Privacy Matters Autumn Newsletter 2008
- Commissioner's Message
- Minister Launches Privacy Awards
- Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs
- Reappointment of Privacy Advisory Committee Members
- Data Breach Notification Guide
- Complaint Snapshots
- Automatic Number Plate Recognition
- Formation of Privacy Authorities Australia
- Health Information Sheets and FAQs
- Privacy Complaints and Compensation
- Diary Notes
Volume 2 Issue 3 Autumn 2008
Commissioner's Message
A phrase that I use a lot is that 'good privacy is good business'. And it seems like government agencies and organisations have adopted this principle, as there has been a definite increase in privacy awareness activities.
While agencies and organisations are showing an ever-increasing commitment to good privacy practice, unfortunately, despite their best efforts, sometimes an information security breach occurs. To assist making the decision whether or not to notify affected individuals, the Office has released a draft Voluntary Information Security Breach Notification Guide for public comment. The development of a voluntary guide offers an opportunity for stakeholders to comment on this important issue, and we look forward to hearing your views.
The feature article in this issue of Privacy Matters provides an overview of the Guide.
Something else which recently brought privacy into the spotlight was the highly successful launch of the inaugural Australian Privacy Awards and Australian Privacy Medal. These were launched by Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary, at a breakfast on Wednesday, 9 April. The Awards are aimed at recognising, rewarding and encouraging good privacy practice among agencies, businesses and community organisations. The Medal will be given to an individual who has exhibited an outstanding level of achievement in the Australian privacy field.
Nominations for the Awards and the Medal are now open, and I look forward to rewarding outstanding achievement at the Gala Presentation Dinner on 27 August.
This issue also includes coverage of the first meeting of Privacy Authorities Australia (which is made up of state, territory and federal privacy authorities) in April; an article about our recently released health information sheets; a report on the Office's involvement in the APEC Pathfinder project in Peru; as well as some details from the Office's submission on Automatic Number Plate Recognition.
Minister Launches Privacy Awards
Some 130 privacy professionals from across the public and private sectors attended a corporate breakfast on 9 April in Sydney featuring Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary, as the keynote speaker. The event marked 20 years since the enactment of the Privacy Act, as well as the launch of the inaugural Australian Privacy Awards and Australian Privacy Medal. In his speech, Senator Faulkner addressed current approaches to cross border data flows, including the APEC Data Privacy Pathfinder, the ALRC's Review of the Privacy Act, and the impetus behind the Awards and Medal initiative. In her introduction, Privacy Commissioner Karen Curtis outlined the impact the Privacy Act has had on the Australian community over the past 20 years, the role the Office has taken in the ALRC Review process, and the criteria for nominating for the Awards and Medal. Senator Faulkner's speech and the introduction by Ms Curtis, as well as information on how to nominate for the Awards and Medal, can be viewed at: www.privacy.gov.au/news/awards/.
Photo (clockwise from top left): Senator the Hon John Faulkner; Kate Harrison, Chief of Staff to Senator Faulkner, with former Privacy Commissioner Judge Kevin O'Connor; Privacy Commissioner Karen Curtis and Senator Faulkner; some of the attendees at the breakfast.
Coming soon . . .
Launch of the Australian/New Zealand chapter of the International Association of Privacy Professionals. See Diary Notes for more information.
Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs
On 6 March 2008, the Privacy Commissioner made new Privacy Guidelines for claims information collected under the Medicare and PBS programs. These Guidelines, which replace existing guidelines made in 1993, will come into effect from 1 July 2008, and have been registered on the Federal Register of Legislative Instruments.
The Privacy Commissioner is required to make these Guidelines under section 135AA of the National Health Act 1953. The Guidelines apply to the way Australian Government agencies handle claims information from the two programs. The enabling legislation seeks to ensure that information from the two programs is not stored permanently on the one government database, thus forming a rich repository of health information about individuals. However, information from each program may be temporarily linked in ways set out in the Guidelines.
