Part 2: Performance

Our annual performance statement

Introduction

I, Angelene Falk, as the accountable authority of the Office of the Australian Information Commissioner (OAIC), present the 2018–19 annual performance statement of the OAIC, as required under paragraph 39(1)(a) of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In my opinion, this annual performance statement is based on properly maintained records, accurately reflects the performance of the entity, and complies with subsection 39(2) of the PGPA Act.

Overall performance

During this reporting period, we worked to achieve 43 performance measures outlined in the OAIC Corporate Plan 2018–19. We met the target for 38 of these performance measures and we did not achieve four (one measure did not apply during this reporting period).

We:

  • promoted and upheld privacy rights by achieving 30 of the 32 performance measures
  • promoted and upheld information access rights by achieving 8 of the 11 performance measures (one measure did not apply during this reporting period).

Promote and uphold privacy rights

We:

  • negotiated and accepted enforceable undertakings from the Commonwealth Bank of Australia Ltd and Wilson Asset Management (International) Pty Ltd
  • conducted targeted privacy assessments in areas such as finance, telecommunications, government, data matching and digital health
  • finalised 2,919 privacy complaints, a 5.5% increase on the number of privacy complaints we closed last financial year, while managing a 12.1% increase in privacy complaints received
  • published quarterly reports on the operation of the Notifiable Data Breaches (NDB) scheme and the Notifiable Data Breaches Scheme 12-Month Insights Report
  • finalised 79% of notifications received for 950 notifiable data breaches (under the NDB scheme) within 60 days, finalised 66.1% of voluntary notifications for 175 data breaches within 60 days and finalised 90% of notifications received for My Health Record data breaches within 60 days
  • made two public interest determinations on the disclosure of homicide data for the Australian Federal Police and the Australian honours system for the Department of Home Affairs
  • released a new training resource about the Privacy (Australian Government Agencies — Governance) APP Code 2017 (Privacy Code) and the Notifiable Data Breaches (NDB) scheme
  • launched new resources for My Health Record consumers
  • launched our new website for public feedback.

Promote and uphold information access rights

We:

  • finalised 659 Information Commissioner (IC) reviews, an 8% increase on the number of IC reviews we closed last financial year, while managing a 15.9% increase in IC review applications
  • published the Information Publication Scheme (IPS) Survey 2018
  • published a revised guide for Access to Government Information — Administrative Access
  • launched a digital campaign for Right to Know Day 2018.

Results

Our performance is measured against the activities in the OAIC Corporate Plan 2018–19. Where a performance measure covers a target in the Portfolio Budget Statement, an asterisk (*) is shown against the performance measure.

Privacy performance measures

Corporate Plan activity 1.1

Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice.

Performance measure 1.1.1 The OAIC applies a risk-based, proportionate approach to facilitate privacy compliance and promote privacy best practice.

Achieved

During this reporting period, we engaged with entities reporting under the NDB scheme on the requirements of the NDB scheme, the causes of the data breach and measures to prevent reoccurrence. We used intelligence from privacy enquiries, privacy complaints, NDB reports, privacy assessments, media reports and tip-offs to decide on appropriate regulatory action. We conducted preliminary inquiries or opened investigations on the Commissioner’s own initiative for 15 matters.

We regularly engaged with business and Australian Government agencies, including providing advice and guidance on how to comply with the Privacy Act 1988 (Privacy Act) and deliver privacy best practice.

We released a new training resource about the Privacy Code and NDB scheme during Privacy Awareness Week (12 to 18 May 2019) to educate Australian Government agencies about privacy best practice.

We published the Notifiable Data Breaches Scheme 12-Month Insights Report, which is available on our website, to help businesses and agencies understand the common causes of data breaches and how they can implement proactive strategies to prevent data breaches.

We launched new resources for My Health Record consumers.

Performance measure 1.1.2 Guidance and educational materials are updated to include learnings from regulatory activities such as assessments and investigations.

Achieved

We regularly updated our guidance and educational materials to make sure they are current and relevant.

For example, we released a new website for public review in June 2019 (see performance measure 1.7.4). During Privacy Awareness Week (PAW) we provided guidance to organisations and Australian Government agencies about their obligations under the Privacy Code.

Performance measure 1.1.3 Regular engagement and consultation with businesses and Australian Government agencies is undertaken.

Achieved

We engaged regularly with businesses and Australian Government agencies, including providing advice on a wide range of matters such as the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, the Consumer Data Right scheme, changes to the My Health Record system and the Privacy (Credit Reporting) Code 2014.

We drafted submissions on nine different issues, such as cooperative intelligent transport systems, automated vehicle data, Australian Government data sharing and telecommunications.

Performance measure 1.1.4 Privacy Professionals’ Network (PPN) members are provided with information that is relevant and engaging, a minimum of 10 times per year.

Achieved

We continued to offer PPN members regular information and updates. In 2018–19, PPN members received 10 e-newsletters. We also invited them to events which included discussion panels and OAIC privacy training.

Performance measure 1.1.5 Levels of engagement with PPN members are recorded.

Achieved

We had our highest number of organisations supporting our PAW campaign with 507 becoming PAW partners, up from 360 in 2017–18.

During this reporting period, PPN membership continued to grow, from 3,442 members to 3,623. More than half of PPN members (51%) opened our e-newsletter and 39% clicked on a specific link in the e-newsletter.

Corporate Plan activity 1.2

Manage data breach notifications.

Performance measure 1.2.1* 80% of data breach notifications are finalised within 60 days.

Not achieved

We:

  • finalised 79% of notifications received under the NDB scheme within 60 days
  • finalised notifications received under the NDB scheme in an average of 45.3 days
  • finalised 66.1% of voluntary data breach notifications received within 60 days
  • finalised voluntary data breach notifications in an average of 60.4 days.

Performance measure 1.2.2* 80% of My Health Records data breach notifications are finalised within 60 days.

Achieved

We finalised 90% of My Health Record data breach notifications received within 60 days.

Performance measure 1.2.3 Guidance and support tools are promoted for the data breach notification schemes the OAIC oversees.

Achieved

We published a resource for regulated entities on tips to prevent and mitigate data breaches with the Australian Cyber Security Centre.

We recorded and published:

  • an interactive webinar with the Royal Australian College of General Practitioners (RACGP) on the requirements of the NDB scheme for health service providers, with case studies and frequently asked questions
  • resources and information for RACGP members including updated flowcharts on the NDB scheme and My Health Record data breaches
  • an interactive webinar on the requirements of the NDB scheme, and the lessons from the first 12 months of the NDB scheme’s operation, with case studies on best practice and approaches to multi-party data breaches.

Performance measure 1.2.4 Statistics on data breach notifications are published.

Achieved

We published four quarterly reports on the operation of the NDB scheme. These reports included key statistics on the number of notifications received, the number of individuals whose personal information was involved in the data breach, detailed breakdowns on the reported sources of data breaches, comparisons of data breaches reported by the top five sectors and the kinds of personal information affected. They also provided detailed breakdowns of the types of data breaches notified by the top two reporting sectors.

In May 2019, we published the Notifiable Data Breaches Scheme 12-Month Insights Report, which is available on our website. The report provided lessons learned from the first year of the NDB scheme’s operation, as well as information about the changing international landscape with regards to privacy and mandatory data breach reporting schemes. The report also highlighted best practice tips and case studies from organisations that had notified under the NDB scheme, and strategies for mitigating the risk of cyber incidents.

Corporate Plan activity 1.3

Conduct Commissioner initiated investigations (CIIs).

Performance measure 1.3.1* 80% of CIIs are finalised within eight months.

Achieved

Of the privacy CIIs finalised during this reporting period, 86% were finalised within eight months.

This reflected our commitment to working with respondents to resolve issues of non-compliance and improve privacy practices, as well as our efforts to reduce the time taken to progress a privacy CII.

For more information about CIIs, see page 65.

Performance measure 1.3.2 CIIs result in improvements in the privacy practices of investigated organisations.

Achieved

We made inquiries of, or investigated, organisations to ensure compliance with the Privacy Act. We accepted enforceable undertakings from two respondents in 2018–19: the Commonwealth Bank of Australia Ltd and Wilson Asset Management (International) Pty Ltd.

Each enforceable undertaking included steps the respondent agreed to take to address concerns we raised in the CII. By implementing these steps, the respondents will improve their privacy policies and procedures.

Performance measure 1.3.3 CII outcomes and lessons learnt are publicly communicated.

Achieved

We:

  • published the enforceable undertakings accepted from the Commonwealth Bank of Australia Ltd and Wilson Asset Management (International) Pty Ltd on our website
  • published statements and media releases on our website about the conclusion of these matters and the lessons learnt
  • publicly communicated the lessons learnt from CIIs in external speeches and presentations given by OAIC staff.

Performance measure 1.3.4 The OAIC applies a risk-based and proportionate approach to commencing and conducting CIIs.

Achieved

We applied the framework set out in the Guide to Privacy Regulatory Action (which is available on our website) when deciding whether to commence an investigation. As a result we commenced investigations into 15 matters.

Corporate Plan activity 1.4

Resolve privacy complaints.

Performance measure 1.4.1* 80% of privacy complaints are finalised within 12 months.

Achieved

We:

  • finalised 95.1% of all privacy complaints within 12 months of receipt — 4.4 months was the average time taken to close a privacy complaint
  • closed 5.5% more privacy complaints than in 2017–18
  • responded to an 11% increase in the number of privacy complaints received (2017–18: 18% increase)
  • increased staffing levels in our Early Resolution team to continue the efficient processing of privacy complaints.

We ensured the quality of our privacy complaint process by:

  • handling privacy complaints in line with our privacy regulatory action policy and privacy regulatory action guide
  • undertaking regular staff training, including conciliation and investigations training, administrative law training and mental health training
  • enabling staff to participate in complaint handling networks and events, including the Commonwealth Ombudsman’s Complaint Handling Forum and PAW activities
  • holding regular staff meetings to discuss matters of significance across the teams and to ensure consistency in decision-making — for example, all the Dispute Resolution branch staff regularly met to discuss privacy cases.

For more information on resolving privacy complaints, see page 57.

Performance measure 1.4.2 The complaint handling service is promoted to the community.

Achieved

We promoted our complaints handling service to the community through media releases, speaking engagements, event campaigns and social media.

We promoted the OAIC’s regulatory function and complaint handling service as part of our My Health Record privacy controls campaign on Facebook and Twitter.

We also promoted our complaint handling service through our campaigns for Privacy Awareness Week and Right to Know Day.

Performance measure 1.4.3 Complaint handling processes are reviewed to ensure they align with current best practice and relevant legislative developments.

Achieved

We reviewed our internal processes and developed a policy for responding to unreasonable client conduct. When finalised, this policy will ensure best practice when handling unreasonable clients and support staff to manage challenging interactions.

