Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography

PART C

INTERACTION, INCONSISTENCY AND FRAGMENTATION

CHAPTER 10

OVERVIEW - INTERACTION, INCONSISTENCY AND FRAGMENTATION    

1. While no specific proposals flow from chapter 10, the Office welcomes the attention paid by the ALRC to a number of issues arising from interaction, inconsistency and fragmentation that impact on the regulation of personal information.

2. As noted in both the Office's report, Getting in on the Act: Review of the Private Sector Provisions of the Privacy Act (‘Private Sector Review')[126] and its submission to the ALRC's Issues Paper (IP 31) ‘the Office ... considers national uniformity in privacy regulation to be an overarching goal.'[127]

‘Because of the Privacy Act'

3. The Office also acknowledges the attention drawn in chapter 10 to the emerging notion of ‘BOTPAs', an abbreviated form of the expression ‘because of the Privacy Act'. BOTPA has come to represent circumstances where the Privacy Act is inappropriately attributed with preventing an information handling practice.

4. In many cases, BOTPAs may come to light via the media, where an agency or organisation cites the Privacy Act 1988 (Cth) as a reason not to engage in some way. The Office considers that BOTPAs may emerge where agencies or organisations:

• do not fully understand the operation or effect of the Privacy Act and either misapply the law or adopt unnecessarily conservative approaches; or
• may not have implemented appropriate privacy processes and procedures; or
• may be confusing obligations under the Privacy Act with other obligations, such as agency secrecy provisions or common law duties of confidentiality.

5. On some occasions, the effect of the Privacy Act may be deliberately miscast so that an organisation or agency can avoid having to perform a certain activity, such as by not disclosing personal information when it would be permitted by NPP 2.

6. For example, an agency may find that on closer examination, it has not provided an adequate IPP 2 notice to individuals that mirrors the way the agency actually intends to use or disclose the information it has collected, or an agency's own legislation may prevent it from using or disclosing the personal information it has collected in a particular way. Alternatively, an organisation may refuse to disclose information when it would comfortably fall within the related purpose/reasonable expectation test of NPP 2.1.

7. The Office's education and guidance functions are important in responding to BOTPAs and in ensuring that individuals, agencies and organisations have a clear understanding of their various rights and obligations, as well as understanding what the Privacy Act does not require or cover.

8. Perhaps more significantly though, national consistency in privacy regulation would likely make a significant contribution to promote clear and common understanding of privacy obligations among all parties.

CHAPTER 11

THE COSTS OF INCONSISTENCY AND FRAGMENTATION

Proposal 11-1 The Office of the Privacy Commissioner should provide further guidance to agencies and organisations on privacy requirements affecting information sharing.

1. The Office agrees with proposal 11-1.

Proposal 11-2   Agencies that are required or authorised by legislation or a public interest determination to share personal information should develop and publish documentation that addresses the sharing of personal information; and where appropriate, publish other documents (including memoranda of understanding and ministerial agreements) relating to the sharing of personal information.

2. The Office agrees with proposal 11-2.

Proposal 11-3 The Australian government should convene an inter-agency working group of senior officers to identify circumstances where it would appropriate to share or streamline the sharing of personal information among Australian Government agencies.

3. The Office does not support this proposal.

4. The intent of the proposal seems unclear. Such a forum would not appear to provide the necessary specific and reasoned consideration of privacy obligations.

5. In the view of the Office, any proposal for sharing information between agencies should be considered and assessed on its own merits by the respective agencies involved, with a view to the necessary legislative requirements and obligations governing the handling of the information. A Privacy Impact Assessment (PIA) of the proposed information sharing project would be a crucial, underpinning element of these considerations. Agencies are encouraged to consult with the Office in regard to privacy risks identified in a PIA.

Proposal 11-4   The Australian Government, in consultation with: state and territory governments, intelligence agencies, law enforcement agencies, and accountability bodies (including the Office of the Privacy Commissioner; the Inspector-General of Intelligence and Security; the Australian Commission for Law Enforcement Integrity; state and territory privacy commissioners and agencies with responsibility for privacy regulation; and federal, state and territory ombudsmen), should:

(a)    develop and publish a framework relating to interjurisdictional sharing of personal information within Australia by intelligence and law enforcement agencies; and

(b)    develop memoranda of understanding to ensure that accountability bodies can oversee interjurisdictional information sharing within Australia by law enforcement and intelligence agencies.

6. The Office agrees with proposal 11-4.

7. A transparent, published framework clarifying the interjurisdictional sharing of personal information within Australia by intelligence and law enforcement agencies would, in the view of the Office, be a welcome addition to the public's understanding of what, when and how information is shared between agencies and the accountability mechanisms that oversight such activities.

8. The proposal is in accord with suggestions made in the Office's submission to the Parliamentary Joint Committee on the Australian Crime Commission regarding its inquiry into the ‘Future impact of serious and organised crime on Australian Society' (August 2007).[128] The Office's suggestions included that:

• government agencies not subject to the statutory privacy regulation should develop and implement information handling practices that incorporate principles similar to those contained within the Privacy Act; and privacy guidelines could be included as part of any memorandum of understanding or agreement between jurisdictions.

Question 11-1 Are the definitions of ‘contracted service provider' and ‘State contract' under the Privacy Act adequate?  For example, do they cover all the types of activities that organisations might perform on behalf of agencies?

9. The Office welcomes the opportunity provided by the ALRC for further discussion on the definition of ‘contracted service provider', whether this definition should be amended and whether the definition of ‘State contract' under the Privacy Act is adequate.

10. This question is posed in response to the concerns raised in the Office's submission to the ALRC's Issues Paper 31 (IP 31),[129] where the Office suggested that the definition of ‘contracted service provider' in Part II of the Privacy Act be reviewed to ensure that it is adequate to cover all the types of activities that private sector organisations might perform on behalf of agencies.

11. The Office draws attention to the concerns it raised in its submission to ALRC 31,[130] regarding gaps and inconsistencies in state and territory contractor's privacy obligations and the provision of services by these contractors in its submission to IP 31.

