The Privacy Committee of South Australia (Privacy Committee) was established by Proclamation in the Government Gazette on 6 July 1989 and most recently updated on 11 June 2009. The functions of the Privacy Committee, as described in the Proclamation, are:

• (a)       to advise the Minister as to the need for, or desirability of, legislation or administrative action to protect individual privacy and for that purpose to keep itself informed as to developments in relation to the protection of individual privacy in other jurisdictions
• (b)       to make recommendations to the Government or to any person or body as to the measures that should be taken by the Government or that person or body to improve its protection of individual privacy
• (c)        to make publicly available information as to methods of protecting individual privacy and measures that can be taken to improve existing protection
• (d)       to keep itself informed as to the extent to which the Administrative Scheme of Information Privacy Principles are being implemented
• (g)       to refer written complaints concerning violations of individual privacy received by it (other than complaints from employees of the Crown, or agencies or instrumentalities of the Crown, in relation to their employment) to the appropriate authority
• (h)       such other functions as are determined by the Minister.

The Privacy Committee may, under clause 4 of the Proclamation, ‘exempt a person or body from one or more of the Information Privacy Principles on such conditions as the Committee thinks fit’.

Clause 1(2) of the Proclamation establishes its membership.  The Privacy Committee is to consist of six members appointed by the Minister.  Of the six members:

• three are nominated by the Minister [the Attorney-General] (one of whom must not be a public sector employee and one must have expertise in information and records management)
• one is to be nominated by the Attorney-General
• one is to be nominated by the Minister responsible for the administration of the Health Care Act 2008, and
• one is to be nominated by the Commissioner for Public [Sector] Employment.

Members of the Privacy Committee during the 2022-23 reporting year were:

Changes to the Privacy Committee

During 2022-23 there were no changes to membership.

Executive support to the Privacy Committee

Executive support to the Privacy Committee is delivered within the resources of State Records of South Australia.  This is in line with other State Records activities including research and policy advice, web hosting and responses to enquiries for both agencies and the public.  During 2022-23 Tamara Wenham served as Executive Officer.

The Privacy Committee reports to the Hon Kyam Maher MLC as Attorney-General.  The Attorney-General is also responsible for other information management regulation including the State Records Act 1997 and the Freedom of Information Act 1991.

South Australia’s Information Privacy Principles Instruction (IPPI) was introduced in July 1989 by means of Cabinet Administrative Instruction 1/89, issued as Premier & Cabinet Circular No. 12.  The IPPI includes a set of ten Information Privacy Principles (IPPs) that regulate the way South Australian public sector agencies collect, use, store and disclose personal information.

The Privacy Committee has a function to

“refer written complaints concerning violations of individual privacy received by it (other than complaints from employees of the Crown, or agencies or instrumentalities of the Crown, in relation to their employment) to the appropriate authority”.

In 2022-23 the Privacy Committee received 3 complaints.

During the reporting year State Records also referred several enquiries to state government agencies for consideration and advice.  These are not considered formal complaints to the Privacy Committee and are reported in the State Records Annual Activity Statement.

Enquiries related to matters outside the authority of the Privacy Committee, including the use of invasive technologies such as facial recognition technology and drones, collection of information by employers, and neighbourhood disputes.

A complaint about the Committee’s complaint handling activity will be reported by the Attorney-General’s Department. This has prompted a review of the Privacy Committee’s complaint handling process, to be undertaken in line with PC039 Complaint Management in the South Australian Public Sector.

Since 2018, state government agencies have been required to comply with a Guideline on how to deal with unauthorised access to personal information (privacy breaches).  One action within the Guideline is to notify the Privacy Committee so that it can:

• keep itself informed as to the extent to which the Information Privacy Principles are being implemented, and
• make recommendations of the measures that should be taken by the government to improve its protection of individual privacy.

The Privacy Committee received 140 notifications during the 2022-23 reporting year.

Since the introduction of the notification scheme the number of breach notifications has increased each year. The increase can be attributed to a strong reporting culture from the health sector and greater awareness of the scheme. Awareness has grown following several nation-wide high-profile privacy breaches, and by consultation on a new Information Privacy Strategy for SA Government.

Aside from a handful of malicious or criminal incidents, breach trends are still largely linked with human or procedural error.  The Privacy Committee reviews each breach it receives and provides agencies with suggestions for improvements to process and practices where necessary.

