Copyright © Office of the Privacy Commissioner 2006 ISSN 1035-3372
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.
Requests and enquiries concerning reproduction, right and content should be addressed to:
Copyright Officer Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001
Email: privacy@privacy.gov.au
Immediately following this guide, you will find the Commissioner's Overview for 2005-06 which includes a summary of significant issues, developments and achievements during the year, including key statistics as well as an outline for the year ahead for the Office.
The main chapters follow the Overview and the Annual Report is completed by the various Appendices, Glossary and Index.
Chapter 1 Respecting Privacy describes the Office's work for 2005-06 in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.
Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating key client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy contacts across Australian and ACT Government departments and agencies, handling media enquiries and assisting with speeches and presentations by the Commissioner and members of staff.
Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of Australian and ACT Government agencies, investigating complaints and conciliating disputes.
Chapter 4 Management and Accountability contains an overview of the Office's administrative arrangements, management of human resources and corporate governance.
The appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.
The Office of the Privacy Commissioner audited Financial Statements for 2005-06 are located immediately following the Appendices. The Glossary and Alphabetical Index can also be found at the end of the Financial Statements.
Information that relates directly to ACT Government matters can be found in sections 1.3, 3.8.1.1, 3.8.2.1 and 4.1.3.
For enquiries about this report or for copies of other Office of the Privacy Commissioner publications, please contact:
Director
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218 SYDNEY NSW 2001
Telephone: + 61 2 9284 9800
Fax: + 61 2 9284 9666
Email: privacy@privacy.gov.au
Website: www.privacy.gov.au
Hotline: 1300 363 992 local call
TTY: 1800 620 241 no voice calls
This report is also available on the Office of the Privacy Commissioner's website at www.privacy.gov.au/publications/index.html#A.
If you speak a language other than English and need help please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.
Six years into the 21st century and technology moves on at an incredible rate. A plethora of new terms has evolved to make sense of this new era: the Information Age; the Knowledge Economy; Informationalism; the Digital Revolution; the Intangible Economy … the list goes on. Researchers at the University of California at Berkeley recently estimated that now in the 21st century we can expect five billion gigabytes of new information to be produced yearly. If one gigabyte is a truckload of books, five billion gigabytes is beyond comprehension. Startlingly, only 0.01 per cent of those five billion gigabytes will be paper based; the vast majority of new information instead being produced in magnetic media such as hard disks.1
A considerable amount of this information will undoubtedly identify individuals. In the Information Age, personal information can be used in ways previously inconceivable in a world of paper documents and this raises a number of questions about privacy. Have our expectations about privacy changed in this new technological climate? Are current laws adequately protecting privacy? How can we ensure the protection of personal information while continuing to enjoy the advantages of electronic record systems, the internet and all manner of new technologies?
In 2005-06 we saw a number of positive steps towards addressing these important questions. In January, the Australian Law Reform Commission (ALRC) was given a reference by the Attorney-General to undertake a review of Australian privacy legislation in light of rapid technological advances. I was very pleased to see the Government take this step following recommendations I made in my 2005 review of the private sector provisions of the Privacy Act which called for a wider review of privacy laws to ensure the legislation best serves the needs of Australia in the 21st century. The final ALRC report is due to the Attorney-General in March 2008.
Over the year the Office also made a number of submissions relating to technological issues and initiatives. In 2005 my Office submitted to the Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper while in 2006 submissions were made to the Review of the Spam Act 2003 undertaken by the Department of Communications, Information Technology and the Arts and the Australian Government e-Authentication Framework for Individuals Discussion Paper released by the Australian Government Information Management Office.
2005-06 also saw the introduction of a number of anti-terrorism measures by the Government which brought to the fore the importance of balancing security with individuals' right to privacy. I believe that laws regulating individual privacy and national security are not mutually exclusive and can be synchronised to deliver safety to Australians in an environment where privacy is respected.
During the year my Office provided advice on the impact of counter-terror measures on privacy, including submissions to the Review of Security Legislation relating to Terrorism undertaken by the Security Legislation Review Committee in January 2006; the Inquiry into the Exposure Draft of the Anti-money Laundering Bill and Counter-terrorism Financing Bill 2005; and the Inquiry into the Provisions of the Telecommunications (Interception) Amendment Bill 2006, the latter two both undertaken by the Senate Legal and Constitutional Committee in March 2006.
A final area of major change in the Australian privacy landscape for 2005-06 came in April, with the Government's announcement of its intention to introduce a health and social services access card. Already, my Office has provided advice to the Government's Draft Smartcard Framework, and we will continue to inform the Government's development and implementation of the access card with a view to ensuring the continued protection and security of Australians' personal information. New technologies, such as smartcards, create challenges to the maintenance of privacy. However, with careful planning and early intervention, privacy safeguards can be built into system design.
In May 2006, I welcomed the Government's budget announcement that my Office would be allocated approximately $8.1m in additional funding over the next four years. This increase in resources will make 2006-07 and subsequent years an exciting and productive period for the Office.
