Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Types

Topic(s): Corporate information
 

Privacy Matters Summer Newsletter 2009

document icon pdf (759.04 KB)


Download privacy matters PDF

Download PDF

Privacy Matters - Archived Issues

Volume 3 Issue 2 Summer 2009

Commissioner's Mesage

Happy New Year and welcome to the first edition of Privacy Matters for 2009!

2009 is the Chinese Year of the Ox. Traditionally this means a year filled with hard work and fortitude. The Office expects the next 12 months will bring an increased volume of work, particularly as we start to see the shape of changes in the Australian privacy landscape.

The Australian Law Reform Commission's report on privacy was launched in August last year. This was a significant 74 chapter, 295 recommendations, body of work. Sensibly, the Government's response to the report will be two staged and we expect a response on the first tranche to be released this year. My Office has played a key role in assisting the Government in its response.

It is also expected that the Government will further outline its proposal for an Information Commissioner which would bring privacy and FOI functions together.

This issue of Privacy Matters flags the launch of our new and improved website. Our website is a key way of promoting and protecting privacy, and is often the first port of call for many of our stakeholders, service providers, and of course the general Australian community. We hope that, once launched, you will find the website simple to understand, relevant and informative. We value any feedback you may have on the redesign.

Other articles in this issue include information on the Compliance section's data matching activities, a snapshot of complaints the Office has received, and an update of what is happening in the international sphere of privacy.

Also featured is advance notice about Privacy Awareness Week 2009, to be celebrated from 3 - 9 May. As Privacy Awareness Week is just around the corner, it's time to start planning ways to promote privacy awareness in your office now! I thought the efforts of many businesses and government agencies last year were impressive. Hopefully this will continue, and indeed grow, in 2009.

Another area I hope to see continue to grow this year is the strong relationships my Office has with key stakeholders. Last year, the Privacy Authorities Australia forum was formed as a way to share information and promote privacy within Australia. I look forward to strengthening this forum in 2009. Our first meeting is scheduled in Melbourne in late March.

Ultimately, all of these projects, initiatives and launches focus on one thing - that the privacy of Australians continues to be valued and respected.

Karen Curtis

Voluntary Data-matching Guidelines - getting the perfect match . . .

There are serious privacy risks in routine data-matching on a large scale, particularly where it involves sensitive information. Our compliance functions include providing independent oversight and advice to agencies on data-matching regulated by statute and data-matching under the Commissioner's voluntary regulatory scheme.

Data-matching involves bringing together data sets of personal information from different sources, which were collected or held for different purposes, and using the combined data for a new purpose. Agencies often use combined data to identify discrepancies across collections, to assist in maintaining accurate records or to identify individuals who may not be complying with relevant obligations to the agency.

Statutory data-matching involves the use of Tax File Numbers (TFNs) as the matching key, and is undertaken by a limited number of agencies under the authority of the Data-Matching Program (Assistance and Tax) Act 1990.

All other data-matching undertaken by Australian government agencies has to be based on the use of non-TFN matching keys. To assist agencies, the Commissioner issued the Guidelines for the Use of Data-matching in Commonwealth Administration (Voluntary Guidelines) in 1998.

While the Voluntary Guidelines are not legally binding, some agencies have agreed to adopt them to assist in protecting the privacy of individuals whose information is being matched. The Voluntary Guidelines aim to encourage a higher standard of regard for people's privacy rights under a data-matching activity than would be required by compliance with the Information Privacy Principles (IPPs) alone.

The Voluntary Guidelines cover large matches, involving databases of more than 5,000 individuals. Generally, the Voluntary Guidelines require:

  • agencies to prepare a Program Protocol, outlining in detail the proposed program, and forward it to the Commissioner for comment
  • each agency involved to provide public notice of the proposed program
  • agencies to give individuals an opportunity to comment on matched information before taking administrative action
  • agencies to destroy unmatched data, or matched data that requires no further action
  • agencies to not create new permanent databases of matched data, and
  • agencies to conduct an evaluation of the data-matching program.

