OAIC releases the 2012 – 13 annual report

October 31, 2013 |

The Office of the Australian Information Commissioner has released its annual report today.  It is found here.

It is a voluminous document, which is normal for an agency.  Chapter 7 deals with privacy compliance.  It provides:

Privacy compliance


To ensure that privacy is valued and respected in Australia, the Office of the Australian Information Commissioner (OAIC) undertakes a wide range of compliance activities.

These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections, conducting own motion investigations (OMIs) and receiving and reviewing data breach notifications (DBNs).

In 2012–13, the OAIC received 1496 complaints, an increase of 10.2% over the 1357 received in 2011–12. Additionally, the OAIC received 61 voluntary DBNs, a 33% increase on the number of DBNs received in 2011–12.

Thirteen OMIs were commenced and work was undertaken on seven audits.

Responding to privacy enquiries

The OAIC’s enquiries line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The OAIC’s enquiries line also responds to written enquiries received by post, email or fax.

Telephone enquiries

In 2012–13, the enquiries line answered 18,205 telephone calls, 9,009 of which related to privacy matters that were within the OAIC’s jurisdiction. A further 1,703 enquiries were received about privacy matters that were out of jurisdiction.

Most callers are individuals seeking information about their privacy rights and how to resolve privacy complaints.

Table 7.1 sets out the top 10 types of caller who telephoned the enquiries line in 2012–13.

Table 7.1 Top 10 privacy caller types (number of calls)

Business and professional associations
Health service providers
Real estate agents
Australian Government
Legal, accounting and management services
Personal services (including employment, child care, vets)
Finance (including superannuation)
Table 7.2 provides a breakdown of issues discussed in the calls received during 2012–13. More than three quarters (83%) of the privacy-related calls were about the National Privacy Principles (NPPs). The most frequently discussed issue continues to be the use and disclosure of personal information by private sector organisations, followed by NPP exemptions, improper collection, access and correction, and data security.

The number of privacy-related calls about credit reporting and the Information Privacy Principles (IPPs) was lower than in previous years.

Table 7.2 Breakdown of issues discussed in privacy calls received (number of calls)

NPP 1 — Collection
NPP 2 — Use and disclosure
NPP 3 — Data quality
NPP 4 — Data security
NPP 5 — Openness (privacy statement)
NPP 6 — Access and correction
NPP 7 — Identifiers
NPP 8 — Anonymity
NPP 9 — Transborder data flows
NPP 10 — Sensitive information collection
NPP Exemptions
NPPs generally
Credit reporting
Data breach notification
Healthcare identifier
Information Privacy Principles (public sector)
Personal Property Securities Register
Personally controlled electronic health records
Privacy codes
Privacy law reforms
Spent convictions
Tax file numbers
Table 7.3 lists the 10 private sector industry groups that were most enquired about in NPP telephone enquiries. This pattern has been generally consistent for several years.

Table 7.3 Top 10 private sector industry groups enquired about (number of telephone enquiries)

Business and professional associations
Health service providers
Real estate agents
Finance (including superannuation)
Personal services (including employment, child care, vets)
Online services
Following are some examples of calls received during 2012–13.

  • A caller asked about the privacy implications of an organisation monitoring and recording calls for quality and coaching purposes. The caller was advised that ‘monitoring’ and ‘recording’ are not the same, and that the Privacy Act 1988 (Privacy Act) applies only to personal information that is or will be held in a record. The organisation should understand that personal information, once recorded, must be managed in accordance with the NPPs, even if recorded only for staff development and training. Information was provided to the caller about NPP 1 (Collection), NPP 2 (Use and disclosure) and NPP 6 (Access and correction). Best practice privacy compliance was also discussed, noting that best practice would be to provide individuals with the option not to have their call recorded.
  • A caller was concerned about the actions of his ex-partner, who had obtained his details and was opening fraudulent lines of credit. The police had been contacted. The caller was advised that the Privacy Act may not apply as it does not cover the actions of individuals. The caller was nevertheless provided with information on NPP 2 (Use and disclosure), NPP 4 (data security), the OAIC’s complaints process, and OAIC fact sheets on protecting your own personal information.
  • A caller asked if the Commonwealth Spent Convictions Scheme applied to a criminal history check for employment that includes working with children. He was provided with information about the Spent Convictions Scheme and relevant exemptions.

Written enquiries

Of the 3142 written enquiries received by the OAIC in 2012–13, 1567 related to privacy matters that were within the OAIC’s jurisdiction. A further 323 enquiries were about privacy matters out of jurisdiction. The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was met in 2012–13, with 93% of privacy-related written enquiries responded to within 10 working days.