The additional funding will be directed toward three major areas of Office activity. Firstly, it will allow us to effectively implement recommendations made in our review of Office complaint handling processes to ensure that privacy complaints are handled efficiently. Our aim is to reduce the current complaint backlog while enhancing service standards and conciliation techniques.
Secondly, the funding will allow us to respond to calls from business and industry for greater assistance in meeting their obligations under the Privacy Act. Following on from recommendations made in my 2005 review of the private sector provisions of the Privacy Act, my Office will work closely with business and consumer representatives to develop guidance and educational material to assist organisations and individuals to better understand their rights and responsibilities under the Privacy Act.
Thirdly, the additional funding will enable my Office to respond to government requests for high level privacy advice in the development of new policy initiatives. Encompassed within the Office's additional funding was $1.3m for Identity Security which includes advising the Government on privacy issues and conducting audits during the implementation of the Document Verification Service. The Office was also allocated $250 000 to assist the Australian Federal Police introduce guidelines in relation to the increased collection of information from closed circuit television (CCTV) systems as set out in the Anti-terrorism Act (No. 2) 2005. Certainly these will be major projects in 2006-07.
Over the coming year, I am also committed to working with the Government during the design phase of the Health and Social Services Access Card to ensure that privacy impacts are addressed and individual privacy continues to be respected.
Finally, at an international level, my Office will be contributing to processes to implement the Asia Pacific Economic Cooperation (APEC) Privacy Framework which was endorsed by APEC Ministers in November 2004. This will involve my Office working with other privacy regulators in the region on matters such as the development of strategies to enable the handling of complaints across jurisdictions. Implementation of the APEC Privacy Framework will coincide with Australia hosting APEC in 2007.
A brief summary of the Office's performance in 2005-06 is outlined below. A more detailed review of performance is contained in chapters 1 - 4.
The Office received 19 150 telephone enquiries in 2005-06 compared with 21 108 in 2004-05. This represents a 9% decrease in enquiries received by the Hotline. See section 3.2.1 for further information.
The Office received 2316 enquiries by email, post or facsimile in 2005-06 compared with 2094 written enquiries reported in 2004-05. This represents an 11% increase in the number of written enquiries received by the Office from the previous year. See section 3.2.2 for further information.
The Office received 1183 complaints in 2005-06 compared with 1275 in 2004-05. This represents a 7% decrease in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1131 complaints in 2005-06 representing a 2% decrease from the previous year.
The Office published 18 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may have a significant impact on a large number of people. Case notes serve to demonstrate to members of the public how the Commissioner handles complaints. Case notes also serve as a possible indication of the Commissioner's view in relation to aspects of privacy law. See section 3.5 for further information.
The Office produced 155 advices on significant policy issues; this represents an 11% increase in the number of policy advices the Office prepared in comparison to 2004-05.
Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, submissions to public consultation processes and Senate inquiries, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.
Following the receipt of an application for a further Temporary Public Interest Determination regarding the collection of health information about individuals from Medicare Australia's Prescription Shopping Project Information Service, the Commissioner made two Temporary Public Interest Determinations (TPIDs) in February 2006: Temporary Public Interest Determination No. 2006-1 and Determination No. 2006-1A under section 80B(3) giving general effect to the Temporary Public Interest Determination No 2006-1. The Determinations and the Explanatory Statement are available at www.privacy.gov.au/act/publicinterest/index.html#3.
The Commissioner also issued three Credit Determinations in 2005-06 including Credit Provider Determination 2006-1 concerning assignees of debt and Credit Provider Determination 2006-2 concerning the classes of credit providers. See section 1.4.3 for further information. The consultation papers covering the three determinations can be found at www.privacy.gov.au/act/credit/index.html#cpd.
148 media enquiries were received in 2005-06. This is a decrease in comparison to the number of enquiries for 2004-05 in which the Office received 234 media enquiries.
39 speeches and presentations were delivered in 2005-06. The presentations addressed ongoing and emerging privacy issues. Further information on speeches and presentations can be found at section 2.4 and a list of all speeches and presentations delivered by the Office can be found at Appendix 3.
The Office undertook an internal review of its complaint handling procedures in 2005-06. Key to the review were assessing current complaint handling procedures and developing methods of resolving complaints with quicker turnaround times and greater satisfaction by the parties concerned. The review produced a series of recommendations which are in the process of being implemented. See section 3.1 for further information.
In 2005-06, the Commissioner provided 19 submissions to government departments and parliamentary inquiries on policy proposals or Bills before parliament, providing analysis on the privacy implications of the proposal or Bill and offering advice on methods to ensure privacy is appropriately considered and protected.
The following submissions were made by the Office.
Karen Curtis Privacy Commissioner
1 Peter Lyman & Hal R. Varian, How Much Information? 2003, retrieved from www.sims.berkeley.edu/how-much-info-2003 on 8 August 2006.
The Hon Philip Ruddock MP Attorney-General
Parliament House CANBERRA ACT 2600
Dear Attorney-General
I am pleased to submit to you, for presentation to the Parliament, the annual report for the Office of the Privacy Commissioner on the operation of the Privacy Act 1988 for the year ended 30 June 2006.