While the Commissioner does not 'approve' Program Protocols, the Commissioner does provide comments and recommendations to agencies on the protocols they have developed. By addressing these comments and recommendations, agencies may reduce privacy risks and allay any privacy concerns that may be held by individuals whose details are involved in the data-matching activity. This promotes trust and confidence in the agency and the data-matching program.

When considering Program Protocols, one issue the Commissioner commonly addresses is the purpose for the collection of personal information by the data- matching activity. The purpose for which the data- matched information is collated should be specified in the Program Protocol clearly, and the data-matched information should only be used for the specified purpose(s). Use of data-matched information for an unrelated purpose may lead to a privacy complaint from an affected individual, which would need to be resolved by the agency in the first instance, and possibly the Privacy Commissioner if unresolved.

The Commissioner also receives requests from agencies to conduct data-matches in a way that is inconsistent with the Voluntary Guidelines. The Commissioner decides these exemption requests on a case by case basis, having regard to any public interest considerations.

While each agency is primarily responsible for its data-matching programs and compliance with the Act, the Commissioner welcomes the opportunity to work closely with agencies to provide advice and support during the development and implementation of these activities to ensure privacy issues are addressed.

For further information visit www.privacy.gov.au or call our enquiries line on 1300 363 992.

Update on the Australian Government's response to the ALRC Report on Privacy

As reported in the last edition of Privacy Matters, the Minister, Senator the Hon John Faulkner, announced last year the Government's response to the Australian Law Reform Commission's (ALRC) review report, For your information: Australian Privacy Law and Practice, would be in two stages.

The first stage involves looking at the building blocks of the revamped Privacy Act, namely the Unified Privacy Principles (UPPs), credit reporting, health and new technologies. The second stage will consider the remaining ALRC recommendations, including those relating to the removal of exemptions and data breach notices.

Consultation Process

The Department of Prime Minister and Cabinet (PM&C) is currently developing the Government's first stage response to the ALRC report.

The ALRC recommended the existing National Privacy Principles and Information Privacy Principles be streamlined and consolidated into 11 UPPs which will apply equally to both the public and private sectors. The ALRC also suggested that a rules based approach in the form of regulations and industry codes be adopted in the areas of credit regulation and health.

PM&C have conducted a series of targeted consultative meetings on the proposed first stage reforms with key stakeholders, including consumer groups, privacy advocates, organisations and industry groups. To date, consultative meetings have been held to discuss:

  • the proposed UPPs
  • credit regulation
  • health, and
  • new technologies.

The purpose of these consultations has been to canvass the views of stakeholders about where they believe there may be gaps in the ALRC's recommendations and to identify any practical or compliance difficulties which they believe may result from the proposed reforms.

Combined with the consultative meetings, PM&C have a webpage with information about their response process at www.pmc.gov.au/privacy/alrc.cfm and have called for written submissions on these first stage proposals. Submissions can be made to: ALRCPrivacyResponse@pmc.gov.au.

Next Steps

It is expected that an Exposure Draft of the proposed legislation will be circulated later this year.

Coming Soon ... New Website for the Office

The Office is currently in the final stages of a major redevelopment of its website.

Whilst the Office regularly updates and improves the content of its website, the site as a whole has not been comprehensively reviewed since the private sector provisions commenced in 2001. It is timely that we redesign the content and layout of the website, to ensure that it keeps pace with changes in privacy information and improvements in technology.

Feedback from our users generally suggested that, while the current website contains a great deal of useful information, a number of improvements could be made to improve access to, and the look of, that information.

The aim of the redevelopment is therefore simple: to make the new website more accessible, easier to use and more attractive.

Just some of the improvements and features which the new site will offer include:

  • a reworking of the site's content structure and navigation, to ensure that users have the easiest possible access to the information and resources they need
  • a complete redesign of the site's look-and-feel, providing it with a fresh and more visually appealing new look
  • much improved search facility
  • simpler and more flexible Materials and Resources section
  • improved accessibility
  • new Plain English content for some of the most popular content areas.

