30 September 2019

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide this submission to the Senate Community Affairs References Committee’s inquiry into Centrelink’s compliance program.

The OAIC is an independent Commonwealth statutory agency, established to bring together the functions of oversight of privacy protection, freedom of information and Government information policy.

The Privacy Act 1988 (Privacy Act)[1] confers on the Australian Information Commissioner and Privacy Commissioner (the Commissioner) a range of privacy regulatory functions and powers. In performing these functions, the Commissioner is required to have regard to the objects of the Privacy Act. The objects include promoting the protection of the privacy of individuals, implementing Australia’s international obligations in relation to privacy, promoting responsible and transparent handling of personal information as well as recognising that the protection of privacy of individuals must be balanced with the interests of entities in carrying out their functions and activities.[2]

Where data used in a data matching program contains personal information, the collection, use and disclosure of the data must be done in accordance with the Privacy Act. The OAIC works with Government agencies to provide information on their privacy obligations and best practice when undertaking data matching activities.

This submission sets out:

  • information about the OAIC’s regulatory role in relation to data matching
  • the data matching privacy regulatory framework
  • a high-level overview of the OAIC’s regulatory experience with data matching since 2016, together with information regarding recommendations made by the OAIC in its privacy assessment (audit) of Centrelink’s compliance program.

Background

Data matching privacy framework and OAIC role

Data matching is the bringing together of at least two data sets that contain personal information from different sources, and the comparison of those data sets with the intention of producing a match.[3] Agencies usually match data so that they can identify people for further investigation or action. This has a privacy impact as it can involve the retention and analysis of the personal information of large numbers of people without prior cause and may result in the generation of new personal information.

What constitutes personal information[4] will vary, depending on whether identity can reasonably be ascertained in the circumstances. This may include information used in or created by data matching processes. For example, two pieces of information that, in isolation, do not identify an individual could identify an individual when they are combined.

The Privacy Act contains 13 Australian Privacy Principles (APPs) that cover the handling of personal information by some private sector organisations, as well as most Australian Government agencies (collectively referred to as ‘APP entities’). The APPs are technologically neutral and set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information.

The Commissioner has a range of regulatory functions and powers under the Privacy Act, including specific functions with respect to data matching:

  • undertaking research into, and monitoring developments in, data processing and technology (including data matching and linkage) to ensure that any adverse effects of such developments on the privacy of individuals are minimised[5]
  • examining a proposal for data matching or linkage that may involve an interference with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals.[6]

In addition, the OAIC also oversees data matching activities conducted by Australian Government agencies under:

  • the Data-matching Program (Assistance and Tax) Act 1990 (DMPAT Act) and the Guidelines for the Conduct of Data-Matching Program (the statutory guidelines), which generally apply when Tax File Numbers (TFNs) are used for data matching; and
  • the Guidelines on Data Matching in Australian Government Administration (voluntary guidelines), issued under s 28(1)(a) of the Privacy Act, which apply to data matching activities outside the scope of the DMPAT Act.

The voluntary guidelines assist agencies to use data matching as an administrative tool in a way that complies with the APPs and represent the OAIC’s view on best practice with respect to undertaking data matching activities.

Several Government agencies have adopted the voluntary guidelines and seek an exemption from the Commissioner should they wish to depart from them. DHS have publicly stated that they adhere to the voluntary guidelines when undertaking their data matching activities, including data matching related to Centrelink’s compliance program.[7]

The voluntary guidelines recommend that agencies prepare and make publicly available a program protocol before commencing a data matching program. The purpose of a program protocol is to inform the public about the existence and nature of a data matching program and is a key requirement of the OAIC’s voluntary guidelines.[8]

DHS and data matching

Centrelink compliance program

In July 2016 DHS launched the automated Online Compliance Intervention (OCI) system (since renamed the Employment Income Confirmation (EIC) and now the Check and Update Your Income (CUPI) system[9]) for raising and recovering debts for the Pay-As-You-Go (PAYG) data matching program. The PAYG program matches earnings recorded on a customer’s Centrelink record with historical employer-reported income data from the Australian Taxation Office (ATO).

