Corporate Plan activity 1.1
Develop the privacy management capabilities of businesses and Australian Government agencies and promote privacy best practice.
Performance measure 1.1.1
The OAIC applies a risk-based, proportionate approach to facilitate privacy compliance and promote privacy best practice.
During this reporting period, we engaged with entities reporting under the NDB scheme on the requirements of the NDB scheme, the causes of the data breach and measures to prevent reoccurrence. We used intelligence from privacy enquiries, privacy complaints and NDB reports, privacy assessments, media reports and tip-offs to decide on appropriate regulatory action. We conducted preliminary inquiries or opened investigations on the Commissioner’s own initiative for 15 matters.
We regularly engaged with business and Australian Government agencies, including providing advice and guidance on how to comply with the Privacy Act 1988 (Privacy Act) and deliver privacy best practice.
We released a new training resource about the Privacy Code and NDB scheme during Privacy Awareness Week (12 to 18 May 2019) to educate Australian Government agencies about privacy best practice.
We published the Notifiable Data Breaches Scheme 12-Month Insights Report, which is available on our website, to help businesses and agencies understand the common causes of data breaches and how they can implement proactive strategies to prevent data breaches.
We launched new resources for My Health Record consumers.
Performance measure 1.1.2
Guidance and educational materials are updated to include learnings from regulatory activities such as assessments and investigations.
We regularly updated our guidance and educational materials to make sure they are current and relevant.
For example, we released a new website for public review in June 2019 (see performance measure 1.7.4). During Privacy Awareness Week (PAW) we provided guidance to organisations and Australian Government agencies about their obligations under the Privacy Code.
Performance measure 1.1.3
Regular engagement and consultation with businesses and Australian Government agencies is undertaken.
We engaged regularly with businesses and Australian Government agencies, including providing advice on a wide range of matters such as the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, the Consumer Data Right scheme, changes to the My Health Record system and the Privacy (Credit Reporting) Code 2014.
We drafted submissions on nine different issues, such as cooperative intelligent transport systems, automated vehicle data, Australian Government data sharing and telecommunications.
Performance measure 1.1.4
Privacy Professionals’ Network (PPN) members are provided with information that is relevant and engaging, a minimum of 10 times per year.
We continued to offer PPN members regular information and updates. In 2018–19, PPN members received 10 e-newsletters. We also invited them to events which included discussion panels and OAIC privacy training.
Performance measure 1.1.5
Levels of engagement with PPN members are recorded.
We had our highest number of organisations supporting our PAW campaign with 507 becoming PAW partners, up from 360 in 2017–18.
During this reporting period, the PPN membership continued to grow from 3,442 members to 3,623. More than half of PPN members (51%) opened our e-newsletter and 39% clicked on a specific link in the e-newsletter.
Corporate Plan activity 1.2
Manage data breach notifications.
Performance measure 1.2.1*
80% of data breach notifications are finalised within 60 days.
In 2018–19, we:
- finalised 79% of notifications received under the NDB scheme within 60 days
- finalised notifications received under the NDB scheme in an average of 45.3 days
- finalised 66.1% of voluntary data breach notifications received within 60 days
- finalised voluntary data breach notifications in an average of 60.4 days.
Performance measure 1.2.2*
80% of My Health Records data breach notifications are finalised within 60 days.
We finalised 90% of My Health Record data breach notifications received within 60 days.
Performance measure 1.2.3
Guidance and support tools are promoted for the data breach notification schemes the OAIC oversees.
We published a resource for regulated entities on tips to prevent and mitigate data breaches with the Australian Cyber Security Centre.
We recorded and published:
- an interactive webinar with the Royal Australian College of General Practitioners (RACGP) on the requirements of the NDB scheme for health service providers, with case studies and frequently asked questions
- resources and information for RACGP members including updated flowcharts on the NDB scheme and My Health Record data breaches
- an interactive webinar on the requirements of the NDB scheme, and the lessons from the first 12 months of the NDB scheme’s operation, with case studies on best practice and approaches to multi-party data breaches.
Performance measure 1.2.4
Statistics on data breach notifications are published.
