Our reference: D2018/005624
Senator Slade Brockman
Chair, Senate Community Affairs Legislation Committee
PO Box 6100
Parliament House
Canberra ACT 2600
By email: community.affairs.sen@aph.gov.au
Dear Senator
National Redress Scheme for Institutional Child Sexual Abuse Bill 2018 and related bill
The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment in relation to the Committee’s inquiry into the National Redress Scheme for Institutional Child Sexual Abuse Bill 2018 (the Bill) and the National Redress Scheme for Institutional Child Sexual Abuse (Consequential Amendments) Bill 2018. The comments below relate to the disclosure provisions in s 95 of the Bill.[1]
The Bill will establish the National Redress Scheme for Institutional Child Sexual Abuse (the Scheme), in response to the relevant recommendations of the Royal Commission into Institutional Responses to Child Sexual Abuse’s Redress and Civil Litigation Report (the Royal Commission Report).[2] The OAIC understands that for the purposes of assessing abuse redress claims, the Scheme authorises the collection, use and disclosure of detailed personal information (including sensitive information, such as health information and information about certain criminal convictions),[3] described as ‘protected information’ in the Bill.
By way of overall comment, the OAIC is supportive of the recommendations made in the Royal Commission Report, and appreciates that a key aim of the Scheme is to facilitate information sharing where it may assist in identifying, preventing and responding to child sexual abuse (as noted in the Explanatory Memorandum of the Bill). The OAIC notes that the right to privacy is not absolute. An appropriate balance must be struck, and placing certain limitations on an individual’s right to privacy may be justifiable in legislation where there are compelling public interest reasons to do so.
Given that the legislative information-sharing scheme deals with personal information of a very sensitive nature, it is important to ensure that any disclosures permitted for secondary purposes to third parties by the Bill are reasonable, necessary and proportionate to achieving a legitimate policy goal. In this regard, the OAIC has made some recommendations below to enhance the protections in the Bill afforded to the personal and sensitive information shared in the context of the Scheme.
Narrowing the disclosure provision in s 95
The Bill provides for secrecy provisions, contained in sections 92 to 101, which would protect protected information collected by the Operator in the course of administering the Scheme. These provisions are aimed at ensuring that protected information is used and disclosed only for appropriate and prescribed purposes.
However, section 95 appears to provide a broad power to disclose protected information collected in the Scheme under a wide range of unspecified circumstances. In particular, section 95(1)(b)(iv) enables the Operator to make a disclosure to the head (however described) of any government institution (including State and Territory institutions), for any purpose of that government institution. As the powers to disclose under this provision seem to be particularly broad, it is not clear on the face of the Bill whether they are reasonable, necessary, and proportionate to achieving a legitimate policy objective.
The OAIC would therefore recommend that consideration be given to:
- narrowing the scope of s 95(1)(b)(iv), to more clearly prescribe the purposes for which information collected under the Scheme can be disclosed to a government institution for secondary purposes, and
- providing further clarification in the Explanatory Memorandum to the Bill to explain why these authorisations to disclose information are reasonable, necessary and proportionate to achieving a legitimate aim, in the context of the overall objectives of the Scheme.
The National Redress Scheme Rules
The OAIC notes that section 95(4) provides for the making of the ‘National Redress Scheme Rules’, to make provision for (and in relation to) the exercise of the Operator’s power to certify disclosures as necessary in the public interest (s 95(1)(a)), as well as the disclosure of information to the head of a government institution (s 95(1)(b)(iv)). The Explanatory Memorandum states that this use of the rules is necessary ‘to ensure that the Scheme can be flexible in adapting to a range of circumstances not yet contemplated in this Bill where it may be necessary to disclose information’.[4]
While appreciating the need for some flexibility, the OAIC considers that these rules could have the potential to significantly impact upon the privacy of affected individuals, given the highly sensitive nature of the information in question. Any conditions relating to the collection, use and disclosure of such personal information should be prescribed in the primary legislation as far as is possible.
As such, the OAIC would recommend that consideration be given to adding greater detail to section 95, to limit and guide the discretionary powers of the rule maker as far as practicable. For instance, the Bill could set out some of the factors which may help the rule-maker to determine whether an action is in the public interest under s 95(1)(a).[5]
The OAIC would also recommend that:
- the Explanatory Memorandum provide further clarification on the likely content of the rules, and why this represents a reasonable, necessary and proportionate way of regulating the handling of Scheme information, and
- the Bill include an obligation to consult with, and have regard to any submissions of, the Information Commissioner prior to the making of the rules under s 95(4).[6]
Yours sincerely
Angelene Falk
Acting Australian Information Commissioner
Acting Privacy Commissioner
6 June 2018
Footnotes
[1] A function of the Australian Information Commissioner and Privacy Commissioner (the Commissioner) under the Privacy Act 1988 (the Privacy Act) is to examine proposed enactments that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals. The Commissioner also has the function of ensuring that any adverse effects of the proposed enactment or the proposal on the privacy of individuals are minimised. See section 28A of the Privacy Act 1988 for further information.
[2] See the Royal Commission into Institutional Responses to Child Sexual Abuse’s Redress and civil litigation report, (September 2015) <https://www.childabuseroyalcommission.gov.au/redress-and-civil-litigation>.
[3] See sections 63 and section 92(2) of the National Redress Scheme for Institutional Child Sexual Abuse Bill 2018. The highly sensitive nature of the information required to be supplied to the Scheme is also noted in the Statement of Compatibility with Human Rights of the Explanatory Memorandum on page 124.
[4] See page 64 of the Explanatory Memorandum to the National Redress Scheme for Institutional Child Sexual Abuse Bill 2018.
[5] For example, the Bill could require that the rule-maker consider whether a proposed disclosure is in the public interest, when the purpose is balanced against any impacts that the disclosure may have on the affected individual, and the overall objectives of the scheme.
[6] This is similar to the consultation provisions provided under various other pieces of legislation, for example under s 28(1A) of the National Cancer Screening Register Act 2016, which provides an obligation to consult with the Australian Information Commissioner before the making of rules that relate to privacy functions.
