Information Sharing and  Complaint Referral Arrangements  under Part VIIIA of the Privacy Act 1988

1.  Background

1.1.             The Privacy Amendment (Public Health Contact Information) Bill 2020 amended the Privacy Act to insert a new Part VIIIA.

1.2.             Part VIIIA regulates the COVIDSafe app and introduces stringent privacy protections and penalties for misuse of COVID app data and COVIDSafe.

1.3.             Relevantly, Part VIIIA:

  1. ensures that COVID app data is taken to be personal information and breaches of this Part are interferences with privacy; and
  2. provides for the Privacy Act to apply to State or Territory health authorities in relation to COVID app data; and
  3. enables the Commissioner to refer complaint matters to, and share information or documents with, State or Territory privacy authorities.

1.4.             The complaint referral and information sharing arrangements under Part VIIIA:

  1. reflect the expectation that the Commissioner may receive privacy complaints about State or Territory health authorities that fall outside the scope of Part VIIIA, but may involve a breach of applicable State or Territory privacy legislation; and
  2. recognise that State or Territory privacy authorities may be best placed to investigate State or Territory health authorities in some circumstances.

2.  Objectives of this Arrangement

2.1.             The objective of this Arrangement is to assist the process of complaint referral and information sharing from the Office of the Australian Information Commissioner (OAIC) to State or Territory privacy authorities as permitted under Part VIIIA.

2.2.             Nothing in this Arrangement is intended to:

  1. create binding obligations, or affect existing obligations under Commonwealth, state or territory law; or
  2. create obligations or expectations of cooperation that would exceed a party’s scope of authority and jurisdiction.

3.  Effect

3.1.             This Arrangement will come into effect between the OAIC, and the relevant State or Territory privacy authority on the date on which the State or Territory privacy authority provides its written notice to the OAIC of its agreement to be a party to this Arrangement.

3.2.             The Arrangement may be modified by the OAIC to include other State or Territory privacy authorities who become parties to the Arrangement during the period of arrangement (as set out in section 11).

4.  Definitions

In this Arrangement the following definitions apply:

Arrangement means this document, the Information Sharing and Complaint Referral Arrangements under Part VIIIA of the Privacy Act 1988.

Commissioner means the Australian Information Commissioner within the meaning of the Australian Information Commissioner Act 2010.

complaint means a complaint that meets the requirements of section 36 of the  Privacy Act.

COVID app data has the meaning given by subsection 94D(5) of the Privacy Act.

OAIC means the Office of the Australian Information Commissioner.

party means the OAIC and any State or Territory privacy authority that is a signatory to this Arrangement.

Privacy Act means the Privacy Act 1988 (Cth).

State or Territory health authority means a State or Territory authority responsible for the administration of health services in a State or Territory.

State or Territory privacy authority means a State or Territory authority that has functions to protect the privacy of individuals (whether or not the authority has other functions).

5.  The Office of the Australian Information Commissioner

5.1.             The OAIC is the independent regulator responsible for administering the Privacy Act.

5.2.             Among other things, Part VIIIA extends the operation of the Privacy Act to State or Territory health authorities, to the extent that those authorities deal with COVID app data.

5.3.             Although the OAIC has jurisdiction over State or Territory health authorities in relation to Part VIIIA, State or Territory privacy authorities retain their jurisdiction in all other respects.

5.4.             The OAIC recognises it may receive complaints or information that fall outside the scope of Part VIIIA, but may otherwise involve a breach of applicable State or Territory privacy legislation or go towards a State or Territory privacy authority exercising its powers, or performing its functions or duties.

6.  State and Territory privacy authorities

6.1.             A State or Territory privacy authority is eligible to be a party to the Arrangement if it has functions to protect the privacy of individuals, whether or not the authority has other functions.

6.2.             A State or Territory privacy authority will become a party to the Arrangement by providing written notice advising the OAIC of their agreement to do so. Parties to the Arrangement will be named in the Schedule.

