Complaints mostly related to inappropriate disclosure of personal information and data security have risen in Victoria during the financial year 2011-12, the Office of the Victorian Privacy Commissioner (OVPC) found.
The <i>2011-12 Annual Report</i> that was tabled in the state parliament today found that 75 of the 109 complaints were new with 34 carried over from the 2010-11 financial year.
“This exceeds the 100 complaints handled in the previous financial year and is the highest number of complaints handled since the establishment of the OVPC,” read the report.
In order for the OVPC to investigate a privacy complaint, the incident must involve one or more of the 10 Information Privacy Principles (IPPs) of the Information Privacy Act 2000.
Forty-one of the complaints alleged inappropriate disclosure of personal information under Principle 2.1 Use and Disclosure followed by IPP 4.1 Data Security (38 complaints) and IPP 1 Collection (26 complaints).
The OVPC also handled two complaints alleging a breach of IPP 10 which covers Sensitive Information.
“This is the highest number of complaints received alleging a breach of this principle over the past five reporting periods,” read the report.
Thirty-four complaints were received against Victorian government departments accounting for 45.3 per cent of the 75 new complaints lodged while 11 complaints were received against local councils and 10 regarding state law enforcement agencies.
According to the report, government departments remain the most common respondent to privacy complaints.
Of the 109 complaints handled in 2011-12, 81 complaints were finalised by the OVPC with 28 ongoing.
“Of those finalised, 33 have been successfully conciliated, 25 were dismissed without the complainant requesting referral to the Victorian Civil and Administrate Tribunal (VCAT), with 22 people who made privacy complaints choosing to refer their matter to VCAT,” read the report.
Outcomes from successful complaints included apologies, reviews of organisational privacy policies and information handling practices, refresher and general training for staff, reimbursement of expenses and financial compensation.
According to the report, the highest figure of compensation agreed to settle a complaint in the reporting period was $25,000.
OVPC received a total of 2617 privacy-related enquiries during the 2011-12 reporting period. This represented an increase of 1.6 per cent from 2010-11 and 6.2 per cent from 2009-10.
Training, BYOD concerns
Acting Victorian Privacy Commissioner Doctor Anthony Bendall, indicated in the report that the state’s government departments still needed work to improve staff training on privacy and the principles of the Information Privacy Act 2000.
“During the year approximately 2500 public sector staff participated in training and awareness sessions conducted by the OVPC, a 17 per cent decrease from the almost 3000 participating in 2010-11.”
Despite this training, Bendall said it “would be naïve” to suggest that all staff of organisations bound by the Act fully understand their privacy compliance responsibilities.
“This is particularly the case for new staff or staff progressing within an organisation who may find themselves with additional or different compliance responsibilities,” he said.
Bendall added that the “minimal cost” of OVPC’s training services, the availability of similarly priced online privacy training and the range of free training materials and other guidance means that privacy training is accessible to all staff regardless of the "current fiscal restraint" being experienced across the Victorian government.
In addition, he raised concerns about the rise of bring your own device (BYOD) and the fact that a number of organisations displayed a cavalier approach to securing portable storage devices.
The OVPC conducted a Portable Storage Devices survey in December 2011 with Victorian organisations. According to Bendall, it was a follow up to a similar survey in 2008.
“This revealed that a disappointing number of organisations had showed no improvement in securing portable storage devices,” he said.
“With the increasing ubiquity of tablet devices, ever smarter phones and the phenomenon of BYOD, this is a space that we will continue to watch.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.