CHAPTER 12

FEDERAL INFORMATION LAWS

Preliminary comments

1. The Office has experience in dealing with the overlap between the Privacy Act 1988 (Cth) (‘Privacy Act') and the Freedom of Information Act 1982 (Cth) (‘FOI Act'), which occurs in relation to access to, and amendment of, personal information.

2. In its submission to the ALRC's Issues Paper 31 (IP 31), the Office observed that while the overlap between the Privacy Act and the FOI Act is not debilitating, there is value in distinguishing the Privacy Act provisions regarding access to and correction of personal information from the access and amendment provisions in the FOI Act.[131] The Office is of the view that access to one's own personal information is an important form of privacy protection and where possible individuals should not be subject to prescriptive FOI processes.

3. The Office is pleased to note that the ALRC's proposals address this concern and suggests the introduction of a new part in the Privacy Act to deal with access to and correction of personal information held by agencies. The Office notes that a number of the proposals to address the overlap between the Privacy Act and the FOI Act would turn on amendments to the FOI Act.

4. The Office is aware that on 24 September 2007, the ALRC received terms of reference from the former Attorney-General, the Hon Philip Ruddock, to inquire into freedom of information laws and practices across Australia.

5. The Office also notes the Government's undertaking to significantly reform freedom of information and privacy laws and restructure their administration.[132] The Office submits that due to the interaction between the Privacy Act and the FOI Act a review of the FOI Act will have a significant impact upon the regulation and administration of the Privacy Act.

6. In anticipation of this more focused and substantial inquiry into the FOI Act, the Office has only provided brief responses to the issues regarding FOI at this time. The Office looks forward to contributing to the ALRC's review of the FOI Act as it progresses.

Proposal 12-1 The Australian Government and state and territory governments should ensure the consistency of definitions and key terms (for example, ‘personal information', ‘sensitive information' and ‘health information') in federal, state and territory legislation that regulates the handling of personal information.

7. The Office offers in principle support for this proposal.

8. However, in its submission to IP 31,[133]the Office suggested that such an exercise should be undertaken with care. The Office noted that the unintended consequences of attempting to inappropriately unify definitions may outweigh the benefits of clarity and convenience of interpretation achieved through the consistent use of key terms.

9. In general though, it would be helpful to, wherever possible, develop consistent definitions. In chapter 4 of this submission, the Office has supported the common use of terms such as ‘personal information', ‘sensitive information' and ‘health information' as an important step to harmonising health privacy regulation.

10. Similarly, the Office, in its submission to IP 31[134]noted that it may be useful to develop consistent definitions for ‘record' and ‘ document' across the FOI Act, the Privacy Act and the Archives Act 1982 (Cth). This is essentially because these laws tend to interact with one another frequently.

11. Accordingly the Office is of the view that consistent use of terms across federal, state and territory legislation should be pursued where a sound policy foundation for consistency exists.

Proposal 12-2 Section 41(1) of the Freedom of Information Act 1982 (Cth) should be amended to provide that a document is exempt if:

(a) it contains personal information, the disclosure of that information would constitute a breach of the proposed ‘Use and Disclosure' principle and disclosure would not, on balance, be in the public interest; or

12. The Office agrees with proposal 12-2(a).

13. The proposal is in accordance with the intent of the Office's position in its submission to IP 31[135]to make clearer references to Privacy Act provisions in legislation which interact with Privacy Act exceptions.

(b) it contains personal information of a deceased individual, the disclosure of that information would constitute a breach of the proposed ‘Use and Disclosure' principle (but where the Principle would require consent the agency must consider whether the proposed disclosure would involve the unreasonable disclosure of personal information about any individual including the deceased individual) and disclosure would not, on balance, be in the public interest.

14. The Office does not support paragraph (b) of proposal 12-2.

15. Currently, FOI legislation protects the personal information of deceased persons held by government agencies whereas the Privacy Act does not apply to the handling of the personal information of deceased individuals.

16. As discussed in detail in the Office's submission to IP 31 (at question 3-5) the Office supports an amendment to the Privacy Act to extend certain privacy protections to the health information of deceased individuals, including collection, use and disclosure and data security. However, the Office is not convinced that a clear rationale for privacy protection of deceased persons' personal information, beyond the health context, has been made.

17. However, the Office suggests that the arrangements for the personal information of deceased individuals under the FOI Act and Archives Act should be consistent with the arrangement for this information under the Privacy Act.

Proposal 12-3 ‘Personal information' should be defined in the Freedom of Information Act 1982(Cth) as ‘information or an opinion, whether true or not and whether recorded in a material form or not, about an identified or reasonably identifiable individual'.

18. The Office agrees with proposal 12-3.

19. As noted in question 3-5 the Office supports the amended definition of personal information.

20. The Office is also supportive of an amendment to the definition of personal information in the FOI Act to reflect the definition of personal information in the Privacy Act as it aids in consistent and robust privacy protection across both pieces of legislation.

Proposal 12-4 The Freedom of Information Act 1982 (Cth) should be amended to require that the body that is primarily responsible for administration of the Act is to:

(a) develop and publish guidelines on the interpretation and application of s41;

(b) consult with the Office of the Privacy Commissioner before issuing guidelines on the interpretation and application of s 41.

21. The Office agrees with proposal 12-4 that guidance should be produced on the application of section 41 of the FOI Act.

Proposal 12-5 The Freedom of Information Act 1982(Cth) should be amended to provide that disclosure of personal information in accordance with the Freedom of Information Act 1982 (Cth) is a disclosure that is required or authorised for the purposes of the proposed ‘Use and Disclosure' principle under the Privacy Act.

22. The Office agrees with proposal 12-5, though notes that it supports the adoption of a ‘required or specifically authorised' test in the proposed use and disclosure UPP.[136]

23. The proposal is in accordance with the intent of the Office's position in its submission to IP 31.[137]

24. The Office is supportive of the proposal to make clearer references to Privacy Act provisions in legislation which interacts with or intends to rely on Privacy Act exceptions.

25. As discussed in the Office submission to IP 31,[138]ambiguity in legislation can cause uncertainty for agencies and individuals as to how information should be handled and in this context whether the relevant provisions meet the requirement for use and disclosure under the Privacy Act.

