Introduction

This report is made pursuant to the reporting requirements set out under section 7.3 of the 2018–21 Memorandum of Understanding (MOU) between the Australian Capital Territory (ACT) and the Office of the Australian Information Commissioner (OAIC), for the provision of privacy services related to the Information Privacy Act 2014 (ACT).

This report is for the period 1 July 2018 to 30 June 2019.

From 1 September 2014, the Information Privacy Act superseded the Privacy Act 1988 in relation to the general privacy regulatory regime covering ACT public sector agencies. The Information Privacy Act contains the Territory Privacy Principles (TPPs) which ACT public sector agencies must comply with in relation to the collection and handling of personal information (other than personal health information).

The numbered headings below correspond to the reporting requirements set out in the MOU.

7.3 (1) Number of complaints, assessments, written and telephone enquiries

Number of

Total

(a) Complaints open as at 1 July 2018

4

(b) Complaints received in 2018–19

10

(c) Complaints closed in 2018–19

8

(d) Complaints open as at 30 June 2019

6

(e) Complaints that resulted in a report to the Minister under section 43 of the Information Privacy Act

n/a

(f) Complaints about which the Commissioner has given a notice under section 45 of the Information Privacy Act

n/a

(g) Assessments finalised

0

(h) Written and telephone enquiries about ACT public sector agencies

21

7.3 (1)(h) Summary of issues raised in written and telephone enquiries

Telephone calls

Eighteen telephone enquiries were received during the reporting period:

  • One individual and one business called for general information about the OAIC’s role in regulating ACT government agencies, including ACT government subcontractors. They were given information about the TPPs and the OAIC’s privacy complaints process.
  • Four enquiries involved questions about the collection of personal information by ACT government agencies. Two of these individuals were concerned that an ACT agency was collecting excessive or unnecessary personal information. They were provided advice on TPPs 3, 5 and 6, and the OAIC’s privacy complaints process
  • Three enquiries related to the handling of health information. These included questions about the quality and accuracy of health information and improper disclosures of health information. These individuals were advised the TPPs do not cover health information and, where appropriate, they were referred to the ACT Human Rights Commission who regulates the Health Records (Privacy and Access) Act 1997.
  • Four enquiries related to accessing personal information. The individuals were given information about TPP 12 and the OAIC’s privacy complaints process.
  • One individual called for information about the disclosure of their personal information, as well as how to request access to personal information held by ACT government agencies. This individual was provided advice on TPPs 6 and 12 and the OAIC’s privacy complaints process.
  • One individual and one business called for general information about the OAIC’s role in regulating ACT government agencies, including ACT government subcontractors. They were given information about the TPPs and the OAIC’s privacy complaints process.
  • The OAIC received four misdirected enquiries which were referred to the relevant entity to assist:
    • Two of these involved individuals attempting to seek access to personal information held by other ACT government agencies
    • One involved an individual attempting to contact a different entity
    • One involved a spent conviction that fell under a State spent convictions scheme.
  • An individual called to provide the OAIC with a tip-off about an ACT government entity that was allegedly disclosing personal information without consent. They were provided with advice on TPP 11.

Written enquiries

Three written enquiries were received during this reporting period:

  • An individual emailed the OAIC regarding an alleged data breach. They were advised on TPP 11 and the OAIC’s complaints process.
  • An individual enquired about ACT privacy legislation in general. They were advised on the TPPs and the role of the OAIC in handling complaints about ACT government agencies.
  • An individual enquired about obligations to provide opt-in or opt-out choices to parents receiving communications from an ACT school.  They were advised that the TPPs do not specifically cover the issue of opting in or out of communications. However, they were provided general information on TPP 6 and TPP 11.

7.3 (2) For each complaint received in 2018–19, a summary of issues raised and outcomes

Respondent: ACT Government Community Services Directorate (CP18/03315)

Details: The complaint was received on 18 November 2018 and closed on 21 March 2019. The complainant alleged that the respondent improperly disclosed their personal information by identifying her as the reporter in a child protection matter.

In this instance the respondent provided an apology to the complainant and advised that the staff members responsible for the disclosure were reminded of their obligations under privacy legislation.

The complaint was satisfied with this outcome and the complaint was closed under s 39(g)(i) of the Information Privacy Act on the basis that the respondent had adequately dealt with the matter.

Respondent: ACT Education Directorate (CP18/03356)

Details: The complaint was received on 21 November 2018 and closed on 21 February 2019. The complainant alleged that the respondent improperly disclosed their health information to a school that the complainant did not attend.

