In June 2012, the Office of the Australian Information Commissioner (OAIC) made a number of announcements relating to various matters within its jurisdiction. This article summarises those recent announcements which may be applicable to the exercise of agency function in relation to freedom of information and privacy.
Telstra Investigation Report findings by the OAIC
The investigation report into Telstra Corporation Ltd’s (Telstra) alleged breach of consumer privacy was released on 29 June 2012.
The Australian Privacy Commissioner (Commissioner), Timothy Pilgrim, found Telstra to be in breach of National Privacy Principles (NPP) 2.1 (Use and disclosure) and 4.1 (Data security) under the Privacy Act 1988 (Cth) (Privacy Act), after a database containing 734,000 Telstra customers’ details (including customer names, phone numbers and order numbers) was made available online in December 2011 via a link on the internet.
The report discloses a number of internal errors leading up to the incident, demonstrating significant weakness in Telstra’s reporting, monitoring and accountability systems. In particular:
- failure to categorise the database in its design phase as one involving customer data, meaning the database did not receive the appropriate level of protection from the beginning
- Telstra staff’s knowledge of the security issues associated with the database, but failure to raise these issues with top management.
Telstra has put in place remediation plans to improve the security of the personal information it holds and to prevent unauthorised access and disclosure in the future. Having reviewed the proposed remediation project, the Commissioner has ceased his investigation into the matter but has requested Telstra to provide him with a progress report on the remediation project by October 2012 and a completion report by April 2013.
OAIC – FOI guidelines revised
The OAIC has released revised versions of Parts 13 and 14 of the Guidelines issued under section 93A of the Freedom of Information Act 1982 (Cth) (FOI Act). Agencies must have regard to these revised Guidelines when they are performing a function or exercising a power under the FOI Act.
Part 13 of the Guidelines deals with the Information Publication Scheme (IPS). It now includes updated information about the OAIC’s upcoming IPS compliance review program.
Part 14 of the Guidelines deals with the disclosure log. Key revisions include:
- more detailed advice on the timing of publication of information on the disclosure log, and
- notice of statistics to be collected by the Information Commissioner from agencies and ministers about disclosure log activity for inclusion in the 2012-2013 FOI Annual Report.
OAIC – new privacy fact sheets released
The following new privacy fact sheets have been published and are available on the OAIC website.
- Privacy fact sheet 10, which looks at the privacy complaint process for individuals who have complained or are considering complaining to OAIC under the Privacy Act
- Privacy fact sheet 11, which looks at the privacy complaint process for organisations and agencies that are the subject of a complaint to the OAIC under the Privacy Act, and
- Privacy fact sheet 12, which looks at the conciliation process and what to expect when participating in conciliation as part of OAIC’s privacy complaint handling process.
FOI merits review decision by the Australian Information Commissioner
The Australian Information Commissioner has handed down his decision in the matter of Briggs v Department of Broadband, Communications and the Digital Economy (No. 2) AICmr 18 (25 June 2012).
By way of background, Mr Jamie Briggs MP, the federal member for Mayo, applied to the Department of Broadband, Communications and the Digital Economy (Department) for access to documents relating to the digital dividend and the Digital Switchover Household Assistance Scheme (Scheme). Mr Briggs requested that any charge be waived under section 29(4) of the FOI Act on public interest grounds.
Initially, the Department identified 102 documents and provided Mr Briggs with a preliminary assessment of $3,586.64. Mr Briggs then narrowed the scope of his request. This reduced the number of documents to 6 technical reports, with a revised charge of $1,056.73 to be reduced by 50% to $528.37, as a means of balancing the public interest in the release of the documents and the work required in processing Mr Briggs’ request.
On 5 August 2011, Mr Briggs sought review by the Australian Information Commissioner of the Department’s decision under s54L of the FOI Act, challenging the Department’s decision not to exercise the discretion conferred on it by section 29(4) of the FOI Act to not impose a charge at all.
In deciding whether the public interest purpose for disclosure has been established for the purposes of section 29(5) of the FOI Act, the Australian Information Commissioner held that it will ordinarily require consideration of both the content of the documents and the context of their release. He found that the release of the documents requested by Mr Briggs was in the general public interest, as Mr Briggs would be in a position to make use of the documents in parliamentary and public debate, and given the Scheme’s significance both in terms of cost and impact on individual Australians.
Additionally, he confirmed that it was open for the Department to apply a charge despite deciding that the giving of access to the documents would be in the general public interest. He accepted that, despite there being only 6 documents for release, the processing of Mr Briggs’ FOI request would require the Department to undertake significant consultations with affected third parties. Accordingly, he affirmed the Department’s decision to reduce the charge applicable by 50%.
