
Privacy Matters Winter Newsletter 2009


Volume 3 Issue 4 Winter 2009

Minister's Message

Senator Ludwig

After 10 years as a Queensland Senator, I am humbled by the Prime Minister's appointment of me as Cabinet Secretary and Special Minister of State.

I am continuing the important work of my predecessor, Senator Faulkner, in the areas of Freedom of Information, whistleblower, electoral and privacy reform.

The Government's work in each of these areas demonstrates our commitment to restoring trust and integrity in government. As Shadow Attorney-General, I developed the policies to reform information law, and it's now my priority to see them through.

Shortly I will be responding on behalf of the Government to the Australian Law Reform Commission's privacy report, For Your Information.

The Government is putting in the time necessary to ensure that reforms to privacy laws will meet the needs of a modern Australia. After considering additional proposals and extensive public consultations, the Government expects to:

  • respond to the first stage of the ALRC recommendations this spring sitting period;
  • release exposure draft legislation on the first stage of reforms for public comment early next year.

This spring, I will also introduce legislation into Parliament to establish the new Office of the Information Commissioner.

This represents an exciting opportunity for the Office of the Privacy Commissioner, which will form part of the new Office.

For the first time government information policy will be developed on a holistic basis, with oversight of privacy protection operating hand-in-hand with access to government information.

Senator the Hon Joe Ludwig
Cabinet Secretary, Special Minister of State


Commissioner's Message

We are closer to the implementation of the major reforms the Government has proposed for privacy and Freedom of Information. The Information Commissioner Bill and the Freedom of Information Amendment (Reform) Bill are listed for proposed introduction and passage in the Spring sittings of Parliament.

As advised in the Autumn edition of Privacy Matters, the Government released draft exposure legislation in March seeking comments by mid May. As well as reforming FOI laws to make government more open and accessible, the draft legislation establishes an Office of the Information Commissioner bringing together privacy, FOI and information policy.

In anticipation of the legislation being passed and an expected start-up date of 1 January 2010, the Government announced in the 2009-10 Budget the creation of the Office of the Information Commissioner providing $20.5 million over four years to establish and run the OIC. This is in addition to the existing funding for the Office of the Privacy Commissioner.

The OIC will be a statutory agency within the PM&C portfolio and comprise the new roles of the Information Commissioner and the FOI Commissioner, and the existing role of the Privacy Commissioner. The Office of the Privacy Commissioner will be incorporated into the new office.

There is a perception by some that Privacy and FOI are at odds. But in fact both are underpinned by the same concepts - accuracy, accountability and integrity in information handling. Importantly, consolidating the full spectrum of information law in one statutory body brings opportunities in many areas, particularly in raising community awareness of privacy and information rights and responsibilities. Our Office looks forward to embracing these opportunities.

June saw ministerial changes with Senator the Hon Joe Ludwig appointed Special Minister of State and Cabinet Secretary, and Senator the Hon John Faulkner becoming the Minister for Defence. We enjoyed working with Senator Faulkner and wish him all the best in his new portfolio. We look forward to working closely with Senator Ludwig to further improve privacy practices in Australia.

This edition of Privacy Matters features an article explaining what individuals need to know about credit reporting. It emphasises the need for individuals to monitor their credit files and outlines my Office's role in resolving credit reporting complaints. Notably, this issue heralds the completion of my Office's upgraded website which I encourage you to visit.

Although the privacy landscape is facing change, I am encouraged to see that business and government continue to place importance on protecting individuals' personal information. This is shown by the strong field of entrants we have received for the upcoming Privacy Awards and Medal. I look forward to honouring Award and Medal recipients at a gala presentation dinner on 12 November. If you haven't already, please mark that date in your diaries.

Karen Curtis
Privacy Commissioner


Credit Reporting Provisions - what individuals need to know

A bad credit rating can have serious consequences for an individual...

The Privacy Act has specific provisions to ensure that individuals' credit information is accurate, up-to-date and complete, and to ensure that the information on credit files is not misused, or given to unauthorised people. The Privacy Act also sets out the steps a credit provider needs to take before it lists information on a credit file.

Usually a credit file is created when an individual first applies for a loan for personal or household purposes. This might include a credit card application, or a new mobile phone account. Credit files contain the person's date of birth, recent addresses, driver's licence number, employment details and a detailed history of credit applications and any payment defaults.

The information on a credit file is used by credit providers (such as banks, building societies, credit unions and retail businesses that provide credit) to assess an individual's eligibility for further loans or other purposes allowed in the Privacy Act.

Credit providers must tell individuals when credit has been declined because of information held on their credit file. This notification can alert individuals to check their credit file for inaccuracies.