This report has been prepared in accordance with section 97 of the Privacy Act 1988.
Yours sincerely
Ms Karen Curtis Privacy Commissioner
11 October 2006
The Office has a significant role in providing advice to Australian Government agencies on new policy proposals and legislative changes to ensure that the privacy of individuals' personal information is properly taken into account during the development and implementation of the proposals.
The Office also has a significant role in advising private sector organisations on how they can comply with their obligations under the Act. This is generally done through the issuing of guidelines and other information materials.
In the reporting period the Office focussed on responding to a large number of government legislative and policy initiatives including several anti-terrorism and serious crime related initiatives, information and communications technology changes and the Department of Human Services Access Card proposal.
In addition the Office made five credit and public interest determinations, registered a Privacy Code revocation and continued to participate in the Australian Government's National Identity Security Strategy.
In 2004-05 the Office made available a draft Privacy Impact Assessment (PIA) Guide together with a Privacy Impact Checklist developed by the Information Law Branch of the Attorney-General's Department. The draft PIA Guide has assisted Australian and ACT Government agencies to undertake voluntary PIAs to identify and manage privacy impacts that may be associated with projects that involve the handling of personal information.
In 2005-06 an increasing number of Australian and ACT Government agencies have been undertaking PIAs. The draft PIA Guide has helped these agencies to recognise privacy issues, build privacy safeguards into their projects at an early stage, and minimise the need for retrospective and reactive privacy measures.
The Office has provided a number of advices to agencies in relation to the PIA process and the use of the Guide. During the reporting period the Office worked on a revised version of the Guide, taking into account the feedback the Office received about the draft and its practical application.
The PIA Guide can be found on the Office's website at www.privacy.gov.au/government/officers/news/index.html.
The Office participated in the Australian Government's Interdepartmental Committee (IDC), chaired by the Department of Human Services (DHS), which was charged with examining smart technologies and services for government service delivery.
Since the conclusion of the IDC, the Office has continued to engage with the DHS by providing advice during the development of a business case and associated Privacy Impact Assessment. As the government progresses the implementation of the access card, the Office will continue to provide advice on privacy issues associated with the project.
The Office has raised with the Australian Government a multifaceted approach to incorporate fundamental privacy principles into the access card proposal. This approach includes:
On 12 October 2005, the Attorney-General established a Committee to review the Security Legislation Amendment (Terrorism) Act 2002 and other related legislation. Section 4(3) of that legislation requires that the Privacy Commissioner be a member of the review Committee. The Committee gave its report to the Attorney-General in April 2006. Over the period of the review the Commissioner's involvement was significant, including over 20 days of briefings and meetings.
The Office made a submission to this review in January 2006. The Office explained that it had only received a small number of complaints or enquiries relevant to the legislation under review, although it was noted that, given the largely covert nature of the practices in question, many individuals would not be aware of the practices.
The Office also noted that it conducted two audits, in 2003 and 2004, of the Australian Customs Service's use of certain powers enacted under legislation relevant to the review.
In November 2005, the Office made a submission to the Senate Legal and Constitutional Committee's inquiry into the provisions of the Anti-terrorism Bill (No.2) 2005. The Office expressed the view that there should be an appropriate balance between the need for security and the right to privacy.
The Office made specific recommendations on the need for greater certainty around review mechanisms for the Bill, as well as making a range of recommendations aimed at ensuring that any new powers concerning the handling of personal information should be accompanied by measures that afford privacy protections. These included:
In the 2005-06 Budget the Australian Government announced that it would provide funding for the development of a National Identity Security Strategy. The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS) convened by the Attorney-General's Department to assist in developing this national strategy including the implementation of two trials:
The Office has attended a number of meetings of the CRGIS and its working groups. As well, the Office facilitated a meeting of the State and Territory Privacy Commissioners to discuss key aspects of the DVS.
The Office commented on a draft Privacy Impact Assessment prepared by the Attorney-General's Department in relation to the DVS prototype and on a working draft of the 'Integrity of Identity Data Pilot'. The Office also provided comments to the Proof of Identity Working Group regarding a Gold Standard Enrolment Process draft Issues Paper.
As part of its role on the Authentication Working Group, the Office made submissions on an Australian Government Smartcard Framework and an Australian Government eAuthentication Framework (for individuals dealing online with government agencies). For more information see section 1.2.9.
During the reporting period the Office continued to provide advice to the Australian Customs Service (Customs), DFAT and DIMA to assist them in addressing privacy issues that may arise as a result of the introduction of biometric technology into border control processes.
In particular, the Office liaised with DIMA in respect of proposed amendments to the Citizenship Act and Migration Act that specifically address the collection, use and disclosure of biometric information. The Office also provided advice to Customs on data security in relation to its automated border control system currently under development.
During the reporting period the Office provided a range of advices concerning law enforcement. This included advice to Australian Government agencies on the application of Information Privacy Principle (IPP) 11 to law enforcement, as well as the Office's interpretation of the 'law enforcement' exemptions contained in the National Privacy Principles (NPPs), particularly where personal information is required from private sector organisations.
