Privacy
The Privacy Act requires Australian Government agencies and private sector organisations covered by the Privacy Act to follow a set of rules when collecting, using and storing an individual’s personal information. ‘Personal information’ is any information that is about an individual. The most obvious example is an individual’s name — other examples include their address, their date of birth, a photo of their face, or a record of their opinion and views. Any information that is about an identifiable individual is personal information.
Australian Privacy Principles
The Privacy Act includes 13 Australian Privacy Principles (APPs), which set out standards for business and government agencies managing personal information.
APP 1 — Open and Transparent Management of Personal Information
APP 2 — Anonymity and Pseudonymity
APP 3 — Collection of Solicited Personal Information
APP 4 — Dealing with Unsolicited Personal Information
APP 5 — Notification of the Collection of Personal Information
APP 6 — Use or Disclosure of Personal Information
APP 7 — Direct Marketing
APP 8 — Cross-Border Disclosure of Personal Information
APP 9 — Adoption, Use or Disclosure of Government Related Identifiers
APP 10 — Quality of Personal Information
APP 11 — Security of Personal Information
APP 12 — Access to Personal Information
APP 13 — Correction of Personal Information
Privacy enquiries
The OAIC offers a free public information service on privacy-related matters. Our service is mainly delivered through handling phone and written enquiries.
During this reporting period, we experienced a 10% decrease in privacy enquiries from 2017–18, consistent across both phone and written enquiries. We answered 13,457 phone enquiries about privacy matters and responded to 3,966 written privacy enquiries. We also helped with 22 in-person privacy enquiries.
We significantly improved our response time for written privacy enquiries. During this reporting period, we responded to 92% of written privacy enquiries within 10 working days, up from 74% in 2017–18.
We continued to receive a broad range of enquiries from the community. More than 60% of all phone enquiries about privacy matters concerned the operation of the APPs. We also continued to receive a significant proportion of enquiries about credit reporting and the new NDB scheme.
As part of our Memorandum of Understanding (MOU) with the Australian Capital Territory (ACT) Government, we continued to provide privacy services to ACT public sector agencies, including responding to enquiries from the public about the Information Privacy Act 2014 (ACT) (Information Privacy Act) and its Territory Privacy Principles (TPPs).
Examples of privacy enquiries handled during this reporting period are described in Case Studies 2.1 and 2.2.
Case Study 2.1: A business owner responds to a data breach
A business owner contacted the OAIC after discovering a staff member had stolen the credit card details of some clients and used this information to run up a bill of more than $10,000. The business owner had reported the matter to the police but was seeking advice about their obligations under the Privacy Act.
One of our enquiries officers discussed with the business owner the nature of their business and discovered that the business was a private health service provider. As a private health service provider, the business, even though a small business, must follow the APPs.
The enquiries officer gave the business owner information on APP 11 Security of Personal Information and advised that the data breach may be notifiable under the NDB scheme. They also referred the business owner to our website for guidance on the NDB scheme, which may help the business to assess the data breach and mitigate the risk to the individuals whose personal information was involved.
Case Study 2.2: An individual seeks access to his personal information
An individual involved with an organisation became aware a complaint had been made about him to the organisation. The individual contacted us to ask if he could put in an FOI request to the organisation to find out who had submitted the complaint and what it was about.
One of our enquiries officers explained to the individual that the Commonwealth FOI legislation applied to Australian Government agencies, not private organisations; however, under APP 12 — Access to Personal Information, he had the right to access the personal information that the organisation held about him.
The enquiries officer also advised the individual that while he could put in a request to the organisation for access to his personal information under APP 12, the organisation would need to consider whether giving access may have an unreasonable impact on the privacy of the individual who made the complaint, and so he may not be entitled to any information about that individual, such as their name.
Issues raised in privacy enquiries
During this reporting period the most common privacy enquiries we received were about the use and disclosure of personal information (APP 6), followed by access to an individual’s own personal information (APP 12) and then various exceptions to the APPs (see Table 2.1).
Table 2.1: Phone enquiries related to the APPs*

| Issue raised in phone enquiry | Number |
|---|---|
| APP 1 — Open and Transparent Management of Personal Information | 84 |
| APP 2 — Anonymity and Pseudonymity | 9 |
| APP 3 — Collection of Solicited Personal Information | 938 |
| APP 4 — Unsolicited Personal Information | 16 |
| APP 5 — Notification of the Collection of Personal Information | 593 |
| APP 6 — Use or Disclosure of Personal Information | 1,461 |
| APP 7 — Direct Marketing | 154 |
| APP 8 — Cross-Border Disclosure of Personal Information | 70 |
| APP 9 — Adoption, Use or Disclosure of Government Related Identifiers | 8 |
| APP 10 — Quality of Personal Information | 85 |
| APP 11 — Security of Personal Information | 1,077 |
| APP 12 — Access to Personal Information | 1,390 |
| APP 13 — Correction of Personal Information | 110 |
| Exceptions | 1,176 |
| General enquiries | 1,284 |
* There may be more than one issue handled in an enquiry.
We also handled questions about other privacy issues, reflecting the broad range of matters the OAIC regulates. Table 2.2 categorises these enquiries.
Table 2.2: Phone enquiries on other privacy matters*

| Issue raised in phone enquiry | Number |
|---|---|
| Credit reporting | 688 |
| Notifiable Data Breaches scheme | 640 |
| Spent convictions | 105 |
| My Health Record | 103 |
| Data breach notification (voluntary) | 70 |
| Tax file numbers | 39 |
| Territory Privacy Principles (ACT) | 31 |
| Privacy codes | 9 |
| Healthcare identifier | 9 |
| Data matching | 6 |
| National Privacy Principles | 3 |
| Consumer Data Right or open banking | 2 |
| Student identifiers | 1 |
* There may be more than one issue handled in an enquiry.
Privacy complaints
During this reporting period we continued to provide an effective complaints service — conciliating, investigating and resolving complaints individuals made to the OAIC about the possible mishandling of their personal information.
We can consider complaints by individuals about alleged interference with their privacy under the APPs, any registered APP code and consumer credit reporting. We can also consider complaints about the handling of other information, such as tax file numbers, spent convictions, data matching and healthcare identification information, including My Health Record.
In 2018–19, we received 3,306 privacy complaints (see Figure 2.1). This is a 12.1% increase on the number of privacy complaints we received in 2017–18 and follows the recent trend (2017–18: 18% increase; 2016–17: 17% increase). Consumers are increasingly aware of their privacy rights, including their right to make a complaint to the OAIC, which has contributed to the overall significant upward trend in number of complaints we have received since 2015–16.
The start of the NDB scheme and the European Union’s General Data Protection Regulation in 2018 helped to focus attention on privacy. This focus was maintained during this reporting period with the transition of the My Health Record system to an opt-out system, the ACCC’s inquiry into digital platforms, and several high-profile data breaches. The national and international focus on privacy has contributed to improved awareness about obligations to protect personal information under the Privacy Act and added to the substance and complexity of many matters brought to us to investigate.
While managing this significant increase in privacy complaint numbers, we finalised 2,920 complaints in 2018–19 (see Figure 2.2). This is a 5.6% increase on the number of complaints we closed last financial year and follows substantial increases in the previous two financial years as a result of making our processes more efficient and applying our resources more effectively (2017–18: 11% increase; 2016–17: 22% increase).
Figure 2.1: Privacy complaints received each month during the last three financial years
Figure 2.2: Privacy complaints closed each month during the last three financial years
As part of our MOU with the ACT Government, we continued to provide privacy services to ACT public sector agencies including handling privacy complaints under the Information Privacy Act.
Issues raised in privacy complaints
The majority (71.1%) of privacy complaints we received were about the handling of personal information under the APPs. The most common issues raised in these complaints were:
1. Use or disclosure of personal information (APP 6)
2. Security of personal information (APP 11)
3. Access to personal information (APP 12)
4. Collection of solicited personal information (APP 3)
5. Quality of personal information (APP 10).
During this reporting period, only 10.4% of the privacy complaints we received were about credit reporting — a decrease from the last two financial years (2017–18: 14%; 2016–17: 16%). This decrease reflected the continuing role of external dispute resolution schemes in resolving complaints about credit reporting matters.
More information is available in Appendix D.
Sectors
Privacy complaints can occur in a broad range of sectors. The top six sectors complained about are consistent with those in 2017–18 and 2016–17, except for complaints about credit reporting bodies, which was overtaken by online services (see Table 2.3 and Case Study 2.3).
Table 2.3: Top 10 sectors by privacy complaints received

| Sector | Number |
|---|---|
| Finance (including superannuation) | 418 |
| Australian Government | 389 |
| Health service providers | 327 |
| Telecommunications | 240 |
| Retail | 176 |
| Online services | 172 |
| Credit reporting bodies | 156 |
| Personal services (includes employment, childcare and vets) | 135 |
| Real estate agents | 131 |
| Debt collectors | 92 |
Case Study 2.3: Disclosure of personal information by telecommunications providers
The complainant became aware that her personal information had been inappropriately disclosed by a telecommunications provider to a public directory. The complainant was unclear which party was at fault: the telecommunications provider or the publisher of the public directory. The complainant had been the victim of domestic violence, and the disclosure of her information in the public directory had adverse consequences and put her safety at risk.
We investigated and conciliated the matter. Both respondents acknowledged they had interfered with the complainant’s privacy and each gave the complainant $20,000 in compensation.
Resolving privacy complaints
In 2018–19, the average time we took to close a privacy complaint was 4.4 months. This compares to 3.7 months in 2017–18 and 4.7 months in 2016–17.
Our early resolution process, which we introduced in 2017–18, aims to see if a resolution can be achieved between the parties soon after the complaint is lodged. Our Early Resolution team finalised 64.5% of all privacy complaints in 2018–19, an improvement on 2017–18 when that team closed 53% of all privacy complaints.
When we cannot resolve a privacy complaint using the early resolution process, we make further inquiries and conciliate and/or investigate the matter.
Where we resolved complaints through conciliation, we achieved positive outcomes, either through the shuttle conciliation our Early Resolution team conducted or the formal conciliation conferences our Investigations team undertook. In many cases, parties advised the case officer of a high level of satisfaction with the outcome they had achieved together.
We support our staff to resolve complaints through providing conciliation training. We have a number of staff involved in conciliation, including senior staff, accredited under the National Mediator Accreditation Standards.
During this reporting period we closed 95.1% of all complaints within 12 months (2017–18: 97%).
In 2018–19, the main remedies we achieved in resolving privacy complaints were:
1. Record amended
2. Access provided
3. Other or confidential
4. Apology
5. Compensation.
See Case Studies 2.4 to 2.7. More information is available in Appendix D.
Case Study 2.4: Complaint about a false profile on a dating platform
The complainant became aware that a false profile, including their photos and personal details, had been created on the respondent’s dating platform.
We made inquiries with the respondent. The respondent conducted several searches to attempt to locate the profile in question and determined that it had been deleted, possibly by the individual who created the account. The respondent advised that when they receive a complaint of this nature their practice is to locate and delete any accounts that appear to be fraudulent. The respondent also told the complainant what steps can be taken if a similar issue arises in the future. For example, the complainant could contact the respondent’s privacy team directly or use their app’s reporting tools.
Case Study 2.5: Disclosure of sensitive information by a medical centre
The complainant became aware that the respondent, a medical centre, had disclosed their sensitive medical information to their spouse without their consent.
We successfully conciliated the matter. The respondent gave the complainant a formal apology prepared by the doctor who was responsible for the disclosure. The doctor also got advice and privacy education material from their insurer and, in turn, carried out a training seminar for other practitioners working at the medical centre.
Case Study 2.6: Disclosure of personal information by a retail store
The complainant discovered that the respondent, a retail store, disclosed their personal information to a third party who fraudulently impersonated the complainant.
We resolved the matter by conciliation. The respondent apologised to the complainant, strengthened their identity verification processes and paid:
Case Study 2.7: Failure to ensure the security of personal information by a superannuation fund
The complainant alleged that the respondent, a superannuation fund provider, inadvertently included his welcome letter in correspondence they sent to another customer. The letter included the complainant’s name, age, account number, address, account balance and investments.
We resolved the matter by conciliation. The respondent apologised to the complainant, implemented additional security measures and paid $1,500 compensation.
Community and sector engagement
An important part of our role is interacting with key industry and community stakeholders, including government bodies and external dispute resolution schemes, about recurring or significant issues arising in complaints.
External dispute resolution schemes
The Information Commissioner can recognise an external dispute resolution scheme to handle particular privacy-related complaints (s 35A of the Privacy Act). The external dispute resolution schemes that are recognised are:
- Australian Financial Complaints Authority
- Energy & Water Ombudsman NSW
- Energy & Water Ombudsman SA
- Energy and Water Ombudsman (Victoria) Limited
- Energy & Water Ombudsman Queensland
- Energy and Water Ombudsman Western Australia
- Public Transport Ombudsman Limited (Victoria)
- Telecommunications Industry Ombudsman Limited
- Tolling Customer Ombudsman.
Community engagement
For Privacy Awareness Week (PAW, 12 to 18 May 2019), the OAIC produced a podcast with Legal Aid NSW in which our staff were interviewed about credit reporting.
During this reporting period, we continued to use social media to promote privacy awareness. For example, we used Twitter and Facebook to raise awareness about the privacy controls available in My Health Record and to encourage Australians to use them.
Determinations
Under s 52 of the Privacy Act, the Commissioner may make determinations in relation to privacy complaints. The Commissioner may also make determinations in relation to privacy CIIs. The Commissioner must make these determinations personally, that is, the decision cannot be delegated.
In 2018–19, the Commissioner made three privacy determinations. One of these determinations included findings that the respondent had not interfered with the individual’s privacy. This complaint was dismissed under s 51(1)(a) of the Privacy Act. See Determinations 2.1 to 2.3.
Determination 2.1: ‘QP’ and Commonwealth Bank of Australia Ltd (Privacy) [2019] AICmr 48 (28 June 2019)
The Commissioner found that the Commonwealth Bank of Australia Limited (CBA) interfered with the complainant’s privacy by using and disclosing personal information about the complainant which was inaccurate, out-of-date or incomplete and in breach of APP 10.2.
In this instance, the Commissioner declared under s 52(2)(b)(ii) that CBA issue a written apology to the complainant acknowledging their interference with the complainant’s privacy and declared under s 52(1)(b)(iii) that CBA pay the complainant $15,000 for non-economic loss suffered.
Determination 2.2: ‘QF’ and Others and Spotless Group Limited (Privacy) [2019] AICmr 20 (28 May 2019)
The Commissioner found that Spotless Group Limited (Spotless) interfered with the complainants’ privacy by improperly disclosing, through their related entity Cleanevent, the complainants’ personal information to the Australian Workers’ Union, in breach of National Privacy Principle (NPP) 2. The Commissioner also found Spotless failed to take reasonable steps to protect the complainants’ personal information from misuse and unauthorised disclosure, in breach of NPP 4.
In this instance, the Commissioner declared under s 52(2)(b)(ii) that Spotless give each complainant a written apology acknowledging their interference with the complainants’ privacy and the distress it caused, and that Spotless engage an independent reviewer with privacy expertise to undertake a review of Spotless’s current privacy compliance procedures, policies and processes, as well as those of Spotless’s subsidiaries, and give the Commissioner a copy of the reports from the independent review.
The Commissioner also declared under s 52(1)(b)(iii) that Spotless pay each complainant compensation between $3,000 and $6,000 for non-economic loss suffered.
Determination 2.3: ‘QD’ and Dr ‘QE’ and Idameneo (No.123) Pty Limited (Privacy) [2019] AICmr 17 (3 May 2019)
The complainant alleged that Idameneo (No. 123) Pty Limited (Idameneo) and Dr QE had interfered with their privacy by failing to give access to personal information on request, in breach of APP 12.1. The complainant also alleged the respondents had failed to take reasonable steps to give access to the information in a way that met the parties’ needs, and failed to give reasons for their refusal, in breach of APP 12.5 and APP 12.9.
The Commissioner found that Idameneo and Dr QE could rely on the exception at APP 12.3(a) to refuse access. APP 12.3(a) provides that an entity is not required to give access where the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual.
The Commissioner determined that the respondents gave sufficient consideration to alternative means of access and that the steps taken by the respondents were reasonable in the particular circumstances, finding no breach of APP 12.5.
The Commissioner also considered that although the respondents had not yet given the complainant a written notice of refusal of access, the ‘reasonable time’ limit had not yet expired, finding no breach of APP 12.9.
Data breach notifications
NDB scheme
The NDB scheme commenced on 22 February 2018. Under the NDB scheme, Australian Government agencies and private sector organisations with existing personal information security obligations under the Privacy Act must notify individuals who are likely to be at risk of serious harm as a result of a data breach. The OAIC must also be notified (see Table 2.4).
Our responsibilities under the NDB scheme include:
- receiving notifications of eligible data breaches
- encouraging compliance with the NDB scheme, including handling complaints and taking regulatory action in response to instances of non-compliance
- offering advice and guidance to regulated organisations and informing the community about how the NDB scheme operates.
We reviewed each notice received under the NDB scheme to consider whether the data breach had been contained, whether the organisation or agency had taken reasonable steps to mitigate the impact of the data breach on the individuals at risk of serious harm, and whether the organisation or agency was taking reasonable steps to minimise the likelihood of a similar data breach occurring again. The Commissioner’s new powers under the NDB scheme include the discretion to direct an entity to notify individuals of eligible data breaches, or to declare that notification does not need to occur or can be delayed.
The first 12 months of the NDB scheme saw a 733% increase in the number of data breach notifications, compared to those received under the previous voluntary scheme. This is consistent with international trends in jurisdictions with comparable mandatory data breach notification schemes and shows that organisations and agencies were aware of their obligations and engaging with the requirements of the NDB scheme.
As well as quarterly statistics reports, in May 2019 we published the Notifiable Data Breaches Scheme 12-Month Insights Report, which gives a detailed overview of the first year of the NDB scheme’s operation. We have also jointly published with the Australian Cyber Security Centre a resource for organisations and agencies on tips to mitigate the risk of data breaches.
Case Studies 2.8 and 2.9 describe some data breaches we have handled during this reporting period.
Case Study 2.8: Human error
In preparation for a product launch, an employee made an unintended change to an organisation’s system configuration. This resulted in customers being able to view details for other customers when activating their account online. The data breach mainly affected contact information, but in some instances also included passport or driver licence information.
The organisation notified affected individuals by text message and offered to pay the cost of their passport being reissued or of setting up a credit-monitoring service.
To prevent recurrence of a similar data breach, the organisation took a range of steps, including introducing additional reviews for its content delivery network and implementing system configuration changes via an application programming interface.
Case Study 2.9: Cyber-related incident
An organisation detected suspicious activity on several customer accounts. They investigated and found that some accounts had been accessed without authorisation using correct credentials. The investigation concluded that the incident was not a result of a vulnerability in the organisation’s systems but occurred due to ‘credential stuffing’, where previously compromised credentials are used to gain unauthorised access to systems via large-scale automated log-in requests.
The organisation informed affected individuals that their personal information, including contact details, date of birth and membership number, had been compromised and offered identity and cyber support services at no cost.
In response to the incident, the organisation reset passwords on all affected accounts, implemented additional security measures to detect and mitigate malicious traffic and undertook continuous system monitoring.
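Case Study 2.9 describes the signature of credential stuffing: correct credentials replayed from automated sources across many accounts, so per-account lockouts never fire. As an added illustration (not code from this report or from the organisation involved), the Python below runs a per-source heuristic over a constructed authentication log, flagging sources that try many distinct usernames with a high failure ratio and listing the accounts those sources did log into, which are the ones to reset. The log format, thresholds, addresses and usernames are all assumptions made for the example.

```python
"""Heuristic detection of credential stuffing in authentication logs.

Because the replayed credentials are valid, the signal is not in any one
account but in the per-source aggregate: many distinct usernames, a high
failure ratio and a handful of successes. Format and data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one event per line:
# "<timestamp> <source_ip> <username> <OK|FAIL>"  (RFC 5737 test addresses)
# 203.0.113.5 is an ordinary user who mistypes a password once.
NORMAL_LINES = [
    "2019-03-01T08:00:01Z 203.0.113.5 alice FAIL",
    "2019-03-01T08:00:09Z 203.0.113.5 alice OK",
    "2019-03-01T17:30:00Z 203.0.113.5 alice OK",
]
# 198.51.100.77 tries 30 different accounts; 3 of the leaked pairs still work.
STUFFING_LINES = [
    f"2019-03-01T02:{i // 60:02d}:{i % 60:02d}Z 198.51.100.77 user{i:03d} "
    + ("OK" if i % 10 == 0 else "FAIL")
    for i in range(30)
]
SAMPLE_LOG = NORMAL_LINES + STUFFING_LINES


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (source_ip, username, succeeded) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    return parts[1], parts[2], parts[3] == "OK"


def summarise(lines):
    """Aggregate attempts per source address; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, user, ok = parsed
        s = stats[src]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes += 1
        else:
            s.failures += 1
    return dict(stats)


def flag_credential_stuffing(stats, min_attempts=20, min_distinct_users=10,
                             min_failure_ratio=0.7):
    """Sources meeting all three thresholds (assumed values, tune per site).
    A normal user retrying one account never reaches min_distinct_users."""
    return sorted(
        src for src, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.usernames) >= min_distinct_users
        and s.failure_ratio >= min_failure_ratio
    )


def compromised_accounts(lines, flagged_sources):
    """Usernames that logged in successfully from a flagged source: these
    are the accounts whose credentials are known-leaked and need resetting."""
    hit = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in flagged_sources and parsed[2]:
            hit.add(parsed[1])
    return sorted(hit)


if __name__ == "__main__":
    found = flag_credential_stuffing(summarise(SAMPLE_LOG))
    print("flagged sources:", found)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, found))
```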
Voluntary data breaches
Prior to the introduction of the NDB scheme, we administered a voluntary data breach notification scheme. This scheme allowed organisations and agencies to self-report possible data breaches to us. We continued to register voluntary data breach notifications for incidents that do not fall within the scope of the NDB scheme (see Table 2.4). These included data breaches that occurred prior to 22 February 2018, incidents that did not meet the threshold of the NDB scheme, and data breaches that did not involve organisations or agencies the NDB scheme regulates.
Table 2.4: NDB, voluntary and mandatory My Health Record notifications

| Year | 2016–17 | 2017–18 | 2018–19 |
|---|---|---|---|
| Notifiable data breaches | – | 305 | 950* |
| Voluntary notifications | 114 | 174 | 175 |
| Mandatory notifications (My Health Records Act 2012) | 35 | 28 | 35 |
| Total | 149 | 507 | 1,160 |
* Where data breaches affect multiple entities, we may receive multiple notifications relating to the same data breach. Notifications to us about the same data breach incident are counted as a single notification in this number. End-of-year statistics may differ from quarterly publication statistics.
In 2018–19, the number of voluntarily reported data breaches remained consistent with the previous financial year and represented a 53.5% increase on voluntary data breaches reported in 2016–17, prior to the introduction of the NDB scheme.
The consistent number of voluntary notifications can be explained, in part, by our activities in engaging with stakeholders about the requirements of the NDB scheme, along with global regulatory developments which focused on the importance of understanding and responding to data breaches, and the domestic focus on transparency and good governance arising from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Given this significant increase in mandatory and voluntary notifications, we did not meet our overall target for finalising data breach notifications, with 79% of notifications under the NDB scheme finalised within 60 days and 66.1% of voluntary data breach notifications finalised within 60 days.
We also administered a mandatory scheme for digital health data breaches. See Table 4 and the Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2018–19, which will be available on our website no later than 28 November 2019.
Privacy Commissioner initiated investigations
Section 40(2) of the Privacy Act allows the Commissioner to investigate an act or practice that may be an interference with privacy on the Commissioner’s own initiative. This power is used to investigate possible interferences with privacy that are of concern but are not in direct response to an individual privacy complaint.
A Privacy Commissioner initiated preliminary inquiry or investigation (CII) is conducted in response to an incident of significant community concern or discussion, a notification from a third party about potentially serious privacy issues, or a notification about a data breach. Our key objective in undertaking Commissioner initiated preliminary inquiries or an investigation is improving the privacy practices of the organisation or agency involved.
During this reporting period, we opened preliminary inquiries and/or an investigation in relation to 15 matters (see Table 2.5). At 30 June 2019, 10 of these matters and 12 matters from 2017–18 were ongoing.
Table 2.5: Privacy Commissioner initiated investigations

| Year | Number of CIIs |
|---|---|
| 2016–17 | 29 |
| 2017–18 | 21 |
| 2018–19 | 15 |
Visit https://www.transparency.gov.au/annual-reports/office-australian-information-commissioner/reporting-year/2018-2019-21