3 August 2017

Our reference: D2017/006135

Senator Jonathon Duniam
Committee Chair
Senate Standing Committee on Community Affairs
PO Box 6100
Parliament House, Canberra

By email: community.affairs.sen@aph.gov.au

Dear Senator Duniam

Submission to the Inquiry into the National Disability Insurance Scheme Amendment (Quality and Safeguards Commission and Other Measures) Bill 2017

I welcome the opportunity to provide these comments on the National Disability Insurance Scheme Amendment (Quality and Safeguards Commission and Other Measures) Bill 2017 (the Bill) to the Senate Standing Committee on Community Affairs (the Committee).

The Bill would establish a new National Disability Insurance Scheme Quality and Safeguards Commission (the Commission) and Commissioner. The Bill confers on the Commissioner broad powers to disclose personal and sensitive information.

I recognise that the protection of individuals’ privacy must be balanced with the broader interests of the community in ensuring that entities are able to carry out their legitimate functions and activities. The importance of protecting personal and sensitive information within the National Disability Insurance Scheme (NDIS) is also recognised in the Explanatory Memorandum to the Bill.[1]

This submission identifies several matters that I suggest could enhance the protections afforded personal and sensitive information in this context. I suggest these matters could be addressed as follows:

  • provisions authorising the disclosure of personal or sensitive information be drafted as narrowly as practicable
  • provisions that may have privacy impacts be contained in primary legislation, where possible, rather than in rules
  • a privacy impact assessment (PIA) be conducted to identify privacy risks and ways to mitigate those risks.

Limitations on the disclosure of personal and sensitive information

Item 45 of the Bill would insert a new s 67E into the National Disability Insurance Scheme Act 2013 (Cth) (the NDIS Act). Section 67E provides broad powers for the Commissioner to disclose protected information, which may include personal or sensitive information. I am concerned to ensure that any such provision achieves an appropriate balance between the needs and objectives of the Commission and the privacy of individuals.

The Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs) seek to achieve such a balance, providing a principles-based approach that is flexible, technology neutral, and promotes national consistency of regulation by providing a minimum set of standards that are applicable to most Australian Government agencies and much of the private sector.

APP 6 provides limits around the use and disclosure of personal (including sensitive) information for purposes other than the primary purpose for which the information was collected. Section 67E would engage an exception under APP 6.2(b) permitting disclosures that are authorised by law. Where a law engages this exception under the Privacy Act, the authorisation should be reasonable, necessary and proportionate to achieve the relevant policy goals. Given the breadth of circumstances in which personal or sensitive information could be disclosed under s 67E, it is not clear whether the authorisation under s 67E is reasonable, necessary and proportionate.

Additionally, because APP 6.2(b) would be engaged, an individual who felt their information had been disclosed inappropriately may have limited redress. Under the Privacy Act, an individual who is concerned that an entity has not handled their personal information in accordance with the APPs may lodge a complaint. The broad authorisation of s 67E may mean that a complaint about a disclosure by the Commissioner would have limited prospects.

I understand that the public interest disclosure provisions of s 67E may be necessary in order to authorise the disclosure of information that is otherwise protected under secrecy provisions in the NDIS Act. However, as far as practicable, I suggest that any such authorisation be narrowly drafted. There is a range of exceptions to APP 6 which could serve as a model for exceptions to the secrecy provisions in the NDIS Act.[2]

I suggest that:

  • consideration be given as to whether a narrower authorisation of disclosures would better protect the privacy of individuals while still allowing the Commission to carry out its functions efficiently and effectively
  • consideration be given to any other mechanisms that could be included in the Bill to ensure that personal (including sensitive) information is handled appropriately, such as:
    • obtaining the informed consent of the individual prior to any disclosure
    • disclosing only de-identified information, where practicable.

Future amendments

Section 67F of the Bill provides for the National Disability Insurance Scheme rules (the NDIS rules) to make provision for and in relation to the exercise of the Commissioner’s disclosure powers under s 67E. The Explanatory Memorandum states that this use of the rules is necessary as ‘[t]he purposes for disclosure, the bodies to whom disclosure can be made and the type of information which may be disclosed is likely to change over time’.[3]

Where rules could authorise disclosures which impact privacy protections, the mechanism for permitting future authorisations may more appropriately occur through primary legislation. Alternatively, where a rule making power is used, it may be appropriate to include obligations in the primary legislation to ensure that privacy is given appropriate consideration in the development of those rules. For example, s 209 of the NDIS Act could be amended to include a positive obligation for DSS to consult with the OAIC before making rules for the purposes of s 67F.

The Department of Social Services (DSS) has consulted the OAIC and we would welcome continued engagement with DSS on this matter.

Privacy Impact Assessment

I also encourage the DSS to conduct a PIA on the proposed amendments prior to the enactment of the Bill, if they have not already done so. A PIA is a systematic assessment of a project or proposal that identifies the impact that the project or proposal might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. I also encourage the publication of a PIA. Publication of PIAs can demonstrate to stakeholders and the community that the Bill has undergone critical privacy analysis.

If you wish to discuss any of these matters further, please contact Sarah Ghali, Director, Regulation and Strategy, on [contact details removed].

Yours sincerely

Angelene Falk
Acting Australian Information Commissioner

3 August 2017

Footnotes

[1] Paragraph 47.

[2] I note that ss 67B, 67C, and 67D provide for offences relating to the improper use or disclosure of protected information, which would include personal (including sensitive) information. However, these offences would not provide complaint or redress mechanisms to affected individuals.

[3] Paragraph 59.