Information and Privacy Commissioner New South Wales Annual Report 2013-14


  • 7/23/2019 Information and Privacy Commissioner New South Wales Annual Report 2013-14


    Annual Report 2013-2014


    Contact details

    Our business hours are 9am to 5pm Monday to Friday (excluding public holidays).

    The Information and Privacy Commission NSW is located at:

    Street address: Level 11, 1 Castlereagh Street, Sydney NSW 2000

    Postal address: GPO Box 7011, Sydney NSW 2001

    Free call: 1800 IPC NSW (1800 472 679)
    Fax: (02) 8114 3756
    Email: [email protected]
    Website: www.ipc.nsw.gov.au

    If you are deaf or have a hearing or speech impairment, you can call us through the National Relay Service (NRS) on 133 677 or if you would like the assistance of an interpreter, call us through the Translating and Interpreting Service (TIS) on 131 450.

    ISSN 1839-4523 (print)

    ISSN 1839-9541 (online)

    © 2014 Information and Privacy Commission NSW


    Letters to the President and Speaker

    The Hon. Don Harwin MLC
    President Legislative Council
    Parliament House
    Macquarie Street
    Sydney NSW 2000

    The Hon. Shelley Hancock MP
    Speaker Legislative Assembly
    Parliament House
    Macquarie Street
    Sydney NSW 2000

    22 October 2014

    Dear Mr President and Madam Speaker,

    In accordance with the Annual Reports (Departments) Act 1985, the Government Information (Information Commissioner) Act 2009, and the Privacy and Personal Information Protection Act 1998, I am pleased to present the Annual Report of the Information and Privacy Commission NSW.

    This report provides an account of the work of the Information and Privacy Commission NSW during the 2013-2014 financial year.

    The report meets the requirements for annual reports as advised by the NSW Premier in Ministerial Memorandum M2013-09. This report demonstrates our agency's performance and activities while incurring minimal production costs.

    Yours sincerely,

    Elizabeth Tydd
    CEO, Information Commissioner

    The Hon. Don Harwin MLC
    President Legislative Council
    Parliament House
    Macquarie Street
    Sydney NSW 2000

    The Hon. Shelley Hancock MP
    Speaker Legislative Assembly
    Parliament House
    Macquarie Street
    Sydney NSW 2000

    22 October 2014

    Dear Mr President and Madam Speaker,

    In accordance with section 61A of the Privacy and Personal Information Protection Act 1998, I am pleased to present the following report on my work as Privacy Commissioner for the 12 months ended 30 June 2014.

    Under section 61B of the Privacy and Personal Information Protection Act 1998, a full report on the operation of the Privacy and Personal Information Protection Act 1998 across all public sector agencies for 12 months ended June 2014 will be provided separately.

    A copy of the report has been provided to the Attorney General as Minister responsible for this legislation as specified under section 61A (2) and 61B (2) of the Privacy and Personal Information Protection Act 1998.

    Yours sincerely,

    Dr Elizabeth Coombs
    Privacy Commissioner


    Highlights

    Case management system implemented to improve GIPA backlog, page 33

    Strategy developed for stakeholder engagement, page 15

    Delivery to Attorney General of Transborder code of practice by Privacy Commissioner, page 20

    Privacy Awareness Week called for NSW citizens to mobilise their privacy, page 17

    Improvement of the IPC's practices & procedures a focus for 2014, page 5

    Engagement with IPAC, page 28

    Development of e-learning modules for privacy and information access, page 17

    Information Commissioner's report on operation of the GIPA Act tabled in Parliament, page 21

    Website redeveloped to meet stakeholder needs and meet government accessibility requirements, page 15

    The IPC welcomed a new Information Commissioner, page 8


    Contents

    Letter to the President and Speaker
    Highlights
    CEO: an overview
    Privacy Commissioner: an overview
    Information Commissioner: an overview
    Year in snapshot

    About the IPC
      Who we are
      Our purpose
      What we do
      Our vision
      Our approach
      Our values

    Our organisation

    Accountability
      Our stakeholders
      Privacy Commissioner: role and powers, committees
      Information Commissioner: role and powers, committees

    Governance structure
      Our governance
      IPC governance

    Legislative matters
      Our legislation
      Objectives of our legislation
      Legislative changes

    Our strategic objectives

    Reporting against our strategic objectives: Objective 1
    To uphold and protect information and privacy rights

    Priority 1: Promote and educate the community about their rights under the legislation
      Website redevelopment
      Publications
      Stakeholder engagement
      Communications strategies
      Media
      Community surveys
      Events and awareness initiatives
      Outlook for 2014-2015

    Priority 2: Assist agencies and business to understand and implement the legislation
      Practitioners network
      Education and training
      GIPA review reports
      Speaking engagements
      IPC resources
      Assisting agencies: GIPA
      GIPA Tool
      Assisting agencies: Privacy
      Advice files by source: IPC
      Privacy: Genetic Health Guidelines
      Privacy: Public Interest Directions
      Privacy: Cross Border Information Sharing Code of Practice
      Outlook for 2014-2015

    Priority 3: Review agency performance
      Report on the operation of the GIPA Act
      GIPA protocol
      Privacy breaches
      Privacy Governance Framework
      GIPA annual reporting
      Advice
      NSW 2021 State Plan Goal 31
      Privacy management plans
      Privacy Codes of Practice
      Privacy Public Interest Directions
      Privacy protocols
      Human Research and Ethics Committees
      Physical privacy
      Outlook for 2014-2015

    Priority 4: Review agency performance and decisions, investigate and conciliate complaints
      GIPA matters
      Privacy matters
      NSW Civil and Administrative Decisions Tribunal (NCAT)
      Public Interest Disclosures
      Government information contraventions
      Outlook for 2014-2015

    Priority 5: Provide mechanisms for stakeholder feedback
      Information and Privacy Advisory Committee (IPAC)
      Collecting feedback
      Consumer feedback
      Surveys
      Website analytics
      Training
      Stakeholder feedback
      Outlook for 2014-2015

    Priority 6: Provide feedback to Parliament about the legislation and the relevant developments
      Parliamentary Joint Committee
      Parliamentary inquiries
      Outlook for 2014-2015

    Reporting against our strategic objectives: Objective 2
    To be an effective organisation

    Priority 1: Be recognised as an employer of choice
      Organisational structure
      Our executive
      Executive remuneration
      Enterprise Industrial Relations
      Equal Employment Opportunity (EEO) and staff numbers
      Statistical information on EEO target groups
      Recruitment and selection
      Code of Conduct
      Flexible work agreement
      Surveys
      Health and safety
      Waste
      Corporate services
      Information and communication technology
      Diversity Action Plans
      Diversity Action Plans: reports 2013-2014
      Outlook for 2014-2015

    Priority 2: Implement a rigorous governance framework
      IPC Governance Lighthouse
      Legislative compliance register
      Recordkeeping
      Research and development
      Internet address
      Insurances
      Consultants
      Litigation
      International travel
      External legal advice sought
      Agreements with Community Relations Commission
      Information Security Management System attestation
      Digital Information Security Annual Attestation Statement for 2013-2014
      Risk management
      GIPA compliance
      Internal Audit and Risk Management Attestation
      Statement of action taken to comply with the PPIP Act
      Statistical details of any review conducted under Part 5 of the PPIP Act
      Outlook for 2014-2015

    Priority 3: Promote continuous improvement of performance
      IPC business plan
      Performance development and achievement planning framework
      Open Government Plan
      Professional development
      Outlook for 2014-2015

    Our financial performance
      Statement by the Information Commissioner
      Independent Auditor's Report
      Financial Statements for the year ended 30 June 2014
      Notes to and forming part of the Financial Statements

    Appendices
      Appendix 1: Information Protection Principles (IPPs)
      Appendix 2: Health Privacy Principles (HPPs)
      Appendix 3: IPC Strategic Plan 2013-2016
      Appendix 4: Publications list
      Appendix 5: Access applications under Schedule 2 of GIPA Act
      Appendix 6: Credit card certification
      Appendix 7: Payment of accounts
      Appendix 8: Time for payment of accounts
      Appendix 9: Annual Report compliance requirements

    Complaining to the IPC
    Index
    Glossary
    About this Annual Report


    CEO overview

    In 2013-2014 the IPC advanced the objective of providing a single body overseeing both key issues relating to government information: public access and privacy. The single Commission model promotes the management of government information and respects the dual statutory functions of information access and privacy to ensure agencies and individuals receive consistent information and advice.

