Department of Human Services Introduction of myGov Inbox

Department of Human Services Introduction of myGov Inbox

Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Department of Human Services Introduction of myGov Inbox Privacy Impact Assessment 14 May 2014

2 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Table of Contents Executive Summary . . 1 1. myGov Overview . . 1 2. Summary of Findings . . 2 3. Recommendations . . 2 Project Description . . 5 4. Purpose of the Inbox Release . . 5 5. Current myGov functionality . . 5 6. Inbox - changes to be implemented by the Inbox Release . . 9 7. Security architecture and processes . . 12 Analysis .

. 15 8. Inbox Release Personal Information flows . . 15 9. Assessment of compliance with the APPs . . 16 10. Assumptions . . 17 11. Glossary . . 18 Schedule 1 APP Compliance . . 21 Schedule 2 Privacy Notice . . 44

Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Executive Summary 1. myGov Overview 1.1 The myGov project is part of the Australian Government's investigation of ways to improve individuals' ease of use and access to Australian Government services. The Department of Human Services (DHS) has the lead role in implementing the myGov project, and acts as the myGov Administrator. 1.2 The myGov project commenced with an initial IT release in May 2013 (May 2013 Release) which involved the replacement of the Australian Government’s primary online entry point, australia.gov.au, with myGov.

myGov provides individuals with access to government information and services and includes, among other things, a single sign-on service, allowing people to visit multiple government websites without repeatedly signing in at each site. 1.3 The May 2013 Release was successful in its transition from australia.gov.au to myGov and in implementing an additional service that gives the account user the capacity to recover their user name by providing their email address or mobile phone number. 1.4 A further IT release to enhance myGov functionality is planned for late March 2014 (Inbox Release). The Inbox Release will provide users who have a myGov account with a secure digital mailbox within the user's myGov account (Inbox).

The user's Inbox can be used to read and manage messages sent by either myGov or those Member Services which will utilise the Inbox service and to which the user has linked to their myGov account. 1.5 DHS commissioned a privacy impact assessment (PIA) in relation to the May 2013 Release to confirm that its implementation would not give rise to risks to individual privacy that could not be mitigated.

1.6 This PIA: (a) assesses the risks to individual privacy presented by the Inbox Release from the perspective of DHS as the myGov Administrator; (b) considers compliance with the Privacy Act, including the Australian Privacy Principles (APPs) which have applied from 12 March 2014; (c) serves to inform stakeholders and the public about the Inbox Release, and illustrate the focus and value being given to privacy risks and risk mitigation; (d) sets out the information life cycle which helps to highlight privacy risks and areas for improvement in terms of risk mitigation; and (e) considers the safeguards that DHS, in its capacity as myGov Administrator, has in place to secure personal information from misuse, interference or loss, or from unauthorised access, modification or disclosure.

1.7 The Office of the Australian Information Commissioner (OAIC) has published APP Guidelines on 21 February 2014. The APP Guidelines outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters that may be taken into account when assessing DHS' compliance with the Privacy Act and the APPs. 1.8 This PIA "tells the story" of the Inbox Release from a privacy perspective. It has been developed in accordance with the OAIC's Privacy Impact Assessment Guide, and will help DHS to manage privacy impacts arising from the Inbox Release.

2 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 2.

Summary of Findings 2.1 DHS has identified certain privacy risks related to the Inbox Release of myGov. However, DHS believes that these risks may be mitigated by following the recommendations set out in paragraph 3 below. 2.2 HWL Ebsworth has prepared this Privacy Impact Assessment in consultation with DHS, and has taken into account feedback received from the Office of the Australian Information Commissioner. HWL Ebsworth has relied on DHS for the description of the myGov project and the Inbox service, and has drafted the Privacy Impact Assessment on the assumption that the description of the project accurately reflects the handling of personal information.

3. Recommendations 3.1 This Privacy Impact Assessment makes the following recommendations: Recommendation 1. Replace the Privacy Notice on the myGov website with the amended Privacy Notice at Schedule 2, to reflect the technical details of the Inbox Release This PIA recommends that DHS replaces the Privacy Notice on the myGov website with the amended Privacy Notice at Schedule 2. The short-form Privacy Notice in paragraph 1of Schedule 2 should be included in the website terms of use, and the long-form Privacy Notice in paragraph 2 of Schedule 2 is the full website Privacy Notice. The amended Privacy Notice reflects the technical details of the Inbox Release, and complies with DHS' obligations under the Privacy Act including the APPs.

Department response Agreed. DHS will replace the Privacy Notice on the myGov website with the amended Privacy Notice at Schedule 2. Recommendation 2. Review DHS' APP privacy policy to ensure that it appropriately addresses DHS' information handling practices as myGov Administrator DHS has had a new APP privacy policy in place from 12 March 2014, which contains a range of information including: (a) the kinds of personal information that DHS collects and holds; (b) how DHS collects and holds personal information; and (c) the purposes for which DHS collects, holds, uses and discloses personal information.

DHS' new APP privacy policy does not currently expressly identify how and the purposes for which DHS collects, holds, uses or discloses personal information in its capacity as the myGov Administrator after the Inbox Release. This PIA recommends that DHS review its APP privacy policy, to ensure that it addresses the collection of information by DHS in its capacity as myGov Administrator. Suggested amendments to DHS' new APP privacy policy are identified in paragraph 1 of Schedule 1.

Department response Agreed. DHS will ensure that its APP privacy policy appropriately reflects the information handling practices of DHS in its capacity as myGov Administrator.

3 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Recommendation 3. Implement business rules to ensure that personal information is only contained in Linked Documents held in the Member Services systems and not in messages held in the Inbox If any personal information (such as a user's name and Member Service Identifier) were included in a message, myGov would be required to collect, hold, use and disclose that information in accordance with the Australian Privacy Principles.

However, personal information will not be included in a message. Messages contained in the Inbox in myGov will contain only a minimal amount of information, sufficient to enable the user to identify the Member Service which has sent the message, the subject matter, the date and time on which the message was sent, and the message in either the form of a message body or a link to a Linked Document. In addition, neither DHS nor any of its personnel would have access to a user's Inbox, or be able to see any messages or Linked Documents or any personal information contained in them. Personal information would only be included in a Linked Document, which is not contained in the Inbox in myGov but rather accessed by a user by clicking on a link contained in a message that would retrieve the Linked Document from a Member Service's system.

However, to reduce the risk of a situation arising where personal information is inadvertently included in a message and DHS (as the myGov Administrator) could be considered to be collecting and holding personal information (particularly a user's name and Member Service Identifiers) contained in the message from a Member Service and therefore stored in the myGov system, business rules should be formally agreed with the Member Services describing the sort of information which should be included in a message. However, myGov will not have any control over the content of the correspondence (provided through a link to a Linked Document in a message) being sent by the Member Services.

Department response Agreed. myGov will develop business rules, which will apply to Member Services, on what types of information cannot be contained in the text body of a message sent by a Member Service to the Inbox. Recommendation 4. Implement processes to monitor and manage privacy issues arising from myGov function creep DHS should implement processes and governance arrangements to ensure that function creep does not occur. Department response Agreed. DHS addresses issues of function creep in the myGov project by having a governance framework with external representatives (the Reliance Framework Board) as well as an internal programme board that oversees each stage of the project.

The Reliance Framework Board includes representatives from DHS, the Australian Taxation Office, the Attorney-General’s Department, the Department of Finance, the Department of Communications, the Department of Social Services and the Department of Health. The Board generally meets on a monthly basis and is responsible for monitoring and reporting on the Reliance Framework Programme . It is also tasked with providing biannual reports to the Secretaries ICT Governance Board. Amongst other things, the Reliance Framework Board's terms of reference provide that it will: (a) document the roles and responsibilities of Commonwealth agencies or

4 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Recommendation 4. Implement processes to monitor and manage privacy issues arising from myGov function creep any third parties who provide elements of the Reliance Framework, the service delivery levels necessary to provide reliable and seamless services to users, and any broader impacts on affected Government agencies; and (b) establish a framework for measuring the extent to which the Reliance Framework capabilities improve the delivery of services to individuals. Recommendation 5. Implement appropriate privacy risk management tools to monitor and manage privacy issues arising from any subsequent Releases of myGov Further releases of myGov may involve materially different collections, uses and disclosures of personal information to those occurring under the Inbox Release.

DHS should implement appropriate privacy risk management tools (such as additional privacy impact assessments or addenda to this PIA) to assess the privacy impacts of each additional Release, once the technical details and processes of those Releases are better known.

Privacy risk management tools should also ensure that DHS and myGov remains compliant with the Privacy Act as it may be amended from time to time. Department response Agreed. DHS will implement appropriate privacy risk management tools, which may include additional PIAs and/or addendum PIAs, to assess and address privacy risks as the myGov service develops further enhancements and improvements to the system. DHS will also arrange for regular privacy audits to be conducted on the myGov system and services to ensure that DHS and myGov remains compliant with the Privacy Act as it may be amended from time to time.

5 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Project Description 4. Purpose of the Inbox Release 4.1 Currently, individuals can create an online myGov account that has a single sign-on service and is linked to accounts the individual holds with any of the Member Services, currently being: (a) the Department of Human Services' Centrelink, Medicare and Child Support master programs; (b) the Department of Health's Personally Controlled Electronic Health Records program; (c) the Department of Veterans' Affairs; and (d) the National Disability Insurance Agency. 4.2 The key functionality to be introduced under the Inbox Release is the Inbox service.

