Australian Government - Office of the Australian Information Commissioner - Home

Australian Law Reform Commission’s Review of Secrecy Laws - Issues Paper 34; Submission to the Australian Law Reform Commission (February 2009)


February 2009

Key recommendations

1. The Office of the Privacy Commissioner (the Office) welcomes the opportunity to provide a submission to the Australian Law Reform Commission (ALRC) on its Review of Secrecy Laws - Issues Paper 34.

2. The Office makes the following recommendations:

  1. Secrecy provisions should continue to regulate personal information in circumstances where a need has been identified for that information to be subject to additional confidentiality protections or specific handling requirements (see paras 14-17).
  2. Where a secrecy provision regulates personal information, that provision should be required to address its interaction with the Privacy Act 1988 (Cth) (see para 18).
  3. Where possible, secrecy provisions that relate to the handling of personal information should refer to or use the terminology of the Privacy Act 1988 (Cth) (see paras 19-22).
  4. The Privacy Act 1988 (Cth) provides the most appropriate avenue for individuals to exercise their rights to access or correct their personal information held by agencies (see paras 23-30).
  5. Where an agency identifies a need to require or authorise the handling of personal information where that handling would otherwise breach the Privacy Act 1988 (Cth), the agency should have a clear and appropriate policy basis for doing so (see paras 31-37).
  6. Data matching activities between agencies have been well regulated by an interaction of secrecy provisions, the IPPs and specific legislation and should continue to be limited to very specific purposes (see paras 38-44).

Office of the Privacy Commissioner

3. The Office of the Privacy Commissioner is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses.

4. In addition, the Commissioner also has statutory obligations under the Data-matching Program (Assistance and Tax) Act 1990 (Cth). These obligations include the requirement to issue Guidelines under this Act[1] and the discretion to investigate any act or practice that may be a breach of the Act or Guidelines[2]. This Act applies to agencies undertaking data matching that involves the use of the Tax File Number. The Commissioner has also issued voluntary data matching guidelines for agencies undertaking data matching that does not involve the Tax File Number.

The Privacy Act 1988 (Cth) and Secrecy Laws

5. The Office acknowledges the ALRC's definition of the concept of a secrecy law "as any provision in primary or subordinate legislation which imposes secrecy or confidentiality obligations relating to the handling of Commonwealth information..."[3]. This definition specifically excludes provisions that merely permit disclosures, as the protection of information through obligations of confidentiality or secrecy is not their principal focus.[4] Working within that definition, the Office's submission focuses on the impact that secrecy laws have upon the handling of an individual's personal information as well as the general interaction between secrecy laws and the Privacy Act.

6. The Privacy Act contains 11 Information Privacy Principles (IPPs) which outline the parameters by which most Australian and ACT government agencies can collect, handle, use and disclose an individual's personal information[5]. "Personal information" is defined as "information or an opinion...about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."[6]

7. The IPPs are high-level principles which provide a framework for agencies for handling personal information. Importantly, the obligations are directed to the agency as a whole and should inform and guide the agency's general personal information handling practices and procedures.

8. The Privacy Act also provides a mechanism for individuals to make a complaint to the Privacy Commissioner if they believe that their personal information has been collected, handled, used or disclosed in breach of the Act. The Commissioner has powers to investigate an alleged breach[7] and either conciliate the complaint or, where conciliation is not possible, make a Determination[8].

9. In contrast, most specific secrecy provisions provide a relatively prescriptive framework regarding how certain types of information are to be handled. These secrecy provisions often outline the obligations imposed upon an individual officer within an agency regarding their handling of particular information in the course of an agency carrying out their activities and functions.

10. Sanctions, including criminal sanctions, which impose individual responsibility upon an officer are contained in both general secrecy provisions such as the Crimes Act 1914 (Cth) as well as provisions that protect specific types of Commonwealth information.

11. Broadly, the Office is of the opinion that in most instances the Privacy Act and secrecy laws function in a complementary manner. That is, the Privacy Act provides an overarching framework for how personal information should be handled by an agency and this framework is complemented by information type or agency specific secrecy provisions which address where the agency needs to protect the confidentiality of personal information as they carry out their particular activities and functions.