    A single service IPC

    The IPC's effective integration has provided a single point of contact that has enhanced our service delivery in a number of areas including investigation and review functions; advice, communications and stakeholder engagement; and shared corporate functions to deliver greater operational efficiencies.

    Effective investigation and review functions

    In undertaking our case work responsibilities we have progressed the integration of previously separate teams handling investigation and review functions. The results of this integration are tangible. In 2013-2014 the IPC finalised 745 cases representing a 36% increase in the number of investigations and reviews finalised compared to the 548 finalised equivalent cases reported in 2012-2013. The IPC received 511 GIPA review applications and complaints, and closed 490 matters. The IPC received 253 privacy reviews and complaints, and closed 255 matters.

    While we have focused on harmonising and refining our practices and procedures in the first half of 2014 this significant improvement in service delivery would not have been possible without the expertise, professionalism and consistent commitment by the staff of the IPC.

    I also acknowledge the significant contribution of Ms Kathrina Lo. These achievements build on the effective strategies implemented under her leadership as former Acting Information Commissioner and Chief Executive Officer.

    Further work is continuing to promote the proportionate and transparent delivery of a full range of IPC services including our communications and projects team. These areas have also delivered significant outcomes in 2013-2014 with a 46% increase in the numbers of advices finalised and a 133% increase in the number of Commissioner email enquiries finalised. Continuing this approach will advance our commitment to credible, intelligence led programs informed by stakeholder feedback and data analysis.

    Reliable and credible advice and assistance

    The creation of a single office has facilitated the delivery of more consistent and co-ordinated training and assistance to the public and agencies. In 2013-2014 the IPC conducted a comprehensive review of opportunities to better inform our service delivery through stakeholder engagement. The strategy will enable us to more effectively receive feedback from stakeholders and, together with other data inputs deliver an evidence led program of advice, assistance and training to the public and agencies. We aim to better identify the issues facing each of the sectors and ensure that our activities are needs based. We have improved our service delivery through the development of a suite of communications materials that provide consistent and credible responses to our most frequently asked questions; developed resources to respond to identified issues; and invested in an upgrade of our website and its functionality to enable us to deliver e-learning modules on information access and privacy in 2014-2015. We invested in our staff and provided a range of training opportunities to promote the provision of contemporary and credible advice with a particular focus on our dual statutory responsibilities.

    IPC efficiencies and effectiveness

    In 2014 the IPC implemented a number of priority projects with the objective of enhancing our service delivery. We conducted a review of business services including the IPC's reporting and case management systems. As a result we are implementing a more robust case management and reporting system to ensure we identify issues and implement solutions in both privacy and access. These improvements will enable us to more effectively and consistently report to Parliament and the Parliamentary Joint Committee on the Ombudsman, the Police Integrity Commission and Crime Commission.

    Directions for 2014-2015

    The IPC has established a clear agenda of improved service delivery and greater engagement with agencies and the citizens of NSW. We will harness the expertise of the Information and Privacy Advisory Committee (IPAC) to consider and advise on new and emerging issues involving information access and privacy. We will also review the IPC's service delivery channels to promote accessibility, flexibility and innovation in promoting information access and privacy rights throughout NSW.

    Elizabeth Tydd
    CEO, Information Commissioner


    Privacy Commissioner overview

    Achievements and Report to NSW Parliament

    I strongly believe emphasis is best placed upon assisting the public and agencies develop sound management practices for personal information. Progress on the privacy work programme has been disappointing although privacy issues receive growing attention. Delays in the work programme represent a missed opportunity to assist NSW public sector agencies and members of the public.

    2013-2014 saw privacy issues widely debated; triggered in part by the Snowden revelations of mass surveillance. The European Union Court of Justice's ruling in May 2014 that Google and other search engines must remove personal information about private citizens that is inadequate or irrelevant also triggered privacy debates. Changes to Commonwealth privacy legislation also had the same effect. More of these debates are likely and welcomed.

    As Privacy Commissioner, I found 2013-2014 a mixed year. It was with sadness that I farewelled Deirdre O'Donnell, inaugural NSW Information Commissioner whose commitment to information access and the equitable positioning of both access to information and privacy functions within the IPC commanded respect both within and outside the Commission.

    Progress on the privacy work programme has been disappointing. While there has been some progress, significant projects have been delayed and projects addressing systemic issues in NSW public sector agencies' management of personal information could not be completed as planned. It also became apparent the IPC's case management system and the mapping of work flows have not adequately captured privacy matters and need to be improved. This year's report, for example, does not contain data on matters falling under the Health Records and Information Protection Act 2002 (HRIP Act).

    But there have been some achievements.

    Code of Practice for the movement of personal information out of NSW

    One of these was to submit, after two years' development, a draft Transborder Code of Practice for the Attorney General's approval. The NSW Parliament in 1998, when passing the Privacy and Personal Information Protection Act 1998 (PPIP Act) envisaged that within a year, a Code of Practice would regulate the movement of personal information outside of NSW. Despite the efforts of earlier Privacy Commissioners this did not eventuate. The absence of a Code is a major deficiency in the protection of the personal information of NSW citizens.

    I was delighted to be advised by the Attorney General that he intends to address this situation by legislative amendment not a Code of Practice. This is extremely positive news, bringing NSW in line with the Commonwealth, Queensland and Victoria, and recognises the need for protection of the personal information of NSW citizens in the global information economy. I strongly commend the Attorney's proposed course of action. Until legislative amendment has occurred however the current lack of protection remains.

    Privacy and health information

    In early 2012, the Health Legislation Amendment Act 2012 amended the HRIP Act to enable genetic information to be provided to genetic relatives in certain circumstances. Guidelines are to be prepared by the Privacy Commissioner before the legislative amendments take effect. Progress was delayed again in 2013-2014 with the result the assistance intended for health practitioners also delayed. I'm hopeful in 2014-2015 resourcing will be available so this project can be completed.

    In 2012, we undertook an analysis of formal complaints which revealed almost half of formal complaints arose under the HRIP Act and concerned primarily the private health sector and the right to access personal health records. We sought to support practitioners' compliance with the legislation via information explaining the provisions relating to access to health records. These fact sheets have been delayed also but will be available finally in 2014-2015.

    Good privacy governance is critical

    Strong governance around personal information is critical with the increasing quantity of personal information held by NSW public sector agencies. A serious example of poor governance that came to my attention in this reporting year concerned the expiration of a protocol between Roads and Maritime Services and the NSW Police for the provision of personal information from the DRIVES system to NSW Police. While the PPIP Act includes provision for NSW police to use personal information for law enforcement purposes, the failure to notice or address the expiration of an instrument required under the Roads Transport Act 2013, is a serious failure of privacy governance. I urge all agency heads to ensure that their governance arrangements to protect personal information are in good order and oversighted by their Audit and Risk Committees or other body, preferably one with independent representation.

    Privacy rights and responsibilities need to be clearly communicated for effective governance. It is a statutory function of the Privacy Commissioner to assist public sector agencies to adopt and comply with the Information Protection Principles (IPPs) through publishing guidelines and other materials on the protection of personal information and other privacy matters. A recurring request from individuals and agencies is for plain English materials explaining privacy rights and obligations, and outlining good privacy operational practices. The 26% increase in requests for advice from agencies during 2013-2014 demonstrates this demand. During the same period, requests via the online Ask the Privacy Commissioner facility typically from members of the public, have increased almost fourfold albeit from a small base.

    In 2012-2013 we commenced development of an online interactive Privacy Governance Framework for NSW public sector chief executives and senior management to address this need. This framework was to be distributed in late 2013 but will now occur in 2014-2015. It will need further interactive materials to meet emerging trends such as data linkage initiatives.

    The remaking of the Public Interest Directions allowed NSW public sector agencies to continue undertaking their activities without breaching the Information IPPs or Health Privacy Principles (HPPs). I remain of the view that the Directions are a short-term mechanism and that agencies need to look to legislative or other measures to enable ongoing sharing of personal information if this sharing is in the public interest, but outside the parameters of the IPPs.

    Is NSW privacy legislation meeting today's challenges?