The Inbox service will provide all users who have a myGov account with the convenience of a single digital facility, where they can receive secure messages from linked Member Services. The Inbox service will enable users to centralise and manage online messages from Member Services linked to their myGov account. This will reduce the time that the user must spend interacting with government, and increase confidence and satisfaction with services. 4.3 In order to understand how the Inbox Release impacts on personal privacy this PIA: (a) briefly describes current myGov functionality (in terms of collection, use, disclosure and storage of personal information); and (b) describes the changes to be implemented by the Inbox Release.

5. Current myGov functionality 5.1 DHS administration of myGov currently covers the functions of myGov account registration, account login and linking the myGov account to the Member Services. This administration involves DHS either collecting or creating the following information: (a) a non-identifiable user name (eg My Account XH123789) and user password (over time other credentials may be added); (c) secret questions and answers provided by the user that, if answered correctly, enable the user to access their account; (d) confirmation that the user agrees to the myGov terms of use; (e) email address and potentially a mobile phone number (users must provide an email address but can choose as to whether they also provide a mobile phone number); (f) the Member Services that the account has linked to it; and

6 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1

7 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 5.5 Currently, a myGov user's name does not appear as their user name. DHS has confirmed that the secret questions and answers provided by the user cannot be used, by officials with administrator access to myGov, to identify any account user. The secret questions and answers can be attributed to specific users identified by the alphanumeric user name, but the identity of the users cannot be identified from their user name. DHS is unaware of any instance where a set of secret questions and answers has revealed the identity of an account user.

Although a user's email address or mobile phone number used for account recovery purposes could potentially enable the account user to be identified, access to part of the myGov Authentication Hub in which this information is stored is limited as described in paragraph 5.7 below.

5.6 DHS operates myGov accounts on network and gateway infrastructure that has the sole purpose of supporting myGov accounts. 5.8 Currently DHS' administration of myGov involves DHS: (a) collecting from all users, when they first use or create their myGov account, the user's email address and if a mobile phone number is provided by the user, the mobile phone number; and (b) undertaking authentication of account users seeking to link their myGov account to accounts held with any of the Member Services.

8 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1

9 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 6. Inbox - changes to be implemented by the Inbox Release 6.1 The Inbox Release will provide the Inbox service to all users with a myGov account. The Inbox is a secure digital mailbox within the user's myGov account. Although its core design, look and feel is synonymous with an e-mail experience, the Inbox is not an e-mail system. Rather, it is a secure online facility that displays core information about a message in an e- mail style.

6.2 Users will need to accept new myGov terms of use and provide their notification preference on the next log in after the Inbox goes live.

For new users, this will be part of the account creation process. Users will see a "popup" stating as follows: "Your myGov account has a new Inbox We are pleased to announce that your myGov account now has a secure Inbox. It gives you the option to receive your mail from participating member services. The Inbox will make it easier for you to manage your mail in a central place and is a better option for the environment.

There is a letter in your Inbox explaining how it works. As this is a new part of your account, we have updated the myGov terms of use. By continuing you are agreeing to the new terms." 6.3 When a user links a participating Member Service account to their myGov account, the Member Service systems will send the user correspondence (in the participating Member Service's choice of channel) that confirms that the user's record has been linked to their myGov account and their eligible new messages will be sent to their Inbox. 6.4 A user's Inbox can be used to read and manage messages forwarded by participating Member Services which the user has linked to his or her myGov account.

The types of messages which can be sent to the Inbox by a linked Member Service may include letters relating to payments, services or reviews, reporting statements, publications and brochures, follow-up actions and status updates on submitted transactions.

6.5 Only messages determined by the Member Service as eligible for online correspondence will be sent to a user's Inbox. Each Member Service will apply their own business rules to determine which messages will be sent to the Inbox and correspondence which the Member Service will send via other channels (such as traditional surface mail). Where a Member Service chooses to send part or all of a message through an alternative channel, a notification of the fact that the message was sent through an alternative channel may be displayed in the Inbox.

6.6 The Inbox Release will involve the following Inbox functions: (a) display Inbox interface and functionality; (b) filter and sort Inbox messages; (c) read messages with or without Linked Documents; (d) delete messages; (e) restore deleted messages;

10 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (f) Inbox new message notifications; and (g) manage notification preference settings. 6.7 A message which a user receives in their Inbox will comprise: (a) the name of the Member Service sending the message; (b) the subject of the message; (c) the date and time on which the message was received by the Inbox; and (d) the message in either the form of a message body or a link to one or more Linked Documents. 6.8 The message will be stored within the myGov system, however any Linked Documents will not. Linked Documents will be stored in the system of the relevant Member Service.

Any personal information will be included in the Linked Document rather than in the message. Member Service Identifiers will only be included in Linked Documents and not in messages. 6.9 When a user clicks on the Linked Document icon within a message, the Linked Document will be retrieved from the linked Member Service via a web service, and displayed in the user's own computer's default program for the relevant file type, in a separate window. 6.10 While the Linked Document is open, the user can print or save a Linked Document, if this is permitted by the opening application. The user will not be able to save a Linked Document within the myGov system, but would save the Linked Document onto the user's own device.

6.11 Upon receipt of a message, the Inbox (or, for messages from Centrelink and for users who have linked their myGov account to Centrelink, Centrelink) will send a notification to the user's private email address or by SMS to a mobile phone. Notifications will advise the user that a message has been received in their Inbox, without providing further detail. 6.12 The user will set their preference for notifications the first time that they access the Inbox services. The contact detail fields in the user's notification preference will be prepopulated from the information which the user has provided for account recovery purposes, and the user will be required to elect to either use the existing details or to provide new details.

The user can update their preferences for notifications in the Inbox settings including the email address or mobile phone number to which notifications are sent, at any time. No one, other than the user, will have access to the user's Inbox or notification preference settings. 6.13 Centrelink requires the ability to notify a user directly when messages from Centrelink are delivered to their Inbox. In order to permit this, myGov will send the user's notification preference details (whether the user prefers notification by email or SMS and the email address or mobile phone number provided with the preference,) to Centrelink: (a) if the user has already linked their myGov account to Centrelink at the time they first access the Inbox services - when the user first sets their notification preference; or (b) if the user has not already linked their myGov account to Centrelink at the time they first access the Inbox services - when the user links their myGov account to Centrelink.

6.14 Centrelink will only be sent the contact detail for the communication channel that the user selects for Inbox notification (i.e. either email or SMS, but not both). The myGov Administrator will not send the contact details indicated in a user's notification preference to any other Member Service. 6.15 Centrelink will also use the contact details it is sent to subscribe the user for Centrelink's Electronic Messaging service, or, if the user is already subscribed, to update the contact

11 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 details for this service.

Centrelink would not subscribe the user for its Electronic Messaging service in some instances, for example if the user has already indicated their preference not to use Electronic Messaging through Centrelink's online services (e.g. by unsubscribing) and has indicated that they have unsubscribed for specific decline reasons which will block auto- subscription. Centrelink will also use the contact details it is sent to update its customer contact details that it holds for the user.

6.16 Users would be notified through "pop ups" before taking an action (setting their notification preference or linking to Centrelink) that the myGov Administrator will send the user's contact details contained in their notification preference to Centrelink, and that the information will be used by Centrelink for the purpose of sending the user notifications when Centrelink has sent a message to the Inbox, and also may be used by Centrelink to subscribe the user for Centrelink's Electronic Messaging service and to update the customer contact details that Centrelink holds for the user. The text to be contained in the "pop ups" is: (a) for users who have already linked their myGov account to Centrelink at the time they first access the Inbox service: "Your account is linked to Centrelink, so we will send Centrelink your Inbox notification preference information.

This is to make sure that you can be notified of any new Centrelink messages in your Inbox. Centrelink may also use your Inbox notification preference information to subscribe you to the Centrelink Electronic Messaging service, and will update the contact details that it holds for you. For Terms and Conditions for this Centrelink Electronic Messaging service go to humanservices.gov.au/em.

If your preference is an SMS, you must check the details against your mobile phone number by Centrelink are up to date. To check, go to Personal Details, View/Update Address, Accommodation or Contact Details in your linked Centrelink service." (b) for users who link their myGov account to Centrelink after the time they first access the Inbox service: "Once your account is linked to Centrelink, we will send Centrelink your Inbox notification preference information. This is to make sure that you can be notified of any new Centrelink messages in your Inbox. Centrelink may also use your Inbox notification preference information subscribe you to the Centrelink Electronic Messaging service and will update the contact details that it holds for you.

For Terms and Conditions for this Centrelink Electronic Messaging service go to humanservices.gov.au/em.

If your preference is an SMS you must check the details recorded against your mobile phone number are correct by going to your linked Centrelink service under Personal Details, View/Update Address, Accommodation or Contact Details." 6.17 Where a user updates their notification preference, myGov will not send a corresponding update of the information to Centrelink. Users will be notified that they need to update their notification preference for Centrelink communications through Centrelink's online systems. Unlinking Centrelink service from a user's myGov account will not affect the user's notification details stored by Centrelink in their own system.

6.18 Where a notification sent to a user's e-mail address is undelivered, myGov will receive a bounce back message from the relevant service provider. However, no processing will be performed on the bounce back message, and it will be automatically deleted by the myGov email server as soon as it is received. Where a notification via SMS is undelivered, a bounce back message will be sent to a Soprano Server which is managed by Telstra. myGov will not automatically receive a bounce back message from Telstra, but may request a report from Telstra on undelivered messages via SMS.

