OAIC releases the 2012–13 annual report
October 31, 2013
The Office of the Australian Information Commissioner has released its annual report today. It is found here.
It is a voluminous document, which is normal for an agency. Chapter 7 deals with privacy compliance. It provides:
Privacy compliance
Overview
To ensure that privacy is valued and respected in Australia, the Office of the Australian Information Commissioner (OAIC) undertakes a wide range of compliance activities.
These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections, conducting own motion investigations (OMIs) and receiving and reviewing data breach notifications (DBNs).
In 2012–13, the OAIC received 1496 complaints, an increase of 10.2% over the 1357 received in 2011–12. Additionally, the OAIC received 61 voluntary DBNs, a 33% increase on the number of DBNs received in 2011–12.
Thirteen OMIs were commenced and work was undertaken on seven audits.
Responding to privacy enquiries
The OAIC’s enquiries line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The OAIC’s enquiries line also responds to written enquiries received by post, email or fax.
Telephone enquiries
In 2012–13, the enquiries line answered 18,205 telephone calls, 9,009 of which related to privacy matters that were within the OAIC’s jurisdiction. A further 1,703 enquiries were received about privacy matters that were out of jurisdiction.
Most callers are individuals seeking information about their privacy rights and how to resolve privacy complaints.
Table 7.1 sets out the top 10 types of caller who telephoned the enquiries line in 2012–13.
Table 7.1 Top 10 privacy caller types
Top 10 privacy caller types | Number of calls
Individuals | 7434
Business and professional associations | 510
Health service providers | 195
Real estate agents | 134
Australian Government | 128
Legal, accounting and management services | 93
Personal services (including employment, child care, vets) | 59
Charities | 50
Finance (including superannuation) | 49
Education | 44
Table 7.2 provides a breakdown of issues discussed in the calls received during 2012–13. More than three quarters (83%) of the privacy-related calls were about the National Privacy Principles (NPPs). The most frequently discussed issue continues to be the use and disclosure of personal information by private sector organisations, followed by NPP exemptions, improper collection, access and correction and data security.
The number of privacy-related calls about credit reporting and the Information Privacy Principles (IPPs) was lower than in previous years.
Table 7.2 Breakdown of issues discussed in privacy calls received
Issues | Number of calls
NPP 1 — Collection | 1693
NPP 2 — Use and disclosure | 2361
NPP 3 — Data quality | 189
NPP 4 — Data security | 1159
NPP 5 — Openness (privacy statement) | 117
NPP 6 — Access and correction | 1381
NPP 7 — Identifiers | 6
NPP 8 — Anonymity | 20
NPP 9 — Transborder data flows | 41
NPP 10 — Sensitive information collection | 44
NPP Exemptions | 1733
NPPs generally | 114
Credit reporting | 924
Data breach notification | 25
Data-matching | 11
Healthcare identifier | 0
Information Privacy Principles (public sector) | 632
Personal Property Securities Register | 0
Personally controlled electronic health records | 10
Privacy codes | 5
Privacy law reforms | 82
Spent convictions | 120
Tax file numbers | 42
Table 7.3 lists the 10 private sector industry groups that were most enquired about in NPP telephone enquiries. This pattern has been generally consistent for several years.
Table 7.3 Top 10 private sector industry groups enquired about
Private sector industry group | Number of telephone enquiries
Business and professional associations | 2896
Health service providers | 1169
Real estate agents | 768
Finance (including superannuation) | 559
Telecommunications | 466
Insurance | 264
Retail | 222
Personal services (including employment, child care, vets) | 217
Online services | 173
Education | 158
Following are some examples of calls received during 2012–13.
- A caller asked about the privacy implications of an organisation monitoring and recording calls for quality and coaching purposes. The caller was advised that ‘monitoring’ and ‘recording’ are not the same, and that the Privacy Act 1988 (Privacy Act) applies only to personal information that is or will be held in a record. The organisation should understand that personal information, once recorded, must be managed in accordance with the NPPs, even if recorded only for staff development and training. Information was provided to the caller about NPP 1 (Collection), NPP 2 (Use and disclosure) and NPP 6 (Access and correction). Best practice privacy compliance was also discussed, noting that best practice would be to provide individuals with the option not to have their call recorded.
- A caller was concerned about the actions of his ex-partner, who had obtained his details and was opening fraudulent lines of credit. The police had been contacted. The caller was advised that the Privacy Act may not apply as it does not cover the actions of individuals. The caller was nevertheless provided with information on NPP 2 (Use and disclosure), NPP 4 (Data security), the OAIC’s complaints process, and OAIC fact sheets on protecting your own personal information.
- A caller asked if the Commonwealth Spent Convictions Scheme applied to a criminal history check for employment that includes working with children. He was provided with information about the Spent Convictions Scheme and relevant exemptions.
Written enquiries
Of the 3142 written enquiries received by the OAIC in 2012–13, 1567 related to privacy matters that were within the OAIC’s jurisdiction. A further 323 enquiries were about privacy matters out of jurisdiction. The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was met in 2012–13, with 93% of privacy-related written enquiries responded to within 10 working days.