26. The proposed amendment to the FOI Act will aid in clarifying the scope of particular legal provisions and their relationship to the Privacy Act.

Proposal 12-6 The Privacy Act 1988 (Cth) should be amended to provide a new Part dealing with access to, and correction of, personal information held by an agency.

27. The Office agrees with proposal 12-6.

28. As discussed in the Office's responses to question 7-6(a) of IP 31, the right to access one's own personal information (and the right to have it corrected) is an important element of privacy protection. Including it in the Privacy Act would assist in ensuring that a single, coherent piece of law allows individuals to gain an understanding of their privacy rights from a single source.

29. Accordingly, the Office is supportive of the proposal to amend the Privacy Act to provide a new part dealing with access to and correction of personal information held by an agency. In the Office's view it may be contrary to the spirit of the Act and inconsistent with the substantive rights of access under the private sector provisions (National Privacy Principle 6) if an individual's right to access and correct personal information held by an agency is determined by the FOI Act.

Proposal 12-7 The Freedom of Information Act 1982 (Cth) should be amended to:

(a) provide that an individual's right to access or correct his or her own personal information is dealt with under the Privacy Act;

30. The Office agrees with proposal 12-7(a).

31. The amendment to the FOI Act will add clarity and certainty regarding an individual's right to access and correct personal information.

(b) delete part V of the Act.

32. The Office reiterates the view offered in response to question 7-6(a) of IP 31[139]that in the interests of consistency it may be appropriate to expand the amendment rights under the FOI Act to align with those in the Privacy Act.

33. However, in arguing for a consistent approach to access and correction of personal information held by agencies, the Office emphasises that caution be exercised to ensure that the approach adopted does not detract from an individual's current right to access, and correct personal information held by an agency, or make the process for access and correction more onerous or complex for the individual.

Proposal 12-8 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide that:

(a) if an agency holds personal information about an individual , the agency must, if requested by the individual, provide the individual with access to the information, subject to a number of exceptions under the Part;

34. The Office agrees in principle with the intent of proposal 12-8 (a) to afford individuals clear access to personal information held about them by agencies.

35. The nature of the proposed exceptions will likely have significant bearing on whether the intent of the proposal is achieved. If exceptions are too broad or excessive in number, the general intent of creating a mechanism to afford individuals' access to their personal information may be undermined.

36. The Office would expect that such exceptions be developed after substantial consultation by relevant decision makers, including with the Privacy Commissioner.

(b) where an individual is given access to personal information, the individual must be advised that he or she may request the correction of that information;

37. The Office agrees with proposal 12-8(b).

38. The Office also makes the general comment that the right to correct personal information should not be contingent upon the individual gaining access to that personal information. Individuals should have the right to request the correction of personal information in an agency's possession regardless of whether access has first been sought. This could occur, for example, if an agency sends the individual a letter containing incorrect personal information, such as a misspelt name or address, or containing any number of other types of inaccuracies.

(c) where an agency is not required to provide the individual with access to personal information because of an exception, the agency must take reasonable steps to reach an appropriate compromise, involving the use of a mutually agreed intermediary, provided that the compromise would allow for sufficient access to meet the needs of both parties; and

39. The Office agrees with proposal 12-8(c).

40. The proposal is in accordance with the Office's position in its submission to IP 31, question 4-35.[140]

(d) nothing in the Part is intended to prevent or discourage agencies from publishing or giving access to personal information, otherwise than as required by the Part, where they can do so properly or are required to do so by law.

41. The Office agrees with proposal 12-8(d).

42. It is not intended that the Privacy Act fetter an agency's ability to carry out its functions or activities nor inhibit an agency's compliance with its legal obligations.

43. Where an agency is in a position to give access to or publish personal information lawfully, without contravening one of the sections in this Part or is required by law to do so, the Privacy Act should not deter such conduct.

44. However, the Office is unsure of the meaning of the word ‘properly' in this proposal. In the Office's view it is unclear what the word ‘properly' refers to, and observes that it could have several interpretations. The Office suggests that this word be replaced with lawfully or otherwise clarified in the ALRC's final report.

Proposal 12-9 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide that if an agency holds personal information about an individual the agency must:

(a) if requested by the individual take such steps to correct (by way of making appropriate corrections, deletions and additions) the information as are in the circumstances, reasonable to ensure that the information is, with reference to a purpose of collection permitted by the UPPs, accurate, complete, up-to-date, relevant and not misleading;

45. The Office agrees with proposal 12-9(a).

46. This is consistent with the proposed principle dealing with access to and correction of personal information held by organisations (UPP 9.5), as well as existing NPP 6.

(b) where the agency has taken the steps outlined in (a) above, if requested to do so by the individual, and provided such notification would be practicable in the circumstances, notify any other entities to whom the personal information has already been disclosed before correction.

47. The Office agrees with proposal 12-9(b).

48. The proposal is in accordance with the Office's position in its response to question 4-24 of IP 31, question 4-24.

Proposal 12-10 The proposed part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide that where an agency decides not to correct the personal information of an individual and the individual requests the agency to annotate the personal information with a statement by the individual claiming that the information is not accurate, complete, up-to-date, relevant, or is misleading, the agency must take reasonable steps to do so.

49. The Office agrees with proposal 12-10.

50. The Office supports the implementation of a consistent approach, as far as possible, to the access and correction of personal information throughout the Privacy Act. To ensure that individuals are aware of this option, the ALRC should consider whether an obligation be imposed that agencies must make individuals aware that they can have such a notation recorded.

51. The Office notes that proposal 12-10 is consistent with the principle dealing with access to and correction of personal information held by organisations, UPP 9.6.