An important part of the review leading up to the new Guidelines was an extensive consultative process and review involving a range of stakeholders, including peak health bodies, consumer health and privacy advocacy groups, Medicare Australia and the Department of Health and Ageing.
Some of the major differences between the existing and the revised Guidelines are:
- to allow Medicare Australia to link claims information to provide it to a person who has requested access to their information, rather than have to provide separate reports;
- to allow Medicare Australia to retain claims information after 5 years, in a de-identified form;
- to promote transparency, Medicare Australia has new reporting obligations in relation to how often it links data and how long it keeps those linked data sets; and
- a new guideline to reflect the enabling legislation that prohibits any Australian Government agency storing Medicare and PBS claims information on the same database.
Further information is available at: www.privacy.gov.au/health/guidelines.
Reappointment of Privacy Advisory Committee Members
On 1 May, Dr Bill Pring, Ms Suzanne Pigdon and Ms Joan Sheedy were reappointed to the Privacy Advisory Committee (PAC) for two year terms. The Privacy Commissioner congratulates these members on their reappointment and looks forward to continuing the productive working relationship established with all members of the Committee.
The PAC is established under section 82 of the Privacy Act. It provides strategic advice to the Privacy Commissioner on privacy from a broad range of perspectives, and includes members involved with, or who have experience of community, information technology, business, government and consumer views. The Committee meets three times a year. As well, members are involved in assisting the Office in various ways between meetings - for example, providing assistance on framing the methodology for the Community Attitudes Survey.
The other members of the Committee are: Ms Robin Banks, Mr Peter Coroneos and Associate Professor John M. O'Brien.
Data Breach Notification Guide
On April 15, Privacy Commissioner Karen Curtis released a draft Voluntary Information Security Breach Notification Guide for consultation. During the two month consultation period, the Office hopes to hear views on the draft Guide from a broad range of stakeholders.
A brief history of breach notification
Breach notification has been an increasingly significant issue for privacy regulation in recent years. This is at least partly because of the increased awareness of the risks of identity theft, including in the online environment.
Notifying individuals when an information security breach occurs that may affect their information gives those individuals the opportunity to take steps to protect their interests.
The enactment in 2002 of the Californian 'Law on Notice of Security Breach' marked a key development in moves toward breach notification laws and practices. The 'California Law' requires organisations to notify individuals where a breach of computerised data compromises the security, confidentiality or integrity of personal information.
In a matter of months, several large information security breaches were exposed by the California Law, one breach affecting 40 million credit card holders.
Since the enactment of the California Law, a further 40 states in the United States have enacted breach notification laws and other countries, including Canada and New Zealand, have introduced voluntary breach notification guidelines. There has also been discussion regarding the European Union introducing mandatory notification obligations.
Breach notification in Australia
In Australia, the Privacy Act 1988 does not specifically require an agency or organisation to notify individuals of a breach of information security. However, the issue of an amendment to the Privacy Act to require mandatory data breach notification is under consideration as part of the Australian Law Reform Commission's (ALRC) review of privacy.
In its 2007 Discussion Paper, Review of Australian Privacy Law, the ALRC made a preliminary reform proposal (Proposal 47-1) for amendments to the Privacy Act, to require agencies and organisations to notify affected individuals and the Privacy Commissioner of an information security breach in certain circumstances. The Office supports this proposal.
Why develop a voluntary guide now?
The Office is developing the voluntary Guide in response to requests for advice from agencies and organisations. These bodies have already come to recognise the potential value of voluntarily choosing to notify individuals when a breach occurs.
In addition, this consultative process affords the opportunity for the Office to reflect further on possible models for any future mandatory obligation, should the Australian Government choose to follow that path.
Our approach in drafting the guide
The Guide does not seek to be highly prescriptive regarding when notifications should be made. The Guide is meant to provide a framework that agencies and organisations can use to determine how to respond appropriately to a breach, should one occur, based on their business operations and the nature of the breach, including the type of information involved.