In 2012–13, 64% of privacy-related written enquiries concerned the private sector provisions of the Privacy Act. This is consistent with the 2011–12 figure (65%).
Complaints
The OAIC can investigate complaints about acts or practices that may be an interference with an individual’s privacy. These can include allegations that:
- personal information has been collected, held, used or disclosed by an organisation in contravention of the NPPs
- personal information has been handled by an Australian, ACT or Norfolk Island Government agency in a manner that does not comply with the IPPs
- credit-worthiness information held by credit providers and credit reporting agencies has been mishandled
- Tax File Numbers (TFNs) have been mishandled by individuals or organisations
- personal information has not been managed in accordance with spent conviction, data matching or healthcare identifier legislation.
Complaints received during 2012–13
In 2012–13, the OAIC received a total of 1496 complaints relating to privacy, on a wide variety of issues.
Non-compliance with the NPPs continues to be most commonly complained about, being raised in 75% of all complaints received in this financial year. This is a significant increase from the previous financial year, where just over half of the complaints received related to the NPPs. In contrast, just over 17% of complaints in 2012–13 were about the IPPs. There was also an increase in complaints about credit reporting and in complaints where the OAIC found that it had no jurisdiction.
The particular issues complained about, as a percentage of total complaints received in 2012–13, are described in Table 7.4. The percentages add up to more than 100% because a complaint can raise more than one issue.
Table 7.4 Key issues in complaints
Issue | Number of complaints | % of complaints
NPP 2 — Use and disclosure | 378 | 25.3
NPP 6 — Access and correction | 216 | 14.4
NPP 1 — Collection | 187 | 12.5
NPP 4 — Data security | 183 | 12.2
Not in jurisdiction | 145 | 9.7
NPP 3 — Data quality | 137 | 9.2
IPP 10 and 11 — Use and disclosure | 127 | 8.5
Other jurisdictional issues | 80 | 5.4
IPP 1 — Collection | 38 | 2.5
IPP 4 — Security | 38 | 2.5
TFNs | 16 | 1.1
IPP 8 — Accuracy | 16 | 1.1
IPP 6 and 7 — Access and correction | 15 | 1.0
IPP 3 — Nature of collection | 13 | 0.9
NPP 5 — Openness | 11 | 0.7
IPP 9 — Use for relevant purpose | 10 | 0.7
IPP 2 — Notice | 7 | 0.5
NPP 10 — Collection of sensitive information | 5 | 0.3
Spent convictions | 5 | 0.3
NPP 9 — Transborder issues | 3 | 0.2
NPP 7 — Agency identifier | 1 | 0.1
NPP 8 — Anonymity | 1 | 0.1
As in 2011–12, the most common issue in both NPP and IPP complaints was use and disclosure. Complaints received about credit reporting increased by 4.3% from the previous financial year.
Table 7.5 shows the number of complaints made about each of the 10 most commonly complained about industry sectors. As in 2011–12, the finance sector continues to be the most frequently complained about industry. Following a decrease last year, complaints about the Australian Government rose from the third to the second most commonly complained about sector. Complaints about telecommunications, retail and utilities organisations also increased, and complaints about business and professional associations entered the 10 most complained about sectors this financial year.
Table 7.5 Ten most commonly complained about sectors
Sector | Number of complaints
Finance (including superannuation) | 305
Australian Government | 181
Telecommunications | 127
Credit reporting agencies | 117
Health service providers | 100
Retail | 75
Online services | 65
Insurance | 55
Utilities | 49
Business and professional associations | 45
Most complained about organisations and agencies
The most complained about organisations and agencies are listed in Table 7.6.
Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints may represent only a small percentage of those transactions.
The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act.
Table 7.6 Most complained about organisations and agencies
Organisation | Number of complaints received
Veda Advantage Information Services and Solutions Ltd | 98
Telstra Corporation Limited | 53
Department of Human Services | 39
Commonwealth Bank of Australia Limited | 31
Westpac Banking Corporation | 26
National Australia Bank Limited | 23
Singtel Optus Pty Ltd | 23
ANZ Bank Limited | 21
Dun & Bradstreet (Australia) Pty Ltd | 18
Synergy Energy | 16
Complaints closed during 2012–13
In 2012–13, the OAIC closed 1504 complaints, an increase of approximately 8.7% on the complaints closed in 2011–12.
One of the OAIC’s deliverables (see Chapter 2) is to finalise 80% of all privacy complaints within 12 months of receipt. In 2012–13, 95.7% of complaints were finalised within 12 months. In 2012–13, complaints were closed in an average of 3.7 months, which is an improvement from the previous financial year (average of 4.4 months).
The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.
If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the OAIC may decide not to investigate the matter or to cease an investigation. Otherwise, a Commissioner may make a determination about a complaint under s 52 of the Privacy Act.
The OAIC investigated or carried out preliminary inquiries on a slightly lower percentage of the total number of complaints received than it did in 2011–12. That is, there was a slight increase in the number and percentage of complaints that were declined at the outset.