We hired an external consultant to help us improve the timeliness of our privacy complaint process. We are currently developing strategies to reduce a backlog of privacy complaints.

Corporate Plan activity 1.5

Conduct privacy assessments.

Performance measure 1.5.1 Complete assessments in accordance with the schedule developed in consultation with the business or agency being assessed.

Not achieved

We generally completed the information review and fieldwork stages of privacy assessments in line with a schedule we developed with the business or agency being assessed; however, the assessment report was not finalised on schedule in all cases. We will continue to improve our assessment reporting process in the next financial year and work with the business or agency being assessed to finalise draft assessment reports promptly.

Performance measure 1.5.2 Monitoring and compliance approaches are coordinated with the business and operational needs of the business or agency being assessed.

Achieved

We undertook professional, independent and systematic assessments in line with our privacy regulatory action policy and our guide to privacy regulatory action.

We engaged with and provided preliminary briefings to the business or agency being assessed prior to starting the formal assessment. This clarified our expectations and allowed us to develop a schedule that recognised the operational needs of the business or agency being assessed.

We engaged ICT security consultants to assist with the technical aspects of some of our Australian Privacy Principle 11 (security of personal information) assessments. For example, we engaged these consultants to support a series of assessments that considered how particular telecommunications service providers were protecting personal information.

Performance measure 1.5.3 A high proportion of recommendations are accepted by the business or agency being assessed.

Achieved

All businesses or agencies assessed accepted all our recommendations.

During an assessment, we proactively and openly raised privacy risks we identified and our recommendations to the business or agency being assessed. This promoted discussions with the business or agency about strategies to mitigate the privacy risks.

Performance measure 1.5.4 Key assessment outcomes and lessons learnt are publicly communicated where appropriate.

Achieved

We undertook assessments in the form of surveys with a number of businesses or agencies in a particular sector. We provided those businesses or agencies with individual reports and intend to publish a summary report on our website in 2019–20. This will provide general guidance to APP entities, while also providing tailored advice to the entities assessed.

Corporate Plan activity 1.6

Provide a privacy public information service.

Performance measure 1.6.1* 90% of written enquiries are responded to within 10 working days.

Achieved

We finalised 92% of written privacy enquiries within 10 working days. This is a significant improvement on our 2017–18 response rate of 74%. This improvement reflects a reallocation of resources and changes to the management of the OAIC’s enquiries service, which were put in place in 2017–18, and our ongoing commitment to provide a timely public information service to the Australian public. For more information, see Privacy Enquiries on page 50.

Performance measure 1.6.2 Community, legal and other networks are identified for targeted promotion of the public information service.

Achieved

We partnered with Legal Aid NSW during PAW (12 to 18 May 2019) to produce a podcast interview about credit reporting. By discussing a series of examples, we helped community workers and the public understand the circumstances in which they can gain access to their credit reports for free, how they may correct the information on their credit reports, and their rights to pursue complaints about their credit reports with recognised external dispute resolution schemes and the OAIC.

The Commissioner presented information about the OAIC and our functions to the Communications and Media Law Association and the annual conference of communications consumer representatives.

We also worked closely with the RACGP to increase member awareness of our regulatory role, including providing information about our public information service.

Performance measure 1.6.3 Website content is reviewed and updated as required to support our public information service.

Achieved

We released a new website for public feedback in June 2019 (see performance measure 1.7.4).

Corporate Plan activity 1.7

Promote awareness and understanding of privacy rights in the community.

Performance measure 1.7.1 Media and social media mentions about privacy rights increase.

Achieved

There were 2,805 online media mentions and 6,770 social media mentions of privacy rights and the OAIC during this reporting period (2017–18: 2,851 online media mentions and 4,400 social media mentions).

We responded to 238 media enquiries during the year, including 194 about privacy and 25 about My Health Record.

Performance measure 1.7.2 Awareness and understanding about privacy rights and the role of the OAIC improves.

Achieved

The consistent number of online media mentions and increasing number of social media mentions demonstrate continued and growing awareness of our privacy role. Our social media following has also increased.

The increase in privacy complaints also demonstrates increased awareness of the OAIC’s complaint handling service.

Performance measure 1.7.3 Attendance numbers and positive feedback from public facing events increases.

Achieved

We successfully hosted a breakfast event for PAW, attended by 160 privacy professionals and other stakeholders. The event sold out, and 95% of attendees surveyed indicated they would attend the PAW business breakfast again next year.

A joint webinar with Wolters Kluwer on the NDB scheme had more than 200 participants and 95% rated the webinar as ‘excellent’ or ‘very good’.

The OAIC also ran a number of privacy training sessions for Australian Government privacy officers, with each session booked to capacity.

Performance measure 1.7.4 The OAIC’s website is accessible to the community and content about privacy rights is regularly reviewed and updated.

Achieved

We released our new website for public feedback in June 2019. The website features improvements such as:

  • better search functionality, design and navigation in response to user feedback
  • information in one location — information that was once repeated or found over several pages is now on a single page
  • removing non-current information so the search function works more effectively
  • removing the print-based concept of ‘fact sheets’ and ‘resources’ and consolidating content into topics
  • content for individuals rewritten in plain English.

Corporate Plan activity 1.8

Develop legislative instruments.

Performance measure 1.8.1 Applications for public interest determinations and Australian Privacy Principles (APP) codes are considered and responded to in a timely manner.

Achieved

We did not receive any APP code applications during 2018–19.

We received three applications for a public interest determination:

  • Privacy (Disclosure of Homicide Data) Public Interest Determination 2019 — commenced 20 March 2019 — permits the Australian Federal Police to disclose certain personal information to the Australian Institute of Criminology for the purpose of the Australian Institute of Criminology’s research under the National Homicide Monitoring Program and the publication of aggregate findings.
  • Privacy (Australian Honours System) Public Interest Determination 2018 — commenced 12 October 2018 — permits the Department of Home Affairs to disclose personal information to the Office of the Official Secretary to the Governor-General and the Department of the Prime Minister and Cabinet for verifying the Australian citizenship and/or permanent residency status of individuals who are the subject of nominations for membership or honorary membership of the Order of Australia, or for other awards in the Australian honours system.
  • Australian Financial Complaints Authority (AFCA) — received 17 June 2019 — requested a public interest determination to be made by the Commissioner deeming AFCA an ‘agency’ for the sole purpose of interpreting APP 12. APP 12 provides that if an entity is an agency, the entity is not required to give access to personal information if the entity is required or authorised to refuse an individual access to personal information under the Freedom of Information Act 1982 (FOI Act) or any other federal Act. We are currently considering this application.

Performance measure 1.8.2 Legislative instruments are reviewed when necessary.

Achieved

The acting Australian Information Commissioner and acting Privacy Commissioner approved a variation of the Privacy (Credit Reporting) Code 2014 (v2) (CR Code) on 29 May 2018, following an application by the code developer, the Australian Retail Credit Association. The variation addressed some of the recommendations and feedback in the independent review of the CR Code undertaken in 2017. The varied CR Code commenced on 1 July 2018.

On 18 April 2019, the Australian Retail Credit Association made a second application to vary the CR Code under section 26T of the Privacy Act. This variation addresses the remainder of the recommendations and feedback in the independent review of the CR Code undertaken in 2017. This application is currently under consideration.

Corporate Plan activity 1.9

Conduct regulatory activities and help businesses understand their rights and responsibilities under the Consumer Data Right (CDR).

Performance measure 1.9.1 Regular dialogue with the ACCC and other relevant stakeholders is conducted to ensure the effective operation of the CDR scheme.

Achieved

We engaged regularly with the ACCC and the Treasury, including through the provision of advice on draft legislative instruments and draft CDR rules, as well as guidance on general privacy matters affecting the CDR scheme.

We also engaged regularly with the Data Standards Body (CSIRO’s Data61), including through the provision of advice on development work for the technical standards relating to consumer experience, and attended Data Standards Advisory Committee meetings as observers.

Performance measure 1.9.2 Guidance and education materials are developed to support a clear understanding of rights and obligations under the CDR scheme.

Achieved

Since the publication of the OAIC Corporate Plan 2018–19 the commencement date of the CDR scheme in the banking sector has moved from July 2019 to 1 February 2020.

Development of guidance and education materials is underway, including guidelines for the avoidance of acts or practices that may breach the privacy safeguards.

Performance measure 1.9.3 Internal processes and protocols are developed to support the implementation of the CDR.

Achieved

We created internal governance mechanisms to support the implementation of the CDR including developing project plans and reporting tools and establishing a CDR Project Governance Board.

We have reviewed existing processes and have begun developing new processes to support an efficient and effective CDR complaint handling process.

We have also started preparing internal training and other resources to ensure our Enquiries team are well equipped to answer questions from the public regarding the CDR.

Freedom of information performance measures

Corporate Plan activity 2.1

Develop the freedom of information (FOI) capabilities of Australian Government agencies and ministers, and promote FOI best practice.

Performance measure 2.1.1 Tools and guidance are updated to assist Australian Government agencies to comply with the Information Publication Scheme (IPS).

Not achieved

In June 2019 we published the Information Publication Scheme Survey 2018, a survey of all Australian Government agencies subject to the FOI Act. The survey reviewed the operation of the IPS and gave agencies an opportunity to comply with the requirement to conduct a review under s 9 of the FOI Act.

In 2019–20, we will develop tools and guidance, including updating Part 13 of the FOI Guidelines, to address issues identified in the IPS survey and help agencies better comply with their IPS obligations.

Performance measure 2.1.2 Guidance and resources are reviewed and updated to assist Australian Government agencies and ministers to apply the FOI Act.

Achieved

We consulted Australian Government agencies on a revised Part 4 (Charges) of the FOI Guidelines. We will issue the final version in 2019–20.

In September 2018, we published the revised ‘Agency Resource 14 — Access to Government Information — Administrative Access’.

In preparation for the release of our new website, all FOI resources were reviewed, and updated, where necessary, for migration to the new website.

Performance measure 2.1.3 Information is provided to stakeholders that is relevant in both content and delivery.

Achieved

In 2018–19, we met with many Australian Government agencies to discuss issues affecting FOI.

Our Information Contact Officers Network (ICON), comprising 527 members at 30 June 2019, received 13 newsletters and updates with information about FOI. The average click-through rate for the ICON newsletter was 28%.

We also emailed a monthly newsletter to subscribers of OAICnet (known as Information Matters since May 2019). This newsletter contained news and updates about the OAIC, FOI and privacy matters and information on upcoming events.

In September 2018 and April 2019 we held ICON information sessions in Canberra to update members on recent FOI activity, trends and the OAIC’s priorities. Agencies who attended the information sessions gave positive feedback on the delivery of the session and the content.

The Information Commissioner addressed access to information issues in several speeches and presentations throughout the year, including the International Conference of Information Commissioners in South Africa in March and the Australian Government Solicitor FOI and Privacy Forum in May 2019.

