Inquiry into the Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 — submission to the Senate Foreign Affairs, Defence and Trade Legislation Committee
Our reference: D2017/002915
Senator Chris Back
Chair, Senate Foreign Affairs, Defence and Trade Legislation Committee
PO Box 6100
Parliament House
Canberra ACT 2600
Dear Senator
Submission to the Inquiry into the Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017
I welcome the opportunity to comment on the provisions of the Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 (the Bill), as part of the Senate Foreign Affairs, Defence and Trade Legislation Committee Inquiry.
In view of the broad range of provisions contained in the Bill, I have focussed my comments on the privacy impacts of the provisions of Schedule 5 of the Bill, which authorise the handling of personal information, including sensitive information.
Specifically, Schedule 5 of the Bill authorises the Commonwealth Superannuation Corporation (CSC) as a body that the Military Rehabilitation and Compensation Commission (MRCC) may provide information to. This would be for the purpose of CSC performing a function, or exercising a power under an Act or instrument it administers. I understand these amendments are designed to enable the CSC to access claims information (particularly medical and rehabilitation information) held by the MRCC to assist in assessing Australian Defence Force (ADF) members’ superannuation benefits.
Where legislative provisions have an impact on the privacy of individuals, they should be limited to what is reasonable, necessary and proportionate to achieve the policy objectives of the Bill. Individuals should also be made aware of how their personal information is being handled.
Schedule 5 – disclosure of information
I welcome that the provisions restrict the sharing and subsequent use of information by prohibiting the CSC from using or disclosing the information for purposes other than a purpose relating to the performance or function of the CSC related legislation. However, I note that the range of functions undertaken by the CSC and breadth of CSC legislation may mean that the full extent of those purposes is unclear. As a result, it may be difficult to discern what impact such uses or disclosures might have on the ability for current and former ADF members to understand how their personal information is handled.
To create greater transparency, I encourage the appropriate department or agency to undertake a Privacy Impact Assessment (PIA), if it has not done so already. A PIA is an assessment tool that describes the personal information flows in a project and analyses the possible privacy impacts that those flows, and the project as a whole, may have on the privacy of individuals.
In this situation, a PIA would highlight any privacy impacts associated with the handling of the personal information of current and former members of the ADF and provide an opportunity to take proactive steps to mitigate any impacts. This would include outlining what steps should be taken to ensure that the individual is aware of the way their personal information is handled.
More generally, a PIA will also assist to:
- set out the purpose of the provisions in the Bill which allow for the collection, use and disclosure of personal information and why they are necessary
- identify any potential impacts on individuals’ privacy and the safeguards that will apply to minimise the impact
- explain what, how and when information will be collected, used and disclosed under the Bill and for what specific purposes, and
- assist to manage, minimise or eliminate the privacy impacts to ensure that the measures proposed in the Bill are a necessary and proportionate response to achieving the objectives of the Bill.
If you wish to discuss any of these matters further, please contact Sarah Ghali, Director Regulation and Strategy, at [contact details removed].
Yours sincerely
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner
8 May 2017