12 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 6.19 Messages will be contained in the Inbox until they reach the message expiry date.

Messages can be moved to a trash folder, however they will still be contained in the Inbox until the message expiry date. 6.20 The Inbox will only display messages from linked Member Services. If a user unlinks their myGov account from any Member Services, the user will not be able to access any messages from that unlinked Member Service via the Inbox. Existing messages from that Member Service (both read and unread) will be removed from the user's Inbox, and future correspondence from that Member Service will be sent via that Member Service's alternate correspondence channel (in most cases paper mail).

Messages from remaining linked Member Services will not be affected. Users will be warned prior to finalising the unlinking process that they will no longer be able to access messages from the unlinked Member Service once the unlinking is completed, and that they should print or save any history they would like to keep. After receiving this warning, users will be able to cancel the unlinking process if they wish.

6.21 When a user re-links to a Member Service that has been previously unlinked, messages and the migrated history of messages that have not passed their expiry date will be restored by myGov, including the date of the original message. This will only occur if the user relinks their myGov account which was previously linked to the Member Service. If the user links to a Member Service using a new myGov account, then previous unexpired messages that had been sent by the Member Service to the user will not appear in the Inbox of the "new" myGov account.

13 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1

14 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1

15 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Analysis 8. Inbox Release Personal Information flows 8.1 Key features of the myGov architecture relevant to the Inbox Release, from the perspective of analysing privacy impacts, include: (a) The use by the myGov Administrator of a user's email address and mobile phone number which has been provided for account recovery purposes to prepopulate the user's contact details included in their notification preference. (b) The collection by the myGov Administrator of a user's email address and mobile phone number for the purposes of notifying the user when a new message is received in the user's Inbox.

This information is provided directly by the relevant user (either by confirming their existing account recovery information is to be used, or by providing different information).

(c) The publication by a Member Service of a message in the user's Inbox, which is hosted on the myGov website. This would permit the user (who has been authenticated to the same standard as currently applied for the Member Service's existing online services) to access the information contained in the message and any Linked Document. The publication by a Member Service of a message in the user's Inbox would not involve any disclosure of personal information by the Member Service to myGov. No DHS personnel can access a user's Inbox or the messages it contains, or any Linked Document. Messages can only be accessed by the user after having completed the necessary verification processes to log into their myGov account.

(d) The use by the myGov Administrator of personal information held by myGov (the user's email address or mobile phone number) to send a notification to a user when a new message is received in the user's Inbox.

(e) The provision by the myGov Administrator of a user's notification preference information (whether the user prefers notification by email or SMS, and the email or mobile phone number provided with the preference) to Centrelink, to allow Centrelink to send its own notification messages to the user when Centrelink sends a message to the user's Inbox, and to subscribe the user to Centrelink's Electronic messaging service, (if the user is already subscribed for Centrelink's Electronic Messaging service) to update the contact details Centrelink uses for its Electronic Messaging service, or to update its customer contact details for the user.

This constitutes a use of the personal information by the myGov Administrator, which is one of the uses for which the information was collected, as notified to the user. However, there is no "disclosure" by the myGov Administrator to Centrelink and no "collection" by Centrelink from the myGov Administrator of this information, as both the myGov Administrator and Centrelink are part of the same "agency" for the purposes of the Privacy Act.

(f) The use by Centrelink of personal information held by Centrelink (the user's email address or mobile phone number) to send a further notification to a user when a new message from Centrelink is delivered to the user's Inbox. This use is one of the purposes for which the information is collected, as notified to the user. (g) The use by Centrelink of personal information held by Centrelink (the user's email address or mobile phone number) to subscribe the user to Centrelink's Electronic Messaging service or, if the user is already subscribed, to update the contact details Centrelink uses for its Electronic Messaging service.

This use is one of the purposes for which the information is collected, as notified to the user.

16 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (h) The use by Centrelink of personal information held by Centrelink (the user's email address or mobile phone number) to update its customer contact details that it holds for the user. This use is one of the purposes for which the information is collected, as notified to the user. 8.2 The scope of this PIA is limited to the collections and uses of information by DHS in its capacity as the myGov Administrator. This PIA does not address the uses of personal information by Centrelink.

9. Assessment of compliance with the APPs 9.1 The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amended the Privacy Act with effect from 12 March 2014.

The Australian Privacy Principles are now in force. 9.2 Each collection, use and disclosure of personal information under the Inbox Release must be assessed against the APPs. A detailed analysis of the Inbox Release in term of compliance with the Australian Privacy Principles which will apply from 12 March 2014 is set out at Schedule 1. The analysis recognises that: (a) under the Inbox Release only a limited category of personal information is collected and used by the myGov Administrator (comprising the email address and/or mobile phone number that the user wishes to use to receive notifications from the myGov Administrator regarding messages in the user's Inbox); and (b) any transfers of personal information between DHS in its capacity as myGov Administrator and a DHS Member Service would not be a "disclosure" or "collection" of personal information for the purposes of the Privacy Act, as the DHS Member Services and the myGov Administrator form part of the same agency for the purposes of the Privacy Act.

9.3 To comply with APP 1.4, DHS has adopted a new APP privacy policy, which contains a range of information including: (a) the kinds of personal information that the entity collects and holds; (b) how the entity collects and holds personal information; and (c) the purposes for which the entity collects, holds, uses and discloses personal information. 9.4 The information contained in DHS' APP privacy policy should also include how and the purposes for which DHS collects, holds, uses or discloses information for the purposes of performing its role as myGov Administrator after the Inbox Release (see Recommendation 2).

9.5 Anonymous or pseudonymous interactions, as described in APP 2, would not be practicable in the context of the Inbox, as it would jeopardise the security of myGov and the Member Services' systems. 9.6 No sensitive information would be collected for the purposes of the Inbox Release. To the extent that there is any collection of personal information for the purposes of the Inbox Release, this will be reasonably necessary for and directly related to DHS' functions and activities as required by APP 3. Collections will be by lawful and fair means. 9.7 DHS will provide the notifications required under APP 5, through the revised myGov Privacy Notice (see Recommendation 1), and DHS' APP privacy policy (see Recommendation 2).

9.8 The requirements under APP 4 for collection of unsolicited personal information are not relevant in the context of the Inbox Release. Similarly, APP 7 (direct marketing), APP 8

17 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (cross-border disclosure of personal information), and APP 9 (adoption, use or disclosure of government related identifiers) are not relevant. 9.9 Information used or disclosed by DHS in connection with the Inbox Release is used for its primary purpose of collection, or in circumstances where the individual would reasonably expect DHS to use or disclose the information for another purpose which is directly related to the primary purpose, in accordance with APP 6.1. The information used by DHS in connection with the Inbox Release (the user's email address and mobile phone number) is provided directly by the relevant individual.

9.10 The individual can access and update the information easily through the user's myGov account. DHS would therefore comply with APPs 10, 12 and 13 in relation to the Inbox Release. 9.11 The security protections applied by DHS in relation to personal information collected or used for the purposes of the Inbox Release conform to Australian Government Protective Security Policy Framework and Australian Signals Directorate Information Security Manual security guidelines, and would therefore be compliant with APP 11.

9.12 There are a range of other tasks which DHS was required to complete before 12 March 2014 to ensure compliance with the APPs from that date.

These general compliance obligations are not related to the Inbox Release, and are therefore beyond the scope of this PIA. 10. Assumptions 10.1 This PIA is drafted on the assumptions that: (a) the description of the Inbox accurately reflects the handling of personal information for the purposes of providing the Inbox service; and (b) the security measures implemented by each Member Service in respect of personal information are compliant with APP 11.

10.2 This PIA does not analyse: (a) any myGov account or Inbox functions which are not to be introduced during the Inbox Release or which are under consideration for future releases; (b) the privacy impacts of collections, uses and disclosures of user personal information that are already undertaken by each Member Service as apart of the Member Service's existing business as usual processes; (c) the impact of the secrecy provisions in the legislation that applies to DHS or any of the Member Services; or (d) the compliance by DHS or any Member Service with their own internal privacy policies, as they are not applicable to myGov.

18 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 11. Glossary Acronyms AGPSPF Australian Government Protective Security Policy Framework APP Australian Privacy Principle ASDISM Australian Signals Directorate Information Security Manual DHS Department of Human Services MBUN Meaningless but unique number OAIC Office of the Australian Information Commissioner PIA Privacy Impact Assessment POI Proof of Identity PORO Proof of Record Ownership Definitions APP Guidelines The APP Guidelines published by the OAIC on 21 February 2014 at http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/.

Audit Log A chronological record of system activities. Includes records to system accesses and operations performed in a given period.

australia.gov.au The branded online entry point for the Australian Government, which previously provided an Authenticated access point to allow users to create anonymous accounts. These accounts were transferred to myGov in the May 2013 Release. authenticate The process of identifying a user using a credential e.g. user name, password, secret question and answer. A user must authenticate to myGov to access their myGov account. A user must authenticate to a Member Service website when linking to that Member Service using an existing Member Service online account.

Authentication Hub The Authentication Hub provides services and interfaces for Authentication, registration and single sign on to online services for Member Services DHS Member Services DHS' Centrelink, Medicare and Child Support master programs.

Electronic Messaging A free service provided by Centrelink that allows users to receive SMS or email messages from Centrelink, such as requests to attend appointments or provide documents, reminders to provide up-to-date information, payment advices and notifications about some decisions.