12. The Office believes that agencies are generally in the best position to determine what additional protections are required around particular information and, in practice, secrecy provisions can provide a more specific layer of protection to personal information than is afforded by the Privacy Act. This is potentially most apparent when personal information becomes more sensitive in a particular context or once aggregated with other information. As such, secrecy laws provide an avenue for agencies to identify such issues and implement appropriate protections.

13. However, importantly, where secrecy provisions may be silent regarding certain aspects of personal information handling, for example regarding collection or use, the Privacy Act level of protection applies. This complementary interaction serves to highlight the benefit of having a tiered approach to ensure comprehensive protection of personal information.

Response to Questions

Question 7-4 Does the relationship between secrecy provisions and the Privacy Act 1988 (Cth) need to be clarified? In particular, should secrecy provisions regulate personal information? If so, should secrecy provisions:

  (a) refer to, or use the terminology of, the Privacy Act?

  (b) allow individuals to access and correct personal information about themselves?

14. The Office believes that, in most instances, the Privacy Act and secrecy provisions function in a complementary manner in relation to the handling of personal information. As such, the Office believes that secrecy provisions should continue to regulate personal information in circumstances where a need has been identified for that information to be subject to additional confidentiality protections or specific handling requirements over and above those afforded by the Privacy Act.

15. As stated in the Office's submission to the ALRC's Review of Privacy - Issues Paper 31, the Office holds the view that it is appropriate that secrecy provisions remain regulated under the legislation that pertains to each agency.[9] The Office recognises that each agency is in the best position to determine the secrecy or confidentiality obligations that are most appropriate for the information held by their agency to ensure it is adequately protected. This is particularly important in relation to sensitive information or personal information that becomes sensitive within a specific context.

16. Similarly, the Office acknowledges that secrecy provisions often relate to an array of Commonwealth information which may include, as a subset, personal information. As such where the need is justified, secrecy provisions should apply to all the related information in a record. To establish a situation where the handling of a portion of the information contained in a record is regulated by a secrecy provision and the handling of personal information in other parts of the same record is regulated exclusively by the Privacy Act could result in confusion and inconsistency in the application of both the laws. For example, trying to delineate information relating to the taxation matters of a small business and its owner would be impractical and could prove very difficult in determining what information is regulated by the Privacy Act and what is regulated by a secrecy provision.

17. While the Privacy Act provides a fundamental overarching framework and should remain an important cornerstone of personal information handling obligations, the Office holds the view that secrecy provisions should regulate personal information where the need for an additional information type or agency specific layer of protection has been identified.

18. Consequently, the Office believes that clarification around the relationship between secrecy provisions and the Privacy Act would be useful. As discussed in the ALRC's Report For Your Information: Australian Privacy Law and Practice (ALRC 108), some secrecy provisions address the operation of the Privacy Act.[10] The Office strongly supports the suggestion that where a secrecy provision regulates personal information, that provision should be required to address its interaction with the Privacy Act.[11] This could go a long way to removing uncertainty regarding the intersection of obligations imposed by both pieces of legislation. Such a step could significantly improve clarity around interpretation and therefore promote more effective compliance.

Question 7-4(a) Should secrecy provisions refer to, or use the terminology of, the Privacy Act?

19. The Office believes that where possible, secrecy provisions that relate to the handling of personal information should refer to or use the terminology of the Privacy Act. Using the same terminology would help clarify the interaction between the Privacy Act and secrecy provisions when they apply to the same information.

20. For example, the Office suggests that either using the Privacy Act's definition of "personal information" or making reference to the definition and specifically stating what additional information, if any, is included in the secrecy provision's scope of "personal information" would help clarify the interaction between the Privacy Act and the secrecy provision.

21. Alternatively, where using the Privacy Act's terminology is not practical or feasible, it may be useful for secrecy provisions that relate to personal information to address how the terminology used interacts with that of the Privacy Act. For example, where a secrecy provision uses the term "release" information, it would assist to note how, if at all, that differs from "disclose" in the Privacy Act.

