Part 2 — Performance
Publication date: 2018
Our performance statement
Introduction
I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner, present the 2017–18 annual performance statements of the Office of the Australian Information Commissioner, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act). In my opinion, these annual performance statements are based on properly maintained records, accurately reflect the performance of the entity, and comply with subsection 39(2) of the PGPA Act.
Overall performance
In 2017–18 we were working to achieve 35 Performance Measures as outlined in the OAIC Corporate Plan 2017–18. We met the target for 27 of these Performance Measures, did not achieve five, and three were not relevant in this reporting cycle. We:
- Promoted and upheld privacy rights — by achieving 21 of 25 Performance Measures
- Promoted and upheld information access rights — by achieving nine of 10 Performance Measures
We achieved all of our key deliverables for the year:
Promote and uphold privacy rights
- Developed and implemented the Australian Public Service Privacy Governance Code and supporting training and resources
- Prepared for the implementation of the Notifiable Data Breaches scheme in February 2018
- Hosted the Asia Pacific Privacy Authorities meeting and the Data + Privacy Asia Pacific national conference
- Trialled an early resolution process to assist with more efficient processing of privacy complaints
- Conducted targeted privacy assessments in areas such as national security, identity management, digital health and the Enhanced Welfare Payment Integrity data-matching program
- Celebrated the 30th anniversary of the commencement of the Privacy Act 1988
- Reviewed the Privacy (Credit Reporting) Code 2014
Promote and uphold information access rights
- Updated tools and guidance for Australian Government agencies to assist them to review their compliance with the FOI Act.
- Developed and published an FOI regulatory action policy that outlines how we exercise our powers in relation to IC reviews, FOI complaints and Commissioner initiated FOI investigations.
- Conducted a campaign for Right to Know Day 2017.
Results
Our performance is measured against Activities as outlined in the Corporate Plan 2017–18. Performance Measures marked with an asterisk were also performance targets in the OAIC’s 2017–18 Portfolio Budget Statement.
Privacy Performance Measures
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.1.1 The OAIC applies a risk-based, proportionate approach to facilitate compliance with privacy obligations and promote privacy best practice | Yes | |
1.1.2 Guidance and educational materials are amended to incorporate learnings from regulatory activities such as assessments and investigations | Yes | |
1.1.3 Regular dialogue and consultation with businesses and Australian Government agencies is undertaken | Yes | |
1.1.4 The number of participating partners for Privacy Awareness Week is increased | No | |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.2.1 80% of data breach notifications finalised within 60 days* | Yes | In meeting this target we: |
1.2.2 80% of My Health Records data breach notifications finalised within 60 days* | Yes | In meeting this target: |
1.2.3 Guidance and support tools for the Notifiable Data Breaches scheme are published | Yes | In meeting this target, we: |
1.2.4 Statistics on data breach notifications are published to inform the community about the operation of the data breach notification scheme | Yes | In meeting this target: |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.3.1 80% of CIIs finalised within 8 months* | No | |
1.3.2 CIIs result in improvements in the privacy practices of investigated entities | Yes | |
1.3.3 CII outcomes and lessons learnt are publicly communicated | Yes | The OAIC achieved this measure by: |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.4.1 80% of privacy complaints finalised within 12 months* | Yes | In meeting this target, we: We ensured the quality of our privacy complaint handling process by: The ‘Resolving complaints’ section from page 55 provides case studies that demonstrate the quality of our complaint resolution, and information about the initiatives we put in place in 2017–18 to ensure the continued timeliness of our complaints resolution. |
1.4.2 Complaint handling service is promoted to the community | Yes | In meeting this target, we: |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.5.1 Assessments are completed in accordance with the schedule developed in consultation with the assessment target | No | |
1.5.2 Monitoring and compliance approaches are coordinated with the business and operational needs of the assessment targets | Yes | |
1.5.3 High proportion of recommendations accepted by assessment targets | Yes | |
1.5.4 Key assessment outcomes and lessons learnt are publicly communicated where appropriate | Yes | |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.6.1 90% of written enquiries are finalised within 10 working days* | No | Target not met: |
1.6.2 New community, legal and other networks are identified for targeted promotion of the public information service | Yes | Target met: |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.7.1 Increase in media and social media mentions about privacy rights | Yes | |
1.7.2 Awareness and understanding about privacy rights and the role of the OAIC is improved | Yes | |
1.7.3 Increase in attendance numbers and positive feedback from public facing events | Yes | |
1.7.4 The OAIC’s website is accessible for individuals and contains targeted content about privacy rights | Yes | |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
1.8.1 Applications for Public Interest Determinations and Australian Privacy Principles codes are considered and responded to in a timely manner | Yes | |
1.8.2 Legislative instruments are reviewed when necessary | Yes | |
Freedom of information Performance Measures
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
2.1.1 Tools and guidance are updated to assist Australian Government agencies to comply with the Information Publication Scheme (IPS) | Yes | |
2.1.2 Guidance and resources are reviewed and updated to assist Australian Government agencies and ministers to apply the FOI Act | Yes | |
2.1.3 The majority of OAIC’s stakeholders receiving information are satisfied with the content and delivery | Yes | |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
2.2.1 80% of IC reviews are completed within 12 months* | Yes | |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
2.3.1 80% of FOI complaints finalised within 12 months* | Yes | |
2.3.2 80% of FOI related Commissioner initiated investigations finalised within 8 months[*] | N/A[*] | |
[*] A Measure that is considered Not Applicable for that reporting year, for whatever reason, is recorded towards achieving the Performance Measure.
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
2.4.1 90% of FOI written enquiries are finalised within 10 working days* | No | Target not met: |
2.4.2 New community, legal and other networks are identified for targeted promotion of the public information service | Yes | |
Performance Measure | Measure achieved | Delivery strategies that were used to achieve the Performance Measure |
---|---|---|
2.5.1 Increase in media and social media mentions about information access rights | Yes | The work that we did to achieve these mentions included: |
2.5.2 The OAIC’s website is accessible for individuals and contains targeted content about information access rights | Yes | |
Privacy
The Privacy Act 1988 (Privacy Act) requires Australian Government agencies and private sector organisations to follow a set of rules when collecting, using and storing individuals’ personal information. Personal information is any information that is about an individual. The most obvious example is a name — other examples include address, date of birth, photo of their face or even a record of their opinion and views. Any information that is about an identifiable individual is personal information.
Additional information regarding privacy statistics is included at Appendix C on page 148.
Australian Privacy Principles
The Privacy Act includes 13 Australian Privacy Principles (APPs), which set out standards for business and government agencies managing personal information.
APP 1 — Open and transparent management of personal information
APP 2 — Anonymity and pseudonymity
APP 3 — Collection of solicited personal information
APP 4 — Dealing with unsolicited personal information
APP 5 — Notification of the collection of personal information
APP 6 — Use or disclosure of personal information
APP 7 — Direct marketing
APP 8 — Cross-border disclosure of personal information
APP 9 — Adoption, use or disclosure of government related identifiers
APP 10 — Quality of personal information
APP 11 — Security of personal information
APP 12 — Access to personal information
APP 13 — Correction of personal information
Privacy enquiries
We provide information about privacy issues and privacy law to the public.
The OAIC experienced a 16% increase in privacy enquiries on the previous year. We answered 14,928 telephone calls related to privacy, and responded to 4,452 written privacy enquiries. We also assisted 27 in-person privacy enquiries.
The OAIC continues to see a broad range of enquiries from the community. Over half of all privacy phone enquiries received concerned the operation of the Australian Privacy Principles. The growth in enquiries indicates a continuation of the year-on-year trend of increased awareness about privacy issues, and a desire by individuals to exercise their rights.
The introduction of the Notifiable Data Breaches scheme has also contributed to an increase in enquiries received by the OAIC, and reflects the work the OAIC does in supporting entities to comply with their obligations.
As a part of our Memorandum of Understanding (MOU) with the ACT Government we continued to provide privacy services to ACT public sector agencies including handling privacy complaints in relation to the Information Privacy Act 2014 and its Territory Privacy Principles (TPPs) and responding to enquiries from the public.
Case study 1 — An individual’s personal information is involved in a data breach
An enquirer received an email notifying them of a data breach from an organisation where they had applied for work, and contacted the OAIC for information about what they should do in response to the email.
We explained that under the Notifiable Data Breaches scheme, where an organisation has experienced a data breach involving personal information, the organisation needs to assess the potential impact and notify individuals of the data breach if there is a likely risk of serious harm to individuals. We referred the enquirer to guidance on our website on steps they could take to prevent identity fraud in the event of a data breach, as well as referring the individual to a security support service.
The enquiries officer also explained that organisations are required to take reasonable steps under Australian Privacy Principle 11 to ensure the security of personal information, and the steps the individual could take to lodge a privacy complaint.
Case study 2 — A health service provider seeks information on clients’ right to access information
A psychologist contacted the OAIC about a request from a client for access to their personal information. The client had attended couple’s counselling with their partner, and then individual sessions.
