Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Government Agency Coercive Information-Gathering Powers Draft Report; Submission to the Administrative Review Council (March 2007)

Government Agency Coercive Information-Gathering Powers; Draft Report Submission to the Administrative Review Council March 2007

pdfGovernment Agency Coercive Information-Gathering Powers Draft Report; Submission to the Administrative Review Council (March 2007)

Draft Report

Submission to the Administrative Review Council

March 2007

1. Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

2. Introduction

The Office of the Privacy Commissioner welcomes the opportunity to comment on the Administrative Review Council’s (ARC) draft Report into Government Agency Coercive Information-Gathering Powers.[1]

While the Privacy Act bestows coercive information-gathering powers on the Commission,[2] this submission is not made from that perspective[3]. Instead, the comments below draw on the Office’s experience as the Australian Government agency responsible for, amongst other things:

  • promoting[4] an understanding of the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and
  • investigating complaints[5] about acts or practices of agencies or organisations that may breach an IPP or NPP

Council’s draft Report is an important and welcome advance in ensuring that the use of coercive powers by Australian Government agencies is appropriate and, where possible, consistent. The Office appreciates that the Privacy Act is but one of a number of important considerations for agencies that collect, handle and disclose coercively-gathered personal information. The Office is pleased that Council recognises that good privacy practices are important elements in achieving appropriate outcomes.

The Office would be happy to provide further advice to Council on the drafting of any privacy-relevant sections to ensure privacy is appropriately represented in the context of the paper.

3. Observations

3.1 Expectations to privacy

Public perceptions of the usefulness and fairness of coercive information-gathering powers are affected in part by the information-handling practices of the agencies that utilise them. The Privacy Act, which regulates personal information handling practices in agencies and organisations, assists by creating and framing expectations to privacy. In so far as the Privacy Act applies, it therefore contributes to the public’s acceptance of coercive powers utilised by agencies.

It is worth noting that the IPPs and NPPs do more than codify good administrative practice – in fact they impose legal obligations on agencies and organisations, designed to prevent interferences with the personal information privacy of an individual.

As there is sometimes confusion about whether the IPPs and NPPs are legally binding, the Office would appreciate Council leaving this matter beyond doubt.[6]

Suggestion:

Council may wish to consider clarifying the role of the IPPs and NPPs in the Report.

The eleven IPPs set out minimum obligations that must be met by agencies handling personal information, including its collection, use and disclosure, storage and security, and access by the individual. In the current context, the eleven IPPs are relevant to all agencies that fall under the Privacy Act and that gather information using coercive powers.

The NPPs apply to all large private sector organisations, health service providers and some small businesses. In the context of Council’s Report, only NPP 2 is relevant. NPP 2 sets out the disclosure obligations of organisations from which personal information is being collected.

IPP11, which relates to disclosure, may also be relevant to Australian Government agencies from which the production of information is to be compelled.

The Office has produced comprehensive Guidelines on the application of the NPPs and the IPPs, which can be found on the Office’s website.[7] While the Guidelines are not binding and do not specifically contemplate the issues related to coercive powers and compelled information, they provide interpretation that may be of assistance to agencies and to Council.

Suggestion:

Council may wish to consider noting the Privacy Commissioner’s Guidelines as a relevant resource in the Report.

3.2 Collection of personal information

Distinguishing between potential applications of coercive powers

The draft Report does not currently distinguish between ‘evidence compelled directly from a person of interest’ and ‘third party evidence about a person of interest’. For a number of reasons, it may be advantageous to draw the distinction.

IPP 1 issues of fair collection (canvassed below) may sometimes be contingent on the distinction being drawn. This distinction may also be helpful when considering IPP 10 (use) and IPP 11 (disclosure) issues such as secondary and derivative uses.

Suggestion:

Council may wish to consider drawing the distinction between ‘primary’ and ‘third party’ evidence throughout the Report.

