Summary statement with APEC — Privacy Enforcement Authority enforcement practices and activities
Australia — Office of the Australian Information Commissioner
Privacy Enforcement Authority name: Office of the Australian Information Commissioner (OAIC)
Website address: www.oaic.gov.au
Key law(s) enforced by Australian authority:
Privacy Act 1988
The Privacy Act adopts a principle-based, rather than a prescriptive, approach. It sets out 13 Australian Privacy Principles (or APPs). The APPs apply to Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover greater than $3 million and all health service providers and organisations trading in personal information have responsibilities under the Privacy Act, subject to some exceptions.
The APPs govern the collection, storage, use and disclosure of personal information, as well as providing individuals with certain rights to access their personal information and correct errors. There are specific APPs that apply to open and transparent management of personal information, direct marketing, cross-border disclosure of personal information and government identifiers.
Under the Privacy Act sensitive information, including health information and financial information, have higher protections.
The Privacy Act also provides for a range enforcement actions to be taken by the OAIC.
Other legislation under which the Office of the Australian Information Commissioner has (a role/responsibilities?):
The Telecommunications Act 1997 contains a number of provisions dealing with the privacy of personal information held by carriers, carriage service providers and others. The Telecommunications Act provides for the development of industry codes and standards in a range of consumer protection and privacy areas. The OAIC must be consulted on any privacy codes. The codes are voluntary in the first instance, but breaches can be enforced by the Australian Communications and Media Authority.
Part 13 of the Telecommunications Act sets out strict rules for carriers, carriage service providers and others in their use and disclosure of personal information and the OAIC has the role of monitoring compliance with these rules.
Medicare and pharmaceutical benefits
The National Health Act 1953 (NH Act) and legally binding privacy guidelines issued under section 135AA of the NH Act regulate the handling of Medicare and pharmaceutical benefits (MBS and PBS) information. Agencies that handle MBS and PBS information must inform the OAIC about certain matters under the guidelines and a person may complain to the OAIC if they believe that a breach of the guidelines has occurred.
The Data-matching Program (Assistance and Tax) Act 1990and legally binding guidelines issued under that Act regulate the use of tax file numbers (TFNs) in matching personal information held by the Australian Taxation Office and assistance agencies such as the Department of Human Services and the Department of Veterans’ Affairs. A person may complain to the OAIC if they believe that a breach of that Act or guidelines has occurred. The OAIC has also issued voluntary guidelines for agencies, which generally apply to data-matching that does not involve TFNs.
The Crimes Act 1914 (Crimes Act) — Part VIIC — (the Commonwealth Spent Convictions Scheme) provides protection for individuals with old minor convictions from having to disclose those convictions in certain circumstances. The OAIC has the power to investigate breaches of the legislation and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme.
Anti-money laundering and counter-terrorism
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) aims to prevent money laundering and the financing of terrorism by imposing a number of obligations on the financial sector, gambling sector, bullion dealers and other professionals or businesses that provide particular ‘designated services’. The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the agency responsible for ensuring compliance with the AML/CTF Act, and must consult the OAIC on matters that relate to the privacy of individuals. Small businesses, normally exempt from the Privacy Act, who have obligations under the AML/CTF Act are covered by the Privacy Act in relation to their handling of personal information to meet those obligations.
The Healthcare Identifiers Act 2010 (HI Act) establishes the Healthcare Identifiers Service (HI Service) and prescribes how healthcare identifiers will be assigned and how they can be used and disclosed. The OAIC has oversight and compliance functions under the HI Act, including investigating complaints about the mishandling of healthcare identifiers.
The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the rules and regulations issued under the PCEHR Act create the legislative framework for the Australian Government’s personally controlled electronic health (eHealth) record system. Under the eHealth record system the OAIC regulates the handling of personal information by individuals, Australian Government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
Personal Property Securities Register
The Personal Property Securities Act 2009 (PPS Act) establishes a single, national, online Personal Property Securities Register (PPS Register). The PPS Register allows lenders and businesses to register their security interests over personal property. Registrations on the PPS Register may include personal information about individuals. A breach of certain sections of the PPS Act is a breach of the Privacy Act.
Note: Australian legislation is available and searchable online at www.comlaw.gov.au.
General sectors/jurisdictions regulated by Australian authority:
(Public sector, private sector, a particular industry sector? Do you operate in a particular geographical jurisdiction such as a state or province?)
Australian Government (called Commonwealth or Federal agencies) and Norfolk Island Government agencies and all businesses and not-for-profit organisations with an annual turnover greater than $3 million have responsibilities under the Privacy Act subject to some exceptions.
Some small business operators (organisations with a turnover of $3 million or less) are also covered by the Privacy Act including:
- private sector health services providers
- businesses that sell or purchase personal information
- credit reporting bodies
- contracted serviced providers for a Commonwealth contract.