FOI Act the Freedom of Information Act 1982 (Cth). Front Channel The authentication and linkage of accounts process involving the individual

19 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Linking logging into a myGov account and then being transferred to the Member Service's landing page to undertake the authentication process. function creep The incremental expansion in the purpose of a system, to a point where information is used for purposes not initially agreed to or envisaged and unrelated to its original intent. Such expansion is generally organic in nature and lacks overall direction, planning or oversight.

Inbox A secure online facility within a user's myGov account, where the user can receive messages from linked Member Services.

Linked Document Correspondence to a user from a Member Service that is linked to that user's myGov account and stored in a Member Service system, which is accessed by the user through an active link in a message stored in the user's Inbox in their myGov account. Member Services The agencies and DHS master programs that have agreed to participate in the services offered by myGov. Member Service Identifier The unique identifier allocated by a Member Service to a customer of that Member Service. message A communication sent to a user by a Member Service and held in the user's Inbox, which contains the name of the Member Service, the subject matter, the time and date the message was sent, and the message in either the form of a message body or link to a Linked Document.

myGov Unauthenticated ‘public’ content and primary landing page/entry point for myGov creation, account management, myGov services and access to myGov account services. myGov account The authenticated portion of myGov containing an individual’s security account, and service offerings including, from the Inbox Release, the Inbox. myGov Administrator DHS, acting in its capacity as administrator of the myGov website. personal information has the meaning given to it by section 6 of the Privacy Act. Privacy Act the Privacy Act 1988.

Privacy Impact Assessment Guide the OAIC's Privacy Impact Assessment Guide, available at http://www.oaic.gov.au/images/documents/migrated/oaic/repository/publicatio ns/ guidelines/Privacy_Impact_Assessment_Guide.pdf.

The OAIC published a revised Privacy Impact Assessment Guide on 6 March 2014 (available at http://www.privacy.gov.au/privacy/privacy-engaging-with-you/current-privacy - consultations/guide-to-undertaking-privacy-impact-assessments/guide-to- undertaking-privacy-impact-assessments), which will remain open for public consultation until 28 March 2014. The procedure used in this PIA is also consistent with the revised guide.

Privacy Notice The privacy notice to be included on the myGov website. User Log The table in myGov which allows a user to see certain elements of

20 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 the information contained in the Audit Log. users Refers to users of services provided by the Member Services.

21 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Schedule 1 APP Compliance Below is an analysis of key elements of the APPs that are relevant to the Inbox Release. The analysis does not address those elements of the APPs which represent broader compliance obligations of DHS, but which do not specifically relate to the Inbox Release.

The APPs have applied from 12 March 2014. 1. APP1 – open and transparent management of personal information Text of APP1 Australian Privacy Principle 1 — open and transparent management of personal information 1.1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.

Compliance with the Australian Privacy Principles etc. 1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that: (a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and (b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code. APP Privacy policy 1.3 An APP entity must have a clearly expressed and up to date policy (the APP privacy policy) about the management of personal information by the entity.

1.4 Without limiting subclause 1.3, the APP privacy policy of the APP entity must contain the following information: (a) the kinds of personal information that the entity collects and holds; (b) how the entity collects and holds personal information; (c) the purposes for which the entity collects, holds, uses and discloses personal information; (d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information; (e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint; (f) whether the entity is likely to disclose personal information to overseas recipients; (g) if the entity is likely to disclose personal information to overseas recipients— the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Availability of APP privacy policy etc. 1.5 An APP entity must take such steps as are reasonable in the circumstances to make its APP privacy policy available: (a) free of charge; and (b) in such form as is appropriate.

22 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Note: An APP entity will usually make its APP privacy policy available on the entity’s website. 1.6 If a person or body requests a copy of the APP privacy policy of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.

Analysis of compliance with APP1 1.1. There is no IPP equivalent to APP 1. APP 1 is intended to ensure that agencies manage personal information in an open and transparent way. Implementation of APP1, including the adoption of an APP privacy policy, is a broader responsibility of DHS. This PIA arguably represents one reasonable step to implement practices, procedures and systems to comply with the APPs, as required under APP1.1(a).

1.2. APP 1.4 requires an APP entity (including DHS) to adopt an APP privacy policy, which contains a range of information, including: (a) the kinds of personal information that the entity collects and holds; (b) how the entity collects and holds personal information, and (c) the purposes for which the entity collects, holds, uses and discloses personal information. The APP entity must also take reasonable steps to make its APP privacy policy available free of charge and in an appropriate form (typically on the entity's website). 1.3. APP entities were required to adopt and publish their APP privacy policy by no later than 12 March 2014, when the APPs came into effect.

It is open to an APP entity to choose the style and format for its APP privacy policy, so long as the policy is clearly expressed, up-to-date and otherwise complies with the requirements of APP 1.

1.4. DHS has published its APP privacy policy on its website. DHS' APP privacy is clearly expressed, and is up-to-date as at 12 March 2014. 1.5. Currently, a detailed explanation of how and the purposes for which DHS collects, holds, uses or discloses personal information in the capacity as myGov Administrator is provided within the APP 5 notice published on myGov. However, DHS' APP privacy policy does not refer to these matters, even in general terms. To ensure full compliance with APP 1.4, DHS should review its APP privacy policy to ensure that the general descriptions of how and the purposes for which DHS collects, holds, uses or discloses personal information in the APP privacy policy takes into account DHS' personal information handling practices as myGov Administrator (see Recommendation 2).

1.6. The APP Privacy Policy is not required to contain the same level of detail as a collection notice provided under APP 5.1, which provides specific information relevant to a particular collection of personal information. 2 It is therefore unnecessary to address all of the matters described in the myGov Privacy Notice within DHS' APP privacy policy. However, DHS could address collections as myGov Administrator in its APP privacy policy in a general way by making the following amendments: (a) Part A – Personal Information handling practices (i) Under the heading "Why do we collect information about you" (page 6 of 57), add the following paragraph as the third paragraph in the section: 2 APP Guidelines, Chapter 1, paragraph 1.10.

23 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 "We collect information for the purposes of administering the myGov website (http://mygov.gov.au), and to facilitate the provision of online services through myGov." (ii) Under the heading "The purposes for which we use and disclose your personal information" and the subheading "Sharing (using) your personal information across the department" (page 9 of 57), add the following sentence to the end of the second paragraph: "We may also share certain personal information across the department for the purposes of administering the myGov website and to facilitate the provision of online services to you through myGov.

For further information, see the myGov Privacy Notice at [insert hyperlink]." (iii) Under the heading "The purposes for which we use and disclose your personal information" and the subheading "Disclosing your personal information to other parties" (page 9 of 57), add the following paragraph: "We may also share certain personal information with other Government agencies for the purposes of administering the myGov website and to facilitate provision of online services to you through myGov. For further information, see the myGov Privacy Notice at [insert hyperlink]." (iv) Under the heading "The purposes for which we use and disclose your personal information" and the subheading " and the subheading "Electronic Messaging Service (SMS and Email)" (page 11 of 57), add the following dotpoint in the sentence starting "Messages you may receive include: "notification of correspondence in your myGov Inbox, if you have one." (b) Part B – Personal Information handling practices (i) Under the heading "Common information handling practices across the department", add the following dot point under the heading "Collection of personal information (including sensitive information) (page 13 of 57): "for the purposes of administering the myGov website (http://mygov.gov.au), and facilitating the provision of online services through myGov, we collect the information described in the myGov Privacy Notice at [insert hyperlink]." (ii) Under the heading "Common information handling practices across the department", under the heading "Disclosures of personal information (including sensitive information) (page 15 of 57) add the following sentence at the end of the second paragraph: "If you have a myGov account, we may also disclose your personal information to administer your myGov account and facilitate provision of online services to you through your myGov account, in accordance with the myGov Privacy Notice at [insert hyperlink]." 1.7.

In addition to an APP policy, DHS has a separate obligation to take reasonable steps to implement practices, procedures and systems that will ensure that it complies with the APPs, and is able to deal with related inquiries and complaints (APP 1.2). The APP Guidelines contains examples of practices, procedures and systems that each APP entity should consider implementing to comply with APP 1.2. While DHS' broader privacy practices, procedures and systems which apply generally and are not specific to the Inbox Release are beyond the scope

24 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 of this PIA, DHS has taken the OAIC's suggestions contained in the APP Guidelines into account in designing its practices, procedures and systems to comply with the APPs. 2. APP2 – anonymity and pseudonymity Text of APP2 Australian Privacy Principle 2 — anonymity and pseudonymity 2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter. 2.2 Subclause 2.1 does not apply if, in relation to that matter: (a) the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or (b) it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.

Analysis of compliance with APP2 2.1. Individual users are not required to identify themselves to the myGov Administrator, and they access their myGov accounts through non-identifiable user names and user passwords. However, certain information provided for account recovery purposes (the user's name and e- mail address) could potentially identify the user. This information is required for the administration of myGov, and it impracticable for this information not to be collected in respect of certain users who wish to interact anonymously. Those users could however provide a non- identifying email address for account recovery purposes if they wished to.

2.2. It is impractical for a Member Service to deal with an individual who has not identified themselves or who has used a pseudonym in relation to their online accounts. The identity and circumstances of the relevant user is an essential part of the administration of the programs for which each Member Service is responsible, including their services provided through an online channel. Permitting anonymous or pseudonymous interactions through the online channel would undermine the security of the Member Services' records. Therefore the three Validation Processes for linking a Member Service to a myGov account (PORO, Credential Linking, or using a Linking Code) each provide equivalent levels of authentication as is currently obtained by each Member Service before providing access to its existing online systems.

