Privacy Matters Winter Newsletter 2008
- Commissioner's Message
- Privacy Awards and Medal showcasing a commitment to privacy
- Privacy Awards and Medal the winners and finalists
- New Guidance on Spam and the Privacy Act
- Guide for Handling Personal Information Security Breaches
- ALRC Review of the Privacy Act 1988
- Complaint Snapshots
- OECD and APPA Forums in Korea
- APEC Update
- A Lesson in Privacy for the Insurance Sector
- Diary Notes
Volume 2 Issue 4 Winter 2008
Commissioner's Message
When the Privacy Act was enacted 20 years ago, one could not have imagined the technologies that were to evolve and how they would influence our daily lives. Our personal information can be transferred globally and more rapidly than anyone could have anticipated.
2008 marks the 20th anniversary of the passage of the Privacy Act, so it is fitting that it is also the year in which the Australian Law Reform Commission (ALRC) has finalised its report on its review of privacy laws in Australia. After two and a half years, the ALRC's final report was released on 11 August. My Office looks forward to helping the government respond to the report.
This issue of Privacy Matters celebrates Privacy Awareness Week 2008.
An international competition for secondary school students in the Asia Pacific region was a feature in this year's Privacy Awareness Week. The competition called for students to create a two minute video about privacy, such as how it does or doesn't affect them. It proved to be a great way to engage with young Australians to see what they think about privacy. Congratulations to the winning entries, which are available to view on our website.
I have been encouraged by the way businesses and government have risen to the new privacy challenges and the ways they have thought creatively about how to ensure their information-handling practices are privacy-friendly.
To reward these efforts, the Office introduced the inaugural Australian Privacy Awards and the Australian Privacy Medal. The Awards aim to encourage, recognise and reward businesses, government agencies and not-for-profit organisations that engage in good privacy practices. The Medal acknowledges an individual who has exhibited an outstanding level of achievement in advancing privacy in Australia.
The Awards were presented at a dinner in Sydney on Wednesday, 27 August 2008. The keynote speaker was Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary.
From businesses to government to NGOs, the range of nominations that we received for the Australian Privacy Awards was impressive. I believe it shows that organisations are increasingly recognising the value that good privacy practices play in building customer relationships.
I congratulate all of the nominees for their hard work and efforts in ensuring that the privacy of all Australians continues to be protected and respected.
My sincere thanks also to the sponsors of the awards - Symantec (Major Sponsor), Microsoft (Major Sponsor), Clayton Utz (Executive Sponsor), and Australian Finance Conference (Sponsor).
This special issue of Privacy Matters pays tribute to all of the entrants - a public celebration of privacy.
Karen Curtis
Privacy Awards and Medal showcasing a commitment to privacy
The commitment of individuals, businesses, government agencies and community organisations to privacy was the focus of the Gala Presentation Dinner of the Australian Privacy Awards and Australian Privacy Medal held in Sydney on Wednesday, 27 August.
The capacity crowd included privacy professionals and representatives from the corporate, public and community sectors and the media.
The event featured a keynote address by Senator the Hon John Faulkner, Cabinet Secretary, a video message from High Court Justice Michael Kirby, and a welcome by Karen Curtis, the Australian Privacy Commissioner.
The master of ceremonies for the evening was television presenter Helen Dalley, who introduced each Award category and provided a brief overview of the finalists' nominations. Participants were also treated to musical entertainment, and a video presentation marking 20 years of the Privacy Act.
The highlight of the Office's activities to mark Privacy Awareness Week, the event was the culmination of a busy four months for the Office. During this time, the Awards and Medal were launched at a corporate breakfast in April and an intensive promotional campaign was undertaken to encourage nominations.
The judging panel for the Awards included the Privacy Commissioner Karen Curtis, Craig Scroggie, Vice President and Managing Director Pacific Region of Symantec Corporation, and Privacy Advisory Committee members John O'Brien and Joan Sheedy.