The Office made a submission to a review of foreign extradition arrangements being conducted by the Attorney-General's Department. This submission suggested that the explicit authorisation of an agency's information-handling activities provides a more appropriate arrangement than relying upon the criminal law enforcement exception. It also proposed a number of elements of a privacy framework that could apply to the handling of personal information for extradition.
In May 2006, the Office made a submission to the independent review of the Proceeds of Crime Act 2002. The Office noted that Part 3-3 of that legislation empowers authorised law enforcement officers to compel financial institutions to disclose prescribed personal information. The Office suggested that the review give further consideration to the necessity of such powers being available without judicial oversight.
The Office made two submissions concerning the Exposure Draft of the Anti-money Laundering and Counter-terrorism Financing Bill. The first of these submissions, made in March 2006, was to the Senate Legal and Constitutional Committee's inquiry into the Exposure Draft of the Bill. A second submission was made in April 2006 as part of the consultation process being conducted by the Attorney-General's Department into the Exposure Draft of the Bill.
The Office noted that collection of personal financial information is likely to increase significantly under the Bill and that the privacy protections afforded to how this information was handled may potentially be applied inconsistently across reporting entities and users of the information. The draft Bill was amended to bring all reporting entities under the Privacy Act for matters covered by the Bill.
The Office noted that Australia's financial transactions reporting regime was introduced as a response to major crime, and that any broadening of the scope of its application will likely raise privacy issues. A number of recommendations were made aimed at ensuring that the handling of this personal information was subject to appropriate privacy regulation.
The Office also participated in consultative meetings held by the Attorney-General's Department and AUSTRAC.
In response to the experience of the Asian tsunami and the Bali bombings which had highlighted some misunderstanding and uncertainty about the scope and operation of the Privacy Act in an emergency or disaster situation, the Office, in its review of the private sector provisions of the Privacy Act, recommended legislative change to clarify the circumstances where disclosures could be allowed in an emergency.
During 2005 the Office was involved in an Interdepartmental Committee on the issue and in November 2005, the Attorney-General announced that the Privacy Act would be amended to enhance information exchange between Australian Government agencies, state and territory governments, non-government organisations and the private sector in an emergency or disaster situation.
The Australian Government Information Management Office (AGIMO), which chairs the Authentication Working Group (AWG) as part of the CRGIS (see section 1.2.5), is developing a number of frameworks for Government and the Office has had engagement with these in the reporting year. The Office is an observer on the AWG.
The Australian Government Authentication Framework for Individuals (AGAF(I)) is a framework which seeks to set out standards of authentication for individuals dealing online with Government agencies. The Office made a submission to the discussion paper on AGAF(I) in March 2006. The submission supports the approach endorsed by the AGAF(I) to match the level of authentication required with the risk level of a particular transaction.
The Office met with an external consultant, hired by AGIMO to conduct a Privacy Impact Assessment on the Information Management for Government Employees (IMAGE) Framework, and provided general advice on aspects of the IMAGE proposal. In March 2006, the Office also made a submission to AGIMO in relation to its draft Smartcard Framework.
The Office's submission on the Smartcard Framework included recommendations that agencies consider the three key areas where potential privacy issues may arise:
The submission also suggested that the Framework endorse the principle of maximising the choice individuals have about whether to use a smartcard, and the extent to which they use it. The submission also suggested that smartcards should only be designed to be identity credentials where there is a clear business case and where the privacy issues related to issuing a verified identity credential have been carefully assessed.
The Office provided advice to the Attorney-General's Department on a draft code of practice on the use of CCTV systems in the mass passenger transport sector for counter-terrorism purposes.1 The Code is an initiative of the Council of Australian Governments (COAG) following a special meeting during September 2005, to consider Australia's national counter-terrorism arrangements.
The Office noted that the use of CCTV technology raises significant privacy and civil liberties concerns which must be balanced with the Code's utility as a risk-based counter-terrorism and law enforcement tool. The Office provided advice on strategies to achieve this balance.
In 2005-06 the Office continued to provide advice to ACT Government agencies, for example, in relation to the privacy implications of increasing internal agency data sharing within the Department of Disability, Housing and Community Services and disclosures of personal information to the Australian Mesothelioma Register.
The Office's report on the operations of the private sector provisions of the Privacy Act, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, which was completed in March 2005, has continued to shape the Office's responses to new proposals and the way it goes about its work.
Although the Australian Government has not yet responded to the full report, several government initiatives have implemented key recommendations of the report.
The main Government initiative in this regard is the privacy reference to the Australian Law Reform Commission in January 2006: a response to our main recommendation that there be a comprehensive review of privacy legislation.
In addition, the Do Not Call Register Act 2006 passed in June is a positive step towards implementing our recommendation for the establishment of a Do Not Contact Register.
With the increased resources provided through the budget process from July 2006 onwards the Office will be working to implement those recommendations of the review that relate to the Office's functions.
Part IIIAA of the Privacy Act provides that organisations can apply to the Privacy Commissioner for approval of a Privacy Code that will replace the National Privacy Principles for organisations bound by that Code.