OAIC makes submissions on the Superannuation Legislation Amendment (Further MySuper and Transparency Measures) Bill 2012
The OAIC has now commented on the exposure draft of the Superannuation Legislation Amendment (Further MySuper and Transparency Measures) Bill 2012 (Bill), specifically Schedule 3 of the Bill which includes amendments which operate to:
- expand the coverage of the Australian Prudential Regulation Authority’s (APRA) collection and publication of data on superannuation entities
- enable publication of data on MySuper products, and
- improve the disclosure of information related to the operation of superannuation entities, including new requirements to publish a product dashboard and portfolio headings.
With respect to the collection and disclosure of information by APRA, the OAIC has commented as follows:
- in relation to quarterly reports about MySuper products, APRA will not be able to publish information that would identify the beneficiary of a regulated superannuation fund, which is welcomed by OAIC
- it is understood that the collection and publication of other information by APRA under the Bill will not involve ‘personal information’ and therefore would not be subject to the Privacy Act. However, OAIC recommends that a note to that effect is inserted in Schedule 3 and clarified in the Explanatory Memorandum (EM) to the Bill, and
- given the possibility that information may become personal information after collection if it is aggregated to or linked with other information, OAIC recommends that APRA takes reasonable steps to prevent this from occurring by developing appropriate internal policies, procedures and processes for handling and de-identifying personal information.
The intended Regulations will outline specific documents to be published on the superannuation entity’s website. Information required to be published about specific individuals, such as the name and a brief biography of each director or individuals involved in the trusteeship of the fund, will likely be personal information and subject to the Privacy Act and the NPPs. However, given the disclosure of this information will be required if the Bill is enacted, NPP 2 will permit its disclosure as an exception. Thus, its disclosure needs to be balanced against the privacy interests of the individuals concerned. OAIC recommends that the EM to the Bill includes the policy rationale for the disclosure of this information, and detailed arguments supporting why mandatory disclosure of this information is necessary to fulfil the Bill’s objectives. Also, affected parties should be consulted by the Treasury to address their concerns with the disclosure of this information.
Lastly, OAIC recommends that a privacy impact statement of the proposals in the Bill is undertaken by the Treasury, to identify and assess the privacy impacts that may arise from Schedule 3 of the Bill.
OAIC comments on the Independent Review of Australian Government Environmental Information Activity (Review)
The OAIC has noted that this Review will assess current environmental information activity, identify opportunities for improving how the Government conducts its environmental information business, and identify and address systematic issues in environmental information management.
On this basis, OAIC has made the following comments on the Review’s Discussion Paper:
- firstly, the objectives of the Review are consistent with the Government’s broader information objectives and in line with the Government’s intended reform for Australian Government administration to deliver better service, create open government and improve agency capability and efficiency
- secondly, with respect to assessing how environmental information is acquired, managed and used, and particularly with respect to the proposed National Plan for Environment Information and the development of an integrated Environmental Information System, OAIC recommends that the Review considers its Principles on open public sector information (Principles), which are central to the management of government information in Australia and which set out the central values of open public sector information, and
- in providing its response to the relevant questions set out in the Discussion Paper, OAIC commented as follows:
  - the Principles, which were developed to guide agency information governance within the Government, should be used to ensure effective government of environmental information activities. For effective information governance, agencies need to manage information as a core strategic asset. Each agency should also have a responsible senior executive and supportive information governance body for the management and governance of information in accordance with OAIC’s Principles
  - the application of appropriate open licensing terms will facilitate the reuse of public sector information without unnecessary impediments. By default, agencies should publish public sector information under licence in accordance with principle 6 of OAIC’s Principles. This licence allows others to distribute, reuse and build upon licensed work, provided that credit is given to the original creator, and
  - to maximise the utility and value of public sector information, that information should be discoverable and useable and agencies should have regard to principle 5 of OAIC’s Principles on the publication of information and associated standards of information sharing.
OAIC promotes cybersecurity
In a media release dated 14 June 2012, the OAIC promoted National Cybersecurity Awareness Week 2012, and encouraged individuals and businesses alike to take active steps to protect personal information from online privacy and data breaches. Businesses in particular were encouraged to consider OAIC’s guide on data breach notification, which aims to assist businesses in responding to data breaches and implementing preventative action. OAIC suggested that businesses voluntarily notify them of any data breaches, so that OAIC can assist businesses to speedily resolve issues and contain a breach.