22. However, the Office acknowledges that the standardisation of definitions across legislation is not always possible or practical. Nonetheless, broadly the Office suggests that the definitions included in the Privacy Act form the basis for an agency to tailor their own definition where possible. This suggestion aims to ensure that the interpretation of secrecy provisions relating to personal information becomes more consistent and simplified.

Question 7-4(b)  Should secrecy provisions allow individuals to access and correct personal information about themselves?

23. Currently both the Freedom of Information Act 1982 (Cth) (the FOI Act) and the Privacy Act provide a right of access to, and correction of, documents held by government agencies. While the rights conferred by the Privacy Act only relate to personal information, these rights (under IPP 6 and IPP 7) are subject to other Commonwealth laws, most commonly the FOI Act.[12]

24. The Office believes that the Privacy Act, rather than secrecy provisions, provides the most appropriate avenue for individuals to exercise their rights to access or correct their personal information held by agencies. Having these individual rights expressed in the Privacy Act is consistent with the nature of the Act but may sit at odds with the majority of secrecy provisions as they focus on the protection of information through obligations of confidentiality or secrecy, rather than the accessibility to or quality of personal information.

25. The right to access one's own personal information and to have it corrected are essential aspects of an individual's ability to control and protect their personal information. This becomes particularly apparent when significant decisions may be made on the basis of the information. While agencies have an obligation to take reasonable steps to ensure that the information they hold is accurate, up to date and complete before using it, should an individual become aware that their information is inaccurate, not up to date, incomplete or misleading, then it is imperative that they have the ability to correct that information. Furthermore, if the consequences of using poor quality information could be serious for the subject of the information, or the agency, or for a third party, then the right to permit corrections by the individual becomes even more important.[13]

26. Difficulties may arise where correction is requested but access is denied. The Privacy Act provides for such circumstances. As the Office's IPP Guidelines explain:

"Under the Privacy Act the right to have records amended is slightly broader than the corresponding right under the FOI Act...[for example]...where a person seeks amendment of personal information in a record to which he or she has not been provided lawful access. The FOI Act (s.48) restricts a person's correction rights to a document of an agency or an official document of a Minister to which access has been lawfully provided to the person, under the FOI Act or otherwise. The Privacy Act contains no such restriction, and section 35 of the Privacy Act clearly envisages that a person may complain to the Privacy Commissioner if an agency fails to amend a document to which the person has not been provided lawful access."[14]

27. The Office strongly believes that access and correction rights should be as consistent as possible for all individuals and from agency to agency. As such, retaining the provisions relating to access and correction in the Privacy Act rather than in various secrecy provisions will assist in reducing fragmentation and inconsistency.

28. Maintaining these rights in the Privacy Act will ensure consistency by avoiding the situation where an individual finds that they can access and/or correct their personal information through one agency but cannot through another. This is also particularly important where the same personal information may be held by several different agencies and the individual is only permitted to make corrections at one of those agencies, or where information is given to one agency and then is shared with other agencies or data matching is undertaken.

29. Where agencies are not covered by the Privacy Act, for example the Australian Security Intelligence Organisation, it might be appropriate to have any applicable access and correction provisions included in the agency's secrecy provisions. For these agencies, providing appropriate access and correction rights within secrecy provisions would contribute to transparency as well as functioning as an important safeguard to ensure the highest quality of information is maintained.

30. The Office notes that in the ALRC's Report For Your Information: Australian Privacy Law and Practice (ALRC 108), the ALRC has proposed a new Unified Privacy Principle relating to access and correction. As the ALRC indicates, this provision is expressed as an obligation on the agency, rather than an entitlement of an individual.[15] The Office believes that should the government implement this recommendation, the access and correction obligations of an agency under the Privacy Act should continue to apply rather than be provided for in secrecy provisions.

Question 7-5  In what situations is it appropriate for secrecy provisions to authorise handling of personal information where that handling would otherwise breach the Privacy Act 1988 (Cth)?

