Publication date: 15 January 2021

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Department of Human Services’ (DHS – now known as Services Australia) [1] handling of personal information under the Privacy Act 1988 (Cth), conducted in September 2019.

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

1.3 The scope of this assessment considered whether DHS’s handling of personal information, for the purposes of the Annual Investment Income Report data matching program (AIIR program), was done in accordance with APP 1.2 (open and transparent management of personal information), APP 5 (notification of the collection of personal information) and APP 12 (access to personal information). While this assessment predominantly focussed on the enhanced AIIR program from 2018, the OAIC considered the original AIIR program prior to 2018 where relevant to the overall end-to-end data matching process.

1.4 The assessment found that DHS has taken steps to document its information handling policies, practices and procedures, notify individuals of the collection of personal information and allow access to personal information held by the department. However, the OAIC also identified privacy risks associated with the AIIR program and made four recommendations in the report to address these risks.

1.5 The OAIC recommends that DHS:

  • reviews its risk management processes for the AIIR program to ensure that all privacy and information security risks are appropriately monitored, identified, treated, recorded and reported to senior management
  • regularly reviews and revises its cyber security policy documentation, such as the Cyber Security Incident Response Plan, to ensure that it is up-to-date, and accurately reflects current practices and language used in the Privacy Act
  • reviews and updates its privacy documentation to formalise the relationship between the Privacy and Cyber Security teams, as well as the roles and responsibilities of each area, in the event of an eligible data breach or a cyber security incident
  • as part of its scheduled review of the AIIR program protocol, identifies if any additional information should be included in the protocol, consistent with the department’s obligations under APP 1.2 and the OAIC’s Guidelines on Data Matching in Australian Government Administration (Data Matching Guidelines). Should these details be considered sensitive in nature, the OAIC suggests that DHS considers also creating an internal, more detailed version of the protocol for auditing, monitoring and quality control purposes.

Part 2: Introduction

Background

2.1 Data matching brings together at least two data sets that contain personal information from different sources and compares those data sets with the intention of producing a match. [2] Agencies must comply with the Privacy Act, when undertaking data matching related activities. In addition to their Privacy Act obligations, agencies such as DHS that conduct data matching activities can voluntarily adopt the OAIC’s Guidelines on Data Matching in Australian Government Administration.

2.2 The OAIC was funded to provide regulatory oversight of privacy implications arising from DHS’s increasing data matching activities using new methodologies for the period from 1 January 2016 to 30 June 2019. This funding is part of the ‘Enhanced Welfare Payment Integrity – non-employment income data matching’ 2015-16 budget measure.

2.3 DHS undertakes a range of compliance activities through data matching programs to ensure ongoing eligibility for entitlements and to maintain the integrity of customer payments and services.

2.4 DHS conducts a number of data matching programs to determine whether a customer’s payments are accurate. These programs are based on the type of income customers earn or the payments they receive. Information about an individual’s income, when combined with other information such as name and address, is personal information for the purposes of the Privacy Act.

Overview of the AIIR program

2.5 The purpose of the AIIR program is to identify DHS customers who do not declare or under-declare their financial investments, resulting in the receipt of incorrect welfare payments. DHS may undertake administrative or investigative action where discrepancies are identified between DHS and ATO data.

2.6 The AIIR program matches investment income information sourced from the ATO’s AIIR file (which is collected from third party organisations such as banks, investment companies and share subscriber lists) with information that DHS collects from welfare recipients about their income. The AIIR program focusses on two types of investment income:

  • interest bearing (savings) accounts
  • term deposits.

Collectively, these two types of investment income will be referred to as ‘bank interest’ throughout this report.

2.7 The original AIIR program commenced in January 2012 as a result of the ‘Fraud Prevention and Compliance – Improving Compliance with Income Reporting’ budget measure in 2011-2012 (2011-12 budget measure). AIIR reviews were conducted from 2012 to 2017. No AIIR reviews were initiated in 2018 because at that time DHS was, as part of its Compliance Modernisation Programme, looking at including ‘bank interest’ data matching as an extension of the original AIIR program. [3]

2.8 From 2018, DHS began work to improve the data-matching and risk identification of the original AIIR program by using two ATO data sources to identify discrepancies:

  • Annual Investment Income Report data
  • bank interest data sourced from personal income tax returns which individuals report to the ATO.

2.9 References to the AIIR program in this report will refer to the enhanced AIIR program that has been in place since 2018, unless specified. However, the OAIC may refer to the original AIIR program prior to 2018 in this report where relevant to the overall end-to-end data matching process.

Data matching process

2.10 DHS exchanges data with the ATO twice a year under the AIIR program, using a secure link. The ATO’s handling of personal information was outside the scope of this assessment.

2.11 Under this data exchange, DHS provides its customer records to the ATO for identity matching. In particular, DHS provides the ATO with the following data items for identity matching purposes:

  • DHS Customer Reference Number
  • full name (including any known aliases
  • gender
  • full address, including historical addresses
  • date of birth.

2.12 The ATO uses its proprietary software to identity match DHS’s customer information with ATO records. The ATO then provides DHS with the identity matched AIIR data. The ATO only provides DHS with high confidence matches, which are produced when all the above data items are matched to a taxpayer in the ATO systems.

2.13 The identity matched data is then sent to DHS and is stored in DHS’s SAP HANA system. The ICT (SAP Data Services) team within the Professional Services Branch (based in Adelaide) uses an automated process to validate the data received. This involves applying business rules which verify such matters as correct format and ensuring data is present in all mandatory fields. Any identified discrepancies, such as mismatches or multiple matches, are checked manually.

