Part F—Office of the Privacy Commissioner

46. Structure of the Office of the Privacy Commissioner

Recommendation 46–1 The Privacy Act should be amended to change the name of the ‘Office of the Privacy Commissioner’ to the ‘Australian Privacy Commission’.

Recommendation 46–2 The Privacy Act should be amended to provide for the appointment by the Governor-General of one or more Deputy Privacy Commissioners. The Act should provide that, subject to the oversight of the Privacy Commissioner, the Deputy Commissioners may exercise all the powers, duties and functions of the Privacy Commissioner under the Act or any other enactment.

Recommendation 46–3 The Privacy Act should be amended to provide that the Privacy Commissioner must have regard to the objects of the Act, as set out in Recommendation 5–4, in the performance of his or her functions and the exercise of his or her powers.

Recommendation 46–4 The Privacy Act should be amended to make the following changes in relation to the Privacy Advisory Committee:

(a) expand the number of members on the Privacy Advisory Committee, in addition to the Privacy Commissioner, to not more than seven;

(b) require the appointment of a person who has extensive experience in health privacy; and

(c) replace ‘electronic data-processing’ in s 82(7)(c) with ‘information and communication technologies’.

Recommendation 46–5 The Privacy Act should be amended to empower the Privacy Commissioner to establish expert panels, at his or her discretion, to advise the Privacy Commissioner.

47. Powers of the Office of the Privacy Commissioner

Recommendation 47–1 The Privacy Act should be amended to delete the word ‘computer’ from s 27(1)(c).

Recommendation 47–2 The Privacy Act should be amended to reflect that, where guidelines issued or approved by the Privacy Commissioner are binding, they should be renamed ‘rules’. For example, the following should be renamed to reflect that a breach of the rules is an interference with privacy under s 13 of the Privacy Act:

(a) Tax File Number Guidelines issued under s 17 of the Privacy Act should be renamed the Tax File Number Rules;

(b) Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs (issued under s 135AA of the National Health Act 1953 (Cth)) should be renamed the Privacy Rules for the Medicare Benefits and Pharmaceutical Benefits Programs;

(c) Data-Matching Program (Assistance and Tax) Guidelines (issued under s 12 of the Data-Matching Program (Assistance and Tax) Act 1990 (Cth)) should be renamed the Data-Matching Program (Assistance and Tax) Rules; and

(d) Guidelines on the Disclosure of Genetic Information to a Patient’s Genetic Relative should be renamed the Rules for the Disclosure of Genetic Information to a Patient’s Genetic Relative.

Recommendation 47–3 Subject to the implementation of Recommendation 24–1, requiring agencies to develop and publish Privacy Policies, the Privacy Act should be amended to remove the requirement in s 27(1)(g) to maintain and publish the Personal Information Digest.

Recommendation 47–4 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) direct an agency to provide to the Privacy Commissioner a Privacy Impact Assessment in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information; and

(b) report to the ministers responsible for the agency and for administering the Privacy Act on the agency’s failure to comply with such a direction.

Recommendation 47–5 The Office of the Privacy Commissioner should develop and publish Privacy Impact Assessment Guidelines tailored to the needs of organisations. A review should be undertaken in five years from the commencement of the amended Privacy Act to assess whether the power in Recommendation 47–4 should be extended to include organisations.

Recommendation 47–6 The Privacy Act should be amended to empower the Privacy Commissioner to conduct ‘Privacy Performance Assessments’ of the records of personal information maintained by organisations for the purpose of ascertaining whether the records are maintained according to the model Unified Privacy Principles, privacy regulations, rules and any privacy code that binds the organisation.

Recommendation 47–7 The Office of the Privacy Commissioner should publish and maintain on its website a list of all the Privacy Commissioner’s functions, including those functions that arise under other legislation.

Recommendation 47–8 The Privacy Act should be amended to empower the Privacy Commissioner to refuse to accept an application for a Public Interest Determination where the Privacy Commissioner is satisfied that the application is frivolous, vexatious or misconceived.

48. Privacy Codes

Recommendation 48–1 Part IIIAA of the Privacy Act should be amended to specify that a privacy code:

(a) approved under Part IIIAA operates in addition to the model Unified Privacy Principles (UPPs) and does not replace those principles; and

(b) may provide guidance or standards on how any one or more of the model UPPs should be applied, or are to be complied with, by the organisations bound by the code, as long as such guidance or standards contain obligations that, overall, are at least the equivalent of all the obligations set out in those principles.

49. Investigation and Resolution of Privacy Complaints

Recommendation 49–1 The Privacy Act should be amended to provide that, in addition to existing powers not to investigate, the Privacy Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, or which the Commissioner has accepted under s 40(1B), if the Commissioner is satisfied that:

(a) the complainant has withdrawn the complaint;

(b) the complainant has not responded to the Commissioner for a specified period following a request by the Commissioner for a response in relation to the complaint; or

(c) an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances.

