14 February 2018

Our reference: D2018/000803

Mr Murray Crowe
Principal Adviser
Individuals and Indirect Tax Division
Small Business Entities and Industries Concessions Unit
The Treasury
Langton Crescent
PARKES ACT 260

Dear Mr Crowe

Transparency of Business Tax Debts

I welcome the opportunity to provide comments on exposure drafts of the Treasury Laws Amendment (Tax Transparency) Bill 2018: Transparency of taxation debts (the draft Bill) and the associated Tax Debt Information Disclosure Declaration 2018 (the draft Declaration).

I understand that the draft Bill and the draft Declaration would give effect to a measure announced in the 2016–17 Mid-Year Economic and Fiscal Outlook, by allowing the Australian Taxation Office (ATO) to disclose the tax debt information of business entities to registered credit reporting bureaus (CRBs) for use in the commercial credit reporting system. The draft Bill would achieve this by creating exceptions to the offence of disclosure of protected information by taxation officers under s 355-25 of schedule 1 of the Taxation Administration Act 1953 (the TAA).

I acknowledge the important policy objectives of the provisions in the draft Bill, which include supporting more informed decision making within the business community and encouraging taxpayers to engage with the ATO to manage their tax debts.[1] I also recognise that the draft Bill includes certain privacy protections, including the notification requirements in section 355-72(2) and (3).

My comments below are intended to outline some remaining privacy risks and identify possible measures to address or minimise these. I also suggest that Treasury should undertake a privacy impact assessment (PIA), to assist in identifying privacy impacts and mitigation strategies. I have provided some information about PIAs below.

I have also made a submission to the ATO’s consultation on their proposed administrative approach, which I have attached to assist the Treasury in addressing areas of overlap.

About the Office of the Australian Information Commissioner (OAIC)

The Australian Parliament established the Office of the Australian Information Commissioner (the OAIC) in 2010 to bring together three functions:

  • freedom of information functions (access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth))
  • privacy functions (regulating the handling of personal information under the Privacy Act 1988 (Cth) (Privacy Act), and other Acts)
  • information management functions.

The Privacy Act contains 13 Australian Privacy Principles (APPs) that outline how regulated entities must handle, use and manage personal information. These apply to most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.

The Privacy Act also regulates the handling of individuals’ credit information within the consumer credit reporting system – ‘consumer credit’ generally means credit that is intended to be used wholly or primarily for personal, family, household, or residential investment purposes.[2] Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2014 set out:

  • the types of credit information that Credit Providers[3] can disclose to a credit reporting body,[4] for the purpose of that information being included in an individual’s credit report
  • the entities that can handle this information
  • the purposes for which that information may be handled.

Potential privacy impacts

While the draft Bill permits disclosures of tax debt information about businesses, rather than individuals,[5] it also appears to permit the disclosure of personal information about some individuals by the ATO to CRBs[6] and by CRBs to other entities.[7]

The definition of personal information in the Privacy Act extends to any information or opinion that is about an individual, from which they are reasonably identifiable.[8] This can include information about an individual’s business or work activities. For example, the draft Explanatory Memorandum (EM) indicates that information to be disclosed would include the taxpayer’s Australian Business Number and legal name, and their disclosable tax debt amount.[9] Should this information reasonably identify an individual, for example if the taxpayer is a sole trader, it would be considered personal information.

Authorised disclosures of personal information

APP 6 outlines when an APP entity may use or disclose personal information. Under APP 6, an APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies. By authorising the disclosure of personal information by the ATO to CRBs[10] and by CRBs to other entities,[11] the draft Bill engages the exception in APP 6.2(b), which permits the use or disclosure of personal information for a secondary purpose that is required or authorised by Australian law.[12]

The right to privacy is not absolute and, in some circumstances, privacy rights must necessarily give way where there is a compelling public interest reason to do so. However, where legislation has the effect of invoking this exception to APP 6, any such limitation on individuals’ expectations of privacy should be drafted narrowly, and be reasonable, necessary and proportionate to achieving the public policy objective.

A PIA may help Treasury ensure that any impacts on privacy are reasonable, necessary and proportionate in the circumstances. For example, a PIA could consider whether it would be possible for the draft Bill’s disclosure provisions to be more narrowly drafted, to more clearly describe:

  • the types of ‘information that relates to the tax debts of an entity’ that may be disclosed under s 355-72(1)(c)
  • the entities that may receive information under s 355-215
  • the purposes for which information can be used and disclosed under s 355-215.

Delegated legislation

Under ss 355-72(1)(c) and 355-72(5) of the draft Bill, the Minister must declare, by legislative instrument, the classes of entities whose information may be disclosed to CRBs.