2.14 Once this validation process has taken place, the SAP Fraud Management system applies a series of risk rules to identify customers who have an asset discrepancy by comparing the investment amounts they have declared to DHS with an estimated investment amount derived from the bank interest income recorded in the validated data from the ATO. Customers identified with a discrepancy are assigned a risk score and are loaded into the Selection Intervention Management System (SIMS). Exclusions and filters are then manually applied to exclude customers that are flagged with particular markers, including customers who are identified as deceased, and customers who may be considered vulnerable, in accordance with departmental and ministerial direction.

2.15 The Case Selection, Planning and Engagement team manages the risk rules applied by the SAP Fraud management system. Customers who fall in the ‘very high’ and ‘high’ risk categories were selected for compliance review under the AIIR program at the time of this assessment.

Notification and compliance review process

2.16 DHS’s Compliance Management Centre (CMC) manually triggers the initiation notification letter to customers who have been selected for compliance action. The notification letter is issued based on the customer’s preferred method of correspondence, which can be in the form of a secure online letter (known as secure online messaging – SOM) through DHS’s self-service Centrelink portal (which is linked to myGov) or via registered post. The customer has 28 days to provide a response, upon confirmed receipt of the initiation letter. The reminder notifications are not triggered without a confirmed response to the initiation letter.

2.17 In the case where the initiation letter has been issued via SOM, the letter may be re-issued via registered post if the customer has not confirmed receipt of the original letter within 14 days of the SOM being issued. Customers will also be issued reminder electronic messaging if they are registered to receive electronic messaging.

2.18 Upon receipt of the initiation and/or reminder letter, the customer may verify their information over the phone with a DHS compliance officer using the number provided in the letter or upload documents online through myGov. DHS may engage a third party, such as a bank, if the customer is unsure or unable to provide DHS with the appropriate bank interest information. Emails are currently not used for any part of the compliance activity.

2.19 Where the customer does not respond to either letters, DHS will attempt to contact the customer twice, by phone, after 28 days have lapsed. After two failed attempts, DHS may:

  • suspend payment where a customer is currently in receipt of an income support payment. In this event the customer will be sent a suspension notification, which notifies the customer that their payment has been suspended
  • engage a third party to request the confirmation of the customer’s income and asset details to address the matched information.

2.20 If the customer contacts DHS after the suspension of payment and provides further information which supports the receipt of welfare payments, DHS will cancel the suspension and backdate any payments owed to the customer.

2.21 DHS advised that there is no automated compliance system applied to the AIIR program’s compliance review process. There is no requirement for AIIR program related customers to review and then confirm or amend their information online as part of the compliance process. The only online component of the AIIR program is the option for DHS customers to receive paperless correspondence or customers required to upload information online where a verbal update provided by the customer over the phone does not align with DHS records and there is no valid explanation for any discrepancy identified by the department.

Outcome of the compliance review

2.22 Since the commencement of the enhanced AIIR program in 2018-19, approximately 500,000 to 600,000 records are matched each year.

2.23 From 1 July 2018 to 30 June 2019, as part of testing the effectiveness of the enhanced matching process, DHS completed 2,140 compliance interventions, which resulted in 924 debts being raised.

2.24 DHS advised that the amount of debt raised is consistent with other compliance programs.

Part 3: Findings

Our approach

3.1 The key findings of the assessment are set out below under the following headings:

  • Implementing practices, procedures and systems to ensure APP compliance
  • Notification of collection of personal information
  • Access to personal information

3.2 For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from these observations, followed by recommendations or suggestions to address those risks.

3.3 As part of this assessment the OAIC has considered the:

  • APP Guidelines, which outline the mandatory requirements of the APPs, the way in which the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act
  • OAIC’s Guidelines on Data Matching in Australian Government Administration (Data Matching Guidelines), which aim to assist Australian Government agencies to use data matching as an administrative tool in a way that complies with the APPs and the Privacy Act and is consistent with good privacy practice.

3.4 In the AIIR program protocol, DHS states that it complies with the OAIC’s Data Matching Guidelines.  [4]

Implementing practices, procedures and systems to ensure APP compliance

3.5 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs; and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

3.6 All Australian Government agencies, including DHS, also need to comply with the Australian Government Agencies Privacy Code (the Code) which commenced on 1 July 2018. The Code sets out specific requirements and key practical steps regarding privacy governance and personal information management, that agencies must take as part of complying with APP 1.2.

3.7 The OAIC did not consider the majority of DHS’s agency-wide obligations under the Code during this assessment, such as privacy training and DHS’s privacy management plan given these have been covered in previous data matching assessments. [5]

3.8 In relation to DHS’s obligations under APP 1.2, this assessment focussed on the AIIR program’s:

  • governance arrangements
  • risk management
  • internal policies, practices and procedures.

Governance, culture and training

3.9 DHS has established clear procedures for oversight, accountability and lines of authority for decisions regarding the AIIR program.

3.10 The Case Selection Planning and Engagement Section (CSPE Section), within the Compliance Programme Branch, is responsible for the day-to-day governance functions of the data matching compliance programs at DHS, which includes the AIIR program. The responsibilities include decisions on priorities in data matching activities and managing the flow-on impacts. There are various teams within the CSPE Section, including the Compliance Programme Management team and Case Selection teams, which monitor the selection processes and the outcome of reviews where a customer is contacted following a data match.

3.11 The Compliance Programme Management team leader (the Chair) chairs fortnightly Programme Risk Advisory Group (PRAG) meetings where issues that relate to any data matching compliance programs are raised, tracked and recorded in a register. The PRAG was established to provide advice and assurance to senior management on the progress against the achievements of the department’s compliance activities and includes representation from various teams within the Compliance Assurance Division. Risks associated with data matching compliance programs, such as the AIIR program, are reported by the Case Selection team through the PRAG process. Risks are assessed on a case by case basis and the Chair is responsible for communicating or escalating information on how compliance programs are tracking to senior management.

