Submission by the Australian Privacy Commissioner on the Australian Citizenship and Other Legislation Amendment Bill 2014

6 November 2014

Committee Secretary

Senate Legal and Constitutional Affairs Committee
PO Box 6100
Parliament House
Canberra ACT 2600

Dear Committee Secretary

Submission by the Australian Privacy Commissioner on the Australian Citizenship and Other Legislation Amendment Bill 2014

As the Australian Privacy Commissioner, I thank the Senate Legal and Constitutional Affairs Committee (the Committee) for the opportunity to comment on the Australian Citizenship and Other Legislation Amendment Bill 2014 (the Bill).

My comments are limited to items 74 and 77 of the Bill. Those provisions would amend the Australian Citizenship Act2007 and the Migration Act 1958 to enable personal information collected for the purposes of one Act (or the regulations under that Act), to be used or disclosed for the purposes of the other Act (or regulations under that Act). The Statement of Compatibility with Human Rights (the Statement) accompanying the Bill provides that these items are intended to facilitate ‘the efficient use of information held by the Department [of Immigration and Border Protection] as a whole to ensure that it can carry out its functions under the two Acts that it administers with accuracy and effectiveness.’ The Statement also provides that the measure would enhance the Department of Immigration and Boarder Protections’ (DIBP) ability to detect fraud, improve client service and improve decision-making on citizenship applications overall.[1]

While I have not had the opportunity to assess the impacts of items 74 and 77 on individuals’ privacy in detail, I raise the following privacy issues for the Committee’s consideration:

  • whether the broad range of information sharing proposed under items 74 and 77 is necessary, proportional and the least privacy invasive option. It would appear that for some of this information sharing, other exceptions in Australian Privacy Principle (APP) 6 might be available to the DIBP which would obviate the need for the broad authorisation in items 74 and 77 of the Bill. Further, those other exceptions would allow DIBP to share information, while also enabling individuals to maintain control over how their personal information is handled (for example, where the DIBP obtains the individual’s consent).

  • whether the measures proposed in items 74 and 77 are compatible with Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It is unclear from the Statement whether they are, and consideration should be given to explaining the compatibility more clearly.

The Bill has an impact on privacy and engages Article 17 of the ICCPR. In line with Article 17 of the ICCPR, the Privacy Act recognises that the protection of individuals’ privacy, through the protection of their personal information, cannot be an absolute right. Rather, those interests must be balanced with the broader interest of the community in ensuring that entities are able to carry out their legitimate functions and activities. However, where handling of individuals’ personal information is authorised in the broader interests of the community, any such limitation on the privacy protections should be reasonable, proportional and necessary for the policy objective.

Ideally these issues would be considered in developing the legislative proposal, and form part of a Privacy Impact Assessment (PIA). I was not consulted in the development of this Bill and am not aware of whether such as assessment has been carried out. This is a step I would encourage agencies to consider taking where a change is proposed to their information handling practices. Whether a PIA is appropriate depends in part on the extent to which personal information will be collected, used or disclosed.[2]

Whether the proposed broad information sharing powers are necessary, reasonable and proportionate and the least privacy invasive option

The DIBP must comply with the Australian Privacy Principles (the APPs) in Schedule 1 of the Privacy Act 1988 when handling an individual’s personal information.[3] However, if the information handling practices in items 74 and 77 were enacted, they would invoke the exception in APP 6.2(b), which permits the use and disclosure of personal information where it is authorised or required by law.

There are a number of other exceptions under APP 6 that may already permit the use and disclosure of some of this information. For example, I understand from the Statement that the DIBP generally obtains a person’s informed consent to use personal information collected under the Australian Citizenship Act for other purposes.[4] Where an individual’s consent is obtained, personal information could be used or disclosed under APP 6.1(a), without needing to rely on the ‘required or authorised by or under law’ exception. It is considered good privacy practice to obtain an individual’s informed consent wherever possible, as this enables the individual to understand and exercise some control over how their personal information is handled. If consent to a particular information handling practice can usually be obtained, this might obviate the need for a broad authorisation.