Default Listings

The most common complaints relating to credit files are 'default listings'. A default can stay on a file for up to five years, and may prevent a person from obtaining credit.

If an individual is having difficulty paying a loan, they should talk to the credit provider first - a payment plan may be an option.

Before a credit provider lists a credit file with a default it must:

  • take steps to recover the debt
  • notify the individual of the potential listing
  • list the default only after the debt is over 60 days old.

If an individual believes the information on their credit file is wrong, they should:

STEP 1 Get a copy of their credit file from the Credit Reporting Agency (CRA). See our website for information: www.privacy.gov.au/topics/credit

STEP 2 Write a letter of complaint to the relevant party - the CRA or the credit provider - stating why they think information on their credit file is incorrect.

STEP 3 Allow 30 days for the respondent to investigate and respond to them.

STEP 4 If no response is received, or the individual is not satisfied with the response, lodge a complaint with our Office. See: www.privacy.gov.au/complaints

Our Office will assess the complaint to determine whether we will investigate the matter.

Our Office can only investigate issues that are covered by the credit reporting provisions in the Privacy Act. See further information below for issues relating to a credit provider's service, loan conditions or debt collection practices.

If individuals believe they have been a victim of identity theft they should report it to the Police.

Further Information

The Australian Competition and Consumer Commission (ACCC) and the Australian Securities and Investments Commission (ASIC) have developed Guidelines for debt collectors.

Complaints about the conduct of a debt collector can also be directed to the ACCC.

SCAMwatch was established by the ACCC to help individuals recognise, report and protect themselves from scams.

FIDO on the ASIC website provides financial tips and safety advice, including on scams and warnings.

The Financial Ombudsman Service (FOS) can investigate complaints relating to banking, life and general insurance and superannuation issues.

The ID theft kit can help individuals protect themselves from identity theft.


The Office's Website upgrade

The Office is very pleased to announce that the upgrade of its website is now complete. Have a look for yourself at www.privacy.gov.au

The overall aim of this website redevelopment - the first since the private sector provisions commenced in 2001 - was fairly simple: to make the new website more accessible, easier to use and more attractive.

The website is also designed to be flexible enough to meet the changing needs of the Office, particularly in light of the proposed establishment of the Office of the Information Commissioner.

Just some of the improvements and features which you will notice include:

  • a full reworking of the site's content structure and navigation, to ensure that users have the easiest possible access to the information and resources they need
  • a complete redesign of the site's look-and-feel, providing it with a fresh and more visually appealing look
  • much improved search facility
  • simpler and more flexible Materials and Resources section
  • improved accessibility, to ensure our website is a positive experience for all users
  • new Plain English content for some of the most popular topic areas (for example, take a look at our new Privacy Topics pages at: www.privacy.gov.au/topics).

The Office's approach to this website upgrade is one of continuous improvement so all feedback is very welcome: simply use our website feedback form at www.privacy.gov.au/feedback

And thank you to all stakeholders for the positive and constructive feedback you have provided so far.


Privacy Awards Gala Dinner

Thursday 12 November 2009 promises to be a memorable evening!

The Office's hallmark event, the Gala Presentation Dinner for the Australian Privacy Awards and Australian Privacy Medal 2009 will be held at the Amora Jamison Hotel in Sydney. The keynote speaker is Senator the Hon Joe Ludwig, Cabinet Secretary and Special Minister of State, whose portfolio includes privacy.

Walkley Award winning journalist Hugh Riminton will be master of ceremonies. Hugh has worked for the CNN network and at Channel Nine. He is currently Network Ten's Chief Political Correspondent.

Dinner will give guests an opportunity to hear about the most outstanding Privacy Awards entrants. The presentation of the Australian Privacy Medal will honour a leading achiever in the Australian privacy field. Other components of the night include musical entertainment by String Source and the Sydney Jazz Collective. A full three-course meal and beverages will be served.

This is truly an event not to be missed!

To reserve your place today, please call (02) 9284 9830 or email corporate@privacy.gov.au


Privacy Advisory Committee Appointments

Under the Privacy Act, the Privacy Advisory Committee (PAC) provides the Privacy Commissioner with strategic advice on privacy from a broad range of perspectives. Community, information technology, business, government and consumer views are brought together to help the Office promote and protect privacy in Australia.

The Office congratulates Professor Christine O'Keefe on her appointment to the PAC. Professor O'Keefe is Strategic Operations Director for the CSIRO Preventative Health National Research Flagship and Director of the Australian Population Health Research Network Centre for Data Linkage. She brings expertise on e-health records, technology and privacy disclosure controls with statistics to the committee.

