During this reporting period, we assessed privacy practices in the finance, telecommunications and government sectors, as well as the digital health sector.
We used a range of methods to conduct our assessments, such as comprehensive and in-depth review of policy documents, interviews with staff and site inspections. Consistent with last financial year, the businesses or government agencies we assessed accepted all our recommendations or planned to act on them.
During this reporting period we followed up on recommendations and suggestions we made in our 2016 loyalty program assessments of Woolworths Limited (Woolworths) and Coles Supermarkets Australia (Coles) with the following results:
- Woolworths provided evidence to show that they had adopted all our suggestions.
- Coles provided evidence to show that they had implemented our recommendation.
- Coles adopted several of our suggestions and gave adequate reasons where they did not adopt one of our suggestions.
We began a series of assessments in 2017–18 to see if certain telecommunications service providers are meeting their information security obligations under APP 11 — Security of Personal Information, for the personal information they are required to retain under the data retention scheme that came into full effect on 13 April 2017. In 2017–18 we conducted the fieldwork for two assessments. We conducted the fieldwork for two more assessments in this series in 2018–19. We will finalise this series of assessments in 2019–20.
Unique student identifier
In 2018–19, under our MOU with the Department of Education and Training acting through the Student Identifiers Registrar (the Registrar), we assessed how the Unique Student Identifiers (USI) Office, acting on behalf of the Registrar, managed privacy controls for the USI Transcript Service. Our assessment considered the USI Office’s practices, procedures and systems to make sure they complied with APP 1.2. This was the first assessment to consider the application of the Privacy Code. We did not identify any privacy risks that resulted in recommendations in this assessment.
We also followed up on the implementation of recommendations made in our 2016 assessment of how the USI Office handled personal information. We were satisfied that the USI Office had implemented the recommendations.
Under our MOU with the ACT Government, in 2017–18 we conducted an assessment of Housing and Community Services ACT. The assessment is examining whether Housing ACT is:
- using and disclosing personal information in line with their TPP 6 obligations
- taking reasonable steps to secure their personal information holdings as required by TPP 11
We will complete this assessment in 2019–20.
In 2018–19 we conducted an assessment involving 10 ACT Government agencies. This assessment is outlined in the Memorandum of Understanding with the Australian Capital Territory for the Provision of Privacy Services 2018–19 Annual Report, which will be available on our website no later than 22 October 2019.
More information is available in Appendix C.
We perform several functions to help government agencies to understand their privacy requirements and adopt best privacy practice when undertaking data-matching activities.
Data matching is the process of bringing together data sets that come from different sources and comparing those data sets with the intention of producing a match. Several government agencies use data matching to detect non-compliance, identify instances of fraud and recover debts owed to the Australian Government. For example, to identify individuals or businesses that may be under-reporting income or turnover, the Australian Taxation Office (ATO) may match tax return data with the data provided by banks.
Government agencies that carry out data-matching activities must comply with the Privacy Act. Data matching raises privacy risks because it involves analysing personal information about large numbers of people, the majority of whom are not under suspicion of non-compliance.
Statutory data matching
The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). The Data-matching Act authorises the use of tax file numbers in data-matching activities by the Department of Human Services (DHS), the Department of Veterans’ Affairs and the ATO. In previous financial years, we have inspected DHS’s data-matching records to make sure they comply with the requirements of the Data-matching Act. Agencies continue to rely less on data matching using tax file numbers, so this financial year we again focused on providing advice and oversight of data-matching activities outside the Data-matching Act.
Enhanced Welfare Payment Integrity
The Enhanced Welfare Payment Integrity — non-employment income data-matching measure was announced in the 2015–16 Mid-Year Economic and Fiscal Outlook (MYEFO). It increases DHS’s capability to conduct data matching to identify non-compliance by welfare recipients. In 2017–18, we conducted two privacy assessments of DHS’s handling of personal information. The first assessment looked at the Non-Employment Income Data Matching (NEIDM) program. The second assessment examined the Pay-As-You-Go (PAYG) program. During this reporting period, we finalised the NEIDM program assessment. We will finalise the PAYG program assessment in 2019–20.
During this reporting period we also conducted two privacy assessments which looked at how DHS secures the personal information used in the NEIDM and PAYG programs and at the role of the ATO as a source of data for DHS’s data-matching activities. We will finalise both assessments in 2019–20.
Data-matching under the voluntary guidelines
We administer the Guidelines on Data-matching in Australian Government Administration, which are voluntary guidelines to help government agencies adopt appropriate privacy practices when undertaking data-matching activities not covered by the Data-matching Act. This financial year we reviewed 13 data-matching program protocols submitted by matching agencies including the ATO, the Department of Home Affairs and DHS.
Digital health assessments
Health information is considered particularly sensitive. This sensitivity has been recognised in the My Health Records Act 2012 (My Health Records Act) and Healthcare Identifiers Act 2010, which regulate the collection, use and disclosure of personal information, and give the Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act, which treats health information as ‘sensitive information’.
