|
Your monthly update from the OAIC with latest news, resources, decisions and more |
|
|
|
|
|
|
|
|
|
|
|
COVID-19 guidance and advice
|
|
|
We’ve released new guidance to help businesses regulated by the Privacy Act 1988 understand their obligations when handling information about customers' and visitors' COVID-19 vaccination status.
Our advice encourages businesses to consider whether they are required to collect vaccination information – which is considered sensitive health information and attracts higher privacy protections – or whether they can sight the evidence instead.
Businesses should collect, use and disclose only the minimum information needed to achieve the purpose, and take steps to secure the information and destroy it when it’s no longer required.
Learn how to comply with these privacy obligations on our website, where we’ve also published guidance for employers and employees on collecting proof of COVID vaccination status.
|
|
|
|
|
|
|
|
|
|
|
Clearview AI privacy breach
|
|
|
Australian Information Commissioner and Privacy Commissioner Angelene Falk has found that Clearview AI, Inc. breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.
The determination follows a joint investigation by the OAIC and the UK’s Information Commissioner’s Office (ICO).
Commissioner Falk ordered Clearview AI to cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia.
'The covert collection of this kind of sensitive information is unreasonably intrusive and unfair. It carries significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI’s database.'
|
|
|
|
|
|
|
|
|
|
|
Consultation on the Credit Reporting Code
|
|
|
The OAIC is seeking feedback on the operation of the Privacy (Credit Reporting) Code 2014 to ensure that it is achieving its purpose and is easy to read, understand and apply in practice.
We’ve published a consultation paper as part of our independent review, which considers a range of issues relating to the Code.
In late January, we will be holding a series of roundtable discussions to explore the questions set out in the consultation paper. These sessions will be facilitated by Information Integrity Solutions, which has been engaged to assist in our review.
Stakeholders are invited to express their interest in participating in these discussions by emailing [email protected] by Wednesday 12 January 2022.
We welcome stakeholder comments on the review by 4 February 2022.
|
|
|
|
|
|
|
|
|
|
|
Consumer Data Right assessment
|
|
|
 Our first Consumer Data Right (CDR) privacy assessment found the major 4 banks are generally handling data under the system in an open and transparent way with good privacy practices in place.
The assessment examined how these initial CDR data holders are complying with Privacy Safeguard 1, the bedrock privacy safeguard which requires providers to have a policy describing how they manage CDR data and to implement internal practices, procedures and systems to ensure compliance with their CDR privacy obligations.
Commissioner Angelene Falk said, ‘Our recommendations and suggestions will assist these data holders and other providers in the system to further embed, review and enhance their privacy practices, so that consumers can continue to use the Consumer Data Right with confidence.’
|
|
|
|
|
|
|
|
|
To coincide with the publication of the assessment, Commissioner Falk was interviewed for the latest CDR newsletter about the role of privacy in the CDR system and the OAIC’s priorities as co-regulator. Subscribe to CDR updates.
Upcoming guidance on V3 CDR Rules topics
The OAIC is developing new guidance explaining the key privacy obligations for participants arising from version 3 of the CDR Rules, covering topics including:
- CDR insights
- trusted advisers
- the CDR representative, sponsorship and outsourced service provider models.
We plan to publish the guidance on our website later this month. |
|
|
|
|
|
|
|
Privacy and online shopping
|
|
|
As we head into the holiday season, consumers are being reminded to safeguard personal information when making purchases online.
We’ve shared some online shopping safety tips in our reboot your privacy resource and Facebook and Twitter pages.
|
|
|
|
|
|
|
|
|
|
|
Privacy Act review and Online Privacy Code
|
|
|
Submissions on the Australian Government’s discussion paper on its review of the Privacy Act are open until 10 January 2022.
The discussion paper makes a number of proposals to reposition Australia’s privacy law for the next decade to prevent harm to individuals while promoting innovation and supporting our economic success.
