Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Discussion Paper - A Working with Vulnerable People Checking System for the ACT; Submission to the ACT Department of Disability, Housing and Community Services (October 2009)

Key Recommendations

1. The Office of the Privacy Commissioner (the Office) welcomes the opportunity to provide comments on the Discussion Paper 'A Working with Vulnerable People Checking System for the ACT'. The Office acknowledges the public interest in ensuring the safety of children and vulnerable adults living in the ACT. The Office makes the following suggestions which are intended to enhance community confidence in personal information handling under the proposal:

  • i. A Privacy Impact Assessment for the proposed background checking system would be beneficial, as the proposal will potentially involve the collection of 'sensitive' personal information of a significant number of individuals
  • ii. A clearer definition of 'vulnerable people' may result in more effectively targeting the appropriate potential, and existing, employees for the proposed background checking system and reduce the risk of collecting personal information unnecessarily
  • iii. Further consideration be given to the list of proposed regulated activities to ensure that the proposed background checking system will only apply to individuals who will be working with vulnerable people
  • iv. The scope and type of personal information collected and used is limited to ensure that only necessary and relevant personal information is collected for the purpose of undertaking the proposed background checks
  • v. Guidance material be developed, and made public, for the collection, handling and security of personal information collected during the proposed background checking system
  • vi. Detailed information around what is to be considered relevant information for the background checks be provided and if information is collected by the screening unit that is not relevant for the risk assessment, this information should not be retained
  • vii. External experts be subject to a contract with the screening unit that ensures they apply the same privacy protections to the personal information of individuals subject to background screening as the screening unit itself
  • viii. Staff of the screening unit receive training in the practical application of the Privacy Act.

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, all private health service providers and some small businesses.

Background

2. The Office welcomes the opportunity to comment on the Discussion Paper 'A Working with Vulnerable People Checking System for the ACT' (the Discussion Paper). [1] The Discussion Paper outlines the ACT Government's proposal to establish a centralised background checking and risk assessment system (the proposed background checking system) for individuals working with children and vulnerable adults to "reduce the risk of sexual, physical, emotional or financial harm or neglect".[2]

3. Individuals seeking to work with vulnerable people in the ACT will be required to apply to the Working with Vulnerable People Screening Unit (the screening unit) before commencing work. With the applicant's consent, screening will include a national criminal history check. It is estimated that around 10% of the ACT population (or 34 420 people) will be subject to the proposed background checking system.[3]

4. While the ACT may be the first Australian jurisdiction to extend background checking to those working with vulnerable adults, the Discussion Paper notes that other Australian states and territories have established, or are in the process of establishing, centralised background checking systems.[4]

5. The Office notes that the screening unit, as part of an ACT Government agency, will be covered by the Information Privacy Principles[5] (IPPs) in the Privacy Act.[6] The IPPs outline an agency's obligations regarding the collection, handling, use and disclosure of personal information.

6. The establishment of the proposed background checking system will result in the screening unit collecting and handling significant quantities of personal information of the individuals undergoing background checks. As such, the Office emphasises the need for the screening unit to carefully identify which individuals it will be necessary to collect personal information about as well as the extent of personal information collected and used in conducting the background checks.

Privacy Impact Assessment

7. A systematic way of identifying and resolving the privacy and personal information-handling issues involved in a new proposal or project is to conduct a Privacy Impact Assessment. The Office suggests that doing a Privacy Impact Assessment for the proposed background checking system would be beneficial, as the proposal will potentially involve the collection of 'sensitive' personal information of a significant number of individuals.

8. A Privacy Impact Assessment allows agencies to identify and analyse privacy impacts during a project's design phase. A project that underestimates privacy impacts can place its overall success at risk. A Privacy Impact Assessment would help the ACT Government to identify the various personal information flows relating to the proposed background checking system and how privacy regulation might apply to them.

9. The Office has developed a Privacy Impact Assessment Guide for Australian and ACT Government agencies.[7] Following are some specific comments in relation to the proposal based on the Discussion Paper structure.