7.  Complaint referral

7.1.             Where the OAIC receives a complaint under section 36 of the Privacy Act, about an act or practice that may involve a breach of a requirement of Part VIIIA, the Commissioner may decide not to investigate the matter, if the Commissioner forms the opinion that:

  1. the complainant has made, or could have made, a complaint relating to that matter to a State or Territory privacy authority; and
  2. the matter could be more conveniently or effectively dealt with by the State or Territory privacy authority.

7.2.             If the Commissioner decides not to investigate such a matter, the Commissioner will:

  1. transfer the complaint to that State or Territory authority; and
  2. give notice in writing to the complainant stating that the complaint has been transferred; and
  3. give to the State or Territory privacy authority any information or documents that relate to the complaint.

7.3.             To properly inform the Commissioner, the OAIC will consult with the relevant State or Territory privacy authority to determine whether the conditions outlined in 7.1 exist.

7.4.             A complaint transferred under this section will be taken, for the purposes of the Privacy Act, to have been made to that State or Territory authority.

8.  Information Sharing

8.1.             The Commissioner may share information or documents with a State or Territory privacy authority:

  1. for the purpose of the Commissioner exercising powers, or performing functions or duties under the Privacy Act in relation to the requirements of Part VIIIA; or
  2. for the purpose of the State or Territory privacy authority exercising its powers or performing its functions or duties.

8.2.             The Commissioner may only share information or documents with a State or Territory privacy authority under section 94W of the Privacy Act if:

  1. the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act; and
  2. the Commissioner is satisfied on reasonable grounds that the State or Territory privacy authority has satisfactory arrangements in place for protecting the information or documents.

8.3.             For the avoidance of doubt, the Commissioner may share information or documents with a State or Territory privacy authority under section 94W whether or not the Commissioner is transferring a complaint or part of a complaint to the authority.

8.4.             In agreeing to be a party to this Arrangement, the State or Territory privacy authority confirms that it has satisfactory arrangements in place for protecting information or documents shared by the Commissioner under section 94W. The State or Territory privacy authority will provide to the Commissioner, on request, information or documents about these arrangements. The State or Territory privacy authority will promptly notify the Commissioner of any changes to these arrangements.

8.5.             In agreeing to be a party to this Arrangement, the parties agree to store the relevant information securely and that access to the information or documents will be restricted to individuals on a need to know basis.

9. Transfer of information or documents

9.1.             The OAIC shall adopt appropriate security measures, in accordance with the requirements under the Protective Security Policy Framework, to protect the transfer of information or documents.

9.2.             Parties shall have regard to the sensitivity of the information or documents and any classification that is applied by the sender.

10. Contact officer

10.1.         Parties shall nominate a designated contact officer for the purposes of this Arrangement.

10.2.         Parties may change their designated contact officer at any time by providing written notice to the OAIC.

11. Amendment and period of arrangement

11.1.         The Arrangement will continue until the repeal of Part VIIIA, being 90 days after the day determined under subsection 94Y(1) of the Privacy Act.

11.2.         Should the Arrangement continue until 30 June 2022, the Arrangement will be reviewed on that date, and every two years thereafter.

11.3.         The Arrangement may be amended at any time by agreement of the parties.

11.4.         Parties may withdraw from this Arrangement at any time by providing written notice to the OAIC.

12. Schedule

The following State or Territory privacy authorities are parties to this Arrangement:

State or Territory privacy authority

Date of effect

Ombudsman Tasmania

18 January 2021

Office of the Victorian Information Commissioner

19 January 2021

The Information Commissioner (Northern Territory)

19 January 2021

Information and Privacy Commission, NSW

20 January 2021

The Office of the Health and Community Services Complaints Commissioner

1 February 2021

Office of the Information Commissioner (Queensland)

10 May 2021

Privacy Committee of South Australia

18 May 2021