One of the individuals requested the psychologist provide access to all of the records for both their individual sessions, as well as the couple’s sessions. The psychologist asked about the individual’s right of access to these records.
We provided information on the application of APP 12 — Access to personal information, including APP 12.3(b), where providing access may have an unreasonable impact on the privacy of other individuals. We gave the enquirer information about a best privacy practice approach and referred them to the OAIC’s APP Guidelines for more detailed guidance.
Issues regarding privacy enquiries
In 2017–18 the most common privacy enquiries to our office were about the use and disclosure of someone’s personal information (APP 6) followed by access (APP 12) and collection of personal information (APP 3).
Issues | Number |
---|---|
APP 1 — Open and transparent management | 48 |
APP 2 — Anonymity and pseudonymity | 13 |
APP 3 — Collection | 991 |
APP 4 — Unsolicited personal information | 9 |
APP 5 — Notification of collection | 637 |
APP 6 — Use or disclosure | 1560 |
APP 7 — Direct marketing | 159 |
APP 8 — Cross-border disclosure | 60 |
APP 9 — Government identifiers | 5 |
APP 10 — Quality of personal information | 53 |
APP 11 — Security of personal information | 882 |
APP 12 — Access to personal information | 1351 |
APP 13 — Correction | 145 |
APPs — Exemptions | 975 |
APPs — Generally | 980 |
We also received a number of questions related to other privacy issues, reflecting the broad range of matters the OAIC regulates.
The table below categorises these enquiries.
Issues | Number of calls |
---|---|
Credit reporting | 904 |
Data breach notification (voluntary) | 229 |
Data-matching | 1 |
Healthcare Identifier | 1 |
My Health Records | 9 |
Notifiable Data Breaches (NDB) scheme | 513 |
National Privacy Principles | 4 |
Privacy codes | 30 |
Spent convictions | 102 |
Tax file numbers | 31 |
Territory Privacy Principles | 23 |
Privacy complaints
In 2017–18 the OAIC continued to provide an effective and efficient complaints service, investigating and resolving complaints by individuals about the possible mishandling of personal information under the Privacy Act and other relevant laws.
The OAIC handles complaints made about interferences with privacy under the APPs, any registered APP code, as well as matters relating to consumer credit reporting. We also resolve complaints about the handling of other information such as tax file numbers, spent convictions, data-matching and healthcare identification information.
In 2017–18 we received 2,947 privacy complaints. This is an 18% increase on the number of complaints we received last year, and follows on from a 17% increase in complaints in 2016–17, indicating a continuing awareness by individuals about their privacy rights, and a willingness by individuals to take steps to protect their personal information.
The implementation of the Notifiable Data Breaches scheme on 22 February 2018, and the General Data Protection Regulation on 25 May 2018, have also shone a spotlight on personal privacy, leading to increased engagement by individuals.
Alongside this increase in complaints, the OAIC finalised 2,766 complaints during the period. This is an 11% increase on the number of complaints we closed last year, and follows on from a 22% increase in finalisations in 2016–17.
As part of an MOU with the ACT Government, we continue to provide privacy services to ACT public sector agencies including handling privacy complaints in relation to the Information Privacy Act 2014 and its 13 Territory Privacy Principles.
Issues regarding privacy complaints
The majority of complaints we receive (70%) are about the handling of personal information under the APPs.
The most common issues raised in complaints about the APPs were:
- APP 6 — Use or disclosure of personal information
- APP 11 — Security of personal information
- APP 12 — Access to personal information
- APP 3 — Collection of personal information
- APP 10 — Quality of personal information
In 2017–18, 14% of the complaints we received were about credit reporting (slightly down from 16% the previous year). This reflects the continuing role of external dispute resolution schemes in resolving complaints about credit reporting matters.
More information is available in Appendix C.
Sectors
Privacy complaints can cover a broad range of sectors. The top six sectors remain unchanged from the 2016–17 results. The top 10 sectors by number of complaints are:
Sector | Number |
---|---|
Finance (including superannuation) | 398 |
Health service providers | 321 |
Australian Government | 305 |
Telecommunications | 244 |
Credit reporting bodies | 173 |
Retail | 147 |
Online services | 142 |
Utilities | 120 |
Debt collectors | 116 |
Insurance | 104 |
Case study 3 — Failure to protect personal information by an Australian Government agency
The complainant was notified by the respondent, an Australian Government agency, that a computer containing their personal information had been stolen from an office where it had not been stored securely.
The OAIC investigated the alleged failure to protect the complainant’s personal information from misuse and loss. The matter was resolved by conciliation. The respondent provided the complainant with $1,600 in compensation.
Case study 4 — Disclosure of medical information to a third party
The complainants, a couple, became aware that the respondent, a medical centre, had disclosed their entire medical files to their insurer, including personal information that was not relevant to their insurance claim.
The matter was investigated and successfully conciliated by the OAIC. The respondent provided the complainants with a letter of apology, placed its privacy policy in its rooms and on its website, changed its procedures to ensure that a similar incident would not happen in the future, and provided $5,000 to each of the complainants.
Resolving complaints
In 2017–18, we substantially improved the average time taken to close a complaint from 4.7 months to 3.7 months. During this period, 97% of all privacy complaints were resolved within 12 months of receipt, an improvement on last year.
During 2017–18 we trialled an early resolution process, with a focus on bringing the parties together at an early stage to see if matters could be resolved by agreement. This approach has assisted parties to attain outcomes in a more timely manner, which is reflected in the improvement in the average time taken to close a complaint.
Matters that are unable to be resolved via the early resolution process proceed for further inquiries or investigation, and some are formally conciliated. Where complaints resolve through conciliation, many positive and innovative outcomes are achieved, and parties demonstrate a high level of satisfaction with the outcome.
To support the work of the teams in resolving complaints, we provide staff with conciliation training, and have a number of staff accredited under the National Mediator Accreditation Standards (NMAS).
Most privacy complaints are closed on the basis that the respondent has not interfered with the individual’s privacy, or on the basis that the respondent has adequately dealt with the complaint.
In 2017–18, the main remedies achieved in complaints were:
- Record amended
- Compensation
- Access provided
- Other or confidential
- Apology
More information is available in Appendix C.
Case study 5 — Security and disclosure of personal information by a bank
The complainant was a customer of the respondent, a bank. There was fraudulent activity on the complainant’s account. While the respondent was investigating the fraud, it misdirected an email meant for the complainant to a third party.
The complainant claimed the respondent interfered with their privacy by inappropriately disclosing personal information in the email, and failing to take reasonable steps in the circumstances to protect the personal information from unauthorised access and disclosure.
The OAIC conciliated the complaint, and the parties agreed to settle the matter on the basis that the respondent pay $7,000, and follow up with the police about the progress of the fraud investigation. The amount of compensation reflected that the incident had also impacted another member of the complainant’s family.
Case study 6 — Disclosure of personal information by an insurance assessor
There was a fire at a house in which the complainant lived. The insurer sent a loss assessor (the respondent) to inspect the property. The respondent provided a report of the incident to the complainant’s insurer, who passed it on to the complainant.
The complainant claimed that the respondent interfered with their privacy by amending the report and then disclosing it to the complainant’s real estate agent. The complainant alleged that the amended report was used by the real estate agent in a way that caused the complainant distress.
The OAIC conciliated the complaint, and the parties agreed to settle the matter on the basis that the respondent pay $2,000 in compensation. The respondent had previously apologised to the complainant.
Early resolution
The OAIC’s early resolution pilot was established in 2017. It brings the parties together at an early stage, to see if matters can be resolved by agreement between the parties. The process has reduced our initial response times and contributed to an increase in the number of complaints closed. In 2017–18, 53% of all complaints finalised were closed through our early resolution process.
Case study 7 — Failure by telecommunications provider to protect personal information from unauthorised access
The complainant had a mobile phone account with the respondent, a telecommunications provider. The complainant’s phone stopped working, and when they contacted the respondent they discovered the phone number had been ported (transferred to a different mobile provider) without their knowledge.
The matter was resolved through the OAIC’s Early Resolution Process, in which the respondent contacted the complainant directly to discuss the matter, reversed the port, offered three months free service and apologised.
Community and sector engagement
An important part of our role is interacting with key industry and community stakeholders, including government bodies and external dispute resolution schemes, about recurring or significant issues arising in complaints.
External Dispute Resolution schemes
The Information Commissioner can recognise external dispute resolution (EDR) schemes to handle particular privacy-related complaints (section 35A of the Privacy Act). The EDR schemes currently recognised are:
- Credit and Investments Ombudsman (CIO)
- Energy & Water Ombudsman NSW (EWON)
- Energy & Water Ombudsman Queensland (EWOQ)
- Energy & Water Ombudsman SA (EWOSA)
- Energy and Water Ombudsman Victoria (EWOV)
- Energy and Water Ombudsman Western Australia (EWOWA)
- Financial Ombudsman Service (FOS)
- Public Transport Ombudsman Victoria (PTO)
- Telecommunications Industry Ombudsman (TIO)
- Tolling Customer Ombudsman (TCO)
Community outreach
In 2017–18, we attended community outreach events to promote awareness of the privacy complaint functions of our office, and the ways in which individuals can access or protect their personal information and consumer credit reporting information. These events included the Sydney Disability Expo and a Privacy Awareness Week stall with the Australian Retail Credit Association.