    Growing technological capacity and the changing privacy landscape poses challenges for NSW privacy legislation. Some legislative issues have been identified in earlier reviews such as the 2004 statutory review of the PPIP Act. In 2014-2015 I aim to prepare a report on these challenges and NSW privacy legislation under section 61B of the PPIP Act. I anticipate releasing this report in the 2014-2015 reporting year depending upon availability of resources. Consultation with the community, NSW public sector agencies and their privacy contact officers, as well as the non-government sector, will be an important component in developing the report.

    I'm hopeful there will be progress on addressing a number of outstanding and longstanding issues in the coming year. Big data and data sharing will remain on my agenda, and I will be discussing these issues with the Parliamentary Joint Committee on the Office of the Ombudsman, the Police Integrity Commission and the Crime Commission, the Attorney General, our Information and Privacy Advisory Committee (IPAC), and others.

    Within the IPC, it's important the data systems allow me as Privacy Commissioner to fulfil my statutory responsibility to Parliament of reporting accurately and fully on the operation of NSW privacy legislation.

    Acknowledgements

    During 2013-2014 I met with the Parliamentary Joint Committee on the Office of the Ombudsman, the Police Integrity Commission and the Crime Commission to report on work undertaken in 2012-2013. The Committee's interest in privacy is evident and I look forward to continuing those conversations in the coming year.

    In early 2014 the Hon. Greg Smith stepped down as Attorney General. I thank him for his support for privacy events such as Privacy Awareness Week. I also thank the Hon. Brad Hazzard, Attorney General, for his engagement with privacy matters I draw to his and the Parliament's attention.

    Throughout the reporting year I worked with three Information Commissioners: the inaugural Information Commissioner Deirdre O'Donnell to whom I pay special tribute, Kathrina Lo who held the role for six months, and Elizabeth Tydd who brings new and different perspectives. I also acknowledge the valuable collaboration with the Federal Privacy Commissioner on issues that cross Commonwealth and State boundaries. I also thank the IPC managers and staff who have worked under great pressure this year, for their commitment and hard work.

    I look forward to the challenges of the coming year and working with our stakeholders to ensure privacy is protected and championed throughout NSW.

    Dr Elizabeth Coombs
    Privacy Commissioner


    Information Commissioner overview

    Achievements and Report to NSW Parliament

    Genuine reform of citizen access to government held information has been achieved through the Government Information (Public Access) Act 2009 (GIPA Act). The Act provides citizens with different pathways to access information and promotes opportunities to enable citizen input into policy development. The maturation of the GIPA Act's application by decision makers enables me to focus on collaborating with the sectors to maximise opportunities for citizen input.

    Reporting to Parliament

    In early 2014 the IPC established a database to capture and report upon activities undertaken by agencies in conducting their information access and privacy functions. This database together with the IPC's case management system facilitated the delivery of the inaugural report to Parliament by the Information Commissioner on the operation of the GIPA Act (s37 Report). The provision of this report, which analyses over three years of data involving over 50,000 applications has enabled the IPC to establish a base line from which agency performance can be monitored and evaluated.

    A focus on proactive release

    The results of the s37 Report were promising and indicate that in the main, agencies are adopting the Act's flexible and timely approach to decision making. Applying the intelligence gained through the report the IPC will identify issues and implement strategies to advance our collective responsibility for information access, increased proactive disclosure and its contribution to our democratic society.

    Increased public awareness and understanding their rights

    The IPC conducts independent reviews of agencies' access decisions and provides reports to members of the public and recommendations to agencies. In 2013-2014 we implemented processes to ensure a more proportionate and effective application of all IPC resources. This includes improved practices and procedures together with more appropriate governance and reporting mechanisms to ensure that work volume demands are met within acceptable time frames and statutory functions are effectively and credibly delivered. This approach continues as we focus on consistent decision making methodologies by decision makers.

    In 2013-2014 we commissioned a review of the GIPA Tool to assist agencies in managing and reporting on access applications. Driving improved performance by agencies is one means of meeting the GIPA Act's strategic intent.

    However the role of the Information Commissioner extends beyond complaints handling. It is instrumental in working with agencies to promote a representative government that is open, fair, accountable and effective. Open government includes the provision of data and information to better inform citizens and enable them to more effectively participate in government decision making processes.

    The early indicators provided in the s37 Report are again promising. Under the previous Freedom of Information Act around two-thirds of all applications for information concerned personal information. In the first three years of the operation of the GIPA Act 38% of all applications sought personal information; 45% of applications sought information other than personal information; and 17% sought information that was partly personal and partly non-personal in nature.

    Given that 61% of all applications were lodged by members of the public this significant shift may be attributable to greater citizen engagement in government decision making. This issue will be my focus going forward.

    Finally, I acknowledge the inaugural Information Commissioner Deirdre O'Donnell, who successfully established the IPC as a one stop shop for NSW citizens together with the sound foundations required to advance access rights.

    I also acknowledge the Privacy Commissioner Elizabeth Coombs' contribution as we work together to ensure that we uphold our statutory responsibilities through an efficient and effective single service point.

    Going forward

    Advancing the strategic intent of the GIPA Act and promoting open government through proactive disclosure will be a primary focus of our work in the coming year. Better access to and exchange of government information facilitates better service delivery. The IPC will work across all sectors to increase the opportunities for proactive release and to provide greater access to information through better decision making.

    Partnering with agencies to advance the Act's strategic intent will be a priority for the IPC in 2014-2015.

    Elizabeth Tydd
    CEO, Information Commissioner


    Year in snapshot

    Phone: This year 84% of all contacts were via telephone. 4,340 calls.

    Email: Just under 16% of all contacts were received via email. 807 emails.

    Website: The website received a total of 290,388 page views.

    PLEASE NOTE: These figures include data from the former case management system.

    Privacy: 253 privacy reviews and complaints received. 255 matters finalised.

    GIPA: 511 GIPA review applications and complaints received. 490 matters finalised.

    IPC: 745 matters finalised in 2013-2014 (36% increase).


    Our values

    About the IPC

    Who we areThe Information and Privacy Commission NSW (IPC) isan independent statutory authority that administers NSWlegislation dealing with privacy and access to governmentinformation. The IPC was established on 1 January 2011to support the Information Commissioner and the PrivacyCommissioner in fullling their legislative responsibilitiesand functions. The IPC is now recognised as a separateagency under Schedule 1 of the Government SectorEmployment Act 2013.

    Our purpose to champion privacyand information rights for the

    people of NSW.

    What we doThe IPC promotes and protects privacy and informationaccess rights in NSW and provides information, advice,assistance and training for agencies and individualson privacy and access matters. The IPC reviews the

    performance and decisions of agencies, and investigatesand conciliates complaints relating to government agencies,health service providers (both public and private) andsome large organisations that deal with health information.The IPC also provides feedback about the legislationand relevant developments in the law and technology.

    Our visionThe people of NSW can be condent that their access toinformation and privacy rights are upheld and protected.

    Our approach We are focused on the resolution of issues, applying

    a proportionate approach appropriate to the issue

    We make it easier for the community to exercise theirrights, and for organisations covered by our legislationto meet their responsibilities

    We give priority to signicant or systemic publicpolicy issues

    We work constructively with stakeholders

    We operate in accordance with the NSW PublicSector Values and Code of Conduct

    We identify trends and patterns, and share good practice.

    We make decisions and give advice that is impartial and objective.

    We monitor trends and developments in the law and technology, identify emerging issues and recommend changes, and tailor our work to the changing environment in information access and privacy law, policy and practice.

    We are flexible, innovative, reliable and fair in delivering quality services to meet the needs of agencies, the community and business.

    We take responsibility for our decisions and actions and provide transparency to enable public scrutiny. We use resources efficiently and effectively and foster a positive, inclusive and safe working environment.


    Our organisation: accountability

    Our stakeholders

    NSW Parliament

    Members of the public

    Government (Premier and Attorney General)

    Parliamentary Joint Committee on the Office of the Ombudsman, the Police Integrity Commission and the Crime Commission

    NSW public sector agencies including state government bodies, councils, state-owned corporations*, universities

    Non-Government Organisations delivering contracted services to NSW Government agencies

    Ministers and their staff

    Members of Parliament and their staff

    Other Information and Privacy Commissioners

    Information and Privacy Advisory Committee (IPAC)

    Other oversight accountability agencies

    Media

    Staff.

