Privacy Matters Spring Newsletter 2006


Volume 1 Issue 1 Spring 2006

Commissioner's Message

Privacy Commissioner Karen Curtis and Attorney-General Philip Ruddock at Privacy Awareness Week Launch. Photo: Office of the Privacy Commissioner

Welcome to the Spring issue of Privacy Matters, the Australian Office of the Privacy Commissioner's quarterly newsletter.

This is the first edition of Privacy Matters and it comes to you with all the latest news from my Office. It's great to be able to offer a new forum for the promotion and discussion of privacy issues. By keeping the issue of privacy in the spotlight (perhaps paradoxically!), we can do a lot to encourage an Australian culture that respects privacy.

Privacy in today's social and technological climate has never been more important or relevant. However, despite this, we often don't think about our privacy until it has been invaded or interfered with.

In August, my Office, along with other Australian state and territory Privacy Commissioners, hosted Privacy Awareness Week to encourage people to think about their privacy.

The theme of Privacy Awareness Week 2006 was Don't leave privacy to chance! and when you reflect on it, this idea lies at the heart of all privacy legislation. Privacy laws remove the 'gamble' from personal information handling and ensure that standards exist for the collection, use, disclosure and storage of personal information. Different people may have different expectations about privacy, but privacy laws allow us to decide for ourselves when, and to what extent, we reveal our personal information to others.

In this edition of Privacy Matters, you can read about our Privacy Impact Assessment Guide and Layered Privacy Policy, both launched in Privacy Awareness Week. Also included is a summary of our recent submission made to government on the Access Card and a report by Deputy Commissioner, Timothy Pilgrim on the meeting of the Asia-Pacific Economic Cooperation Privacy Sub-Group in Vietnam. We also offer an update on the implementation of our Complaint Handling Review, and make an important announcement about our new approach to determinations.

I hope Privacy Matters proves to be a useful and informative publication for you and I welcome your feedback.

Karen Curtis, Privacy Commissioner

Commissioner's use of s.52 Determination Power

Consistent with the Office's recommendations in Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the Review Report), the Commissioner has reviewed the use of the s.52 determination making powers. As a result, the Commissioner is expecting to make greater use of these powers in cases where appropriate.

In the Review Report, the Commissioner made two recommendations regarding the use of the determination making power:

Recommendation 37: The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

Recommendation 42: The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner's power to make determinations under section 52 of the Privacy Act.

Reasons for more determinations

Generally speaking, the Commissioner will continue to aim to resolve most complaints by conciliation.

However, there are circumstances where it will be better for all parties to proceed more quickly to a determination under s.52 of the Act. In particular:

  • Where the interests of the parties will be better served by the opportunity to make formal submissions to the Commissioner, either orally or in writing.
  • Where the issues in the complaint are not clear and the Commissioner will need to make findings.
  • In the case of some complaints that are not amenable to conciliation.

In other cases there may also be a public interest in proceeding to a determination.

Determinations will be published, with the complainant's name withheld. The Commissioner is mindful of the fact that making more determinations is consistent with the Office's commitment to openness and transparency in its operations. A greater number of published decisions by the Office will highlight the Office's thinking on the operation of the Act and this in turn will create a greater level of certainty for organisations, agencies and consumers.

When will determinations be made?

Determinations won't necessarily be limited to the most serious cases, nor will determinations issued by the Commissioner necessarily be punitive. The intent is to achieve the best resolution in each case with the added benefits of certainty and accountability.

Cases which may result in determination include those where certainty is required by one party or both, where conciliation has failed or was not seen as possible in the first instance, or if the Commissioner cannot be satisfied on the basis of the evidence available as to whether the act or practice is an interference with privacy.

Powers under s.52

Following the investigation of a complaint, the Commissioner may make a determination under s.52 about her findings in relation to the complaint.

The determination may:

  • dismiss the complaint; or
  • find the complaint substantiated and make declarations about action needed including that the conduct should cease or not be repeated, the nature of redress and compensation, or that no further action is needed.

As with other decisions made under the Act, a determination will be reviewable under the Administrative Decisions (Judicial Review) Act 1977.

In addition, there is a limited right of review of the Commissioner's decisions by the Administrative Appeals Tribunal. This applies where the respondent is an Australian Government agency and the decision relates to the question of compensation.

A determination is not binding as such. However, if an agency or organisation does not comply with a determination, the complainant or the Commissioner may commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination. If the determination is made against an organisation as the respondent, an application under s.55A of the Act can be made for courts to make such orders as it sees fit. If the determination is made against an agency as the respondent the application must be made under s.62 of the Act.

Office's approach to complaint handling

The Office's approach to complaint handling and promoting compliance with the Privacy Act continues to focus on conciliation in the first instance as set out in Information Sheet 13.

The Office takes the approach that compliance will be achieved most often by helping organisations to comply rather than seeking out and punishing the few organisations that do not. The large majority of Australian organisations in the private sector and Australian and ACT Government agencies seek to comply with their legal obligations.