3.12 Data quality issues are generally raised during meetings and discussions with relevant stakeholders. Systemic issues are raised with CSPE and ICT for review and advice. Depending on the scale, nature and sensitivity of the data and how the data is reported, the Operational Privacy Section (Privacy team) would generally be contacted for advice and escalated to senior management if required.

3.13 Aside from the initial validation of the data received from the ATO which is carried out by DHS’s ICT team, most of the AIIR program’s data matching processes since 2018 are conducted by systems maintained by the ICT team, using business rules managed by the Compliance Programme Branch. The original AIIR program, prior to 2018, was managed within the Branch.

3.14 Data exchanges between DHS and the ATO involving the AIIR program are governed by the Data Management Forum (Forum), with representation from both departments, who meet on a quarterly basis. The Forum reports to the Governance Committee, also known as the Consultative Forum, comprised of more senior executive members who undertake joint six-monthly meetings. [6]

3.15 DHS does not provide specific training for staff who undertake data matching activities. All DHS staff undertake SIMS training before they are granted access to the system. All training for staff who are involved in AIIR data matching is delivered on the job by experienced staff who have the relevant security role to access SIMS. With every major change to systems, the department advises all staff through internal communication strategies. Where relevant to their work, DHS staff may also receive Statistical Analysis System training, which allows staff to run queries on datasets to resolve discrepancies in the matched data.

3.16 DHS has established procedures for oversight, communication and accountability for decisions regarding personal information handled within the AIIR program. Training and awareness activities help to ensure that all staff are aware of their privacy and security obligations. The OAIC did not identify any privacy risks in relation to the AIIR program’s governance, privacy culture or training.

Risk management

3.17 The implementation of privacy and security risk management processes is integral to establishing robust and effective privacy and security practices, procedures and systems. These risk management processes allow an entity to identify, assess, treat and monitor any privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

3.18 The OAIC encourages entities to conduct an information security risk assessment, in conjunction with a privacy impact assessment (PIA), to identify and evaluate information security risks, including threats and vulnerabilities, and the potential impacts of these risks to information (including personal information) handled by an entity.

3.19 DHS has a number of information registers which describe the authority for holding customer information, such as under a Memorandum of Understanding (MOU) agreement and/or social security legislation. Each business team is responsible for their respective information registers and conduct regular reviews on the control of information. The information register is used to document all data exchange activities undertaken by DHS, including the AIIR program. DHS intends to consolidate all data exchanges to create a central repository.

3.20 DHS staff must undertake a formal registration process when they initiate a new program or project. Once a new project or program is registered, the project owner liaises with the Privacy team for advice on whether a privacy threshold assessment (PTA) or PIA is required (discussed below).

ICT security risk assessments

3.21 DHS relies on internal ICT systems to conduct its data matching activities. According to DHS system accreditation policies, the system owner manages the ICT security reviews for a given project and is responsible for ensuring system security documents remains up-to-date.

3.22 Depending on the scale of a project, the Project Manager would engage with the Cyber Security team to assess if an ICT security risk assessment needs to be completed. The Cyber Security team will be consulted if there are any changes to aspects of a project’s security or the handling of personal information. The team will also be involved if a PIA is conducted and the subsequent recommendations involve cyber security risks.

3.23 DHS provided the OAIC with an information security risk assessment, which was conducted in 2011 to establish whether a full security threat and risk assessment needed to be undertaken. The scope of the assessment was on the 2011-12 budget measure and was not specific to the AIIR program. The OAIC found the assessment to be lacking in detail with regards to the analysis of information security risks. For example, it was identified that some DHS staff will require privileged access across a range of information including customer and financial data, but there was no consideration of the potential risks and/or mitigation strategies such as additional access controls that may be required. There were also no recommendations to advise if a formal security threat and risk assessment needed to be undertaken. During fieldwork, DHS advised that the 2011 security risk assessment is outdated and does not accurately reflect its current security posture which they advised reflects the Australian Cyber Security Centre’s security standards. [7] The OAIC requested more recent documentation to support its ICT security risk assessment processes, particularly in relation to the AIIR program, but this was not provided.

3.24 DHS appears to have some processes in place to assist with the management of security risks associated with the systems used for its data matching programs. However, the OAIC did not review any current ICT security risk assessment specific to the AIIR program. Based on the limited documentation provided to the OAIC, there is a medium privacy risk that DHS has not properly considered the cyber security risks associated with the AIIR program.

3.25 Therefore, the OAIC recommends that DHS reviews its risk management processes for the AIIR program to ensure that all privacy and information security risks are appropriately monitored, identified, treated, recorded and reported to senior management.

Recommendation 1

The OAIC recommends that DHS reviews its risk management processes for the AIIR program to ensure that all privacy and information security risks are appropriately monitored, identified, treated, recorded and reported to senior management.

Privacy threshold assessments (PTAs) and privacy impact assessments (PIAs)

3.26 APP 1.2 outlines the requirements for entities to manage personal information in an open and transparent way. This includes embedding good privacy practices into an entity’s risk management strategies, such as conducting a PIA at the early stage of a proposal’s development to assist an entity to identify any personal information security risks and the reasonable steps that could be taken to protect personal information.

3.27 DHS’s Operational Privacy Policy (OPP) [8] requires its staff to undertake a PTA for all new projects, and for any other activities that involve changes to the way DHS manages (i.e. collects, discloses, stores or uses) any personal information.

3.28 Paragraph 11 of the OPP states that if the PTA identifies that the project or activity involves a significant change to DHS’s management of the personal information involved or might have a significant impact on the privacy of individuals, a PIA is required. DHS’s Privacy team is consulted on whether PTAs and/or PIAs need to be conducted.

3.29 DHS outsources all PIAs to external providers. DHS’s legal team coordinates the completion of a PIA by acting as a liaison between a DHS National Manager who is the executive member responsible for the compliance program and the private sector company that undertakes the PIA.