In 2012–13, 64% of privacy related written enquiries concerned the private sector provisions of the Privacy Act. This is consistent with the 2011–12 figure (65%).


The OAIC can investigate complaints about acts or practices that may be an interference with an individual’s privacy. These can include allegations that:

  • personal information has been collected, held, used or disclosed by an organisation in contravention of the NPPs
  • personal information has been handled by an Australian, ACT or Norfolk Island Government agency in a manner that does not comply with the IPPs
  • credit-worthiness information held by credit providers and credit reporting agencies has been mishandled
  • Tax File Numbers (TFNs) have been mishandled by individuals or organisations
  • personal information has not been managed in accordance with spent conviction, data matching or healthcare identifier legislation.

Complaints received during 2012–13

In 2012–13, the OAIC received a total of 1496 complaints relating to privacy, on a wide variety of issues.

Non-compliance with the NPPs continues to be most commonly complained about, being raised in 75% of all complaints received in this financial year. This is a significant increase from the previous financial year, where just over half of the complaints received related to the NPPs. In contrast, just over 17% of complaints in 2012–13 were about the IPPs. There was also an increase in complaints about credit reporting and in complaints where the OAIC found that it had no jurisdiction.

The particular issues complained about as a percentage of total complaints received in 2012–13 are described in Table 7.4. The percentages exceed 100% because a complaint can raise more than one issue.

Table 7.4 Key issues in complaints

Issues | Number of complaints | % of complaints
Credit reporting | 403 | 26.9
NPP 2 — Use and disclosure | |
NPP 6 — Access and correction | |
NPP 1 — Collection | |
NPP 4 — Data security | |
Not in jurisdiction | |
NPP 3 — Data quality | |
IPP 10 and 11 — Use and disclosure | |
Other jurisdictional issues | |
IPP 1 — Collection | |
IPP 4 — Security | |
IPP 8 — Accuracy | |
IPP 6 and 7 — Access and correction | |
IPP 3 — Nature of collection | |
NPP 5 — Openness | |
IPP 9 — Use for relevant purpose | |
IPP 2 — Notice | |
NPP 10 — Collection of sensitive information | |
Spent convictions | |
NPP 9 — Transborder issues | |
NPP 7 — Agency identifier | |
NPP 8 — Anonymity | |
As in 2011–12, the most common issue in both NPP and IPP complaints was use and disclosure. Complaints received about credit reporting increased by 4.3% from the previous financial year.

Table 7.5 shows the number of complaints made about each of the 10 most commonly complained about industry sectors. As in 2011–12, the finance sector continues to be the most frequently complained about industry. Following a decrease last year, complaints about the Australian Government rose from the third to the second most commonly complained about sector. Complaints about telecommunications, retail and utilities organisations also increased, and complaints about business and professional associations entered the 10 most complained about sectors this financial year.

Table 7.5 Ten most commonly complained about sectors (number of complaints)

Finance (including superannuation)
Australian Government
Credit reporting agencies
Health service providers
Online services
Business and professional associations
Most complained about organisations and agencies

The most complained about organisations and agencies are listed in Table 7.6.

Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints may represent only a small percentage of those transactions.

The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act.

Table 7.6 Most complained about organisations and agencies

Organisation | Number of complaints received
Veda Advantage Information Services and Solutions Ltd | 98
Telstra Corporation Limited | 53
Department of Human Services | 39
Commonwealth Bank of Australia Limited | 31
Westpac Banking Corporation | 26
National Australia Bank Limited | 23
Singtel Optus Pty Ltd | 23
ANZ Bank Limited | 21
Dun & Bradstreet (Australia) Pty Ltd | 18
Synergy Energy | 16

Complaints closed during 2012–13

In 2012–13, the OAIC closed 1504 complaints, an increase of approximately 8.7% on the complaints closed in 2011–12.

One of the OAIC’s deliverables (see Chapter 2) is to finalise 80% of all privacy complaints within 12 months of receipt. In 2012–13, 95.7% of complaints were finalised within 12 months. In 2012–13, complaints were closed in an average of 3.7 months, which is an improvement from the previous financial year (average of 4.4 months).

The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.

If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the OAIC may decide not to investigate the matter or to cease an investigation. Otherwise, a Commissioner may make a determination about a complaint under s 52 of the Privacy Act.

The OAIC investigated or carried out preliminary inquiries on a slightly lower percentage of the total number of complaints received than it did in 2011–12. That is, there was a slight increase in the number and percentage of complaints that were declined at the outset.

Table 7.7 provides more information about the stage at which complaints were closed.

Table 7.7 Stage at which complaints were closed

Stage closed | Number of complaints | %
Without investigation | 827 | 55
Preliminary inquiries | |
Complaints closed without investigation

In 2012–13, the OAIC closed 55% of complaints without investigation.

