OAIC privacy complaints drop to 2,800

The Australian information commissioner has revealed a drop in privacy complaints for FY15, but still a significant rise from two years previous.
Written by Corinne Reichert, Contributor

The Office of the Australian Information Commissioner (OAIC) recorded 2,841 privacy complaints for the 2014-15 financial year, a drop of 33 percent from the 4,239 complaints a year ago, but still a rise of almost 90 percent from two years ago.

"During this period, the OAIC also handled some 16,166 privacy enquiries, received 2,841 privacy complaints, and closed 1,976, as well as handling 110 voluntary data breach notifications," said Privacy Commissioner Timothy Pilgrim.

(Image: Screenshot by Corinne Reichert/ZDNet)

According to the OAIC's 2015 annual report [PDF], year over year, total complaints made by phone dropped by 12.8 percent, from 15,175 to 13,229; written complaints fell by 8.7 percent, from 3,202 down to 2,925; and complaints made in person decreased by 36.8 percent, from 19 to 12 complaints.

According to the report, the jump in complaint numbers over the last two years is due to increasing consumer attentiveness to privacy.

"This is still a significant increase over previous years and may reflect a growing awareness among the community of privacy as an issue of concern, and awareness of the formal right to bring a complaint provided by the Privacy Act 1988 (Cth)," the report says.

"The OAIC also saw a significant increase in the number of voluntary DBNs [data breach notifications] received. In 2014-15, the OAIC received 110 voluntary DBNs, a 64 percent increase on the number received in 2013-14. The OAIC commenced four CIIs [commissioner-initiated investigations] and undertook work on 19 assessments."

Last year's 183 percent surge in complaint numbers [PDF] was also attributed to the changes made to the Privacy Act last March.

The OAIC's policy guarantees a response to 90 percent of written enquiries within two weeks; however, the commission only responded to 73 percent within this time frame in 2014-15.

Calls to the OAIC specifically about data-breach notifications numbered 77 during this financial year, while calls about the e-health record system and data matching each numbered seven.

The report also pointed towards the sectors that caused the most complaints, with Australian government agencies and departments overwhelmingly in the lead, at more than double the complaints about the runner-up finance industry.

(Image: Screenshot by Corinne Reichert/ZDNet)

The telecommunications sector came in at sixth place, with just 115 complaints for FY15. The Telecommunications Industry Ombudsman similarly reported in its own annual report that complaints about telcos have dropped over the past year, down 10.5 percent from 138,946 in 2013-14 to 124,417 in 2014-15.

The most complained about government department or private company was again the Department of Immigration and Border Protection (DIBP), which received 847 complaints during the year -- more than five times the amount of the next entity, which received 165 complaints.

The Department of Human Services received 63 complaints, while Telstra received 52, putting it in fifth place. Three of the big banks closed out the list, with the Commonwealth Bank receiving 34 complaints, and ANZ and Westpac each receiving 29 complaints.

(Image: Screenshot by Corinne Reichert/ZDNet)

The DIBP has been under scrutiny for its privacy practices for the last few years, with the Federal Court in September finding that its impact assessment of a breach was "procedurally unfair".

In February last year, the department accidentally published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

The information was available on the department's website for just over eight days and remained on its archive site for 14 days; it was removed from both sites only after The Guardian had alerted the department to the breach.

The breach occurred because a DIBP staff member copied and pasted a Microsoft Excel chart into a Word document: the underlying data used to render the chart in Excel was embedded in the Word document along with the chart.
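Word stores a pasted chart as a chart part (with its cached data points) plus an embedded copy of the source workbook, so the visible chart is not the only thing that leaves the building. As an added example, not code from the article or from KPMG's review, the Python check below opens a .docx package (a zip) and reports embedded workbooks and chart caches before a document is published; the package it inspects is constructed inline, and the part names follow typical OOXML layout.

```python
import io
import re
import zipfile

EMBED_DIR, CHART_DIR = "word/embeddings/", "word/charts/"

def build_sample_docx(include_workbook: bool = True) -> bytes:
    """Constructed stand-in for a .docx containing a pasted Excel chart: a
    chart part with cached points plus, optionally, the embedded source
    workbook that Word stores alongside it. All values are placeholders."""
    xlsx_buf = io.BytesIO()
    with zipfile.ZipFile(xlsx_buf, "w") as xlsx:
        xlsx.writestr("xl/worksheets/sheet1.xml",
                      "<sheetData><row><c><v>REC-0001</v></c></row>"
                      "<row><c><v>REC-0002</v></c></row></sheetData>")
    chart = ("<c:chartSpace><c:numCache><c:pt><c:v>12</c:v></c:pt>"
             "<c:pt><c:v>7</c:v></c:pt></c:numCache></c:chartSpace>")
    docx_buf = io.BytesIO()
    with zipfile.ZipFile(docx_buf, "w") as docx:
        docx.writestr("word/document.xml", "<w:document/>")
        docx.writestr(CHART_DIR + "chart1.xml", chart)
        if include_workbook:
            docx.writestr(EMBED_DIR + "Microsoft_Excel_Worksheet.xlsx",
                          xlsx_buf.getvalue())
    return docx_buf.getvalue()

def audit_docx(docx_bytes: bytes) -> dict:
    """Report parts that can carry source data: embedded workbooks (with a
    count of sheet cells) and chart parts (with a count of cached values)."""
    report = {"embedded_workbooks": {}, "chart_cached_values": {}}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as docx:
        for name in docx.namelist():
            if name.startswith(EMBED_DIR):
                cells, blob = 0, docx.read(name)
                if zipfile.is_zipfile(io.BytesIO(blob)):  # OOXML workbook
                    with zipfile.ZipFile(io.BytesIO(blob)) as xlsx:
                        for part in xlsx.namelist():
                            if part.startswith("xl/worksheets/"):
                                sheet = xlsx.read(part).decode("utf-8", "replace")
                                cells += len(re.findall(r"<c[ >]", sheet))
                report["embedded_workbooks"][name] = cells
            elif name.startswith(CHART_DIR) and name.endswith(".xml"):
                xml = docx.read(name).decode("utf-8", "replace")
                report["chart_cached_values"][name] = len(re.findall(r"<c:v>", xml))
    return report

def safe_to_publish(docx_bytes: bytes) -> bool:
    """Refuse release while any embedded workbook remains in the package."""
    return not audit_docx(docx_bytes)["embedded_workbooks"]
```

Cached chart values are expected for any rendered chart, so they are reported rather than blocked; an embedded workbook, which may hold far more than the plotted figures, is the hard stop.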

KPMG's investigation into the breach, commissioned by the DIBP, found that the document had been accessed 123 times from 104 IP addresses before being pulled down, with a report by the OAIC last November finding that this constituted a breach of the Privacy Act.

"This incident was particularly concerning due to the vulnerability of the people involved," Pilgrim said at the time.

In April, the DIBP established a task force into its own accountability and information management practices after a similar gaffe where the passport numbers, dates of birth, and visa information of world leaders attending last year's G20 summit in Brisbane -- including those of US President Barack Obama and Russian President Vladimir Putin -- were accidentally emailed to a member of the Asian Cup Local Organising Committee.

Pilgrim, who was reappointed as privacy commissioner in August, has historically taken a hard line against companies that cover up data breaches, saying last November that the concealment of a data breach "will not be looked well on by our office".

The privacy commissioner had fought for the inclusion of a provision whereby data-breach notifications would be mandatory should a leak of the data occur under the mandatory data-retention legislation that came into effect earlier this month.

"By creating a large repository of personal information, the proposed data-retention scheme increases the risk and possible consequences of a data breach," Pilgrim stated in January.

"This is because the challenge of effectively securing that information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure will become more difficult as technology evolves."

He argued that telcos already receive a high number of complaints, with 13 investigations having taken place since he took office in 2010 -- such as when Telstra made the details of 734,000 customers accessible online in 2011.

Prior to its passing, Pilgrim also attempted to argue that the two-year retention period contained within the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 be assessed against the risk to privacy of storing such a large amount of personal data. He pointed out that 90 percent of investigations relying on retained data only use data that is less than one year old.

"If a decision is made to implement a scheme such as this which is going to require, as I said, the holding or the collection and retaining of huge volumes of data and personal information about people for a long period of time, we need to look at what else we can put in place to do our best to secure that information," he said.

Pilgrim flagged the issue again in the annual report, saying that he is continuing to work with the government on instituting a mandatory breach notification scheme as per the OAIC's recommendation.

"The OAIC continues to engage with the Australian government in relation to implementation of the reforms," the report says.

The annual report also addressed the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015, which was introduced to Parliament in March for the purpose of preventing domestic terrorist threats by allowing for the collection of biometric data including fingerprints and iris scans from people arriving and departing through airport SmartGate systems.

The government already collects facial images from all travellers, along with the information contained in the chip embedded in ePassports, and the SmartGate also uses facial-recognition technology to process entrants.

From 2010, the DIBP and Customs could also take the fingerprints of foreigners from certain parts of the world applying for particular visas to stay in Australia, and in some cases require DNA tests, with the authority to collect this data granted under the Migration Act 1994 and the Migration Regulations 1994.

The new biometric data-collection Bill gives the DIBP along with Customs expanded abilities to collect additional biometric information from more people -- including from Australian citizens -- and share it with other government agencies. The privacy implications inherent in such powers have been an issue since the Bill's first mention last year.

Five months after the introduction of the Bill, the Senate tabled the Privacy Impact Assessment (PIA), but it has yet to be published.

The OAIC recommended releasing the PIA publicly, as well as narrowing the power to collect the biometrics data.

"To ensure that the privacy impact of the Biometrics Bill is minimised, the OAIC suggested the LCA [Senate Legal and Constitutional Affairs] Committee consider whether the new power to collect biometric information could be drafted more narrowly, while still enabling DIBP to carry out its functions and activities under the Migration Act," the OAIC report says.

"The LCA Committee recommended that the PIA prepared by DIBP in relation to the Biometrics Bill be made publicly available, a recommendation supported by the OAIC."

In relation to the government's e-health record system, the OAIC responded to eight mandatory data breach notifications during the year, and made various recommendations to the Department of Health on privacy concerns, including to make the system opt-out.

In September, the government responded by introducing legislation that will see e-health accounts automatically assigned to patients. The government will begin trialling these opt-out accounts, with a nationwide rollout planned should the trials be successful.

The OAIC's funding remains under question after the organisation was slated to be split up in January 2015 under the 2014 Australian Budget.

"The Bill to disband the OAIC passed through the House of Representatives but was not considered by the Senate prior to the date of effect, 1 January 2015. This remained the situation through the following six months of the reporting year," explained Pilgrim.

"Consequently, as it became clear that the OAIC would continue on into the 2015-16 financial year, the Australian government reallocated funding to enable the OAIC to continue to undertake a streamlined IC review function. This function continues to be effectively undertaken by a dedicated FOI team based in Sydney."