31. The IPPs provide the general rules about handling personal information. Together with these general rules are exceptions which reflect the circumstances in which the rules can be deviated from. Applying these exceptions within secrecy provisions would be considered good privacy practice. For example, IPP 11(b) states that an agency shall not disclose information to a third party unless the individual has consented. Requiring consent from the individual in a secrecy provision before a disclosure can occur allows the agency to achieve its aim while providing the individual with control over how their personal information is used and allows them to make an informed decision regarding to whom their information is disclosed.

32. The protections afforded through the IPPs should be considered fundamental obligations that agencies should not legislate to reduce. The Office holds the view that should an agency identify a need to handle personal information in a way that is inconsistent with or would otherwise breach the IPPs, then there needs to be a clear policy basis or public policy need for doing so.

33. In particular, when considering an agency's obligations under the IPPs, the one exception that agencies need to carefully consider is the "required or authorised by or under law"[16] exception. Reliance on this exception must be narrowly defined, for specific purposes and clearly set out the type of information it relates to as well as the scope. More importantly, careful consideration of whether reliance on the exception is really necessary or whether the same outcome can be achieved by alternative means is vital before inclusion in a secrecy provision. The Office strongly believes that this exception should not be used as the basis for requiring or authorising practices that are detrimental to the individual or included without a strong policy rationale. As far as practicable, reliance on this exception should also be careful not to remove more of the baseline protections provided by the Privacy Act than absolutely necessary and should still reflect the spirit and intent of the Act wherever possible.

34. Furthermore, while agencies can, for example, authorise disclosures that they believe necessary, it is important that they also consider that such disclosures should be constrained by the specific activities and functions of the agency. Similarly, agencies should consider the purposes of collection of the information in the first instance when determining the ambit of the authority to disclose.

35. While the Office recognises that secrecy provisions have the ability to authorise activities that are potentially directly opposed to the obligations contained in the IPPs, the Office always encourages agencies to consider the impact of their secrecy provisions through consultation with the Office[17] and through the completion of a Privacy Impact Assessment (PIA).

36. The completion of a PIA is a useful process for agencies to gain an understanding of the implications of any proposed secrecy provisions which relate to the handling of personal information. A PIA is a practical tool to assess information flows and determine whether provisions are necessary and reflective of best privacy practice. Conducting a PIA through the use of an independent specialist builds transparency into the decision making process and enhances confidence that the need for provisions has been assessed objectively. As such, the Office recommends that PIAs should be completed when either a new secrecy provision[18] or a significant amendment to a current secrecy provision is being proposed.

37. Additionally, should the secrecy provision relate to the introduction of new law enforcement or national security powers, the review might be interested to note that the Office has developed a framework for assessing the introduction of such powers. The framework sets out a life cycle approach to such proposals and aims to bring balance and perspective to the assessment of such measures. A copy of the framework is attached (see Attachment 'A').

Question 7-6 What concerns arise from the interaction between secrecy provisions and data matching laws and practices? How should these issues be addressed?

38. The Office holds the view that data matching activities have been well regulated by an interaction of secrecy provisions, the IPPs and specific legislation such as the Data-matching Program (Assistance and Tax) Act 1990 (Cth). The Office believes that data matching activities should continue to be limited to very specific needs and purposes and be subject to clear guidance about how the activities are undertaken.

39. As the Office noted in its response to the ALRC's Review of Privacy - Issues Paper 31, technological advances in the area of data matching continue to enhance the capacity for the analysis and synthesis of large amounts of information:

"Two aspects of new technologies are the capacity to link disparate sources of personal information to profile individuals (including where collected in different contexts and for different purposes), as well as the ability to link datasets of previously anonymous information to re-identify the individual to whom they relate. These characteristics lead to a form of 'identity creep' whereby richer representations of an individual can be obtained than has previously been the case."[19]

40. That submission went on to discuss that aggregation of personal information often causes information to move from one context to another and this can result in significant risks to privacy where information is taken out of its original context.[20]

41. In the Office's view, agencies that wish to undertake data matching must first determine whether information held by an agency can be released pursuant to their secrecy provisions. Should this be the case, agencies are then obliged to consider their IPP obligations, particularly with regards to IPPs 1 and 11.