Corporate Plan activity 2.2

Conduct Information Commissioner reviews.

Performance measure 2.2.1* 80% of Information Commissioner (IC) reviews are completed within 12 months.

Not achieved

We completed 73.1% of IC reviews within 12 months.

The significant increase in IC review applications we received and our focus on reducing the number of cases over 12 months old prevented us from reaching our target of completing 80% within 12 months.

We used alternative dispute resolution methods and early appraisal to clarify at an early stage the issues to be resolved or the information to be provided by either party in support of their claims or submissions. This includes reviewing the material submitted by both parties and providing a preliminary view on the merits of the case to the relevant party. The party may then make further submissions or take other action as appropriate (such as an applicant withdrawing their application or the agency revising its decision).

We facilitated the early resolution of IC reviews by helping the parties to reach an agreement about the outcome of the review in line with s 55F of the FOI Act, including by arranging teleconferences between parties where appropriate.

We used our regulatory powers under the FOI Act to ensure efficient and timely processes, including by issuing notices to agencies under ss 55E (to provide an adequate statement of reasons) and 55R (notice to produce information or documents).

The Information Commissioner made 60 IC review decisions under s 55K of the FOI Act (which are published on AustLII). These decisions help agencies interpret the FOI Act and provide guidance on the exercise of their powers and functions, by addressing novel issues and building on existing jurisprudence.

We developed the capacity of our staff to identify matters that can be resolved quickly and informally through early resolution processes, whether it be through agreement or negotiation, case appraisals or preliminary views, as well as identifying significant matters which should proceed to a s 55K decision by the Commissioner.

Corporate Plan activity 2.3

Investigate FOI complaints and conduct Commissioner initiated investigations (CIIs).

Performance measure 2.3.1* 80% of FOI complaints finalised within 12 months.

Achieved

We finalised 82% of FOI complaints within 12 months of receipt during this reporting period.

We identified at an early stage whether a complaint or an IC review is the appropriate mechanism. We also used early appraisal to clarify the issues to be resolved or the information to be provided by either party in support of their claims or submissions in relation to the complaint.

Performance measure 2.3.2* 80% of FOI-related CIIs finalised within eight months.

Not applicable

Only one FOI-related CII was opened in 2018–19 and the eight-month period had not elapsed by 30 June 2019.

Corporate Plan activity 2.4

Provide an FOI public information service.

Performance measure 2.4.1* 90% of FOI written enquiries are finalised within 10 working days.

Achieved

We finalised 94% of all FOI written enquiries within 10 working days in 2018–19.

This is an improvement in response times from 2016–17 and 2017–18, when 88% of all written enquiries were finalised within 10 working days. During this reporting period, the FOI team focused on improving the processes for responding to FOI enquiries. As a result, the timeliness of the FOI team’s response to FOI enquiries has improved.

Performance measure 2.4.2 New community, legal and other networks are identified for targeted promotion of the public information service.

Achieved

Some of our staff attended the National Association of Community Legal Centres conference in Sydney in August 2018 and promoted information access rights to staff from community legal centres from across Australia.

We held two ICON information sessions in Canberra — one in September 2018 and the other in April 2019.

Information access issues, recent decisions and resource updates were highlighted for agency staff and members of the public throughout the year in regular OAICnet (from May 2019 called ‘Information Matters’) and ICON email newsletters.

The Information Commissioner made the keynote address at the Australian Government Solicitor’s FOI and Privacy Forum in Canberra on 17 May 2019. During this reporting period, members of the FOI team also participated in FOI practitioner forums that the Australian Government Solicitor hosted.

To celebrate Right to Know Day on 28 September 2018, we launched our first Right to Know Day digital campaign, which included three short videos.

Staff also celebrated Right to Know Day with an information booth during the morning transport peak period in Wynyard Park, Sydney, a major public transport hub area.

Performance measure 2.4.3 Website content is regularly reviewed and updated to support our public information service.

Achieved

We released a new website for public review in June 2019 (see performance measure 1.7.4).

Corporate Plan activity 2.5

Promote awareness and understanding of information access rights in the community.

Performance measure 2.5.1 Media and social media mentions about information access rights increase.

Achieved

During this reporting period there were 334 online media mentions (2017–18: 345) and 556 social media mentions of information access rights and the OAIC (2017–18: 428), resulting in a total of 890 mentions (2017–18: 773).

The work that we did to achieve these mentions included:

  • conducting a campaign for Right to Know Day 2018, which included relaunching the Right to Know website
  • creating three videos for Right to Know Day, two for the public and one for Australian Government FOI contact officers
  • using Twitter to highlight Information Awareness Month (May 2019)
  • responding to 13 media inquiries about FOI issues
  • increasing our international engagement
  • participating in the Association of Information Access Commissioners (AIAC).

Performance measure 2.5.2 The OAIC’s website is accessible to the community and content about information access rights is regularly reviewed and updated.

Achieved

We released a new website for public review in June 2019 (see performance measure 1.7.4).

Privacy

The Privacy Act requires Australian Government agencies and private sector organisations covered by the Privacy Act to follow a set of rules when collecting, using and storing an individual’s personal information. ‘Personal information’ is any information that is about an individual. The most obvious example is an individual’s name — other examples include their address, their date of birth, a photo of their face, or a record of their opinion and views. Any information that is about an identifiable individual is personal information.

Australian Privacy Principles

The Privacy Act includes 13 Australian Privacy Principles (APPs), which set out standards for business and government agencies managing personal information.

APP 1 — Open and Transparent Management of Personal Information

APP 2 — Anonymity and Pseudonymity

APP 3 — Collection of Solicited Personal Information

APP 4 — Dealing with Unsolicited Personal Information

APP 5 — Notification of the Collection of Personal Information

APP 6 — Use or Disclosure of Personal Information

APP 7 — Direct Marketing

APP 8 — Cross-Border Disclosure of Personal Information

APP 9 — Adoption, Use or Disclosure of Government Related Identifiers

APP 10 — Quality of Personal Information

APP 11 — Security of Personal Information

APP 12 — Access to Personal Information

APP 13 — Correction of Personal Information

Privacy enquiries

The OAIC offers a free public information service on privacy-related matters. Our service is mainly delivered through handling phone and written enquiries.

During this reporting period, we experienced a 10% decrease in privacy enquiries from 2017–18, consistent across both phone and written enquiries. We answered 13,457 phone enquiries about privacy matters and responded to 3,966 written privacy enquiries. We also helped with 22 in-person privacy enquiries.

We significantly improved our response time for written privacy enquiries. During this reporting period, we responded to 92% of written privacy enquiries within 10 working days, up from 74% in 2017–18.

We continued to receive a broad range of enquiries from the community. More than 60% of all phone enquiries about privacy matters concerned the operation of the APPs. We also continued to receive a significant proportion of enquiries about credit reporting and the new NDB scheme.

As a part of our Memorandum of Understanding (MOU) with the Australian Capital Territory (ACT) Government we continued to provide privacy services to ACT public sector agencies, including responding to enquiries from the public about the Information Privacy Act 2014 (ACT) (Information Privacy Act) and its Territory Privacy Principles (TPPs).

Examples of privacy enquiries handled during this reporting period are described in Case Studies 2.1 and 2.2.

Case Study 2.1: A business owner responds to a data breach

A business owner contacted the OAIC after discovering a staff member had stolen the credit card details of some clients and used this information to run up a bill of more than $10,000. The business owner had reported the matter to the police but was seeking advice about their obligations under the Privacy Act.

One of our enquiries officers discussed with the business owner the nature of their business and discovered that the business was a private health service provider. As a private health service provider, the business, even though a small business, must follow the APPs.

The enquiries officer gave the business owner information on APP 11 Security of Personal Information and advised that the data breach may be notifiable under the NDB scheme. They also referred the business owner to our website for guidance on the NDB scheme, which may help the business to assess the data breach and mitigate the risk to the individuals whose personal information was involved.

Case Study 2.2: An individual seeks access to his personal information

An individual involved with an organisation became aware that a complaint had been made about him to the organisation. The individual contacted us to ask if he could put in an FOI request to the organisation to find out who had submitted the complaint and what it was about.

One of our enquiries officers explained to the individual that the Commonwealth FOI legislation applied to Australian Government agencies not private organisations; however, under APP 12 — Access to Personal Information, he had the right to access the personal information that the organisation held about him.

The enquiries officer also advised the individual that, while he could put in a request to the organisation for access to his personal information under APP 12, the organisation would need to consider whether giving access may have an unreasonable impact on the privacy of the individual who made the complaint. He may therefore not be entitled to any information about that individual, such as their name.

Issues raised in privacy enquiries

During this reporting period the most common privacy enquiries we received were about the use and disclosure of personal information (APP 6), followed by access to an individual’s own personal information (APP 12) and then various exceptions to the APPs (see Table 2.1).

Table 2.1: Phone enquiries related to the APPs*

Issue raised in phone enquiry | Number
APP 1 — Open and Transparent Management of Personal Information | 84
APP 2 — Anonymity and Pseudonymity | 9
APP 3 — Collection of Solicited Personal Information | 938
APP 4 — Unsolicited Personal Information | 16
APP 5 — Notification of the Collection of Personal Information | 593
APP 6 — Use or Disclosure of Personal Information | 1,461
APP 7 — Direct Marketing | 154
APP 8 — Cross-Border Disclosure of Personal Information | 70
APP 9 — Adoption, Use or Disclosure of Government Related Identifiers | 8
APP 10 — Quality of Personal Information | 85
APP 11 — Security of Personal Information | 1,077
APP 12 — Access to Personal Information | 1,390
APP 13 — Correction of Personal Information | 110
Exceptions | 1,176
General enquiries | 1,284

* There may be more than one issue handled in an enquiry.

We also handled questions about other privacy issues, reflecting the broad range of matters the OAIC regulates. Table 2.2 categorises these enquiries.

Table 2.2: Phone enquiries on other privacy matters*

Issue raised in phone enquiry | Number
Credit reporting | 688
Notifiable Data Breaches scheme | 640
Spent convictions | 105
My Health Record | 103
Data breach notification (voluntary) | 70
Tax file numbers | 39
Territory Privacy Principles (ACT) | 31
Privacy codes | 9
Healthcare identifier | 9
Data matching | 6
National Privacy Principles | 3
Consumer Data Right or open banking | 2
Student identifiers | 1

* There may be more than one issue handled in an enquiry.

Privacy complaints

During this reporting period we continued to provide an effective complaints service — conciliating, investigating and resolving complaints individuals made to the OAIC about the possible mishandling of their personal information.

We can consider complaints by individuals about alleged interference with their privacy under the APPs, any registered APP code and consumer credit reporting. We can also consider complaints about the handling of other information such as tax file numbers, spent convictions, data matching and healthcare identification information, including My Health Record.