The most common reasons for not investigating those complaints were:

  • no interference with privacy (s 41(1)(a))
  • complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))
  • complaint was not within jurisdiction, the individual lodging the complaint was not complaining about the handling of their own personal information, or a respondent was not specified (s 36)
  • complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).

Table 7.8 shows, in more detail, the reasons why complaints were closed without investigation. Complaints can cover more than one issue so the total number of issues by jurisdiction exceeds the number of complaints closed.


Table 7.8 Reasons for closing a complaint by jurisdiction

Reason for closing complaint | Issues by jurisdiction | Total
Not the privacy of the complainant or no respondent specified, no jurisdiction — s 36 | 37 11 0 1 1 117 | 167
No interference with privacy — s 41(1)(a) | 127 25 69 1 0 45 | 267
Complaint not raised with respondent — s 40(1A) | 108 24 80 0 0 0 | 212
Aware of alleged breach for more than 12 months — s 41(1)(c) | 22 12 7 2 0 0 | 43
Frivolous, vexatious, misconceived, lacks substance — s 41(1)(d) | 14 5 3 0 0 0 | 22
Dealt with under another law — s 41(1)(e) | 4 0 4 0 0 0 | 8
Another law is more appropriate — s 41(1)(f) | 5 1 1 0 0 0 | 7
Respondent has adequately dealt with the matter — s 41(2)(a) | 18 2 4 1 0 0 | 25
Respondent has not had opportunity to deal with complaint — s 41(2)(b) | 65 11 28 0 0 0 | 104
Other (for example, …) | 6 0 5 0 0 2 | 13
Total | 406 91 201 5 1 164 | 868

Of note is that 316 complaints (nearly one-third) were closed as the complainant had not raised the matter first with the respondent (s 40(1A)) or the respondent had not had an opportunity to deal with the complaint (s 41(2)(b)).

Complaints closed following preliminary inquiries

The Privacy Act authorises the OAIC to conduct preliminary inquiries to determine whether to investigate a complaint or exercise a discretionary power to not investigate a matter. For instance, a preliminary inquiry may seek to determine:

  • whether an agency or organisation is willing to provide access to records
  • if a particular act or practice is authorised by law
  • whether an organisation falls within the small business operator exemption
  • whether a respondent is an agency or organisation that is subject to the Privacy Act.

In 2012–13, the OAIC closed 35.6% of complaints after making preliminary inquiries.

Table 7.9 provides more detail on the basis for closing complaints following preliminary inquiries. The total number of issues by jurisdiction exceeds the number of preliminary inquiries closed because a complaint may raise more than one issue.

Table 7.9 Reasons for closing complaints after making preliminary inquiries by jurisdiction

Reason for closing complaint | Total (all jurisdictions)
s 36 — not the privacy of the complainant or no respondent specified | 6
s 41(1)(a) — no interference with privacy | 312
s 40(1A) — complaint not raised with respondent | 5
s 41(1)(d) — frivolous, vexatious, misconceived, lacks substance | 8
s 41(1)(f) — another law is more appropriate | 2
s 41(2)(a) — respondent has adequately dealt with the matter | 165
s 41(2)(b) — respondent has not had an opportunity to deal with the complaint | 15
Other — for example, withdrawn | 78
Total | 591

The most common reason for closing a complaint after conducting a preliminary inquiry continued to be a finding that the individual’s privacy had not been interfered with, for example because the use or disclosure was permitted under the relevant NPP or IPP.

Nature of remedies achieved following preliminary inquiries

In conducting a preliminary inquiry, the OAIC may find that the respondent has adequately dealt with the matter, or the OAIC may be able to resolve the complaint through conciliation. Table 7.10 provides further detail about the types of remedies achieved following preliminary inquiries. The total number of remedies listed in Table 7.10 exceeds the total number of complaints where preliminary inquiries were conducted, as more than one remedy may have resulted for a particular complaint.

Table 7.10 Remedies for complaints closed as adequately dealt with after preliminary inquiries by jurisdiction

Remedy | NPPs | IPPs | Credit reporting | TFN | Total
Access provided | 57 | 0 | 0 | 0 | 57
Apology | 28 | 6 | 1 | 1 | 36
Changed procedures | 21 | 1 | 0 | |
Compensation up to $1000 | 7 | 0 | | 0 | 10
Compensation $1001 to $5000 | | | | |
Compensation $5001 to $10,000 | 0 | 0 | | |
Compensation over $10,000 | | | | |
Counselled staff | 7 | 1 | | |
Other remedy | | | | |
Record amended | 23 | 4 | 170 | |
Staff training | 12 | 2 | 0 | 0 | 14

As can be seen from Table 7.10, the most common remedy that resulted after a preliminary inquiry was a complainant receiving access to their records, followed by an amendment of records. Compensation was received by complainants in just over 7% of issues resolved at the preliminary inquiries stage.

