Timothy Pilgrim: OAIC has a mandate, powers, and is not afraid to use them

By The Mandarin

Thursday September 3, 2015

Presentation by Timothy Pilgrim PSM, Australian privacy commissioner and acting Australian information commissioner, to The Law Society of New South Wales Government Solicitors Conference in Sydney on September 1, 2015.

As solicitors in the government field, many of you will have had cause to focus on the activities of the Office of the Australian Information Commissioner in the past year. You may even have had direct dealings with us.

It is therefore not surprising that you may be wondering what is the current state of play with the OAIC and its future, and more specifically, the important jurisdictions of privacy and freedom of information that we are responsible for. Even this week the future of the OAIC has again been the subject of a number of media articles [The Mandarin included].

I want to outline the current status of the OAIC and importantly, how I see us going forward on privacy and FOI through the mid to longer term.

But first, a quick bit of background. The OAIC was established in November of 2010 to bring together the functions of information policy, FOI and privacy governance. This built on what had been the successful model of the Office of the Privacy Commissioner which had been in existence since 1988.

However, in May 2014 the Government announced an intention to disband the Office, to put in place new arrangements for these functions.

  • FOI complaints would be handled by the Ombudsman;
  • FOI policy and reporting would go to the Attorney General’s Department;
  • Review of FOI decisions would be handled by the AAT; and
  • A new Office of the Australian Privacy Commissioner would be established.

The Bill to implement these changes was passed by the House of Representatives and the changes were to take effect on January 1, 2015. But, the Bill has not yet been considered by the Senate.

OAIC keeps working

However, in anticipation of these changes and in recognition that there was a potential significant impact on the administration of both Acts and importantly on the careers and futures of our staff in our Canberra Office, we began to implement some of the changes. This was necessary as from July 1, 2014 our budget had been reduced to also reflect these changed arrangements.

Consequently we:

  • began a process to assist staff in Canberra to obtain new jobs or transition out of the APS;
  • arranged for the Commonwealth Ombudsman to commence dealing with FOI complaints;
  • transferred FOI policy and reporting functions to the AGD;
  • further streamlined our IC review processes to improve their timeliness, including using s 54W to allow matters to go to the Administrative Appeals Tribunal; and
  • closed our Canberra premises in December 2014, moving the remaining FOI functions to our Sydney office, where the bulk of our privacy work had always been handled.

However, as I said, to date the Bill to abolish the OAIC has not been considered by the Senate. Consequently, as we moved closer towards the 2015/16 financial year, it was clear that the OAIC would be continuing to operate, and as a result funding was reappropriated to allow us to continue with our streamlined IC review processes.

This has, naturally, created uncertainty and speculation particularly amongst administrative law and open government advocacy circles about the ability of the OAIC to be effective and perform the important role that it holds for the community in the privacy and FOI spaces.

“This should be a heads up, a warning to those entities covered by the Privacy Act and the FOI Act … we will actively be fulfilling the mandate we have to ensure the community’s rights are upheld.”

So let me be clear about this. Of course, this uncertainty is far from an ideal situation and I hope that soon we will have some clarity about the future of the OAIC.

However, having spent in excess of 30 years in the public service, I believe I am safe in saying that it is quite remarkable what the OAIC has achieved in this period of uncertainty and, regardless of what may occur over the months ahead, this should be a heads up, or to look at it another way, a warning to those entities covered by both the Privacy Act 1988 and, while we have the jurisdiction, the FOI Act, that we will actively be fulfilling the mandate we have to ensure the community’s rights are upheld under both statutes.

Achievements in FOI

As I mentioned, prior to May 2014 the OAIC had already been revising its Information Commissioner review processes to improve the timeliness of decisions, and this significantly enhanced our performance with respect to IC reviews during the 2014-15 year.

While we are close to resolving the last of our legacy backlog, in terms of new matters coming in, our current average time for finalising these is around 3 months. The number of IC review decisions finalised was up 40% on the previous year, to 138. And overall, while we received 374 IC review applications during the year, we finalised 482. At the same time we made significant inroads into the legacy backlog, further demonstrating the effect of our revised processes.

We are using our power under s 54W to refer matters to the AAT where that facilitates better administration of the Act, but overall this remains a small number of the matters finalised.

But, we are still clearly maintaining an active role in this space and consequently, while the FOI policy function moved to the AGD, it is my intention to review and amend the FOI Guidelines in the next few months to update them in the light of a number of decisions made by both the OAIC Commissioners and the AAT. This is important in my view as Agencies must have regard to those guidelines as set out in the FOI Act.

Privacy regulation

For anyone who is working in this area it is abundantly clear that the OAIC has been extremely active over the last 12 months. By way of some statistics, during the past year our office:

  • handled 12,241 privacy enquiries;
  • received 2,838 complaints, successfully closing 1,976;
  • managed 117 voluntary data breach notifications; and
  • undertook 12 privacy assessments (formerly known as audits), involving 94 entities, to assist compliance with good personal information handling practices, making recommendations to improve privacy practice.

The office accepted its first enforceable undertakings under the 2014 reforms to the Privacy Act, following a Commissioner Initiated Investigation.

At the same time, we continued to bed down the most significant reforms to the Privacy Act following their commencement on 14 March 2014. As part of this we issued 32 sets of guidance material to assist entities covered by the Privacy Act, and for the broader community, to understand their responsibilities and rights.

An important example of this guidance was the release of our Regulatory action policy and complementary Regulatory action guide, which clarify the OAIC’s commitment and approach to our privacy regulation activities. We also released the Privacy management framework, designed to enable good privacy practice by embedding privacy governance within entities.

Beyond speaking to the output of our office, these statistics also speak to the rapidly-growing consumer and corporate interest in privacy management. Indeed, the fact that voluntary data breach notifications increased by nearly 50% on the previous year speaks of agencies and businesses who understand that a good privacy reputation is good for their business, and for the success of their programs in the case of government agencies.

This is of course very positive.

It’s something we want to encourage and so, with the 2014 Privacy Act amendments now well embedded, a key focus for the year ahead is strategic privacy assessments. We have looked at entities’ privacy policies under Australian Privacy Principle 1, including those of a number of ACT government agencies, the online privacy policies of top websites, and most recently GP health clinics.

We will build on this work and look at how entities are implementing effective privacy practice, procedures and systems.

Privacy and national security

This year we will also commence privacy oversight of the implementation of the mandatory telecommunications data retention scheme and of the privacy aspects of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014, which introduces changes to the handling of personal information.

We are already working closely with the Department of Immigration and Border Protection on privacy impact assessments, and we have put together a new national security team working on privacy assessments, advice and privacy impact assessments.

We will similarly be working with telecommunications service providers to ensure that privacy protections are built into their practices, procedures and systems and have already released guidance in this area.

Throughout all this work, there is of course the need to balance individual privacy with national security. But, this is not a single limb test. Even when the public interest balance falls in favour of national security there is still a need to ensure policies are implemented in a way that minimises their privacy impact to the fullest extent that is reasonably possible.

Privacy Impact Assessments

I’ve been talking about the value of Privacy Impact Assessments (PIAs) for a long time. Although some organisations and agencies have adopted them as part of their business-as-usual processes, many are lagging behind on this important and effective tool.

Privacy Impact Assessments should be considered for any new program that involves changes to personal information handling, and that includes proposals to mandate collection, use or disclosure of personal information in legislation.

Most new legislation, including legislative instruments, must be accompanied by a statement of compatibility with human rights: that is, compatibility with the rights and freedoms recognised in the seven core international human rights treaties to which Australia is a party.

This includes, under the International Covenant on Civil and Political Rights, a right to privacy. So where a policy or legislative proposal impacts on privacy, a PIA can help agencies to address the statement of compatibility.

Overall, having a PIA is vitally important when considering privacy in the context of any legal or legislative issues. It can, and should, be a vital component of both project planning and of risk assessment.

A framework for agencies

But in the overall context of managing privacy within agencies and organisations I hope that everyone is becoming familiar with our new Privacy Management Framework.

But just in case anyone is not, the Framework is a tool that is designed to help agencies comply with their ongoing obligations under APP 1.2 and, above all, to embed privacy into their project planning and processes.

As is clear from the Framework, a leadership commitment to a culture of privacy is a foundation for good privacy governance and is really the first step in meeting an entity’s obligations.

APP 1.2 requires agencies to be proactive in establishing, implementing and maintaining privacy processes. Just writing a privacy policy, or putting in place set-and-forget processes is not enough.

“When we do an assessment of an agency, we will be looking to see how privacy is managed right up to CEO level.”

This is why our Framework provides clear steps to develop and maintain best privacy practice. Most importantly, it can help entities to avoid meeting the regulatory arm of my office.

In that respect, when we do an assessment of an agency or an organisation we will be looking to see how privacy is managed right up to CEO level.

Wielding the stick

Turning then from the carrot to the stick, you will have also seen an increase in the matters which I have determined under the s 52 Determination powers of the Privacy Act (7 in the last financial year).

While the vast majority of privacy complaints are resolved without the need for recourse to a determination, these cases do provide some useful signposts of potential risks in an entity’s privacy practices and of how my Office may view them.

One case in particular has attracted significant attention as it brought together a journalist from our ‘paper of record’, the nation’s largest telecommunications provider, and arguably the most topical issue in privacy in the past year, metadata.

In Ben Grubb and Telstra Corporation Limited, I found that Telstra had breached Mr Grubb’s privacy by failing to provide to him personal information about him held by Telstra. Significantly, in order to reach that decision I needed to first conclude, against Telstra’s consistent argument, that Mr Grubb’s metadata did in fact constitute personal information.

While I note that Telstra is appealing this matter to the AAT, this case will remain significant because the challenge Telstra faced in withholding the data will inevitably occur more and more often.

“Personal information is not just that which does identify you but also that which reasonably can.”

Telstra argued that much of the metadata sought was simply not ‘personal information’, because on its face the data was anonymous. This is correct. But that argument overlooks the reality of data-linking and that a customer’s identity and much more information about them can be established by cross-matching data sets.

Personal information is not just that which does identify you but also that which reasonably can. For this reason the challenge faced by Telstra will lie with any organisation that handles complex data sets in which anonymous data can be linked to other sources from which an individual becomes reasonably identifiable. Retailers and loyalty programs, in particular, spring to mind.

Pending any appeal outcomes, my advice to prudent organisations would be to work on the assumption that such data is “personal information” and to manage it and secure it as if it is.
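The data-linking point above (that records with no name attached become personal information once they can be cross-matched with another data set) is something a privacy assessment can check rather than merely assert. The following is an added illustration, not OAIC material or anything from the Grubb determination: it takes a constructed set of "anonymous" metadata-style records, measures how unique each record is on its quasi-identifiers (the k-anonymity figure), cross-matches it against a constructed second data set that carries names, and then shows how coarsening the quasi-identifiers (tower to region, hour to am/pm, dropping the handset model) removes the one-to-one matches. Tower ids, the region mapping and all records are invented for the example.

```python
"""Re-identification risk check for 'anonymous' metadata.

Added illustration (not OAIC or Telstra material). Every record below is
constructed for the example; the point is the method, not the data.
"""
from collections import defaultdict

# Constructed "anonymous" records: no name or phone number, only attributes
# that look harmless in isolation (serving tower, hour of day, handset model).
METADATA_RECORDS = [
    {"id": "A1", "tower": "T1", "hour": 8, "handset": "X"},
    {"id": "A2", "tower": "T1", "hour": 8, "handset": "X"},
    {"id": "A3", "tower": "T2", "hour": 22, "handset": "Y"},
    {"id": "A4", "tower": "T3", "hour": 13, "handset": "Z"},
    {"id": "A5", "tower": "T1", "hour": 8, "handset": "Y"},
]

# Constructed second data set of the kind a retailer or loyalty programme
# might hold: the same attributes, but recorded against a customer name.
LOYALTY_RECORDS = [
    {"name": "Alice", "tower": "T2", "hour": 22, "handset": "Y"},
    {"name": "Bob", "tower": "T3", "hour": 13, "handset": "Z"},
    {"name": "Carol", "tower": "T1", "hour": 8, "handset": "X"},
    {"name": "Dan", "tower": "T1", "hour": 8, "handset": "X"},
    {"name": "Erin", "tower": "T1", "hour": 8, "handset": "Y"},
    {"name": "Frank", "tower": "T2", "hour": 22, "handset": "X"},
    {"name": "Grace", "tower": "T3", "hour": 15, "handset": "X"},
]

QUASI_IDENTIFIERS = ("tower", "hour", "handset")   # fields shared by both sets
GENERALISED_QI = ("region", "period")               # fields after coarsening


def equivalence_classes(records, quasi_identifiers):
    """Group records by the combination of their quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[f] for f in quasi_identifiers)].append(rec)
    return classes


def k_anonymity(records, quasi_identifiers):
    """Smallest equivalence class: k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(len(group) for group in classes.values())


def link_records(anonymous, identified, quasi_identifiers):
    """Map each anonymous record id to the names it could belong to."""
    by_key = equivalence_classes(identified, quasi_identifiers)
    return {
        rec["id"]: sorted(r["name"] for r in
                          by_key.get(tuple(rec[f] for f in quasi_identifiers), []))
        for rec in anonymous
    }


def reidentified(anonymous, identified, quasi_identifiers):
    """Ids of anonymous records that cross-matching resolves to exactly one person."""
    links = link_records(anonymous, identified, quasi_identifiers)
    return sorted(rid for rid, names in links.items() if len(names) == 1)


def generalise(record):
    """Coarsen the quasi-identifiers so that fewer records stand alone.

    Tower -> region (constructed mapping), hour -> am/pm, handset dropped.
    """
    region = "south" if record["tower"] == "T3" else "north"
    period = "am" if record["hour"] < 12 else "pm"
    out = {k: v for k, v in record.items() if k in ("id", "name")}
    out.update(region=region, period=period)
    return out


def risk_report():
    """Compare linkage risk before and after generalisation."""
    gen_meta = [generalise(r) for r in METADATA_RECORDS]
    gen_loyalty = [generalise(r) for r in LOYALTY_RECORDS]
    return {
        "k_raw": k_anonymity(METADATA_RECORDS, QUASI_IDENTIFIERS),
        "reidentified_raw": reidentified(METADATA_RECORDS, LOYALTY_RECORDS, QUASI_IDENTIFIERS),
        "reidentified_generalised": reidentified(gen_meta, gen_loyalty, GENERALISED_QI),
        "smallest_candidate_set": min(len(v) for v in
                                      link_records(gen_meta, gen_loyalty, GENERALISED_QI).values()),
    }


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key}: {value}")
```

On the raw attributes three of the five "anonymous" records resolve to exactly one named person, which is the situation the determination describes: the data is anonymous on its face and personal information in practice. After generalisation every record has at least two candidates. In a real assessment the second data set is whatever a motivated party could plausibly obtain, and the conservative course, as the speech advises, is to treat records that are unique on their quasi-identifiers as personal information and secure them accordingly.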

Departments in violation

Turning briefly to other determinations that are relevant specifically to government agencies:

  • In February 2015, I found that the Great Barrier Reef Marine Park Authority had breached Information Privacy Principle 11.1 of the Privacy Act by disclosing the complainant’s personal information to a news outlet. I declared that the agency apologise in writing to the complainant, review its training of staff and agents who act on the agency’s behalf in handling personal information, and confirm with me that the review of the training had been completed. I also awarded $5,000 to the complainant for non-economic loss.
  • In another case that was also related to disclosure under IPP 11.1, I found that the Department of Veterans’ Affairs had interfered with the complainant’s privacy by disclosing his personal information to Australian Defence Force officers and the Department of Defence. I determined that the DVA should apologise in writing to the complainant and that the secretary initiate a review of privacy complaints within the DVA, and notify me of the results of the review.
  • In September 2014, I found that the Department of Defence had breached the Privacy Act by disclosing the complainant’s sensitive personal information to his treating GP after he had expressly refused to grant consent for this to occur. I found that the Department should apologise in writing, amend its information handling procedures, specifically around the handling of sensitive personal information, undertake staff training and pay the complainant $5,000.

With the above decisions in mind, I would like to conclude by remarking that we still, occasionally, receive the message that privacy is a roadblock to getting work done. Well, I think if an agency is finding that they are consistently coming up against privacy, then they’re probably not approaching privacy obligations in an integrated way.

“Privacy needs to be considered in corporate and project planning, so that privacy protections and responsiveness to privacy are built into delivery.”

Privacy law in Australia is principles based — it’s flexible and able to accommodate a vast range of different information sharing and handling arrangements. But it is not a bolt-on accessory. Privacy needs to be considered in corporate and project planning, so that privacy protections and responsiveness to privacy are built into delivery.

When a privacy-by-design approach is taken to project and policy planning, privacy law is flexible enough to both protect individuals and facilitate effective agency performance.

Think OAIC isn’t watching?

So, what does all this demonstrate? Well, pending other decisions, it is my intention that the OAIC will continue to deliver the combination of functions I have outlined, and will actively continue to do this to the high and efficient standard we have achieved in the past year.

Any agency or organisation thinking that they can ‘game the system’ because of the uncertainty about the future of the OAIC better look at what we have done over the last 12 months and think again! We are actively using the powers available to us to uphold these important community rights.

Finally, it would be remiss of me not to remark that the significant output our Office has achieved, in challenging and changing circumstances is an amazing demonstration of the commitment of our people to uphold the best values of public service and meet the needs of the Australian community. Thank you.