Proposal 12-11 The proposed Part of the Privacy Act dealing with access to, and correction, of personal information held by an agency should set out a process for dealing with a request to access or correct personal information that addresses:

(a) the requirements for making an application for correction or annotation of personal information;

(b) time periods for processing a request to access or correct personal information;

(c) the transfer of a request to access or correct personal information to another agency in certain circumstances (for example, when a document is not in the possession of an agency but is, to the knowledge of that agency, in the possession of another agency);

(d) how personal information is to be made available to the individual (including by giving a reasonable opportunity to inspect the records, by providing a copy of the record, by giving a summary of the contents of the record, by providing oral information about the contents of the record);

(e) how corrections are to be made (including by additions and deletions);

(f) the deletion of excepted matter or irrelevant material;

(g) the persons authorised to make a decision on behalf of an agency in relation to a request to access or correct personal information;

(h) when a request for access to personal information may be refused by an agency (for example, when it would substantially and unreasonably divert the resources of the agency from its other operations, or in the case of a Minister, would substantially and unreasonably interfere with the performance of the Minister's functions); and

(i) the provision of reasons for a decision to deny a request to access or correct personal information.

52. The Office agrees that many of the matters set out in proposal 12-11 should be clear for both the agency and the individual. The Office is less convinced that each of these matters need be set out in legislation, as opposed to being subject to guidance issued by the Office and agencies.

53. As discussed in the Office's submission to IP 31 question 7-6(a) the Office is of the view that an individual seeking access to personal information held by an agency should not unnecessarily be subject to the processes of FOI where a simpler process can be established.

54. The prescriptive nature of the FOI provisions dealing with access to personal information is appropriate for managing requests for access to the deliberative process of government, but contrary to the high level principle based approach of the Privacy Act.

55. Accordingly, the Office suggests that where possible the proposed Part of the Privacy Act dealing with access to and correction of personal information held by an agency mirror the proposed access and correction principle, UPP 9. Where it is considered necessary, guidance issued by the Commissioner could provide the essential details. In addition, agencies should retain some discretion, consistent with any guidance issued by the Office, to develop administrative processes reflective of that agency and the type of information in question.

56. Only in circumstances where it is deemed essential should the prescriptive provisions of the FOI legislation be incorporated into this Part of the Privacy Act.

Proposal 12-12 The Proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide for:

(a) internal review by an agency of a decision made under the Part;

(b) review by the Administrative Appeals Tribunal of a decision made under the Part (including the power to make an order for compensation); and

(c) complaints to the Commonwealth Ombudsman.

57. The Office agrees with proposal 12-12(a) and (b).

58. The Office is of the view that an individual's right to an internal review by an agency, review by the Administrative Appeals Tribunal or the right to lodge a complaint with the Commonwealth Ombudsman regarding the administrative actions of agencies should not be diminished by incorporating a Part dealing with access to, and correction of, personal information held by agencies into the Privacy Act.

59. However, the Office does not agree with proposal 12-12(c).

60. The Office of the Privacy Commissioner has jurisdiction to investigate allegations regarding an interference with privacy. It is anticipated that this will include administration of the new Part of the Privacy Act dealing with access to, and correction of, personal information held by agencies.

61. Accordingly, the Office submits that the most appropriate jurisdiction to lodge a complaint regarding an interference with privacy, under this Part would be with the Privacy Commissioner.

Proposal 12-13 The Office of the Privacy Commissioner should issue guidelines on access to, and correction of records containing personal information held by an agency.

62. The Office agrees with proposal 12-13

Proposal 12-14 Part VIII of the Privacy Act 1988 (Cth) (obligations of confidence) should be repealed.

63. The Office has no experience in the application of Part VIII of the Privacy Act.

64. However, given the proposal of a statutory cause of action, the Office is persuaded by arguments of the ALRC that Part VIII of the Privacy Act is unnecessary.

Question 12-1 What exceptions should apply to the general provision granting an individual the right to access his or her own personal information?

For example, should the exceptions mirror the provisions in Part IV of the Freedom of Information Act 1982 (Cth) or should another set of exceptions apply?

65. The Office will consider this matter more fully as part of its contribution to the review the FOI Act.

66. However, the Office does note that any exceptions to providing access to personal information should have a clear rationale for its inclusion in the new Part of the Privacy Act. In general, such exceptions should be minimised to ensure that the presumption remains in favour of access being provided. The Office supports the number and scope of the exceptions currently provided under NPP 6, and would expect that this could serve as a model for regulating the denial of access by agencies.

Question 12-2 Should the Office of the Privacy Commissioner's complaint handling, investigative and reporting functions be exempt under the Freedom of Information Act 1982 (Cth)

67. As discussed in the Office's submission to IP 31 question 7-6(b) the Office is of the view that the Office's complaint files should be exempt from FOI disclosures. The Office is of the view that the disclosure of information contained in complaint files could prejudice the resolution of complaints.

68. However, the Office believes that the promotion of open and transparent public administration would be aided by its investigation (e.g. audit files, files created on investigations commenced on the Commissioner's initiative) and reporting functions and processes being subject to the FOI Act. Making information available to the public, where possible, will also assist the Office in maintaining proper processes of external accountability.

69. The Office will consider this matter further as part of its contribution to the ALRC's inquiry into the FOI Act.

CHAPTER 13

REQUIRED OR AUTHORISED BY OR UNDER LAW

Question 13-1 Should the definition of ‘law' for the purposes of determining when an act or practice is required or specifically authorised by or under a law include:

(a) common law or equitable duty;

(b) an order of a court or tribunal;

(c) documents that are given the force of law by an Act of Parliament, such as industrial awards;

(d) statutory instruments such  as a Local Environmental Plan made under a planning law?

1. The Office believes that a non-exhaustive definition could be useful in clarifying the meaning of ‘law' under the Privacy Act 1988 (Cth) (‘Privacy Act'), for the purposes of ‘required or [specifically] authorised by law' exceptions in the UPPs or equivalent principles.

2. Any definition of ‘law' should explain that the agency or organisation first needs to determine whether the law applies to them, in order to rely on the provision. This could be done by way of a note in the definition or in the principles that have a ‘required or [specifically] authorised by law' exception.

Complexities around defining ‘law'

3. As the ALRC notes in DP 72, the interpretation of the word ‘law' is ambiguous and may benefit from clarification.[141]However, the issue of whether ‘law' should be defined to include various instruments and orders under a unified set of privacy principles raises complexities for two main reasons.

4. Firstly, because ‘law' is not currently defined under the Privacy Act, and has therefore relied on case-by-case interpretation (taking into account the intent of the legislation, Acts and principles dealing with legislative interpretation, and any constitutional issues). Hence this would be introducing a new definition into the Privacy Act with the potential for unforeseen outcomes.