Table 7.7 provides more information about the stage at which complaints were closed.
Table 7.7 Stage at which complaints were closed
Stage closed | Number of complaints | %
Without investigation | 827 | 55
Complaints closed without investigation
In 2012–13, the OAIC closed 55% of complaints without investigation.
The most common reasons for not investigating those complaints were:
- no interference with privacy (s 41(1)(a))
- complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))
- complaint was not within jurisdiction, the individual lodging the complaint was not complaining about the handling of their own personal information, or a respondent was not specified (s 36)
- complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).
Table 7.8 shows, in more detail, the reasons why complaints were closed without investigation. Complaints can cover more than one issue so the total number of issues by jurisdiction exceeds the number of complaints closed.
Table 7.8 Reasons for closing a complaint by jurisdiction (jurisdiction column headings not preserved in this extract; the last column is the total)
Reason | Jurisdiction 1 | Jurisdiction 2 | Jurisdiction 3 | Jurisdiction 4 | Jurisdiction 5 | Jurisdiction 6 | Total
No interference with privacy — s 41(1)(a) | 127 | 25 | 69 | 1 | 0 | 45 | 267
Complaint not raised with respondent — s 40(1A) | 108 | 24 | 80 | 0 | 0 | 0 | 212
Aware of alleged breach for more than 12 months — s 41(1)(c) | 22 | 12 | 7 | 2 | 0 | 0 | 43
Frivolous, vexatious, misconceived, lacks substance — s 41(1)(d) | 14 | 5 | 3 | 0 | 0 | 0 | 22
Dealt with under another law — s 41(1)(e) | 4 | 0 | 4 | 0 | 0 | 0 | 8
Another law is more appropriate — s 41(1)(f) | 5 | 1 | 1 | 0 | 0 | 0 | 7
Respondent has adequately dealt with the matter — s 41(2)(a) | 18 | 2 | 4 | 1 | 0 | 0 | 25
Respondent has not had opportunity to deal with complaint — s 41(2)(b) | 65 | 11 | 28 | 0 | 0 | 0 | 104
Other (for example, withdrawn) | 6 | 0 | 5 | 0 | 0 | 2 | 13
Total | 406 | 91 | 201 | 5 | 1 | 164 | 868
Of note is that 316 complaints (nearly one-third) were closed as the complainant had not raised the matter first with the respondent (s 40(1A)) or the respondent had not had an opportunity to deal with the complaint (s 41(2)(b)).
Complaints closed following preliminary inquiries
The Privacy Act authorises the OAIC to conduct preliminary inquiries to determine whether to investigate a complaint or exercise a discretionary power to not investigate a matter. For instance, a preliminary inquiry may seek to determine:
- whether an agency or organisation is willing to provide access to records
- if a particular act or practice is authorised by law
- whether an organisation falls within the small business operator exemption
- whether a respondent is an agency or organisation that is subject to the Privacy Act.
In 2012–13, the OAIC closed 35.6% of complaints after making preliminary inquiries.
Table 7.9 provides more detail on the basis for closing complaints following preliminary inquiries. The total number of issues by jurisdiction exceeds the number of preliminary inquiries closed because a complaint may raise more than one issue.
Table 7.9 Reasons for closing complaints after making preliminary inquiries by jurisdiction (jurisdiction column headings not preserved in this extract; the last column is the total)
Reason | Jurisdiction 1 | Jurisdiction 2 | Jurisdiction 3 | Jurisdiction 4 | Jurisdiction 5 | Jurisdiction 6 | Jurisdiction 7 | Total
s 41(1)(a) | 192 | 34 | 36 | 0 | 2 | 1 | 47 | 312
s 40(1A) | 3 | 0 | 2 | 0 | 0 | 0 | 0 | 5
s 41(1)(d) | 3 | 1 | 3 | 0 | 1 | 0 | 0 | 8
s 41(1)(f) | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 2
s 41(2)(a) | 134 | 9 | 21 | 1 | 0 | 0 | 0 | 165
s 41(2)(b) | 1 | 2 | 12 | 0 | 0 | 0 | 0 | 15
Other | 40 | 5 | 28 | 0 | 0 | 0 | 5 | 78
Total | 377 | 52 | 103 | 1 | 3 | 1 | 54 | 591
Key:
s 36 — not the privacy of the complainant or no respondent specified
s 41(1)(a) — no interference with privacy
s 40(1A) — complaint not raised with respondent
s 41(1)(d) — frivolous, vexatious, misconceived, lacks substance
s 41(1)(f) — another law is more appropriate
s 41(2)(a) — respondent has adequately dealt with the matter
s 41(2)(b) — respondent has not had an opportunity to deal with the complaint
Other — for example, withdrawn
The most common reason for closing a complaint after conducting a preliminary inquiry continued to be a finding that the individual’s privacy had not been interfered with, for example because the use or disclosure was permitted under the relevant NPP or IPP.
