Australian Government - Office of the Australian Information Commissioner

Privacy Assessment: Comcare — Open and transparent management of personal information, Collection and Notification

Assessment undertaken: December 2015
Draft report issued: June 2016
Final report issued: September 2016

Part 1: Introduction

Summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Comcare.

1.2 The purpose of the assessment was to assess the policies and procedures put in place by Comcare to guide staff practices in order to meet requirements under the Privacy Act 1988 (Cth) with respect to:

  • managing personal information in an open and transparent way as required by Australian Privacy Principle (APP) 1
  • collecting personal information and sensitive information in accordance with APP 3
  • notifying individuals of the collection of personal information as required by APP 5.

1.3 The assessment was conducted on 8 and 9 December 2015 at Comcare’s offices in Canberra, ACT. Assessors conducted interviews with relevant Comcare staff, reviewed Comcare’s Privacy Policy and other relevant policy and procedure documents, and reviewed notifications provided to individuals of the collection of personal information.

1.4 The OAIC identified two medium privacy risks associated with Comcare’s handling of personal information and has made two recommendations to address these risks.

Part 2: Description of assessment target

2.1 Comcare is established under the Safety, Rehabilitation and Compensation Act 1988 (Cth) (the SRC Act). Under the SRC Act, Comcare has a range of functions relating to rehabilitation and compensation for Australian Government employees. Employees may make claims under the SRC Act for compensation for injuries suffered in the course of their employment, subject to various conditions set out in the SRC Act. In the 2013–14 financial year, Comcare accepted 6,278 workers’ compensation claims under the SRC Act.[1]

2.2 Comcare has further functions under legislation including the Seafarers Rehabilitation and Compensation Act 1992 (Cth), the Asbestos-Related Claims (Management of Commonwealth Liabilities) Act 2005 (Cth), and the Work Health and Safety Act 2011 (Cth). These functions are outside the scope of this assessment.

Comcare’s claims process

2.3 An employee with a claim (claimant) initiates a claim for workers’ compensation under the SRC Act by completing the Workers’ Compensation Claim Form. The completed form is provided to Comcare by either the claimant or their employer. Submitted claims forms are scanned and stored in Comcare’s case management system.

2.4 Once a claim is received, a Comcare Claims Service Officer (CSO)[2] is assigned to the claim. The CSO is the primary point of contact between Comcare and the claimant. The CSO makes an assessment of the claim, and may seek further information from the claimant, the claimant’s employer, or the claimant’s treating providers (doctors and other health practitioners). A CSO’s assessment results in a determination being made as to Comcare’s liability for the claim. If Comcare accepts liability, the claimant may receive compensation or ongoing treatment for their injury.

2.5 Claims are initially handled by a CSO within Comcare’s ‘Early Intervention’ team. After six months, continuing claims are transferred to the ‘Ongoing Claims’ team. Some straightforward claims (for example, a broken arm or repetitive strain injury arising in the course of employment) may be resolved relatively quickly by the Early Intervention team. Other claims (for example, claims requiring physiotherapy treatment over a number of years) may take longer. The SRC Act entitles a claimant to compensation for loss of earnings until age 65 and medical treatment for life, as long as it relates to the accepted compensable injury.

2.6 Comcare CSOs maintain ongoing contact with claimants. In longer-term claims, this contact may be relatively infrequent. Comcare’s Periodic Review Form is sent on an annual basis to claimants who are off work and receiving benefits. A CSO would generally contact a claimant if new information was required.

2.7 A claimant who disputes Comcare’s determination may request reconsideration. Reconsideration of claims is handled by review officers within Comcare’s ‘Disputed Claims’ team. Review officers have access to all of the information that was available to the CSO who made the determination; however, they may also seek additional information if required.

Part 3: Description of assessment

Objective and scope

3.1 The objective and scope of this assessment were to determine whether Comcare’s collection of personal information and notification practices in relation to its functions and activities under the SRC Act meet the requirements of the following Australian Privacy Principles (APPs):

  • APP 1 (Open and transparent management of personal information)
  • APP 3 (Collection of solicited personal information)
  • APP 5 (Notification of the collection of personal information)

3.2 The assessment was limited to Comcare’s functions and activities under the SRC Act.

3.3 The focus of the assessment was on policies and procedures put in place by Comcare to guide staff practices relating to privacy, collection of personal information and notification. Assessment outcomes therefore relate to the adequacy of these policies and procedures, rather than Comcare’s practices.

