Your monthly update from the OAIC with latest news, resources, decisions and consultations
OAIC - Information Matters

Welcome to our final Information Matters e-newsletter for 2020.

In this edition, read about our submission on the Australian Government’s review of the Privacy Act 1988, our recent determination that Flight Centre interfered with the privacy of almost 7,000 customers, and updates from our international engagements including the Global Privacy Assembly and Asia Pacific Privacy Authorities Forum.

We have also published our first 6-month report on the privacy protections in the COVIDSafe app and our 2019-20 Annual Report on the provision of privacy services to the Australian Capital Territory (ACT).

Read on for more updates including events, the latest OAIC news and our holiday closure information.

 

Privacy Act review submission

Australia needs a strong, fair and flexible privacy framework that prevents harm, protects fundamental human rights and builds public trust to support a successful economy. Our submission to the Australian Government’s review of the Privacy Act 1988, published on our website this week, says changes are needed to ensure privacy protections remain consistent with the values of Australians.

“The Privacy Act is a well-established framework that is principles-based, technologically neutral and flexible,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a media statement.

“However, the external landscape has changed significantly in recent years, and our research shows declining levels of community trust in how organisations handle personal information.

“Australians want more done to protect their privacy in the face of ongoing and emerging threats.”

Our submission on the Privacy Act recommends:

  • greater emphasis on the protection of individuals and the obligations on entities to ensure business models and practices safeguard privacy
  • the introduction of fairness and reasonableness standards for the collection, use and disclosure of personal information
  • stronger organisational accountabilities for entities, with an onus on organisations to understand the risks that they create for others, and to mitigate those risks up front
  • the removal of exemptions for employee records and acts and practices by small business operators and political parties
  • that individuals should have a direct right to bring actions in the courts against organisations covered by the Privacy Act to seek compensation
  • the introduction of a statutory tort that can respond to a wide range of serious invasions of privacy.

Our submission also recommends reforms that ensure the OAIC can take proportionate regulatory action and meet community expectations through broadening the jurisdiction of the courts to hear privacy matters, strengthening compulsive powers of the Commissioner, and allowing the Commissioner to issue infringement notices.

See our submission
 

Flight Centre determination

Commissioner Falk has determined that Flight Centre interfered with the privacy of almost 7,000 customers by disclosing their personal information to third parties without consent.

The information, including individuals’ credit card and passport details, was released by Flight Centre Travel Group Ltd during a ‘design jam’ in 2017.

“This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third party suppliers for analysis,” Commissioner Falk said.

The company was found to have breached three Australian Privacy Principles (APPs) by:

  • not taking reasonable steps to implement practices to ensure compliance with the APPs
  • disclosing individuals’ personal information without consent, and
  • failing to take reasonable steps to appropriately secure the personal information.

The full determination can be found on AustLII.

Read our media release
 

Global regulatory cooperation

The OAIC is among more than 30 privacy and data protection authorities from across the globe to share best practices and insights from dealing with the privacy challenges raised by the COVID-19 pandemic.

The ongoing pandemic has required regulators and privacy professionals around the world to respond to issues emerging in our new environment, particularly as governments and businesses seek solutions to address public health and economic problems involving new and changed ways of handling personal information.

The Global Privacy Assembly (GPA) Compendium of Best Practices in Response to COVID-19 collates the different approaches taken to:

  • contact tracing and location tracking
  • the sharing of health data with health authorities and institutions
  • the sharing of health data with law enforcement agencies
  • the sharing of health data with charitable or other similar organisations
  • the handling of employee data in work-from-home and return-to-work situations.

The compendium is a significant body of work resulting from international collaboration through the GPA COVID-19 Taskforce. It aims to recount and reflect on our global experiences in responding to these privacy challenges and to share best practices.

Stay up to date with the latest GPA news and events through their website, where you can also download their latest newsletter featuring an article by our Commissioner Angelene Falk.

Download the compendium

The OAIC joined regulators from across the region last week for the 54th Asia Pacific Privacy Authorities (APPA) Forum hosted by the Office of the Victorian Information Commissioner (OVIC).

This was the second APPA Forum to be held virtually due to COVID-19. Delegates from 19 authorities met to discuss global privacy trends and exchange policy and regulatory experiences, including on the privacy implications of the COVID-19 pandemic, facial recognition and artificial intelligence, and the future of privacy frameworks.

