Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Family Violence and Commonwealth Laws—Immigration Law (IP 37)

Submission to the Australian Law Reform Commission - April 2011

Submission by Timothy Pilgrim, Australian Privacy Commissioner

Office of the Australian Information Commissioner

  1. The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency established by the Australian Information Commissioner Act 2010 (AIC Act). The OAIC commenced operation on 1 November 2010 and is headed by the Australian Information Commissioner, supported by two other statutory office holders, the Freedom of Information Commissioner and the Privacy Commissioner.
  2. Together the Commissioners of the OAIC exercise three broad functions:
  • the freedom of information (FOI) functions set out in s 8 of the AIC Act
  • the privacy functions set out in s 9 of the AIC Act
  • the Information Commissioner functions set out in s 7 of the AIC Act.
  1. As the national privacy regulator the OAIC can provide general advice on privacy issues and the application of the Privacy Act 1988 (the Privacy Act).

Preliminary

  1. The OAIC appreciates the opportunity to make comments to the Australian Law Reform Commission (the ALRC) on the Issues Paper Family Violence and Commonwealth Laws—Immigration Law (IP 37) (the Issues Paper) which concerns the treatment of family violence in immigration law.[1]
  2. The OAIC strongly supports initiatives to protect the safety of those experiencing family violence and better support those adversely affected by this type of violence.
  3. The OAIC recognises the sensitivity of personal information related to family violence matters and the potential for an individual to be stigmatised, embarrassed or discriminated against as a result of the disclosure or inappropriate sharing of this information. The challenge is to ensure that initiatives contain appropriate privacy safeguards regarding the handling of an individuals’ personal information, while providing strong protection against harm from family violence.
  4. The right to privacy is not absolute and in some circumstances, privacy rights will necessarily give way where there is a compelling public interest reason to do so. In these instances, the OAIC seeks to ensure that the solution implemented minimises the intrusion to the fullest extent possible in the circumstances.

Comments on Family Violence and Commonwealth Laws—Immigration Law(IP 37)

Information sharing and national registers

  1. The Terms of Reference for the inquiry direct the ALRC to consider whether information sharing across Commonwealth, state and territory agencies is appropriate to protect the safety of those experiencing family violence.[2] In Family Violence—A National Legal Response (ALRC Report 114), the Commission recommended the establishment of a national register, which would include certain information about protection orders and family law orders and injunctions, to improve information sharing and the protection provided for victims of family violence.[3]
  2. The Issues Paper considers whether the Migration Review Tribunal and the Department of Immigration and Citizenship experience difficulties in accessing information relevant to judicially determined claims of family violence, from the courts. Access to a national register, as recommended in ALRC Report 114, is suggested as a mechanism for improving information sharing between these bodies.[4]
  3. The OAIC acknowledges the consideration given by the Commission in ALRC Report 114 to privacy and security concerns associated with a national register of this kind. The OAIC welcomes the Commission’s recommendation to underpin the national register with a comprehensive privacy framework and the undertaking of a privacy impact assessment.[5]
  4. As part of its submission to the Family Violence Inquiry, the former Office of the Privacy Commissioner submitted that any proposal to create a national register needs careful consideration from a privacy perspective and that a comprehensive privacy framework should be developed. [6] A comprehensive framework for privacy protection for new systems such as a national register, should be based on the following four key elements:

Design + Technology + Legislation + Oversight

  • Fundamental system design, including system architecture and the parameters governing what information is collected, information flows and consent mechanisms. Ensuring clarity and certainty about how individuals’ personal information will be handled in relation to a national protection order database may lead to greater community trust in the use of the database and handling of personal information by the agencies concerned.
  • Technological measures, including, but not limited to, data security initiatives.
  • Legislative measures, defining the extent of the system, proscribing purposes that fall outside those functions, and introducing sanctions for misusing any aspect of the system. Enabling legislation for a national protection order database should clearly set out who can access the database and for what purpose.
  • Oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.
  1. Privacy should be built into every aspect of a new system from the earliest stages of its conceptualisation. The OAIC considers that adopting this approach will assist in ensuring that the privacy framework is comprehensive, effective and part of the core functionality of the register.
  2. Further, the OAIC agrees with the Commission’s view in ALRC Report 114 that access to the register should be restricted to a ‘need to know’ basis. [7]   It is the view of the OAIC that access to information on the register should only be granted where there is a clear public interest in doing so. Access beyond that which is reasonably necessary for the protection of family violence victims may increase the privacy risks associated with the register and may make it harder to protect personal information from misuse, loss and unauthorised access. In turn, this may ultimately compromise the safety of those who have experienced family violence.

Privacy Impact Assessment

  1. The OAIC strongly encourages the undertaking of a privacy impact assessment (PIA) as part of developing a national protection order database. A PIA is an assessment tool that describes in detail the personal information flows in a project. PIAs, updated at key stages of a project, can be an important tool in project risk management. The overarching benefit of a PIA is that the identification and analysis of privacy impacts during the design phase can assist in determining the appropriate management of any potentially negative impacts. A project that underestimates privacy impacts can place its overall success at risk by not meeting the expectations of the community as to how personal information may be handled. PIAs are another aid to engendering community trust in new proposals.
  2. Ideally, a PIA should be conducted by an independent expert in privacy and with experience in managing PIAs. The OAIC also has a Privacy Impact Assessment Guide, providing an introduction to the PIA process. The Guide describes the purpose and general features of a PIA.[8] The OAIC would welcome the opportunity to provide further advice and comment as part of the consultation process for a PIA.
  3. In the OAIC’s opinion, the conducting of PIAs, together with the adoption of a comprehensive privacy framework, would help to address the privacy risks associated with the proposed register.



Footnote

[1] Issues Paper available at: http://www.alrc.gov.au/publications/family-violence-and-commonwealth-laws%E2%80%94immigration-law-ip-37

[2] Terms of reference available at: http://www.alrc.gov.au/inquiries/family-violence-and-commonwealth-laws/terms-reference

[3] ALRC Report 114, recommendation 30–18 

[4] Issues Paper 37, paragraphs 86-88

[5] ALRC Report 114, recommendation 30–19

[7] Former Office of the Privacy Commissioner submission, paragraph 41, available at:   http://www.privacy.gov.au/materials/types/submissions/view/7095

[8] ALRC Report 114, paragraph 30.237

[9] Available at http://www.privacy.gov.au/materials/types/download/9509/6590