Complaints closed after an investigation

In 2012–13, the OAIC closed 9.4% of complaints after an investigation was opened under s 40(1) of the Privacy Act.

Table 7.11 shows the reasons for closing a complaint after an investigation was commenced. The number of issues by jurisdiction exceeds the number of investigations closed, because a complaint may raise more than one issue.

Table 7.11 Reasons for closing following an investigation, by jurisdiction

Reason for closing | Issues by jurisdiction | Total
No interference with privacy — s 41(1)(a) | 25 14 14 0 | 53
Respondent has adequately dealt with the complaint — s 41(2)(a) | 57 12 12 |
Determination made by the Privacy Commissioner — s 52 | 0 0 |
Other (for example withdrawn or being dealt with under another law) | 9 3 |
Total | 91 29 31 |
The OAIC tries, where possible, to resolve cases through conciliation at an early stage of an investigation. Respondents took steps to resolve the complaint in just over 50% of cases.

The remedies that were achieved by conciliation after an investigation include:

  • apologising to the complainant
  • training and counselling staff
  • amending database systems and records
  • changing internal procedures
  • providing the complainant with access to records
  • paying compensation to the complainant.

Nature of remedies achieved after an investigation

Table 7.12 provides more detail on the outcome of complaints that were closed on the basis that they had been adequately dealt with by the respondent, after an investigation was commenced by the OAIC. More than one remedy may have been reached for a particular complaint. Therefore, the total listed in Table 7.12 is not equal to the total number of complaints.

Table 7.12 Remedies for complaints that were closed as adequately dealt with by respondent after an investigation was commenced, by jurisdiction

Remedy | NPPs | IPPs | Credit reporting | TFN | Total
Access provided | 9 | 0 | 1 | 0 | 10
Apology | 28 | 9 | | |
Changed procedures | 17 | 5 | | |
Compensation up to $1000 | 9 | 1 | | |
Compensation $1001 to $5000 | 2 | 2 | | |
Compensation $5001 to $10,000 | 4 | 2 | | |
Compensation over $10,000 | 1 | 0 | | |
Counselled staff | 9 | 0 | | |
Other remedy | 15 | 1 | | |
Records amended | 6 | 1 | | |
Staff training | 10 | 2 | | |
Total | 110 | 23 | 24 | |
An apology to the complainant is the most common remedy achieved through conciliation, followed by compensation. The number of matters in which compensation formed part of the remedy (28) was the same as in 2011–12. There was a doubling in the number of matters in which a change of procedures formed part of the remedy (24) compared to the previous year.

Complaints under approved codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. A code approved by the Information Commissioner replaces the NPPs as the legally enforceable privacy standards for those organisations. The Information Commissioner is the code adjudicator.

At 30 June 2013, there were two approved privacy codes in force:

  • Queensland Club Industry Privacy Code — effective from 23 August 2002
  • Market and Social Research Privacy Code — effective September 2003.

The OAIC did not receive complaints under either of the approved codes in 2012–13.


The Privacy Commissioner made one determination in 2012–13: ‘S’ and Veda Advantage Information Services and Solutions Limited.

A determination is a legal decision or finding made by a Commissioner, where conciliation has not resolved the matter. In this matter, the Privacy Commissioner declared that the respondent apologise in writing to the complainant, amend the complainant’s credit file and not provide the complainant’s credit report to any other person or body until it has amended/removed the misleading content from the credit report. The respondent was also required to pay the complainant $2000. Further, the Privacy Commissioner recommended that the respondent revise training packages and user information guides for subscribers and engage an independent auditor to review the respondent’s compliance with the Privacy Act.

Own motion investigations

Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called own motion investigations (OMI). From March 2014, under the Privacy Amendment (Enhancing Privacy Protection) Act 2012, these investigations will be known as ‘Commissioner Initiated Investigations’.

When conducting an OMI the OAIC can gather information about a respondent’s privacy practices, and can work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.

During 2012–13, 13 new matters involving alleged interferences with privacy were assessed for investigation as OMIs. These matters came to the OAIC’s attention from a variety of sources, including emails and letters from individuals and systemic issues identified through complaints or as a result of media coverage.

The OAIC uses its own risk assessment criteria to determine whether to investigate a matter on its own motion. The criteria include:

  • the number of people affected and the possible consequences for those individuals
  • the sensitivity of the personal information involved
  • the progress of an agency’s or organisation’s own investigation into the matter and consideration of the actions taken by the entity in response
  • the likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.