Timing, location and assessment techniques

3.4 The assessors conducted the fieldwork component of the assessment on 8–9 December 2015 at Comcare’s offices at Level 4, 121 Marcus Clarke Street, Canberra ACT 2600.

3.5 Assessors employed the following assessment techniques:

  • document review of key internal policies and procedures
  • interviews with key staff to assess relevant processes, procedures and staff awareness
  • desktop review of Comcare’s privacy policy and privacy notices provided at the various points of collection (online, phone, hard copy).

Information obtained during the assessment

3.6 Comcare provided the OAIC assessors with a range of documents during the assessment. These documents are listed at Appendix A.

Privacy risks

3.7 This assessment was conducted as a risk-based assessment. A risk-based assessment focuses on identifying privacy risks to the effective handling of personal information by an entity in accordance with the Privacy Act.

3.8 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix B. A recommendation is a suggested course of action or a control measure that, if put in place by Comcare, will (in the opinion of the OAIC) minimise the privacy risks identified during the assessment. Further information about the OAIC’s assessment process can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.[3]

3.9 The OAIC identified two medium privacy risks associated with Comcare’s handling of personal information and has made two recommendations to address these risks.

Reporting

3.10 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.

3.11 Assessments are also generally described in the OAIC's annual report.

3.12 This report has been published in full.

Part 4: Assessment issues: open and transparent management of personal information

4.1 The object of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.

4.2 APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems that:

  • will ensure that the entity complies with the APPs
  • will enable the entity to deal with enquiries or complaints from individuals about the entity’s compliance with the APPs.

4.3 The OAIC’s APP Guidelines provide examples of practices, procedures and systems that an entity should consider implementing. The OAIC’s Privacy Management Framework provides further guidance on steps that an APP entity may take to address the requirements of APP 1.2.

4.4 APP 1.3 requires an APP entity to have a clearly expressed and up-to-date APP privacy policy that covers a range of matters set out in APP 1.4. Under APP 1.5, an APP entity must take reasonable steps to make its APP privacy policy available free of charge and in an appropriate form.

Observations

Governance mechanisms

4.5 Comcare’s privacy obligations are managed by a privacy unit comprising (at the time of the assessment) two dedicated privacy officers, one assistant director (whose responsibilities include privacy and freedom of information) and one director. The privacy unit sits within Comcare’s Corporate Legal team, which forms a part of Comcare’s Corporate Management Group. The General Manager of Corporate Management Group has overall responsibility for privacy, and reports to the Comcare CEO directly.

4.6 The privacy unit’s main functions are:

  • responding to and advising on privacy complaints and enquiries from Comcare staff, claimants and the public
  • providing guidance and training to Comcare on privacy obligations and issues
  • responding to privacy breaches.

4.7 Comcare’s privacy unit also prepares fortnightly and monthly privacy reports for Comcare’s management. These reports list matters that are before the OAIC (for example, complaints that have been made to the OAIC about Comcare), privacy breach notifications and enquiries received by Comcare, and ongoing privacy statistics.

Privacy by design

4.8 The OAIC considers that entities that handle personal information should build privacy into their projects and programs at the design stage. Building privacy protections into a project or program from the start, rather than adding these protections at a later stage, is known as ‘privacy by design’.[4]

4.9 Comcare has taken steps to ensure that privacy obligations are considered in the development of new projects and programs. Before a new project or program begins, Comcare project staff are required to complete a threshold assessment to determine whether or not a privacy impact assessment (PIA) is required for that project or program. A guide to preparing a PIA is contained in Comcare’s Privacy Impact Assessment Guide. Completed PIAs are sent to the privacy unit for comment as to whether or not the privacy impacts of the project or program are acceptable.

4.10 On completion of a project, Comcare project staff prepare a ‘lessons learned’ document that identifies any problems faced during the project (including privacy-related problems) or ways in which future projects could be improved.

Policies and procedures to ensure compliance with the APPs

4.11 The OAIC assessors were provided with a number of key Comcare policies relating to privacy. Key policy documents are described below.

4.12 The Comcare APP Privacy Policy (the Privacy Policy) was drafted by an external party. The Privacy Policy is reviewed by Comcare’s privacy unit every six months, or when a significant event occurs (such as a data breach or a change in relevant laws). Following approval by Comcare’s executive, Comcare staff and claimants are notified of the new policy. The contents of the Privacy Policy are discussed in more detail in paragraphs 4.30–4.32 below.

