Annual Report 2006-07:
Chapter 3 Protecting Privacy
3.1 Review of Performance
The Privacy Commissioner protects the privacy of Australians through a wide range of compliance activities, including a telephone and written enquiry service, the resolution of individual privacy complaints, conducting audits and investigations, and monitoring data-matching activities.
While the Office’s compliance focus in 2006–07 continued to be on resolving individual complaints, it also undertook a number of audits. The Office strives to resolve cases in an open and fair way that builds the confidence of our stakeholders. The Office has applied considerable effort to managing complaints in line with Recommendation 42 of the Office’s 2005 Report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.
In the Office’s last annual report, it was noted that the Office was to receive an increase in funding over the next four years, and that one of the first priorities would be to invest in our complaint handling systems and practices. Effective complaint handling practices have been a clear focus in 2006–07. The Office has continued to evaluate and refine practices to ensure they work well and that individual complaints are handled in a timely and effective manner.
The Office has restructured its Compliance section to facilitate a transition from being primarily a reactive regulator to an increasingly proactive regulator. To ensure best practice complaint handling and investigation, the Office has a renewed focus on staff training, staff development and stakeholder relationships.
2006–07 also signalled the return of the Office’s audit program into Australian Government agencies, with the Office embarking on its first Australian Government agency audit in almost three years. The Office also continued its data-matching and ‘own motion’ work. The Office this year increased its production of case notes. It produced 24 case notes to assist individuals, organisations and agencies to understand its investigative processes and application of the Privacy Act.
3.2 Responding to Enquiries
3.2.1 Telephone Enquiries
The Office’s telephone enquiry service (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call.
Since 1 July 2001 the enquiry service has answered over 120 000 telephone calls. The enquiry service answered 17 392 telephone enquiries in 2006–07. This is 9% less than the 19 150 received in 2005–06. The Office expects that more people are finding it convenient and effective to search for information online which may suggest a reason for the decreasing number of calls to the enquiry service.
Who is calling?
Continuing the trend that the Office has seen over the past few years, the vast majority of calls are from individuals seeking information about their privacy rights and advice about how to resolve privacy complaints.
Table 3.1 below illustrates the types of people who called the Privacy Enquiries Line in 2006–07.
Table 3.1 Source of Telephone Enquiries
Caller type | Number of calls
Individuals | 13 505
Health Service Providers | 415
Real Estate | 327
Legal, Accounting and Management Services | 299
Federal Government | 289
Finance | 231
State Government | 219
Business and Professional Associations | 217
Retail | 139
Employment Services | 137
What are calls about?
Of the calls received this year, 54% related to the National Privacy Principles (NPPs). This mirrors the proportion of calls received in relation to the NPPs in 2005–06. The most frequently discussed issue was the use and disclosure of personal information by private sector organisations. This has been a consistent theme over the last four years. Use and disclosure calls made up 33% of calls about the private sector provision in 2006–07, a slight decrease on last year’s 37%. Notably, there has been a significant increase in the number of calls about Tax File Numbers, with calls received this year almost doubling the number received in 2005–06. The proportion of calls about Credit Reporting and the Information Privacy Principles (IPPs) remained steady.
Table 3.2 shows a breakdown of issues discussed in calls received during 2006–07.
Table 3.2 Breakdown of issues in calls received
Issue | Number of calls
Private Sector Provisions Issues |
NPP 1 – Collection | 1337
NPP 2 – Use and Disclosure | 3160
NPP 3 – Data Quality | 131
NPP 4 – Data Security | 762
NPP 5 – Openness | 120
NPP 6 – Access and Correction | 1068
NPP 7 – Identifiers | 14
NPP 8 – Anonymity | 5
NPP 9 – Transborder Data Flows | 45
NPP 10 – Sensitive Information | 77
NPP Exemptions | 1788
Private Sector Provisions (General) | 927
Sub-total | 9434
Non-Private Sector Provisions Issues |
Credit Reporting | 1088
Data-matching | 16
IPPs | 800
Spent Convictions | 181
Tax File Numbers | 93
Privacy (General) | 4039
Sub-total | 6217
Unrelated to privacy | 1741
TOTAL | 17 392
Who are National Privacy Principles calls about?
Chart 3.1 below distributes the NPP telephone enquiries by private sector industry groups.
A sample of calls received during 2006–07 appears below.
- A caller rang seeking general information about how her business should comply with the NPPs. The caller was provided with information about how the NPPs might apply and what kinds of things she should be doing when collecting and using her customer information in fulfilling product orders.
- A caller joined a personal introduction service. The service disclosed his personal information to numerous people, and disclosed others’ personal information to him. The caller was concerned because the service never explained that this type of disclosure would take place. The caller was provided with information about the relevant law and the Office’s complaint procedures.
- A caller rang asking how to access a deceased person’s information. The caller was advised that the Privacy Act does not apply to information about deceased individuals and that the Office was unfortunately unable to assist.
- A caller from New South Wales sought a copy of a strata roll held by an Owners’ Corporation and was denied a copy on ‘privacy grounds’. In New South Wales, strata legislation allows people on the strata roll to have a copy of the roll. The caller was advised that this may be a lawful disclosure by the Owners’ Corporation under NPP 2, in particular NPP 2.1(g), if authorised by law and, in that case, the Privacy Act would permit the disclosure.
- A caller put his computer in for repair and was told by the repairer that the hard drive had crashed and needed to be replaced. The caller authorised the repair and collected his computer from the repairer. The caller subsequently received a call from a person who had her own computer fixed by the same repairer, and upon taking it home found all of the caller’s personal information on her new hard drive. The caller suspected his original hard drive had been on-sold before the data on the hard drive was deleted. The caller claimed his old hard drive had all his work material on it, including personal address and contact details for his family, bank accounts and passwords, amongst other things. The caller was advised to raise the matter with the repairer by complaining. The caller was provided with information about the small business operator exemption. The caller undertook to contact the repairer and get back to the Office with any necessary complaint.
3.2.2 Written Enquiries
The Office also responds to requests for information that are received by email, letter or fax. The Office received 2182 written enquiries in 2006–07 which is a 6% decrease on the number received in 2005–06 (2316).
The Office is committed to responding to 90% of written enquiries in ten working days. This benchmark was met in 2006–07.
Over half (58%) of the written enquiries answered in 2006–07 related to the private sector provisions.
A sample of the written enquiries received in 2006–07 appears below.
- An enquirer asked if it is permissible for an agency to use, with an individual’s written consent, their Police Records Check result, obtained in the recruitment process, in the security clearance process.
- An enquirer asked about the data security obligations of a private sector organisation.
- An enquirer asked whether photographing a building required the owner’s permission.
- An employer asked if they could monitor staff emails.
- An enquirer asked about the definition of ‘personal information’ as it appears in the Privacy Act.
3.3 Responding to Complaints
Allegations about acts or practices that may be an interference with the privacy of an individual can be accepted by the Privacy Commissioner as complaints. This can, for example, include complaints about:
- how personal information is gathered, held, used or disclosed by large private sector organisations, private sector health service providers and some small businesses under the National Privacy Principles
- how personal information is handled by Australian and ACT Government agencies according to the Information Privacy Principles
- credit worthiness information held by credit providers and credit reporting agencies
- the use of personal tax file numbers by individuals and organisations and
- related legislation, including ‘spent convictions’ under the Crimes Act 1914 and Australian Government data-matching programs regulated by the Data-matching Program (Assistance and Tax) Act 1990.
3.3.1 Complaints received during 2006–07
In 2006–07, the Office received a total of 1094 complaints across all areas of its jurisdiction. This is an 8% decrease on the previous year (1183 were received in 2005–06).
Complaints related to a wide variety of issues. Examples of complaints and their outcomes can be found on the Office’s website at www.privacy.gov.au/act/casenotes/index.html.
The number of complaints received about each Privacy Act jurisdiction is given in Chart 3.2. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed in this chart exceeds the number of complaints received in 2006–07. As has been the case since the Privacy Commissioner’s role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about.
The particular issues that are most regularly complained about as a percentage of total complaints received in 2006–07 are described in Chart 3.3. Please note that the percentages exceed 100% as some complaints contain more than one issue.
The most commonly complained about IPP issue was the improper use or disclosure of personal information, which makes up 43% of IPP allegations. The next most common allegation involved the unlawful or improper collection of personal information, making up 15% of allegations. The security of personal information was the third most frequent issue, making up 13% of allegations.
It is interesting to note that the most common issues raised in IPP complaints mirror the most common concerns raised in NPPs complaints. That is to say, that in relation to both IPP and NPP complaints the most frequently raised concerns in 2006–07 were about (in order) use or disclosure, collection and security.
Chart 3.4 shows the number of complaints made about each of the 12 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. The Office expects that this is due to the large number of finance providers, the volume of personal information transactions conducted by the sector and a reflection of the fact that the sector is bound by both the NPPs and the Credit Reporting provisions.
3.3.2 Complaints closed during 2006–07
Acts or practices that may be a breach of privacy may be investigated by the Privacy Commissioner. Where appropriate, the Commissioner may attempt to conciliate a resolution of the matters which led to the complaint.
If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further. Otherwise, the Commissioner may make a determination about a complaint under s. 52 of the Privacy Act.
In 2006–07, the Office closed 1210 complaints, 7% more than the 1131 complaints closed in 2005–06.
The Office investigated slightly more complaints under s. 40(1) of the Privacy Act than in the previous year. This year it chose to make preliminary enquiries into 7% more complaints and chose to summarily dismiss 8% fewer complaints than in 2005–06. Table 3.3 provides more information about the stage at which complaints were closed.
The Office aims to finalise all complaints within 12 months of receiving them. In 2006–07 complaints were closed in an average of eight months.
Table 3.3 summarises the stage at which complaints were closed.
Table 3.3 Stage at which Complaints Closed
Stage | Proportion of complaints closed
Decline to investigate – s. 41 | 52%
Preliminary enquiries – s. 42 | 36%
Formal investigation – s. 40(1) | 12%
Total | 100%
3.3.2.1 Complaints closed following investigations
In 2006–07, the Privacy Commissioner closed 12% of complaints following an investigation of the matter under s. 40(1) of the Privacy Act. The Privacy Commissioner came to the view that the complaint would likely be upheld in about 50% of these cases. Common resolutions after the investigation proceeded to conciliation included:
- apologies to complainants
- changes to database systems
- correction of records
- provision of access to records and
- amounts of compensation ranging from less than $500 to $20 000.
There were no determinations made in 2006–07. A determination is a legal decision or finding made by the Commissioner, as a consequence of which the Privacy Act’s enforcement powers (ss. 52–62) are activated. A determination may dismiss the complaint or find that the complaint has been substantiated, and make declarations about action needed (including that conduct should cease or not be repeated), the nature of redress and compensation, or that no further action is needed.
Table 3.4 shows the grounds for declining to investigate complaints further following an investigation. Please note complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of investigations closed in 2006–07.
Table 3.4 Grounds for Declining to Investigate Complaints Further Following an Investigation
Ground | NPPs | IPPs | Credit | Spent convictions | TFNs | ACT IPPs | Service Provider | Total
No interference with privacy – s. 41(1)(a) | 29 | 11 | 10 | 0 | 0 | 1 | 1 | 52
Respondent has adequately dealt with matter – s. 41(2)(a) | 53 | 5 | 17 | 0 | 0 | 0 | 1 | 76
Other (for example, withdrawn) | 20 | 8 | 10 | 0 | 1 | 0 | 0 | 39
Total | 102 | 24 | 37 | 0 | 1 | 1 | 2 | 16
In very general terms, the Commissioner found that about half of both the National Privacy Principles and Credit Reporting complaints investigated under s. 40 of the Privacy Act were substantiated. The Commissioner was less likely to find a complaint substantiated after investigating allegations about the Information Privacy Principles, with only approximately 20% of these complaints upheld.
3.3.2.2 Nature of remedies achieved by conciliation following investigation
Table 3.5 provides more detail on the outcome of complaints that were closed as adequately dealt with following investigation under s. 40(1) of the Privacy Act. As in Table 3.4, more than one resolution may have been reached for a particular complaint, meaning that the total listed in Table 3.5 is not equal to the total number of complaints.
Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation
Remedy | NPPs | IPPs | Credit | Service Providers | Total
Record amended | 15 | 1 | 12 | 0 |
Apology | 12 | 2 | 4 | 0 |
Changed procedure | 4 | 2 | 1 | 1 |
Access provided | 6 | 0 | 0 | 0 |
Other | 10 | 1 | 0 | 0 |
Compensation – up to $500 | 12 | 1 | 3 | 0 |
Compensation – $501 – $2000 | 9 | 0 | 3 | 0 |
Compensation – $2001 – $20 000 | 3 | 1 | 1 | 0 |
Compensation – confidential settlement | 1 | 1 | 0 | 0 |
Total | | | | |
Compensation was the most common resolution in investigated complaints. Compensation was paid in just over 30% of these complaints. The majority of payments were under $2000. The second most common outcome was the amendment of records.
3.3.2.3 Complaints closed following preliminary enquiries
The Privacy Act gives the Privacy Commissioner powers to conduct preliminary enquiries to determine whether the Commissioner has the power to investigate or should exercise a discretion not to investigate a matter further. For instance, a preliminary enquiry may seek to determine:
- whether an agency or organisation is willing to provide access to records
- if a particular act or practice is authorised by law
- whether an organisation may claim the small business operator exemption or
- whether a respondent is an agency or organisation.
In 2006–07 the Commissioner closed 36% of complaints after preliminary enquiries. Table 3.6 provides more detail on the basis for closing complaints following preliminary enquiries. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of preliminary enquiries closed in 2006–07.
Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries
Basis | NPPs | IPPs | Credit | ACT IPPs | Other | TFNs | Contract Service Providers | Total
Complaint not raised with respondent – s. 40(1A) | 17 | 2 | 2 | 0 | 0 | 0 | 0 | 21
No interference with privacy* – s. 41(1)(a) | 145 | 22 | 19 | 0 | 3 | 2 | 1 | 192
Aware of complaint for over 12 months – s. 41(1)(c) | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 2
Frivolous, vexatious, misconceived or lacking in substance – s. 41(1)(d) | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 4
Is being dealt with under another law – s. 41(1)(e) | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 3
Another law is more appropriate – s. 41(1)(f) | 2 | 1 | 1 | 0 | 0 | 0 | 0 | 4
Respondent has adequately dealt with matter – s. 41(2)(a) | 120 | 7 | 32 | 1 | 3 | 0 | 1 | 164
Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b) | 18 | 3 | 4 | 0 | 0 | 0 | 0 | 25
Other (for example, withdrawn) | 46 | 7 | 20 | 0 | 4 | 0 | 0 | 77
Total | 353 | 46 | 78 | 1 | 10 | 2 | 2 | 492
* This includes matters that fall outside the Commissioner’s jurisdiction, for example the respondent is a state government body.
As was the case in 2005–06, the most common reason for closing complaints after preliminary enquiries was due to a finding that the individual’s privacy had not been interfered with. This is in contrast to the complaints that were investigated, where the most common outcome was that the complaint was substantiated. Interestingly, in contrast to this overall trend, Credit Reporting complaints that were the subject of preliminary enquiries were more likely to be substantiated than unsubstantiated.
3.3.2.4 Nature of remedies achieved following preliminary enquiries
In the process of conducting preliminary enquiries, the Commissioner may find that the respondent has adequately dealt with the matter, or may be able to resolve the cause of the complaint through conciliation. Table 3.7 gives further detail about the types of resolutions achieved following preliminary enquiries. Please note that complaints can have more than one remedy.
Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries
Remedy | NPPs | IPPs | Credit | Contracted Service Providers | ACT IPPs | Other | Total
Access provided | 39 | 0 | 0 | 0 | 0 | 1 | 40
Compensation – up to $500 | 6 | 1 | 0 | 0 | 0 | 0 | 7
Compensation – $501 – $2000 | 9 | 2 | 1 | 0 | 0 | 0 | 12
Compensation – confidential settlement | 5 | 0 | 5 | 0 | 0 | 0 | 10
Other | 28 | 0 | 2 | 0 | 1 | 0 | 31
Apology | 24 | 5 | 1 | 1 | 0 | 1 | 32
Record amended | 37 | 2 | 25 | 0 | 0 | 2 | 66
Changed procedures | 10 | 0 | 0 | 0 | 0 | 0 | 10
Total | 158 | 10 | 34 | 1 | 1 | 4 | 20
Compensation was an outcome in only 14% of complaints closed after preliminary enquiries. The most popular resolution was the amendment of records. In addition, a significant proportion of these matters were resolved after the provision of access, which reflects the volume of preliminary enquiries that involved complaints about access to records.
3.3.2.5 Complaints closed without investigation
In 2006–07, the Privacy Commissioner closed 52% of complaints by exercising discretions not to investigate (or ‘decline’) the complaint. Table 3.8 gives a listing of the grounds the Commissioner relied on to close these complaints.
The most common reasons for closing complaints without investigation were:
- the complaint had not been raised with the respondent before being brought to the Commissioner (s. 40(1A)) or the complainant had not given the respondent sufficient time to deal with the complaint (s. 41(2)(b)) or
- there was no interference with privacy (s. 41(1)(a)).
Compared with 2005–06, there was a 12% decrease in the number of complaints closed due to no interference with privacy. The decrease was spread evenly across the categories of complaints, indicating a general trend rather than any specific clustering of ‘other’ cases.
Table 3.8 shows the basis for closing complaints without investigation. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of complaints closed without investigation in 2006–07.
Table 3.8 Basis for Closing Complaints without Investigation
Basis | NPPs | IPPs | Credit | Other | ACT IPPs | TFN | Total
Complaint not raised with respondent – s. 40(1A) | 99 | 19 | 17 | 8 | 0 | 1 | 144
No interference with privacy* – s. 41(1)(a) | 154 | 25 | 16 | 66 | 2 | 1 | 264
Aware of complaint for over 12 months – s. 41(1)(c) | 2 | 2 | 1 | 0 | 0 | 0 | 5
Frivolous, vexatious, misconceived or lacking in substance – s. 41(1)(d) | 4 | 6 | 2 | 6 | 0 | 0 | 18
Is being dealt with under another law – s. 41(1)(e) | 3 | 1 | 0 | 0 | 0 | 0 | 4
Another law is more appropriate – s. 41(1)(f) | 2 | 8 | 0 | 0 | 0 | 0 | 10
Respondent has adequately dealt with matter – s. 41(2)(a) | 15 | 3 | 5 | 1 | 0 | 0 | 24
Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b) | 62 | 10 | 18 | 3 | 0 | 1 | 94
Other (for example, withdrawn) | 73 | 14 | 27 | 10 | 0 | 3 | 127
Total | 414 | 88 | 86 | 94 | 2 | 6 | 690
* This includes matters that fall outside the Commissioner’s jurisdiction, for example the respondent is a state government body.
3.3.2.6 Compliance issues in National Privacy Principle complaints
The issues raised in complaints against private sector organisations that the Privacy Commissioner investigated and were closed as adequately dealt with are set out in Chart 3.5. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.
This year has seen a change in the most common National Privacy Principle (NPP) compliance issues. In 2006–07, the most frequently substantiated complaints against private sector organisations involved the refusal of access to personal information. This was despite the fact that the most commonly complained about NPP issue was the use and disclosure of personal information (see Chart 3.3). In 2005–06, the most frequently substantiated NPP complaint was about use and disclosure.
3.3.2.7 Compliance issues in Information Privacy Principle complaints
The issues raised in complaints against Australian and ACT Government agencies, where the agency took action after preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.6. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.
2006–07 has also seen a change in the most common Information Privacy Principle (IPP) compliance issues. Compared with 2005–06, the issues of disclosure (IPP 11) and use (IPP 10) rose in frequency, while security (IPP 4) dropped slightly. It is important to note that the question of access is commonly dealt with under Freedom of Information (FOI) legislation and is therefore not a common issue in IPP complaints.
3.3.2.8 Compliance issues in Credit Reporting complaints
The issues raised in complaints against credit providers or credit reporting agencies, where the respondent took action following preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.7. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.
As has been the trend for many years, the most commonly raised and corroborated Credit Reporting issue is the improper listing of payment defaults.
3.4 Own Motion Investigations
Section 40(2) of the Privacy Act gives the Privacy Commissioner the power to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Commissioner considers it desirable. The Office calls these investigations ‘own motion’ investigations.
3.4.1 Issues in Own Motion Investigations
During 2006–07, 55 new matters involving alleged interferences with privacy were brought to the attention of the Office by media coverage, calls to the Privacy Enquiries line, or individuals writing to the Office. The Office took steps to contact the organisation involved in the alleged act or practice in about 85% of cases.
The Office uses risk assessment criteria to determine whether to investigate a matter. These criteria include the:
- number of people affected and the consequences for those individuals
- sensitivity of the personal information involved
- progress of an agency or organisation’s own investigation into the matter and
- likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are widespread.
The allegations considered by the Office in 2006–07 included that:
- an organisation left records containing personal information on public transport
- a government agency was collecting personal information unrelated to its employment requirements as part of its recruitment process
- an organisation was conducting direct marketing under the guise of social research
- personal information may have been improperly disclosed by an enforcement body
- the security of personal information stored and accessed on certain websites had been compromised and
- an Australian Government agency improperly disclosed Tax File Numbers.
3.4.2 Outcomes of Own Motion Investigations
The majority of cases investigated where the Privacy Commissioner found the allegations to be substantiated resulted in the respondent dealing with the issue raised, either under their own initiative or with the Office’s suggestions.
Actions taken have included apologies, retrieval and appropriate disposal of records, and change in procedures.
3.5 Case Notes
The Privacy Commissioner regularly publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints. The purpose of these case notes is to provide an insight into how privacy principles are being applied, in order to:
- assist individuals, organisations and agencies in deciding whether to pursue a complaint, or to decide if personal information is being handled appropriately
- encourage good privacy practices and compliance with the Privacy Act and
- ensure the Office is accountable and transparent in its processes and decision making.
In 2006–07, the Office published 24 case notes about complaints under the National Privacy Principles, Information Privacy Principles and other areas of the Privacy Act. This compares with 18 case notes published in 2005–06.
Some situations illustrated by the case notes include:
- a government agency accessing information regarding a third party in relation to an investigation the agency was undertaking
- the improper disclosure of personal information by an investigator retained by an insurance company and
- a patient seeking access to medical records which had been withheld as part of a legal case.
The case notes are accessible on the Office’s website at www.privacy.gov.au/act/casenotes/index.html, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (Austlii) website at www.austlii.edu.au/au/cases/cth/PrivCmrA.
3.6 Complaints and Enquiries Statistics on www.privacy.gov.au
Statistical information is published by the Office to give an overview of complaints and enquiries received by the Office in a more generalised and wide-ranging form than the published case notes. Quarterly updates published on the Office’s website include the number of complaints, telephone and written enquiries received, and the number of National Privacy Principle complaints closed according to issue type.
These are available at www.privacy.gov.au/about/complaints/index.html.
3.7 Reports of Complaints under Approved Codes
The Privacy Act allows for organisations or groups of organisations to develop privacy codes. If approved by the Privacy Commissioner, these codes replace the National Privacy Principles as the legally enforceable privacy standards for those organisations. As at 30 June 2007 there were three approved privacy codes (see Table 3.9).
Table 3.9 Approved Codes under the Privacy Act
Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect
Queensland Club Industry Privacy Code | Privacy Commissioner | Clubs Queensland and the Privacy Commissioner | 23 August 2002
Market and Social Research Privacy Code | Privacy Commissioner | Association of Market and Social Research Organisations and the Privacy Commissioner | 1 September 2003
Biometrics Institute Privacy Code | Privacy Commissioner | Biometrics Institute and the Privacy Commissioner | 1 September 2006
The Privacy Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the Office under any of the approved codes in 2006–07.
The Privacy Commissioner is required to maintain a register of approved codes under s. 18BG of the Privacy Act. The register can be found on the Office’s website at www.privacy.gov.au/business/codes/index.html.
3.8 Audits
Under the Privacy Act, the Privacy Commissioner has powers to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits are crucial to determining and improving the degree of compliance with the Privacy Act. The Office conducts audits to promote best privacy practice and to reduce privacy risks across agencies.
The Commissioner’s audit powers are set out in several sections of the Privacy Act:
- auditing agency compliance with the Information Privacy Principles – s. 27(1)(h)
- examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s. 28(1)(d)
- auditing TFN recipients – s. 28(1)(e)
- auditing credit information files and credit reports held by credit reporting agencies and credit providers – s. 28A(1)(g).
The Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, unless at the request of the organisation under s. 27(3).
The number of audits carried out by the Office has varied over the life of the Privacy Act depending on the nature and volume of privacy complaints and other priorities of the Office. In 2006–07 the Office mainly undertook audits where it had received specific funding to do so. This is consistent with the approach taken by the Office since 2002–03 when the Commissioner decided to redirect the Office’s resources as a result of the significant increase in complaint numbers. However, 2006–07 also signalled the return of the audit program into Australian Government agencies.
In an effort to promote transparency in the Office’s audit work and to help promote good privacy practice, the Office has published the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002 on its website (see www.privacy.gov.au/government/audits). Some audit reports have classified content and as such have been withheld from publication or have been published in an abridged form.
3.8.1 Audits Commenced in 2006–07
3.8.1.1 ACT Government Audits
The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3) which includes a commitment by the Office to conduct two audits of ACT Government agencies per financial year. The Office selects audit targets on the basis of a risk assessment which takes into account previous audits and their findings, complaints against ACT Government agencies, the amount of personal information an agency holds, and the sensitivity of, and risk to, that information.
Table 3.10 below shows audits of ACT Government agencies commenced by the Office in 2006–07 under this arrangement.
Table 3.10 ACT Audits Commenced 2006–07
Agency | Audit Scope | Commenced
ACT Department of Territory and Municipal Services | Client Records | February 2007
University of Canberra | Staff and Student Records | June 2007
3.8.1.2 Biometrics for Border Control Audits
The Office has been allocated additional funding over four years (2005–06 to 2008–09) as a component of the Biometrics for Border Control program involving the Department of Foreign Affairs and Trade, the Australian Customs Service (Customs) and the Department of Immigration and Citizenship (DIAC). The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing. The Office has committed to undertake three audits per year of key projects in the Biometrics for Border Control program.
Table 3.11 below shows audits of Biometrics for Border Control projects commenced by the Office in 2006–07 under this funding.
Table 3.11 Biometrics for Border Control Audits Commenced 2006–07
Agency | Audit Scope | Commenced
Customs | SmartGate (System Design) | August 2006
DIAC | eHealth System | June 2007
The Office had scheduled a post-implementation audit of the Customs SmartGate project during 2006–07. However, the project was not ready to be audited and the audit has been postponed until 2007–08.
3.8.1.3 Australian Government Audits
During 2006–07 the Office commenced an audit of one Australian Government agency, the Australian National University, under s. 27(1)(h) of the Privacy Act. The purpose of the audit was to assess the agency’s compliance with the Information Privacy Principles in its handling of personnel case files, personnel recruitment files and student records, and other records as appropriate.
3.8.2 Audits Finalised in 2006–07
3.8.2.1 ACT Government Audits
In 2006–07, the Office finalised privacy audits of the ACT Government agencies shown in Table 3.12 below.
Table 3.12 ACT Government Audits Finalised 2006–07
Agency | Audit Scope | Finalised
ACT Office of the Community Advocate | Client Records | July 2006
ACT Corrective Services | Client and Staff Records | November 2006
The Office found that the agencies generally had appropriate privacy controls in place to ensure a satisfactory level of compliance with the Information Privacy Principles. However, where insufficient privacy controls were identified or where better privacy practice could be instituted, the auditors made recommendations concerning those aspects of the agencies’ operations.
Common audit findings covered:
- the lack of appropriate database audit trail capacities to monitor access and amendment of client records
- the need for better security controls for electronic records such as ‘need-to-know’ access controls and regular password change prompts
- a requirement to provide better privacy training for both new and existing staff in terms of keeping records of personal information
- a need for clear policies regarding data retention and storage/transit of personal information
- a need to improve notices provided to individuals when collecting their personal information and
- the need to ensure the agency did not retain unnecessary personal information.
Generally, the audited agencies accepted the Office’s recommendations.
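The first two findings above (no database audit trail of amendments to client records, and the need for need-to-know access controls) are the ones most directly fixable in the records system itself. The following is an added illustration, not code from the report or from any audited agency: an append-only change trail for a client-records table, using SQLite through Python's standard library. The table names, trigger names, operator names and client data are constructed for the example. Every amendment is attributed to a named operator, a change with no operator bound to the session is refused outright, and the trail itself cannot be rewritten or deleted through the database.

```python
"""Append-only change audit trail for a client-records table.

Added example (not from the report); standard library only, in-memory
SQLite, constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE client (
    client_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    address   TEXT NOT NULL
);
-- One row per change: who made it, when, what changed, before and after values.
CREATE TABLE client_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    client_id  INTEGER NOT NULL,
    action     TEXT    NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
    actor      TEXT    NOT NULL,
    at_utc     TEXT    NOT NULL,
    old_values TEXT,
    new_values TEXT
);
-- The application binds the operator to the session (set_actor); the triggers
-- read it, so a change with no named operator fails the NOT NULL constraint
-- on actor and the original change is aborted with it.
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT NOT NULL);

CREATE TRIGGER client_ai AFTER INSERT ON client BEGIN
    INSERT INTO client_audit (client_id, action, actor, at_utc, old_values, new_values)
    VALUES (NEW.client_id, 'INSERT', (SELECT v FROM session_ctx WHERE k = 'actor'),
            strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), NULL, NEW.name || '|' || NEW.address);
END;
CREATE TRIGGER client_au AFTER UPDATE ON client BEGIN
    INSERT INTO client_audit (client_id, action, actor, at_utc, old_values, new_values)
    VALUES (NEW.client_id, 'UPDATE', (SELECT v FROM session_ctx WHERE k = 'actor'),
            strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
            OLD.name || '|' || OLD.address, NEW.name || '|' || NEW.address);
END;
CREATE TRIGGER client_ad AFTER DELETE ON client BEGIN
    INSERT INTO client_audit (client_id, action, actor, at_utc, old_values, new_values)
    VALUES (OLD.client_id, 'DELETE', (SELECT v FROM session_ctx WHERE k = 'actor'),
            strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), OLD.name || '|' || OLD.address, NULL);
END;
-- The trail is append-only: rewriting or deleting audit rows is blocked in the database.
CREATE TRIGGER client_audit_no_update BEFORE UPDATE ON client_audit BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only');
END;
CREATE TRIGGER client_audit_no_delete BEFORE DELETE ON client_audit BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only');
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    """Bind the authenticated operator to this session before any change is made."""
    conn.execute("INSERT OR REPLACE INTO session_ctx (k, v) VALUES ('actor', ?)", (actor,))


def audit_trail(conn: sqlite3.Connection, client_id: int) -> list[tuple]:
    return conn.execute(
        "SELECT action, actor, old_values, new_values FROM client_audit "
        "WHERE client_id = ? ORDER BY audit_id", (client_id,)).fetchall()


def demo() -> tuple[list[tuple], bool]:
    """Create, amend and delete one (constructed) client record, then try to wipe
    the trail. Returns (trail rows, whether the wipe was blocked)."""
    conn = open_db()
    set_actor(conn, "caseworker.jones")
    conn.execute("INSERT INTO client VALUES (101, 'A. Citizen', '1 Example St')")
    conn.execute("UPDATE client SET address = '2 Sample Rd' WHERE client_id = 101")
    set_actor(conn, "caseworker.smith")
    conn.execute("DELETE FROM client WHERE client_id = 101")
    try:
        conn.execute("DELETE FROM client_audit")
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True
    return audit_trail(conn, 101), blocked


def unattributed_change_is_refused() -> bool:
    """No operator bound: the trigger's audit insert fails, which aborts the
    client insert as well, so the client table stays empty."""
    conn = open_db()
    try:
        conn.execute("INSERT INTO client VALUES (1, 'X', 'Y')")
    except sqlite3.DatabaseError:
        pass
    return conn.execute("SELECT COUNT(*) FROM client").fetchone()[0] == 0


if __name__ == "__main__":
    rows, blocked = demo()
    for row in rows:
        print(row)
    print("wipe blocked:", blocked, "| unattributed change refused:", unattributed_change_is_refused())
```

Two caveats apply when carrying this over to a real records system. Triggers capture amendments only; access (reads) of client records has to be logged at the application layer, since no database trigger fires on a SELECT. And SQLite has no roles: in a server DBMS the audit table belongs in a schema the application role can insert into but cannot alter, truncate or drop, otherwise the append-only triggers are only as strong as the privileges of whoever connects.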
3.8.2.2 Identity Security Audits
In 2005–06 the Office received funding to provide privacy advice and oversight in respect of projects to be delivered under the Australian Government’s National Identity Security Strategy (see section 1.3.5). As part of its oversight activity, the Office undertook an audit of the Document Verification Service (DVS) Prototype convened by the Attorney-General’s Department (AGD).
The DVS is an online system which allows authorised Australian, state and territory government agencies to verify the details of documents presented to them as proof of identity against the data held in the register of the corresponding document-issuing agency.
The audit was commenced in June 2006 and finalised in May 2007. The Office made seven recommendations in this audit relating to clarification of roles between the parties, data security (encryption), handling of personal information by recipients and provider agencies and the development of specific guidelines in the handling of DVS data.
These recommendations were provided to the participating agencies for consideration in the future development of a Privacy Impact Assessment for the National DVS being conducted by the AGD.
3.9 Personal Information Digest
To help people understand what personal information is held by each Australian and ACT Government agency, Information Privacy Principle 5.3 in s. 14 of the Privacy Act requires agencies to keep a record detailing:
- the nature of records kept
- the purpose for which these records are kept
- the categories of people the information is about
- the period for which the records are kept
- who has access to the records and
- the steps an individual needs to take to gain access to the records.
These explanatory records must be provided to the Privacy Commissioner in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).
The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website and the Office’s website. The Office published the PID for Australian Government agencies for the period ending June 2006 on its website at www.privacy.gov.au/government/digest/index.html.
3.10 Monitoring Government Comparisons of Data Sets
Data-matching is the process of bringing together large data sets of personal information from different sources and comparing them in order to identify any discrepancies.
For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or may be under-reporting turnover. This may include identifying individuals.
The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises a number of privacy issues. To ensure that government agencies minimise their impact on individuals' privacy while data-matching, the Office performs a number of functions. The Privacy Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998), voluntary guidelines which assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy-sensitive way.
3.10.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines
In order to detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans’ Affairs (DVA) and the Australian Taxation Office (ATO).
The Data-matching Act and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines) outline the type of personal information that can be used, how it can be processed and how the results can be used. They also require that individuals be provided with the opportunity to dispute or explain any matches, and require that individuals have means for redress.
The Data-matching Act requires Centrelink, DVA and the ATO to report to parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency. The Data-matching Act also makes the Commissioner responsible for monitoring the functioning of the statutory data-matching program. To this end, the Office runs inspections (see section 3.10.1.1).
3.10.1.1 Inspections
During 2006–07 the Office inspected Centrelink’s handling of a sample of data-matching cases in three regions. The regions inspected were as follows:
- Area South Australia, September 2006
- Area Pacific Central, December 2006
- Area Hunter, March 2007.
Representatives of the Office, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each of the inspections, a report is prepared and provided to Centrelink outlining the findings. The Office found that Centrelink’s processes and procedures for statutory data-matching were largely compliant with the requirements of the Data-matching Act.
3.10.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)
Many Australian government agencies also carry out data-matching activities that are not subject to the Data-matching Act but run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard for the privacy of individuals, the Privacy Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration (1998).
These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.
Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Privacy Commissioner for comment and, once it has been finalised, the program protocol should be made available to the public.
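The description of data-matching at the start of section 3.10 and the safeguards the voluntary guidelines require (monitoring, the opportunity to dispute, no action solely on automated processes) translate into concrete design choices in a matching run. The following is an added example, not code from the report or from any agency's data-matching system, showing one such run in Python over constructed records: a source organisation's aircraft register is compared with the matching agency's own client records. The field names, client identifiers, registration marks and the "no return lodged" rule are all assumptions made for the example. It also goes beyond the text in handling two cases a real run meets: names recorded in different orders or with diacritics, and a source record that matches more than one client record.

```python
"""A non-statutory data-matching run with the guideline safeguards built in.

Added example (not from the report); constructed sample data only.
"""
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass


def normalise_name(name: str) -> str:
    """Order-insensitive canonical name: accents stripped, apostrophes removed,
    other punctuation treated as whitespace, tokens sorted. This makes
    "O'Brien, Síle" and "Sile OBrien" compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    tokens = re.sub(r"[^a-z0-9]+", " ", s.replace("'", "")).split()
    return " ".join(sorted(tokens))


def match_key(name: str, dob: str) -> tuple[str, str]:
    """Blocking key: canonical name plus ISO date of birth."""
    return (normalise_name(name), dob)


@dataclass
class Candidate:
    source_ref: str          # identifier in the source data set (here an aircraft registration)
    client_ids: list[str]    # matching agency record(s); more than one means an unresolved identity
    finding: str
    status: str = "FOR_REVIEW"   # never an enforcement action: an officer decides, after notice


# Constructed sample data (assumed formats, not any real agency's).
SOURCE_REGISTER = [
    {"owner_name": "O'Brien, Síle", "dob": "1960-04-12", "aircraft_reg": "VH-ABC"},
    {"owner_name": "Jones, Peter",  "dob": "1975-09-30", "aircraft_reg": "VH-DEF"},
    {"owner_name": "Nguyen, Anh",   "dob": "1982-01-05", "aircraft_reg": "VH-GHI"},
    {"owner_name": "Smith, Mary",   "dob": "1970-07-07", "aircraft_reg": "VH-JKL"},
]
OWN_RECORDS = [
    {"name": "Sile OBrien", "dob": "1960-04-12", "client_id": "C100", "return_lodged": False},
    {"name": "Peter Jones", "dob": "1975-09-30", "client_id": "C200", "return_lodged": True},
    {"name": "Jones Peter", "dob": "1975-09-30", "client_id": "C201", "return_lodged": False},
    {"name": "Mary Smith",  "dob": "1970-07-07", "client_id": "C300", "return_lodged": True},
]


def run_match(source_records: list[dict], own_records: list[dict]) -> tuple[list[Candidate], int]:
    """Compare the source data set against the matching agency's own records.

    Returns (candidates, unmatched_source_count). Only a discrepancy produces a
    candidate; source records that match nobody are counted and discarded, not
    kept, since those people are not under suspicion."""
    index: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for rec in own_records:
        index[match_key(rec["name"], rec["dob"])].append(rec)

    candidates: list[Candidate] = []
    unmatched = 0
    for src in source_records:
        hits = index.get(match_key(src["owner_name"], src["dob"]), [])
        if not hits:
            unmatched += 1
            continue
        if len(hits) > 1:
            # Ambiguous identity: do not guess which client record is meant.
            candidates.append(Candidate(
                src["aircraft_reg"], [h["client_id"] for h in hits],
                "more than one client record matches; resolve identity before review",
                status="AMBIGUOUS_MATCH"))
            continue
        hit = hits[0]
        if not hit["return_lodged"]:   # the discrepancy rule assumed for this example
            candidates.append(Candidate(
                src["aircraft_reg"], [hit["client_id"]],
                "registered aircraft owner with no return lodged"))
    return candidates, unmatched


def next_step(candidate: Candidate) -> str:
    """Workflow gate. No branch returns an enforcement action, so the guideline
    rule against acting solely on automated processes holds by construction."""
    if candidate.status == "AMBIGUOUS_MATCH":
        return "identity resolution by an officer"
    return "officer review, then written notice giving the individual the opportunity to dispute or explain"


if __name__ == "__main__":
    found, skipped = run_match(SOURCE_REGISTER, OWN_RECORDS)
    print(f"{skipped} source record(s) matched nobody and were discarded")
    for c in found:
        print(c.source_ref, c.client_ids, c.status, "->", next_step(c))
```

The name normalisation is where matching quality is won or lost: without it the O'Brien records never meet, and a sloppier version (matching on surname alone) would inflate the candidate list with people who are not under suspicion, which is exactly the impact the guidelines ask agencies to minimise. The ambiguous Jones case is left for a person to resolve rather than silently picking one client record.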
In 2006–07, the Privacy Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 3.13.
Table 3.13 Program Protocols Received 2006–07
Matching Agency | Source Agencies or Organisations | Name of the Program Protocol | Description of the Program Protocol | Received Date
ATO | Civil Aviation Safety Authority; Australian Sports Rotorcraft Association; Recreational Aviation Australia | Aircraft Project Program Protocol | Identifies high-wealth individuals who fail to meet their taxation obligations. The protocol sought to identify owners of aircraft who may have failed to lodge tax returns or under-reported their taxable income. | August 2006
ATO | BarterCard providers | Barter Industry Program Protocol | Update of the 2004 program protocol to review data from later periods. | September 2006
ATO | Racing NSW | Horse Racing Data Matching Program Protocol | Update of the 2003 program protocol, extending the program to review the 2003–04 and 2004–05 financial years. | September 2006
ATO | Various shopping centre operators (e.g. Westfield, Stockland) | Shopping Centre Retailers Data Matching Program Protocol | Identifies retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals. | September 2006
ATO | Victorian Taxi Directorate; Queensland Transport | Taxi Industry Data Matching Program Protocol | Identifies taxi drivers who may have failed to register for GST or declare income. | September 2006
ATO | WorkCover WA, Tas, NT and ACT | WorkCover WA, Tas, NT and ACT Data Matching Program Protocol | Identifies non-compliance with registration, lodgement and payment obligations under taxation law. The protocol matched business names and addresses registered with WorkCover WA, Tas, NT and ACT against the ATO's own records. This may include personal information. | November 2006
ATO | Telstra Corporation Ltd; News Limited; John Fairfax Holdings Limited; Carsales.com.au Limited; Just Magazines Group | Internet Trading, Print Media Advertising and Motor Vehicle Publications Data Matching Project | To improve compliance with taxation obligations, the protocol matches sales data provided by key internet trading, print media advertising and motor vehicle publications with ATO taxpayer records. | December 2006
ATO | Various market operators located in NSW, Victoria and Queensland | Market Stall Holders Data Matching Project | To improve compliance with taxation obligations, the protocol matches data provided by around 21 market operators (and the entities that operate stalls in these markets) with ATO taxpayer records. | December 2006
Centrelink | Stage 1: ATO; Stage 2: identified external agencies | Spousal Indicator Matching with External Agencies | Identifies Centrelink customers receiving single-rate benefits who are married or in a marriage-like relationship. At least eight identified external agencies will participate in Stage 2 (e.g. Medicare, Australian Electoral Commission, Land Titles Offices). | December 2006
Centrelink | Centrelink; Commonwealth Bank of Australia (CBA) | Bank Account Verification – Proof of Concept Trial | To ensure payment integrity is maintained, the protocol matched specified Centrelink and CBA customer records to identify whether Centrelink customers' eligibility for payments had changed on the grounds of variations in income or asset details. | December 2006
Centrelink | Relevant overseas authority | Death matching with International Agencies | Identifies Centrelink customers who have died overseas and continue to be paid. | March 2007
Centrelink | ATO | Tax Garnishee Project | Identifies ATO clients with a Centrelink debt for the purpose of intercepting their tax refund or available credit by a garnishee notice from Centrelink. | May 2007
Centrelink | Income Stream Providers (ISPs) | Improved Administration of Income Streams | Revision of the 2005 program protocol to increase its usefulness for Income Stream Providers (ISPs) participating in the data-matching activity. | June 2007