    Privacy Commissioner: role and powers

    The Privacy Commissioner is appointed by the Governor as an independent office holder under Section 34 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

    The role focuses on resolving complaints, protecting and enhancing the privacy rights of the NSW community and ensuring agencies uphold the privacy principles in the PPIP Act and the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act). A key function is to educate the people of NSW about the meaning and value of privacy by:

    Responding to enquiries and educating the community about privacy issues

    Advising people of possible remedies for breaches of their privacy

    Advising individuals, government agencies, businesses and other organisations on how to ensure that the right to privacy is protected

    Receiving, investigating and conciliating complaints about breaches of privacy

    Overseeing privacy matters and performance of organisations undertaking privacy work

    Appearing in the NSW Civil and Administrative Decisions Tribunal (NCAT) and advising on privacy law in privacy cases

    Overseeing NSW government agency reviews of reported privacy breaches

    Researching developments in policy, law and technology that may impact on privacy, and making reports and recommendations to relevant authorities

    Issuing guidelines on privacy principles.

    Participation in committees

    During the reporting period, the Privacy Commissioner was a member of the following committees:

    Asia Pacific Privacy Authorities (APPA)

    APPA Privacy Statistics Project Working Group

    International Data Protection and Privacy Commissioners Strategic Directions Working Group

    Privacy Authorities Australia (PAA)

    Global Privacy Enforcement Network (GPEN) steering committee

    Enabling Information - Department of Finance and Services ICT Strategy interagency forums.

    Information Commissioner: role and powers

    The Information Commissioner is appointed by the Governor as an independent office holder under section 4 of the Government Information (Information Commissioner) Act 2009 (NSW) (GIIC Act).

    The role is to promote public awareness and understanding of the right to access government information in NSW, and provide information, support, advice, assistance and training to agencies and the general public.

    The Information Commissioner has the power to conduct reviews of decisions made by other NSW government agencies and deal with complaints about information access. The Information Commissioner also monitors agencies' functions, reports to Parliament on the operation of the GIPA Act, and reports to the Attorney General about proposals for legislative or administrative change.

    When necessary the Information Commissioner can issue guidelines to assist agencies and the public on:

    Public interest considerations in favour of disclosure

    Public interest considerations against disclosure of government information

    Agencies' functions

    The public's rights to access information

    An agency's information guide

    Reductions in processing charges.

    The Information Commissioner can investigate agencies and compel them to provide information in the conduct of inquiries.

    Participation in committees

    During the reporting period, the Information Commissioner was a member of the following committees:

    Association of Information Access Commissioners (AIAC)

    Enabling Information - Department of Finance and Services ICT Strategy interagency forums.

    * Does not apply to the work of the Privacy Commissioner.


    Our organisation: governance structure


    Our governance

    The IPC is recognised as a separate agency under Schedule 1 of the Government Sector Employment Act 2013. The Information Commissioner is appointed as agency head and now has responsibility for ensuring that the IPC and its staff operate in accordance with all government sector requirements.

    The IPC's activities are also supported by the IPC Risk and Audit Committee.

    The Privacy Commissioner reports to the NSW Parliament on the operation of the PPIP Act and the HRIP Act.

    The Information Commissioner reports to the NSW Parliament on the operation of the GIPA Act.

    The IPC is an independent statutory authority that reports directly to the Parliamentary Joint Committee on the Office of the Ombudsman, the Police Integrity Commission and the Crime Commission, which oversees the functions of the Information Commissioner and Privacy Commissioner. The role of the committee does not provide for it to:

    Investigate a matter relating to particular conduct

    Reconsider a decision to investigate, not to investigate or to discontinue investigation of a particular complaint or matter of conduct

    Reconsider the findings, recommendations, determinations or other decisions the Information Commissioner or the Privacy Commissioner has made in relation to a particular investigation, matter or complaint.

    [Figure: IPC governance. Boxes shown: NSW Parliament; Parliamentary Joint Committee on the Office of the Ombudsman, the Police Integrity Commission and the Crime Commission; CEO, Information Commissioner; Privacy Commissioner; Audit and Risk Committee; Information and Privacy Advisory Committee (IPAC)]


    Our organisation: legislative matters

    Our legislation

    The IPC administers the following legislation:

    Government Information (Public Access) Act 2009 (NSW) (GIPA Act)

    Government Information (Public Access) Regulation 2009 (NSW) (GIPA Regulation)

    Government Information (Information Commissioner) Act 2009 (NSW) (GIIC Act)

    Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)

    Privacy and Personal Information Protection Regulation 2005 (NSW) (PPIPA Regulation)

    Privacy Code of Practice (General) 2003 (NSW)

    Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)

    Health Records and Information Privacy Regulation 2006 (NSW) (HRIPA Regulation)

    Health Records and Information Privacy Code of Practice 2005 (NSW)

    Objectives of our legislation

    The GIPA Act establishes an open approach to gaining access to government information. NSW government agencies, including state-owned corporations, NSW Government Ministers, local councils and universities are covered by the GIPA Act. The objectives of the GIPA Act are to maintain and advance a system of responsible and representative democratic government that is open, accountable, fair and effective, by:

    Authorising and encouraging the proactive release of government information by agencies

    Giving members of the public an enforceable right to access government information

    Providing that access to government information is restricted only where there is an overriding public interest against disclosure.

    The GIIC Act establishes the role of the Information Commissioner and provides the legislative framework through which the Information Commissioner and IPC staff as delegates exercise functions in relation to the investigation of complaints and the conduct of enquiries.


    The PPIP Act gives legal recognition to the public interest in the protection of privacy - the right of individuals to exercise control over the availability and use of personal information about them. The PPIP Act protects privacy by regulating the way NSW public sector agencies (including local councils and universities) deal with personal information. Personal information does not include information about someone who has been deceased for more than 30 years. The key to the PPIP Act is the 12 information protection principles (IPPs) - see Appendix 1.

    The HRIP Act protects the privacy of people's health information. It covers information created and collected by hospitals and other health service providers. It also includes other public and private organisations that hold any type of health information. Health information includes information about people who have been dead for less than 30 years. The HRIP Act contains 15 health privacy principles (HPPs) - see Appendix 2.


    Legislative changes

    Changes which are brought forward by the Attorney General are covered in the Department of Justice annual report. Changes which are brought forward by the Health Minister which affect health privacy are covered in the NSW Ministry of Health annual report. In addition, the following legislative changes were made during the reporting period:

    The Government Sector Employment Act 2013 (GSE Act) to reflect the recognition that the IPC agency head employs IPC staff to perform the statutory functions undertaken within the IPC

    The Government Information (Information Commissioner) Act 2013 (GIIC Act) to recognise that IPC staff are employed by the agency head

    The Privacy and Personal Information Protection Act 1998 (PPIP Act) to recognise that IPC staff are employed by the agency head

    The Civil and Administrative Legislation (Repeal and Amendment) Act 2013 to reflect the commencement of the NSW Civil and Administrative Tribunal (NCAT) as a review body for matters arising from the GIPA Act, PPIP Act and HRIP Act. NCAT is declared to be part of the Department of Justice for the purposes of the GIPA Act

    Electoral and Lobbying Legislation Amendment (Electoral Commission) Act 2014 under which the Electoral Commission may, at the request of a lobbyist, exclude information in the Lobbyists Register or the Lobbyists Watch List from being made publicly available if the Electoral Commission is satisfied that there is an overriding public interest against disclosure of the information within the meaning of the GIPA Act

    Privacy and Personal Information Protection Amendment (Inspector of Custodial Services) Regulation 2014 which prescribes the Inspector of Custodial Services as an investigative agency for the purposes of the PPIP Act

    The definition 'public sector agency' now includes the office of a political office holder within the meaning of the Members of Parliament Staff Act 2013, being the office comprising the persons employed by the political office holder under Part 2 of the PPIP Act

    The definition 'public sector official' in the PPIP Act now includes a person employed by a political office holder under Part 2 of the Members of Parliament Staff Act 2013, and a person employed by a member of Parliament under Part 3 of the Members of Parliament Staff Act 2013

    Skills Board Act 2013 - the NSW Skills Board is listed as a subsidiary of the Department of Education and Communities in the GIPA Regulation

    Subordinate Legislation (Postponement of Repeal) Order 2013 postponed the repeal of the PPIP Regulation from 1 September 2013 to 1 September 2014.