The judges of the Privacy Awards and Privacy Medal: Craig Scroggie, Joan Sheedy, Karen Curtis and Associate Professor John O'Brien
Staff from Medicare Australia, winner of the Grand Award, with Senator the Hon John Faulkner and Privacy Commissioner Karen Curtis
Staff from Telstra Australia, winner of the Large Business Award, with Senator the Hon John Faulkner
Malcolm Crompton, Karen Curtis and Judge Kevin O'Connor AM
Privacy Awards and Medal - the winners and finalists
Awards were presented in four categories, with a Grand Award presented to the most outstanding entry from any of the categories.
Award entrants were asked to nominate their overall work or a privacy-related project, initiative, campaign or system. They were required to address three judging criteria in their nominations:
- the level of privacy consideration and consultation undertaken in the planning and implementation of their nominated work, project, initiative, campaign or system
- their success in communicating its privacy-related elements to staff, customers or external audiences
- the extent of its impact by showing leadership in privacy development, enhancing privacy awareness, facilitating better interaction or trust with stakeholders, enhancing customer satisfaction, and/or reducing privacy incidents and complaints.
The judging panel assessed each nomination according to these criteria, and selected four or five finalists in each category, as well as a category winner and a "highly commended" nomination.
The finalists and winners are:
Australian Privacy Medal
Presented to the Hon Justice Michael Kirby AC CMG, for outstanding achievement in advancing privacy in Australia for more than 30 years.
Privacy Commissioner Karen Curtis, inaugural medal recipient the Hon Justice Michael Kirby AC CMG, and Senator the Hon John Faulkner
Grand Award Winner
Medicare Australia
Symantec Government Award
Open to any government agency in Australia at a local, state or national level.
Winner: Child Support Agency
Highly commended: Kingston City Council (Vic)
Finalists:
- AusCheck
- Centrelink
- Medicare Australia
Large Business Award
Open to any business in Australia that has at least 100 employees.
Winner: Telstra Corporation
Highly commended: Sony Australia
Finalists:
- Hitachi Data Systems
- National Australia Bank
Microsoft Small Business Award
Open to any business in Australia with less than 100 employees.
Winner: Data Solutions Australia
Highly commended: StudentNet
Finalists:
- Records Solutions
- Space-Time Research
Community and NGO Award
Open to any not-for-profit organisation in Australia, such as charities, NGOs, industry bodies, advocacy organisations, and social, cultural, sporting or community groups.
Winner: Australian Dental Association, NSW Branch
Highly commended: Australian Privacy Foundation
Finalists:
- Association of Market and Social Research Organisations
- Biometrics Institute
- Pharmacy Guild (Queensland Branch)

Office of the Privacy Commissioner staff - Andrew Garcia, Danielle Guyder, Priya Malik, Karen Garrard, Rebecca Jeyasingham and Kieran Colreavy at the Privacy Awards and Privacy Medal Gala Dinner

Dr Anthony Burgess, Dr Tim Smyth & Dr Matthew Fisher of the Australian Dental Association (NSW Branch), winners of the Community and NGO Award

Centrelink representatives congratulate Kingston City Council on being awarded Highly Commended in the Symantec Government category

New Guidance on Spam and the Privacy Act
Electronic marketing can cause headaches for consumers if it is of the 'spam' variety. At best, it can be inconvenient; at worst, it can be offensive, spread scams and cause IT security problems. It can also be a concern for businesses that may be unsure of their privacy obligations when it comes to sending legitimate commercial electronic marketing messages.
The Office is pleased to announce the release this week of new guidance about electronic direct marketing. The information sheet and FAQs provide information on the difference between legitimate commercial electronic marketing messages and spam, and advice to individuals on how to avoid the risks of spam.
In particular, Information Sheet 26 - Interaction between the Privacy Act and the Spam Act - clarifies some of the areas of overlap between the Privacy Act and the Spam Act 2003, and gives advice on the handling of personal information in electronic direct marketing activities. The information sheet will also help marketing businesses to better understand their obligations when it comes to privacy and spam messages.
