Submission by the Australian Privacy Commissioner on the Inquiry into the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014

3 October 2014

Committee Secretary

Parliamentary Joint Committee on Intelligence and Security
PO Box 6021
Parliament House
CANBERRA ACT 2600

Dear Committee Secretary

Submission by the Australian Privacy Commissioner on the Inquiry into the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014

As the Australian Privacy Commissioner (the Commissioner), I thank the Joint Committee on Intelligence and Security (the Joint Committee) for the opportunity to comment on the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 (the Bill). I note that many of the measures proposed in the Bill have the potential to impact upon the privacy of individuals.

I recognise that the intention of the Bill is to strengthen and improve Australia’s counter-terrorism legislative framework. Further, I appreciate that ensuring Australian law enforcement agencies have access to the tools and information necessary to perform their national security functions is critical to achieving this intention. At the same time, I consider that it is important to ensure that any proposals to expand the powers of those agencies accord with contemporary community expectations, including expectations about the handling of personal information.

The Committee will be aware that the Statement of Compatibility with Human Rights (the Statement) that accompanies the Bill recognises the privacy impacts of the Bill. Article 17 of the International Covenant on Civil and Political Rights (ICCPR) provides that no-one shall be subjected to arbitrary or unlawful interference with their privacy. To the extent that there is a restriction on an individual’s right to privacy, any interference must be reasonable, necessary and proportionate.

In line with Article 17 of the ICCPR, Australia’s Privacy Act 1988 (the Privacy Act) recognises that the protection of individuals’ privacy, through the protection of their personal information, cannot be an absolute right. Rather, those interests must be balanced with the broader interest of the community in ensuring that entities are able to carry out their legitimate functions and activities. However, where handling of individuals’ personal information is authorised in the broader interests of the community (including upholding national security) it is important that those activities are accompanied by an appropriate level of privacy safeguards and accountability.

The Statement addresses these issues and sets out the existing and proposed safeguards to address privacy impacts. I have reviewed the Statement and the Bill and in the time allowed I make the following comments for the Joint Committee’s consideration. In particular, I seek to advise the Committee on how the Privacy Act would interact with the Bill, and to provide my analysis of certain personal information handling practices.

General Comments

Application of the Privacy Act

The starting position is that generally Australian government agencies affected by the amendments proposed in the Bill are required to comply with the Australian Privacy Principles (APPs) contained in the Privacy Act when handling personal information, including personal information collected for the purpose of upholding Australia’s national security (for example the Australian Federal Police (AFP), the Australian Transaction Analysis Centre (AUSTRAC), the Department of Immigration and Border Protection (DIBP) and the Attorney General’s Department (AGD)). The exception is the intelligence agencies which are not within the jurisdiction of the Privacy Act, but are subject to other oversight mechanisms.

The APPs are legally binding principles which set out standards, rights and obligations in relation to the collection, use, disclosure, holding and access to ‘personal information’, that is, information or opinion about a reasonably identifiable individual. The APPs apply to most Australian government agencies and most private sector organisations and replace the former Information Privacy Principles (that applied to Australian government agencies) and National Privacy Principles (that applied to private sector organisations). I am responsible for ensuring compliance with the APPs and other obligations contained in the Privacy Act.

The APPs require that an Australian government agency only collect information that is reasonably necessary for, or directly related to, the agency’s functions and activities. Further, that those agencies only use and disclose that personal information for the purpose for which the information was collected unless an exception applies to permit the information to be used or disclosed for a secondary purpose. Importantly, those exceptions include where the use or disclosure is authorised or required by an Australian law or court/tribunal order.

I note that many of the measures proposed in the Bill involve the handling of individuals’ personal information. Importantly, where the proposed measures in the Bill authorise the collection, use or disclosure of personal information, this brings the activity within the ‘authorised or required by law’ exceptions in the APPs, to permit the collection, use or disclosure without contravening the Privacy Act. However, even where a particular collection, use or disclosure is authorised by law, the relevant agency must still comply with other obligations contained in the APPs when handling the information (including those relating to providing notice and ensuring the quality and security of the information). Further, where the Bill authorises the collection of personal information, in some instances it limits the purposes for which that information may be used or disclosed, and creates corresponding offences for unauthorised uses or disclosures of that information. Given that certain provisions of the Bill will mean that the Privacy Act does not apply to some activities as they will be ‘authorised or required by law’, these additional safeguards are necessary and appropriate.