We published four quarterly reports on the operation of the NDB scheme. These reports included key statistics on the number of notifications received, the number of individuals whose personal information was involved in the data breach, detailed breakdowns on the reported sources of data breaches, comparisons of data breaches reported by the top five sectors and the kinds of personal information affected. They also provided detailed breakdowns of the types of data breaches notified by the top two reporting sectors.
In May 2019, we published the Notifiable Data Breaches Scheme 12-Month Insights Report, which is available on our website. The report provided lessons learned from the first year of the NDB scheme’s operation, as well as information about the changing international landscape with regards to privacy and mandatory data breach reporting schemes. The report also highlighted best practice tips and case studies from organisations that had notified under the NDB scheme, and strategies for mitigating the risk of cyber incidents.
Corporate Plan activity 1.3
Conduct Commissioner initiated investigations (CIIs).
Performance measure 1.3.1*
80% of CIIs are finalised within eight months.
Of the privacy CIIs finalised during this reporting period, 86% were finalised within eight months.
This reflected our commitment to working with respondents to resolve issues of non-compliance and improve privacy practices, as well as our efforts to reduce the time taken to progress a privacy CII.
For more information about CIIs, see page 65.
Performance measure 1.3.2
CIIs result in improvements in the privacy practices of investigated organisations.
We made inquiries of, or investigated, organisations to ensure compliance with the Privacy Act. We accepted enforceable undertakings from two respondents in 2018–19: the Commonwealth Bank of Australia Ltd and Wilson Asset Management (International) Pty Ltd.
Each enforceable undertaking included steps the respondent agreed to take to address concerns we raised in the CII. By implementing these steps, the respondents will improve their privacy policies and procedures.
Performance measure 1.3.3
CII outcomes and lessons learnt are publicly communicated.
In 2018–19, we:
- published the enforceable undertakings accepted from the Commonwealth Bank of Australia Ltd and Wilson Asset Management (International) Pty Ltd on our website
- published statements and media releases on our website about the conclusion of these matters and the lessons learnt
- publicly communicated the lessons learnt from CIIs in external speeches and presentations given by OAIC staff.
Performance measure 1.3.4
The OAIC applies a risk-based and proportionate approach to commencing and conducting CIIs.
We applied the framework set out in the Guide to Privacy Regulatory Action (which is available on our website) when deciding whether to commence an investigation. As a result, we commenced investigations into 15 matters.
Corporate Plan activity 1.4
Resolve privacy complaints.
Performance measure 1.4.1*
80% of privacy complaints are finalised within 12 months.
In 2018–19, we:
- finalised 95.1% of all privacy complaints within 12 months of receipt — 4.4 months was the average time taken to close a privacy complaint
- closed 5.5% more privacy complaints than in 2017–18
- responded to an 11% increase in the number of privacy complaints received (2017–18: 18% increase)
- increased staffing levels in our Early Resolution team to continue the efficient processing of privacy complaints.
We ensured the quality of our privacy complaint process by:
- handling privacy complaints in line with our privacy regulatory action policy and privacy regulatory action guide
- undertaking regular staff training, including conciliation and investigations training, administrative law training and mental health training
- enabling staff to participate in complaint handling networks and events, including the Commonwealth Ombudsman’s Complaint Handling Forum and PAW activities
- holding regular staff meetings to discuss matters of significance across the teams and to ensure consistency in decision-making — for example, all Dispute Resolution branch staff regularly met to discuss privacy cases.
For more information on resolving privacy complaints, see page 57.
Performance measure 1.4.2
The complaint handling service is promoted to the community.
We promoted our complaints handling service to the community through media releases, speaking engagements, event campaigns and social media.
We promoted the OAIC’s regulatory function and complaint handling service as part of our My Health Record privacy controls campaign on Facebook and Twitter.
We also promoted our complaint handling service through our campaigns for Privacy Awareness Week and Right to Know Day.
Performance measure 1.4.3
Complaint handling processes are reviewed to ensure they align with current best practice and relevant legislative developments.
We reviewed our internal processes and developed a policy for responding to unreasonable client conduct. When finalised, this policy will ensure best practice when handling unreasonable clients and support staff to manage challenging interactions.
We hired an external consultant to help us improve the timeliness of our privacy complaint process. We are currently developing strategies to reduce a backlog of privacy complaints.
Corporate Plan activity 1.5
Conduct privacy assessments.