There is also a useful distinction to be made between compelling information from a person representing a legal entity, such as another agency or a corporation, and compelling information from a natural person acting in their private capacity.

While the agency or organisation will have to consider IPP 11 or NPP 2.1 issues (as applicable), coercive Notices[8] usually apply only to natural persons. Some care needs to be taken by the agency seeking personal information to ensure that the agency or organisation which collected and holds the information is given an opportunity to manage their IPP 11 or NPP 2.1 obligations.

This issue would not arise for individuals acting in their private capacity, although they will have a legitimate interest in understanding how their information will be handled (consistent with IPP 2).

Suggestion:

Council may wish to consider the issue of coercive information-gathering from a ‘360 degree’ approach, giving more prominence to the privacy obligations and interests of organisations, agencies and natural persons that may be subject to Notices.

Fair collection

IPP 1(1) provides that collection of personal information must be for a lawful purpose that is directly related to a function or activity of the collector, and that the collection must be necessary for or directly related to that function (see IPP Guidelines 2, 3 and 4[9]).

IPP 1(2) provides that collection of personal information must be both lawful and fair (see IPP Guidelines 6 and 7[10]).

IPP 3(d) provides that the collection of personal information must not intrude to an unreasonable extent upon the personal affairs of the individual concerned (see IPP Guideline 22[11]).

The assessment of what might be a ‘lawful and fair collection’ and ‘a not unreasonable intrusion upon the personal affairs of the individual concerned’ is highly dependent on the context.

Some collection of third party evidence may be particularly vulnerable to criticism – for example where a coercive notice is used in circumstances where a search warrant authorised by a magistrate might be more usual for obtaining sensitive personal information, for example, from financial institutions or health providers. It is also possible that a record-keeper could resist a coercive power in such circumstances if they were not certain the disclosure was authorised in accordance with the Privacy Act, for example that the record-holder was not satisfied the collection was lawful and fair.

When using coercive powers to obtain personal information it is in the agency’s interests to ensure that coercive powers are exercised fairly, and that the agency is able to demonstrate this if a dispute arises, or if the proposed collection becomes subject to external scrutiny.[12]

At the agency level, some of these concerns might be overcome were authorisations for uses of powers deliberately structured so as to limit the scope of information-gathering to the least privacy intrusive option.

This could be achieved by a senior officer authorising (or declining) use of a power only after giving consideration to a number of relevant matters. These could include those reportedly used by the ACCC[13]:

  • Whether the information is otherwise available, including provided voluntarily;
  • The degree of risk that the information may be destroyed, not provided or provided on unacceptable terms to the Commission;
  • Whether it is appropriate for the ACCC to obtain information formally;
  • Whether the information is necessary and relevant to the ACCC’s investigation; and
  • The time and cost implications of a s.155 process for the ACCC and the recipients.

The Office notes that these considerations are consistent with an agency’s obligations under IPP 1 and 3.

Consistent with Council’s Better Practice Principle 4, the reasons for decision should be recorded.

The Office suggests that the senior officer should also have the capacity to place conditions (or limits) on the reasonable use of the power including: what is authorised to be collected, and the manner in which collection is authorised to occur.

For example, where the evidence sought is about a disputed attendance with a medical practitioner, it is unlikely there would be a need to compel production of clinical notes, as attendance could be substantiated in a number of other ways, meeting IPP 3(d) obligations. The relevant authorisation and Notice could be structured to reflect this. In this way, agency practice could place reasonable limits on the exercise of powers.

The Office also suggests that agency heads should have a specific obligation to issue guidelines for the reasonable exercise of powers within the agency, giving effect to the ‘least privacy invasive’ concept at the agency level.

Suggestions:

Council may wish to consider proposing a Better Practice Principle that separates the process of internal authorisation from the exercise of powers, allowing the opportunity for a senior officer to limit the scope of collections to that which is relevant and necessary.

Council may wish to consider proposing a Better Practice Principle that codifies the ‘least privacy intrusive’ concept.