The government has also been consulting on the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The draft legislation provides for higher penalties for privacy breaches and the development of a new Online Privacy Code to regulate social media services, data brokerage services and large online platforms
|
|
|
|
|
|
|
|
|
|
Global regulatory cooperation
|
|
 |
Asia Pacific Privacy Authorities
The OAIC attended the Asia Pacific Privacy Authorities’ (APPA) 56th Annual Conference earlier this month, hosted by the Office of the Information and Privacy Commissioner for British Columbia.
Commissioner Falk presented an update on the OAIC’s facial recognition investigations and recent 7-Eleven and Clearview determinations. She also moderated a panel with guest speakers from the Office of the Privacy Commissioner New Zealand, Personal Data Protection Commission, Singapore and the Office of the Victorian Information Commissioner. The panel discussion focused on how regulators balance their roles in giving guidance and acting as an impartial enforcement body dealing with those same issues.
Other APPA members and guests presented on topics such as the privacy challenges of virtual health care, the enabling of cross border data flows, and privacy law establishment and reform across jurisdictions such as China, Japan, Hong Kong and Canada. The NSW Information and Privacy Commission also presented on the development of their mandatory data breach notification scheme.
|
|
|
|
|
|
|
|
|
Global Privacy Assembly webinar
Assistant Commissioner Melanie Drayton chaired a webinar for the Global Privacy Assembly’s Digital Citizen and Consumer Working Group on 3 November. The discussion focused on its recently published academic report, Digital Crossroads: The Intersection of Competition Law and Data Privacy and a second study consisting of interviews with competition authorities from across the globe on their practical experiences with the intersection between privacy and competition.
The aim of this group is to facilitate cross-regulatory cooperation and collaboration to create a global regulatory environment with clear and consistently high standards of data protection.The event drew more than 50 attendees from 38 international privacy and competition authorities and featured thought-provoking presentations exploring the complements and tensions of privacy and competition.
Information access webinar
Our FOI Regulatory Group presented on Australia’s freedom of information framework at a webinar on accessing government information in Samoa, hosted by the UN Pacific Regional Anti-Corruption Project.
UN-PRAC is a joint UN Office on Drugs and Crime (UNODC) and UN Development Programme (UNDP) initiative, aimed at supporting Pacific Island countries in strengthening national integrity systems. This includes assisting Pacific Island counties with developing and implementing right to information legislation and policy.
The OAIC’s presentation outlined the role of the Australian Information Commissioner and the importance of proactive publication of government-held information.
|
|
|
|
|
|
|
|
Recent and upcoming events
|
|
|
The OAIC participated in several other events across November and December:
- Commissioner Angelene Falk attended the second meeting of Privacy Authorities Australia for 2021, joining state and territory privacy regulators to discuss best practice and promote consistency of privacy policies and laws.
- Commissioner Falk discussed the privacy landscape in 2021 and the outlook ahead with IAPP Country Leader, Australia and National Australia Bank Chief Privacy and Data Ethics Officer Stephen Bolinger for the IAPP ANZ Summit Online 2021. Watch the recording on LinkedIn.
- Commissioner Falk and Australian Competition and Consumer Commission Chair Rod Sims discussed their regulatory approaches and priorities for the digital environment at the King & Wood Mallesons Digital Future Summit. Watch the recording.
- Commissioner Falk spoke about the role of human research ethics committees (HREC) as the gatekeepers of the privacy of research participants in her opening address for the National HREC Conference.
- Acting FOI Commissioner Elizabeth Hampton presented to the Department of Agriculture, Water and the Environment’s Water Division on the role the OAIC plays in ensuring greater access to government-held information and the importance of proactive publication.
- Assistant Commissioner, Dispute Resolution David Stevens presented to the Australian Cyber Security Centre’s Joint Cyber Security Centre partners on the Notifiable Data Breaches scheme and managing data breaches.