The Office is very excited about the forthcoming launch of its new website, and looks forward to providing all its stakeholders with a much improved communication tool. Keep an eye out for further details of the launch.

Mark your diaries now and . . . start planning for Privacy Awareness Week!

3 - 9 May 2009

The Asia-Pacific Privacy Authorities (APPA) has moved its annual Privacy Awareness Week initiative from August to May, and the Office is working to ensure that this year's program in Australia builds on the successes of previous years.

Features of the week will include:

  • a lunch with former High Court Judge the Hon Michael Kirby
  • a one-day seminar, "Privacy in Practice", aimed at providing compliance and legal affairs professionals with practical insights into promoting and enhancing privacy compliance
  • the launch of the 2009 Australian Privacy Awards and Medal
  • the release of an online portal and magazine for young adults on privacy issues
  • the launch of a video (produced with other APPA members) encouraging young people to consider the type of personal information they put online
  • the publication of the results of a survey on the use of portable storage devices by Australian Government agencies.

As in previous years, a range of resources will be available on the Privacy Awareness Week website. Visit www.privacyawarenessweek.org.

Surveillance in Public Places: Statistics

Recently the Office provided some statistics to the Victorian Law Reform Commission to assist with a reference being undertaken into the use of surveillance activities in public places. This article provides a summary of these complaints and enquiries ...

Every year, the Office receives some enquiries from individuals concerned about the collection of their personal information through surveillance devices operating in public places. Many of these issues relate to the collection and potential uses of individual's personal information collected through Closed-Circuit Television (CCTV) systems operating in public spaces, such as inner city streets, parks, pubs, on public transport systems and in car parks.

The Office's 2007 Survey of Community Attitudes to Privacy identified that most Australians (92%) were aware of the use of CCTV in public places, and that the majority of Australians (79%) were not concerned about this. Only 5% of Australians were very concerned about the use of CCTV in public places, and most of this concern related to the potential for their information to be misused after it had been collected.

Consistent with these findings, only around 2% of the 4,350 written enquiries received over the past two financial years (and around 2.5% of the 35,451 phone enquiries received) have related specifically to individuals' concerns around 'surveillance' issues in general. The most common issues that individuals raise with the Office relate to the use of:

  • surveillance devices in a workplace setting (around one-third), and
  • surveillance devices (such as web cams, home-based video monitoring systems) by individuals acting in a private capacity (around one-quarter to one-third).

Only a handful of complaints relating to surveillance issues have been investigated by the Office in the same period, with the majority of these relating to complaints around covert surveillance which has been undertaken by an organisation (such as an insurance company) on an individual, in the assessment of a claim.

Office participates in Australia/China Human Rights Technical Cooperation activity

Since 1997, Australia and China have been involved in activities to further the understanding and practical implementation of human rights protection. These activities have been conducted under the Australia /China Human Rights Technical Co-operation agreement.

Last year the Office was invited by the Australian Human Rights Commission (AHRC) to participate in a 'Privacy and Family Planning Consultation' activity. The Office was asked to provide expertise on the Australian Privacy Act and its implementation in relation to the private health sector in Australia.

Andrew Solomon, Policy Director, represented the Office. Other participants from Australia were Ms
 Maureen Harris from AHRC and Ms Kaisu Värttö from SHine SA.

The visit encompassed discussions and field trips with national, provincial and local officials and service providers from the National Population and Family Planning Commission of China (NPFPC) and with other Chinese Government and Communist Party officials related to the work of the NPFPC.

Taking place over five days from 15 - 19 December 2008, the activity occurred in the Chinese provinces of Guizhou and Yunnan and included visits to county and town level sexual health and family planning clinics in Xi Xiuqu County, Guizhou and two town sexual health and family planning clinics in Ma Long County, Yunnan. The trip also included formal presentations of information from all participants in Anshun City, Guizhou and Ma Long, Yunnan. In addition there were numerous informal discussions between all participants over the five days of the visit.