4.13 The CEO Direction—Privacy (the CEO Direction) sets out roles, responsibilities, and policies relating to privacy within Comcare. The CEO Direction requires the appointment of a privacy officer whose responsibilities include:

  • maintaining the Privacy Policy
  • coordinating privacy training
  • recommending a program of privacy audits to Comcare’s corporate governance unit
  • advising Comcare staff and management on privacy breaches
  • maintaining Comcare’s relationship with the OAIC.

4.14 The CEO Direction also sets out the privacy responsibilities of all Comcare staff. These responsibilities are aligned with the APPs. The CEO Direction requires Comcare staff to undertake an annual e-learning module on privacy, and to report any breach or suspected breach of privacy to the privacy officer. Comcare’s managers are required to promote the importance of meeting Comcare’s privacy obligations and to ensure that their staff are adequately trained in privacy.

4.15 Comcare’s Data Breach Response Plan sets out the staff involved in responding to a data breach, the steps staff should take to contain a data breach, the factors that should be considered when determining whether to notify affected individuals and the OAIC of a breach, and the steps to be taken to protect against future breaches.

4.16 The Privacy Assessment Procedure describes the process for responding to a potential breach of one or more of the APPs. This process includes an initial assessment of whether a breach may have occurred, the appointment of an officer to investigate the breach, preparation of an assessment report into the breach, possible notification of the breach, and consideration of recommendations to address any systemic issues.

4.17 Further policies and procedures specific to CSOs are contained in the Comcare Claims Policies and Procedures Manual (CPPM). The CPPM sets out procedures and relevant background information to assist Comcare staff with the management of compensation claims. Comcare provided the assessors with extracts of the CPPM related to privacy. These included, for example, extracts describing the procedures for requesting information from employees (claimants), for dealing with CCTV footage provided in support of a claim, for actioning a claimant’s withdrawal of consent, and for reporting inappropriate access to claimant information. The CPPM includes a section on privacy and summarises Comcare’s responsibilities under the APPs in this section.

Staff training

4.18 Comcare provides induction and ongoing privacy training to its staff. The current training program was developed following the amendments to the Privacy Act in 2014.

4.19 Induction training provided to all Comcare staff includes a module on privacy. This module provides staff with an overview of their privacy obligations and guidance on how to protect privacy. CSOs receive more detailed induction training on privacy. This training goes into greater detail about the Privacy Act and the APPs, and provides guidance on good information handling practices and on responding to privacy breaches. Staff in Comcare’s Claims and Liability Management group also receive face-to-face privacy training.

4.20 Staff training is supported by an e-learning module, developed in 2015. Completion of this module is compulsory for all staff and forms part of staff members’ performance evaluations.

4.21 Contractors and non-ongoing staff receive the same privacy training as ongoing Comcare staff.

4.22 In addition to these training programs, Comcare staff have access to a range of privacy factsheets. Staff also receive privacy news items, awareness-raising material and alerts through Comcare’s internal network, and further awareness-raising material is distributed during Privacy Awareness Week each year.

Auditing and risk management

4.23 An audit committee, comprised of external members with relevant expertise, operates across all of Comcare’s activities. This committee develops a program of audits each year, based on an assessment of compliance risks across Comcare. Under the CEO Direction, the privacy officer must recommend a program of privacy audits to the audit committee for consideration in developing the annual audit plan. The most recent external privacy audit of Comcare was completed in late 2014.

4.24 Comcare’s privacy unit maintains a compliance plan that identifies compliance risks arising under the Privacy Act, and sets out controls used to manage these risks, such as staff training.

Complaints, enquiries and privacy breaches

4.25 Comcare’s privacy unit receives privacy complaints and enquiries from claimants via email and telephone. Claimants may also make a complaint or enquiry through CSOs; these complaints and enquiries are passed on by the CSOs to the privacy unit.

4.26 Privacy breaches (or possible privacy breaches) are primarily brought to Comcare’s attention through notification by staff or claimants. Staff are required to inform the Comcare privacy unit of any potential breach. The privacy unit considers the potential breach against a risk assessment framework, contacts relevant staff within Comcare (including management and security officers), and prepares a written report on the incident.

4.27 The report is sent to the Director of the relevant line area where the breach occurred, and may include recommendations regarding remedial action or changes to policies or procedures. If a complaint was made, a response letter will be sent to the complainant, which includes information about the complainant’s right to an internal review by Comcare and information about making a complaint to the OAIC.

4.28 Comcare’s Privacy Assessment Procedures outline the privacy unit’s processes for responding to privacy breaches, and include a privacy breach report template.