5. Secondly, because whether an act or practice is authorised by a given ‘law' may vary, depending on whether an Australian Government agency or a private sector organisation is performing the act or practice.

What may constitute ‘law' under the Privacy Act

6. The term ‘law' is not currently defined under the Privacy Act. In relation to part (a) of DP 72 question 13-1, the Office's Guidelines to the National Privacy Principles (2001) note that common law and equitable obligations would constitute law for the purposes of the NPPs (as would state and territory legislation).[142]This is consistent with the Second Reading Speech to the Privacy Amendment (Private Sector) Bill 2000 (as it then was), which led to the enactment of the NPPs.[143]

7. The situation appears more complex regarding the common law and Australian Government agencies. As the Office understands it, whether an agency can rely on the common law (or a state or territory instrument) to require or authorise an act firstly depends on whether the agency is considered to be part of the Crown. If it is necessary to determine whether the Crown is ‘immune' to the application of the common law principle (such as by statutory immunity). If an agency is ‘immune', it could not claim that the principle requires or authorises it to do something.

8. The Office also notes that requirements or authorisations of information handling practices by common law or equitable principles may lack the clarity or certainty of those found elsewhere, such as in legislation. This raises issues around the interrelationship between the common law and Privacy Act principles.

9. For example, NPP 6.1 states that an organisation must give an individual access ‘except to the extent that: ... (h) denying access is required or authorised by or under law'. In Breen v Williams[144], the High Court held that there is no right to access medical records under the common law. The Office would be concerned if a health service provider sought to rely on common law principles expressed in Breen v Williams as an ‘authorisation' to deny access to health information under NPP 2.1(h). This would appear contrary to the Parliament's intent to recognise a right of access to patient records, and if permitted, would be an unintended consequence of including common law in the scope of ‘law'.

10. The ALRC's final report on its review of privacy could explore the extent to which the common law can be relied upon to ‘require or authorise' acts that affect the application of the Privacy Act principles. The use of the term ‘specifically authorised' in the relevant Privacy Act exceptions (discussed further below), may be of some assistance in clarifying this point.

11. The ALRC also states that ‘law' should include state and territory Acts and delegated legislation, although this is not specifically raised in question 13-1.[145] As the Office understands it, whether a state instrument can require or authorise an act or practice of an Australian Government agency depends on whether the instrument intends to bind the Crown in right of the Commonwealth.[146]

12. Accordingly, although ‘law' could include common law and equitable duties, as well as state and territory Acts and delegated legislation, it is important that entities do not automatically assume they can rely on that principle or instrument for the purposes of Privacy Act exceptions. As a first step, the agency or organisation needs to determine whether the relevant ‘law' applies to it, and therefore whether it is required or (specifically) authorised to do a particular act or practice.

13. In relation to part (b) of question 13-1, the Office understands that while court and tribunal orders may not, in themselves, be considered ‘laws', the Commonwealth has bound itself to comply with properly issued process from state courts, such as subpoenas and search warrants. Accordingly, this is an example of where an act or practice is required or authorised ‘under law' for the purposes of the Privacy Act, because an Act or other relevant instrument (that is a law) gives effect to the order or document.

14. In relation to part (c) of question 13-1, the Office has previously noted that documents that are given the force of Commonwealth law (such as industrial awards) are also considered to be ‘law' for the purposes of the IPPs. However, the Office notes that while other proposed inclusions in the definition of ‘law' under question 13-1 are subject to various accountability requirements,[147] there is often comparatively little oversight of documents such as industrial awards.

15. In relation to part (d) of 13-1, complications again arise in relation to whether state-based statutory instruments (such as Local Environment Plans) would legally apply to Commonwealth agencies. This is something that an agency would need to determine before relying on the provision.

Any definition of ‘law' should remind entities to make sure the relevant law applies to them

16. As noted above, merely because something constitutes a ‘law', it does not automatically follow that any agency or organisation can rely on that law to require or authorise a particular act relating to information handling. Several state and territory statutes are expressed in general terms that do not expressly provide for whether they apply to the Commonwealth.

17. An example of such a provision is s 248(1) of the Children and Young Persons (Care and Protection) Act 1998 (NSW), which provides:

(a) the Director-General may, in accordance with the requirements (if any) prescribed by the regulations, furnish the prescribed body with information relating to the safety, welfare and well-being of a particular child or young person or class of children or young persons ...

Section 248(2) provides:

(2) It is the duty of a prescribed body to whom a direction is given under subsection (1)(b) to comply promptly with the requirements of the direction.

‘Prescribed body' is defined in s 248(6) to mean, amongst other things:

(a) the Police Service, a government department or a public authority ...

As the Office understands it, in such cases the agency would need to determine whether the law binds the Crown in right of the Commonwealth, before deciding whether the law requires or authorises the agency to do certain acts or practices. In many cases, this may turn on the application of interpretations Acts in the relevant jurisdictions.

18. In the Office's view, it is therefore important that a definition of ‘law' under the Privacy Act clarifies that, before relying on a ‘law' for the purposes of the Privacy Act, the agency or organisation must first determine:

• (i) whether or not the particular law applies to that entity (which may vary depending on the type of entity, as discussed); and
• (ii) whether the relevant law in fact requires or (specifically) authorises the proposed act or practice by that entity.

19. If adopted, the definition of ‘law' could remind agencies and organisations to consider these matters by including a note, either in the definition itself, or in the Privacy Act principles that contain a relevant exception. The use of the term ‘specifically authorised' (discussed in the next section) is also likely to be of considerable assistance in determining the above matters.

‘Specifically' authorised by or under law

20. The Office supports the inclusion of the term ‘specifically authorised' in the ‘required or authorised by law' exceptions under the Privacy Act. The Office has consistently held the view that exceptions to the IPPs or NPPs which permit acts or practices that are ‘authorised' by or under law should be narrowly interpreted, and that authorisations should generally be express rather than implied.[148] The requirement for express authorisation is particularly important regarding sensitive information, including health information. Nevertheless, in the Office's view, the requirement for ‘specific' authorisation should apply consistently under all exceptions where the term ‘authorised by law' is used under the Privacy Act.