Council may wish to consider setting out a minimum list of relevant privacy considerations as an adjunct to Principle 3.

There may also be a case for reviewing some legislation to provide clear and positive authority to obtain particular information from third parties (such as health information or financial information or electronic communications). This information is generally viewed within the community as sensitive and is accompanied by a higher expectation of privacy or confidentiality.

This might be appropriate where it is anticipated that this will be a regular use of coercive powers because of the fundamental nature of the regulatory or compliance function and statutory relationships, and where it is deemed to be a more efficient or preferable policy outcome. Legislation expressed in this way would avert IPP 1(2) concerns about fair collection where a search warrant authorised by a magistrate might otherwise be necessary.

Suggestion:

Council may wish to consider proposing a Better Practice Principle that legislation, where possible, should settle the issue of application of coercive powers to obtaining sensitive personal information in situations where obtaining a search warrant might otherwise be the expected practice.

‘Must I comply with a formal Notice?’ - Collecting information from other agencies and organisations

Some organisations and agencies from which information is sought may believe that the Privacy Act prevents compliance with a valid Notice.

Coercive powers validly exercised under an Act[14] will usually provide the requisite exception (‘required or authorised by law’ - NPP 2.1(g) and IPP 11(1)(d)) to resolve issues relating to compelled disclosure of personal information. Section 18K(m) of the Privacy Act also provides a ‘required or authorised by law’ trigger in relation to credit reporting information.

However, it is worth noting that one agency’s collection may entail another agency’s or organisation’s disclosure. The disclosing organisation or agency must still actively consider NPP2.1 or IPP11 (as the case may be). As already noted, it is possible that IPP1(2) and/or IPP 3(d) fairness concerns could provide a reason to resist or refuse complying with a coercive Notice. Resisting coercive Notices may require obtaining a legal opinion as the facts of each case will vary.

See section 3.3 of this submission for a discussion of other issues relating to inter-agency disclosure: ‘should we voluntarily share information?’.

Suggestion:

Council may wish to note that compelling information from other agencies or organisations may trigger disclosure issues under the Privacy Act for those entities.

Council may note that sections of the Privacy Act (other than the IPPs and NPPs) may also affect coercive information-gathering powers. For example, it may be that the lawfulness of the intended or unintended collection (or disclosure) of Tax File Numbers (TFNs) is not sufficiently put beyond doubt by legislation granting coercive information-gathering powers to some agencies.

The Office’s website includes a fact sheet[15] about TFNs that Council may find helpful. Legislative instruments that are relevant include:

  • The Privacy Commissioner’s Tax File Number Guidelines issued under s.17 of the Privacy Act 1988;
  • Taxation Administration Act 1953, especially s 8WB; and
  • Income Tax Assessment Act 1936.

Suggestion:

Council may wish to consider making observations in the Report about the rules around collecting Tax File Numbers.

Notices (Principle 13)

The Office notes that one of the functions of Notices issued under a coercive information-gathering power is to advise recipients as to the legislative authority supporting the collection of information. A Notice that also included the purpose of collection, and whether or how their personal information would usually be used or disclosed, would also fulfil the requirements of IPP 2.

Suggestion:

Council may find it appropriate to place a short section on IPP2 of the Privacy Act in this section of the Report (perhaps importing some of the text from page 67).

Council may give consideration to noting that the core elements of Notices could conveniently be supplemented by information about normal practices of the agency that are matters of administration or of expectation management, but that do not form part of the formal Notice (e.g. reimbursement of costs, procedural matters). This supplementary or companion notice would be an appropriate place to advise the person as to how they can expect their personal information to be treated, consistent with IPP 2.

Suggestion:

At Principle 13, Council may wish to make provision for coercive Notices to be supplemented by other information, for example matters that would address the agency’s IPP 2 obligations.

To give effect to IPP 2(d), as well as meeting a procedural fairness objective, it would be appropriate for Notices or companion information to set out relevant penalties[16] for non-compliance.[17] Council might give consideration to including this aspect as one of the minimum criteria for Notices under Better Practice Principle 13.