General Insurance Information Privacy Code 2
Following a review of the General Insurance Information Privacy Code by the Insurance Council of Australia (ICA), the ICA applied to the Privacy Commissioner to revoke the code. The code was revoked with effect from 30 April 2006. The revocation of the code did not reflect any problems with privacy compliance in the general insurance industry, nor with insurers that were bound by the code.
The ICA has assured the Office that its commitment to the protection of the personal information of private individuals, which prompted the industry's establishment of the code, will continue among all ICA member companies which had been subject to the code.
Queensland Club Industry Privacy Code
In November 2005, Clubs Queensland provided a report on its three-yearly review of the Queensland Club Industry Privacy Code.
The report found that the code is operating well. The comments received were generally 'suggestions for improvement' and Clubs Queensland is considering whether to vary the code in light of the review.
During the reporting period the three credit provider determinations made under the Privacy Act were renewed for short periods. In reviewing the determinations the Commissioner decided to renew them for a short period to allow the Office time to consult with the community about how the determinations have operated and the terms in which any further determinations should be cast.
Two consultation papers covering the three determinations were released for public comment as part of the review. The consultation papers can be found at www.privacy.gov.au/act/credit/index.html#cpd.
The Office received 13 submissions which were under analysis at 30 June 2006.
During the reporting period there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers.
The Australian Government introduced the Do Not Call Register Bill 2006 and the Do Not Call Register (Consequential Amendments) Bill 2006 during May 2006. Both pieces of legislation were passed by the Australian Parliament in late June 2006. The Register, which is to be managed by the Australian Communications and Media Authority, is scheduled to commence operating in 2007.
The Do Not Call Register Act 2006 establishes a scheme to enable individuals who have an Australian telephone number to opt-out of receiving certain unsolicited telemarketing calls.
The Office strongly supports the introduction of the Register, and welcomes the Australian Government taking this step in implementing Recommendation 25 of Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.
The provisions of this Act set in place the foundations of a national scheme to protect Australians from intrusive telephone calls.
The Office contributed to the development and consideration of the Bill through its December 2005 submission to the Department of Communications, Information Technology and the Arts (DCITA), and through its June 2006 submission to the Senate Environment, Communications, Information Technology and the Arts Legislation Committee Inquiry into the Bill.
During 2005-06, the Office continued its representation on the joint working party established by the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) to consider the operations of residential tenancy databases and how the various existing regulatory frameworks affect their operations. The Office continued to provide input to this working party, which is chaired by the Australian Government Attorney-General's Department.
In the report on the review of the private sector provisions of the Privacy Act, the Office made a number of recommendations (Recommendations 14-16) suggesting options for regulating residential tenancy databases, including that the Australian Government should consider making the Privacy Act apply to all residential tenancy databases.
The Office understands that the national electronic health records (EHR) initiative, HealthConnect, has evolved from being an IT project to a "change management strategy" whereby the Department of Health and Ageing is responsible for managing national coordination.
The Office maintains that because an individual's willingness to engage in the health sector is affected by their perception of how their personal health information will be used and how much control they have over it, privacy is fundamental to building an effective EHR system.
Given the sensitivity Australian consumers place on their health information, the Office remains committed to the goal of ensuring appropriate privacy protections for individuals when they participate in e-health initiatives.
During 2005-06, the NSW Department of Health began a pilot of its Healthelink system in the Hunter region. The Office has engaged with NSW Health on this initiative, particularly in regard to any involvement that private sector health service providers may have in the system. Such health service providers will be required to comply with their obligations under the National Privacy Principles when handling personal health information.
The Health Leaders' Forum was renamed the Health Privacy Forum. The Forum remains an informal group, comprising key representatives from the health sector from both the public and private sector. It provides informal advice and information to the Commissioner on health-related privacy issues affecting both the public and private sectors.
The Health Privacy Forum met three times during 2005-06. Amongst other issues, two key topics for the Forum were the Australian Government proposal for a health and social services access card and progress in electronic health records.
In February 2005, an application for a Public Interest Determination was made to the Commissioner regarding the collection of health information about individuals from the Health Insurance Commission's (now Medicare Australia) Prescription Shopping Project Information Service.
On 10 February 2005, the Privacy Commissioner made Temporary Public Interest Determination No. 2005-1 under section 80A of the Privacy Act 1988. The Commissioner also made a Determination giving general effect to this Temporary Public Interest Determination (TPID). These determinations were due to expire on 9 February 2006.
On 16 January 2006, the applicant confirmed that the circumstances for lodging the initial application remained the same as when the initial instruments were made. The Commissioner considered this matter and decided to issue a further temporary determination with effect to 22 December 2006.
The Privacy Commissioner would not ordinarily issue a second temporary public interest determination in relation to the same matter. However, the Commissioner decided to do this on the basis that the Attorney-General's Department and the Department of Health and Ageing undertook to pursue legislative amendments to permanently authorise the acts and practices which are temporarily authorised by these two instruments. The Bill to effect these amendments was introduced to the Australian Parliament in June 2006 and will be debated in the Spring 2006 session.