    Other legislative changes that resulted in amendments being made to names of agencies but not other substantive changes to the legislation administered by the IPC have not been captured in this report. Examples include the Fines Amendment Act 2013, Passenger Transport Bill 2014, and Bail (Consequential Amendments) Act 2014.

    Our strategic objectives

    Please see Appendix 3 to view the IPC Strategic Plan 2013-2016 in detail.


    Reporting against our strategic objectives

    Objective 1: To uphold and protect information and privacy rights

    Priority 1: Promote and educate the community about their rights under the legislation

    Website redevelopment

    The IPC commenced redevelopment of the organisation's website in the first half of 2014 after consultation with our stakeholder groups.

    As the IPC's central communication channel, considerable work was done to improve the user experience with a cleaner format and simpler navigation, including the addition of web forms to improve efficiency of receiving applications and information from our stakeholders. Also implemented was a feedback channel to ensure all users can provide comments and feedback on their experience of the website. An e-learning portal will be added during 2014-2015 to provide improved training capability for agency staff.

    An important driver for developing the new website was accessibility, which was built into the new site to comply with W3C's Web Content Accessibility Guidelines (WCAG). We look to achieve compliance with WCAG 2.0 Level AA for all IPC resources by December 2014.

    Prior to the launch of the new website, the IPC's website attracted 290,388 page views during 2013-2014.

    Website visits 2013-2014

    Visits: 95,699

    Unique visits: 62,881

    Page views: 290,388

    Average visit duration: 3.17 minutes

    Note: Totals based on monthly averages.

    Publications

    During 2013-2014, we helped members of the NSW community to understand their information access and privacy rights by providing guidance through our enquiries service and website.

    The IPC produced a range of reports, submissions, policy documents, fact sheets and other resources to promote understanding of right to information and privacy legislation. See the full list at Appendix 4.

    All resources are available for download on our website, with some also distributed at community events where IPC staff were on hand to meet with members of the public and answer their right to information and privacy enquiries directly.

    Stakeholder engagement

    During 2013-2014 a stakeholder engagement strategy was developed which identified our stakeholder networks. These groups are utilised to disseminate news, updates and information about privacy and right to information activities.

    During 2013-2014 our known networks were used to send out information about the work, news and events of the IPC via e-alerts and emails. Groups were also contacted to consult on publications and resources that were developed, and to request assistance with distributing our core fact sheets which will be further developed during the next reporting year.

    The goals of the IPC's Diversity Action plans - Aboriginal, Disability and Multicultural - have been incorporated into the stakeholder engagement strategy and are reported on separately on page 34.

    Communications strategies

    During the reporting period the IPC developed an internal communications strategy to be rolled out in the 2014-2015 reporting period. The communications team developed and delivered external communications strategies to stakeholder groups for projects and events including:

    Report on the operation of the Government Information (Public Access) Act 2009: 2010-2013

    Privacy Awareness Week 2014

    Right To Know Day 2013

    Stay Smart Online 2014

    Safer Internet Day 2014

    Data Privacy Day 2014

    Youth on Track Public Interest Directions

    Consultation for the Genetic Health Guidelines.

    Media

    Both Commissioners communicated with the media through media releases, statements and interviews.

    The Privacy Commissioner conducted interviews and provided commentary for a number of NSW newspapers, radio stations, and media outlets on a range of issues. This included ID scanners in Kings Cross, Roads and Maritime Services licencing issues, the issue of collection and storage of photographs of vehicle number plates, issues around CCTV use by local councils, concerns about children and online privacy, data mining in schools and general media interest in Privacy Awareness Week.

    We also gained media coverage through the announcement of the NSW Information Commissioner and CEO of the IPC, who led further media discussion around the release of the inaugural Report on the Operation of the Government Information (Public Access) Act 2009 (GIPA Act) 2010-2013.


    The IPC's main social media channel, Twitter, was used to promote events including Privacy Awareness Week, National Law Week, Right to Know Day and Data Privacy Day. Our messages were also retweeted by our Twitter followers and information and privacy authorities in other jurisdictions.

    During 2013-2014 the Department of Justice delivered a cluster wide social media policy which the IPC looks to adopt with exceptions during 2014-2015. This will continue to allow our stakeholders to provide direct feedback on our programs and performance, and stay up to date with developments in privacy and access issues in NSW.

    Community surveys

    During 2013-2014 the IPC undertook two omnibus attitudinal surveys.

    During February 2014 the Privacy Commissioner commissioned a survey to find out what the NSW community knew about their rights to access their personal information.

    Results from the privacy survey included:

    More than 50% of people in NSW don't know they can access information about themselves held by NSW public sector agencies; and of those who know, only 44% know how to do it

    Up to 53% aren't aware of their rights to access health information

    65% don't know about their rights to access personal information held by a government department, local council or university

    Young people under the age of 24 are less aware of their rights to access information held about them, although 59% of respondents have considered accessing information from NSW education providers

    About 50% of older age groups (55+) are more aware of how to access their personal and health information than other age groups.

    The results from this survey indicated further work is required to educate both the NSW community and agencies about their rights and responsibilities around accessing personal and health information under NSW privacy legislation. This project will be completed during 2014-2015.

    In April 2014 the Information Commissioner commissioned an attitudinal survey to find out what the NSW community knew about their rights to access government information under the GIPA Act.

    A survey sample of the NSW public was asked how important information access was to them. Results included:

    52% responded that it is very important

    32% responded that it is quite important

    84% (combined) said it was very/quite important

    58% of people surveyed know they have a right to access government information from a NSW government agency

    65% of NSW citizens surveyed have tried to access information held by Local Councils

    70% of all requests to access government information have been successful.

    The results will assist in the development of the next report on the operation of the GIPA Act, which will be published in the second half of 2014 as per the statutory requirements under section 37 of the GIIC Act.

    Events and awareness initiatives

    The IPC events calendar was a core feature of the organisation's stakeholder engagement during 2013-2014. Please see below for details of the IPC's two main events - Right to Know Day and Privacy Awareness Week.

    Other events acknowledged with smaller campaigns included Data Privacy Day (28 January), Safer Internet Day (11 February), Information Awareness Month (May 2014), Law Week (12-18 May), and Stay Smart Online (2-6 June).

    Right to Know Day 2013

    As part of the international Right to Know Day campaign (28 September), the IPC developed a communications strategy with the aim to increase awareness of the GIPA Act and the role of the IPC in championing information rights in NSW. This included developing a fact sheet, Your rights to access government information in NSW, which includes a flow chart to demonstrate the freedom of information system in NSW, and creating a news item and web page on the IPC's website. The website received around 20% more traffic on Saturday, 28 September compared to the previous Saturday.

    The IPC utilised its social media platforms, in the form of tweeting on Twitter with the hashtag #RTKD2013.

    This is the first time the IPC has run any public awareness around Right to Know Day and as such this initial campaign can be used as a benchmark for future campaign activities. The impact and numbers reached could be conservatively estimated at 2,000 people (1,700 website visits and 155 Twitter followers).

    In 2014-2015 the IPC will roll out a larger campaign to celebrate five years of the GIPA Act. We are looking to partner our activities with other agencies to further spread the message of right to information in NSW.


    Privacy Awareness Week 2014

    Privacy Awareness Week, 4-10 May 2014 (PAW 2014), is an initiative of the Asia Pacific Privacy Authorities forum (APPA) held every year to promote awareness of privacy issues and the importance of the protection of personal information. This year, the theme for PAW 2014 in NSW was 'Mobilise your privacy, stay safe online'.

    Fifteen IPC resources were developed or updated for PAW 2014, including five posters, an infographic, seven fact sheets, media releases and newsletter templates. APPA developed an infographic, which the IPC tweeted and also uploaded to the website. A dedicated IPC PAW 2014 web page provided stakeholders with access to resources and information, with the IPC website receiving 8,539 page views during the event period. E-alerts sent to stakeholder groups included practitioners and local government channels. In addition, a further e-alert was sent asking for feedback about involvement in PAW.

    The IPC received a number of enquiries regarding PAW 2014, mostly from NSW public sector agencies requesting assistance with the resources or training. Through IPC e-alerts and other networks, we were able to reach out to a number of agencies, councils and additionally local MPs. Please see page 20 for further details on how our stakeholders celebrated PAW 2014.