Performance measure 1.5.1
Complete assessments in accordance with the schedule developed in consultation with the business or agency being assessed.
We generally completed the information review and fieldwork stages of privacy assessments in line with a schedule we developed with the business or agency being assessed; however, the assessment report was not finalised on schedule in all cases. We will continue to improve our assessment reporting process in the next financial year and work with the business or agency being assessed to finalise draft assessment reports promptly.
Performance measure 1.5.2
Monitoring and compliance approaches are coordinated with the business and operational needs of the business or agency being assessed.
We undertook professional, independent and systematic assessments in line with our privacy regulatory action policy and our guide to privacy regulatory action.
We engaged with and provided preliminary briefings to the business or agency being assessed prior to starting the formal assessment. This clarified our expectations and allowed us to develop a schedule that recognised the operational needs of the business or agency being assessed.
We engaged ICT security consultants to assist with the technical aspects of some of our Australian Privacy Principle 11 (security of personal information) assessments. For example, we engaged these consultants to support a series of assessments that considered how particular telecommunications service providers were protecting personal information.
Performance measure 1.5.3
A high proportion of recommendations are accepted by the business or agency being assessed.
All businesses or agencies assessed accepted all our recommendations.
During an assessment, we proactively and openly raised privacy risks we identified and our recommendations to the business or agency being assessed. This promoted discussions with the business or agency about strategies to mitigate the privacy risks.
Performance measure 1.5.4
Key assessment outcomes and lessons learnt are publicly communicated where appropriate.
We undertook assessments in the form of surveys with a number of businesses or agencies in a particular sector. We provided those businesses or agencies with individual reports and intend to publish a summary report on our website in 2019–20. This will provide general guidance to APP entities, while also providing tailored advice to the entities assessed.
Corporate Plan activity 1.6
Provide a privacy public information service.
Performance measure 1.6.1*
90% of written enquiries are responded to within 10 working days.
We finalised 92% of written privacy enquiries within 10 working days. This is a significant improvement on our 2017–18 response rate of 74%. This improvement reflects a reallocation of resources and changes to the management of the OAIC’s enquiries service, which were put in place in 2017–18, and our ongoing commitment to provide a timely public information service to the Australian public. For more information, see Privacy Enquiries on page 50.
Performance measure 1.6.2
Community, legal and other networks are identified for targeted promotion of the public information service.
We partnered with Legal Aid NSW during PAW (12 to 18 May 2019) to produce a podcast interview about credit reporting. By discussing a series of examples, we helped community workers and the public understand the circumstances in which they can gain access to their credit reports for free, how they may correct the information on their credit reports, and their rights to pursue complaints about their credit reports with recognised external dispute resolution schemes and the OAIC.
The Commissioner presented information about the OAIC and our functions to the Communications and Media Law Association and the annual conference of communications consumer representatives.
We also worked closely with the RACGP to increase member awareness of our regulatory role, including providing information about our public information service.
Performance measure 1.6.3
Website content is reviewed and updated as required to support our public information service.
We released a new website for public feedback in June 2019 (see performance measure 1.7.4).
Corporate Plan activity 1.7
Promote awareness and understanding of privacy rights in the community.
Performance measure 1.7.1
Media and social media mentions about privacy rights increase.
There were 2,805 online media mentions and 6,770 social media mentions of privacy rights and the OAIC during this reporting period (2017–18: 2,851 online media mentions and 4,400 social media mentions).
We responded to 238 media enquiries during the year, including 194 about privacy and 25 about My Health Record.
Performance measure 1.7.2
Awareness and understanding about privacy rights and the role of the OAIC improves.
The consistent number of online media mentions and increasing number of social media mentions demonstrate continued and growing awareness of our privacy role. Our social media following has also increased.
The increase in privacy complaints also demonstrates increased awareness of the OAIC’s complaint handling service.
Performance measure 1.7.3
Attendance numbers and positive feedback from public-facing events increase.
We successfully hosted a breakfast event for PAW, attended by 160 privacy professionals and other stakeholders. The event sold out, and 95% of attendees surveyed indicated they would attend the PAW business breakfast again next year.
A joint webinar with Wolters Kluwer on the NDB scheme had more than 200 participants and 95% rated the webinar as ‘excellent’ or ‘very good’.
