
Privacy Matters Spring Newsletter 2008


Volume 3 Issue 1 Spring 2008

Commissioner's Message

Welcome to the last issue of Privacy Matters for 2008, as we come to the close of celebrating the 20th anniversary of the introduction of the Privacy Act.

This year has been a full and productive one for my Office. The sheer range of submissions we made, stakeholders we consulted and projects we contributed to shows how pervasive privacy issues really are. As I reflect back on the year I am proud of the many goals my Office has achieved.

One of the most significant achievements of 2008 was the introduction of the Australian Privacy Awards and the Australian Privacy Medal during Privacy Awareness Week. This initiative was very successful and I enjoyed this truly public celebration of privacy. The opportunity to reward good privacy practice is important because it raises the profile of those who are working so hard to protect the privacy of Australians.

This year my Office also continued its invaluable contribution to the Australian Law Reform Commission's review of privacy. My Office looks forward to playing a major role in assisting the Australian Government's response to this extensive review.

The feature article in this issue of Privacy Matters analyses the trends and outcomes of complaints received in 2007-08. This demonstrates that privacy is an important issue for the Australian community. Figures published in the Office's 2007-08 Annual Report show that the number of complaints my Office received has risen 3% over the last year.

This issue also features an article on some new technological developments which potentially impact our privacy, such as the proposed new security screening techniques at airports and Google Street View. There is also an article highlighting our submissions for 2008, and a snapshot of some privacy complaints.

The diverse range of articles featured in this issue itself highlights how pervasive privacy really can be.

I thank everyone who has helped to make 2008 such a successful and interesting year for privacy. I have been encouraged by the efforts government and organisations have been making to ensure that their policies have privacy 'built in' and not just 'bolted on'.

My Office is already preparing for 2009. Next year Privacy Awareness Week will be celebrated in early May, so mark your diaries now!

I wish you all a safe and happy holiday season. See you in 2009.

Karen Curtis

Complaints in 2007-2008: trends and outcomes

Our Compliance functions include responding to privacy enquiries, investigating complaints and conducting 'own motion investigations', in which we identify and investigate systemic privacy issues in organisations and agencies. The number of enquiries and complaints we received and the number of own motion investigations we undertook were significantly higher in 2007-08 than in 2006-07.

The majority of enquirers were individuals seeking advice about their privacy rights. The most common issues in enquiries were the use, disclosure and collection of personal information. The number of telephone enquiries we received increased by 4% to 18,059.

The number of complaints received rose by 3% to 1,126. Consistent with the previous financial year, the majority of the complaints were about the information handling practices of private sector organisations (77%) rather than about government agencies. About 60% of complaints related to alleged breaches of the National Privacy Principles and, of these, the majority involved the use, disclosure, security or collection of personal information. Another 17% of complaints related to alleged breaches of the credit reporting provisions of the Privacy Act, and a further 12% related to the Information Privacy Principles.

The Office aims to resolve complaints through conciliation, where appropriate, and we were largely successful in facilitating conciliated outcomes to complaints in 2007-08. Organisations and agencies have often been willing to address concerns raised by complainants at an early stage, particularly since many individuals are simply seeking an acknowledgement of their concerns, or an apology, in order to consider their complaints resolved. In 26% of complaints where we investigated and found an interference with the complainant's privacy, an apology formed part of the resolution of the complaint.

Compensation was also a common outcome, and was involved in the resolution of a number of complaints where we investigated and found an interference with the complainant's privacy. Generally, the amount of compensation respondents paid was less than $2,000. In many cases "other remedies", which include outcomes such as staff training and staff counselling, were provided.

Over the past year, we adopted a proactive approach to dealing with systemic privacy issues and undertook more 'own motion investigations'. In 2007-08, 81 new matters involving alleged interferences with privacy were brought to our attention by agencies and organisations reporting their own data breaches to us, through media coverage, and by individuals contacting us. This compared with 55 in 2006-07.