Other exceptions in APP 6 that may permit the exchange of certain information under the Australian Citizenship Act and the Migration Act include:

  • APP 6.2(a) - where the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose relates to the primary purpose of collection (or, for sensitive information, directly relates to the primary purpose of collection). Examples of where an individual may be taken to reasonably expect the use or disclosure of their personal information for a secondary purpose include where the entity has notified the individual of the particular secondary purpose, under the notification principle in APP 5.

  • APP 6.2(e) – the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. The definition of ‘enforcement body’ in s 6(1) of the Privacy Act includes ‘the Immigration Department’. The definition of ‘enforcement related activities’ includes ‘the protection of the public revenue.’

If there are uses and disclosures of personal information that the DIBP considers are not covered by these exceptions, then these particular uses and disclosures could be identified and authorised by law (if reasonable, proportional and necessary to achieve the policy objective).

A law that invokes the exception in APP 6.2(b) should then be drafted narrowly. As far as practicable, any such requirement or authorisation should constrain the use or disclosure of the personal information consistent with the policy objective of the Privacy Act. For example, an authorisation should clearly describe:

  • the kind of personal information that may be used or disclosed
  • who may use or disclose the information, and who may receive the information
  • the purpose for which the personal information may be used or disclosed, and the purpose for which it may be subsequently used or disclosed by the recipient.

In addition, any such law should ensure that the amount of personal information that is permitted to be used or disclosed is clearly limited to that which is necessary to achieve the policy objective of the proposal.

I also note that items 74 and 77 also authorise the disclosure of personal information, rather than just the ‘use’ of such information. Under the Privacy Act, the exchange of personal information within one agency is considered a ‘use’ of that information, rather than a ‘disclosure’.[5] According to the Explanatory Memorandum, these items authorise the disclosure of personal information on the basis that ‘it is possible that migration and citizenship matters could be split between different portfolios in future.’[6] In my view, an authorisation to disclose personal information under the exception in APP 6.2(b), would not usually be considered reasonable, proportional and necessary on the basis that it is possible such an authorisation could become necessary in future.

The Statement of Compatibility with Human Rights

The Statement of Compatibility with Human Rights provides, in relation to the potential impact on privacy of items 74 and 77, that ‘the issue for consideration is therefore whether the measure constitutes an arbitrary or unlawful interference with privacy.’[7] The Statement explains that the proposed measures do not fall within the meaning of ‘an interference with privacy’ on the basis that the information is willingly and lawfully provided by individuals and the DIBP obtains consent for some of its secondary uses of this information. For these reasons, it is argued, that these measures do not impact individuals’ privacy. The Statement does not discuss the effect of these provisions under the Privacy Act, which is to authorise the handling of personal information in a manner otherwise inconsistent with the privacy protections in APP 6.

The Statement notes that, in the alternative, if the measures in items 74 and 77 do engage the ‘privacy element’, this is not arbitrary or unreasonable because it will ‘not be unlimited in nature and would have a high degree of certainty as to who is affected and in what circumstances’ and will result in enhanced efficiencies for the DIBP.[8] Additionally, the collection of information is said to be ‘lawful, as it fits within the Privacy Principles’.[9]

I suggest that further consideration be given to explaining how these items are compatible with Article 17 of the ICCPR, with reference to the comments above about other exceptions that may be available under APP 6.

Should the Committee require any further information please contact Este Darin-Cooper, Director on [contact details redacted].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner
6 November 2014

Footnotes

[1] Statement of Compatibility with Human Rights, p. 13

[2] The OAIC’s Guide to undertaking privacy impact assessments is available on the OAIC website, see www.oaic.gov.au

[3] Explanatory Memorandum, paragraph 509. Personal information is defined in s 6(1) of the Privacy Act

[4] State of Compatibility with Human Rights, p. 13

[5] Explanatory memorandum to the Bill, paragraph 473 and 497

[6] Explanatory memorandum to the Bill, paragraph 474 and 498

[7] Statement of Compatibility with Human Rights, p. 13

[8] Statement of Compatibility with Human Rights, p. 14

[9] Statement of Compatibility with Human Rights, p. 14

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au