3.30 DHS’s senior management must sign-off to accept the recommendations in the PIA. A formal closure process is also required where the responsible Project Manager must sign-off to confirm that all the recommendations in the PIA have been implemented.

3.31 DHS conducted a PTA prior to the commencement of the enhanced AIIR program in 2018. The OAIC was provided with a copy of the PTA. The PTA outlines the types of personal, sensitive and/or protected information that are collected by the department and stipulates that the enhanced program does not involve new ways of identifying or accessing personal information. The PTA assessment process concluded that a PIA was not required as the PTA found the project did not involve significant changes to the way in which the department would collect, use, disclose or store personal information, that are likely to have a significant impact on the privacy of its customers.

3.32 Given DHS’s data matching activities under the AIIR program involve the handling of large volumes of personal and sensitive information, the OAIC encourages DHS to continue to conduct PTAs, and if necessary, a PIA, if changes are proposed to the AIIR program in the future.

Internal policies, practices and procedures

3.33 Entities should document the internal policies, practices and procedures they use to handle personal information. This documentation should outline the privacy measures that are in place to manage the risks and threats to personal information. These documents should be regularly reviewed and updated to ensure they reflect the entity’s current acts and practices.

3.34 DHS has a range of department-wide and program-specific policies and procedures, that are relevant to the handling of personal information under the AIIR program. This includes internal policies and procedures used by DHS staff to initiate, assess and finalise compliance reviews, as well as engage with customers who enquire about the AIIR program. For example, staff must follow documented steps in order to check and verify the identity of a caller before access to their personal information is granted. DHS staff must also fully explain and document all of their decisions and/or actions on the customer’s record.

3.35 The OAIC found that DHS’s operational procedures regarding the AIIR program were up-to-date and reviewed within the last six months. However, it is not clear how regularly internal reviews are conducted nor when the next review is expected to occur. The OAIC suggests that DHS schedules regular reviews of its internal documentation to ensure the continued effectiveness and appropriateness of its policies, practices and procedures. This could be done annually or after any major change to the AIIR program or relevant legislation.

Managing customer enquiries or complaints

3.36 Under APP 1.2, an APP entity is required to take reasonable steps to deal with enquiries or complaints from individuals about the entity’s compliance with the APPs or Code.

3.37 DHS has a number of internal policies and procedures in place to manage customer enquiries or complaints about the AIIR program. The OAIC reviewed the operational procedures DHS uses when a customer requests further explanation of a compliance intervention decision. These procedures apply to AIIR reviews, as do department-wide operational policies and procedures relating to the handling of customer complaints and feedback.

3.38 For all enquiries or complaints about the AIIR program, the first point of contact is DHS’s dedicated compliance telephone line, which is provided to the customer in each of the initiation, reminder and suspension of payment letters. The letters also provide a link to DHS’s feedback webpage if the customer chooses to make an enquiry or complaint online.

3.39 Once an AIIR program related enquiry or complaint is received, a DHS compliance officer will engage with the customer and provide an explanation of the decision, as well as correct any errors identified during the conversation. If the customer is not satisfied with the explanation and cannot provide any new information or evidence, they can request a quality check of the decision. A subject matter expert would be assigned to check the information provided by the customer against DHS’s records and contact the customer to discuss and/or explain the decision.

3.40 If the customer indicates that they have additional information to provide which was not considered as part of the initial review (either in the form of documented evidence or verbal evidence over the phone), DHS conducts a reassessment or review, which is independent from the initial review and decision-making process.

3.41 DHS customers can request a formal review of the case if they are not satisfied with the outcome of the quality check or if they disagree with the outcome of the decision. In those circumstances, the matter will be referred to an authorised review officer for a formal review. The debt recovery process is placed on hold while the review takes place.

3.42 DHS uses department-wide policies and procedures to manage general customer feedback and complaints in relation to the AIIR program. DHS has operational procedures in place for assessing the type of feedback received from customers and attempt to resolve any customer complaints at first contact. More complex or sensitive matters, such as a complaint about unauthorised disclosure of personal information under the AIIR program, are escalated and finalised by specialist complaints staff. DHS customer complaints about the AIIR program are triaged and specific enquiries about the AIIR program will be referred to the relevant team in the Compliance Programme Branch. Escalations may be referred to the Privacy team for further assessment.

3.43 DHS’s customer complaints and feedback policy states that the department aims to finalise and respond to complaints within 10 working days. If DHS takes longer than that to respond, DHS staff are advised to update the customer about the progress of their complaint at least every five working days after acknowledgement of their complaint.

3.44 The OAIC did not identify any privacy risks with the department’s handling of customer enquiries and complaints specific to the AIIR program.

Data breach response documentation

3.45 In the event of a data breach, having a response plan that includes procedures and clear lines of authority can assist an entity to contain the breach and manage the response. Ensuring that staff (including contractors) are aware of the plan and understand the importance of reporting breaches is essential for the plan to be effective.

3.46 DHS’s Privacy team is currently responsible for assessing and reporting all eligible data breaches that would fall under the Notifiable Data Breach scheme (NDB scheme) [9] and cyber security incidents. DHS informed the OAIC that DHS did not identify any data breaches or cyber security incidents in relation to its data matching activities, at the time of this assessment.

3.47 DHS’s Privacy Incident Response Plan (PIRP) sets out the roles and responsibilities of relevant DHS teams as well as procedures to be followed in the event of a suspected or alleged privacy breach, or a data breach that is reportable under the NDB scheme.

