Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Privacy Matters Summer Newsletter 2010
- Commissioner's Message
- Credit Information Audits
- Submissions Summary
- Privacy: It's in your hands
- International Recognition for Privacy Awards and Medal
- 32nd Asia Pacific Privacy Authorities Forum
- Complaint Snapshots
- Electronic Health and Individual Health Identifiers
- The Office of the Information Commissioner and FOI Reform update
- Plain English
- Mark your Diaries!
- 2010 Australia Day Achievement Medallion
Privacy Matters - Archived Issues
Volume 4 Issue 2 Summer 2010
Commissioner's Message
Welcome back everyone, we are now well into the New Year and again it is going to be a busy one!
With 2010 being the Year of the Tiger we are steadying ourselves for a time of challenge and change, and like the Tiger we will rise to the challenges ahead.
The biggest change for our Office will be the opportunity afforded by the creation of the Office of the Information Commissioner and our absorption into it. We are all keen to see the outcome of the Senate Committee's consideration of the Office of the Information Commissioner and Freedom of Information Bills later next month, and their subsequent debate and passage through Parliament. While we await the final decisions by Parliament on structure and timing, we are continuing to work hard and meet the challenge of our current purpose of promoting and protecting privacy.
This edition covers a range of privacy issues that I hope you will find interesting and useful. As there are credit reports about most adult Australians, I am pleased that the Office is reinvigorating the Credit Audit Program. This will complement the existing complaint handling processes on credit matters that are in place and is a more proactive approach to complying with the credit provisions of the Privacy Act.
E-health and individual health identifiers continue to be an important issue for our community. A new bill has been introduced into Parliament on health identifiers. Recognising that health identifiers are a key building block for the national e-health system, we continue to work very closely with the Department of Health and Ageing and the National e-Health Transition Authority to ensure that privacy considerations are built into any new system.
One of the highlights of last year was the success of Privacy Awareness Week. We will again be celebrating this important week on the privacy calendar so mark your diaries for 2-8 May 2010.
This year's celebrations will focus around the theme Privacy: It's in Your Hands and I am looking forward to the exciting program of events that are planned. I think it is important to remind agencies, organisations and individuals of the responsibility that they have over the protection of their own individual personal information as well as the information that they may hold about others. This year's theme provides us with the perfect opportunity to do that and I encourage you all to get involved and hold an event in your organisation.
It will be a year of change and challenge and I look forward to sharing our successes with you as we continue to provide high quality advice to government, investigate complaints and above all, promote and protect privacy for all Australians.
Karen Curtis
Privacy Commissioner
Credit Information Audits
After a few years' break, the Office is about to undertake a number of credit information audits in the coming months. The relaunch of this audit program is an important step in monitoring compliance of credit providers and credit reporting agencies with the credit provisions contained in the Privacy Act. The Office looks forward to working with those organisations while it undertakes this work.
What are credit information audits?
Credit information audits are a proactive compliance mechanism. The intention is for the credit information audit program to be an advisory exercise as well as an enforcement activity. The existence of the audit functions should encourage all credit providers and credit reporting agencies to take compliance seriously.
The Privacy Commissioner's credit information audit functions are set out in section 28A of the Privacy Act 1988. Part IIIA of the Privacy Act governs the handling of individuals' credit reports and related information by credit reporting agencies and credit providers. The aim of the audit is to obtain evidence to assess whether credit information is maintained in accordance with Part IIIA and the Credit Reporting Code of Conduct. We do this by examining the practices and records of credit reporting agencies and credit providers to ensure that they are:
- not using personal information in those records for unauthorised purposes
- taking adequate steps to prevent unauthorised disclosure of those records.
Value of credit information audits
The audit is a snapshot of personal information handling practices relating to the auditee at a particular time and place. Past audits have revealed some compliance issues. Auditees are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program alone.
Our audit teams emphasise that the audit is an educative process and compliance with the Privacy Act is seen as part of good management practice. Audits have been the catalyst for organisational improvements to data security, accuracy of information, staff training and disclosure policies.
How is an audit conducted?
There are five phases in the credit information audit process: planning, identification of information handling systems and controls, confirmatory audit testing, preliminary finding at the closing conference, and reporting.
The audit process is flexible enough to apply to all credit providers and credit reporting agencies. It can be adapted to auditees of varying size, types of credit information maintained and the degree of risk or sensitivity associated with that information.