As the draft Guide notes, agencies and organisations have obligations under the Privacy Act to secure personal information they hold against misuse. Prevention is always better than cure when it comes to information security breaches.
However, if the information security is compromised, the draft Guide encourages agencies and organisations to be prepared to respond to the breach effectively.
Breach notification as good privacy practice
Notifying individuals when an information security breach affects their personal information is consistent with good privacy.
Being open and transparent with individuals about how personal information may be handled is fundamental to good privacy. Part of being open about the handling of personal information may include telling individuals when something goes wrong, and explaining remedial steps that the organisation has taken or that the individual can take to prevent harm.
In some cases, notification may also align with compliance obligations. Telling individuals when there has been a breach can be a 'reasonable measure' for organisations and agencies to take in keeping personal information secure.
Notification can also enhance an agency's or organisation's relationship with individuals, by providing a clear statement that it will be open and transparent, including when things go wrong. In the long term, such an approach can enhance consumers' trust and confidence.
Breach notification - to notify or not to notify...
So, when is it appropriate to notify customers of a breach? Is it always appropriate? Should anyone else be told, such as the Privacy Commissioner or police?
The draft Guide aims to help agencies and organisations to answer these questions by making an assessment based on a range of factors. Notification will not always be the appropriate response to an information security breach and agencies and organisations will need to assess on a case-by-case basis whether notifying customers is the best course of action.
This is not always an easy judgement to make. Notifying customers of every tiny 'blip' in the overall security of their personal information can generate undue anxiety among customers when actual risks to the information are minimal. Frequent reporting of low risk breaches can also cause customers to become desensitised to information security breaches and blasé about taking further steps to protect their information.
On the other hand, failing to notify customers of a serious breach to the security of their personal information can leave individuals vulnerable to fraud, theft or humiliation. So agencies and organisations need to be circumspect in their response to a security breach.
To find out more, the Office invites you to have a look at the consultation draft of the Voluntary Information Security Breach Notification Guide, available at: www.privacy.gov.au/aboutus/consult/.
Making a submission...
Comments on the consultation paper are invited by 16 June 2008 and may be emailed to email@example.com or posted to:
Information Security Breach Notification Consultation
Office of the Privacy Commissioner
GPO Box 5218
Sydney NSW 2001
Complaint Snapshots
An individual complained that the manager of a licensed club gave their personal information to their ex-partner. They didn't receive a satisfactory response from the club and a complaint was made to this Office. The Commissioner opened an investigation into the matter. As a result of the disclosure, the complainant said they received telephone calls which left them feeling unsafe and prompted them to relocate to another suburb. Compensation was sought by the complainant for costs associated with the relocation, as well as loss of income. The club offered an amount of compensation in resolution of the complaint, which was accepted by the complainant. Consequently, the Commissioner closed the matter as having been adequately dealt with.
An individual purchased an item from a door-to-door salesperson. Not satisfied with the product, the individual called the salesperson within the 10 day cooling off period and left a message advising they wished to return the product. The salesperson claimed not to have received the message, and a payment default was subsequently listed on the individual's consumer credit information file. Upon complaining to this Office, the matter was referred to conciliation. As a result of conciliation the salesperson agreed that the product had been returned and that the message was sufficient notice to return the item. The payment default listing was removed, and the Commissioner closed the matter as being adequately dealt with.
The complainant was acting as a representative of an individual in a matter relating to a government agency. The government agency sought to collect a debt owed by the individual. The agency obtained personal information about the complainant as part of its investigations. The complainant disputed any link between themselves and the individual which would have allowed this information to be gathered by the government agency. The Commissioner opened an investigation; however, it was noted that, as the complainant was acting as the individual's representative, the agency needed to make enquiries about the complainant in order to rule out the possibility that they might be assisting the individual in avoiding liability. The Commissioner decided that the information gathered was not an unreasonable intrusion into the complainant's privacy and closed the matter as no breach of the Privacy Act had occurred.