4.29 Comcare staff training includes information on identifying and responding to privacy breaches. The process for identifying and reporting privacy breaches is set out in Comcare’s Privacy Factsheet 3: Identifying and Resolving a Privacy Breach and Data Breach Response Plan. The OAIC assessors were also provided with a recent copy of an information bulletin sent to Comcare staff outlining ways to avoid common privacy breaches and steps to be taken if a privacy breach is suspected.

APP privacy policy

4.30 The assessors were provided with an electronic copy of the Privacy Policy, last reviewed in November 2015. The Policy is readily accessible in PDF format through the Comcare website, via a prominent link at the bottom of Comcare’s home page. The website also includes information on obtaining copies of the Privacy Policy in other formats, including hard copy.

4.31 Under APP 1.4, an APP privacy policy must describe:

  • the kinds of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for which the entity collects, holds, uses and discloses personal information;
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  • how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients;
  • if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

4.32 Comcare’s Privacy Policy addresses the majority of these issues.[5] The assessors found that the Policy is clearly expressed, and avoids overly complex or technical language.

Privacy issues

4.33 The assessors did not identify any particular privacy risks warranting recommendations with respect to APP 1.2. Assessors consider that Comcare has taken steps to implement many of the practices, procedures and systems identified in the APP Guidelines and the Privacy Management Framework. In particular, assessors note the merits of preparing a ‘lessons learned’ document on completion of a project as a means of evaluating the effectiveness of Comcare’s practices, procedures and systems in protecting privacy and ensuring compliance with the APPs.

4.34 APP 1.4(b) requires a description of how personal information is stored and secured—for example, whether the information is stored by a third party storage provider. Comcare’s Privacy Policy includes minimal information about the storage and security of personal information. The Policy states that Comcare’s records are held in accordance with the Archives Act 1983 (Cth) (the Archives Act) and that schedule 2 of the Policy describes how Comcare holds each of the classes of personal information it collects. However, the assessors noted that neither the Archives Act nor schedule 2 of the Policy describes how personal information is held. The assessors suggest that Comcare consider taking steps to include this type of information in its Privacy Policy.

4.35 Comcare should also make the Privacy Policy available in an accessible format, such as HTML, that complies with the Web Content Accessibility Guidelines version 2.0 (WCAG 2.0) endorsed by the Australian Government. APP 1.5 requires an APP entity to take reasonable steps to make its privacy policy available free of charge, and in an appropriate form. An APP entity is generally expected to make its policy available by publishing it on its website. If it is foreseeable that the policy may be accessed by individuals with particular needs (such as individuals with a vision impairment, or individuals from a non-English speaking background), appropriate accessibility measures should be put in place. The assessors note that the Comcare website includes instructions for obtaining the Privacy Policy and other documents in other formats; however, this may not satisfy the requirements of APP 1.5(b).[6]

4.36 The WCAG 2.0 are the internationally recognised benchmark for website accessibility. The Guidelines contain a number of requirements for making web content more accessible for people with disabilities. At the time of the assessment, Comcare’s Privacy Policy was only available online in PDF format, and there is a risk that some individuals may not be able to access the policy in this format. PDF does not necessarily have the required accessibility support to fully claim WCAG 2.0 compliance, so it generally cannot be solely relied upon for the provision of website information.

Recommendation

Recommendation 1: Comcare should publish its Privacy Policy on its website in a format that conforms to WCAG 2.0.

Part 5: Assessment issues: collection of solicited personal information

5.1 APP 3 provides the circumstances in which an agency (or other APP entity) may collect solicited personal information, including sensitive information.

5.2 APP 3.1 limits the personal information (other than sensitive information) that an agency may collect to information that is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

5.3 APP 3.3 limits the collection of sensitive information by an agency. An agency must not collect sensitive information about an individual unless:

  • the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities, or
  • one of the situations in APP 3.4 applies (this includes, for example, where the collection is required or authorised by law, or where the collection is necessary to reduce or prevent a serious threat to the life or health of an individual).

5.4 Under APP 3.5, an APP entity must only collect personal information by lawful and fair means.

Observations

Sources of personal information

5.5 The types of personal and sensitive information collected by Comcare are set out in an appendix to the Comcare Privacy Policy, along with the purpose of collection of each type of personal information.