The Determinations and the Explanatory Statement are available at www.privacy.gov.au/act/publicinterest/index.html#3.
The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.
The Office was consulted on 12 Australian Communications Industry Forum (ACIF) codes during the reporting period.
In March 2006, the Office made a submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006. This Bill clarifies protections for stored communications such as emails, SMS messages and voicemail messages, provides for the interception of 'B-party' communications, adds provisions relating to equipment-based interceptions and repeals s. 6(2) of the Telecommunications (Interception) Act 1979.
The Office made recommendations intended to consolidate the privacy protections in the Telecommunications (Interception) Act, and noted areas of the Bill that may have had unintended consequences in relation to privacy. The Office supported the repeal of s. 6(2) of the Telecommunications (Interception) Act. This section has given rise to confusion in the past about the circumstances under which phone calls may be covertly monitored.
In February 2006, the Office made a submission to the Department of Communications, Information Technology and the Arts (DCITA) review of the operation of the Spam Act 2003 and related parts of the Telecommunications Act 1997.
The Office recommended that changes to the Spam Act should be aimed at enhancing national consistency in privacy-related legislation.
1 The Code is called A national approach to closed-circuit television: National Code of Practice for CCTV Systems for the Mass Passenger Transport Sector for Counter-Terrorism (2006)
2 See section 3.7 for the s. 97(2A) statement about the operation of the General Insurance Information Privacy Code up to 30 April 2006 when it was revoked.
In 2005-06 the Office's communication strategy focussed on its website as its main communication tool, offering new services and refining its content and functions to provide a source of valuable information for individuals with an interest in privacy.
This included RSS (Really Simple Syndication) enabling sections of the Office's website, improving the website's search functionality and continuing to upload speeches and media announcements and releases as the Office makes comment. The Office also developed a privacy events calendar allowing organisations hosting privacy related events to have their event listed on the calendar.
The Office's website continues to be a major focus for the Office's communication activities. In 2005-06 the Office made some enhancements to the website, including RSS enabling the 'Latest Uploads' section of the home page and adding a privacy events calendar, which is also RSS enabled, to inform users of privacy related events taking place globally.
RSS is an alternative way of viewing webpage content. By RSS enabling the 'Latest Uploads' section of the website, users who download RSS newsreader software are able to easily subscribe to the Office's website, allowing them to automatically receive updated information from the website whenever new material is added.
The privacy events calendar provides details and links on a no endorsement basis to privacy related events taking place in Australia and overseas. This service is also RSS enabled.
The Office continues to prepare and publish on the Office's website case notes of finalised complaints that are considered to be of interest to the general public (see section 3.5 for further information). Monthly statistical updates on complaints and enquiries are also loaded to the website at www.privacy.gov.au/about/complaints/index.html.
The Office's website www.privacy.gov.au increased its traffic from the previous reporting year. Visits to the website increased by 338 959 sessions during 2005-06 compared to the previous year, an increase of 32%. Page views (number of pages people looked at during the session) increased by 1 375 263 (see Table 2.1), an increase of 30%.
The figures in Table 2.1 show the number of sessions and the number of page views for the privacy website each year for the last three financial years, while Chart 2.1 graphically represents the substantial increase in website traffic since 2001.
| | 2003-04 | 2004-05 | 2005-06 | Increase 2004-05 to 2005-06 |
|---|---|---|---|---|
| Session views | 827 391 | 1 072 361 | 1 411 320 | + 338 959 |
| Page views | 3 892 737 | 4 561 982 | 5 937 245 | + 1 375 263 |
The top six most popular documents on the website for 2005-06 were:
148 media enquiries were made to the Office during 2005-06. This is down from the 234 enquiries received in 2004-05.
Some of the key issues to come out of media enquiries included:
Health privacy media enquiries covered a wide range of issues including e-health, access to medical records and the security of medical records. Workplace surveillance and direct marketing were also high on the list, with the direct marketing media enquiries being predominantly around the issue of the Government proposed 'Do Not Call' Register.
The Office prepared 14 media announcements and releases during 2005-06 and issued these by mediawire or through the Office's media email network 'primedia' (see section 2.5 for further information).
The Office delivered 39 speeches during 2005-06.
The number of speeches delivered during the current financial year has remained at a similar level to those given in recent reporting periods.
To ensure that the Office resources remain directed to priority areas, the Office only undertakes speaking engagements which correspond with key Office objectives. Speeches and presentations were given on a range of subjects including compliance, security and health. A complete list of presentations made by the Commissioner and staff of the Office can be found at Appendix 3. PowerPoint presentations for a number of these speeches are available on the Office's website at www.privacy.gov.au/news/speeches/index.html.
The Office's Privacy Connections Network receives messages from the Office concerning privacy issues, developments, events, and other privacy related material in an effort to keep its members informed of privacy related developments. The network commenced in 2001 and as at 30 June 2006 had 688 members. The network comprises people from the Australian community who are interested in privacy issues.
Information about the Privacy Connections Network is available at www.privacy.gov.au/about/connections/index.html.
