Australians made over 2,000 privacy complaints to Commissioner in 2016-17

Australian Information and Privacy Commissioner Timothy Pilgrim has revealed the number of privacy complaints made to the Office of the Australian Information Commissioner (OAIC) increased this year, with the total reaching 2,494.

Speaking at the iappANZ 2017 Summit in Sydney on Tuesday, Pilgrim said the "upward swing of public interest" highlighted Australia's increasing trust in the OAIC and comfort with their right to lodge such a complaint.

"In the past year, we've seen a 17 percent increase in the number of privacy complaints brought to my office, with a total of 2,494 complaints investigations being received," he said.

"This shows that Australians are increasingly comfortable exercising their right to lodge a privacy complaint -- they are also more aware of the privacy rights afforded by the Privacy Act."

While a deeper breakdown is expected to be provided in the OAIC 2016-17 annual report, which is due for release later this month, Pilgrim said the top six sectors his office received complaints about were finance, health service providers, the Australian government, telecommunications, credit reporting bodies, and retail.

"The most common issues raised were use and disclosure, security, and individual's ability to access their personal information, collection, and the quality of the information being held by industry," he explained.

In addition, 95 percent of all privacy complaints were resolved within 12 months of receipt, with Pilgrim calling it an "exceptional outcome in my view for a small agency".

As the Information and Privacy Commissioner, Pilgrim is also responsible for the regulation of the Freedom of Information Act. Calling the individual's right to access government information "increasingly important", Pilgrim said that just like privacy complaints, his office experienced a significant increase in the number of requests for him to review the decision of government agencies to not release information.

"24 percent increase in requests for me to undertake such a review," he said.

"Australians are increasingly challenging agencies' decisions to withhold access to documents; however, it is also significant that 80 percent of all information commission review requests that we received were managed [and] resolved without formal decision being made. About one-third of cases ... were resolved by the agency taking steps to attend to the applicants concern."

Pilgrim said there's an important link between the Privacy Act and the Freedom of Information (FOI) Act.

According to the commissioner, in the last financial year there were 38,000 requests made under the FOI Act; of those, 83 percent were people seeking to access their own personal information held by government.

"These increases in privacy complaints, and applications for Information Commissioner review, both point to a community expectation about how personal information and data more generally should be managed," he said. "The key concept in both seems to be transparency.

"Privacy is not about secrecy; Australians are by and large open to new technology, and innovative uses of data -- so long as transparency is part of the bargain."

As mentioned in the OAIC's Corporate Plan 2017-18 published in August, Pilgrim's office will be conducting assessments of Australian government agencies over the next 12 months, with the probe requiring the commissioner to encourage agencies and businesses to "respect and protect" the personal information of citizens that they handle.

The OAIC also published draft resources relating to Australia's impending data breach notification laws last week, seeking public comment ahead of the guidebook becoming an official resource.

The draft resources include guidelines on how to prepare an eligible data breach statement for when the scheme takes effect on February 22, 2017; how to assess a suspected breach; what quantifies reporting; how to notify the OAIC of an incident; and exceptions under the legislated obligations.

As not all data breaches are notifiable -- the scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates -- exceptions to the scheme will apply for some data breaches, meaning that notification to individuals or to the commissioner may not be required.

In an attempt to clarify the phrase "likely to result in serious harm", Pilgrim said on Tuesday that the term is a qualification introduced to avoid over-burdening organisations with the cost of compliance and to reduce the likelihood of notification fatigue for individuals.