21. Proposal 19-2 of DP 72 recommends that the UPP on sensitive information permit the collection of such information, without consent, where this is ‘required or specifically authorised by or under law' (emphasis added). While the Office notes that this broadens the exception for the collection of sensitive information in NPP 10.1(b) (collection ‘required by law'), the Office submits that this may be appropriate. The Office believes this amendment would recognise the intent of Parliament in making laws that ‘specifically authorise' certain information-handling practices, while maintaining appropriate privacy protections.

22. Similarly, question 22-1 of DP 72 asks whether the use and disclosure principle should also be amended to use the term ‘specifically' authorised. NPP 2.1(g) currently permits a use or disclosure that is ‘required or authorised by or under law'. The Office also supports this amendment.

23. As the Office understands it, the effect of including the term ‘specifically authorised', as opposed to simply ‘authorised', is that the relevant principle will only permit information-handling acts or practices that are expressly authorised by or under law. Such an amendment would lessen regulatory complexity and uncertainty by clarifying that legal authorities for various acts or practices cannot be implied or incidental.

24. This interpretation would also appear to better reflect the Parliament's intent when it enacted the NPPs. The explanatory memorandum (EM) to the Privacy Amendment (Private Sector) Bill 2000 (as it then was) notes that the exception in NPP 2.1(g) ‘is intended to cover situations where a law unambiguously requires or authorises the use or disclosure of personal information.'[149] The EM also notes that ‘implied requirements' under law ‘would be conservatively interpreted'.[150] The EM does not make reference to ‘implied authorisations'.

25. In order to give effect to the Parliament's intent, and in the interests of promoting regulatory certainty and consistency between principles, it seems appropriate to use the term ‘specifically authorised' wherever the UPPs or equivalent principles include a ‘required or authorised by or under law' exception. This should include the principles covering collection of sensitive information, including health information; the use and disclosure principle (UPP 5); and the access principle (UPP 9).[151]

Authorised ‘by' or ‘under' law

26. In considering the ‘required or [specifically] authorised by or under law' exceptions, the Office also considered the necessity of including both ‘by' and ‘under' law. The Office understands that an act or practice will be ‘authorised by law' if the source of the authorisation for the act or practice is the law itself. On the other hand, an act or practice will be ‘authorised under law' if the authorisation is pursuant to a law, even though the law may not be the direct source of the authorisation (such as in relation to court orders, discussed above). It therefore seems appropriate to continue using the phrase ‘by or under law' in the privacy principles.

Question 13-2  Should a list be compiled of laws that require or authorise acts or practices in relation to personal information that would otherwise be regulated by the Privacy Act? If so, should the list have the force of law? Should it be comprehensive or indicative? What body should be responsible for compiling and updating this list?

27. In its submission to the ALRC IP 31[152], the Office proposed that a consolidated digest could be developed of all legislative provisions that require or authorise personal information to be handled in ways that the Privacy Act may otherwise prevent. The Office also suggested that the ALRC ‘may wish to consider the logistical challenges of creating such a digest', such as the need for regular updates and the coordination of various agencies and organisations.

28. The Office welcomes the further consideration that has been given to this proposal in DP 72. Upon further reflection, the Office is not convinced of the merits of this proposal. In particular, the Office believes that the likely benefits of such a digest of laws may not justify the resources required to develop and maintain it. Accordingly, the Office would not seek to have primary responsibility for such a digest if it were adopted.

29. The Office notes that the administering department for any specific piece of legislation will be best placed to know of relevant provisions that it, or its portfolio agencies, might be able to rely on to meet ‘required or specifically authorised by law' exceptions. Accordingly, the provision of advice and guidance on such provisions seems best placed with the relevant administering departments. It is also unclear what value a consolidated list of such provisions would offer.

30. If this proposal were adopted, an important logistical consideration is whether the digest would be comprehensive or indicative. If the digest were indicative only, it would not resolve the issue of which laws, other than those in the digest, could be relied upon in the same manner. However, if the digest were exhaustive, keeping it complete and up-to-date would be a more resource-intensive exercise.

Census and Statistics Act 1905 (Cth)

31. The ALRC has not made a proposal in regard to the Census and Statistics Act 1905 (Cth).

32. In its submission on IP 31, the Office noted that it is important to ensure that the public interest in maintaining an accurate census is appropriately balanced with the public interest in affording individuals protections over how their personal information is handled. The Office cited a number of privacy concerns that have been raised with it by the community, particularly in regard to the 5-yearly population and housing census (‘the census').[153]

33. DP 72 has acknowledged these concerns at paragraph 13.64, and pointed to a range of administrative arrangements designed to address these and other possible privacy risks. Ensuring that information about such arrangements is widely disseminated may help promote community confidence in the census process and mitigate concerns of this type.

34. In the Office's view, the conduct of the census is generally supported by substantial community information campaigns. While the Office notes that the Australian Bureau of Statistics provides information on privacy and confidentiality issues, it may be helpful in the design of future information campaigns to consider whether these administrative arrangements could be explained more prominently or effectively to respond to specific community concerns.

Corporations Act 1901 (Cth)

35. The ALRC has not made a proposal in regard to the Corporations Act 1901 (Cth) (‘Corporations Act').

36. In responding to IP 31, the Office noted that the handling of personal information held in public registers for the purposes of the Corporations Act provides a specific example of a more general issue, that is, finding the appropriate balance in granting access to, and setting limits upon the subsequent use of, information held on public registers.

37. The availability of the personal information held in public registers has been a subject of complaints and enquiries made to the Office.[154] Equally, the Office recognises that public policy objectives behind making such information publicly available.

38. The Office reiterates its position that the balance between maintaining the privacy of this information and meeting the important public policy objectives might be better achieved by more narrowly specifying in the Corporations Act the purposes for which such information may be used, particularly in regard to shareholder registers.

39. The Office offers in principle support to the idea of a trusted third-party ‘clearing house' to manage contact between individuals on registers and third-parties.[155] This would avoid the need to provide personal information directly to the requesting party, thus addressing the risk that it may be used for other purposes or otherwise mishandled.