These additional safeguards will complement existing measures, which include regulatory oversight by the Independent National Security Legislation Monitor, the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman. In addition, I have a range of powers under the Privacy Act to ensure that agencies are complying with their obligations where they arise under the APPs. These powers include the power to conduct assessments (previously referred to as audits) of agencies and organisations to ascertain whether personal information is being maintained and handled in accordance with the APPs, initiate investigations of matters involving the handling of personal information by agencies and organisations, and direct an agency to conduct and provide me with a privacy impact assessment.[1] Since 12 March 2014 I also have enhanced enforcement powers such as the ability to make a determination where I initiate an investigation and to seek enforcement in the Federal Court.

Other privacy considerations

In addition to personal information privacy, the Bill also engages broader notions of privacy, including issues that go beyond data protection and extend to issues such as bodily privacy and surveillance. Examples of proposals that raise these issues include: the proposals to introduce a delayed notification search warrant scheme for terrorism offences and the proposals to extend the control order regime and preventative detention order (PDO) regime for a further ten years.

I note that the Statement considers whether these proposals are compatible with the right to protection against arbitrary and unlawful interferences with privacy in Article 17 of the ICCPR. As identified in the Statement, where the proposed measures impact upon the privacy interests of individuals, consideration should be given to whether those measures are proportionate and necessary; that is, whether they appropriately balance the intrusion on individuals’ privacy with the need to protect the public from threats to national security (including terrorism).

To assist the Joint Committee in considering whether these measures are necessary and proportionate, the Joint Committee might wish to consider the approach contained in the OAIC’s 4A framework (a copy of the framework can be found in Appendix A). The 4A Framework outlines a four step approach for assessing and implementing new law enforcement and national security powers. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy by asking:

  1. Whether the proposed measure is a proportional response, in light of its impact on privacy and existing community expectations?
  2. Under what circumstances the powers can be exercised?
  3. What safeguards are in place?
  4. Whether there are any built in review mechanisms?

I also draw the Joint Committee’s attention to the submission made by the then Office of the Privacy Commissioner to the Senate Legal and Constitutional Legislation Committee (the Senate Committee) in relation to the Inquiry into the provisions of the Anti-Terrorism Bill (No. 2) 2005, which introduced the control order and PDO regimes (a copy of the submission can be found in Appendix B).

Specific Comments

In light of the tight time-frame, I have given more detailed consideration to the proposed measures that involve the handling of personal information and that, therefore, may engage my regulatory responsibilities under the Privacy Act.

Listing the Attorney-General’s Department as a ‘designated agency’ for the purpose of accessing AUSTRAC information

The Bill amends the definition of a ‘designated agency’ in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) to include AGD. This will enable AGD to access financial intelligence information held by AUSTRAC (AUSTRAC information), subject to written authorisation provided by the AUSTRAC CEO.

I appreciate that the intention of this amendment is to enable AGD to more efficiently and effectively develop policy to combat terrorism financing risks. However, I am concerned that the extension of the definition of a designated agency to include AGD represents a significant shift in the types of entities that are permitted to access AUSTRAC information; specifically, that designated agencies are primarily agencies that have law enforcement functions and activities, whereas AGD is seeking access to assist in its policy making activities.

In expressing this concern, I am mindful that there are a range of privacy safeguards that apply to the handling of AUSTRAC information. Importantly, I understand that when the AUSTRAC CEO is considering whether to give a designated agency access to AUSTRAC information, the CEO must have regard to privacy matters (see s 212 of the AML/CTF Act). Further, where AUSTRAC information includes personal information and that information is disclosed to a designated agency that is also an APP entity (such as AGD), the APPs regulate how that personal information must be handled by the designated agency. In particular, under APP 3.1, agencies requesting access to AUSTRAC’s information will have to consider their obligation to only collect personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities.

Additionally, I note that in considering the privacy impacts of this amendment the Statement of Compatibility with Human Rights suggests that the majority of AUSTRAC information accessed by AGD would be considered at an aggregated level. I advise that if the information is aggregated to a level where it is no longer about an identifiable individual or an individual who is reasonably identifiable (that is, where the information has been de-identified), the information is no longer personal information and is not regulated by the Privacy Act. However, whilst it is always preferable from a privacy perspective to de-identify personal information before using or disclosing the information, I recognise that in some circumstances the purpose of the use or disclosure cannot be served by de-identification of information.

With those considerations in mind, I suggest that the Joint Committee seek further clarification about the nature of the information likely to be sought by AGD and whether any of that information would be sufficiently aggregated to make it de-identified. Further, that the Joint Committee consider whether AGD’s collection of AUSTRAC information that is personal information (that is, information that is not sufficiently aggregated to ensure that it is de-identified) is reasonably necessary for, or directly related to, AGD’s functions or activities.

