09 January 2012

Privacy Roundup for close of 2011

Posted by Veronica Scott


Annual Report (2010-11) from OAIC
The Office of the Australian Information Commissioner ('OAIC') has released its first annual report since it was created in November 2010 to centralise the government's executive functions in relation to freedom of information ('FOI'), privacy protection and information policy.  The Report gives an insight into the OAIC's operations during its first year and its areas of focus for 2011-12.

Much of the OAIC's operational work has focused on ensuring compliance with the Commonwealth Privacy Act 1988 and Freedom of Information Act 1982. Under the FOI regime, the OAIC received 88 complaints (finalising 39), 176 applications for review (finalising 29), over 1,000 applications by agencies for extensions of time and some 700 telephone enquiries.  In the privacy area, it received 1,222 complaints, closing 1,167 (including from previous years), and almost 11,000 telephone enquiries.

The OAIC will continue its active involvement in the Australian Law Reform Commission's privacy reform process and expects to be asked to undertake a review of FOI charges. It has a backlog of privacy and FOI complaints and will this year begin evaluating agency compliance with the Information Publication Scheme.  It will also continue liaising with privacy regulatory authorities and information commissioners in Australia and overseas.
By Peter Kearney


Introducing the first proposed amendments to the Privacy Act
 
At the Privacy Summit held by iappANZ on 30 November 2011, the Minister for Privacy and Freedom of Information, Brendan O'Connor, announced that the proposed amendments to the Privacy Act, introducing the new Privacy Principles and changes to the credit reporting provisions, would be introduced in the Autumn sittings of Parliament in 2012. Although not stated, it is assumed that there will also be some amendments to the powers of the Privacy Commissioner.
By Charles Alexander


Privacy Commissioner opens an investigation into Telstra BigPond
The Privacy Commissioner has opened an investigation into the Telstra data breach, which arose recently when the personal information of many of its BigPond customers was downloaded from an insecure Telstra customer portal.
Telstra has been asked to also provide a written report on how the breach occurred, what information, if any, was compromised and what steps it has taken to prevent a reoccurrence. An investigation report is expected in late January 2012.

**New Federal privacy case notes Alert**
Below we report on State-based privacy cases of interest. The OAIC has now published 13 new case notes for the end of 2011 relating to privacy matters it finalised. The case notes are also available on AustLII. There are no significant decisions to report on at this stage. For summaries of and tips from previous cases decided by the former Office, see our Privacy Newsletter on our website.


Recent Privacy Case notes from the States
Here we look at some recent State privacy decisions in Victoria, NSW and Queensland.
By Veronica Scott and Mark Silberer


Victoria
Complainant AU v Public Sector Agency [2011] VPrivCmr 03
This case is an important reminder to organisations to observe their privacy obligations when dealing with internal complaints.
The complainant was an employee of a public sector agency subject to the Victorian Information Privacy Act 2000 and the Information Privacy Principles (IPPs). The complainant had made a bullying complaint against co-workers by way of a document to the agency outlining the outcomes they sought and a list of all of the alleged bullying incidents. They were advised by the agency of the complaints process and that their document would be given to each of the alleged bullies. The complainant agreed at first, believing there was no other option, but then changed her mind. However, by then the document had been disclosed.
The complainant alleged that the disclosure of the documentation breached her privacy under IPPs 1.3 (collection), 2.1 (disclosure) and 4.1 (data security).
The Victorian Privacy Commissioner found that:
  • where an agency receives a complaint about its employees, it will be necessary to provide some documentation to relevant parties so that the complaint can be investigated and responded to. However, the information provided was more than necessary to enable the alleged bullies to respond to the complaint; and
  • the document could have been edited to protect the complainant's privacy.
The complaint was successfully conciliated. The agency apologised, paid compensation and agreed to change its policies relating to bullying investigations.
Complainants AS v Contracted Service Provider to a Department [2011] VPrivCmr 1
This case concerns the obligation to consider ways of giving as full access as possible to personal information.
The complainant had sought access to personal information held about her and her children by a contracted service provider to a Department (‘the CSP’) under IPP 6. The CSP responded that it was seeking legal advice.  112 days after making the request, the complainant made a complaint to the Privacy Commissioner that the CSP had not provided her with the personal information sought or adequate reasons for the delay.  The CSP argued that the information could not be released as it contained private information about other individuals.
The Privacy Commissioner found that the CSP had not outlined steps it had taken to consider ways to give the complainant access to the information and suggested other methods of providing fuller access including:
  • notifying or gaining consent of other individuals;
  • removing or redacting identifying information; or
  • properly considering whether the information unreasonably impacted on the privacy of others.
The complaint was conciliated by the redacted file being provided to the complainant.