    Three media releases were sent out with two dedicated to local radio channels. Live radio interviews were undertaken with ABC Illawarra and Techworld.

    During PAW 2014 the IPC's Twitter followers increased to 205, with 10 tweets and retweets with hashtag #2014PAW.

    Outlook for 2014-2015

    In the coming year, the IPC will:

    Achieve compliance with WCAG 2.0 Level AA for all resources and the IPC website

    Continue to review resources and to develop fact sheets and guidelines on information that will assist our stakeholder groups to understand and comply with NSW privacy and access information legislation

    Use our distribution networks to get IPC products and services out to our stakeholder groups including regional communities

    Use the stakeholder engagement strategy to acquit identified tasks on our diversity action plans

    Identify mechanisms to promote citizen participation in decision making

    Use the results of the attitudinal surveys to inform projects by the Privacy Commissioner and Information Commissioner

    Develop dynamic stakeholder campaigns for Right to Know Day and Privacy Awareness Week.

    Priority 2: Assist agencies and business to understand and implement the legislation

    Practitioners network

    The Right to Information and Privacy Practitioners Network holds quarterly forums which are attended by the Privacy Commissioner and the Information Commissioner. The forums provided an opportunity for the IPC to share information and advice with agencies on current matters and issues under privacy and right to information legislation in NSW.

    Education and training

    During the reporting period the IPC continued to work on delivering education and training to its various stakeholder groups.

    E-learning

    The IPC is working towards the development of a GIPA e-learning module for decision makers and a privacy module for complaint handling. Groundwork was completed during the reporting period including the scoping of a vendor to facilitate the e-learning portal, along with research and content development.

    Our current e-learning modules include:

    Online training in the Privacy and Personal Information Protection Act 1998 (PPIP Act)

    Module 1: GIPA introduction for agency staff

    Module 2a: Managing the public's right to government information

    Module 2b: The contract register and contract disclosures

    Module 2c: Managing the public's right to government information - local councils.

    Training

    We conducted 21 training and information sessions for agency staff during 2013-2014, including for:

    City of Sydney

    NSW Business Link

    Sutherland Shire Council

    Office of the Children's Guardian

    St George/Sutherland Hospitals and Health Services

    Legal Aid NSW

    Holroyd Council

    Ministry of Health.


    GIPA review reports

    The IPC is proactively releasing more of its review and investigation reports.

    During the reporting period the IPC published 18 GIPA review reports. Not all reports prepared by the IPC are published. Published reports are a resource to be utilised by agencies, business and the public to better understand and implement the legislation. Reports are only published in circumstances where the Information Commissioner is of the view that the report provides new guidance or may provide further guidance in specific areas.

    Speaking engagements

    Information access

    The Information Commissioner delivered a number of presentations during the reporting period on the role of the IPC and the operation of the GIPA Act in NSW. The Commissioner addressed stakeholders on the right to information and best practice in information management through the following forums:

    Government and Industry Think Tank 2014

    The Office of Environment and Heritage - Establish public value and collective advancement of open government

    NSW Right to Information and Privacy Practitioners Network forum, quarterly 2013-2014

    The launch of the Open Government Community of Practice, June 2014

    National Local Government Customer Service Network - The GIPA Act and customer service

    Indonesian delegation: Australian Indonesian Partnership for Local Government Planning and Budgeting Program.

    Privacy

    The Privacy Commissioner shared her expertise on privacy issues with delegates from the public, private and non-government sectors through the following forums:

    First State Super seminar - My career in the public sector, my current role and experiences in a leadership position

    Regional support workers conferences, National Disability Services, Dubbo and South Western Sydney - Understanding Boundaries and Privacy

    University of Technology, Sydney - Industry panel seminar - Privacy issues with data retention and reuse

    University of Technology, Sydney - Privacy in Australia: the legislative framework at a state level

    Open Data Forum - Privacy and the NSW Government open data initiative

    Biometrics Institute Asia Pacific Conference, Sydney - panel: Biometrics moving into everyday life and why privacy matters even more

    Charles Sturt University Graduation ceremony - Privacy Commissioner's Occasional Address

    NSW Right to Information and Privacy Practitioners Network forum, quarterly 2013-2014

    APPA Forum 2013, New Zealand: Data sharing.

    IPC resources

    During the year the IPC identified the need for new resources to assist agencies with their requirements under the GIPA Act. An internal review fact sheet was developed and following a consultation period with stakeholders will be available as a resource for agencies in 2014-2015. Other resources including fact sheets on Reasonable searches under the GIPA Act and Legal Professional Privilege were identified and are in development for release during the 2014-2015 year.

    A key priority for the IPC is assisting the NSW public sector and businesses to understand and implement the GIPA, PPIP and HRIP legislation. Strategies to achieve this objective include:

    Publishing IPC information access decisions to provide guidance to all agencies

    Supporting agencies and private health service providers to understand and implement privacy positive practices in core and corporate support activities

    Supporting agencies to implement a proactive and informal information release program and develop their culture around it

    Supporting agencies in complying with the PPIP Act, HRIP Act and GIPA Act internal review requirements

    Providing an effective and responsive enquiry service

    Publishing accurate, clear and tailored information, guidelines and resources for agencies and business on the IPC website and other channels. See Appendix 4.

    Providing targeted online education courses and resources, and other educational services and products using innovative technologies, media channels and partnerships with agencies and organisations

    Providing easily accessible mechanisms for agencies and business to provide feedback and suggestions on the IPC's products and services

    Supporting the NSW Right to Information and Privacy Practitioners Network forum with information and targeted education programs and resources.

    Assisting agencies - GIPA

    One of the key principles of the GIPA Act is to encourage agencies to move towards a culture of proactively releasing government information. The Information Commissioner's role is to promote and support access to and disclosure of government information.


    The Information Commissioner has a responsibility to undertake reviews of agency decisions under the legislation. Through the reviews, the IPC can identify trends and systemic issues on which to focus its assistance, and in turn develop resources to promote agency best practice in line with community expectation.

    The IPC works to assist agencies to improve their access practices in the following ways:

    Preparing and delivering targeted advice and training on issues where agencies are having particular difficulty

    Identifying sector specific and agency wide trends and performance issues

    Obtaining feedback from agencies formally and informally on aspects of the GIPA Act that are experienced by those agencies

    Providing guidance and assistance to agencies to address agency specific or sector wide issues

    Developing best practice guidelines and resources to assist agencies in providing greater access to government information

    Regularly consulting with practitioners and seeking their feedback at meetings such as the NSW Right to Information and Privacy Practitioners Network forum and Local Government Managers Association (LGMA)

    Providing guidance to agencies on a case-by-case basis in review reports, and publishing those reports online for the benefit of a wider audience

    Visiting agencies to examine their processes, and identify and help address problematic issues.

    GIPA Tool

    The Information Commissioner assists agencies with the exercise of their functions under the GIPA Act by providing services to assist with the lodgement, handling and processing of access applications. This is done through the GIPA Tool, which is a database available to agencies to use to register and process access applications.

    During the course of the year the Information Commissioner has implemented a review of the GIPA Tool to assess its effectiveness as a resource and tool for agencies. The review, although commenced, was not yet complete at the publication of this annual report. Further details on the review will be provided in the 2014–2015 annual report.

    Assisting agencies – Privacy

    The IPC provides privacy advice to members of the public, NSW public sector agencies and other organisations.

    An important part of privacy work is strategic policy public program matters and oversight of complaints. The Privacy Commissioner is consulted on proposed legislation, reviews of Acts, submissions regarding professional standards, discussion papers, guidelines and protocols. The Privacy Commissioner made a number of submissions, including a submission on State Owned Corporations Review Issues Paper. Submissions are available on the IPC website.

    The IPC does not provide legal advice, but gives general guidance on privacy-related matters and procedural advice. In many cases, enquiries are resolved by staff suggesting practical ways of approaching a dispute. Generally the IPC resolves most enquiries within one working day, with the majority of matters finalised at the time of the call.

    Enquiries often focus on matters relating to surveillance, criminal records and privacy concerns arising from the conduct of businesses. Workplace surveillance is a key issue and is covered under the Workplace Surveillance Act 2005 (NSW) and Surveillance Devices Act 2007 (NSW). General intrusive surveillance in public and private areas is another area of concern for the NSW public. While this issue is privacy-related, the Privacy Commissioner does not administer it and cannot act in relation to complaints about breaches of these Acts.