5.6 Comcare collects personal and sensitive information from a number of sources during the claims process:

  • Individual claimants provide personal and sensitive information about themselves through claims forms. At the time of this assessment, claims forms had to be lodged in hard copy. The main claim form is the Workers’ Compensation Claim Form. A full list of claims forms provided to the OAIC by Comcare is provided in Appendix A.
  • Individual claimants provide personal and sensitive information to Comcare in support of a compensation claim. This may include, for example, emails, employment records, or medical reports. Comcare has a power to request relevant information or documents from a claimant under s 58 of the SRC Act.
  • Employers may provide personal or sensitive information about claimants. Section 71 of the SRC Act provides Comcare with the power to require a claimant's employer to provide documents or information (such as emails, leave records, counselling records, meeting requests, records of conversations, or workstation ergonomic assessments) that are relevant to the claim.
  • Treating providers (doctors and medical specialists) may provide personal and sensitive information to Comcare about their patients. This may include the provider’s clinical notes about the claimant, or a medico-legal report.[7] Comcare does not have a legislative power to request documents or information from treating providers,[8] so collection from treating providers is carried out on the basis of the claimant’s authority, provided in the claim form.
  • Independent medical experts may provide personal and sensitive information about a claimant referred to them. Comcare has a power to refer a claimant to an independent medical expert under s 57 of the SRC Act. A claimant may be referred to an independent medical expert if, for example, there are conflicting reports from treating providers or a claimant’s treating provider does not provide the requested information.
  • A ‘Clinical Panel’ comprising legally qualified medical experts may also be engaged to provide expert advice to CSOs in relation to the management of a claimant’s claim. Members of the Clinical Panel are part-time employees of Comcare and conduct their work as Clinical Panel members onsite at Comcare facilities, using Comcare’s IT resources.

5.7 The amount of personal or sensitive information collected about a claimant will depend on the type of injury and its severity. Comcare indicated to the assessors that some simpler claims (such as claims for more straightforward physical injuries) may require only a statement from the claimant and a medical certificate, whereas complex physical injuries, chronic diseases or psychological injuries may require the collection of more personal or sensitive information. The decision to request documents or information from an employer or a treating provider, or to refer the claimant to an independent medical expert, will likewise depend on the complexity and type of compensable condition.

5.8 Comcare staff informed the assessors that treating providers do not always provide the requested information, and in many cases will require clear authority from the claimant and may contact the claimant separately to discuss the information being requested.

Reasonably necessary or directly related

5.9 APPs 3.1 and 3.3 require that personal or sensitive information, respectively, is only collected if it is reasonably necessary or directly related to one or more of the APP entity’s functions or activities. Comcare’s functions include making determinations of workers’ compensation claims under the SRC Act.[9] The OAIC assessors were informed that Comcare does not rely on APP 3.4 for its collection of sensitive information.

5.10 Comcare generally seeks to limit its collection of personal and sensitive information to information that is ‘relevant’ to a claim.[10] This is reflected in the Claims Policies and Procedures Manual (CPPM) and in templates for correspondence to treating providers and employers. The CPPM section titled Medical Report states that ‘[w]hen requesting clinical notes the CSO should only collect the relevant clinical records that relate to the condition the employee is claiming for’.

5.11 The correspondence template Request for a medical report (detailed), which is sent to a claimant’s treating provider to request a medical report, requests specific information (such as consultation dates and causes of injury) of the claimed condition, as well as ‘relevant history, pre-existing or underlying conditions’, and additional comments about any other matters which the treating provider considers ‘relevant to the claim’.

5.12 The template also informs the treating provider that the claimant’s employer is entitled to access the report under the SRC Act, and that the provider should therefore ‘exclude any sensitive or deeply personal information which is not relevant to the claim’.

5.13 Although these documents emphasise that only relevant information should be collected, there appears to be some difficulty in determining whether or not a particular piece of information is relevant to a claim and in ensuring that no irrelevant information is collected. Comcare staff interviewed during this assessment noted that determining whether information is relevant to a medical condition is a task suited to treating providers rather than CSOs. CSOs may lack the knowledge to decide whether a particular medical condition is related to the compensable condition claimed. Comcare staff also noted, however, that determining whether information is relevant to a claim, rather than related to a medical condition, is a task suited to CSOs rather than treating providers.

5.14 Assessors were advised that, in some cases, treating providers may provide extraneous or additional information that is not relevant to the claim. Comcare has processes in place to deal with this irrelevant personal or sensitive information. The assessors were informed that when a CSO receives material from a treating provider that the CSO considers to be irrelevant to the claim, the CSO can either redact the irrelevant portions of the information or, if entire documents are irrelevant, return the irrelevant documents to the treating provider.

5.15 This process involves retrieving documents or information from storage, identifying the irrelevant information to be redacted, having a staff member with access to the appropriate software redact the irrelevant information, printing the documents with redactions, scanning the documents with redactions, and storing the rescanned documents. This process helps to ensure that irrelevant material, if received, is not retained or used.