Affected parties by cause of breach

The Privacy Committee strongly encourages agencies to advise affected parties of a breach unless there is a significant reason not to do so.  This ensures affected parties are aware of any possible implications and builds trust through transparency and accountability by the agency.

State Records continues to support the Privacy Committee by reviewing the notifications process to ensure it is delivering the required benefits.

Principal officers of State Government agencies have the responsibility to ensure that the IPPI is implemented, maintained, and observed for, and in respect of, all personal information for which their agency is responsible.

Advice is provided to state government agencies to help them comply with the IPPI and ensure privacy is considered in the development of new projects and initiatives.  Policy and other guidance materials are routinely issued to support agencies.

The Privacy Committee is represented by the Presiding Member on Privacy Authorities Australia (PAA).  State Records staff participate in three PAA working groups on policy, complaints and enforcement, and communications.

This exemption applies to South Australia Police (SAPOL). It is an exemption from compliance with Principles 8 and 10, allowing SAPOL to use personal information for a purpose that was not the purpose of the collection of that information, and to disclose that personal information under agreement to South Australian Centre for Economic Studies (SACES) of the University of Adelaide.

The personal information to be used is from SAPOL policing datasets dated between 1992-2022 relating to incidents attended by police under powers under the Mental Health Act 2009 and predecessors. The datasets are limited to:

• South Australia Computer Aided Dispatch (SACAD) data circa 2011 to 2022, and its predecessor Computer Aided Dispatch System (CAD) 1992 to 2011 – caller details, caller locations, event location
• SHIELD – Police Database / Niche RMS circa 2014 to 2022, and its predecessor Police Incident Management System (PIMS) 1992 to circa 2014, containing names of persons involved in mental health incidents, and summary of the event
• Offender Record Management System (ORMS) 1992 to circa 2014 – person name, detained under Mental Health Act 2009 and predecessors, and
• PD145 – Request for Patient Assistance Police form – Person Name, Address and Summary of Police Interaction and Incident.

Within each of the above datasets, the data will be limited to family name, given name, address, gender, age, date of birth and outcome of Police interaction.

All other Principles continue to apply.

This exemption has the following conditions:

• the use and disclosure are only for analysis of data concerning the commitment of South Australian police resources in the attendances described
• only researchers nominated in the agreement with SAPOL will have access to the data
• the research activity is approved by a Human Research Ethics Committee, and
• any research outcomes, such as the final report and findings, would not present information in a form that would identify an individual or from which an individual would be reasonably identifiable.

SAPOL remains responsible for the secure transfer and storage of personal information in line with the IPPI.

Staff involved in the program must have entered into confidentiality agreements with SAPOL.

Security audits must be completed regularly, allowing for breach prevention and mitigation, and remediation as needed. Monthly use of the SAPOL Audit Report form PD160A is recommended, with amendments suggested by the Committee.

SACES will not retain any copies of the identified or de-identified datasets after the completion of the research activity.

This exemption is granted for two years, from 20 September 2022 to 19 September 2024. It will be reviewed by SAPOL and the Privacy Committee two years following its approval unless required earlier. An extension may be negotiated with the Privacy Committee if required.

This exemption applies to Procurement Services SA (PSSA) within the Department of Treasury and Finance in executing the ICT across-government contract with SFDC Australia Pty Limited. It also applies to any South Australian Government client agency that enters into an agreement or contract for products or services under the specified across-government contract.

All other Principles continue to apply.

The exemption is from Clause 5(A) and 5(c) for the specified across-government contract where:

• PSSA has genuinely attempted to achieve service provider compliance with the IPPI, and
• the service provider is unwilling to enter into a contract which requires compliance with the IPPI, and
• the service provider is willing to be contractually bound to comply with the Australian Privacy Principles as established by the Commonwealth Privacy Act 1988.

The Crown Solicitor’s Office or approved external legal advisor must be involved in drafting the privacy-related obligations in the across-government contract and in any agency-level contracts formed under that across-government contract.

This exemption is conditional on PSSA undertaking due diligence prior to execution of the specified across-government contract, including assessing whether the service provider has in place appropriate technical and other measures to protect the privacy of individuals, and whether the service provider has:

• previously breached South Australian Government requirements relating to the privacy of individuals in the course of a previous engagement with a South Australian agency, or
• been party to any adverse decisions or determinations made by the Office of the Australian Information Commissioner (OAIC).

PSSA will use contract guidelines to advise client agencies that PSSA has sought and been granted an exemption from clause 5A and 5(c) of the IPPI for ICT products and services and indicate that agencies are required to otherwise comply with the IPPI.

