THE OFFICE OF THE PRIVACY COMMISSIONER


Annual Report 2005-06

Chapter 1 Respecting Privacy

1.1 Review of Performance

The Office has a significant role in providing advice to Australian Government agencies on new policy proposals and legislative changes to ensure that the privacy of individuals' personal information is properly taken into account during the development and implementation of the proposals.

The Office also has a significant role in advising private sector organisations on how they can comply with their obligations under the Act. This is generally done through the issuing of guidelines and other information materials.

In the reporting period the Office focussed on responding to a large number of government legislative and policy initiatives including several anti-terrorism and serious crime related initiatives, information and communications technology changes and the Department of Human Services Access Card proposal.

In addition the Office made five credit and public interest determinations, registered a Privacy Code revocation and continued to participate in the Australian Government's National Identity Security Strategy.

1.2 Privacy and the Australian Government

1.2.1 Guide to Privacy Impact Assessments

In 2004-05 the Office made available a draft Privacy Impact Assessment (PIA) Guide together with a Privacy Impact Checklist developed by the Information Law Branch of the Attorney-General's Department. The draft PIA Guide has assisted Australian and ACT Government agencies to undertake voluntary PIAs to identify and manage privacy impacts that may be associated with projects that involve the handling of personal information.

In 2005-06 an increasing number of Australian and ACT Government agencies have been undertaking PIAs. The draft PIA Guide has helped these agencies to recognise privacy issues, build privacy safeguards into their projects at an early stage, and minimise the need for retrospective and reactive privacy measures.

The Office has provided a number of advices to agencies in relation to the PIA process and the use of the Guide. During the reporting period the Office worked on a revised version of the Guide, taking into account the feedback the Office received about the draft and its practical application.

The PIA Guide can be found on the Office's website at www.privacy.gov.au/government/officers/news/index.html.

1.2.2 Department of Human Services Health and Social Services Access Card

The Office participated in the Australian Government's Interdepartmental Committee (IDC), chaired by the Department of Human Services (DHS), which was charged with examining smart technologies and services for government service delivery.

Since the conclusion of the IDC, the Office has continued to engage with the DHS by providing advice during the development of a business case and associated Privacy Impact Assessment. As the government progresses the implementation of the access card, the Office will continue to provide advice on privacy issues associated with the project.

The Office has raised with the Australian Government a multifaceted approach to incorporate fundamental privacy principles into the access card proposal. This approach includes:

1.2.3 Security Legislation Review

On 12 October 2005, the Attorney-General established a Committee to review the Security Legislation Amendment (Terrorism) Act 2002 and other related legislation. Section 4(3) of that legislation requires that the Privacy Commissioner be a member of the review Committee. The Committee gave its report to the Attorney-General in April 2006. Over the period of the review the Commissioner's involvement was significant, including over 20 days of briefings and meetings.

The Office made a submission to this review in January 2006. The Office explained that it had only received a small number of complaints or enquiries relevant to the legislation under review, although it was noted that, given the largely covert nature of the practices in question, many individuals would not be aware of the practices.

The Office also noted that it conducted two audits, in 2003 and 2004, of the Australian Customs Service's use of certain powers enacted under legislation relevant to the review.

1.2.4 Anti-terrorism Legislation

In November 2005, the Office made a submission to the Senate Legal and Constitutional Committee's inquiry into the provisions of the Anti-terrorism Bill (No.2) 2005. The Office expressed the view that there should be an appropriate balance between the need for security and the right to privacy.

The Office made specific recommendations on the need for greater certainty around review mechanisms for the Bill, as well as making a range of recommendations aimed at ensuring that any new powers concerning the handling of personal information should be accompanied by measures that afford privacy protections. These included:

1.2.5 Identity and Border Security

In the 2005-06 Budget the Australian Government announced that it would provide funding for the development of a National Identity Security Strategy. The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS) convened by the Attorney-General's Department to assist in developing this national strategy including the implementation of two trials:

The Office has attended a number of meetings of the CRGIS and its working groups. As well, the Office facilitated a meeting of the State and Territory Privacy Commissioners to discuss key aspects of the DVS.

The Office commented on a draft Privacy Impact Assessment prepared by the Attorney-General's Department in relation to the DVS prototype and on a working draft of the 'Integrity of Identity Data Pilot'. The Office also provided comments to the Proof of Identity Working Group regarding a Gold Standard Enrolment Process draft Issues Paper.