For further information regarding the flow of personal information through the Centrelink compliance program, see the report on the OAIC’s privacy assessment of the DHS’s PAYG data matching program at Attachment A.[10]

Privacy enquiries, complaints and assessments

The OAIC is responsible for responding to enquiries and complaints relating to the privacy aspects of DHS’s data matching activities, receiving mandatory data breach notifications and conducting assessments of DHS’s data matching programs. Since July 2016, the OAIC has received 5 enquiries and 2 privacy complaints relating to the privacy aspects of Centrelink’s compliance program.

Since 2017 the OAIC has conducted four privacy assessments in relation to DHS’s increased data matching activities using new methodologies and processes. One of the assessments was conducted on DHS’s PAYG data matching program.

The PAYG assessment was conducted following the Commonwealth Ombudsman’s investigation into the automated debt raising and recovery system in 2017.[11] The Commonwealth Ombudsman also conducted an implementation review in 2019.[12]

The Commonwealth Ombudsman’s investigation dealt with broad concerns about the Centrelink compliance program such as fairness, transparency and usability of the online system. The OAIC assessed the impact of the PAYG data matching program on an individual’s privacy and the reasonable steps taken by DHS to ensure personal information is handled in accordance with APPs 10 and 13. Further information regarding the OAIC’s assessment is set out below and in the OAIC’s assessment report at Attachment A.

Privacy assessment

The OAIC’s assessment of DHS’s PAYG data matching program was a risk-based assessment where the focus is on identifying privacy risks to the effective handling of personal information. Where risks are identified, recommendations are made based on the OAIC’s estimates of the relative privacy risk against the relevant legislative requirements, with the aim of assisting entities to improve their observed privacy practices and procedures. These assessments are a point-in-time exercise. The fieldwork for the assessment was carried out in December 2017.

Data quality and the correction of personal information

The OAIC’s privacy assessment of Centrelink’s compliance program identified several privacy risks which are outlined below. Our privacy assessment report provides further detail on our findings and can be found at Attachment A.

Specifically, the scope of this assessment was limited to considering DHS’s handling of personal information for the purposes of the PAYG program under APP 10 (quality of personal information) and APP 13 (correction of personal information).

The OAIC’s assessment considered privacy related risks, the reasonable steps that had been taken at the time[13] and additional steps that DHS could consider to ensure compliance with the Privacy Act.

APP 10 requires a regulated entity, such as DHS, to take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, up-to-date, complete and relevant, having regard to the purpose for which it uses or discloses the information.

APP 13 requires DHS to take reasonable steps to correct personal information to ensure that it is up-to-date, complete, relevant and not misleading, having regard to the purposes for which it uses the information. This includes steps that DHS must take if a customer makes a request for their personal information to be corrected. If DHS refuses any such step, the obligations also include providing a written notice to a customer,[14] and taking reasonable steps to associate a statement with the personal information that the customer believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading.[15]

The Commonwealth Ombudsman’s reports and the OAIC’s assessment

In April 2017, the Commonwealth Ombudsman published the Centrelink’s automated debt raising and recovery system: A report about the Department of Human Services’ Online Compliance Intervention system for debt raising and recovery (2017 Ombudsman report).[16] The investigation focused on debts raised by the OCI system[17] and examined concerns the Ombudsman had relating to the system. In particular, the Commonwealth Ombudsman considered the fairness, transparency and usability of the system. The report identified a range of issues and found that many could have been addressed by better project management, design, user testing and support for users of the online system. The Ombudsman’s 2017 report made eight recommendations, many of which centred on DHS’s communication to customers.[18]

The OAIC conducted the PAYG assessment later in 2017 after the Ombudsman’s investigation report. The OAIC’s assessment found that DHS had made improvements to the compliance program and associated processes since the Ombudsman’s investigation; however, there remained areas for improvement in relation to personal information. The OAIC identified potential privacy risks associated with the PAYG program and made five recommendations to address these risks.

The OAIC recommended that DHS:

  • implement additional measures to ensure the personal information it receives from the ATO for the PAYG program is accurate, up-to-date and complete, having regard to the purposes for which the personal information is being used
  • address the quality of the personal information in DHS records which are used in its PAYG program
  • in relation to the EIC process, implement additional measures to facilitate customer-initiated correction of information under the EIC process to ensure the outcome of the EIC process, following review by customers, is that any debt calculation is based on accurate, up-to-date and complete personal information
  • implement measures to ensure it is adhering to the minimum procedural requirements in relation to correcting personal information contained in APP 13 (specifically 13.2-13.5), whenever a customer raises concerns about their personal information being incorrect, including during the EIC compliance intervention process
  • continue to conduct privacy threshold assessments (PTAs), and where appropriate, privacy impact assessments (PIAs), for any future changes to the PAYG program. The OAIC also recommends that DHS ensure personal information quality is captured by the PIA process and that DHS monitor the implementation of any recommendations that arise out of such assessments.