Suggestion:

Council may wish to consider setting out penalties for non-compliance as one of the minimum criteria for Notices under Principle 13.

Consideration could also be given to advising individuals, where applicable, that being subject to a Notice should not be taken to imply that their conduct is in question, or that adverse findings have been made. It may also be appropriate for the Notice recipient to be cautioned to not draw conclusions about the agency’s disposition on the evidence, and to be asked not to comment on the investigation until it is concluded. The aim of these strategies is to protect both the integrity of the investigation and the privacy of any parties to the investigation.

These strategies would be consistent with IPP 11(3) which provides that a person, body or agency to whom personal information is disclosed shall not use or disclose the information for a purpose other than for the purpose the information was given.

Suggestion:

Council may wish to consider proposing strategies that militate against disclosure of information or other information about the proceedings by witnesses.

As a minor matter, it may be convenient to transfer the section of Principle 13 dealing with minimum notice periods to a separate Principle. That would separate issues relating to formal Notices (the main subject of the Principle) from legislative issues.

Incidental collection of third party material

In general, legislation granting agencies a power to seize materials should contain a requirement that incidentally collected third party personal information that is irrelevant to the investigation or which is beyond authority of the coercive Notice, be returned or destroyed, as appropriate, by the agency as soon as practicable.

Suggestion:

Council may wish to consider making observations in the Report about incidental collection of third party material.

Privilege and other professionals

The draft Report (page 60) refers to the secrecy of client information held by doctors, accountants, bankers and social workers. To avoid confusion, Council may consider referring instead to the confidential or sensitive nature of such information. This construction more accurately represents the privacy motivations of the individuals concerned.

3.3 Inter-agency exchange of information (Disclosure)

Framing the issue

The premise of Principle 21 is that there are circumstances that arise in which a collection agency wishes to disclose compelled evidence to one or more other agencies without the need to obtain the consent of the individual who gave the evidence. Two questions[18] are relevant: Can we voluntarily disclose compelled information? and Should we voluntarily disclose compelled information? The first is a question about legislation, and the second is about judgement. Both questions have privacy dimensions.

Can we voluntary disclose compelled information? (Principle 20)

The assessment of the legal authorities that can enable disclosure of compelled evidence from one agency to another is a critical part of the analysis of whether an appropriate public policy balance has been struck in granting coercive information-gathering powers to an agency or for a purpose. Competing issues include the policy desire for the efficient fulfilment of each agency’s statutory functions, while respecting individual rights (including expectations to privacy) and other public interest considerations.

Typically, if not universally, legislation[19] that provides for coercive powers also provides pathways for lawful disclosure under IPP 11(1)(d), where information may be disclosed by an agency if the disclosure is required or authorised under law.

Council has concluded that agency secrecy provisions are ad hoc and need to be less complex (Principle 20) and recommended that a review should be conducted. While the premise for the review is to ensure that unnecessary barriers to information-sharing for legitimate purposes are removed, such a review would also be an opportunity to consider whether the current arrangements, or their alternatives, provide adequate privacy protections.

The Office originally developed a framework (Attachment A) for assessing new law enforcement powers but has since applied the framework more broadly to other issues. The ‘Four A’ Framework, as it is known, may be of use in the review Council proposes.

Suggestion:

In reference to a review of agency ‘secrecy’ provisions, Council may wish to note the Office’s ‘Four A’ Framework as a tool to assist in finding the appropriate policy balance between the use of coercive powers and privacy in relation to personal information.

In the view of the Office, it is preferable for legislation to provide expressly for legislative authority that unambiguously regulates issues like derivative or secondary uses, instead of relying upon broadly-expressed discretions for disclosure.

Suggestion:

Council may wish to note the Office’s preference for clear legislative authority to regulate disclosures and secondary uses.

Should we voluntarily disclose compelled information?

