Australian Government - Office of the Australian Information Commissioner - Home

Australian Law Reform Commission’s Review of Secrecy Laws - Discussion Paper 74; Submission to the Australian Law Reform Commission (August 2009)

The Office's submission to the ALRC on its review of secrecy laws


Key recommendations

1. The Office of the Privacy Commissioner (the Office) welcomes the opportunity to provide a submission to the Australian Law Reform Commission (ALRC) on its Review of Secrecy Laws - Discussion Paper 74.

2. The Office makes the following recommendations:

  • i. Where a secrecy provision regulates personal information, that provision should be required to address its interaction with the Privacy Act 1988 (Cth). (see para 8-9)
  • ii. Privacy Impact Assessments (PIAs) should be completed when either a new secrecy provision or a significant amendment to a current secrecy provision is being proposed. (see para 12-13)
  • iii. A requirement that data matching activities must be subject to guidelines issued by the Privacy Commissioner should be included in the proposed agency level information sharing agreements. (see para 22)
  • iv. Consideration should be given to making an updated version of the voluntary data matching guidelines mandatory for the public sector. (see para 23-25)
  • v. Consideration should also be given to extending regulation to private sector data matching activities. (see para 24)
  • vi. The Office provides in-principle support for the proposed general secrecy offence. In particular, the Office supports simplification and increased consistency of offences relating to the disclosure of Commonwealth information that contains personal information. (see para 34)

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses.

2. In addition, the Commissioner also has statutory obligations under the Data-matching Program (Assistance and Tax) Act 1990 (Cth). These obligations include the requirement to issue Guidelines under this Act[1] and the discretion to investigate any act or practice that may be a breach of the Act or Guidelines[2]. This Act applies to agencies undertaking data matching that involves the use of the Tax File Number. The Commissioner has also issued voluntary data matching guidelines for agencies undertaking data matching that does not involve the Tax File Number.

Preliminary

3. The Office welcomes the opportunity to comment on the ALRC's Review of Secrecy Laws - Discussion Paper 74[3] (DP74). The Office's comments are intended to relate to those secrecy laws that relate to, or impact upon, the handling of an individual's personal information. As such, this submission focuses on the interaction of the Privacy Act and secrecy laws as well as how that interaction affects data matching activities.

Privacy and Secrecy Laws

Interaction of the Privacy Act 1988 (Cth) and Secrecy Laws

4. DP74 considers the interaction of secrecy laws and other Commonwealth laws dealing with the handling of information. In relation to the Privacy Act, the ALRC comments that there is much confusion about what constitutes a privacy matter and what is governed by secrecy provisions.[4]

5. In the Office's submission to the ALRC's Review of Privacy - Issues Paper 31, the Office stated its view that secrecy provisions should remain regulated under the legislation that applies to each agency.[5] The Office recognises that each agency is in the best position to determine the secrecy or confidentiality obligations that are most appropriate for the information[6] held by that agency to ensure it is adequately protected. From the Office's perspective, the additional protections afforded by secrecy laws can be particularly important in relation to personal information that is sensitive information or that becomes sensitive within a specific context. As such, secrecy laws provide an avenue for agencies to identify such issues and implement appropriate protections.[7]

6. The Office notes that the ALRC agreed with this position in its Report For Your Information: Australian Privacy Law and Practice (Report 108) and concluded that secrecy provisions designed to add additional protections to personal information sit most appropriately in specific laws rather than the Privacy Act.

7. Additionally, the Office has previously noted that where secrecy provisions may be silent regarding certain aspects of personal information handling, for example regarding collection or use, the Privacy Act's protections apply. This complementary interaction highlights the benefit of having a tiered approach to ensure comprehensive protection of personal information.[8]

8. Given this tiered approach to protecting information, the Office reiterates its support for the suggestion outlined in the ALRC Report 108[9] that where a secrecy provision regulates personal information, that provision should be required to address its interaction with the Privacy Act. This could assist in removing uncertainty regarding the intersection of obligations imposed by both pieces of legislation and therefore promote more effective compliance.[10]

9. This suggestion could potentially be achieved by adopting a similar proposal to that included in Proposal 4-2, which suggests a Drafting Direction could require any proposed secrecy provision to expressly indicate whether it overrides the Freedom of Information Act 1982 (Cth). The Office suggests a similar proposal could call for a Drafting Direction to require that any proposed secrecy provision that will regulate the handling of personal information, as defined by the Privacy Act,[11] must indicate expressly how that provision will interact with the agency's obligations under the Privacy Act. Such a requirement provides a specific trigger for agencies to consider their obligations in relation to the handling of that personal information. It would also provide clarification regarding the interaction between the secrecy provision and the Privacy Act at the time of drafting to avoid subsequent confusion.