The authorities affirmed the importance of working collaboratively to address these and other issues as they arise in the Asia-Pacific region.

The 55th APPA Forum is scheduled to take place in June 2021, to be hosted by the Personal Information Protection Commission, Korea.

Read the 54th APPA Forum Communiqué
 

Privacy and COVID-19

Our first 6-month report on the privacy protections in the COVIDSafe app highlights the OAIC’s proactive work to ensure the system’s strict privacy measures are upheld.

The OAIC’s COVIDSafe Assessment Program follows the ‘information lifecycle’ of personal information collected by COVIDSafe.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said 4 privacy assessments of the system are underway.

“The OAIC has worked to increase awareness and understanding of privacy protections and obligations related to COVIDSafe by developing guidance and providing advice to government, regulated entities and the community.

“We have also established a robust assessment program to audit the handling of personal information in the COVIDSafe system for compliance.”

See the COVIDSafe Report May-November 2020 here.

We’re also working with state and territory privacy regulators to harmonise requirements for collecting contact tracing information at businesses and venues, and to increase privacy protections for digital check-in services.

You can view the draft guidelines on our website.

See more COVID-19 advice
 

Privacy Officer training

The OAIC will present our first Privacy Officer training webinar for Australian Government staff in February 2021, with a second session to be held in March 2021. The events are now booked out due to high demand.

The webinar is for Privacy Officers from Australian Government agencies, and is suitable for those who are new to the role or anyone seeking a refresher. It’s a condensed version of the full-day course offered by the OAIC which is expected to resume later next year.

If you can’t make these sessions, you can check out our other resources including our Privacy in Practice e-learning module and Privacy Officer Toolkit.

Register your interest for a future Privacy Officer training webinar by emailing us at [email protected].

 

Events

We hosted a virtual Information Contact Officers Network (ICON) session on 4 November to wrap up our International Access to Information Day campaign. Commissioner Angelene Falk, Deputy Commissioner Elizabeth Hampton and senior staff from our FOI Regulatory Group spoke to ICON members about the latest FOI statistics, recent updates and resources, and upcoming projects. The webinar acknowledged the important role of FOI officers in supporting the information access rights of Australians, which are a foundation of our democracy.

Read the Commissioner’s keynote address

It was a busy month for our Notifiable Data Breaches (NDB) team, who delivered presentations at the GRC Conference 2020 and to Australian Finance Industry Association (AFIA) members. You can register to see the recording of the AFIA webinar.

Our Commissioner joined the Law Council of Australia on 12 November for a seminar on key privacy developments in 2020. The seminar covered the OAIC’s privacy regulatory priorities for 2020-21, privacy in the COVID-19 environment, developments affecting the flow of personal information across borders, and the Privacy Act review. You can access the video recording via our website.

Assistant Commissioner Melanie Drayton joined an International Association of Privacy Professionals (IAPP) panel discussion on 24 November on the convergence between privacy, competition and consumer regulation. IAPP members can view the recording for free. 

Content is now available from the Open Government Partnership (OGP) Australia webinar and Victorian Privacy Network (VPN) meetings that we took part in earlier this year:

 

Human Rights Day

Last week we celebrated Human Rights Day, which is observed every year on 10 December – the day the United Nations General Assembly adopted the Universal Declaration of Human Rights in 1948.

This year’s Human Rights Day theme – Recover Better – Stand Up for Human Rights – focuses on the need to build back better by ensuring human rights are central to COVID-19 recovery efforts.

Privacy and freedom of information are important rights in Australia and are a key part of the solution to navigating through the pandemic. COVID-19 has highlighted the importance of maintaining public trust and confidence in the handling of personal information and in providing access to government-held information.

Watch the Australian Human Rights Commission’s 2020 Human Rights Day Oration on their website.

You can discover more about your privacy and FOI rights, as well as COVID-19 advice and guidance, on our website.

 

Australian Disputes Centre Awards

Congratulations to our OAIC privacy complaint conciliators whose work has been recognised by the Australian Disputes Centre in their annual awards.

The Australian ADR Awards recognise individual and team excellence in the area of Alternative Dispute Resolution.

The OAIC was awarded Ombudsman & Commissions ADR Group of the Year for 2020, and OAIC Director Cecilia Rice was named Conciliator of the Year.

See the full list of winners
 

ACT privacy annual report

We've published our 2019-20 Annual Report on the provision of privacy services to the Australian Capital Territory (ACT).