During the year, we also continued to increase media and social media coverage about our complaint handling function with targeted messaging around the complaints process and privacy issues that may be of public interest.
Determinations
Under section 52 of the Privacy Act, the Commissioner may make determinations in relation to privacy complaints. The Commissioner may also make determinations in relation to privacy Commissioner initiated investigations (CIIs).
In 2017–18, three privacy determinations were made by the Commissioner. Two of these determinations included findings that the respondents had not interfered with the individual’s privacy and therefore the complaints were dismissed under section 51(1)(a) of the Privacy Act.
Determination: ‘PB’ and United Super Pty Ltd as Trustee for Cbus (Privacy) [2018] AICmr 51 (23 March 2018)
The Commissioner found that United Super Pty Ltd as Trustee for Cbus (Cbus) interfered with the privacy of class members by disclosing their personal information to an external organisation for a secondary purpose without their consent.
Under section 52(1)(b)(iii) of the Privacy Act the Commissioner may make a declaration that the complainant is entitled to a specified amount by way of compensation. In this instance, however, the Commissioner considered the most appropriate form of redress to the class members was a public apology.
The Commissioner also made a declaration that Cbus should provide written confirmation to the OAIC that certain corrective measures proposed after the breach were adopted and implemented by Cbus, and then to undertake a review of those measures and confirm in writing the findings and outcomes of that review.
Determination: ‘PA’ and Department of Veterans’ Affairs (Privacy) [2018] AICmr 50 (23 March 2018)
The complainant alleged that the disclosure of their personal information by the Department of Veterans’ Affairs (the Department) for inclusion in a database to assist in health research projects was a breach of APP 6 — Use or disclosure of personal information.
Section 95 of the Privacy Act allows an agency to commit an act that would breach an APP provided it is done in the course of medical research and in accordance with medical research guidelines approved by the Commissioner.
The Commissioner found that the medical research exemption applied in this case, as the disclosure of personal information occurred in the course of medical research, and in accordance with guidelines issued by the National Health and Medical Research Council. Therefore the Department did not interfere with the complainant’s privacy.
Determination: ‘OJ’ and Department of Home Affairs (Privacy) [2018] AICmr 35 (19 March 2018)
The complainant alleged that the Department of Home Affairs (the Department) had interfered with his privacy by disclosing his personal information to the Department of Human Services Victoria (DHSV) in, or around, 2013 (the DHSV complaint), and to the television show, A Current Affair (ACA) in July 2014 (the ACA complaint).
The Department advised that it disclosed the complainant’s personal information to DHSV in compliance with a subpoena. The Commissioner found that the disclosure was required by law and comes within the exception to IPP 11, set out in 11.1(d).
As the ACA complaint was against the Department, not the Minister of Home Affairs (the Minister), the Commissioner could only consider the Department’s use of personal information and its disclosure to the Minister’s office. He was unable to consider the disclosure to ACA by the Minister.
The Commissioner found the use and disclosure of personal information was made for the purpose of discharging the Secretary of the Department’s obligation under the Public Service Act 1999 to provide the Minister with advice. As the conduct was required by law, it fell within the exception to APP 6, set out in APP 6.2(b).
Data breach notifications
Notifiable Data Breaches scheme
The NDB scheme commenced on 22 February 2018, following changes to the Privacy Act in 2017. Under the NDB scheme, Australian Government agencies and organisations with existing personal information security obligations under the Privacy Act are required to notify individuals who are likely to be at risk of serious harm as a result of a data breach. The OAIC must also be notified.
Our responsibilities under the NDB scheme include:
- Receiving notifications of eligible data breaches
- Encouraging compliance with the scheme, including handling complaints and taking regulatory action in response to instances of non-compliance
- Offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme
In February 2018, we published a new resource on data breaches — ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)’. This resource combines best practice advice for preparing for and responding to data breaches, as well as specific information for agencies and organisations about how to comply with the NDB scheme.
We have also published resources for individuals that have received a notification under the NDB scheme. These are available on our website, and are intended to assist individuals to take steps to reduce the risk of experiencing harm as a result of a data breach.
The OAIC reviews each notice received under the NDB scheme to consider whether the data breach has been contained, that the agency or organisation has taken reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm, and that the entity is taking reasonable steps to minimise the likelihood of a similar breach occurring again.
Since the introduction of the NDB scheme in February 2018, there has been an increasing number of notifications made to the OAIC. This demonstrates that agencies and organisations are aware of their obligations.
More detailed information about data breaches reported under the NDB scheme is contained in our NDB Quarterly Statistics Reports, available on our website.[1]
Voluntary data breaches
Prior to the introduction of the NDB scheme, the OAIC administered a voluntary data breach notification scheme. This allowed businesses and agencies to self-report possible privacy breaches to the OAIC. The OAIC continues to register voluntary data breach notifications for incidents that do not fall within the scope of the NDB scheme. These include data breaches that occurred prior to 22 February 2018, or incidents that do not involve businesses or agencies that are regulated by the scheme.
Year | 2015–16 | 2016–17 | 2017–18 |
---|---|---|---|
Total | 123 | 149 | 507 |
Notifiable data breaches (NDB) | - | - | 305 |
Voluntary notifications | 107 | 114 | 174 |
Mandatory notifications (My Health Records Act 2012) | 16 | 35 | 28 |
In 2017–18, the number of voluntarily reported data breaches continued to grow, with voluntary notifications up 53% on the previous year. This is significantly more than the 29% increase reported in the 2016–17 financial year. Alongside this, the OAIC met its overall target for finalising data breach notifications, with 99% of notifications under the NDB scheme finalised within 60 days, and 97% of voluntary data breach notifications finalised within 60 days.
The increase in voluntary notifications can be explained, at least in part, by the OAIC’s activities in raising awareness of the introduction of the NDB scheme in 2018, as well as global regulatory developments which focused on the importance of entities understanding and responding to data breaches.
We also administer a mandatory scheme for digital health data breaches. For further information, refer to the Annual Report of the Australian Information Commissioner’s activities in relation to digital health 2017–18 (available on the OAIC website no later than 28 November 2018).
Privacy Commissioner initiated investigations
Section 40(2) of the Privacy Act enables the Commissioner to investigate, on the Commissioner’s own initiative, an act or practice that may be an interference with privacy. This power is used to investigate possible privacy breaches that have come to our attention other than by way of an individual privacy complaint.
Privacy Commissioner initiated investigations (CIIs) are often conducted in response to incidents of significant community concern or discussion, or in response to notifications from third parties about potentially serious privacy problems. They may also be conducted in response to notifications about data breaches. Our key objective in undertaking a CII is improving the privacy practices of investigated entities.
The Commissioner may also decide to discontinue an investigation. This may occur where the Commissioner is satisfied that there has not been an interference with privacy, that the matter has been adequately dealt with by the respondent, or that no further regulatory action is warranted under the circumstances.
The Privacy Act provides the Commissioner with the power to accept an ‘enforceable undertaking’ offered by a respondent. Three enforceable undertakings were offered by respondents in 2017–18 following a CII.
In 2017–18, we conducted preliminary inquiries or commenced an investigation in relation to 21 matters. In some matters, more than one respondent was identified, which is reflected in the number of CIIs. In April 2018, the OAIC commenced an investigation into the acts and practices of Facebook, in relation to allegations that the personal information of Facebook users had been improperly collected by third-party applications. As of the end of the 2017–18 financial year, this investigation is ongoing.
Year | Number of CIIs |
---|---|
2015–16 | 17 |
2016–17 | 29 |
2017–18 | 21 |
While the average time taken to close CIIs in 2017–18 was 163 days, or approximately 23 weeks, the OAIC did not meet its target to finalise 80% of CIIs within eight months. Despite this, the OAIC closed 72% of CIIs within eight months and the OAIC remains committed to working with respondents to resolve issues of non-compliance and improve privacy practices.
Case study 8 — Accidental disclosure of health information by a third-party provider
In October 2016, the Australian Red Cross Blood Service (the Blood Service) was notified that a data file, which contained the personal information of approximately 550,000 prospective blood donors entered into the Blood Service’s website, had been saved to a public-facing web server. The Blood Service immediately took steps to contain the breach, including temporarily closing the website and notifying individuals whose personal information had been involved.
The subsequent investigation found that the file had been inadvertently placed by an employee of a third-party provider, Precedent Communications Pty Ltd (Precedent), on a publicly accessible portion of a web server managed by Precedent. The investigation also found that the Blood Service did not have appropriate measures in place to protect information concurrently held by third-party providers, and did not take reasonable steps to destroy or de-identify information collected through the Blood Service website once it was no longer needed.