As part of its role on the Authentication Working Group, the Office made submissions on an Australian Government Smartcard Framework and an Australian Government eAuthentication Framework (for individuals dealing online with government agencies). For more information see section 1.2.9.

During the reporting period the Office continued to provide advice to the Australian Customs Service (Customs), DFAT and DIMA to assist them in addressing privacy issues that may arise as a result of the introduction of biometric technology into border control processes.

In particular, the Office liaised with DIMA in respect of proposed amendments to the Citizenship Act and Migration Act that specifically address the collection, use and disclosure of biometric information. The Office also provided advice to Customs on data security in relation to its automated border control system currently under development.

1.2.6 Law Enforcement

During the reporting period the Office provided a range of advices concerning law enforcement. This included advice to Australian Government agencies on the application of Information Privacy Principle (IPP) 11 to law enforcement, as well as the Office's interpretation of the 'law enforcement' exemptions contained in the National Privacy Principles (NPPs), particularly where personal information is required from private sector organisations.

The Office made a submission to a review of foreign extradition arrangements being conducted by the Attorney-General's Department. This submission suggested that the explicit authorisation of an agency's information-handling activities provides a more appropriate arrangement than relying upon the criminal law enforcement exception. It also proposed a number of elements of a privacy framework that could apply to the handling of personal information for extradition.

In May 2006, the Office made a submission to the independent review of the Proceeds of Crime Act 2002. The Office noted that Part 3-3 of that legislation empowers authorised law enforcement officers to compel financial institutions to disclose prescribed personal information. The Office suggested that the review give further consideration to the necessity of such powers being available without judicial oversight.

1.2.7 Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill

The Office made two submissions concerning the Exposure Draft of the Anti-money Laundering and Counter-terrorism Financing Bill. The first of these submissions, made in March 2006, was to the Senate Legal and Constitutional Committee's inquiry into the Exposure Draft of the Bill. A second submission was made in April 2006 as part of the consultation process being conducted by the Attorney-General's Department into the Exposure Draft of the Bill.

The Office noted that collection of personal financial information is likely to increase significantly under the Bill and that the privacy protections afforded to how this information was handled may potentially be applied inconsistently across reporting entities and users of the information. The draft Bill was amended to bring all reporting entities under the Privacy Act for matters covered by the Bill.

The Office noted that Australia's financial transactions reporting regime was introduced as a response to major crime, and that any broadening of the scope of its application will likely raise privacy issues. A number of recommendations were made aimed at ensuring that the handling of this personal information was subject to appropriate privacy regulation.

The Office also participated in consultative meetings held by the Attorney-General's Department and AUSTRAC.

1.2.8 Responding to Large Scale Emergencies

In response to the experience of the Asian tsunami and the Bali bombings, which had highlighted some misunderstanding and uncertainty about the scope and operation of the Privacy Act in an emergency or disaster situation, the Office, in its review of the private sector provisions of the Privacy Act, recommended legislative change to clarify the circumstances where disclosures could be allowed in an emergency.

During 2005 the Office was involved in an Interdepartmental Committee on the issue, and in November 2005 the Attorney-General announced that the Privacy Act would be amended to enhance information exchange between Australian Government agencies, state and territory governments, non-government organisations and the private sector in an emergency or disaster situation.

1.2.9 Australian Government Information Management Office Frameworks

The Australian Government Information Management Office (AGIMO), which chairs the Authentication Working Group (AWG) as part of the CRGIS (see section 1.2.5), is developing a number of frameworks for Government, and the Office engaged with these during the reporting year. The Office is an observer on the AWG.

The Australian Government Authentication Framework for Individuals (AGAF(I)) is a framework which seeks to set out standards of authentication for individuals dealing online with Government agencies. The Office made a submission to the discussion paper on AGAF(I) in March 2006. The submission supports the approach endorsed by the AGAF(I) to match the level of authentication required with the risk level of a particular transaction.

The Office met with an external consultant, hired by AGIMO to conduct a Privacy Impact Assessment on the Information Management for Government Employees (IMAGE) Framework, and provided general advice on aspects of the IMAGE proposal. In March 2006, the Office also made a submission to AGIMO in relation to its draft Smartcard Framework.

The Office's submission on the Smartcard Framework included recommendations that agencies consider the three key areas where potential privacy issues may arise:

The submission also suggested that the Framework endorse the principle of maximising the choice individuals have about whether to use a smartcard, and the extent to which they use it. The submission also suggested that smartcards should only be designed to be identity credentials where there is a clear business case and where the privacy issues related to issuing a verified identity credential have been carefully assessed.