In 2018–19, we received 3,306 privacy complaints (see Figure 2.1). This is a 12.1% increase on the number of privacy complaints we received in 2017–18 and follows the recent trend (2017–18: 18% increase; 2016–17: 17% increase). Consumers are increasingly aware of their privacy rights, including their right to make a complaint to the OAIC, which has contributed to the overall significant upward trend in number of complaints we have received since 2015–16.

The start of the NDB scheme and the European Union’s General Data Protection Regulation in 2018 helped to focus attention on privacy. This focus was maintained during this reporting period with the transition of the My Health Record system to an opt-out system, the ACCC’s inquiry into digital platforms, and several high-profile data breaches. The national and international focus on privacy has contributed to improved awareness about obligations to protect personal information under the Privacy Act and added to the substance and complexity of many matters brought to us to investigate.

While managing this significant increase in privacy complaint numbers, we finalised 2,920 complaints in 2018–19 (see Figure 2.2). This is a 5.6% increase on the number of complaints we closed last financial year and follows substantial increases in the previous two financial years as a result of making our processes more efficient and applying our resources more effectively (2017–18: 11% increase; 2016–17: 22% increase).

Figure 2.1: Privacy complaints received each month during the last three financial years

A graph showing the number of Privacy complaints received each month during the last three financial years

Figure 2.2: Privacy complaints closed each month during the last three financial years

A graph showing the number of Privacy complaints closed each month during the last three financial years

As part of our MOU with the ACT Government, we continued to provide privacy services to ACT public sector agencies including handling privacy complaints under the Information Privacy Act.

Issues raised in privacy complaints

The majority (71.1%) of privacy complaints we received were about the handling of personal information under the APPs. The most common issues raised in these complaints were:

  1. Use or disclosure of personal information (APP 6)
  2. Security of personal information (APP 11)
  3. Access to personal information (APP 12)
  4. Collection of solicited personal information (APP 3)
  5. Quality of personal information (APP 10).

During this reporting period, only 10.4% of the privacy complaints we received were about credit reporting — a decrease from the last two financial years (2017–18: 14%; 2016–17: 16%). This decrease reflected the continuing role of external dispute resolution schemes in resolving complaints about credit reporting matters.

More information is available in Appendix D.

Sectors

Privacy complaints can occur in a broad range of sectors. The top six sectors complained about are consistent with those in 2017–18 and 2016–17, except that complaints about credit reporting bodies were overtaken by complaints about online services (see Table 2.3 and Case Study 2.3).

Table 2.3: Top 10 sectors by privacy complaints received

Sector | Number
Finance (including superannuation) | 418
Australian Government | 389
Health service providers | 327
Telecommunications | 240
Retail | 176
Online services | 172
Credit reporting bodies | 156
Personal services (includes employment, childcare and vets) | 135
Real estate agents | 131
Debt collectors | 92

Case Study 2.3: Disclosure of personal information by telecommunication providers

The complainant became aware that her personal information had been inappropriately disclosed by a telecommunications provider to a public directory. The complainant was unclear which party was at fault: the telecommunications provider or the publisher of the public directory. The complainant had been the victim of domestic violence and the disclosure of her information in the public directory had adverse consequences and put her safety at risk.

We investigated and conciliated the matter. Both respondents acknowledged they had interfered with the complainant’s privacy and each gave the complainant $20,000 in compensation.

Resolving privacy complaints

In 2018–19, the average time we took to close a privacy complaint was 4.4 months. This compares to 3.7 months in 2017–18 and 4.7 months in 2016–17.

Our early resolution process, which we introduced in 2017–18, aims to see if a resolution can be achieved between the parties soon after the complaint is lodged. Our Early Resolution team finalised 64.5% of all privacy complaints in 2018–19, an improvement on 2017–18 when that team closed 53% of all privacy complaints.

When we cannot resolve a privacy complaint using the early resolution process, we make further inquiries and conciliate and/or investigate the matter.

Where we resolved complaints through conciliation, we achieved positive outcomes: either through the shuttle conciliation our Early Resolution team conducted or the formal conciliation conferences our Investigations team undertake. In many cases, parties advised the case officer of a high level of satisfaction with the outcome they had achieved together.

We support our staff to resolve complaints by providing conciliation training. A number of our staff involved in conciliation, including senior staff, are accredited under the National Mediator Accreditation Standards.

During this reporting period we closed 95.1% of all complaints within 12 months (2017–18: 97%).

In 2018–19, the main remedies we achieved in resolving privacy complaints were:

  1. Record amended
  2. Access provided
  3. Other or confidential
  4. Apology
  5. Compensation.

See Case Studies 2.4 to 2.7. More information is available in Appendix D.

Case Study 2.4: Complaint about a false profile on a dating platform

The complainant became aware that a false profile, including their photos and personal details, had been created on the respondent’s dating platform.

We made inquiries with the respondent. The respondent conducted several searches to attempt to locate the profile in question and determined that it had been deleted, possibly by the individual who created the account. The respondent advised that when they receive a complaint of this nature their practice is to locate and delete any accounts that appear to be fraudulent. The respondent also told the complainant what steps can be taken if a similar issue arises in the future. For example, the complainant could contact the respondent’s privacy team directly or use their app’s reporting tools.

Case Study 2.5: Disclosure of sensitive information by a medical centre

The complainant became aware that the respondent, a medical centre, had disclosed their sensitive medical information to their spouse without their consent.

We successfully conciliated the matter. The respondent gave the complainant a formal apology prepared by the doctor who was responsible for the disclosure. The doctor also got advice and privacy education material from their insurer, and in turn, carried out a training seminar for other practitioners working at the medical centre.

Case Study 2.6: Disclosure of personal information by a retail store

The complainant discovered that the respondent, a retail store, disclosed their personal information to a third party who fraudulently impersonated the complainant.

We resolved the matter by conciliation. The respondent apologised to the complainant, strengthened their identity verification processes and paid:

  • for the complainant’s subscription to a credit and identity protection service and mail re-direction
  • for counselling sessions for the complainant
  • $5,000 compensation to the complainant.

Case Study 2.7: Failure to ensure the security of personal information by a superannuation fund

The complainant alleged that the respondent, a superannuation fund provider, inadvertently included his welcome letter in correspondence they sent to another customer. The letter included the complainant’s name, age, account number, address, account balance and investments.

We resolved the matter by conciliation. The respondent apologised to the complainant, implemented additional security measures and paid $1,500 compensation.

Community and sector engagement

An important part of our role is interacting with key industry and community stakeholders, including government bodies and external dispute resolution schemes, about recurring or significant issues arising in complaints.

External dispute resolution schemes

The Information Commissioner can recognise an external dispute resolution scheme to handle particular privacy-related complaints (s 35A of the Privacy Act). The external dispute resolution schemes that are recognised are:

  • Australian Financial Complaints Authority
  • Energy & Water Ombudsman NSW
  • Energy & Water Ombudsman SA
  • Energy and Water Ombudsman (Victoria) Limited
  • Energy & Water Ombudsman Queensland
  • Energy and Water Ombudsman Western Australia
  • Public Transport Ombudsman Limited (Victoria)
  • Telecommunications Industry Ombudsman Limited
  • Tolling Customer Ombudsman.

Community engagement

For Privacy Awareness Week (PAW, 12 to 18 May 2019), the OAIC produced a podcast with Legal Aid NSW in which our staff were interviewed about credit reporting.

During this reporting period, we continued to use social media to promote privacy awareness. For example, we used Twitter and Facebook to raise awareness about the privacy controls available in My Health Record and to encourage Australians to use them.

Determinations

Under s 52 of the Privacy Act, the Commissioner may make determinations in relation to privacy complaints. The Commissioner may also make determinations in relation to privacy CIIs. The Commissioner must make these determinations personally, that is, the decision cannot be delegated.

In 2018–19, the Commissioner made three privacy determinations. One of these determinations included findings that the respondent had not interfered with the individual’s privacy. This complaint was dismissed under s 51(1)(a) of the Privacy Act. See Determinations 2.1 to 2.3.

Determination 2.1: ‘QP’ and Commonwealth Bank of Australia Ltd (Privacy) [2019] AICmr 48 (28 June 2019)

The Commissioner found that the Commonwealth Bank of Australia Limited (CBA) interfered with the complainant’s privacy by using and disclosing personal information about the complainant which was inaccurate, out-of-date or incomplete and in breach of APP 10.2.

In this instance, the Commissioner declared under s 52(2)(b)(ii) that CBA issue a written apology to the complainant acknowledging their interference with the complainant’s privacy and declared under s 52(1)(b)(iii) that CBA pay the complainant $15,000 for non-economic loss suffered.

Determination 2.2: ‘QF’ and Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (28 May 2019)

The Commissioner found that Spotless Group Limited (Spotless) interfered with the complainants’ privacy by improperly disclosing, through their related entity Cleanevent, the complainants’ personal information to the Australian Workers’ Union, in breach of National Privacy Principle (NPP) 2. The Commissioner also found Spotless failed to take reasonable steps to protect the complainants’ personal information from misuse and unauthorised disclosure, in breach of NPP 4.

In this instance, the Commissioner declared under s 52(2)(b)(ii) that Spotless give each complainant a written apology acknowledging their interference with the complainants’ privacy and the distress it caused, and that Spotless engage an independent reviewer with privacy expertise to undertake a review of Spotless’s current privacy compliance procedures, policies and processes, as well as those of Spotless’s subsidiaries, and give the Commissioner a copy of the reports from the independent review.

The Commissioner also declared under s 52(1)(b)(iii) that Spotless pay each complainant compensation between $3,000 and $6,000 for non-economic loss suffered.

Determination 2.3: ‘QD’ and Dr ‘QE’ and Idameneo (No.123) Pty Limited (Privacy) [2019] AICmr 17 (3 May 2019)

The complainant alleged that Idameneo (No. 123) Pty Limited (Idameneo) and Dr QE had interfered with their privacy by failing to give access to personal information on request, in breach of APP 12.1. The complainant also alleged the respondents had failed to take reasonable steps to give access to the information in a way that met the party’s needs, and failed to give reasons for their refusal in breach of APP 12.5 and APP 12.9.

The Commissioner found that Idameneo and Dr QE could rely on the exception at APP 12.3(a) to refuse access. APP 12.3(a) provides that an entity is not required to give access where the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual.

The Commissioner determined that the respondents gave sufficient consideration to alternative means of access and that the steps taken by the respondents were reasonable in the particular circumstances, finding no breach of APP 12.5.

The Commissioner also considered that although the respondents had not yet given the complainant a written notice of refusal of access, the ‘reasonable time’ limit had not yet expired, finding no breach of APP 12.9.