In addition, particularly acts and practices of some other small business operators are covered by the Privacy Act.
The Privacy Act also covers specified persons handling credit reporting information, tax file numbers, personal information contained on the Personal Property Securities Register, old conviction information under the Commonwealth Spent Convictions Scheme and ehealth record information.
The Privacy Act does not cover state or territory agencies, subject to some exceptions; small business operators, unless an exception applies (see above); media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards; and registered political parties and political representatives.
Approach to investigation / resolution of enforcement matters:
(What are your key enforcement activities or roles? For example, do you receive complaints, grant approvals, investigate, mediate or make determinations on matters? Broadly speaking, what are your investigation processes? What are your enforcement powers?)
The OAIC has a range of regulatory powers for working with entities to encourage compliance and best practice privacy practices. These regulatory powers including powers to:
- conduct an assessment of whether an entity is maintaining and handling personal information in accordance with relevant provisions (such as the APPs)
- direct an agency to give the OAIC a privacy impact assessment (PIA)
- the OAIC can also request entities to develop an APP code or impose one where appropriate.
- investigate an entity following a complaint
- investigate an entity on its own initiative, that is, without someone making a complaint (Commissioner initiated investigation). For example, if the media reports an alleged breach of privacy, the OAIC may take action and investigate before a complaint is made.
- accept an enforceable undertaking from an entity. An enforceable undertaking is a promise by an entity that it will take specified action or refrain from taking specified action in order to comply with relevant privacy provisions, or to ensure it does not do an act or engage in a practice that interferes with an individual’s privacy
- make a determination on a privacy complaint. The OAIC can also make a determination after conducting a Commissioner initiated investigation
- apply to the courts for an injunction to restrain a person from engaging in conduct that would constitute a breach of relevant privacy provisions or for an order that an entity pay the a civil penalty.
Central to the OAIC’s regulatory approach is an escalation model that includes a range of regulatory responses.
In the case of individual complaints, the OAIC would expect to see a person try to resolve a matter with the organisation or agency first. If the respondent is a member of a recognised External Dispute Resolution scheme, the OAIC would also expect the individual to have first accessed that scheme. If a matter is accepted by the OAIC, we will always attempt to resolve issues through conciliation. In relation to Commissioner initiated investigations the OAIC will work with respondent organisations and agencies to resolve the matter. However, where conciliation or working with entities is not effective, we may use our other tools, including determinations, enforceable undertakings or in the case of serious or repeated breaches, initiating court proceedings to impose a civil penalty.
(Does your authority have a policy on the prioritization of enforcement matters it is willing to handle? If so, please provide a link to your current policy)
The OAIC is in the process of finalising a regulatory action policy. The OAIC’s privacy regulatory action policy explains the OAIC’s range of powers and its approach to using its privacy regulatory powers and making related public communications. The draft policy is available here: OAIC’s privacy regulatory action policy.
The draft policy sets out that in taking privacy regulatory action, the OAIC’s main goal is to promote and ensure the protection of personal information, consistent with the objects of the Privacy Act and the OAIC’s strategic plan. More specifically, the OAIC will take privacy regulatory action aiming to:
- ensure compliance with personal information handling obligations
- increase knowledge of personal information handling rights and obligations and the OAIC’s privacy regulatory powers
- assist and influence entities to adopt best practice personal information handling practices
- deter contravening conduct (both specifically and generally)
- secure remedies where contraventions have occurred
- address systemic issues in relation to personal information handling
- instil public confidence in the OAIC’s role of ensuring the protection of personal information.
Other relevant information
(Are there any restrictions on how your agency can cooperate on enforcement? Are there any circumstances in which your agency may be required by law to provide information obtained under the Cooperation Arrangement to a third party?)
The OAIC is required to comply with the Australian Privacy Principles (APPs). The office aims to be a leader in good privacy practices, emphasising confidential and consent-based handling of complaints and other personal information.
APP 6 provides for the use and disclosure of personal information in a number of circumstances, including when:
- the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order
- an entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Up until recently section 43(2) of the Privacy Act provided that the investigation of complaints and Commissioner initiated investigations: ‘shall be conducted in private but otherwise in such manner as the Commissioner thinks fit’.
However, amendments to the Privacy Act that commenced on 12 March 2014 removed reference to conducting investigations in private. The amendment is designed to clarify that the Commissioner has the discretion to investigate in public or private. This provision may provide the OAIC with the flexibility to participate in joint enforcement action.
The OAIC is also a member of various international forums including:
- the Asia Pacific Privacy Authorities (APPA) forum
- the OECD Global Privacy Enforcement Network (GPEN)
- the APEC Cross-border Privacy Enforcement Arrangement (CPEA).
The OAIC has signed a memorandum of understanding (MOU) with the Data Protection Commissioner of Ireland.
The OAIC has agreed a set of Collaboration Principles with the Information and Privacy Commission NSW.