1.2.10 Closed Circuit Television

The Office provided advice to the Attorney-General's Department on a draft code of practice on the use of CCTV systems in the mass passenger transport sector for counter-terrorism purposes.1 The Code is an initiative of the Council of Australian Governments (COAG) following a special meeting during September 2005 to consider Australia's national counter-terrorism arrangements.

The Office noted that the use of CCTV technology raises significant privacy and civil liberties concerns which must be balanced with the Code's utility as a risk-based counter-terrorism and law enforcement tool. The Office provided advice on strategies to achieve this balance.

1.3 Privacy and the Australian Capital Territory Government

In 2005-06 the Office continued to provide advice to ACT Government agencies, for example, in relation to the privacy implications of increasing internal agency data sharing within the Department of Disability, Housing and Community Services and disclosures of personal information to the Australian Mesothelioma Register.

1.4 Privacy and Business

1.4.1 Review of the Private Sector Provisions of the Privacy Act

The Office's report on the operations of the private sector provisions of the Privacy Act, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, which was completed in March 2005, has continued to shape the Office's responses to new proposals and the way it goes about its work.

Although the Australian Government has not yet responded to the full report, several government initiatives have implemented key recommendations of the report.

The main Government initiative in this regard is the privacy reference to the Australian Law Reform Commission in January 2006: a response to our main recommendation that there be a comprehensive review of privacy legislation.

In addition, the Do Not Call Register Act 2006 passed in June is a positive step towards implementing our recommendation for the establishment of a Do Not Contact Register.

With the increased resources provided through the budget process from July 2006 onwards the Office will be working to implement those recommendations of the review that relate to the Office's functions.

1.4.2 Privacy Codes

Part IIIAA of the Privacy Act provides that organisations can apply to the Privacy Commissioner for approval of a Privacy Code that will replace the National Privacy Principles for organisations bound by that Code.

General Insurance Information Privacy Code 2

Following a review of the General Insurance Information Privacy Code by the Insurance Council of Australia (ICA), the ICA applied to the Privacy Commissioner to revoke the code. The code was revoked with effect from 30 April 2006. The revocation of the code did not reflect any problems with privacy compliance in the general insurance industry, nor with insurers that were bound by the code.

The ICA has assured the Office that its commitment to the protection of the personal information of private individuals, which prompted the industry's establishment of the code, will continue among all ICA member companies which had been subject to the code.

Queensland Club Industry Privacy Code

In November 2005, Clubs Queensland provided a report on its three-yearly review of the Queensland Club Industry Privacy Code.

The report found that the code is operating well. The comments received were generally 'suggestions for improvement' and Clubs Queensland is considering whether to vary the code in light of the review.

1.4.3 Credit Reporting Determinations

During the reporting period the three credit provider determinations made under the Privacy Act were renewed for short periods. In reviewing the determinations the Commissioner decided to renew them for a short period to allow the Office time to consult with the community about how the determinations have operated and the terms in which any further determinations should be cast.

Two consultation papers covering the three determinations were released for public comment as part of the review. The consultation papers can be found at www.privacy.gov.au/act/credit/index.html#cpd.

The Office received 13 submissions which were under analysis at 30 June 2006.

1.4.4 Tax File Number Guidelines

During the reporting period there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers.

1.4.5 Do Not Call Register

The Australian Government introduced the Do Not Call Register Bill 2006 and the Do Not Call Register (Consequential Amendments) Bill 2006 during May 2006. Both pieces of legislation were passed by the Australian Parliament in late June 2006. The Register, which is to be managed by the Australian Communications and Media Authority, is scheduled to commence operating in 2007.

The Do Not Call Register Act 2006 establishes a scheme to enable individuals who have an Australian telephone number to opt-out of receiving certain unsolicited telemarketing calls.

The Office strongly supports the introduction of the Register, and welcomes the Australian Government taking this step in implementing Recommendation 25 of Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

The provisions of this Act set in place the foundations of a national scheme to protect Australians from intrusive telephone calls.

The Office contributed to the development and consideration of the Bill through its December 2005 submission to the Department of Communications, Information Technology and the Arts (DCITA), and through its June 2006 submission to the Senate Environment, Communications, Information Technology and the Arts Legislation Committee Inquiry into the Bill.

1.4.6 Residential Tenancy Databases

During 2005-06, the Office continued its representation on the joint working party established by the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) to consider the operations of residential tenancy databases and how the various existing regulatory frameworks affect their operations. The Office continued to provide input to this working party, which is chaired by the Australian Government Attorney-General's Department.