The Office's emphasis will be on providing advice, assistance and information. This is our first and preferred approach at all times. Our experience indicates that such an approach will be all that is necessary to resolve the large majority of matters that come to our attention.

The Office has identified that greater flexibility may be required in some circumstances to facilitate a better outcome for both parties. This flexibility includes the decision by the Commissioner to issue determinations under s.52 earlier in the conciliation process where deemed appropriate or in other circumstances following attempts to conciliate where a determination is assessed as the most appropriate means to resolve a complaint.

Openness and transparency

The Office will not take action in relation to an organisation or agency without first giving it fair warning of our intentions. Our objective is to assist organisations and agencies to comply with their obligations under the Act.

As such, if the Commissioner's intention is to issue a determination, the organisation or agency would be given notice of this and given the opportunity to respond. Section 43(5) of the Act provides:

The Commissioner shall not make a finding under s.52 that is adverse to a complainant or respondent unless the Commissioner has afforded the complainant or respondent an opportunity to appear before the Commissioner and to make submissions, orally, in writing or both, in relation to the matter to which the investigation relates.

Each party will be given the opportunity to provide submissions before a final decision is made. In the case of a determination, a hearing before the Commissioner may be required.

Previous use of the Determination Power

Commissioners have issued eight determinations under s.52 of the Act since the commencement of the Privacy Act in 1989:

Next Steps

The Office is developing detailed procedures about the determination process and this information will be made available to the parties where a determination is proposed. We will also include information about the process on the Commissioner's website.

The Office will also be amending Information Sheet 13 which sets out the Commissioner's Approach to Promoting Compliance with the Privacy Act, to reflect the approach to determinations outlined above. The Office will consult key stakeholders as part of the process of amending the information sheet.

APEC Privacy Framework and the work of the APEC Privacy Sub-Group

The APEC Privacy Framework aims to promote a consistent approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows. The aim is to have protections consistent across the region which will place APEC at the forefront of e-commerce.

Consistent with the OECD Privacy Guidelines, the Privacy Framework's principles and implementation guidance are focused on the achievement of four main goals:

  1. to develop appropriate privacy protections for personal information;
  2. to prevent the creation of unnecessary barriers to information flows;
  3. to enable multinational businesses to implement uniform approaches to the collection, use and processing of data; and
  4. to facilitate both domestic and international efforts to promote and enforce information privacy protections.

The Privacy Framework was endorsed by APEC Ministers in Chile in December 2004. The Privacy Framework consists of four parts:

  • Part I is a preamble;
  • Part II deals with the scope of the principles;
  • Part III contains the nine privacy principles; and
  • Part IV deals with implementation of the principles.

A commentary has been published alongside the sections of Parts II and III to provide further information and context.

The work program of the Privacy Sub-Group is focused on developing practical mechanisms for internationally implementing the Privacy Framework. An Information Privacy Individual Action Plan (IAP) template was agreed by the Privacy Sub-Group in February 2006, as the mechanism for member economies to report on the domestic implementation of the Privacy Framework. The IAP lists the APEC Privacy Principles and asks questions on how they have been implemented in the economy. Members' IAPs will be publicly available on the APEC website (http://www.apecsec.org.sg/).

A study group, comprising Australia, US, Korea and Mexico, has also been established to consider cross-border corporate rules and the role of trust marks in promoting the cross-border flow of information. The September 2006 meeting of the Privacy Sub-Group in Vietnam continued discussions aimed at information exchange on privacy protection issues, particularly on the cross-border transfer of data and privacy law enforcement.

In 2007 Australia will be hosting APEC and the related Senior Officials Meetings (SOM). As part of SOM, Australia will also hold two seminars aimed at providing practical support to the implementation of the APEC Privacy Framework. This will include processes for the development of cross-border rules, a key aspect of which will be the involvement of privacy regulators in this work. The seminars will be held in Canberra on 22-23 January and in Cairns on 22-23 June 2007. More information on these seminars will be available through the Attorney-General's Department website at http://www.ag.gov.au/apec_privacy.

Paul Chadwick farewelled

The Office notes that Paul Chadwick, the first Privacy Commissioner of Victoria, finished his term at the end of July 2006. Paul did an outstanding job in establishing the office and in promoting privacy in Victoria and beyond. We wish him well in his future endeavours and look forward to continuing to work closely with the Victorian office.

Diary Notes

  • 28th International Data Protection and Privacy Commissioners' Conference - 2-3 November 2006, London
  • Asia Pacific Privacy Authorities Forum - 8-10 November 2006, Hong Kong
  • APEC Senior Officials Meeting - 15-27 January 2007, Canberra

For more information please visit our website: http://www.privacy.gov.au/news/calendar

Privacy Awareness Week

In August the Office celebrated Privacy Awareness Week. In 2001, Privacy Victoria initiated Privacy Awareness Week as a promotional campaign. This year for the first time Privacy Awareness Week was staged nationally with privacy agencies across Australia getting onboard, including: the Australian Office of the Privacy Commissioner, Privacy Victoria, Privacy NSW and the Office of the Information Commissioner Northern Territory.