Data breach notifications

NDB scheme

The NDB scheme commenced on 22 February 2018. Under the NDB scheme, Australian Government agencies and private sector organisations with existing personal information security obligations under the Privacy Act must notify individuals who are likely to be at risk of serious harm as a result of a data breach. The OAIC must also be notified (see Table 2.4).

Our responsibilities under the NDB scheme include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the NDB scheme, including handling complaints and taking regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated organisations and informing the community about how the NDB scheme operates.

We reviewed each notice received under the NDB scheme to consider whether the data breach had been contained, whether the organisation or agency had taken reasonable steps to mitigate the impact of the data breach on the individuals at risk of serious harm, and whether the organisation or agency was taking reasonable steps to minimise the likelihood of a similar data breach occurring again. The Commissioner’s new powers under the NDB scheme include the discretion to direct an entity to notify individuals of eligible data breaches, or to declare that notification does not need to occur or can be delayed.

The first 12 months of the NDB scheme saw a 733% increase in the number of data breach notifications, compared to those received under the previous voluntary scheme. This is consistent with international trends in jurisdictions with comparable mandatory data breach notification schemes and shows that organisations and agencies were aware of their obligations and engaging with the requirements of the NDB scheme.

As well as quarterly statistics reports, in May 2019 we published the Notifiable Data Breaches Scheme 12-Month Insights Report, which gives a detailed overview of the first year of the NDB scheme’s operation. We have also jointly published with the Australian Cyber Security Centre a resource for organisations and agencies on tips to mitigate the risk of data breaches.

Case Studies 2.8 and 2.9 describe some data breaches we have handled during this reporting period.

Case Study 2.8: Human error

In preparation for a product launch, an employee made an unintended change to an organisation’s system configuration. This resulted in customers being able to view details for other customers when activating their account online. The data breach mainly affected contact information, but in some instances also included passport or driver licence information.

The organisation notified affected individuals by text message and offered to pay the cost of their passport being reissued or setting up a credit-monitoring service.

To prevent reoccurrence of a similar data breach, the organisation took a range of steps, including introducing additional reviews for its content delivery network and implementing system configuration changes via an application programming interface.

Case Study 2.9: Cyber-related incident

An organisation detected suspicious activity on several customer accounts. They investigated and found that some accounts had been accessed without authorisation using correct credentials. The investigation concluded that the incident was not a result of a vulnerability in the organisation’s systems but occurred due to ‘credential stuffing’, where previously compromised credentials are used to gain unauthorised access to systems via large-scale automated log-in requests.

The organisation informed affected individuals that their personal information including contact details, date of birth and membership number had been compromised and offered identity and cyber support services at no cost.

In response to the incident, the organisation reset passwords on all affected accounts, implemented additional security measures to detect and mitigate malicious traffic and undertook continuous system monitoring.

Voluntary data breaches

Prior to the introduction of the NDB scheme, we administered a voluntary data breach notification scheme. This scheme allowed organisations and agencies to self-report possible data breaches to us. We continued to register voluntary data breach notifications for incidents that do not fall within the scope of the NDB scheme (see Table 2.4). These included data breaches that occurred prior to 22 February 2018, incidents that did not meet the threshold of the NDB scheme, and data breaches that did not involve organisations or agencies the NDB scheme regulates.

Table 2.4: NDB, voluntary and mandatory My Health Record notifications

Year | 2016–17 | 2017–18 | 2018–19
Notifiable data breaches | – | 305 | 950*
Voluntary notifications | 114 | 174 | 175
Mandatory notifications (My Health Records Act 2012) | 35 | 28 | 35
Total | 149 | 507 | 1,160

* Where data breaches affect multiple entities, we may receive multiple notifications relating to the same data breach. Notifications to us about the same data breach incident are counted as a single notification in this number. End-of-year statistics may differ from quarterly publication statistics.

In 2018–19, the number of voluntarily reported data breaches remained consistent with the previous financial year and represented a 53.5% increase on voluntary data breaches reported in 2016–17, prior to the introduction of the NDB scheme.

The consistent number of voluntary notifications can be explained, in part, by our activities in engaging with stakeholders about the requirements of the NDB scheme, along with global regulatory developments which focused on the importance of understanding and responding to data breaches, and the domestic focus on transparency and good governance arising from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.

Given this significant increase in mandatory and voluntary notifications, we did not meet our overall target for finalising data breach notifications, with 79% of notifications under the NDB scheme finalised within 60 days and 66.1% of voluntary data breach notifications finalised within 60 days.

We also administered a mandatory scheme for digital health data breaches. See Table 2.4 and the Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2018–19, which will be available on our website no later than 28 November 2019.

Privacy Commissioner initiated investigations

Section 40(2) of the Privacy Act allows the Commissioner to investigate an act or practice that may be an interference with privacy on the Commissioner’s own initiative. This power is used to investigate possible interferences with privacy that are of concern but are not in direct response to an individual privacy complaint.

A Privacy Commissioner initiated preliminary inquiry or investigation (CII) is conducted in response to an incident of significant community concern or discussion, or a notification from a third party about potentially serious privacy issues, or may result from a notification about a data breach. Our key objective in undertaking Commissioner initiated preliminary inquiries or an investigation is improving the privacy practices of the organisation or agency involved.

During this reporting period, we opened preliminary inquiries and/or an investigation in relation to 15 matters (see Table 2.5). At 30 June 2019, 10 of these matters and 12 matters from 2017–18 were ongoing.

Table 2.5: Privacy Commissioner initiated investigations

Year | Number of CIIs
2016–17 | 29
2017–18 | 21
2018–19 | 15

Privacy assessments

During this reporting period, we assessed privacy practices in the finance, telecommunications and government sectors, as well as the digital health sector.

We used a range of methods to conduct our assessments, such as comprehensive and in-depth review of policy documents, interviews with staff and site inspections. Consistent with last financial year, the businesses or government agencies we assessed accepted all our recommendations or planned to act on them.

Loyalty programs

During this reporting period we followed up on recommendations and suggestions we made in our 2016 loyalty program assessments of Woolworths Limited (Woolworths) and Coles Supermarkets Australia (Coles) with the following results:

  • Woolworths provided evidence to show that they had adopted all our suggestions.
  • Coles provided evidence to show that they had implemented our recommendation.
  • Coles adopted several of our suggestions and gave adequate reasons where they did not adopt one of our suggestions.

Finance

In 2018–19 we assessed the privacy policies of 20 organisations in the finance sector that use the Document Verification Service (DVS) for identity verification. We considered whether the privacy policy of each organisation was clearly expressed, available, up-to-date and contained the content required for the purposes of APP 1.3 to 1.5. We finalised these assessments during this reporting period and made a total of 40 recommendations.

Telecommunications

We began a series of assessments in 2017–18 to see if certain telecommunications service providers are meeting their information security obligations under APP 11 — Security of Personal Information, for the personal information they are required to retain under the data retention scheme that came into full effect on 13 April 2017. In 2017–18 we conducted the fieldwork for two assessments. We conducted the fieldwork for two more assessments in this series in 2018–19. We will finalise this series of assessments in 2019–20.

Government

Unique student identifier

In 2018–19, under our MOU with the Department of Education and Training acting through the Student Identifiers Registrar (the Registrar), we assessed how the Unique Student Identifiers (USI) Office, acting on behalf of the Registrar, managed privacy controls for the USI Transcript Service. Our assessment considered the USI Office’s practices, procedures and systems to make sure they complied with APP 1.2. This was the first assessment to consider the application of the Privacy Code. We did not identify any privacy risks that resulted in recommendations in this assessment.

We also followed up on the implementation of recommendations made in our 2016 assessment of how the USI Office handled personal information. We were satisfied that the USI Office had implemented the recommendations.

ACT Government

Under our MOU with the ACT Government, in 2017–18 we commenced an assessment of Housing and Community Services ACT. The assessment is examining whether Housing ACT is:

  • using and disclosing personal information in line with their TPP 6 obligations
  • taking reasonable steps to secure their personal information holdings as required by TPP 11.

We will complete this assessment in 2019–20.

In 2018–19 we conducted an assessment involving 10 ACT Government agencies. This assessment is outlined in the Memorandum of Understanding with the Australian Capital Territory for the Provision of Privacy Services 2018–19 Annual Report, which will be available on our website no later than 22 October 2019.

More information is available in Appendix C.

Data matching

We perform several functions to help government agencies to understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.

Data matching is the process of bringing together data sets that come from different sources and comparing those data sets with the intention of producing a match. Several government agencies use data matching to detect non-compliance, identify instances of fraud and recover debts owed to the Australian Government. For example, to identify individuals or businesses that may be under-reporting income or turnover, the Australian Taxation Office (ATO) may match tax return data with the data provided by banks.

Government agencies that carry out data-matching activities must comply with the Privacy Act. Data matching raises privacy risks because it involves analysing personal information about large numbers of people, the majority of whom are not under suspicion of non-compliance.

Statutory data matching

The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). The Data-matching Act authorises the use of tax file numbers in data-matching activities by the Department of Human Services (DHS), the Department of Veterans’ Affairs and the ATO. In previous financial years, we have inspected DHS’s data-matching records to make sure they comply with the requirements of the Data-matching Act. Agencies continue to rely less on data matching using tax file numbers, so this financial year we again focused on providing advice and oversight of data-matching activities outside the Data-matching Act.

Enhanced Welfare Payment Integrity

The Enhanced Welfare Payment Integrity — non-employment income data-matching measure was announced in the 2015–16 Mid-Year Economic and Fiscal Outlook (MYEFO). It increases DHS’s capability to conduct data matching to identify non-compliance by welfare recipients. In 2017–18, we conducted two privacy assessments of DHS’s handling of personal information. The first assessment looked at the Non-Employment Income Data Matching (NEIDM) program. The second assessment examined the Pay-As-You-Go (PAYG) program. During this reporting period, we finalised the NEIDM program assessment. We will finalise the PAYG program assessment in 2019–20.

During this reporting period we also conducted two privacy assessments which looked at how DHS secures the personal information used in the NEIDM and PAYG programs and at the role of the ATO as a source of data for DHS’s data-matching activities. We will finalise both assessments in 2019–20.

Data-matching under the voluntary guidelines

We administer the Guidelines on Data-matching in Australian Government Administration, which are voluntary guidelines to help government agencies adopt appropriate privacy practices when undertaking data-matching activities not covered by the Data-matching Act. This financial year we reviewed 13 data-matching program protocols submitted by matching agencies including the ATO, the Department of Home Affairs and the DHS.

Digital health assessments

Health information is considered particularly sensitive. This sensitivity has been recognised in the My Health Records Act 2012 (My Health Records Act) and Healthcare Identifiers Act 2010, which regulate the collection, use and disclosure of personal information, and give the Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act which treats health information as ‘sensitive information’.

We initiated three assessments relating to the My Health Record system in 2018–19 and continue to progress two assessments that began in the previous financial year. See the Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2018–19, which will be available on our website no later than 28 November 2019.