Recommendation 49–2 The Privacy Act should be amended to empower the Privacy Commissioner to decline to investigate a complaint where:

(a) the complaint is being handled by an external dispute resolution scheme recognised by the Privacy Commissioner; or

(b) the Privacy Commissioner considers that the complaint would be more suitably handled by an external dispute resolution scheme recognised by the Privacy Commissioner, and should be referred to that scheme.

Recommendation 49–3 The Privacy Act should be amended to empower the Privacy Commissioner to delegate to a state or territory authority all or any of the powers in relation to complaint handling conferred on the Commissioner by the Act.

Recommendation 49–4 The Privacy Act should be amended to clarify the Privacy Commissioner’s functions in relation to complaint handling and the process to be followed when a complaint is received.

Recommendation 49–5 The Privacy Act should be amended to include new provisions dealing expressly with conciliation. These provisions should give effect to the following:

(a) If, at any stage after accepting the complaint, the Commissioner considers it reasonably possible that the complaint may be conciliated successfully, he or she must make reasonable attempts to conciliate the complaint.

(b) Where, in the opinion of the Commissioner, reasonable attempts to settle the complaint by conciliation have been made and the Commissioner is satisfied that there is no reasonable likelihood that the complaint will be resolved by conciliation, the Commissioner must notify the complainant and respondent that conciliation has failed and the complainant or respondent may require that the complaint be resolved by determination.

(c) Evidence of anything said or done in the course of a conciliation is not admissible in a determination hearing or any enforcement proceedings relating to the complaint, unless all parties to the conciliation otherwise agree.

(d) Subparagraph (c) does not apply where the communication was made in furtherance of the commission of a fraud or an offence, or in the commission of an act that would render a person liable to a civil penalty.

Recommendation 49–6 The Privacy Act should be amended to empower the Privacy Commissioner, in a determination, to prescribe the steps that an agency or respondent must take to ensure compliance with the Act.

Recommendation 49–7 The Privacy Act should be amended to provide that a complainant or respondent can apply to the Administrative Appeals Tribunal for merits review of a determination made by the Privacy Commissioner.

Recommendation 49–8 The Office of the Privacy Commissioner should develop and publish a document setting out its complaint-handling policies and procedures.

Recommendation 49–9 The Privacy Act should be amended to allow a class member to withdraw from a representative complaint at any time if the class member has not consented to be a class member.

Recommendation 49–10 The Privacy Act should be amended to permit the Privacy Commissioner, in accepting a complaint or determining whether the Commissioner has the power to accept a complaint, to make preliminary inquiries of third parties as well as the respondent. The Privacy Commissioner should be required to inform the complainant that he or she intends to make inquiries of a third party.

Recommendation 49–11 Section 46(1) of the Privacy Act should be amended to empower the Privacy Commissioner to compel parties to a complaint, and any other relevant person, to attend a compulsory conference.

Recommendation 49–12 The Privacy Act should be amended to allow the Privacy Commissioner, in the context of an investigation of a privacy complaint, to collect personal information about an individual who is not the complainant.

Recommendation 49–13 The Privacy Act should be amended to provide that the Privacy Commissioner may direct that a hearing for a determination may be conducted without oral submissions from the parties if the Privacy Commissioner is satisfied that the matter could be determined fairly on the basis of written submissions by the parties.

50. Enforcing the Privacy Act

Recommendation 50–1 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) issue a notice to comply to an agency or organisation following an own motion investigation, where the Commissioner determines that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual;

(b) prescribe in the notice that an agency or organisation must take specified action within a specified period for the purpose of ensuring compliance with the Privacy Act; and

(c) commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce the notice.

Recommendation 50–2 The Privacy Act should be amended to allow the Privacy Commissioner to seek a civil penalty in the Federal Court or Federal Magistrates Court where there is a serious or repeated interference with the privacy of an individual.

Recommendation 50–3 The Office of the Privacy Commissioner should develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty will be made.

Recommendation 50–4 The Privacy Act should be amended to empower the Privacy Commissioner to accept an undertaking that an agency or organisation will take specified action to ensure compliance with a requirement of the Privacy Act or other enactment under which the Commissioner has a power or function. Where an agency or organisation breaches such an undertaking, the Privacy Commissioner may apply to the Federal Court for an order directing the agency or organisation to comply, or any other order the court thinks appropriate.

51. Data Breach Notification

Recommendation 51–1 The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:

(a) An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

(b) The definition of ‘specified personal information’ should include both personal information and sensitive personal information, such as information that combines a person’s name and address with a unique identifier, such as a Medicare or account number.

(c) In determining whether the acquisition may give rise to a real risk of serious harm to any affected individual, the following factors should be taken into account:

(i) whether the personal information was encrypted adequately; and

(ii) whether the personal information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the Privacy Act (provided that the personal information is not used or subject to further unauthorised disclosure).

(d) An agency or organisation is not required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual.

(e) Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.