3.48 DHS’s PIRP includes procedures and clear lines of authority when reporting and escalating privacy incidents. The PIRP also sets out how the plan will apply to various types of data breaches, processes to notify the public or individuals under the NDB scheme and circumstances where external entities, such as the OAIC, may need to be involved. However, it is not clear if the PIRP is regularly tested or reviewed post-breach. The OAIC suggests that DHS regularly tests and reviews the PIRP to assess the effectiveness of the plan.

3.49 The OAIC also reviewed DHS’s Cyber Security Incident Response Plan, which contains references to personally identifiable information (PII), rather than personal information (PI) as defined in s 6 of the Privacy Act. The use of the term PII, which is narrower than the definition in the Privacy Act, could lead to a failure to protect personal information where such information is not considered to be PII but would fit the definition of personal information in s 6 of the Privacy Act. The reference to the Privacy and Information Release team is also outdated as it had been renamed the Operational Privacy Section a few years ago.

3.50 Because DHS’s cyber security documentation is not completely up-to-date, there is a medium privacy risk that DHS’s internal documentation may not accurately reflect current information handling practices. The OAIC recommends that DHS regularly reviews and revises its cyber security policy documentation, such as the Cyber Security Incident Response Plan, to ensure that they are up-to-date, and accurately reflect current practices and language used in the Privacy Act.

Recommendation 2

The OAIC recommends that DHS regularly reviews and revises its cyber security policy documentation, such as the Cyber Security Incident Response Plan, to ensure that they are up-to-date, and accurately reflect current practices and language used in the Privacy Act.

3.51 In the event that a cyber security incident involves personal information processed by the AIIR program, DHS advised that the Privacy and Cyber Security teams liaise with each other to resolve the issue. While both teams have their independent Incident Response Plans, the Privacy team’s Incident Response Plan would prevail where there is a conflict. However, while communication between the Privacy and Cyber Security teams appear to occur at an operational level, there is limited documentation which formalises the communication channels. The Cyber Security team’s Incident Response Plan references the General Counsel from the Privacy team in the event of a breach that impacts on DHS staff or customer information, but the Cyber Security team is not listed as a stakeholder in the PIRP.

3.52 This represents a medium risk that appropriate action and escalation processes are not followed in the event of a cyber security incident or eligible data breach where both privacy and cyber security areas may be impacted. The OAIC recommends that DHS reviews and updates its privacy documentation to formalise the relationship between the Privacy and Cyber Security teams, as well as roles and responsibilities of each area, in the event of an eligible data breach or cyber security incident.

Recommendation 3

The OAIC recommends that DHS reviews and updates its privacy documentation to formalise the relationship between the Privacy and Cyber Security teams, as well as roles and responsibilities of each area, in the event of an eligible data breach or cyber security incident.

Program protocol

3.53 Under APP 1, entities are required to manage personal information in an open and transparent manner. This requirement is also emphasised in the OAIC’s Data Matching Guidelines to ensure that entities provide a level of transparency and accountability for their data matching programs. Guideline 3 of the Data Matching Guidelines states that before commencing a data matching program, the primary user agency should:

  • prepare a program protocol
  • provide a copy of the program protocol to the OAIC
  • make the program protocol publicly available.

3.54 Guideline 4 of the Data Matching Guidelines suggests the matching agency details the technical standards for governing the conduct of the data matching program in a report which should clearly document information about the data matching techniques to be used in the data matching program. [10] By having a clearly written and informative program protocol, entities will be able to inform the public about the existence and nature of the data matching program [11] and demonstrate their transparency and accountability obligations.

3.55 At the time of the assessment, DHS had published a copy of its 2017 AIIR data matching protocol on its website. [12] However, DHS does not appear to have uploaded the most up-to-date protocol online, as the OAIC was provided a draft copy of an updated AIIR program protocol for review as part of the assessment. While the updated protocol provides customers with an overview of the data matching program and how customers’ personal information is used in the program, it does not fully meet the requirements outlined in the OAIC’s Data Matching Guidelines.

3.56 Specifically, details regarding the use of business rules and filtering should be expanded in existing text of the program protocol and in a technical standards report attached to the protocol, to provide a clearer explanation of the data processes once the matched data is collected from the ATO. DHS also advised during the assessment that a pilot was conducted prior to the commencement of the AIIR program. However, this is not mentioned in the program protocol. [13]

3.57 As noted above, while the program protocol is an external document, published to provide the community with information on DHS’s data matching activities under the AIIR program, it is also a vital source of corporate knowledge to ensure departmental consistency. An up-to-date and accurate program protocol is also important for directing DHS staff on how personal information is handled under the AIIR program. There is a medium risk that DHS may lose corporate knowledge and staff will not follow appropriate procedures if DHS fails to accurately document their internal AIIR program processes in detail. By clearly articulating their data matching processes in the protocol and attached technical standards report, DHS can ensure that they have documented this corporate knowledge to prevent losing it in the future and maintain continuity for staff within the AIIR program.

3.58 The OAIC acknowledges that adding additional information into the protocol will need to be considered carefully, as there may be issues of confidentiality or sensitivity. With these considerations in mind, the OAIC recommends that DHS, as part of its scheduled review of the AIIR program protocol, identifies if any additional information should be included in the protocol, consistent with the department’s obligations under APP 1.2 and the OAIC’s Data Matching Guidelines.

3.59 To address any concerns DHS may have around the confidentiality or sensitivity of data matching processes, the OAIC suggests that there may be value in creating an internal version of this protocol, which would expand on the technical aspects of the program. The internal protocol can be used for auditing, monitoring and quality control purposes.

3.60 Guideline 5 of the Data Matching Guidelines states that before an entity carries out or participates in a data matching program, the entity should take reasonable steps to ensure public notice of the proposed program is given. DHS did not notify the public about the AIIR program by publishing a notice in the Government Gazette prior to the program’s commencement. As the program protocol is published on the DHS website, there is a low risk that DHS customers have not been appropriately notified. The OAIC suggests that when DHS updates the program protocol, it notifies the public of its updated program protocol in the Government Gazette.