Anonymous interaction would not be possible without undermining the security of the DHS Member Services' records.

2.3. As it is impracticable for the Member Service to deal with an individual who has not identified themselves or who have used a pseudonym in relation to their online accounts, no recommendations are made in relation to APP 2 for the purposes of this PIA. 2.4. Other mechanisms to allow individuals to deal with DHS without identifying themselves, or of using a pseudonym, may be appropriate in the context of other interactions (for example, in responding to queries which are not related to an individual account). However, these interactions do not fall within the scope of this PIA.

3.

APP3 – collection of solicited personal information Text of APP3 Australian Privacy Principle 3 — collection of solicited personal information Personal information other than sensitive information 3.1 If an APP entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

25 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 3.2 If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities. Sensitive information 3.3 An APP entity must not collect sensitive information about an individual unless: (a) the individual consents to the collection of the information and: (i) if the entity is an agency — the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or (ii) if the entity is an organisation — the information is reasonably necessary for one or more of the entity’s functions or activities; or (b) subclause 3.4 applies in relation to the information.

3.4 This subclause applies in relation to sensitive information about an individual if: (a) the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or (b) a permitted general situation exists in relation to the collection of the information by the APP entity; or (c) the APP entity is an organisation and a permitted health situation exists in relation to the collection of the information by the entity; or (d) the APP entity is an enforcement body and the entity reasonably believes that: (i) if the entity is the Immigration Department — the collection of the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by, or on behalf of, the entity; or (ii) otherwise — the collection of the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or (e) the APP entity is a non-profit organisation and both of the following apply: (i) the information relates to the activities of the organisation; (ii) the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.

Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B. Means of collection 3.5 An APP entity must collect personal information only by lawful and fair means. 3.6 An APP entity must collect personal information about an individual only from the individual unless: (a) if the entity is an agency: (i) the individual consents to the collection of the information from someone other than the individual; or (ii) the entity is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or (b) it is unreasonable or impracticable to do so.

26 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Solicited personal information 3.7 This principle applies to the collection of personal information that is solicited by an APP entity. Analysis of compliance with APP3 Collection of personal information – APP 3.1 3.1. Determining whether a particular collection of personal information is permitted under APP 3.1 requires a two-step process: Step 1 - identifying an APP entity's functions or activities; and Step 2 - determining whether the particular collection of personal information is reasonably necessary for or directly related to one of those functions or activities.

3 3.2. Identifying an agency's functions requires an examination of the legal instruments that confer or describe the agency's functions, including the relevant act and subordinate legislative instruments, the Administrative Arrangements Order made by the Governor-General, and government decisions or ministerial statements that announce a new government function, and agency publications which describe its functions such as the agency's Information Publication Scheme (IPS) entry, and annual report. The activities of an agency will be related to its functions, and include incidental and support activities such as human resources, corporate administration, property management and public relations activities.

3.3. Part 11 of the Schedule to the Administrative Arrangements Order made on 12 December 2013 provides that the matters dealt with by DHS are: "Development, delivery and co-ordination of government services, and development of policy on service delivery Monitoring and management of service delivery arrangements involving social security, child support, students, families, aged care, health programmes, disability employment services, superannuation release and Australian Hearing Services" 3.4. The myGov Administrator will collect personal information (comprising notification preference information including email address and mobile phone number) from a user: (a) for the purpose of sending the user a notification when the user receives a message in their Inbox; and (b) for users whose myGov accounts are linked to Centrelink, for the purpose of providing this information to Centrelink so that Centrelink can: (i) send the user a notification when Centrelink sends a message to a user's Inbox; (ii) to either subscribe the user for Centrelink's Electronic Messaging service or, if the user is already subscribed, to update the contact details used by that service; and (iii) update its customer contact details.

3.5. A collection will occur notwithstanding that the contact detail fields in the user's notification preference will be pre-populated with the details collected from the user for account recovery purposes, as the user will confirm or update this information. Email addresses have been treated as personal information for the purposes of this Privacy Impact Assessment, as they 3 See APP Guidelines, Chapter 3, paragraphs 3.9 to 3.24.

27 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 commonly include identifying information. However, a user could choose to use an anonymous email address if they wished. 3.6. An agency may only collect personal information that is "reasonably necessary for" or "directly related to" its functions or activities. (a) The "reasonably necessary" test is an objective test: whether a reasonable person who is properly informed would agree that the collection is necessary. It is the responsibility of an APP entity to be able to justify that the particular collection is reasonably necessary.

Factors relevant to determining whether a collection of personal information is reasonably necessary for a function or activity include the primary purpose of collection, how the personal information will be used and whether the entity could undertake the function or activity without collecting that personal information. "Necessary" is not defined in the Privacy Act. The High Court of Australia has noted that "there is, in Australia, a long history of judicial and legislative use of the term "necessary", not as meaning essential or indispensable, but as meaning reasonably appropriate and adapted." 4 Necessary is interpreted in a practical sense.

A collection, use or disclosure usually will not be considered necessary if there are reasonable alternatives available to handling information in that way.

5 (b) To be "directly related to" an agency's functions or activities, a clear and direct connection must exist between the personal information being collected and an agency's functions or activity. 3.7. The provision of the Inbox service through myGov, including sending notifications (including through Centrelink) where the user's notification preference requires it, facilitates the development, delivery and co-ordination of online services provided by the Member Services, and falls within the matters dealt with by DHS, as set out in the Administrative Arrangements Order.

3.8. The collection of personal information (email address or mobile phone number) by DHS as the myGov Administrator for the purposes of the Inbox Release would be reasonably necessary for, and directly related to, the provision of the Inbox Service, and therefore to DHS' functions or activities.

The collection is therefore compliant with APP 3.1. 3.9. There will be no collection of "sensitive information" for the purposes of the Inbox Release, and therefore APP 3.3 and APP 3.4 are not relevant.

Collection by lawful and fair means – APP 3.5 3.10. An APP entity must collect personal information "only by lawful and fair means" under APP 3.5. A collection of personal information is lawful if it is not contrary to law. Conversely, a means of collection will not be lawful if a law, legal order or legal principle prevents that means of collection. For example, a collection will be unlawful if it is: (a) in breach of legislation, such as computer hacking, using telephone interception or a listening device except under the authority or a warrant, or requesting or requiring information with, or for the purposes of, an act of discrimination; (b) by a means that would constitute a civil wrong, for example by trespassing on private property or threatening damage to a person unless information is provided; or (c) contrary to a court or tribunal order, such as an injunction issued against the collector.

6 4 Mulholland v Australian Electoral Commissioner [2004] HCA 41 per Gleeson CJ at paragraph 39. 5 APP Guidelines, Chapter B, paragraph B.109. 6 APP Guidelines, Chapter 3, paragraph 3.60 – 3.61.

28 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 3.11. No law, legal order or legal principles prevents DHS collecting user's email address or mobile phone number for the purposes of the Inbox Release, and the collection would therefore be by "lawful means". 3.12. A "fair means" of collecting information is one that is not oppressive, does not involve intimidation or deception, and is not unreasonably intrusive.

Whether a collection uses unfair means would depend on the circumstances. A collection of personal information may, for example, be unfair if it involves: (a) collecting from a file accidentally left on a street or from a lost electronic device; (b) collecting from an individual who is traumatised, in a state of shock or intoxicated; (c) misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information; or (d) collecting by telephoning an individual in the middle of the night. 7 3.13. The collection of personal information by DHS as myGov Administrator is by "fair means" as required by APP 3.5, as: (a) users will provide the personal information contained in their notification preferences directly, and can elect to amend or update this information at any time; (b) users will be notified of the meaning and implications of the collection of their personal information in the short and long form Privacy Notice at Schedule 2; (c) users who do not wish to provide information to establish their notifications preferences and access the Inbox services will not be required to do so to access services, as they will be able to continue to access Member Services through the on- site or on-call channels; and (d) users will be notified in the Privacy Notice that their contact details included in their notification preferences will be provided to Centrelink, if their myGov account is linked to Centrelink, and the purposes for which this information will be used.

This will also be addressed in the "pop up" that will appear before the user takes the final step (providing their Inbox notification preference or linking their myGov account to Centrelink) that will result in the information being provided to Centrelink. A user who does not wish this information to be provided to or used by Centrelink has the option not to link their myGov account to their Centrelink account, and to interact with Centrelink through other channels.

4. APP4 – dealing with unsolicited personal information Text of APP4 Australian Privacy Principle 4 — dealing with unsolicited personal information 4.1 If: (a) an APP entity receives personal information; and (b) the entity did not solicit the information; the entity must, within a reasonable period after receiving the information, determine whether or not the entity could have collected the information under Australian Privacy Principle 3 if the entity had solicited the information. 4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.

7 APP Guidelines, Chapter 3, paragraph 3.62 – 3.63.

29 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 4.3 If: (a) the APP entity determines that the entity could not have collected the personal information; and (b) the information is not contained in a Commonwealth record; the entity must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified. 4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if the entity had collected the information under Australian Privacy Principle 3.

Analysis of compliance with APP4 4.1. APP4 only applies if DHS receives unsolicited personal information. Unsolicited information is information that an APP entity receives, but has taken no active steps to solicit. This might include, for example, misdirected mail, unsolicited correspondence and job applications, and promotional flyers.