Self-auditing Quiz - Keeping your house in order
Organisations should conduct regular internal audits of credit information. This ensures best privacy practices and reduces the risk of privacy breaches. The Privacy Commissioner encourages internal reviews which can have similar objectives to the Commissioner's audits.
The following questions will provide credit providers and credit reporting agencies with a starting point for reviewing their own privacy compliance:
- Does your organisation understand the difference between consumer and commercial credit? Do you have a process to distinguish between them in practice?
- Does your organisation have a written policy on the physical and logical security of credit information? When was it last updated?
- Does your organisation understand its obligations concerning the accuracy of information?
- Does your organisation know when credit providers need to get an individual's consent to disclose credit information?
- Does your organisation have a staff member ultimately responsible for compliance with the credit reporting provisions?
The credit reporting section of the Commissioner's website has a number of resources that will assist organisations to understand and meet their credit reporting obligations. See: www.privacy.gov.au/law/act/credit
Information is also available from the Privacy Enquiries Line on 1300 363 992.
Submissions Summary
The Office has made a number of submissions in recent months, including the following...
Review of Part 1D of the Crimes Act
The Office made a submission to the Attorney General's Department about its review of Part 1D of the Crimes Act 1914 (Cth). Part 1D regulates forensic procedures undertaken in relation to the investigation of crimes, missing persons and unknown deceased persons, including identifying disaster victims.
In our submission we made a number of recommendations, including recommendations about improving notices to individuals about how their DNA sample will be used.
We also recommended that consideration be given to establishing a separate register for victims' profiles, given the sensitivities associated with these profiles, and that the Crimes Act make clear that the destruction of forensic material encompasses both the physical destruction of the sample and the permanent de-identification of the profile.
Do Not Call Register legislative amendments
The Office submitted to the Senate Standing Committee on Environment, Communications and the Arts about amendments to the Do Not Call Register legislation. The Do Not Call Register, established in May 2007, is a list of phone numbers of people who have registered their desire not to be called by telemarketers. Telemarketers risk fines if they contact numbers on the Register.
In our submission, we supported the extension of the Register to the phone and fax numbers of all business, government and emergency service operators (where previously only domestic numbers were eligible for listing in the Register). The Office also encouraged the introduction of greater technological neutrality to the legislation and suggested that an opt-in approach to telemarketing calls (rather than the existing opt-out regime) would further enhance privacy.
Review of Superannuation
The Office made a submission to the panel reviewing the governance, efficiency, structure and operation of Australia's superannuation system. Regarding possible changes to allow greater use of the tax file number (TFN), the Office recommended that any TFN data matching should be limited to specific purposes set out in legislation and retain strict privacy safeguards to protect individual members' personal information (including the option not to participate). In our submission we also noted the importance of raising awareness amongst members about changes to how superannuation funds handle their TFNs.
Government 2.0 Taskforce draft report
In December, the Office made its second formal submission to the Government 2.0 Taskforce. In its final submission, the Office provided input on the Taskforce's draft report. The report provides a number of recommendations to Government on how the public service can harness the benefits of Web 2.0 tools (such as blogs, wikis and other collaborative media). It also identifies barriers to greater release of public sector information and ways these barriers could be removed to allow people to access and re-use the information.
The Taskforce's draft report took up suggestions in our earlier submission that agencies be given guidance on how public sector information could be effectively de-identified before release. In our second submission, we also emphasised the importance of good identity management which allowed for individuals to remain anonymous when collaborating with government via Web 2.0 tools.
Electoral Reform Green Paper
The Office made a submission to the Department of the Prime Minister and Cabinet regarding its Green Paper on Electoral Reform. The Green Paper canvassed options to increase participation rates through the introduction of automatic or online enrolment and updating processes.
The Office recommended that individuals should be able to opt-in to such processes and be provided with clear notices about sharing of their information between agencies. Moreover, any data-matching done as part of an automated scheme should have its purpose narrowly defined as maintaining the accuracy of the electoral roll.
The Office also suggested that robust identity verification and management processes be built into enrolment processes and the range of documents accepted as evidence of identity expanded to provide flexibility for individuals.
Amendments to Social Security law
In February, the Office made a submission to the Senate Standing Committee on Community Affairs regarding the Social Security and Other Legislation Amendment (Welfare Reform and Reinstatement of Racial Discrimination Act) Bill 2009.