Following the incident, the Blood Service took numerous steps to enhance its information handling practices and offered an enforceable undertaking to commit to reviewing its compliance with, and the effectiveness of, its third-party management policy and operating procedure within a six-month period.
In response to this incident, Precedent invested in improving its information handling practices, and offered an enforceable undertaking to commit to strengthening its information security measures; improving its privacy management policies, statement and procedures; and improving staff privacy training.
Case study 9 — Publication of a de-identified dataset
On 1 August 2016, the Department of Health (the Department) published a collection of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) data. The dataset contained claims information for a 10% sample of people who had made a claim for payment of Medicare Benefits since 1984, or for payment of Pharmaceutical Benefits since 2003. Prior to publication, the Department of Health had taken a range of steps to de-identify the dataset. However, in September 2016 researchers from the University of Melbourne identified a weakness in the technique used to encrypt Medicare service provider numbers in the dataset, allowing the encryption to be reversed. The Department immediately removed the dataset from public access, and the Commissioner opened an investigation into the incident to determine whether a breach of the Privacy Act had occurred.
The investigation found that the Department of Health improperly disclosed the information of service providers, but did not improperly disclose the personal information of patients. The investigation also found that the steps taken by the Department of Health to confirm personal information was removed from the dataset prior to its publication were inadequate relative to the sensitivity of the information and the context of its release.
The investigation was concluded by an enforceable undertaking offered by the Department of Health and accepted by the Commissioner, which provides for the OAIC’s oversight of the Department of Health’s ongoing review and enhancement of its data governance arrangements.
The incident provided key lessons for custodians of datasets when considering de-identification. In particular, deciding whether information has been de-identified to an extent suitable for public release requires careful and expert evaluation and consideration of the context of release, and appropriate processes and expertise should sit behind any decision to release de-identified personal information.
Privacy assessments
In 2017–18 we assessed a range of sectors including loyalty programs, identity verification, telecommunications and government. We also conducted privacy assessments in the digital health sector. For more information on our digital health assessments, see page 69.
We use a range of methodologies to conduct our assessments, including comprehensive and in-depth review of policy documents, interviews with staff, and site inspections. Consistent with last year, 100% of the OAIC’s recommendations were accepted or planned for action by the businesses or government agencies being assessed.
Loyalty programs
We commenced two new assessments of loyalty programs in Australia in the 2016–17 financial year. These assessments examined how personal information is managed in accordance with APP 1 — Open and transparent management of personal information. The assessments also looked at whether sufficient notification to individuals is provided regarding the collection of their personal information in accordance with APP 5 — Notification of the collection of personal information. The assessments will be finalised, and made public, during the 2018–19 financial year.
Identity verification
In the 2016–17 financial year we commenced two assessments of Gateway Service Providers (GSPs) to the Document Verification Service (DVS) — VixVerify and Trulioo. The assessments examine how personal information collected through the DVS arrangement is handled by GSPs in accordance with APP 3 — Collection of solicited personal information and APP 5 — Notification of the collection of personal information. We finalised these assessments in the 2017–18 financial year, making one recommendation in each assessment. The assessment reports are published on our website. In 2017–18 we worked with the Department of Home Affairs to identify business users that will participate in our next assessment relating to the DVS, which will commence in 2018–19.
Telecommunications
Case study 10 — Handling of personal information disclosed under the Telecommunications (Interception and Access) Act 1979
In 2017–18 we finalised an assessment of whether iiNet was taking reasonable steps to protect personal information when responding to requests for access by law enforcement agencies, as required under the Telecommunications (Interception and Access) Act 1979 (TIA Act) and in accordance with APP 11 — Security of personal information. We had previously finalised similar assessments of Telstra, Vodafone and Optus. A combined summary report outlining the findings from each assessment is available on our website.
Case study 11 — Handling of personal information retained as part of the ‘data retention scheme’ under the Telecommunications (Interception and Access) Act 1979
In 2017–18 we began a series of assessments that consider whether certain telecommunications service providers are meeting their information security obligations under APP 11 — Security of personal information, with respect to the personal information they are required to retain under the ‘data retention scheme’ that came into full effect on 13 April 2017. We conducted the fieldwork for two assessments in 2017–18. These assessments will be finalised in 2018–19. Fieldwork for other assessments in this assessment series will commence in 2018–19.
Government
Passenger Name Record
Under our memorandum of understanding with the Department of Home Affairs, we commenced a Passenger Name Record (PNR) data-related assessment in the 2016–17 financial year, which followed up the implementation of recommendations made in a previous assessment undertaken in 2015. The 2016–17 assessment also included consideration of Home Affairs’ practices concerning the destruction and de-identification of PNR data. The assessment will be finalised during the 2018–19 financial year.
In 2017–18 we also commenced a new PNR data-related assessment. This assessment looked at Home Affairs’ connected information environment (CIE) project, and specifically how Home Affairs is implementing APP 11 — Security of personal information — to protect PNR data in the CIE. The assessment also considered whether Home Affairs is using and disclosing personal information in accordance with its obligations under APP 6. We have completed the fieldwork for this year’s assessment and it will be finalised during the 2018–19 financial year.
Contractual arrangements in relation to regional processing centres
In 2016–17 we commenced an assessment of Home Affairs’ privacy arrangements for Regional Processing Centres, including:
- General governance and privacy frameworks under APP 1 — Open and transparent management of personal information.
- How Home Affairs met its security obligations under APP 11 — Security of personal information, including through the use of contractual measures as required under section 95B of the Privacy Act.
We finalised this assessment during the 2017–18 financial year. We made four recommendations, which were agreed by Home Affairs. The assessment report is published on our website.
Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014
In 2017–18 we finalised four assessments that considered how personal information was being handled by Home Affairs under the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Foreign Fighters Act). These assessments considered how personal information is handled through border clearance processes at Australian international airports, including biometric information collected by SmartGates (Schedule 5) and the Advanced Passenger Processing (AdPP) data exchanged between airlines and Home Affairs (Schedule 6). Three of these assessments commenced in the 2016–17 financial year:
- An assessment of the security arrangements that are in place to protect personal information after its collection by SmartGates. We made two recommendations in this assessment.
- An assessment of the steps that a third-party provider to Home Affairs is taking to secure personal information collected through AdPP (Schedule 6). We made two recommendations in this assessment.
- An assessment of the procedures Home Affairs has in place to respond to an individual’s request for access to their personal information that was collected by SmartGates, in accordance with APP 12 — Access to personal information. We made one recommendation in this assessment.
- The fourth assessment in 2017–18 considered the steps that a third party to Home Affairs is taking to secure access to personal information that is held in the systems that support SmartGates. We did not make any recommendations in this assessment.
In 2017–18 we also followed up on Home Affairs’ implementation of the three initial assessments relating to Schedules 5, 6 and 7 of the Foreign Fighters Act that were completed across the 2015–16 and 2016–17 financial years. At the close of the 2017–18 financial year:
- We were satisfied that Home Affairs had implemented the recommendations in the Schedule 7 assessment
- We were satisfied that Home Affairs had either implemented or was taking steps to implement the recommendations in the Schedule 6 assessment
- We had not received a response from Home Affairs to our follow-up of the Schedule 5 assessment
Tax file numbers
Under the Privacy (Tax File Number) Rule 2015, which regulates the collection, storage, use, disclosure, security and disposal of individuals’ Tax File Number (TFN) information, six specified Australian Government agencies (Commissioner of Taxation/Australian Taxation Office, Australian Prudential Regulation Authority, Department of Human Services, Department of Education and Training, Department of Veterans’ Affairs and the Department of Social Services) have obligations to make a range of information publicly available about how TFN information is to be handled.
In 2016–17 we commenced an assessment that looked at how the agencies meet their obligations. The assessment was conducted through a desktop review of each agency’s website and a targeted survey questionnaire sent to each agency. This assessment was finalised in 2017–18, and we will release a combined summary report during the 2018–19 financial year.
Universal Student Identifier
Under our MOU with the Department of Education and Training, acting through the Student Identifiers Registrar (the Registrar), we conducted a self-assessment of five registered training organisations’ (RTOs’) handling of student identifiers and associated personal information in accordance with the Student Identifiers Act 2014 and the Privacy Act. The self-assessment looked at how these RTOs were managing personal information in accordance with APP 1 — Open and transparent management of personal information, and APP 5 — Notification of the collection of personal information. The OAIC will be releasing a combined report in the 2018–19 financial year, along with a number of recommendations resulting from the survey.
ACT Government
Under our MOU with the ACT Government, we conducted two assessments of ACT Government agencies. These activities are reported on in more detail in the Memorandum of Understanding with the Australian Capital Territory for the provision of privacy services 2017–18 Annual Report (available on the OAIC website no later than 1 November 2018).