42. The following example illustrates the application of secrecy provisions and the Privacy Act.

  • Agency A wishes to data match with Agency B's information.
  • From Agency B's perspective, it will first need to determine whether it is permitted to release that information under applicable secrecy provisions.
  • If Agency B's secrecy provisions permit the release of the requested information, Agency B then needs to consider its IPP 11 obligations under the Privacy Act. Any disclosure of information by Agency B may be allowable under the exception of IPP 11.1(d), if Agency A is required or authorised under its own legislation to collect the requested information.
  • From Agency A's perspective, it needs to carefully consider why it needs to collect Agency B's information for the administration of Agency A's legislation. Under IPP 1, Agency A is required to ensure that the collection of the information is for a lawful purpose that is directly related to its activities or functions.
  • Importantly, if Agency A does receive the requested information from Agency B, under IPP 11.3 Agency A is not permitted to make any secondary use or disclosure of the information it has received - the handling of the information is subject to a very limited and specific purpose under which it was disclosed by Agency B under IPP 11.1.

43. The Office supports the ability to share information within and between governments and the private sector where a clear and legitimate purpose is identified. While data matching can be a very useful tool for a wide variety of purposes, it has the potential to significantly change the way that personal information is handled. This includes such risks as a change in the nature of the information, once combined, becoming more sensitive, as well as the context within which it was originally held becoming vastly different. Similarly, data matching may result in information being used in a way that is beyond the normal expectation of an individual.

44. Broadly the Office believes that, to date, the interaction of secrecy provisions and the Privacy Act has provided satisfactory protection. However, the Office believes that as the potential uses of matched data increase with technological advances, it is important that such activities are carefully regulated to ensure the appropriate protection of an individual's privacy. As such, in the Office's submission to the ALRC's Review of Privacy - Issues Paper 31, the Office recommended that consideration be given to making the voluntary public sector data matching guidelines mandatory as well as extending regulation to private sector activities.[21]

Attachment A

Framework for assessing and implementing new law enforcement and national security powers

The Office of the Federal Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.

First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.

In summary: Analysis - is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?

Authority - Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?

Accountability - What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?

Appraisal - Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?

[1] Data-matching Program (Assistance and Tax) Act 1990 (Cth) s.12(2).

[2] Data-matching Program (Assistance and Tax) Act 1990 (Cth) s.13.

[3] ALRC, Review of Secrecy Laws - Issues Paper 34, December 2008, paragraph 1.101.

[4] ALRC, Review of Secrecy Laws - Issues Paper 34, December 2008, paragraph 1.100.

[5] Privacy Act 1988 (Cth) s.14.

[6] Privacy Act 1988 (Cth) s.6.

[7] Privacy Act 1988 (Cth) s.27(1).

[8] Privacy Act 1988 (Cth) s.52.

[9] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p268. 

[10] ALRC, For Your Information:  Australian Privacy Law and Practice, ALRC 108, (2008) at 15.116.

[11] ALRC, For Your Information:  Australian Privacy Law and Practice, ALRC 108, (2008) at 15.122.

[12] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p248.

[13] Office of the Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4-7 (February 1998), p 16. Available at: http://www.privacy.gov.au/materials/types/download/8686/6525

[14] Office of the Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4-7 (February 1998), p 18. Available at: http://www.privacy.gov.au/materials/types/download/8686/6525

[15] ALRC, For Your Information:  Australian Privacy Law and Practice, ALRC 108, (2008) at 29.24.

[16] See IPP 10(c) and IPP 11(d).

[17] Under s.27(1)(b) of the Privacy Act 1988, the Commissioner has the function "to examine...a proposed enactment that would require or authorise acts or practices of an agency...that might, in the absence of the enactment, be interferences with the privacy of individuals...and to ensure that any adverse effects of such proposed enactment on the privacy of individuals are minimised;" 

[18] This is in line with the ALRC's view in For Your Information:  Australian Privacy Law and Practice, ALRC 108, (2008) at 15.122.

[19] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p424.

[20] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p424.

[21] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, p425.