Nature of remedies achieved following preliminary inquiries
In conducting a preliminary inquiry, the OAIC may find that the respondent has adequately dealt with the matter, or the OAIC may be able to resolve the complaint through conciliation. Table 7.10 provides further detail about the types of remedies achieved following preliminary inquiries. The total number of remedies listed in Table 7.10 exceeds the total number of complaints where preliminary inquiries were conducted, as more than one remedy may have resulted for a particular complaint.
Table 7.10 Remedies for complaints closed as adequately dealt with after preliminary inquiries by jurisdiction
Remedy | NPPs | IPPs | Credit reporting | TFN | Total
Access provided | 57 | 0 | 0 | 0 | 57
Changed procedures | 21 | 1 | 0 | 1 | 23
Compensation $1001 to $5000 | 4 | 0 | 1 | 0 | 5
Compensation over $10,000 | 1 | 0 | 0 | 0 | 1
Other remedy | 28 | 3 | 3 | 1 | 35
Record amended | 23 | 4 | 17 | 0 | 44
Total | 188 | 17 | 26 | 3 | 234
As can be seen from Table 7.10, the most common remedy that resulted after a preliminary inquiry was a complainant receiving access to their records, followed by an amendment of records. Compensation was received by complainants in just over 7% of issues resolved at the preliminary inquiries stage.
Complaints closed after an investigation
In 2012–13, the OAIC closed 9.4% of complaints after an investigation was opened under s 40(1) of the Privacy Act.
Table 7.11 shows the reasons for closing a complaint after an investigation was commenced. The number of issues by jurisdiction exceeds the number of investigations closed, because a complaint may raise more than one issue.
Table 7.11 Reasons for closing a complaint after an investigation was commenced, by jurisdiction (jurisdiction column headings not preserved in this extract; the last column is the total)
Reason | Jurisdiction 1 | Jurisdiction 2 | Jurisdiction 3 | Jurisdiction 4 | Total
Respondent has adequately dealt with the complaint — s 41(2)(a) | 57 | 12 | 12 | 2 | 83
Determination made by the Privacy Commissioner — s 52 | 0 | 0 | 1 | 0 | 1
Other (for example withdrawn or being dealt with under another law) | 9 | 3 | 4 | 0 | 16
Total | 91 | 29 | 31 | 2 | 153
The OAIC tries, where possible, to resolve cases through conciliation at an early stage of an investigation. Respondents took steps to resolve the complaint in just over 50% of cases.
The remedies that were achieved by conciliation after an investigation include:
- apologising to the complainant
- training and counselling staff
- amending database systems and records
- changing internal procedures
- providing the complainant with access to records
- paying compensation to the complainant.
Nature of remedies achieved after an investigation
Table 7.12 provides more detail on the outcome of complaints that were closed on the basis that they had been adequately dealt with by the respondent, after an investigation was commenced by the OAIC. More than one remedy may have been reached for a particular complaint. Therefore, the total listed in Table 7.12 is not equal to the total number of complaints.
Table 7.12 Remedies for complaints that were closed as adequately dealt with by respondent after an investigation was commenced, by jurisdiction (jurisdiction column headings not preserved in this extract; the last column is the total)
Remedy | Jurisdiction 1 | Jurisdiction 2 | Jurisdiction 3 | Jurisdiction 4 | Total
Apology | 28 | 9 | 3 | 1 | 41
Changed procedures | 17 | 5 | 1 | 1 | 24
Compensation up to $1000 | 9 | 1 | 2 | 2 | 14
Compensation $1001 to $5000 | 2 | 2 | 2 | 0 | 6
Compensation $5001 to $10,000 | 4 | 2 | 1 | 0 | 7
Compensation over $10,000 | 1 | 0 | 0 | 0 | 1
Counselled staff | 9 | 0 | 0 | 0 | 9
Other remedy | 15 | 1 | 4 | 0 | 20
Records amended | 6 | 1 | 8 | 0 | 15
Staff training | 10 | 2 | 2 | 1 | 15
Total | 110 | 23 | 24 | 5 | 162
An apology to the complainant is the most common remedy achieved through conciliation, followed by compensation. The number of matters in which compensation formed part of the remedy (28) was the same as in 2011–12. There was a doubling in the number of matters in which a change of procedures formed part of the remedy (24) compared to the previous year.
Complaints under approved codes
The Privacy Act allows for organisations or groups of organisations to develop privacy codes. A code approved by the Information Commissioner replaces the NPPs as the legally enforceable privacy standards for those organisations. The Information Commissioner is the code adjudicator.
At 30 June 2013, there were two approved privacy codes in force:
- Queensland Club Industry Privacy Code — effective from 23 August 2002
- Market and Social Research Privacy Code — effective September 2003.
The OAIC did not receive complaints under either of the approved codes in 2012–13.
Determinations
The Privacy Commissioner made one determination in 2012–13: ‘S’ and Veda Advantage Information Services and Solutions Limited.