Recommendation 4

The OAIC recommends that DHS, as part of its scheduled review of the AIIR program protocol, identifies if any additional information should be included in the protocol, consistent with the department’s obligations under APP 1.2 and the OAIC’s Guidelines on Data Matching in Australian Government Administration (Data Matching Guidelines). Should these details be considered sensitive in nature, the OAIC suggests that DHS considers also creating an internal, more detailed version of the protocol for auditing, monitoring and quality control purposes.

Notification of collection of personal information

3.61 APP 5 requires an entity that collects personal information (including sensitive information) about an individual to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. An APP entity must take these reasonable steps before, at, or as soon as practicable after it collects the personal information.

3.62 The matters that an individual must be notified about are listed in APP 5.2 and include:

  • the APP entity’s identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • the entity’s usual disclosures of personal information of the kind collected by the entity
  • information about the entity’s APP Privacy Policy
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

3.63 For the purposes of the AIIR program, DHS collects information from customers during various stages of contact with the department and various forms of contact, including through telephone, collection forms or online.

3.64 New customers provide information to DHS when they claim welfare payments and the information is usually collected through hard copy application forms or online forms. The initial collection includes personal information such as the declaration of income and assets, and proof of identity information, which includes the customer’s full name, address and marital status. A privacy notice is also provided at this point, which requires the customer’s signature to acknowledge that the notice has been read.

Collection of personal information – notification letters

3.65 Under the AIIR program, DHS customers receive APP 5 collection notices on the back of the initiation and reminder letters which request further information on bank interest received by customers to accurately assess their circumstances. DHS provided the OAIC with template letters to customers used for the AIIR program.

3.66 The collection notice in both the initiation and reminder letters states that DHS undertakes data matching activities in line with the OAIC’s Data Matching Guidelines and provides a list of agencies that DHS works with to conduct data matching. Both letters also provide information about how customers can provide feedback or lodge a complaint, a short paragraph on DHS’s privacy obligations and a link to DHS’s privacy webpage [14] where customers can find further information.

3.67 DHS attempts to encourage customers to engage with the department and provide additional information to accurately assess their circumstances by not outlining in the initiation letter the consequences of customers not providing their personal information (i.e. the suspension of payments). Only the reminder letter refers to the suspension of payments if the customer does not engage with DHS.

3.68 APP 5.2 provides that individuals must be notified about an entity’s privacy policy, amongst other matters. DHS provides notification in both the initiation and reminder letters before the collection of personal information, in accordance with the requirements of APP 5. DHS’s general privacy webpage is linked in both notification letters and provides a description of why customer information is collected, used and shared.

3.69 The OAIC did not identify any privacy risks related to APP 5 in relation the collection notices in DHS’s notification letters for the AIIR program.

Collection of personal information - telephone

3.70 DHS may verbally collect information from customers who contact DHS over the phone, following the receipt of an initiation, reminder and/or suspension of payment letter from DHS.

3.71 At the beginning of the call, there is a recorded message that notifies the customers of the collection of their personal information and that the conversation will be recorded. DHS’s operational procedures also state that the compliance officer must inform the customer that the call may be recorded for quality assurance and training purposes. Prior to disclosing any information, the compliance office will authenticate the customer, which must include checking the customer’s current address and telephone number. More information about the authentication process is discussed at paragraphs 3.83-3.86.

3.72 Once authenticated, the compliance officer will explain to the customer why they have been selected for compliance review under the AIIR program. The customer will be asked to confirm the accuracy of the bank interest income and to provide a verbal update to ensure that DHS records are accurate.

3.73 Where the customer provides a verbal update, the compliance officer will record, assess and determine the validity of the updates. If the verbal update is deemed acceptable, the compliance officer will finalise the review process and document the outcome in DHS records. If the verbal update does not align with DHS records and there is no valid explanation for the discrepancy, then the information is deemed insufficient and the customer is required to provide documented evidence online.

3.74 The OAIC did not identify any privacy risks in relation to DHS’s collection notice used over the phone for the AIIR program.

Collection of personal information - online

3.75 For customers who choose to engage with DHS online or are required to provide documented evidence to validate their bank interest income, information is collected when customers upload documents through myGov. The OAIC was provided with screenshots of the Centrelink portal’s (which is linked to myGov) review screen which is seen by the customer prior to the uploading of any documents. On the screen it states that customers must declare that they ‘have read and accept the privacy statement’ amongst others, prior to submitting any documentation.

3.76 Under the ‘Terms of use’ section on the Centrelink portal, DHS provides a brief summary to inform customers that their information is collected to process applications, payments or services. Customers are also notified that information is shared with other parties where the customer has agreed or required by law.

3.77 DHS notifies the public about the AIIR program by publishing the program protocol on its website, in accordance with Guideline 5 of the Data Matching Guidelines. Guideline 5.3 states that a ‘public notice of the data match activity is considered a ‘reasonable’ step for an agency to take to satisfy APP 5 obligations’.

3.78 DHS also has a dedicated webpage which explains bank interest reviews conducted under the enhanced AIIR program to its customers. [15] The webpage provides information about why personal information, such as bank information, may be collected by DHS, how the information may be used by the department as well as contact numbers for the customer to receive further assistance regarding the data matching program.

3.79 The OAIC did not identify any privacy risks in relation to DHS’s online collection notices associated with the AIIR program.

Access to personal information

3.80 APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request. APP 12 also sets out minimum access requirements, including the time period for responding to an access request, how access is to be given, and that a written notice, including the reasons for the refusal, must be given to the individual if access is refused.

3.81 DHS customers can view some of their personal information, such as payments, on the Centrelink portal through myGov or visit a service centre in person.