The Office also has an email list specifically targeting media personnel and media agencies. These members receive the Office's media releases and announcements.
As at 30 June 2006 the media release and announcement email list had 1135 members. Information about the media release and announcement email list is available at www.privacy.gov.au/lists/index.html.
The Office facilitates a network of Privacy Contact Officers (PCOs). PCOs are the designated points of contact in Australian and ACT Government agencies with whom the Office liaises on an ongoing basis.
The Office views the PCO meetings as a key to maintaining open lines of communication to allow for the exchange of information between the Office and government agencies by keeping each party informed of project developments that have privacy implications.
The PCO Network is also an effective way for the Office to appropriately refer complaints lodged with the Office about a government agency to the agency itself, thereby creating a more efficient complaints handling process.
The Office provides a secretariat role to the PCO Network and organises regular PCO meetings, distributes relevant information and develops resource materials. In 2005-06, the Office held four PCO meetings.
The Office gauges interest in the forums by seeking feedback following each meeting. The meetings continue to receive positive feedback. The Office plans to survey members in 2006-07 to assist in ensuring that the needs of the PCO Network are being met.
The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act. Its members are appointed by the Governor-General. The functions of the PAC are established under s. 83 of the Privacy Act and provide for the PAC to assist the Commissioner in engaging in and promoting community education, and community consultation, in relation to the protection of individual privacy, and advise the Commissioner on matters relevant to their functions.
The PAC also acts as an external reference point that supports the Commissioner in gaining access to the broad views about privacy in the private sector, government and the community at large. The Office provides a secretariat role to the PAC.
In particular, this year the PAC assisted by providing the Office with direction on a number of activities including the Office's complaint handling review. PAC members attended the November 2005 Asia Pacific Privacy Authorities Forum (see section 2.7.1 for further information) at which they briefed the forum on their role and the benefits of the committee for the Office.
There are currently six members of the PAC. In February 2006, the terms of two of the members, Mr Peter Coroneos and Associate Professor John M. O'Brien, expired. Subsequently, both members were reappointed for additional three-year terms. Following his appointment as Human Rights Commissioner in December 2005, Mr Graeme Innes AO resigned from the PAC. The Government is currently considering his replacement.
The Asia Pacific Privacy Authorities (APPA) forum is a regional forum that includes the Office, the State and Territory Privacy Commissioners in Australia (NSW, Victoria and the Northern Territory), together with the Privacy Commissioners of New Zealand and Hong Kong. The Korean Republic is also a member.
The forum, which was previously known as the Privacy Agencies of New Zealand and Australia plus Hong Kong and Korea, meets biannually, with a rotating venue and host. APPA meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA affiliates. Further, the forum provides an opportunity for regional Commissioners to exchange knowledge and experiences about privacy regulation across the different jurisdictions. The forum met twice in 2005-06, in November 2005 in Melbourne and in May 2006 in Sydney.
In November 2005 the APPA forum established a Statement of Objectives and resolved that members agreed to closer cooperation on issues of mutual interest and continued development of joint projects. During the year the members of the forum commenced a joint promotions initiative which will be reported on in the 2006-07 annual report.
In September 2005, the Privacy Commissioner attended the 27th International Conference on Privacy and Personal Data Protection in Montreux, Switzerland. During the conference, the Commissioner spoke at 'The importance of self-regulation in the implementation of data protection principles'. The subject of the Commissioner's presentation was The Australian Private Sector Experience in which the Commissioner examined the success of self-regulation in the private sector before the introduction of the National Privacy Principles (NPPs) and the subsequent co-regulatory experience since the introduction of the NPPs. The session explored issues pertaining to regulatory regimes, their comparative effectiveness and the Australian experience of privacy compliance.
At the conference, the Commissioner also presented a speech at the Privacy Laws and Business Roundtable. The Commissioner's speech provided an outline of privacy law in Australia, with particular regard to the Review of the Private Sector Provisions of the Privacy Act and other contemporary privacy issues.
The Privacy Commissioner protects the privacy of Australians through compliance activities that include offering a telephone enquiries service, resolving individual privacy complaints, conducting investigations and audits, and monitoring data-matching activities.
The Office's compliance focus in 2005-06 was on the resolution of individual complaints. The Office aims to resolve cases in ways which are fair, open and engender stakeholder confidence.
As mentioned earlier in this report, the Office is to receive an increase in funding of approximately $8.1m over four years. One of the first priorities will be to ensure that the Office's complaints handling systems and practices are working well and that individuals' complaints are handled in a timely and effective way. The additional funding will enable an improvement in turnaround times and the removal of the current backlog.
In addition to its work on individual complaints, the Office also assessed 90 incidents that may have indicated privacy breaches affecting individuals or systemic privacy breaches. Where indicated on the basis of a risk assessment, formal investigations or other actions, including providing advice, were instituted.
While, as noted above, the Office currently has a limited audit program, it did complete all audits planned under specific funding arrangements established by Memoranda of Understanding (MOUs) (see section 4.1). It also finalised arrangements to publish most audit reports on its website (see section 3.8).