Table 7.13 shows a breakdown of the most common issues that arose in OMIs in 2012–13. The main compliance issues related to data protection, especially in relation to the adequacy of database security arrangements to prevent targeted hacking attacks that can lead to online disclosure of personal information.

Examples of incidents investigated in 2012–13 include:

  • unlawful hacking attacks of customer databases that resulted in the online publication of customer data; this customer data included email addresses, passwords, quote and ordering information and in some instances credit card details
  • hardcopy records of customers of an accommodation provider being stolen following a break-in at a secured storage facility; compromised data included identification documents and credit card details
  • manipulation of an organisation’s website URL to reveal the details of different customers, such as name and address information.

Table 7.13 Issues in own motion investigations opened in 2012–13 (number of investigations)

Credit reporting agency — access to credit file (s 18H)
NPP 1.1 — unnecessary collection
NPP 1.2 — unlawful, unfair collection
NPP 1.3 and 1.5 — insufficient notice
NPP 1.4 — third party collection
NPP 2 — improper use or disclosure
NPP 3 — data quality issues
NPP 4.1 — data protection issues
NPP 4.2 — data retention issues
NPP 9 — transborder data flow issues
NPP 10 — sensitive information collection

A number of issues that came to the attention of the OAIC in 2012–13 were matters of significant public concern. To promote community confidence and transparency of its regulatory activities, the OAIC published two OMI reports that are available on the OAIC’s website.

Data breach notifications

A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, modification or other misuse.

In 2012–13, the OAIC received 61 DBNs, a 33% increase from the number of DBNs received in 2011–12. While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC, many agencies and organisations do so as good privacy practice. The OAIC encourages agencies and organisations to apply the advice set out in the OAIC guide, Data breach notification: A guide to handling personal information security breaches.

The Data breach notification guide includes information about when to report a data breach to the OAIC or affected individuals. It outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan.

Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations ensure they meet their obligations under the Privacy Act, and particularly IPP 4, NPP 4 and Part IIIA of the Privacy Act. The OAIC’s investigation of a DBN incident primarily focuses on the data security measures an agency or organisation had in place when the incident occurred and the steps taken to improve security practices as a result of a DBN. When considering the data security measures in place the OAIC has regard to its Guide to information security, released in April 2013.

The OAIC assesses each DBN to determine if further action is required by the agency or organisation to appropriately respond to the breach. The OAIC may take no further action if the agency or organisation has contained the breach by recovering the information or has taken steps that mitigate a further impact on individuals affected by the breach. These steps may include notifying relevant authorities and individuals, or reviewing and improving data security practices. Where the OAIC considers that inadequate steps have been taken or the agency or organisation is still assessing the source and impact of the breach and the overall response that is required, the OAIC will work with the entity to assist it to apply best privacy practice. In cases where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, it may open an OMI.

Issues in data breach notifications

Incidents reported to the OAIC through DBNs in 2012–13 included:

  • an email containing exit interview survey data from ex-staff was sent to third parties; the personal information included names, physical and email addresses, dates of birth and reasons for separation
  • the theft of secured personal information due to criminal activities, such as break and enter offences
  • disclosure of customer or client personal information (including in some cases health information) to unauthorised third parties
  • the inadvertent collection of personal and health information while collecting technical data relating to the functioning of specialist equipment
  • the hacking of databases containing customers’ personal information.

Typically, the actions taken by entities in response to a DBN included system reviews and modification, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.

Monitoring government data-matching

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing the data sets to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This process may include identifying individuals.

Data-matching involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data-matching, the OAIC performs a number of functions.

The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (statutory data-matching guidelines).

Additionally, the Information Commissioner oversees the functioning of the Guidelines for the use of data-matching in Commonwealth administration, which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.

Matching under the Data-matching Act and statutory data-matching guidelines

To detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special Centrelink Program unit within the Department of Human Services (DHS). This unit runs matches on behalf of DHS, the Department of Veterans’ Affairs (DVA) and the ATO.

The Data-matching Act and the statutory data-matching guidelines outline the types of personal information that can be used, and how it can be processed. The Data-matching Act and guidelines also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have a means of redress.

The Data-matching Act requires DHS, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under that Act. These reports are published separately by each agency.

The Data-matching Act also provides that the Information Commissioner is responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.

In previous financial years, the OAIC undertook data-matching inspections at specified regional Business Integrity Sites (BIS), which processed and completed the data-matching reviews. During this financial year, Centrelink implemented a nationwide, risk-based intervention strategy for the processing of data-match reviews, known as Component Based Processing (CBP). Under CBP, individual components of a single data-match review may be completed across a number of BIS around Australia.

