparing for and responding to data breaches, as well as specific information for agencies and organisations about how to comply with the NDB scheme.

We have also published resources for individuals that have received a notification under the NDB scheme. These are available on our website, and are intended to assist individuals to take steps to reduce the risk of experiencing harm as a result of a data breach.

The OAIC reviews each notice received under the NDB scheme to consider whether the data breach has been contained, that the agency or organisation has taken reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm, and that the entity is taking reasonable steps to minimise the likelihood of a similar breach occurring again.

Since the introduction of the NDB scheme in February 2018, there has been an increasing number of notifications made to the OAIC. This demonstrates that agencies and organisations are aware of their obligations.

More detailed information about data breaches reported under the NDB scheme is contained in our NDB Quarterly Statistics Reports, available on our website.[1]

Voluntary data breaches

Prior to the introduction of the NDB scheme, the OAIC administered a voluntary data breach notification scheme. This allowed businesses and agencies to self-report possible privacy breaches to the OAIC. The OAIC continues to register voluntary data breach notifications for incidents that do not fall within the scope of the NDB scheme. These include data breaches that occurred prior to 22 February 2018, or incidents that do not involve businesses or agencies that are regulated by the scheme.

Table 4 — NDB, voluntary and mandatory My Health Records notifications
Year  2015–16  2016–17  2017–18
Total 123 149 507
Notifiable data breaches (NDB) - - 305
Voluntary notifications 107 114 174
Mandatory notifications (My Health Records Act 2012) 16 35 28

In 2017–18, the number of voluntarily reported data breaches continued to grow, with voluntary notifications up 53% on the previous year, well above the 29% increase reported in 2016–17. Alongside this, the OAIC met its overall target for finalising data breach notifications: 99% of notifications under the NDB scheme and 97% of voluntary data breach notifications were finalised within 60 days.

The increase in voluntary notifications can be explained, at least in part, by the OAIC’s activities in raising awareness of the introduction of the NDB scheme in 2018, as well as global regulatory developments which focused on the importance of entities understanding and responding to data breaches.

We also administer a mandatory scheme for digital health data breaches. For further information, refer to the Annual Report of the Australian Information Commissioner’s activities in relation to digital health 2017–18 (available on the OAIC website no later than 28 November 2018).

Privacy Commissioner initiated investigations

Section 40(2) of the Privacy Act enables an investigation of an act or practice that may be an interference with privacy, to take place on the Commissioner’s own initiative. This power is used to investigate possible privacy breaches that have come to our attention other than by way of an individual privacy complaint.

Privacy Commissioner initiated investigations (CIIs) are often conducted in response to incidents of significant community concern or discussion, or in response to notifications from third parties about potentially serious privacy problems. They may also be conducted in response to notifications about data breaches. Our key objective in undertaking a CII is improving the privacy practices of investigated entities.

The Commissioner may also decide to discontinue an investigation. This may be in matters where the Commissioner is satisfied that there has not been an interference with privacy, or the matter has been adequately dealt with by the respondent or that no further regulatory action is warranted under the circumstances.

The Privacy Act provides the Commissioner with the power to accept an ‘enforceable undertaking’ offered by a respondent. Three enforceable undertakings were offered by respondents in 2017–18 following a CII.

In 2017–18, we conducted preliminary inquiries or commenced an investigation in relation to 21 matters. In some matters more than one respondent was identified, which is reflected in the number of CIIs. In April 2018, the OAIC commenced an investigation into the acts and practices of Facebook, in relation to allegations that the personal information of Facebook users had been improperly collected by third party applications. As at the end of the 2017–18 financial year, this investigation was ongoing.

Table 5 — Privacy CIIs
Year  Number of CIIs
2015–16 17
2016–17 29
2017–18 21

The average time taken to close a CII in 2017–18 was 163 days (approximately 23 weeks). The OAIC did not meet its target of finalising 80% of CIIs within eight months, closing 72% within that period. The OAIC remains committed to working with respondents to resolve issues of non-compliance and improve privacy practices.

Case study 8 — Accidental disclosure of health information by a third-party provider

In October 2016, the Australian Red Cross Blood Service (the Blood Service) was notified that a data file, which contained the personal information of approximately 550,000 prospective blood donors entered into the Blood Service’s website, had been saved to a public-facing web server. The Blood Service immediately took steps to contain the breach, including temporarily closing the website and notifying individuals whose personal information had been involved.

The subsequent investigation found that the file had been inadvertently placed by an employee of a third-party provider, Precedent Communications Pty Ltd (Precedent), on a publicly accessible portion of a web server managed by Precedent. The investigation also found that the Blood Service did not have appropriate measures in place to protect information concurrently held by third-party providers, and did not take reasonable steps to destroy or de-identify information collected through the Blood Service website once it was no longer needed.

Following the incident, the Blood Service took numerous steps to enhance its information handling practices and offered an enforceable undertaking to commit to reviewing its compliance with, and the effectiveness of, its third party management policy and operating procedure within a six month period.

In response to this incident, Precedent invested in improving its information handling practices, and offered an enforceable undertaking to commit to strengthening its information security measures; improving its privacy management policies, statement and procedures; and improving staff privacy training.
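Two of the findings above, a data file left under a public-facing web server and information kept after it was no longer needed, can be checked for mechanically. The Python below is an added example, not tooling from the OAIC, the Blood Service or Precedent; the web-root layout, the extension list, the content signatures and the 30-day retention period are assumptions chosen for illustration, and `build_constructed_webroot` creates a throwaway directory of constructed sample files so the sweep runs offline.

```python
"""Added example (not the OAIC's, the Blood Service's or Precedent's tooling):
sweep a public web root for files that look like bulk data exports and for
exports held past an assumed retention period. All paths, extensions,
signatures and the retention window are assumptions for illustration."""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: these extensions have no business under a public web root.
DATA_EXTENSIONS = {".csv", ".sql", ".xlsx", ".json", ".bak", ".zip", ".db", ".sqlite"}
# Assumption: content signatures for SQL dumps, checked when the extension looks innocuous.
SQL_DUMP_RE = re.compile(rb"^\s*(--\s*(MySQL|PostgreSQL) dump|CREATE TABLE|INSERT INTO)", re.I)
CSV_MIN_COLUMNS = 4          # a first line with this many comma-separated fields is CSV-like
RETENTION_DAYS = 30          # assumed window after which collected form data should be gone


@dataclass
class Finding:
    path: str                                   # relative to the web root, '/'-separated
    reasons: List[str] = field(default_factory=list)


def looks_like_export(path: str) -> Optional[str]:
    """Return why a file looks like a data export, or None if it does not."""
    ext = os.path.splitext(path)[1].lower()
    if ext in DATA_EXTENSIONS:
        return f"data-like extension {ext}"
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    if SQL_DUMP_RE.search(head):
        return "SQL dump signature in content"
    first_line = head.split(b"\n", 1)[0]
    # Markup starts with '<'; a comma-heavy first line that does not is treated as a CSV header.
    if not first_line.lstrip().startswith(b"<") and first_line.count(b",") + 1 >= CSV_MIN_COLUMNS:
        return "CSV-like first line"
    return None


def sweep_webroot(root: str, now: Optional[float] = None,
                  retention_days: int = RETENTION_DAYS) -> List[Finding]:
    """Walk the web root; report export-like files, and which of them exceed retention."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = looks_like_export(full)
            if reason is None:
                continue
            finding = Finding(os.path.relpath(full, root).replace(os.sep, "/"),
                              [f"possible data export: {reason}"])
            if os.path.getmtime(full) < cutoff:
                finding.reasons.append(f"older than {retention_days}-day retention")
            findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def findings_by_path(findings: List[Finding]) -> Dict[str, List[str]]:
    return {f.path: f.reasons for f in findings}


def build_constructed_webroot() -> str:
    """Create a throwaway web root of constructed files: a harmless page, a CSV of
    form submissions backdated 90 days, and a SQL dump hiding behind a .txt name."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Constructed donor sign-up page</body></html>\n")
    csv_path = os.path.join(root, "uploads", "donors.csv")
    with open(csv_path, "w") as fh:
        fh.write("first_name,surname,dob,email,phone\n")
        fh.write("Sample,Donor,1980-01-01,sample@example.org,0000000000\n")   # constructed row
    old = time.time() - 90 * 86400
    os.utime(csv_path, (old, old))
    with open(os.path.join(root, "export.txt"), "w") as fh:
        fh.write("-- MySQL dump 10.13 (constructed)\nCREATE TABLE donors (id INT);\n")
    return root


if __name__ == "__main__":
    for f in sweep_webroot(build_constructed_webroot()):
        print(f.path, "->", "; ".join(f.reasons))
```

The content check matters more than the extension list: a dump renamed to `.txt` is still served as a static file. Run against the document root of every public web host, including those operated by a third party on the entity's behalf, and treat each hit as something to delete or move, not merely to log.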

Case study 9 — Publication of a de-identified dataset

On 1 August 2016, the Department of Health (the Department) published a collection of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) data. The dataset contained claims information for a 10% sample of people who had made a claim for payment of Medicare Benefits since 1984, or for payment of Pharmaceutical Benefits since 2003. Prior to publication, the Department of Health had taken a range of steps to de-identify the data set. However, in September 2016 researchers from the University of Melbourne identified a weakness in the technique used to encrypt Medicare service provider numbers in the dataset, allowing the encryption to be reversed. The Department immediately removed the dataset from public access; the Commissioner opened an investigation into the incident to determine if a breach of the Privacy Act had occurred.

The investigation found that the Department of Health improperly disclosed the information of service providers, but did not improperly disclose the personal information of patients. The investigation also found that the steps taken by the Department of Health to confirm personal information was removed from the dataset prior to its publication were inadequate relative to the sensitivity of the information and the context of its release.

The investigation was concluded by an enforceable undertaking offered by the Department of Health and accepted by the Commissioner, which provides for the OAIC’s oversight of the Department of Health’s ongoing review and enhancement of its data governance arrangements.

The incident provided key lessons for custodians of datasets when considering de-identification. In particular, deciding whether information has been de-identified to an extent suitable for public release requires careful and expert evaluation and consideration of the context of release, and appropriate processes and expertise should sit behind any decision to release de-identified personal information.
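The reversal described above is a general failure mode of deterministic pseudonymisation over a small identifier space: an unkeyed transform can be recomputed for every possible identifier, and a keyed one falls if the key has little entropy. The Python below is an added illustration, not the scheme the Department of Health used (which the report does not describe); the identifier range, the SHA-256 and HMAC transforms, the `batch-N` candidate keys and the sample identifiers are all constructed for the example.

```python
"""Added example, not the Department of Health's scheme (which the report does
not describe): why a deterministic transform over an enumerable identifier
space is not de-identification. The identifier range, the transforms, the
sample identifiers and the candidate keys are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Assumption: the identifiers being pseudonymised are integers 1..99999. Any
# space an attacker can enumerate in seconds is "small" for this purpose.
ID_SPACE = range(1, 100_000)


def unkeyed_pseudonym(identifier: int) -> str:
    """Hypothetical weak scheme: a public, deterministic transform (a plain hash
    here) with no secret input. Looks random, but anyone can recompute it."""
    return hashlib.sha256(str(identifier).encode()).hexdigest()[:16]


def keyed_pseudonym(identifier: int, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a key held only by the custodian.
    Still a pseudonym (the custodian can re-identify), not anonymity."""
    return hmac.new(key, str(identifier).encode(), hashlib.sha256).hexdigest()[:16]


def build_reversal_table(transform: Callable[[int], str],
                         id_space: Iterable[int]) -> Dict[str, int]:
    """Attacker step 1: run the public transform over every possible identifier
    and index token -> identifier. Cost is one transform per candidate."""
    return {transform(i): i for i in id_space}


def reidentify(tokens: Iterable[str], table: Dict[str, int]) -> Dict[str, Optional[int]]:
    """Attacker step 2: look each published token up in the table."""
    return {tok: table.get(tok) for tok in tokens}


def recover_key_from_known_pair(identifier: int, token: str,
                                candidate_keys: Iterable[bytes]) -> Optional[bytes]:
    """If the key is drawn from a small space, a single known (identifier, token)
    pair, for example the attacker's own record, is enough to find it; the whole
    column then reverses exactly as in the unkeyed case."""
    for key in candidate_keys:
        if hmac.compare_digest(keyed_pseudonym(identifier, key), token):
            return key
    return None


def run_comparison() -> dict:
    """Run the three scenarios and return what the attacker learned in each."""
    published_ids = [42, 7_777, 99_123]            # constructed sample

    # 1. Unkeyed transform: full reversal by enumeration of ID_SPACE.
    weak_table = build_reversal_table(unkeyed_pseudonym, ID_SPACE)
    weak_hits = reidentify([unkeyed_pseudonym(i) for i in published_ids], weak_table)

    # 2. Keyed transform, 256-bit random key: the attacker's enumeration table is
    #    built without the key, so the published tokens match nothing in it.
    strong_key = secrets.token_bytes(32)
    strong_hits = reidentify([keyed_pseudonym(i, strong_key) for i in published_ids], weak_table)

    # 3. Keyed transform, low-entropy key (constructed: one of a hundred labels),
    #    plus one leaked pair: the key is recovered, then the column is rebuilt.
    low_entropy_key = b"batch-17"
    candidates = [f"batch-{n}".encode() for n in range(100)]
    leaked_id = published_ids[0]
    recovered = recover_key_from_known_pair(
        leaked_id, keyed_pseudonym(leaked_id, low_entropy_key), candidates)
    rebuilt = build_reversal_table(lambda i: keyed_pseudonym(i, recovered), ID_SPACE) if recovered else {}
    low_entropy_hits = reidentify([keyed_pseudonym(i, low_entropy_key) for i in published_ids], rebuilt)

    return {
        "unkeyed_recovered": sorted(v for v in weak_hits.values() if v is not None),
        "strong_key_recovered": sorted(v for v in strong_hits.values() if v is not None),
        "recovered_key": recovered,
        "low_entropy_recovered": sorted(v for v in low_entropy_hits.values() if v is not None),
    }


if __name__ == "__main__":
    for scenario, outcome in run_comparison().items():
        print(f"{scenario}: {outcome}")
```

The point is not that HMAC fixes the problem. Even under a strong key, every row carrying the same pseudonym remains linkable, the key holder can always reverse the column, and the other attributes in a row (dates, locations, service codes) can single a person out on their own. That is why the report's lesson is about expert evaluation of the release context rather than a choice of algorithm.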

Privacy assessments

In 2017–18 we assessed a range of sectors including loyalty programs, identity verification, telecommunications and government. We also conducted privacy assessments in the digital health sector. For more information on our digital health assessments, see page 69.

We use a range of methodologies to conduct our assessments, including comprehensive and in-depth review of policy documents, interviews with staff and site inspections. Consistent with last year, 100% of the OAIC’s recommendations were accepted, or planned for action, by the businesses and government agencies assessed.

Loyalty programs

We commenced two new assessments of loyalty programs in Australia in the 2016–17 financial year. These assessments examined how personal information is managed in accordance with APP 1 — Open and transparent management of personal information. The assessments also looked at whether sufficient notification to individuals is provided regarding the collection of their personal information in accordance with APP 5 — Notification of the collection of personal information. The assessments will be finalised, and made public, during the 2018–19 financial year.

Identity verification

In the 2016–17 financial year we commenced two assessments of Gateway Service Providers (GSPs) to the Document Verification Service (DVS) — VixVerify and Trulioo. The assessments examine how personal information collected through the DVS arrangement is handled by GSPs in accordance with APP 3 — Collection of solicited personal information and APP 5 — Notification of the collection of personal information. We finalised these assessments in the 2017–18 financial year, making one recommendation in each assessment. The assessment reports are published on our website. In 2017–18 we worked with the Department of Home Affairs to identify business users that will participate in our next assessment relating to the DVS, which will commence in 2018–19.

Telecommunications

Case study 10 — Handling of personal information disclosed under the Telecommunications (Interception and Access) Act 1979

In 2017–18 we finalised an assessment of whether iiNet was taking reasonable steps to protect personal information when responding to requests for access by law enforcement agencies, as required under the Telecommunications (Interception and Access) Act 1979 (TIA Act) and in accordance with APP 11 — Security of personal information. We had previously finalised similar assessments of Telstra, Vodafone and Optus. A combined summary report outlining the findings from each assessment is available on our website.

Case study 11 — Handling of personal information retained as part of the ‘data retention scheme’ under the Telecommunications (Interception and Access) Act 1979

In 2017–18 we began a series of assessments that consider whether certain telecommunications service providers are meeting their information security obligations under APP 11 — Security of personal information, with respect to the personal information they are required to retain under the ‘data retention scheme’ that came into full effect on 13 April 2017. We conducted the fieldwork for two assessments in 2017–18. These assessments will be finalised in 2018–19. Fieldwork for other assessments in this assessment series will commence in 2018–19.

Government

Passenger Name Record

Under our memorandum of understanding with the Department of Home Affairs we commenced a Passenger Name Record (PNR) data related assessment in the 2016–17 financial year which followed up the implementation of recommendations made in a previous assessment undertaken in 2015. The 2016–17 assessment also included consideration of Home Affairs’ practices concerning the destruction and de-identification of PNR data. The assessment will be finalised during the 2018–19 financial year.

In 2017–18 we also commenced a new PNR data related assessment. This assessment looked at Home Affairs’ connected information environment (CIE) project, and specifically how Home Affairs is implementing APP 11 — Security of personal information — to protect PNR data in the CIE. The assessment also considered whether Home Affairs is using and disclosing personal information in accordance with its obligations under APP 6. We have completed the fieldwork for this year’s assessment and it will be finalised during the 2018–19 financial year.

Contractual arrangements in relation to regional processing centres

In 2016–17 we commenced an assessment of Home Affairs’ privacy arrangements for Regional Processing Centres, including:

  • General governance and privacy frameworks under APP 1 — Open and transparent management of personal information.
  • How Home Affairs met its security obligations under APP 11 — Security of personal information, including through the use of contractual measures as required under section 95B of the Privacy Act.

We finalised this assessment during the 2017–18 financial year. We made four recommendations, which were agreed by Home Affairs. The assessment report is published on our website.

Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014

In 2017–18 we finalised four assessments that considered how personal information was being handled by Home Affairs under the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act). These assessments considered how personal information is handled through border clearance processes at Australian international airports, including biometric information collected by SmartGates (Schedule 5) and the Advanced Passenger Processing (AdPP) data exchanged between airlines and Home Affairs (Schedule 6). Three of these assessments commenced in the 2016–17 financial year:

  • An assessment of the security arrangements that are in place to protect personal information after its collection by SmartGates. We made two recommendations in this assessment.
  • An assessment of the steps that a third party provider to Home Affairs is taking to secure personal information collected through AdPP (Schedule 6). We made two recommendations in this assessment.
  • An assessment of the procedures Home Affairs has in place to respond to an individual’s request for access to their personal information that was collected by SmartGates, in accordance with APP 12 — Access to personal information. We made one recommendation in this assessment.
  • The fourth assessment in 2017–18 considered the steps that a third party to Home Affairs is taking to secure access to personal information that is held in the systems that support SmartGates. We did not make any recommendations in this assessment.

In 2017–18 we also followed up on Home Affairs’ implementation of the three initial assessments relating to Schedules 5, 6 and 7 of the Foreign Fighters Act that were completed across the 2015–16 and 2016–17 financial years. At the close of the 2017–18 financial year:

  • We were satisfied that Home Affairs had implemented the recommendations in the Schedule 7 assessment
  • We were satisfied that Home Affairs had either implemented or was taking steps to implement the recommendations in the Schedule 6 assessment
  • We had not received a response from Home Affairs to our follow-up of the Schedule 5 assessment

Tax file numbers

Under the Privacy (Tax File Number) Rule 2015, which regulates the collection, storage, use, disclosure, security and disposal of individuals’ Tax File Number (TFN) information, six specified Australian Government agencies (Commissioner of Taxation/Australian Taxation Office, Australian Prudential Regulation Authority, Department of Human Services, Department of Education and Training, Department of Veterans’ Affairs and the Department of Social Services) have obligations to make a range of information publicly available in relation to how TFN information is to be handled.

In 2016–17 we commenced an assessment that looked at how the agencies meet their obligations. The assessment was conducted through a desktop review of each agency’s website and a targeted survey questionnaire sent to each agency. This assessment was finalised in 2017–18, and we will release a combined summary report during the 2018–19 financial year.

Universal Student Identifier

Under our MOU with the Department of Education and Training, acting through the Student Identifiers Registrar (the Registrar), we conducted a self-assessment of five registered training organisations’ (RTOs’) handling of student identifiers and associated personal information in accordance with the Student Identifiers Act 2014 and the Privacy Act. The self-assessment looked at how these RTOs were managing personal information in accordance with APP 1 — Open and transparent management of personal information, and APP 5 — Notification of the collection of personal information. The OAIC will be releasing a combined report in the 2018–19 financial year, along with a number of recommendations resulting from the survey.

ACT Government

Under our MOU with the ACT Government, we conducted two assessments of ACT Government agencies. These activities are reported on in more detail in the Memorandum of Understanding with the Australian Capital Territory for the provision of privacy services 2017–18 Annual Report (available on the OAIC website no later than 1 November 2018).

Appendix B on page 145 contains more information about our MOU with the ACT Government.

Data-matching

We perform a number of functions to assist government agencies to understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.

Data-matching is the process of bringing together data sets that come from different sources and comparing those data sets with the intention of producing a match. A number of government agencies use data-matching to detect non-compliance, identify instances of fraud and to recover debts owed to the Australian Government. For example, the Australian Taxation Office (ATO) may match tax return data with data provided by banks to identify individuals or businesses that may be under-reporting income or turnover.

Government agencies that carry out data-matching activities must comply with the Privacy Act. Data-matching raises privacy risks because it involves analysing personal information about large numbers of people, the majority of whom are not under suspicion.
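The data-matching process described above, as an added illustration that is not OAIC code and does not represent any agency’s actual program: two constructed datasets stand in for the sources the report mentions (income declared on tax returns and interest income reported by banks), records are matched on a shared identifier, and only records whose figures disagree by more than a tolerance are surfaced for review. All identifiers, field names, amounts and the tolerance are assumptions chosen for the example.

```python
"""Added illustration of a data-matching run (constructed example, not OAIC code).

Records from two sources are matched on a shared identifier and compared.
Only discrepancies that exceed a tolerance are returned, so the output
contains nothing about the majority of individuals whose records agree.
"""
from dataclasses import dataclass

# Constructed sample data: what each taxpayer declared on their return ...
TAX_RETURNS = {
    "ID-001": {"declared_interest": 1200.00},
    "ID-002": {"declared_interest": 0.00},
    "ID-003": {"declared_interest": 450.00},
    "ID-004": {"declared_interest": 300.00},
}

# ... and what a third party (a bank) reported for the same period.
BANK_REPORTS = {
    "ID-001": 1200.00,
    "ID-002": 2750.00,   # undeclared income: a candidate for review
    "ID-003": 455.00,    # within tolerance: not a discrepancy
    "ID-005": 900.00,    # no tax return on file: cannot be matched
}


@dataclass(frozen=True)
class Discrepancy:
    """One matched record whose reported figure exceeds the declared one."""
    record_id: str
    declared: float
    reported: float

    @property
    def shortfall(self) -> float:
        return round(self.reported - self.declared, 2)


def match_datasets(tax_returns, bank_reports, tolerance=50.0):
    """Match bank records to tax returns and return only those needing review.

    Returns (discrepancies, stats). The stats count how many records were
    received and matched, which quantifies how many people were compared
    without being flagged; no detail about them is retained in the output.
    Only under-declaration is flagged; over-declaration is not non-compliance.
    """
    discrepancies = []
    matched = 0
    for record_id, reported in bank_reports.items():
        entry = tax_returns.get(record_id)
        if entry is None:
            continue  # unmatched record: no inference is drawn from it
        matched += 1
        declared = entry["declared_interest"]
        if reported - declared > tolerance:
            discrepancies.append(Discrepancy(record_id, declared, reported))
    stats = {
        "bank_records": len(bank_reports),
        "matched": matched,
        "flagged": len(discrepancies),
    }
    return discrepancies, stats


if __name__ == "__main__":
    flagged, summary = match_datasets(TAX_RETURNS, BANK_REPORTS)
    print(summary)
    for item in flagged:
        print(item.record_id, "shortfall:", item.shortfall)
```

The tolerance and the rule that unmatched records are silently dropped are design choices: a real program protocol would document both, because they determine how many people are drawn into review and what the matching agency learns about everyone else.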

Statutory data-matching

The Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). The Data-matching Act authorises the use of tax file numbers in data-matching activities undertaken by the Department of Human Services (DHS), the Department of Veterans’ Affairs and the ATO. In previous years, we have conducted inspections of DHS’s data-matching records to ensure compliance with the requirements of the Data-matching Act. Agencies have continued to rely less on matching using the tax file number; consequently, this year we have again focused on providing advice on, and oversight of, data-matching activities outside of the Data-matching Act.

Enhanced Welfare Payment Integrity

The ‘Enhanced Welfare Payment Integrity — non-employment income data-matching measure’ was announced in the 2015–16 Mid-Year Economic and Fiscal Outlook (MYEFO). It increases DHS’ capability to conduct data-matching to identify non-compliance by welfare recipients.

This year, we conducted two privacy assessments of DHS’s data-matching activities. The first of these assessments looked at DHS’s non-employment income data-matching (NEIDM) program, and specifically how DHS addresses the requirements of APPs 1.2, 3 and 5 in relation to that program.

The other assessment considered APPs 10 and 13 by looking at how DHS ensures the quality of the personal information used in its Pay-As-You-Go (PAYG) data-matching program, and whether the PAYG program facilitates customer correction of personal information being used in the program. The draft reports for these assessments were provided to DHS for comment in May 2018, and we will work with DHS to finalise and publish the assessments in the 2018–19 financial year.

A third assessment, looking at how DHS addresses its obligations under APP 11 — Security of personal information, to secure the personal information used in both the NEIDM and PAYG programs, will take place early in the 2018–19 financial year.

Data-matching under the voluntary guidelines

We administer the Guidelines on Data-matching in Australian Government Administration (Guidelines), which are voluntary guidelines to assist government agencies with adopting appropriate privacy practices when undertaking data-matching activities that are not covered by the Data-matching Act. This year we reviewed seven data-matching program protocols submitted by matching agencies, including the Australian Taxation Office and the Department of Human Services.

The Commissioner approved two requests for exemption from certain requirements of the Guidelines. A list of the exemptions that we approved can be found on our website.

Digital health assessments

Health information is considered particularly sensitive. This sensitivity has been recognised in the My Health Records Act 2012 (My Health Records Act) and Healthcare Identifiers Act 2010 (HI Act), which regulate the collection, use and disclosure of information, and give the Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act which treats health information as ‘sensitive information’.

We initiated one assessment relating to the My Health Record system in 2017–18; finalised one assessment which commenced in the previous reporting period; and continue to progress one assessment that began in the previous year. For further information, refer to the Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2017–18 (available on the OAIC website no later than 28 November 2018).

Advice for businesses and agencies

Our teams provide advice for businesses and Australian Government agencies on their obligations under the Privacy Act. We also assist businesses and agencies to achieve best practice in their approach to privacy management.

This year we issued advice on a variety of issues including:

  • Adoption, use and disclosure of government related identifiers
  • Australian Government Agencies Privacy Code
  • Australian Government’s proposed Consumer Data Right Scheme
  • Credit reporting
  • Data breach notification requirements, including the Notifiable Data Breaches scheme
  • De-identification and re-identification
  • Digital identity systems
  • Direct marketing
  • External Dispute Resolution schemes
  • Government data-matching
  • Higher education proposals affecting handling of information about students
  • Law enforcement and national security
  • The My Health Records (MHR) system
  • New and emerging technologies
  • Online communications and privacy
  • Privacy implications of data analytics and related activities
  • Privacy and international agreements
  • Privacy and security, as part of the Attorney-General’s Department’s reforms to the Protective Security Policy Framework (PSPF)
  • Telecommunications

We also drafted submissions on issues such as:

  • Privacy in the digital age
  • Mandating consumer credit reporting
  • National security laws
  • Digital identity
  • Digital economy
  • Financial hardship
  • Establishment of the Australian Financial Complaints Authority
  • New information-sharing arrangements under proposed legislation
  • National identity-matching services for biometric information
  • Non-consensual sharing of intimate images
  • Open Banking
  • Access to Medicare information
  • The redevelopment and audit of the Higher Education Data Collection
  • The secondary use framework for information contained in the My Health Record system

Case study 12 — Open Banking

In August 2017 the Treasury released an Issues Paper on the Review into Open Banking in Australia. This paper invited submissions on the most appropriate model for the Australian context and how best to implement such a model, including what data should be shared, with whom, and how to ensure data is kept secure and privacy is respected.

The OAIC provided a submission to the review, acknowledging the potential of Open Banking to give individuals greater choice and control over how their data is used, while highlighting some important implications that the new scheme may have for the handling of individuals’ financial information, which many individuals consider especially sensitive. Many OAIC recommendations were reflected in the Final Open Banking Report, and the OAIC has continued to work with the Treasury on the development and implementation of the scheme, which is set to commence in July 2019.

Submissions can be read in full on the OAIC website.

Resources

We published a number of new resources, guides and fact sheets in 2017–18.

In preparation for the commencement of the Notifiable Data Breaches scheme, we published guidance and a webinar, to assist Australian Government agencies and businesses to understand the new requirements. We also published guidance for consumers about what to expect when receiving a data breach notification and what actions they can take if they have been affected by a data breach.

In preparation for the implementation of the European Union’s General Data Protection Regulation (GDPR) we published guidance to assist Australian Government agencies to understand whether the new requirements would apply to them.

We updated our ‘Guide to securing personal information’ to incorporate information about the Notifiable Data Breaches scheme, and to update references to information security resources.

To assist agencies and organisations to make the most of their valuable data resources, the OAIC released its final version of the Guide to Data Analytics, originally published as a consultation draft in 2016. We also collaborated with the CSIRO’s Data61 to release a joint resource which provides detailed guidance on de-identification, the De-Identification Decision-Making Framework. We also released the OAIC’s ‘De-identification and the Privacy Act’ resource to reflect this updated approach.

In preparation for the commencement of the Australian Government Agencies Privacy Code on 1 July 2018, we published a suite of resources to assist agencies to comply with their new obligations, including an Interactive Privacy Management Plan and a Privacy Officer toolkit. We also conducted a webinar for agencies to assist in the completion of their Privacy Management Plans and developed and delivered a Privacy Officer training course to assist Privacy Officers to undertake their role under the Code.

We published a series of multimedia resources for healthcare providers, to help them understand their privacy obligations and the mandatory data breach notification requirements under the My Health Records Act.

Privacy legislative instruments

Under the Privacy Act, the Commissioner has powers to make certain legislative instruments. These legislative instruments must comply with the requirements of the Legislation Act 2003. They are publicly available on the Federal Register of Legislative Instruments.

Privacy (Australian Government Agencies — Governance) APP Code 2017

On 26 October 2017, the Information Commissioner made the Privacy (Australian Government Agencies — Governance) APP Code 2017 (the Code).

The Code commences on 1 July 2018 and applies to all Australian Government agencies subject to the Privacy Act (except for ministers). The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2. It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.

The requirements of the Code include having a privacy management plan, appointing a Privacy Champion and Privacy Officer, undertaking Privacy Impact Assessments (PIAs) for all high privacy risk projects or initiatives that involve new or changed ways of handling personal information, and taking steps to enhance internal privacy capability.

Privacy (Australian Honours System) Temporary Public Interest Determination 2018

On 13 March 2018, the Information Commissioner made the Privacy (Australian Honours System) Temporary Public Interest Determination 2018. This followed an application for a public interest determination on 6 March 2018 from the Department of Home Affairs (Home Affairs).

This temporary public interest determination (TPID) allows Home Affairs to disclose Australian citizenship and permanent residency status information without breaching APP 6 — Use or disclosure of personal information, for a period of 12 months. The disclosures can be made to the Department of the Prime Minister and Cabinet and to the Office of the Official Secretary to the Governor-General for the purposes of their consideration of nominees for awards (such as those in the Australian honours system).

The TPID repealed Public Interest Determination No. 2 which had been in operation since 1991.

The Information Commissioner and Privacy Commissioner is considering Home Affairs’ application for a longer-term public interest determination.

Privacy (Credit Reporting) Code 2014 (Version 2)

The Privacy (Credit Reporting) Code 2014 (CR Code) is a written code of practice about credit reporting that supplements the credit reporting provisions in the Privacy Act.

On 29 May 2018, the then acting Information Commissioner and acting Privacy Commissioner approved a variation of the CR Code. The variation was requested by the code developer, Australian Retail Credit Association (ARCA). The approved variation made a number of minor and technical amendments to the CR Code, including clarifying the grace period for disclosing repayment history information, the definition of ‘consumer credit liability information’, and requirements for notifying consumers about a default listing.

The varied CR Code was scheduled to commence on 1 July 2018. It must be included on the OAIC’s Codes Register and registered on the Federal Register of Legislative Instruments.

The variation followed an independent review of the operation of the CR Code, conducted under paragraph 24.3 of the CR Code. Paragraph 24.3 requires the Australian Information Commissioner to initiate an independent review of the operation of the CR Code within three years of its commencement.

The OAIC engaged PricewaterhouseCoopers (PwC) to seek feedback, through targeted and public consultation, on issues arising from the interaction between the CR Code and the Privacy Act; significant issues or concerns about the practical operation of the CR Code; and any requirements of the CR Code that had not been complied with in practice. PwC’s final report was published on 13 December 2017. The PwC review made recommendations and gave feedback on each of the CR Code provisions that were varied in the CR Code.

Some recommendations and important observations in the PwC review have not been addressed in the approved variations. The OAIC intends to consider these matters further in the 2018–19 financial year.

Privacy awareness

This year we continued to raise awareness about privacy rights for individuals, and also helped Australian businesses and government agencies understand their privacy obligations.

‘2018 marks 30 years of the Australian Privacy Act 1988. Since then, there have been remarkable changes in the way personal information is put to use across the world. Utilising personal information to engage with businesses, government, and each other online is an everyday occurrence. At the same time, the public benefits of increased data analysis and data mobility to research, policy-making, and the Australian economy are being actively sought.

This has reinforced the vital importance of privacy, which is integral to building and maintaining people’s trust in both government agencies and businesses in their handling of personal information.

Privacy today is founded on the principles of transparency and accountability. It is about ensuring individuals can exercise choice and control and that the actions of organisations reflect the value of personal information to individuals’ wellbeing and dignity.

To that end — 2018 is the year a number of regulatory developments were introduced in Australia that enhance privacy governance across the public and private sector. The Notifiable Data Breaches scheme came into force in February, formalising a long-standing community expectation for organisations to notify individuals affected by data breaches that are likely to result in serious harm. In just under two months’ time, Australian Government agencies must comply with the Australian Government Agencies Privacy Code. Internationally, on 25 May the European Union’s (EU’s) General Data Protection Regulation takes effect for all Australian businesses operating in the EU.’

Angelene Falk, then acting Information Commissioner and acting Privacy Commissioner, in ‘Welcome to Privacy Awareness Week. A message from the acting Commissioner, 2018’.

Reaching our audiences

This year we focused significant effort on preparing Australian Government agencies and businesses for the commencement of the NDB scheme in February 2018, and preparing agencies for the commencement of the Australian Government Agencies Privacy Code on 1 July 2018.

Reaching the community was also a focus for the OAIC, through targeted events and social media activity.

Speaking engagements

This year we participated in 51 speaking engagements aimed at privacy professionals.

Media

One of our aims this year was to increase media coverage of the NDB scheme and raise the public’s awareness of privacy.

We achieved this as demonstrated by:

  • An increase of 24% in media enquiries when compared with 2016–17
  • More than 310 mainstream media mentions during Privacy Awareness Week (compared to 250 in 2017)

The following graph shows the increase in reporting of privacy, and the spike when issues of community concern are covered, such as the commencement of an investigation into Facebook.

Table 6 — General privacy — media exposure

Received   2017–18   2016–17   % Change
Total          317       255        24%
Jul             14        21       -33%
Aug              7        33       -79%
Sep             11        14       -21%
Oct             17        27       -37%
Nov             12        25       -52%
Dec              7         7         0%
Jan             23        26       -12%
Feb             32        21        52%
Mar             48        28        71%
Apr             65        10       550%
May             55        25       120%
Jun             26        18        44%

Figure 3 — Media enquiries received

Chart represents the data in Table 6 above. It is a bar chart comparing the 2016-17 financial year with the 2017-18 financial year.

Freedom of Information (FOI)

Freedom of Information (FOI) provides a legally enforceable right of access to government documents. It applies to Australian Government ministers and most agencies, although the obligations of agencies and ministers are different.

Individuals have rights under the FOI Act to request access to government documents. The FOI Act also requires government agencies to publish specified categories of information, and allows them to proactively release other information.

Additional information regarding data collected from ministers and agencies subject to the FOI Act, and separately from the Administrative Appeals Tribunal, the Commonwealth Ombudsman and our own records is included at Appendix D on page 152.

FOI Enquiries

We respond to enquiries from the public on FOI issues, including our Information Commissioner review (IC review) function. This year our enquiries line answered 1,339 telephone calls related to FOI, and responded to 584 written FOI enquiries. We also assisted eight in-person FOI enquiries. Just over 49% of all enquiries about FOI matters related to general processes for FOI applicants, including how to make an FOI request or complaint, or seek review of an FOI decision.

Table 7 — FOI enquiries by issue[*]

Issue                            Number[*]
General processes                      952
Jurisdiction                           709
Processing by agency                   174
Agency statistics                      142
Access to general information           18
Access to personal information          18
Information Publication Scheme          10
Amendment and annotation                 7
Vexatious application                    6

[*] There may be more than one issue in each enquiry.

Information Commissioner (IC) reviews

In an Information Commissioner (IC) review, the Information Commissioner is able to review decisions made by Australian Government agencies and ministers subject to the FOI Act, including decisions:

  • Refusing to grant access to documents wholly or in part
  • Where requested documents do not exist or cannot be found
  • Granting access to documents, where a third party has a right to object (for example, if a document contains their personal information)
  • To impose charges for access to documents, including decisions refusing to waive or reduce charges
  • Refusing to amend or annotate records of personal information

This year we experienced a significant increase in IC reviews, receiving 801 applications for review — a 27% increase over 2016–17.

Alongside the significant increase in the number of applications, the OAIC was able to finalise 610 IC reviews (an 18% increase compared to 2016–17 when 515 reviews were finalised). Of the 610 IC reviews finalised in 2017–18, 84% were finalised within 12 months, exceeding the target of 80% completed within 12 months.

Informal resolution

The OAIC encourages resolution of IC reviews by agreement between the parties where possible. In 2017–18, 487 IC reviews were finalised without a formal decision being made (80% of all IC reviews finalised).

The number of IC reviews finalised under section 55F by way of a written agreement between the parties to the IC review has more than tripled since 2016–17. In 2017–18, 42 IC reviews were finalised by agreement under section 55F, in comparison to 14 in 2016–17.

There were 155 IC reviews finalised after the applicant withdrew their request, following action taken by the agency to resolve the issues in the IC review (such as by issuing a decision and statement of reasons in deemed access refusal cases, or a revised decision under section 55G to give the applicant access to further documents or material), or following an appraisal by the OAIC of the merits of their case.

Information Commissioner (IC) review decisions under section 55K

Under section 55K of the FOI Act the Information Commissioner made 123 decisions during 2017–18 (20% of all IC reviews finalised). Of these:

  • 37% set aside the decision under review (45 decisions)
  • 8% varied the decision under review (10 decisions)
  • 55% affirmed the decision under review (68 decisions)

Of the decisions affirmed, 13% (nine decisions) had been revised under section 55G of the FOI Act during the IC review, giving greater access to the documents sought. In 18% of the decisions set aside and substituted (eight decisions), the agency had withdrawn certain exemption contentions during the course of the IC review.

The section 55K decisions published by the OAIC continue to be an important feature of the OAIC’s work. The decisions address novel issues and build on existing jurisprudence in the FOI jurisdiction. They help agencies interpret the FOI Act and provide guidance on the exercise of their powers and functions. The OAIC adopts a practical approach to its decision making and to its role in helping agencies meet their obligations under the FOI Act.

All IC review decisions are published on the AustLII website as part of the Australian Information Commissioner (AICmr) series.

Some Information Commissioner decisions made during 2017–18 are highlighted below.

Case study 13 — Elstone Pty Limited and Civil Aviation Safety Authority (Freedom of information) [2018] AICmr 52 (28 May 2018)

The applicant sought access to a complaint that was made against its helicopter tour business, as well as the complainant’s name or business name. On 24 August 2016, the Civil Aviation Safety Authority (CASA) identified one document within scope, and refused access to the document in full under sections 47E(d) and 47F of the FOI Act. On 20 February 2017, during the course of the IC review, CASA revised its decision under section 55G of the FOI Act to grant access to parts of the document.

On 17 May 2017, the Information Commissioner referred questions of law to the Federal Court of Australia (the Federal Court) with respect to the construction of section 55G. On 9 April 2018, the Federal Court decided in Australian Information Commissioner v Elstone Pty Limited [2018] FCA 463 that it lacked jurisdiction to determine the referred questions of law because there was no matter for consideration within the meaning of Chapter III of the Constitution. Accordingly, the then acting Information Commissioner proceeded to make her decision on the basis that the decision under review is CASA’s decision of 24 August 2016, as varied on 20 February 2017.

The then acting Information Commissioner considered the document and agreed with CASA that disclosure of the relevant material that would identify the complainant, could discourage other individuals from raising safety concerns in the future and could reasonably be expected to have a substantial adverse effect on CASA’s operations in carrying out its regulatory functions in relation to the safety of civil aviation. The then acting Information Commissioner also considered the public interest test, and was satisfied that disclosure would, on balance, be contrary to the public interest.

Case study 14 — Josh Taylor and Prime Minister of Australia (Freedom of information) [2018] AICmr 42 (21 March 2018)

The applicant sought access to all Wickr (instant messaging app) conversations between the then Prime Minister Malcolm Turnbull and former Prime Minister Kevin Rudd, regarding former Prime Minister Rudd seeking the government’s nomination for Secretary-General of the United Nations. The Prime Minister decided to refuse access to the documents under section 24A of the FOI Act on the basis that they cannot be found or do not exist.

In making his decision, the Information Commissioner considered the nature of Wickr and found that users of the Wickr Me app can set how long a message lasts before its automatic deletion, up to a maximum of 6 days. The Information Commissioner noted that once a message has expired, it is securely destroyed from both the sender’s and the recipient’s devices, and that unless a backup of the message was made before it expired, it would be highly unlikely that the message would continue to be stored on the device or in any other location.

Based on this, the Information Commissioner considered that undertaking searches within the app and any available backups for the documents would constitute all reasonable steps for the purposes of section 24A. In particular, the Information Commissioner noted that, based on the circumstances and the Prime Minister’s evidence of searches and his submissions that there were no available backups of the apps, it was unlikely that the documents, if they existed, would be stored on the Prime Minister’s phone or in any other location.

Case study 15 — Paul Farrell and Department of Home Affairs (Freedom of information) [2018] AICmr 27 (28 February 2018)

The Information Commissioner set aside the decision of the Department of Home Affairs (Home Affairs) to neither confirm nor deny the existence of documents regarding any disclosures made under section 19 of the Australian Border Force Act 1995. Home Affairs advised that if the documents were to exist they would be exempt under section 37(1) of the FOI Act.

The Information Commissioner found that the documents requested were not of ‘such a kind’ that they would be exempt under section 37(1). Accordingly, Home Affairs was not entitled to give notice to neither confirm nor deny the existence of the documents under section 25 when responding to the FOI request.

The Information Commissioner considered whether Home Affairs had discharged its onus of justifying the decision to invoke section 25 in response to the applicant’s request. The Information Commissioner found that Home Affairs had not sufficiently demonstrated that exceptional circumstances existed. Accordingly, the Information Commissioner set aside the decision of Home Affairs to neither confirm nor deny the existence of the documents and substituted a decision that, if documents were to exist, they would not be exempt as authorised under section 25.

Case study 16 — Justin Warren and Department of Human Services (Freedom of information) [2018] AICmr 16 (1 February 2018)

The applicant applied to the Department of Human Services (Human Services) for access to documents relating to the Pay As You Go data-matching initiative that was the subject of a Question on Notice from the Senate Community Affairs Legislation Committee Budget Estimates hearing on 3 June 2015. Human Services notified the applicant of its intention to impose a charge for the processing of the request. The applicant requested that Human Services reduce or waive the charge on public interest grounds. However, Human Services decided to impose a charge of $510.

The applicant sought internal review and Human Services affirmed its decision on internal review. The applicant subsequently paid the charge and Human Services processed the request.

The applicant then sought IC review of Human Services’ decision to impose a charge. Human Services submitted that the Information Commissioner did not have jurisdiction to review a charge that had been paid in full.

The Information Commissioner considered section 54L of the FOI Act, which provides that a person can seek IC review of an ‘access refusal decision’. Section 53A(e) of the FOI Act provides that a decision under section 29 relating to imposition of a charge or the amount of a charge is an ‘access refusal decision’.

Accordingly, the Information Commissioner was satisfied that a decision to impose a charge is an IC reviewable decision, despite the fact that the applicant had paid the charge in full. The Information Commissioner was also satisfied that Human Services had not discharged its onus under section 55D of the FOI Act to establish that the decision in respect of the charge was justified. The Information Commissioner decided that no charge should be imposed in relation to the applicant’s request.

Case study 17 — Dan Conifer and the Department of the Treasury (Freedom of information) [2017] AICmr 133 (8 December 2017)

The applicant sought access to briefs, advice and/or submissions from the Department of the Treasury to the Treasurer in relation to negative gearing, and Labor’s negative gearing and capital gains tax policies. The Treasury identified seven documents within scope and decided that one document was exempt in part under section 34(1)(c), six documents were exempt in part under section 47C and one document was exempt in part under section 47G.

On IC review, the then Information Commissioner agreed with the Treasury’s application of sections 34(1)(c) and 47G to the documents. However, he did not agree that the relevant documents were exempt under section 47C. In particular, he noted that the Treasury did not identify or provide any detail on any particular practice, process or policy that could reasonably be affected by disclosure. The Information Commissioner found that although the relevant documents were conditionally exempt, disclosure at this time would not be contrary to the public interest.

Procedures to be followed in IC reviews

In February 2018, the Information Commissioner issued a ‘Direction as to certain procedures to be followed in IC reviews’ (the procedure direction) under section 55(2)(e)(i) of the FOI Act. The procedure direction provides further clarity on what is expected from agencies and ministers during the IC review process and promotes the efficient and timely resolution of IC reviews. The procedure direction sets out the particular procedures that agencies and ministers must follow in respect of the production of documents, the provision of a statement of reasons where access has been deemed to be refused, and the provision of submissions during an IC review.

The procedure direction is to be read alongside the OAIC’s ‘Freedom of information regulatory action policy’ (the FOI Regulatory Action Policy) and Part 10 of the Guidelines issued by the Information Commissioner under section 93A of the FOI Act (FOI Guidelines).

The FOI Regulatory Action Policy was developed and published this year to inform the Australian community and Australian Government agencies and ministers covered by the FOI Act of the regulatory strategy and approach of the Information Commissioner with respect to FOI regulatory powers, including in undertaking IC reviews. The policy should be read together with Part 10 of the FOI Guidelines.

Part 10 of the FOI Guidelines, to which agencies must have regard in performing a function or exercising a power under the FOI Act, sets out in detail the process and underlying principles of IC review. Part 10 was updated this year to reflect legislative amendments by the Norfolk Island Legislation Amendment Act 2015, developments and discussions in recent IC review decisions and Information Commissioner processes in carrying out IC review functions, as well as to include references to the procedure direction and the FOI Regulatory Action Policy.

FOI Complaints

Under section 69 of the FOI Act, the Information Commissioner has power to investigate agency actions relating to the handling of FOI matters.

Part 11 of the FOI Guidelines provides the Information Commissioner’s view that making a complaint is not an appropriate mechanism where IC review is available, unless there is a special reason to undertake an investigation and the matter can be dealt with more appropriately and effectively in that manner. IC review will ordinarily be the more appropriate avenue for a person to seek review of the merits of an FOI decision, particularly an access refusal or access grant decision. This approach accounts for the relatively small number of FOI complaints received compared with IC review applications.

In 2017–18, the OAIC received 62 complaints and closed 29. This represents a 72% increase in lodgements compared with 2016–17 (36 FOI complaints received) and a 61% increase in finalisations compared with 2016–17 (18 FOI complaints finalised).

The most common complaints about the handling of FOI matters by agencies concern charging practices, consultation with applicants under the practical refusal provisions, and agencies not meeting statutory timeframes.

Of the 29 FOI complaints finalised in 2017–18, the Information Commissioner finalised four investigations and made recommendations to be implemented by an agency in two of these investigations.

FOI Extensions of time

The FOI Act sets out timeframes within which agencies and ministers must process FOI requests.

Where an agency or minister is unable to process an FOI request within the processing period, they are able to request an extension of time from the FOI applicant or the Information Commissioner.

Where the applicant agrees to an extension of time in writing, the agency or minister must advise the Information Commissioner of the agreement to extend the statutory processing time as soon as practicable.

An agency or minister can apply to the Information Commissioner for an extension of the processing period on two grounds: where the agency or minister can demonstrate that processing of the FOI request has been delayed because the request is voluminous or complex in nature (section 15AB), or where the agency or minister has been unable to process the request within the statutory timeframe and is deemed to have made a decision refusing the FOI request (section 15AC).

Table 8 — Overview of FOI extension of time notifications and requests received
Year        2015–16    2016–17    2017–18
Received    5,605      4,412      3,367
Closed      5,602      4,420      3,333

This year, we finalised 90.5% of extension of time applications within five working days.

Table 9 — Notifications and extension of time requests closed
Request type     2015–16    2016–17    2017–18
Total            5,602      4,420      3,333
Section 15AA     5,171      3,808      2,762
Section 15AB     283        453        370
Section 15AC     102        112        122
Section 51DA     0          0          1
Section 54B      0          0          0
Section 54D      30         29         38
Section 54T      16         18         40

Section 15AA — Notification of agreement between agency and applicant to extend time
Section 15AB — Extension of time for complex or voluminous request
Section 15AC — Extension of time where deemed refusal of FOI request
Section 54B — Extension of time for internal review request
Section 54D — Extension of time where deemed affirmation of original decision on internal review
Section 54T — Extension of time for person to apply for IC review

In deciding whether to grant an extension of time, the Information Commissioner considers the impact the extension of time will have on the applicant, whether the agency or minister has taken realistic steps to process the FOI request, and whether granting extra time is within the objects of the Act.

FOI Vexatious applicant declarations

The Information Commissioner has the power to declare a person to be a vexatious applicant if they are satisfied that the grounds set out in section 89L of the FOI Act exist. Making a vexatious applicant declaration is not something the Information Commissioner undertakes lightly, but its use may be appropriate at times. A declaration by the Information Commissioner can be reviewed by the Administrative Appeals Tribunal (AAT).

During 2017–18, the Information Commissioner did not receive any applications from agencies under section 89K seeking to have a person declared a vexatious applicant. Two applications were finalised in 2017–18 after the applications were withdrawn by the agency.

FOI Awareness

FOI Guidelines

In January and February 2018, the Information Commissioner issued revised guidelines under section 93A of the FOI Act, which Australian Government ministers and agencies must have regard to when performing a function or exercising a power under the FOI Act. The revised parts include:

  • Part 3 — Processing and deciding on requests for access
  • Part 7 — Amendment and annotation of personal records
  • Part 10 — Review by the Information Commissioner
  • Part 11 — Complaints and investigations

FOI agency resources

In June 2018, the OAIC issued the revised FOI agency resource 14: Access to government information — administrative access. The OAIC sought comments from interested stakeholders about the readability and accessibility of the revised resource.

Newsletters

The OAIC issues a monthly e-newsletter to Government FOI contact officers who have subscribed to the Information Contact Officer Network (ICON). The monthly e-newsletter provides news, updates and information about FOI.

Events

The OAIC participated in various activities throughout the year to raise awareness about accessing government information and the role of the OAIC and its processes. We participated in the Australian Government Solicitor’s FOI Practitioners’ Forum and launched the first Right to Know Day digital campaign, which included awareness-raising materials and a video from the Information Commissioner.

We also held an ICON information session in Canberra, which explored ongoing and emerging challenges in the FOI space and included an expert panel discussion.

Media

The Information Commissioner issued a joint media release with the Australian Information Access Commissioners about International Right to Know Day on 21 September 2017:

A citizen’s right to access government-held information and data, participate in government decision making, and have transparency in how decisions are made is central to any effective democracy.

Right to Know Day is an opportunity for all Australians and New Zealanders to reflect on their access rights and the benefits of a more open, transparent and accountable government. It is also a reminder to government that greater access to government information and data can deliver better public services, strengthen economic outcomes and build public trust and confidence in the public sector.

Australia and New Zealand Information Access Commissioners unite for citizens’ Right to Know
Joint Media Statement
21 September 2017

Information Publication Scheme

In 2017–18 the OAIC conducted an IPS survey with all Australian Government agencies subject to the FOI Act. The survey was conducted by ORIMA on behalf of the OAIC.

The survey reviewed the operation of the IPS in each agency and also provided agencies with an opportunity to comply with the requirement to conduct a review under section 9 of the FOI Act. Section 9 requires agencies to complete a review of the operation of the IPS within their agency, as appropriate from time to time and within five years of the commencement of the IPS, in conjunction with the Information Commissioner.

The information collected in the IPS Survey will be used by the OAIC to develop a high-level report on the operation of the IPS across all Australian Government agencies and to provide a comparative analysis with the results of the 2012 IPS Survey. The 2018 IPS Survey report will be published on the OAIC’s website.

The information collected may also be used to help the OAIC understand agencies’ approaches to the publication of information and to identify ways the OAIC can provide advice, assistance and training to agencies on the operation of the IPS in the future.

FOI Regulatory Action Policy

In 2017–18, the OAIC published an FOI Regulatory Action Policy that outlines and explains the Information Commissioner’s approach to using FOI regulatory action powers. The policy covers all FOI powers and functions conferred on the Information Commissioner by the Australian Information Commissioner Act 2010 and the FOI Act.

The policy should be read together with the FOI guidelines. The policy also outlines how the Information Commissioner works with agencies, ministers and regulators to promote access to information through regulatory action and undertakes public communication as part of FOI regulatory action.

FOI processing statistics received from Australian Government agencies and ministers

Below is a selection of the FOI request processing statistics provided by Australian Government agencies and ministers to the OAIC.

The number of FOI requests received declined 13% in 2017–18, from 39,519 in 2016–17 to 34,438. This decline was experienced in both requests for personal information and non-personal requests, with similar percentage falls across both types of request. The decline in request numbers for personal information is in large part due to the introduction by the Department of Home Affairs of an administrative access scheme for access to personal information.

In 2017–18, 28,199 or 82% of all FOI requests were for documents containing personal information. This is the same proportion as in 2016–17 but a decrease when compared with 2015–16 (87%).

In 2017–18, the Department of Home Affairs, the Department of Human Services and the Department of Veterans’ Affairs together continued to receive the majority of FOI requests (69% of the total). Of these, 96% were for personal information.

The percentage of FOI requests processed within the applicable statutory time period increased from 58% of all FOI requests in 2016–17 to 85% in 2017–18, largely due to the improvement in timeliness by the Department of Home Affairs.

The percentage of FOI requests granted in full decreased from 55% of all requests in 2016–17 to 50%. The number of requests refused increased from 10% of all FOI requests in 2016–17 to 16%.

The personal privacy exemption in section 47F of the FOI Act remains the most claimed exemption (43% of all exemptions claimed).

The total reported costs attributable to processing FOI requests in 2017–18 was $52.2 million, a 17% increase on 2016–17 ($44.8 million).

Australian Government agencies issued 4,128 notices advising of an intention to refuse a request for a practical refusal reason in 2017–18. This was a 163% increase on the number issued in 2016–17. Of these requests, 84% were subsequently refused or withdrawn; the proportion was 66% in 2016–17.

There was a 24% decrease in the total charges notified in 2017–18 and a 21% decrease in the total charges collected by Australian Government agencies (to $115,863).

The total number of entries added to agency website disclosure logs in 2017–18 (1,104) is 15% higher than in 2016–17, when 958 entries were added. This increase occurred despite a 13% decrease in the number of full or partial access grant decisions in 2017–18. However, the proportion of entries from which members of the public can directly access disclosure log documents from agency websites has declined from 67% last year to 57%.

There was a 12% increase in internal review applications in 2017–18. Of the 733 decisions on internal review, 351 (48%) affirmed the original decision, 72 (10%) set aside the original decision and granted access in full, and 217 (30%) granted access in part.

More detailed information is available in Appendix D on page 152.

Footnotes

[1] Where notifiable data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same data breach. Notifications under the NDB scheme to the OAIC relating to the same data breach incident are counted as a single notification in the NDB Quarterly Statistics Reports. In 2017–18 there were 49 secondary notices.

Long text descriptions

Figure 1 — Complaints received per month — the past three years

Figure 1 is a bar chart showing the number of complaints received per month over the 2015–16, 2016–17 and 2017–18 financial years.

Month        2015–16    2016–17    2017–18
July         156        192        207
August       185        255        256
September    209        168        240
October      156        237        245
November     181        218        267
December     194        170        191
January      148        167        238
February     153        222        277
March        182        275        240
April        184        154        206
May          196        217        284
June         186        220        296

Figure 2 — Complaints closed per month — the past three years

Figure 2 is a bar chart showing the number of complaints closed per month over the 2015–16, 2016–17 and 2017–18 financial years.

Month        2015–16    2016–17    2017–18
July         163        152        214
August       129        189        244
September    160        208        301
October      339        209        233
November     167        181        264
December     149        193        148
January      114        179        167
February     161        176        253
March        176        241        252
April        165        172        161
May          124        308        269
June         191        277        260