The OAIC also ran a number of privacy training sessions for Australian Government privacy officers, with each session booked to capacity.
Performance measure 1.7.4
The OAIC’s website is accessible to the community and content about privacy rights is regularly reviewed and updated.
We released our new website for public feedback in June 2019. The website features improvements such as:
- better search functionality, design and navigation in response to user feedback
- information in one location — information that was once repeated or found over several pages is now on a single page
- removing non-current information so the search function works more effectively
- removing the print-based concept of ‘fact sheets’ and ‘resources’ and consolidating content into topics
- content for individuals rewritten in plain English.
Corporate Plan activity 1.8
Develop legislative instruments.
Performance measure 1.8.1
Applications for public interest determinations and Australian Privacy Principles (APP) codes are considered and responded to in a timely manner.
We did not receive any APP code applications during 2018–19.
We received three applications for a public interest determination:
- Privacy (Disclosure of Homicide Data) Public Interest Determination 2019 — commenced 20 March 2019 — permits the Australian Federal Police to disclose certain personal information to the Australian Institute of Criminology for the purpose of the Australian Institute of Criminology’s research under the National Homicide Monitoring Program and the publication of aggregate findings.
- Privacy (Australian Honours System) Public Interest Determination 2018 — commenced 12 October 2018 — permits the Department of Home Affairs to disclose personal information to the Office of the Official Secretary to the Governor-General and the Department of the Prime Minister and Cabinet for verifying the Australian citizenship and/or permanent residency status of individuals who are the subject of nominations for membership or honorary membership of the Order of Australia, or for other awards in the Australian honours system.
- Australian Financial Complaints Authority (AFCA) — received 17 June 2019 — requested a public interest determination to be made by the Commissioner deeming AFCA an ‘agency’ for the sole purpose of interpreting APP 12. APP 12 provides that if an entity is an agency, the entity is not required to give access to personal information if the entity is required or authorised to refuse an individual access to personal information under the Freedom of Information Act 1982 (FOI Act) or any other federal Act. We are currently considering this application.
Performance measure 1.8.2
Legislative instruments are reviewed when necessary.
The acting Australian Information Commissioner and acting Privacy Commissioner approved a variation of the Privacy (Credit Reporting) Code 2014 (v2) (CR Code) on 29 May 2018, following an application by the code developer, the Australian Retail Credit Association. The variation addressed some of the recommendations and feedback in the independent review of the CR Code undertaken in 2017. The varied CR Code commenced on 1 July 2018.
On 18 April 2019, the Australian Retail Credit Association made a second application to vary the CR Code under section 26T of the Privacy Act. This variation addresses the remainder of the recommendations and feedback in the independent review of the CR Code undertaken in 2017. This application is currently under consideration.
Corporate Plan activity 1.9
Conduct regulatory activities and help businesses understand their rights and responsibilities under the Consumer Data Right (CDR).
Performance measure 1.9.1
Regular dialogue with the ACCC and other relevant stakeholders is conducted to ensure the effective operation of the CDR scheme.
We engaged regularly with the ACCC and the Treasury, including through the provision of advice on draft legislative instruments and draft CDR rules, as well as guidance on general privacy matters affecting the CDR scheme.
We also engaged regularly with the Data Standards Body (CSIRO’s Data61), including through the provision of advice on development work for the technical standards relating to consumer experience, and attended Data Standards Advisory Committee meetings as observers.
Performance measure 1.9.2
Guidance and education materials are developed to support a clear understanding of rights and obligations under the CDR scheme.
Since the publication of the OAIC Corporate Plan 2018–19, the commencement date of the CDR scheme in the banking sector has moved from July 2019 to 1 February 2020.
Development of guidance and education materials is underway, including guidelines for the avoidance of acts or practices that may breach the privacy safeguards.
Performance measure 1.9.3
Internal processes and protocols are developed to support the implementation of the CDR.
We created internal governance mechanisms to support the implementation of the CDR, including developing project plans and reporting tools and establishing a CDR Project Governance Board.
We have reviewed existing processes and have begun developing new processes to support an efficient and effective CDR complaint handling process.
We have also started preparing internal training and other resources to ensure our Enquiries team are well equipped to answer questions from the public regarding the CDR.