A determination is a legal decision or finding made by a Commissioner, where conciliation has not resolved the matter. In this matter, the Privacy Commissioner declared that: the respondent apologise in writing to the complainant, amend the complainant’s credit file and not provide the complainant’s credit report to any other person or body until it has amended/removed the misleading content from the credit report. The respondent was also required to pay the complainant $2000. Further, the Privacy Commissioner recommended that the respondent revise training packages and user information guides for subscribers and engage an independent auditor to review the respondent’s compliance with the Privacy Act.
Own motion investigations
Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called own motion investigations (OMI). From March 2014, under the Privacy Amendment (Enhancing Privacy Protection) Act 2012, these investigations will be known as ‘Commissioner Initiated Investigations’.
When conducting an OMI the OAIC can gather information about a respondent’s privacy practices, and can work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.
During 2012–13, 13 new matters involving alleged interferences with privacy were assessed for investigation as OMIs. These matters came to the OAIC’s attention from a variety of sources, including emails and letters from individuals and systemic issues identified through complaints or as a result of media coverage.
The OAIC uses its own risk assessment criteria to determine whether to investigate a matter on its own motion. The criteria include:
- the number of people affected and the possible consequences for those individuals
- the sensitivity of the personal information involved
- the progress of an agency’s or organisation’s own investigation into the matter and consideration of the actions taken by the entity in response
- the likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.
Table 7.13 shows a breakdown of the most common issues that arose in OMIs in 2012–13. The main compliance issues related to data protection, especially in relation to the adequacy of database security arrangements to prevent targeted hacking attacks that can lead to online disclosure of personal information.
Examples of incidents investigated in 2012–13 include:
- unlawful hacking attacks of customer databases that resulted in the online publication of customer data; this customer data included email addresses, passwords, quote and ordering information and in some instances credit card details
- hardcopy records of customers of an accommodation provider being stolen following a break-in at a secured storage facility; compromised data included identification documents and credit card details
- manipulation of an organisation’s website URL to reveal the details of different customers, such as name and address information.
Table 7.13 Issues in own motion investigations opened in 2012–13
Issues | Number of investigations
Credit reporting agency — access to credit file (s 18H) | 1
NPP 1.1 — unnecessary collection | 1
NPP 1.2 — unlawful, unfair collection | 1
NPP 1.3 and 1.5 — insufficient notice | 1
NPP 1.4 — third party collection | 1
NPP 2 — improper use or disclosure | 2
NPP 3 — data quality issues | 1
NPP 4.1 — data protection issues | 10
NPP 4.2 — data retention issues | 3
NPP 9 — transborder data flow issues | 1
NPP 10 — sensitive information collection | 1
Total | 23
A number of issues that came to the attention of the OAIC in 2012–13 were matters of significant public concern. To promote community confidence and transparency of its regulatory activities, the OAIC published two OMI reports that are available on the OAIC’s website.
Data breach notifications
A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, modification or other misuse.
In 2012–13, the OAIC received 61 DBNs, a 33% increase from the number of DBNs received in 2011–12. While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC, many agencies and organisations do so as good privacy practice. The OAIC encourages agencies and organisations to apply the advice set out in the OAIC guide, Data breach notification: A guide to handling personal information security breaches.
The Data breach notification guide includes information about when to report a data breach to the OAIC or affected individuals. It outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan.
Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations ensure they meet their obligations under the Privacy Act, and particularly IPP 4, NPP 4 and Part IIIA of the Privacy Act. The OAIC’s investigation of a DBN incident primarily focuses on the data security measures an agency or organisation had in place when the incident occurred and the steps taken to improve security practices as a result of a DBN. When considering the data security measures in place the OAIC has regard to its Guide to information security, released in April 2013.
The OAIC assesses each DBN to determine if further action is required by the agency or organisation to appropriately respond to the breach. The OAIC may take no further action if the agency or organisation has contained the breach by recovering the information or has taken steps that mitigate a further impact on individuals affected by the breach. These steps may include notifying relevant authorities and individuals, or reviewing and improving data security practices. Where the OAIC considers that inadequate steps have been taken or the agency or organisation is still assessing the source and impact of the breach and the overall response that is required, the OAIC will work with the entity to assist it to apply best privacy practice. In cases where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, it may open an OMI.
Issues in data breach notifications
Incidents reported to the OAIC through DBNs in 2012–13 included:
- an email containing exit interview survey data from ex-staff was sent to third parties; the personal information included names, physical and email addresses, dates of birth and reasons for separation
- the theft of secured personal information due to criminal activities, such as break and enter offences
- disclosure of customer or client personal information (including in some cases health information) to unauthorised third parties
- the inadvertent collection of personal and health information while collecting technical data relating to the functioning of specialist equipment
- the hacking of databases containing customers’ personal information.
Typically, the actions taken by entities in response to a DBN included system reviews and modification, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.
Data-matching
Monitoring government data-matching
Data-matching is the process of bringing together large data sets of personal information from different sources and comparing the data sets to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This process may include identifying individuals.
Data-matching involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data-matching, the OAIC performs a number of functions.
The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (statutory data-matching guidelines).
