Our reference: D2015/006516
Senate Standing Committees on Community Affairs
PO Box 6100
Canberra ACT 2600
Dear Committee Chair
Social Security Legislation Amendment (Debit Card Trial) Bill 2015
As the Acting Australian Information Commissioner, I thank the Senate Community Affairs Legislation Committee (the Committee) for the opportunity to comment on the Social Security Legislation Amendment (Debit Card Trial) Bill 2015 (the Bill).
My comments are focused on those provisions introduced by the Bill which would allow the disclosure of information about a person involved in the trial. Proposed new sections 124PN and 124PO would amend the Social Security Administration Act 1999 to allow financial institutions, and community bodies (as specified by legislative instrument), to disclose information about a person to the Secretary of the Department of Human Services, if the information is relevant to the operation of the trial. If the information is disclosed, the Bill also enables the Secretary to disclose relevant information about the person to a financial institution or community body. In addition, items 16-18 of the Bill propose consequential amendments to the Social Security Administration Act 1999 to facilitate information sharing necessary for the administration of the trial.
In considering the personal information handling issues related to the trial it is important to note the potential for an individual to be embarrassed or discriminated against as a result of the mishandling of this information, particularly in small regional or remote communities. The challenge is to ensure that the scheme contains appropriate privacy safeguards regarding the handling of individuals’ personal information, while meeting the overall public policy objective.
In addressing this concern, I raise the following personal information privacy issues for the Committee’s consideration:
whether the broad range of information sharing proposed is necessary, proportional and the least privacy invasive option. That is, whether the provisions appropriately balance the intrusion on individuals’ privacy with the overall public policy objectives of the proposal.
whether the measures proposed are compatible with Article 17 of the International Covenant on Civil and Political Rights (ICCPR). The Statement of Compatibility with Human Rights (the Statement) accompanying the Bill does not address the impact of the provisions on privacy, and consideration should be given to explaining the compatibility.
Whether the proposed broad information sharing powers are necessary, reasonable and proportionate
If the information handling practices in new sections 124PN and 124PO are enacted, they would invoke the exception in Australian Privacy Principle (APP) 6.2(b) contained in the Privacy Act 1998 (Privacy Act), which permits the use and disclosure of personal information where it is authorised or required by law.
I generally suggest that where provisions are intended to invoke this exception consideration should be given to whether those measures are proportionate and necessary. That is, whether they appropriately balance the intrusion on individuals’ privacy with the overall public policy objectives of the proposal. Further, any laws that require or authorise the collection, use or disclosure of personal information should be drafted narrowly, and, to the extent possible, clearly describe:
- the type of personal information that is authorised or required to be used or disclosed
- who may use or disclose the information, and who may receive the information
- the purpose for which the personal information may be used or disclosed, and, once received, for which the information may be subsequently used or disclosed by the recipient.
Additionally, any such law should ensure that the amount of personal information that is permitted to be used or disclosed is clearly limited to that which is necessary to achieve the policy objective of the proposal. In this regard, I note the proposed information sharing arrangements in sections 124PN and 124PO are broadly framed and the type of personal information to be shared is limited only by its relevance to the operation of the trial.
Ideally these issues would be considered in developing the legislative proposal, and form part of a Privacy Impact Assessment (PIA). This is a step I encourage agencies to consider taking where a change is proposed to their information handling practices. I am not aware of whether such an assessment has been carried out. I would encourage the use of a PIA to assess the potential privacy impacts of the trial and ensure that the personal information handling activities are accompanied by an appropriate level of privacy safeguards and accountability. The comprehensive identification of privacy risks and the implementation of appropriate protections at this initial stage would be especially valuable, and could also assist in future assessment of the scheme.
Given that the arrangements are to be trialled for a period up to 30 June 2018, undertaking a further PIA at the end of the trial may be a useful step as part of assessing the overall privacy impacts of the trial. A PIA can be taken undertaken alongside other evaluation process and could usefully form part of the overall assessment of the scheme. Completing this step will afford the opportunity to minimise or mitigate any negative privacy impacts identified and lead to better privacy outcomes in any longer term arrangements.
The Statement of Compatibility with Human Rights
Further to my comments above, this approach to assessing privacy impacts is generally consistent with that taken in applying the right to privacy in Article 17 of the ICCPR, to which the Privacy Act, in part, gives effect. In line with Article 17 of the ICCPR, the Privacy Act recognises that the protection of individuals’ privacy, through the protection of their personal information, cannot be an absolute right. Rather, those interests must be balanced with the broader interest of the community in ensuring that entities are able to carry out their legitimate functions and activities. However, where handling of individuals’ personal information is authorised in the broader interests of the community, any such limitation on the privacy protections should be reasonable, proportional and necessary for the policy objective.
The Statement does not acknowledge that the Bill engages with the right to privacy and therefore provides no consideration as to the limitation it places on the right to privacy. I suggest that, with reference to the comments above, that further consideration be given to explaining how these information handling provisions are compatible with Article 17 of the ICCPR.
Should the Committee require any further information please contact Ms Melanie Drayton, Director Regulation and Strategy Branch on [contact details removed].
Timothy Pilgrim PSM
Acting Australian Information Commissioner
18 September 2015
 See proposed new subsections 124PN(1) and 124PO(1) of the Bill.
 The OAIC’s Guide to undertaking privacy impact assessments is available on the OAIC website, see www.oaic.gov.au
Was this page helpful?
If you would like to provide more feedback, please email us at email@example.com