    Matters relating to both the use and disclosure of criminal records in both the public and private sector continue to be an area of community concern and the basis of assistance from the Privacy Commissioner.

    Each council is required to make available a copy of their updated privacy management plan to the IPC. The Privacy Commissioner has received 22 plans from local councils in the financial year.

    We provide formal advice on privacy matters to a number of stakeholders. Often this relates to legislative or program proposals, and agencies' understanding of the applicability of the legislation.

    In 2013–2014, we responded to 136 requests for policy advice. The majority of requests for formal advice were from the NSW government sector (63%), followed by private individuals (10%).

    Advice files by source: IPC, 2013–2014

    | Type | Privacy | GIPA | Both Privacy/GIPA issues | Neither Privacy or GIPA related |
    |---|---|---|---|---|
    | Private individual | 13 | 3 | 1 | 1 |
    | State government | 79 | 11 | 6 | 0 |
    | Other governments | 12 | 1 | 0 | 0 |
    | Private organisation | 8 | 0 | 0 | 0 |
    | Other* | 9 | 4 | 0 | 0 |
    | Local government | 4 | 1 | 0 | 0 |
    | Advocate/lawyer | 1 | 0 | 0 | 0 |
    | Parliamentary enquiry | 3 | 1 | 0 | 0 |
    | TOTAL = 158 | 129 | 21 | 7 | 1 |

    * Other includes universities, Members of Parliament and unknown.


    Reporting against our strategic objectives

    Objective 1: To uphold and protect information and privacy rights

    We also produced materials for agencies to meet their obligations under the PPIP Act and the HRIP Act:

    Privacy checklist for NSW public sector staff, launched during Privacy Awareness Week 2014

    Fact sheet: Your privacy rights in NSW

    Reports and advice by the Privacy Commissioner following reviews of privacy complaints.

    Privacy Awareness Week 2014 (PAW 2014) provided an opportunity to strengthen our support for NSW public sector agencies in the area of privacy protection. IPC Investigation and Review Officers provided advice and guidance to agencies to help them develop efficient privacy management plans on request, and delivered training to agencies. We also produced a range of privacy resources that were available to download and use during PAW 2014 (see Appendix 4). State government departments, universities and local councils, and MPs throughout NSW used IPC resources to disseminate privacy protection messages to their staff and stakeholders.

    Examples of activities included:

    Holroyd Council promoted PAW via their website, staff emails and the IPC delivered a talk on online safety and good privacy work practices

    Goulburn Mulwaree Council promoted PAW with posters, privacy slides at customer service points, a staff newsletter and emails and an advertisement in the Post Weekly

    Cessnock Council displayed posters in the foyer and council libraries, and had governance officers available during the week to respond to privacy enquiries

    Wollongong Council promoted PAW on their intranet, linked to the IPC website and their privacy management plan, and made privacy announcements

    City of Sydney promoted PAW on their intranet, sent a message from the CEO to managers and supervisors, and placed an article in their e-newsletter

    Narrabri Council promoted PAW via the web, Facebook, radio, and in the Mayoral Column in the local newspaper. Employees were encouraged to review privacy practices

    The IPC delivered two presentations on privacy to Legal and Regulatory Services at Ministry of Health NSW

    Safety, Return to Work and Support in Gosford promoted PAW on their website

    Department of Justice included PAW on their intranet

    State Emergency Services reviewed their privacy management plan

    Department Education and Communities developed a media release

    UrbanGrowth (Landcom) placed PAW posters around their offices

    Central Coast LHD developed a poster for hospital staff rooms and sent a staff email

    Crown Solicitors promoted PPIP Act privacy training

    NSW Police distributed PAW information to the CAPP Alumni network

    NSW Fire and Rescue included PAW in the Commissioner's weekly newsletter

    The University of Technology Sydney announced increased capacity for online privacy law library

    University of Newcastle undertook privacy refresher training across faculties

    PAW was promoted by public schools including Beecroft, Woonona East, Bronte, Kiama, Hamilton and Katoomba.

    Privacy – Genetic Health Guidelines

    In 2013–2014, the Privacy Commissioner conducted a public consultation on the guidelines for Use and disclosure of genetic information to a patient's genetic relatives: Proposed guidelines for organisations in NSW 2014. Draft Guidelines were made available on the NSW Government's Have Your Say website as well as the IPC and NSW Health websites. E-alerts were also sent to key stakeholders. The Genetic Health Guidelines will be issued following approval by the Minister for Health in 2014–2015.

    Privacy – Public Interest Directions

    Public Interest Directions are made by the Privacy Commissioner with the agreement of the Attorney General, to modify the application of information protection principles in NSW legislation for a specific program or public sector activity.

    Nine Public Interest Directions were remade under section 41 of the PPIP Act and one Public Interest Direction was remade under section 62 of the HRIP Act during 2013–2014. The Directions under section 41 of the PPIP Act commenced on 1 January 2014 and expire on 30 June 2015. The Direction made under section 62 of the HRIP Act commenced on 10 January 2014 and expires on 30 June 2015.

    A number of existing Public Interest Directions will not be further renewed. Rather, during the year the Privacy Commissioner requested that agencies incorporate into legislation and regulations ongoing requirements to ensure transparency for the community.

    Privacy – Cross Border Information Sharing Code of Practice

    Under section 19 of the PPIP Act the Privacy Commissioner is to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside of NSW and to Commonwealth agencies. It was envisaged for the Privacy Commissioner to introduce a code within 12 months of the enactment of the legislation. For a variety of reasons that did not occur, with two past attempts to develop guidance by previous Commissioners.

    Agency service requirements commonly involve the disclosure of personal information outside of NSW. An Administrative Decisions Tribunal (ADT) decision (GQ v NSW Department of Education and Training (No 2) [2008] NSWADT 319) set the precedent for the following decisions, with section 18(1) relating to general limitations to the disclosure of personal information considered inapplicable where information has been disclosed outside of NSW. In the absence of a transborder Code of Practice, accountability could not be placed on the agency and this matter was dismissed and considered outside of the Tribunal's jurisdiction. More recent matters at NCAT (previously known as the ADT) have also highlighted the gap in privacy legislation within NSW.

    The demand for this guidance on responsibilities in this area has become more apparent as the NSW public sector seeks to move towards digitalising information and scope opportunities for improved information storage through offshore cloud hosting arrangements.

    In 2013–2014, the Privacy Commissioner prepared and submitted a draft Transborder Code of Practice for the Attorney General's approval. The draft Code of Practice will allow the disclosure of personal information in certain circumstances by a NSW public sector agency to a person or body who is in a jurisdiction outside NSW, or to a Commonwealth agency.

    The Attorney General has indicated that the regulation of the disclosure of personal information to other jurisdictions outside NSW is best addressed by a legislative amendment rather than a Code of Practice.

    Outlook for 2014–2015

    In the coming year, the IPC will:

    Assist the NSW Right to Information and Privacy Practitioners Network to clarify their governance framework, seek feedback through surveys and look to develop a seminar series for practitioners

    Continue to publish GIPA review reports

    Implement a needs based practitioner training approach for information access and privacy

    Develop an e-learning portal containing a module for information access and privacy

    Publish the Genetic Health Guidelines

    Re-make Public Interest Directions as required

    Continue to pursue provision for sharing personal information across borders

    Develop guidelines and highlight sound practice models to assist agencies and practitioners to comply with NSW legislation.

    Priority 3: Review agency performance

    Report on the operation of the GIPA Act

    Under section 37 of the GIIC Act the Information Commissioner is required to report annually to NSW Parliament on the operation of the GIPA Act across all agencies.

    The inaugural report was tabled in Parliament in June 2014 on the operation of the GIPA Act for 2010–2013.

    The report demonstrates the advancement of the objectives of the GIPA Act through collective data provided by the five decision making sectors the GIPA Act applies to: NSW government agencies, state-owned corporations, NSW councils, universities and Ministers and their staff.