On each occasion where 'own motion investigations' found an interference with privacy had occurred, the respondent adequately dealt with the issue raised, either on its own initiative or at our suggestion. Actions taken have included written notifications to affected individuals, apologies, retrieval and appropriate disposal of records, changes in procedures and staff training.

Following an increase in the number of 'own motion investigations' undertaken in 2007-08, in response to requests for advice from agencies and organisations, and in recognition of global trends towards breach notification, the Office released the voluntary Guide to Handling Personal Information Security Breaches. The Guide is available at: www.privacy.gov.au/materials/types/guidelines/view/6478.

While it is early in the 2008-09 financial year, our statistics predict that 2008-09 will be even busier for the Compliance branch. We look forward to continuing to provide quality advice and a high quality complaint handling service in 2008-09.

[Chart 3.2: Percentage of complaints received by Privacy Act jurisdiction]

Update on Response to ALRC Report on Privacy

As reported in the last edition of Privacy Matters, the Government released the Australian Law Reform Commission's (ALRC) review report, For your information: Australian Privacy Law and Practice, on 11 August 2008.

The Department of Prime Minister and Cabinet (PM&C) is developing the Government's response to the 295 recommendations in the 2,700-page report.

Given its size and complexity, the Cabinet Secretary, Senator the Hon John Faulkner, has announced that the Government will respond in two stages. At a seminar on 2 October, the Minister said that:

"The Government sees privacy as part of a holistic approach to information:

  • A holistic approach to Australians' rights to determine what is known about them, about their views and their behaviour.
  • A holistic approach to the responsibilities of the public and private sectors in gathering, storing, transferring and using information about people.
  • A holistic approach to balancing the interaction between different rights and values, such as privacy and law enforcement, or FOI and national security."

The Minister also confirmed that:

  • The first stage will involve looking at the building blocks of the revamped Privacy Act, namely the Unified Privacy Principles (UPPs), credit reporting, health and new technologies.
  • The starting point for consideration is the recommendations of the ALRC but that inevitably, there will be differing views within and without Government about these recommendations, and that the Government will be listening carefully to those views as it maps a way forward.
  • As announced on 11 August, he expects that the Government will introduce legislation as necessary on this first reform stage within 12 to 18 months.
  • PM&C has commenced discussions with key players on a number of these first stage issues and will target stakeholders in both the public and private sectors over the coming months.
  • He had written to all state and territory Attorneys-General to advise them of the Government's timetable for first stage reforms, and to seek their initial comments on the recommendations. The Minister anticipates being in a position to address the Standing Committee of Attorneys-General on the Government's views early in 2009.

To date, a half day meeting on credit regulation with industry has been held, and PM&C will hold five half-day targeted meetings in December with industry sectors on the proposed UPPs. There will also be meetings with consumer and privacy groups on credit regulation and the UPPs in December. Health and new technologies will be discussed early in 2009.

The Minister said: "The aim of these discussions is to ensure that everyone has the opportunity to put forward their views, to make the Government aware of any perceived gaps or limitations with the ALRC's recommendations, and to ensure the government is fully informed prior to making decisions about those recommendations."

NSW Law Reform Commission Review Update

The NSW Law Reform Commission (NSWLRC) is conducting an inquiry into whether existing legislation in New South Wales provides an effective framework for the protection of the privacy of an individual.

The Office recently made a submission to the NSWLRC welcoming proposals to reform NSW privacy law to achieve national consistency. Harmonising privacy regulations would help to promote clear and common understanding of privacy obligations across the community.

The submission also supports private sector health information being solely regulated by the Federal Privacy Act. This would be a significant step forward in promoting simplicity and uniformity in privacy regulation.

Other issues the submission supports include:

  • state-owned entities being covered by privacy law
  • contractors to state government agencies being bound by privacy law
  • limiting NSW privacy law to NSW public sector agencies.

The Office's position on these issues is consistent with our submissions to the recently completed Australian Law Reform Commission's privacy law inquiry. The submission is available at: www.privacy.gov.au/materials#sub.

The NSWLRC website can be found at: www.lawlink.nsw.gov.au/lrc.