The contract guidelines will require client agencies to:

• conduct a privacy impact assessment of the activities for which the contracted service products and services will be used
• establish collection notices and privacy statements which address avenues for complaint or authorised access, and
• establish a process for handling and reporting any known privacy-related breaches or complaints to the Privacy Committee of South Australia.

The client agency remains responsible for the secure transfer and storage of personal information in line with the IPPI.

This exemption applies for five years from the execution of the ICT across-government contract with SFDC Australia Pty Limited.  During this period, any agency that enters into a contract under the exempted across-government ICT contract will inherit the exemption until the expiry of this exemption or for 12 months from the customer order execution date, whichever is later.

An extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and Consumer and Business Services (CBS) in the Attorney General’s Department.  It is an exemption from compliance with:

• Principle 10, allowing CBS to disclose personal information to the SA NT DataLink, and
• Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely in the establishment of the Master Linkage File as part of the Data Linkage System.

The personal information to be used is from South Australian births and deaths datasets, and is limited to:

Death Dataset: Unique record identifier (registration number); names (all names where available including surnames, surnames at birth, given names and given names at birth); date of birth; date of death; age at death; place of birth; place of death; sex; Aboriginality and/or Torres Strait Islander indicator; full residential address, including geocodes, where available; correction indicator (if a record previously reported is being re-reported due to a correction in the register); father/co-parent (type, surnames, surnames at birth, given names, occupation); and mother (type, surnames, surnames at birth, given names, occupation). The personal information to be used from the deaths dataset is limited to death records created after 1/1/1990.

Birth Dataset: Unique record identifier (registration number); Names (all names where available including surnames, surnames at birth, given names and given names at birth); Full residential address, including geocodes where available; Sex; Date of birth; Place of birth; Mother’s Aboriginal indicator; Mother’s Torres Strait Islander indicator; Father’s/Co-parent’s Aboriginal indicator; Father’s/Co-parent’s Torres Strait Islander indicator; Mother’s date of birth; Father’s/Co-parent’s date of birth; Birth weight (in grams); Plurality – order (only available for multiple births e.g. twins); Plurality – total (only available for multiple births e.g. twins); Mother’s occupation title; Father’s/Co-parent’s occupation title; correction indicator (if a record previously reported is being re-reported due to a correction in the register); marriage type; date of marriage; place of marriage; and previous children of this relationship (given names, sex, date of birth, living indicator).

The personal information to be used from the births dataset is limited to birth records created after 1/1/1944. The disclosure will include any of the above information provided for other family members that is included in these records.

All other Principles continue to apply.

SA Health and CBS remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘A’) is an extension of A541925 (SRSA19-00802) granted from 1 January to 31 December 2022, with some additional data fields. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Child Protection (DCP).  It is an exemption from compliance with:

• Principle 10, permitting DCP to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
• Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely to support the linkage with DCP data on Alternative Care, Care and Protection Orders, and Child Protection.

The personal information is limited to: Record identifier; Names – all names including nicknames, aliases and aka; Date of birth; Sex; Aboriginality, Torres Strait Islander indicator; Cultural group; Full address including geocodes where available; Client File Number (85 File Number for Client Information System (CIS) records within the Justice Information System (JIS) – a flag indicating that this child was under the Guardianship of the Minister); and any of the above information provided for other family members and included in these records, ie full name and date of birth of the mother and father of the child or young person.

All other Principles continue to apply.

SA Health and DCP remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘B’) is an extension of A541982 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Human Services (DHS) Youth Justice branch.  It is an exemption from compliance with:

• Principle 10, permitting DHS Youth Justice to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
• Principle 8, allowing the SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely the creation of master linkage keys as part of the SA NT Data Linkage System by the Data Linkage Unit.

The personal information is limited to: Unique record identifier (i.e. episode reference number); Unique person identifier where available; Given name(s) (including all ‘akas’, aliases and nicknames); Date of birth; Sex; Aboriginality and/or Torres Strait Islander indicator; Country of birth; Full address including geocodes where available; and the full name and date of birth of the mother and father of the child or young person where available.

All other Principles continue to apply.

SA Health and DHS remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘C’) is an extension of A542014 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Education (DE).  It is an exemption from compliance with:

• Principle 10, permitting DE to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
• Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information.