The information complained about was personal health information. Section 8(1)(b) of the Information Privacy Act excludes personal health information from the definition of personal information and the scope of the Information Privacy Act. Personal health information is instead covered by the Health Records (Privacy and Access) Act 1997 (ACT) and regulated by the ACT Health Services Commissioner (within the ACT Human Rights Commission).

The complaint was closed under s 39(a) of the Information Privacy Act, on the basis that there was not an interference with the complainant’s privacy. The complainant was referred to the ACT Human Rights Commission.

Respondent: ACT Sheriff’s Office (CP19/00688)

Details: The complaint was received on 8 March 2019 and closed on 27 March 2019. The complainant alleged that the respondent improperly disclosed their personal information to ACT authorities for use in a court proceeding.

The respondent was part of the ACT Supreme Court and it was found that the handling of the complainant’s personal information occurred in the exercise of the court’s judicial functions.

Section 25(1)(b) of the Information Privacy Act provides that ACT courts are exempt from the Information Privacy Act unless the act or practice relates to a matter of an administrative nature.

Accordingly, the complaint was closed on the basis that it related to an exempt act or practice and therefore did not meet the requirements of s 33 of the Information Privacy Act.

Respondent: University of Canberra (CP19/01151)

Details: The complaint was received on 2 May 2019 and closed on 13 May 2019. The complainant alleged that the respondent inappropriately collected their personal information via CCTV and disclosed their medical information without a release form.

The complainant made a complaint to the respondent on 1 May 2019 and lodged their complaint with the OAIC on 2 May 2019, meaning the respondent had not been given an opportunity to provide a response.

The complaint was closed under s 39(g)(ii) of the Information Privacy Act on the basis that the respondent had not had an adequate opportunity to deal with the complaint.

Respondent: Canberra Hospital (CP19/01542)

Details: The complaint was received on 17 June 2019 and closed on 25 June 2019. The complainant alleged that the respondent improperly disclosed their health information to another health care provider.

Section 8(1)(b) of the Information Privacy Act excludes personal health information from the definition of personal information and the scope of the Information Privacy Act. Personal health information is instead covered by the Health Records (Privacy and Access) Act 1997 (ACT) and regulated by the ACT Health Services Commissioner (within the ACT Human Rights Commission).

The complaint was closed under s 34 of the Information Privacy Act on the basis that the matter was outside the OAIC’s jurisdiction.

Summary of issues raised, and outcomes of complaints received in 2017-18 and closed in 2018-19

Respondent: Canberra Hospital (CP18/00806)

Details: The complaint was received in the previous reporting period, on 6 March 2018, and was closed on 5 October 2018. The complainant alleged that an employee of the respondent inappropriately accessed and used her personal information.

The complainant requested access logs to demonstrate any searches carried out by the respondent for their name.

The respondent provided details about when and how the complainant’s personal information was accessed, including audit reports to demonstrate when staff searched for the complainant’s name.

The complainant withdrew their complaint and confirmed they had no further inquiries for the respondent.

Respondent: ACT Corrective Services (CP18/01284)

Details: The complaint was received in the previous reporting period, on 1 May 2018, and closed on 27 June 2019. The complainant was notified by the respondent that their personal information was inadvertently released to another entity as part of its response to a Freedom of Information request.

Attempts were made to contact the complainant to request further information, including what outcomes they were seeking. The complainant did not provide a response, and the OAIC received returned mail, indicating the complainant’s contact details had changed.

The complaint was closed under s 40(2)(a) and 40(2)(c) of the Information Privacy Act on the basis that the complainant did not comply with a reasonable request made by the Commissioner, and the Commissioner was unable to contact the complainant for a reasonable period.

Respondent: University of Canberra (CP18/01726)

Details: The complaint was received in the previous reporting period, on 20 June 2018, and was closed on 22 November 2018. The complainant alleged that the respondent refused to facilitate access under TPP 12.

However, the complainant subsequently withdrew their complaint.

7.3 (3) For each finalised assessment, a summary of the outcome

The OAIC did not finalise any assessments for the 2018-19 reporting period.

Ongoing assessments as at 30 June 2019

Housing ACT

The assessment is examining whether Housing ACT is:

  • Using and disclosing personal information in accordance with its TPP 6 obligations
  • Taking reasonable steps to secure its personal information holdings as required by TPP 11.

The scope of the assessment is focused on how Housing ACT maintains and handles personal information related to the provision of social housing and related services.

As part of the assessment, OAIC staff have reviewed relevant policies and procedures and Interviewed staff.  A draft assessment report was provided to Housing ACT on 28 June 2019.

Privacy policy review of ten agencies

The assessment is examining the privacy policies of ten ACT public sector agencies to determine whether the policies meet the requirements of TPPs 1.3, 1.4 and 1.5.