Amongst other things, the Office noted its support for the Bill repealing requirements in the Northern Territory National Emergency Response Act 2007, so that certain unnecessary record keeping requirements on the sale of liquor in the Northern Territory no longer apply. The Office also suggested that businesses collecting personal information under those provisions be advised or required to securely dispose of this information. It will also be important that store managers, their staff, and communities are given privacy training in relation to the income management scheme.
Further, the Office encouraged continuing dialogue between law enforcement agencies, health professionals and the community about the provisions in the Bill allowing access of law enforcement agencies to medical records. The Office noted that the key aim should be that any such handling should not discourage individuals from seeking medical treatment.
Tax laws amendment
Tax laws are being amended bringing together disclosure and secrecy provisions (currently spread across numerous taxation laws) into one consolidated framework. The new framework is intended to provide clarity and certainty to tax payers and the Australian Taxation Office.
The Office made a submission to the Senate Standing Committee on Economics which is reviewing the amendments. Focusing mostly on exceptions allowing disclosure of tax payer information, we emphasised the importance of specifying the purpose of disclosure. The Office also noted that, in a number of places, the amendments reflected recommendations made by the Office to the Treasury in an earlier consultation.
These and other recent submissions are available at: www.privacy.gov.au/materials/types/submissions?sortby=65.
In the News...

Former High Court Judge, the Hon Michael Kirby AC CMG, has been awarded the Electronic Privacy Information Center's 2010 International Privacy Champion Award for his contributions to developing the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
"I can think of no other person more worthy of such an award," said Karen Curtis, the Australian Privacy Commissioner.
"Mr Kirby's long and illustrious career in the law has seen him make outstanding contributions on a large range of issues, not least among which has been privacy. The OECD Guidelines have become the basis for privacy laws in Australia and across the world and Mr Kirby's significant role in their development cannot be overstated."
Privacy: It's in your hands
As Privacy Awareness Week 2010 is fast approaching, now is the perfect time to start planning your organisation's activities.
The Office is working to ensure that this year's program builds on the successes of previous years and targets those members of the Australian public who may not be as familiar with our messages as others.
Features of the week will include the:
- launch of an online ID Theft tool aimed at educating individuals on ways in which their identity may be at risk and hints and tips on how they can protect themselves
- release of an information product to assist consumers with protecting their privacy when using a mobile phone
- release of a Privacy Impact Assessment module designed for the corporate sector
- release of Case Notes highlighting recent examples of privacy breaches.
As in previous years, a range of resources will be available on the Privacy Awareness Week website. Visit www.privacyawarenessweek.org.
International Recognition for Privacy Awards and Medal
The Office was recently shortlisted for an international public affairs and corporate communications award for its Australian Privacy Awards and Medal programs...

PublicAffairsAsia magazine's international Gold Standard Awards 2009 recognise excellence by business, government agencies, political groups and NGOs in the field of government relations, public affairs, CSR and corporate communications.
The Office's nomination was one of only three shortlisted in the "Stakeholder engagement category", which acknowledges excellence in a communications campaign addressing messages to stakeholders such as government, the media, investors, financial regulators, employees and the public.
The Australian Privacy Awards and Medal are a world first: it is the first time that a country's privacy regulator has hosted such programs to reward good privacy initiatives in the corporate, not for profit and public sectors, as well as acknowledging the work of an individual in the privacy sphere.
The 2008 and 2009 programs were an outstanding success, with a bevy of outstanding nominees and winners, and a high level of interest received from across the community.
Mr Andrea Biggi, the Australian Consul (Political/Economic) in Hong Kong, attended the Gold Standard Awards' presentation event on behalf of the Office on 4 February 2010.
32nd Asia Pacific Privacy Authorities Forum
The 32nd Asia Pacific Privacy Authorities (APPA) Forum, hosted by the Privacy Committee of South Australia, was held in Adelaide on 3 and 4 December 2009.
APPA members from Australia, Korea, NSW, New Zealand, the Northern Territory and Victoria attended the Forum. Hong Kong participated by teleconference. Members were joined at the Forum by observers including the Information Commissioner of Queensland and a representative of the USA's Federal Trade Commission.
Members presented reports detailing recent privacy developments. Matters raised included:
- data matching
- privacy law reform
- the APPA Secondment Framework, which members voted to adopt.