Written in response to concerns raised by stakeholders during our Private Sector review, the information sheet and FAQs were developed with the assistance of targeted stakeholder consultation.
Information Sheet 26 is available at www.privacy.gov.au/materials#I (see Information Sheets (Private Sector)), and the Spam FAQs for individuals are at www.privacy.gov.au/faq/individuals/#spam.
Guide for Handling Personal Information Security Breaches
In our last issue of Privacy Matters, we advised that our draft Voluntary Information Security Breach Notification Guide had been released for consultation. During the consultation, the Office received 75 submissions and these comments have made a valuable contribution to the finalised Guide.
In general, most stakeholders thought the Guide was a positive initiative and that it presented a balanced, pragmatic approach to handling personal information breaches. Some suggested that the Guide would benefit from additional clarity at Steps 2 and 3 - the Evaluation and Notification of Breaches. Also, many stakeholders asked for additional examples to be included in the Guide - so we have tried to do this where appropriate. Finally, the name of the Guide has been changed in response to submissions. The information below will take you through some of the more significant changes.
What's in a name?
At the outset, the Office decided that 'personal information' rather than 'data' aligned better with the terminology of the Privacy Act 1988. Many submissions agreed with this approach, but suggested that different terminology would make this clearer and avoid confusion with the concept of 'security breaches' in other contexts. In line with these suggestions, the Guide has been renamed to focus on personal information security breaches.
Evaluate and Notify - getting the threshold right
It is appropriate that the Guide does not arbitrarily prescribe notification obligations in particular situations. The Office consciously chose not to specify when notification should occur, an approach that a number of submissions agreed with on the basis that it provided the flexibility for agencies and organisations '...to make their own assessment of the risks involved and the best remedial steps to take...'.
At the same time, in response to requests for more general guidance on when notice might be appropriate, the discussion in Step 2 has been expanded. This includes additional guidance on what is the appropriate response where a breach is intentional and malicious as opposed to one that is accidental. Additionally, the Guide discusses why some security measures, such as encryption, may not by themselves be sufficient to avoid a real risk of serious harm arising from a breach.
As most stakeholders thought the examples in the guide were very useful, the Office has provided additional illustrative examples at key points in the guide. In terms of notification, additional guidance and illustrative examples have been provided for situations where exceptions may arise, for example, in a health context or where a third party or service provider relationship exists.
A clear message from stakeholders was that more guidance on the Privacy Commissioner's role would be helpful - this has been provided.
The Guide
The Guide provides advice on four key steps that should be taken to help prevent and respond to personal information security breaches. A personal information security breach occurs when personal information is subject to loss or unauthorised access, use or disclosure. These steps are:
- contain the breach and do a preliminary assessment
- evaluate the risks associated with the breach
- consider notification
- prevent future breaches.
Step three of the Guide provides advice on when it may be appropriate to notify affected individuals. In general, it is suggested that individuals should be notified if there is a real risk of serious harm from a personal information security breach.
The operation of the Guide may inform the Australian Government's response to the Australian Law Reform Commission's August 2008 recommendation that mandatory breach notification be introduced into law.
The Office's Guide for Handling Personal Information Security Breaches is now available at: www.privacy.gov.au/materials/types/download/8628/6478
ALRC Review of the Privacy Act 1988
The Office welcomed the 11 August release of the ALRC's review report, For Your Information: Australian Privacy Law and Practice. The report comprises 2700 pages in three volumes, and makes 295 recommendations.
Most recommendations are consistent with the Office's three submissions to the review. Merging the Information Privacy Principles and National Privacy Principles into a single set of principles is a particularly welcome recommendation. The Office also supports recommendations to encourage all Australian jurisdictions to pursue consistency in privacy regulation. However, while promoting national consistency will help to lessen complexity, it is unclear whether the proposed creation of various potentially detailed and specific regulations and other instruments will help to streamline and simplify privacy regulation.
The Office supports the idea that there should be mandatory notification for information security breaches that pose a real risk of serious harm to individuals. If adopted, compliance with any obligation should ultimately rest with the organisation or agency, rather than be subject to the Privacy Commissioner's direction, as recommended in the report.