Facilitating Disclosure

10. The ALRC's Review of Secrecy Laws - Issues Paper 34 contained a question regarding the instances where secrecy provisions may authorise the handling of personal information in a manner that would otherwise be a breach of the IPPs.

11. The Office holds the view that the protections afforded by the IPPs should be considered fundamental obligations legislated by Parliament and there should be sound public policy reasons for agencies to seek to reduce or remove them.[12] In particular, as the Office has stated previously, agencies need to carefully consider the "required or authorised by or under law"[13] exception and the Office emphasises that reliance on this exception must be narrowly defined and for specific purposes.[14]

12. As the ALRC outlined in its Report 108, and supported by the Office, the completion of a Privacy Impact Assessment[15] (PIA) is a useful process for agencies to gain an understanding of the implications of a proposed secrecy provision that may authorise disclosures. A PIA should identify where a proposed secrecy provision may allow disclosures not previously available under the Privacy Act. Similarly, a PIA should canvass the need, the public policy basis, and the purpose of the proposed disclosure.

13. As such, the Office supports the view that PIAs should be completed when either a new secrecy provision or a significant amendment to a current secrecy provision is being proposed.[16]

Data matching

14. The Office supports an agency's ability to share information for data matching purposes within government and in some situations with private sector organisations where a clear and cogent public policy purpose is identified. However, the Office believes that data matching activities should continue to be transparent, limited to specific needs and purposes, and be subject to clear guidance about how these activities are undertaken.[17]

Collection of personal information for data matching purposes

15. The Office notes the discussion in Chapter 3 of DP74 focuses on whether secrecy provisions permit the required disclosures to facilitate data matching and information sharing.

16. However, the Office suggests that an equally important consideration in determining whether an agency can undertake data matching is whether the agency that is intended to receive personal information for data matching purposes has the ability to collect that personal information pursuant to IPP 1.

17. For example, if Agency A wishes to data match with Agency B's information, then Agency A needs to carefully consider why it needs to collect Agency B's information for the administration of Agency A's legislation. Under IPP 1, Agency A is required to ensure that the collection of the information is for a lawful and directly related purpose to their activities or functions.[18]

Disclosure of personal information for data matching purposes

18. As stated previously, the Office believes that to date, data matching activities have been adequately regulated by the interaction of secrecy provisions, the IPPs and specific legislation such as the Data-matching Program (Assistance and Tax) Act 1990 (Cth).[19]

19. Currently, in most instances, before undertaking to provide information for a data matching activity, an agency is required to determine whether its secrecy provisions permit the disclosure of the requested information. Should this information contain personal information, the agency is also obliged to determine whether such a disclosure is in compliance with the agency's obligations under IPP 11 of the Privacy Act.

20. Additionally, the Privacy Commissioner has issued advisory Guidelines for the Use of Data-matching in Commonwealth Administration[20] for voluntary adoption by agencies that carry out data matching but are not subject to specific data matching legislation or undertake matches that do not use the Tax File Number.

21. However, with rapidly increasing technological developments, the possible uses of matched data have the potential to increase substantially. Consequently, it is important that data matching activities continue to be carefully regulated to ensure the robust and appropriate protection of an individual's privacy.

22. The Office acknowledges the ALRC's view that, generally, information sharing could best be undertaken at agency level through individual agency agreements as part of a broader information management framework.[21] However, the Office suggests that within those individual agency agreements the issue of data matching should be addressed by the inclusion of a requirement that should an agency identify a need to undertake data matching involving significant volumes of data, then such activities be subject to guidelines issued by the Privacy Commissioner.