Advice for businesses and agencies

Our teams provided advice for businesses and Australian Government agencies on their obligations under the Privacy Act. We also helped businesses and agencies achieve best practice in their approach to privacy management.

During this reporting period we issued advice on a variety of matters, including:

  • adoption, use and disclosure of government related identifiers
  • Australian Government Privacy Code
  • credit reporting
  • data breach notification requirements, including the NDB scheme
  • de-identification and re-identification
  • digital identity systems
  • direct marketing
  • draft CDR legislation, rules and technical standards
  • government data matching
  • higher education proposals affecting the handling of information about students
  • law enforcement and national security
  • the My Health Record system
  • new and emerging technologies
  • online communications and privacy
  • privacy and international agreements
  • privacy and security, as part of the Attorney-General’s Department’s reforms to the Protective Security Policy Framework
  • telecommunications.

We also drafted submissions on issues such as:

  • artificial intelligence
  • Australian Government data sharing
  • CDR draft legislation (see Case Study 2.10)
  • cooperative intelligent transport systems and automated vehicle data
  • digital platforms
  • human rights and technology
  • identity information
  • the My Health Record system
  • telecommunications.

Case Study 2.10: Consumer Data Right regulatory framework

The CDR is a right for consumers to access particular data in a readily usable form and to direct a business to transfer that data securely to a data recipient. It aims to give consumers greater control over how their data is used and disclosed in order to create more choice and competition in sectors of the economy the Treasurer designates.

In 2018–19, we gave privacy advice to the Treasury, the ACCC and CSIRO’s Data61 in the course of their respective development of the CDR legislation, rules and technical standards.

In August 2018, the Treasury released the exposure draft of the Treasury Laws Amendment (Consumer Data Right) Bill. We provided a submission on the exposure draft, acknowledging the potential of the CDR to give consumers greater choice and control over how their data is used, while highlighting important areas where further clarification or consideration of privacy issues was required. Many of our recommendations were reflected in the legislation introduced to Parliament in February 2019. We continued to engage with the Treasury throughout the development of the legislation.

We provided advice to the ACCC on their development of the CDR rules. These rules complement the legislation by defining the elements for consent, outlining the accreditation framework for data recipients and elaborating on the privacy safeguards.

We also provided advice to Data61 regarding development work for technical standards relating to consumer experience. The consumer experience standards will focus on the steps data recipients must take when seeking consent, and data holders must take when seeking authorisation, from consumers.

Resources

We released our new website for public feedback in June 2019 (see performance measure 1.7.4).

We published a new training resource about the Privacy Code to educate Australian Government agencies about privacy best practice. We also published the Notifiable Data Breaches Scheme: 12-Month Insights Report, to help businesses and agencies understand the common causes of data breaches and how they can implement proactive strategies to prevent data breaches.

Privacy legislative instruments

Under the Privacy Act, the Information Commissioner has powers to make certain legislative instruments. These legislative instruments must comply with the requirements of the Legislation Act 2003. They are publicly available on the Federal Register of Legislative Instruments.

Privacy (Australian Honours System) Public Interest Determination 2018

On 5 October 2018, the Information Commissioner made Privacy (Australian Honours System) Public Interest Determination 2018. This followed an application for a public interest determination (PID) on 6 March 2018 from the Department of Home Affairs and replaced Privacy (Australian Honours System) Temporary Public Interest Determination 2018.

The PID allows the Department of Home Affairs to disclose Australian citizenship and permanent residency status information without breaching APP 6 — Use or Disclosure of Personal Information, for a period of 10 years. The disclosures can be made to the Department of the Prime Minister and Cabinet and to the Office of the Official Secretary to the Governor-General for the purposes of their consideration of nominees for awards (such as those in the Australian honours system).

Privacy (Disclosure of Homicide Data) Public Interest Determination 2019

On 18 March 2019, the Information Commissioner made Privacy (Disclosure of Homicide Data) Public Interest Determination 2019. This followed an application for a PID on 1 November 2018 from the Australian Federal Police (AFP).

The PID allows the AFP to disclose personal information to the Australian Institute of Criminology (AIC) without breaching APP 6 — Use or Disclosure of Personal Information, for a period of seven years. The information which can be disclosed under the PID is personal information requested by the AIC about offenders and suspects in relation to homicides in the ACT, for the purposes of the AIC’s research under the National Homicide Monitoring Program and the publication of aggregate findings.

This PID replaced PID No. 5 which expired on 1 October 2018.

National Health (Privacy) Rules 2018

On 11 October 2018, the Information Commissioner issued the National Health (Privacy) Rules 2018 (National Health (Privacy) Rules). These rules are required under s 135AA of the National Health Act 1953 (National Health Act). The National Health (Privacy) Rules commenced on 1 April 2019 and repealed the previous s 135AA instrument — the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs — on the same date.

The National Health (Privacy) Rules regulate the way that Australian Government agencies link and store claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program.

Among other things, s 135AA(5) of the National Health Act requires that these rules prohibit agencies from storing claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program on the same database.

Privacy awareness

During this reporting period we continued to promote awareness and understanding of privacy rights in the community, with a focus on data breaches, online security, credit reporting, health information and personal data.

Over the past year, in Australia and around the world, privacy has come into sharper focus as one of the top priorities for organisations and the public alike.

Our personal information is a critical input to the economy and government agencies, and we are seeing heightened awareness of privacy issues as organisations and agencies face increasingly complex data protection challenges.

Privacy Awareness Week is an annual event that highlights the importance of protecting personal information, and helps organisations, agencies and the public navigate the privacy landscape.

For organisations and agencies, it’s a reminder to review privacy practices and policies and educate their staff about information handling obligations.

For the public, it’s an opportunity to share information and practical tips that empower people to take control of their personal information.

Our central message is ‘Don’t be in the Dark on Privacy’, and over the course of the week we will explore a series of privacy priorities including data breaches, online security, your credit, health information and your data.

We hope that you will all join the conversation, at our events and on social media, to shine a light on these important issues.

Angelene Falk, Australian Information Commissioner and Privacy Commissioner, in ‘Welcome to Privacy Awareness Week’, September 2019.

Reaching our audiences

We offered training and guidance on the Australian Government Agencies Privacy Code (which commenced in July 2018) to Australian Government privacy officers, including face-to-face training sessions (118 attendees).

In early 2019, we ran a social media campaign to promote the My Health Record system’s privacy controls.

Speaking engagements

This year we participated in 34 speaking engagements aimed at privacy professionals.

Media

In 2018–19 we received 238 media enquiries: 219 were about privacy and 25 of those about My Health Record; the other 19 enquiries were about the OAIC and FOI.

Figure 2.3: Media enquiries received during 2018–19 (bar chart)

Freedom of information (FOI)

FOI provides a legally enforceable right of access to government documents. It applies to Australian Government ministers and most agencies, although the obligations of agencies and ministers are different.

Individuals have rights under the FOI Act to request access to government documents. The FOI Act also requires government agencies to publish specified categories of information. It also encourages them to release other information proactively.

FOI enquiries

The OAIC handles enquiries from the public on FOI issues, including the IC review function.

During this reporting period, we experienced a 49.2% increase in FOI enquiries from 2017–18. Our Enquiries Line answered 2,051 telephone calls about FOI and responded to 824 written enquiries about FOI. We also helped with six in-person enquiries about FOI. Most enquiries were about the OAIC’s jurisdiction (47%) and general processes for FOI applicants (39%), including how to make an FOI request or complaint, or seek review of an FOI decision. See Table 2.6.

Table 2.6: FOI enquiries by issue

| Issue | Number* |
|---|---|
| OAIC’s jurisdiction | 1,343 |
| General processes | 1,130 |
| Processing by agency | 263 |
| Agency statistics | 236 |
| Access to personal information | 34 |
| Access to general information | 20 |
| Vexatious application | 10 |
| Amendment and annotation | 5 |
| Information Publication Scheme | 4 |

* There may be more than one issue handled in an enquiry.

IC reviews

An IC review is a review of a decision made by an Australian Government agency or minister subject to the FOI Act, including a decision:

  • refusing to grant access to a document wholly or in part
  • where a requested document does not exist or cannot be found
  • granting access to a document where a third party has a right to object (for example, if a document contains their personal information)
  • to impose charges for access to a document, including a decision to refuse to waive or reduce charges, or
  • refusing to amend or annotate a record of personal information.

During this reporting period we experienced another significant increase in IC review applications, receiving 928 applications — a 15.9% increase over 2017–18. The overall increase in IC review applications since 2015–16, when we received 510, was 82%.

Despite this continuing significant increase in IC review applications, we finalised 659 IC reviews in 2018–19 (an 8% increase over 2017–18, when we finalised 610 IC reviews). We finalised 73.1% within 12 months. The increase in IC review applications and our focus on reducing the number of cases over 12 months old prevented us from reaching our target of finalising 80% of IC reviews within 12 months.

Informal resolution

We pursued informal resolution of IC reviews where possible. We used various approaches to help resolve an IC review such as narrowing the scope of a review, providing an appraisal or preliminary view, and trying to reach agreement between the parties. In 2018–19, we finalised 599 IC reviews without a formal decision being made (90.9%).

We finalised 76 IC reviews (12.7%) after the applicant withdrew their application following:

  • action the agency took to resolve the issues in the IC review (such as issuing a decision and statement of reasons in a deemed access refusal case, or making a revised decision under s 55G of the FOI Act to give the applicant access to further documents or material), or
  • our appraisal of their case’s merits.

We also finalised 25 IC reviews by written agreement between the parties under s 55F of the FOI Act.

IC review decisions under s 55K of the FOI Act

The Information Commissioner made 60 decisions under s 55K of the FOI Act in 2018–19. Of these:

  • 37 decisions (61.7%) set aside and substituted the decision under review
  • 4 decisions (6.7%) varied the decision under review
  • 19 decisions (31.7%) affirmed the decision under review.

Of the decisions the Information Commissioner affirmed, two were revised during the IC review to give greater access to the documents sought under s 55G of the FOI Act.

Two were access grant decisions, where the Information Commissioner agreed with the agency that the documents were not exempt under the FOI Act and must be released.

The decisions we published under s 55K of the FOI Act continued to be an important part of our work. They addressed novel issues and built on existing FOI laws and judgments. They helped agencies interpret the FOI Act and guided them in exercising their powers and functions.

All IC review decisions are published on the AustLII website as part of the Australian Information Commissioner (AICmr) series.

Case Studies 2.11 to 2.15 describe IC review decisions made during this reporting period.

For more information about IC review decisions under s 55K of the FOI Act, see Appendix D, Review of FOI Decisions.

