JUDGMENTS

Use of CCTV footage to monitor employees condoned

On 8 January 2020, the Victorian Civil and Administrative Tribunal dismissed a complaint by a senior prison officer that the use of CCTV footage showing him absent from his post for extended periods of time amounted to a breach of Information Privacy Principle 1.3: Kaliszewski v Department of Justice and Community Safety (Human Rights) [2020] VCAT 27. IPP 1.3 states that an organisation must take reasonable steps to ensure that an individual is aware of certain matters, including the fact of collection and the purposes for which the information is collected, at or before the time (or, if that is not practicable, as soon as practicable thereafter) the organisation collects personal information about that individual from that individual. The respondent had used the footage in connection with disciplinary proceedings against the complainant. The complainant asserted that the information had been unlawfully collected because he had no prior knowledge that he was being monitored. The respondent countered that the complainant should have been aware he was being monitored because he had been employed as a prison officer for 16 years, the cameras were not disguised, and he knew that CCTV footage had been used previously to investigate allegations of misconduct about him. The complaint was dismissed on the basis that the complainant was aware, prior to the collection of his personal information, that it was being collected and could be used for the purpose of investigating a complaint of a security breach, including the investigation of a disciplinary matter.

NEW LEGISLATION AND GUIDELINES

New determination regarding notification of mobile roaming charges

On 17 December 2019, the Australian Communications and Media Authority (ACMA) issued the Telecommunications Service Provider (International Mobile Roaming) Determination 2019. The objective of the determination was to update the rules introduced by the Telecommunications (International Mobile Roaming) Industry Standard 2013 which were designed to address acute consumer harm from "bill shock" incurred through using international mobile roaming services. The 2013 Standard required that consumers be notified of activation of international mobile roaming services and maximum charges, and that they be able to track their use of international mobile roaming services when overseas to better manage their spending. ACMA commenced a review of the 2013 Standard in 2018, and resolved that the rules should be updated to take account of consumers' evolving use of technology and to provide greater flexibility in how providers notify customers about international mobile roaming charges. The new Determination, which comes into effect on 1 July 2020, introduces a number of key changes, including increased flexibility for providers regarding the nature of maximum charging information, the ability for charging information to relate to multiple locations, and setting the usage notification alert to 50% and 85% of the value pack, compared with 100% previously.

Emergency declaration eases privacy restrictions during bushfire disaster

On 20 January 2020, the Commonwealth government issued the Privacy (Australian Bushfires Disaster) Emergency Declaration (No 1) 2020 in the wake of the national bushfire crisis. The Declaration was issued under section 80J of the Privacy Act 1988 which empowers the Attorney-General to make a declaration if satisfied that an emergency or disaster of national significance has arisen and may affect Australian citizens or permanent residents in Australia or overseas. The little-used process enlivens Part VIA of the Act, meaning in effect the suspension of normal constraints on collecting, using and disclosing personal information for the purpose of identifying injured or missing persons, assisting individuals affected by the emergency, assisting law enforcement, coordinating emergency management, and ensuring that responsible persons for individuals involved in disaster management are kept appropriately informed regarding the welfare of those individuals.

CDR rules launched by ACCC

The Competition and Consumer (Consumer Data) Rules 2020 came into effect on 6 February 2020. The Consumer Data Right (CDR) is regulated by both the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). Banking is the first sector to be designated by the Minister. As we have previously reported, the Treasury Laws Amendment (Consumer Data Right) Act 2019 introduced Part IVD into the Competition and Consumer Commission Act 2010 (the Act) to provide the legislative framework for the CDR. Under section 56BA(1) of the Act, the ACCC is empowered to make rules with the consent of the Minister, dealing with any or all aspects of the CDR regime as provided in Part IVD of the Act including the accreditation process, the use and disclosure of CDR data, dispute resolution, and rules in relation to the Privacy Safeguards. The CDR was originally intended to be launched and implemented in February 2020 but on 20 December 2019, the ACCC announced that the timeline for launching certain aspects had been deferred until 1 July 2020. Initially, the CDR will apply only to certain products that are offered by certain data holders in the banking sector. It is intended that it will progressively apply to a broader range of data holders and products over time.