The Office also congratulates Associate Professor John O'Brien from the University of New South Wales on his reappointment. Professor O'Brien was first appointed in 2002 and he has made a significant contribution to the PAC since that time.


New Real Estate FAQs

In response to inquiries about the handling of personal information by real estate agents and landlords, the Office recently released a series of Frequently Asked Questions (FAQs). These FAQs suggest how agents should best handle people's personal information and include the following information:

  • Generally, an agent will only be covered by the NPPs in the Privacy Act if they have an annual turnover of $3 million or more, or if they trade in personal information.
  • If an agent covered by the NPPs wants to collect personal information at an open inspection, the agent must be sure that they need to collect that information for a particular purpose. Personal information must not be collected on the off chance that it may be useful in the future.
  • Agents and landlords must also advise clients:
    • why it is necessary to collect the information
    • who they would usually disclose it to
    • how the client can access the information they have collected
    • the consequences, if any, if the client chooses not to give the agent the information.

An agent covered by the NPPs may give personal information to a residential tenancy database (RTD) operator only if they have given clients prior notice. All RTD operators are covered by the Privacy Act and must comply with the NPPs.

Sometimes an agent may need to photograph a tenant's premises. If a photo is taken of a person's possessions, it will only be covered by the NPPs if:

  • someone can be identified by that image
  • the agent is covered by the Privacy Act.

Some states and territories also have laws that regulate the taking of photographs of a tenant's premises without consent.

More Information

FAQs - Real Estate on the Office's website at: www.privacy.gov.au/faq/individuals#real-estate


APEC Update

The 2009 APEC Data Privacy meetings were held recently in Singapore.

The program began on 27 July with a one day seminar on 'Developing the Cross Border Privacy Rules system - learning from testing outcomes and considering implementation issues'.

This seminar covered a broad range of topics and included presentations from the Irish Data Protection Commissioner, Billy Hawkes, on the issue of 'Accountability and Privacy', as well as a session considering 'Developing domestic enforcement priorities and strategies'.

The APEC Electronic Commerce Steering Group Data Privacy Sub-group met on 28 July.

This meeting included an update and discussion on the nine Data Privacy Pathfinder projects being undertaken by various working groups. It was also an opportunity to share information on cross-border privacy issues and to discuss activities to promote the domestic implementation of the APEC Privacy Framework.

In particular, the meeting finalised the three Pathfinder projects which had been led by the Office of the Australian Privacy Commissioner and resulted in final drafts of documents relating to:

  • a directory of data protection authorities
  • a template cooperation arrangement to facilitate assistance between data protection authorities
  • a template cross-border complaint handling form.

These three documents will now be considered by all APEC Economies for endorsement.


Privacy Commissioner Reappointed

On 30 June, Senator the Hon Joe Ludwig announced the reappointment of Karen Curtis as Privacy Commissioner for a further 12 months from 12 July 2009. She was initially appointed as Commissioner in 2004 for a five year period.


Complaint Snapshots...

An individual was not satisfied with an assessment by a repairer engaged by an insurance company and expressed their concerns in a letter to the insurance company. The individual was later contacted by the repairer, who was angry about the statements made in the letter. After an investigation, the Commissioner came to the view that the insurer had breached the individual's privacy by disclosing a full copy of the letter to the repairer. The insurance company apologised to the individual and agreed to amend its training program. The Commissioner was able to close the complaint on the basis that the insurance company had adequately dealt with the matter.


An individual discussed workplace matters in a session with a counselling service. Several days later, the individual attended a workplace meeting. The contents of the meeting led the individual to believe that their employer had become aware of the issues raised with the counsellor. The Commissioner investigated the complaint, including security at the counselling service. There was no evidence of a disclosure occurring and the counselling service had adequate security measures in place. The Commissioner closed the complaint on the grounds that the counselling service had not breached the individual's privacy.


An individual changed mobile phone carriers and so lost access to the original carrier's automated accounts management service. Later, the original telecommunications carrier listed a payment default on the individual's credit file because the individual did not pay a residual balance. The individual alleged the telecommunications carrier had not provided sufficient notice. The Commissioner's investigations revealed the telecommunications carrier had sent several written notices in relation to the account and had therefore fulfilled its requirements under the Privacy Act. The Commissioner subsequently closed the complaint.


We can't tell you that because . . .

Sometimes organisations use privacy laws as a reason for not giving out information. In our Office, and other privacy offices around the world, we call these 'BOTPAs' - 'Because of the Privacy Act'.

