Dear Privacy Commissioner,

Related to general handling of privacy complaints or enquiries,

Please note I am referring FY2017 as the Income Tax Financial Year 2017, which can be alternatively any other such reasonable period that the data can be processed with aim that numbers provided can be comparable across the separate questions.

1) How many privacy complaints did you receive in total FY2017?

2) When does a complaint become an enquiry and other way around given complaints are labeled as enquiries if there is a difference between the two?

3) What is the difference between a complaint and an enquiry if any in respect of 2)

4) How many complaints did you receive originally submitted via the secure web form within your website within FY2017?

5) How many complaints did you receive originally submitted via insecure e-mail within FY2017?

6) How long the secure web form channel submission has been live?

7) How long the insecure e-mail channel submission has been live?

8) Was any of the technical service delivery elements regarding handling complaints subjected to a review, audit or such and if any please provide a copy. technical elements are your website secure form, complaint data handling and e-mail service delivery.

9) If a member of a public has alerted you to potential complaint data breach, what actions do you take and who provides oversight to this?

10) If a member of public has alerted you to a technical problem that can result breach of complaint data where there is a history of proven data breaches, what actions do you take and who provides oversight to this?

11) How many alerts from the members of public related to 9) and 10) you received during FY2017?

12) How do you evaluate potential or materialised data breaches on your complaint data that you hold, have sent or received? e.g. do you have a policy

13) When you have to forward or transfer the data from or to another commissioner how do you handle this? e.g. do you have a policy

14) What technical delivery is used for the transfer in respect of 13) e.g. insecure e-mail or "iron key" process using USB keys (MSD uses this) or physical paper form?

15) Has the transfer process from or to another body been formally designed and reviewed or is this up to the individual officer involved?

16) If you notice ad-hoc process created by individual officers relating to technical aspects of handling data and there is concern from a member public, is there any policy that addresses this?

17) During handling a complaint you need information from the complainant, complained party or a 3rd party, what data transfer method do you use or is this up to individual officer case-by-case basis?

18) Did the officers handling the complaints receive information security related training during FY2017.

19) Is there any information security policy related to handling complaints data? please provide a copy.

I would like also to request the below information regarding the data as part of the complaints;

a) How long has the current practice of copying the whole complaint data originally submitted and trusted via a secure https form into insecure e-mail has taken place?

b) Do you classify the data within complaints? e.g. as containing sensitive or medical data etc.

c) Are there any retention rules applied and what are these?

d) Is the complaint data stored in any searchable database?

e) Where else the complaint data is stored e.g. in e-mail inboxes/outboxes?

f) If you receive a letter of complaint in paper form via post, do you digitize this?

g) If the complaint in f) is digitized is it a subject of same treatment as originally digitally received complaint?

h) Can I have a copy of your policy regarding of using e-mail and complaint data protection

i) Does the secure web complaint form from the front-end web server transmit the complaint data to an internal e-mail address or to a secure database or such and is it a secure channel and what internet protocols are used?

j) Are there are e-mail forwarders in use where the complaint data gets copied incidentally to an officers personal e-mail for example.

k) Do you have rules with your e-mail provider in place that no e-mail forwarding in respect of j) can happen.

l) Can you audit who and when has inspected data from individual data, e.g, if you are in possession of health information or other sensitive data as part of the complaint.

m) Do you have any restrictions what data and when can individual officers access to e.g. only the cases they are handling.

n) Do you encrypt any of the complaint data you handle by practice or is this up to the individual officers on case by case basis?

Yours faithfully,

Miss W. Forest

Dear Privacy Commissioner,

You are past the 20 days allowed, a breach under the OIA s. 15(1).

Please provide a response.

p.s. You may want to remove the misleading automatic e-mail responder indicating 2-3 days expected response or provide separate e-mail address for OIA so your incoming data does not get mixed up in the same mailbox.

Yours sincerely,

Miss W. Forest