The personal information to be used is from the DE Public Schools Enrolment dataset, including preschools and is limited to: Record Identifier; Personal Identifier; Names; Date of Birth; Sex; Aboriginality, Torres Strait Islander Indicator; Country of Birth; Full address including Geocodes if available; Parent / Guardian Identifier; Date Enrolled; Date Left; Destination School; Census year; Census term; 85 File Number; and any of the above information provided for other family members and included in these records including family code.

All other Principles continue to apply.

SA Health DLU and DE remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘D’) is an extension of A542022 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Education (DE).  It is an exemption from compliance with:

• Principle 10, permitting DE to disclose personal information to the Data Linkage Unit within SA NT DataLink for the purpose of enabling a more complete understanding of the early childhood sector and pathways in child health and development when developing policy, research and strategic plans, and
• Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely for SA NT DataLink for the purposes of data linkage.

The personal information to be used is from DE preschool enrolment census data for non-government and private schools. The personal information to be used was initially for the period between 2012 and 2017, representing approximately 110,000 students, with annual updates being sought, with an expectation that each update is to include approximately 18,500 new students.

The personal information includes linkage variables of: Record identifier; Personal identifier; Names – all names including nicknames, aliases and aka; Date of birth; Sex; Aboriginality, Torres Strait Islander Indicator; Country of birth; Full address including geocodes if available; Site name; Site ID; and Census year.

All other Principles continue to apply.

SA Health DLU and DE remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘E’) is an extension of A542023 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Electoral Commission of South Australia (ECSA).  It is an exemption from compliance with:

• Principle 10, permitting ECSA to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
• Principles 2 and 8, allowing SA Health DLU to collect and use personal information for a purpose that was not the purpose of the collection of that information.

The personal information to be used is from the ECSA South Australian Electoral Roll dataset and is limited to: Elector Number; Title; Family Name; Given Names; Date of Birth; Country of Birth (3 character code); Sex; Address Line 1, 2 and 3 (including State and postcode); and any of the above information provided for other family members and included in these records.

Excluded from the dataset is information relating to ‘silent electors’ and those individuals who have sought to be ‘provisionally enrolled’.

All other Principles continue to apply.

SA Health DLU and ECSA remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘F’) is an extension of A542031 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the South Australian Housing Authority (SAHA).  It is an exemption from compliance with:

• Principle 10, permitting SAHA to disclose personal information from the Housing SA dataset and the Homelessness to Home (H2H) dataset to the Data Linkage Unit within SA NT DataLink, and
• Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely for the creation of master linkage keys as part of the establishment of the Data Linkage System.

The personal information from the Housing SA dataset is limited to: Unique Person Identifier; System Date; Names, all names including nicknames, aliases and aka; Date of Birth; Sex; Title; Aboriginality and/or Torres Strait Islander identifier; Country of Birth; Full address including geocodes if available; and any of the above information provided for other family members and included in these records.

The personal information from the Homelessness to Home (H2H) dataset is limited to: H2H customer number; Housing SA customer number; Given names; Surname; Date of birth; Sex; Aboriginality and/or Torres Strait Islander indicator; Country of birth; Full address details, including past addresses where available; System date; and any of the above information provided for other family members and included in these records.

All other Principles continue to apply.

SA Health DLU and SAHA remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘G’) is an extension of A542034 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.

This exemption applies to the SA NT DataLink Data Linkage Unit within SA Health (SA Health DLU) and the Department for Correctional Services (DCS).  It is an exemption from compliance with:

• Principle 10, permitting DCS to disclose personal information to the Data Linkage Unit within SA NT DataLink, and
• Principle 8, allowing SA Health DLU to use personal information for a purpose that was not the purpose of the collection of that information – namely to enable researchers and policy analysist to develop and disseminate a more comprehensive understanding of health, education and justice system pathways and outcomes.

The personal information to be disclosed by DCS relates to individuals who have been sentenced to a period of supervision, either in a custodial setting or in the community and is limited to: DCS IDs; JIS PIN; Entry and exit dates; Surnames (including previous names and maiden names); Given Name(s) (all including “aka’s”, aliases and nicknames); Date of Birth (DD/MM/YYYY); Sex; Residential address and postcodes (including previous addresses); and Aboriginal and Torres Strait Islander indicator.

All other Principles continue to apply.

SA Health and DCS remain responsible for the secure transfer and storage of personal information in line with the IPPs.

This exemption is granted from 1 January 2023 to 31 December 2023.

This exemption (Table Reference ‘H’) is an extension of A542044 (SRSA19-00802) granted from 1 January to 31 December 2022. A further extension may be negotiated with the Privacy Committee if required.