30th International Conference of Data Protection and Privacy Commissioners

In October, the 30th international privacy conference was held in Strasbourg. Jointly hosted by the German and French privacy authorities, the conference took as its theme "Protecting privacy in a borderless world".

In attendance were 600 delegates from data protection authorities around the world, as well as the public, business, and community sectors. Australia had ten representatives, including the Australian Privacy Commissioner, the Northern Territory Information Commissioner and the Victorian Deputy Privacy Commissioner.


Over two days, the conference discussed the following issues:

  • Is privacy an obstacle or an asset for global economic growth?
  • Privacy, an endangered space?
  • Security, towards a worldwide identification database?
  • My name is Clara, I am 14, here is my private life (a discussion on social networking sites)
  • The digitally assisted man: a digital angel or a digital devil?
  • New instruments of regulation for privacy

At the closed session, the Commissioners agreed to resolutions on:

  • the granting of accreditation for a number of national and sub-national privacy authorities
  • exploring the establishment of an International privacy/data protection day or week (the Australian Privacy Commissioner is chairing the working group)
  • children's online privacy
  • social networking sites
  • the development of international standards
  • a website for the conference
  • the establishment of a working group on representation by Commissioners at meetings of international organisations.

Further detail about the resolutions and the conference is available at: www.privacyconference2008.org.

The 31st International Conference will be held in Madrid, Spain, from 11 - 13 November 2009.

30th Asia Pacific Privacy Authorities Forum


Participants at the 30th APPA Forum held in Melbourne, 13 - 14 November 2008.

The 30th Asia Pacific Privacy Authorities (APPA) Forum was held in Melbourne, Australia, from 13 - 14 November 2008.

APPA welcomed the resolution from the 30th International Conference for Data Protection Authorities for the establishment of a working group to initiate a worldwide privacy and data protection awareness week/day. This idea was generated at the 29th APPA meeting held in Seoul.

International and national privacy issues were discussed, including the use of Portable Storage Devices, developments in data breach notification, and issues concerned with locational privacy and 'blacklists'.

The objectives for the APPA Forum were reviewed and opportunities for further joint initiatives were highlighted. The Australian Office agreed to continue to act as the APPA secretariat for an additional two years.

The 31st APPA meeting will be held in Hong Kong in June 2009.

The Role of Evidence in the Complaint Investigation and Conciliation Process

In this year's Autumn edition of Privacy Matters, we talked about the principles for assessing compensation. In this edition we look at the role that evidence plays in the investigation and conciliation of complaints made under the Privacy Act.

Once a complaint is made and the Office decides to investigate the complaint, the Office writes to the organisation or agency that is the subject of the complaint to seek a response.

The resolution process is a dynamic one. In some cases the Office will need to take further steps in response to information provided by the parties. Perhaps you have not provided enough information? Perhaps your response raises more questions?

In cases where the Office forms a view about whether the conduct complained of breaches the Act or not, we need to make the decision based on the civil test of "balance of probabilities." In other words, taking into account all the relevant evidence, is it more likely than not that the facts that gave rise to the complaint are made out? If the facts are made out, how does the Privacy Act apply in the circumstances?

The types of information we may seek from a complainant include:

  • correspondence between the complainant and the respondent
  • statutory declarations
  • diary notes or other records.

The types of information we may seek from a respondent may include the above and in addition:

  • if the matter relates to a possible breach of the credit reporting provisions of the Act, copies of consumer credit information files
  • any relevant legislation you are relying on
  • copies of internal policies, training manuals and information on training processes
  • copies of internal file notes or other records.

Providing this information promptly will aid our investigation and help to resolve the matter sooner. In some circumstances the Office may use its powers under the Act to compel the production of information and documents.

When weighing up the evidence, the Office will consider the strength of the information provided. Is the statutory declaration from a person directly involved in the matter? Are the notes provided contemporaneous with the event?

Under the Act, the Privacy Commissioner also has the role of attempting to settle matters that are subject to investigation by conciliation if appropriate. Conciliation is a process where this Office talks to both parties about how they think the complaint should be resolved and tries to facilitate an outcome that is mutually satisfactory.