4.2. Users will need to take positive steps to register for a myGov account, and to confirm the personal information contained in their notifications preferences when they first use the Inbox service. The personal information collected in connection with the Inbox Release (the user's email address and/or mobile phone number) will be solicited by DHS, and therefore will not be unsolicited personal information. 4.3. As information that DHS receives from users and uses in connection with the Inbox Release will not be unsolicited, APP4 would not be relevant in the context of the Inbox Release.

5. APP5 – notification of the collection of personal information Text of APP5 Australian Privacy Principle 5 — notification of the collection of personal information 5.1 At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances: (a) to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or (b) to otherwise ensure that the individual is aware of any such matters. 5.2 The matters for the purposes of subclause 5.1 are as follows: (a) the identity and contact details of the APP entity; (b) if: (i) the APP entity collects the personal information from someone other than the individual; or (ii) the individual may not be aware that the APP entity has collected the personal information; the fact that the entity so collects, or has collected, the information and the circumstances of that collection; (c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order — the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection); (d) the purposes for which the APP entity collects the personal information;

30 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity; (f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity; (g) that the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information; (h) that the APP privacy policy of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint; (i) whether the APP entity is likely to disclose the personal information to overseas recipients; (j) if the APP entity is likely to disclose the personal information to overseas recipients — the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

Analysis of compliance with APP5 5.1. DHS will comply with APP5, subject to the implementation of Recommendation 1 and Recommendation 2 prior to the Inbox Release. 5.2. APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps to notify the individual of certain matters (referred to as "APP 5 matters"), or otherwise ensure that the individual is aware of those matters. This notification must occur at or before the time of collection, or as soon as practicable afterwards. 5.3. The "reasonable steps" test is an objective test: namely, whether a reasonable person in those circumstances would agree that the entity had acted reasonably in providing notice or ensuring awareness of the APP 5 matters.

The reasonable steps for an APP entity will depend on circumstances that include: (a) the type of personal information collected, including whether it included any sensitive information; (b) the possible adverse consequences for an individual as a result of the collection; (c) any special needs of the individual; and (d) the practicability including time and cost involved (although the entity is not automatically excused from taking particular steps by reason only that it would be inconvenient, time-consuming or impose some cost to do so, and whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances).

8 5.4. The OAIC has suggested that reasonable steps that an APP entity could consider include: (a) if an entity collects personal information directly from an individual who completes a form or uses an online facility – clearly and prominently displaying the APP5 matters in the form or providing a readily accessible link to an APP5 notice, and asking the individual to confirm that they have reviewed the notice before providing their personal information; 8 APP Guidelines, Chapter 5, paragraph 5.4.

31 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (b) If personal information is collected by telephone, explaining the APP 5 matters to the individual at the start of the call (perhaps following a template script or using an automated message, or where this is not practicable giving the individual information about the APP 5 matters as soon as possible afterwards , such as in any subsequent electronic or paper-based communication or directing the individual to the relevant notice on the entity's website); or (c) if the entity collects personal information from another entity, confirming whether the other entity has provided the relevant APP 5 notice to the individual, or whether the individual was otherwise aware of the APP 5 matters at the time of collection; or (d) where it is not reasonable to notify or ensure awareness of the full range of APP 5 matters, altering the individual to specific sections of its APP privacy policy or other general documents containing relevant information.

9 5.5. The myGov Privacy Notice describes the information which will be notified to a user prior to DHS collecting their personal information for the purposes of the Inbox Release. The revised Privacy Notice in Schedule 2 contains the notifications that are required to comply with APP 5. 5.6. It is not essential that all of the APP 5 matters are addressed in the myGov Privacy Not, provided that DHS is satisfied that it has otherwise taken reasonable steps to notify users or otherwise ensure users are aware of this information. For example, DHS may prefer to address matters such as the consequences for a user if personal information is not collected by DHS or overseas disclosure in its APP privacy policy.

6. APP6 – use or disclosure of personal information Text of APP6 Australian Privacy Principle 6 — use or disclosure of personal information Use or disclosure 6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless: (a) the individual has consented to the use or disclosure of the information; or (b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information. Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.

6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if: (a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is: (i) if the information is sensitive information — directly related to the primary purpose; or (ii) if the information is not sensitive information — related to the primary purpose; or (b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or (c) a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or 9 APP Guidelines, Chapter 5, paragraphs 5.6.

32 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or (e) the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.

6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if: (a) the agency is not an enforcement body; and (b) the information is biometric information or biometric templates; and (c) the recipient of the information is an enforcement body; and (d) the disclosure is conducted in accordance with the guidelines made by the Commissioner for the purposes of this paragraph.

6.4 If: (a) the APP entity is an organisation; and (b) subsection 16B(2) applied in relation to the collection of the personal information by the entity; the entity must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before the entity discloses it in accordance with subclause 6.1 or 6.2.

Written note of use or disclosure 6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure. Related bodies corporate 6.6 If: (a) an APP entity is a body corporate; and (b) the entity collects personal information from a related body corporate; this principle applies as if the entity’s primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.

Exceptions 6.7 This principle does not apply to the use or disclosure by an organisation of: (a) personal information for the purpose of direct marketing; or (b) government related identifiers.

Analysis of compliance with APP6 6.1. DHS will comply with APP6 in connection with the Inbox Release for the reasons set out below. 6.2. All personal information collected in connection with the Inbox Release will be used and disclosed for its primary purpose of collection. This purpose (for either DHS as myGov Administrator or Centrelink to send the user a notification when a Member Service has sent a message to the user's Inbox), is notified to the user in the myGov Privacy Notice and in the "pop up box" that appears before a user sets their notification preference or links to Centrelink.

33 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 7. APP7 – direct marketing Text of APP7 Australian Privacy Principle 7 — direct marketing Direct marketing 7.1 If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing. Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A. Exceptions — personal information other than sensitive information 7.2 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if: (a) the organisation collected the information from the individual; and (b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and (c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and (d) the individual has not made such a request to the organisation.

7.3 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if: (a) the organisation collected the information from: (i) the individual and the individual would not reasonably expect the organisation to use or disclose the information for that purpose; or (ii) someone other than the individual; and (b) either: (i) the individual has consented to the use or disclosure of the information for that purpose; or (ii) it is impracticable to obtain that consent; and (c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and (d) in each direct marketing communication with the individual: (i) the organisation includes a prominent statement that the individual may make such a request; or (ii) the organisation otherwise draws the individual’s attention to the fact that the individual may make such a request; and (e) the individual has not made such a request to the organisation.

Exception — sensitive information 7.4 Despite subclause 7.1, an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.

Exception — contracted service providers

34 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 7.5 Despite subclause 7.1, an organisation may use or disclose personal information for the purpose of direct marketing if: (a) the organisation is a contracted service provider for a Commonwealth contract; and (b) the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and (c) the use or disclosure is necessary to meet (directly or indirectly) such an obligation. Individual may request not to receive direct marketing communications etc.

7.6 If an organisation (the first organisation) uses or discloses personal information about an individual: (a) for the purpose of direct marketing by the first organisation; or (b) for the purpose of facilitating direct marketing by other organisations; the individual may: (c) if paragraph (a) applies — request not to receive direct marketing communications from the first organisation; and (d) if paragraph (b) applies — request the organisation not to use or disclose the information for the purpose referred to in that paragraph; and (e) request the first organisation to provide its source of the information.

7.7 If an individual makes a request under subclause 7.6, the first organisation must not charge the individual for the making of, or to give effect to, the request and: (a) if the request is of a kind referred to in paragraph 7.6(c) or (d) — the first organisation must give effect to the request within a reasonable period after the request is made; and (b) if the request is of a kind referred to in paragraph 7.6(e) — the organisation must, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so. Interaction with other legislation 7.8 This principle does not apply to the extent that any of the following apply: (a) the Do Not Call Register Act 2006; (b) the Spam Act 2003; (c) any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the regulations.

Analysis of compliance with APP7 7.1. APP 7 applies to organisations rather than to agencies. 7.2. Under section 7A of the Privacy Act, an act or practice of an agency may in the prescribed circumstances be treated as an act or practice of an organisation. This applies to: (a) a prescribed agency specified in Part I of Schedule 2 to the Freedom of Information Act 1982 (FOI Act); or (b) an agency specified in Division 1 of Part II of Schedule 2 to the FOI Act. 7.3. These include acts or practices of the Department of Human Services "in relation to documents in respect of commercial activities relating to the functions of the Chief Executive

35 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Medicare", and which relate to those commercial activities. 10 It does not however include acts or practices of DHS acting in its capacity as myGov Administrator, in connection with the Inbox Release. 7.4. In any event, it is not intended to use any personal information collected from users for the purposes of myGov or the Inbox Release for direct marketing. Accordingly it is not necessary to determine whether an exception applies so as to allow direct marketing under APP 7. Medicare should however consider the extent to which APP 7 affects its other activities, which are outside the scope of this PIA.

8. APP8 – cross border disclosure of personal information Text of APP8 Australian Privacy Principle 8 — cross-border disclosure of personal information 8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient): (a) who is not in Australia or an external Territory; and (b) who is not the entity or the individual; the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles. 8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if: (a) the entity reasonably believes that: (i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and (ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or (b) both of the following apply: (i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure; (ii) after being so informed, the individual consents to the disclosure; or (c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or (d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or (e) the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or (f) the entity is an agency and both of the following apply: 10 See section 7(A)(3) of the Privacy Act and Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982.

36 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; (ii) the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body. Note: For permitted general situation, see section 16A. Analysis of compliance with APP8 8.1. DHS is not intending to disclose any personal information in respect of users to an overseas recipient.