As a CBP inspection reviews data-match records completed across multiple sites, future data-match inspections can now be undertaken independently from a specific BIS location.

During the transition to CBP during 2012–13, the OAIC inspected DHS’s handling of a sample of data-matching cases for two BIS, and undertook a third inspection of records processed using the CBP approach.

The inspections were:

  • Business Integrity Network Queanbeyan (Griffith region), September 2012
  • Business Integrity Network Newcastle (Wallsend region), January 2013
  • Business Integrity Network Australia (CBP), May 2013.

Representatives of the OAIC, with the assistance of Centrelink and regional staff, conducted inspections and reviewed a sample of customer records which had been through the data-matching process.

The Newcastle (Wallsend) inspection was undertaken at the Business Integrity Services Centre (BISC) in Queanbeyan, NSW, and included a sample of 10 records processed under the CBP approach. A full inspection of 100 records processed under the new CBP approach was undertaken at Centrelink premises in Redfern, NSW.

At the completion of each inspection, the OAIC prepared and forwarded a report to the National Manager of the Business Integrity Division, Centrelink, outlining the findings.

While the OAIC found that Centrelink’s processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act and the Privacy Act, the OAIC identified some areas of risk and made recommendations to improve practices.

Matching under the Guidelines for the use of data-matching in Commonwealth administration

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but are run under different laws authorising the use and disclosure of personal information for data-matching purposes.

To assist agencies performing such data-matching activities to have proper regard to the privacy of individuals, the Information Commissioner has issued voluntary data-matching guidelines called the Guidelines for the use of data-matching in Commonwealth administration.

These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.

Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.

In 2012–13, the Information Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined below.

Matching agency: Australian Taxation Office

Contractor Payments Data-Matching Program (August 2012)

The purpose of the protocol is to match tax return data from contractors with taxation records from businesses that make payments to contractors.

Source agency: Australian Taxation Office (Employer (Payer) Obligation Audit data).

Motor Vehicle Data-Matching Program (September 2012)

The purpose of the protocol is to match motor vehicle registration data against taxpayer records to identify individuals who are not meeting their tax obligations.

Source agencies:

  • Roads and Maritime Services, NSW
  • Department of Transport and Main Roads, QLD
  • Vic Roads
  • Department of Infrastructure, Energy and Resources, TAS
  • Department of Transport, Energy and Infrastructure, TAS
  • Department of Transport, WA
  • Department of Lands & Planning, NT
  • Directorate of Territory and Municipal Services, ACT

Debit and Credit Card Data-Matching Program (October 2012)

The purpose of the protocol is to match merchant debit and credit card data against taxpayer records to identify businesses not meeting their registration, reporting, lodgement and payment obligations.

Source agencies:

  • Commonwealth Bank of Australia
  • St George Bank
  • Westpac
  • ANZ Bank
  • National Australia Bank
  • Bendigo and Adelaide Bank
  • Bank of Queensland
  • BWA Merchant Services
  • American Express Australia
  • Diners Club Australia.

Tax-free Government Pensions or Benefits Data-Matching Program (October 2012)

The purpose of the protocol is to match tax-free government pensions or benefits data against taxpayer records to identify non-compliance by taxpayers claiming dependant tax offsets.

Source agencies: Department of Human Services and the Department of Veterans’ Affairs.

Banking Transparency Strategy Data-Matching Program (October 2012)

The purpose of the protocol is to match offshore bank account details against taxpayer records to identify Australian residents utilising offshore bank accounts to conceal income and assets subject to tax in Australia.

Source agencies:

  • ANZ Bank
  • Commonwealth Bank of Australia
  • National Australia Bank
  • Westpac
  • Bank of Queensland Limited
  • Macquarie Bank Limited
  • Arab Bank of Australia Limited
  • Bank of China (Australia) Limited
  • Citigroup Pty Limited
  • HSBC Holdings PLC
  • Investec Bank (Australia) Limited
  • Rabobank Australia Limited
  • China Construction Bank Corporation
  • Citibank, N.A.
  • Credit Suisse AG
  • Deutsche Bank Aktiengesellschaft
  • Rabobank Nederland
  • Union Bank of Switzerland.

Real Property Data-Matching Program (October 2012)

The purpose of the protocol is to match revenue, land titles and residential tenancies’ rental bonds data against tax records to identify non-compliance with taxation obligations such as capital gains.

