Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Discussion Paper: Options for Reform of the Structure of ACT Tribunals; Submission to the ACT Department of Justice and Community Safety (September 2007)

Our Ref:  2004-06

Mr Peter Quinton Director, General Law Group

Dear Mr Quinton

Re: Office of the Privacy Commissioner's Comments on the ACT Tribunal Review Discussion Paper

The ACT Department of Justice and Community Safety (the Department) has requested comment on its discussion paper entitled ''Options for Reform of the Structure of ACT Tribunals' (the Discussion Paper)[1].  The Office of the Privacy Commissioner (the Office) welcomes this opportunity to provide comment. 

The Discussion Paper presents a number of options for reforming the structure of ACT Tribunals, ranging from creating a common legislative scheme, to consolidating all Tribunals.[2]  While the Office does not have a view on which option is preferable, the following comments may inform the Department of Justice and Community Safety's (the Department's) consideration of the options.  The following comments also outline some of the privacy issues which may arise in the implementation process and suggest privacy-enhancing practices.

About the Office

The Office is an independent statutory body whose purpose it is to promote and protect privacy in Australia. The Office has responsibility for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Privacy Act 1988 (the Privacy Act) regulates how these agencies and organisations handle personal information.

The Office's Jurisdiction over ACT Tribunals

The Office understands that ACT Tribunals are fully covered by the Privacy Act (as modified for the ACT).  Personal information which is handled as part of both tribunal

proceedings and administrative matters would therefore be regulated by the Information Privacy Principles.

The Office also notes that the Department holds some concerns about the appropriateness of this situation.  Avenues which the Department may explore in relation to Privacy Act coverage include the following:

  1. The broader issue of exemptions from the Privacy Act is currently being considered by the Australian Law Reform Commission (ALRC) as part of its ''Review of Privacy.'[3]  The Department may wish to consider raising the issue of the Privacy Act's coverage of ACT Tribunals with the ALRC directly.
  2. The Department may also choose to address this issue through legislative reform within the ACT.  The Office is open to discussing this matter further with the Department.

Only Collecting Relevant Information

The Discussion Paper expresses concern that the present Tribunal system lacks a single point of access through which individuals may engage with a Tribunal, and by which the Tribunal may collect information from individuals.[4]

In general terms, when streamlining information collection processes, it is important to ensure that the personal information captured is relevant and necessary for a clearly defined purpose.  This is particularly relevant to the Department's proposal for standardised application forms.[5]  Given the breadth of matters currently covered by ACT Tribunals, the Office would be concerned if a generic application form allowed scope for information to be collected which was not relevant to the matter at hand.  This may occur either by asking for more detail than is required, or by creating scope for individuals to supply more information than the Tribunal has requested.

Further guidance on collecting relevant information may be found in the Office's Guidelines to the Information Privacy Principles.[6]

Ensuring that personal information is only collected where relevant is, in the Office's view, particularly important given the sensitivity of information handled by some ACT Tribunals.  The Office notes, for example, that the Guardianship and Management of Property Tribunal collects disability and medical status information for ''represented persons'.[7]

Accordingly, the Office notes that collection practices would need to adhere to Information Privacy Principle 1.1 (IPP 1.1).  This provision, which may be found in section 14 of the Act, states that a given collection of personal information must be ''necessary for or directly related to' a purpose which is itself directly related to a function or activity of the collector.  Each area of tribunal operations would need to consider whether collecting a given piece of information (for example, disability and medical status) is necessary for a specifically identified purpose within the terms of IPP 1.1.

To minimise privacy risks in this area, the Department may consider a range of privacy-enhancing collection practices, including:

  • Designing forms so as to limit the amount of free-text space available,
  • Including clear directions within a multi-purpose form directing individuals as to which sections needed to be completed for their matter.
  • Having regard to IPP 1.1 when designing computer databases to ensure that only relevant and necessary information is collected.

Such practices would also assist in effective information management, as they may reduce the need to process irrelevant information.

Storing Information Securely

It is important that agencies take reasonable steps to protect personal information from loss and misuse (including inappropriate access).  In the Office's view, security in this context involves consideration of physical security, technical security, and workplace policies around the proper handling of personal information.

In the Discussion Paper, the Department considers consolidating Tribunals and/or registries.[8]  The Office welcomes the Discussion Paper's indication that, were this to proceed, structures would be implemented to ensure the confidentiality of client information.[9]

In addition to these formal separations between operational areas, the Office advises that the Department also consider IPP 4.  This provision states that agencies holding records containing personal information are to ensure:

  1. that the record is protected, by such security safeguards as it is reasonable  in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  2. that if it is necessary for the record to be given to a person in connection with the provision of a service to the record''keeper, everything reasonably within the power of the record''keeper is done to prevent unauthorised use or disclosure of information contained in the record.

The nature of the safeguards required under IPP 4 will depend on factors including the nature of the personal information being handled.  Where information such as medical history or disability status is involved, the sensitivity of the information may warrant a higher level of security protections.