Appendix B on page 145 contains more information about our MOU with the ACT Government.
Data-matching
We perform a number of functions to assist government agencies to understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.
Data-matching is the process of bringing together data sets that come from different sources and comparing those data sets with the intention of producing a match. A number of government agencies use data-matching to detect non-compliance, identify instances of fraud and to recover debts owed to the Australian Government. For example, the Australian Taxation Office (ATO) may match tax return data with data provided by banks to identify individuals or businesses that may be under-reporting income or turnover.
Government agencies that carry out data-matching activities must comply with the Privacy Act. Data-matching raises privacy risks because it involves analysing personal information about large numbers of people, the majority of whom are not under suspicion.
Statutory data-matching
The Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). The Data-matching Act authorises the use of tax file numbers in data-matching activities undertaken by the Department of Human Services (DHS), the Department of Veterans’ Affairs and the ATO. In previous years, we have conducted inspections of DHS’s data-matching records to ensure compliance with the requirements of the Data-matching Act. Agencies have continued to rely less on matching using the tax file number; consequently, this year we have again focused on providing advice and oversight of data-matching activities outside of the Data-matching Act.
Enhanced Welfare Payment Integrity
The ‘Enhanced Welfare Payment Integrity — non-employment income data-matching measure’ was announced in the 2015–16 Mid-Year Economic and Fiscal Outlook (MYEFO). It increases DHS’s capability to conduct data-matching to identify non-compliance by welfare recipients.
This year, we conducted two privacy assessments of DHS’s data-matching activities. The first of these assessments looked at DHS’s non-employment income data-matching (NEIDM) program, and specifically how DHS addresses the requirements of APPs 1.2, 3 and 5 in relation to that program.
The other assessment considered APPs 10 and 13 by looking at how DHS ensures the quality of the personal information used in its Pay-As-You-Go (PAYG) data-matching program, and whether the PAYG program facilitates customer correction of personal information being used in the program. The draft reports for these assessments were provided to DHS for comment in May 2018, and we will work with DHS to finalise and publish the assessments in the 2018–19 financial year.
A third assessment, looking at how DHS addresses its obligations under APP 11 — Security of personal information — to secure the personal information used in both the NEIDM and PAYG programs, will take place early in the 2018–19 financial year.
Data-matching under the voluntary guidelines
We administer the Guidelines on Data-matching in Australian Government Administration (Guidelines), which are voluntary guidelines to assist government agencies with adopting appropriate privacy practices when undertaking data-matching activities that are not covered by the Data-matching Act. This year we reviewed seven data-matching program protocols submitted by matching agencies, including the Australian Taxation Office and the Department of Human Services.
The Commissioner approved two requests for exemption from certain requirements of the Guidelines. A list of the exemptions that we approved can be found on our website.
Digital health assessments
Health information is considered particularly sensitive. This sensitivity has been recognised in the My Health Records Act 2012 (My Health Records Act) and Healthcare Identifiers Act 2010 (HI Act), which regulate the collection, use and disclosure of information, and give the Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act which treats health information as ‘sensitive information’.
We initiated one assessment relating to the My Health Record system in 2017–18; finalised one assessment which commenced in the previous reporting period; and continue to progress one assessment that began in the previous year. For further information, refer to the Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2017–18 (available on the OAIC website no later than 28 November 2018).
Advice for businesses and agencies
Our teams provide advice for businesses and Australian Government agencies on their obligations under the Privacy Act. We also assist businesses and agencies to achieve best practice in their approach to privacy management.
This year we issued advice on a variety of issues including:
- Adoption, use and disclosure of government related identifiers
- Australian Government Agencies Privacy Code
- Australian Government’s proposed Consumer Data Right Scheme
- Credit reporting
- Data breach notification requirements, including the Notifiable Data Breaches scheme
- De-identification and re-identification
- Digital identity systems
- Direct marketing
- External Dispute Resolution schemes
- Government data-matching
- Higher education proposals affecting handling of information about students
- Law enforcement and national security
- The My Health Records (MHR) system
- New and emerging technologies
- Online communications and privacy
- Privacy implications of data analytics and related activities
- Privacy and international agreements
- Privacy and security, as part of the Attorney-General’s Department’s reforms to the Protective Security Policy Framework (PSPF)
- Telecommunications
We also drafted submissions on issues such as:
- Privacy in the digital age
- Mandating consumer credit reporting
- National security laws
- Digital identity
- Digital economy
- Financial hardship
- Establishment of the Australian Financial Complaints Authority
- New information-sharing arrangements under proposed legislation
- National identity-matching services for biometric information
- Non-consensual sharing of intimate images
- Open Banking
- Access to Medicare information
- The redevelopment and audit of the Higher Education Data Collection
- The secondary use framework for information contained in the My Health Record system
Case study 12 — Open Banking
In August 2017 the Treasury released an Issues Paper on the Review into Open Banking in Australia. This paper invited submissions on the most appropriate model for the Australian context and how best to implement such a model, including what data should be shared, with whom, and how to ensure data is kept secure and privacy is respected.
The OAIC provided a submission to the review, acknowledging the potential of Open Banking to give individuals greater choice and control over how their data is used, while highlighting some important implications that the new scheme may have for the handling of individuals’ financial information, which many individuals consider especially sensitive. Many OAIC recommendations were reflected in the Final Open Banking Report, and the OAIC has continued to work with the Treasury on the development and implementation of the scheme, which is set to commence in July 2019.
Submissions can be read in full on the OAIC website.
Resources
We published a number of new resources, guides and fact sheets in 2017–18.
In preparation for the commencement of the Notifiable Data Breaches scheme, we published guidance and a webinar to assist Australian Government agencies and businesses to understand the new requirements. We also published guidance for consumers about what to expect when receiving a data breach notification and what actions they can take if they have been affected by a data breach.
In preparation for the implementation of the European Union’s General Data Protection Regulation (GDPR), we published guidance to assist Australian Government agencies to understand whether the new requirements would apply to them.
We updated our ‘Guide to securing personal information’ to incorporate information about the Notifiable Data Breaches scheme, and to update references to information security resources.
To assist agencies and organisations to make the most of their valuable data resources, the OAIC released its final version of the Guide to Data Analytics, originally published as a consultation draft in 2016. We also collaborated with the CSIRO’s Data61 to release a joint resource which provides detailed guidance on de-identification, the De-Identification Decision-Making Framework. We also released the OAIC’s ‘De-identification and the Privacy Act’ resource to reflect this updated approach.
In preparation for the commencement of the Australian Government Agencies Privacy Code on 1 July 2018, we published a suite of resources to assist agencies to comply with their new obligations, including an Interactive Privacy Management Plan and a Privacy Officer toolkit. We also conducted a webinar for agencies to assist in the completion of their Privacy Management Plans and developed and delivered a Privacy Officer training course to assist Privacy Officers to undertake their role under the Code.
We published a series of multimedia resources for healthcare providers, to help them understand their privacy obligations and the mandatory data breach notification requirements under the My Health Records Act.
Privacy legislative instruments
Under the Privacy Act, the Commissioner has powers to make certain legislative instruments. These legislative instruments must comply with the requirements of the Legislation Act 2003. They are publicly available on the Federal Register of Legislative Instruments.
Privacy (Australian Government Agencies — Governance) APP Code 2017
On 26 October 2017, the Information Commissioner made the Privacy (Australian Government Agencies — Governance) APP Code 2017 (the Code).
The Code commences on 1 July 2018 and applies to all Australian Government agencies subject to the Privacy Act (except for ministers). The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2. It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.
The requirements of the Code include having a privacy management plan, appointing a Privacy Champion and Privacy Officer, undertaking Privacy Impact Assessments (PIAs) for all high privacy risk projects or initiatives that involve new or changed ways of handling personal information, and taking steps to enhance internal privacy capability.
Privacy (Australian Honours System) Temporary Public Interest Determination 2018
On 13 March 2018, the Information Commissioner made the Privacy (Australian Honours System) Temporary Public Interest Determination 2018. This followed an application for a public interest determination on 6 March 2018 from the Department of Home Affairs (Home Affairs).
This temporary public interest determination (TPID) allows Home Affairs to disclose Australian citizenship and permanent residency status information without breaching APP 6 — Use or disclosure of personal information, for a period of 12 months. The disclosures can be made to the Department of the Prime Minister and Cabinet and to the Office of the Official Secretary to the Governor-General for the purposes of their consideration of nominees for awards (such as those in the Australian honours system).
The TPID repealed Public Interest Determination No. 2 which had been in operation since 1991.
The Information Commissioner and Privacy Commissioner is considering Home Affairs’ application for a longer-term public interest determination.
Privacy (Credit Reporting) Code 2014 (Version 2)
The Privacy (Credit Reporting) Code 2014 (CR Code) is a written code of practice about credit reporting that supplements the credit reporting provisions in the Privacy Act.