5.16 The requirement to redact or return irrelevant information is also set out in policies and correspondence templates. The Medical Report section in the CPPM, referred to above, states that ‘[i]f a CSO receives copies of clinical notes and there are pages that are not relevant to the employee's claimed condition, these pages should be removed from the claim file and returned to the medical practitioner. However, if a CSO receives copies of clinical notes and there is information contained within the clinical notes that is not relevant to the employee's claimed condition then the CSO will need to blank out the information that is not relevant’.

Consent

5.17 Under APP 3.3, collection of sensitive information by an agency requires that the individual consents to the collection. Under the APP Guidelines, this consent should be informed, voluntary, current and specific, and given by individuals with capacity to do so.[11]

5.18 Consent for the collection of sensitive information is initially obtained by Comcare through the Workers’ Compensation Claim Form. In completing this form, the claimant consents to:

the collection, use and disclosure of my relevant personal and medical information by Comcare and any relevant parties, including those listed [in the claim form], for purposes connected with the assessment and management of [the claimant’s] compensation claim, and by Comcare to carry out its regulatory functions.

5.19 Depending on the nature of the claim, consent may also be obtained through other claim forms, such as the Compensation Claim for Permanent Impairment and Non-economic Loss—Form and Checklist.

5.20 The OAIC assessors were advised that renewal of consent is often driven by treating providers requiring patients’ recent authority before disclosing information to Comcare. Some claimants request that Comcare obtain their consent before any requests for information are made to treating providers, and Comcare advised the OAIC assessors that such requests would normally be followed. Where a claim is ongoing (for example, where long-term medical treatment is required), CSOs contact claimants on a regular basis to ensure that consent remains current. These procedures did not appear to be set out in policy or procedure documents such as the CPPM; however, staff interviewed by the assessors appeared to have a good understanding of the importance of obtaining current consent.

5.21 Comcare staff advised that where a claimant lacks capacity to provide consent, a representative will typically be able to provide consent on that claimant’s behalf.

5.22 Consent is generally provided on the basis that refusal to consent to collection will result either in a claim being terminated or in a claim being determined without the additional information being taken into consideration. Section 58 of the SRC Act allows Comcare to refuse to deal with a claim if the claimant refuses or fails to provide requested documents or information within 28 days of the request being made.

5.23 There appears to be an inconsistency in statements relating to withdrawal of consent between Comcare policies and claim forms. For example, the CPPM section on Employee Authority and Consent and the Consent to Interview with an Information Gathering Service state that consent to the use or disclosure of personal information related to the primary purpose of collection cannot be withdrawn. However, when signing the authority and declaration in the Workers’ Compensation Claim Form, a claimant confirms that they understand that withdrawing their consent may result in their claim being suspended or cancelled.

Lawful and fair means

5.24 The APP Guidelines give examples of collection that would be unlawful, such as collection through unauthorised access to a computer system and collection by a means that would constitute a civil wrong.[12] The Guidelines also state that a ‘fair means’ of collection is one that ‘does not involve intimidation or deception, and is not unreasonably intrusive’.[13] Examples of unfair means of collection include collection from an individual who is traumatised or in shock, collection from a file accidentally dumped on a street, and collection by deception.

5.25 There was no indication that Comcare’s collection involves unlawful or unfair means.

Privacy issues

Reasonably necessary or directly related

5.26 As identified above, treating providers may in some cases provide additional or extraneous information about a claimant’s medical condition in response to a request from Comcare. In these circumstances, assessors consider that there is a risk that Comcare is collecting information that is not reasonably necessary for, or directly related to, its functions or activities as required by APPs 3.1 and 3.3.

5.27 Assessors note that Comcare has taken steps to ensure that CSOs and third parties are aware that only relevant information should be collected. However, the assessors consider that there remains a risk that irrelevant information (that is, personal information that is neither reasonably necessary for, nor directly related to, Comcare’s functions or activities) will be collected.

5.28 Comcare should consider providing additional guidance to third parties about the types of information that Comcare considers relevant when requesting personal information. Comcare should also consider providing additional guidance and training to Comcare staff about the types of information that would be considered relevant.

Consent

5.29 Assessors consider that Comcare has in place policies and procedures to ensure that consent is informed, voluntary, current and specific, and given by individuals with capacity to do so or suitable representatives of individuals who do not have such capacity.