Source agencies:

  • Office of State Revenue, NSW
  • Department of Finance and Services — Land and Property Information, NSW
  • Office of Fair Trading — Rental Bond Board, NSW
  • Victorian State Revenue Office
  • Consumer Affairs Victoria — Residential Tenancies Bond Authority
  • Directorate of Territory Environment and Sustainable Development, ACT
  • Office of Regulatory Services (Land Titles Office), ACT
  • Revenue Office, NT
  • Department of Lands, Planning and the Environment, NT
  • Office of State Revenue, QLD
  • Residential Tenancies Authority, QLD
  • Department of Primary Industries, Parks, Water and Environment, TAS
  • State Revenue Office, TAS
  • Department of Justice, TAS
  • Revenue SA
  • Department of Planning, Transport and Infrastructure — Land Services Group, SA
  • Land Information Authority, WA
  • Office of State Revenue, WA.

Local Government Contractor Payments Data-Matching Program (November 2012)

The purpose of the protocol is to match contractor payments made by local government entities (councils and shires) in Queensland, NSW, Victoria and Tasmania against taxpayer records to identify non-compliance with taxation obligations including taxable government grants.

Source agencies: local government council and shire authorities throughout Queensland, Tasmania, NSW, Victoria.

WorkCover Data-Matching Program (December 2012)

The purpose of the program is to match employer data from WorkCover authorities against taxpayer records to identify non-compliance with taxation obligations and also obligations under workers compensation laws.

Source agencies:

  • WorkSafe VIC
  • WorkCover SA
  • WorkCover NSW
  • WorkCover QLD
  • WorkCover WA
  • WorkCover NT
  • WorkCover ACT
  • WorkCover TAS.

Temporary Working Visas Data-Matching Program (January 2013)

The purpose of the program is to match temporary working visa data with taxpayer records to identify fraud and non-compliance with taxation obligations.

Source agency: Department of Immigration and Citizenship.

Online Selling Data-Matching Program (February 2013)

The purpose of the program is to match sales data from online selling websites with taxpayer records to identify non-compliance of individuals and businesses with their taxation obligations.

Source agencies: various online selling websites.

Matching agency: Department of Human Services

Commonwealth Seniors Health Card Data-Matching Program (September 2012)

The purpose of the protocol is to match tax return data with recipients of the Commonwealth Seniors Health Card to ensure eligible senior citizens receive benefits.

Source agency: Australian Taxation Office.

Australian Business Register Data-Matching Program (April 2013)

The purpose of the program is to match Australian Business Register data with Centrelink and Child Support customer data to identify business owners and operators who have had a change in their circumstances without notifying the Department of Human Services.

Source agency: the Australian Business Register.

eBay Data-Matching Program (April 2013)

The purpose of the program is to match eBay data with Centrelink and Child Support customers to assist with the collection of payments, debt recovery and fraud/non-compliance.

Source agency: eBay Incorporated.

Audits

Under the Privacy Act the Information Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances.

In 2012–13, the OAIC commenced four audits and finalised five audits.

These audits help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits to promote best privacy practice and to reduce privacy risks across agencies.

The Information Commissioner’s audit powers include:

  • auditing agency compliance with the IPPs — s 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to TFNs and TFN information — s 28(1)(d)
  • auditing TFN recipients — s 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers — s 28A(1)(g).

Other than audits conducted by using the above powers, the Information Commissioner may only audit a private sector organisation if the organisation requests this under s 27(3) of the Privacy Act.

Under reforms to the Privacy Act made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, from March 2014 audits will be known as ‘assessments’. In addition, the Information Commissioner will have the power to conduct an assessment of both government agencies and private sector organisations.

An audit is a snapshot of personal information handling practices relating to the audited entity at a particular time and place. Audited entities are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program.

OAIC audits are an educative process that can convey an underlying message that compliance with the Privacy Act is part of good management practice. Audits have been the catalyst for improvements to agencies’ data security, accuracy of information, staff training and disclosure policies.

The OAIC generally publishes finalised audit reports on its website.

ACT government audits

The OAIC currently has a Memorandum of Understanding (MOU) with the ACT Government, which includes a commitment by the OAIC to conduct one audit of an ACT Government agency per financial year. The OAIC selects audit targets based on a risk assessment analysis that takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

In 2012–13, the OAIC commenced and/or finalised the following ACT Government audits.

ACT Territory and Municipal Services Directorate

The audit examined the ‘MyWay’ Travel card program that was introduced to the ACT public in March 2011. Processes regarding the handling of personal information collected as part of the MyWay Travel Card registration process were reviewed.

This audit was commenced in February 2012. OAIC staff met with Territory and Municipal Services Directorate staff again in December 2012 and the audit was finalised in June 2013.

ACT Education and Training Directorate

The audit examined the policies, procedures and practices of the Education and Training Directorate with respect to third party access to student records, where the child is under 18, including where the personal information accessed is sensitive in nature.

The audit commenced on 29 March 2013. The draft report is in progress as of June 2013.