40. As noted in DP 72, the Corporations Amendment Regulation 2007 (No.9) would provide for such a mechanism, under which the ‘...person seeking to communicate with members would.. not obtain direct access to a register of members of the body corporate.'[156]Instead, contact with members would occur ‘...via a third-party service provider (known colloquially as a ‘mailing house') selected by the body corporate'. It should be noted though that, at the time of writing, this Regulation was subject to a disallowance motion prior to Parliament being prorogued for the 2007 federal election.[157]

Proposal 13-1  If the exemption that applies to registered political parties and political acts and practices is not removed, the Commonwealth Electoral Act 1918 (Cth) should be amended to provide that prescribed individuals, authorities and organisations to whom the Australian Electoral Commission must give information in relation to the electoral roll and certified lists of voters must take reasonable steps to:

(a) protect the information from misuse and loss and from unauthorised access, modification or disclosure; and

(b) destroy or render the information non-identifiable if it is no longer needed for a permitted purpose.

41. The Office agrees with proposal 13-1. This reflects the Office's position in its response to IP 31.[158]

42. The Office has also discussed the possibility of protections being afforded to how political parties handle personal information, including when collected from the electoral roll, in responding to chapter 37 of DP 72.

Continuous Roll Update and powers of demand

43. The Office has previously noted the finding of the Australian National Audit Office (ANAO) that information necessary for the Continuous Roll Update (CRU) process could be adequately sourced from 8 types of Commonwealth and State/Territory agencies. The ANAO specifically lists these 8 'Desirable CRU data sources' as: Australia Post, Centrelink, Motor Transport, Fact of Death files, Rental Bond Boards, Public Housing Authorities, State Revenue and/or Land Titles Offices, and Department of Immigration and Multiculturalism and Indigenous Affairs (DIMIA).[159]

44. Accordingly, the Office has previously submitted that the broad and general powers of demand, including from any agency or data source, may be excessive and unnecessary for the purposes of CRU.[160] This remains a matter which this current inquiry could usefully consider.

Proposal 13-2  The Australian Electoral Commission and state and territory electoral commissions, in consultation with the Office of the Privacy Commissioner, should develop and publish protocols that address the collection, use and destruction of personal information shared for the purposes of the continuous update of the electoral roll.

45. The Office agrees with this proposal.

Proposal 13-3  The review of the Anti-Money Laundering and Counterterrorism Financing Act 2006 (Cth), the regulations and the Anti-Money Laundering and Counter-terrorism Financing Rules under s 251 of  the Act should consider, in particular, whether:

(a) reporting entities and designated agencies are appropriately handling personal information under the legislation;

(b) the number and range of transactions for which identification is required should be more limited than currently provided for under the legislation;

(c)  it remains appropriate that reporting entities are required to retain information for seven years; and

(d) it is appropriate that reporting entities are able to use the electoral roll for the purpose of identification verification.

46. The Office agrees with this proposal. It is noted though that the proposed list of matters for review does not include how AUSTRAC handles the personal information it collects under the expanded regime. For example, an important matter for review is likely to be the processes and systems put place by AUSTRAC to facilitate access by designate agencies, as well as to overseas law enforcement and regulatory bodies.

47. As the Office has noted in a number of submissions,[161] including in response to IP 31,[162] reform of the anti-money laundering and counter-terrorism financing has raised a number of privacy concerns, some of which are discussed in DP 72. The review of this regulation will be important in ensuring that it remains a necessary and proportionate response to the risks it is intended to address.

48. The Office suggests that it would be prudent for relevant stakeholders, including AUSTRAC and the Office, to begin retaining appropriate data to assist in this review.

Proposal 13-4  The Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) should be amended to provide that state and territory agencies that access personal information provided to the Australian Transaction Reports and Analysis Centre under the Act be regulated under the Privacy Act in relation to the handling of that personal information, except where they are covered by obligations under a state of territory law that are, overall, at least the equivalent of all the relevant obligations in the Privacy Act.

49. The Office supports this proposal, which accords with its submission on IP 31, as well as other public submissions to the Attorney-General's Department and the Senate Legal and Constitutional Affairs Committee.[163]

50. The Office has previously recommended in a variety of submissions that state and territory agencies that receive personal information from AUSTRAC should be covered by privacy regulation equivalent to Australian Government agencies in the same circumstances.[164] Currently, only some state and territories have privacy regulation applying to their own agencies.

51. While section 126 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006(Cth) requires that state and territory agencies must undertake to comply with the Information Privacy Principles of the Privacy Act as a condition of accessing AUSTRAC held data, there is no statutory measure creating oversight or accountability for such undertakings. In particular, an individual could not complain to the Office if a state or territory agency did not comply with the IPPs, nor could the Office audit that agency's information handling practices.

52. As this personal information is compulsorily acquired during the course of an expanding range of transactions, in some instances without the knowledge of the individual, it seems reasonable to expect that agencies which receive it are subject to binding privacy obligations. Currently, state and territory agencies in a number of jurisdictions represent a gap in the privacy protections afforded to AML/CTF information, in particular since the enactment of provisions to bring small business reporting entities within the coverage of the Privacy Act. Essentially, all participating private sector organisations and Australian Government agencies are covered by enforceable privacy regulation, though not all state and territory agencies.

53. In its previous submissions, the Office has proposed a number of options for addressing this matter. For example, the Office has suggested that one option may be to introduce a provision into the Privacy Act for AML/CTF purposes that is similar to sections 17 and 18 concerning the handling of tax file numbers (TFNs).[165] In précis, s 17 requires the Privacy Commissioner to make statutory guidelines for the handling of TFNs, while s 18 makes it an offence for a 'file number recipient' to breach these guidelines. In turn, s 13 prescribes that a breach of s 17 is an ‘interference with privacy', in regard to which an individual may, under s 36(1) complain to the Privacy Commissioner. Significantly, 'tax file number recipients', about which individuals may complain, may include state and territory bodies that are not covered by the IPPs.