    The key report findings between 2010–2013 include:

    50,318 applications were lodged across the five sectors

    82% of those applications were lodged with government agencies, state-owned corporations or Ministers

    61% of the applications lodged with government are attributed to three agencies: Police (36%), Roads and Maritime Services (15%) and WorkCover (10%)

    87% of applications were finalised within the statutory time frame, 3% exceeded the 35 days

    During the reporting period (2010–2013), the number of invalid applications decreased from 13% to 7% and the number of invalid applications subsequently becoming valid increased from 13% to 26%

    75% of decisions resulted in information being released in full and in part

    69% of internal reviews varied the initial decision

    Just 3% of council and 9% of government decisions were deemed refused.

    Over the next year, the focus will be to examine how agencies and the IPC can work collaboratively to achieve greater maturity in:

    the reporting framework to deliver quality data and more integrated information

    operational competencies, particularly through information and training to assist agencies to streamline service delivery

    decision making, particularly at the initial decision making stage to ensure information is made available at the earliest point in the access process.

    GIPA protocol

    The IPC has entered into a new Memorandum of Understanding with the Office of the NSW Ombudsman to facilitate effective exchange of information as provided under the GIPA Act and the Ombudsman Act 1974.


    Privacy breaches

    During the reporting period certain privacy issues were brought to the attention of the Privacy Commissioner.

    Roads and Maritime Services (RMS) protocol

    The Privacy Commissioner worked with RMS to address the expiration of the Privacy Protocol for The release by the Roads and Traffic Authority of New South Wales of driver licence photographs to the New South Wales Police Force for non counter-terrorism investigations (Privacy Protocol). The Protocol expired on 1 April 2013.

    Subsequently, RMS consulted with the Privacy Commissioner to introduce a new Privacy Protocol, Police Access to Photos: Major Crime and Missing Persons Investigations. A new Privacy Protocol was approved by the Privacy Commissioner on 6 June 2014 and expires 5 June 2019.

    To demonstrate accountability and transparency, the Protocol has been published on the IPC website.

    The issue demonstrates the importance of having privacy governance embedded in the mainstream mechanisms that agencies have for ensuring compliance with law and associated instruments.

    Castle Hill High School SMS messaging service

    An example of a breach received by the Privacy Commissioner was Castle Hill High School's SMS messaging service, which led to a possible breach by the Department of Education of the privacy of several parents, caregivers and students of the school. As a result the Department has reinforced the importance of privacy security measures by schools, implemented a comprehensive Information Security Management System and raised the issue with the Department's Audit and Risk Committee.

    Privacy Governance Framework

    To prevent breaches and the resulting potential loss of public confidence in the management of their privacy, agencies have highlighted the need to have an easy and efficient way to understand their responsibilities under NSW privacy legislation. To address this need, during 2013–2014 the Privacy Commissioner commenced development of the Privacy Governance Framework. The framework is intended to provide a broad overview of the NSW privacy regime for senior managers in NSW Government.

    Consultation with key departmental Secretaries, practitioners and other jurisdictions was conducted during the reporting period with comments incorporated in the framework to ensure that the framework meets the needs of NSW public sector agencies. The framework will be published in the 2014–2015 reporting period.

    GIPA annual reporting

    Under the GIPA Act all NSW Government agencies are required to report to the IPC on their management of access applications. The reporting requirements identify specific data from agencies. This information has been collected by the IPC since the commencement of the GIPA Act. In 2014, in preparation for the production of the inaugural report on the operation of the GIPA Act, the IPC commissioned work to establish a database to act as a repository for this significant data set. The database was also established to facilitate the production of reports which inform the IPC's reports to Parliament and to the Attorney General. The new database will also enable the IPC to work with agencies to promote compliance with access and privacy legislation.

    Advice

    Throughout the reporting period, the IPC has been actively involved in providing strategic and expert advice on numerous government initiatives:

    IPC

    The Information Commissioner and Privacy Commissioner were members of the Enabling Information Sharing Working Group established in 2012 to advise the ICT Leadership Group and ICT Board on actions necessary to achieve NSW Government's agreed service capability principle to deliver better information sharing between agencies. This is an action stemming from a key target of the NSW 2021: A Plan to Make NSW Number One to improve service delivery and restore accountability to government. The activities of the EIS Working Group will improve service delivery by transforming how services are delivered using data exchanged between agency systems; build capacity for information sharing in service delivery partners and non-government organisations; and bridge the gap in technology needed to provide robust, end-to-end service for research and service delivery.

    The IPC representatives were also members of the Legislative Review Steering Committee providing guidance on information access and privacy as part of the review of the existing legislative and policy framework for records and information management in a digital environment. The review of the legislative and policy framework was intended to assist in the implementation of the NSW Government documents, NSW 2021 and the NSW Government ICT Strategy. The report describes the work underway and makes preliminary recommendations to lay a foundation for improved records and information management in light of digital ways for agencies to create, store and manage information.

    Privacy

    During the year, a number of agencies sought advice from the Privacy Commissioner in relation to the operation of the privacy legislation for specific programs or activities. A particular focus was in the areas of crime prevention programs and domestic violence reforms.

    The Privacy Commissioner made a new Public Interest Direction under s41 of the PPIP Act to support the Department of Justice Youth on Track Program. This is a trial strategy to reduce juvenile offending through case management and early intervention. The Direction allows for referral of young people at risk into the program, and came into effect on 28 February 2014.


    The Privacy Commissioner provided advice, comment and submissions in relation to NSW privacy legislation on a number of government proposals including:

    new Domestic Violence reforms during the year which seek to share information to provide improved responses and referral pathways by public sector agencies

    Debt Recovery initiatives under consideration by the NSW Parliament Legal Affairs Committee

    sharing of information by non-government organisations for services funded by Family and Community Services

    NSW Law Reform Commission review of dispute resolution frameworks in NSW, and mechanisms available to individuals with regard to the PPIP Act, HRIP Act and NCAT

    data sharing and data linkage policies and programs across the NSW public sector and health information.

    NSW 2021 State Plan Goal 31

    The Information Commissioner had lead responsibility under the NSW 2021 State Plan Goal 31 to improve government transparency by increasing access to government. The IPC conducts compliance audits twice yearly on the government sector's compliance with the mandatory proactive release requirements under the GIPA Act. This is publicly reported under Goal 31 of the NSW 2021 State Plan. The IPC submitted data in October 2013 and March 2014.

    Privacy management plans

    Under the PPIP Act, public sector agencies are required to prepare and implement a privacy management plan (PMP) and provide a copy to the Privacy Commissioner. A PMP is an integral part of a public sector agency's governance framework. A PMP has the ability to ensure privacy obligations are integrated into the functions and activities of the agency and not appended as a last resort. The PMP sets out the agency's policies and procedures for complying with relevant IPPs and HPPs in their management and dealing with information.

    It assists and guides staff in their day-to-day handling of personal and health information, and clients who wish to understand the privacy protections and how they are managed. The IPC does not prepare these PMPs but can provide general assistance and feedback and has material to assist agencies on its website.

    In the 2012–2013 financial period the IPC completed an audit of all PMPs to ensure all state agencies complied with their statutory obligation to provide a copy of their plan to the Privacy Commissioner and that all plans are up-to-date. During the 2013–2014 period the IPC received 22 PMPs for review.

    The IPC has developed resources to help NSW public sector agencies write and review their PMPs:

    A Guide to Making Privacy Management Plans

    The Privacy Management Plan Assessment Checklist.

    The IPC assesses PMPs submitted to the Privacy Commissioner for consideration against the above checklist and provides guidance to agencies as required.

    Our office has a PMP in line with this requirement that is available on our website and reviewed regularly to ensure it is clear, accurate and up to date.

    Privacy Codes of Practice

    Agencies may request a Privacy Code of Practice to regulate the collection, use and disclosure of personal or health information held by public sector agencies and the procedures for dealing with that information. Codes may also modify the application to any public sector agency of one or more of the IPPs or the HPPs.

    There are presently 12 Privacy Codes operating under NSW privacy legislation and they are published on the IPC's website.

    No new Codes were gazetted during the reporting period.

    Privacy – Public Interest Directions

    Under section 41 of the PPIP Act, the Privacy Commissioner, with the agreement of the Attorney General, may make a Public Interest Direction to waive or modify the requirement for a public sector agency to comply with an IPP.

    The Privacy Commissioner must weigh the public interest in considering whether to make a Public Interest Direction. This process may involve consultation with affected parties, and the Privacy Commissioner may need to ask the agency or agencies concerned for more detailed information about their request and their reasons for seeking the exemption. If the Privacy Commissioner is satisfied that the public interesti