New South Wales
VK v Department of Education & Training (No 3) [2011] NSWADT 168
This decision by the NSW Administrative Decisions Tribunal ('ADT') is an important reminder to employers that they must be mindful of what information they disclose in relation to a work cover claim by an employee.
In 2004, the applicant, a teacher, commenced stress leave and lodged a workers compensation claim as a result of events that happened at his school. A consulting psychologist attended the school to interview the principal in relation to the claim.  The principal disclosed to the psychologist, amongst other things, information they had received via an anonymous phone call relating to the applicant's behaviour and problems at another school where he was previously employed.
The applicant claimed the Department, by its officer the principal, disclosed and used information contrary to sections 16 and 18 of the Privacy and Personal Information Protection Act 1998 (NSW) ('PPIPA').  Section 16 requires an agency to check the accuracy of information before it is used and section 18 limits disclosure of information.
The ADT determined that the Department had:
  • breached section 16 as the principal knew the identity of the applicant's previous school and failed to check the accuracy of the information received via the anonymous phone call; and
  • breached section 18 as the disclosure of that particular information was not necessary for the purpose of enabling the psychologist to determine the merit of the applicant's work cover claim.

NK v Northern Sydney Central Coast Area Health Service (No. 2) [2011] NSWADT 81
This is the first time that the maximum award for compensatory damages has been made.
The ADT has ordered the respondent to pay $40,000 compensation to the applicant after an earlier decision ([2010] NSWADT 258) which found that the respondent had breached sections 16 and 17 of the PPIPA and numerous Health Privacy Principles (HPP) including: 
  • HPP 3 - collection of information was to be from individual concerned;
  • HPP 4 - individual was to be informed of certain matters when their information was collected from a third party (in this case another hospital);
  • HPP 5  - the applicant's health information should have been kept secure, inaccurate information was provided by the nurse;
  • HPP 9  - officers of the respondent failed to check the accuracy of the information; and
  • HPP 10 - the applicant's health information was used for a purpose other than for which it was obtained and the nurse disclosed the information to the HR Manager without the applicant's consent.
This is the first time the maximum award has been made. The ADT found that the applicant was entitled to "compensatory damages as a step towards restoring him to the position that he would have been in but for the breaches", having regard to: what it described as the respondent's "oppressive" conduct; the fact that the applicant had been "punished" as a result of the respondent's own privacy breaches, which were based on unchecked inaccurate information; the fact that the applicant was both an employee and a patient; the evidence of loss and damage attributable to the respondent's conduct; and the manner of the respondent's conduct.
The applicant was an employee and patient of a hospital operated by the respondent. The applicant had bipolar disorder. A psychiatric nurse at the hospital had obtained information concerning the applicant from another hospital and disclosed it to the respondent's HR Manager. As a result, the applicant was locked out of the hospital on the basis that he was a threat to staff and patients at the hospital. Some of the information provided by the nurse later proved to be incorrect and the officers of the respondent failed to check its accuracy. The respondent maintained that its officers had acted in good faith and that the applicant had failed to show evidence of damage.
The ADT found that the applicant's health information was interfered with, disclosed and used against him, preventing him from working for several years and causing a great deal of stress and uncertainty. In addition to payment of compensation, the respondent was also ordered to correct or remove the inaccurate information contained in the applicant's file, commence an investigation into the conduct of the nurse and make a formal apology.


Queensland
DH6QO5 and Department of Health (310034, 11 May 2011)
The applicant applied to the Department for access to their personal information, most of which was released. However, the Department refused to release a small piece of text (being information supplied by a third party) under section 67(1) of the Information Privacy Act 2009 (Qld) ('IP Act') on the basis that disclosure would be contrary to the public interest under section 47(3)(b) of the Right to Information Act 2009 (Qld) ('RTI Act').
The Department also withheld a number of documents on the basis that they were non-existent or could not be located (under section 67(1) of the IP Act and sections 47(e) and 52(1)(e) of the RTI Act).
The applicant complained to the Right to Information Commissioner ('RTI Commissioner') that he was entitled to the information as it would enable him to assess which treatment decisions had been made about him. The Department argued that disclosing information from third parties would hinder its ability to obtain confidential information in the future by deterring potential sources that may assist in a patient's treatment.
The RTI Commissioner found that:
  • it was in the public interest to ensure such agencies were able to obtain confidential information from third party sources and given that the applicant had been provided the bulk of information requested, it was in the public interest to withhold the small extract of information; and
  • the Department was not obliged to disclose documents that could not be located as it had demonstrated that reasonable steps had been taken to find them.