Additionally, the Information Commissioner oversees the functioning of the Guidelines for the use of data-matching in Commonwealth administration, which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.
Matching under the Data-matching Act and statutory data-matching guidelines
To detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special Centrelink Program unit within the Department of Human Services (DHS). This unit runs matches on behalf of DHS, the Department of Veterans’ Affairs (DVA) and the ATO.
The Data-matching Act and the statutory data-matching guidelines outline the types of personal information that can be used, and how it can be processed. The Data-matching Act and guidelines also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have a means of redress.
The Data-matching Act requires DHS, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under that Act. These reports are published separately by each agency.
The Data-matching Act also provides that the Information Commissioner is responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.
Inspections
In previous financial years, the OAIC undertook data-matching inspections at specified regional Business Integrity Sites (BIS), which processed and completed the data-matching reviews. During this financial year, Centrelink implemented a nationwide, risk-based intervention strategy for the processing of data-match reviews, known as Component Based Processing (CBP). Under CBP, individual components of a single data-match review may be completed across a number of BIS around Australia.
As a CBP inspection reviews data-match records completed across multiple sites, future data-match inspections can now be undertaken independently from a specific BIS location.
During the transition to CBP during 2012–13, the OAIC inspected DHS’s handling of a sample of data-matching cases for two BIS, and undertook a third inspection of records processed using the CBP approach.
The inspections were:
- Business Integrity Network Queanbeyan (Griffith region), September 2012
- Business Integrity Network Newcastle (Wallsend region), January 2013
- Business Integrity Network Australia (CBP), May 2013.
Representatives of the OAIC, with the assistance of Centrelink and regional staff, conducted inspections and reviewed a sample of customer records which had been through the data-matching process.
The Newcastle (Wallsend) inspection was undertaken at the Business Integrity Services Centre (BISC) in Queanbeyan, NSW, and included a sample of 10 records processed under the CBP approach. A full inspection of 100 records processed under the new CBP approach was undertaken at Centrelink premises in Redfern, NSW.
At the completion of each inspection, the OAIC prepared and forwarded a report to the National Manager of the Business Integrity Division, Centrelink, outlining the findings.
While the OAIC found that Centrelink’s processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act and the Privacy Act, the OAIC identified some areas of risk and made recommendations to improve practices.
Matching under the Guidelines for the use of data-matching in Commonwealth administration
Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but are run under different laws authorising the use and disclosure of personal information for data-matching purposes.
To assist agencies performing such data-matching activities to have proper regard to the privacy of individuals, the Information Commissioner has issued voluntary data-matching guidelines called the Guidelines for the use of data-matching in Commonwealth administration.
These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.
Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.
In 2012–13, the Information Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined below.
Matching agency: Australian Taxation Office
Contractor Payments Data-Matching Program (August 2012)
The purpose of the protocol is to match tax return data from contractors with taxation records from businesses that make payments to contractors.
Source agency: Australian Taxation Office (Employer (Payer) Obligation Audit data).
Motor Vehicle Data-Matching Program (September 2012)
The purpose of the protocol is to match motor vehicle registration data against taxpayer records to identify individuals who are not meeting their tax obligations.
Source agencies:
- Roads and Maritime Services, NSW
- Department of Transport and Main Roads, QLD
- Vic Roads
- Department of Infrastructure, Energy and Resources, TAS
- Department of Transport, Energy and Infrastructure, TAS
- Department of Transport, WA
- Department of Lands & Planning, NT
- Directorate of Territory and Municipal Services, ACT
Debit and Credit Card Data-Matching Program (October 2012)
The purpose of the protocol is to match merchant debit and credit card data against taxpayer records to identify businesses not meeting their registration, reporting, lodgement and payment obligations.
Source agencies:
- Commonwealth Bank of Australia
- St George Bank
- Westpac
- ANZ Bank
- National Australia Bank
- Bendigo and Adelaide Bank
- Bank of Queensland
- BWA Merchant Services
- American Express Australia
- Diners Club Australia.
Tax-free Government Pensions or Benefits Data-Matching Program (October 2012)
The purpose of the protocol is to match tax-free government pensions or benefits data against taxpayer records to identify non-compliance by taxpayers claiming dependant tax offsets.
Source agencies: Department of Human Services and the Department of Veterans Affairs.
Banking Transparency Strategy Data-Matching Program (October 2012)
The purpose of the protocol is to match offshore bank account details against taxpayer records to identify Australian residents utilising offshore bank accounts to conceal income and assets subject to tax in Australia.
Source agencies:
- ANZ Bank
- Commonwealth Bank of Australia
- National Australia Bank
- Westpac
- Bank of Queensland Limited
- Macquarie Bank Limited
- Arab Bank of Australia Limited
- Bank of China (Australia) Limited
- Citigroup Pty Limited
- HSBC Holdings PLC
- Investec Bank (Australia) Limited
- Rabobank Australia Limited
- China Construction Bank Corporation
- Citibank, N.A.
- Credit Suisse AG
- Deutsche Bank Aktiengesellschaft
- Rabobank Nederland
- Union Bank of Switzerland.