Vulnerable People in the ACT

10. The Discussion Paper proposes the following definition for the term "Vulnerable Adult":

"Vulnerable Adult" refers to people aged 18 or over that access services in the ACT, as defined under Regulations, to alleviate the effects of physical, social, financial and/or psychological disadvantage.[8]

11. The breath of the definition that is settled on for 'vulnerable adult' will have a significant bearing on the scope of the prospective employees and existing employees who will be subject to background checking. This in turn will have a correlation with the amount of personal information that is collected. Good privacy practice suggests limiting collection of personal information to essential purposes.

12. The Office notes the various definitions of "vulnerable adult" from other jurisdictions as outlined in the Discussion Paper.[9] The Office considers that the following definition used by the Department of Health and Home Office (UK) may more clearly define the categories of adults who are considered vulnerable:

People aged 18 and over who:
  • need community care services due to a mental disability, other disability, age or illness; and
  • may be unable to take care of themselves or protect themselves against serious harm or exploitation.[10]

13. The Office suggests that a clearer definition of 'vulnerable people' may result in more effectively targeting the appropriate potential, and existing, employees for the proposed background checking system and reduce the risk of collecting personal information unnecessarily.

Who will be checked?

14. Annex B in the Discussion Paper sets out the proposed regulated occupations or services that will attract screening.[11] The Office acknowledges the need to cover relevant employees or potential employees if the proposed background checking system is to be effective. However, in line with our comment above in relation to the definition of vulnerable adults, the breadth of the occupations and services listed may result in individuals being subject to screening, when they are not actually working with vulnerable people.

15. Accordingly, the Office suggests further consideration be given to the list of proposed regulated activities to ensure that the proposed background checking system will only apply to individuals who will be working with vulnerable people.

What will be checked?

Criminal History Information

16. The Discussion Paper notes that an individual's national criminal history will be collected as well as a "range of other types of information that could potentially be useful in the assessment process, including Apprehended Violence Orders, Child Protection Orders and past employment records".[12]

17. While the Office acknowledges the importance of determining whether an individual seeking to work with vulnerable people holds criminal convictions in relation to certain offences, the Office is also aware of the sensitivity attaching to personal information that relates to an individual's criminal history information. This is because there is potential for an individual to be stigmatised, embarrassed or discriminated against as a result of this information.

18. For this reason, the Office considers that the collection of criminal history information, in particular, the collection of criminal convictions normally excluded under the Spent Convictions Schemes[13] should only occur where it is necessary to fulfil an important public interest objective and the collection is necessary or directly related to fulfilling that objective.

19. Further, agencies have obligations under IPPs 2 and 3 when collecting personal information. In particular, IPP 3 sets out that when an agency collects personal information it must take reasonable steps to make sure that the information collected is relevant, up to date and complete.[14] The collection of irrelevant, out of date or incomplete information may have an unwarranted adverse impact on the individual.

Other Types of Information

20. The Office also notes the reference in the Discussion Paper to the "range of other types of information that could potentially be useful in the assessment process".[15] As discussed above in relation to criminal history information, the Office suggests that the scope and type of personal information collected and used is limited to ensure that only necessary and relevant personal information is collected for the purpose of undertaking the proposed background checks.

Risk Assessment Process

21. The Discussion Paper advises that there will be a number of principles guiding risk assessment including that the privacy of people will be protected and sensitive and personal information will be protected from inappropriate disclosure.[16]

22. The Office suggests that guidance material be developed for the collection, handling and security of personal information collected during the proposed background checking system. Guidance material could assist those engaged in managing these processes by explaining the practical effect of the IPPs and ways to facilitate good privacy practice.

23. The Office suggests that the guidance material including information about complaint handling processes be made publicly available to enhance public confidence in personal information handling by the screening unit.

Relevant Information

24. The Office welcomes the consideration around what would be included as "relevant offences"[17] in the context of criminal history information. Providing a list of relevant offences is a good way of limiting the personal information collected or used in the risk assessment process.

25. Specifically, the Office notes that in collecting an individual's criminal history, there will be some information that will be considered not relevant, for example, an applicant's driving record will not be considered by the screening unit.[18] The Office supports this distinction between relevant and irrelevant information and suggests the screening unit provide detailed information around what is to be considered relevant information. Additionally, if information is collected by the screening unit that is not relevant for the risk assessment, this information should not be retained.