5.30 Assessors identified some inconsistencies between statements in Comcare policies and claim forms about withdrawal of consent to the use or disclosure of personal information related to the primary purpose of collection. Under the APP Guidelines, an individual should be able to withdraw their consent at any time, regardless of whether the consent related to the primary purpose of collection or a secondary purpose.[14] However, the APP Guidelines also recognise that there may be consequences if an individual withdraws their consent. Comcare staff informed the assessors that if a claimant refuses their consent to collection, a claim must either be withdrawn or considered on the available information (see paragraph 5.22 above), and there may be similar consequences if an individual withdraws their consent. Comcare may consider updating its policies to acknowledge that an individual may withdraw their consent, and to advise the individual of any consequences that may result from their withdrawal.

Recommendation

Recommendation 2: Comcare should consider providing further guidance around the meaning of ‘relevant’ to treating providers and other third parties from whom personal or sensitive information is requested. Comcare should also consider providing further guidance and training to assist Comcare staff in determining whether information is relevant to a claim.


Part 6: Assessment issues: notification of the collection of personal information

6.1 APP 5 requires an APP entity that collects personal information (including sensitive information) about an individual to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. An APP entity must take these reasonable steps before, at, or as soon as practicable after it collects the personal information.

6.2 The matters that an individual must be notified about are listed in APP 5.2 and include:

  • the APP entity’s identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • the entity’s usual disclosures of personal information of the kind collected by the entity
  • information about the entity’s APP privacy policy
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

Observations

Content of notifications

6.3 Comcare provides notification of collection on its claim forms and, in some circumstances, by telephone.

6.4 Comcare includes privacy statements on its various claim forms and related documentation. Some of these forms, such as the Workers’ Compensation Claim Form, contain detailed privacy statements. Other forms provided to claimants by Comcare, such as the Journey Claim Form, contain reduced privacy statements.

6.5 The OAIC assessors reviewed the privacy statements in the claims forms provided by Comcare. Comcare provides the required notification at or before the time of collection. Notifications were generally clearly expressed and displayed prominently on the forms. The claims forms with full privacy statements contained the information required under APP 5.2.

6.6 Comcare staff informed the OAIC assessors that the forms with reduced privacy statements would typically only be completed by claimants who had a pre-existing relationship with Comcare and had already been provided with more detailed notification about Comcare’s collection practices. For example, the Journey Claim Form would only be completed by an individual who had previously completed the Workers’ Compensation Claim Form, and who had therefore already been provided with the more complete notification of collection contained in the latter form.

6.7 Notification of collection may also be provided by telephone. This typically arises when a CSO requires new information about an ongoing claim—claimants are contacted to obtain authorisation to request the additional information from treating providers. The assessors were informed that in these cases the CSO may provide some, but possibly not all, of the information set out in APP 5.2.

6.8 Assessors were advised that the Comcare privacy unit is consulted on any proposed changes to the privacy notifications.

Privacy issues

6.9 The claims forms containing reduced privacy statements do not address all of the matters set out in APP 5.2. However, APP 5.1 requires notification of the matters set out in APP 5.2 as ‘reasonable in the circumstances’. Chapter 5 of the APP Guidelines sets out examples of where it may be reasonable not to provide notification at collection. Two relevant examples are:

  • where the individual is already aware of the fact that information is being collected and of the matters set out in APP 5.2
  • where the collection takes place on a recurring basis in relation to the same matter.

6.10 The OAIC assessors consider that, given the circumstances in which the forms with reduced privacy statements would generally be used, the notifications in these forms appear to be reasonable in the circumstances.

6.11 Similarly, although notifications provided by telephone (as discussed in paragraph 6.7 above) do not contain all of the information listed in APP 5.2, assessors were advised that the claimants in these cases have ongoing relationships with Comcare. The assessors consider that partial notifications during these telephone contacts are reasonable in the circumstances.


Part 7: Summary of recommendations

Recommendation 1: Comcare should publish its Privacy Policy on its website in a format that supports the WCAG 2.0 guidelines.

Comcare response:

  • We note the recommendation and confirm that, based on the majority of Comcare clients accessing documentation from our website through desktop devices, we publish a WCAG 2.0 compliant PDF version of our Privacy Policy. To ensure complete accessibility, Comcare has now added an RTF version of the Privacy Policy to our website.

Recommendation 2: Comcare should consider providing further guidance around the meaning of ‘relevant’ to treating providers and other third parties from whom personal or sensitive information is requested. Comcare should also consider providing further guidance and training to assist Comcare staff in determining whether information is relevant to a claim.

