THE OFFICE OF THE PRIVACY COMMISSIONER

2006-07 Annual Report of the Office of the Privacy Commissioner -- Full Version


Table of Contents

User's Guide

Commissioner's Overview 2006-07

Chapter 1 Respecting Privacy

Chapter 2 Promoting Privacy

Chapter 3 Protecting Privacy

Chapter 4 Management and Accountability

Appendices

Appendix 1 The Privacy Act and the Office of the Privacy Commissioner

Appendix 2 Freedom of Information Act Compliance

Appendix 3 Speeches and Presentations

Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2006

Appendix 5 Demographic Information about Complainants

Appendix 6 National Privacy Principles

Appendix 7 Information Privacy Principles

Appendix 8 Strategic Plan 2007–09

Financial Statements (PDF only)

Glossary


Copyright © Office of the Privacy Commissioner 2007 ISSN 1035-3372

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, right and content should be addressed to:

Copyright Officer
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001

Email: privacy@privacy.gov.au

 

User's Guide and Commissioner's Overview 2006-07

User’s Guide

Immediately following this guide, you will find the Commissioner’s Overview for 2006–07 which includes a summary of significant issues, developments and achievements during the year, key statistics, and an outline for the year ahead for the Office.

The main chapters follow the Overview and the Annual Report is concluded by the various Appendices, Glossary and Index.

Chapter 1 Respecting Privacy describes the Office’s work for 2006–07 in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating key client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy representatives across Australian and ACT Government departments and agencies, handling media enquiries, maintaining the Office’s website and assisting with speeches and presentations by the Commissioner and members of staff.

Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of government agencies, investigating complaints and conciliating disputes.

Chapter 4 Management and Accountability contains an overview of the Office’s administrative arrangements, management of human resources and corporate governance.

The Appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.

The Office of the Privacy Commissioner’s audited Financial Statements for 2006–07 are located immediately following the Appendices. The Glossary and Alphabetical Index can be found at the end of the report.

ACT Government

Information that relates directly to ACT Government matters can be found in sections 1.4, 3.8.1.1, 3.8.2.1 and 4.1.3.

How to find out more

For enquiries about this report or for copies of other Office of the Privacy Commissioner publications, please contact:

Director
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY   NSW   2001

Telephone:    + 61 2 9284 9800
         + 61 2 9284 9666
Email:        privacy@privacy.gov.au
Website:      www.privacy.gov.au

Enquiries line:      1300 363 992  local call
TTY:          1800 620 241  no voice calls

This report is also available on the Office of the Privacy Commissioner’s website at www.privacy.gov.au/publications/index.html#A.

Non-English Speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.

Commissioner’s Overview 2006–07

2006–07 was a year characterised by strategic analysis, reflection on the operation of the law and looking to the future.

Two projects in particular capture this. One was my Office’s submission to the Australian Law Reform Commission (ALRC) review of privacy. The other was our development of a new Strategic Plan to guide our operations over the next three years.

Our substantial submission to the ALRC review of privacy crystallises our thoughts on what the future of privacy regulation in Australia should look like. This submission brings together my Office’s position on issues as varied as the privacy principles, technology, transborder data flows, exemptions to the Privacy Act, health and telecommunications, to name a few.

A central theme of the submission was that any reform of Australia’s privacy laws should aim to enhance regulatory consistency and reduce complexity. Nationally consistent privacy legislation will reduce compliance difficulties for agencies and organisations and empower individuals to understand and exercise their privacy rights without confusion.

Currently, the Privacy Act contains two sets of privacy principles. One set applies to Australian and ACT Government agencies and the other to the private sector. I believe that a technology-neutral, principles-based approach remains the best way to regulate personal information handling in the context of rapid technological change. However, my Office has suggested that these two sets of principles should be replaced by a single set of principles to reduce regulatory complexity.

Further information about the ALRC review of privacy is available in section 1.2 of this report.

The second project that caused the Office to look to the future was our development of a new Strategic Plan; a project vital to all aspects of our operations.

For me, a Strategic Plan is essential to the success of an agency. It focuses the agency’s energies and gives a clear and steady direction to its many operations and functions. 

Our strategic planning process involved the whole Office and I am very pleased with the outcome, which is a plan that combines high standards and goals with practical actions for achieving those goals.

Our vision, as articulated in our new Strategic Plan, is of ‘an Australian community in which privacy is valued and respected’. This simple but powerful vision lies at the heart of all our efforts to promote, protect and encourage respect for that simple but powerful value: privacy.

Many have commented on the upheaval we have seen in the past few decades (particularly in the realm of information technology) and how this has impacted on privacy and the way we make ourselves known to the world. But what hasn’t changed is that we will still need privacy to live full, autonomous and free lives.

Our Strategic Plan heralds the next instalment of our work to promote and protect this important value. The Plan is attached to this Annual Report at Appendix 8.

The new Strategic Plan and our submission to the ALRC review of privacy were major pieces of work for 2006–07. However, there were many significant projects undertaken by my Office during the year.

During 2006–07 my Office continued to work closely with the Office of Access Card and the Consumer and Privacy Taskforce to provide advice on the privacy framework surrounding the proposed Health and Social Services Access Card.

In 2006–07, the Office also implemented many of the recommendations made in its Complaint Handling Review in an ongoing effort to reduce the complaint backlog and enhance our service standards and conciliation techniques.

In 2006, my Office joined with state and territory privacy regulators to promote ‘Privacy Awareness Week’. During the week, the Office released a number of promotional items and hosted an event at which the Attorney-General launched the Office’s new layered privacy policy and Privacy Impact Assessment Guide.

In November 2006, my Office also marked the five year anniversary of the National Privacy Principles (NPPs). My Office hosted a function which offered a chance both to look back at how the NPPs had performed and to look forward. This event is, I hope, the first of many Privacy Connections events hosted by the Office to raise privacy awareness in the private sector.

The year ahead

In 2007–08, the Office will continue to host Privacy Connections events across Australia to raise awareness in the private sector about privacy obligations under the Privacy Act. These events will likely involve speakers from the Office as well as guest speakers sharing their knowledge of information handling in their organisations.

We will also work to promote privacy via the Privacy Awareness Week initiative, which in 2007 will be promoted in coordination with other data protection authorities in the Asia Pacific region.

In 2007, the Office will be releasing the results of community attitudes research it has commissioned. This research seeks to find out what individuals think about privacy in different contexts. The research will help the Office to ‘tune in’ to community expectations about privacy and will be vital for ensuring that Office operations and activities match the needs of key stakeholders.

During the reporting period, the Office undertook to audit all of its publications to check for accuracy and currency. In 2007–08 the Office will update publications based on the findings of the audit. Our aim is to have guidance material available to stakeholders that is clear, up-to-date, accessible, and written in plain English.

Tying in closely with the publications review is the redevelopment of the Office’s website which will be progressed in the coming year. The website redevelopment seeks to make our publications easy to find and improve the layout and accessibility of the Office’s online presence.

With many of the recommendations implemented from the Office’s Complaint Handling Review, the Office will move to taking a more proactive approach to encouraging compliance with the Privacy Act and look to address systemic privacy issues.

In 2007–08, the Office looks forward to participating in the next phase of the ALRC review of privacy. The ALRC is due to release a discussion paper in 2007 and then its final report in 2008. The Office will continue to consult with the ALRC during this period to ensure the best outcome for privacy legislation in Australia.

And finally, the Office is committed to implementing the actions and goals encompassed in its new Strategic Plan and working towards the vision of ‘an Australian community in which privacy is valued and respected’.

The year in review – a summary

A brief summary of the Office’s performance in 2006–07 is outlined below. A more detailed review of performance is contained in chapters 1 – 4.

Telephone Enquiries:

The Office received 17 392 telephone enquiries in 2006–07 compared with 19 150 in 2005–06. This represents a 9% decrease in enquiries received by the Enquiries Line. See section 3.2.1 for further information.

Written Enquiries:

The Office received 2182 enquiries by email, post or facsimile in 2006–07 compared with 2316 written enquiries reported in 2005–06. This represents a 6% decrease in the number of written enquiries received by the Office from the previous year. See section 3.2.2 for further information.

Complaints:

The Office received 1094 complaints in 2006–07 compared with 1183 in 2005–06. This represents an 8% decrease in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1210 complaints in 2006–07, representing a 7% increase from the previous year.

Case Notes:

The Office published 24 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may have a significant impact on a large number of people. Case notes serve to demonstrate to members of the public how the Commissioner handles complaints. Case notes also serve as a possible indication of the Commissioner’s view in relation to aspects of privacy law. See section 3.5 for further information.

Determinations:

In 2006–07, the Office renewed three credit provider determinations. See section 1.5.3 for further information.

On 23 December 2006, Temporary Public Interest Determinations (TPIDs) issued by the Privacy Commissioner, which allowed health practitioners to collect patients’ health information from the Prescription Shopping Information Service without consent, and without breaching NPP 10, expired. Amendments to the Privacy Act in 2006 removed the need for further TPIDs in this area. See section 1.6.3 for further information.

Complaint Handling Review:

As signalled in last year’s Annual Report, and in line with Recommendation 42 of the Office’s 2005 report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, the Office has reviewed its complaint handling processes. A series of changes were recommended, and these changes have either been implemented, or are close to final implementation. Key changes include:

  • clarifying our conciliation process
  • new respondent and complainant response timeframes
  • developing strategies to proactively pursue responses
  • updating the Complaint Handling Manual
  • drafting Determination guidelines and
  • designing and implementing a uniform training program for Compliance Section staff.

Where changes directly affect complainants and respondents the Office has given stakeholders clear notice of the changes. For example, the Office announced the reduction in timeframes in the Office’s newsletter Privacy Matters and amended timeframes on its website. The impact of changes will be evaluated after they have been in operation for a reasonable period. This is likely to be within 12–18 months. See section 3.1 for further information about the Office’s compliance activities.

Media:

132 media enquiries were received in 2006–07. This represents an 11% decrease in comparison to the number of enquiries for 2005–06, in which the Office received 148 media enquiries. See section 2.3 for further information.

Speeches:

26 speeches and presentations were delivered in 2006–07. The presentations addressed ongoing and emerging privacy issues. Further information on speeches and presentations can be found at section 2.4 and a list of all speeches and presentations delivered by the Office can be found at Appendix 3.

Policy Advices:

The Office produced 163 advices on significant policy issues. This represents a 20% increase in the number of policy advices the Office prepared in comparison to 2005–06.

Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.

The number of submissions made by the Office to public consultation processes is listed separately below.

Submissions:

In 2006–07, the Commissioner provided 32 submissions to government departments and parliamentary inquiries on policy proposals or Bills before parliament, providing analysis on the privacy implications of the proposal or Bill and offering advice on methods to ensure privacy is appropriately considered and protected.

The following submissions were made by the Office:

  • Research Study into Public Support for Science and Innovation; Productivity Commission (August 2006)
  • Extradition and Mutual Assistance Treaties with Malaysia; Joint Standing Committee on Treaties (August 2006)
  • Consultation on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Funding Bill 2006; Attorney-General’s Department (August 2006)
  • Consultation on the Australian Government Health and Social Services Access Card – Discussion Paper Number 1; Department of Human Services: Access Card Consumer and Privacy Taskforce (August 2006)
  • Industry Standard for the Making of Telemarketing Calls – Discussion Paper; Australian Communications and Media Authority (September 2006)
  • Review of the Taxation Secrecy and Disclosure Provisions – Discussion Paper; Treasury (September 2006)
  • Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006; Senate Legal and Constitutional Affairs Committee (October 2006)
  • Review of Australia’s Mutual Assistance Law and Practice; Attorney-General’s Department (October 2006)
  • Families, Community Services and Indigenous Affairs and Veterans’ Affairs Legislation Amendment (2006 Budget Measures) Bill 2006; Senate Standing Committee on Legal and Constitutional Affairs (November 2006)
  • Queensland Law Reform Commission Guardianship Review Stage 1 – Confidentiality in the Guardianship System: Public Justice, Private Lives; Queensland Law Reform Commission (November 2006)
  • Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006; Senate Legal and Constitutional Affairs Committee (November 2006)
  • Consultation on the Exposure Draft of the Human Services (Enhanced Service Delivery) Bill 2007; Office of Access Card (January 2007)
  • Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Draft Industry Standard 2006; Australian Communications and Media Authority (January 2007)
  • Review of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Attorney-General’s Department (February 2007)
  • Exposure Draft of the Telecommunications (Interception and Access) Amendment Bill 2007; Attorney-General’s Department (February 2007)
  • Inquiry into the AusCheck Bill 2006; Senate Legal and Constitutional Affairs Committee (February 2007)
  • Inquiry into the AusCheck Bill 2006 – Questions on Notice Supplementary Submission; Senate Legal and Constitutional Affairs Committee (February 2007)
  • Australian Law Reform Commission Review of Privacy – Issues Paper 31; Australian Law Reform Commission (February 2007)
  • Inquiry into the Human Services (Enhanced Service Delivery) Bill 2007; Senate Finance and Public Administration Committee (February 2007)
  • Draft Consolidated Anti-Money Laundering and Counter-Terrorism Financing Rules; AUSTRAC (March 2007)
  • Consultation Draft Telecommunications Integrated Public Number Database Scheme 2007; Australian Communications and Media Authority (March 2007)
  • Consultation on the Privacy Blueprint – Unique Health Identifiers (Version 1.0); National E-Health Transition Authority (March 2007)
  • Draft of Telecommunications Integrated Public Number Database Legislative Instruments 2007; Department of Communications, Information Technology and the Arts (March 2007)
  • Consultation on the Australian Government Health and Social Services Access Card – Discussion Paper Number 2; Department of Human Services: Access Card Consumer and Privacy Taskforce (March 2007)
  • Government Agency Coercive Information-Gathering Powers, Draft Report; Administrative Review Council (March 2007)
  • Australian Law Reform Commission Review of Privacy – Issues Paper 32: Credit Reporting Provisions; Australian Law Reform Commission (April 2007)
  • Consultation on the Australian Government Health and Social Services Access Card – Discussion Paper Number 3 on Registration; Department of Human Services: Access Card Consumer and Privacy Taskforce (April 2007)
  • Consultation on Australian Government Smartcard Framework (version 0.12), Standards and Model Specification (‘Part c’); Australian Government Information Management Office (April 2007)
  • Consultation on Australian Government Smartcard Framework Part d (Working Draft Version 2.0); Australian Government Information Management Office (May 2007)
  • Research Calls on Sundays; Australian Communications and Media Authority (May 2007)
  • Legal Professional Privilege and Commonwealth Investigatory Bodies – Issues Paper 33; Australian Law Reform Commission (June 2007)
  • Consultation on Model Offences to Combat Identity Crime 2007; Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General (June 2007).

Karen Curtis
Privacy Commissioner

 

Chapter 1 Respecting Privacy


 

1.1     Review of Performance

The Office’s work in reviewing new policy and legislative proposals during 2006–07 was extensive, with an increased number of new proposals involving the handling of personal information being analysed and commented on by the Office. The Office’s involvement with many of these proposals is detailed in the following sections.

The most significant of the proposals, the Health and Social Services Access Card (the Access Card), required considerable resources of the Office during the reporting period. To take account of this, the Department of Human Services entered into a Memorandum of Understanding (MOU) to provide the Office with additional resourcing to allow appropriate work on the various consultation papers and to allow the Office to engage in a number of government working groups on the Access Card.

During the year the Office also worked closely with the Department of Immigration and Citizenship, under an MOU, to assist the Department in relation to incorporating the knowledge and use of the Information Privacy Principles more effectively into its administrative practices.

These two MOUs, together with a number of other initiatives to build relationships with government agencies and businesses, reflect the Office’s goal of building and developing robust relationships as reflected in the 2007–09 Strategic Plan.

The other significant piece of policy work undertaken by the Office in 2006–07 was the development of our two submissions to the Australian Law Reform Commission (ALRC) review of privacy. This work meant drawing on the whole of the organisation’s resources and the extensive knowledge of its officers.

Undertaking the development or confirmation of the Office’s position on each of the ALRC’s 142 questions was a very significant task but the result is a comprehensive document detailing much of the Office’s understanding of the current law and our analysis of where it works well and what could be improved.

Altogether the Office made 32 public submissions during the reporting period, including the 474-page submission to the ALRC and several other substantial submissions, for example in relation to the proposed Access Card and the Anti-Money Laundering and Counter-Terrorism Financing legislation. In terms of numbers of submissions alone, this year saw a 70% increase on 2005–06.

During the reporting period the Office also released a number of reports and information products. These included the Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS Claims Information (the section 135AA guidelines), the Review Report on the Credit Reporting Assignees and Classes Determinations, the finalised Privacy Impact Assessment Guide and an Information Sheet on the Prescription Shopping Information Service.

In addition, during the reporting period the Privacy Commissioner approved the Biometrics Institute Privacy Code and a minor variation to the Market and Social Research Privacy Code, and renewed three credit provider determinations.

The 32 submissions completed during the reporting period together with the various review reports, credit determinations and the information sheet have greatly assisted the Office to achieve the 2007–09 Strategic Plan goals of high quality results and increased awareness of privacy choices and obligations within the community.

1.2     Australian Law Reform Commission Review of Privacy

In response to the release of the Australian Law Reform Commission (ALRC) Review of Privacy – Issues Paper 31 (IP31), all sections of the Office were involved in the research and preparation of a comprehensive submission. Many of the recommendations from the Office’s 2005 report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 were discussed and developed further.

In February 2007 the Office made a 474-page submission to the ALRC. The submission identified a wide range of issues in areas as diverse as health, technology and telecommunications.

While acknowledging that the existing principles in the Privacy Act are generally operating well, the Office made numerous suggestions to improve Australian privacy regulation. Amongst its suggestions, the Office called for a merging of the two sets of privacy principles in the Privacy Act to create a new single set of principles, as well as greater national consistency in privacy regulation.

As well, in order to create optimal privacy protection for people’s health information and help to clarify health service provider obligations, the Office suggested that the Privacy Act should ‘cover the field’ in regulating health service providers in the private sector.

In relation to new technologies, the Office made a number of suggestions including:

  • the Privacy Act should remain technology neutral to allow for sufficient regulatory flexibility
  • in certain circumstances, organisations should be required to notify customers of a security breach that has made their personal information vulnerable
  • biometric information should be classified as sensitive information under the Privacy Act to ensure that it is afforded a higher level of privacy protection than other forms of personal information.

In response to the ALRC’s second issues paper, ALRC Review of Privacy – Issues Paper 32: Credit Reporting Provisions (IP32), the Office made a second detailed submission in April 2007.

The Office noted that the regulation of personal credit information could be improved to reduce complexity while still maintaining strong privacy protections. As a way of achieving this, the Office recommended that the existing credit reporting provisions could be repealed and replaced by the National Privacy Principles operating in tandem with a binding code.

The Office also suggested to the ALRC that the Privacy Commissioner be provided with additional options for dealing with breaches depending on the type and seriousness of the breach. In particular, the Office submitted that the Privacy Commissioner should be given stronger powers to handle systemic issues within the credit industry and issues arising from industry practice. Additionally, the Office recommended that independent research be undertaken into the impact that comprehensive credit reporting would have in Australia.

Overall, the Office’s response to IP32 reflected a continuing commitment to helping Australians retain choice and control over the use of their personal credit information.

The complete Office submissions to the two ALRC issues papers can be found at:

The Office will continue to be closely engaged in the ALRC’s review, which is expected to be completed in early 2008.

1.3     Privacy and the Australian Government

This section discusses the work the Office did during the reporting period in relation to Commonwealth legislation and/or Australian Government activity.

Please note however that some areas of the Office’s work relating to the Australian Government are discussed in other sections of this Chapter (for example, 1.5 Business; 1.6 Health; 1.7 Information and Communications Technology).

1.3.1   Guide to Privacy Impact Assessments

In August 2006 the Office launched the Privacy Impact Assessment (PIA) Guide. The Attorney-General, the Hon. Philip Ruddock MP, was present to launch the document.

The PIA Guide is intended to assist Australian and ACT Government agencies to determine the impact new organisational proposals could have on privacy. The PIA Guide enables agencies to critically examine and assess their project’s capacity to comply with the Privacy Act, as well as inform agencies about broader privacy issues raised by the project. While the PIA Guide has been targeted at agencies, private sector organisations could also find it useful.

The Office has provided advice to agencies on the PIA process and received feedback that the Guide has assisted agencies to critically examine and assess their project’s capacity to comply with the Privacy Act, to build privacy safeguards into their projects at an early stage and minimise the need for retrospective and reactive privacy measures.

The PIA Guide can be found on the Office’s website at www.privacy.gov.au/publications/pia06/index.html.

1.3.2   Australian Government Health and Social Services Access Card

The Office made three submissions to the Minister for Human Services’ Access Card Consumer and Privacy Taskforce. These were made in response to the discussion papers released by the Taskforce concerning, respectively, the broad policy and implementation of the Access Card, the storage of optional and voluntary health information on the Access Card, and registration for the Access Card. These submissions are available at www.privacy.gov.au/news/access-card.html.

The Office proposed that ensuring adequate privacy protections will be important to promoting community trust and confidence in the Access Card system (comprising the card itself, as well as associated infrastructure and functions). The Office noted that a robust privacy framework is dependent on ensuring that reliance is not placed on one form of privacy protection. The Office suggested that such protections should be multifaceted, incorporating:

  • fundamental system design, including card design, system architecture and the parameters governing what information is collected and what information flows are possible
  • technological measures, including, but not limited to, data security initiatives, as well as measures to minimise the degree to which existing systems become increasingly integrated, a consequence of which may be new and potentially privacy invasive flows of personal information
  • legislative measures, including defining the extent of the functions of the Access Card, proscribing purposes that fall outside those functions and introducing sanctions for misusing any aspect of the system or the personal information it handles and
  • oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

In December 2006 the Office entered into an agreement in the form of a Memorandum of Understanding with the Department of Human Services (see section 4.1.5) which allows for close consultation on privacy-related issues in the development and roll-out of the Access Card.

Under the agreement, the Office will provide advice to the Department on the privacy implications of the Access Card system, participate in site visits with registration authorities to observe and analyse the privacy aspects of the registration process, and assist in the development of privacy-related information and educational materials.

1.3.3   Department of Immigration and Citizenship

The Office entered into a Memorandum of Understanding (MOU) with the Department of Immigration and Citizenship (DIAC) for 2006–07 (see section 4.1.7). Entering into the MOU was one aspect of DIAC’s change management strategies following the intensive policy review undertaken after the release of the Palmer and Comrie reports.

DIAC identified the need to assess and improve the manner in which it addressed privacy issues in fulfilling its statutory functions. Recognising the benefits of close cooperation with the Office on privacy issues, and without compromising the independence of the Office, DIAC entered into the MOU to provide the Office with funding to allow dedicated resources to be deployed to assist DIAC in its objective.

Under the MOU the Office provided advice to DIAC on the development of various guidance and training materials in the reporting period. This included advice on Privacy Impact Assessments and Checklists, privacy guidelines for staff, training scenarios and Information Privacy Principle (IPP) Flowcharts specifically related to IPP 11 disclosure obligations.

More information about Privacy Impact Assessments and Checklists is available at www.privacy.gov.au/publications/pia06/index.html.

1.3.4   Australian Government Information Management Office – Australian Government Smartcard Framework

The Office made submissions on Part c of the Australian Government Smartcard Framework which deals with Standards and Model Specification in April 2007, and Part d of the Framework, the Smartcard Implementation Guide in May 2007.

The Office’s comments in these two submissions primarily related to the management of interoperability for a particular smartcard project, while minimising the risk of function creep. The Office suggested that careful consideration should be given to the necessity of collecting and retaining personal information, including the creation and display of identifiers, in any smartcard project whether this information was intended to be on the smartcard, the chip or on the supporting systems. The Office also noted that the success of a smartcard project is likely to be linked to user acceptance and adoption of the smartcard, which can be assisted by good privacy practices.

1.3.5   Identity and Border Security

In the 2006–07 Budget, the Office received funding to allow it to participate in the development of a National Identity Security Strategy. The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS) convened by the Attorney-General’s Department to assist in developing this national strategy. The Office has attended a number of meetings of the CRGIS and its working groups during 2006–07.

The Privacy Commissioner is also represented on the National Identity Security Coordination Group (NISCG). In 2006–07 the Office attended a number of meetings of the NISCG and provided comments on the development of an Inter-Governmental Agreement (IGA).

The Prime Minister, Premiers and Chief Ministers signed the IGA at the Council of Australian Governments (COAG) meeting on 13 April 2007. At that meeting, COAG also noted the progress made to date in giving effect to the six elements of the Strategy, and acknowledged the value of this work as reference documents for Australian Government agencies.

Information on the IGA can be found at www.coag.gov.au/meetings/130407.

There are five working groups under the CRGIS framework. These include working groups on the Document Verification Service (DVS), Integrity of Identity Data, Authentication, Security Standards for Proof of Identity and Proof of Identity.

The current funding is tied to the Office’s work in the Identity Security area, particularly in relation to the DVS. The Office has member status on the DVS Working Group. In 2006–07 the Office published on its website the final Audit report on the DVS prototype pilot completed in 2005–06. The Office also commented on the Privacy Impact Assessment (PIA) prepared by the Attorney-General’s Department in relation to the DVS.

The Privacy Commissioner is also represented as a member on the Integrity of Identity Data Working Group. During the reporting period the Office provided comment on the Memorandum of Understanding between the Attorney-General’s Department, the Australian Taxation Office and participating agencies for the Integrity of Identity Data Pilot and the PIA for the Integrity of Identity Data Pilot.

The Privacy Commissioner is not represented on the Authentication Working Group, which is a part of the CRGIS governance framework, but has observer status on this working group. However, related to this, during the reporting period the Office made submissions on the Australian Government Smartcard Framework (see section 1.3.4) and provided comment on amendments to the Public Key Infrastructure Gatekeeper Framework and comments on the Australian Government e-Authentication Framework (to cover government transactions with individuals).

1.3.6   Law Enforcement

The Anti-Terrorism Act (No.2) 2005 requires the Australian Federal Police to develop three sets of guidelines for the collection, use, handling, retention and disposal of personal information in relation to:

  • the police powers to stop, question and search
  • the expansion to the Australian Federal Police powers to obtain information and
  • optical surveillance.

The Office received funding to assist the Australian Federal Police, in consultation with the Attorney-General’s Department, to develop guidelines.

The Office has commenced consultation with the Australian Federal Police on this and expects the guidelines will be completed in 2007–08.

1.3.7   AusCheck

In February 2007, the Office made a submission to and appeared before the Senate Legal and Constitutional Affairs Committee’s inquiry into the AusCheck Bill 2006. The Bill established the regulatory framework around the creation of a centralised Australian Government managed background checking service to be known as ‘AusCheck’.

The Office noted that the establishment of a background checking service that was a prerequisite to obtaining or maintaining employment would involve the collection and handling of significant amounts of personal information, including potentially sensitive information. Consequently, the Office submitted that the Bill could be enhanced by providing more details regarding the:

  • purposes for which AusCheck’s background checking function may be applied
  • breadth of information that may be collected and assessed during a background check
  • use and disclosure of the information collected.

Following the Committee’s inquiry, the AusCheck Bill 2006 was subsequently amended and reflected several of the Office’s recommendations, including:

  • a reduction in the initially broad scope of the purposes that the AusCheck scheme may be used for
  • a clarification that the authorisation of the collection, use and disclosure of personal information should be for the purposes of AusCheck’s function or purposes directly related to AusCheck’s function and
  • an explicit provision requiring that the use and disclosure of personal information be limited to that which is directly necessary and to the extent necessary, for security identification card verification.

On 28 March 2007, the AusCheck Act 2007 was passed and on 7 June 2007, the AusCheck Regulations 2007 were made.

During the reporting period, AusCheck also made a request for a partial exclusion from the federal Spent Convictions Scheme. In fulfilling her statutory function under s. 85ZZ(1)(b) of the Crimes Act 1914, the Commissioner examined the request and provided advice to the Minister for Justice and Customs regarding whether the exclusion should be granted. The amendment was subsequently granted by the Minister for Justice and Customs and the Crimes Regulations 1990 were amended on 7 June 2007.

1.3.8   Anti-Money Laundering and Counter-Terrorism Financing

On 24 August 2006, the Office made a submission to the Attorney-General’s Department on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006.

The Office has continued to note that collection of personal financial information is likely to increase significantly under the Bill. Therefore, while the Office recognises the potential benefits to the community of measures to address money laundering and terrorism financing, the appropriate balance must be achieved.

Also as previously noted by the Office, Australia’s financial transactions reporting regime was introduced as a response to major crime and any broadening of the scope of its application may raise privacy issues.

Accordingly, the Office made a number of recommendations aimed at ensuring that adequate privacy protections be applied consistently across reporting entities and users of the information, and that the handling of this personal information was subject to appropriate privacy regulation.

More specifically, the recommendations made by the Office included those listed below.

  • A separate process should be undertaken to consider the issue of whether Australian Government agencies, other than the traditional law enforcement agencies, should be able to have direct access to AUSTRAC information for purposes unrelated to anti-money laundering and counter-terrorism financing.
  • The Bill needs to ensure that information collected by AUSTRAC that is passed on to state and territory government agencies will be subject to adequate privacy protection. Not all states and territories have enacted privacy legislation, which means there is a lack of uniformity in the protections and the remedies available.
  • There should be limits on how long the information collected under this legislation should be kept by reporting entities and government agencies.

The Office also recommended that a Privacy Impact Assessment (PIA) be conducted on the operation of this legislation.

A company engaged by the Attorney-General’s Department, Salinger & Co, released its PIA regarding the second exposure draft of the Bill on 15 September 2006. This document is available from the Attorney-General’s Department website.

In November 2006, the Office made a submission to the Senate Legal and Constitutional Affairs Committee’s Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006.

The Office continues to play an active role in the development of Anti-Money Laundering and Counter-Terrorism Financing legislation through its membership on industry and government forums, producing guidance material and providing comments on relevant issues.

During the reporting period the Office received funding of approximately $1.8 million over four years to provide guidance and assistance to small business operators to meet their obligations under anti-money laundering legislation, and to conduct auditing and compliance activity.

1.3.9   Emergencies and Disasters

In September 2006, the Office made a submission to the Senate Legal and Constitutional Affairs Committee’s Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006.

The Bill clarified the legal basis for disclosure of personal information in the event of an emergency or disaster. The Office made some suggestions for improvements to give more definition of the circumstances under which the provisions could operate. These suggestions included:

  • the inclusion of criteria as to what constitutes a disaster or emergency
  • the clarification of ‘permitted purpose’ as ‘a purpose directly related to’ the emergency or disaster and
  • stronger mechanisms to ensure that normal processes protecting personal information disclosures and uses are resumed as soon as possible.

The Bill was passed with two amendments. The first amendment limited ‘permitted purpose’ to a purpose that ‘directly’ relates to the Commonwealth’s response to an emergency or disaster. The second imposed a maximum period of 12 months to a declaration of emergency. The new provisions are found in Part VIA of the Privacy Act.

After the Bill passed, Regulations were made under the Privacy Act on 13 December 2006. These exempt the secrecy provisions of the Census and Statistics Act 1905 from Part VIA of the Privacy Act. These Regulations confirm that data collected by the Australian Bureau of Statistics for statistical purposes will only be used for statistical purposes.

1.3.10 Government Agency Coercive Information-Gathering Powers

The Office made a submission to the Administrative Review Council’s draft Report into Government Agency Coercive Information-Gathering Powers in March 2007.

The Office’s comments primarily related to the Office’s experience in promoting an understanding of the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and investigating complaints about acts or practices of agencies or organisations that may breach an IPP or NPP.

The Office suggested that the Council may wish to consider the issue of coercive information-gathering from a broader privacy perspective, giving more prominence to the privacy obligations and interests of organisations, agencies and individuals and clarifying the role of the IPPs and the NPPs in its report.

1.3.11 Taxation Secrecy and Disclosure Provisions Review

In September 2006, the Office made a submission to the Treasury on the Review of the Taxation Secrecy and Disclosure Provisions.

The secrecy provisions in tax legislation provide protections for personal (taxpayer) information in addition to those protections already provided by the Information Privacy Principles in the Privacy Act. The Office expressed concern that any proposal to reduce privacy safeguards currently offered by the secrecy provisions could risk a lessening in community confidence, and therefore any proposal to amend the protections should be approached with care.

1.3.12 Personal Property Securities

In February 2007 the Office provided comments to the Attorney-General’s Department in relation to the Standing Committee of Attorneys-General (SCAG) review of Australian personal property securities law. The review aims to develop a national register that will consolidate all security interests that are created by a contractual agreement and which are held over personal property.

The Office noted that the proposed national register would include personal information relating to the financial and credit affairs of a large number of individuals and had the potential to raise a number of privacy-related issues. The Office made a number of suggestions to reduce potential privacy risks. These suggestions included:

  • a Privacy Impact Assessment should be undertaken
  • only those individuals or entities that have a demonstrated need to access information on the database should be able to do so
  • personal information on the register should be minimised wherever possible and
  • mechanisms should be developed to ensure that faulty listings do not remain on the register indefinitely.

The personal property securities review is continuing. In the 2007–08 budget $113.3 million over five years was allocated to harmonise Australia’s personal property securities laws in one Commonwealth Act and develop a single national online register of personal property securities interests.

The Office will continue to provide advice to the Australian Government on the development of the register.

1.3.13 Mutual Assistance and Extradition

In October 2006, the Office made a submission to the review conducted by the Attorney-General’s Department regarding Australia’s mutual assistance law and practice. This submission reiterated the comments of the Office’s earlier March 2006 submission regarding the review of extradition arrangements conducted by the Attorney-General’s Department.

The Office noted that there is a need for clarity and certainty regarding how an individual’s personal information may be handled pursuant to extradition or mutual assistance matters to ensure that it is afforded appropriate privacy protections. This certainty would likely be best achieved by the enactment of clear legislative authority for such exchanges.

Specifically, the Office also commented on the following issues raised by the review:

  • grounds for refusal to provide personal information where the requesting country’s arrangements for handling that information do not offer privacy protections substantially similar to those applying in Australia
  • handling of DNA samples and information from persons without consent should be subject to a form of judicial oversight and consideration should be given to the protections afforded that information in the new jurisdiction before disclosing
  • provision of information from the DNA Database and DNA matching
  • handling of telecommunications interception material and surveillance device material.

The Office looks forward to the further opportunity for engagement on these issues.

1.4     Privacy and the Australian Capital Territory Government

In 2006–07 the Office continued to provide advice to ACT Government agencies. The Office provided detailed comments to the Department of Health on the obligations surrounding the collection of personal information in the implementation of a Health Management Plan for Pandemic Influenza and comments to the Department of Disability Housing and Community Services on the exposure draft for the Children and Young People Amendment Bill 2007. The Office also engaged with the Department of Health on the issue of iris scanning.

The Office also reviewed the exposure draft of the Planning and Development Bill 2006, providing comments to the ACT Planning and Land Authority (the Authority) on the Authority’s legal requirement to collect personal information and the manner in which that information was to be disclosed. The Office provided further comment to the Authority on the Planning and Development (Consequential Amendment) Bill 2007.

1.5     Privacy and Business

1.5.1   Review of the Private Sector Provisions of the Privacy Act

In November 2006, the Office welcomed the Australian Government’s response to its 2005 report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the Office’s 2005 report). The response is available at www.ag.gov.au/www/agd/agd.nsf/Page/Privacy_GovernmentresponsestoPrivacyActreports.

In its response, the Government either accepted, noted or referred to the Australian Law Reform Commission (ALRC) for further discussion, 81 of the 85 recommendations that were made in the Office’s 2005 report.

The Office notes that three of the key recommendations in its 2005 report had already been taken up by the Government prior to the release of its response to the report. These include the:

  • establishment of a wide-ranging review by the ALRC into Australia’s privacy-related legislative framework (see section 1.2)
  • creation of a Do Not Call Register for telemarketing calls and
  • extension of Privacy Act coverage to all residential tenancy database operators.

During the reporting period, the work of the Office continued to be shaped by the recommendations in its 2005 report. In particular, the Office made two comprehensive submissions to the ALRC review of privacy. As noted, the ALRC review is a response to a key recommendation made by the Office in its 2005 report.

In addition, the Office is currently working to implement those recommendations in its 2005 report concerning the Office’s functions. Specifically, work has been commenced on the development of guidance materials and publications that relate to particular recommendations.

The Office has also progressed planning to give effect to various health-related recommendations of the Review during the first half of 2007–08.

1.5.2   Privacy Codes

Part IIIAA of the Privacy Act allows organisations to apply to the Privacy Commissioner for approval of a Privacy Code that will replace the National Privacy Principles for organisations bound by that Code.

Biometrics Institute Privacy Code

On 19 July 2006 the Privacy Commissioner approved the Biometrics Institute Privacy Code under s. 18BB of the Privacy Act. The code came into operation on 1 September 2006 and is available on the Biometrics Institute website at www.biometricsinstitute.org.

Market and Social Research Privacy Code

Following a review of the Market and Social Research Privacy Code, the Association of Market and Social Research Organisations (AMSRO) made an application to vary the code under s. 18BD(1) of the Privacy Act. The Privacy Commissioner approved this variation under s. 18BD(2), to take effect on 30 June 2007.

Queensland Club Industry Privacy Code

Following a review of the Queensland Club Industry Privacy Code, Clubs Queensland made an application to vary the code under s. 18BD(1) of the Privacy Act. The Office is currently reviewing this application.

More information, including the Register of Approved Privacy Codes, can be found on the Office’s website at www.privacy.gov.au/business/codes/index.html.

1.5.3   Credit Reporting

Credit Provider Determinations

In the previous reporting period, three credit provider determinations made under the Privacy Act were renewed for short periods to allow the Office time to consult with the community about how these determinations have operated and the terms in which any further determinations should be cast. As part of this review, two consultation papers covering the three determinations were released for public comment.

In the current reporting period, the Office analysed the submissions received during the consultation process and produced a report relating to one of the consultation papers. This report on the review of Determination No. 2006–3 Assignees (the Assignees Determination) and Determination No. 2006–4 Classes of Credit Providers (the Classes Determination) is available at www.privacy.gov.au/act/credit/cpdreport.html.

The consultation on the operation of the third determination, Determination No. 2006–5 (Indigenous Business Australia) (the IBA Determination), and the experience of the Office demonstrated that the IBA Determination had operated effectively and provided unanimous support for the renewal of the IBA Determination.

Consequently, the three determinations were renewed.

Issues Paper 32 – Review of Privacy: Credit Reporting Provisions

In December 2006, the Australian Law Reform Commission (ALRC) published its Issues Paper 32 – Review of Privacy: Credit Reporting Provisions (IP32) as part of its wider review of privacy regulation in Australia. The Office made a submission to IP32 in April 2007. See section 1.2 for further information.

1.5.4   Tax File Number Guidelines

During the reporting period there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers.

1.5.5   Research and Data-Holding

The Office has commented on a number of research and data holding initiatives through consultative relationships and its membership on various committees and working groups. In particular the Office has made a contribution to the National Data Network, the Prime Minister’s Science Education and Innovation Council and the Productivity Commission’s research study.

The National Data Network

The National Data Network (NDN) provides a distributed library of data holdings relevant to policy analysis and research. These data holdings remain held and controlled by their Custodian organisations.

During the reporting period, the Office has been involved with the NDN Working Group and NDN Interim Governing Board. These bodies have been involved in the development of a framework of policies and procedures to support the data sharing activities and creation of privacy-preserving data management tools.

The Office played an integral role in securing the agreement from the NDN Interim Governing Board to complete Privacy Impact Assessments as part of any data-sharing pilots.

In view of the significant privacy objectives that have been achieved, the Deputy Privacy Commissioner resigned from the Working Group and the Interim Governing Board on 28 May 2007. The Office will maintain its engagement with NDN on a consultative basis.

The Prime Minister’s Science Education and Innovation Council

The Prime Minister’s Science Education and Innovation Council (PMSEIC) was established in 1997 and its function is to provide the Australian Government with independent advice on issues of science, engineering and innovation and relevant aspects of education and training. The Council meets in June and December each year to discuss and report on relevant issues. The Office has made submissions and provided comment on specific research issues impacting privacy.

In September, the Office responded to an issues paper produced by the PMSEIC Working Group which was seeking to assess the opportunities and risks of creating a national database for research purposes. The PMSEIC final report, including recommendations, was presented at the PMSEIC December meeting. Recommendation 8 supported the Office’s general advice in reference to the need for health research agencies to develop best practice policies, practices and methodologies while protecting privacy. The report examined and identified privacy regulation and its future impacts.

It is expected that the Office will have ongoing engagement with PMSEIC in the future, on a consultative basis.

During the reporting period the Office responded to the Research Study into Public Support for Science and Innovation undertaken by the Productivity Commission. The Office made a submission in August 2006 with the following emphases:

  • how to balance individuals’ right to choice in relation to the use of their health information against the public interest of conducting research
  • the need to provide guidelines about de-identification in terms of information used for research and
  • the Office’s commitment to work with the National Health and Medical Research Council to simplify guidelines for health research ethics committees in terms of the section 95AA Guidelines (see section 1.6.4). 

1.6     Privacy and the Health Sector

1.6.1   Electronic Health Records

The Office engaged with a number of bodies, including state government entities, on matters related to electronic health records. The Office also discussed electronic health records in its submission to the Australian Law Reform Commission (ALRC) review of privacy (see section 1.2). The Office noted that such systems have the potential to vastly increase the capacity to collect, store, copy, transmit, share and modify health information, including in ways not expected by individuals. Accordingly, electronic health records systems should only be pursued where accompanied by legislative measures that clearly set out and limit their operation and scope.

In March 2007, the Office made a submission to the National E-Health Transition Authority on its Privacy Blueprint for Unique Health Identifiers. The Office noted that a challenge for such identifiers is to ensure that such a highly reliable identifier is not used for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined. This was a view also expressed in Chapter 8 of the Office’s submission to the ALRC review of privacy.

1.6.2   Section 135AA Guidelines Review

The section 135AA Guidelines (the Guidelines) are issued by the Privacy Commissioner under section 135AA of the National Health Act 1953 and issuing the Guidelines is a function of the Privacy Commissioner under s. 27(1)(pa) of the Privacy Act. The Guidelines apply to the handling of information obtained by any Australian Government agency in connection with a claim under the Medicare Benefits Program or the Pharmaceutical Benefits Scheme (PBS).

The Office released its Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS claims information on 1 August 2006. The Report makes 25 findings on matters related to the Guidelines. Some of these findings require new Guidelines or changes to the Guidelines, while others describe the Office’s interpretation of matters relevant to the Guidelines.

The key findings are:

  • an additional permitted linkage for claims information for the purpose of an individual accessing their record (see Finding 2)
  • the prohibition against storing Medicare and PBS claims information should apply to all agencies (see Finding 23)
  • changes should be made to the periods for which Medicare Australia may retain claims information in linked and unlinked form (see Findings 6, 7 and 8)
  • some changes are required in relation to how the Department of Health and Ageing may handle claims information (see Findings 14-21).

The Office has commenced the development of new Guidelines that reflect the findings of this review. The Office is liaising with Medicare Australia and the Department of Health and Ageing and is proposing to issue the new Guidelines during 2007–08.

1.6.3   Prescription Shopping Information Service

On 14 September 2006, the Australian Parliament enacted the Privacy Legislation Amendment Act 2006, amending the National Health Act 1953 and the Privacy Act, to ensure that medical practitioners can continue to collect patients’ health information that is available through Medicare Australia’s Prescription Shopping Information Service (PSIS), without being in breach of the Privacy Act.

This practice had previously been the subject of two Temporary Public Interest Determinations issued by the Privacy Commissioner.

On 4 May 2007, the Privacy Commissioner released a new Information Sheet on the Privacy Act and the PSIS. The Information Sheet was developed in consultation with Medicare Australia and a number of other health and privacy stakeholders. It is intended to provide private sector medical practitioners with guidance on their obligations when using the PSIS. The Information Sheet is available at www.privacy.gov.au/publications/IS19_07.html.

1.6.4   Section 95AA Guidelines

In response to the 2003 report by the Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee of the National Health and Medical Research Council (NHMRC) entitled Essentially Yours: The Protection of Human Genetic Information in Australia, the Privacy Legislation Amendment Act 2006 introduced National Privacy Principle 2.1(ea). This amendment creates a discretion for organisations to use or disclose genetic information about an individual where necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of a genetic relative.

Any use or disclosure must be in accordance with guidelines made by the NHMRC under s. 95AA of the Privacy Act, and approved by the Privacy Commissioner. Prior to the guidelines being submitted for approval, the Office will work with the NHMRC as it progresses their development.

1.7     Privacy and the Information and Communications Technology Sector

1.7.1   Do Not Call Register

The Government launched the Do Not Call Register in May 2007. The Office strongly supported the introduction of this register. It is a partial response to Recommendation 25 of the Office’s 2005 report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

In the reporting period, the Office also played an active role in the implementation of the register through its consultations with the Do Not Call Taskforce on the draft Determinations, Standards and Ministerial instruments. In September 2006, the Office provided a submission to the Australian Communications and Media Authority’s Industry Standard for the Making of Telemarketing Calls Discussion Paper. In addition, the Deputy Privacy Commissioner served as a member of the Do Not Call Register Scheme Steering Committee.

1.7.2   Integrated Public Number Database

In March 2007, the Office made a submission to the Australian Communications and Media Authority (ACMA) on the consultation draft of the Telecommunications Integrated Public Number Database Scheme 2007 (the Scheme). The Telecommunications Amendment (Integrated Public Number Database) Act 2006 (the IPND Amendment Act) requires ACMA to, by legislative instrument, develop a scheme for granting authorisation enabling access to and use of the information in the IPND for specified purposes, such as for the purposes of producing a public number directory or for research.

The Department of Communications, Information Technology and the Arts (DCITA), on behalf of the Minister, has responsibility for drafting legislative instruments. There are seven instruments that may be made by the Minister. DCITA has produced draft instruments for additional Public Number Directory requirements, additional Public Number Directory information, Criteria for Deciding Applications, Permitted Research, and Conditions of Authorisation.

In March 2007, the Office made a submission to DCITA on these draft legislative instruments relating to IPND access arrangements published for comment by DCITA under the IPND Amendment Act. The Office also met with DCITA representatives to discuss issues raised in the Office’s submission.

The Office submitted that permitted use of the IPND for research should only be non-commercial rather than ‘primarily non-commercial’. The Office also recommended that DCITA define how the public interest of proposed research would be determined and proposed that IPND access users should opt in to coverage under the National Privacy Principles.

The finalised instruments allow researchers’ access to the IPND for primarily non-commercial purposes. However, examples defining the terms ‘primarily’ and ‘non-commercial’ are provided in the Explanatory Statement to assist ACMA in administering the Scheme. The instruments also allow ACMA to impose specific privacy obligations on IPND data users. The Scheme came into force on 15 May 2007.

1.7.3   Telecommunications and E-Marketing Industry Codes

The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.

In 2006, the Australian Communications Industry Forum (ACIF) and Service Providers Association Inc (SPAN) merged to form the telecommunications industry body Communications Alliance Ltd (Communications Alliance). Communications Alliance now handles the ACIF process for developing documentary outputs, including industry codes. The Office was consulted by Communications Alliance on eight ACIF codes during the reporting period. One of the codes currently under development, the Telecommunications Consumer Protection Code, is intended to consolidate the industry approach to issues covered by six ACIF codes.

1.7.4   Telecommunications Interception legislation

In February 2007, the Office made a submission to the Attorney-General’s Department on the exposure draft of the Telecommunications (Interception and Access) Amendment Bill 2007 (the Bill).

The Bill is the second stage of the Australian Government’s legislative program to implement the recommendations from the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979 conducted by Mr Anthony S Blunn AO (the Blunn Review).

One of the key recommendations of the Blunn Review was that interception activity of law enforcement agencies and civil enforcement bodies should be consolidated under one legislative regime. The Bill was the second stage in the implementation of that recommendation, following the introduction of the Telecommunications (Interception) Amendment Act 2006.

In its submission, the Office recommended that:

  • the voluntary disclosure provisions could be made clearer in relation to content and call data to reduce the risk of carriers committing inadvertent breaches
  • there is merit in defining call data, or giving examples in the proposed Amendment Bill as to what might be considered ‘information or document’ as opposed to ‘contents or substance of a communication’
  • further guidance be provided where the privacy of telecommunications users needs to be taken into account when making decisions and
  • the operation of the Telecommunications (Interception) Amendment Act 2006 should be subject to overall independent review, including key stakeholder and public consultation, at least every five years.

A Bill was introduced into parliament on 14 June 2007 and was referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 1 August 2007. In terms of the Office’s previous comments, the Explanatory Memorandum accompanying the Bill now defines the distinction between call data and ‘information and documents’.

 

Chapter 2 Promoting Privacy


 

2.1     Review of Performance

In 2006–07 the Office revised its Communications Strategy in line with its Budget commitments and goals set out in the Office’s 2007–09 Strategic Plan (see Appendix 8 and the Commissioner’s Overview for further information). The Office’s increased funding has allowed its communications unit to progress a range of projects and initiatives aimed at assisting organisations and individuals to better understand their rights and responsibilities under the Privacy Act.

An important communications focus for the Office is facilitating networking and working closely with key stakeholders to promote a broader understanding of privacy. This year the Office:

  • re-energised the Privacy Connections network of privacy professionals in the private sector (see section 2.7.1)
  • worked with the Privacy and Information Commissioners of New South Wales, Victoria and the Northern Territory to participate in the first national Privacy Awareness Week (see section 2.7.3) and
  • launched an international privacy themed writing competition targeting youth with the Commissioners of the Asia Pacific Privacy Authorities forum (see section 2.9.1).

2006–07 also saw the introduction of the Office’s Privacy Matters newsletter (see section 2.5.1). The newsletter is an important tool for the Office, allowing it to communicate important information to stakeholders on a regular basis throughout the year. In addition to downloads from the website, subscriptions to the newsletter have increased steadily, with the newsletter now reaching over 600 subscribers.

A significant undertaking for the Office is the review of its publications. During the year the Office audited its existing material with the aim of identifying and correcting any inaccurate or outdated material (see section 2.5.2).

As its main communication tool, the Office recognises the value of maintaining and improving the content and services delivered through its website. With this in mind, the Office commenced work on the redevelopment of the website, looking at ways of meeting the needs of its current users and offering services and refining content to attract new users (see section 2.2.1). The redevelopment of the website will continue into the next reporting period and will ensure that the website continues to be a valuable source of information for users with an interest in privacy.

2.2     Privacy Website

The Office’s website (www.privacy.gov.au) again features very prominently in the Office’s new 2007–08 Communications Strategy and 2007–09 Strategic Plan. The website continues to be the critical hub for the communication of the Office’s privacy messages.

2.2.1   Website Redevelopment

To ensure that the Office’s website continues to play the role of communications hub effectively, the Office has embarked on a project to redevelop the website. This is considered to be an important project, especially since the last major website redevelopment was completed when the private sector provisions commenced in 2001.

In the reporting period, the Office conducted a range of consultations including:

  • website and intranet-based external and internal user surveys between December 2006 and April 2007
  • email-based survey sent to a wide range of domestic and international Office stakeholders, including informal discussions where appropriate
  • focus groups and other informal discussions with internal users and
  • discussions with a range of other participants who have detailed experience in website redevelopments or familiarity with the Office’s website.

The Office’s focus is now on developing and implementing an action plan which aims to put into place many of the recommendations received during these consultations.

2.2.2   Website Usage

The Office's website (www.privacy.gov.au) increased its traffic from the previous reporting year. Visits to the website increased by 541 996 sessions during 2006-07 compared to the previous year, an increase of 38%. Page views (number of pages people looked at during the session) increased by 246 728, an increase of 4%. The figures in Table 2.1 show the number of sessions and the number of page views for the privacy website each year for the last three financial years, while Chart 2.1 graphically represents the substantial increase in website traffic since 2001.

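Table 2.1 Page and Session Views for the Privacy Website

|           | 2004-05   | 2005-06   | 2006-07   | Increase 2005-06 to 2006-07 |
|-----------|-----------|-----------|-----------|-----------------------------|
| Session   | 1 072 361 | 1 411 320 | 1 953 316 | + 541 996                   |
| Page view | 4 561 982 | 5 937 245 | 6 183 973 | + 246 728                   |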

Chart 2.1 Yearly Comparative Results for the Website

2.2.3   Layered Privacy Policy

In Privacy Awareness Week 2006 (see section 2.7.3), the Attorney-General launched the Office’s new Privacy Policy. The new Policy adopts a layered notice format to enhance the ease with which people can access and understand it. The Policy is available on the Office’s website, and provides browsers with both a condensed snapshot, as well as a full explanation, of the Policy.

The condensed version of the Policy uses clear simple language and includes the most important information that individuals usually need and want to know about the Office’s personal information handling practices. Individuals wanting further information can easily link to the Office’s full Privacy Policy.

The Policy is also intended to serve as a model for other agencies and organisations. It is available at www.privacy.gov.au/policy/index.html.

2.3     Media

132 media enquiries were made to the Office during 2006–07. This is down 11% from the 148 enquiries received in 2005–06. Of the 132 enquiries, 84 were from print media, 29 from radio stations, ten from television, eight from news websites, and one from a news agency.

The enquiries concerned a range of privacy-related issues, with the most common including:

  • scanning of patrons’ identification by clubs and bars
  • alleged privacy breaches by various organisations
  • incidents involving access by staff of government agencies to client records
  • companies transferring client data to overseas centres for processing
  • doctors’ use of overseas transcription services
  • the Health and Social Services Access Card
  • the disclosure of financial transactions by SWIFT (the Society of Worldwide Interbank Financial Telecommunication) to law enforcement agencies
  • privacy concerns resulting from online technologies.

In most cases, background information on the issue or a comment was supplied to the journalist. Interviews were also conducted on various radio stations and television programs.

The Office prepared 31 media announcements and releases during 2006–07.

The Office has an email list specifically targeting media personnel and media agencies. Members of the email list receive the Office’s media releases and announcements. Information about the list is available at www.privacy.gov.au/lists/index.html.

2.4     Speeches and Presentations

The Office delivered 26 speeches during 2006–07. These speeches were on a number of key issues including the Australian Law Reform Commission’s review of privacy, information technology, privacy and business and the Office’s new Strategic Plan 2007–09. The Commissioner also gave a number of speeches around Australia in conjunction with the Privacy Connections events hosted by the Office (see section 2.7.1).

A complete list of speeches and presentations made by the Commissioner and Office staff can be found at Appendix 3. Supporting papers and PowerPoint presentations for a number of these speeches are available on the Office’s website at www.privacy.gov.au/news/speeches/index.html.

2.5     Publications

The Office developed a number of new publications over 2006–07 including its new quarterly newsletter, Privacy Matters (see section 2.5.1). In Privacy Awareness Week 2006 (see section 2.7.3), the Attorney-General launched the Office’s Privacy Impact Assessment Guide developed for use by public sector agencies (see section 1.3.1), and the Office’s new layered Privacy Policy (see section 2.2.3). Also in Privacy Awareness Week, the Office released two ‘Ten Steps’ guides which provided ten practical steps that individuals and organisations could take to protect their own and other people’s personal information.

In 2007 the Office released a new information sheet on the Prescription Shopping Information Service and the Privacy Act (see section 1.6.3).

Most of the Office’s publications are available online at www.privacy.gov.au/publications/index.html.

2.5.1   Privacy Matters Newsletter

In September 2006, the Office launched its quarterly privacy newsletter Privacy Matters. The purpose of the newsletter is to provide an accessible and easy-to-read publication that keeps interested stakeholders up-to-date with important Office-related compliance, policy, public affairs and other privacy developments.

The newsletter is an initiative which implements Recommendation 50 of the Office’s 2005 Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. It complements the work the Office already does through its various stakeholder networking strategies (see section 2.7), and further assists the Office in its Strategic Plan purpose of promoting and protecting privacy in Australia.

The Office aims for each issue of the newsletter to have as its primary focus one or two significant feature articles covering privacy matters of current importance. The newsletter also keeps subscribers informed of other privacy-related events and matters of interest, both within the Office and in the broader community.

The Office intends to continue producing Privacy Matters on a quarterly basis throughout the next reporting period. Subscription to the newsletter is available by visiting the Office’s website at www.privacy.gov.au/news/privacymatters/index.html.

2.5.2   Publications Review

In 2007 the Office commenced a comprehensive review of its existing publications to ensure that Office guidance material continues to best meet the needs of its stakeholders.

The publications review aims to identify and correct any inaccurate or outdated material, ensure that Office guidance material is presented in clear and understandable language, and address gaps in content. As part of this review, the Office intends to develop systems for the management of Office publications to facilitate their upkeep into the future.

The Office has recently completed an audit of existing publications and will shortly commence implementing updates identified in this process.

2.6     Community Attitudes Survey

In early 2007, the Office commenced work on a research study to ascertain community attitudes towards privacy issues. It commissioned the Wallis Consulting Group to undertake the quantitative study, which follows on from similar research the Office carried out in 2001 and 2004. The project will be completed and reported on in 2007–08.

2.7     Networking for Privacy Solutions

2.7.1   Privacy Connections

In line with Recommendation 50 of the Office’s 2005 Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, the related Budget commitment, and the Office’s 2007–09 Strategic Plan (Goal 2: increased awareness of privacy choices and obligations within the community), the Office undertook during 2006–07 to re-energise its Privacy Connections network of privacy professionals in the private sector. In this respect, it hosted a series of well-attended forums, allowing an opportunity for privacy professionals to network, to meet and engage with the Privacy Commissioner, and to learn about various privacy issues and developments both in Australia and abroad.

In November 2006 a breakfast forum was held in Sydney to mark five years since the introduction of the private sector provisions of the Privacy Act. Keynote speakers included the Attorney-General, the Hon. Philip Ruddock MP, the Privacy Commissioner, and Suzanne Pigdon, the former Privacy and Customer Advocacy Manager of the Coles Myer Group and a member of the Office’s Privacy Advisory Committee. Corporate breakfasts were also held in May 2007 with the Privacy Commissioner and Ms Pigdon in both Adelaide and Perth, in association with those states’ chambers of commerce.

Further events have been scheduled for early in 2007–08 in Brisbane, Canberra, Melbourne and Sydney, with Mr Peter Cullen, the US-based Chief Privacy Strategist of Microsoft, as the keynote speaker.

Privacy Connections members also receive electronic updates from the Office on a range of privacy issues, developments and events. The network commenced in 2001 and as at 30 June 2007 had 1841 members. Information about Privacy Connections is available at www.privacy.gov.au/business/network/index.html.

2.7.2   Privacy Contact Officer Network

The Office manages a network of Privacy Contact Officers (PCOs) from Australian and ACT Government agencies. The Office hosts four PCO meetings a year to provide PCOs with an opportunity to network and to hear from speakers on a range of privacy-related issues. These meetings also enable PCOs to meet with Office staff and regularly hear from the Commissioner on the Office’s activities and initiatives.

During 2006–07, the Office has used this forum to inform PCOs of changes to the Office’s approach to complaint handling, key aspects of the Office’s submission to the Australian Law Reform Commission (ALRC) review of privacy, and international developments in privacy regulation.

The Office has also invited external speakers to address PCOs including a senior legal officer at the ALRC to provide an update on its review of privacy, an adviser to the Attorney-General to discuss privacy from a ministerial officer’s perspective, a member of the Privacy Advisory Committee, and individual PCOs.

In December 2006, the Office presented a ‘Privacy Checklist’ to the network that the Office developed to help PCOs effectively handle privacy complaints, and the PCOs were surveyed for their feedback on this resource. The Office also consulted with the network on Privacy Awareness Week 2007 and the resources and activities they would like to see promoted during this event.

In general, the PCO Network provides a crucial link between agencies and the Office for the purposes of managing privacy complaints, and the Office continues to promote the important role of the PCO as an internal agency contact point for information about privacy compliance obligations.

2.7.3   Privacy Awareness Week

The Office celebrated Privacy Awareness Week from 27 August – 2 September 2006. The Office collaborated with Privacy Victoria, Privacy NSW and the Office of the Information Commissioner, Northern Territory to promote the event.

The week was an opportunity to encourage organisations and agencies covered by the Privacy Act to promote privacy awareness among staff and customers.

During Privacy Awareness Week the Attorney-General launched two key documents produced by the Office: the Privacy Impact Assessment (PIA) Guide (see section 1.3.1) and the Layered Privacy Policy (see section 2.2.3). Guides were also released setting out ‘Ten Steps’ on how to protect personal information for individuals, agencies and organisations, and privacy quizzes were developed to encourage individuals, agencies and organisations to examine their general knowledge and understanding of privacy.

The Office is continuing its involvement in Privacy Awareness Week in 2007 through joint promotions and activities with the Asia Pacific Privacy Authorities (APPA) (see section 2.9.1), as well as its own Privacy Awareness Week calendar of events.

Privacy Awareness Week will be held from 26 August – 1 September in 2007. The Office’s promotional activities leading up to and throughout Privacy Awareness Week will contribute to the Office’s goal of increased awareness of privacy choices and obligations within the community as outlined in the Office’s 2007–09 Strategic Plan.

2.8     Privacy Advisory Committee

The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act. Its members are appointed by the Governor-General. The functions of the PAC are established under s. 83 of the Privacy Act and provide for the PAC to assist the Commissioner in engaging in and promoting community education and consultation, in relation to the protection of individual privacy.

The PAC also advises the Commissioner on matters relevant to his/her functions. It acts as an external reference point that supports the Commissioner in gaining access to the broad views about privacy in the private sector, government and the community at large.

This year, the PAC has been actively involved in a number of Office activities. Members of the PAC had significant input into the development of the Community Attitudes Survey (see section 2.6), including participation in the tender evaluation and content review committees.

The PAC members provided support to the Office through their promotion of the Privacy Connections network events (see section 2.7.1). Suzanne Pigdon, a member of the PAC, was a keynote speaker at three events and provided attendees with information and advice on privacy from a business perspective.

PAC members also attended the 2006 Asia Pacific Privacy Authorities Forum (see section 2.9.1) and the Asia-Pacific Economic Cooperation (APEC) Data Privacy Seminar.

There are currently six members of the PAC. Ms Robin Banks was appointed as a PAC member in November 2006 replacing Mr Graeme Innes AM who resigned in December 2006.

2.9     International Liaison

2.9.1   Asia Pacific Privacy Authorities

The Asia Pacific Privacy Authorities (APPA) forum is a regional forum that includes this Office, the State and Territory Privacy Commissioners in Australia (NSW, Victoria and the Northern Territory), together with the Privacy Commissioner of New Zealand, the Privacy Commissioner for Personal Data of Hong Kong and the Korean Information Security Agency.

The Forum meets biannually, with a rotating venue and host. In June 2007 the 27th APPA forum was hosted by the Office in Cairns to coincide with the APEC Senior Officials Meetings and Data Privacy Seminars. At this meeting the APPA membership was broadened to include the Information and Privacy Commissioner of British Columbia, Canada.

APPA meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA affiliates. The Forum provides an opportunity for Commissioners to exchange knowledge and experiences about privacy regulation across different jurisdictions. At the 27th APPA forum it was agreed that a Working Party be established to look at the possibility of developing guidelines for the protection of individuals’ privacy rights in relation to the use of biometrics.

At the 26th APPA forum hosted in November 2006 by the Office of the Privacy Commissioner for Personal Data, Hong Kong, the APPA members agreed to jointly undertake Privacy Awareness Week (see section 2.7.3) in 2007. As a result an international privacy themed competition was launched in April 2007 targeting secondary students. Publicity for the competition has included a joint media release, the production of a website (www.privacyawarenessweek.org) and a mail out to secondary schools across Australia, Hong Kong and New Zealand which included an introductory letter, poster and promotional booklet. Promotional material was translated into Chinese to ensure the competition was accessible to entrants from the jurisdictions involved. The Commissioners will announce the competition winners during Privacy Awareness Week 2007 (26 August – 1 September 2007).

As outlined in the Office’s 2007–09 Strategic Plan, robust relationships are at the core of how the Office operates. Developing international linkages, particularly through the APPA forum, is one way in which the Office achieves this. APPA is an effective forum that the Office will continue to develop and sustain through future joint initiatives.

2.9.2   28th International Conference of Data Protection and Privacy Commissioners

In November 2006, Deputy Privacy Commissioner Timothy Pilgrim attended the 28th International Conference of Data Protection and Privacy Commissioners held in London. The theme of the conference was ‘A Surveillance Society?’, with speakers addressing a range of issues related to surveillance and how to balance public safety with individual privacy rights.

At the conference a resolution proposed by the New Zealand Privacy Commissioner and co-sponsored by the Australian Privacy Commissioner was adopted. This resolution recommended that attention be given to improving conference organisation arrangements with a view to ensuring the continued viability of annual conferences. With the adoption of the resolution, a working group was established to examine existing organisational arrangements and suggest options for improvement.

The New Zealand Privacy Commissioner is chair of the working group, which encompasses four subgroups: the Hosting Subgroup, the Host Selection Subgroup, the Website Subgroup and the Participant Expectations Subgroup.

Fourteen data protection authorities are participating in the working group with this Office acting as chair of the Hosting Subgroup and co-chair of the Website Subgroup.

The working group is due to report its findings to the 29th Conference to be held in Canada in September 2007.

 

Chapter 3 Protecting Privacy


 

3.1     Review of Performance

The Privacy Commissioner protects the privacy of Australians through a wide range of compliance activities, including a telephone and written enquiry service, the resolution of individual privacy complaints, conducting audits and investigations, and monitoring data-matching activities.

While the Office’s compliance focus in 2006–07 continued to be on resolving individual complaints, it also undertook a number of audits. The Office strives to resolve cases in an open and fair way that builds the confidence of our stakeholders. The Office has applied considerable effort to managing complaints in line with Recommendation 42 of the Office’s 2005 Report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

In the Office’s last annual report, it was noted that the Office was to receive an increase in funding over the next four years, and that one of the first priorities would be to invest in our complaint handling systems and practices. Effective complaint handling practices have been a clear focus in 2006–07. The Office has continued to evaluate and refine practices to ensure they worked well and that individual complaints were handled in a timely and effective manner.

The Office has restructured its Compliance section to facilitate a transition from being primarily a reactive regulator to an increasingly proactive regulator. To ensure best practice complaint handling and investigation, the Office has a renewed focus on staff training, staff development and stakeholder relationships.

2006–07 also signalled the return of the Office’s audit program into Australian Government agencies, with the Office embarking on its first Australian Government agency audit in almost three years. The Office also continued its data-matching and ‘own motion’ work. The Office this year increased its production of case notes. It produced 24 case notes to help individuals, organisations and agencies understand its investigative processes and application of the Privacy Act.

3.2     Responding to Enquiries

3.2.1   Telephone Enquiries

The Office’s telephone enquiry service (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call.

Since 1 July 2001 the enquiry service has answered over 120 000 telephone calls. The enquiry service answered 17 392 telephone enquiries in 2006–07. This is 9% less than the 19 150 received in 2005–06. The Office expects that more people are finding it convenient and effective to search for information online, which may explain the decreasing number of calls to the enquiry service.

Who is calling?

Continuing the trend that the Office has seen over the past few years, the vast majority of calls are from individuals seeking information about thei