Case Study 2.11: Jack Waterford and Department of Human Services (Freedom of information) [2019] AICmr 21 (5 June 2019)

The applicant sought access to documents the DHS generated in response to a media request he made to them and a media article he wrote in the week before making the request.

On completing the request consultation process (s 24AB of the FOI Act), the DHS refused the applicant’s request on the basis that a practical refusal reason existed. They believed the request did not meet the identification requirements of s 15(2)(b) of the FOI Act (these require a request to supply enough information to enable the DHS to identify the document sought) and processing the request would substantially and unreasonably divert the DHS’s resources from their other operations (ss 24AA(1)(a)(i) and 24AA(1)(b) of the FOI Act).

The Information Commissioner was not satisfied that the request consultation notice fulfilled the requirements of s 24AB of the FOI Act, because it did not give the name of a contact person and how the applicant could contact this person, as s 24AB(2)(c) requires. Also, the Information Commissioner was not satisfied the DHS had taken reasonable steps to help the applicant to revise his request and remove the practical refusal reason (s 24AB(3) of the FOI Act). The DHS’s notice gave the applicant limited information to help him revise his request and from the applicant’s response it was apparent that he had concerns about the steps the DHS took to help him to revise the request.

The DHS also estimated it would take 238 hours to process the request. The Information Commissioner was not satisfied that the DHS discharged its onus to justify the estimated processing time. Also, the Information Commissioner was not satisfied that the DHS had proved that processing the request would substantially and unreasonably divert the DHS’s resources from its other operations.

Case Study 2.12: Justin Warren and Department of Human Services (Freedom of information) [2019] AICmr 22 (5 June 2019)

The applicant sought access to meeting agendas, minutes and other notes for meetings held between the DHS and the Minister for Human Services or Minister for Social Services between 1 January 2016 and 31 December 2016.

On completing the request consultation process (s 24AB of the FOI Act), the DHS refused the applicant’s request on the basis a practical refusal reason existed. The DHS asserted that processing the request would substantially and unreasonably divert the DHS’s resources from its other operations (s 24AA(1)(a)(i)).

The Information Commissioner was not satisfied the DHS took reasonable steps to help the applicant revise the scope of his request to remove the practical refusal reason (s 24AB(3)). The applicant had tried to revise the request but was unsuccessful because he did not understand the terms the DHS used. The Information Commissioner said that where it is apparent that an applicant’s attempt to revise the scope of their request doesn’t remove the practical refusal reason, the contact person should consider whether they could take additional steps to help the applicant revise their request.

The DHS estimated it would take more than 130 hours to process the request because every branch of the DHS would need to conduct searches for the requested documents. During the IC review, the applicant indicated he would be willing to reduce the scope of his request in light of information the DHS supplied. The DHS then conducted searches within the revised scope and advised that they could not locate any documents. The Information Commissioner considered that when an applicant proposes a revised scope based on advice from the agency that results in no documents being found, unless there are compelling reasons not to, the agency should generally consult with the applicant about why no documents exist and help them to revise the scope of their request before making a decision about the request.

Case Study 2.13: ‘QG’ and Department of Human Services (Freedom of information) [2019] AICmr 23 (5 June 2019)

The applicant sought access to: ‘A copy of all communication, including emails, correspondence, phone calls, internal memos, sms and faxes between Child Support and Complex Assessment departments relating to me.’

On completing the request consultation process (s 24AB of the FOI Act), the DHS refused the applicant’s request on the basis a practical refusal reason existed. The DHS asserted the request didn’t meet the identification requirements of s 15(2)(b) of the FOI Act (s 24AA(1)(b) of the FOI Act).

The Information Commissioner considered whether the agency had followed the request consultation process under s 24AB of the FOI Act. The Information Commissioner was not satisfied that the DHS had taken reasonable steps to help the applicant revise the scope of the request to remove the practical refusal reason (s 24AB(3)). The applicant tried to revise the scope of the request based on the information the DHS supplied. The DHS had a very particular approach to interpreting terms the applicant used in the revised request, such as ‘relating to’ and ‘including’. The Information Commissioner said that where an agency or minister takes a very particular approach to interpreting terms an applicant uses, it may be difficult for an applicant to revise the scope of a request to remove the practical refusal reason without the agency or minister suggesting what would be a reasonable request in the circumstances. The Information Commissioner noted that the DHS proposed a revised scope of the request at the start of the IC review and it appeared that this scope could have been proposed during the request consultation process.

The Information Commissioner noted that the FOI Guidelines explain that an agency or minister must read a document request fairly, being mindful not to take a narrow or pedantic approach to its construction. The Information Commissioner was satisfied that the applicant had supplied sufficient information for the DHS to identify the documents sought (s 15(2)(b) of the FOI Act).

Case Study 2.14: Seven Network (Operations) Limited and Australian Federal Police (Freedom of information) [2019] AICmr 32 (6 June 2019)

This is the first IC review decision to consider the application of s 46 of the FOI Act (where the disclosure of the requested documents would be a contempt of Parliament or a Court).

The applicant sought access to documents, including CCTV footage, related to an incident in the Parliament House precinct. The exemption under s 46(c) of the FOI Act was applied on the basis that disclosure would infringe parliamentary privilege.

The FOI Guidelines explain that the term ‘parliamentary privilege’ refers to the privileges or immunities of the Houses of the Parliament, and the powers of the Houses to protect the integrity of their processes. The use of CCTV footage captured by the Parliament House CCTV system is subject to a code which restricts viewing, storing, accessing, releasing and disposing of CCTV footage without the approval of the President of the Senate and the Speaker of the House of Representatives (Presiding Officers).

The Information Commissioner also considered s 6 of the Parliamentary Precincts Act 1988, which states that the parliamentary precincts are under the control and management of the Presiding Officers. Given the authority of the Presiding Officers under the Parliamentary Precincts Act 1988 and their endorsement of the code, the Information Commissioner considered the code amounts to a rule of the Houses of Parliament that restricts the use and disclosure of CCTV footage captured in the parliamentary precincts and the act of disclosing CCTV footage contrary to the code would infringe parliamentary privilege.

The Information Commissioner was satisfied that conduct which improperly interfered with the free exercise by the House of Parliament of its authority or functions, such as the contravention of a rule or order of a House of Parliament, may constitute contempt of the parliament and infringe the privileges of the parliament.

The Information Commissioner affirmed the decision refusing access to the CCTV footage.

We have updated paragraphs 5.188 to 5.195 of the FOI Guidelines to refer to this decision.

Case Study 2.15: Rex Patrick and Minister for Resources and Northern Australia (Freedom of information) [2019] AICmr 13 (25 March 2019)

The applicant applied to the Minister for Resources and Northern Australia for access to diary entries relating to the National Radioactive Waste Management Facility at Kimba and Hawker. The Minister refused the request under s 24A of the FOI Act because no ‘diary entries’ exist.

During the IC review, the Minister’s office accepted that the term ‘diary’ included electronic calendars and other email calendars and schedules. The Minister’s office subsequently indicated the Minister was willing to process the request because the scope of the applicant’s request included the Minister’s electronic email calendars and schedules.

The Information Commissioner was satisfied that documents within the scope of the applicant’s request did exist.

FOI complaints

Under s 69 of the FOI Act, the Information Commissioner has power to investigate agency actions about the handling of FOI matters.

Part 11 of the FOI Guidelines explains that making a complaint is not an appropriate mechanism where IC review is available, unless there is a special reason to undertake an investigation and the matter can be dealt with more appropriately and effectively in that way. Generally, an IC review is the more appropriate way for a person to seek review of the merits of an FOI decision, particularly an access refusal or access grant decision. This approach accounts for the relatively small number of FOI complaints received compared with IC review applications.

In 2018–19, we received 61 FOI complaints and closed 22. This represents a slight decrease (1.6%) in lodgements compared with 2017–18 (when 62 FOI complaints were received) and a 24% decrease in finalisations compared with 2017–18 (when 29 FOI complaints were finalised). The decrease in the number of FOI complaints finalised is primarily the result of us receiving a sustained increase in the number of IC review applications and our focus on finalising IC reviews, in particular those over 12 months old.

Of the FOI complaints finalised during this reporting period, 81.8% were closed within 12 months of receipt — meeting the OAIC’s target of closing 80% of all FOI complaints within 12 months.

As in previous years, the most common complaints about the handling of FOI matters by agencies were:

  • agencies not meeting statutory timeframes
  • problems with consultation under practical refusal provisions
  • the imposition or amount of a charge
  • poor customer service (most commonly a failure to reply to correspondence).

In 2018–19, there was an increase in the number of complaints about decision-makers not stating their name and designation in the notice of decision, as s 26 of the FOI Act requires, and about agency administration of the IPS.

FOI extensions of time

The FOI Act sets out timeframes within which agencies and ministers must process FOI requests.

Where an agency or minister is unable to process an FOI request within the processing period, they may request an extension of time from the FOI applicant or the Information Commissioner.

Where the applicant agrees to an extension of time in writing, the agency or minister must advise the Information Commissioner of the agreement to extend the statutory processing time as soon as practicable.

An agency or minister can apply to the Information Commissioner for an extension of time to the processing period where an agency or minister is able to demonstrate that the processing of the FOI request has been delayed because the FOI request is voluminous or complex in nature (s 15AB of the FOI Act) or where the agency or minister has been unable to process the request within the statutory timeframe and the agency or minister is deemed to have made a decision refusing the FOI request (s 15AC of the FOI Act). See Tables 2.7 and 2.8.

Table 2.7: FOI extension of time (EOT) notifications and requests received and closed

Year        2016–17   2017–18   2018–19
Received    4,412     3,367     3,785
Closed      4,420     3,333     3,779

During this reporting period, we finalised 84% of extension of time applications within five working days.

Table 2.8: FOI extensions of time (EOT) notifications and requests closed, by type

Request type                                                                                    2016–17   2017–18   2018–19
Section 15AA (notification of EOT agreements between agency and applicant)                      3,808     2,762     2,959
Section 15AB (request to OAIC by agency where voluminous or complex)                               453       370       562
Section 15AC (request to OAIC by agency where deemed refusal decision)                             112       122       178
Section 51DA (request to OAIC by agency for EOT for dealing with amendment/annotation request)       –         1         1
Section 54B (extension of the period to make an internal review request made by agency)             –         –         1
Section 54D (request to OAIC by agency for EOT where deemed affirmation on internal review)          29        38        37
Section 54T (request to OAIC for EOT for person to apply for IC review)                              18        40        41
Total                                                                                           4,420     3,333     3,779

FOI vexatious applicant declarations

The Information Commissioner has the power to declare a person to be a vexatious applicant if she is satisfied that the grounds set out in s 89L of the FOI Act exist.

During 2018–19, the Information Commissioner received nine applications from agencies under s 89K seeking to have a person declared a vexatious applicant. Eight applications were finalised in 2018–19, with three declarations being made, three refused and two withdrawn.