In the Autumn edition we talked about the kinds of conciliated outcomes that parties might agree to. Where a complainant is seeking compensation, the decision of the Administrative Appeals Tribunal in Rummery and Federal Privacy Commissioner and Anor [2004] AATA 1221 is of assistance. In general, the principles of damages applied in tort law will assist in measuring compensation. The case also makes it clear that compensation should be assessed having regard to the complainant's reaction and not only to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.

If a complainant wishes to pursue a claim for compensation, the complainant will need to provide a claim outlining how he or she has been affected by the matters giving rise to the complaint. As such, prior to forwarding a conciliation proposal to the respondent, complainants are invited to provide evidence in support of their claim that there is a causal connection between the alleged breach of privacy and the damage they say has been suffered as a result. This might include, but is not limited to:

  • invoices and receipts
  • doctors' certificates or similar for claims of non-financial loss, such as hurt and humiliation or to substantiate physical suffering
  • statutory declarations from relevant parties.

The Office provides a free complaint handling service. For more information visit our website or call our enquiries line on 1300 363 992.

Are You Being Watched?

Have you ever received unsolicited advertising through your Bluetooth device? Viewed someone else's house using Google's 'Street View'? Or been asked to trial the new body scanning equipment at Sydney, Melbourne or Adelaide airport?

New technologies can inadvertently be intrusive and lack transparency when personal information is collected, used and disclosed. Described as a 'virtual' strip search, body scanning reveals the body outline beneath your clothes. And did you know that Bluetooth technology can build up a profile of locations and interactions?

Good privacy practice

Information collected and handled using new technologies may not always be personal information. For example, Google Street View uses pixelation software to blur faces and car number plates, and the images it displays are 'captured in time' rather than 'real time'. While these images may not be personal information, individuals may still find them intrusive.

The Office encourages organisations to carefully consider the privacy impact of new technologies and not to confine themselves to simply complying with the obligations of the Privacy Act. For example, the organisation could take steps to protect individuals' bodily privacy (which is not covered by the personal information laws in the Privacy Act). In this way, they can ensure that their practices represent good privacy and align with community expectations.

Value of a Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is a highly valuable tool which can be used to pre-empt and address privacy risks associated with a new product, service or technology. A PIA should:

  • describe the personal information flows in a project
  • analyse possible privacy impacts of flows
  • assess the impact on individual privacy of the project as a whole, and
  • try to eliminate or minimise impacts.

Other benefits of a PIA are that it can be a 'living document' that is reviewed and updated as the new product, service or technology develops, and that it encourages the use of privacy-enhancing features.

The Office has published a PIA Guide for government agencies which is available at: www.privacy.gov.au/publications/pia06/index.html.

The Office also encourages other organisations to conduct PIAs and will soon be producing PIA guidance material for the private sector.

Complaint Snapshots

An individual requested a health service provider send their medical record, including original x-rays, to a nominated organisation. The health service provider posted the record through the regular mail. The individual complained to the Office that the organisation had not taken reasonable steps to protect their personal information from loss. The Commissioner investigated, and considered the nature of the sensitive information involved, potential harm to the individual should the records be lost, the size of the organisation, and the financial burden of alternative means of transport. She found that the health service provider had failed to take reasonable steps to protect personal information by using the general mail, in breach of NPP 4.1. The health service provider agreed to conciliate the matter. The investigation was closed having been adequately dealt with.

An ex-employee complained that their personal record held by their ex-employer, a government agency, had been accessed by another employee. This employee then used the records to locate where the individual was living. This caused the individual to fear for their safety, and to change their name and place of residence. Following an investigation, the Office formed the view that the agency had not taken adequate steps to prevent unauthorised access to the individual's personnel records in accordance with IPP 4. Through conciliation, the individual accepted a confidential settlement for costs associated with their change of name and residence. The Commissioner closed the complaint on the grounds that the agency had adequately dealt with the complaint.