The purpose of Principle 21 is to assist agencies that hold compelled information (and that are authorised to disclose it) to make good judgements about inter-agency exchanges of information.

As already noted, IPP 11(3) places a limit on ‘downstream’ disclosure, potentially affecting ‘derivative use’ considerations[20] where these matters are not settled in source legislation. In considering issues related to disclosures and derivative uses, Council may find it useful to refer to the decision[21] in Johns v Australian Securities Commission and Others [1993] HCA 56.

Suggestion:

Council may wish to consider whether it would be appropriate to map out some of the higher level issues, including privacy, related to voluntary disclosures or ‘information sharing’.

Council may note that IPP 11(2) provides[22] that records of disclosure are to be created in some circumstances, for example where personal information is disclosed for the purposes of the enforcement of a law imposing a pecuniary penalty. Good privacy practice would also be to keep a record of every disclosure related to coercively acquired information.

Suggestion:

Council may wish to propose a Better Practice Principle that provides for records to be maintained of every disclosure related to coercively acquired information.

The Office agrees that voluntary disclosure powers should rest with a senior officer (Principle 21) and considers that this is a matter that should be reflected in the source legislation. Council may give consideration to suggesting a capacity for the delegate (or the head of an agency) to impose conditions on disclosures and future uses of information disclosed. Guidance should also be developed to advise senior officers about voluntary disclosure powers and their use.

For example, a checklist could be prepared which requires the certifying officer to be satisfied that the body receiving the information has appropriate procedures or protocols in place to deal with issues such as: the handling of irrelevant information; preventing secondary uses and disclosures; data security; data matching; and timely destruction of records. Consideration should also be given to protect against unreasonable intrusions on the personal affairs of individuals (IPP 3 (d)).

Suggestion:

Council may wish to consider providing for agency heads to be able to limit the scope of disclosure authorities, to produce guidance for senior officers, and to enable conditions to be placed on the uses of information disclosed to other agencies.

The issue of consent (see IPP 11(1)(b)) might usefully be explored further in the Report. Compelled evidence does not always mean that a witness will be hostile to disclosures, although it will not always be operationally viable for an agency to inform witnesses of impending disclosures. However, there is an intersection here with the procedural fairness obligation that was implied in Johns v ASC, that an individual should be afforded an opportunity to raise objections to disclosure in some circumstances, including the opportunity to suggest caveats or conditions on the uses to which information may be put.

It can also be noted that the disclosure exception under IPP 11(1)(a)[23] is less likely to be available in the context of coerced information-gathering because of the lack of choice in providing the information. For that reason, agencies should be cautious about relying on an IPP2 notice to provide authority for disclosure of personal information collected in this way.

On the other hand, the benefit of a comprehensive IPP 2 notice is that it provides an opportunity prior to providing information for an informed witness to claim privilege or seek undertakings in relation to derivative and secondary uses of any material that might be provided under coercion.

Suggestion:

Council may wish to consider further the issues of consent and procedural fairness relating to disclosures.

For all these reasons, the Office is hesitant to endorse Council’s ‘threshold trigger’ proposal for disclosure to other agencies, as encapsulated in Better Practice Principle 21, at least in it’s current form. The Office notes, however, that the Principle is apparently an advance on the current situation. The Office notes that the relevant provisions of the Privacy Act must be observed, and perhaps Principle 21 can be amended to incorporate this requirement.

Suggestion:

Council may wish to consider further the interaction of the Privacy Act with the threshold provisions proposed in Better Practice Principle 21.

3.4 Use (‘Intra-agency exchange of information’)

IPPs 8, 9 and 10 relate to the use of personal information within an agency. Generally speaking, personal information should only be used for the specific purposes for which it was collected.

In the coercive information-gathering context it is possible that, because of procedural fairness considerations, stricter limitations apply to the valid uses of coercively gathered information than are imposed by the IPPs. It is also possible that uses of coercively-obtained information are fettered by the terms and scope of the Notice under which the information was obtained.