On 29 May 2018, the then acting Information Commissioner and acting Privacy Commissioner approved a variation of the CR Code. The variation was requested by the code developer, Australian Retail Credit Association (ARCA). The approved variation made a number of minor and technical amendments to the CR Code, including clarifying the grace period for disclosing repayment history information, the definition of ‘consumer credit liability information’, and requirements for notifying consumers about a default listing.
The varied CR Code was scheduled to commence on 1 July 2018. It must be included on the OAIC’s Codes Register and registered on the Federal Register of Legislative Instruments.
The variation followed an independent review of the operation of the CR Code, conducted under paragraph 24.3 of the CR Code. Paragraph 24.3 requires the Australian Information Commissioner to initiate an independent review of the operation of the CR Code within three years of its commencement.
The OAIC engaged PricewaterhouseCoopers (PwC) to seek feedback, through targeted and public consultation, on issues arising from the interaction between the CR Code and the Privacy Act; significant issues or concerns about the practical operation of the CR Code; and any requirements of the CR Code which had not been complied with in practice. PwC’s final report was published on 13 December 2017. The PwC review made recommendations and gave feedback on each of the CR Code provisions that were varied.
Some recommendations and important observations in the PwC review have not been addressed in the approved variations. The OAIC intends to consider these matters further in the 2018–19 financial year.
Privacy awareness
This year we continued to raise awareness about privacy rights for individuals, and also helped Australian businesses and government agencies understand their privacy obligations.
‘2018 marks 30 years of the Australian Privacy Act 1988. Since then, there have been remarkable changes in the way personal information is put to use across the world. Utilising personal information to engage with businesses, government, and each other online is an everyday occurrence. At the same time, the public benefits of increased data analysis and data mobility to research, policy-making, and the Australian economy are being actively sought.
This has reinforced the vital importance of privacy, which is integral to building and maintaining people’s trust in both government agencies and businesses in their handling of personal information.
Privacy today is founded on the principles of transparency and accountability. It is about ensuring individuals can exercise choice and control and that the actions of organisations reflect the value of personal information to individuals’ wellbeing and dignity.
To that end — 2018 is the year a number of regulatory developments were introduced in Australia that enhance privacy governance across the public and private sector. The Notifiable Data Breaches scheme came into force in February, formalising a long-standing community expectation for organisations to notify individuals affected by data breaches that are likely to result in serious harm. In just under two months’ time, Australian Government agencies must comply with the Australian Government Agencies Privacy Code. Internationally, on 25 May the European Union’s (EU’s) General Data Protection Regulation takes effect for all Australian businesses operating in the EU.’
Angelene Falk, then acting Information Commissioner and acting Privacy Commissioner, in ‘Welcome to Privacy Awareness Week. A message from the acting Commissioner, 2018’.
Reaching our audiences
This year we focused significant effort on preparing Australian Government agencies and businesses for the commencement of the NDB scheme in February 2018, and preparing agencies for the commencement of the Australian Government Agencies Privacy Code on 1 July 2018.
Reaching the community was also a focus for the OAIC, through targeted events and social media activity.
Speaking engagements
This year we participated in 51 speaking engagements aimed at privacy professionals.
Media
One of our aims this year was to increase media coverage of the NDB scheme and raise the public’s awareness of privacy.
We achieved this as demonstrated by:
- An increase of 24% in media enquiries when compared with 2016–17
- More than 310 mainstream media mentions during Privacy Awareness Week (compared to 250 in 2017)
The following graph shows the increase in reporting of privacy, and the spike when issues of community concern are covered, such as the commencement of an investigation into Facebook.
Received | 2017–18 | 2016–17 | % Change |
---|---|---|---|
Total | 317 | 255 | 24% |
Jul | 14 | 21 | -33% |
Aug | 7 | 33 | -79% |
Sep | 11 | 14 | -21% |
Oct | 17 | 27 | -37% |
Nov | 12 | 25 | -52% |
Dec | 7 | 7 | 0% |
Jan | 23 | 26 | -12% |
Feb | 32 | 21 | 52% |
Mar | 48 | 28 | 71% |
Apr | 65 | 10 | 550% |
May | 55 | 25 | 120% |
Jun | 26 | 18 | 44% |
Figure 3 — Media enquiries received
Freedom of Information (FOI)
Freedom of Information (FOI) provides a legally enforceable right of access to government documents. It applies to Australian Government ministers and most agencies, although the obligations of agencies and ministers are different.
Individuals have rights under the FOI Act to request access to government documents. The FOI Act also requires government agencies to publish specified categories of information, and it allows them to proactively release other information.
Additional information regarding data collected from ministers and agencies subject to the FOI Act, and separately from the Administrative Appeals Tribunal, the Commonwealth Ombudsman and our own records is included at Appendix D on page 152.
FOI Enquiries
We respond to enquiries from the public on FOI issues, including our Information Commissioner review (IC review) function. This year our enquiries line answered 1,339 telephone calls related to FOI, and responded to 584 written FOI enquiries. We also assisted eight in-person FOI enquiries. Just over 49% of all enquiries about FOI matters related to general processes for FOI applicants, including how to make an FOI request or complaint, or seek review of an FOI decision.
Issue | Number[*] |
---|---|
General processes | 952 |
Jurisdiction | 709 |
Processing by agency | 174 |
Agency statistics | 142 |
Access to general information | 18 |
Access to personal information | 18 |
Information Publication Scheme | 10 |
Amendment and annotation | 7 |
Vexatious application | 6 |
[*] There may be more than one issue in each enquiry.
Information Commissioner (IC) reviews
In an Information Commissioner (IC) review, the Information Commissioner is able to review decisions made by Australian Government agencies and ministers subject to the FOI Act, including decisions:
- Refusing to grant access to documents wholly or in part
- Where requested documents do not exist or cannot be found
- Granting access to documents, where a third party has a right to object (for example, if a document contains their personal information)
- To impose charges for access to documents, including decisions refusing to waive or reduce charges
- Refusing to amend or annotate records of personal information
This year we experienced a significant increase in IC reviews, receiving 801 applications for review — a 27% increase over 2016–17.
Alongside the significant increase in the number of applications, the OAIC was able to finalise 610 IC reviews (an 18% increase compared to 2016–17 when 515 reviews were finalised). Of the 610 IC reviews finalised in 2017–18, 84% were finalised within 12 months, exceeding the target of 80% completed within 12 months.
Informal resolution
The OAIC encourages resolution of IC reviews by agreement between the parties where possible. In 2017–18, 487 IC reviews were finalised without a formal decision being made (80% of all IC reviews finalised).
The number of IC reviews finalised under section 55F by way of a written agreement between the parties to the IC review has more than tripled since 2016–17. In 2017–18, 42 IC reviews were finalised by agreement under section 55F, in comparison to 14 in 2016–17.
There were 155 IC reviews finalised after the applicant withdrew their request, following action taken by the agency to resolve the issues in the IC review (such as by issuing a decision and statement of reasons in deemed access refusal cases, or a revised decision under section 55G to give the applicant access to further documents or material), or following an appraisal by the OAIC of the merits of their case.
Information Commissioner (IC) review decisions under section 55K
Under section 55K of the FOI Act, the Information Commissioner made 123 decisions during 2017–18 (20% of all IC reviews finalised). Of these:
- 37% set aside the decision under review (45 decisions)
- 8% varied the decision under review (10 decisions)
- 55% affirmed the decision under review (68 decisions)
Thirteen per cent of the decisions affirmed (nine decisions) had been revised under section 55G of the FOI Act during the IC review, giving greater access to the documents sought. In 18% of the decisions set aside and substituted (eight decisions), the agency had withdrawn certain exemption contentions during the course of the IC review.
The section 55K decisions published by the OAIC continue to be an important feature of the OAIC’s work. The decisions address novel issues and build on existing jurisprudence in the FOI jurisdiction. They help agencies interpret the FOI Act and provide guidance on the exercise of their powers and functions. The OAIC adopts a practical approach to its decision making and to its role in helping agencies meet their obligations under the FOI Act.
All IC review decisions are published on the AustLII website as part of the Australian Information Commissioner (AICmr) series.
Some Information Commissioner decisions made during 2017–18 are highlighted below.
Case study 13 — Elstone Pty Limited and Civil Aviation Safety Authority (Freedom of information) [2018] AICmr 52 (28 May 2018)
The applicant sought access to a complaint that was made against its helicopter tour business, as well as the complainant’s name or business name. On 24 August 2016, the Civil Aviation Safety Authority (CASA) identified one document within scope, and refused access to the document in full under sections 47E(d) and 47F of the FOI Act. On 20 February 2017, during the course of the IC review, CASA revised its decision under section 55G of the FOI Act to grant access to parts of the document.
On 17 May 2017, the Information Commissioner referred questions of law to the Federal Court of Australia (the Federal Court) with respect to the construction of section 55G. On 9 April 2018, the Federal Court decided in Australian Information Commissioner v Elstone Pty Limited [2018] FCA 463 that it lacked jurisdiction to determine the referred questions of law because there was no matter for consideration within the meaning of Chapter III of the Constitution. Accordingly, the then acting Information Commissioner proceeded to make her decision on the basis that the decision under review is CASA’s decision of 24 August 2016, as varied on 20 February 2017.