More details at: www.privacy.gov.au/aboutus/international/appa#asf.
Attendees also discussed the outcomes of the 31st International Conference of Data Protection and Privacy Commissioners, which took place in Madrid in November 2009. Members resolved to convene an international working group to work towards the establishment of a day or week during which privacy is celebrated and promoted on a global basis.
Members also resolved to convene a working group to review APPA's membership criteria, and confirmed their commitment to observing Privacy Awareness Week in the first week of May this year.
The second day of the Forum featured an interactive seminar, 'Losing my Identity: Privacy, Identity and E-Crime', attended by approximately 100 South Australian public servants.
The seminar featured panel discussions on youth privacy and identity crime prevention, and presentations on the internet and identity crime, balancing privacy and security in e-passport systems, and Privacy Victoria's Youth Advisory Group.
The 33rd APPA Forum will be held in Darwin on 3 and 4 June 2010.
Complaint Snapshots
Own Motion Investigation v Retailer [2009] PrivCmrA 25
A scrapbook containing personal information about a retailer's customers was found in public and forwarded to the Privacy Commissioner, who commenced an investigation to determine whether the retailer had taken reasonable steps to protect personal information under NPP 4.
The Commissioner was satisfied that the scrapbook and its loss were an anomaly. The retailer had appropriate processes and procedures in place to protect privacy. The retailer also took steps to make sure the incident would not happen again. The Commissioner was satisfied that the retailer had fulfilled its NPP 4 obligations and ceased the investigation.
O v Automotive Company [2009] PrivCmrA 18
A complainant alleged that an organisation breached his privacy under NPP 6 by denying him access to his referee comments upon request. The referee provided information on the basis that it was confidential. The organisation argued that by providing access, it would breach its duty of confidence to the complainant's referees.
The Commissioner decided that: the information provided by the referees was not public knowledge, it had been given in confidence, and providing access to the complainant would be an unauthorised use of the information. Therefore, there was no breach of the complainant's privacy.
J v Commonwealth Agency [2009] PrivCmrA 13
An agency employee complained that their personal information was inappropriately disclosed to a doctor in the course of a workers' compensation claim. The information related to an investigation of the employee.
The Commissioner closed the case as it found the agency had not interfered with the employee's privacy because the agency had notified the employee that it would disclose their personal information to the doctor, and information about the investigation was relevant as it may have affected the employee's return to work.
Electronic Health and Individual Health Identifiers
For a number of years the Office has actively engaged with key stakeholders including the Department of Health and Ageing (DoHA) and the National Electronic Health Transition Authority (NEHTA) about privacy issues relating to the development of a healthcare identifier and the national e-health system.
Our consistent position has been that to achieve better health outcomes for Australians and to have a more efficient health system, we support the creation of a national e-health scheme provided that the scheme is underpinned by enabling legislation and appropriate privacy protections consistent with the community's expectations. We have made these comments in the context of consultation on specific e-health initiatives, health identifiers and on health privacy law reform.
The Council of Australian Governments in December 2008 agreed that to underpin an electronic health system, a system of identifiers for individuals and providers would be developed.
In August 2009 the Office responded to a discussion paper released by the Australian Health Ministers' Conference: Healthcare identifiers and Privacy: Discussion paper on proposals for legislative support.
After comments on the discussion paper were considered, DoHA in December 2009 released an Exposure Draft of the Healthcare Identifiers Bill 2010. Submissions on the Bill were due by 7 January 2010. The Bill was introduced into Parliament on 10 February.
Key elements of the Bill are:
- It will establish the Healthcare Identifiers Service (the HI Service) which will assign unique individual healthcare identifiers for all individuals receiving healthcare in Australia and individual and organisational healthcare providers.
- A unique 16 digit number will be available by 1 July 2010.
- It is a national approach and all states and territories have agreed to use the number in their jurisdictions.
- Medicare Australia will be the HI service operator initially for two years.
- The HI service has been designed so there are appropriate safeguards such as no clinical information being held by the service operator, and only authorised healthcare providers will be able to access the HI service and obtain healthcare identifiers for existing patients.
- It will still be possible, where it is lawful and practicable, for individuals to seek treatment on an anonymous basis.