It is reported at page 75 of the Report (under the sub-heading ‘Consultation’) that the ACCC and ASIC consider they have a broad scope to use coercively obtained information within each agency. The Report suggests that this practice is supported by the construction of the relevant Acts, and therefore falls into the third exception to IPP 10 (‘use required or authorised by law’).

The Office is not able to advise on this matter in this submission, but we draw Council’s attention to the Privacy Commissioner’s Guideline 34[24].

Suggestion:

Council may wish to consider further the issues of intra-agency use.

3.5 Record-keeping

The Office considers the appropriate handling of records containing personal information in accordance with the Privacy Act to be fundamental. The regulation of record-handling by agencies is set out in IPPs 4-9. Council may consider dealing with record handling issues in a dedicated Chapter.

Suggestion:

Council may wish to consider elevating record-handling issues to Chapter level.

As an administrative matter, agencies need to be able to track the various consents and prohibitions that apply to information collected coercively. A convenient way to achieve this is to attach metadata to information. In this way, an agency record-handler would immediately know the purposes and context for which information was collected and appreciate the limitations on alternative uses or disclosures without express authority.

The meta-data would also inform an agency of conditions it should attach to any disclosures (for example use immunities) outside of the agency.

Suggestion:

Council may wish to consider proposing an additional Better Practice Principle that encourages the attachment of meta-data to records containing compelled information.

As an incidental point on the commentary on page 76, it is worth noting that the sensitivity of information is as critical as the volume of documents that might be collected using coercive powers.

3.6 Accountability

Appropriate use of coercive power

The Office has a general interest in ensuring that the privacy-intrusive nature of coercive powers is recognised and that there are appropriate checks and balances built in to the systems that surround the granting and use of powers. This, of course, is one of the primary purposes of Council’s investigation, and underpins most of Council’s Better Practice Principles.

The Office notes that some of the personal information that is able to be collected from Australian government agencies and organisations using coercive powers may otherwise[25] not be available due to the limitations on the disclosure of information imposed by the Privacy Act.

For that reason, the Office would welcome and be reassured by a consistent set of safeguards against misuse or overuse of powers, as suggested by Council. The Office recognises that there may be some additional cost to agencies in providing those safeguards (for example Principles 4 and 19) but suggests that the protection achieved by the implementation of these safeguards on balance outweighs the additional cost.

Suggestion:

The Office supports safeguards against misuse or overuse of powers, noting the potential for an increased compliance burden for agencies using coercive powers. Council may wish to note the Office’s view.

Written records (Principle 4)

The Office welcomes Principle 4, in particular the requirement to make written records of the deliberations that lead to the exercise of a coercive power.

The Office notes that a person affected by a decision to use a coercive power is likely to be eligible to request a statement of reasons for decision under the Administrative Decisions (Judicial Review) Act 1977.

In addition, from a privacy perspective, contemporaneous records (that would underpin a statement of reasons) are invaluable to the investigation of complaints received by the Office about interferences with privacy. Establishing written records recognises the special place coercive powers hold in administrative law, and is also a proportionate reassurance to the public that their privacy expectations are being met.

Other accountability mechanisms (Chapter 9)

It would be appropriate for the Office of the Privacy Commissioner to be included in the section about external complaint processes. Council might also note the capacity of the Office to undertake ‘own motion investigation’[26] and the ability of the Privacy Commissioner and the Commonwealth Ombudsman to jointly[27] investigate matters relating to privacy.

Suggestion:

Council should add the Office of the Privacy Commission to the discussion about complaint-handling authorities.

Council might also note the accountability opportunities afforded by access to personal information provisions that are provided under the Freedom of Information Act 1982 and IPPs 5, 6 and 7.

Suggestion:

Council may wish to consider further the accountability role that IPPs 5-7 and the Freedom of Information Act 1982play in a coercive information-gathering context.