Under a Memorandum of Understanding with the ACT, the OAIC provides privacy services related to the Information Privacy Act 2014 (ACT).

The Information Privacy Act contains the Territory Privacy Principles which ACT public sector agencies must comply with in relation to the collection and handling of personal information, other than personal health information.

See the Annual Report
 

Consumer Data Right resources

The OAIC has worked with the Australian Competition and Consumer Commission (ACCC) to develop a new privacy factsheet for individuals, published on the Consumer Data Right website. The factsheet outlines individuals’ privacy rights under the Consumer Data Right and the strict obligations on businesses collecting and handling their data.

Download the factsheet
 

Online shopping campaign

As we head into the holiday season, consumers are being reminded to safeguard personal information when making purchases online.

In the lead up to Christmas, and through Boxing Day sales, Australians who shop online will be sharing personal data including address and credit card details. Breaches of this personal data can have serious consequences, such as identity theft and financial fraud.

If you plan on shopping online these holidays, see our website for tips to protect your data online.

Be aware of what you share
 

Holiday gift guide

The Office of the eSafety Commissioner’s Holiday Gift Guide tells you what to look out for when buying tech gifts. It also features practical advice on how to stay safe online, including setting strong passwords, turning off location settings and limiting the amount of personal information shared.

Explore their resources and be smart, safe and secure when choosing tech gifts or connected devices for children and young people. You can also register your support for Safer Internet Day on Tuesday 9 February 2021.

Explore the Gift Guide
 

ACSC cyber security campaign

Australians are being urged to strengthen their cyber defences and remain alert to online threats through a new national cyber security campaign. The Australian Cyber Security Centre campaign is initially focused on ransomware, which can cause serious financial and reputational damage to Australian businesses and organisations.

The OAIC’s latest Notifiable Data Breaches report shows the number of data breach notifications attributed to ransomware attacks rose by more than 150% from January to June 2020 compared to the previous 6 months, increasing from 13 to 33 breaches.

Our report says organisations must fully understand how and where personal information is stored on their network to help guard against these criminal attacks. They should also consider network segmentation, additional access controls and encryption to reduce the risk of personal or commercial information being exposed by a ransomware attack.

More cyber security advice is available at cyber.gov.au.

Learn about the campaign
 

Latest news and submissions

Read our latest submissions, consultations, media releases and other updates via our website.

We also publish information released by the OAIC under the Freedom of Information (FOI) Act on our disclosure log.

You can stay up to date with the latest OAIC news and resources through our Twitter, Facebook and LinkedIn pages.

Read our latest news
 

Information Commissioner decisions

Information Commissioner review decisions are listed on our website and published in full on AustLII. Recent Information Commissioner decisions include:

  • 'VY' and Department of Agriculture, Water and the Environment (Freedom of information) [2020] AICmr 54
  • Wulf von der Decken and Services Australia [2020] AICmr 55
  • 'VZ' and Department of Foreign Affairs and Trade (Freedom of information) [2020] AICmr 56
  • 'WA', 'WB' and Australian Human Rights Commission (Freedom of information) [2020] AICmr 58
  • Virginia Plowman and Australian Securities and Investments Commission (Freedom of information) [2020] AICmr 59
 

Holiday reminder for FOI requests

Many Australian Government agencies shut down between Christmas and New Year and staff may also take additional leave at this time. This can affect an agency’s ability to make decisions on FOI requests within statutory timeframes, particularly if a request falls due between Christmas and New Year. Our FOI resource on Public holidays and agency shut-down periods has more information.

Requests received between 25 November and 5 December 2020 will fall due before 4 January 2021, unless consultation with a foreign government or consultation under ss 26, 27 or 27A is required.

We encourage agencies to use an extension of time (EOT) smartform to notify the OAIC of s 15AA agreements, or to apply for an extension of time under ss 15AB, 15AC or 54D.

See our EOT guidance
 

Have a safe holiday break

The past year has seen significant developments across the privacy and information access rights landscape, as we continue to work towards the OAIC’s vision of increasing public trust and confidence in the protection of personal information and access to government-held information.

You can read more about the OAIC’s highlights of 2020 in our infographic.

Our office will be closed for the holiday break from Friday 25 December 2020 and will reopen on Monday 4 January. During this period, you can visit our website for guidance and resources.

We wish you all the best for a happy and safe festive season.

 