Follow up activity will occur this year with the NPFPC providing draft privacy guidelines and other written materials to our Office for comment.

For further information see: www.ausaid.gov.au/china/hrtc_program.cfm.

Some of the participants in the Australia/China Human Rights Technical Cooperation activitySome of the participants in the Australia/China Human Rights Technical Cooperation activity

Some of the participants in the Australia/China Human Rights Technical Cooperation activity

The Office's Actions for 2009

As part of the Office's strategic planning process it has identified key actions for 2009. The actions all relate to our purpose of promoting and protecting privacy in Australia with a view to having an Australian community in which privacy is fully valued and respected.

The Office has four goals:

  • high quality results
  • increased awareness of privacy choices and obligations within the community
  • robust relationships
  • a confident and competent workforce.

To achieve these goals we have agreed our key actions for 2009. These are:

  • assist the government to formulate its response to the ALRC report on privacy
  • consider and implement as appropriate ALRC recommendations about the Office, its procedures and advice that do not require legislative change
  • develop an online portal and magazine for young adults about privacy
  • redevelop and launch improved website
  • run privacy awards program for 2009
  • celebrate Privacy Awareness Week 3 - 9 May
  • enhance complaint handling processes
  • promote our client service charter
  • implement enhanced audit program
  • finalise Certified Agreement
  • finalise and implement the Workforce Plan.

Complaint Snapshots

An individual fell behind in repaying an account to a company.
  The company listed the overdue account on the individual's consumer credit information file.
  The individual alleged the company had not sent a notice to their last known address advising the account was overdue as required by the Credit Reporting Code of Conduct. The Office decided to investigate. The company provided the Office with copies of the account statements.
  The statements were sent to the individual's last known address before the account was listed, specified the amount owing and advised the amount overdue.
  As the company provided evidence it had complied with the Code, the Commissioner closed the complaint on the basis that there was no interference with the individual's privacy.

An agency was told that an individual may have committed a criminal offence.
  The agency investigated the claim in part by collecting information from the individual in a meeting.
  The individual complained to the Commissioner that the agency had unfairly collected the information by not clearly stating the purpose of the meeting.
  The Office investigated. The Commissioner found that the agency had advised the complainant the reason for the meeting, the legal authority for collecting the information and that the meeting was voluntary.
  The Commissioner closed the complaint on the grounds that the agency had not breached the individual's privacy.

An individual shared custody of their children with their ex-spouse. The couple used a community centre to meet to transfer care of the children. The individual complained that the centre had not provided notice of video surveillance and was refusing to provide the surveillance footage and its privacy policy. The Office contacted the community centre. The Centre provided evidence that showed that the complainant had been notified of the video surveillance. The centre also advised that it had provided the individual with a copy of all surveillance footage featuring the individual as well as a copy of its privacy policy. The Commissioner declined to further investigate the matter as there had been no breach of the Act.

Submissions Summary

One of the Office's functions is to examine and make submissions on proposals by government and business that have significant privacy implications. In the last three months the Office has provided submissions to the:

Senate Education, Employment and Workplace Relations Committee Inquiry into the Fair Work Bill 2008

The Office noted that the Bill is intended to provide a balanced framework for cooperative and productive workplace relations. The Office recommended that organisations with permits to enter workplaces under the Bill, that would ordinarily fall outside the jurisdiction of the Privacy Act, should be brought under the Act's coverage. The Office's submission also provided suggestions on how to clarify and enhance the privacy protections applying to personal information collected and handled under the 'right of entry' and 'protected action ballot' provisions of the Bill.

Attorney-General's Department on the Draft Model Spent Convictions Bill 2008

The Office recommended that the proposed spent convictions scheme should enable individuals to complain to a relevant privacy oversight body if information about a spent conviction has been mishandled.
  The Office suggested that the Australian Privacy Commissioner should have power to assess and advise the Minister on proposed exclusions to the scheme.