The Privacy Commissioner is able to make determinations[28] following investigations about interferences with the privacy of an individual. Determinations made under the Privacy Act may include financial remedies. A related mechanism for redress is the government’s scheme for providing financial remedy, the Compensation for Detriment caused by Deficient Administration Scheme (CDDA).

Suggestion:

Council may wish to consider including information in Chapter 9 about the Privacy Commissioner’s determinative powers, as well as noting the Compensation for Detriment caused by Deficient Administration Scheme (CDDA).

The Office would welcome Council expressing a view about certain other accountability matters that are privacy related and, if appropriate, translating that view into a Better Practice Principle. These might include:

  • the desirability of specifically and proactively informing Notice recipients of their rights to redress and complaint; and
  • reporting (publicly, to Parliament, to a Minister, or to a government oversight agency) on the effectiveness of powers (in addition to incidence, Principle 19).

Suggestion:

Council may wish to consider expressing a view about other accountability options that would provide a reassurance that an agency’s coercive collection of information does not intrude to an unreasonable extent upon the personal affairs of individuals.

4. Summary of suggestions

  • Council may wish to consider clarifying the role of the IPPs and NPPs in the Report.
  • Council may wish to consider noting the Privacy Commissioner’s Guidelines as a relevant resource in the Report.
  • Council may wish to consider drawing the distinction between ‘primary’ and ‘third party’ evidence throughout the Report.
  • Council may wish to consider the issue of coercive information-gathering from a ‘360 degree’ approach, giving more prominence to the privacy obligations and interests of organisations, agencies and natural persons that may be subject to Notices.
  • Council may wish to consider proposing a Better Practice Principle that separates the process of internal authorisation from the exercise of powers, allowing the opportunity for a senior officer to limit the scope of collections to that which is relevant and necessary.
  • Council may wish to consider proposing a Better Practice Principle that codifies the ‘least privacy intrusive’ concept.
  • Council may wish to consider setting out a minimum list of relevant privacy considerations as an adjunct to Principle 3.
  • Council may wish to consider proposing a Better Practice Principle that legislation, where possible, should settle the issue of application of coercive powers to obtaining sensitive personal information in situations where obtaining a search warrant might otherwise be the expected practice.
  • Council may wish to note that compelling information from other agencies or organisations may trigger disclosure issues under the Privacy Act for those entities.
  • Council may wish to consider making observations in the Report about the rules around collecting Tax File Numbers.
  • Council may find it appropriate to place a short section on IPP2 of the Privacy Act in this section of the Report (perhaps importing some of the text from page 67).
  • At Principle 13, Council may wish to make provision for coercive Notices to be supplemented by other information, for example matters that would address the agency’s IPP 2 obligations.
  • Council may wish to consider setting out penalties for non-compliance as one of the minimum criteria for Notices under Principle 13.
  • Council may wish to consider proposing strategies that militate against disclosure of information or other information about the proceedings by witnesses.
  • Council may wish to consider making observations in the Report about incidental collection of third party material.
  • In reference to a review of agency ‘secrecy’ provisions, Council may wish to note the Office’s ‘Four A’ Framework as a tool to assist in finding the appropriate policy balance between the use of coercive powers and privacy in relation to personal information.
  • Council may wish to note the Office’s preference for clear legislative authority to regulate disclosures and secondary uses.
  • Council may wish to consider whether it would be appropriate to map out some of the higher level issues, including privacy, related to voluntary disclosures or ‘information sharing’.
  • Council may wish to propose a Better Practice Principle that provides for records to be maintained of every disclosure related to coercively acquired information.
  • Council may wish to consider providing for agency heads to be able to limit the scope of disclosure authorities, to produce guidance for senior officers, and to enable conditions to be placed on the uses of information disclosed to other agencies.
  • Council may wish to consider further the issues of consent and procedural fairness relating to disclosures.
  • Council may wish to consider further the interaction of the Privacy Act with the threshold provisions proposed in Better Practice Principle 21.
  • Council may wish to consider further the issues of intra-agency use.
  • Council may wish to consider elevating record-handling issues to Chapter level.
  • Council may wish to consider proposing an additional Better Practice Principle that encourages the attachment of meta-data to records containing compelled information.
  • The Office supports safeguards against misuse or overuse of powers, noting the potential for an increased compliance burden for agencies using coercive powers. Council may wish to note the Office’s view.
  • Council should add the Office of the Privacy Commission to the discussion about complaint-handling authorities.
  • Council may wish to consider further the accountability role that IPPs 5-7 and the Freedom of Information Act 1982 play in a coercive information-gathering context.
  • Council may wish to consider including information in Chapter 9 about the Privacy Commissioner’s determinative powers, as well as noting the Compensation for Detriment caused by Deficient Administration Scheme (CDDA).
  • Council may wish to consider expressing a view about other accountability options that would provide a reassurance that an agency’s coercive collection of information does not intrude to an unreasonable extent upon the personal affairs of individuals.

