Privacy, information access complaints surge in 2019 – IPC

Privacy complaints in NSW have risen by 38 per cent as concerns mount over access to and disclosure of personal or health information, figures from the 2018/2019 NSW Information and Privacy Commission (IPC) annual report reveal.

Information access complaints also increased by a staggering 105 per cent from FY18, with applicants voicing concerns over inadequate decision-making processes, extended timeframes and a lack of available open-access information from state and local government agencies, among other entities.

The IPC takes complaints and requests covering public sector agencies, health service providers (both public and private) and large organisations dealing with health information. 

Where information access reviews – that is, individuals' requests to look into an agency’s internal decision-making processes – are concerned, the commission also provides both parties with a final report.

The uptick in health-related privacy complaints coincides with the lead-up to and launch of the federal government’s My Health Record scheme in January this year – a system which enables local health professionals to access a shared database of patient medical records.

At the time of the My Health Record launch, privacy advocates expressed concerns around the system’s design, including hacking risks posed by data centralisation and the potential for patient records to be uploaded without informed consent.

Furthermore, Australia’s health sector was identified, then as now, as the leading source of data breaches, comprising nearly one-in-five reported incidents, more than half of which were caused by “human error”, according to the Office of the Australian Information Commissioner (OAIC).

The report also spruiked the IPC's increasing public engagement through its revamped digital channels, with the agency fielding 2,633 email, phone, and in-person enquiries while receiving 495,545 website views over FY19 – a 14 per cent jump in unique visitors on the previous year. The bump in page views was credited to the IPC’s “easy to navigate” webpage facelift.

Despite the Commission’s growing caseload, case finalisation rates still rose by an impressive 28 per cent, largely credited to internal restructuring following amendments made in 2018 to the Government Information (Public Access) 2009 Act (or GIPA Act). The changes meant the IPC was able to meet a 40-day timeframe for finalising external reviews set by the Information Commissioner, Elizabeth Tydd.

Nearly four out of five privacy complaints were finalised within the target timeframe, while more than two-thirds of information access complaints were resolved within 40 days, with timelines largely impacted by an increased caseload, the IPC acknowledged.

Cases are considered “finalised” when the Commission advises both parties (agency and complainant) of an outcome following impartial investigations.

Where data security was concerned, NSW Privacy Commissioner Samantha Gavel received 74 voluntary data breach notifications from public agencies in 2018/19 – a 64 per cent increase on 2018 figures.

The NSW Department of Justice in August opened consultations for a mandatory breach notification scheme to replace IPC’s voluntary reporting system, citing a seven-fold increase in the reporting of data breaches by federal agencies after the Notifiable Data Breach (NDB) scheme took effect in 2018, suggesting “underreporting may be the norm” for public agencies.

At the same time, IPC launched two “innovative online tools" for public sector agencies to assess their information governance maturity and compliance with NSW Privacy and Information Access laws, which include dashboard monitoring features to help identify and track potential improvement areas.

Commissioner Gavel also expressed concerns over the unchecked development of AI – citing local governments’ use of “smart cities” technology – with the technology’s potential to infringe on individuals’ rights; however, she stressed the value of sound data governance and privacy practices in ensuring ethical use of the technology.

“Privacy initiatives during the year included [the] production of guidance materials to assist agencies to diminish privacy risks and increase the reporting of privacy breaches and guide agencies in preparing public interest disclosures and in obtaining consent,” Gavel said.

Commissioner Tydd also emphasised the link between customers’ acceptance of digital services and governments’ transparency and accountability.

“The importance of [information access and privacy] rights has been amplified by digital technology… The increase in rights awareness and reliance upon digital solutions will require an ongoing commitment and a strong strategic focus going forward,” Tydd said.

IPC’s full Annual Report can be accessed here.