POLICIES, REPORTS AND ENQUIRIES

Telecommunications interception statistics released

On 27 January 2020, the Department of Home Affairs released the Telecommunications (Interception and Access) Act 1979 Annual Report 2018–19. The Report sets out the extent and circumstances in which eligible Commonwealth, State and Territory government agencies used the powers available under the Telecommunications (Interception and Access) Act 1979 (the TIA Act) between 1 July 2018 and 30 June 2019. The Report noted that "the primary function of the TIA Act is to allow lawful access to communications and data for law enforcement and national security purposes, in a way that protects the privacy of people who use the Australian telecommunications network". The Report noted that in 2018–19, 3,561 interception warrants were issued to interception agencies, an increase of 37 on the 3,524 issued in 2017–18. The majority of offences that were specified in interception warrants issued were serious drug and trafficking offences (1,937 times specified), followed by loss of life or personal injury offences (565 times specified) and murder (333 times specified).

National blockchain roadmap released

On 7 February 2020, the Department of Industry, Science, Energy and Resources released a report entitled The National Blockchain Roadmap: Progressing Towards a Blockchain-Empowered Future. On 18 March 2019, the Commonwealth government had announced the development of a National Blockchain Roadmap for the purpose of highlighting opportunities which blockchain technology could enable in Australia. The Report emphasised that such opportunities existed in supply chains and logistics, agriculture, trusted credentials and smart contracts. As with any emerging, disruptive technology, blockchain and its uses would need regulatory frameworks that were "fit for purpose". Challenges included maintaining trust, ensuring security of blockchain systems and the integrity of data, identifying participants in blockchain systems, balancing privacy with transparency, tech-neutrality, and the legal status of smart contracts. It was noted that the use of de-identification and pseudonyms was not necessarily enough to protect blockchain user privacy, because if those identifiers on the blockchain became linked to the real people behind them, all of their transactions and data could be publicly viewed on the blockchain ledger. This was an issue being considered by Standards Australia which is leading the development of international blockchain standards through the International Organization for Standardization (ISO).

PRIVACY ISSUES

Legislation introduced to combat Medicare fraud

On 12 December 2019, the Health Legislation Amendment (Data-matching and Other Matters) Act 2019 (Cth) came into effect. The Act amended, inter alia, the National Health Act 1953 and the Privacy Act 1988. The National Health Act, together with Privacy Guidelines issued pursuant to s 135AA of that Act, regulates the handling of Medicare and pharmaceutical benefits information. The purpose of the amendment was to authorise a data-matching scheme for Medicare compliance purposes, such as identifying Medicare fraud, specifically by giving the Chief Executive of Medicare the power to undertake data-matching of pharmaceutical benefits and Medicare benefits information. Prior to the amendment, the linkage of pharmaceutical benefits and Medicare benefits data was not permitted for compliance purposes. The legislation introduces a new Part VIIIA into the National Health Act, entitled "Data-matching", and section 132E clarifies that the Australian Information Commissioner has privacy functions in relation to Part VIIIA to the extent that it relates to personal information. A failure to handle personal information in accordance with Part VIIIA constitutes an act or practice involving interference with the privacy of an individual for the purposes of section 13 of the Privacy Act.

Disclosure of inaccurate medical information infringes State health privacy laws

On 10 January 2020, the New South Wales Civil and Administrative Tribunal ruled that the NSW Police Force had infringed the Health Records and Information Privacy Act 2002 (NSW) by disclosing inaccurate medical records relating to the applicant: DTN v Commissioner of Police, NSW Police Force [2020] NSWCATAD 16. Health Privacy Principle 9 provides that an agency must not use health information without taking steps to ensure the information is accurate, up to date, complete and not misleading. Information lawfully disclosed by the respondent in connection with a workers compensation claim by the applicant included inaccurate information regarding the medical reasons for him ceasing work. The Tribunal accepted that the disclosure amounted to a contravention of HPP 9, whilst rejecting submissions that it also amounted to a breach of the collection HPP (HPP 1) or the use HPP or the disclosure HPP (HPP 11).