The then acting Information Commissioner considered the document and agreed with CASA that disclosure of the relevant material that would identify the complainant could discourage other individuals from raising safety concerns in the future, and could reasonably be expected to have a substantial adverse effect on CASA’s operations in carrying out its regulatory functions in relation to the safety of civil aviation. The then acting Information Commissioner also considered the public interest test, and was satisfied that disclosure would, on balance, be contrary to the public interest.
Case study 14 — Josh Taylor and Prime Minister of Australia (Freedom of information) [2018] AICmr 42 (21 March 2018)
The applicant sought access to all Wickr (instant messaging app) conversations between the then Prime Minister Malcolm Turnbull and former Prime Minister Kevin Rudd, regarding former Prime Minister Rudd seeking the government’s nomination for Secretary-General of the United Nations. The Prime Minister decided to refuse access to the documents under section 24A of the FOI Act on the basis that they cannot be found or do not exist.
In making his decision, the Information Commissioner considered the nature of Wickr and found that users of the Wickr Me app can set how long a message lasts before its automatic deletion, up to a maximum of 6 days. The Information Commissioner noted that once a message has expired, it is securely destroyed from both the sender’s and the recipient’s devices, and that unless a backup of the message was made before it expired, it would be highly unlikely that the message would continue to be stored on the device or in any other location.
Based on this, the Information Commissioner considered that undertaking searches within the app and any available backups for the documents would constitute all reasonable steps for the purposes of section 24A. In particular, the Information Commissioner noted that, based on the circumstances and the Prime Minister’s evidence of searches and his submissions that there were no available backups of the apps, it was unlikely that the documents, if they existed, would be stored on the Prime Minister’s phone or in any other location.
Case study 15 — Paul Farrell and Department of Home Affairs (Freedom of information) [2018] AICmr 27 (28 February 2018)
The Information Commissioner set aside the decision of the Department of Home Affairs (Home Affairs) to neither confirm nor deny the existence of documents regarding any disclosures made under section 19 of the Australian Border Force Act 1995. Home Affairs advised that if the documents were to exist they would be exempt under section 37(1) of the FOI Act.
The Information Commissioner found that the documents requested were not of ‘such a kind’ that they would be exempt under section 37(1). Accordingly, Home Affairs was not entitled to give notice to neither confirm nor deny the existence of the documents under section 25 when responding to the FOI request.
The Information Commissioner considered whether Home Affairs had discharged its onus in establishing the decision to invoke section 25 in response to the applicant’s request. The Information Commissioner found that Home Affairs had not sufficiently demonstrated that exceptional circumstances existed. Accordingly, the Information Commissioner set aside the decision of Home Affairs to neither confirm nor deny the existence of the documents and substituted the decision that if documents were to exist, they would not be exempt as authorised under section 25.
Case study 16 — Justin Warren and Department of Human Services (Freedom of information) [2018] AICmr 16 (1 February 2018)
The applicant applied to the Department of Human Services (Human Services) for access to documents relating to the Pay As You Go data-matching initiative that was the subject of a Question on Notice from the Senate Community Affairs Legislation Committee Budget Estimates hearing on 3 June 2015. Human Services notified the applicant of its intention to impose a charge for the processing of the request. The applicant requested that Human Services reduce or waive the charge on public interest grounds. However, Human Services decided to impose a charge of $510.
The applicant sought internal review and Human Services affirmed its decision on internal review. The applicant subsequently paid the charge and Human Services processed the request.
The applicant then sought IC review of Human Services’ decision to impose a charge. Human Services submitted that the Information Commissioner did not have jurisdiction to review a charge that has been paid in full.
The Information Commissioner considered section 54L of the FOI Act, which provides that a person can seek IC review of an ‘access refusal decision’. Section 53A(e) of the FOI Act provides that a decision under section 29 relating to imposition of a charge or the amount of a charge is an ‘access refusal decision’.
Accordingly, the Information Commissioner was satisfied that a decision to impose a charge is an IC reviewable decision, despite the fact that the applicant has paid the charge in full. The Information Commissioner was also satisfied that Human Services had not discharged its onus under section 55D of the FOI Act to establish that the decision in respect of the charge is justified. The Information Commissioner decided that no charge should be imposed in relation to the applicant’s request.
Case study 17 — Dan Conifer and the Department of the Treasury (Freedom of information) [2017] AICmr 133 (8 December 2017)
The applicant sought access to briefs, advice and/or submissions from the Department of the Treasury to the Treasurer in relation to negative gearing, and Labor’s negative gearing and capital gains tax policies. The Treasury identified seven documents within scope and decided that one document was exempt in part under section 34(1)(c), six documents were exempt in part under section 47C and one document was exempt in part under section 47G.
On IC review, the then Information Commissioner agreed with the Treasury’s application of sections 34(1)(c) and 47G to the documents. However, he did not agree that the relevant documents were exempt under section 47C. In particular, he noted that the Treasury did not identify or provide any detail on any particular practice, process or policy that could reasonably be impacted through disclosure. The Information Commissioner found that although the relevant documents were conditionally exempt, disclosure at this time would not be contrary to the public interest.
Procedures to be followed in IC reviews
In February 2018, the Information Commissioner issued a ‘Direction as to certain procedures to be followed in IC reviews’ (the procedure direction) under section 55(2)(e)(i) of the FOI Act. The procedure direction provides further clarity on what is expected from agencies and ministers during the IC review process and promotes the efficient and timely resolution of IC reviews. The procedure direction sets out the particular procedures that agencies and ministers must follow in respect of the production of documents, the provision of a statement of reasons where access has been deemed to be refused, and the provision of submissions during an IC review.
The procedure direction is to be read alongside the OAIC’s ‘Freedom of information regulatory action policy’ (the FOI Regulatory Action Policy) and Part 10 of the Guidelines issued by the Information Commissioner under section 93A of the FOI Act (FOI Guidelines).
The FOI Regulatory Action Policy was developed and published this year to inform the Australian community and Australian Government agencies and ministers covered by the FOI Act of the regulatory strategy and approach of the Information Commissioner with respect to FOI regulatory powers, including in undertaking IC reviews. The policy should be read together with Part 10 of the FOI Guidelines.
Part 10 of the FOI Guidelines, to which agencies must have regard in performing a function or exercising a power under the FOI Act, sets out in detail the process and underlying principles of IC review. Part 10 was updated this year to reflect legislative amendments by the Norfolk Island Legislation Amendment Act 2015, developments and discussions in recent IC review decisions and Information Commissioner processes in carrying out IC review functions, as well as to include references to the procedure direction and the FOI Regulatory Action Policy.
FOI Complaints
Under section 69 of the FOI Act, the Information Commissioner has power to investigate agency actions relating to the handling of FOI matters.
Part 11 of the FOI Guidelines provides the Information Commissioner’s view that making a complaint is not an appropriate mechanism where IC review is available, unless there is a special reason to undertake an investigation and the matter can be dealt with more appropriately and effectively in that manner. IC review will ordinarily be the more appropriate avenue for a person to seek review of the merits of an FOI decision, particularly an access refusal or access grant decision. This approach accounts for the relatively small number of FOI complaints received compared with IC review applications.
In 2017–18, the OAIC received 62 complaints and closed 29. This represents a 72% increase in lodgements compared with 2016–17 (36 FOI complaints received) and a 61% increase in finalisations compared with 2016–17 (18 FOI complaints finalised).
The most common complaints about the handling of FOI matters by agencies are charging practices, consultation with applicants under practical refusal provisions and agencies not meeting statutory timeframes.
Of the 29 FOI complaints finalised in 2017–18, the Information Commissioner finalised four investigations and made recommendations to be implemented by an agency in two of these investigations.
FOI Extensions of time
The FOI Act sets out timeframes within which agencies and ministers must process FOI requests.
Where an agency or minister is unable to process an FOI request within the processing period, they are able to request an extension of time from the FOI applicant or the Information Commissioner.
Where the applicant agrees to an extension of time in writing, the agency or minister must advise the Information Commissioner of the agreement to extend the statutory processing time as soon as practicable.
An agency or minister can apply to the Information Commissioner for an extension of the processing period where they can demonstrate that processing of the FOI request has been delayed because the request is voluminous or complex in nature (section 15AB), or where they have been unable to process the request within the statutory timeframe and are deemed to have made a decision refusing the FOI request (section 15AC).
Year | 2015–16 | 2016–17 | 2017–18 |
---|---|---|---|
Received | 5,605 | 4,412 | 3,367 |
Closed | 5,602 | 4,420 | 3,333 |
This year, we finalised 90.5% of extension of time applications within five working days.