23. Furthermore, as the Office recommended in its response to the ALRC's Review of Privacy, consideration should be given to making the voluntary data matching guidelines mandatory for the public sector.[22] The Office notes that in its Report 108, the ALRC expressed the view that a case had not been made out for making these guidelines mandatory as there seemed to be no indication that agencies were not currently complying with the voluntary guidelines.[23] Nevertheless, in light of the increasingly recognised uses of matched data, the Office reiterates its view and suggests that an updated version of the data matching guidelines could be made mandatory. Should there be a breach of these guidelines, the Commissioner would continue to have the power to investigate and report to the relevant Minister.[24]

24. Similarly, in acknowledgement of the increased need for government to work collaboratively with the private sector, the Office recognises that data matching between agencies and private sector organisations has the potential to expand. As such, consideration should also be given to extending regulation to data matching activities between government and the private sector.[25]

25. The Office believes that it is important that data matching activities are seen to be transparent and accountable. In particular, the Office agrees that people should know when their personal information will be shared.[26] The Office suggests that mandatory guidelines overseen by the Privacy Commissioner would support community confidence in data matching activities.

Information sharing more broadly

26. The Office acknowledges that the notion of information sharing is a far broader concept than information shared purely for the purposes of data matching. In the comments above, the Office has directed its comments specifically in relation to personal information sharing for data matching activities.

27. However, the discussion and submissions in DP74 regarding the sharing of Commonwealth information more broadly raise the suggestion that this could be a useful topic to be addressed by the proposed Office of the Information Commissioner.[27]

Privacy and a General Secrecy Offence

Current Situation

28. In the event that an unauthorised disclosure of an individual's personal information occurs, it must first be determined whether this unauthorised disclosure has occurred in contravention of the agency's secrecy provisions or the Privacy Act, or both. The outcome of these investigations could differ markedly for the individual whose personal information has been disclosed.

29. The Privacy Act provides for the investigation and conciliation of a complaint made by an individual regarding a breach of the IPPs by an agency.[28] The Privacy Commissioner also has the power to make a determination under s.52 of the Privacy Act. In making a determination regarding a substantiated complaint, the Privacy Commissioner may include a declaration that the agency "...should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant"[29] or that the "...complainant is entitled to a specified amount by way of compensation for any loss or damage suffered...".[30]

30. In contrast, secrecy provisions along with the relevant provisions of the Crimes Act 1914 (Cth) currently regulate the actions of an individual as opposed to the agency. Moreover, the Office understands that the sanctions contained in these provisions are mostly of an administrative, civil or criminal nature. The Office is unaware of any sanctions that attempt to remedy the personal loss or address the specific damage suffered by an individual in the event that their personal information is wrongfully disclosed.

31. The Privacy Act also provides for other mechanisms to address the alleged inappropriate handling of personal information. For example, under s.49 of the Privacy Act, if the Privacy Commissioner forms the opinion that a credit reporting or tax file number offence[31] may have been committed, the Commissioner is compelled to cease investigating the matter and refer it to the Australian Federal Police (AFP) or the Director of Public Prosecutions (DPP).

32. However, despite the provision for further investigation by the AFP or the DPP, in the Office's experience, this avenue is rarely pursued. As the Office stated in its submission to the ALRC's Review of Privacy:

"The DPP has advised the Office that they will not consider a matter unless they receive a statement of evidence from the AFP. As such, the referral option to the DPP may in itself be questionable at that stage of the process.

The AFP, as with all agencies, must prioritise its activities in line with its resources. In the Office's experience, few matters referred to the AFP under s 49 as possible offences are subsequently prioritised for investigation by the AFP."[32]

33. In the last six years, the Office is aware of at least nine referrals made to the AFP.[33] In all instances, the AFP has considered the Office's referral but has declined to, or has been unable to, investigate for various reasons including lack of resources or competing operational requirements. These complaints have been returned to us and their investigation has been resumed by the Office.

Proposed General Secrecy Offence

34. The Office does not hold a firm view regarding the need or otherwise for a general secrecy offence as an umbrella offence to apply to all current and former Commonwealth officers.[34] However, the Office would broadly consider in-principle support for the simplification and increased consistency of offences relating to the disclosure of Commonwealth information that contains personal information.

35. The existence of robust protections around personal information held by government is vital and an important aspect of ensuring community confidence and continued engagement with government. The Office believes that if individuals have confidence in governments' commitment to protect their personal information, individuals will continue to provide accurate information and timely updates to that information when necessary. In turn, this ensures that government can continue to deliver services and function as effectively as possible.

36. A large number of interactions with government require an individual to provide significant amounts of personal information. Given the indispensable and sometimes obligatory nature of many interactions with government, the Office believes that strong protections must be implemented around the handling and disclosure of personal information held by agencies. Accordingly, the Office also sees merit in implementing proportionate sanctions.

