Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Inquiry into the AusCheck Bill 2006; Submission to the Senate Legal and Constitutional Affairs Committee (February 2007)

Submission to the Senate Legal and Constitutional Affairs CommitteeFebruary 2007 Office of the Privacy Commissioner The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act) has re...

Submission to the Senate Legal and Constitutional Affairs Committee

February 2007

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act) has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Privacy and the AusCheck Bill 2006

The Office welcomes the development of the AusCheck Bill 2006 ('the Bill')1 to provide a regulatory framework around the creation of a centralised Australian Government managed background checking service to be known as "AusCheck". Furthermore, the Office welcomes the commitment to undertake a Privacy Impact Assessment2 ('PIA') on the AusCheck scheme.

The Office acknowledges that the establishment of the AusCheck scheme is in response to a recommendation made by the 'Wheeler Report'3 . The Office notes that such a scheme, will by its very nature, involve the collection and handling of a significant amount of personal information, including potentially sensitive information about individuals and is encouraged to see that a range of information management and protection measures have been included in the Bill.

Within the current national security context, the Office acknowledges the need for both government agencies and private organisations involved in the aviation and maritime sectors to minimise the risks associated with employing individuals working within secure areas of airports and seaports without undertaking a background check.

The Office is mindful that through the scheme individuals will be required to provide personal information in order to secure or maintain employment. Consequently, it is important that personal information is not used for purposes that are not currently contemplated, or in a manner that was not within the reasonable expectations of the individual at the time of collection. Furthermore, to facilitate informed consent, it is imperative that the individual is clearly notified, at the time of collection, regarding the purposes of collection and potential subsequent use and disclosure of the information.

The Office appreciates that centralising background checking for the purpose of issuing Aviation Security Identity Cards (ASICs) and Maritime Security Identity Cards (MSICs) can promote consistency and efficiency in assessing applications for either card.

Whilst the Office is generally cautious of the development of centralised database systems containing significant amounts of personal information, the Office also notes that the establishment of such database systems has the potential to enhance the protection of an individual's personal information. This is achieved where there is a comprehensive framework for privacy protection involving four elements. These are: underpinning legislation, the design of the system, the technology that is used and oversight arrangements. The Bill and the Privacy Impact Assessment are a good start to build such a framework around the AusCheck scheme.

Enhancing privacy protections in the Bill

From an optimum privacy perspective, the Office holds the view that the AusCheck scheme could be further enhanced by some greater specificity in the legislation, specifically relating to the following elements;

  • the purposes for which the AusCheck's background checking function may be applied
  • the breadth of information that may be collected and assessed during a background check
  • the use and disclosure of the information collected.

Suggestions to further enhance the privacy protections in the Bill in relation to these elements are discussed in detail below.

AusCheck scheme purposes

Section 8(1)(a) and (b) addresses the establishment of a background checking scheme for the purposes of issuing ASICs and MSICs under their relevant Acts or respective regulations. However, section 8(1)(c) provides for AusCheck to carry out its function in relation to "other purposes" which may include the purposes listed in section 8(2). The Office notes the particularly broad scope of the "other purposes" that the AusCheck scheme may be used for, some of which would not require further primary legislation.

The Office acknowledges that the current Bill seeks to regulate the purposes for which it will undertake background checks by requiring them to either be enacted in other primary legislation or through regulations under this Bill. However, the Office believes that in the interests of maximum public confidence and legislative transparency potential future purposes of the AusCheck scheme should be able to be undertaken only after primary legislation has been enacted, either through amendments to the AusCheck legislation or through other new or amended primary legislation.

Background checks - information that can be collected

The Information Privacy Principles (IPPs) in the Privacy Act 1988 regulate the collection and handling of personal information by Australian government agencies. Specifically, IPP 1 relates to the manner and purpose of collection of personal information. In essence, IPP 1 requires agencies to limit the collection of personal information to where it is "necessary for or directly related to" a purpose that is directly related to the function of the collector.

Relevantly, section 13 of the Bill authorises the collection of personal information about an individual. In particular, section 13(a) of the Bill authorises the collection of information for "the purposes of, or for purposes relating to [AusCheck's function]…" (emphasis added).

The Office is concerned that the effect of section 13(a) may result over time in a broadening of the scope of information that AusCheck may collect. The Office believes that this could be addressed by adding that the collection be directly related to the purpose.

The Office understands that currently the information returned from criminal background checks in some jurisdictions may include all records, not just those that may be relevant to the purpose of the check. The Office would suggest that consideration be given to an additional section in the Bill under Part 3 that requires AusCheck to delete information that is not relevant to the background check for which it is being collected, used or disclosed. The Office notes that this would be in addition to any requirements under the various spent convictions schemes and the Privacy Act 1988 .

Background checks - information that may be assessed

Section 3 of the Bill establishes the object of the proposed Act and states that it provides a framework for the coordination and conduct of "certain criminal, security and other background checking", thus establishing the function of AusCheck.

However, the definition of a "background check" provided for in section 5 appears to allow, through regulations, an open ended expansion of the information that may be assessed without reference to any specific criteria. The scope of the regulations that may expand the types of information that can be assessed in a background check could benefit from being referenced to the risk associated with particular employment situations or other reasons the background check is being undertaken.

Background checks - use and disclosure of information collected

Section 13 of the Bill authorises the use and disclosure of personal information by AusCheck. However, the uses and disclosures provided for in section 14(2)(b)(ii) and (iii) of the Bill appear to be much wider than the background checking function of AusCheck as established in the 'Object of Act' outlined in section 3.

The Office believes that these provisions may benefit from more specificity as it is not readily apparent to whom the information may be used or disclosed. The Office understands that other mechanisms already exist that would permit the subsequent use of the information, for example, in relation to criminal investigations.

Security of Personal Information

The Office is pleased to note that section 15(1) of the Bill provides for the protection of information, including personal information. However, in relation to section 15(2)(a) and (d) the effectiveness of the protections are potentially reduced by the broad scope of the purposes of the AusCheck scheme as discussed above.

1. For information about the legislation and the Committee''s inquiry see: http://www.aph.gov.au/Senate/committee/legcon_ctte/auscheck/index.htm

2. For further information about Privacy Impact Assessments in general see the Office''s guide at: http://www.privacy.gov.au/publications/pia06/index.html

3. ''An Independent Review of Airport Security and Policing for the Government of Australia'', Right Hon Sir John Wheeler DL, September 2005, p73: http://www.aspr.gov.au/docs/Security_and_Policing_Review_PUBLIC.pdf