We initiated three assessments relating to the My Health Record system in 2018–19 and continue to progress two assessments that began in the previous financial year. See the Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2018–19, which will be available on our website no later than 28 November 2019.
Advice for businesses and agencies
Our teams provided advice for businesses and Australian Government agencies on their obligations under the Privacy Act. We also helped businesses and agencies achieve best practice in their approach to privacy management.
During this reporting period we issued advice on a variety of matters, including:
- adoption, use and disclosure of government related identifiers
- Australian Government Privacy Code
- credit reporting
- data breach notification requirements, including the NDB scheme
- de-identification and re-identification
- digital identity systems
- direct marketing
- draft CDR legislation, rules and technical standards
- government data matching
- higher education proposals affecting the handling of information about students
- law enforcement and national security
- the My Health Record system
- new and emerging technologies
- online communications and privacy
- privacy and international agreements
- privacy and security, as part of the Attorney-General’s Department’s reforms to the Protective Security Policy Framework
We also drafted submissions on issues such as:
- artificial intelligence
- Australian Government data sharing
- CDR draft legislation (see Case Study 2.10)
- cooperative intelligent transport systems and automated vehicle data
- digital platforms
- human rights and technology
- identity information
- the My Health Record system
Case Study 2.10: Consumer Data Right regulatory framework
The CDR is a right for consumers to access particular data in a readily usable form and to direct a business to transfer that data securely to a data recipient. It aims to give consumers greater control over how their data is used and disclosed in order to create more choice and competition in sectors of the economy the Treasurer designates.
In 2018–19, we gave privacy advice to the Treasury, the ACCC and CSIRO’s Data61 in the course of their respective development of the CDR legislation, rules and technical standards.
In August 2018, the Treasury released the exposure draft of the Treasury Laws Amendment (Consumer Data Right) Bill. We provided a submission on the exposure draft, acknowledging the potential of the CDR to give consumers greater choice and control over how their data is used, while highlighting important areas where further clarification or consideration of privacy issues was required. Many of our recommendations were reflected in the legislation introduced to Parliament in February 2019. We continued to engage with the Treasury throughout the development of the legislation.
We provided advice to the ACCC on their development of the CDR rules. These rules complement the legislation by defining the elements for consent, outlining the accreditation framework for data recipients and elaborating on the privacy safeguards.
We also provided advice to Data61 regarding development work for technical standards relating to consumer experience. The consumer experience standards will focus on the steps data recipients must take when seeking consent, and data holders must take when seeking authorisation, from consumers.
We released our new website for public feedback in June 2019 (see performance measure 1.7.4).
We published a new training resource about the Privacy Code to educate Australian Government agencies about privacy best practice. We also published the Notifiable Data Breaches Scheme: 12-Month Insights Report, to help businesses and agencies understand the common causes of data breaches and how they can implement proactive strategies to prevent data breaches.
Privacy legislative instruments
Under the Privacy Act, the Information Commissioner has powers to make certain legislative instruments. These legislative instruments must comply with the requirements of the Legislation Act 2003. They are publicly available on the Federal Register of Legislative Instruments.
Privacy (Australian Honours System) Public Interest Determination 2018
On 5 October 2018, the Information Commissioner made Privacy (Australian Honours System) Public Interest Determination 2018. This followed an application for a public interest determination (PID) on 6 March 2018 from the Department of Home Affairs and replaced Privacy (Australian Honours System) Temporary Public Interest Determination 2018.
The PID allows the Department of Home Affairs to disclose Australian citizenship and permanent residency status information without breaching APP 6 — Use or Disclosure of Personal Information, for a period of 10 years. The disclosures can be made to the Department of the Prime Minister and Cabinet and to the Office of the Official Secretary to the Governor-General for the purposes of their consideration of nominees for awards (such as those in the Australian honours system).
Privacy (Disclosure of Homicide Data) Public Interest Determination 2019
On 18 March 2019, the Information Commissioner made Privacy (Disclosure of Homicide Data) Public Interest Determination 2019. This followed an application for a PID on 1 November 2018 from the Australian Federal Police (AFP).
The PID allows the AFP to disclose personal information to the Australian Institute of Criminology (AIC) without breaching APP 6 — Use or Disclosure of Personal Information, for a period of seven years. The information which can be disclosed under the PID is personal information requested by the AIC about offenders and suspects in relation to homicides in the ACT, for the purposes of the AIC’s research under the National Homicide Monitoring Program and the publication of aggregate findings.
This PID replaced PID No. 5 which expired on 1 October 2018.
National Health (Privacy) Rules 2018
On 11 October 2018, the Information Commissioner issued the National Health (Privacy) Rules 2018 (National Health (Privacy) Rules). These rules are required under s 135AA of the National Health Act 1953 (National Health Act). The National Health (Privacy) Rules commenced on 1 April 2019 and repealed the previous s 135AA instrument — the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs — on the same date.
The National Health (Privacy) Rules regulate the way that Australian Government agencies link and store claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program.
Among other things, s 135AA(5) of the National Health Act requires that these rules prohibit agencies from storing claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program on the same database.