Identity security audits

The OAIC provided privacy advice to key agencies about projects delivered under the Australian Government’s National Identity Security Strategy (NISS). One project under the NISS related to the National Document Verification Service (DVS).

The DVS system allows authorised government agencies to verify, online and in real time, the authenticity of an individual’s Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that:

  • the EOI document was issued by the relevant source government agency
  • details recorded on the EOI document correspond to the details held by the source government agency
  • the document is still valid.

Lead responsibility for the development of the DVS rests with the Attorney-General’s Department.

In 2012–13, the OAIC commenced and/or finalised the following identity security audits.

Department of Foreign Affairs and Trade

The audit assessed the acts and practices of the Department of Foreign Affairs and Trade as an issuer agency, including the management of document verification requests and security processes in relation to personal information handling under the IPPs.

The audit was commenced in November 2010 and finalised in December 2012.

Australian Taxation Office

This audit will assess the notification provided to ATO customers prior to use of the DVS system, as well as the practices and procedures used by the ATO to ensure the accuracy and completeness of personal information. The audit commenced in May 2013 and is ongoing as at 30 June 2013.

Australian Customs and Border Protection audits

The OAIC has an MOU with the Australian Customs and Border Protection Service (Customs) to conduct one audit each year of an aspect of Customs’ use of European Union (EU) Passenger Name Record (PNR) data.

In 2012–13, the OAIC finalised an audit (commenced in November 2011) which examined Customs’ handling of PNR data at the Brisbane and Gold Coast international airport arrivals terminals. The audit was finalised in July 2012.

In October 2012, an audit was commenced into requests for information for EU-sourced PNR data. The audit assessed the use and disclosure of both hard-copy and electronic EU-sourced PNR data, in response to requests for information for this data, against Customs’ obligations under the Information Privacy Principles.

The OAIC audit teams found that Customs was generally maintaining its records of personal information in accordance with its IPP obligations under the Privacy Act. Where appropriate, the audit teams made recommendations to promote best privacy practice, and also made observations in relation to Customs’ separate obligations under an agreement held with the EU for the provision of PNR data. The OAIC does not publish all Customs PNR audit reports on the OAIC website as some reports contain information that may affect the operational security of Australian Customs and Border Protection.

Healthcare Identifier audits

The Healthcare Identifiers Act 2010 (HI Act) established the Healthcare Identifier Service (HI Service), which commenced on 1 July 2010. The HI Service is part of the Department of Human Services.

The functions of the HI Service are:

  • to assign and issue individual healthcare identifiers (IHIs) for all individuals who have, are or will be provided with healthcare, and to healthcare providers (HPI-Is) and healthcare provider organisations (HPI-Os)
  • to allow those authorised to access the HI Service to retrieve healthcare identifiers
  • to keep the information associated with healthcare identifiers up to date and accurate, including de-activating or retiring healthcare identifiers when they are no longer needed.

Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.

The OAIC received funding in 2011–12 under an Exchange of Letters agreement with the Department of Health and Ageing (DoHA) to undertake up to two healthcare identifier audits. Under a subsequent MOU between the OAIC and DoHA, for the period November 2012 to June 2014, the OAIC is to conduct up to two audits of the HI Service Operator (Department of Human Services) and up to two audits of agencies, organisations or state or territory authorities.

In 2012–13, the OAIC finalised an audit (commenced in June 2011) which examined the collection, storage and security, quality, use and disclosure of HPI-I information in keeping with the HI Service Operator’s obligations under the Privacy Act. This audit was finalised in August 2012.

In May 2013, the OAIC commenced an audit of the HI Service Operator examining the collection, use and disclosure of IHIs, HPI-I and associated identifying information by the HI Service Operator, after the HI record has been created and the IHI or HPI-I has been assigned and allocated. This audit was still in progress at 30 June 2013.

Personally Controlled Electronic Health Record audits

The Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) establishes the personally controlled electronic health record (PCEHR) system.

The OAIC has various enforcement and investigative powers in respect of the PCEHR system, under both the PCEHR Act and the Privacy Act.

Under an MOU between the OAIC and DoHA, for the period November 2012 to June 2014, the OAIC is to conduct up to two audits of the PCEHR System Operator and up to two audits of organisations or agencies, upon invitation.

In May 2013, the OAIC commenced an audit examining policies and procedures for the collection of personal information during the PCEHR consumer registration processes and guidance material for collecting personal information via the assisted registration procedure. This audit was still in progress at 30 June 2013.

Personal Information Digest

To help people understand what personal information is held by each Australian and ACT government agency, IPP 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:

  • the nature of records kept
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records
  • the steps an individual needs to take to gain access to the records.