3.82 DHS customers can also lodge a formal Freedom of Information (FOI) request to seek access to their personal information held by DHS. The OAIC did not review the FOI channel to access personal information in this assessment.

Verifying an individual’s identity before providing access to personal information

3.83 All customers undergo a proof of record ownership (PORO) process to prove their identity and select the checkbox to declare that they have read and accept the privacy statement prior to accessing any information online. DHS provided screenshots of the customer view of the authentication process on myGov. The customer’s identity is authenticated when they first access myGov. Once this occurs, they can access their Centrelink portal without further authentication. The customer authenticates into myGov by either:

  • entering their username/email, password and answering a secret question, or
  • entering their username/email, password and entering a one-time SMS code sent to their mobile phone.

3.84 Customers are asked to provide photo identification (photo ID) when they visit a service centre in person. Customers who have photo ID are often not asked additional PORO questions. Customers without photo ID will be asked to confirm their name, date of birth and address. DHS service officers may ask additional questions if there are doubts about the customer’s identity.

3.85 Customers who contact DHS via telephone also need to pass the PORO process, if they did not enrol or cannot be identified using a telephone access code or voice authentication.

3.86 The OAIC reviewed the operational procedure used by DHS telephone staff to authenticate a customer’s identity, as well as the PORO points matrix which outlines the value of each question that a customer correctly answers to prove their identity. Customers must successfully answer a combination of questions, totalling 100 points to pass PORO. DHS’s internal procedure notes that the name, date of birth and Centrelink reference number alone are not sufficient to verify a customer as these details may be known to a third party, such as the customer’s partner. Consequently, telephone staff are instructed to ask additional PORO questions. Sometimes customers place a password on their account as an additional access control mechanism, and they will need to provide the password in addition to the usual PORO process when identifying themselves over the phone.

3.87 The OAIC did not identify any privacy risks in relation to the steps which DHS takes to verify a customer’s identity prior to granting them access to personal information online, in person or over the phone.

APP 12 minimum access requirements

3.88 DHS advised that it responds to a customer’s access request within 30 days, in accordance with APP 12.4(a)(i), which requires that an agency respond to a request for access within 30 calendar days.

3.89 APP 12.4(b) stipulates that an APP entity must give access to personal information in the manner requested by the individual if it is reasonable and practicable to do so. DHS customers receive access to their personal information either in hard copy or through an online link to the system. DHS does not send personal information via email due to privacy and security concerns.

3.90 DHS does not impose an access charge to customers (which is consistent with APP 12.7), unless the request for access is made through the formal FOI channel.

3.91 Depending on the type of information requested, DHS may deny the access request in full or in part through written notification, where required or authorised by the Freedom of Information Act 1982. DHS’s FOI team also has regard to Chapter 12 of the APP guidelines when considering the grounds to decline an access request for personal information.

3.92 APP 12.9 provides that if an agency refuses to give access, or to give access in the manner requested by the individual, the agency must give the individual a written notice. DHS advised that it outline the reasons for the declined request, the department’s decision making processes, and additional information on how the individual could appeal the decision in its written response.

3.93 While DHS has regard to relevant legislation and the OAIC’s APP guidance material when assessing access requests by customers, DHS does not maintain any internal guidance that lists the grounds on which access requests for personal information can be declined by the department. The lack of internal policies or procedures which guide the decision-making process represents a low risk that decisions to grant or deny requests may not be consistently applied by DHS officers. Given some access requests to personal information may be complex and may require staff to exercise discretion, the OAIC suggests that DHS develops an internal policy or procedure to guide staff when deciding whether to grant or deny a personal information access request. The OAIC also suggests that DHS regularly reviews and updates its internal documentation to ensure its continued effectiveness, particularly as practices and legislative requirements evolve.

Handling of access requests by telephone

3.94 If a customer contacts DHS via telephone to enquire about the use of their personal information in the AIIR program, DHS staff will provide a general overview of the data matching process. Depending on the nature of the enquiry, the matter may be escalated to technical support, an onsite manager, and eventually through to the relevant team in the Compliance Programme Branch.

3.95 All requests to access personal information are assessed on a case by case basis by DHS staff, including contractors, who are trained to address enquiries. In addition to the mandatory privacy and security training, DHS's contact centre staff also receive training about confirming an individual's identity. DHS conducts internal privacy audits through phone recordings and monitoring to ensure that staff are following the correct procedures.

3.96 APP 5.2(g) provides that an entity should take reasonable steps, in its privacy policy, to notify an individual of how they may access their personal information. DHS notifies customers using their online channel of their entitlement to access their personal information through its privacy policy or through the direct link on DHS’s homepage. However, customers who engage with DHS about the AIIR program over the phone or via post are not notified of their rights to access their personal information.

3.97 The OAIC reviewed the operational procedures and notification letters sent to DHS customers; neither of which mentioned access to personal information. Given most DHS customers have access to myGov, this represents a low risk that customers who do not have access to the internet will be unaware of their rights to access their information. The OAIC suggests that DHS expands the communication channels to notify individuals of their right to access their personal information during phone calls with customers by including a section in the contact centre’s operational procedures, as well as in the notification letters sent to customers.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that DHS reviews its risk management processes for the AIIR program to ensure that all privacy and information security risks are appropriately monitored, identified, treated, recorded and reported to senior management.

Response by DHS to the recommendation

4.2 Agreed. Services Australia will review the risk management process for the enhanced AIIR program.

Recommendation 2

OAIC recommendation

4.3 The OAIC recommends that DHS regularly reviews and revises its cyber security policy documentation, such as the Cyber Security Incident Response Plan, to ensure that they are up-to-date, and accurately reflect current practices and language used in the Privacy Act.