Real Property Data-Matching Program (October 2012)
The purpose of the protocol is to match revenue, land titles and residential tenancies’ rental bonds data against tax records to identify non-compliance with taxation obligations such as capital gains.
Source agencies:
- Office of State Revenue, NSW
- Department of Finance and Services — Land and Property Information, NSW
- Office of Fair Trading — Rental Bond Board, NSW
- Victorian State Revenue Office
- Consumer Affairs Victoria — Residential Tenancies Bond Authority
- Directorate of Territory Environment and Sustainable Development, ACT
- Office of Regulatory Services (Land Titles Office), ACT
- Revenue Office, NT
- Department of Lands, Planning and the Environment, NT
- Office of State Revenue, QLD
- Residential Tenancies Authority, QLD
- Department of Primary Industries, Parks, Water and Environment, TAS
- State Revenue Office, TAS
- Department of Justice, TAS
- Revenue SA
- Department of Planning, Transport and Infrastructure — Land Services Group, SA
- Land Information Authority, WA
- Office of State Revenue, WA.
Local Government Contractor Payments Data-Matching Program (November 2012)
The purpose of the protocol is to match contractor payments made by local government entities (councils and shires) in Queensland, NSW, Victoria and Tasmania against taxpayer records to identify non-compliance with taxation obligations including taxable government grants.
Source agencies: local government council and shire authorities throughout Queensland, Tasmania, NSW, Victoria.
WorkCover Data-Matching Program (December 2012)
The purpose of the program is to match employer data from WorkCover authorities against taxpayer records to identify non-compliance with taxation obligations and also obligations under workers compensation laws.
Source agencies:
- WorkSafe VIC
- WorkCover SA
- WorkCover NSW
- WorkCover QLD
- WorkCover WA
- WorkCover NT
- WorkCover ACT
- WorkCover TAS.
Temporary Working Visas Data-Matching Program (January 2013)
The purpose of the program is to match temporary working visa data with taxpayer records to identify fraud and non-compliance with taxation obligations.
Source agency: Department of Immigration and Citizenship.
Online selling Data-Matching Program (February 2013)
The purpose of the program is to match sales data from online selling websites with taxpayer records to identify non-compliance of individuals and businesses with their taxation obligations.
Source agencies: various online selling websites.
Matching agency: Department of Human Services
Commonwealth Seniors Health Card Data-Matching Program (September 2012)
The purpose of the protocol is to match tax return data with recipients of the Commonwealth Seniors Health Card to ensure eligible senior citizens receive benefits.
Source agency: Australian Taxation Office.
Australian Business Register Data-Matching Program (April 2013)
The purpose of the program is to match Australian Business Register data with Centrelink and Child Support customer data to identify business owners and operators who have had a change in their circumstances without notifying the Department of Human Services.
Source agency: the Australian Business Register.
eBay Data-Matching Program (April 2013)
The purpose of the program is to match eBay data with Centrelink and Child Support customers to assist with the collection of payments, debt recovery and fraud/non-compliance.
Source agency: eBay Incorporated.
Audits
Under the Privacy Act the Information Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances.
In 2012–13, the OAIC commenced four audits and finalised five audits.
These audits help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits to promote best privacy practice and to reduce privacy risks across agencies.
The Information Commissioner’s audit powers include:
- auditing agency compliance with the IPPs — s 27(1)(h)
- examining the records of the Commissioner of Taxation in relation to TFNs and TFN information — s 28(1)(d)
- auditing TFN recipients — s 28(1)(e)
- auditing credit information files and credit reports held by credit reporting agencies and credit providers — s 28A(1)(g).
Other than audits conducted by using the above powers, the Information Commissioner may only audit a private sector organisation if the organisation requests this under s 27(3) of the Privacy Act.
Under reforms to the Privacy Act made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, from March 2014 audits will be known as ‘assessments’. In addition, the Information Commissioner will have the power to conduct an assessment of both government agencies and private sector organisations.
An audit is a snapshot of personal information handling practices relating to the audited entity at a particular time and place. Audited entities are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program.
OAIC audits are an educative process that can convey an underlying message that compliance with the Privacy Act is part of good management practice. Audits have been the catalyst for improvements to agencies’ data security, accuracy of information, staff training and disclosure policies.
The OAIC generally publishes finalised audit reports on its website.
ACT government audits
The OAIC currently has a Memorandum of Understanding (MOU) with the ACT Government, which includes a commitment by the OAIC to conduct one audit of an ACT Government agency per financial year. The OAIC selects audit targets based on a risk assessment analysis that takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.
In 2012–13, the OAIC commenced and/or finalised the following ACT Government audits.
ACT Territory and Municipal Services Directorate
The audit examined the ‘MyWay’ Travel card program that was introduced to the ACT public in March 2011. Processes regarding the handling of personal information collected as part of the MyWay Travel Card registration process were reviewed.
This audit was commenced in February 2012. OAIC staff met with Territory and Municipal Services Directorate staff again in December 2012 and the audit was finalised in June 2013.