DHS' records containing personal information are not held by outsourced ICT service providers who are located overseas, or stored in offshore clouds. Accordingly it is not necessary to determine whether APP8 applies to the Inbox Release or whether an exception applies so as to allow the disclosure under APP8.

9. APP9 – adoption, use or disclosure of government related identifiers Text of APP9 Australian Privacy Principle 9 — adoption, use or disclosure of government related identifiers Adoption of government related identifiers 9.1 An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless: (a) the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or (b) subclause 9.3 applies in relation to the adoption. Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Use or disclosure of government related identifiers 9.2 An organisation must not use or disclose a government related identifier of an individual unless: (a) the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or (b) the use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or (c) the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or (d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or (e) the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or (f) subclause 9.3 applies in relation to the use or disclosure.

Note 1: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Note 2: For permitted general situation, see section 16A.

37 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Regulations about adoption, use or disclosure 9.3 This subclause applies in relation to the adoption, use or disclosure by an organisation of a government related identifier of an individual if: (a) the identifier is prescribed by the regulations; and (b) the organisation is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and (c) the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.

Note: There are prerequisites that must be satisfied before the matters mentioned in this subclause are prescribed, see subsections 100(2) and (3). Analysis of compliance with APP9 9.1. APP 9 applies to organisations rather than to agencies. 9.2. Under section 7A of the Privacy Act, an act or practice of an agency may in the prescribed circumstances be treated as an act or practice of an organisation. This applies to: (a) a prescribed agency specified in Part I of Schedule 2 to the FOI Act; or (b) an agency specified in Division 1 of Part II of Schedule 2 to the FOI Act. 9.3. These include acts or practices of the Department of Human Services "in relation to documents in respect of commercial activities relating to the functions of the Chief Executive Medicare", and which relate to those commercial activities.

11 It does not include acts or practices of DHS in its capacity as myGov Administrator. It is therefore not necessary to determine whether APP 9 applies in the context of the Inbox Release. 9.4. However, it is worth noting that DHS in its capacity as myGov Administrator will not adopt a user's existing government related identifier as its own identifier. Users will be identified in myGov using a non-identifiable username and password, which DHS as myGov Administrator will not disclose to any Member Service. A user's myGov account will have MBUNs associated with it, which is a unique number generated to link a Member Service which does not identify a user.

An MBUN does not contain or reveal a user's myGov username or Member Service Identifier.

9.5. Medicare should however consider the extent to which APP 9 affects its other activities, which are outside the scope of this PIA. 10. APP10 – quality of personal information Text of APP10 Australian Privacy Principle 10 — quality of personal information 10.1 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up-to-date and complete. 10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

Analysis of compliance with APP10 10.1. DHS will comply with APP 10 in relation to the Inbox Release for the reasons set out below. 11 See section 7(A)(3) of the Privacy Act and Division 1 of Part II of Schedule 2 to the FOI Act.

38 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 10.2. Under APP10, DHS needs to determine what steps (if any) are reasonable for it to take in order to verify that the personal information collected from the user is accurate, up to date, complete and relevant. In the context of APP 10, the 'reasonable steps' that an APP entity should take will depend upon circumstances that include: (a) the sensitivity of the personal information; (b) the nature of the APP entity (including its size, resources and business models); (c) the possible adverse consequences for an individual if the quality of personal information is not ensured; and (d) the practicability, including time and cost involved.

However, an entity is not excused from taking particular steps by reason only that it would be inconvenient, time- consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.

12 10.3. It is implicit from the use of the phrase "if any" in APP 10.1 that it will be reasonable for an APP entity to take no steps to ensure data quality in some circumstances. For example, where an entity collects personal information from a source known to be reliable (such as the individual concerned) it may be reasonable to take no steps to ensure data quality. 13 10.4. The personal information which is used in connection with the Inbox Release will be provided directly by the relevant individual concerned (the original source of the information). In the circumstances, it is reasonable for DHS as myGov Administrator not to take steps to ensure the accuracy of the information collected.

10.5. myGov permits users to update the personal information contained in their notifications preferences easily. The provision of a readily accessible means to update the user's personal information constitutes reasonable steps to ensure the currency and completeness of the information. 11. APP11 – security of personal information Text of APP11 Australian Privacy Principle 11 — security of personal information 11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure.

11.2 If: (a) an APP entity holds personal information about an individual; and (b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and (c) the information is not contained in a Commonwealth record; and (d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information; the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified. 12 APP Guidelines, Chapter 10, paragraph 10.6.

13 APP Guidelines, Chapter 10, paragraph 10.7.

39 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Analysis of compliance with APP11 11.1. DHS will comply with APP11 in connection with the Inbox Release for the reasons set out below. 11.2. APP 11.1 requires each APP entity to take such steps as are reasonable to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The term "reasonable" is not defined in the Privacy Act. The APP Guidelines provide that the term bears its ordinary meaning, as being based upon or according to reason and capable of sound explanation.

What is reasonable is a question of fact in each individual case. It is an objective test that has regard to how a reasonable person, who is properly informed, would be expected to act in the circumstances. What is reasonable can be influenced by current standards and practices.

14 11.3. The Inbox Release does not alter the existing security measures applied by DHS in respect of personal information held by it. DHS will apply appropriate security measures in respect of myGov, which will conform to Australian Government Protective Security Policy Framework (AGPSPF) and the Australian Signals Directorate Information Security Manual (ASDISM) security guidelines, and include use of data encryption, storing data at a secure facility and recording when a user's myGov account is accessed.

11.4. Access to a user's myGov Account and to their Inbox is protected by appropriate security measures, such as the use of an anonymous username and password, and restrictions on username recovery (which require access to the user's nominated email account and password resetting (which requires the user to answer secret questions provided by the user during the establishment of their myGov account).

11.5. These measures have been assessed by DHS as sufficiently secure in light of nature of the information held. The application of these measures constitute such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and unauthorised access, modification or disclosure, sufficient to demonstrate compliance with APP 11.

11.6. As any other personal information collected or held by DHS would be contained in a Commonwealth record, the obligation to destroy or de-identify records containing personal information once they are no longer required would not arise. Although users who delete their myGov account would be unable to access their account, this would not result in the deletion of historical information stored by the myGov Administrator in connection with this account. This information is retained in accordance with DHS' obligations in respect of Commonwealth records under the Archives Act 1983.

12.

APP12 – access to personal information Text of APP12 Australian Privacy Principle 12 — access to personal information Access 12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information. Exception to access — agency 12.2 If: (a) the APP entity is an agency; and (b) the entity is required or authorised to refuse to give the individual access to the personal information by or under: 14 Bankstown Foundry Pty Ltd v Braistina [1986] HCA 20 (Mason, Wilson and Dawson JJ at paragraph 12).

40 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 (i) the Freedom of Information Act; or (ii) any other Act of the Commonwealth, or a Norfolk Island enactment, that provides for access by persons to documents; then, despite subclause 12.1, the entity is not required to give access to the extent that the entity is required or authorised to refuse to give access. Exception to access — organisation 12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that: (a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or (b) giving access would have an unreasonable impact on the privacy of other individuals; or (c) the request for access is frivolous or vexatious; or (d) the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or (e) giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or (f) giving access would be unlawful; or (g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or (h) both of the following apply: (i) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; (ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or (i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or (j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

Dealing with requests for access 12.4 The APP entity must: (a) respond to the request for access to the personal information: (i) if the entity is an agency — within 30 days after the request is made; or (ii) if the entity is an organisation — within a reasonable period after the request is made; and (b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

Other means of access 12.5 If the APP entity refuses: (a) to give access to the personal information because of subclause 12.2 or 12.3; or (b) to give access in the manner requested by the individual;

41 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 the entity must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual. 12.6 Without limiting subclause 12.5, access may be given through the use of a mutually agreed intermediary. Access charges 12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.

12.8 If: (a) the APP entity is an organisation; and (b) the entity charges the individual for giving access to the personal information; the charge must not be excessive and must not apply to the making of the request. Refusal to give access 12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out: (a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and (b) the mechanisms available to complain about the refusal; and (c) any other matter prescribed by the regulations.

12.10 If the APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.

Analysis of compliance with APP12 12.1. DHS would comply with APP 12 in connection with the personal information used in connection with the Inbox Release, for the reasons set out below. 12.2. Under APP 12, DHS is required to give an individual access to the personal information held by it unless it is authorised to refuse access under the FOI Act or other Commonwealth or Norfolk Island legislation. The exceptions to access in APP 12.3 only apply to "organisations", and would not apply to an agency such as DHS.

12.3. DHS must give the individual access to the personal information within 30 days of request, and in the form reasonably requested by the individual.

DHS cannot charge the individual for making the request or giving access to the information. 12.4. If DHS refuses: (a) to give access to the information at all, because DHS is authorised to refuse access under the FOI Act or other Commonwealth legislation; or (b) to give access to the information in the manner requested by the individual, DHS must take reasonable steps to give access in a way that meets the needs of DHS and the individual. This might involve, for example, access through the use of an intermediary, or access to a redacted document.

12.5. Users would be able to access the information which DHS uses in connection with the Inbox Release (the user's email address and mobile phone number) by accessing the notifications preferences in their myGov account.

42 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 12.6. As users can access their personal information directly through their myGov account, it is not necessary for DHS to implement separate processes to provide individuals with access to the personal information contained in their notifications preferences. 12.7. The only circumstances in which a user could not access their personal information contained in their myGov account would be if their account is permanently locked, because the user has forgotten their user password and been unable to remember the answers to their secret questions.