Response by DHS to the recommendation

4.4 Services Australia accepts this recommendation to regularly review and revise its cyber security policy documentation to ensure that they are up-to-date, and accurately reflect current practices and language used in the Privacy Act. Services Australia’s Cyber Security Incident Management Plan was updated in December 2019.

Recommendation 3

OAIC recommendation

4.5 The OAIC recommends that DHS reviews and updates its privacy documentation to formalise the relationship between the Privacy and Cyber Security teams, as well as roles and responsibilities of each area, in the event of an eligible data breach or cyber security incident.

Response by DHS to the recommendation

4.6 Services Australia accepts this recommendation. Services Australia has formalised the relationship between Cyber Security and Privacy teams, including documenting the relationship between the two areas and the roles and responsibilities of each area in the event of a cyber-security incident or eligible data breach.

Recommendation 4

OAIC recommendation

4.7 The OAIC recommends that DHS, as part of its scheduled review of the AIIR program protocol, identifies if any additional information should be included in the protocol, consistent with the department’s obligations under APP 1.2 and the OAIC’s Guidelines on Data Matching in Australian Government Administration (Data Matching Guidelines). Should these details be considered sensitive in nature, the OAIC suggests that DHS considers also creating an internal, more detailed version of the protocol for auditing, monitoring and quality control purposes.

Response by DHS to the recommendation

4.8 Agreed. Services Australia are currently developing a new program protocol for this data matching activity and will work with OAIC throughout that development process. The program protocol will be published before these activities are fully commenced. In addition, Services Australia is undertaking a process of review of all program protocols, including the business rules and technical information, to ensure these documents clearly outline the objectives of each program, while remaining aligned to the APPs and the OAIC Guidelines on Data Matching in Australian Government Administration.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.2 The objective of this assessment was to determine whether DHS maintains personal information, under the AIIR program, in accordance with its obligations under the APPs.

5.3 The scope of this assessment was limited to DHS’s handling of personal information against the requirements of APP 1.2 (open and transparent management of personal information), APP 5 (notification of the collection of personal information) and APP 12 (access to personal information). Specifically, the assessment examined whether DHS:

  • is taking reasonable steps to implement practices, procedures and systems in accordance with APP 1.2, with the focus on the AIIR program’s governance arrangements, risk management and internal policies, practices and procedures, to avoid duplication with DHS’s department-wide obligations which have been covered in previous data matching assessments of DHS
  • is taking reasonable steps under APP 5 when collecting information from individuals under the AIIR program
  • manages requests for access to personal information handled in the context of the AIIR program in accordance with APP 12.

5.4 This assessment considered both the original pre-2018 data matching program as well as the data matching processes and procedures under the enhanced AIIR program from 2018. However, the assessment predominantly focusses on the enhanced AIIR program from 2018-19 (now known as the Bank Interest program) as there are currently no reviews being initiated under the pre-2018 program. The OAIC examined notification letters and other related documentation regarding or relevant to the Bank Interest program as a part of the APP 5 and 12 components of this assessment.

Privacy risks

5.5 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (Appendix A refers), the OAIC made recommendations to DHS about how to address those risks. These recommendations are set out in Part 4 of this report.

5.6 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.

5.7 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Timing, location and assessment techniques

5.8 The OAIC conducted a risk-based assessment of DHS’s AIIR program and focussed on identifying privacy risks to the effective handling of personal information in its relation to the APPs.

5.9 The assessment involved the following:

  • review of relevant policies and procedures provided by DHS
  • fieldwork, which included interviewing key members of staff at DHS’s office in Canberra on 3 and 4 September 2019.

Reporting

5.10 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating Entity action required Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation

Immediate management attention is required.

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media.
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation

Timely management attention is expected.

This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media.
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities.
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation r

Management attention is suggested.

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] For the purposes of this report, Services Australia is referred to as DHS as this was the department’s name at the time of the assessment..

[2] Office of the Australian Information Commissioner’s Guidelines on Data Matching in Australian Government Administration, June 2014, Key terms section (accessed on 21 November 2019).

[3] At the time of fieldwork, DHS was developing a separate program protocol for the bank interest component of the AIIR program. .

[4] Department of Human Services, AIIR program protocol, 2017, p. 3 (accessed on 21 November 2019) .

[5] DHS’s department-wide privacy training and its privacy management plan are discussed in the OAIC’s assessment of DHS’s NEIDM data matching program, available on the OAIC’s website (accessed on 16 March 2020). .

[6] DHS’s governance arrangements for data exchanges with the ATO are discussed in the OAIC’s assessment of DHS’s NEIDM data matching program, available on the OAIC’s website (accessed on 16 March 2020).

[7] Australian Cyber Security Centre outlines a number of mitigation strategies, known as the Essential Eight, to assist organisations in protecting their systems against cyber security incidents. For more information, see https://www.cyber.gov.au/publications/essential-eight-explained (accessed 27 January 2020).

[8] Version 4 – approved 17 May 2018.

[9] Under the NDB scheme, which commenced in February 2018, any organisation or agency the Privacy Act covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. More information can be found at https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme/.

[10] Details to be included in a technical standards report are set out in Appendix B of the Guidelines and include (amongst other things): the description of data used during the matching process; matching techniques used in the data matching program, for example the matching algorithm used; and the risks posed by the matching program.

[11] See Guideline 3.3 of the Data Matching Guidelines.

[12] 2017 AIIR data matching protocol available at: https://www.servicesaustralia.gov.au/organisations/about-us/publications-and-resources/centrelink-data-matching-activities#a2 (accessed 16 March 2020).

[13] Under Guideline 3.4, entities should disclose information about any pilot testing conducted on the data matching program in the program protocol.

[14] https://www.servicesaustralia.gov.au/individuals/privacy (accessed on 16 March 2020).

[15] For more information, visit the bank interest income reviews for the compliance program webpage.