The agencies included in the assessment are: Access Canberra, ACT Corrective Services, Public Trustee and Guardian, Elections ACT, Legal Aid, ACT Revenue Office, Canberra Health Services, Victim Support ACT, Transport Canberra and the Community Services Directorate.

OAIC staff notified each agency of the assessment by letter on 9 May 2019 and requested certain information about the privacy policies. OAIC staff have also reviewed the privacy policies as they appeared online between 27 and 30 May 2019.

Draft assessment reports for each agency are being prepared. A consolidated report summarising the high-level findings across all agencies will be published on the OAIC’s website.

7.3 (4) Information about any complaints that have not yet been finalised

Respondent: ACT Government Community Services Directorate (CP18/03367)

Details: The complaint was received on 20 November 2018. The complainant alleges that the respondent inappropriately solicited their personal information by collecting more information than is necessary for the respondent’s functions or activities.

The complainant also alleges that the respondent failed to keep their personal information secure by sending their personal information by regular post.

The complainant is seeking a change in the respondent’s practices regarding the collection of personal information.

Respondent: Transport Canberra and City Services Directorate (CP18/03375)

Details: The complaint was received on 21 November 2018. The complainant alleges that an employee of the respondent improperly collected and read their mail. The complainant also alleges that this employee revealed the contents of the mail to other individuals.

Respondent: Legal Aid ACT (CP18/03568)

Details: The complaint was received on 10 December 2018. The complainant alleges the respondent improperly disclosed their personal information by sending information to an incorrect email address and postal address. The complainant also alleges that the respondent discussed details of their case in the respondent’s office, when other individuals were present and could overhear.

Respondent: Access Canberra (CP19/00783)

Details: The complaint was received on 19 March 2019. The complainant alleges the respondent improperly disclosed their personal information. The complainant alleges this occurred when the respondent mistakenly provided an unknown third party with a copy of the complainant’s transaction receipt which contained their identity details including their full name, date of birth, address, licence number and signature.

The complainant is seeking written confirmation form the respondent that this occurred.

Respondent: ACT Corrective Services (CP19/00941)

Details: The complaint was received on 3 April 2019. The complainant was notified by the respondent that their personal information was inadvertently released to another entity as part of its response to a Freedom of Information request.

The complainant is seeking information about what personal information was disclosed, what steps the respondent has taken to address the matter and whether compensation is available.

7.3 (5) Details of formal reports and recommendations made to ACT public sector agencies

No formal reports or recommendations other than in relation to the above assessments were provided during the period.

7.3 (6) Any other information about the management of complaints or significant issues, including an analysis of systemic issues and common themes that have come to the Commissioner’s attention during the year

Voluntary data breach notifications

An agreed service under the MOU includes that a data breach notified to the OAIC by an ACT public sector agency will be registered by the OAIC and further advice will be provided to the agency.  The OAIC receives data breach notifications from ACT public sector agencies on a voluntary basis.[1]

In response to a voluntary data breach notification by an ACT public sector agency, the OAIC will seek to confirm that the data breach has been contained, and that the ACT public sector agency has taken reasonable steps to prevent reoccurrence of the data breach. The OAIC further assists agencies by directing them to relevant guidance on personal information security and data breach response preparation.

The OAIC received four data breach notifications from ACT public sector agencies in 2018-19. In two instances, agencies reported that the data breach was the result of a cyber incident. The remaining data breaches were caused by human error.

OAIC advice to ACT Government Transport Canberra and City Services: Body Worn Video

Written policy advice was provided in September 2018 in relation to the proposed Transport Canberra and City Services Body Worn Video Trial.

ACT Digital Account

The OAIC met with the Chief Minister, Treasury and Economic Development Directorate in December 2018 to discuss the ACT Digital Account, which provides a single validated digital identity to enable citizens to access a range of ACT Government services from any computer or smart device.

Acronyms and abbreviations

TermMeaning
ACTAustralian Capital Territory
CthCommonwealth
FOIFreedom of Information
Information Privacy ActInformation Privacy Act 2014 (ACT)
MOUMemorandum of Understanding;
NDBNotifiable Data Breaches (under the Cth scheme)
OAICOffice of the Australian Information Commissioner
Privacy ActPrivacy Act 1988
TPPsTerritory Privacy Principles [2]

Footnotes

[1] From 22 February 2018, data breaches involving tax file number information may be notifiable by ACT public sector agencies under the mandatory Notifiable Data Breaches scheme found in Part IIIC of the Privacy Act 1988. No such notifications were made in the period.

[2] Schedule 1 of the Information Privacy Act