Once an account is locked, information contained in that account can no longer be accessed by the user until such time as the account is unlocked. DHS can technically access information in a locked account for legitimate purposes such as law enforcement, but will not permit users to access locked accounts for security reasons. Given the limited information held by the myGov Administrator in connection with a myGov account, it would not be possible for a user to provide sufficient information to the myGov Administrator to prove record ownership and address security concerns.

12.8. After an account is permanently locked, the account and any information it contains is deleted from the myGov system after a period of time. It is not technically possible for DHS to provide a user with access to deleted information. 13. APP13 – correction of personal information Text of APP13 Australian Privacy Principle 13 — correction of personal information Correction 13.1 If: (a) an APP entity holds personal information about an individual; and (b) either: (i) the entity is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or (ii) the individual requests the entity to correct the information; the entity must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.

Notification of correction to third parties 13.2 If: (a) the APP entity corrects personal information about an individual that the entity previously disclosed to another APP entity; and (b) the individual requests the entity to notify the other APP entity of the correction; the entity must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so. Refusal to correct information 13.3 If the APP entity refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out: (a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and (b) the mechanisms available to complain about the refusal; and (c) any other matter prescribed by the regulations.

43 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Request to associate a statement 13.4 If: (a) the APP entity refuses to correct the personal information as requested by the individual; and (b) the individual requests the entity to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; the entity must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

Dealing with requests 13.5 If a request is made under subclause 13.1 or 13.4, the APP entity: (a) must respond to the request: (i) if the entity is an agency — within 30 days after the request is made; or (ii) if the entity is an organisation — within a reasonable period after the request is made; and (b) must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).

Analysis of compliance with APP13 13.1. The personal information used by DHS in connection with the Inbox Release is of a limited nature, comprising the user's notification preference information including their email address or mobile phone number. This information is provided to DHS directly by the relevant individual.

13.2. Users will be able to update their personal information directly through their myGov account. 13.3. The association of a statement that the personal information contained the user's notifications preferences is inaccurate, out of date, incomplete, irrelevant or misleading would not be appropriate in the context of myGov and Inbox, as a user is able to update the information directly themselves.

44 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Schedule 2 Privacy Notice 1. Privacy Notice (Short form) Your personal information is protected by law, including the Privacy Act 1988, and is collected by the Department of Human Services (as the administrator of myGov) to establish and administer your myGov account, which includes linking member services to your account when you request us to do so.

Your personal information is also collected and used to provide you with the Inbox service including establishing your Inbox notification preferences and sending you notifications when we receive any communications from linked member services in your Inbox. Your information may be used by the Department of Human Services or disclosed to other parties where you have agreed or it is required or authorised by law. You can get more information about the way in which the Department of Human Services will manage your personal information by accessing our detailed privacy notice, or by accessing our APP privacy policy.

2. Privacy Notice (Long form) Your privacy Privacy Notice The myGov website is managed by the Department of Human Services (the department) on behalf of the Australian Government. This Privacy Notice applies to the myGov website only. Separate privacy notices apply to the Centrelink, Medicare and Child Support services and the other Australian Government agencies you may link to your myGov account. Centrelink, Medicare and Child Support services and other Australian Government agencies which participate in myGov are referred to as Member Services in this Privacy Notice.

This Privacy Notice explains how the department collects, through the myGov website, personal information from you and: how the department will use and disclose that information; how the department will store and secure that information; and how you can access and alter your personal information.

Collections If you held an australia.gov.au account managed by the Department of Finance, that account is now managed through this website. Existing australia.gov.au account holders who wish to use their myGov account, and new users will be required to provide to the department, through myGov: an email address, and may also provide a mobile phone number, for account creation and to implement the user name recovery service feature of myGov; and a password and at least three secret questions and answers.

45 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 When the department receives the above information, you will automatically be provided with a user name for your myGov account. The department will maintain audit logs of activity in relation to your account such as last login, attempted logins and password changes. You can see much of this in your account history in your account. If you wish to link your myGov account to a Member Service's online account, the department may: • collect your personal information and send it to the Member Service so that the department can undertake an authentication process to ensure that your myGov account is linked to the correct record; or • transfer you to that Member Service's website landing page so that the Member Service can undertake an authentication process to ensure that your myGov account is linked to the correct record.

For this authentication process, amongst other things, you will be requested to provide the Member Service with the identification number relevant to that Member Service (for example, your Centrelink Customer Registration Number). In relation to some Member Services, you may also be able to link your myGov account to a Member Service’s online account using a myGov linking code issued to you. The department will send the myGov linking code that you provide to the relevant Member Service that issued the linking code. The Member service will validate the linking code and link your myGov Account to the correct record.

The department will collect your email address and/or mobile phone number and your notification preference to send you a notification that you have received a message in your Inbox. The department will pre-populate your notification preferences with the details that it holds for account recovery purposes, and you will need to either confirm or update these details before you first use the Inbox services. You can change your notification preferences within myGov at any time. You may opt out of receiving any further messages through the Inbox from your linked participating member services at any time, by contacting the Member Services directly.

If the department does not collect the personal information referred to above, you will not be able to create a myGov account use the Inbox service or link the relevant Member Service's online account to your myGov account. Uses and Disclosures The department will use your personal information for the purposes for which you gave it to us. Those purposes include establishing, maintaining and performing administration in relation to your myGov account and the links between that account and the Member Services.

The department will only disclose your personal information you provide through the myGov website to another organisation, or a government agency, if it: is necessary to provide you with a service that you have requested (including enabling us to link your accounts, and providing the Inbox service); or is necessary to complete an activity that you have chosen to undertake.

Centrelink will use the contact details (email address or mobile telephone number) contained in your notification preference for your myGov Inbox to:

46 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 • let you know when it has sent you a message to your myGov Inbox; • update the contact details that Centrelink holds for you; and • where appropriate, either subscribe you for Centrelink's Electronic Messaging service or, if you are already subscribed, to update your contact details for that service. For Terms and Conditions for this Centrelink service go to humanservices.gov.au/em. Centrelink will not subscribe you for Electronic Messaging if you have previously indicated you do not wish to use this service.

If your myGov account is already linked to Centrelink when you first confirm your notification preferences, then Centrelink will use the details in your myGov preferences at that time.

If you link your myGov account to Centrelink after you first use Inbox, Centrelink will use the details in your myGov notification preferences at the time you link your myGov account to Centrelink As Centrelink's records are separate to myGov, changing your myGov notification preferences or unlinking your myGov account from Centrelink would not automatically update the information relating to your notification preferences held in Centrelink records. You would need to update this information directly with Centrelink.

We will only use your personal information, or disclose it to another organisation or government agency, for any another purpose (other than the purpose of collection) if you consent, or if that other purpose: is required or authorised by law; will prevent or lessen a serious and imminent threat to the life or health of an individual; or is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of public revenue. We will not disclose the personal information you provide to us to any overseas recipient. Cookies The department only analyses non-identifiable website traffic data to improve our services for the myGov website service.

Cookies are pieces of information that a website can transfer to an individual's computer. We only use session-based cookies (temporary cookie files, which are erased when you close your browser) for the single sign-on service and to gather anonymous website usage data to help improve the structure and functionality of myGov. We do not use persistent cookies (cookies that remain on your hard drive until you erase them or they expire). You can change your web browser settings to reject cookies or to prompt you each time a website wishes to add a cookie to your browser. Some functionality on the myGov website may be affected by this.

The department will not attempt to identify you or your browsing activities. However, there are some circumstances when the department may need to disclose your information to law enforcement authorities, for example, if the disclosure: is required or authorised by law; will prevent or lessen a serious and imminent threat to the life or health of an individual; or is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of public revenue.

47 Privacy Impact Assessment – 14 May 2014 Doc ID 173877411/v1 Data security The department takes reasonable steps to protect the personal information that it holds against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include storing electronic files in secure facilities, encryption of data, conducting regular backups of data, using audit and logging mechanisms and having physical access restrictions in place. Subject to the department's record-keeping obligations under the Archives Act 1983, personal information is destroyed in a secure manner, if it is no longer required.

Access to and correction of your personal information You may gain access to personal information about you that the department holds and more specifically any personal information collected and held as a result of the management of myGov unless the department is required or authorised by law to refuse to allow you to access the record. You can ask the department to amend information it holds about you if you consider that the information is misleading or is not complete or up to date. The department will make the amendment you request unless there is a sound reason under law not to make the amendment.

The department will explain its reasons to you, if we decide not to amend the information. If the department refuses to make the amendment that you request, you may ask that a statement regarding the amendment that you have sought be added to your information To protect your privacy and the privacy of others, the department may need to have evidence of your identity before we can give you access to information about you or change the information in your myGov account.

The department's APP privacy policy contains information about how you can access personal information about you that the department holds, and seek the correction of this information. How to contact us If you wish to access your personal information, or if you are concerned about how myGov has collected or managed your personal information, please call Customer Relations on 1800 050 004 or the TTY phone on 1800 000 567. The department's APP privacy policy contains information about how you can complain about a breach of the Australian Privacy Principles, and how we will deal with such a complaint.

Privacy and Australian Government agencies For more information about privacy obligations for Australian Government agencies please visit the following links: Office of the Australian Information Commissioner Privacy Act 1988 APP Guidelines Privacy Fact Sheet 17: Australian Privacy Principles