In the implementation phase, security measures which may be considered include:

  • How to prevent unauthorised access to information (for example, staff assigned to one area of the tribunal accessing individuals' records from another area of operations). Technical safeguards which may assist in this regard include:
    • Staff's access to information should be allocated on a ''need-to-know' basis according to their role and responsibilities
    • Audit facilities should be in place to track access to personal information
    • Flagging information for restricted access where there are particular sensitivities involved, (for example, medical records).
  • How to prevent loss of personal information: Technical safeguards may include procedures for dealing with emergencies and data-recovery.

Legislative Basis for Using or Disclosing Personal Information

Some of the options considered by the Discussion Paper may entail creating new bodies, or new divisions of existing organisations.   The Office's understanding is that the transition process may involve handling personal information in ways other than the routine Tribunal process. For example, if a single Tribunal was created, it would be necessary to transfer existing records to this new body.

This information-handling may be classified as either a use or disclosure.  The Office's view is that ''disclosure' occurs where information leaves an agency's effective control, while a ''use' occurs where an agency acts upon the information in some way while that information remains within the organisation. 

In either case, the Department would need to consider IPPs 10 and 11, which regulate agencies' use and disclosure of personal information.  In general terms, information collected for a particular purpose may not be used for any other purpose unless one of a number of exceptions applies.

In particular, the Office notes IPP 10.1(c) and IPP 11.1(d), which state that uses and disclosures are permitted under the Privacy Act where there is some other law which requires or authorises the use or disclosure.

Accordingly, there would need to be a clear legislative foundation for any uses or disclosures of personal information which occur as part of implementing reforms. 

Relevant provisions may be referred to in information material produced by a Tribunal (see below) for the purposes of complying with IPP 2 (see below).

Informing Tribunal Users

The Office suggests that the present Review offers an opportunity to consider how Tribunals inform individuals about their information-handling practices.   IPP 2 states that, where information is collected from an individual, they should be informed as to:

  • The purpose for which their information is being collected,
  • Any law which requires or authorised the collection; and
  • People or bodies to whom that information is usually disclosed. Where the agency is aware that recipients of information are themselves in the practice of disclosing that information, individuals should also be informed of this practice.

These matters may be covered in a brochure or included as part of a Tribunal's application forms.  For legal proceedings, particular matters which individuals should be informed of include:

  • Where it is the Tribunal's practice to copy documents provided by one party to the other; and
  • Where records of proceedings are made publicly available (for example, via a website).

Such practices would also contribute to making Tribunal processes more transparent and accessible to the general public.

Other Useful Resources

The Office suggests that when the options for reform have been crystallised, the Department may consider conducting a Privacy Impact Assessment (PIA).   A PIA can assist agencies to manage privacy impacts by providing a thorough analysis of the effect of the project on individual privacy and helping to find solutions. The elements that make up a PIA (including identification, analysis and management of privacy impacts) help agencies to drive good privacy practice and underpin good public policy in their projects. The Office has released a Privacy Impact Assessment Guide, which may be found at: http://www.privacy.gov.au/publications/pia06/index.html.

The Office has also produced Guidelines to the Information Privacy Principles, which may be found at: http://www.privacy.gov.au/act/guidelines/#3.4.

Lastly, the Office notes that the Privacy Act's coverage was discussed as part of the Office's response to the current Australian Law Reform Commission (ALRC) Review of the Privacy Act (http://www.alrc.gov.au/inquiries/current/privacy/index.htm). 

Our submission is available at: http://www.privacy.gov.au/materials/types/submissions/view/6757.

In that submission the Office noted inconsistencies in the Privacy Act's application, with some Tribunals being exempt for their non-administrative functions, while others are fully covered, and suggested that this be addressed as part of the ALRC's review.  

The Office hopes that the Department finds these comments useful.  The Office would also welcome the opportunity to discuss any issues raised, and participate in future consultation as this project progresses.

If you have any further enquiries, the contact officer is Nina Rassaby, who may be contacted on (02) 9284 9796, or ninarassaby@privacy.gov.au.

Yours sincerely,

Andrew Solomon

Director, Policy

10 September 2007

Endnotes

[1]http://www.jcs.act.gov.au/eLibrary/OtherReports/Tribunals_options_paper.pdf

[2] ACT Department of Justice and Community Safety, Discussion Paper, p 24.

[3] See http://www.alrc.gov.au/inquiries/current/privacy/index.htm

[4] Above, n 1, page 12.

[5] Above, n 1, page 12.

[6] Office of the Privacy Commissioner, ''Plain English Guidelines to Information Privacy Principles 1 - 3', pp 6-8, available at http://www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.word_file.p6_4_14.4.pdf.

[7] ACT Government, Department of Justice and Community Safety, ''Personal Information Digest', p17.

[8] Above, n 1, page 24.

[9] Above, n 1, page 28.