
The Operation of the Privacy Act Annual Report

1 July 2006 – 30 June 2007

Copyright © Office of the Privacy Commissioner 2007 ISSN 1035-3372

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, right and content should be addressed to:

Copyright Officer Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001

Email: [email protected]


The Hon Philip Ruddock MP Attorney-General Parliament House CANBERRA ACT 2600

Dear Attorney-General

I am pleased to submit to you, for presentation to the Parliament, the annual report for the Office of the Privacy Commissioner on the operation of the Privacy Act 1988 for the year ended 30 June 2007.

This report has been prepared in accordance with section 97 of the Privacy Act 1988.

Yours sincerely

Ms Karen Curtis Privacy Commissioner

24 September 2007


Contents

Letter of Transmission iii

Contents v

List of Charts vii

List of Tables vii

User’s Guide ix

Commissioner’s Overview 2006–07 1

The Year Ahead 2

The Year in Review – A Summary 3

Chapter 1 Respecting Privacy

1.1 Review of Performance 9

1.2 Australian Law Reform Commission Review of Privacy 10

1.3 Privacy and the Australian Government 12

1.4 Privacy and the Australian Capital Territory Government 21

1.5 Privacy and Business 21

1.6 Privacy and the Health Sector 25

1.7 Privacy and the Information and Communications Technology Sector 27

Chapter 2 Promoting Privacy

2.1 Review of Performance 31

2.2 Privacy Website 32

2.3 Media 34

2.4 Speeches and Presentations 35

2.5 Publications 35

2.6 Community Attitudes Survey 36

2.7 Networking for Privacy Solutions 36

2.8 Privacy Advisory Committee 38

2.9 International Liaison 39


Chapter 3 Protecting Privacy

3.1 Review of Performance 41

3.2 Responding to Enquiries 42

3.3 Responding to Complaints 46

3.4 Own Motion Investigations 57

3.5 Case Notes 58

3.6 Complaints and Enquiries Statistics on www.privacy.gov.au 59

3.7 Reports of Complaints under Approved Codes 59

3.8 Audits 60

3.9 Personal Information Digest 63

3.10 Monitoring Government Comparisons of Data Sets 64

Chapter 4 Management and Accountability

4.1 Administrative Arrangements 70

4.2 Corporate Services 72

4.3 Management of Human Resources 74

Appendix 1 The Privacy Act and the Office of the Privacy Commissioner 79

Appendix 2 Freedom of Information Act Compliance 85

Appendix 3 Speeches and Presentations 88

Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2007 90

Appendix 5 Demographic Information about Complainants 99

Appendix 6 National Privacy Principles 103

Appendix 7 Information Privacy Principles 114

Appendix 8 Strategic Plan 2007–09 120

Financial Statements 125

Glossary 157

Index 158


List of Charts

Chart 2.1 Yearly Comparative Results for the Website 33

Chart 3.1 Private Sector Industry Groups to which Telephone Enquiries Relate 44

Chart 3.2 Percentage of Complaints received by Privacy Act Jurisdiction 47

Chart 3.3 Key Issues in Complaints 47

Chart 3.4 Complaints by Government and Industry Sector 48

Chart 3.5 Issues in NPP Complaints Resolved by the Respondent 55

Chart 3.6 Issues in IPP Complaints Resolved by the Respondent 56

Chart 3.7 Credit Reporting Complaints Resolved by the Respondent 56

Chart A1.1 Organisational Structure 80

List of Tables

Table 2.1 Page and Session Views for the Privacy Website 33

Table 3.1 Source of Telephone Enquiries 42

Table 3.2 Breakdown of Issues in Calls Received 43

Table 3.3 Stage at which Complaints Closed 49

Table 3.4 Grounds for Declining to Investigate Complaints Further Following an Investigation 50

Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation 51

Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries 52

Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries 53

Table 3.8 Basis for Closing Complaints without Investigation 54

Table 3.9 Approved Codes under the Privacy Act 59

Table 3.10 ACT Audits Commenced 2006–07 61


Table 3.11 Biometrics for Border Control Audits Commenced 2006–07 61

Table 3.12 ACT Government Audits Finalised 2006–07 62

Table 3.13 Program Protocols produced under the Voluntary Data-matching Guidelines 2006–07 67

Table 4.1 Consultancy Contracts 2006–07 73

Table 4.2 Overview of Staffing Profile as at 30 June 2007 75

Table A1.1 Resources for Outcomes 84

Table A4.1 Commonwealth Disability Strategy Performance Reporting June 2007 90

Table A5.1 Gender of complainants 99

Table A5.2 Complainants’ access to the Internet 99

Table A5.3 Country of birth of complainants 100

Table A5.4 Main language spoken at home 100

Table A5.5 Location of complainants 100

Table A5.6 Aboriginal or Torres Strait Islander background of complainants 100

Table A5.7 Level of education completed by complainants 101

Table A5.8 Age range of complainants 101

Table A5.9 Complainants with a disability 101

Table A5.10 Source of knowledge about the Office of the Privacy Commissioner 102

Table A5.11 Annual income range of complainants 102


User’s Guide

Immediately following this guide, you will find the Commissioner’s Overview for 2006–07 which includes a summary of significant issues, developments and achievements during the year, key statistics, and an outline for the year ahead for the Office.

The main chapters follow the Overview and the Annual Report is concluded by the various Appendices, Glossary and Index.

Chapter 1 Respecting Privacy describes the Office’s work for 2006–07 in providing advice on the privacy implications of legislation and government and private sector policy proposals that may have a significant impact on the handling of personal information.

Chapter 2 Promoting Privacy sets out the work the Office completed in promoting and educating key client groups on privacy issues. This includes liaising with key stakeholders in the private sector, networking with privacy representatives across Australian and ACT Government departments and agencies, handling media enquiries, maintaining the Office’s website and assisting with speeches and presentations by the Commissioner and members of staff.

Chapter 3 Protecting Privacy records the work the Office undertook to encourage and enforce compliance with the Privacy Act. This includes handling enquiries, undertaking audits of government agencies, investigating complaints and conciliating disputes.

Chapter 4 Management and Accountability contains an overview of the Office’s administrative arrangements, management of human resources and corporate governance.

The Appendices contain information required under specific legislation together with any other useful material. These can be found following on from Chapter 4.

The Office of the Privacy Commissioner’s audited Financial Statements for 2006–07 are located immediately following the Appendices. The Glossary and Alphabetical Index can be found at the end of the report.


ACT Government

Information that relates directly to ACT Government matters can be found in sections 1.4, 3.8.1.1, 3.8.2.1 and 4.1.3.

How to find out more

For enquiries about this report or for copies of other Office of the Privacy Commissioner publications, please contact:

Director Corporate and Public Affairs Office of the Privacy Commissioner GPO Box 5218 SYDNEY NSW 2001

Telephone: + 61 2 9284 9800 Fax: + 61 2 9284 9666 Email: [email protected] Website: www.privacy.gov.au

Enquiries line: 1300 363 992 local call TTY: 1800 620 241 no voice calls

This report is also available on the Office of the Privacy Commissioner’s website at www.privacy.gov.au/publications/index.html#A.

Non-English Speakers

If you speak a language other than English and need help, please call the Translating and Interpreting Service on 131 450 and ask for the Australian Government Office of the Privacy Commissioner on 1300 363 992. This is a free service.


Commissioner’s Overview 2006–07

2006–07 was a year characterised by strategic analysis, reflection on the operation of the law and looking to the future.

Two projects in particular capture this. One was my Office’s submission to the Australian Law Reform Commission (ALRC) review of privacy. The other was our development of a new Strategic Plan to guide our operations over the next three years.

Our substantial submission to the ALRC review of privacy crystallises our thoughts on what the future of privacy regulation in Australia should look like. This submission brings together my Office’s position on issues as varied as the privacy principles, technology, transborder data flows, exemptions to the Privacy Act, health and telecommunications, to name a few.

A central theme of the submission was that any reform of Australia’s privacy laws should aim to enhance regulatory consistency and reduce complexity. Nationally consistent privacy legislation will reduce compliance difficulties for agencies and organisations and empower individuals to understand and exercise their privacy rights without confusion.

Currently, the Privacy Act contains two sets of privacy principles. One set applies to Australian and ACT Government agencies and the other to the private sector. I believe that a technology-neutral, principles-based approach remains the best way to regulate personal information handling in the context of rapid technological change. However, my Office has suggested that these two sets of principles should be replaced by a single set of principles to reduce regulatory complexity.

Further information about the ALRC review of privacy is available in section 1.2 of this report.

The second project that caused the Office to look to the future was our development of a new Strategic Plan; a project vital to all aspects of our operations.

For me, a Strategic Plan is essential to the success of an agency. It focuses the agency’s energies and gives a clear and steady direction to its many operations and functions.

Our strategic planning process involved the whole Office and I am very pleased with the outcome, which is a plan that combines high standards and goals with practical actions for achieving those goals.

Our vision, as articulated in our new Strategic Plan, is of ‘an Australian community in which privacy is valued and respected’. This simple but powerful vision lies at the heart of all our efforts to promote, protect and encourage respect for that simple but powerful value: privacy.

Many have commented on the upheaval we have seen in the past few decades (particularly in the realm of information technology) and how this has impacted on privacy and the way we make ourselves known to the world. But what hasn’t changed is that we will still need privacy to live full, autonomous and free lives.

Our Strategic Plan heralds the next instalment of our work to promote and protect this important value. The Plan is attached to this Annual Report at Appendix 8.

The new Strategic Plan and our submission to the ALRC review of privacy were major pieces of work for 2006–07. However there were many significant projects undertaken by my Office during the year.

During 2006–07 my Office continued to work closely with the Office of Access Card and the Consumer and Privacy Taskforce to provide advice on the privacy framework surrounding the proposed Health and Social Services Access Card.

In 2006–07, the Office also implemented many of the recommendations made in its Complaint Handling Review in an ongoing effort to reduce the complaint backlog and enhance our service standards and conciliation techniques.

In 2006, my Office joined with state and territory privacy regulators to promote ‘Privacy Awareness Week’. During the week, the Office released a number of promotional items and hosted an event at which the Attorney-General launched the Office’s new layered privacy policy, and Privacy Impact Assessment Guide.

In November 2006, my Office also marked the five year anniversary of the National Privacy Principles (NPPs). My Office hosted a function which offered a chance both to look back at how the NPPs had performed and to look forward. This event is, I hope, the first of many Privacy Connections events hosted by the Office to raise privacy awareness in the private sector.

The year ahead

In 2007–08, the Office will continue to host Privacy Connections events across Australia to raise awareness in the private sector about privacy obligations under the Privacy Act. These events will likely involve speakers from the Office as well as guest speakers sharing their knowledge of information handling in their organisations.

We will also work to promote privacy via the Privacy Awareness Week initiative, which in 2007 will be promoted in coordination with other data protection authorities in the Asia Pacific region.

In 2007, the Office will be releasing the results of community attitudes research it has commissioned. This research seeks to find out what individuals think about privacy in different contexts. The research will help the Office to ‘tune in’ to community expectations about privacy and will be vital for ensuring that Office operations and activities match the needs of key stakeholders.

During the reporting period, the Office undertook to audit all of its publications to check for accuracy and currency. In 2007–08 the Office will update publications based on the findings of the audit. Our aim is to have guidance material available to stakeholders that is clear, up-to-date, accessible, and written in plain English.

Tying in closely with the publications review is the redevelopment of the Office’s website which will be progressed in the coming year. The website redevelopment seeks to make our publications easy to find and improve the layout and accessibility of the Office’s online presence.

With many of the recommendations implemented from the Office’s Complaint Handling Review, the Office will move to taking a more proactive approach to encouraging compliance with the Privacy Act and look to address systemic privacy issues.

In 2007–08, the Office looks forward to participating in the next phase of the ALRC review of privacy. The ALRC is due to release a discussion paper in 2007 and then its final report in 2008. The Office will continue to consult with the ALRC during this period to ensure the best outcome for privacy legislation in Australia.

And finally, the Office is committed to implementing the actions and goals encompassed in its new Strategic Plan and work towards the vision of ‘an Australian community in which privacy is valued and respected’.

The year in review – a summary

A brief summary of the Office’s performance in 2006–07 is outlined below. A more detailed review of performance is contained in chapters 1 – 4.

Telephone Enquiries: The Office received 17 392 telephone enquiries in 2006–07 compared with 19 150 in 2005–06. This represents a 9% decrease in enquiries received by the Enquiries Line. See section 3.2.1 for further information.


Written Enquiries: The Office received 2182 enquiries by email, post or facsimile in 2006–07 compared with 2316 written enquiries reported in 2005–06. This represents a 6% decrease in the number of written enquiries received by the Office from the previous year. See section 3.2.2 for further information.

Complaints: The Office received 1094 complaints in 2006–07 compared with 1183 in 2005–06. This represents an 8% decrease in the number of complaints received by the Office from the previous year. See section 3.3.1 for further information. The Office closed 1210 complaints in 2006–07, representing a 7% increase from the previous year.

Case Notes: The Office published 24 case notes on complaints that were closed during the year. The case notes are prepared to illustrate matters that may have a significant impact on a large number of people. Case notes serve to demonstrate to members of the public how the Commissioner handles complaints. Case notes also serve as a possible indication of the Commissioner’s view in relation to aspects of privacy law. See section 3.5 for further information.

Determinations: In 2006–07, the Office renewed three credit provider determinations. See section 1.5.3 for further information.

On 23 December 2006, Temporary Public Interest Determinations (TPIDs) issued by the Privacy Commissioner, which allowed health practitioners to collect patients’ health information from the Prescription Shopping Information Service without consent, and without breaching NPP 10, expired. Amendments to the Privacy Act in 2006 removed the need for further TPIDs in this area. See section 1.6.3 for further information.

Complaint Handling Review: As signalled in last year’s Annual Report, and in line with Recommendation 42 of the Office’s 2005 report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, the Office has reviewed its complaint handling processes. A series of changes were recommended, and these changes have either been implemented, or are close to final implementation. Key changes include:


– clarifying our conciliation process

– new respondent and complainant response timeframes

– developing strategies to proactively pursue responses

– updating the Complaint Handling Manual

– drafting Determination guidelines and

– designing and implementing a uniform training program for Compliance Section staff.

Where changes directly affect complainants and respondents the Office has given stakeholders clear notice of the changes. For example, the Office announced the reduction in timeframes in the Office’s newsletter Privacy Matters and amended timeframes on its website. The impact of changes will be evaluated after they have been in operation for a reasonable period. This is likely to be within 12–18 months. See section 3.1 for further information about the Office’s compliance activities.

Media: 132 media enquiries were received in 2006–07. This represents an 11% decrease in comparison to the number of enquiries for 2005–06, in which the Office received 148 media enquiries. See section 2.3 for further information.

Speeches: 26 speeches and presentations were delivered in 2006–07. The presentations addressed ongoing and emerging privacy issues. Further information on speeches and presentations can be found at section 2.4 and a list of all speeches and presentations delivered by the Office can be found at Appendix 3.

Policy Advices: The Office produced 163 advices on significant policy issues. This represents a 20% increase in the number of policy advices the Office prepared in comparison to 2005–06.

Policy advices include letters and emails to government departments and agencies and private sector organisations on specific proposals, advice for guidance material published by the Commissioner and advice for inclusion in other reports and published documents.

The number of submissions made by the Office to public consultation processes is listed separately below.


Submissions: In 2006–07, the Commissioner provided 32 submissions to government departments and parliamentary inquiries on policy proposals or Bills before parliament, providing analysis on the privacy implications of the proposal or Bill and offering advice on methods to ensure privacy is appropriately considered and protected.

The following submissions were made by the Office:

– Research Study into Public Support for Science and Innovation; Productivity Commission (August 2006)

– Extradition and Mutual Assistance Treaties with Malaysia; Joint Standing Committee on Treaties (August 2006)

– Consultation on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Funding Bill 2006; Attorney-General’s Department (August 2006)

– Consultation on the Australian Government Health and Social Services Access Card – Discussion Paper Number 1; Department of Human Services: Access Card Consumer and Privacy Taskforce (August 2006)

– Industry Standard for the Making of Telemarketing Calls – Discussion Paper; Australian Communications and Media Authority (September 2006)

– Review of the Taxation Secrecy and Disclosure Provisions – Discussion Paper; Treasury (September 2006)

– Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006; Senate Legal and Constitutional Affairs Committee (October 2006)

– Review of Australia’s Mutual Assistance Law and Practice; Attorney-General’s Department (October 2006)

– Families, Community Services and Indigenous Affairs and Veterans’ Affairs Legislation Amendment (2006 Budget Measures) Bill 2006; Senate Standing Committee on Legal and Constitutional Affairs (November 2006)

– Queensland Law Reform Commission Guardianship Review Stage 1 – Confidentiality in the Guardianship System: Public Justice, Private Lives; Queensland Law Reform Commission (November 2006)

– Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006; Senate Legal and Constitutional Affairs Committee (November 2006)


– Consultation on the Exposure Draft of the Human Services (Enhanced Service Delivery) Bill 2007; Office of Access Card (January 2007)

– Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Draft Industry Standard 2006; Australian Communications and Media Authority (January 2007)

– Review of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Attorney-General’s Department (February 2007)

– Exposure Draft of the Telecommunications (Interception and Access) Amendment Bill 2007; Attorney-General’s Department (February 2007)

– Inquiry into the AusCheck Bill 2006; Senate Legal and Constitutional Affairs Committee (February 2007)

– Inquiry into the AusCheck Bill 2006 – Questions on Notice Supplementary Submission; Senate Legal and Constitutional Affairs Committee (February 2007)

– Australian Law Reform Commission Review of Privacy – Issues Paper 31; Australian Law Reform Commission (February 2007)

– Inquiry into the Human Services (Enhanced Service Delivery) Bill 2007; Senate Finance and Public Administration Committee (February 2007)

– Draft Consolidated Anti-Money Laundering and Counter-Terrorism Financing Rules; AUSTRAC (March 2007)

– Consultation Draft Telecommunications Integrated Public Number Database Scheme 2007; Australian Communications and Media Authority (March 2007)

– Consultation on the Privacy Blueprint – Unique Health Identifiers (Version 1.0); National E-Health Transition Authority (March 2007)

– Draft of Telecommunications Integrated Public Number Database Legislative Instruments 2007; Department of Communications, Information Technology and the Arts (March 2007)

– Consultation on the Australian Government Health and Social Services Access Card – Discussion Paper Number 2; Department of Human Services: Access Card Consumer and Privacy Taskforce (March 2007)

– Government Agency Coercive Information-Gathering Powers, Draft Report; Administrative Review Council (March 2007)

– Australian Law Reform Commission Review of Privacy – Issues Paper 32: Credit Reporting Provisions; Australian Law Reform Commission (April 2007)


– Consultation on the Australian Government Health and Social Services Access Card – Discussion Paper Number 3 on Registration; Department of Human Services: Access Card Consumer and Privacy Taskforce (April 2007)

– Consultation on Australian Government Smartcard Framework (version 0.12), Standards and Model Specification (‘Part c’); Australian Government Information Management Office (April 2007)

– Consultation on Australian Government Smartcard Framework Part d (Working Draft Version 2.0); Australian Government Information Management Office (May 2007)

– Research Calls on Sundays; Australian Communications and Media Authority (May 2007)

– Legal Professional Privilege and Commonwealth Investigatory Bodies – Issues Paper 33; Australian Law Reform Commission (June 2007)

– Consultation on Model Offences to Combat Identity Crime 2007; Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General (June 2007).

Karen Curtis Privacy Commissioner


Chapter 1 Respecting Privacy

1.1 Review of Performance

The Office’s work in reviewing new policy and legislative proposals during 2006–07 was extensive, with an increased number of new proposals involving the handling of personal information being analysed and commented on by the Office. The Office’s involvement with many of these proposals is detailed in the following sections.

The most significant of the proposals, the Health and Social Services Access Card (the Access Card), required considerable resources of the Office during the reporting period. To take account of this, the Department of Human Services entered into a Memorandum of Understanding (MOU) to provide the Office with additional resourcing to allow appropriate work on the various consultation papers and to allow the Office to engage in a number of government working groups on the Access Card.

During the year the Office also worked closely with the Department of Immigration and Citizenship, under an MOU, to assist the Department in relation to incorporating the knowledge and use of the Information Privacy Principles more effectively into its administrative practices.

These two MOUs, together with a number of other initiatives to build relationships with government agencies and businesses, reflect the Office’s goal of building and developing robust relationships as reflected in the 2007–09 Strategic Plan.

The other significant piece of policy work undertaken by the Office in 2006–07 was the development of our two submissions to the Australian Law Reform Commission (ALRC) review of privacy. This work meant drawing on the whole of the organisation’s resources and the extensive knowledge of its officers.

Undertaking the development or confirmation of the Office’s position on each of the ALRC’s 142 questions was a very significant task but the result is a comprehensive document detailing much of the Office’s understanding of the current law and our analysis of where it works well and what could be improved.

Altogether the Office made 32 public submissions during the reporting period, including the 474-page submission to the ALRC and several other substantial submissions, for example in relation to the proposed Access Card and the Anti-Money Laundering and Counter-Terrorism Financing legislation. In terms of numbers of submissions alone this year saw a 70% increase on 2005–06.

During the reporting period the Office also released a number of reports and information products. These included the Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS Claims Information (the section 135AA guidelines), the Review Report on the Credit Reporting Assignees and Classes Determinations, the finalised Privacy Impact Assessment Guide and an Information Sheet on the Prescription Shopping Information Service.

In addition, during the reporting period the Privacy Commissioner approved the Biometrics Institute Privacy Code and a minor variation to the Market and Social Research Privacy Code, and renewed three credit provider determinations.

The 32 submissions completed during the reporting period together with the various review reports, credit determinations and the information sheet have greatly assisted the Office to achieve the 2007–09 Strategic Plan goals of high quality results and increased awareness of privacy choices and obligations within the community.

1.2 Australian Law Reform Commission Review of Privacy

In response to the release of the Australian Law Reform Commission (ALRC) Review of Privacy – Issues Paper 31 (IP31), all sections of the Office were involved in the research and preparation of a comprehensive submission. Many of the recommendations from the Office’s 2005 report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 were discussed and developed further.

In February 2007 the Office made a 474-page submission to the ALRC. The submission identified a wide range of issues in areas as diverse as health, technology and telecommunications.

While acknowledging that the existing principles in the Privacy Act are generally operating well, the Office made numerous suggestions to improve Australian privacy regulation. Amongst its suggestions, the Office called for a merging of the two sets of privacy principles in the Privacy Act to create a new single set of principles, as well as greater national consistency in privacy regulation.

As well, in order to create optimal privacy protection for people’s health information and help to clarify health service provider obligations, the Office suggested that the Privacy Act should ‘cover the field’ in regulating health service providers in the private sector.

In relation to new technologies, the Office made a number of suggestions including:

– the Privacy Act should remain technology neutral to allow for sufficient regulatory flexibility

– in certain circumstances, organisations should be required to notify customers of a security breach that has made their personal information vulnerable

– biometric information should be classified as sensitive information under the Privacy Act to ensure that it is afforded a higher level of privacy protection than other forms of personal information.

In response to the ALRC’s second issues paper, ALRC Review of Privacy – Issues Paper 32: Credit Reporting Provisions (IP32), the Office made a second detailed submission in April 2007.

The Office noted that the regulation of personal credit information could be improved to reduce complexity while still maintaining strong privacy protections. As a way of achieving this, the Office recommended that the existing credit reporting provisions could be repealed and replaced by the National Privacy Principles operating in tandem with a binding code.

The Office also suggested to the ALRC that the Privacy Commissioner be provided with additional options for dealing with breaches depending on the type and seriousness of the breach. In particular, the Office submitted that the Privacy Commissioner should be given stronger powers to handle systemic issues within the credit industry and issues arising from industry practice. Additionally, the Office recommended that independent research be undertaken into the impact that comprehensive credit reporting would have in Australia.

Overall, the Office’s response to IP32 reflected a continuing commitment to helping Australians retain choice and control over the use of their personal credit information.

The complete Office submissions to the two ALRC issues papers can be found at:

– IP31: www.privacy.gov.au/publications/alrc280207.html

– IP32: www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.html.

The Office will continue to be closely engaged in the ALRC’s review, which is expected to be completed in early 2008.


1.3 Privacy and the Australian Government

This section discusses the work the Office did during the reporting period in relation to Commonwealth legislation and/or Australian Government activity.

Please note, however, that some areas of the Office’s work relating to the Australian Government are discussed in other sections of this Chapter (for example, 1.5 Business; 1.6 Health; 1.7 Information and Communications Technology).

1.3.1 Guide to Privacy Impact Assessments

In August 2006 the Office launched the Privacy Impact Assessment (PIA) Guide. The Attorney-General, the Hon. Philip Ruddock MP, was present to launch the document.

The PIA Guide is intended to assist Australian and ACT Government agencies to determine the impact new organisational proposals could have on privacy. The PIA Guide enables agencies to critically examine and assess their project’s capacity to comply with the Privacy Act, as well as inform agencies about broader privacy issues raised by the project. While the PIA Guide has been targeted at agencies, private sector organisations could also find it useful.

The Office has provided advice to agencies on the PIA process and received feedback that the Guide has assisted agencies to critically examine and assess their project’s capacity to comply with the Privacy Act, to build privacy safeguards into their projects at an early stage and minimise the need for retrospective and reactive privacy measures.

The PIA Guide can be found on the Office’s website at www.privacy.gov.au/publications/pia06/index.html.

1.3.2 Australian Government Health and Social Services Access Card

The Office made three submissions to the Minister for Human Services’ Access Card Consumer and Privacy Taskforce. These were made in response to the discussion papers released by the Taskforce concerning, respectively, the broad policy and implementation of the Access Card, the storage of optional and voluntary health information on the Access Card, and registration for the Access Card. These submissions are available at www.privacy.gov.au/news/access-card.html.

The Office proposed that ensuring adequate privacy protections will be important to promoting community trust and confidence in the Access Card system (comprising the card itself, as well as associated infrastructure and functions). The Office noted that a robust privacy framework is dependent on ensuring that reliance is not placed on one form of privacy protection. The Office suggested that such protections should be multifaceted, incorporating:

– fundamental system design, including card design, system architecture and the parameters governing what information is collected and what information flows are possible

– technological measures, including, but not limited to, data security initiatives, as well as measures to minimise the degree to which existing systems become increasingly integrated, a consequence of which may be new and potentially privacy invasive flows of personal information

– legislative measures, including defining the extent of the functions of the Access Card, proscribing purposes that fall outside those functions and introducing sanctions for misusing any aspect of the system or the personal information it handles and

– oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

In December 2006 the Office entered into an agreement in the form of a Memorandum of Understanding with the Department of Human Services (see section 4.1.5) which allows for close consultation on privacy-related issues in the development and roll-out of the Access Card.

Under the agreement, the Office will provide advice to the Department on the privacy implications of the Access Card system, participate in site visits with registration authorities to observe and analyse the privacy aspects of the registration process, and assist in the development of privacy-related information and educational materials.

1.3.3 Department of Immigration and Citizenship

The Office entered into a Memorandum of Understanding (MOU) with the Department of Immigration and Citizenship (DIAC) for 2006–07 (see section 4.1.7). Entering into the MOU was one aspect of DIAC’s change management strategies following the intensive policy review undertaken after the release of the Palmer and Comrie reports.

DIAC identified the need to assess and improve the manner in which it addressed privacy issues in fulfilling its statutory functions. Recognising the benefits of close cooperation with the Office on privacy issues, and without compromising the independence of the Office, DIAC entered into the MOU to provide the Office with funding to allow dedicated resources to be deployed to assist DIAC in its objective.

Under the MOU the Office provided advice to DIAC on the development of various guidance and training materials in the reporting period. This included advice on Privacy Impact Assessments and Checklists, privacy guidelines for staff, training scenarios and Information Privacy Principle (IPP) Flowcharts specifically related to IPP 11 disclosure obligations.

More information about Privacy Impact Assessments and Checklists is available at www.privacy.gov.au/publications/pia06/index.html.

1.3.4 Australian Government Information Management Office – Australian Government Smartcard Framework

The Office made submissions on Part c of the Australian Government Smartcard Framework which deals with Standards and Model Specification in April 2007, and Part d of the Framework, the Smartcard Implementation Guide in May 2007.

The Office’s comments in these two submissions primarily related to the management of interoperability for a particular smartcard project, while minimising the risk of function creep. The Office suggested that careful consideration should be given to the necessity of collecting and retaining personal information, including the creation and display of identifiers, in any smartcard project whether this information was intended to be on the smartcard, the chip or on the supporting systems. The Office also noted that the success of a smartcard project is likely to be linked to user acceptance and adoption of the smartcard, which can be assisted by good privacy practices.

1.3.5 Identity and Border Security

In the 2006–07 Budget, the Office received funding to allow it to participate in the development of a National Identity Security Strategy. The Privacy Commissioner is a member of the Commonwealth Reference Group on Identity Security (CRGIS) convened by the Attorney-General’s Department to assist in developing this national strategy. The Office has attended a number of meetings of the CRGIS and its working groups during 2006–07.

The Privacy Commissioner is also represented on the National Identity Security Coordination Group (NISCG). In 2006–07 the Office attended a number of meetings of the NISCG and provided comments on the development of an Inter-Governmental Agreement (IGA).


The Prime Minister, Premiers and Chief Ministers signed the IGA at the Council of Australian Governments (COAG) meeting on 13 April 2007. At that meeting, COAG also noted the progress made to date in giving effect to the six elements of the Strategy, and acknowledged the value of this work as reference documents for Australian Government agencies.

Information on the IGA can be found at www.coag.gov.au/meetings/130407.

There are five working groups under the CRGIS framework. These include working groups on the Document Verification Service (DVS), Integrity of Identity Data, Authentication, Security Standards for Proof of Identity and Proof of Identity.

The current funding is tied to the Office’s work in the Identity Security area, particularly in relation to the DVS. The Office has member status on the DVS Working Group. In 2006–07 the Office published on its website the final Audit report on the DVS prototype pilot completed in 2005–06. The Office also commented on the Privacy Impact Assessment (PIA) prepared by the Attorney-General’s Department in relation to the DVS.

The Privacy Commissioner is also represented as a member on the Integrity of Identity Data Working Group. During the reporting period the Office provided comment on the Memorandum of Understanding between the Attorney-General’s Department, the Australian Taxation Office and participating agencies for the Integrity of Identity Data Pilot and the PIA for the Integrity of Identity Data Pilot.

The Privacy Commissioner is not represented on the Authentication Working Group, which is a part of the CRGIS governance framework, but has observer status on this working group. However, related to this, during the reporting period the Office made submissions on the Australian Government Smartcard Framework (see section 1.3.4) and provided comment on amendments to the Public Key Infrastructure Gatekeeper Framework and comments on the Australian Government e-Authentication Framework (to cover government transactions with individuals).

1.3.6 Law Enforcement

The Anti-Terrorism Act (No.2) 2005 requires the Australian Federal Police to develop three sets of guidelines for the collection, use, handling, retention and disposal of personal information in relation to:

– the police powers to stop, question and search

– the expansion to the Australian Federal Police powers to obtain information and

– optical surveillance.


The Office received funding to assist the Australian Federal Police, in consultation with the Attorney-General’s Department, to develop guidelines.

The Office has commenced consultation with the Australian Federal Police on this and expects the guidelines will be completed in 2007–08.

1.3.7 AusCheck

In February 2007, the Office made a submission to and appeared before the Senate Legal and Constitutional Affairs Committee’s inquiry into the AusCheck Bill 2006. The Bill established the regulatory framework around the creation of a centralised Australian Government managed background checking service to be known as ‘AusCheck’.

The Office noted that the establishment of a background checking service that was a prerequisite to obtaining or maintaining employment would involve the collection and handling of significant amounts of personal information, including potentially sensitive information. Consequently, the Office submitted that the Bill could be enhanced by providing more details regarding the:

– purposes for which AusCheck’s background checking function may be applied

– breadth of information that may be collected and assessed during a background check

– use and disclosure of the information collected.

Following the Committee’s inquiry, the AusCheck Bill 2006 was subsequently amended and reflected several of the Office’s recommendations, including:

– a reduction in the initially broad scope of the purposes that the AusCheck scheme may be used for

– a clarification that the authorisation of the collection, use and disclosure of personal information should be for the purposes of AusCheck’s function or purposes directly related to AusCheck’s function and

– an explicit provision requiring that the use and disclosure of personal information be limited to that which is directly necessary and to the extent necessary, for security identification card verification.

On 28 March 2007, the AusCheck Act 2007 was passed and on 7 June 2007, the AusCheck Regulations 2007 were made.

During the reporting period, AusCheck also made a request for a partial exclusion from the federal Spent Convictions Scheme. In fulfilling her statutory function under s. 85ZZ(1)(b) of the Crimes Act 1914, the Commissioner examined the request and provided advice to the Minister for Justice and Customs regarding whether the exclusion should be granted. The amendment was subsequently granted by the Minister for Justice and Customs and the Crimes Regulations 1990 were amended on 7 June 2007.

1.3.8 Anti-Money Laundering and Counter-Terrorism Financing

On 24 August 2006, the Office made a submission to the Attorney-General’s Department on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006.

The Office has continued to note that collection of personal financial information is likely to increase significantly under the Bill. Therefore, while recognising the potential benefits to the community of measures to address money laundering and terrorism financing, the appropriate balance must be achieved.

Also as previously noted by the Office, Australia’s financial transactions reporting regime was introduced as a response to major crime and any broadening of the scope of its application may raise privacy issues.

Accordingly, the Office made a number of recommendations aimed at ensuring that adequate privacy protections be applied consistently across reporting entities and users of the information, and that the handling of this personal information was subject to appropriate privacy regulation.

More specifically, the recommendations made by the Office included those listed below.

– A separate process should be undertaken to consider the issue of whether Australian Government agencies, other than the traditional law enforcement agencies, should be able to have direct access to AUSTRAC information for purposes unrelated to anti-money laundering and counter-terrorism financing.

– The Bill needs to ensure that information collected by AUSTRAC that is passed on to state and territory government agencies will be subject to adequate privacy protection. Not all states and territories have enacted privacy legislation, which means there is a lack of uniformity in the protections and the remedies available.

– There should be limits on how long the information collected under this legislation should be kept by reporting entities and government agencies.

The Office also recommended that a Privacy Impact Assessment (PIA) be conducted on the operation of this legislation.


A company engaged by the Attorney-General’s Department, Salinger & Co, released its PIA regarding the second exposure draft of the Bill on 15 September 2006. This document is available from the Attorney-General’s Department website.

In November 2006, the Office made a submission to the Senate Legal and Constitutional Affairs Committee’s Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006.

The Office continues to play an active role in the development of Anti-Money Laundering and Counter-Terrorism Financing legislation through its membership on industry and government forums, producing guidance material and providing comments on relevant issues.

During the reporting period the Office received funding of approximately $1.8 million over four years to provide guidance and assistance to small business operators to meet their obligations under anti-money laundering legislation, and to conduct auditing and compliance activity.

1.3.9 Emergencies and Disasters

In September 2006, the Office made a submission to the Senate Legal and Constitutional Affairs Committee’s Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006.

The Bill clarified the legal basis for disclosure of personal information in the event of an emergency or disaster. The Office made some suggestions for improvements to give more definition of the circumstances under which the provisions could operate. These suggestions included:

– the inclusion of criteria as to what constitutes a disaster or emergency

– the clarification of ‘permitted purpose’ as ‘a purpose directly related to’ the emergency or disaster and

– stronger mechanisms to ensure that normal processes protecting personal information disclosures and uses are resumed as soon as possible.

The Bill was passed with two amendments. The first amendment limited ‘permitted purpose’ to a purpose that ‘directly’ relates to the Commonwealth’s response to an emergency or disaster. The second imposed a maximum period of 12 months to a declaration of emergency. The new provisions are found in Part VIA of the Privacy Act.

After the Bill passed, Regulations were made under the Privacy Act on 13 December 2006. These exempt the secrecy provisions of the Census and Statistics Act 1905 from Part VIA of the Privacy Act. These Regulations confirm that data collected by the Australian Bureau of Statistics for statistical purposes will only be used for statistical purposes.

1.3.10 Government Agency Coercive Information-Gathering Powers

The Office made a submission to the Administrative Review Council’s draft Report into Government Agency Coercive Information-Gathering Powers in March 2007.

The Office’s comments primarily related to the Office’s experience in promoting an understanding of the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and investigating complaints about acts or practices of agencies or organisations that may breach an IPP or NPP.

The Office suggested that the Council may wish to consider the issue of coercive information-gathering from a broader privacy perspective, giving more prominence to the privacy obligations and interests of organisations, agencies and individuals and clarifying the role of the IPPs and the NPPs in its report.

1.3.11 Taxation Secrecy and Disclosure Provisions Review

In September 2006, the Office made a submission to the Treasury on the Review of the Taxation Secrecy and Disclosure Provisions.

The secrecy provisions in tax legislation provide protections for personal (taxpayer) information in addition to those protections already provided by the Information Privacy Principles in the Privacy Act. The Office expressed concern that any proposal to reduce privacy safeguards currently offered by the secrecy provisions could risk a lessening in community confidence, and therefore any proposal to amend the protections should be approached with care.

1.3.12 Personal Property Securities

In February 2007 the Office provided comments to the Attorney-General’s Department in relation to the Standing Committee of Attorneys-General (SCAG) review of Australian personal property securities law. The review aims to develop a national register that will consolidate all security interests that are created by a contractual agreement and which are held over personal property.


The Office noted that the proposed national register would include personal information relating to the financial and credit affairs of a large number of individuals and had the potential to raise a number of privacy-related issues. The Office made a number of suggestions to reduce potential privacy risks. These suggestions included:

– a Privacy Impact Assessment should be undertaken

– only those individuals or entities that have a demonstrated need to access information on the database should be able to do so

– personal information on the register should be minimised wherever possible and

– mechanisms should be developed to ensure that faulty listings do not remain on the register indefinitely.

The personal property securities review is continuing. In the 2007–08 budget $113.3 million over five years was allocated to harmonise Australia’s personal property securities laws in one Commonwealth Act and develop a single national online register of personal property securities interests.

The Office will continue to provide advice to the Australian Government on the development of the register.

1.3.13 Mutual Assistance and Extradition

In October 2006, the Office made a submission to the review conducted by the Attorney-General’s Department regarding Australia’s mutual assistance law and practice. This submission reiterated the comments of the Office’s earlier March 2006 submission regarding the review of extradition arrangements conducted by the Attorney-General’s Department.

The Office noted that there is a need for clarity and certainty regarding how an individual’s personal information may be handled pursuant to extradition or mutual assistance matters to ensure that it is afforded appropriate privacy protections. This certainty would likely be best achieved by the enactment of clear legislative authority for such exchanges.

Specifically, the Office also commented on the following issues raised by the review:

– grounds for refusal to provide personal information where the requesting country’s arrangements for handling that information do not offer privacy protections substantially similar to those applying in Australia

– handling of DNA samples and information from persons without consent should be subject to a form of judicial oversight and consideration should be given to the protections afforded that information in the new jurisdiction before disclosing

– provision of information from the DNA Database and DNA matching

– handling of telecommunications interception material and surveillance device material.

The Office looks forward to the further opportunity for engagement on these issues.

1.4 Privacy and the Australian Capital Territory Government

In 2006–07 the Office continued to provide advice to ACT Government agencies. The Office provided detailed comments to the Department of Health on the obligations surrounding the collection of personal information in the implementation of a Health Management Plan for Pandemic Influenza and comments to the Department of Disability Housing and Community Services on the exposure draft for the Children and Young People Amendment Bill 2007. The Office also engaged with the Department of Health on the issue of iris scanning.

The Office also reviewed the exposure draft of the Planning and Development Bill 2006, providing comments to the ACT Planning and Land Authority (the Authority) on the Authority’s legal requirement to collect personal information and the manner in which that information was to be disclosed. The Office provided further comment to the Authority on the Planning and Development (Consequential Amendment) Bill 2007.

1.5 Privacy and Business

1.5.1 Review of the Private Sector Provisions of the Privacy Act

In November 2006, the Office welcomed the Australian Government’s response to its 2005 report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the Office’s 2005 report). The response is available at www.ag.gov.au/www/agd/agd.nsf/Page/Privacy_GovernmentresponsestoPrivacyActreports.

In its response, the Government either accepted, noted or referred to the Australian Law Reform Commission (ALRC) for further discussion, 81 of the 85 recommendations that were made in the Office’s 2005 report.


The Office notes that three of the key recommendations in its 2005 report had already been taken up by the Government prior to the release of its response to the report. These include the:

– establishment of a wide-ranging review by the ALRC into Australia’s privacy-related legislative framework (see section 1.2)

– creation of a Do Not Call Register for telemarketing calls and

– extension of Privacy Act coverage to all residential tenancy database operators.

During the reporting period, the work of the Office continued to be shaped by the recommendations in its 2005 report. In particular, the Office made two comprehensive submissions to the ALRC review of privacy. As noted, the ALRC review is a response to a key recommendation made by the Office in its 2005 report.

In addition, the Office is currently working to implement those recommendations in its 2005 report concerning the Office’s functions. Specifically, work has been commenced on the development of guidance materials and publications that relate to particular recommendations.

The Office has also progressed planning to give effect to various health-related recommendations of the Review during the first half of 2007–08.

1.5.2 Privacy Codes

Part IIIAA of the Privacy Act allows organisations to apply to the Privacy Commissioner for approval of a Privacy Code that will replace the National Privacy Principles for organisations bound by that Code.

Biometrics Institute Privacy Code

On 19 July 2006 the Privacy Commissioner approved the Biometrics Institute Privacy Code under s. 18BB of the Privacy Act. The code came into operation on 1 September 2006 and is available on the Biometrics Institute website at www.biometricsinstitute.org.

Market and Social Research Privacy Code

Following a review of the Market and Social Research Privacy Code, the Association of Market and Social Research Organisations (AMSRO) made an application to vary the code under s. 18BD(1) of the Privacy Act. The Privacy Commissioner approved this variation under s. 18BD(2), to take effect on 30 June 2007.


Queensland Club Industry Privacy Code

Following a review of the Queensland Club Industry Privacy Code, Clubs Queensland made an application to vary the code under s. 18BD(1) of the Privacy Act. The Office is currently reviewing this application.

More information, including the Register of Approved Privacy Codes, can be found on the Office’s website at www.privacy.gov.au/business/codes/index.html.

1.5.3 Credit Reporting

Credit Provider Determinations

In the previous reporting period, three credit provider determinations made under the Privacy Act were renewed for short periods to allow the Office time to consult with the community about how these determinations have operated and the terms in which any further determinations should be cast. As part of this review, two consultation papers covering the three determinations were released for public comment.

In the current reporting period, the Office analysed the submissions received during the consultation process and produced a report relating to one of the consultation papers. This report on the review of Determination No. 2006–3 Assignees (the Assignees Determination) and Determination No. 2006–4 Classes of Credit Providers (the Classes Determination) is available at www.privacy.gov.au/act/credit/cpdreport.html.

The consultation on the operation of the third determination, Determination No. 2006–5 (Indigenous Business Australia) (the IBA Determination), and the experience of the Office demonstrated that the IBA Determination had operated effectively and provided unanimous support for the renewal of the IBA Determination.

Consequently, the three determinations were renewed.

Issues Paper 32 – Review of Privacy: Credit Reporting Provisions

In December 2006, the Australian Law Reform Commission (ALRC) published its Issues Paper 32 – Review of Privacy: Credit Reporting Provisions (IP32) as part of its wider review of privacy regulation in Australia. The Office made a submission to IP32 in April 2007. See section 1.2 for further information.


1.5.4 Tax File Number Guidelines

During the reporting period there were no changes to the Tax File Number Guidelines issued by the Privacy Commissioner under s. 17 of the Privacy Act. These guidelines, which have the effect of law, regulate the collection, storage, use and security of Tax File Numbers.

1.5.5 Research and Data-Holding

The Office has commented on a number of research and data holding initiatives through consultative relationships and its membership on various committees and working groups. In particular the Office has made a contribution to the National Data Network, the Prime Minister’s Science Education and Innovation Council and the Productivity Commission’s research study.

The National Data Network

The National Data Network (NDN) provides a distributed library of data holdings relevant to policy analysis and research. These data holdings remain held and controlled by their Custodian organisations.

During the reporting period, the Office has been involved with the NDN Working Group and NDN Interim Governing Board. These bodies have been involved in the development of a framework of policies and procedures to support the data sharing activities and creation of privacy-preserving data management tools.

The Office played an integral role in securing the agreement from the NDN Interim Governing Board to complete Privacy Impact Assessments as part of any data-sharing pilots.

In view of the significant privacy objectives that have been achieved, the Deputy Privacy Commissioner resigned from the Working Group and the Interim Governing Board on 28 May 2007. The Office will maintain its engagement with NDN on a consultative basis.

The Prime Minister’s Science Education and Innovation Council

The Prime Minister’s Science Education and Innovation Council (PMSEIC) was established in 1997 and its function is to provide the Australian Government with independent advice on issues of science, engineering and innovation and relevant aspects of education and training. The Council meets in June and December each year to discuss and report on relevant issues. The Office has made submissions and provided comment on specific research issues impacting privacy.


In September, the Office responded to an issues paper produced by the PMSEIC Working Group which was seeking to assess the opportunities and risks of creating a national database for research purposes. The PMSEIC final report, including recommendations, was presented at the PMSEIC December meeting. Recommendation 8 supported the Office’s general advice in reference to the need for health research agencies to develop best practice policies, practices and methodologies while protecting privacy. The report examined and identified privacy regulation and its future impacts.

It is expected that the Office will have ongoing engagement with PMSEIC in the future, on a consultative basis.

During the reporting period the Office responded to the Research Study into Public Support for Science and Innovation undertaken by the Productivity Commission. The Office made a submission in August 2006 with the following emphases:

– how to balance individuals’ right to choice in relation to the use of their health information against the public interest of conducting research

– the need to provide guidelines about de-identification in terms of information used for research and

– the Office’s commitment to work with the National Health and Medical Research Council to simplify guidelines for health research ethics committees in terms of the section 95AA Guidelines (see section 1.6.4).

1.6 Privacy and the Health Sector

1.6.1 Electronic Health Records

The Office engaged with a number of bodies, including state government entities, on matters related to electronic health records.

The Office also discussed electronic health records in its submission to the Australian Law Reform Commission (ALRC) review of privacy (See section 1.2). The Office noted that such systems have the potential to vastly increase the capacity to collect, store, copy, transmit, share and modify health information, including in ways not expected by individuals. Accordingly, electronic health records systems should only be pursued where accompanied by legislative measures that clearly set out and limit their operation and scope.

In March 2007, the Office made a submission to the National E-Health Transition Authority on its Privacy Blueprint for Unique Health Identifiers. The Office noted that a challenge for such identifiers is to ensure that such a highly reliable identifier is not used for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined. This was a view also expressed in Chapter 8 of the Office’s submission to the ALRC review of privacy.

1.6.2 Section 135AA Guidelines Review

The section 135AA Guidelines (the Guidelines) are issued by the Privacy Commissioner under section 135AA of the National Health Act 1953 and issuing the Guidelines is a function of the Privacy Commissioner under s. 27(1)(pa) of the Privacy Act. The Guidelines apply to the handling of information obtained by any Australian Government agency in connection with a claim under the Medicare Benefits Program or the Pharmaceutical Benefits Scheme (PBS).

The Office released its Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS claims information on 1 August 2006. The Report makes 25 findings on matters related to the Guidelines. Some of these findings require new Guidelines or changes to the Guidelines, while others describe the Office’s interpretation of matters relevant to the Guidelines.

The key findings are:

– an additional permitted linkage for claims information for the purpose of an individual accessing their record (see Finding 2)

– the prohibition against storing Medicare and PBS claims information should apply to all agencies (see Finding 23)

– changes should be made to the periods for which Medicare Australia may retain claims information in linked and unlinked form (see Findings 6, 7 and 8)

– some changes are required in relation to how the Department of Health and Ageing may handle claims information (see Findings 14-21).

The Office has commenced the development of new Guidelines that reflect the findings of this review. The Office is liaising with Medicare Australia and the Department of Health and Ageing and is proposing to issue the new Guidelines during 2007–08.


1.6.3 Prescription Shopping Information Service

On 14 September 2006, the Australian Parliament enacted the Privacy Legislation Amendment Act 2006, amending the National Health Act 1953 and the Privacy Act, to ensure that medical practitioners can continue to collect patients’ health information that is available through Medicare Australia’s Prescription Shopping Information Service (PSIS), without being in breach of the Privacy Act.

This practice had previously been the subject of two Temporary Public Interest Determinations issued by the Privacy Commissioner.

On 4 May 2007, the Privacy Commissioner released a new Information Sheet on the Privacy Act and the PSIS. The Information Sheet was developed in consultation with Medicare Australia and a number of other health and privacy stakeholders. It is intended to provide private sector medical practitioners with guidance on their obligations when using the PSIS. The Information Sheet is available at www.privacy.gov.au/publications/IS19_07.html.

1.6.4 Section 95AA Guidelines

In response to the 2003 report by the Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee of the National Health and Medical Research Council (NHMRC) entitled Essentially Yours: The Protection of Human Genetic Information in Australia, the Privacy Legislation Amendment Act 2006 introduced National Privacy Principle 2.1(ea). This amendment creates a discretion for organisations to use or disclose genetic information about an individual where necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of a genetic relative.

Any use or disclosure must be in accordance with guidelines made by the NHMRC under s. 95AA of the Privacy Act, and approved by the Privacy Commissioner.

Prior to the guidelines being submitted for approval, the Office will work with the NHMRC as it progresses their development.

1.7 Privacy and the Information and Communications Technology Sector

1.7.1 Do Not Call Register

The Government launched the Do Not Call Register in May 2007. The Office strongly supported the introduction of this register. It is a partial response to Recommendation 25 of the Office’s 2005 report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

In the reporting period, the Office also played an active role in the implementation of the register through its consultations with the Do Not Call Taskforce on the draft Determinations, Standards and Ministerial instruments. In September 2006, the Office provided a submission to the Australian Communications and Media Authority’s Industry Standard for the Making of Telemarketing Calls Discussion Paper. In addition, the Deputy Privacy Commissioner served as a member of the Do Not Call Register Scheme Steering Committee.

1.7.2 Integrated Public Number Database

In March 2007, the Office made a submission to the Australian Communications and Media Authority (ACMA) on the consultation draft of the Telecommunications Integrated Public Number Database Scheme 2007 (the Scheme). The Telecommunications Amendment (Integrated Public Number Database) Act 2006 (the IPND Amendment Act) requires ACMA to, by legislative instrument, develop a scheme for granting authorisation enabling access to and use of the information in the IPND for specified purposes, such as for the purposes of producing a public number directory or for research.

The Department of Communications, Information Technology and the Arts (DCITA), on behalf of the Minister, has responsibility for drafting legislative instruments. There are seven instruments that may be made by the Minister. DCITA has produced draft instruments for additional Public Number Directory requirements, additional Public Number Directory information, Criteria for Deciding Applications, Permitted Research, and Conditions of Authorisation.

In March 2007, the Office made a submission to DCITA on these draft legislative instruments relating to IPND access arrangements published for comment by DCITA under the IPND Amendment Act. The Office also met with DCITA representatives to discuss issues raised in the Office’s submission.

The Office submitted that permitted use of the IPND for research should only be non-commercial rather than ‘primarily non-commercial’. The Office also recommended that DCITA define how the public interest of proposed research would be determined and proposed that IPND access users should opt in to coverage under the National Privacy Principles.

The finalised instruments allow researchers’ access to the IPND for primarily non-commercial purposes. However, examples defining the terms ‘primarily’ and ‘non-commercial’ are provided in the Explanatory Statement to assist ACMA in administering the Scheme. The instruments also allow ACMA to impose specific privacy obligations on IPND data users. The Scheme came into force on 15 May 2007.

1.7.3 Telecommunications and E-Marketing Industry Codes

The Telecommunications Act 1997 provides for the telecommunications and e-marketing industries to develop industry codes. Such codes can be enforced after they are registered with the Australian Communications and Media Authority (ACMA). Where telecommunications or e-marketing industry codes deal with privacy issues, it is a requirement that the Privacy Commissioner be consulted before ACMA registers a code.

In 2006, the Australian Communications Industry Forum (ACIF) and Service Providers Association Inc (SPAN) merged to form the telecommunications industry body Communications Alliance Ltd (Communications Alliance). Communications Alliance now handles the ACIF process for developing documentary outputs, including industry codes. The Office was consulted by Communications Alliance on eight ACIF codes during the reporting period. One of the codes currently under development, the Telecommunications Consumer Protection Code, is intended to consolidate the industry approach to issues covered by six ACIF codes.

1.7.4 Telecommunications Interception Legislation

In February 2007, the Office made a submission to the Attorney-General’s Department on the exposure draft of the Telecommunications (Interception and Access) Amendment Bill 2007 (the Bill).

The Bill is the second stage of the Australian Government’s legislative program to implement the recommendations from the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979 conducted by Mr Anthony S Blunn AO (the Blunn Review).

One of the key recommendations of the Blunn Review was that interception activity of law enforcement agencies and civil enforcement bodies should be consolidated under one legislative regime. The Bill was the second stage in the implementation of that recommendation, following the introduction of the Telecommunications (Interception) Amendment Act 2006.

In its submission, the Office recommended that:

– the voluntary disclosure provisions could be made clearer in relation to content and call data to reduce the risk of carriers committing inadvertent breaches


– there is merit in defining call data, or giving examples in the proposed Amendment Bill as to what might be considered ‘information or document’ as opposed to ‘contents or substance of a communication’

– further guidance be provided where the privacy of telecommunications users needs to be taken into account when making decisions and

– the operation of the Telecommunications (Interception) Amendment Act 2006 should be subject to overall independent review, including key stakeholder and public consultation, at least every five years.

A Bill was introduced into parliament on 14 June 2007 and was referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 1 August 2007. In terms of the Office’s previous comments, the Explanatory Memorandum accompanying the Bill now defines the distinction between call data and ‘information and documents’.


Chapter 2 Promoting Privacy

2.1 Review of Performance

In 2006–07 the Office revised its Communications Strategy in line with its Budget commitments and goals set out in the Office’s 2007–09 Strategic Plan (see Appendix 8 and the Commissioner’s Overview for further information). The Office’s increased funding has allowed its communications unit to progress a range of projects and initiatives aimed at assisting organisations and individuals to better understand their rights and responsibilities under the Privacy Act.

An important communications focus for the Office is facilitating networking and working closely with key stakeholders to promote a broader understanding of privacy. This year the Office:

– re-energised the Privacy Connections network of privacy professionals in the private sector (see section 2.7.1)

– worked with the Privacy and Information Commissioners of New South Wales, Victoria and the Northern Territory to participate in the first national Privacy Awareness Week (see section 2.7.3) and

– launched an international privacy themed writing competition targeting youth with the Commissioners of the Asia Pacific Privacy Authorities forum (see section 2.9.1).

2006–07 also saw the introduction of the Office’s Privacy Matters newsletter (see section 2.5.1). The newsletter is an important tool for the Office, allowing it to communicate important information to stakeholders on a regular basis throughout the year. In addition to downloads from the website, subscriptions to the newsletter have increased steadily, with the newsletter now reaching over 600 subscribers.

A significant undertaking for the Office is the review of its publications. During the year the Office audited its existing material with the aim of identifying and correcting any inaccurate or outdated material (see section 2.5.2).

As its main communication tool, the Office recognises the value of maintaining and improving the content and services delivered through its website. With this in mind, the Office commenced work on the redevelopment of the website, looking at ways of meeting the needs of its current users and offering services and refining content to attract new users (see section 2.2.1). The redevelopment of the website will continue into the next reporting period and will ensure that the website continues to be a valuable source of information for users with an interest in privacy.

2.2 Privacy Website

The Office’s website (www.privacy.gov.au) again features very prominently in the Office’s new 2007–08 Communications Strategy and 2007–09 Strategic Plan. The website continues to be the critical hub for the communication of the Office’s privacy messages.

2.2.1 Website Redevelopment

To ensure that the Office’s website continues to play the role of communications hub effectively, the Office has embarked on a project to redevelop the website. This is considered to be an important project, especially since the last major website redevelopment was completed when the private sector provisions commenced in 2001.

In the reporting period, the Office conducted a range of consultations including:

– website and intranet-based external and internal user surveys between December 2006 and April 2007

– email-based survey sent to a wide range of domestic and international Office stakeholders, including informal discussions where appropriate

– focus groups and other informal discussions with internal users and

– discussions with a range of other participants who have detailed experience in website redevelopments or familiarity with the Office’s website.

The Office’s focus is now on developing and implementing an action plan which aims to put into place many of the recommendations received during these consultations.

2.2.2 Website Usage

The Office’s website (www.privacy.gov.au) increased its traffic from the previous reporting year. Visits to the website increased by 541 996 sessions during 2006–07 compared to the previous year, an increase of 38%. Page views (number of pages people looked at during the session) increased by 246 728, an increase of 4%.


The figures in Table 2.1 show the number of sessions and the number of page views for the privacy website each year for the last three financial years, while Chart 2.1 graphically represents the substantial increase in website traffic since 2001.

Table 2.1 Page and Session Views for the Privacy Website

                2004–05      2005–06      2006–07      Increase 2005–06 to 2006–07
Session         1 072 361    1 411 320    1 953 316    + 541 996
Page view       4 561 982    5 937 245    6 183 973    + 246 728

Chart 2.1 Yearly Comparative Results for the Website

[Chart: page views and sessions for the website, 2001–02 to 2006–07; vertical axis: traffic (0 to 9 000 000); horizontal axis: years.]

2.2.3 Layered Privacy Policy

In Privacy Awareness Week 2006 (see section 2.7.3), the Attorney-General launched the Office’s new Privacy Policy. The new Policy adopts a layered notice format to enhance the ease with which people can access and understand it. The Policy is available on the Office’s website, and provides browsers with both a condensed snapshot, as well as a full explanation, of the Policy.


The condensed version of the Policy uses clear simple language and includes the most important information that individuals usually need and want to know about the Office’s personal information handling practices. Individuals wanting further information can easily link to the Office’s full Privacy Policy.

The Policy is also intended to serve as a model for other agencies and organisations. It is available at www.privacy.gov.au/policy/index.html.

2.3 Media

132 media enquiries were made to the Office during 2006–07. This is down 11% from the 148 enquiries received in 2005–06. Of the 132 enquiries, 84 were from print media, 29 from radio stations, ten from television, eight from news websites, and one from a news agency.

The enquiries concerned a range of privacy-related issues, with the most common including:

– scanning of patrons’ identification by clubs and bars

– alleged privacy breaches by various organisations

– incidents involving access by staff of government agencies to client records

– companies transferring client data to overseas centres for processing

– doctors’ use of overseas transcription services

– the Health and Social Services Access Card

– the disclosure of financial transactions by SWIFT (the Society of Worldwide Interbank Financial Telecommunication) to law enforcement agencies

– privacy concerns resulting from online technologies.

In most cases, background information on the issue or a comment was supplied to the journalist. Interviews were also conducted on various radio stations and television programs.

The Office prepared 31 media announcements and releases during 2006–07.

The Office has an email list specifically targeting media personnel and media agencies. Members of the email list receive the Office’s media releases and announcements. Information about the list is available at www.privacy.gov.au/lists/index.html.


2.4 Speeches and Presentations

The Office delivered 26 speeches during 2006–07. These speeches were on a number of key issues including the Australian Law Reform Commission’s review of privacy, information technology, privacy and business and the Office’s new Strategic Plan 2007–09. The Commissioner also gave a number of speeches around Australia in conjunction with the Privacy Connections events hosted by the Office (see section 2.7.1).

A complete list of speeches and presentations made by the Commissioner and Office staff can be found at Appendix 3. Supporting papers and PowerPoint presentations for a number of these speeches are available on the Office’s website at www.privacy.gov.au/news/speeches/index.html.

2.5 Publications

The Office developed a number of new publications over 2006–07 including its new quarterly newsletter, Privacy Matters (see section 2.5.1). In Privacy Awareness Week 2006 (see section 2.7.3), the Attorney-General launched the Office’s Privacy Impact Assessment Guide developed for use by public sector agencies (see section 1.3.1), and the Office’s new layered Privacy Policy (see section 2.2.3). Also in Privacy Awareness Week, the Office released two ‘Ten Steps’ guides which provided ten practical steps that individuals and organisations could take to protect their own and other people’s personal information.

In 2007 the Office released a new information sheet on the Prescription Shopping Information Service and the Privacy Act (see section 1.6.3).

Most of the Office’s publications are available online at www.privacy.gov.au/publications/index.html.

2.5.1 Privacy Matters Newsletter

In September 2006, the Office launched its quarterly privacy newsletter Privacy Matters. The purpose of the newsletter is to provide an accessible and easy-to-read publication that keeps interested stakeholders up-to-date with important Office-related compliance, policy, public affairs and other privacy developments.

The newsletter is an initiative which implements Recommendation 50 of the Office’s 2005 Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. It complements the work the Office already does through its various stakeholder networking strategies (see section 2.7), and further assists the Office in its Strategic Plan purpose of promoting and protecting privacy in Australia.


The Office aims for each issue of the newsletter to have as its primary focus one or two significant feature articles covering privacy matters of current importance. The newsletter also keeps subscribers informed of other privacy-related events and matters of interest, both within the Office and in the broader community.

The Office intends to continue producing Privacy Matters on a quarterly basis throughout the next reporting period. Subscription to the newsletter is available by visiting the Office’s website at www.privacy.gov.au/news/privacymatters/index.html.

2.5.2 Publications Review

In 2007 the Office commenced a comprehensive review of its existing publications to ensure that Office guidance material continues to best meet the needs of its stakeholders.

The publications review aims to identify and correct any inaccurate or outdated material, ensure that Office guidance material is presented in clear and understandable language, and address gaps in content. As part of this review, the Office intends to develop systems for the management of Office publications to facilitate their upkeep into the future.

The Office has recently completed an audit of existing publications and will shortly commence implementing updates identified in this process.

2.6 Community Attitudes Survey

In early 2007, the Office commenced work on a research study to ascertain community attitudes towards privacy issues. It commissioned the Wallis Consulting Group to undertake the quantitative study, which follows on from similar research the Office carried out in 2001 and 2004. The project will be completed and reported on in 2007–08.

2.7 Networking for Privacy Solutions

2.7.1 Privacy Connections

In line with Recommendation 50 of the Office’s 2005 Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, the related Budget commitment, and the Office’s 2007–09 Strategic Plan (Goal 2: increased awareness of privacy choices and obligations within the community), the Office undertook during 2006–07 to re-energise its Privacy Connections network of privacy professionals in the private sector. In this respect, it hosted a series of well-attended forums, allowing an opportunity for privacy professionals to network, to meet and engage with the Privacy Commissioner, and to learn about various privacy issues and developments both in Australia and abroad.

In November 2006 a breakfast forum was held in Sydney to mark five years since the introduction of the private sector provisions of the Privacy Act. Keynote speakers included the Attorney-General, the Hon. Philip Ruddock MP, the Privacy Commissioner, and Suzanne Pigdon, the former Privacy and Customer Advocacy Manager of the Coles Myer Group and a member of the Office’s Privacy Advisory Committee. Corporate breakfasts were also held in May 2007 with the Privacy Commissioner and Ms Pigdon in both Adelaide and Perth, in association with those states’ chambers of commerce.

Further events have been scheduled for early in 2007–08 in Brisbane, Canberra, Melbourne and Sydney, with Mr Peter Cullen, the US-based Chief Privacy Strategist of Microsoft, as the keynote speaker.

Privacy Connections members also receive electronic updates from the Office on a range of privacy issues, developments and events. The network commenced in 2001 and as at 30 June 2007 had 1 841 members.

Information about Privacy Connections is available at www.privacy.gov.au/business/network/index.html.

2.7.2 Privacy Contact Officer Network

The Office manages a network of Privacy Contact Officers (PCOs) from Australian and ACT Government agencies. The Office hosts four PCO meetings a year to provide PCOs with an opportunity to network and to hear from speakers on a range of privacy-related issues. These meetings also enable PCOs to meet with Office staff and regularly hear from the Commissioner on the Office’s activities and initiatives.

During 2006–07, the Office has used this forum to inform PCOs of changes to the Office’s approach to complaint handling, key aspects of the Office’s submission to the Australian Law Reform Commission (ALRC) review of privacy, and international developments in privacy regulation.

The Office has also invited external speakers to address PCOs including a senior legal officer at the ALRC to provide an update on its review of privacy, an adviser to the Attorney-General to discuss privacy from a ministerial officer’s perspective, a member of the Privacy Advisory Committee, and individual PCOs.

In December 2006, the Office presented a ‘Privacy Checklist’ to the network that the Office developed to help PCOs effectively handle privacy complaints, and the PCOs were surveyed for their feedback on this resource. The Office also consulted with the network on Privacy Awareness Week 2007 and the resources and activities they would like to see promoted during this event.


In general the PCO Network provides a crucial link between agencies and the Office for the purposes of managing privacy complaints and the Office continues to promote the important role of the PCO as an internal agency contact point for information about privacy compliance obligations.

2.7.3 Privacy Awareness Week

The Office celebrated Privacy Awareness Week from 27 August – 2 September 2006. The Office collaborated with Privacy Victoria, Privacy NSW and the Office of the Information Commissioner, Northern Territory to promote the event.

The week was an opportunity to encourage organisations and agencies covered by the Privacy Act to promote privacy awareness among staff and customers.

During Privacy Awareness Week the Attorney-General launched two key documents produced by the Office: the Privacy Impact Assessment (PIA) Guide (see section 1.3.1) and the Layered Privacy Policy (see section 2.2.3). Guides were also released setting out ‘Ten Steps’ on how to protect personal information for individuals, agencies, and organisations and privacy quizzes were developed to encourage individuals, agencies and organisations to examine their general knowledge and understanding of privacy.

The Office is continuing its involvement in Privacy Awareness Week in 2007 through joint promotions and activities with the Asia Pacific Privacy Authorities (APPA) (see section 2.9.1), as well as its own Privacy Awareness Week calendar of events.

Privacy Awareness Week will be held from 26 August – 1 September in 2007. The Office’s promotional activities leading up to and throughout Privacy Awareness Week will contribute to the Office’s goal of increased awareness of privacy choices and obligations within the community as outlined in the Office’s 2007–09 Strategic Plan.

2.8 Privacy Advisory Committee

The Privacy Advisory Committee (PAC) is established under s. 82 of the Privacy Act. Its members are appointed by the Governor-General. The functions of the PAC are established under s. 83 of the Privacy Act and provide for the PAC to assist the Commissioner in engaging in and promoting community education and consultation, in relation to the protection of individual privacy.

The PAC also advises the Commissioner on matters relevant to his/her functions. It acts as an external reference point that supports the Commissioner in gaining access to the broad views about privacy in the private sector, government and the community at large.

This year, the PAC has been actively involved in a number of Office activities. Members of the PAC had significant input into the development of the Community Attitudes Survey (see section 2.6), including participation in the tender evaluation and content review committees.

The PAC members provided support to the Office through their promotion of the Privacy Connections network events (see section 2.7.1). Suzanne Pigdon, a member of the PAC, was a keynote speaker at three events and provided attendees with information and advice on privacy from a business perspective.

PAC members also attended the 2006 Asia Pacific Privacy Authorities Forum (see section 2.9.1) and the Asia-Pacific Economic Cooperation (APEC) Data Privacy Seminar.

There are currently six members of the PAC. Ms Robin Banks was appointed as a PAC member in November 2006 replacing Mr Graeme Innes AM who resigned in December 2006.

2.9 International Liaison

2.9.1 Asia Pacific Privacy Authorities

The Asia Pacific Privacy Authorities (APPA) forum is a regional forum that includes this Office, the State and Territory Privacy Commissioners in Australia (NSW, Victoria and the Northern Territory), together with the Privacy Commissioner of New Zealand, the Privacy Commissioner for Personal Data of Hong Kong and the Korean Information Security Agency.

The Forum meets biannually and is hosted with a rotating venue and host. In June 2007 the 27th APPA forum was hosted by the Office in Cairns to coincide with the APEC Senior Officials Meetings and Data Privacy Seminars. At this meeting the APPA membership was broadened to include the Information and Privacy Commissioner of British Columbia, Canada.

APPA meetings are an important opportunity to discuss international privacy developments and emerging issues of relevance to APPA affiliates. The Forum provides an opportunity for Commissioners to exchange knowledge and experiences about privacy regulation across different jurisdictions. At the 27th APPA forum it was agreed that a Working Party be established to look at the possibility of developing guidelines for the protection of individuals’ privacy rights in relation to the use of biometrics.

At the 26th APPA forum hosted in November 2006 by the Office of the Privacy Commissioner for Personal Data, Hong Kong, the APPA members agreed to jointly undertake Privacy Awareness Week (see section 2.7.3) in 2007. As a result an international privacy themed competition was launched in April 2007 targeting secondary students. Publicity for the competition has included a joint media release, the production of a website (www.privacyawarenessweek.org) and a mail out to secondary schools across Australia, Hong Kong and New Zealand which included an introductory letter, poster and promotional booklet. Promotional material was translated into Chinese to ensure the competition was accessible to entrants from the jurisdictions involved. The Commissioners will announce the competition winners during Privacy Awareness Week 2007 (26 August – 1 September 2007).

As outlined in the Office’s 2007–09 Strategic Plan, robust relationships are at the core of how the Office operates. Developing international linkages, particularly through the APPA forum, is one way in which the Office achieves this. APPA is an effective forum that the Office will continue to develop and sustain through future joint initiatives.

2.9.2 28th International Conference of Data Protection and Privacy Commissioners

In November 2006, Deputy Privacy Commissioner Timothy Pilgrim attended the 28th International Conference of Data Protection and Privacy Commissioners held in London. The theme of the conference was ‘A Surveillance Society?’, with speakers addressing a range of issues related to surveillance and how to balance public safety with individual privacy rights.

At the conference a resolution proposed by the New Zealand Privacy Commissioner and co-sponsored by the Australian Privacy Commissioner was adopted. This resolution recommended that attention be given to improving conference organisation arrangements with a view to ensuring the continued viability of annual conferences. With the adoption of the resolution, a working group was established to examine existing organisational arrangements and suggest options for improvement.

The New Zealand Privacy Commissioner is chair of the working group, which encompasses four subgroups: the Hosting Subgroup, the Host Selection Subgroup, the Website Subgroup and the Participant Expectations Subgroup.

Fourteen data protection authorities are participating in the working group with this Office acting as chair of the Hosting Subgroup and co-chair of the Website Subgroup.

The working group is due to report its findings to the 29th Conference to be held in Canada in September 2007.

Chapter 3 Protecting Privacy

3.1 Review of Performance

The Privacy Commissioner protects the privacy of Australians through a wide range of compliance activities, including a telephone and written enquiry service, the resolution of individual privacy complaints, conducting audits and investigations, and monitoring data-matching activities.

While the Office’s compliance focus in 2006–07 continued to be on resolving individual complaints, it also undertook a number of audits. The Office strives to resolve cases in an open and fair way that builds the confidence of our stakeholders. The Office has applied considerable effort to managing complaints in line with Recommendation 42 of the Office’s 2005 Report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

In the Office’s last annual report, it was noted that the Office was to receive an increase in funding over the next four years, and that one of the first priorities would be to invest in our complaint handling systems and practices. Effective complaint handling practices have been a clear focus in 2006–07. The Office has continued to evaluate and refine practices to ensure they worked well and that individual complaints were handled in a timely and effective manner.

The Office has restructured its Compliance section to facilitate a transition from being primarily a reactive regulator to an increasingly proactive regulator. To ensure best practice complaint handling and investigation, the Office has a renewed focus on staff training, staff development and stakeholder relationships.

2006–07 also signalled the return of the Office’s audit program into Australian Government agencies, with the Office embarking on its first Australian Government agency audit in almost three years. The Office also continued its data-matching and ‘own motion’ work. The Office this year increased its production of case notes. It produced 24 case notes to assist individuals, organisations and agencies understand its investigative processes and application of the Privacy Act.

3.2 Responding to Enquiries

3.2.1 Telephone Enquiries

The Office’s telephone enquiry service (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call.

Since 1 July 2001 the enquiry service has answered over 120 000 telephone calls. The enquiry service answered 17 392 telephone enquiries in 2006–07. This is 9% less than the 19 150 received in 2005–06. The Office expects that more people are finding it convenient and effective to search for information online which may suggest a reason for the decreasing number of calls to the enquiry service.

Who is calling?

Continuing the trend that the Office has seen over the past few years, the vast majority of calls are from individuals seeking information about their privacy rights and advice about how to resolve privacy complaints.

Table 3.1 below illustrates the types of people who called the Privacy Enquiries Line in 2006–07.

Table 3.1 Source of Telephone Enquiries

Individuals 13 505

Health Service Providers 415

Real Estate 327

Legal, Accounting and Management Services 299

Federal Government 289

Finance 231

State Government 219

Business and Professional Associations 217

Retail 139

Employment Services 137

What are calls about?

Of the calls received this year, 54% related to the National Privacy Principles (NPPs). This mirrors the proportion of calls received in relation to the NPPs in 2005–06. The most frequently discussed issue was the use and disclosure of personal information by private sector organisations. This has been a consistent theme over the last four years. Use and disclosure calls made up 33% of calls about the private sector provision in 2006–07, a slight decrease on last year’s 37%. Notably, there has been a significant increase in the number of calls about Tax File Numbers, with calls received this year almost doubling the number received in 2005–06. The proportion of calls about Credit Reporting and the Information Privacy Principles (IPPs) remained steady.

Table 3.2 shows a breakdown of issues discussed in calls received during 2006–07.

Table 3.2 Breakdown of issues in calls received

Private Sector Provisions Issues

NPP 1 – Collection 1337

NPP 2 – Use and Disclosure 3160

NPP 3 – Data Quality 131

NPP 4 – Data Security 762

NPP 5 – Openness 120

NPP 6 – Access and Correction 1068

NPP 7 – Identifiers 14

NPP 8 – Anonymity 5

NPP 9 – Transborder Data Flows 45

NPP 10 – Sensitive Information 77

NPP Exemptions 1788

Private Sector Provisions (General) 927

Sub-total 9434

Non-Private Sector Provisions Issues

Credit Reporting 1088

Data-matching 16

IPPs 800

Spent Convictions 181

Tax File Numbers 93

Privacy (General) 4039

Sub-total 6217

Unrelated to privacy 1741

TOTAL 17 392

Who are National Privacy Principles calls about?

Chart 3.1 below distributes the NPP telephone enquiries by private sector industry groups.

Chart 3.1 Private Sector Industry Groups to which Telephone Enquiries Relate (number of NPP telephone enquiries)

Health Service Providers 1493

Finance 1329

Real Estate 1262

Debt Collectors / Credit and Tenancy Databases 756

Telecommunications 727

Business and Professional Associations 529

Market Research and Direct Marketing 432

Insurance 359

Retail 358

Employment Services 356

A sample of calls received during 2006–07 appears below.

– A caller rang seeking general information about how her business should comply with the NPPs. The caller was provided with information about how the NPPs might apply and what kinds of things she should be doing when collecting and using her customer information in fulfilling product orders.

– A caller joined a personal introduction service. The service disclosed his personal information to numerous people, and disclosed others’ personal information to him. The caller was concerned because the service never explained that this type of disclosure would take place. The caller was provided with information about the relevant law and the Office’s complaint procedures.

– A caller rang asking how to access a deceased person’s information. The caller was advised that the Privacy Act does not apply to information about deceased individuals and that the Office was unfortunately unable to assist.

– A caller from New South Wales sought a copy of a strata roll held by an Owners’ Corporation and was denied a copy on ‘privacy grounds’. In New South Wales, strata legislation allows people on the strata roll to have a copy of the roll. The caller was advised that this may be a lawful disclosure by the Owners’ Corporation under NPP 2, in particular NPP 2.1(g), if authorised by law and, in that case, the Privacy Act would permit the disclosure.

– A caller put his computer in for repair and was told by the repairer that the hard drive had crashed and needed to be replaced. The caller authorised the repair and collected his computer from the repairer. The caller subsequently received a call from a person who had her own computer fixed by the same repairer, and upon taking it home found all of the caller’s personal information on her new hard drive. The caller suspected his original hard drive had been on-sold before the data on the hard drive was deleted. The caller claimed his old hard drive had all his work material on it, including personal address and contact details for his family, bank accounts and passwords, amongst other things. The caller was advised to raise the matter with the repairer by complaining. The caller was provided with information about the small business operator exemption. The caller undertook to contact the repairer and get back to the Office with any necessary complaint.

3.2.2 Written Enquiries

The Office also responds to requests for information that are received by email, letter or fax. The Office received 2182 written enquiries in 2006–07 which is a 6% decrease on the number received in 2005–06 (2316).

The Office is committed to responding to 90% of written enquiries in ten working days. This benchmark was met in 2006–07.

Over half (58%) of the written enquiries answered in 2006–07 related to the private sector provisions.

A sample of the written enquiries received in 2006–07 appears below.

– An enquirer asked if it is permissible for an agency to use, with an individual’s written consent, their Police Records Check result, obtained in the recruitment process, in the security clearance process.

– An enquirer asked about the data security obligations of a private sector organisation.

– An enquirer asked whether photographing a building required the owner’s permission.

– An employer asked if they could monitor staff emails.

– An enquirer asked about the definition of ‘personal information’ as it appears in the Privacy Act.

3.3 Responding to Complaints

Allegations about acts or practices that may be an interference with the privacy of an individual can be accepted by the Privacy Commissioner as complaints. This can, for example, include complaints about:

– how personal information is gathered, held, used or disclosed by large private sector organisations, private sector health service providers and some small businesses under the National Privacy Principles

– how personal information is handled by Australian and ACT Government agencies according to the Information Privacy Principles

– credit worthiness information held by credit providers and credit reporting agencies

– the use of personal tax file numbers by individuals and organisations and

– related legislation, including ‘spent convictions’ under the Crimes Act 1914 and Australian Government data-matching programs regulated by the Data-matching Program (Assistance and Tax) Act 1990.

3.3.1 Complaints received during 2006–07

In 2006–07, the Office received a total of 1094 complaints across all areas of its jurisdiction. This is an 8% decrease on the previous year (1183 were received in 2005–06).

Complaints related to a wide variety of issues. Examples of complaints and their outcomes can be found on the Office’s website at www.privacy.gov.au/act/casenotes/index.html.

The number of complaints received about each Privacy Act jurisdiction is given in Chart 3.2. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed in this chart exceeds the number of complaints received in 2006–07. As has been the case since the Privacy Commissioner’s role was extended to the private sector, the private sector continues to be the jurisdiction most commonly complained about.

Chart 3.2 Percentage of Complaints Received by Privacy Act Jurisdiction

National Privacy Principles 64.2%

Credit Reporting 12.1%

Information Privacy Principles 11.5%

Outside Privacy Act Jurisdiction 10.8%

ACT Information Privacy Principles 0.5%

Spent Convictions Scheme 0.5%

Tax File Number Guidelines 0.3%

Contracted Service Providers 0.1%

The particular issues that are most regularly complained about as a percentage of total complaints received in 2006–07 are described in Chart 3.3. Please note that the percentages exceed 100% as some complaints contain more than one issue.

Chart 3.3 Key issues in complaints (percentage of total complaints received)

NPP Use and Disclosure 37%

IPPs 18%

NPP Collection 16%

Credit Reporting 16%

NPP Security 14%

Other 11%

NPP Access and Correction 11%

NPP Data Quality 10%

NPP Other 1%

Tax File Numbers <1%

The most commonly complained about IPP issue was the improper use or disclosure of personal information, which makes up 43% of IPP allegations. The next most common allegation involved the unlawful or improper collection of personal information, making up 15% of allegations. The security of personal information was the third most frequent issue, making up 13% of allegations.

It is interesting to note that the most common issues raised in IPP complaints mirror the most common concerns raised in NPPs complaints. That is to say, that in relation to both IPP and NPP complaints the most frequently raised concerns in 2006–07 were about (in order) use or disclosure, collection and security.

Chart 3.4 shows the number of complaints made about each of the 12 most commonly complained about sectors. The finance sector continues to be the most frequently complained about industry. The Office expects that this is due to the large number of finance providers, the volume of personal information transactions conducted by the sector and a reflection of the fact that the sector is bound by both the NPPs and the Credit Reporting provisions.

Chart 3.4 Complaints by Government and Industry Sector (number of complaints)

Finance 161

Australian Government 130

Health Service Providers 113

Debt Collector/Credit and Tenancy Databases 112

Telecommunications 81

Real Estate 54

Retail 53

Insurance 34

State Government 34

Legal, Accounting and Management Services 26

Property and Business Services 23

Personal and Other Services 20

3.3.2 Complaints closed during 2006–07

Acts or practices that may be a breach of privacy may be investigated by the Privacy Commissioner. Where appropriate, the Commissioner may attempt to conciliate a resolution of the matters which led to the complaint.

If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further. Otherwise, the Commissioner may make a determination about a complaint under s. 52 of the Privacy Act.

In 2006–07, the Office closed 1210 complaints, 7% more than the 1131 complaints closed in 2005–06.

The Office investigated slightly more complaints under s. 40(1) of the Privacy Act than in the previous year. This year it chose to make preliminary enquiries into 7% more complaints and chose to summarily dismiss 8% fewer complaints than in 2005–06. Table 3.3 provides more information about the stage at which complaints were closed.

The Office aims to finalise all complaints within 12 months of receiving them. In 2006–07 complaints were closed in an average of eight months.

Table 3.3 summarises the stage at which complaints were closed.

Table 3.3 Stage at which Complaints Closed %

Decline to investigate – s. 41 52

Preliminary enquiries – s. 42 36

Formal investigation – s. 40(1) 12

Total 100

3.3.2.1 Complaints closed following investigations

In 2006–07, the Privacy Commissioner closed 12% of complaints following an investigation of the matter under s. 40(1) of the Privacy Act. The Privacy Commissioner came to the view that the complaint would likely be upheld in about 50% of these cases. Common resolutions after the investigation proceeded to conciliation included:

– apologies to complainants

– changes to database systems

– correction of records

– provision of access to records and

– amounts of compensation ranging from less than $500 to $20 000.

There were no determinations made in 2006–07. A determination is a legal decision or finding made by the Commissioner, as a consequence of which the Privacy Act’s enforcement powers (ss. 52–62) are activated. A determination may dismiss the complaint or find that the complaint has been substantiated, and make declarations about action needed (including that conduct should cease or not be repeated), the nature of redress and compensation, or that no further action is needed.

Table 3.4 shows the grounds for declining to investigate complaints further following an investigation. Please note complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of investigations closed in 2006–07.

Table 3.4 Grounds for Declining to Investigate Complaints Further Following an Investigation

Ground | NPPs | IPPs | Credit | Spent convictions | TFNs | ACT IPPs | Service Providers | Total

No interference with privacy – s. 41(1)(a) 29 11 10 0 0 1 1 52

Respondent has adequately dealt with matter – s. 41(2)(a) 53 5 17 0 0 0 1 76

Other (for example, withdrawn) 20 8 10 0 1 0 0 39

Total 102 24 37 0 1 1 2 167

In very general terms, the Commissioner found that about half of both the National Privacy Principles and Credit Reporting complaints investigated under s. 40 of the Privacy Act were substantiated. The Commissioner was less likely to find a complaint substantiated after investigating allegations about the Information Privacy Principles, with only approximately 20% of these complaints upheld.

3.3.2.2 Nature of remedies achieved by conciliation following investigation

Table 3.5 provides more detail on the outcome of complaints that were closed as adequately dealt with following investigation under s. 40(1) of the Privacy Act. As in Table 3.4, more than one resolution may have been reached for a particular complaint, meaning that the total listed in Table 3.5 is not equal to the total number of complaints.

Table 3.5 Nature of Remedies in Complaints Closed as Adequately Dealt With After Investigation

Remedy | NPPs | IPPs | Credit | Service Providers | Total

Record amended 15 1 12 0 28

Apology 12 2 4 0 18

Changed procedure 4 2 1 1 8

Access provided 6 0 0 0 6

Other 10 1 0 0 11

Compensation – up to $500 12 1 3 0 16

Compensation – $501 – $2000 9 0 3 0 12

Compensation – $2001 – $20 000 3 1 1 0 5

Compensation – confidential settlement 1 1 0 0 2

Total 72 9 24 1 106

Compensation was the most common resolution in investigated complaints. Compensation was paid in just over 30% of these complaints. The majority of payments were under $2000. The second most common outcome was the amendment of records.

3.3.2.3 Complaints closed following preliminary enquiries

The Privacy Act gives the Privacy Commissioner powers to conduct preliminary enquiries to determine whether the Commissioner has the power to investigate or should exercise a discretion not to investigate a matter further. For instance, a preliminary enquiry may seek to determine:

– whether an agency or organisation is willing to provide access to records

– if a particular act or practice is authorised by law

– whether an organisation may claim the small business operator exemption or

– whether a respondent is an agency or organisation.

In 2006–07 the Commissioner closed 36% of complaints after preliminary enquiries. Table 3.6 provides more detail on the basis for closing complaints following preliminary enquiries. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of preliminary enquiries closed in 2006–07.

Table 3.6 Basis for Closing Complaints Following Preliminary Enquiries

Basis | NPPs | IPPs | Credit | ACT IPPs | Other | TFNs | Contracted Service Providers | Total

Complaint not raised with respondent – s. 40(1A) 17 2 2 0 0 0 0 21

No interference with privacy* – s. 41(1)(a) 145 22 19 0 3 2 1 192

Aware of complaint for over 12 months – s. 41(1)(c) 2 0 0 0 0 0 0 2

Frivolous, vexatious, misconceived or lacking in substance – s. 41(1)(d) 2 2 0 0 0 0 0 4

Is being dealt with under another law – s. 41(1)(e) 1 2 0 0 0 0 0 3

Another law is more appropriate – s. 41(1)(f) 2 1 1 0 0 0 0 4

Respondent has adequately dealt with matter – s. 41(2)(a) 120 7 32 1 3 0 1 164

Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b) 18 3 4 0 0 0 0 25

Other (for example, withdrawn) 46 7 20 0 4 0 0 77

Total 353 46 78 1 10 2 2 492

* This includes matters that fall outside the Commissioner’s jurisdiction, for example the respondent is a state government body.

As was the case in 2005–06, the most common reason for closing complaints after preliminary enquiries was due to a finding that the individual’s privacy had not been interfered with. This is in contrast to the complaints that were investigated, where the most common outcome was that the complaint was substantiated. Interestingly, in contrast to this overall trend, Credit Reporting complaints that were the subject of preliminary enquiries were more likely to be substantiated than unsubstantiated.

3.3.2.4 Nature of remedies achieved following preliminary enquiries

In the process of conducting preliminary enquiries, the Commissioner may find that the respondent has adequately dealt with the matter, or may be able to resolve the cause of the complaint through conciliation. Table 3.7 gives further detail about the types of resolutions achieved following preliminary enquiries. Please note that complaints can have more than one remedy.

Table 3.7 Nature of Remedies in Complaints Closed as Adequately Dealt With After Preliminary Enquiries

Remedy | NPPs | IPPs | Credit | Contracted Service Providers | ACT IPPs | Other | Total

Access provided 39 0 0 0 0 1 40

Compensation – up to $500 6 1 0 0 0 0 7

Compensation – $501 – $2000 9 2 1 0 0 0 12

Compensation – confidential settlement 5 0 5 0 0 0 10

Other 28 0 2 0 1 0 31

Apology 24 5 1 1 0 1 32

Record amended 37 2 25 0 0 2 66

Changed procedures 10 0 0 0 0 0 10

Total 158 10 34 1 1 4 208

Compensation was an outcome in only 14% of complaints closed after preliminary enquiries. The most popular resolution was the amendment of records. In addition, a significant proportion of these matters were resolved after the provision of access, which reflects the volume of preliminary enquiries that involved complaints about access to records.

3.3.2.5 Complaints closed without investigation

In 2006–07, the Privacy Commissioner closed 52% of complaints by exercising discretions not to investigate (or ‘decline’) the complaint. Table 3.8 gives a listing of the grounds the Commissioner relied on to close these complaints.

The most common reasons for closing complaints without investigation were:

– the complaint had not been raised with the respondent before being brought to the Commissioner (s. 40(1A)) or the complainant had not given the respondent sufficient time to deal with the complaint (s. 41(2)(b)) or

– there was no interference with privacy (s. 41(1)(a)).

Compared with 2005–06, there was a 12% decrease in the number of complaints closed due to no interference with privacy. The decrease was spread evenly across the categories of complaints, indicating a general trend rather than any specific clustering of ‘other’ cases.

Table 3.8 shows the basis for closing complaints without investigation. Please note that complaints can have more than one jurisdiction issue, therefore the number of complaints listed below exceeds the number of complaints closed without investigation in 2006–07.

Table 3.8 Basis for Closing Complaints without Investigation

Basis | NPPs | IPPs | Credit | Other | ACT IPPs | TFN | Total

Complaint not raised with respondent – s. 40(1A) 99 19 17 8 0 1 144

No interference with privacy* – s. 41(1)(a) 154 25 16 66 2 1 264

Aware of complaint for over 12 months – s. 41(1)(c) 2 2 1 0 0 0 5

Frivolous, vexatious, misconceived or lacking in substance – s. 41(1)(d) 4 6 2 6 0 0 18

Is being dealt with under another law – s. 41(1)(e) 3 1 0 0 0 0 4

Another law is more appropriate – s. 41(1)(f) 2 8 0 0 0 0 10

Respondent has adequately dealt with matter – s. 41(2)(a) 15 3 5 1 0 0 24

Respondent has not had adequate opportunity to deal with matter – s. 41(2)(b) 62 10 18 3 0 1 94

Other (for example, withdrawn) 73 14 27 10 0 3 127

Total 414 88 86 94 2 6 690

* This includes matters that fall outside the Commissioner’s jurisdiction, for example the respondent is a state government body.

3.3.2.6 Compliance issues in National Privacy Principle complaints

The issues raised in complaints against private sector organisations that the Privacy Commissioner investigated and that were closed as adequately dealt with are set out in Chart 3.5. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

Chart 3.5 Issues in NPP Complaints Resolved by the Respondent (number of issues)

NPP 6.1 – Refused access to personal information 51

NPP 3 – Data quality 45

NPP 4 – Data security 42

NPP 2.1 – Improper disclosure 40

NPP 2.1 – Improper use 27

NPP 1.1 – Unnecessary collection 15

NPP 2.1 – Direct marketing 14

NPP 6.4 – Excessive access charge 6

NPP 1.3 and 1.5 – Insufficient collection notice 5

NPP 1.2 – Unlawful or unfair collection 4

NPP 10 – Sensitive information collection 3

NPP 1.3 – Bundled consent form 1

NPP 5 – Openness 1

NPP 8 – Anonymity 1

This year has seen a change in the most common National Privacy Principle (NPP) compliance issues. In 2006–07, the most frequently substantiated complaints against private sector organisations involved the refusal of access to personal information. This was despite the fact that the most commonly complained about NPP issue was the use and disclosure of personal information (see Chart 3.3). In 2005–06, the most frequently substantiated NPP complaint was about use and disclosure.

3.3.2.7 Compliance issues in Information Privacy Principle complaints

The issues raised in complaints against Australian and ACT Government agencies, where the agency took action after preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.6. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

Chart 3.6 Issues in IPP Complaints Resolved by the Respondent (number of issues)

IPP 11 – Disclosure 9

IPP 8 – Accuracy 3

IPP 10 – Use 2

IPP 4 – Security 2

IPP 1 – Collection 1

IPP 2 – Notice 1

IPP 7 – Amendment 1

2006–07 has also seen a change in the most common Information Privacy Principle (IPP) compliance issues. Compared with 2005–06, the issues of disclosure (IPP 11) and use (IPP 10) rose in frequency, while security (IPP 4) dropped slightly. It is important to note that the question of access is commonly dealt with under Freedom of Information (FOI) legislation and is therefore not a common issue in IPP complaints.

3.3.2.8 Compliance issues in Credit Reporting complaints

The issues raised in complaints against credit providers or credit reporting agencies, where the respondent took action following preliminary enquiries or a formal investigation by the Privacy Commissioner, are set out in Chart 3.7. Please note that complaints can have more than one issue, therefore the total number of issues can exceed the total number of complaints.

Chart 3.7 Issues in Credit Reporting Complaints Resolved by the Respondent (number of issues)

Disputed listing 31

Accuracy 29

Other 9

As has been the trend for many years, the most commonly raised and corroborated Credit Reporting issue is the improper listing of payment defaults.

3.4 Own Motion Investigations

Section 40(2) of the Privacy Act gives the Privacy Commissioner the power to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Commissioner considers it desirable. The Office calls these investigations ‘own motion’ investigations.

3.4.1 Issues in Own Motion Investigations

During 2006–07, 55 new matters involving alleged interferences with privacy were brought to the attention of the Office by media coverage, calls to the Privacy Enquiries line, or individuals writing to the Office. The Office took steps to contact the organisation involved in the alleged act or practice in about 85% of cases.

The Office uses risk assessment criteria to determine whether to investigate a matter. These criteria include the:

– number of people affected and the consequences for those individuals

– sensitivity of the personal information involved

– progress of an agency or organisation’s own investigation into the matter and

– likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are widespread.

The allegations considered by the Office in 2006–07 included that:

– an organisation left records containing personal information on public transport

– a government agency was collecting personal information unrelated to its employment requirements as part of its recruitment process

– an organisation was conducting direct marketing under the guise of social research

– personal information may have been improperly disclosed by an enforcement body

– the security of personal information stored and accessed on certain websites had been compromised and

– an Australian Government agency improperly disclosed Tax File Numbers.

3.4.2 Outcomes of Own Motion Investigations

The majority of cases investigated where the Privacy Commissioner found the allegations to be substantiated resulted in the respondent dealing with the issue raised, either on their own initiative or with the Office’s suggestions.

Actions taken have included apologies, retrieval and appropriate disposal of records, and change in procedures.

3.5 Case Notes

The Privacy Commissioner regularly publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints. The purpose of these case notes is to provide an insight into how privacy principles are being applied, in order to:

– assist individuals, organisations and agencies in deciding whether to pursue a complaint, or to decide if personal information is being handled appropriately

– encourage good privacy practices and compliance with the Privacy Act and

– ensure the Office is accountable and transparent in its processes and decision making.

In 2006–07, the Office published 24 case notes about complaints under the National Privacy Principles, Information Privacy Principles and other areas of the Privacy Act. This compares with 18 case notes published in 2005–06.

Some situations illustrated by the case notes include:

– a government agency accessing information regarding a third party in relation to an investigation the agency was undertaking

– the improper disclosure of personal information by an investigator retained by an insurance company and

– a patient seeking access to medical records which had been withheld as part of a legal case.

The case notes are accessible on the Office’s website at www.privacy.gov.au/act/casenotes/index.html, in the CCH Federal Privacy Handbook, and on the Australasian Legal Information Institute (Austlii) website at www.austlii.edu.au/au/cases/cth/PrivCmrA.


3.6 Complaints and Enquiries Statistics on www.privacy.gov.au

Statistical information is published by the Office to give an overview of complaints and enquiries received by the Office in a more generalised and wide-ranging form than the published case notes. Quarterly updates published on the Office’s website include the number of complaints, telephone and written enquiries received, and the number of National Privacy Principle complaints closed according to issue type.

These are available at www.privacy.gov.au/about/complaints/index.html.

3.7 Reports of Complaints under Approved Codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. If approved by the Privacy Commissioner, these codes replace the National Privacy Principles as the legally enforceable privacy standards for those organisations. As at 30 June 2007 there were three approved privacy codes (see Table 3.9).

Table 3.9 Approved Codes under the Privacy Act

Code Title | Code Adjudicator | Monitoring / Reporting Responsibility | Date Came into Effect

Queensland Club Industry Privacy Code | Privacy Commissioner | Clubs Queensland and the Privacy Commissioner | 23 August 2002

Market and Social Research Privacy Code | Privacy Commissioner | Association of Market and Social Research Organisations and the Privacy Commissioner | 1 September 2003

Biometrics Institute Privacy Code | Privacy Commissioner | Biometrics Institute and the Privacy Commissioner | 1 September 2006

The Privacy Commissioner is the code adjudicator for each of the codes listed above. There were no complaints handled by the Office under any of the approved codes in 2006–07.


The Privacy Commissioner is required to maintain a register of approved codes under s. 18BG of the Privacy Act. The register can be found on the Office’s website at www.privacy.gov.au/business/codes/index.html.

3.8 Audits

Under the Privacy Act, the Privacy Commissioner has powers to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits are crucial to determining and improving the degree of compliance with the Privacy Act. The Office conducts audits to promote best privacy practice and to reduce privacy risks across agencies.

The Commissioner’s audit powers are set out in several sections of the Privacy Act:

– auditing agency compliance with the Information Privacy Principles – s. 27(1)(h)

– examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information – s. 28(1)(d)

– auditing TFN recipients – s. 28(1)(e)

– auditing credit information files and credit reports held by credit reporting agencies and credit providers – s. 28A(1)(g).

The Commissioner does not have an audit function in relation to compliance with the National Privacy Principles by private sector organisations, unless at the request of the organisation under s. 27(3).

The number of audits carried out by the Office has varied over the life of the Privacy Act depending on the nature and volume of privacy complaints and other priorities of the Office. In 2006–07 the Office mainly undertook audits where it had received specific funding to do so. This is consistent with the approach taken by the Office since 2002–03 when the Commissioner decided to redirect the Office’s resources as a result of the significant increase in complaint numbers. However, 2006–07 also signalled the return of the audit program into Australian Government agencies.

In an effort to promote transparency in the Office’s audit work and to help promote good privacy practice, the Office has published the finalised reports of audits of Australian and ACT Government agencies undertaken since 1 July 2002 on its website (see www.privacy.gov.au/government/audits). Some audit reports have classified content and as such have been withheld from publication or have been published in an abridged form.


3.8.1 Audits Commenced in 2006–07

3.8.1.1 ACT Government Audits

The Office currently has a Memorandum of Understanding with the ACT Government (see section 4.1.3) which includes a commitment by the Office to conduct two audits of ACT Government agencies per financial year. The Office selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

Table 3.10 below shows audits of ACT Government agencies commenced by the Office in 2006–07 under this arrangement.

Table 3.10 ACT Audits Commenced 2006–07

Agency | Audit Scope | Commenced

ACT Department of Territory and Municipal Services | Client Records | February 2007

University of Canberra | Staff and Student Records | June 2007

3.8.1.2 Biometrics for Border Control Audits

The Office has been allocated additional funding over four years (2005–06 to 2008–09) as a component of the Biometrics for Border Control program involving the Department of Foreign Affairs and Trade, the Australian Customs Service (Customs) and the Department of Immigration and Citizenship (DIAC). The broad objective of this program is to develop and implement biometric systems to enhance identity management at the border and to increase the efficiency of border processing. The Office has committed to undertake three audits per year of key projects in the Biometrics for Border Control program.

Table 3.11 below shows audits of Biometrics for Border Control projects commenced by the Office in 2006–07 under this funding.

Table 3.11 Biometrics for Border Control Audits Commenced 2006–07

Agency | Audit Scope | Commenced

Customs | SmartGate (System Design) | August 2006

DIAC | eHealth System | June 2007

The Office had scheduled a post-implementation audit of the Customs SmartGate project during 2006–07. However, the project was not ready to be audited and the audit has been postponed until 2007–08.


3.8.1.3 Australian Government Audits

During 2006–07 the Office commenced an audit of one Australian Government agency, the Australian National University, under s. 27(1)(h) of the Privacy Act. The purpose of the audit was to assess the agency’s compliance with the Information Privacy Principles in its handling of personnel case files, personnel recruitment files and student records, and other records as appropriate.

3.8.2 Audits Finalised in 2006–07

3.8.2.1 ACT Government Audits

In 2006–07, the Office finalised privacy audits of the ACT Government agencies shown in Table 3.12 below.

Table 3.12 ACT Government Audits Finalised 2006–07

Agency | Audit Scope | Finalised

ACT Office of the Community Advocate | Client Records | July 2006

ACT Corrective Services | Client and Staff Records | November 2006

The Office found that the agencies generally had appropriate privacy controls in place to ensure a satisfactory level of compliance with the Information Privacy Principles. However, where insufficient privacy controls were identified or where better privacy practice could be instituted, the auditors made recommendations concerning those aspects of the agencies’ operations.

Common audit findings covered:

– the lack of appropriate database audit trail capacities to monitor access and amendment of client records

– the need for better security controls for electronic records such as ‘need-to-know’ access controls and regular password change prompts

– a requirement to provide better privacy training for both new and existing staff in terms of keeping records of personal information

– a need for clear policies regarding data retention and storage/transit of personal information

– a need to improve notices provided to individuals when collecting their personal information and

– the need to ensure the agency did not retain unnecessary personal information.

Generally, the audited agencies accepted the Office’s recommendations.


3.8.2.2 Identity Security Audits

In 2005–06 the Office received funding to provide privacy advice and oversight in respect of projects to be delivered under the Australian Government’s National Identity Security Strategy (see section 1.3.5). As part of its oversight activity, the Office undertook an audit of the Document Verification Service (DVS) Prototype convened by the Attorney-General’s Department (AGD).

The DVS is an online system which allows authorised Australian, state and territory Government agencies to verify the details of documents presented to them as proof of identity with the data recorded in the register of the corresponding document-issuing agencies.

The audit was commenced in June 2006 and finalised in May 2007. The Office made seven recommendations in this audit relating to clarification of roles between the parties, data security (encryption), handling of personal information by recipients and provider agencies and the development of specific guidelines in the handling of DVS data.

These recommendations were provided to the participating agencies for consideration in the future development of a Privacy Impact Assessment for the National DVS being conducted by the AGD.

3.9 Personal Information Digest

To help people understand what personal information is held by each Australian and ACT Government agency, Information Privacy Principle 5.3 in s. 14 of the Privacy Act requires agencies to keep a record detailing:

– the nature of records kept

– the purpose for which these records are kept

– the categories of people the information is about

– the period for which the records are kept

– who has access to the records and

– the steps an individual needs to take to gain access to the records.

These explanatory records must be provided to the Privacy Commissioner in June of each year, and are subsequently compiled and published as the Personal Information Digest (PID).

The ACT Department of Justice and Community Safety (JACS) compiled the ACT PID and the final documents were published on the JACS website and the Office’s website. The Office published the PID for Australian Government agencies for the period ending June 2006 on its website at www.privacy.gov.au/government/digest/index.html.


3.10 Monitoring Government Comparisons of Data Sets

Data-matching is the process of bringing together large data sets of personal information from different sources and comparing these data sets in order to identify any discrepancies.

For example the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.

The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data-matching raises a number of privacy issues. To ensure that government agencies minimise their impact on individuals’ privacy while data-matching, the Office performs a number of functions. The Privacy Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Commissioner oversees the functioning of the Guidelines for the Use of Data-matching in Commonwealth Administration (1998), which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy-sensitive way.

3.10.1 Matching under the Data-matching Program (Assistance and Tax) Act 1990 and statutory data-matching guidelines

In order to detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans’ Affairs (DVA) and the Australian Taxation Office (ATO).

The Data-matching Act and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines) outline the type of personal information that can be used, how it can be processed and how the results can be used. They also require that individuals be provided with the opportunity to dispute or explain any matches, and require that individuals have means for redress.


The Data-matching Act requires Centrelink, DVA and the ATO to report to parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency. The Data-matching Act also makes the Commissioner responsible for monitoring the functioning of the statutory data-matching program. To this end, the Office runs inspections (see section 3.10.1.1).

3.10.1.1 Inspections

During 2006–07 the Office inspected Centrelink’s handling of a sample of data-matching cases in three regions. The regions inspected were as follows:

– Area South Australia, September 2006

– Area Pacific Central, December 2006

– Area Hunter, March 2007.

Representatives of the Office, with the assistance of Centrelink and regional staff, conduct inspections and reviews of a sample (usually 100) of customer records which have been through the data-matching process. At the completion of each of the inspections, a report is prepared and provided to Centrelink outlining the findings. The Office found that Centrelink’s processes and procedures for statutory data-matching were largely compliant with the requirements of the Data-matching Act.

3.10.2 Matching under the Guidelines for the Use of Data-matching in Commonwealth Administration (the voluntary data-matching guidelines)

Many Australian government agencies also carry out data-matching activities that are not subject to the Data-matching Act but run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard for the privacy of individuals, the Privacy Commissioner has issued voluntary data-matching guidelines called the Guidelines for the Use of Data-matching in Commonwealth Administration (1998).

These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.
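The matching step that sections 3.10 and 3.10.2 describe can be made concrete. The following is an added illustration, not code from the report or from any agency's actual system: two constructed record sets stand in for a matching agency's customer file and a source agency's file, field allow-lists stand in for the program protocol, and the 28-day notice period, the status values and all names and dates are assumptions made for the example (the spousal-status theme is borrowed from the Spousal Indicator protocol in Table 3.13). The code retains only the discrepancies, hands them to a reviewer with a dispute deadline, and never takes action on its own.

```python
"""Illustrative non-statutory data-match (added example; not from the report)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re
import unicodedata

# ASSUMPTION: fields each party may supply under the (hypothetical) program
# protocol. Anything else in a file is rejected before any matching happens.
MATCHING_AGENCY_FIELDS = {"reference", "name", "dob", "declared_status"}
SOURCE_AGENCY_FIELDS = {"name", "dob", "reported_status"}

# ASSUMPTION: days an individual has to dispute or explain a match before any
# adverse action may follow. The real period is fixed by the protocol.
NOTICE_PERIOD_DAYS = 28


def normalise_name(name):
    """Lower-case, strip diacritics and punctuation, collapse whitespace, so
    'Ngọc Trần', 'NGOC TRAN' and 'Ngoc  Tran' all produce the same key."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    letters = re.sub(r"[^a-z ]", " ", plain.lower())
    return " ".join(letters.split())


def match_key(record):
    """Linkage key: normalised name plus ISO date of birth."""
    return (normalise_name(record["name"]), record["dob"])


def fields_outside_protocol(records, allowed):
    """Every field name in `records` that the protocol does not permit."""
    extra = set()
    for rec in records:
        extra |= set(rec) - allowed
    return extra


@dataclass(frozen=True)
class Discrepancy:
    reference: str          # matching agency's own identifier, nothing more
    declared_status: str
    reported_status: str
    status: str             # "awaiting_review" or "ambiguous_source"
    dispute_deadline: date


@dataclass(frozen=True)
class MatchResult:
    discrepancies: tuple
    consistent: int         # matched and agreed: counted, not retained
    unmatched: int          # no counterpart in source: counted, not retained


def run_match(agency_records, source_records, run_date):
    """Compare the two files and return only what a human reviewer needs."""
    breach = (fields_outside_protocol(agency_records, MATCHING_AGENCY_FIELDS)
              | fields_outside_protocol(source_records, SOURCE_AGENCY_FIELDS))
    if breach:
        raise ValueError(f"fields outside the program protocol: {sorted(breach)}")

    reported_by_key = {}
    for rec in source_records:
        reported_by_key.setdefault(match_key(rec), set()).add(rec["reported_status"])

    deadline = run_date + timedelta(days=NOTICE_PERIOD_DAYS)
    discrepancies, consistent, unmatched = [], 0, 0
    for rec in agency_records:
        reported = reported_by_key.get(match_key(rec))
        if reported is None:
            unmatched += 1
        elif len(reported) > 1:
            # Source file contradicts itself: a data-quality question for the
            # source agency, not evidence against the individual.
            discrepancies.append(Discrepancy(rec["reference"], rec["declared_status"],
                                             "/".join(sorted(reported)),
                                             "ambiguous_source", deadline))
        elif rec["declared_status"] != next(iter(reported)):
            discrepancies.append(Discrepancy(rec["reference"], rec["declared_status"],
                                             next(iter(reported)),
                                             "awaiting_review", deadline))
        else:
            consistent += 1
    return MatchResult(tuple(discrepancies), consistent, unmatched)


# Constructed sample data: not real people and not real agency files.
AGENCY_RECORDS = [
    {"reference": "A-1001", "name": "Jane Citizen", "dob": "1970-04-12", "declared_status": "single"},
    {"reference": "A-1002", "name": "Ngoc Tran", "dob": "1982-11-03", "declared_status": "partnered"},
    {"reference": "A-1003", "name": "Sam O'Brien", "dob": "1965-01-30", "declared_status": "single"},
    {"reference": "A-1004", "name": "Pat Nomatch", "dob": "1990-07-07", "declared_status": "single"},
]
SOURCE_RECORDS = [
    {"name": "JANE CITIZEN", "dob": "1970-04-12", "reported_status": "partnered"},
    {"name": "Ngọc Trần", "dob": "1982-11-03", "reported_status": "partnered"},
    {"name": "Sam O Brien", "dob": "1965-01-30", "reported_status": "single"},
    {"name": "Sam O'Brien", "dob": "1965-01-30", "reported_status": "partnered"},
]

if __name__ == "__main__":
    result = run_match(AGENCY_RECORDS, SOURCE_RECORDS, date(2007, 3, 1))
    print(f"consistent={result.consistent} unmatched={result.unmatched}")
    for d in result.discrepancies:
        print(d)
```

Two design points follow the guidelines' requirements directly: the output carries nothing about the people whose records agree or who have no counterpart, because most of those matched are not under suspicion; and a match is a review item with a dispute deadline, never a decision, so action cannot be taken solely on the automated result.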

Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Privacy Commissioner for comment and, once it has been finalised, the program protocol should be made available to the public.

In 2006–07, the Privacy Commissioner received 13 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 3.13.


Table 3.13 Program Protocols produced under the Voluntary Data-matching Guidelines 2006–07

Matching Agency | Source Agencies or Organisations | Name of the Program Protocol | Description of the Program Protocol | Received Date

ATO | Civil Aviation and Safety Authority; Australian Sports Rotorcraft Association; Recreational Aviation Australia | Aircraft Project Program Protocol | Identifies high wealth individuals who fail to meet their taxation obligations. The protocol sought to identify owners of aircraft who may have failed to lodge tax returns or under-reported their taxable income. | August 2006

ATO | BarterCard providers | Barter Industry Program Protocol | Update of 2004 program protocol to review data from later periods. | September 2006

ATO | Racing NSW | Horse Racing Data Matching Program Protocol | Update of 2003 program protocol extending the program to review 2003-04 and 2004-05 financial year periods. | September 2006

ATO | Various shopping centre operators (e.g. Westfield, Stockland etc). | Shopping Centre Retailers Data Matching Program Protocol | Identifies retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals. | September 2006

ATO | Victorian Taxi Directorate; Queensland Transport | Taxi Industry Data Matching Program Protocol | Identifies taxi drivers who may have failed to register for GST or declare income. | September 2006

ATO | WorkCover WA, Tas, NT and ACT | WorkCover WA, Tas, NT and ACT Data Matching Program Protocol | Identifies non-compliance with registration, lodgement and payment obligations under taxation law. The protocol matched business names and addresses registered with WorkCover WA, Tas, NT and ACT with its own records. This may include personal information. | November 2006

ATO | Telstra Corporation Ltd; News Limited; John Fairfax Holdings Limited; Carsales.com.au Limited; Just Magazines Group | Internet Trading, Print Media Advertising and Motor Vehicle Publications Data Matching Project | To improve compliance with taxation obligations, the protocol matches sales data provided by key internet trading, print media advertising and motor vehicle publications with ATO taxpayer records. | December 2006

ATO | Various market operators located in NSW, Victoria and Queensland | Market Stall Holders Data Matching Project | To improve compliance with taxation obligations, the protocol matches data provided by around 21 market operators (and the entities that operate stalls in these markets) with ATO taxpayer records. | December 2006

Centrelink | Stage 1: ATO; Stage 2: Identified external agencies | Spousal Indicator Matching with External Agencies | Identifies Centrelink customers who are receiving single-rate benefits who are married or in a marriage-like relationship. At least 8 identified external agencies will participate in Stage 2 (e.g. Medicare, Australian Electoral Commission, Land Titles Office). | December 2006

Centrelink | Commonwealth Bank of Australia (CBA) | Centrelink Bank Account Verification – Proof of Concept Trial | To ensure payment integrity is maintained, the protocol matched specified Centrelink and CBA customer records to identify if Centrelink customers’ eligibility for payments had changed on the grounds of variations in income or asset details. | December 2006

Centrelink | Relevant Overseas Authority | Death matching with International Agencies | Identifies deceased Centrelink customers who have died overseas and continue to be paid. | March 2007

Centrelink | ATO | Tax Garnishee Project | Identifies ATO clients with a Centrelink debt for the purpose of intercepting their tax refund or available credit by a garnishee notice from Centrelink. | May 2007

Centrelink | Income Stream Providers (ISPs) | Improved Administration of Income Streams | Revision of 2005 program protocol to increase the usefulness of the protocol for Income Stream Providers (ISPs) participating in the data-matching activity. | June 2007


Chapter 4 Management and Accountability

4.1 Administrative Arrangements

4.1.1 Human Rights and Equal Opportunity Commission Memorandum of Understanding

The Office has a Memorandum of Understanding with the Human Rights and Equal Opportunity Commission (HREOC) which establishes an arrangement for the provision of corporate services. The Office paid $878 086 for these services in 2006–07. This includes payroll, recruitment services and general personnel support, finance, legal and support services, and information technology support. The Office also sub-lets premises from HREOC.

4.1.2 Attorney-General’s Department Memorandum of Understanding

The Office has a non-financial Memorandum of Understanding with the Attorney-General’s Department. This Memorandum was established in 2000–01 and sets out an agreed basis for policy and operational coordination between the Department and the Office. Representatives from both agencies meet monthly. The benefits of the arrangements include open lines of communication to keep each party informed of relevant activities and developments, and improved advice to Ministers and other key stakeholders.

4.1.3 ACT Government Memorandum of Understanding

The Office continues to have a Memorandum of Understanding with the ACT Government. The relationship has been in place since 1 July 2000 and the current Memorandum will expire on 30 June 2008. Under the Memorandum, the Office fulfils advisory, education and compliance roles including audits, and reports half-yearly and annually on activities undertaken in relation to the ACT Government. In 2006–07, in return for these services the Office received $94 987, as set out in the financial statements. Further information regarding advice provided to ACT Government agencies can be found at section 1.4.


4.1.4 Centrelink

The Office continued to undertake its responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 throughout 2006–07. Under an agreement with Centrelink, the Office receives annual funding of $331 875 to support the costs of monitoring the conduct of the data-matching program. For further information on data-matching see section 3.10.

4.1.5 Department of Human Services Memorandum of Understanding

In December 2006 the Office entered into a Memorandum of Understanding with the Department of Human Services (DHS) which allows for close consultation on privacy-related issues in the development and roll-out of the proposed Health and Social Services Access Card. Under the terms of the Memorandum, DHS has agreed to provide the Office with $375 000 per year for the term of the agreement (1 July 2006 to 30 June 2010). For more information see section 1.3.2.

4.1.6 Medicare Australia Memorandum of Understanding

The Office has a Memorandum of Understanding with Medicare Australia. Under the Memorandum, Medicare Australia provides the Office with resources ($130 000 per annum for the period 1 July 2005 to 30 June 2007) to provide advice and undertake work on privacy-related projects relevant to Medicare Australia.

4.1.7 Department of Immigration and Citizenship Memorandum of Understanding

The Office had a Memorandum of Understanding with the Department of Immigration and Citizenship (DIAC) during the reporting period. Under the Memorandum DIAC provided the Office with resources ($350 000 for the period 1 July 2006 to 30 June 2007) to give advice on privacy-related projects. For more information see section 1.3.3.

4.1.8 NSW Privacy Memorandum of Understanding

In December 2005 the Office entered into a non-financial Memorandum of Understanding with the Office of the NSW Privacy Commissioner to provide a framework for cooperation in undertaking their respective responsibilities when those responsibilities overlap, and to take advantage of opportunities to assist each other in joint training, education, promotion and enforcement activities.


4.1.9 Commonwealth Ombudsman Memorandum of Understanding

In November 2006, a non-financial Memorandum of Understanding was established between the Privacy Commissioner and the Commonwealth Ombudsman to allow for greater cooperation between their offices when dealing with privacy-related complaints.

The Memorandum allows for the exchange of relevant information where both Offices are considering the same issue and also offers the option of undertaking a joint investigation where a complaint falls under the jurisdiction of both Offices. Further, it enables referral of complaints to the other office where appropriate and with consent.

The two Offices will hold annual consultations to discuss the effectiveness of the agreement.

4.1.10 Office of the New Zealand Privacy Commissioner Memorandum of Understanding

The Office entered a non-financial Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner in September 2006. The Memorandum enables cooperation between the two offices on privacy-related issues and the sharing of information related to surveys, research projects, promotional campaigns, education and training programs, and techniques in investigating privacy violations and regulatory strategies.

The Memorandum stems in part from the APEC Privacy Framework, OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum, all of which advocate the forming of cooperative arrangements between privacy regulators.

The current Memorandum will expire in September 2008.

4.2 Corporate Services

4.2.1 Audit Committee

Consistent with ASX principles of good corporate governance and the requirements of the Financial Management and Accountability Act 1997, the Office maintains an audit committee to advise the Privacy Commissioner on the agency’s compliance with external reporting requirements and the effectiveness and efficiency of internal control and risk management mechanisms in place within the Office. The audit committee met four times during the reporting period.


4.2.2 Purchasing

The Office’s purchasing procedures comply with the Australian Government Procurement Guidelines issued by the Department of Finance and Administration. They address a wide range of purchasing situations, allowing managers to be flexible when making purchasing decisions while complying with the Australian Government’s core procurement principle of value for money.

There was no competitive tendering and contracting during 2006–07 that resulted in a transfer of provider from a Commonwealth supplier of goods or services to a non-government body.

4.2.3 Certification of Fraud Measures

The Office has a fraud risk assessment and fraud control plan including procedures and processes in place to assist in the process of fraud prevention, detection, investigation and reporting in line with the Commonwealth Fraud Control Guidelines.

4.2.4 Consultants

The Office uses consultancy services where there is a need to access skills and expertise not available within the human resources of the agency.

During 2006–07 one new consultancy contract was entered into involving total actual expenditure including GST of $84 709. There were no active part-performed consultancy contracts from prior years.

Table 4.1 Consultancy Contracts 2006–07

Consultant Name | Description | Contract Price | Selection Process | Justification

Wallis Consulting Group Pty Ltd | Research into community attitudes towards privacy in Australia | $84 709 | Select Tender | A,B

TOTAL | | $84 709 | |

Information on expenditure on contracts and consultancies is also available on the AusTender website at www.tenders.gov.au.


4.2.5 Advertising and Market Research

As noted in section 4.2.4, a contract for the provision of research into community attitudes towards privacy was entered into in 2006–07. The total value of the contract was $84 709 including GST. During 2006–07 a total of $12 706 (including GST) was paid out to the contractor under the contract.

4.2.6 Ecologically Sustainable Development and Environmental Performance

The role and activities of the Office do not directly link with the principles of ecologically sustainable development or impact on the environment other than through its business operations in the consumption of resources required to sustain its operations.

The Office uses energy saving methods in its operation and endeavours to make the best use of resources. The Office has implemented a number of environmental initiatives to ensure issues of environmental impact are addressed. Major energy consuming services such as air conditioning and lighting are switched off outside working hours. In addition waste products such as paper, cardboard, printer cartridges and other recyclable materials are recycled subject to the availability of appropriate recycling schemes. Preference is given to environmentally sound products when purchasing office supplies. Purchase/leasing of ‘Energy Star’ rated office machines and equipment is encouraged, as are machines with ‘power save’ features.

During 2006–07 the Office and its staff participated in the Earth Hour initiative, which was held on Saturday 31 March 2007.

4.3 Management of Human Resources

4.3.1 Staffing Overview

There was an increase in staffing through the year as a result of increased funding. An additional Senior Executive Service position was created and filled at the Band 2 level as a result of a restructure in the Office. The Office’s average staffing level for 2006–07 was 52.13 staff with a turnover of approximately 21% for ongoing staff. Ten ongoing staff either resigned or transferred to other Commonwealth agencies. Twenty-five ongoing staff were employed. The increase was largely in the Compliance section to deal with the increased workload.

As at 30 June 2007 the Office had a total of 63 staff, including both ongoing and non-ongoing employees. An overview of the Office’s staffing profile as at 30 June 2007 is summarised in Table 4.2. The number of part-time staff also includes casual staff employed as at 30 June 2007.

Table 4.2 Overview of Staffing Profile as at 30 June 2007

| Classification | Male | Female | Full Time | Part Time | Total Ongoing | Total Non-ongoing | Total |
|---|---|---|---|---|---|---|---|
| Statutory Office Holder | — | 1 | 1 | — | — | 1 | 1 |
| SES Band 2 | 1 | — | 1 | — | 1 | — | 1 |
| SES Band 1 | 1 | — | 1 | — | 1 | — | 1 |
| EL 2 ($85,544-$98,521) | 1 | 3 | 4 | — | 4 | — | 4 |
| EL 1 ($74,170-$81,337) | 4 | 5 | 8 | 1 | 9 | — | 9 |
| APS 6 ($59,295-$66,460) | 10 | 12 | 19 | 3 | 20 | 2 | 22 |
| APS 5 ($53,567-$57,856) | 6 | 8 | 12 | 2 | 10 | 4 | 14 |
| APS 4 ($48,026-$52,147) | 2 | 4 | 3 | 3 | 4 | 2 | 6 |
| APS 3 ($43,092-$46,509) | 3 | 2 | 2 | 3 | 3 | 2 | 5 |
| APS 2 ($38,874-$41,954) | — | — | — | — | — | — | — |
| APS 1 ($33,430-$36,946) | — | — | — | — | — | — | — |
| Total | 28 | 35 | 51 | 12 | 52 | 11 | 63 |

4.3.2 Workplace Relations and Employment

Staff members at the Office are employed under s. 22 of the Public Service Act 1999. Staff members are covered by the Office of the Privacy Commissioner Certified Agreement 2006–2009 which was certified by the Australian Industrial Relations Commission in March 2006 and is in operation until March 2009. The Agreement is comprehensive and was certified under s. 70LJ of the Workplace Relations Act 1996. The number of Office employees covered by the Agreement as at 30 June 2007 was 56, including both ongoing and non-ongoing staff.

The current Agreement provides for 14 weeks paid maternity leave, four weeks paid parental leave, and access to extended leave following maternity or parental leave. The Office also supports access to part-time employment up until the child reaches school age. Salary progression within classification levels is subject to performance assessment. Salary ranges are reflected in Table 4.2.

The Office had seven staff covered by Australian Workplace Agreements during the reporting period, including two Senior Executive Service (SES) staff members.

4.3.3 Performance Management and Staff Development

The Office’s Performance Management Scheme provides a framework to manage and develop staff to achieve corporate objectives. The Scheme provides regular and formal assessment of an employee’s work performance and allows for access to training and skill development.

The Office’s Certified Agreement recognises the need to provide adequate training for staff to support workplace changes. This is especially relevant with changes in the information technology area where staff are provided with relevant and ongoing training. Training in investigation and conciliation was a priority for the year and staff in the Compliance area attended training sessions.

Training is identified through an individual’s training and development plan in conjunction with the Performance Management Scheme. Training encompasses a range of development activities including professional development courses, on-the-job training and the opportunity to represent the organisation at seminars and other forums.

As part of the Office’s staff development strategy, staff members are provided with support under a Studies Assistance policy. The policy provides for access to study leave where study is relevant to the work of the Office, an individual’s work responsibilities and where it assists with career development.

4.3.4 Workplace Diversity and Equal Employment Opportunity

The Office recognises that diversity in staff is one of its greatest assets and is committed to valuing and promoting the principles of workplace diversity through work practices. The Office participates in a joint Workplace Diversity Committee with the Human Rights and Equal Opportunity Commission. Throughout the year the Office promoted and supported events including International Women’s Day, NAIDOC Week and Harmony Day. Other strategies under the plan focus on family friendly workplace policies. Five ongoing staff had part-time arrangements in place. The Committee continues to work towards achieving results in the Workplace Diversity Plan.

The Office’s Reconciliation Action Plan (see section 4.3.5) was developed during the year and the strategies developed will link in with the Office’s Workplace Diversity Plan.

4.3.5 Reconciliation Action Plan

During the reporting period the Office developed a Reconciliation Action Plan. The Reconciliation Action Plan initiative was developed by Reconciliation Australia to help organisations and agencies identify and develop business practices that contribute to the wellbeing and quality of life of Indigenous Australians.

The Office’s draft Plan, which involved staff input from all sections of the Office, identified five Key Reconciliation Result Areas:

– establishing dialogue with Indigenous stakeholders on privacy issues

– improving awareness of privacy rights in the Indigenous community

– developing guidance material for agencies and organisations on protecting and respecting the privacy of Indigenous Australians

– improving and applying cultural awareness and knowledge within the Office

– creating employment and development opportunities.

During National Reconciliation Week (27 May – 3 June 2007), the Office hosted an afternoon tea at which the Privacy Commissioner presented the Office’s draft Plan to staff. At the event, the Director of the Social Justice Unit at the Human Rights and Equal Opportunity Commission also spoke to staff about reconciliation.

In 2006–07, the Office began consulting with Reconciliation Australia on the draft version of the Plan. In 2007–08, the Office will finalise the Plan and make it available on the Office’s website.

4.3.6 Occupational Health and Safety

The Office and the Human Rights and Equal Opportunity Commission are co-located and cooperate over Occupational Health and Safety (OH&S) issues. The Office’s Health and Safety representative is a member of the joint agencies’ OH&S Committee (the Committee). This Committee also includes corporate support staff and meetings are held regularly throughout the year.


It is the policy of the Office to promote and maintain the highest degree of health, safety and wellbeing of all staff. The Office monitors health and safety through the Committee. Minutes of the Committee are placed on the Office’s intranet and any issues that require action are brought to the attention of management.

Personnel staff have been trained as case managers and regularly attend Comcare forums and training as required.

Ongoing assistance and support on OH&S and ergonomic issues is provided to new and existing staff. Assessments are completed as required for staff who identify particular ergonomic issues. A software program called ‘WorkPace’ assists staff in taking regular pause breaks through the day. The Office also offers support to staff through the promotion of health programs such as flu vaccinations. The Office provides a Healthy Lifestyle Allowance under the Certified Agreement to promote health and fitness as a means of achieving work/life balance and improving the health and wellbeing of our employees.

The Office continues to provide staff with access to counselling services through its Employee Assistance Program. This is a free and confidential service for staff and their families to provide counselling on personal and work related problems if required. No systemic issues have been identified through this service.

A hazards survey is conducted annually and the Committee monitors any OH&S issues that arise. There have been no dangerous accidents or occurrences reported over the last year.

Work has begun on the development of new Health and Safety Management Administrative plans (HSMAs) as a result of changes to the Safety Rehabilitation Compensation and Other Legislation Amendment Act 2007 which came into effect on 13 April 2007.

4.3.7 Commonwealth Disability Strategy

All Australian Government agencies are required to report annually against the Commonwealth Disability Strategy (CDS) performance framework. The Office’s report against the CDS is at Appendix 4. Full details on the CDS can be found on the Department of Family and Community Services website at www.facsia.gov.au/disability/cds/index.htm. Through the CDS the Government seeks to ensure its policies, programs and services are as accessible to people with disabilities as they are to all other Australians.


Appendix 1 The Privacy Act and the Office of the Privacy Commissioner

Privacy Commissioner’s Functions

The Privacy Commissioner has specific statutory functions under ss. 27, 28 and 28A of the Privacy Act 1988. These functions include, amongst other things, investigating possible breaches of the Privacy Act, undertaking audits of agencies or organisations to ensure compliance with the Privacy Act, providing advice to agencies and organisations on matters related to privacy, and promoting and encouraging the adoption of privacy standards in the community.

One of the key responsibilities of the Office is to handle complaints. Individuals who believe that their privacy may have been interfered with by an agency or organisation are able to lodge a complaint with the Office under s. 36 of the Privacy Act. The Privacy Commissioner may then undertake preliminary enquiries of the respondent to determine whether there are grounds, and whether the Commissioner has jurisdiction, to formally open an investigation into the complaint under s. 40 of the Privacy Act.

Staff members of the Compliance section conciliate between the parties to attempt to adequately resolve the dispute. If the parties are not able to come to a mutually satisfactory agreement, the Privacy Commissioner is able to make a determination under s. 52 of the Privacy Act to dismiss the complaint. Alternatively, the Privacy Commissioner is able to find in favour of the complainant and decide upon suitable orders to remedy the breach. The orders are enforceable in the Federal Court or Federal Magistrates Court under s. 55A of the Privacy Act.

Generally, a complaint must be in writing. The Office is obliged to provide appropriate assistance to people who require it in order to help formulate and appropriately set out the particulars of the complaint.

Individuals cannot complain to the Privacy Commissioner about organisations which are bound by a privacy code approved by the Commissioner, when that code has its own code adjudicator. Individuals may, however, ask the Privacy Commissioner to review a determination made by a code adjudicator under s. 18BI of the Privacy Act.

The Privacy Commissioner has the power to launch investigations under s. 40(2) of the Privacy Act, and these are referred to as Own Motion Investigations (OMIs). The Privacy Commissioner undertakes OMIs where it appears that a breach of the Privacy Act may have occurred and it is thought to be desirable that an OMI be undertaken, for example where the alleged breach is not limited to one complainant, or where the alleged breach raises systemic and/or ongoing issues.

The Office’s Policy section assists the Privacy Commissioner in providing advice on privacy issues, including interpreting the operation of the Privacy Act, to Ministers, Australian and ACT Government agencies, and organisations. The section develops guidance material (such as guidelines, information sheets and FAQs) to help explain the operation of the Privacy Act and the Privacy Commissioner’s functions.

The Policy section examines enactments and proposals from agencies, advising on their potential privacy implications and their overall compliance with the Privacy Act. It also assists the Privacy Commissioner in carrying out other functions under the Privacy Act, as well as prescribed functions under the National Health Act 1953, the Telecommunications Act 1977 and the Crimes Act 1914.

The Office’s Corporate and Public Affairs section manages the public profile of the Office and the Privacy Commissioner, provides secretariat support and manages the Office’s corporate responsibilities. The unit is responsible for developing and maintaining the Office’s website, handling media enquiries, assisting with the provision of Privacy Act training and providing a secretariat role to several committees including the Privacy Contact Officer Steering Committee, Privacy Advisory Committee and Asia Pacific Privacy Authorities forum. The section also liaises with key stakeholders, including domestic bodies and international authorities, and handles the Office’s corporate governance responsibilities.

Chart A1.1 Organisational Structure (chart; positions and sections shown): Privacy Commissioner; Deputy Privacy Commissioner; Assistant Privacy Commissioner; Corporate and Public Affairs; Policy; Compliance.

Privacy Act

The Privacy Act gives effect to article 17 of the International Covenant on Civil and Political Rights and to the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act establishes the method by which personal information about individuals can be collected and stored, specifies the permissible uses of that information, and limits the circumstances in which that information can be disclosed. It also sets out a mechanism by which individuals can gain access to, and amend where appropriate, the personal information about them held by agencies and organisations.

The Privacy Act protects personal information under four main sets of requirements.

– The National Privacy Principles (NPPs) (see Appendix 6) regulate the way private sector organisations handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of organisations covered by the Privacy Act. In general the NPPs apply to all businesses and non-government organisations with a turnover of $3 million or more, all health service providers and a limited range of small businesses.

– The Information Privacy Principles (IPPs) (see Appendix 7) regulate the way most Australian and ACT Government agencies handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of those agencies covered by the Privacy Act.

– Individuals’ Tax File Number (TFN) provisions: the Privacy Act prevents TFNs from being used as a de facto national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to tax-related, assistance agency and superannuation purposes. Under the Privacy Act, the Privacy Commissioner issues and enforces legally binding guidelines.

– Part IIIA of the Privacy Act places strict safeguards on the handling of individuals’ consumer credit information by the credit industry. These provisions recognise the sensitivity of credit-worthiness information and the implications for individuals should credit information be mishandled. Strict penalties apply if these provisions are breached.

Subordinate Legislation

Privacy in Australia is further regulated by subordinate legislation including those listed below.

– Privacy (Private Sector) Regulations 2001, which set out the standards under s. 18BB(3)(a)(i) of the Privacy Act that need to be met before a privacy code can be approved by the Privacy Commissioner, and prescribe specific agencies, state authorities and organisations for particular purposes under the Privacy Act.

– Privacy Regulations 2006, which exempt the secrecy provisions of the Census and Statistics Act 1905 from the provisions in the Privacy Act (Part VIA) which relate to allowable disclosures during emergencies.

– Privacy codes developed by organisations and approved by the Privacy Commissioner under Part IIIAA of the Privacy Act can replace the National Privacy Principles for particular organisations or activities if they enhance or are equivalent to those principles.

– Mandatory guidelines under the Privacy Act, for example the Tax File Number Guidelines issued under s. 17 of the Privacy Act.

– Public Interest Determinations and Temporary Public Interest Determinations under Part VI of the Privacy Act.

– Credit Reporting Determinations under Part IIIA of the Privacy Act.

– The Credit Reporting Code of Conduct issued under s. 18A of the Privacy Act.

The Privacy Act and the subordinate legislation are supported by advisory guidelines issued by the Office, including:

– Guidelines to the National Privacy Principles

– Guidelines to the Information Privacy Principles

– Guidelines for the Use of Data-matching in Commonwealth Administration

– Guidelines on Privacy in the Private Health Sector

– Guidelines on Privacy Code Development (part of these guidelines are mandatory)

– Guidelines on Public Interest Determination Procedure

– Guidelines for Federal and ACT Government Websites

– Guidelines on Workplace Email, Web Browsing and Privacy

– Guidelines for Agencies using Privacy and Public Key Infrastructure to communicate or transact with individuals.

In addition, the National Health and Medical Research Council (NHMRC) has issued the following binding guidelines after consulting with the Privacy Commissioner:

– Guidelines under Sections 95 and 95A of the Privacy Act 1988.


Other Legislation

The role of the Privacy Commissioner is further defined by legislated responsibilities that are set out in the following legislation.

– Part VIIC of the Crimes Act 1914, the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances (the Privacy Commissioner has the power to investigate breaches of the legislation, and is also required to provide advice to the Attorney-General in relation to exemptions under the scheme).

– The Data-matching Program (Assistance and Tax) Act 1990, which regulates data-matching between the Australian Taxation Office and the assistance agencies to detect overpayment and ineligibility for assistance (under this Act, the Privacy Commissioner is responsible for issuing mandatory guidelines for protecting privacy, investigating complaints and monitoring agency compliance).

– The National Health Act 1953, under which the Privacy Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals’ claim information under the Pharmaceutical Benefits Scheme and the Medicare program.

– The Telecommunications Act 1997, under which the Privacy Commissioner has certain monitoring and compliance functions.

Outcomes and Outputs Structure

The Office’s outcome statement, as set out in the Portfolio Budget Statement, is:

An Australian culture in which privacy is respected, promoted and protected.

There is one output for the Office’s outcome:

Complaint handling, compliance and monitoring, and education and promotion.

There are two performance measures:

Quality

– Majority of complainants and respondents surveyed satisfied that complaint handling service was timely and impartial.

– Majority of enquirers surveyed satisfied with advice provided by Hotline and in written response.


– 80% of complaints finalised within 12 months of receipt, 90% of written enquiries answered within ten days.

– Agencies and organisations satisfied that audits improve their privacy practices and procedures.

– Audits finalised within 6 months of commencement.

– Targeted information available that informs the community, including business and government, of their rights and responsibilities in respect of the Office’s jurisdictional responsibilities.

Quantity

– Close 1300 complaints, respond to 2000 written enquiries, and answer 20 000 calls.

– 3 audits commenced.

– >800 000 visits to the website.

– >3.5 million pages viewed on the website.

Table A1.1 Resources for Outcomes

| | Budget 2006–07 $’000 | Actual Expenses 2006–07 $’000 | Budget 2007–08 $’000 |
|---|---|---|---|
| Total Administrative Expenses | | | |
| Price of Department Outputs – Output Group 1.1 Complaint handling, compliance and monitoring, and education and promotion | 7358 | 6833 | 7805 |
| Subtotal Output Group 1.1 | 7358 | 6833 | 7805 |
| Revenue from Government (Appropriation) for Departmental Outputs | 6486 | 6486 | 6931 |
| Revenue from other Sources | 872 | 347 | 874 |
| Total price of Outputs | 7358 | 6833 | 7805 |
| Total for Outcome 1 (Total price of Outputs and Administered Expenses) | 7358 | 6833 | 7805 |

| | Actual 2006–07 | Estimated Actual 2007–08 |
|---|---|---|
| Average Staffing Level | 52 | 56 |


Appendix 2 Freedom of Information Act Compliance

The Freedom of Information Act 1983 (FOI Act) gives the general public legal access to government documents. For information on the Office’s procedures see Freedom of Information procedures on page 87.

Section 8 of the FOI Act requires each Australian Government agency, including this Office, to publish information about the way the Office is organised, together with its functions, powers and arrangements for public participation in the work of the agency. The Office is also required to publish the categories of documents that the Office holds and how members of the public can gain access to them.

Organisation

The Office’s organisational structure is provided in Chart A1.1 in Appendix 1.

Authority and legislation

The Office is established, and the Privacy Commissioner’s functions and powers are conferred, by the Privacy Act 1988. Information regarding the Office’s functions and powers is set out in Appendix 1.

Number of formal requests for information

During 2006–07, the Office received 14 requests for access to documents under the FOI Act. Twelve requests related to access to documents concerning individual privacy. Two requests related to documents concerning the functions and activities of this Office.

Avenues for public participation

The Office uses the following processes and consultative bodies to assist the participation by persons or bodies outside the Commonwealth administration in the policy-making functions of the Office or in its administration of various schemes and enactments.

– The Office has a Strategic Plan (see Appendix 8) which commits it to developing robust relationships with external stakeholders, and to ensuring that effective relationships, partnerships and networks are at the core of the Office’s internal and external operations.


– Part VII of the Privacy Act provides for the establishment of the Privacy Advisory Committee to advise the Commissioner on relevant matters, recommend material to the Commissioner for inclusion in guidelines and, subject to direction by the Commissioner, engage in community education and consultation.

– The Privacy Commissioner’s Health Privacy Forum is an informal group of senior stakeholders from the health sector to assist the Commissioner on matters of health privacy.

– The Office coordinates the Privacy Contact Officer (PCO) Network to facilitate the resolution of privacy issues within Australian and ACT Government agencies and provide training and expertise to those agencies. The PCO network meets four times per year.

– The Privacy Connections network plays a similar role in the private sector and regular forums are held for network members across Australia.

– The Office meets on an informal basis with representatives of privacy and consumer non-government organisations to discuss privacy matters affecting the Australian community.

– The Compliance section conducts customer surveys to determine levels of service and customer satisfaction. A survey was conducted in 2004–05. Although initially scheduled for 2006–07, this survey will now be carried out again in 2007–08.

– The Commissioner also has legislative requirements to consult. For example the provisions relating to making a public interest determination require the production of a draft determination and the invitation of interested parties to attend a conference (ss. 75 and 76). Similarly, the Commissioner needs to be satisfied that there has been an adequate opportunity for the public to comment before approving a proposed privacy code (s. 18BB(2)(f)).

– The Office invites public consultation from individuals and organisations through its website.

Categories of documents

Documents held by the Office relate to:

– administration matters, including personnel, recruitment, accounts, purchasing, registers, registry, library records and invoices

– complaint matters, including audits and the investigation, clarification, conciliation and resolution of complaints

– legal matters, including legal documents, opinions, advice and representations

– research matters, including research papers in relation to complaints, existing or proposed legislative practices, public education, national inquiries and other relevant issues

– policy matters, including minutes of meetings, administrative and operational guidelines

– operational matters, including files on formal inquiries and

– reference materials, including press clippings, survey and research materials, documents relating to conferences, seminars and those contained in the library.

Freedom of Information procedures

Initial enquiries regarding access to documents from the Office of the Privacy Commissioner should be directed to the Freedom of Information Officer by either telephoning (02) 9284 9800 or writing to:

Freedom of Information Officer Office of the Privacy Commissioner GPO Box 5218 Sydney NSW 2001.

Procedures for dealing with FOI requests are detailed in s. 15 of the FOI Act. A valid request must:

– be in writing

– be accompanied by the payment of a $30 application fee

– include the name and address of the person requesting the information and

– be processed within 30 days of receipt.

Some documents are exempt from public perusal under the FOI Act. Where documents are not accessible by the applicant, valid reasons will be provided. The Office’s decisions about accessibility of documents may be reviewed by the Administrative Appeals Tribunal.

Facilities for obtaining physical access The Office provides copies of the requested documents by mail to the enquiring party, subject to exceptions established under the FOI Act.

The Office will also consider requests from parties to view hard copies of the requested documents in person at the Office.


Appendix 3 Speeches and Presentations

Karen Curtis, Privacy Commissioner

2006

25 July Personal Property Securities – Policy Development Workshop, Sydney

29 August Privacy Awareness Week Launch, Sydney

1 September Privacy Contact Officer Network Meeting, Canberra

18 September Launch of DIMA/OPC Memorandum of Understanding, Canberra

24 October Australian Regulatory Reform Evolution Conference, Canberra

23 November Privacy Connections Corporate Breakfast, Sydney

23 November ACMA Information Communications Entertainment Conference, Canberra

1 December Privacy Contact Officer Network Meeting, Canberra

2007

23 March Administrative Review Council, Canberra

27 March Privacy Professionals Network, Sydney

10 May Privacy Connections Corporate Breakfast, Adelaide

11 May Privacy Connections Corporate Breakfast, Perth

1 June Privacy Contact Officer Network Meeting, Canberra

25 June Second Technical Assistance Seminar on International Implementation of the APEC Privacy Framework, Cairns


Staff of the Office of the Privacy Commissioner

2006

27 July Advertising, Marketing and Media Summit, Melbourne

28 July Little Sisters of the Poor, Melbourne

10 August DIMA Compliance Officer Pilot Training Program, Canberra

1 September Privacy Contact Officer Network Meeting, Canberra

12 September ACMA International Training Program, Melbourne

1 December Privacy Contact Officer Network Meeting, Canberra

2007

2 March Privacy Contact Officer Network Meeting, Canberra (2 presentations)

31 May OSHC Worldcare ‘The Application of the Privacy Act to the International Student Industry’, Melbourne

1 June Privacy Contact Officer Network Meeting, Canberra (3 presentations)


Appendix 4 Commonwealth Disability Strategy Performance Reporting June 2007

Table A4.1 Commonwealth Disability Strategy Performance Reporting June 2007

Policy adviser role

Performance Indicator

Performance Measure

Current level of performance (2006–07)

1. New or revised Percentage of new The Office provides advice on the policy / program or revised policy/program/legislative activities of proposals assess policy/program other agencies from a privacy perspective. impact on the lives proposals that Submissions are made available on the of people with document that the Office’s website where possible. disabilities prior to impact of the In a significant number of advices decision. proposal was

considered prior to the decision making stage.

provided, particularly where new technologies are being considered, the privacy of people with disabilities is factored into the discussion. During the reporting period, the Office’s submissions to the Australian Law Reform Commission review of privacy and the Department of Human Services regarding the proposed Access Card addressed privacy issues specific to people with a disability.

The Office seeks to have representative bodies actively involved in consultation, including in privacy impact assessments of proposals.

A consideration for the Office is how the privacy rights of individuals with disabilities are being met. To aid this assessment, the Office surveys and collects demographic information relating to complainants (see Appendix 5).

During 2006–07 the Office received 105 responses to the survey. Of these, 28 respondents indicated they had a disability.

90 Office of the Privacy Commissioner – Annual Report 2006-07

Policy Adviser Role – continued

Performance Indicator

Performance Measure

Current level of performance (2006–07)

2. People with Percentage of Where the Office undertakes consultations, disabilities are consultations groups representing the interests of people included in about new or with disabilities are invited to participate. consultation about new or revised policy / program proposals.

revised policy / program proposals that are developed in consultation with people with disabilities.

During consultation processes the Office considers the needs of people with disabilities.

Public consultation events all occur in accessible venues.

3. Public Percentage of new, Simultaneous to public release 100% of announcements of revised or information about new Office initiatives is new, revised or proposed policy / available on a W3C compliant website. proposed policy / program Other formats are available on request. program initiatives are available in accessible formats for people with disabilities in a timely manner.

announcements available in a range of accessible formats.

Time taken in providing

A staff member undertook training in 2006–07 with the specific purpose of ensuring that the Office’s website is fully accessible to all visitors.

All material is available in other formats on

announcements in accessible formats.

request.

The Privacy Connections network had 1841 members as at 30 June 2007. Disability peak groups are members of this network. Membership is also open to members of the public who may have disabilities. Members are offered the opportunity to sign up to an email subscription. Email messages to the network are sent in plain text accessible formats.

Office of the Privacy Commissioner 91

Regulator role

1. Performance indicator: Publicly available information on regulations and quasi-regulations is available in accessible formats for people with disabilities.

Performance measure: Percentage of publicly available information on regulations and quasi-regulations requested and provided in:
• accessible electronic formats; and
• accessible formats other than electronic.
Average time taken to provide accessible material in:
• electronic format; and
• formats other than electronic.

Current level of performance (2006–07): Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities. 100% of Office information is available on its W3C compliant website. All material is available in other formats on request. Office services are accessible via website, phone and TTY. Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days. Some requests may require that we use external service providers. In these cases the turnaround to provide information in accessible formats may be impacted.


2. Performance indicator: Publicly available regulatory compliance reporting is available in accessible formats for people with disabilities.

Performance measure: Percentage of publicly available information on regulations and quasi-regulations requested and provided in:
• accessible electronic formats; and
• accessible formats other than electronic.
Average time taken to provide accessible material in:
• electronic format; and
• formats other than electronic.

Current level of performance (2006–07): 100% of Office information is available on its W3C compliant website. All material is available in other formats on request. Office services are accessible via website, phone and TTY. Electronic access is immediate, via website. Average turnaround for requests for electronic information is within the day; hard copy information a couple of days. Some requests may require that we use external service providers. In these cases the turnaround to provide information in accessible formats may be impacted.

Provider role

1. Performance indicator: Providers have established mechanisms for quality improvement and assurance.

Performance measure: Evidence of quality improvement and assurance systems in operation.

Current level of performance (2006–07): The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office. The Office generally conducts customer satisfaction surveys to determine the level of customer satisfaction with the Office’s services. Although originally scheduled for 2006–07, this survey will be carried out again in 2007–08.


2. Performance indicator: Providers have an established service charter that specifies the roles of the provider and consumer and service standards which address accessibility for people with disabilities.

Performance measure: Established service charter that adequately reflects the needs of people with disabilities in operation.

Current level of performance (2006–07): The Office does not have an agency-wide service charter but has complaint handling service standards in place as this is a major client focus. All Office complaints information and brochures are available on the website in accessible electronic format. Information about the complaints process and legislation is available in plain English format on the Office website. The website is updated regularly. Office information is available in alternative formats upon request.

3. Performance indicator: Complaints / grievance mechanisms, including access to external mechanisms, in place to address concerns raised about performance.

Performance measure: Established complaints / grievance mechanisms, including access to external mechanisms, in operation.

Current level of performance (2006–07): The Office uses a current complaints information referral list to ensure callers with disabilities can be referred to appropriate advocacy groups. The Office has an enquiries line and a website link which gives individuals the opportunity to lodge complaints/grievances with the Office. Email, TTY and a national 1300 number at the cost of a local call are all available. Premises are accessible. Section 36(4) of the Privacy Act requires the Commissioner to provide appropriate assistance to complainants where they have difficulty in lodging a complaint. This includes giving appropriate assistance to people with disabilities. When dealing with requests for access to personal information, organisations are advised to consider issues of accessibility. No complaints have been received regarding access to the Office complaint handling service or premises.


Employer role

1. Performance indicator: Employment policies, procedures and practices comply with the requirements of the Disability Discrimination Act 1992.

Performance measure: Number of employment policies, procedures and practices that meet the requirements of the Disability Discrimination Act 1992.

Current level of performance (2006–07): The Office promotes and supports APS values. The Office’s Certified Agreement (CA) contains reference to Workplace Diversity principles. Most of the Office’s policies on employment are contained within the CA. The Workplace Diversity Plan (jointly participated in by the Office and the Human Rights and Equal Opportunity Commission) outlines strategies to maximise employment opportunities for people with disabilities. On induction all new staff are provided with a copy of the plan. The email/internet policy is reviewed annually. It specifically prohibits the inappropriate use of email that may demean people with disabilities. There were no formal complaints/grievances made by staff with regard to current work practices.


2. Performance indicator: Recruitment information for potential job applicants is available in accessible formats on request.

Performance measure: Percentage of recruitment information requested and provided in:
• accessible electronic formats; and
• accessible formats other than electronic.
Average time taken to provide accessible information in:
• electronic formats; and
• formats other than electronic.

Current level of performance (2006–07): 100% compliance providing accessible formats for recruitment material. Recruitment information is able to be provided in any format. All recruitment material is on the Office’s W3C compliant website. Advertisements in the press advise that information is available at the contact phone number, by TTY phone and on the Office’s website. The Office website meets the criteria for accessibility as outlined in the Government Online Strategy and the Deputy Disability Commissioner has advised in the process. There were no requests for Braille in 2006–07.

3. Performance indicator: Agency recruiters and managers apply the principle of reasonable adjustment.

Performance measure: Percentage of recruiters and managers provided with information on reasonable adjustment.

Current level of performance (2006–07): Selection guidelines include information on reasonable adjustment and guidelines for interviewing staff with disabilities. Recruitment action is managed internally and not outsourced, and all committees are provided with selection information on reasonable adjustment.


4. Performance indicator: Training and development programs consider the needs of staff with disabilities.

Performance measure: Percentage of training and development programs that consider the needs of staff with disabilities.

Current level of performance (2006–07): Due to the small number of staff in the Office, training is coordinated by each of the unit managers under the Office’s Performance Management Scheme. The majority of training is provided off-site with external providers and any in-house training programs recognise the needs of people with disabilities. Training nomination forms include specific requirements that may be needed such as:
• wheelchair access
• accessible toilets/parking
• a hearing device
• sign language interpreter
• an attendant
• a support person
• information in Braille, audio cassette, large print, ASCII format.

5. Performance indicator: Training and development programs include information on disability issues as they relate to the content of the program.

Performance measure: Percentage of training and development programs that include information on disability issues as they relate to the program.

Current level of performance (2006–07): As noted above, training is coordinated by each individual section. Induction includes information on Workplace Diversity and relevant legislation, including the DDA. The Complaint Handling section of HREOC conducts training and information on disability issues for staff of HREOC and the Office.


6. Performance indicator: Complaint / grievance mechanism, including access to external mechanisms, in place to address issues and concerns by staff.

Performance measure: Established complaints / grievance mechanisms, including access to external mechanisms, in operation.

Current level of performance (2006–07): There is an established process in the Office’s Certified Agreement for complaints/grievances, which includes access to external review through the Australian Public Service Commission. All staff are advised of access to the Office’s Employee Assistance Program and encouraged to use this service when needed. This free service provides counselling and support for staff and their families.

Note: Accessible electronic formats include ASCII (or .txt) files and html for the website. Non electronic accessible formats include Braille, audio cassette, large print and easy English. Other ways of making information available include video captioning and Auslan interpreters.


Appendix 5 Demographic Information about Complainants

In 2006–07 the Office continued collecting detailed demographic information about complainants. The Office invites all complainants to voluntarily respond to a survey. While the response rate is low, the Office will continue to use the information to improve its accessibility and other services to complainants. Below are a series of tables which provide a summary of the responses received in 2006–07 compared to the results received in 2005–06.

Due to the voluntary nature of the survey, the information gathered may not necessarily give an accurate representation of the relative proportions of demographic categories of complainants.

Table A5.1 Gender of complainants

Category   2005-06 (No., %)   2006-07 (No., %)

Female 53 44.9% 53 50.5%

Male 65 55.1% 52 49.5%

Total 118 100% 105 100%

Table A5.2 Complainants’ access to the internet

Category   2005-06 (No., %)   2006-07 (No., %)

Nil Return 0 0.0% 0 0.0%

No 23 19.5% 17 16.2%

Yes 95 80.5% 88 83.8%

Total 118 100% 105 100%


Table A5.3 Country of birth of complainants

Category   2005-06 (No., %)   2006-07 (No., %)

Australia 83 70.3% 73 69.5%

Great Britain 14 11.9% 8 7.6%

New Zealand 7 5.9% 3 2.9%

Other 14 11.9% 21 20.0%

Total 118 100% 105 100%

Table A5.4 Main language spoken at home

Category   2005-06 (No., %)   2006-07 (No., %)

English 115 97.5% 103 98.1%

Other 3 2.5% 2 1.9%

Total 118 100% 105 100%

Table A5.5 Location of complainants

Category   2005-06 (No., %)   2006-07 (No., %)

Capital City 81 68.6% 72 68.6%

Country Town 18 15.3% 13 12.4%

Major regional centre 18 15.3% 19 18.0%

Rural 1 0.8% 1 1.0%

Total 118 100% 105 100%

Table A5.6 Aboriginal or Torres Strait Islander background of complainants

Category   2005-06 (No., %)   2006-07 (No., %)

Aboriginal/Torres Strait Islander 2 1.7% 1 1.0%

Non-Aboriginal/Torres Strait Islander 116 98.3% 103 98.0%

Did not comment 0 0.0% 1 1.0%

Total 118 100% 105 100%


Table A5.7 Level of education completed by complainants

Category   2005-06 (No., %)   2006-07 (No., %)

Bachelor/Post Graduate Degree 47 39.8% 38 36.2%

Diploma/Advanced Diploma 21 17.8% 24 22.9%

Study not leading to a qualification 4 3.4% 2 1.9%

Year 10 or below 29 24.6% 22 20.9%

Year 12 16 13.6% 19 18.1%

Nil Return 1 0.8% 0 0.0%

Total 118 100% 105 100%

Table A5.8 Age range of complainants

Category   2005-06 (No., %)   2006-07 (No., %)

19-29 years 12 10.2% 12 11.4%

30-39 years 20 16.9% 17 16.2%

40-49 years 39 33.1% 41 39.0%

50-59 years 27 22.9% 17 16.2%

60-69 years 15 12.7% 13 12.4%

70-79 years 3 2.5% 4 3.8%

80-89 years 2 1.7% 1 1.0%

Total 118 100% 105 100%

Table A5.9 Complainants with a disability

Category   2005-06 (No., %)   2006-07 (No., %)

No Disability 80 67.8% 77 73.3%

Medical 10 8.5% 7 6.7%

Sensory 4 3.4% 2 1.9%

Psychiatric 6 5.1% 5 4.8%

Movement 12 10.2% 9 8.5%

Other 5 4.2% 5 4.8%

No Comment 1 0.8% 0 0.0%

Total 118 100% 105 100%


Table A5.10 Source of knowledge about the Office of the Privacy Commissioner

Category   2005-06 (No., %)   2006-07 (No., %)

A Legal Centre/Lawyer 11 9.3% 14 13.3%

Another Community Organisation 8 6.8% 0 0.0%

Family member/friend/ support person/associate 8 6.8% 14 13.3%

Government agency (not the agency complained about) 16 13.6% 17 16.2%

Our website www.privacy.gov.au 9 7.6% 15 14.3%

Other 30 25.4% 14 13.3%

Internet 8 6.8% 6 5.7%

Media 13 11.0% 14 13.3%

The organisation/government agency complained about 10 8.5% 7 6.7%

Telephone book 5 4.2% 4 3.8%

Total 118 100% 105 100%

Table A5.11 Annual income range of complainants

Category   2005-06 (No., %)   2006-07 (No., %)

$0 – $25 000 42 35.6% 26 24.7%

$25 001 – $50 000 31 26.3% 32 30.5%

$50 001 – $75 000 16 13.6% 23 21.9%

$75 001 or more 27 22.9% 24 22.9%

Nil Return 2 1.7% 0 0.0%

Total 118 100% 105 100%


Appendix 6 National Privacy Principles

The National Privacy Principles as set out in Schedule 3 of the Privacy Act 1988 are as follows:

1 Collection

1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.


2 Use and disclosure

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

(i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and

(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

(iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and


(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

(iii) in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual’s life, health or safety; or

(ii) a serious threat to public health or public safety; or

(ea) if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

(i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and

(iii) in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or

(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(g) the use or disclosure is required or authorised by or under law; or

(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;


(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1: It is not intended to deter organisations from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

(a) the individual:

(i) is physically or legally incapable of giving consent to the disclosure; or

(ii) physically cannot communicate consent to the disclosure; and

(b) a natural person (the carer) providing the health service for the organisation is satisfied that either:

(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or


(ii) the disclosure is made for compassionate reasons; and

(c) the disclosure is not contrary to any wish:

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

(a) a parent of the individual; or

(b) a child or sibling of the individual and at least 18 years old; or

(c) a spouse or de facto spouse of the individual; or

(d) a relative of the individual, at least 18 years old and a member of the individual’s household; or

(e) a guardian of the individual; or

(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

(g) a person who has an intimate personal relationship with the individual; or

(h) a person nominated by the individual to be contacted in case of emergency.

2.6 In subclause 2.5:

child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.


3 Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

4 Data security

4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

5 Openness

5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

6 Access and correction

6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

(a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

(b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

(c) providing access would have an unreasonable impact upon the privacy of other individuals; or

(d) the request for access is frivolous or vexatious; or

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g) providing access would be unlawful; or

(h) denying access is required or authorised by or under law; or

(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

(j) providing access would be likely to prejudice:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii) the protection of the public revenue; or

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or

(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.


6.4 If an organisation charges for providing access to personal information, those charges:

(a) must not be excessive; and

(b) must not apply to lodging a request for access.

6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

7 Identifiers

7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a) an agency; or

(b) an agent of an agency acting in its capacity as agent; or

(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or


(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsection 100(2).

7.3 In this clause:

identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

8 Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

9 Transborder data flows

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

(b) the individual consents to the transfer; or

(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e) all of the following apply:

(i) the transfer is for the benefit of the individual;

(ii) it is impracticable to obtain the consent of the individual to that transfer;

(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or


(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

10 Sensitive information

10.1 An organisation must not collect sensitive information about an individual unless:

(a) the individual has consented; or

(b) the collection is required by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or

(d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:

(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the information is necessary to provide a health service to the individual; and

(b) the information is collected:

(i) as required or authorised by or under law (other than this Act); or


(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

(c) it is impracticable for the organisation to seek the individual’s consent to the collection; and

(d) the information is collected:

(i) as required by law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

10.5 In this clause: non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.


Appendix 7 Information Privacy Principles

The Information Privacy Principles as set out in s. 14 of the Privacy Act 1988 are as follows:

Principle 1 – Manner and purpose of collection of personal information

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 – Solicitation of personal information from individual concerned

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

(c) the purpose for which the information is being collected;

(d) if the collection of the information is authorised or required by or under law – the fact that the collection of the information is so authorised or required; and

(e) any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 – Solicitation of personal information generally

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

(c) the information collected is relevant to that purpose and is up to date and complete; and

(d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 – Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 – Information relating to records kept by record-keeper

1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

(a) whether the record-keeper has possession or control of any records that contain personal information; and

(b) if the record-keeper has possession or control of a record that contains such information:

(i) the nature of that information;

(ii) the main purposes for which that information is used; and

(iii) the steps that the person should take if the person wishes to obtain access to the record.

2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

3. A record-keeper shall maintain a record setting out:

(a) the nature of the records of personal information kept by or on behalf of the record-keeper;

(b) the purpose for which each type of record is kept;

(c) the classes of individuals about whom records are kept;

(d) the period for which each type of record is kept;

(e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and

(f) the steps that should be taken by persons wishing to obtain access to that information.

4. A record-keeper shall:

(a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and

(b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.


Principle 6 – Access to records containing personal information

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 – Alteration of records containing personal information

1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

(a) is accurate; and

(b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3. Where:

(a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.


Principle 8 – Record-keeper to check accuracy etc of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 – Personal information to be used only for relevant purposes

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 – Limits on use of personal information

1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

(a) the individual concerned has consented to use of the information for that other purpose;

(b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

(c) use of the information for that other purpose is required or authorised by or under law;

(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.

2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.


Principle 11 – Limits on disclosure of personal information

1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.


Appendix 8 Strategic Plan 2007–09

Our Vision:

An Australian community in which privacy is valued and respected.

Our Purpose:

To promote and protect privacy in Australia.

Our Values:

As an Australian Government agency the Office of the Privacy Commissioner is committed to upholding the APS Values and Code of Conduct. In particular we will:

– demonstrate leadership in promoting and protecting privacy

– act with independence, impartiality and integrity

– value our staff

– be responsive to our clients

– work collaboratively with stakeholders.

Context:

The Office of the Privacy Commissioner is established under the Privacy Act 1988 to:

– provide advice and assistance to individuals

– provide advice and assistance to organisations and agencies with responsibilities under the Privacy Act

– promote privacy through policy advice and educational activities

– administer the Privacy Act including by investigating individual privacy complaints and systemic issues, and conducting audits.


Goals, Strategies and Actions for 2007

Goal: High quality results

• Build our policy and strategic analysis capacity

• Identify and focus our policy and analysis effort on areas of maximum impact

• Increase our influence through quality advice and information

• Manage our resources effectively and efficiently

• Identify partnership opportunities to maximise our ability to advise on key policy issues

• Maximise the impact of our policy advice through follow-up strategies

• Implement recommendations from the Private Sector Review

• Deliver fair, transparent, efficient and effective privacy complaint handling

• Implement recommendations from the Complaint Handling Review

• Increase our focus on systemic privacy issues

• Harness and utilise knowledge gained from day to day activities to inform our strategic work

• Ensure robust work practice and information systems support our core business

• Build our capacity to respond to evolving and emerging technology

• Eliminate backlog of complaints

• Identify key privacy compliance issues

• Expand our audit program

• Review our approach to data matching and monitoring

• Review and build on our knowledge management systems


Goal: Increased awareness of privacy choices and obligations within the community

• Communicate effectively with more targeted integrated strategies

• Implement recommendations from Private Sector Review

• Harness existing communication channels to maximum effect especially pop culture medium

• Utilise the media to deliver the privacy message

• Develop and implement communication plans targeting key audiences, for example, young people, industry sectors, regional, disadvantaged, people from a Non English Speaking Background

• Ensure that material published by the Office is up-to-date, accurate and targeted at identified key audiences

• Develop and implement media strategy

• Ensure that the website as the Office’s key communication channel is up-to-date and accurate

• Develop guidance material to assist the private sector

• Re-energise PCO and Privacy Connections Networks

• Review content and structure of our publications and other written material

• Review content and design of website

• Review and develop services provided to PCO and Privacy Connections Networks, including the provision of training

• Develop programs to recognise and reward best practice


Goal: Robust relationships

• Ensure that effective relationships, partnerships and networks are at the core of how we operate internally and externally

• Develop formal links with external parties where appropriate and useful to maximise influence and understanding

• Nurture, manage and review existing relationships

• Identify, build and manage new relationships

• Train and support staff to manage internal and external relationships

• Further develop the private sector communications program

• Provide quality and timely advice and services under our MOUs

• Develop international linkages particularly APPA and APEC

• Review and develop systems that support internal and external networks and relationships

• Review and measure the success of our relationships


Goal: A confident and competent workforce

• Attract well qualified staff

• Retain our staff through commitment to training and development, career development, conditions of service, and work-life balance

• Acquire and develop our skills base to respond to emerging issues including technology

• Develop a Workforce Plan that:

• Includes learning and development strategies based on an assessment of our skills base and a training needs analysis

• Reviews career development framework for all staff

• Establishes a secondment program with other agencies and within the Office

• Examines a range of recruitment and retention strategies

• Promotes and improves knowledge sharing


Office of the Privacy Commissioner Notes to and forming part of the Financial Statements

for the period ended 30 June 2007


Office of the Privacy Commissioner

Financial Statements for the year ended 30 June 2007

STATEMENT BY THE CHIEF EXECUTIVE AND CHIEF FINANCE OFFICER

In our opinion, the attached financial statements for the year ended 30 June 2007 are based on properly maintained financial records and give a true and fair view of the matters required by the Finance Minister’s Orders made under the Financial Management and Accountability Act 1997, as amended.


Office of the Privacy Commissioner

Financial Statements for the period ended 30 June 2007

Table of Contents

Independent Audit Report

Statement by the Chief Executive and Chief Financial Officer

Income Statement

Balance Sheet

Statement of Changes in Equity

Cash Flow Statement

Schedule of Commitments

Schedule of Contingencies

Notes to and forming part of the financial statements:

Note 1: Summary of Significant Accounting Policies

Note 2: Events after the Balance Sheet Date

Note 3: Income

Note 4: Expenses

Note 5: Financial Assets

Note 6: Non-Financial Assets

Note 7: Payables

Note 8: Provisions

Note 9: Cash Flow Reconciliation

Note 10: Contingent Liabilities and Assets

Note 11: Executive Remuneration

Note 12: Remuneration of Auditors

Note 13: Average Staffing Levels

Note 14: Financial Instruments

Note 15: Appropriations

Note 16: Reporting of Outcomes


Office of the Privacy Commissioner

INCOME STATEMENT

for the period ended 30 June 2007

2007 2006

Notes $’000 $’000

INCOME

Revenue

Revenue from Government 3A 6,486 4,156

Sale of goods and rendering of services 3B 1,361 1,047

Other revenue 3C 24 22

Total revenue 7,871 5,225

TOTAL INCOME 7,871 5,225

EXPENSES

Employee benefits 4A 4,439 3,132

Suppliers 4B 2,350 1,749

Depreciation and amortisation 4C 32 49

Finance costs 4D 2 8

Write-down and impairment of assets 4E 10 5

TOTAL EXPENSES 6,833 4,943

Surplus 1,038 282

The above statement should be read in conjunction with the accompanying notes.


Office of the Privacy Commissioner

BALANCE SHEET

as at 30 June 2007

2007 2006

Notes $’000 $’000

ASSETS

Financial Assets

Cash and cash equivalents 5A 780 533

Trade and other receivables 5B 1,090 107

Total financial assets 1,870 640

Non-Financial Assets

Infrastructure, plant and equipment 6A 33 23

Intangibles 6B - 11

Other non-financial assets 6C 10 166

Total non-financial assets 43 200

TOTAL ASSETS 1,913 840

LIABILITIES

Payables

Suppliers 7A 47 113

Other payables 7B 65 -

Total payables 112 113

Provisions

Employee provisions 8A 757 575

Other provisions 8B 34 344

Total provisions 791 919

TOTAL LIABILITIES 903 1,032

Net Assets 1,010 (192)

EQUITY

Contributed equity (349) (444)

Retained surplus 1,359 252

TOTAL EQUITY 1,010 (192)

Current Assets 1,870 713

Non-Current Assets 43 127

Current Liabilities 724 947

Non-Current Liabilities 179 85

The above statement should be read in conjunction with the accompanying notes.


Office of the Privacy Commissioner

STATEMENT OF CHANGES IN EQUITY

for the period ended 30 June 2007

Columns: Retained Earnings (2007, 2006); Asset Revaluation Reserves (2007, 2006); Contributed Equity/Capital (2007, 2006); Total Equity (2007, 2006). All amounts in $’000.

Opening balance

Balance carried forward from previous period 252 (32) - - (444) (444) (192) (476)

Adjustment for errors 5 2 - - - - 5 2

Adjustment for changes in accounting policies 64 - - - - - 64 -

Adjusted opening balance 321 (30) - - (444) (444) (123) (474)

Surplus for the period 1,038 282 - - - - 1,038 282

Total income and expenses 1,038 282 - - - - 1,038 282

Appropriation (equity injection) - - - - 95 - 95 -

Sub-total transactions with owners - - - - 95 - 95 -

Closing balance at 30 June 1,359 252 - - (349) (444) 1,010 (192)

Closing balance attributable to the Australian Government 1,359 252 - - (349) (444) 1,010 (192)

The above statement should be read in conjunction with the accompanying notes.

Office of the Privacy Commissioner

CASH FLOW STATEMENT

for the period ended 30 June 2007

2007 2006

Notes $’000 $’000

OPERATING ACTIVITIES

Cash received

Goods and services 1,161 1,138

Appropriations 6,486 4,156

Net GST received 72 -

Total cash received 7,719 5,294

Cash used

Employees (4,257) (3,112)

Suppliers (2,321) (1,673)

Net GST paid - (38)

Total cash used (6,578) (4,823)

Net cash from Operating Activities 9 1,141 471

INVESTING ACTIVITIES

Cash used

Purchase of infrastructure, plant and equipment (31) (12)

Total cash used (31) (12)

Net cash used by investing activities (31) (12)

FINANCING ACTIVITIES

Cash received

Appropriations - contributed equity 95 -

Total cash received 95 -

Cash used

Other cash used (958) -

Total cash used (958) -

Net cash used by financing activities (863) -

Net increase in cash held 247 459

Cash at the beginning of the reporting period 533 74

Cash at the end of the reporting period 5A 780 533

The above statement should be read in conjunction with the accompanying notes.


Office of the Privacy Commissioner

SCHEDULE OF COMMITMENTS

as at 30 June 2007

2007 2006

BY TYPE $’000 $’000

Commitments receivable

Sublease rental income (338) (416)

Other commitments receivable (560) (41)

Total commitments receivable (898) (457)

Commitments payable

Operating leases (1) 3,329 4,110

Other commitments payable 2,827 897

Total other commitments 6,156 5,007

Net commitments by type 5,258 4,550

BY MATURITY

Commitments receivable

Sublease rental income

one year or less (80) (55)

from one to five years (258) (415)

Total operating lease income (338) (470)

Other commitments receivable

one year or less (163) (84)

from one to five years (397) (317)

Total other commitments receivable (560) (401)

Commitments payable

Operating lease commitments

one year or less 829 819

from one to five years 2,500 3,291

Total operating lease commitments 3,329 4,110

Other commitments payable

one year or less 2,827 897

Total other commitments 2,827 897

Net Commitments by maturity 5,258 4,136

Note: Commitments are GST inclusive where relevant.

1. Operating leases included are effectively non-cancellable and comprise:

Nature of leases/General description

Leases for office accommodation

Lease payments are subject to fixed annual rental increases. The initial periods of office accommodation are still current and there are no options in the lease agreement to renew.

Agreements for the provision of motor vehicles to senior executive officers

No contingent rentals exist and there are no renewal or purchase options available to the Office.

Lease agreement in relation to the provision of desktop computer equipment and printers

The lessor provides all desktop computer equipment and software. The lease agreement allows for variations to the duration of the rental period and to the equipment being provided.

Other commitments

Consists of agreements with other entities for the provision of goods and services, outgoings and agreements equally proportionately unperformed.

The above schedule should be read in conjunction with the accompanying notes.


Office of the Privacy Commissioner

SCHEDULE OF CONTINGENCIES

as at 30 June 2007

2007 2006

$’000 $’000

Contingent assets - -

Contingent liabilities - -

Net contingent assets/(liabilities) - -

Details of each class of contingent liabilities and assets, including those not included above because they cannot be quantified, are disclosed in Note 10: Contingent Liabilities and Assets.

The above schedule should be read in conjunction with the accompanying notes.


Office of the Privacy Commissioner Notes to and forming part of the Financial Statements

for the period ended 30 June 2007

Note 1: Summary of Significant Accounting Policies

1.1 Objectives of the Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an Australian Public Service organisation. The objective of the Office is to ensure that the Government's social justice initiatives are reflected in its commitment to the protection and promotion of citizens' privacy rights.

The Office is structured to meet the following outcome:

"An Australian culture in which privacy is respected, promoted and protected."

Office activities contributing toward these outcomes are all classified as departmental. Departmental activities involve the use of assets, liabilities, revenues and expenses controlled or incurred by the Office in its own right.

Departmental activities are identified under one output:

"Complaint handling, compliance and monitoring and education and promotion."

The continued existence of the Office in its present form and with its present programs is dependent on Government policy and on continuing appropriations by Parliament for the Office’s administration and programs.

1.2 Basis of Preparation of the Financial Report

The financial statements and notes are required by clause 1(b) of Schedule 1 to the Financial Management and Accountability Act 1997 and are a General Purpose Financial Report.

The financial statements and notes have been prepared in accordance with:

– Finance Minister’s Orders (FMOs) for reporting periods ending on or after 1 July 2006; and

– Australian Accounting Standards and Interpretations issued by the Australian Accounting Standards Board that apply for the reporting period.

The financial report has been prepared on an accrual basis and is in accordance with historical cost convention, except for certain assets at fair value. Except where stated, no allowance is made for the effect of changing prices on the results or the financial position.

The financial report is presented in Australian dollars and values are rounded to the nearest thousand dollars unless disclosure of the full amount is specifically required.

Unless an alternative treatment is specifically required by an Accounting Standard or the FMOs, assets and liabilities are recognised in the Balance Sheet when and only when it is probable that future economic benefits will flow to the Office and the amounts of the assets or liabilities can be reliably measured. However, assets and liabilities arising under agreements equally proportionately unperformed are not recognised unless required by an Accounting Standard. Liabilities and assets that are unrealised are reported in the Schedule of Commitments and the Schedule of Contingencies (other than unquantifiable or remote contingencies, which are reported at Note 10).

Unless alternative treatment is specifically required by an accounting standard, revenues and expenses are recognised in the Income Statement when and only when the flow, consumption or loss of economic benefits has occurred and can be reliably measured.


1.3 Significant Accounting Judgements and Estimates

No accounting assumptions or estimates have been identified that have a significant risk of causing a material adjustment to carrying amounts of assets and liabilities within the next accounting period.

1.4 Statement of Compliance

Australian Accounting Standards require a statement of compliance with International Financial Reporting Standards (IFRSs) to be made where the financial report complies with these standards. Some Australian equivalents to IFRSs and other Australian Accounting Standards contain requirements specific to not-for-profit entities that are inconsistent with IFRS requirements. The Office is a not-for-profit entity and has applied these requirements, so while this financial report complies with Australian Accounting Standards, including Australian Equivalents to International Financial Reporting Standards (AEIFRSs), it cannot make this statement.

Adoption of new Australian Accounting Standard requirements

No accounting standard has been adopted earlier than the effective date in the current period.

The Office is required to disclose Australian Accounting Standards and Interpretations which have been issued but are not yet effective and have not been early adopted by the Office. The following adopted requirements have resulted in a change to the Office’s accounting policies, have affected the amounts reported in the current or prior periods, or are estimated to have a financial effect in future reporting periods.

Restriction of the fair value option under AASB 139

The AASB through 2005-4 Amendments to Australian Accounting Standards [AASB 139, AASB 132, AASB 1, AASB 1023 and AASB 1038] restricted the option to designate a financial asset or liability at fair value through profit and loss.

The change was introduced with effect from the beginning of the comparative reporting period (1 July 2005). The Office designates all financial assets and liabilities at their nominal value and the amendment has had no effect on the Office's financial statements.

Reimbursement rights

The AASB through 2005-5 Amendments to Australian Accounting Standards [AASB 1 & AASB 139] excluded from the scope of AASB 139 Financial Instruments: Recognition and Measurement rights for reimbursement for expenditure required to settle a present or former provision recognised under AASB 137 Provisions, Contingent Liabilities and Contingent Assets. The right to reimbursement is now required to be accounted for under AASB 137.

The application of this amendment is applied from the beginning of the comparative period (1 July 2005). The Office does not have any reimbursement rights and therefore this amendment has had no impact on the Office's financial statements.

Financial guarantee contracts

The AASB through 2005-9 Amendments to Australian Accounting Standards [AASB 4, AASB 1023, AASB 139 & AASB 132] now require financial guarantee contracts to be recognised and measured at inception under AASB 139 Financial Instruments: Recognition and Measurement. Initially these items are measured at fair value and subsequently at the higher of the amount determined in accordance with AASB 137 Provisions, Contingent Liabilities and Contingent Assets and the initial amount recognised less, when appropriate, cumulative amortisation recognised in accordance with AASB 118 Revenue.

The Office does not have any financial guarantee contracts and therefore this amendment has no effect on the Office's financial statements.

Other effective requirement changes

The following amendments, revised standards or interpretations have become effective but have had no financial impact or do not apply to the operations of the Office.

Amendments:

• 2005-1 Amendments to Australian Accounting Standards [AASBs 1, 101, 124]

• 2005-6 Amendments to Australian Accounting Standards [AASB 3]

• 2006-1 Amendments to Australian Accounting Standards [AASB 121]

• 2006-3 Amendments to Australian Accounting Standards [AASB 1045]

Interpretations:

• UIG 4 Determining whether an Arrangement contains a Lease

• UIG 5 Rights to Interests arising from Decommissioning, Restoration and Environmental Rehabilitation Funds

• UIG 7 Applying the Restatement Approach under AASB 129 Financial Reporting in Hyperinflationary Economies

• UIG 8 Scope of AASB 2

• UIG 9 Reassessment of Embedded Derivatives

UIG 4 and UIG 9 might have impacts in future periods, subject to existing contracts being renegotiated.

Future Australian Accounting Standard requirements

The following new standards, amendments to standards or interpretations have been issued by the Australian Accounting Standards Board but are effective for future reporting periods. It is estimated that the impact of adopting these pronouncements when effective will have no material financial impact on future reporting periods.

Financial instrument disclosure

AASB 7 Financial Instruments: Disclosures is effective for reporting periods beginning on or after 1 January 2007 (the 2007-08 financial year) and amends the disclosure requirements for financial instruments. In general AASB 7 requires greater disclosure than is presently required. Associated with the introduction of AASB 7, a number of accounting standards were amended to reference the new standard or remove the present disclosure requirements through 2005-10 Amendments to Australian Accounting Standards [AASB 132, AASB 101, AASB 114, AASB 117, AASB 133, AASB 139, AASB 1, AASB 4, AASB 1023 & AASB 1038]. These changes have no financial impact but will affect the disclosure presented in future financial reports.

Other

The following standards and interpretations have been issued but are not applicable to the operations of the Office.

• AASB 1049 Financial Reporting of General Government Sectors by Governments

• UIG 10 Interim Financial Reporting and Impairment

1.5 Revenue

Revenue from Government

Amounts appropriated for departmental outputs for the year (adjusted for any formal additions and reductions) are recognised as revenue, except for certain amounts that relate to activities that are reciprocal in nature, in which case revenue is recognised only when it has been earned.

Appropriations receivable are recognised at their nominal amounts.

Resources Received Free of Charge

Resources received free of charge are recognised as revenue when and only when a fair value can be reliably determined and the services would have been purchased if they had not been donated. Use of those resources is recognised as an expense.

Contributions of assets at no cost of acquisition or for nominal consideration are recognised as gains at their fair value when the asset qualifies for recognition, unless received from another Government Agency or Authority as a consequence of a restructuring of administrative arrangements.

Resources received free of charge are recorded as either revenue or gains depending on their nature ie whether they have been generated in the course of the ordinary activities of the Office.

Other Types of Revenue

Revenue from the sale of goods is recognised when:

• the risks and rewards of ownership have been transferred to the buyer;

• the seller retains no managerial involvement nor effective control over the goods;

• the revenue and transaction costs incurred can be reliably measured; and

• it is probable that the economic benefits associated with the transaction will flow to the Office.

Revenue from rendering of services is recognised by reference to the stage of completion of contracts at the reporting date. The revenue is recognised when:

• the amount of revenue, stage of completion and transaction costs incurred can be reliably measured; and

• it is probable that the economic benefits associated with the transaction will flow to the Office.

The stage of completion of contracts at the reporting date is determined by reference to the proportion that costs incurred to date bear to the estimated total costs of the transaction.

Receivables for goods and services, which have 30 day terms, are recognised at the nominal amounts due less any provision for bad and doubtful debts. Collectability of debts is reviewed at balance date. Provisions are made when collectability of the debt is no longer probable.

1.6 Gains

Other Resources Received Free of Charge

Resources received free of charge are recognised as gains when and only when a fair value can be reliably determined and the services would have been purchased if they had not been donated. Use of those resources is recognised as an expense.

Contributions of assets at no cost of acquisition or for nominal consideration are recognised as gains at their fair value when the asset qualifies for recognition, unless received from another Government Agency or Authority as a consequence of a restructuring of administrative arrangements (Refer to Note 1.7).

Resources received free of charge are recorded as either revenue or gains depending on their nature ie. whether they have been generated in the course of the ordinary activities of the Office.

Sale of Assets

Gains from disposal of non-current assets are recognised when control of the asset has passed to the buyer.

1.7 Transactions with the Government as Owner

Equity injections

Amounts appropriated which are designated as ‘equity injections’ for a year (less any formal reductions) are recognised directly in Contributed Equity in that year.

Restructuring of Administrative Arrangements

Net assets received from or relinquished to another Australian Government Agency or Authority under a restructuring of administrative arrangements are adjusted at their book value directly against contributed equity.

Other distributions to owners

The FMOs require that distributions to owners be debited to contributed equity unless in the nature of a dividend.

1.8 Employee Benefits

Liabilities for services rendered by employees are recognised at the reporting date to the extent that they have not been settled.

Liabilities for ‘short-term employee benefits’ (as defined in AASB 119) and termination benefits due within twelve months of balance date are measured at their nominal amounts.

The nominal amount is calculated with regard to the rates expected to be paid on settlement of the liability.

All other employee benefit liabilities are measured at the present value of the estimated future cash outflows to be made in respect of services provided by employees up to the reporting date.

Leave

The liability for employee benefits includes provision for annual leave and long service leave. No provision has been made for sick leave as all sick leave is non-vesting and the average sick leave taken in future years by employees of the Office is estimated to be less than the annual entitlement for sick leave.

The leave liabilities are calculated on the basis of employees’ remuneration, including the Office’s employer superannuation contribution rates to the extent that the leave is likely to be taken during service rather than paid out on termination.

The liability for long service leave has been determined in accordance with applicable FMOs issued by the Department of Finance and Administration as at 30 June 2007. The estimate of the present value of the liability takes into account attrition rates and pay increases prescribed by the Office's Certified Agreement.

Separation and Redundancy

Provision is made for separation and redundancy benefit payments. The Office recognises a provision for termination when it has developed a detailed formal plan for the terminations and has informed those employees affected that it will carry out the terminations.

Superannuation

Staff of the Office are members of the Commonwealth Superannuation Scheme (CSS), the Public Sector Superannuation Scheme (PSS) or the PSS accumulation plan (PSSap).

The CSS and PSS are defined benefit schemes for the Australian Government. The PSSap is a defined contribution scheme.

The liability for defined benefits is recognised in the financial statements of the Australian Government and is settled by the Australian Government in due course.

The Office makes employer contributions to the Employee Superannuation Scheme at rates determined by an actuary to be sufficient to meet the cost to the Government of the superannuation entitlements of the Office’s employees. The Office accounts for the contributions as if they were contributions to defined contribution plans.

From 1 July 2005, new employees are eligible to join the PSSap scheme.

The liability for superannuation recognised as at 30 June represents outstanding contributions for the final fortnight of the year.

1.9 Leases

A distinction is made between finance leases and operating leases. Finance leases effectively transfer from the lessor to the lessee substantially all the risks and rewards incidental to ownership of leased non-current assets. An operating lease is a lease that is not a finance lease. In operating leases, the lessor effectively retains substantially all such risks and benefits.

Where a non-current asset is acquired by means of a finance lease, the asset is capitalised at either the fair value of the lease property or, if lower, the present value of minimum lease payments at the inception of the contract and a liability is recognised at the same time and for the same amount.

The discount rate used is the interest rate implicit in the lease. Leased assets are amortised over the period of the lease. Lease payments are allocated between the principal component and the interest expense.

Operating lease payments are expensed on a straight-line basis which is representative of the pattern of benefits derived from the leased assets.

1.10 Cash

Cash means notes and coins held and any deposits held at call with a bank or financial institution. Cash is recognised at its nominal amount.

1.11 Financial Risk Management

The Office’s activities expose it to normal commercial financial risk. As a result of the nature of the Office’s business and internal and Australian Government policies, dealing with the management of financial risk, the Office’s exposure to market, credit, liquidity and cash flow and fair value interest rate risk is considered to be low.

1.12 Derecognition of Financial Assets and Liabilities

Financial assets are derecognised when the contractual rights to the cash flows from the financial assets expire or the asset is transferred to another Entity. In the case of a transfer to another Entity, it is necessary that the risks and rewards of ownership are also transferred.

Financial liabilities are derecognised when the obligation under the contract is discharged, cancelled or expires.

1.13 Impairment of Financial Assets

Financial assets are assessed for impairment at each balance date.

Financial Assets held at Amortised Cost

If there is objective evidence that an impairment loss has been incurred for loans and receivables or held to maturity investments held at amortised cost, the amount of the loss is measured as the difference between the asset’s carrying amount and the present value of estimated future cash flows discounted at the asset’s original effective interest rate. The carrying amount is reduced by way of an allowance account. The loss is recognised in the Income Statement.

Financial Assets held at Cost

If there is objective evidence that an impairment loss has been incurred on an unquoted equity instrument that is not carried at fair value because it cannot be reliably measured, or a derivative asset that is linked to and must be settled by delivery of such an unquoted equity instrument, the amount of the impairment loss is the difference between the carrying amount of the asset and the present value of the estimated future cash flows discounted at the current market rate for similar assets.

1.14 Supplier and other payables

Supplier and other payables are recognised at amortised cost. Liabilities are recognised to the extent that the goods or services have been received (and irrespective of having been invoiced).

1.15 Contingent Liabilities and Contingent Assets

Contingent Liabilities and Contingent Assets are not recognised in the Balance Sheet but are reported in the relevant schedules and notes. They may arise from uncertainty as to the existence of a liability or asset, or represent an existing liability or asset in respect of which settlement is not probable or the amount cannot be reliably measured. Remote contingencies are part of this disclosure. Contingent assets are reported when settlement is probable, and contingent liabilities are recognised when settlement is greater than remote.

1.16 Acquisition of Assets

Assets are recorded at cost on acquisition except as stated below. The cost of acquisition includes the fair value of assets transferred in exchange and liabilities undertaken. Financial assets are initially measured at their fair value plus transaction costs where appropriate.

Assets acquired at no cost, or for nominal consideration, are initially recognised as assets and revenues at their fair value at the date of acquisition, unless acquired as a consequence of restructuring of administrative arrangements. In the latter case, assets are initially recognised as contributions by owners at the amounts at which they were recognised in the transferor Agency’s accounts immediately prior to the restructuring.

1.17 Infrastructure, Plant and Equipment

Asset Recognition Threshold

Purchases of infrastructure, plant and equipment are recognised initially at cost in the Balance Sheet, except for purchases costing less than $2,000, which are expensed in the year of acquisition (other than where they form part of a group of similar items which are significant in total).

The initial cost of an asset includes an estimate of the cost of dismantling and removing the item and restoring the site on which it is located. This is particularly relevant to ‘makegood’ provisions in property leases taken up by the Office where there exists an obligation to restore the property to its original condition. These costs are included in the value of the Office’s leasehold improvements with a corresponding provision for the ‘makegood’ taken up.

Revaluations

Fair values for each class of asset are determined as shown below:

Asset class Fair value measured at:

Computer, plant and equipment Market selling price

Leasehold improvements Depreciated replacement cost

Following initial recognition at cost, infrastructure plant and equipment are carried at fair value less accumulated depreciation and accumulated impairment losses. Valuations are conducted with sufficient frequency to ensure that the carrying amounts of assets do not differ materially from the assets’ fair values as at the reporting date. The regularity of independent valuations depends upon the volatility of movements in market values for the relevant assets.

Revaluation adjustments are made on a class basis. Any revaluation increment is credited to equity under the heading of asset revaluation reserve except to the extent that it reverses a previous revaluation decrement of the same asset class that was previously recognised through surplus and deficit. Revaluation decrements for a class of assets are recognised directly through surplus and deficit except to the extent that they reverse a previous revaluation increment for that class.

Any accumulated depreciation as at the revaluation date is eliminated against the gross carrying amount of the asset and the asset restated to the revalued amount.

Depreciation and amortisation

Depreciable infrastructure, plant and equipment assets are written off to their estimated residual values over their estimated useful lives to the Office using, in all cases, the straight-line method of depreciation.

Depreciation and amortisation rates (useful lives), residual values and methods are reviewed at each reporting date and necessary adjustments are recognised in the current, or current and future reporting periods, as appropriate.

Depreciation and amortisation rates applying to each class of depreciable asset are based on the following useful lives:

2007 2006

Leasehold improvements Lease term Lease term

Computer, plant and equipment 4 to 10 years 4 to 10 years

Impairment

All assets were assessed for impairment at 30 June 2007. Where indications of impairment exist, the asset’s recoverable amount is estimated and an impairment adjustment made if the asset’s recoverable amount is less than its carrying amount.

The recoverable amount of an asset is the higher of its fair value less costs to sell and its value in use. Value in use is the present value of the future cash flows expected to be derived from the asset. Where the future economic benefit of an asset is not primarily dependent on the asset’s ability to generate future cash flows, and the asset would be replaced if the Office were deprived of the asset, its value in use is taken to be its depreciated replacement cost.

1.18 Intangibles

The Office’s intangibles comprise:

• externally developed software for internal use; and

• internet website for internal/external use.

These assets are carried at cost.

Software is amortised on a straight-line basis over its anticipated useful life. The useful lives of the Office’s software are 2 to 5 years (2006: 2 to 5 years).

All software assets were assessed for indications of impairment as at 30 June 2007.

1.19 Taxation

The Office is exempt from all forms of taxation except fringe benefits tax (FBT) and the goods and services tax (GST).

Revenues, expenses and assets are recognised net of GST:

• except where the amount of GST incurred is not recoverable from the Australian Taxation Office; and

• except for receivables and payables.

Note 2: Events after the Balance Sheet Date

The Office is not aware of any significant events that have occurred since balance date which warrant disclosure in these financial statements.

Note 3: Income

2007 2006

Revenue $’000 $’000

Note 3A: Revenue from Government

Appropriation:

Departmental outputs 6,486 4,156

Total revenue from Government 6,486 4,156

Note 3B: Sale of goods and rendering of services

Provision of goods - related entities - 26

Provision of goods - external entities 1 16

Total sale of goods 1 42

Rendering of services - related entities 1,235 993

Rendering of services - external entities 125 12

Total rendering of services 1,360 1,005

Total sale of goods and rendering of services 1,361 1,047

Note 3C: Other revenue

Resources received free of charge 24 22

Total other revenue 24 22

Note 4: Expenses

2007 2006

$’000 $’000

Note 4A: Employee benefits

Wages and salaries 3,414 2,419

Superannuation 548 434

Leave and other entitlements 432 249

Other employee expenses 45 30

Total employee benefits 4,439 3,132

Note 4B: Suppliers

Provision of goods – related entities 1 2

Provision of goods – external entities 117 62

Rendering of services – related entities 1,049 857

Rendering of services – external entities 528 194

Operating lease rentals:

Minimum lease payments 634 610

Workers compensation premiums 21 24

Total supplier expenses 2,350 1,749

Note 4: Expenses (continued)

Note 4C: Depreciation and amortisation

2007 2006

$’000 $’000

Depreciation:

Infrastructure, plant & equipment

Computer, plant & equipment 12 9

Total depreciation 12 9

Amortisation:

Infrastructure, plant & equipment

Leasehold improvements - 2

Deferred costs - Make Good 9 25

9 27

Intangibles:

Computer software 11 13

Total amortisation 20 40

Total depreciation and amortisation 32 49

Amortisation expenses are $1,700 lower than they would have been as a result of the independent asset revaluation. (2006: Nil).

Note 4D: Finance costs

2007 2006

$’000 $’000

Unwinding of discounted cashflows for Make Good provision 2 8

Total finance costs 2 8

Note 4E: Write-down and impairment of assets

Non-financial assets

Infrastructure, plant and equipment - revaluation decrement 10 5

Total write-down and impairment of assets 10 5

Note 5: Financial Assets

2007 2006

$’000 $’000

Note 5A: Cash and cash equivalents

Cash on hand or on deposit 780 533

Total cash and cash equivalents 780 533

Note 5: Financial Assets (continued)

2007 2006

$’000 $’000

Note 5B: Trade and other receivables

Goods and services 90 98

Appropriations receivable:

for existing outputs 958 -

Total appropriations receivable 1,048 98

GST receivable from the Australian Taxation Office 42 9

Total trade and other receivables (gross) 1,090 107

Less Allowance for doubtful debts:

Goods and services - -

Total trade and other receivables (net) 1,090 107

Receivables are aged as follows:

Not overdue 1,004 14

Overdue by:

Less than 30 days - -

30 to 60 days - 93

61 to 90 days 86 -

More than 90 days - -

Total receivables (gross) 1,090 107

The allowance for doubtful debts is aged as follows:

Not overdue - -

Overdue by:

Less than 30 days - -

30 to 60 days - -

61 to 90 days - -

More than 90 days - -

Total allowance for doubtful debts - -

All trade and other receivable assets are current.

All receivables are with entities external to the Office. Credit terms for all receivables are 30 days (2006: 30 days).

Note 6: Non-Financial Assets

2007 2006

$’000 $’000

Note 6A: Infrastructure, plant and equipment

Infrastructure, plant and equipment:

Computer, plant and equipment

- fair value 25 14

- accumulated depreciation - -

Total Computer, plant and equipment 25 14

Leasehold improvements

- fair value 8 9

- accumulated amortisation - -

Total Leasehold improvements 8 9

Total infrastructure, plant and equipment (non-current) 33 23

Note 6: Non-Financial Assets (continued)

All revaluations are conducted in accordance with the revaluation policy stated at Note 1. In 2006-07, an independent valuer (AON Valuation Services) conducted the revaluations.

A revaluation decrement of $800 for leasehold improvements (2006: $167 increment) has been applied to the asset revaluation reserve by asset class and included in the equity section of the balance sheet to the extent that a reserve is available, the remaining $633 (2006: Nil) has been expensed; a revaluation decrement of $8,642 for computer, plant and equipment has been expensed (2006: $5,085 expensed).

No indicators of impairment were found for infrastructure, plant and equipment.

Note 6B: Intangibles

2007 2006

$’000 $’000

Computer software at cost:

Externally produced – in use 65 65

Internet website – in use 44 44

Accumulated amortisation (109) (98)

Total intangibles (non-current) - 11

No indicators of impairment were found for intangible assets.

Note 6C: Other non-financial assets

2007 2006

$’000 $’000

Prepayments - 72

Other:

Deferred costs - Make Good 29 149

Amortisation - Make Good (19) (55)

Total other non-financial assets 10 166

Other non-financial assets are represented by:

Current - 72

Non-current 10 94

Total other non-financial assets 10 166

Note 6: Non-Financial Assets (continued)

Note 6D: Analysis of infrastructure, plant and equipment

TABLE A – Reconciliation of the opening and closing balances of infrastructure, plant and equipment (2006-07)

Infrastructure, plant & equipment

Computer, plant & Leasehold

Item equipment improvements Total

$’000 $’000 $’000

As at 1 July 2006

Gross book value 14 9 23

Accumulated depreciation/amortisation and impairment - - -

Net book value 1 July 2006 14 9 23

Additions:

by purchase 31 - 31

Depreciation/amortisation expense (12) - (12)

Revaluations and impairments recognised in the operating result (9) (1) (10)

Net book value 30 June 2007 25 8 33

Net book value as of 30 June 2007 represented by:

Gross book value 25 8 33

Accumulated depreciation/amortisation and impairment - - -

25 8 33

TABLE A – Reconciliation of the opening and closing balances of infrastructure, plant and equipment (2005-06)

Infrastructure, plant & equipment

Computer, plant & Leasehold

Item equipment improvements Total

$’000 $’000 $’000

As at 1 July 2005

Gross book value 14 10 24

Accumulated depreciation/amortisation and impairment - - -

Net book value 1 July 2005 14 10 24

Additions:

by purchase 14 - 14

Net revaluations and impairments through equity (5) - (5)

Depreciation/amortisation expense (9) (1) (10)

Net book value 30 June 2006 14 9 23

Net book value as of 30 June 2006 represented by:

Gross book value 14 9 23

Accumulated depreciation/amortisation and impairment - - -

14 9 23

Note 6: Non-Financial Assets (continued)

Note 6E: Intangibles

Table B: Reconciliation of the opening and closing balances of intangibles (2006-07)

Intangibles

Computer Item software Total

$’000 $’000

As at 1 July 2006

Gross book value 109 109

Accumulated depreciation/amortisation and impairment (98) (98)

Net book value 1 July 2006 11 11

Amortisation (11) (11)

Net book value 30 June 2007 - -

Net book value as of 30 June 2007 represented by:

Gross book value - -

Accumulated depreciation/amortisation and impairment - -

- -

Table B: Reconciliation of the opening and closing balances of intangibles (2005-06)

Intangibles

Computer Item software Total

$’000 $’000

As at 1 July 2005

Gross book value 109 109

Accumulated amortisation and impairment (85) (85)

Net book value 1 July 2005 24 24

Amortisation (13) (13)

Net book value 30 June 2006 11 11

Net book value as of 30 June 2006 represented by:

Gross book value 109 109

Accumulated depreciation/amortisation and impairment (98) (98)

11 11

Note 7: Payables

Note 7A: Suppliers

2007 2006

$’000 $’000

Trade creditors 47 113

Total supplier payables 47 113

All supplier payables are current liabilities.

Settlement is generally made in accordance with the terms of the supplier invoice.

Note 7B: Other payables

Accrued expenses 65 -

Total other payables 65 -

All other payables are current liabilities.

Note 8: Provisions

2007 2006

$’000 $’000

Note 8A: Employee provisions

Salaries and wages 29 20

Leave 713 549

Superannuation 6 6

Other 9 -

Total employee provisions 757 575

Employee provisions are represented by:

Current 610 490

Non-current 147 85

Total employee provisions 757 575

The classification of current includes amounts for which there is not an unconditional right of deferral of one year, hence in the case of employee provisions the above classification does not equal the amount expected to be settled within one year of reporting date. Employee provisions expected to be settled in one year $476,300 (2006: $275,366), in excess of one year $280,941 (2006: $299,180).

Note 8: Provisions (continued)

2007 2006

$’000 $’000

Note 8B: Other provisions

Revenue received in advance - 175

Restoration obligations 32 169

Provision for contract obligations 2 -

Total other provisions 34 344

Other provisions are represented by:

Current 2 175

Non-current 32 169

Total other provisions 34 344

Revenue received in advance Provision for restoration obligations Provision for contract obligations Total

$’000 $’000 $’000 $’000

Carrying amount 1 July 2006 175 169 - 344

Additional provisions made - 2 2 4

Amounts used (175) - - (175)

Amounts reversed - (139) - (139)

Closing balance 2007 - 32 2 34

The Office currently has a lease agreement for its premises which contains a provision requiring the Office to restore the premises to their original condition at the conclusion of the lease. The Office has recognised a provision reflecting the present value of this obligation.

Note 9: Cash Flow Reconciliation

2007 2006

$’000 $’000

Reconciliation of cash and cash equivalents as per Balance Sheet to Cash Flow Statement

Report cash and cash equivalents as per:

Cash Flow Statement 780 533

Balance Sheet 780 533

Difference - -

Reconciliation of operating result to net cash from operating activities:

Operating result 1,038 282

Depreciation/amortisation 32 49

Finance costs 2 8

Adjustment for prior year accounting error 5 -

Net write down of non-financial assets 10 5

(Increase) / decrease in net receivables (25) (84)

(Increase) / decrease in prepayments 72 (3)

Increase / (decrease) in supplier payables (67) 19

Increase / (decrease) in other payables 65 -

Increase / (decrease) in employee provisions 182 20

Increase / (decrease) in other provisions (173) 175

Net cash from / (used by) operating activities 1,141 471


Note 10: Contingent Liabilities and Assets

Unquantifiable Contingencies

At 30 June 2007, the Office had no unquantifiable contingencies. (2006: Nil)

Note 11: Executive Remuneration

2007 2006

Number Number

The number of senior executives who received or were due to receive total remuneration of $130,000 or more:

$160 000 to $174 999 - 1

$205 000 to $219 999 1 -

$290 000 to $304 999 - 1

$305 000 to $319 999 1 -

Total 2 2

The aggregate amount of total remuneration of executives shown above: $532,413 $464,173

The aggregate amount of separation and redundancy/termination benefit payments during the year to executives shown above: Nil Nil

Note 12: Remuneration of Auditors

2007 2006

$’000 $’000

Financial statement audit services are provided free of charge to the agency.

The fair value of the services provided was:

Office of the Privacy Commissioner 24 22

24 22

No other services were provided by the Auditor-General.

Note 13: Average Staffing Levels

2007 2006

The average staffing levels for the Agency during the year were: 52 41


Note 14: Financial Instruments

Note 14A: Interest Rate Risk

The original table has columns for Floating Interest Rate; Fixed Interest Rate Maturing In 1 Year or Less, 1 to 5 Years and > 5 Years; Non-Interest Bearing; Total; and Weighted Average Effective Interest Rate, each for 2007 and 2006 ($’000, rates in %). All floating and fixed interest rate columns are nil (-) for every instrument in both years, so only the remaining columns are set out below.

Columns: Financial Instrument (Notes); Non-Interest Bearing 2007 $’000; Non-Interest Bearing 2006 $’000; Total 2007 $’000; Total 2006 $’000; Weighted Average Effective Interest Rate 2007 %; 2006 %

Financial Assets

Cash at bank (5A) 780 533 780 533 n/a n/a

Receivables for goods and services (net) (5B) 132 107 132 107 n/a n/a

Appropriation receivable (5B) 958 - 958 - n/a n/a

Total Financial Assets 1,870 640 1,870 640

Total Assets 1,913 840

Financial Liabilities

Trade creditors (7A) 47 113 47 113 n/a n/a

Total Financial Liabilities 47 113 47 113

Total Liabilities 903 1,032


Note 14: Financial Instruments (continued)

Note 14B: Fair Values of Financial Assets and Liabilities

Columns: Notes; Total Carrying Amount 2007 $’000; Aggregate Fair Value 2007 $’000; Total Carrying Amount 2006 $’000; Aggregate Fair Value 2006 $’000

Departmental

Financial Assets

Cash 5A 780 780 533 533

Receivables for goods and services (net) 5B 132 132 107 107

Appropriation receivable 5B 958 958 - -

Total Financial Assets 1,870 1,870 640 640

Financial Liabilities (Recognised)

Trade creditors 7A 47 47 113 113

Total Financial Liabilities (Recognised) 47 47 113 113

Note 15C: Credit Risk Exposures

The Office’s maximum exposure to credit risk at reporting date in relation to each class of recognised financial assets is the carrying amount of those assets as indicated in the Balance Sheet.

The Office has no significant exposures to any concentrations of credit risk.

The credit risk figures referred to do not take into account the value of any collateral or other security.


Note 15: Appropriations

Table A: Acquittal of Authority to Draw Cash from the Consolidated Revenue Fund for Ordinary Annual Services Appropriations and borrowings

Particulars

Columns: Departmental Output 2007 $'000; Departmental Output 2006 $'000; Total 2007 $'000; Total 2006 $'000

Balance carried from previous period 533 74 533 74

Appropriation Act:

Appropriation Act (No.1) 6,282 4,081 6,282 4,081

Appropriation Act (No.3) 204 75 204 75

Departmental adjustments by the Finance Minister (Appropriation Acts) - - - -

Comcover receipts (Appropriation Act s13) - - - -

Advance to the Finance Minister - - - -

Reductions:

- prior years - - - -

- current year - - - -

FMA Act:

Refunds credited (FMA s 30) - - - -

Appropriations to take account of recoverable GST (FMA s 30A) 72 - 72 -

Annotations to ‘net appropriations’ (FMA s 31) 1,161 1,138 1,161 1,138

Adjustment of appropriations on change of entity function (FMA s 32) - - - -

Total appropriation available for payments 8,252 5,368 8,252 5,368

Cash payments made during the year (GST inclusive) 6,578 4,835 6,578 -

Appropriations credited to Special Accounts (excluding GST) - - - -

Balance of Authority to Draw Cash from the Consolidated Revenue Fund for Ordinary Annual Services Appropriations 1,674 533 1,674 5,368

Represented by

Cash at bank and on hand 716 533 716 533

Departmental appropriations receivable 958 - 958 -

Undrawn, unlapsed administered appropriations - - - -

Total 1,674 533 1,674 533

Departmental and non-operating appropriations do not lapse at financial year end.


Note 15: Appropriations (continued)

Table B: Acquittal of Authority to Draw Cash from the Consolidated Revenue Fund for Other than Ordinary Annual Services Appropriations

Particulars

Columns: Non-operating Equity 2007 $'000; Non-operating Equity 2006 $'000; Total 2007 $'000; Total 2006 $'000

Balance carried from previous period - - - -

Appropriation Act:

Appropriation Act (No.2) 44 - 44 -

Appropriation Act (No.4) 51 - 51 -

Departmental Adjustments - - - -

Advance to the Finance Minister - - - -

Reductions:

- prior years - - - -

- current year - - - -

FMA Act:

Refunds credited (FMA s30) - - - -

Appropriations to take account of recoverable GST (FMA s30A) - - - -

Adjustment of appropriations on change of entity function (FMA s32) - - - -

Total appropriations available for payments 95 - 95 -

Cash payments made during the year (GST inclusive) 31 - - -

Appropriations credited to Special Accounts (GST exclusive) - - - -

Balance of Authority to Draw Cash from the Consolidated Revenue Fund for Other Than Ordinary Annual Services Appropriations 64 - 95 -

Represented by:

Cash 64 - 64 -

Total 64 - 64 -


Note 16: Reporting of Outcomes

The Office is structured to meet one outcome. The Office's outcome and output structure is outlined in Note 1.1 to these financial statements. All resources available to be used by the Office are directed towards the achievement of this outcome.

Note 16A: Net Cost of Outcome Delivery

Columns: Outcome 1 2007 $’000; Outcome 1 2006 $’000; Total 2007 $’000; Total 2006 $’000

Expenses

Departmental 6,833 4,943 6,833 4,943

Total expenses 6,833 4,943 6,833 4,943

Costs recovered from provision of goods and services to the non-government sector

Departmental 126 28 126 28

Total costs recovered 126 28 126 28

Other external revenues

Departmental 1,235 1,019 1,235 1,019

Total other external revenues 1,235 1,019 1,235 1,019

Net cost/(contribution) of outcome 5,472 3,896 5,472 3,896

Net costs shown include intra-government costs that are eliminated in calculating the actual Budget Outcome. Refer to the Outcome Resourcing Table in Appendix 1 of this Annual Report.

Note 16B: Major Classes of Departmental Revenues and Expenses by Output Groups and Outputs

Columns: Output Group 1.1 (Outcome 1) 2007 $’000; Output Group 1.1 (Outcome 1) 2006 $’000; Outcome 1 Total 2007 $’000; Outcome 1 Total 2006 $’000

Departmental expenses

Employee benefits 4,439 3,132 4,439 3,132

Suppliers 2,350 1,749 2,350 1,749

Depreciation and amortisation 32 49 32 49

Finance costs 2 8 2 8

Other expenses 10 5 10 5

Total departmental expenses 6,833 4,943 6,833 4,943

Funded by:

Revenues from Government 6,486 4,156 6,486 4,156

Sales of goods and rendering of services 1,361 1,047 1,361 1,047

Other revenues 24 22 24 22

Total departmental revenues 7,871 5,225 7,871 5,225


Glossary

AAT Administrative Appeals Tribunal

ACMA Australian Communications and Media Authority

ACIF Australian Communications Industry Forum

AGD Attorney-General’s Department

AGIMO Australian Government Information Management Office

ALRC Australian Law Reform Commission

APEC Asia-Pacific Economic Cooperation

APPA Asia Pacific Privacy Authorities

APS Australian Public Service

AWG Authentication Working Group

ATO Australian Taxation Office

Austlii Australasian Legal Information Institute

AUSTRAC Australian Transaction and Reports Analysis Centre

CA Certified Agreement

CBA Commonwealth Bank of Australia

CDS Commonwealth Disability Strategy

COAG Council of Australian Governments

CRGIS Commonwealth Reference Group on Identity Security

Customs Australian Customs Service

DCITA Department of Communications, Information Technology and the Arts

DFAT Department of Foreign Affairs and Trade

DHS Department of Human Services

DIAC Department of Immigration and Citizenship

DoHA Department of Health and Ageing

DVA Department of Veterans’ Affairs

DVS Document Verification Service

EHR electronic health records

FOI Freedom of Information

HREOC Human Rights and Equal Opportunity Commission

HSMAs Health and Safety Management Administrative plans

IPND Integrated Public Number Database

IPPs Information Privacy Principles

JACS Justice and Community Safety (ACT Department of)

MOU Memorandum of Understanding

NDN National Data Network

NHMRC National Health and Medical Research Council

NISCG National Identity Security Coordination Group

NPPs National Privacy Principles

OECD Organisation for Economic Cooperation and Development

OH&S Occupational Health and Safety

OMI Own Motion Investigation

PAC Privacy Advisory Committee

PCO Privacy Contact Officer

PIA Privacy Impact Assessment

PID Personal Information Digest

PMSEIC Prime Minister’s Science, Education and Innovation Council

PSIS Prescription Shopping Information Service

RTDs residential tenancy databases

SCAG Standing Committee of Attorneys-General

SES Senior Executive Service

TFN tax file number

TPID Temporary Public Interest Determination


Index

A Access Card, Health and Social Services, 2, 6, 7, 8, 9, 12-13, 71, 90 submissions, 6, 7, 8

accountability, 70-8

achievements, summary, 3-8

ACT Government see Australian Capital Territory

address, contact, x

Administrative Appeals Tribunal (AAT), 87

administrative arrangements, 70-2

Administrative Review Council, 7, 88 draft Report into Government Agency Coercive Information-Gathering Powers, 19

advertising and market research, 74

Anti-Money Laundering and Counter-Terrorism Financing Bill 2006, 6, 10, 18

Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006, 17-18

Anti-Terrorism Act (No.2) 2005, 15

appropriation, government, 84 increase, 31, 74 see also financial statements

approved codes, 22-3, 59-60, 82

Asia Pacific Privacy Authorities (APPA), 38, 39-40, 72 Working Party on biometrics, 39

Asia-Pacific Economic Cooperation (APEC), 39 APEC Privacy Framework, 72

Assignees Determination, 23

Attorney-General, iii, 2, 12, 33, 35, 37, 38, 83

Attorney-General’s Department (AGD), 6, 7, 14, 15, 16, 17, 18, 19, 29, 38, 63 Memorandum of Understanding, 15, 70 review of extradition arrangements, 20-1

Audit Committee, 72-3

audit report, independent, 125-6

audits, 60-3 ACT Government, 61, 62 Australian Customs Service, 61 Australian Government agencies, 41, 60, 62 Biometrics for Border Control, 61 commenced, 61-2 finalised, 60, 62 identity security, 63 Information Privacy Principles, 61-3 publication, 3

AusCheck Act 2007, 16-17

AusCheck Regulations 2007, 16

AUSTRAC, 17

Australian Capital Territory (ACT), x, 21 audits commenced, 61 audits finalised, 62 complaints, 47 Memorandum of Understanding, 61, 71 Personal Information Digest, 63

Australian Communications and Media Authority (ACMA), 6, 7, 8, 28-9, 88, 89

Australian Communications Industry Forum (ACIF) codes, 29

Australian Customs Service (ACS) Biometrics for Border Control, 61 SmartGate, 61

Australian Federal Police, 15-16

Australian Government sector, 12-21, 42 monitoring comparisons of data sets, 64

Australian Government e-Authentication Framework, 15

Australian Government Information Management Office (AGIMO), 14


Australian Government Procurement Guidelines, 73

Australian Government Smartcard Framework, 14, 15

Australian Industrial Relations Commission, 75

Australian Law Reform Commission (ALRC) review of privacy legislation, 1, 2, 3, 10-11, 22, 25, 26, 35, 37 ALRC Review of Privacy – Issues Paper 31, 10 ALRC Review of Privacy – Issues Paper 32, 11, 23

Australian National University, 62

Australian National Audit Office, 125-6

Australian Public Service (APS) Commission, 98 values, 120

Australian Sports Rotorcraft Association, 67

Australian Taxation Office (ATO), 15, 65 data-matching program protocols, 67-8, 69

Australian Workplace Agreements, 78

Authentication Working Group (AWG), 15

B background checking service, Australian Government, 16-17

Banks, Robin, 39

BarterCard, 67

biometric technology, 11, 39, 61

Biometrics Institute Privacy Code, 10, 22, 59

Blunn Review, 29

border controls/security, 14-15 Biometrics for Border Control program, 61

business and professional associations, 42, 44

business sector, 21-5

C Canada

Information and Privacy Commissioner of British Columbia, 39 29th International Conference of Data Protection and Privacy Commissioners, 40

Carsales.com.au Limited, 68

case notes, 4, 41, 58 publication, 4

case studies, 44-5

Census and Statistics Act 1905, 18-19

Centrelink, 71 data-matching program protocols, 65, 68-9 inspections, 65

Certified Agreement, 75, 76

Civil Aviation and Safety Authority, 67

Classes of Credit Providers Determination, 23

client satisfaction, 3, 36, 39, 86

code adjudicator, 59, 79

codes, approved, 22-3, 59-60, 82

Coercive Information Gathering Powers, draft Report into Government Agency, 19

Comcare, 78

Commissioner’s overview, 1-8

Commonwealth Bank of Australia (CBA), 69

Commonwealth Disability Strategy (CDS), 78, 90-8 employer role, 95-8 policy adviser role, 90-1 provider role, 93-4 regulator role, 92-3

Commonwealth Fraud Control Guidelines, 73

Commonwealth Reference Group on Identity Security (CRGIS), 14, 15


communications technology see information and communications technology

Communications Strategy, 31, 32

community consultation, 85-6 education, 38, 86, 87

community attitudes research, 3, 36, 39, 86

competitive tendering and contracting, 73

complainants Aboriginal or Torres Strait Islander background, 100 access to the internet, 99 age range, 101 annual income range, 102 country of birth, 100 demographic information, 99-102 education level, 101 gender, 99 income, 102 location, 100 main language, 100 source of knowledge about the Office of the Privacy Commissioner, 102 survey on demographic information, 99 with a disability, 101

key changes, 5

complaint handling, 5, 13, 37, 41, 83, 84, 94

Complaint Handling Review, 2, 3, 4-5, 121

complaints, 4, 46-56 approved codes, 59-60 backlog, 2, 121 closed, 49-50 closed following investigations, 49-50 closed following preliminary enquiries, 51-3 closed without investigation, 53-4 compliance issues, 54-7 credit reporting, 56 declined to investigate, 50, 53 by government and industry sector, 48 by key issue, 47-8 by Privacy Act jurisdiction, 47 received, 46

remedies achieved by conciliation, 50-1 remedies after preliminary enquiries, 53 resolved by respondent, 57 responding to, 46 statistics, 46-56, 59 tenancy databases, 48 timeliness, 41 under approved codes, 59-60

compliance, 1, 3, 38, 41, 58, 60, 70, 79, 80, 83 credit providers, 56-7 IPP complaints, 55-6 NPP complaints, 54-5 see also audits

Compliance section, 41, 7476, 79, 86

Comrie report, 13

conciliation, 2, 5, 49, 50, 52, 76 training, 76

conferences Data Privacy Seminar, 39 28th International Conference of Data Protection and Privacy Commissioners, 40 see also speeches and presentations

consultants, 73

contact information, x

Corporate and Public Affairs, x, 80

Council of Australian Governments (COAG), 15

counter-terrorism, 10, 17, 18

credit reporting, 11, 23 binding code, proposed, 11 breaches, 11 complaints, 47, 56 compliance issues, 56-7 determinations, 4, 10, 23 enquiries, 43 statistics, 56

Credit Reporting Code of Conduct, 82

Crimes Act 1914, 16, 80, 83

Crimes Regulations 1990, 17

Curtis, Karen speeches, 88 see also Privacy Commissioner


D dangerous accidents or occurrences, 78

data-matching, 64-6 Australian Taxation Office, 67-8 Centrelink, 65, 68-9, 71 Department of Veterans’ Affairs, 64 enquiries, 43 inspections, 65 statutory guidelines, 64 voluntary guidelines, 64, 65-6

program protocols, 65-6, 67-9

Data-matching Program (Assistance and Tax) Act 1990, 46, 64-5, 71, 83

debt collectors, 44, 48

Department of Communications, Information Technology and the Arts (DCITA), 28

Department of Family and Community Services, 78

Department of Finance and Administration, 73

Department of Foreign Affairs and Trade (DFAT), 61

Department of Health and Ageing (DoHA), 26

Department of Human Services Health and Social Services Access Card, 2, 6, 7, 8, 9, 12-13, 34, 71, 90 Memorandum of Understanding, 9, 13, 71

Department of Immigration and Citizenship (DIAC), 9, 13, 61, 71

Department of Veterans’ Affairs (DVA), 64

determinations see Public Interest Determinations

direct marketing sector, 44

Disability Discrimination Act 1992, 95

Disability Strategy, Commonwealth (CDS) see Commonwealth Disability Strategy

Do Not Call Register, 7, 22, 27-8 Taskforce, 28

Document Verification Service (DVS), 15, 63

E ecologically sustainable development, 74

education, 70, 71, 72, 83, 120 community, 38, 86, 87

educational material, 13, 40

electronic health records, 25-6

electronic records, 62

emergencies and disasters, 6, 18-19

Employee Assistance Program, 78

employment services sector, 42, 44

enquiries, 42-6 by industry sector, 44 main issues, 42-3 media, 5 source, 42 telephone, 3, 42 written, 4, 45 see also complaints

environmental performance, 74

equal employment opportunity, 76-7

Essentially Yours: The Protection of Human Genetic Information in Australia, 27

exemption, small business operator, 45, 51

external scrutiny Australian National Audit Office, 125-6

extradition, 6, 20-1

F Federal Government sector, 12-21, 42

finance sector, 42, 44

Financial Management and Accountability Act 1997, 72

financial statements, 125-6

fraud measures, 73


Freedom of Information Act 1983, 85-7 categories of documents, 86-7 contact officer, 87 number of requests, 85 procedures, 87

funding increase, 31, 74

future issues, 2-3

G genetic information, 27

Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, 4, 10, 21-2, 28, 35, 36, 41, 121, 122

glossary, 157

Governor-General, 38

Guide to the Report, ix

guidelines advisory, 82 statutory data-matching, 64 section 95AA, 27 section 135AA, 26

voluntary data-matching, 64, 65-6

Guidelines for the Conduct of the Data-matching Program, 64

Guidelines for the Use of Data-matching in Commonwealth Administration, 64, 65-8

H Health and Safety Management Administrative plans (HSMAs), 78

Health and Social Services Access Card, 2, 6, 7, 8, 9, 12-13, 71, 90

Health Privacy Forum, 86

health sector, 10-11, 22, 25-7 electronic health records (EHR), 25-6 genetic information, 27 Medicare and PBS claims, 10, 26, 27 service providers, 11, 42, 44 unique health identifiers, 26 see also National Health Act 1953

Healthy Lifestyle Allowance, 78

Hong Kong Privacy Commissioner for Data Security, 39

Human Rights and Equal Opportunity Commission (HREOC), 77, 97 Memorandum of Understanding, 70

I identity national, security strategy, 14, 63 pilot, Integrity of Identity Data, 15

identity and border security, 14-15 audits, 63

Indigenous Australians, 100

Indigenous Business Australia Determination, 23

industry codes, 29

Industry Standard for the Making of Telemarketing Calls Discussion Paper, 28

information and communications technology, 2, 10, 27-31 new technologies, 11 telecommunications, 29-31 see also biometric technology

Information Privacy Principles (IPPs), 114-19 audits, 61-3 complaints, 47 descriptions, 114-19 Privacy Act, 81 publication of audits, 60

information sheet, 10, 35

Innes, Graeme, 39

insurance sector, 44, 48, 58

Inter-Governmental Agreement, National Identity Security Strategy, 14-15

International Conference of Data Protection and Privacy Commissioners (28th), 40

International Covenant on Civil and Political Rights, 81

international liaison, 39-40 see also Asia-Pacific Economic Cooperation; Asia Pacific Privacy Authorities

internet complainants access to, 99 disability policy, 95 see also website

investigations, own motion (OMIs), 57-8

J John Fairfax Holdings Ltd, 68

Just Magazines Group, 68

K key statistics, 4-6

Korean Information Security Agency, 39

L law enforcement, 15-16

layered privacy policy, 2, 33-4, 35, 38

legal, accounting and management services sector, 42

legislation enabling, 81, 85 other (privacy), 19, 83 Privacy Act, 27, 81, 85 subordinate (privacy), 81-2 tax, 19 telecommunications interception, 29-30 see also Australian Law Reform Commission review of privacy; names of Acts

letter of transmittal, iii

M market research, 74 sector, 44

Market and Social Research Privacy Code, 22, 59

media, 34 enquiries, 5, 34 most common issues, 34 releases, 34

Medicare Australia, 10, 26, 27, 71

Memoranda of Understanding, 15 ACT Government, 61 Attorney-General’s Department, 70 Commonwealth Ombudsman, 72 Department of Human Services, 9, 13, 71 Department of Immigration and Citizenship, 9, 13-14, 71 Human Rights and Equal Opportunity Commission, 70 Medicare Australia, 71 Office of the NSW Privacy Commissioner, 71 Office of the New Zealand Privacy Commissioner, 72

Minister for Justice and Customs, 17

mutual assistance and extradition, 20-1

N National Data Network (NDN), 24

National Health Act 1953, 26, 27, 80, 83

National Health and Medical Research Council (NHMRC), 25, 27

National Identity Security Strategy Coordination Group (NISCG), 14, 63

National Privacy Principles (NPPs) complaints, 47 description, 103-13 five year anniversary, 2 Privacy Act, 81 see also privacy codes

National Reconciliation Week, 77

networking Privacy Connections, 2, 31, 36-7, 39, 86 Privacy Contact Officers, 37-8, 80, 86

New Zealand Privacy Commissioner, 39, 40 Memorandum of Understanding, 72

News Ltd, 68


Newsletter, 35

non-English speakers, x

NSW Privacy Commissioner, Office of the, 71

O occupational health and safety, 77-8

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 72, 81

Office of the Privacy Commissioner administrative arrangements, 70-2 Compliance section, 41, 74, 79, 86 Corporate and Public Affairs section, 80 corporate services, 72-4 functions, 22, 26, 64, 79-80, 85 human resources management, 74 Policy section, 81 strategic plan, 1-2, 31, 35, 36, 38, 40, 85, 120-4 see also Privacy Commissioner

Office of the Privacy Commissioner Certified Agreement, 2006-2009, 75, 76

Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 72, 81

organisational chart, 80

outcomes and outputs structure, 83-4 resources, 84

overview, Commissioner’s, 1-8

own motion investigations (OMIs), 57 nature of issues, 57 outcomes, 58

P Palmer report, 14

performance review, 9-10, 31-2 staff assessment, 76 summary, 3-8

Performance Management Scheme, 76

performance measures, outcomes and outputs, 83

Personal Information Digest (PID), 63

personal property securities review, 19-20

Pharmaceutical Benefits Scheme (PBS), 26

Pigdon, Suzanne, 37, 39

policy, privacy, 2, 33-4, 35, 38

policy advices, 5

Prescription Shopping Information Service, 27, 39 information sheet, 10, 35

presentations and speeches, 5, 35, 88-9

Prime Minister’s Science Education and Innovation Council (PMSEIC), 24-5

Privacy Act 1988, 79-84 amendments 2006, 4 audit powers, 60 purpose, 81 subordinate legislation, 81-2 see also Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act

Privacy Advisory Committee (PAC), 3, 38-9, 80

Privacy Awareness Week, 2, 3, 31, 33, 35, 38, 38, 40

Privacy Checklist, 37

privacy codes, 22-3, 59-60, 82

Privacy Commissioner

Deputy, 24 functions and powers, 26, 60, 64, 79-80 overview, 1-8 speeches, 88

Privacy Connections network, 2, 31, 36-7, 39, 86

Privacy Contact Officers (PCOs) network, 37-8, 80, 86

Privacy Impact Assessment Guide, 2, 10-12, 35, 38


Privacy Impact Assessments, 15, 17, 18, 24

Privacy Impact Checklist, personal property securities review, 19-20

privacy legislation, review, 1, 2, 3, 9, 10-11, 22, 25, 26, 35, 37

Privacy Legislation Amendment Act 2006, 27

Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006, 18

Privacy Matters newsletter, 35

privacy principles, 1 Information, 114-19 merging, 10 National, 103-13

Privacy (Private Sector) Regulations 2001, 81-2

Privacy Regulations 2006, 82

private sector, ix, 1, 2, 12, 27, 31, 32, 37, 39, 42-3, 44, 45, 46, 54, 55, 60, 81, 86, 122, 123 see also Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act

Productivity Commission, 24, 25

Professional associations, 42, 44

program protocols, voluntary data-matching, 65-6, 67-9

proof of identity, 15

public affairs, 5, 34, 80

Public Interest Determinations, 4, 82 credit reporting, 4, 10, 23 temporary, 27, 82

Public Key Infrastructure Gatekeeper Framework, 15

Public Service Act 1999, 75

publications, 35 audit, 3, 31, 36 obtaining copies, x

purchasing, 73

Q Queensland Club Industry Privacy Code, 23, 59

Queensland Transport, 67

R Racing NSW, 67

real estate sector, 42, 44

Reconciliation Action Plan, 77

remedies, 51-2

Report on the Review of the Privacy Guidelines for the Handling of Medicare and PBS Claims Information, 10, 26

reports released, 10

research, 24, 28 community attitudes, 3, 36, 39, 86 data holding, 24

Research Study into Public Support for Science and Innovation, 25

residential tenancy databases (RTDs), 22, 44, 48

resources summary, 84

retail sector, 42, 44

Review of Privacy see Australian Law Reform Commission

Review Report on the Credit Reporting Assignees and Classes Determinations, 10

Review of the Taxation Secrecy and Disclosure Provisions, 19

risk assessment, 57, 73 fraud control, 73

Ruddock, the Hon Philip, iii, 12, 37 see also Attorney-General


S Safety Rehabilitation Compensation and Other Legislation Amendment Act 2007, 78

Salinger and Co, 18

science and innovation, 24-5

Section 95AA Guidelines, 27

Section 135AA Guidelines, 36

Senate Legal and Constitutional Affairs Committee, 16, 18

Senior Executive Service (SES), 74, 76

small business operator exemption, 45, 51

smartcards, 14

SmartGate, 61

speeches and presentations, 5, 35, 88-9

spent convictions, 16, 43, 46 scheme, 16, 18

staff average level, 74, 84 benefits, 75-6 counselling services, 78 overview, 74-5 performance management, 76 profile, 75 safety, 77-8 salary ranges, 75 SES, 74, 75 study leave, 76 training and development, 6, 41, 76 turnover, 74 see also Certified Agreement

stakeholders, 3, 5, 27, 31, 32, 35, 36, 41, 70, 77, 80, 85, 86, 120 consultation, 32

Standing Committee of Attorneys-General (SCAG), 19

states and territories, 17, 31

statistics availability on website, 59 case notes, 5 complaints, 5, 46-56, 59 complainants, 99-101

media enquiries, 5, 34 policy advices, 5 speeches, 5 staffing, 74-5 summary, 3-6 telephone enquiries, 3, 42 website publication, 59 written enquiries, 45

Strategic Plan 2007-09, 1-2, 31, 35, 36, 38, 40, 85, 120-4

Stockland, 67

submissions, 6-8, 9-10 ALRC review of privacy, 10-11, 25, 37

T Tax File Number Guidelines, 24, 47

tax file numbers, 43 complaints, 43, 47, 57 data-matching, 64 enquiries, 43 Privacy Act, 60, 81

taxation secrecy provisions, 19

technology see information and communications technology

Telecommunications Act 1997, 29, 80

Telecommunications Amendment (Integrated Public Number Database) Act 2006, 28

Telecommunications Consumer Protection Code, 29

Telecommunications (Interception and Access) Amendment Bill 2007, 29-30

Telecommunications (Interception) Act 1979, 29

Telecommunications (Interception) Amendment Act 2006, 29

telecommunications sector, 44 Do Not Call Register, 7, 22, 27-8 e-marketing, 29 Integrated Public Number Database Scheme 2007, 28-9


telephone enquiries, 3, 42 by industry, 44 issues, 43 source, 42

telephone number, Privacy enquiries, x

Telstra, 68

Temporary Public Interest Determinations (TPIDs), 27, 82

tendering, 73

terrorism, 6, 7, 10, 18-19

training disability, 91, 97 other government agencies, 14, 72, 86 Privacy Act, 80, 122 staff, 6, 41, 76-8, 124

transborder data flows, 43, 72, 81, 111-12

translations, x, 40

U unique health identifiers, 26

V Victorian Taxi Directorate, 67

voluntary data-matching guidelines, 64, 65-6 program protocols, 65-6, 67-9

W Wallis Consulting Group, 36

website, Privacy, 32-4 address, x audit reports, 60 number of visits, 32-3 page and session views, 32-3 redevelopment, 3, 31-2, 32 statistical information, 59 written enquiries, 4 see also website addresses throughout report

Westfield, 67

WorkCover, WA, Tas, NT and ACT, 68

workplace diversity, 76-7, 95, 97

Workplace Relations Act 1996, 75

written enquiries, 4, 45