Automatic Number Plate Recognition
In January, the Office made a submission to the Queensland Parliamentary Travelsafe Committee's Inquiry into the effectiveness of using Automatic Number Plate Recognition technology (ANPR) for road safety applications. Such uses could include ANPR being used to collect number plate images and match these against licence and registration data to identify vehicles and individuals of interest.
ANPR is already being used overseas and in some Australian states for a range of commercial and government functions.
The submission highlighted the privacy concerns associated with a technology that is capable of collecting and linking large amounts of personal information about individuals for whom there may be no cause for suspicion and who may not be aware that such surveillance is occurring.
In the Office's view, ANPR should only be adopted where it is a proportionate response to a well defined problem. Careful regard should be given to privacy issues, including the need for measures that guard against function creep and the unwarranted intrusion into the privacy of individuals going about their day to day lives.
The submission is available at: www.privacy.gov.au/publications#s.
Formation of Privacy Authorities Australia
To be known as Privacy Authorities Australia, the forum will meet two or three times a year. The Australian Privacy Commissioner's Office will provide secretariat support.
This collaborative forum will discuss issues of common interest, including privacy law reform and technology advances and their impacts on privacy.
The next meeting will focus on the Australian Law Reform Commission report after its tabling in Parliament.
In February, the APEC Electronic Commerce Steering Group (ECSG) met in Lima, Peru. Over the course of a week, a series of meetings were convened to discuss the implementation of the APEC Privacy Framework. A Technical Assistance Seminar was also held on International Implementation of the APEC Privacy Framework which addressed the issue of 'Data Privacy and E-Commerce: Fostering Economic Growth'. More information on the seminar is available at www.apec.org. The next round of APEC ECSG meetings will be held in Peru in August.
In September 2007, APEC Ministers endorsed the APEC Data Privacy Pathfinder, an initiative aimed at furthering the practical implementation of the APEC Privacy Framework.
Under the Pathfinder, there are nine projects, most of which are now underway. The Office is leading projects concerning: a directory of data protection authorities; a template Enforcement Cooperation Arrangements; and a template cross-border complaint handling form. Currently, the Office is working with other jurisdictions on draft documents for these projects which will go to the project working group for comment.
Health Information Sheets and FAQs
In March, the Privacy Commissioner issued new privacy guidance materials for the private health sector, including practitioners and consumers. Five new information sheets address a range of topical issues raised by stakeholders since the National Privacy Principles (NPPs) in the Privacy Act 1988 came into effect in December 2001. In addition, seven related FAQs were released to assist health consumers.
The information sheets are intended to clarify a range of issues for health service providers, practice managers and peak bodies that handle personal information. Each information sheet has a 'key messages' section to provide a quick snapshot of the main issues, with further detail explained in the sheet, including examples drawn from actual cases that the Office has investigated.
The information sheets address the following topics:
Denial of access to health information due to a serious threat to life or health (Information Sheet 21)
A patient may be denied access to their health information where giving access would pose a serious threat to any person's life or health, including the individual, the practitioner, relatives, staff or other patients.
The information sheet discusses what is meant by 'a serious threat to life or health' and some other aspects of dealing with access requests.
Fees for access to health information under the Privacy Act (22)
The Privacy Act requires that charges must not apply to merely lodge a request for access and any fee charged for access must not be excessive. Some factors are outlined that providers should consider when deciding how much to charge a patient (if anything) for access to their medical records.
Use and disclosure of health information for management, funding and monitoring of a health service (23)
This information sheet provides guidance on how providers may use or disclose a patient's health information for the management, funding or monitoring of their health service. It also outlines what activities may be considered to constitute management, funding and monitoring of a health service.
Disclosure of health information and impaired capacity (24)
This information sheet explains the circumstances in which a patient's health information may be disclosed to relatives and others, where the patient lacks the capacity to consent to the disclosure or capacity is impaired. Under the NPPs, providers may share the information of an incapacitated patient with family, a partner or others 'responsible' for the patient, either to provide care or treatment, or for compassionate reasons. However, any disclosures may not go against a patient's known wishes.