Comcare response:

  • Although Comcare does provide some guidance on relevancy to treating providers and third parties, we acknowledge that further guidance may be helpful and will look to develop further material as appropriate and in line with our obligations under APP 3.
  • Comcare will also further enhance privacy training and guidance around the meaning of ‘relevant’ to internal staff in relation to requesting personal or sensitive information.


Appendix A — Documents provided to the OAIC by Comcare

Access to Leave and Release of Comcare Payments

Additional Advice to Injured Workers

Application for Household, Attendant Care and/or Child Care Services

Applying APP 6 to Your Work

Authority and Consent for the Collection and Release of Medical Information Pertaining to My Claim

Authority and Consent for the Release of Superannuation Information

Authority/Removal of Authority to Act on an Employee’s Behalf

CEO Direction—Privacy

Claim for Aids or Appliances Excluding Hearing Aids

Claim for Alterations to a Place of Residence/Work or Modifications to a Vehicle/Article

Claim for Compensation for a Work-Related Death

Claim for Exercise as Medical Treatment

Claims Management Model (process diagram)

Claims Policies and Procedures Manual (extracts)

Clinical Framework for the Delivery of Health Services

Compensation Claim for Permanent Impairment and Non-Economic Loss—Form and Checklist

Consent to Interview with an Information Gathering Service

Correspondence templates (various)

Data Breach Response Plan

Electronic Funds Transfer (EFT)—Request for Injured Workers

Information Regarding Your Attendance at a Medical Centre

Internal Audit Draft Report

Journey Claim Form

Manager Notes—Personal Email @ Work

Medical Services Claim Form

Organisational Chart

Pay Start Information

Periodic Review Form: Section 58 Notice to Provide Information and Documents Relevant to Your Claim

Privacy Act Compliance Plan

Privacy Assessment Procedure

Privacy Breach Alert—Check Before You Hit Send—Protecting Privacy When Emailing

Privacy Breach Assessment Report Template

Privacy E-Learning Program

Privacy Factsheet #1: Overview of the Privacy Act

Privacy Factsheet #2: Protecting privacy @ work

Privacy Factsheet #3: Identifying and resolving a privacy breach

Privacy Factsheet #4: Anonymity and pseudonymity

Privacy Factsheet #5: Collection of unsolicited information

Privacy Factsheet #6: Correction of personal information

Privacy Factsheet #7: Use or disclosure of personal information

Privacy Factsheet #8: Cross border disclosure of personal information

Privacy Fortnightly Report

Privacy Impact Assessment (PIA) Guide

Privacy Induction Module

Privacy Monthly Report

Privacy News Item (referring to changes to the Privacy Act in March 2014)

Privacy Policy

Record of Earnings/Claim for Incapacity for Work: Statement of Hours Worked and Gross Weekly Earnings in Paid Employment

Record of Earnings/Claim for Incapacity for Work: Statement of Hours Worked in Self-Employment

Section 45 Election Form

Statement of Financial Circumstances

The Active Management Model and New Claims

Training Presentation—Privacy at Comcare

Using Your Personal Email @ Work

Workers’ Compensation Claim Form


Appendix B — Risk based assessments: privacy risk guidance

The table below sets out, for each privacy risk rating, the entity action required and the likely outcome if the risk is not addressed.

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation.

Likely outcome if risk is not addressed: Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation.

Likely outcome if risk is not addressed: Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation.

Likely outcome if risk is not addressed: Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met


Footnotes

[1] Comcare Annual Report 2014, p 71.

[2] Claims Service Officers are now referred to as ‘Claims Managers’ by Comcare. This report reflects the terminology used at the time of the assessment.

[3] Office of the Australian Information Commissioner, Guide to privacy regulatory action, viewed 8 August 2016, <www.oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action/>.

[4] Office of the Australian Information Commissioner, Guide to securing personal information, viewed 8 August 2016, <www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information>.

[5] While Comcare’s Privacy Policy does not include a list of countries to which personal information may be disclosed, Comcare advised that it is not likely to disclose personal information to overseas recipients.

[6] See also APP Guidelines 1.36.

[7] A medico-legal report is a specific type of report prepared by a medical practitioner for legal purposes.

[8] The Safety, Rehabilitation and Compensation (Improving the Comcare Scheme) Bill 2015 would amend the SRC Act to provide Comcare with this power.

[9] Safety, Rehabilitation and Compensation Act 1988 (Cth) s 69(a).

[10] This terminology is also used in the SRC Act: ss 58(1)(a), 71.

[11] APP Guidelines, B.35.

[12] APP Guidelines 3.60–3.61.

[13] APP Guidelines 3.62.

[14] APP Guidelines, B.51.