An individual had a car accident involving a third party. While the individual's insurance claim was being processed, the individual alleged that the insurance company disclosed their contact details to the third party, who then contacted the individual wanting to discuss the cost of the claim. The individual complained to the insurance company and received a cheque in the mail from them without any explanation. The Office contacted the insurance company, which agreed it had disclosed the individual's contact details to the third party. They also agreed that the cheque they sent should have been accompanied by a letter of explanation. The insurance company sent the individual a written apology and advised that the third party would not contact them about the claim. The individual was satisfied with the insurance company's actions and the Commissioner closed the matter as being adequately dealt with.

Digital Rights Management

Does anti-piracy = anti-privacy?

Digital Rights Management (DRM) is about controlling access to digital information to protect the rights of copyright owners, distributors and users. So, can digital piracy be tackled without compromising anonymity and privacy online?

What is DRM?

DRM is an umbrella term for technology systems that are designed to securely manage access, use and distribution of digital information. For example, when you pay for online music or an anti-virus subscription, DRM tools can protect copyright by restricting usage to a particular device, or monitor when a product expires.

DRM and Privacy

The internet has revolutionised the way that artists, creators and distributors connect to individuals. This raises both opportunities and challenges. Consumers want flexible and convenient access to the digital products they purchase. Content providers want to protect their intellectual property - and may seek personal details to do so. Not surprisingly, questions arise about:

  • how freely individuals can access and control digital information
  • how much personal information a user should have to provide to access digital content
  • how that personal information can be used or disclosed.

Embedding privacy within DRM

The Office believes that effective DRM systems can protect copyright without sacrificing individual privacy online. Achieving both of these aims may involve:

  • Only collecting personal information if it is necessary - individuals should always be able to interact anonymously if this is lawful and practicable.
  • Having privacy policies about the handling of personal information which are clear, transparent and highly visible - and complaint procedures if something goes wrong.
  • Understanding that technical information like IP addresses may be personal information in some contexts, and that this could have implications for DRM.
  • Wherever possible, giving individuals the choice of 'opting in' for any use of their information beyond the original purpose for which it was collected - such as marketing or sharing with partner companies.

Submissions Summary

One of the Office's functions is to examine and make submissions on proposals by government and business that have significant privacy implications. In the last three months the Office has provided submissions to the:

Senate Legal and Constitutional Affairs Committee Inquiry into the Independent Reviewer of Terrorism Laws Bill 2008

The Office recognised that any lowering of privacy protections for law enforcement purposes must be a necessary and proportionate response to the problem. The Office suggested the provisions in the Bill be drafted to ensure adequate oversight and accountability mechanisms are in place.

Department of Broadband, Communications and the Digital Economy on its Discussion Paper on 'Eligibility requirements for registration on the Do Not Call Register'

The Office acknowledged the national Do Not Call Register had been an important mechanism in helping individuals exercise control over how their personal information is handled. The Office recommended the Do Not Call Register be extended to the phone numbers of small businesses and private and domestic faxes.

National E-Health Transition Authority on the Privacy Blueprint for the Individual Electronic Health Record

The Office supported the express consent approach to individual electronic health records (IEHR) set out in the Privacy Blueprint as it offered important privacy benefits to individuals. Amongst other things, the Office suggested there be specific legislation for the IEHR system to ensure there are robust privacy protections in place and that "sensitivity labels" be used to restrict access to certain information within the system.

To read more about these submissions or any others, visit the Office's website at: www.privacy.gov.au/materials#sub.

Diary Notes

  • Australian and ACT Government Privacy Contact Officers' Meeting, Canberra, 5 December 2008, 9.00 am - 12.00 noon.
  • Privacy Awareness Week 2009 presented by the Asia Pacific Privacy Authorities, 3 - 9 May 2009.
  • Privacy Awareness Week Seminar, Wednesday 6 May 2009. Details to be advised.
  • Privacy and Consumer NGOs meeting, Office of the Privacy Commissioner, Sydney, 20 May 2009.
  • 31st APPA Meeting, Hong Kong, June 2009.
  • 31st International Conference of Data Protection and Privacy Commissioners Madrid, Spain, 11 - 13 November 2009.