Collection of biometric information by automated border clearance systems

I understand that the Bill amends the Migration Act 1958 (the Migration Act) to allow an automated border clearance system (authorised system), such as a SmartGate, to collect certain personal information, including biometric information (for example, facial images).

I advise that since the reforms to the Privacy Act, which came into effect on 12 March 2014, this type of personal information is considered to be ‘sensitive information’ and, therefore, attracts a higher level of protection under the Privacy Act. Specifically, biometric information, such as a facial image, will be sensitive information where it is used for the purpose of automated biometric verification or biometric identification (for example, when it is used by a SmartGate).

APP 3 requires that sensitive information must only be collected with the consent of the individual unless one of the listed exceptions applies. Those exceptions include where the collection is authorised or required by law. While this means that if the Bill is passed an individual’s consent will no longer be required for the collection of this type of biometric information, I note the assurance in the Statement that any handling of this information will be undertaken in accordance with the APPs. In particular, the Statement notes the steps that will be taken to ensure compliance with the notice obligations in APP 5 – namely, that individuals will be notified about the collection of this information through signs, information sheets, and information on DIBP’s and Customs’ websites. Further, the Statement makes clear that this biometric information will be subject to the existing restrictions in the Migration Act in relation to the purposes for which the information may be collected, used and disclosed.

In making these observations, I am mindful of the rapid growth in the use of biometric technology, and I am taking steps to ensure that agencies and organisations are aware of the additional protections that are afforded to this type of sensitive personal information by the Privacy Act.

In addition to the assurance that this information will be handled in accordance with the APPs, I understand that this type of biometric information (facial images) is currently being collected by the DIBP. However, I am mindful that the proposed amendment does allow for the making of regulations prescribing additional categories of biometric information (referred to in the Migration Act as personal identifiers), such as fingerprints and iris scans.

I appreciate the need to ensure that the law is able to accommodate changes in technology and, therefore, do not raise any concerns about this amendment. In saying this, I would, however, expect that any proposal to extend the types of biometric information prescribed in the regulations would be subject to appropriate public consultation. In addition, I would welcome any invitation to provide feedback on the likely privacy impacts of such a proposal.

Authorising DIBP to collect and retain personal information contained in a document

I understand that the Bill introduces a new provision into the Migration Act that authorises a clearance authority (including both an authorised system and an authorised border clearance officer) to collect and retain any information contained in a document that is presented by an individual to the clearance authority. Further, that this would include the clearance officer making a physical or electronic copy of any information contained on the document or, where the document is an electronic document, such as an ePassport, stored in the document.

I understand that the effect of this amendment is not to authorise the collection of any additional information by DIBP, as this information is already able to be collected from an individual by a border clearance officer. Rather, the amendment is intended to take account of developments in border security technologies (such as the introduction of SmartGates) and the shift towards an automated border clearance system.

Further, I note that the Migration Act currently contains provisions that will regulate how this information must be handled. As identified above, those safeguards are supplemented by certain obligations in the APPs, including those relating to notice (APP 5), quality (APP 10) and security (APP 11).

With these considerations in mind, I do not raise any concerns in relation to this amendment.

Advanced identification of persons leaving Australia

I understand that the Bill amends the Migration Act to extend airlines’ obligation to provide Australian border authorities (DIBP and Customs) with information about inward bound passengers and crew, to include information about departing passengers and crew. The information that must currently be reported is personal information and includes the incoming passenger or crew member’s name, passport number, nationality and (in certain circumstances) their date-of-birth and sex.[2] I note that this amendment does not purport to expand the types of personal information collected, only to extend the reporting obligation to include travellers and crew that are departing Australia. Further, that the information collected is information that is already collected by the border authorities when the passenger or crew member presents at the border.

I note that, as is clearly identified in the Statement, this information will need to be handled by DIBP and Customs in accordance with the APPs. Further, I acknowledge that in addition to security considerations, there are benefits to the individual, in terms of reduced border processing time, by DIBP and Customs collecting this information in advance of the passenger or crew member presenting at the border (at the time of check-in).

With these considerations in mind, I do not raise any concerns in relation to this amendment.

Should the Joint Committee require any further information please contact Este Darin-Cooper, Director of Privacy Law and Practice, on [phone number redacted].

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner

3 October 2014

Footnotes

[1] A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, mitigating or eliminating that risk.

[2] The Department of Immigration and Border Protection (DIBP, formerly the Department of Immigration and Citizenship) (2008) Australia’s APP Advance Passenger Processing System: Check-in Guide, Commonwealth of Australia, available online at: <http://www.immi.gov.au/managing-australias-borders/border-security/air/airlines/app-checkin.htm>.