In the report on the review of the private sector provisions of the Privacy Act, the Office made a number of recommendations (Recommendations 14-16) suggesting options for regulating residential tenancy databases, including that the Australian Government should consider making the Privacy Act apply to all residential tenancy databases.

1.5 Privacy and the Health Sector

1.5.1 Electronic Health Records

The Office understands that the national electronic health records (EHR) initiative, HealthConnect, has evolved from being an IT project to a "change management strategy" whereby the Department of Health and Ageing is responsible for managing national coordination.

The Office maintains that because an individual's willingness to engage in the health sector is affected by their perception of how their personal health information will be used and how much control they have over it, privacy is fundamental to building an effective EHR system.

Given the sensitivity Australian consumers place on their health information, the Office remains committed to the goal of ensuring appropriate privacy protections for individuals when they participate in e-health initiatives.

During 2005-06, the NSW Department of Health began a pilot of its Healthelink system in the Hunter region. The Office has engaged with NSW Health on this initiative, particularly in regard to any involvement that private sector health service providers may have in the system. Such health service providers will be required to comply with their obligations under the National Privacy Principles when handling personal health information.

1.5.2 Health Privacy Forum

The Health Leaders' Forum was renamed the Health Privacy Forum. The Forum remains an informal group, comprising key representatives from the health sector from both the public and private sector. It provides informal advice and information to the Commissioner on health-related privacy issues affecting both the public and private sectors.

The Health Privacy Forum met three times during 2005-06. Amongst other issues, two key topics for the Forum were the Australian Government proposal for a health and social services access card and progress in electronic health records.

1.5.3 Prescription Shopping Temporary Public Interest Determination

In February 2005, an application for a Public Interest Determination was made to the Commissioner regarding the collection of health information about individuals from the Health Insurance Commission's (now Medicare Australia) Prescription Shopping Project Information Service.

On 10 February 2005, the Privacy Commissioner made Temporary Public Interest Determination No. 2005-1 under section 80A of the Privacy Act 1988. The Commissioner also made a Determination giving general effect to this Temporary Public Interest Determination (TPID). These determinations were due to expire on 9 February 2006.

On 16 January 2006, the applicant confirmed that the circumstances for lodging the initial application remained the same as when the initial instruments were made. The Commissioner considered this matter and decided to issue a further temporary determination with effect to 22 December 2006.

The Privacy Commissioner would not ordinarily issue a second temporary public interest determination in relation to the same matter. However, the Commissioner decided to do this on the basis that the Attorney-General's Department and the Department of Health and Ageing undertook to pursue legislative amendments to permanently authorise the acts and practices which are temporarily authorised by these two instruments. The Bill to effect these amendments was introduced to the Australian Parliament in June 2006 and will be debated in the Spring 2006 session.

The Determinations and the Explanatory Statement are available at www.privacy.gov.au/act/publicinterest/index.html#3.

1.6 Privacy and the Information and Communication Technology Sector

1.6.1 Telecommunications and E-Marketing Industry Codes

The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.

The Office was consulted on 12 Australian Communications Industry Forum (ACIF) codes during the reporting period.

1.6.2 Telecommunications (Interception) Act

In March 2006, the Office made a submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006. This Bill clarifies protections for stored communications such as emails, SMS messages and voicemail messages, provides for the interception of 'B-party' communications, adds provisions relating to equipment-based interceptions and repeals s. 6(2) of the Telecommunications (Interception) Act 1979.

The Office made recommendations intended to consolidate the privacy protections in the Telecommunications (Interception) Act, and noted areas of the Bill that may have had unintended consequences in relation to privacy. The Office supported the repeal of s. 6(2) of the Telecommunications (Interception) Act. This section has given rise to confusion in the past about the circumstances under which phone calls may be covertly monitored.

1.6.3 Spam Act

In February 2006, the Office made a submission to the Department of Communications, Information Technology and the Arts (DCITA) review of the operation of the Spam Act 2003 and related parts of the Telecommunications Act 1997.

The Office recommended that changes to the Spam Act should be aimed at enhancing national consistency in privacy-related legislation.


Footnotes

1 The Code is called A national approach to closed-circuit television: National Code of Practice for CCTV Systems for the Mass Passenger Transport Sector for Counter-Terrorism (2006)

2 See section 3.7 for the s. 97(2A) statement about the operation of the General Insurance Information Privacy Code up to 30 April 2006 when it was revoked.