DHS accepted all of the OAIC’s recommendations.

In April 2019, the Commonwealth Ombudsman published the Centrelink’s Automated Debt Raising and Recovery System Implementation Report (Implementation report).[19] The purpose of the investigation and report was to seek assurances that the Department of Social Services (DSS) and DHS had implemented the agreed recommendations in the 2017 Ombudsman report. The investigation found that DSS had implemented the recommendation for which it was responsible,[20] and DHS had made significant progress in implementing the remainder of the recommendations. The Ombudsman noted in their report that:

  • greater clarity in written and online communication had made the online and manual handling procedures fairer, more transparent and more user friendly
  • new policy guidance on the use of information gathering powers to assist customers who cannot obtain income information themselves was made publicly available and reinforced in staff training and communication
  • DHS had evaluated and redesigned their online and manual processes.[21]

However, the Ombudsman also noted that while DHS had made significant progress, further action was required. The Ombudsman made an additional four recommendations as part of the Implementation report.[22]

These further changes to the program and the Ombudsman’s additional recommendations align with the OAIC’s expectations in relation to APPs 10 (quality of personal information) and 13 (correction of personal information). Clear communication ensures that customers understand what information they are being asked to confirm, where DHS has sourced their personal information from, how customers can check if the information is correct, and how to gather and provide evidence to DHS if they think it is incorrect.

The OAIC remains engaged with DHS on ongoing privacy issues identified in the PAYG assessment.

Additional privacy matters

Open and transparent handling of personal information

Privacy by design

When undertaking the PAYG assessment, DHS indicated to the OAIC that a PIA was not conducted prior to the PAYG program commencing in 2004, nor prior to the introduction of the OCI (now EIC/CUPI) system in 2016. The OAIC’s assessment recommended that DHS continue to conduct PTAs and where appropriate, PIAs for any future changes to the PAYG program, including assessments of personal information quality risks where relevant.

APP 1.2 requires a ‘privacy by design’ approach to privacy protection by requiring entities to embed APP compliance in their information practices, procedures and systems. All Australian Government agencies, including DHS, are bound by the Privacy (Australian Government Agencies – Governance) APP Code 2017 (APS Privacy Code), which commenced on 1 July 2018. The APS Privacy Code particularises the openness and transparency requirements under APP 1.2, which includes the requirement for agencies to undertake a written privacy impact assessment (PIA) for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information. A PIA is a tool that systematically assesses the privacy impacts of a project and recommends strategies to manage, minimise or eliminate those impacts. A project involving personal information and data matching would generally be considered ‘high risk’ and the OAIC would expect that a PIA be conducted.[23]

It is important that agencies involved in data matching and automated decision making are as transparent as possible about their data practices. Good privacy practice such as ‘privacy by design’, together with effective communication and community engagement strategies can help to ensure that the handling of personal information is consistent with the community’s expectations.

Program Protocols

As part of its privacy oversight of DHS’s data matching activities, the OAIC has also considered the 2017 PAYG data matching protocol (published on the DHS website).[24] The OAIC noted that some sections of the PAYG program protocol could be improved to enhance transparency about how the PAYG program operates. Specifically, DHS should include more information on how the matched data is handled once it is collected from the ATO, including the role played by Centrelink’s compliance program. The OAIC sets out the matters a program protocol should address in the voluntary guidelines.[25]

International developments

Some international data protection regulations include additional principles beyond those rights and obligations in the Privacy Act. In particular, the European Union’s General Data Protection Regulation (GDPR) includes certain rights and obligations in relation to automated decision making.[26] The GDPR provides a right for individuals to be provided with information about the existence of automated decision-making including profiling, and meaningful information about the logic involved.[27] The OAIC recognises the importance of ensuring that Australia's privacy protection framework is fit for purpose in the digital age and has recommended that consideration should be given to the suitability of adopting certain GDPR rights in the Australian context where gaps are identified in relation to emerging and existing technologies.[28]

Attachment A

OAIC privacy assessment report, Handling personal information: Department of Human Services, PAYG data matching program, September 2019

Attachment A submitted as a separate document.