54. The Office also proposes that it be clarified that it would have responsibility for assessing the equivalence of other legislation to the Privacy Act. This assessment should include consideration not just of the various principles, but also the extent to which they apply. For example, in some jurisdictions, law enforcement activities are exempt from the local privacy law, thus while provisions may be equivalent, their scope and application might not meet this test.

CHAPTER 14

INTERACTION WITH STATE AND TERRITORY LAWS

Proposal 14-1   The Privacy Act should be amended to provide that when an Australian Government agency is participating in an intergovernmental body or other arrangement involving state and territory agencies (for example, a Ministerial Council) the Australian Government agency should ensure that a memorandum of understanding is in place so that the intergovernmental body and its members do not act, or engage in a practice , that would breach the Act.

1. The Office agrees with proposal 14-1. The proposal partially accords with the Office's position in its submission to ALRC IP 31.[166]

2. In addition, the Office reiterates the suggestion it made in its submission to ALRC IP 31,[167] that the definition of ‘agency' which currently includes a Minister, should describe the specific acts and practices of the Minister that are covered. This would assist in promoting clarity regarding which practices of a Minister are covered and which are exempt.

[126] At page 48, available at http://www.privacy.gov.au/act/review/review2005.htm#2_2.

[127] Discussed in chapter 7, question 7-1 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#Introducto.

[128] Office submission to the Parliamentary Joint Committee on the Australian Crime Commission inquiry Future Impact of serious and organised crime on Australian society http://www.privacy.gov.au/publications/submissions/subaccinquiry060807.doc       

[129] Chapter 7.2(e)

[130] Chapter 7-2

[131] Question 7-6 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19725.

[132] http://www.alp.org.au/download/now/071026_government_information_policy.pdf.

[133] Question 7-4 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19656.

[134] Question 3-4 available at http://www.privacy.gov.au/publications/submissions/alrc/c3.html#L15597.

[135] Question 7-5 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19680.

[136] The introduction of a ‘specific' element to the authorised by law test is discussed further in chapter 13 of this submission.

[137] Question 7-5 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19680.

[138] Question 7-5 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19680.

[139] Question 7-6 available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19725

[140] At paragraph 199, p 151, the Office submitted that NPP 6 should be ‘strengthened to give the individual the right to use an intermediary, rather than leaving the provision of an intermediary to the discretion of the organisation.'

[141] See, for example, DP 72, paragraphs 13.33-34.

[142] Office of the Privacy Commissioner, Guidelines to the National Privacy Principles (2001) p 41, available at http://www.privacy.gov.au/publications/nppgl_01.html#npp21g.

[143] The Hon Daryl Williams MP (then Attorney-General), Commonwealth Parliamentary Debates, House of Representatives, 12 April 2000, 15751.

[144] Breen v Williams [1995] HCA 63; (1996) 186 CLR 71, available at http://www.austlii.edu.au/au/cases/cth/HCA/1995/63.html.

[145] ALRC, DP 72, paragraph 13.31.

[146] See, for example, Re Residential Tenancies Tribunal of NSW and Henderson and Anor; Ex parte Defence Housing Authority (1990) 190 CLR 410; Commonwealth and Anor v Wood and Anor (2006) FCR 276; and Croker v Commonwealth of Australia [2005] NSWSC 994, at 14.

[147] See ALRC, DP 72, paragraph 13.30-31.

[148] See, for example, the Office's submission to IP 31, at question 8-15. This discussed lawful authorisation to collect health information without consent, by reference to NPP 10 and the lower standard proposed under National Health Privacy Principle (NHPP) 1 of the draft National Health Privacy Code (NHPC).

[149] Parliament of the Commonwealth of Australia, Senate, Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000, paragraph 358 (emphasis added).

[150] Ibid.

[151] See ALRC, DP 72, proposal 19-2 and question 22-1.

[152] See question 7-5, available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19680.

[153] See, chapter 7, question 7-6(i), paragraphs 119-120, available at  http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L19999

[154] This is discussed in chapter 7 of the Office's submission on IP 31, at paragraphs 127 and 133, available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L20034. 

[155] As proposed at paragraph 13.77 of DP 72.

[156] At the time of writing, the explanatory statement for this bill was available from http://www.comlaw.gov.au/ComLaw/Legislation/LegislativeInstrument1.nsf/framelodgmentattachments/D57DF5FA02E17FB3CA25731E00157C19.

[157] As at 26 November 2007, this regulation had been subject to a disallowance motion on 20 September 2007 before Parliament was prorogued for the 2007 federal election.

[158] See the Office's position 7-6(vii) on IP 31, available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#Question179.

[159] ANAO Audit Report 42 2001-2002 Integrity of the Electoral Roll, at p.2.40 available at: http://www.anao.gov.au/WebSite.nsf/Publications/4A256AE90015F69BCA256B9E007B5F52.

[160] This is discussed in chapter 7 of the Office's submission to IP 31, at paragraph 160, available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#Continuous.

[161] See, for example, Submission to the Senate Legal and Constitutional Affairs Committee Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006 (November 2006); Submission to the Attorney-General's Department Consultation on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Funding Bill 2006 (August 2006) - both of these submissions are available from the AML/CTF page of Office's website at http://www.privacy.gov.au/business/aml/index.html.

[162] Chapter 7, question 7-6(l), paragraph 168-171, available at http://www.privacy.gov.au/publications/submissions/alrc/c7.html#L20301.

[163] The Office raised this issue most recently in its November 2006 submission to the Senate Legal and Constitutional Affairs Committee's inquiry into the AML/CTF Bill, available at http://www.privacy.gov.au/publications/subamlctfb.html

[164] See, for example, Submission to the Attorney-General's Department Consultation on the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005 (April 2006) paragraphs 42-48, available at      http://www.privacy.gov.au/publications/antimoneysub010506.html#mozTocId80183.

[165] This model was first proposed in the Office's April 2006 submission to Attorney-General's on the exposure draft of the AML/CTF bill, available at      http://www.privacy.gov.au/publications/antimoneysub010506.html#mozTocId80183

[166] Questions 3-4 available at http://www.privacy.gov.au/publications/submissions/alrc/c3.html#Agency.

[167] Question 5-3 available from http://www.privacy.gov.au/publications/submissions/alrc/c5.html#Australian5.