Australian Health Ministers' Advisory Council's Public Consultation Paper on the National Registration and Accreditation Scheme for the Health Professions (NRAS): Proposed arrangements for information sharing and privacy

In its submission, the Office supported the development of a National Registration and Accreditation Scheme for health professions ('NRAS') that protects and respects practitioners' privacy through sound information-handling practices, while maintaining high quality and safety standards throughout the health sector. The Office suggested that this could be achieved through the adoption of a comprehensive privacy framework based on existing standards under the Privacy Act, rather than a separate set of principles or other laws.

To read more about these submissions or any others, visit the Office's website at: www.privacy.gov.au/materials#sub.

2009 Australia Day Achievement Medallions

On 22 January, the Commissioner announced that four staff members had been awarded an Australia Day Achievement Medallion.

The Medallion program is organised by the National Australia Day Council as part of the annual Australia Day celebrations. Through presenting the medallions, heads of government departments and agencies acknowledge their employees' contributions, either on special projects that have made a significant contribution to the nation, or simply outstanding performance for core duties.

Congratulations to the OPC recipients of the Medallion:

  • Suzanne Christian
  • Linda King
  • Angela MacMillan
  • Anna Tran
Australia day achievement winnersAustralia day achievement winner

International Update

The 2009 APEC Data Privacy meetings will be held in Singapore this year. The meetings begin on 22 February with a two day seminar focusing on "Making It Work - Cross-Border Privacy In Practice" with the United Kingdom Information Commissioner, Richard Thomas, as the keynote speaker. This will be followed by a meeting of the APEC Electronic Commerce Steering Group Data Privacy Sub-group on 24 February.

These meetings provide an opportunity for Economies involved in the development of Pathfinder project documentation and testing to report on their progress as well as discuss outstanding issues in moving these projects forward.

The Office has headed up a small working group consisting of Regulators from several other Economies in developing three of the Pathfinder projects. This has resulted in the development of documents relating to: a directory of data protection authorities; a template Cooperation Arrangement to facilitate assistance between data protection authorities; and a template cross-border complaint handling form. These documents will be presented to the broader Data Privacy Sub-group for review and comment.

NZ Privacy Secondment

In late 2008, Office staff member Natasha Roberts was seconded to the New Zealand Office of the Privacy Commissioner for two months. This secondment was carried out under the Australia/New Zealand Memorandum of Understanding and the Asia Pacific Privacy Authorities draft secondment guidelines, both of which seek to encourage cross border cooperation between privacy authorities.

During the secondment, Natasha undertook a research project on Closed-Circuit Television (CCTV) which involved assessing: current use of CCTV in New Zealand; community attitudes to CCTV; CCTV technologies; and CCTV guidance material from other jurisdictions.

The research project culminated in the development of a draft set of guidelines aimed at encouraging good privacy practice amongst New Zealand organisations wishing to establish and operate CCTV.

The New Zealand Office of the Privacy Commissioner will release its draft CCTV
 guidelines later this year.

Visit www.privacy.org.nz for further information.

Diary Notes

  • Privacy Authorities of Australia meeting, Melbourne, 27 March
  • Privacy Awareness Week 2009 presented by the Asia Pacific Privacy Authorities, 3 - 9 May
  • Privacy Awards Nomination period commences, 6 May
  • Privacy Awareness Week Seminar, Privacy in Practice, Wednesday 6 May, Sydney
  • PCO Network Meeting, Friday 8 May, Canberra
  • Privacy and Consumer NGOs meeting, Office of the Privacy Commissioner, 20 May, Sydney
  • 31st APPA Meeting, 9 - 12 June, Hong Kong
  • Privacy Awards Gala Presentation Dinner, 4 November, Sydney
  • 31st International Conference of Data Protection and Privacy Commissioners, 11 - 13 November, Madrid, Spain