Privacy Law and Policy Reporter
Commissioner O'Connor's fifth Annual Report covers the period to 30 June 1993. Such a retrospective report is extremely valuable, particularly as it draws together many aspects of the Commissioner's work which are not otherwise seen in their entirety (for example, his extensive involvement in telecommunications privacy issues), and sometimes material not otherwise available at all (for example, audit and complaint details). While the Annual Report is not an adequate means by which lawyers and other advisers can stay abreast of developments in the Commissioner's Office, because of its brevity and lack of timeliness (it is limited to matters which are between six and 18 months old by the time of reporting), it is nevertheless indispensable.
This note focuses on the Commissioner's audit and complaint functions. A further note in the next issue of the Reporter will outline those aspects of the Annual Report dealing with his policy advice functions and his oversight of various legislative programs.
Since the Privacy Act does not contain any provisions allowing for separate publication of audit results, the Commissioner considers that the Annual Report is the only mechanism available for publishing details of his audit activities. This report contains more details of the recommendations made to each government agency audited, and whether or not the recommendations were accepted, following a request to this effect from the Senate Standing Committee on Legal and Constitutional Affairs. A Table of audits completed or commenced by the Commissioner in 1992-1993 is included in the Report.
The auditors did not find systematic serious breaches of the IPPs: 'overall the level of compliance was high'. Of 162 recommendations made under 21 audits, only 3 per cent were not implemented at least in part. The Report summarises all recommendations and agency responses.
One area of continuing dispute which the audits reveal is the use of criminal records for public sector pre-employment checks. The Department of Veterans' Affairs and the Australian Postal Commission both do checks on all new staff, regardless of position. The Commissioner recommended that checks should only be done where such an assessment is 'an inherent requirement of the position', in order to comply with the International Labor Organisation Convention III, appended to the Human Rights and Equal Opportunity Commission Act 1986 (Cth), and even then Pt VIIC of the Crimes Act 1914 (Cth) concerning spent convictions must be complied with. The Department rejected placing any limits on the positions checked, on the basis of the 'sensitivity of information that it holds', while the Postal Commission considered that almost all its employees needed to be checked because they handled money or mail (while agreeing that there might be some exceptional positions).
The Commissioner's policy is that he does not publish details of 'minor or arguable infractions' of legislation or codes by private sector organisations arising from tax file number or credit reporting audits. The 1992-1993 audit focus was on credit reporting, and 'the 20 audits of credit providers and a credit reporting agency did not reveal any systemic problems requiring comment'; 'the auditors were generally satisfied with the level of compliance'. However, the audits of credit providers incidentally revealed that all credit providers audited (see table) had included tax file numbers (TFNs) 'in documents supporting loan applications as proof of income' (typically copies of tax returns, group certificates or notices of assessment).
During 1992-1993 1,000 written inquiries were received, 600 of which alleged interferences with privacy. Only 254 were judged to be within jurisdiction on the evidence provided, and their subject matter is summarised in the table following. Unfortunately, no details are given of the nature of the other 346 alleged interferences, so we have no way of knowing if there is a consistent unmet demand for particular privacy remedies. In addition, 1000 others complained by phone about data-matching using the TFN, but were advised that their complaints were not within jurisdiction as the matching was lawful.
Complaints closed during 1992-1993 amounted to 187. Of these, 99 were closed because 'the respondent had adequately dealt with the complaint', 79 were closed because there was no evidence of a breach of any of the legislation listed above, five were withdrawn or contact was lost with the complainant, and four were referred elsewhere. No determinations (formal decisions) as to whether legislation had been breached were made, and consequently no formal orders awarding remedies.
In all 99 cases where a complaint was closed because it had been 'adequately dealt with', 'there was a negotiated settlement of the complaint between the Commissioner's office and the respondent. Wherever possible, such a settlement was also acceptable to the complainant.' The negotiated redress usually involved an apology, generally involved correction of records, often involved undertakings by respondents to improve procedures, and in a few cases involved payments of up to $3000 for non-economic loss.
Of the complaints closed, the Commissioner's analysis is that approximately 50 per cent of IPP and TFN complaints 'are substantiated and would not have been resolved without an investigation by this office', and about 25 per cent of credit reporting complaints are both substantiated and non-trivial. Both spent convictions complaints were also substantiated.
The main deficiency of the complaint information in the Annual Report, from the perspective of lawyers who are attempting to gain guidance on the Commissioner's interpretations of the law and his complaint-handling procedures, is that the summaries of the 20 or so complaints summarised in the Report are far too general and non-technical to be of any use for this purpose. For examples, see the significant complaints reported in Cases & Complaints in this issue and the next: it is not possible to decide accurately what legislative provisions may have been breached, or came into play in resolving the matter. The Privacy Act does not give any clear guidance to the Commissioner in relation to reporting of complaints (see s43(2), s48, s53(1)). It would be very valuable to professional advisers if the Commissioner could release more detailed and more regular reports of significant complaints.