Footnotes

[1] Section 29.

[2] Section 2A.

[3] See ‘Key terms’ in the OAIC’s Guidelines on Data Matching in Australian Government Administration June 2014 (voluntary guidelines).

[4] Section 6 of the Privacy Act 1988 defines ‘personal information’ as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable’.

[5] Section 28A(2)(d).

[6] Section 28A(2)(b).

[7] See https://www.humanservices.gov.au/organisations/about-us/publications-and-resources/centrelink-data-matching-activities. Further, the 2017 PAYG data matching protocol at 1.2 states that ‘DHS…comply with these guidelines’.

[8] See guideline 3.1 of the voluntary guidelines.

[9] From October 2018 DHS began a ‘soft’ rollout of its enhanced online system known as CUPI which was informed by input from stakeholders, user testing and complaints data. People who were sent initiation letters prior to October 2018 will continue to use the EIC online system, while people sent initiation letters on or after 1 October 2018 will use the CUPI online system – see Commonwealth Ombudsman, Centrelink’s Automated Debt Raising and Recovery System, April 2019 at p. 1.

[10] Table 1, page 7 of the report provides a summary of the flow of personal information through the PAYG data matching program, including the EIC process.

[11] Commonwealth Ombudsman, Centrelink’s automated debt raising and recovery system, April 2017.

[12] Commonwealth Ombudsman, Centrelink’s Automated Debt Raising and Recovery System, April 2019.

[13] The fieldwork stage of an assessment is to collect sufficient information to enable the OAIC to identify how an entity is maintaining personal information in accordance with its obligations, in line with the scope, objectives and assessment criteria. Staff from the OAIC will usually attend the entity’s premises during the fieldwork stage over a set period of time. For further information see chapter 7 of the OAIC’s Guide to privacy regulatory action.

[14] APP 13.3, Schedule 1.

[15] APP 13.4, Schedule 1.

[16] Commonwealth Ombudsman, Centrelink’s automated debt raising and recovery system, April 2017.

[17] The Commonwealth Ombudsman’s 2017 report notes that since the end of 2016, the Commonwealth Ombudsman had received numerous complaints from people who had incurred debts under the OCI (p.4).

[18] The recommendations related to communication to customers through the contact letters sent to them, the messaging within the online portal itself, the ease with which some customers could obtain employment income evidence to update the information in the system, and the resources available to customers to understand how to use the system. In addition, the report noted the particular difficulties for vulnerable customers.

[19] Commonwealth Ombudsman, Centrelink’s Automated Debt Raising and Recovery System, April 2019.

[20] Recommendation 4(d) of the 2017 Ombudsman report sought to ensure that DSS gave clear guidelines on the use of s 192 of the Social Security (Administration) Act 1999 for EIC investigations in its Guide to Social Security Law. The Ombudsman was satisfied that this recommendation was met.

[21] Commonwealth Ombudsman, Centrelink’s Automated Debt Raising and Recovery System, April 2019, page 1.

[22] Commonwealth Ombudsman, Centrelink’s Automated Debt Raising and Recovery System, April 2019, page 3.

[23] PIAs are also recommended at paragraph 2.3 of the voluntary guidelines.

[24] As part of the OAIC’s privacy assessment, DHS have advised that they are reviewing an updated 2019 PAYG Protocol. At the time of drafting this submission (as at 26 September 2019), only the 2017 PAYG Protocol was available on DHS’s website.

[25] See guideline 3 and Appendix A of the voluntary guidelines.

[26] The European Commission has also adopted the Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, which provide guidance on the regulation of automated individual decision-making and profiling under the GDPR.

[27] Articles 13(2)(f), 14(2)(g), 15(1)(h) of the Regulation (EU) 2016/679 (General Data Protection Regulation).

[28] The OAIC made a submission on the final report of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. In the submission, the OAIC recommended, in the context of a broader review of privacy law, consideration of whether protections for individuals in relation to profiling and automated decision-making should be introduced in Australia. This submission will become publicly available online in due course.