Sharing health information to provide a health service (25)
In general, providers in the private sector may only use or disclose their patient's health information for the main reason for which it was initially collected. Guidance is given to providers on how the Privacy Act applies to using and disclosing a patient's health information in the course of providing the patient with a health service. This includes when disclosing information to other members of an individual's treating team, as well as when providing care in a holistic manner. The sheet explains how the Privacy Act aligns with principles of good patient-clinician communication.
National E-security Awareness Week (6-13 June) is an Australian Government initiative that aims to help Australians understand e-security risks and encourage them to take simple steps to protect themselves online. Watch our website for details.
Privacy Complaints and Compensation
In the last issue of Privacy Matters we examined conciliation of complaints under the Privacy Act 1988. Resolutions to a complaint may include an apology or process/systems changes. Sometimes parties may consider payment of compensation for quantifiable expenses incurred, or in recognition of non-financial loss (which may include injury to feelings and humiliation).
Conciliated outcomes are at the discretion of the participating parties. The Office encourages parties to actively conciliate, however we cannot compel either party to make or accept a proposal made during conciliation.
Where compensation forms part of the outcome, amounts paid vary from $500 to upwards of $100,000. Some conciliated settlements are based solely on non-financial loss.
Where the Office has formed a view that a respondent breached the privacy of an individual and loss or damage was suffered, some form of redress is ordinarily appropriate. Redress may be in the form of an apology, or changes to practices and procedures, and may include compensation. The Commissioner has the discretion to cease investigation of a complaint where she considers the respondent has adequately dealt with the matter.
If conciliation fails to resolve a complaint and it is not adequately dealt with by the respondent, the matter may be referred to the Commissioner, who will decide whether to make a determination under s.52 of the Act. Should a matter proceed to determination, the amount of damages that may be awarded by the Commissioner is unlimited.
The decision of the Administrative Appeals Tribunal in Rummery and Federal Privacy Commissioner and Anor AATA 1221 provides guidance in assessing amounts of compensation payable. This decision indicates assessment of compensation should be based on five principles:
- where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course;
- awards should be restrained but not minimal;
- in measuring compensation the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute;
- in an appropriate case, aggravated damages may be awarded; and
- compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.
While these principles may guide the Commissioner if awarding compensation in a determination, they are also useful for parties considering compensation as part of a conciliated resolution to a complaint.
Diary Notes
- Australian and ACT Government Privacy Contact Officers' Meeting, Canberra, Friday, 6 June 2008, 9.00am - 12.00 noon.
- Asia Pacific Privacy Authorities, South Korea, 19 - 20 June 2008.
- Australian Privacy Awards and Medal deadline for nominations, 9 July 2008. Nomination details at www.privacy.gov.au/news/awards/.
- Privacy Awareness Week international privacy competition for secondary school students. Competition closes 25 July 2008.
- Privacy Awareness Week, presented by the Asia Pacific Privacy Authorities, 24 - 30 August 2008.
- Australian Privacy Awards and Medal Gala Presentation Dinner, Sydney, Wednesday, 27 August 2008.
- International Association of Privacy Professionals (IAPP) - following the establishment of the IAPP in 2000 in the USA, a group of privacy professionals in Australia and New Zealand are establishing IAPP ANZ. It will be formally launched at a half day conference in Sydney during Privacy Awareness Week on 27 August 2008. Privacy professionals from around the country will be able to attend the event before attending the Gala Presentation Dinner for the Australian Privacy Awards and Medal. More information on IAPP ANZ is available from Chris Jefferis at firstname.lastname@example.org.
- SOCAP Symposium, Adelaide, 26-28 August. Details at www.socap.org.au.
For more diary notes, or to submit an event, please visit our online events news/calendar: www.privacy.gov.au/news/calendar.