In our experience, BOTPAs occur where an agency or a business:

  • does not fully understand the operation or effect of the Privacy Act and either misapplies the law or adopts an unnecessarily conservative approach
  • may not have appropriate privacy processes and procedures in place
  • may be confusing obligations under the Privacy Act with other obligations, such as secrecy provisions, state laws or common law duties of confidentiality.

Stories about BOTPAs in the media often report situations that aren't prevented by the Privacy Act. For example:

  • relatives unable to transact on behalf of individuals in their care
  • researchers unable to conduct research
  • health and community workers unable to access important information to provide appropriate care for people at risk
  • parents unable to find missing children.

Through our guidance and awareness activities, we try to minimise the number of BOTPAs by giving individuals, agencies and business a clear understanding of rights and obligations, as well as an understanding of what is not covered or required by the Privacy Act.

We expect that the proposed privacy reforms will lead to national consistency in privacy regulation which will help promote clearer understanding of privacy laws.

Meanwhile, we continue to promote awareness within agencies, businesses and the community that information privacy laws are not intended to get in the way of appropriate information flows. Privacy laws are intended to protect individual privacy, not provide a reason for agencies or business to unnecessarily restrict the disclosure of information.


31st Asia Pacific Privacy Authorities Meeting in Hong Kong

The 31st Asia Pacific Privacy Authorities (APPA) Forum was held in Hong Kong on 11-12 June 2009. APPA members were joined at the Forum by observers from the data protection authorities of Portugal and Macau.

Members discussed national and international privacy issues, including complaint handling practices, employee monitoring in the workplace, and strategies to deal with the privacy challenges related to the increasing use of portable storage devices. All attendees agreed to monitor these areas and to continue sharing strategies for privacy protection and compliance across the region.

The Privacy Awareness Week (PAW) Working Group reported to the Forum on the success of PAW in 2009. PAW will be held in the first week of May in 2010.

The Forum also amended its objectives to better reflect its composition and aims. To view the new objectives, visit www.privacy.gov.au/aboutus/international/appa

The second day of the Forum included a public roundtable discussion on Electronic Health Record Sharing. On 13 June, APPA members attended a privacy conference in Macau hosted by the Office for Personal Data Protection, Macau.

The 32nd APPA Forum will be held in Adelaide on 3 - 4 December 2009.

A selection of photos from the recent APPA Forum in Hong Kong and Macau . . .


Cloud Computing and Privacy

Cloud computing is a relatively new term which refers to internet-based computing involving large-scale computing power distributed via the internet (the 'cloud'). Online services such as Hotmail, Facebook, YouTube and Flickr are examples of cloud computing services for individuals.

Rather than being stored on your own PC, the information is stored and processed on remote computer servers. End users interact with the information using an internet browser. Information in the 'cloud' is often stored multiple times in multiple locations around the world, for reliability and performance purposes. This potentially raises privacy and security issues.

Increasingly, organisations are using 'cloud computing services' to undertake their computing requirements, including records management, data processing and communications. This allows organisations to easily scale up and down their computer use to meet their day-to-day IT requirements without needing to purchase and maintain their own IT hardware, software and support services.

What does this mean for organisations and individuals?

The transborder nature of cloud computing services creates several privacy challenges given the divergent national legal frameworks for data privacy, data retention, law enforcement access to data, censorship, and national security.

Australian organisations should ensure their collection and handling of personal information using 'cloud computing services' continues to meet the requirements of the Australian Privacy Act. Particular attention needs to be paid to NPP 4 (Data security) and NPP 9 (Transborder data flows) in relation to these services.

Individuals should be more aware of what information they are sharing with others, and take the time to explore the privacy settings and policies of the online services they are using, or thinking of using. Being aware of what information is available online, and thinking about who and what information they want other people to see, now and in the future, is an important step for users to take online. Remember, the internet can leave trails of information about you forever!


Privacy Tune Up

Mozelle Thompson and the Privacy Commissioner Karen Curtis

On 11 August, Mozelle Thompson, a member of the Advisory Board of Facebook and a former US Federal Trade Commissioner, visited the Office in Sydney.

Mozelle spoke to staff about Facebook's approach to privacy and the imminent improvements to its privacy settings.


Key Dates

Privacy Authorities Australia Forum
17 September, Sydney

International Association of Privacy Professionals Australia & New Zealand Conference
14 October, Melbourne

31st International Conference of Data Protection and Privacy Commissioners
4 - 6 November, Madrid, Spain

Australian and ACT Government Privacy Contact Officer Network meeting
6 November, Canberra

Privacy Awards and Medal Gala Dinner
12 November, Sydney

32nd Asia Pacific Privacy Authorities Forum
3 - 4 December, Adelaide