Declarations are published on the AustLII website as part of the AICmr series.

Case Study 2.16 describes an FOI vexatious applicant declaration made during this reporting period.

Case Study 2.16: Office of the Registrar of Indigenous Corporations and ‘PW’ (Freedom of information) [2019] AICmr 6 (13 February 2019)

‘PW’ was the subject of a vexatious applicant declaration made by a former Information Commissioner which expired on 3 June 2017. Between 26 July 2017 and 5 July 2018, PW engaged in a further 28 access actions.

In deciding whether to make the declaration, the Information Commissioner considered whether the agency had used other provisions in the FOI Act to lessen the impact of PW’s access actions on its operations and whether deficiencies in the agency’s FOI administration had contributed to the respondent’s access actions. This included: the impact of PW’s access actions on the agency’s other work, the size of the agency, the resources the agency could reasonably allocate to FOI processing, the impact PW’s access actions had on FOI administration in the agency and whether PW had cooperated reasonably with the agency to enable efficient FOI processing.

The Information Commissioner had regard to the parties’ submissions and was satisfied the agency had established that PW had repeatedly engaged in access actions that involved an abuse of process by unreasonably interfering with the agency’s operations.

The Information Commissioner decided that a declaration for three years was appropriate in circumstances where the respondent had previously been declared vexatious.

FOI agency resources

We produced guidelines and other resources during this reporting period to promote FOI best practice and help Australian Government agencies understand their FOI obligations.

FOI Guidelines

In June 2019, we amended Part 5 of the FOI Guidelines about the exemption in s 46 of the FOI Act (where the disclosure of the requested documents would be a contempt of Parliament or a Court) to reflect the IC review decision: Seven Network (Operations) Limited and Australian Federal Police (Freedom of information) [2019] AICmr 32 (6 June 2019). This was the first IC review decision to consider the exemption.

Administrative access resource

In September 2018, we re-issued FOI Agency Resource 14: Access to Government Information — Administrative Access. We sought comments from interested stakeholders about the readability and accessibility of the revised resource.

The resource helps agencies and ministers understand administrative access and emphasises the importance of considering administrative access as an alternative to formal FOI processes. This approach is consistent with the object of the FOI Act to facilitate and promote public access to information promptly and at the lowest reasonable cost.

The resource is available on our website under FOI Guidelines, Administrative Access.

Disclosure log determination

Section 11C of the FOI Act includes some circumstances in which an agency or minister is not required to publish information released in response to FOI requests on their website. Section 11(1)(c) of the FOI Act provides that if the Information Commissioner has made a determination under s 11C(2) of the FOI Act, an agency is not required to publish information specified in the determination.

On 28 November 2018, the Information Commissioner made a determination under s 11C(2) of the FOI Act: Freedom of Information (Disclosure Log — Exempt Documents) Determination 2018.

This determination establishes two circumstances in which an agency or minister is not required to publish information, in addition to those already found in s 11C of the FOI Act. The additional circumstances are:

  • Information was exempt from disclosure when the agency or minister gave access to the applicant.
  • Information in the document that the agency or minister would have decided was exempt at the time access was given to the applicant, if the request had been made by someone other than the applicant.

The determination is otherwise substantially the same as the previous determination and will be in effect for five years.

Newsletters

We sent 13 newsletters and updates to FOI contact officers who had signed up as ICON members. These newsletters included news and information about FOI, information management and general OAIC updates. ICON members also received alerts including reminders for upcoming ICON events, reporting and policy updates, and summaries of recent IC review decisions.

Events

We participated in a range of activities throughout the year to raise awareness about accessing government-held information, the role of the OAIC and our processes.

ICON information sessions

We re-established six-monthly information sessions for information contact officers. These ICON sessions were held in Canberra in September 2018 and April 2019. Both sessions were attended by more than 70 information contact officers.

The ICON sessions provided an opportunity to network with FOI colleagues and to discuss information access issues. Examples of topics covered at ICON meetings include:

  • policy and operational updates from the Information Commissioner and other key OAIC staff, including the Deputy and Assistant Commissioners
  • the role of the FOI practitioner in promoting accountability and transparency
  • the OpenAustralia Foundation introducing its Right to Know website
  • the new records authority for ministerial records published by the National Archives of Australia.

National Association of Community Legal Centres Conference

In August 2018, staff from the OAIC attended the National Association of Community Legal Centres Conference in Sydney, where they explained the right to access government-held information to staff from community legal centres across Australia.

Australian Government Solicitor forums

The Information Commissioner gave the keynote address at the Australian Government Solicitor’s FOI and Privacy Forum in Canberra on 17 May 2019.

In her address, ‘From personal information to information access rights: building a strong foundation for our democracy and digital economy’, the Information Commissioner spoke about how important it is for practitioners to handle personal information in an honest and ethical way. She also canvassed the international access to information landscape, sharing insights from the International Conference of Information Commissioners in South Africa in March.

Right to Know Day 2018

International Right to Know Day is held on 28 September each year. In 2018, we promoted the event and general awareness of information access rights with a digital campaign.

The campaign included three short videos highlighting information access themes: ‘It’s your right to know’, ‘How to make an FOI request’ and ‘12 tips for FOI decision-makers’. These videos are available as an ongoing resource on our website and YouTube channel.

Staff also set up an information booth at Wynyard in Sydney to promote Right to Know Day on 28 September. They talked to more than 500 commuters and provided printed material about open government and the right to access government-held information.

Media

The AIAC issued a joint media statement for Right to Know Day following a meeting hosted by the OAIC in Sydney on 20 to 21 September 2018.

The statement encouraged all government agencies across Australia and New Zealand to take a proactive approach towards releasing information and documents.

The community’s right to know is the foundation of open and accountable government. Access to the information and data held by government strengthens our democracy by promoting greater public participation and scrutiny and supporting better decision-making.

International Right to Know Day, held on 28 September, recognises citizens’ right to access this information and reinforces the importance of transparency in building trust in government. As Information Commissioners we strive to promote and uphold the fundamental right of citizens to access government information.

We are also supporting information access officers in carrying out their very important role as part of the effective management of government-held information.

Statement of Australian and New Zealand information access commissioners for International Right to Know Day 2018

Website

We released a new website for public feedback in June 2019 (see performance measure 1.7.4).

IPS

Between May and August 2018, we undertook an IPS survey of all Australian Government agencies subject to the FOI Act. ORIMA Research conducted the survey on behalf of the OAIC.

The survey reviewed the operation of the IPS in each agency and gave agencies an opportunity to comply with the requirement to conduct a review under s 9 of the FOI Act. This section requires an agency to complete a review of the operation of the IPS within their agency as appropriate from time to time and within five years of the commencement of the IPS.

The final report was published in June 2019. The survey had a response rate of 82% (compared to 78% in 2012) with 190 agencies participating.

The results show the IPS continued to be an important element in ensuring information Australian Government agencies hold is managed for public purposes and is treated as a national resource.

Agency responses confirmed a continued commitment to IPS requirements and principles, although a decline was observed in the four key areas of compliance measured in both the 2012 and 2018 survey. Larger agencies generally reported higher levels of compliance with IPS requirements and better practice principles, compared with micro to small agencies.

Compliance with the IPS is an ongoing statutory responsibility for agencies subject to the FOI Act. The survey’s results have helped us to identify areas where improvements can be made to further promote the proactive publication of Australian Government information.

FOI processing statistics received from Australian Government agencies and ministers

Below is a selection of the FOI request processing statistics provided by Australian Government agencies and ministers to the OAIC. The figures have been rounded to the nearest whole number. For detailed figures, see Appendix D.

The number of FOI requests received across Australian Government agencies increased by 13% from 34,438 in 2017–18 to 38,879 in 2018–19. This increase was experienced in both requests for personal information and other (non-personal) information; however, the increase in personal requests was more pronounced (15% higher than 2017–18) than non-personal requests (3% higher than 2017–18). The increase in requests for personal information is in large part due to the Department of Home Affairs (DHA) receiving 24% more personal requests in 2018–19 than in the previous financial year.

In 2018–19, 32,440 or 83% of all FOI requests were for documents containing personal information. This is marginally higher than in 2017–18 and 2016–17 when 82% of all requests were for personal information.

In 2018–19, the DHA, the DHS and the Department of Veterans’ Affairs together continued to receive the majority of FOI requests (69% of the total). Of these, 96% were for personal information.

The percentage of FOI requests processed within the applicable statutory time period decreased from 85% in 2017–18, to 83% in 2018–19.

The percentage of FOI requests granted in full increased from 50% of all requests in 2017–18 to 52% in 2018–19 and the number of requests refused decreased from 16% of all FOI requests in 2017–18 to 13% in 2018–19.

The personal privacy exemption in s 47F of the FOI Act remains the most claimed exemption (38% of all exemptions claimed).

The total reported costs attributable to processing FOI requests in 2018–19 was $59.85 million, a 15% increase on 2017–18 ($52.19 million).

Australian Government agencies and ministers issued 2,225 notices advising of an intention to refuse a request for a practical refusal reason in 2018–19. This is a 47% decrease on the number issued in 2017–18. Of these requests, 77% were subsequently refused or withdrawn; that proportion was 84% in 2017–18.

There was a 7% decrease in the total charges notified in 2018–19 but a 6% increase in the total charges collected by Australian Government agencies ($122,774).

The total number of entries added to agency website disclosure logs in 2018–19 (1,200) is 9% higher than 2017–18, when 1,104 new entries were added. However, the proportion of entries from which members of the public can directly access disclosure log documents from agency websites remains low at 59%.

There was a 12% increase in internal review applications in 2018–19. Of the 829 decisions on internal review, 429 (52%) affirmed the original decision, 91 (11%) set aside the original decision and granted access in full and 232 (28%) granted access in part.

For more information, see Appendix E.

Long text descriptions

Privacy complaints received each month during the last three financial years

Figure 2.1: Privacy complaints received each month during the last three financial years

Month       2018–19   2017–18   2016–17
July        362       207       192
August      315       256       255
September   262       240       168
October     260       245       237
November    316       267       218
December    210       191       170
January     314       238       167
February    271       277       222
March       234       240       275
April       244       206       154
May         278       284       217
June        237       296       220


Figure 2.2: Privacy complaints closed each month during the last three financial years

Month       2018–19   2017–18   2016–17
July        232       214       152
August      264       244       189
September   242       301       208
October     257       233       209
November    239       264       181
December    176       148       193
January     214       167       179
February    240       253       176
March       326       252       241
April       197       161       172
May         298       269       308
June        234       260       277


Figure 2.3: Media enquiries received during 2018–19

Month       2018–19   2017–18
July        55        14
August      21        7
September   9         11
October     30        17
November    20        12
December    16        7
January     19        23
February    11        32
March       8         48
April       21        65
May         18        55
June        10        26