The week was an opportunity to encourage organisations and agencies covered by the Privacy Act to promote privacy awareness to staff and customers.

During Privacy Awareness Week the Attorney-General launched two key documents produced by the Office: the Privacy Impact Assessment (PIA) Guide and the Layered Privacy Policy.

The PIA Guide enables agencies to determine the impact new projects could have on privacy. It helps them to examine and assess their project's capacity to comply with the Privacy Act, while also informing them about broader privacy issues that the project may raise. While the PIA Guide has been targeted at agencies, private sector organisations will also find it useful.

The Office's new Privacy Policy adopts a layered notice format to enhance the ease with which people can access and understand it. The Policy is available on the Office's website and provides browsers with both a condensed snapshot and full explanation of the Office's personal information handling practices. It is intended that this Policy be used as a model for other agencies and organisations.

As part of Privacy Awareness Week guides were released setting out 10 steps on how to protect personal information for individuals, agencies, and organisations. Privacy quizzes were also developed to encourage individuals, agencies and organisations to examine their general knowledge and understanding of privacy.

Due to the positive response to Privacy Awareness Week, the Office is planning to continue its involvement in 2007.

The aim is to extend the event to be a joint initiative, not only within Australia, but to also include privacy organisations in the Asia-Pacific region. This would enable Privacy Awareness Week to become a widely recognised annual event that raises the awareness of individuals, agencies and organisations of their privacy rights and responsibilities.

Building Capacity

In the 2006/07 Budget the Government announced that it would provide additional funding to the Office of $8.1m over four years.

This additional resourcing will allow the Office to focus on ensuring that privacy complaints are being handled in the most efficient and effective manner; responding to calls from business and industry for greater assistance in meeting their obligations under the Privacy Act; and responding to government requests for high level privacy advice in the development of new policy initiatives.

To achieve these objectives the Office has recently undertaken a substantial recruitment process. Staff numbers in the Office have grown from 40 to 55.

Access Card Submission

In May 2006 the Minister for Human Services, the Hon Joe Hockey MP, established the Access Card Consumer and Privacy Task Force, chaired by Professor Allan Fels AO, to address consumer and privacy issues related to the development, by his Department, of the health and social services access card.

In response to the Task Force's first discussion paper released in June 2006 the Office forwarded its submission in August.

The Office's submission recognises the access card proposal in its wider context, as a system, rather than merely a stand alone card. As the Office understands it, the access card will be accompanied by significant infrastructure, processes and policies, and accordingly it is necessary to consider the privacy implications of the system in its entirety.

The submission recommended a range of privacy safeguards be developed in the areas of card system design, technology choices, legislation and oversight measures.

Specifically the submission calls for the enactment of legislation with privacy protection measures which apply over all elements of the access card system, including sanctions and remedies. It recommends legislation to limit the uses of the physical card, prevent unauthorised access to, collection or misuse of information on the card or chip, and prevent unauthorised or unintended uses and disclosures, including routine data-matching. In addition, the submission suggests that individuals should have transparent rights to access and, where necessary, correct information on the system.

The submission suggests that further detailed privacy impact assessments be undertaken during the design and implementation of the access card system.

In her media announcement about the submission the Privacy Commissioner said "It is important for privacy protections to be developed while the access card is still in the planning process, rather than trying to add these on at a later stage."

DIMA MoU

On 23 June the Commissioner and the Secretary of the Department of Immigration and Multicultural Affairs (DIMA) signed a Memorandum of Understanding (MoU) that will run for twelve months.

The MoU is one of a number of recent initiatives being implemented by DIMA following recommendations made in the Palmer and Commonwealth Ombudsman Reports. Through the agreement, the Office will assist DIMA in providing an increased level of support in its handling of clients' personal information.

The Commissioner understands that DIMA has undertaken to thoroughly review its approach to privacy and welcomes DIMA's commitment to promoting a workplace culture that respects privacy.

The agreement provides for the Office to work with DIMA staff to identify and implement good privacy practices that take account of DIMA's unique business requirements.

NZ MoU

On 4 September the Australian and New Zealand Privacy Commissioners signed an agreement which will allow for cooperation between their offices on privacy-related issues.

The agreement covers the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies. Other areas addressed include cooperation on complaints with a cross-border element and the possible undertaking of joint investigations.

The agreement stems in part from the APEC Privacy Framework, OECD Guidelines, and the Asia Pacific Privacy Authorities Forum, all of which advocate the forming of cooperative arrangements between privacy regulators.

It is anticipated that the agreement may become a prototype for other bilateral and multilateral agreements between privacy authorities in APEC and OECD countries, particularly in facilitating the management of cross-border privacy-related complaints.