- The OAIC’s Assessments team presented to the Australian Digital Health Agency’s partner health network and affiliates on privacy and the OAIC’s My Health Records assessments program. A second webinar for health service providers will be held on Monday. Register to attend.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Privacy complaint outcomes
|
|
|
During 2021 the OAIC has finalised more than 2,000 privacy complaints received from individuals about the mishandling of personal information under the Privacy Act 1988 and other relevant laws.
Our website features summarised and de-identified details from a selection of privacy complaints dealt with through our early resolution process, which brings parties together at an early stage to see if matters can be resolved by agreement.
The information is a subset of all privacy complaint outcomes and is intended to demonstrate the outcomes achieved with the assistance of the OAIC and provide guidance to parties. It does not include complaints dealt with through early resolution which may be identifiable (other than to the parties involved) or matters resolved through conciliation, determination or other means.
|
|
|
|
|
|
|
|
|
|
Information Commissioner review decisions
|
|
|
Information Commissioner review decisions are published on AustLII, with recent decisions including:
- 'YF' and Services Australia (Freedom of information) [2021] AICmr 59
- Agriwealth Capital Limited and Australian Taxation Office (Freedom of information) [2021] AICmr 60
- Australian Skeptics Inc and Commonwealth Ombudsman (Freedom of information) [2021] AICmr 61
- Independent Living Centre NSW t/as Assistive Technology Australia and National Disability Insurance Agency (Freedom of Information) [2021] AICmr 62
- ‘YH’ and Australian Communications and Media Authority (Freedom of information) [2021] AICmr 64
- 'YI' and Department of Home Affairs (Freedom of information) [2021] AICmr 65
- Seven Network Operations Limited and Australian Human Rights Commission [2021] AICmr 6
- 'YO' and Department of Home Affairs (Freedom of Information) [2021] AICmr 67
- 'YP' and Australian Securities and Investment Commission (Freedom of information) [2021] AICmr 68
- 'YQ' and Airservices Australia (Freedom of Information) [2021] AICmr 69
- 'YR' and Tertiary Education Quality and Standards Agency [2021] AICmr 70
- 'YS' and The Treasury (Freedom of information) [2021] AICmr 71
- Lisa Cox and Department of Agriculture, Water and the Environment (Freedom of information) [2021] AICmr 72
- 'YT' and the Australian Taxation Office (Freedom of information) [2021] AICmr 73
- 'YU' and Bureau of Meteorology (Freedom of information) [2021] AICmr 75
- 'YV' and the Bureau of Meteorology (Freedom of information) [2021] AICmr 76
- 'YW' and Department of Veterans' Affairs (Freedom of Information) [2021] AICmr 77
|
|
|
|
|
|
|
|
OAIC Executive appointment
|
|
|
We’re pleased to announce that Rocelle Ago has been appointed as Assistant Commissioner, Freedom of Information at the OAIC. Ms Ago previously served as Principal Director of the FOI Regulatory Group, leading functions including Information Commissioner reviews, complaints and investigations, extension of time applications and guidance on information access.
Our Deputy Commissioner Elizabeth Hampton is continuing to act as FOI Commissioner while the Attorney-General’s Department finalises recruitment for the position.
|
|
|
|
|
|
|
|
|
|
Latest news and submissions
|
|
|
Stay up to date with the latest OAIC news and resources through our Twitter, Facebook and LinkedIn pages.
You can catch up with our submissions on a range of legislative and other issues through our website.
We also publish information released by the OAIC under the Freedom of Information Act 1982 on our disclosure log.
|
|
|
|
|
|
|
|
|
|
Happy holidays from the OAIC
|
|
|
Our office will be closed for the holiday break from Friday 25 December and will reopen on Tuesday 4 January 2022. During this period, you can visit our website for guidance and resources.
We wish you all the best for a happy and safe festive season.
|
|
|
|
|
|
|
Please do not reply to this message as you will not get a response. We welcome your feedback at [email protected].
If you would prefer not to continue receiving this monthly newsletter, you can unsubscribe below. If you have been forwarded this newsletter by someone else, we invite you to subscribe.
|
|
|
|
|
|
|
|
|
|
|
|