Attachment A

OPC ‘Four A’ Privacy Evaluation Framework for assessing and implementing new law enforcement and national security powers

The Office of the Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.

First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy-invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.

In summary:

Analysis – is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?

Authority – Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?

Accountability – What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?

Appraisal – Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?


[1] For a copy of the report see: http://www.ag.gov.au/arc or http://www.gov.au/agd/www/rwpattach.nsf/VAP/(96E02A3185906E56B3F27DE5BFCC1C80)~draft+coercive+powers+report.pdf/$file/draft+coercive+powers+report.pdf

[2] Privacy Act 1988, ss 44-47, 65, 66, 70

[3] The Office notes that the Report does not specifically consider the coercive information-gathering powers of government monitoring bodies.

[4] Privacy Act 1988, s 27(1)(d)

[5] Privacy Act 1988, ss 27(1)(a), 27(1)(ab)

[6] Page 67 of the Report may be an appropriate place to do this.

[8] For convenience, the term ‘Notice’ is used throughout this submission to refer to a formal Notice compelling production of information pursuant to a coercive power.

[10] Ibid.

[11] Ibid.

[12] For example an injunctive action (where available), a request for a statement of reasons under s 13 of the Administrative Decisions (Judicial Review) Act 1977,or a Privacy Commissioner or Ombudsman investigation.

[13] As set out on p 19 of the draft Report.

[14] ‘Laws’ in the context of the Privacy Act usually means laws of the Commonwealth. See the Privacy Commissioner’s Guideline 32 (Plain English Guidelines to Information Privacy Principles 8-11) for more information.

[16] For example, not producing information; refusing to swear an oath or affirmation; refusing of failing to answer without excuse; wilful obstruction; providing false or misleading information or statements

[17] Offences for non-compliance with Notices: - Council may consider whether it is appropriate to note or comment on the variance in penalties prescribed in various Acts for refusing or failing to cooperate with Notices issued under coercive information-gathering powers. Council may also wish to give consideration to adding a ‘penalty’ field to the Table in Appendix B of the Report.

[18] Note that the question ‘Must I comply with a formal Notice?’ has been discussed in section 3.2 of this submission.

[19] To assist further discussion on this point, Council may wish to consider adding a ‘disclosure’ field to the Table in Appendix B of the Report to provide data about the underlying issues.

[20] See Chapter 9 – The Use of Compelled Evidence, in, Donaghue S (2001) Royal Commissions and Permanent Commissions of Inquiry. Butterworths. Australia.

[22] See IPP Guidelines 46 and 47

[23] ‘reasonably likely to have been aware, or made aware under [IPP 2], that information… is usually passed to [a particular] body or agency’

[25] That is, but for the ‘required or authorised by law’ trigger in NPP 2.1(g) or IPP 11(1)(d), it is likely that the information would not be able to be disclosed without the express consent of the person to whom the personal information relates, unless another exception applied.

[26] Privacy Act 1988, s 40(2)

[28] Privacy Act 1988, s 52