37. The Office suggests that in many instances, administrative penalties could act as a sufficient deterrent against inappropriate handling and disclosure of personal information. However, in the event that an individual suffers harm from a disclosure, the ability for such activity to attract criminal penalties is an important avenue of redress to have available.

Specified Public Interests

38. The Office notes the general secrecy offence proposed by the ALRC will be limited by the need to establish that a particular disclosure caused harm, was reasonably likely to cause harm, or was intended to cause harm to specified public interests. Included in this list of specified public interests is 'personal privacy'. The ALRC has proposed a relatively high threshold in that the disclosure would have to "have a substantial adverse effect on personal privacy".[35]

39. The Office also notes that the ALRC has stated that the proposed general secrecy offence should complement the Freedom of Information Act 1982 (FOI Act). Specifically, the inclusion of the notion of harm to a specified public interest is "intended to balance the need to protect certain Commonwealth information with the public interest in an open and accountable system of government."[36]

40. The Office acknowledges the ALRC's view that unauthorised disclosure of personal information generally should not attract criminal penalties. However, in light of concern expressed by agencies about the need to support community confidence in the government's ability to protect personal information, the ALRC has included the notion of personal privacy within the proposed general secrecy offence as outlined in Proposal 7-1.

41. Very broadly, the Office offers in-principle support to the inclusion of personal privacy as a specific public interest in the general secrecy offence. As personal privacy is an important public interest, adverse impacts upon it should be carefully taken into account in assessing the harm caused by unauthorised disclosures.


[1] Data-matching Program (Assistance and Tax) Act 1990 (Cth) s.12(2).

[2] Data-matching Program (Assistance and Tax) Act 1990 (Cth) s.13.

[3] Australian Law Reform Commission's Review of Secrecy Laws, Discussion Paper 74, June 2009.

[4] See paragraph 4.194 of ALRC Review of Secrecy Laws, Discussion Paper 74, June 2009.

[5] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p268. Available at: http://www.privacy.gov.au/materials/types/submissions/view/6757

[6] Personal information is a subset of the information that may be covered by secrecy provisions.

[7] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Secrecy Laws - Issues Paper 34, February 2009, p5. Available at: http://www.privacy.gov.au/materials/types/submissions/view/6683

[8] Ibid, p4.

[9] ALRC, For Your Information: Australian Privacy Law and Practice, ALRC 108, (2008) at 15.122.

[10] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Secrecy Laws - Issues Paper 34, February 2009, p6. 

[11] See s.6 of the Privacy Act 1988.

[12] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Secrecy Laws - Issues Paper 34, February 2009, p9.

[13] See Information Privacy Principle 10(c) and 11(d), s.14 of the Privacy Act 1988.

[14] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Secrecy Laws - Issues Paper 34, February 2009, p9.

[15] The Office of the Privacy Commissioner's Guide to PIAs is available at: http://www.privacy.gov.au/materials/types/download/9349/6590

[16] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Secrecy Laws - Issues Paper 34, February 2009, p10.

[17] See also the Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Secrecy Laws - Issues Paper 34, February 2009, p10-12.

[18] Ibid, p11.

[19] Ibid, p12.

[20] Available at: http://www.privacy.gov.au/materials/types/download/8688/6527

[21] See paragraph 3.90 of ALRC Review of Secrecy Laws, Discussion Paper 74, June 2009.

[22] See Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p254 and 425.

[23] ALRC, For Your Information: Australian Privacy Law and Practice, ALRC 108, (2008) at 10.97.

[24] See s.32(1) of the Privacy Act.

[25] See Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p425-6.

[26] See paragraph 3.88 of ALRC Review of Secrecy Laws, Discussion Paper 74, June 2009.

[27] See media release made by Senator John Faulkner, 12 May 2009, at http://www.smos.gov.au/media/2009/mr_162009.html

[28] S.27(1)(a) of the Privacy Act.

[29] S.52(1)(b)(ii) of the Privacy Act.

[30] S.52(1)(b)(iii) of the Privacy Act.

[31] As defined by s.49(4) of the Privacy Act.

[32] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p213. 

[33] As per a search conducted of the Office's complaints database on 17 July 2009.

[34] See paragraph 6.86 of ALRC Review of Secrecy Laws, Discussion Paper 74, June 2009.

[35] See Proposal 7-1 of ALRC Review of Secrecy Laws, Discussion Paper 74, June 2009.

[36] Ibid, paragraph 6.84.