The Office also supports a statutory cause of action for privacy. We believe that the suggested model represents a good balance between meeting individuals' expectations, while still protecting other important public interests, like freedom of speech.
Credit reporting is a key area for privacy reform. The Office agrees that regulation should be simplified. As individuals view their financial information as particularly sensitive, proposals to expand the potential uses of credit reporting information may need to be pursued with care.
The Office agrees that the Privacy Act should 'cover the field' in the private health care sector, thereby overcoming a key source of regulatory uncertainty and complexity in that sector.
The Office disagrees with the ALRC proposals that the non-consensual research provisions of the Privacy Act should be broadened and watered-down.
Overall, the Office commends the ALRC for its report and we now look forward to assisting the Australian Government as it forms its response to the ALRC's recommendations.
Complaint Snapshots
An individual went to a health service provider and was asked to fill out a form giving their contact details and medical history. Prior to treatment, the individual decided not to use the service and requested that the provider destroy the personal information they had collected. The provider told the individual they had to keep the record under the Medical Practice Act 1992 (NSW). The individual complained that the provider had not destroyed the personal information consistent with NPP 4.2. The Commissioner investigated and found the provider was obliged under the NSW legislation to keep the record for 7 years. She decided not to investigate the matter further because there was no interference with the privacy of the individual.
---------------------------------------------------
An individual complained that a private school had not provided access to information about an investigation, which led to a student being asked to leave the school. It had provided information relating to the student leaving, but had refused access to investigation documents. The school argued that providing access to these documents would interfere with the privacy of other individuals, who had provided information for the investigation. The Commissioner opened an investigation and decided that under NPP 6.1(c), providing these documents to the individual, even with the names of the third parties suppressed, would have an unreasonable impact upon the privacy of those individuals. All documents held by the school, except the investigation documents, were provided to the individual. The Commissioner closed the matter as being adequately dealt with.
---------------------------------------------------
During a newspaper interview about working in a remote community, a health service provider discussed aspects of the complainant's health care and medical history. Although the provider did not name the complainant, due to the nature of the information, the complainant claimed their identity would be apparent to the other residents of the community. Both parties agreed that this information could identify the complainant and that it was likely that an interference with the complainant's privacy had occurred. The Commissioner opened preliminary enquiries into the matter. The parties agreed an amount of compensation. The Commissioner closed the complaint on the basis that the health service provider had adequately dealt with the matter.
OECD and APPA Forums in Korea
The Australian Privacy Commissioner and Deputy Privacy Commissioner were part of the Australian delegation at the OECD Ministerial meeting on the Future of the Internet Economy held in Seoul from 17-18 June 2008. An essential ingredient in the growth of the internet and new technologies is how well personal information is protected.
The OECD meeting was followed by the 29th Asia Pacific Privacy Authorities (APPA) Forum on 19 - 20 June.
The first day of the Forum was a broader session. In attendance were the Privacy Commissioners and representatives of Canada, Hong Kong, Korea, New Zealand, Australia and Victoria, as well as observers from the French Data Protection Authority (CNIL), the Office for Personal Data Protection, Macao, the United States Federal Trade Commission and the OECD. Korean government officials and representatives from Korean and global corporations were also present.
The open session featured presentations on:
- personal information protection in Korea
- personal information grievance resolution in Korea, and
- the Korean Internet Personal Identification Number (i-Pin).
The Forum also included sessions on issues of interest to the region, such as an overview of the current status of work to implement the APEC Privacy Framework and related initiatives being undertaken through the OECD.
The second day of the Forum was a closed session for APPA members and invited observers from CNIL and the Office for Personal Data Protection, Macao. The Forum resolved to continue its efforts to strengthen international relationships between APPA members, the OECD and European Union member states.
Initiatives for Privacy Awareness Week in 2009 were planned and the timing changed to the first week of May.