Expert Advice

26. The Office acknowledges that in complex cases, the screening unit may need to engage external advice from relevant experts. It is important that the screening unit does not disclose personal information in a manner inconsistent with IPP 11. Under IPP 11.1, an agency must not disclose personal information about an individual unless an exception applies. Exceptions include if the individual is reasonably likely to have been aware that the information will be disclosed (IPP11.1(a)) or if the individual has consented to the disclosure (IPP11.1(b)).[19]

27. In addition, if they are not already covered by the Privacy Act, the Office suggests that external experts be subject to a contract with the screening unit that ensures they apply the same privacy protections to the personal information of individuals subject to background screening as the screening unit itself.

Assessment Outcomes

Positive Notices

28. The Office acknowledges the proposal to issue successful applicants with a unique number to assist in card validation.[20] It should be noted that organisations that employ individuals who are subject to the proposed background checking system may have obligations under the National Privacy Principles (NPPs).[21] Accordingly, the screening unit may wish to make employers of screened individuals aware of their obligations under NPP 7 which places strict limits around the use of 'identifiers' assigned by agencies.[22]

Interim Negative Notices

29. The Office notes that in cases where an initial assessment indicates a risk, it is proposed that the screening unit will issue an interim negative notice and inform the employer or organisation of their intention to issue such a notice.[23] While it is not proposed that the screening unit will explicitly advise the employer or organisation its reasons for issuing an interim negative notice, by proposing to issue a negative notice in itself indicates the outcome of the risk assessment. In the Office's view, this action may constitute a disclosure of the applicant's personal information.

30. The Office suggests that the screening unit advise applicants at the time it collects their personal information that it will inform their employer or organisation of the outcome of the application. This will assist in satisfying the requirements of IPP 2 and IPP 11.1(a). Alternatively, the screening unit may wish to gain the individual's express consent for this disclosure to occur, in line with IPP 11.1(b).

31. Further, the Office appreciates the need to protect vulnerable people particularly in response to the identification of a potential risk. However, the requirement to cease employment pending final determination of an interim negative notice only serves to highlight the importance of ensuring that the screening unit relies on accurate personal information in line with obligations contained in IPP 8. IPP 8 requires an agency to take reasonable steps in the circumstances to ensure that the information it uses is accurate, up to date and complete.

The screening unit

32. The Office is pleased to note that the Discussion Paper advises that records will be held securely in the screening unit in accordance with legislative requirements.

33. The Office suggests that staff of the screening unit receive training in the practical application of the Privacy Act. The Office's website contains resources that may be of assistance.[24]


[1] See A Working with Vulnerable People Checking System for the ACT Discussion Paper.  Available at: http://www.dhcs.act.gov.au/__data/assets/word_doc/0004/72589/Working_with_Vulnerable_People_Checks_Discussion_Paper_-_August_2009.doc

[2] See p.7 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[3] See p.9 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[4] See p.17 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[5] See Information Privacy Principles, section 14 of the Privacy Act 1988.  Available at: www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s14.html

[6] Note that ACT Government agencies are bound by the Privacy Act as it was at 1 July 1994 when the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 commenced and as modified by the schedule in that Act (the schedule is found at: www.austlii.edu.au/au/legis/cth/consol_act/actgspa1994806/sch3.html).

[7] See the Office's PIA Guide:  Available at: www.privacy.gov.au/materials/types/download/9349/6590

[8] See p.27 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[9] See pgs. 25-26 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[10] See p.26 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[11] See p.68 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[12] See p.42 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[13] See Part VIIC of the Crimes Act 1914. Information about the Commonwealth Spent Convictions Scheme available at: http://www.privacy.gov.au/law/other/criminal

[14] See Information Privacy Principle 3, section 14 of the Privacy Act 1988.

[15] See p.42 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[16] See p.45 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[17] See p.46 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[18] See p.46 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[19] See Information Privacy Principle 11, section 14 of the Privacy Act 1988.

[20] See p.50 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[21] See National Privacy Principles, Schedule 3 to the Privacy Act 1988.  Available at: http://privacy.gov.au/materials/types/infosheets/view/6583

[22] See National Privacy Principle 7, Schedule 3 to the Privacy Act 1988.

[23] See p.51 of A Working with Vulnerable People Checking System for the ACT Discussion Paper.

[24] See 'Resources to help government agencies understand their privacy responsibilities' on the Office's website.  Available at: http://www.privacy.gov.au/government