Where a declaration by a Minister could authorise disclosures under APP 6.2(b), the mechanism for permitting future authorisations may more appropriately occur through primary legislation. In particular, I am concerned that the use of delegated legislation in this instance could lead to the future expansion of personal information handling, for example by extending the class of entities to include tax debt information about individuals, which could then be included in individuals’ consumer credit reports. If it is not possible to specify the class of entities in the draft Bill, the draft Bill could instead include a positive obligation for the Minister to consult with my Office before making a declaration for the purposes of s 355-72(5). Such consultation may assist the Minister at an early stage when considering any possible interactions with the consumer credit reporting system.

Disclosures to entities not subject to the Privacy Act

It appears that the draft Bill may allow for the disclosure of personal information to entities, such as small businesses, which are not covered by the Privacy Act:

  • section 355-71(6) prescribes that ‘an entity is a credit reporting bureau if the entity is recognised by the Commissioner [of Taxation] as an entity that prepares and issues credit worthiness reports in relation to other entities’. This definition varies from the Privacy Act’s definition of a credit reporting body.[13] As CRBs are recognised by the Commissioner of Taxation, there is the potential for a small business, which would not be covered by the Privacy Act, to be recognised as a CRB.[14]

  • section 355-155 of the TAA Act contains an offence for the on-disclosure of protected information by entities (who are not taxation officers). Section 355-215 of the draft Bill would create an exception to this offence, for the on-disclosure of information disclosed by CRBs. The draft EM clarifies that:

    For the avoidance of doubt, these amendments ensure that the customers of a credit reporting bureau and any other third parties subsequently dealing with tax debt information are not exposed to criminal sanctions for recording or on-disclosing the information.[15]

I suggest that Treasury considers whether this exception could facilitate the disclosure of personal information to customers that do not have obligations to handle personal information in accordance with the Privacy Act.

As I mentioned earlier, a PIA could assist Treasury in identifying mitigation strategies to ensure that personal information is afforded an appropriate level of protection. These may include more narrowly drafting the draft Bill’s disclosure provisions, or adopting administrative policies that only allow disclosures to occur to entities that have robust privacy policies and practices. Treasury may also want to consider the mechanism in s 6EA of the Privacy Act, which allows small businesses to opt-in to Privacy Act coverage, and s 6E(2), which allows regulations to be made to treat a small business as an organisation for prescribed acts or practices. This has been used as a privacy protection by other regulators where a law would authorise small businesses to handle personal information.[16]

Privacy Impact Assessment

Given the possible privacy impacts of the draft Bill, I recommend that Treasury conduct a PIA. A PIA would help Treasury to identify the impact that the measures in the draft Bill might have on the privacy of individuals, and set out recommendations for managing, minimising or eliminating that impact. In addition, while it does not appear that the tax debt information, which is to be disclosed under the draft Bill, could be included in an individual’s consumer credit report,[17] a PIA may make the intention clearer. I would appreciate being kept informed of developments in this area.

More information about PIAs can be found in the OAIC’s Guide to undertaking privacy impact assessments[18] and our Undertaking a Privacy Impact Assessment e-learning tool.[19] There is also more information on the OAIC website about the Australian Government Agencies Privacy Code,[20] which commences in July 2018 and will require agencies to undertake a written PIA for all high privacy risk projects.

If you would like to discuss these comments or have any questions, please contact Sophie Higgins, Director, Regulation & Strategy, on [contact information removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

Footnotes

[1] Exposure draft explanatory materials, para 1.8.

[2] See the definition of ‘consumer credit’ in section 6(1) of the Privacy Act.

[3] Defined in ss 6G to 6K of the Privacy Act.

[4] The definition of a credit reporting body in ss 6(1) and 6P of the Privacy Act varies from the draft Bill’s definition of a CRB, as an entity that is recognised by the Commissioner of Taxation as an entity that prepares and issues credit worthiness reports in relation to other entities (s 355-71(6)).

[5] Section 355-71(1)(c) of the draft Bill; s 7 of the draft Declaration; paragraph 1.6 of the draft EM.

[6] Section 355-72.

[7] Section 355-215.

[8] Personal information is defined in s 6(1) of the Privacy Act. More information is available in What is personal information? <https://www.oaic.gov.au/agencies-and-organisations/guides/what-is-personal-information>.

[9] Paragraph 1.39.

[10] Section 355-72.

[11] Section 355-215.

[12] Sections 355-72 and 355-215.

[13] Defined in s 6(1) of the Privacy Act as an organisation, or prescribed agency, which carries on a credit reporting business. A credit reporting business is defined in s 6P as ‘business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual’.

[14] Sections 6C(1) and 6D of the Privacy Act.

[15] Paragraph 1.71.

[16] For example, research entities that wish to be granted data by the Australian Communications and Media Authority under the Integrated Public Number Database Scheme must opt-in to Privacy Act coverage under s 6EA. More information is available on the OAIC’s website at <https://www.oaic.gov.au/privacy-law/privacy-registers/opt-in-register>.

[17] Paragraphs 1.6 and 1.9.

[18] <https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments>.

[19] <https://www.oaic.gov.au/elearning/pia/>.

[20] <https://www.oaic.gov.au/privacy-law/australian-government-agencies-privacy-code/>.