The 30th APPA meeting is scheduled for 13-14 November 2008 in Victoria, Australia and Privacy Awareness Week is scheduled for 4-10 May 2009.
APEC Update
Stakeholder Workshop
On 31 July 2008, the Department of Prime Minister and Cabinet convened a consultation workshop on the APEC Data Privacy Pathfinder for Australian stakeholders. Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary, opened the workshop, noting the overall context in which the APEC Data Privacy Sub-Group's work is being undertaken. A large number of key stakeholders were present, including representatives from a broad range of industry sectors and consumer bodies.
The Privacy Commissioner Karen Curtis and Deputy Privacy Commissioner Timothy Pilgrim were in attendance at the workshop, with Mr Pilgrim providing an overview of work to date on the Pathfinder projects being led by Australia.
The workshop provided participants with an opportunity to give their views and input into the development of a number of the Pathfinder projects for consideration at the formal APEC meetings to be held in Lima, Peru.
Round Two of APEC Data Privacy Meetings in Lima, Peru
APEC Data Privacy meetings were held in Lima during the week of 11 August. This included a two day 'Capacity Building Workshop on the International Implementation of the APEC Privacy Framework', an informal Data Privacy Pathfinder project meeting, and a meeting of the APEC Data Privacy Subgroup.
The purpose of these meetings was to further develop and finalise the Pathfinder project documentation. Participants addressed outstanding issues relating to the Pathfinder projects. Following the finalisation of the Pathfinder projects, the Data Privacy Subgroup will pursue Pathfinder project nine, a trial phase of implementing the Pathfinder projects.
Further work of the APEC Data Privacy Subgroup can be found at www.apec.org.
IAPP - ANZ Chapter
The Australian & New Zealand Chapter of the International Association of Privacy Professionals was launched on 27 August.
The conference, 'Privacy in a Dramatically Changing Landscape', featured a number of guest speakers. More information is available on their website www.iappanz.org or by phone on 03 9895 4475.
A Lesson in Privacy for the Insurance Sector
In May and June, the Office ran Case Study Workshops for the general insurance sector. The Office and the Insurance Council of Australia invited general insurance compliance professionals to attend one of three workshops. Workshops were held in Sydney, Melbourne and Brisbane.
The workshops focused on two privacy complaint scenarios. These were tailored for the industry and dealt with common privacy issues such as the collection of personal information through surveillance and a request for access to personal information. Participants applied the National Privacy Principles to the scenarios and worked through the handling of each complaint.
The workshops were well received by those in attendance. Participants reported an increased knowledge of privacy as a result of the workshops. Participants also reported that the workshops increased their confidence in dealing with privacy complaints within their own organisations.
The Office is committed to undertake educational programs with the aim of promoting individual privacy. Following the success of these workshops, the Office hopes to conduct similar seminars for other sectors in the future.
Diary Notes
- Privacy Authorities Australia meeting - Sydney, 19 September 2008
- Meeting the Privacy Challenge - A Symposium on ALRC and NSWLRC Privacy Reviews. Part of the Interpreting Privacy Principles project of the Cyberspace Law and Policy Centre. Information at s.christou@unsw.edu.au
- Scanning Data Protection Horizons in the Asia-Pacific Region. Conference in Strasbourg, France, 15 - 17 October 2008
- 30th International Conference of Data Protection and Privacy Commissioners, Strasbourg, France, 15 - 17 October 2008
- APEC privacy seminar hosted by PM&C - Melbourne, 11 November 2008
- [Id]entity 2008, a one day conference hosted by the Victorian Privacy Commissioner and Victorian Department of Premier and Cabinet, Melbourne, 12 November 2008
- Asia Pacific Privacy Authorities meeting - Melbourne, 13 - 14 November 2008
- Australian and ACT Government Privacy Contact Officers' Meeting - Canberra, 5 December 2008, 9.00 am - 12.00 noon
- Privacy Awareness Week 2009, presented by the Asia Pacific Privacy Authorities, 3 - 9 May 2009 (Note: Privacy Awareness Week has been changed to the first week of May from 2009)