Request type | 2015–16 | 2016–17 | 2017–18 |
---|---|---|---|
Total | 5,602 | 4,420 | 3,333 |
Section 15AA | 5,171 | 3,808 | 2,762 |
Section 15AB | 283 | 453 | 370 |
Section 15AC | 102 | 112 | 122 |
Section 51DA | 0 | 0 | 1 |
Section 54B | 0 | 0 | 0 |
Section 54D | 30 | 29 | 38 |
Section 54T | 16 | 18 | 40 |
Section 15AA — Notification of agreement between agency and applicant to extend time
Section 15AB — Extension of time for complex or voluminous request
Section 15AC — Extension of time where deemed refusal of FOI request
Section 54B — Extension of time for internal review request
Section 54D — Extension of time where deemed affirmation of original decision on internal review
Section 54T — Extension of time for person to apply for IC review
In deciding whether to grant an extension of time, the Information Commissioner considers the impact the extension of time will have on the applicant, whether the agency or minister has taken realistic steps to process the FOI request, and whether granting extra time is within the objects of the Act.
FOI Vexatious applicant declarations
The Information Commissioner has the power to declare a person to be a vexatious applicant if they are satisfied that the grounds set out in section 89L of the FOI Act exist. Making a vexatious applicant declaration is not something the Information Commissioner undertakes lightly, but its use may be appropriate at times. A declaration by the Information Commissioner can be reviewed by the Administrative Appeals Tribunal (AAT).
During 2017–18, the Information Commissioner did not receive any applications from agencies under section 89K seeking to have a person declared a vexatious applicant. Two applications were finalised in 2017–18 after the applications were withdrawn by the agency.
FOI Awareness
FOI Guidelines
In January and February 2018, the Information Commissioner issued revised guidelines under section 93A of the FOI Act, which Australian Government ministers and agencies must have regard to when performing a function or exercising a power under the FOI Act. The revised parts include:
- Part 3 — Processing and deciding on requests for access
- Part 7 — Amendment and annotation of personal records
- Part 10 — Review by the Information Commissioner
- Part 11 — Complaints and investigations
FOI agency resources
In June 2018, the OAIC issued the revised FOI agency resource 14: Access to government information — administrative access. The OAIC sought comments from interested stakeholders about the readability and accessibility of the revised resource.
Newsletters
The OAIC issues a monthly e-newsletter to Government FOI contact officers who have subscribed to the Information Contact Officer Network (ICON). The monthly e-newsletter provides news, updates and information about FOI.
Events
The OAIC participated in various activities throughout the year to raise awareness about accessing government information and the role of the OAIC and its processes. We participated in the Australian Government Solicitor’s FOI Practitioners’ Forum and launched the first Right to Know Day digital campaign, which included awareness raising materials and a video from the Information Commissioner.
We also held an ICON information session in Canberra, which explored ongoing and emerging challenges in the FOI space and included an expert panel discussion.
Media
The Information Commissioner issued a joint media release with the Australian Information Access Commissioners about International Right to Know Day on 21 September 2017:
A citizen’s right to access government-held information and data, participate in government decision making, and have transparency in how decisions are made is central to any effective democracy.
Right to Know Day is an opportunity for all Australians and New Zealanders to reflect on their access rights and the benefits of a more open, transparent and accountable government. It is also a reminder to government that greater access to government information and data can deliver better public services, strengthen economic outcomes and build public trust and confidence in the public sector.
Australia and New Zealand Information Access Commissioners unite for citizens’ Right to Know
Joint Media Statement
21 September 2017
Information Publication Scheme
In 2017–18 the OAIC conducted an IPS survey with all Australian Government agencies subject to the FOI Act. The survey was conducted by ORIMA on behalf of the OAIC.
The survey reviewed the operation of the IPS in each agency and also provided agencies with an opportunity to comply with the requirement to conduct a review under section 9 of the FOI Act. Section 9 requires agencies to complete a review of the operation of the IPS within their agency, as appropriate from time to time and within five years of the commencement of the IPS, in conjunction with the Information Commissioner.
The information collected in the IPS Survey will be used by the OAIC to develop a high-level report on the operation of the IPS across all Australian Government agencies and to provide a comparative analysis with the results of the 2012 IPS Survey. The 2018 IPS Survey report will be published on the OAIC’s website.
The information collected may also be used to assist the OAIC understand agencies’ approaches to the publication of information and identify ways the OAIC can provide advice, assistance and training to agencies on the operation of the IPS in the future.
FOI Regulatory Action Policy
In 2017–18, the OAIC published an FOI Regulatory Action Policy that outlines and explains the Information Commissioner’s approach to using FOI regulatory action powers. The policy covers all FOI powers and functions conferred on the Information Commissioner by the Australian Information Commissioner Act 2010 and the FOI Act.
The policy should be read together with the FOI guidelines. The policy also outlines how the Information Commissioner works with agencies, ministers and regulators to promote access to information through regulatory action and undertakes public communication as part of FOI regulatory action.
FOI processing statistics received from Australian Government agencies and ministers
Below is a selection of the FOI request processing statistics provided by Australian Government agencies and ministers to the OAIC.
The number of FOI requests received declined 13% in 2017–18, from 39,519 in 2016–17 to 34,438. This decline was experienced in both requests for personal information and non-personal requests, with similar percentage falls across both types of request. The decline in request numbers for personal information is in large part due to the introduction by the Department of Home Affairs of an administrative access scheme for access to personal information.
In 2017–18, 28,199 or 82% of all FOI requests were for documents containing personal information. This is the same proportion as in 2016–17 but a decrease when compared with 2015–16 (87%).
In 2017–18, the Department of Home Affairs, the Department of Human Services and the Department of Veterans’ Affairs together continued to receive the majority of FOI requests (69% of the total). Of these, 96% were for personal information.
The percentage of FOI requests processed within the applicable statutory time period increased from 58% of all FOI requests in 2016–17 to 85% in 2017–18, largely due to the improvement in timeliness by the Department of Home Affairs.
The percentage of FOI requests granted in full decreased from 55% of all requests in 2016–17 to 50%. The number of requests refused increased from 10% of all FOI requests in 2016–17 to 16%.
The personal privacy exemption in section 47F of the FOI Act remains the most claimed exemption (43% of all exemptions claimed).
The total reported costs attributable to processing FOI requests in 2017–18 was $52.2 million, a 17% increase on 2016–17 ($44.8 million).
Australian Government agencies issued 4,128 notices advising of an intention to refuse a request for a practical refusal reason in 2017–18. This was a 163% increase on the number issued in 2016–17. Of these requests, 84% were subsequently refused or withdrawn; the proportion was 66% in 2016–17.
There was a 24% decrease in the total charges notified in 2017–18 and a 21% decrease in the total charges collected by Australian Government agencies (to $115,863).
The total number of entries added to agency website disclosure logs in 2017–18 (1,104) is 15% higher than in 2016–17, when 958 entries were added. This increase occurred despite a 13% decrease in the number of full or partial access grant decisions in 2017–18. However, the proportion of entries from which members of the public can directly access disclosure log documents from agency websites has declined from 67% last year to 57%.
There was a 12% increase in internal review applications in 2017–18. Of the 733 decisions on internal review, 351 (48%) affirmed the original decision, 72 (10%) set aside the original decision and granted access in full, and 217 (30%) granted access in part.
More detailed information is available in Appendix D on page 152.
Footnotes
[1] Where notifiable data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same data breach. Notifications under the NDB scheme to the OAIC relating to the same data breach incident are counted as a single notification in the NDB Quarterly Statistics Reports. In 2017–18 there were 49 secondary notices.
Long text descriptions
Figure 1 — Complaints received per month — the past three years
Figure 1 is a bar chart showing the number of complaints received per month over the 2015–16, 2016–17 and 2017–18 financial years.
Complaints received per month | 2015–16 | 2016–17 | 2017–18 |
---|---|---|---|
July | 156 | 192 | 207 |
August | 185 | 255 | 256 |
September | 209 | 168 | 240 |
October | 156 | 237 | 245 |
November | 181 | 218 | 267 |
December | 194 | 170 | 191 |
January | 148 | 167 | 238 |
February | 153 | 222 | 277 |
March | 182 | 275 | 240 |
April | 184 | 154 | 206 |
May | 196 | 217 | 284 |
June | 186 | 220 | 296 |
Figure 2 — Complaints closed per month — the past three years
Figure 2 is a bar chart showing the number of complaints closed per month over the 2015–16, 2016–17 and 2017–18 financial years.
Complaints closed per month | 2015–16 | 2016–17 | 2017–18 |
---|---|---|---|
July | 163 | 152 | 214 |
August | 129 | 189 | 244 |
September | 160 | 208 | 301 |
October | 339 | 209 | 233 |
November | 167 | 181 | 264 |
December | 149 | 193 | 148 |
January | 114 | 179 | 167 |
February | 161 | 176 | 253 |
March | 176 | 241 | 252 |
April | 165 | 172 | 161 |
May | 124 | 308 | 269 |
June | 191 | 277 | 260 |