The Office operates a telephone enquiry service for the cost of a local call (1300 363 992), which provides general advice about privacy issues and privacy law. It answered 19 150 telephone enquiries in 2005-06, 9% fewer than the 21 108 received in 2004-05. While there are calls from organisations or agencies seeking advice about how to comply with their obligations under the Privacy Act, most calls were from individuals seeking advice about how to deal with possible interferences with their privacy.
Table 3.1 below shows a break-down of issues that calls were received about during 2005-06.
| Issue | Number of calls |
|---|---|
| Credit Reporting | 1279 |
| Data-matching | 30 |
| Information Privacy Principles | 905 |
| Spent Convictions | 190 |
| Tax File Numbers | 49 |
| Privacy General | 3612 |
| Privacy Issues Outside Jurisdiction | 689 |
| Sub-total | 6754 |
| Private Sector Provisions | |
| NPP 1 - Collection | 1439 |
| NPP 2 - Use and Disclosure | 3804 |
| NPP 3 - Data Quality | 180 |
| NPP 4 - Data Security | 625 |
| NPP 5 - Openness | 153 |
| NPP 6 - Access and Correction | 1408 |
| NPP 7 - Identifiers | 23 |
| NPP 8 - Anonymity | 7 |
| NPP 9 - Transborder Data Flows | 90 |
| NPP 10 - Sensitive Information | 47 |
| NPP Exemptions | 2000 |
| Private Sector Provisions (General) | 571 |
| Sub-total | 10 347 |
| Unrelated to Privacy | 2049 |
| TOTAL | 19 150 |
Of the total calls received, most related to the National Privacy Principles (54%). Of these, use and disclosure of personal information was the area of greatest concern (37%), with 2701 of these being about inappropriate disclosures of personal information. Other categories of concern were collection of personal information (14%) and access to and correction of personal information (14%).
Callers were also concerned about issues relating to the private sector that did not fall within jurisdiction. Of the 2000 enquiries received in this category, employment matters rated highly (43%) as did the practices of small business operators (21%).
Chart 3.1 below distributes telephone enquiries by industry sector.
A sample of calls received appears below.
In addition to enquiries received via the telephone enquiry service, the Office received 2316 written enquiries by email, post and facsimile. This is an 11% increase on the 2094 reported in 2004-05. Of the written enquiries received this year, 1441 or 62% were specifically about the operation of the private sector provisions.
The Privacy Commissioner may accept complaints from individuals about acts or practices that may be an interference with their privacy. This can include complaints about:
In 2005-06 the Office received a total of 1183 complaints across all areas of its jurisdiction (1275 were received in 2004-05).
The nature of complaints varied considerably. Some examples are listed below:
The spread of complaints received in relation to the various jurisdictions of the Privacy Act is set out in Chart 3.2 below. Complaints relating to the private sector in relation to possible breaches of the NPPs continue to dominate.
The matters most frequently raised in complaints, as a percentage of total complaints received, are set out in Chart 3.3 below. Percentages exceed 100 due to complaints containing more than one issue.
Chart 3.4 sets out the number of complaints received by sector (for the twelve sectors regarding which most complaints are made).
The Office closed 1131 complaints in 2005-06. This was 1% less than the 1144 complaints closed in 2004-05.
About 11% of matters were closed following a formal investigation and, where appropriate, through reaching a conciliated resolution to the matters that gave rise to the complaint. In other cases, matters were finalised after the Privacy Commissioner made preliminary enquiries which may have included a conciliation process or which revealed that there was an interference with privacy or that the matter was not within jurisdiction. In many cases the Privacy Commissioner declined the matter, for example because:
Table 3.2 below summarises the stage at which complaints were closed and the average time the Office took to finalise the complaint.
| Stage at which complaint closed | Number of matters | Average time to finalise (months/years) |
|---|---|---|
| Formal investigations - s. 40(1) | 124 | 1 year 6 months |
| Preliminary inquiries - s. 42 | 333 | 6 months |
| Declined to investigate - s. 41 | 674 | 1 month |
| Total | 1131 | |
The Office aims to finalise all complaints within 12 months of receipt. While it meets this target on the average duration for all complaints, formal investigations currently take longer than this due to the current complaint backlog.
The Privacy Commissioner may investigate acts or practices that may be a breach of privacy and, if appropriate, endeavour to conciliate a resolution to the matters that gave rise to the complaint.
Following an investigation, and conciliation if appropriate, the Privacy Commissioner may decide not to investigate a matter further if satisfied that the matter has been adequately dealt with by the respondent or that there is no interference with privacy, or may decide to make a determination in relation to a complaint under s. 52.
In 2005-06 the Privacy Commissioner closed 124 or 11% of complaints following a formal investigation of the matters that gave rise to a complaint. Table 3.3 below sets out the grounds the Privacy Commissioner relied on to close these complaints. The matters mentioned here are greater than the total number of complaints closed as in some cases there is more than one ground for closing a matter. In about 50% of cases the Privacy Commissioner formed the view that the complaint was likely to be upheld and proceeded to conciliation.
The resolutions agreed between the parties in these cases include: