Letter to the Attorney

To: The Hon Kyam Maher MLC - Attorney-General

This annual report will be presented to Parliament to meet the statutory reporting requirements of clause 4A of the Proclamation establishing the Privacy Committee of South Australia and the requirements of Premier and Cabinet Circular PC013 Annual Reporting.

This report is verified to be accurate for the purposes of annual reporting to the Parliament of South Australia.

Submitted on behalf of the Privacy Committee of South Australia by:

Stephanie Coleman
Presiding Member
Privacy Committee of South Australia

From the Presiding Member

The focus of the Privacy Committee of South Australia (Privacy Committee) is on the operation of the Government’s Information Privacy Principles Instruction (IPPI).  Through a set of 10 information privacy principles (IPPs), the IPPI describes the ways in which state government agencies can collect, use and store the personal information in their possession.

The IPPI is binding for public sector agencies and establishes that the Principal Officer of each agency must ensure that the IPPs are implemented, maintained and observed for, and in respect of, all personal information for which their agency is responsible.

During 2021-22 the Privacy Committee continued to meet online and the majority of its business related to personal information data breach notifications.

The Government’s 2018 Personal information data breaches guideline (DPC/G9.1) (the Guideline) advises agencies on how to deal with possible or confirmed unauthorised access to personal information held by state government agencies (breaches).  One step within the Guideline is to notify the Privacy Committee.

Since the release of the Guideline the number of breach notifications have increased each year, though the increase in 2021-22 was minor.  Aside from a significant cyber-attack, breach trends are still linked with human or procedural error.  The Privacy Committee reviews each breach it receives and provides agencies with suggestions for improvements to process and practices where necessary.  State Records continues to support the Privacy Committee by reviewing the notifications process to ensure it is delivering the required benefits.

The Privacy Committee has continued to contribute to the local and national response to COVID-19 through the provision of privacy advice and input to government policy.

Stephanie Coleman
Presiding Member
Privacy Committee of South Australia

Overview: about the Privacy Committee

The Privacy Committee of South Australia (Privacy Committee) was established by the Proclamation establishing the Privacy Committee of South Australia (the Proclamation) in the Government Gazette on 6 July 1989.  The functions of the Privacy Committee, as described in the Proclamation, are:

  • to advise the Minister as to the need for, or desirability of, legislation or administrative action to protect individual privacy and for that purpose to keep itself informed as to developments in relation to the protection of individual privacy in other jurisdictions.
  • to make recommendations to the Government or to any person or body as to the measures that should be taken by the Government or that person or body to improve its protection of individual privacy.
  • to make publicly available, information as to methods of protecting individual privacy and measures that can be taken to improve existing protection.
  • to keep itself informed as to the extent to which the Administrative Scheme of Information Privacy Principles is being implemented.
  • to refer written complaints concerning violations of individual privacy received by it (other than complaints from employees of the Crown, or agencies or instrumentalities of the Crown, in relation to their employment) to the appropriate authority.
  • such other functions as are determined by the Minister.

The Privacy Committee may, under clause 4 of the Proclamation, ‘exempt a person or body from one or more of the Information Privacy Principles on such conditions as the Privacy Committee thinks fit’.

South Australia’s Information Privacy Principles Instruction (IPPI) was introduced in July 1989 by means of Cabinet Administrative Instruction 1/89, issued as Premier & Cabinet Circular No. 12.  The IPPI includes a set of ten Information Privacy Principles (IPPs) that regulate the way South Australian public sector agencies collect, use, store and disclose personal information.

Responsibility for the IPPI resides with the Attorney-General.

Clause 1(2) of the Proclamation of the Privacy Committee establishes the membership of the Committee.  It requires that the Privacy Committee consists of six members, all of whom are to be appointed by the Minister.

Of the six members:

  • three are nominated by the Minister (one of whom must not be a public sector employee and one must have expertise in information and records management);
  • one is to be nominated by the Attorney-General;
  • one is to be nominated by the Minister responsible for the administration of the Health Care Act 2008; and
  • one is to be nominated by the Commissioner for Public Employment.

At the conclusion of the reporting year, the membership of the Privacy Committee was as follows:

Presiding Member

Appointment dates

Stephanie Coleman, Director, State Records of South Australia, Attorney-General’s Department

appointed 23 May 2022 until 31 Jan 2026

Members, in alphabetical order

Deslie Billich, non-public sector employee

appointed to 30 Jan 2024

Abbie Eggers, A/Manager, Disability Royal Commission, Department of Human Services

appointed to 30 Jan 2024

Nathan Morelli, non-public sector employee

appointed to 31 Jan 2026

Prue Reid, Executive Director, Corporate Affairs, Department for Health and Wellbeing

appointed to 30 Jan 2024

Sam Whitten, Senior Solicitor, Crown Counsel Section in the Crown Solicitor's Office

appointed 23 May 2022 to 31 Jan 2026

During 2021-22 there were two changes to membership because of resignations.

Lucinda Byers, Manager, Special Counsel to the Crown Solicitor, Crown Solicitors Office resigned on 11 April 2022.

Presiding Member Simon Froude, Director, State Records of South Australia, Attorney-General’s Department, resigned on 20 May 2022.  Stephanie Coleman was appointed to the Committee for an interim term while Acting Director of State Records.  She was subsequently appointed to the role of Director on 11 July 2022.  In August 2022 her Presiding Membership was extended to 31 January 2026.

Executive support to the Privacy Committee, including administration and meeting coordination is delivered within the resources of State Records of South Australia. This is in line with other State Records activities including research and policy advice, web hosting and responses to enquiries for both agencies and the public.

Privacy Committee Business

Principal Officers of State Government agencies have responsibility to ensure that the IPPs are implemented, maintained and observed for, and in respect of, all personal information for which their agency is responsible.

Advice and assistance is provided to state government agencies to assist them to comply with the IPPI and ensure privacy is considered in the development of new projects and initiatives.  Policy and other guidance materials are routinely issued to support agencies.

National and local interest in facial recognition technology offered the Privacy Committee an opportunity to consider the privacy implications in the use of the technology in a South Australian Government context.  The Privacy Committee will keep itself informed about policy development by counterparts within Privacy Authorities of Australia.

State Records received several enquiries relating to mandatory vaccinations in certain settings.  These had generally been from public sector employees and accordingly were referred to the Office of the Commissioner for Public Sector Employment for response.  The essence of the enquiries related to agencies or organisations requiring copies of proof of vaccination instead of sighting documents.  Advice about collection and handling of personal information was published to State Records website.

The Privacy Committee is represented by the Presiding Member and senior staff from within State Records on a number of national groups including:

  • Privacy Authorities Australia
  • Privacy Authorities Australia – Policy Group, Complaints and Compliance Group, and Communications Group
  • National COVID-19 Privacy Team

Participation in the National COVID-19 Privacy Team – a gathering of the Office of the Australian Information Commissioner (OAIC) and states and territories – has reduced with few new emergency management initiatives.  Most jurisdictions have ended their Emergency Management response to the COVID-19 pandemic and have moved instead to business-as-usual for management of communicable diseases.  Privacy considerations remain in place for business-as-usual practice and the management of data.

The Privacy Committee may exempt any person or body from one or more of the IPPs on such conditions as the Privacy Committee sees fit.

One new exemption was sought during the reporting year, and extensions were granted to a number of existing exemptions.  These include:

  • Department for Health and Wellbeing (DHW) allowing DHW to use personal information for a purpose that was not the purpose of the collection of that information, and disclose matched information to Flinders Fertility
  • Department for Energy and Mining (DEM) and the Department for Infrastructure and Transport (DIT), concerning personal information contained in historical as-constructed sanitary drainage drawings held by the Office of the Technical Regulator – extended from 1 June 2021 to 31 May 2024
  • Extensions to a range of previous exemptions granted between 2015 and 2021 to agencies associated with SA NT Datalink initiative – extended to 31 December 2022.

The full text of these exemptions is included in the Appendix.

The Privacy Committee has within its responsibilities the referral of written complaints concerning violations of individual privacy received by it (other than complaints from employees of the Crown, or agencies or instrumentalities of the Crown, in relation to their employment) to the appropriate authority.

During the reporting year State Records referred a number of enquiries to state government agencies for consideration and advice, these are not considered formal complaints to the Privacy Committee.  Enquiries related to the collection of information for proof of vaccination, use of information in applications for vaccine exemptions, and collection of information through facial recognition technology.

The 2018 Personal information data breaches guideline (DPC/G9.1) (the Guideline), requires that State government agencies take particular actions if they become aware of confirmed or potential unauthorised access to the personal information in their custody.  One action is to notify the Privacy Committee if a breach occurs.

Since the release of the Guideline the number of breach notifications have increased each year, though the increase in 2021-22 is minor.  During 2021-22 the Privacy Committee received 101 notifications relating to 98 incidents, compared with 97 incidents in the previous year.

Aside from a significant cyber-attack and a theft, trends indicate that breaches are still linked with human or procedural error.

The Privacy Committee reviews each breach it receives and, where necessary, provides agencies with suggestions for improvements to process and practices.

The Privacy Committee strongly encourages agencies to advise affected parties of a breach unless there is a significant reason not to do so.  This ensures affected parties are aware of any possible implications and builds trust through transparency and accountability by the agency.

State Records continues to support the Privacy Committee by reviewing the notifications process to ensure it is efficient and effective in delivering the required benefits.  State Records is also working with the Department of the Premier and Cabinet to review the Guideline.

Appendix: Exemptions from the IPPI granted 2021-22

All exemptions begin: Clause 4 of the Proclamation establishing the Privacy Committee of South Australia provides that the Committee may exempt any person or body from one or more of the Information Privacy Principles (IPPs) on such conditions as the Committee sees fit.  The following exemption from the IPPs is granted.

All exemptions require that:

  • The security of the personal information should be managed in line with the South Australian Protective Security Management Framework (in compliance with Premier and Cabinet Circular 30) and the agency’s security management systems and practices, and
  • Destruction or retention of the personal information must be undertaken in accordance with a disposal authority under the State Records Act 1997.

Approved 12 October 2021. A correction made in June 2022 changed the name of the Department from Health and Welfare to Health and Wellbeing.

This exemption applies to the Department for Health and Wellbeing (DHW).  It is an exemption from compliance with Principles 8 and 10, allowing DHW to use personal information for a purpose that was not the purpose of the collection of that information, and disclose matched information to Flinders Fertility.

The personal information to be used is from the Enterprise Master Patient Index (EMPI) and is limited to: Family name, Given names, Contact address, Gender, Age, Date of Birth and Ethnicity.

All other Principles continue to apply.

This exemption is a once only exemption to allow DHW to use the Enterprise Master Patient Index (EMPI) to match supplied UR number data with demographic data.

The use is restricted to information related to patients with UR numbers only, or patients with name and no UR number, supplied by Flinders Fertility as past clients of Flinders Fertility and their predecessors.  The information is only to be used for assisting Flinders Fertility to more fully identify past clients as needed for inclusion in the National Donor Conception Register (DCR).  Population of the DCR is mandated under an amended section 15 of the Assisted Reproductive Treatment Act 1988, to come into force on 7 November 2021.

DHW remains responsible for the secure transfer of matched personal information in line with the IPPs.

This exemption is granted from 7 November 2021 until the action is complete.

Extension approved 23 November 2021, back-dated to 1 June 2021.

This exemption applies to both the Department for Energy and Mining (DEM) and the Department for Infrastructure and Transport (DIT), concerning personal information contained in drawn representations of the underground on-site sanitary plumbing work within a specific property (also described as historical as-constructed sanitary drainage drawings) held by the Office of the Technical Regulator within DEM.

The personal information consists of the name of persons who currently or previously owned a property, the address of that property, the name and contact details of the plumber who undertook the plumbing work to install the sanitary drains on the property and the location of the sanitary drains on the property.

This is an exemption from Principles 6 and 9 in relation to the drawings.  This is also an exemption from Principle 10 for the purpose of disclosing the drawings:

  • between DEM and DIT for the purpose of creating online access to the drawings by the public, and
  • to the public.

All other Principles continue to apply.

This exemption is granted on the condition that:

  • where possible, the name of the property owner and name and contact details of the plumber are deleted from the sanitary drain drawings prior to release to DIT or the public, and
  • the process is maintained that allows a person to apply to have the sanitary drain drawing of a property that he or she owns, or lives in, suppressed from access by the public.

DEM and DIT remain responsible for the secure transfer of personal information in line with the IPPs.

This exemption is an extension of D18/00368 and D18/00369 (SR07/00043), and is granted from 1 June 2021 to 31 May 2024.  A further extension may be negotiated with the Committee if required.

SA NT DataLink Data Linkage Unit within SA Health and associated agencies

Extensions A to H were approved 23 November 2021, granted from 1 January 2022 to 31 December 2022. All were approved on the condition that:

  • The information is only to be used for the creation of Master Linkage Keys in the further development of the Master Linkage File as part of the SA NT Data Linkage System.  The exemption is provided on the condition that the personal information is only to be accessed by officers of SA Health within the Data Linkage Unit.
  • This exemption is conditional on SA NT DataLink having a current Joint Venture Consortium Agreement in place.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and Consumer and Business Services (CBS) in the Attorney General’s Department.  It is an exemption from compliance with:

  • Principle 10, allowing CBS to disclose personal information to the SA NT DataLink, and
  • Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely in the establishment of the Master Linkage File as part of the Data Linkage System.

The personal information to be used is from South Australian births and deaths datasets, and is limited to:

Death Dataset: Unique record identifier (registration number); names (all names where available including surnames, surnames at birth, given names and given names at birth); date of birth; date of death; age at death; place of birth; place of death; sex; Aboriginality and/or Torres Strait Islander indicator; and full residential address, including geocodes, where available. The personal information to be used from the deaths dataset is limited to death records created after 1/1/1990.

Birth Dataset: Unique record identifier (registration number); Names (all names where available including surnames, surnames at birth, given names and given names at birth); Full residential address, including geocodes where available; Sex; Date of birth; Place of birth; Mother’s Aboriginal indicator; Mother’s Torres Strait Islander indicator; Father’s/Co-parent’s Aboriginal indicator; Father’s/Co-parent’s Torres Strait Islander indicator; Mother’s date of birth; Father’s/Co-parent’s date of birth; Birth weight (in grams); Plurality – order (only available for multiple births e.g. twins); Plurality – total (only available for multiple births e.g. twins); Mother’s occupation title; and Father’s/Co-parent’s occupation title.

The personal information to be used from the births dataset is limited to birth records created after 1/1/1944. The disclosure will include any of the above information provided for other family members that is included in these records.

All other Principles continue to apply.

SA Health and CBS remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘A’) is an extension of A424422 and A424423 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Child Protection (DCP).  It is an exemption from compliance with:

  • Principle 10, permitting DCP to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
  • Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely to support the linkage with DCP data on Alternative Care, Care and Protection Orders, and Child Protection.

The personal information is limited to: Record identifier; Names – all names including nicknames, aliases and aka; Date of birth; Sex; Aboriginality, Torres Strait Islander indicator; Cultural group; Full address including geocodes where available; Client File Number (85 File Number for Client Information System (CIS) records within the Justice Information System (JIS) – a flag indicating that this child was under the Guardianship of the Minister); and any of the above information provided for other family members and included in these records, ie full name and date of birth of the mother and father of the child or young person.

All other Principles continue to apply.

SA Health and DCP remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘B’) is an extension of A424424 and A424425 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Human Services (DHS) Youth Justice branch.  It is an exemption from compliance with:

  • Principle 10, permitting DHS Youth Justice to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
  • Principle 8, allowing the SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely the creation of master linkage keys as part of the SA NT Data Linkage System by the Data Linkage Unit.

The personal information is limited to: Unique record identifier (i.e. episode reference number); Unique person identifier where available; Given name(s) (including all ‘akas’, aliases and nicknames); Date of birth; Sex; Aboriginality and/or Torres Strait Islander indicator; Country of birth; Full address including geocodes where available; and the full name and date of birth of the mother and father of the child or young person where available.

All other Principles continue to apply.

SA Health and DHS remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘C’) is an extension of A424426 and A424427 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Education (DE).  It is an exemption from compliance with:

  • Principle 10, permitting DE to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
  • Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information.

The personal information to be used is from the DE Public Schools Enrolment dataset, including preschools and is limited to: Record Identifier; Personal Identifier; Names; Date of Birth; Sex; Aboriginality, Torres Strait Islander Indicator; Country of Birth; Full address including Geocodes if available; Parent / Guardian Identifier; Date Enrolled; Date Left; Destination School; Census year; Census term; 85 File Number; and any of the above information provided for other family members and included in these records including family code.

All other Principles continue to apply.

SA Health DLU and DE remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘D’) is an extension of A424428 and A424429 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Education (DE).  It is an exemption from compliance with:

  • Principle 10, permitting DE to disclose personal information to the Data Linkage Unit within SA NT DataLink for the purpose of enabling a more complete understanding of the early childhood sector and pathways in child health and development when developing policy, research and strategic plans, and
  • Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely for SA NT DataLink for the purposes of data linkage.

The personal information to be used is from DE preschool enrolment census data for non-government and private schools. The personal information to be used was initially for the period between 2012 and 2017, representing approximately 110,000 students, with annual updates being sought, with an expectation that each update is to include approximately 18,500 new students.

The personal information includes linkage variables of: Record identifier; Personal identifier; Names – all names including nicknames, aliases and aka; Date of birth; Sex; Aboriginality, Torres Strait Islander Indicator; Country of birth; Full address including geocodes if available; Site name; Site ID; and Census year.

All other Principles continue to apply.

SA Health DLU and DE remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘E’) is an extension of A424430 and A425394 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Electoral Commission of South Australia (ECSA).  It is an exemption from compliance with:

  • Principle 10, permitting ECSA to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
  • Principles 2 and 8, allowing SA Health DLU to collect and use personal information for a purpose that was not the purpose of the collection of that information.

The personal information to be used is from the ECSA South Australian Electoral Roll dataset and is limited to: Elector Number; Title; Family Name; Given Names; Date of Birth; Country of Birth (3 character code); Sex; Address Line 1, 2 and 3 (including State and postcode); and any of the above information provided for other family members and included in these records.

Excluded from the dataset is information relating to ‘silent electors’ and those individuals who have sought to be ‘provisionally enrolled’.

All other Principles continue to apply.

SA Health DLU and ECSA remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘F’) is an extension of A424431 and A424432 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the South Australian Housing Authority (SAHA).  It is an exemption from compliance with:

  • Principle 10, permitting SAHA to disclose personal information from the Housing SA dataset and the Homelessness to Home (H2H) dataset to the Data Linkage Unit within SA NT DataLink, and
  • Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely for the creation of master linkage keys as part of the establishment of the Data Linkage System.

The personal information from the Housing SA dataset is limited to: Unique Person Identifier; System Date; Names, all names including nicknames, aliases and aka; Date of Birth; Sex; Title; Aboriginality and/or Torres Strait Islander identifier; Country of Birth; Full address including geocodes if available; and any of the above information provided for other family members and included in these records.

The personal information from the Homelessness to Home (H2H) dataset is limited to: H2H customer number; Housing SA customer number; Given names; Surname; Date of birth; Sex; Aboriginality and/or Torres Strait Islander indicator; Country of birth; Full address details, including past addresses where available; System date; and any of the above information provided for other family members and included in these records.

All other Principles continue to apply.

SA Health DLU and SAHA remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘G’) is an extension of A424433, A424434 and A425398 (SRSA19-00802) approved 7 July 2021. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Correctional Services (DCS).  It is an exemption from compliance with:

  • Principle 10, permitting DCS to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
  • Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely to enable researchers and policy analysist to develop and disseminate a more comprehensive understanding of health, education and justice system pathways and outcomes.

The personal information to be disclosed by DCS relates to individuals who have been sentenced to a period of supervision, either in a custodial setting or in the community and is limited to: DCS IDs; JIS PIN; Entry and exit dates; Surnames (including previous names and maiden names); Given Name(s) (all including “aka’s”, aliases and nicknames); Date of Birth (DD/MM/YYYY); Sex; Residential address and postcodes (including previous addresses); and Aboriginal and Torres Strait Islander indicator.

All other Principles continue to apply.

SA Health and DCS remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption (Table Reference ‘H’) is an extension of A425401 (SRSA19-00802) approved 7 July 2021 and introduces an exemption from principle 8 (use). A further extension may be negotiated with the Privacy Committee if required.

Page last updated: 7 November 2022