- There will be limitations and protections for health care identifiers including:
  - limiting the use of healthcare identifiers to health information management and communication activities undertaken as part of delivering healthcare, and other related purposes including health service management, research and emergency situations
  - an oversight and complaint handling role for the Office of the Privacy Commissioner
  - a review after two years of the HI service operator.
More details about the proposed healthcare identifiers and how they will work follow:
- The information associated with a person's healthcare identifier will be limited to identity information such as name, address, date of birth and Medicare number. Healthcare providers will also be assigned a healthcare identifier.
- Initially healthcare identifiers will be used for limited purposes such as sending referrals, prescriptions and hospital discharge summaries by secure electronic messaging between healthcare providers. Healthcare providers will also be able to use healthcare identifiers for managing their records.
- Unique healthcare identifiers will not change how healthcare providers share information about individuals. Patients should still continue to be involved in decisions about how their health information is handled and can be treated anonymously.
For more information about these and other changes proposed by the Government, see: www.ehealthinfo.gov.au.
The Office made a submission on the Exposure Draft of the Healthcare Identifiers Bill 2010, and a copy can be found at the link below: www.privacy.gov.au/materials/types/download/9460/7027.
The Office of the Information Commissioner and FOI Reform update
As part of its 2007 election commitments, the Government announced it would:
- reform the Freedom of Information Act 1982 (FOI Act) to promote a pro-disclosure culture across the Government and build a stronger foundation for more openness in government including the removal of the conclusive certificates provisions
- create an Office of the Information Commissioner (OIC) with three statutory Office holders - an Information Commissioner, an FOI Commissioner and the existing Privacy Commissioner
- incorporate the existing Office of the Privacy Commissioner into the new OIC.
Under the Freedom of Information (Removal of Conclusive Certificates and Other Measures) Act 2009, the power to issue conclusive certificates in the FOI Act and the Archives Act 1983 has been repealed. This came into effect on 7 October 2009.
On 24 March 2009, exposure draft legislation on FOI reform generally and the Information Commissioner was released for comment by 15 May 2009. Following consideration of comments, the Government introduced the Information Commissioner Bill 2009 and the Freedom of Information Amendment (Reform) Bill 2009 into Parliament on 26 November 2009.
The Bills were referred to the Senate Finance and Public Administration Committee for inquiry and report by 16 March 2010.
Of particular interest to the OPC is the Information Commissioner Bill 2009 as it creates a new entity and confers all of the functions (FOI, information policy and privacy) of the OIC on the Information Commissioner.
The Government allocated funding in the 2009/10 budget of $19.4 million over four years to the OIC. The Department of the Prime Minister and Cabinet is responsible for implementation of the OIC and has created an Implementation Taskforce.
Depending on passage of the legislation and proclamation, the OIC is expected to be operational this year.
Plain English
To improve our ability to effectively communicate with all audiences, the Office has begun the process of applying Plain English principles to our publications.
Plain English combines clear, concise expression with an effective structure and good document design. The Office has engaged the Plain English Foundation to assist us in improving our communication style.
Documents on our website, starting with our Frequently Asked Questions, will gradually be updated over the next few months.
Mark your Diaries!
Australian and ACT Government Privacy Contact Officer Network meeting
12 March, Canberra
Privacy Awareness Week 2010
2 - 8 May
Watch This Space: Children, Young People and Privacy Conference
Presented by the Office of the Victorian Privacy Commissioner, Crown Promenade, Melbourne, 21 May
33rd Asia Pacific Privacy Authorities Forum
3 - 4 June, Darwin
32nd International Conference of Data Protection and Privacy Commissioners
October 2010, Jerusalem, Israel
2010 Australia Day Achievement Medallion

Congratulations to Georgia Ramsay, Director of Compliance, on being awarded a 2010 Australia Day Achievement Medallion.
The Medallion program is organised by the National Australia Day Council as part of the annual Australia Day celebrations. Heads of government departments and agencies acknowledge their employees' contributions either on special projects that have made a significant contribution to the nation, or to recognise outstanding performance for core duties.
Georgia is pictured above receiving her medallion and certificate from Privacy Commissioner Karen Curtis.
NT Whistleblower Commissioner Appointed
The Northern Territory Government has appointed Ms Brenda Monaghan as the Commissioner for Public Interest Disclosures, a role that also includes the position of Information Commissioner. In this role Ms Monaghan will oversee the implementation of the Northern Territory's new whistleblower legislation, the Public Interest Disclosure Act.