ACT Education and Training Directorate
The audit examined the policies, procedures and practices of the Education and Training Directorate with respect to third party access to student records, where the child is under 18, including where the personal information accessed is sensitive in nature.
The audit commenced on 29 March 2013. The draft report is in progress as of June 2013.
Identity security audits
The OAIC provided privacy advice to key agencies about projects delivered under the Australian Government’s National Identity Security Strategy (NISS). One project under the NISS related to the National Document Verification Service (DVS).
The DVS system allows authorised government agencies to verify, online and in real time, the authenticity of an individual’s Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that:
- the EOI document was issued by the relevant source government agency
- details recorded on the EOI document correspond to the details held by the source government agency
- the document is still valid.
Lead responsibility for the development of the DVS rests with the Attorney-General’s Department.
In 2012–13, the OAIC commenced and/or finalised the following identity security audits.
Department of Foreign Affairs and Trade
The audit assessed the acts and practices of the Department of Foreign Affairs and Trade as an issuer agency, including the management of document verification requests and security processes in relation to personal information handling under the IPPs.
The audit was commenced in November 2010 and finalised in December 2012.
Australian Taxation Office
This audit will assess the notification provided to ATO customers prior to use of the DVS system, as well as the practices and procedures used by the ATO to ensure the accuracy and completeness of personal information. The audit commenced in May 2013 and is ongoing as at 30 June 2013.
Australian Customs and Border Protection audits
The OAIC has an MOU with the Australian Customs and Border Protection Service (Customs) to conduct one audit each year of an aspect of Customs’ use of European Union (EU) Passenger Name Record (PNR) data.
In 2012–13, the OAIC finalised an audit (commenced in November 2011) which examined Customs’ handling of PNR data at the Brisbane and Gold Coast international airport arrivals terminals. The audit was finalised in July 2012.
In October 2012, an audit was commenced into requests for information for EU-sourced PNR data. The audit assessed the use and disclosure of both hard-copy and electronic EU-sourced PNR data, in response to requests for information for this data, against Customs’ obligations under the Information Privacy Principles.
The OAIC audit teams found that Customs was generally maintaining its records of personal information in accordance with its IPP obligations under the Privacy Act. Where appropriate, the audit teams made recommendations to promote best privacy practice, and also made observations in relation to Customs’ separate obligations under an agreement held with the EU for the provision of PNR data. The OAIC does not publish all Customs PNR audit reports on the OAIC website as some reports contain information that may affect the operational security of Australian Customs and Border Protection.
Healthcare Identifier audits
The Healthcare Identifiers Act 2010 (HI Act) established the Healthcare Identifier Service (HI Service), which commenced on 1 July 2010. The HI Service is part of the Department of Human Services.
The functions of the HI Service are:
- to assign and issue individual healthcare identifiers (IHIs) for all individuals who have, are or will be provided with healthcare and to healthcare providers (HPI-Is) and healthcare provider organisations (HPI-Os)
- allow those authorised to access the HI Service to retrieve healthcare identifiers
- keep the information associated with healthcare identifiers up to date and accurate, including de-activating or retiring health identifiers when they are no longer needed.
Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.
The OAIC received funding in 2011–12 under an Exchange of Letters agreement with the Department of Health and Ageing (DoHA) to undertake up to two healthcare identifier audits. Under a subsequent MOU between the OAIC and DoHA, for the period November 2012 to June 2014, the OAIC is to conduct up to two audits of the HI Service Operator (Department of Human Services) and up to two audits of agencies, organisations or state or territory authorities.
In 2012–13, the OAIC finalised an audit (commenced in June 2011) which examined the collection, storage and security, quality, use and disclosure of HPI-I information in keeping with the HI Service Operator’s obligations under the Privacy Act. This audit was finalised in August 2012.
In May 2013, the OAIC commenced an audit of the HI Service Operator examining the collection, use and disclosure of IHIs, HPI-I and associated identifying information by the HI Service Operator, after the HI record has been created and the IHI or HPI-I has been assigned and allocated. This audit was still in progress at 30 June 2013.
Personally Controlled Electronic Health Record audits
The Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) establishes the personally controlled electronic health record (PCEHR) system.
The OAIC has various enforcement and investigative powers in respect of the PCEHR system, under both the PCEHR Act and the Privacy Act.
Under an MOU between the OAIC and DoHA, for the period November 2012 to June 2014, the OAIC is to conduct up to two audits of the PCEHR System Operator and up to two audits of organisations or agencies, upon invitation.
In May 2013, the OAIC commenced an audit examining policies and procedures for the collection of personal information during the PCEHR consumer registration processes and guidance material for collecting personal information via the assisted registration procedure. This audit was still in progress at 30 June 2013.
Personal Information Digest
To help people understand what personal information is held by each Australian and ACT government agency, IPP 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:
- the nature of records kept
- the purpose for which these records are kept
- the categories of people the information is about
- the period for which the records are kept
- who has access to the records
- the steps an individual needs to take to gain access to the records.