Australian Government - Office of the Australian Information Commissioner - Home

Northern Territory Emergency Response Review; Submission to the Review Board (September 2008)



Our reference: P07/119rl

Mr Peter Yu Chairman NTER Review Board Secretariat GPO Box 7576 Canberra Business Centre, ACT 2610

Dear Mr Yu

REVIEW OF THE NORTHERN TERRITORY EMERGENCY RESPONSE

The Office of the Privacy Commissioner ('the Office') welcomes the opportunity to provide comments to the review of the Northern Territory Emergency Response (NTER).

General Comments

The Office acknowledges the complexity and breadth of the measures and sub-measures under the NTER.  Many are health-related, covering substance abuse (drugs and alcohol), domestic violence, sexual abuse and child abuse, as well as more general family, education, housing, health and welfare matters.  The Office notes that the nature of these measures means that their implementation necessitates a cross-jurisdictional, multi-agency approach - involving both Australian and Northern Territory government agencies - as well as private sector organisations (for example, where government services may be contracted out).  

All of the measures noted above would appear to require the collection, use and disclosure of significant amounts of personal information[1] and sensitive[2] information, which includes health information.  

It is important to note that the Privacy Act 1988 (Cth) ('the Privacy Act') does not present a barrier to these measures.  The Privacy Act sets out obligations for the handling of personal information in the form of Information Privacy Principles (IPPs) for Australian Government agencies, and the National Privacy Principles (NPPs)[3] for private sector organisations. These principles cover the collection, use and disclosure, security, retention, access and notice to individuals about the collection of personal information among other things.

It is also important to note that the right to privacy and the protection of their personal information should be enjoyed by all Australians, including Indigenous Australians. Many Indigenous people living in the Northern Territory may lack understanding of, or exposure to, privacy laws, and their understanding may be further hampered by poor literacy or English language skills. The Office believes it is important that robust privacy frameworks, including training, education, processes and procedures, are set in place in the course of the NTER emergency response. This will help to ensure that the personal and sensitive information of all individuals affected by the measures is handled in compliance with the Privacy Act. While the Office recognises that many of the proposed measures are crucial to the health and future wellbeing of individuals in the Northern Territory, these measures should not be implemented in such a way that unnecessarily diminishes the protections afforded to individuals' personal information.

In meeting their obligations, good privacy practice dictates that agencies and organisations may need to take extra steps to ensure appropriate handling of Indigenous Australians' personal and sensitive information under the NTER measures. Complex kinship relationships, cultural mores and language and literacy skills, for example, may necessitate more practical, sensitive and creative approaches on the part of agencies and organisations to ensure understanding.

The Office refers the Board to its document Minding Your Own Business - A Protocol for Australian Government agencies in the Northern Territory, developed by the Office for Australian Government agencies, which the Board may find useful (Attachment A). This protocol covers in more detail how the IPPs apply to some specific privacy issues relating to the handling of personal information of Aboriginal and Torres Strait Islander people.[4]

Office involvement with NTER measures

To date, the Office's involvement with NTER measures has been to provide privacy advice on the handling of personal information in respect of the sale of alcohol for licensees, their staff and customers, and the community stores income management scheme for managers and staff.  The Office notes that it has not been approached to provide similar advice on other NTER measures discussed above, including those requiring the collection of health information.

In the first half of 2008, under an agreement with the Department of Families, Health, Community Services and Indigenous Affairs (FaHCSIA), the Office developed privacy guidance for Northern Territory licensees of takeaway alcohol businesses, as well as community stores in the context of the income management measure applying to Centrelink benefits.

This guidance consisted of a brochure for licensees and their staff, a 'privacy postcard' for consumers and a poster.  The guidance provides advice to takeaway staff about their obligations under the Privacy Act and advice to customers about the collection of their personal information when they purchased specific quantities of alcohol. The Office understands that FaHCSIA intends to release this material shortly.

The Office has also developed a brochure for Community Store managers and their staff, giving advice about the handling of customers' personal information under the income management scheme. The Office understands that this brochure has been distributed by Centrelink to participating Community Stores in the Northern Territory.

The Office's specific comments on both the alcohol takeaway measures and the community stores income management measures follow.

Privacy and the alcohol takeaway measure

The Office understands that, under the Northern Territory National Emergency Response Act 2007 (the NTNER Act), customers are:

  • restricted as to the cost and quantity of takeaway alcohol they can purchase at any one time and
  • at the time of purchase, required to have their photo identification sighted (but not recorded) and have some personal information recorded - their name and address and the location where the alcohol is to be consumed. The Office notes that there is no legal requirement for a purchaser to be accurate as to where the alcohol is to be consumed.

The NTNER Act requires that licensees keep this information for 3 years.  The Office understands that licensees may also forward this information for storage to the Northern Territory Licensing Commission.

Coverage of the Privacy Act

The NPPs in the Privacy Act regulate how private sector organisations with an annual turnover of more than $3 million must handle personal information. The NPPs also cover all private sector health providers regardless of their size. Small businesses (that is, businesses with an annual turnover of $3 million or less) are usually not covered by the Act unless an exception applies; for example, a small business selling or trading in personal information[5] will be covered by the Act, as are all private sector health service providers.

Application of the Privacy Act and Northern Territory legislation to licensees

While large organisations in the Northern Territory selling takeaway alcohol, such as well known supermarkets and liquor chains, are subject to the NPPs, smaller takeaways may not be covered if their turnover does not meet the $3 million threshold.  The Office is unsure how many takeaways in the Northern Territory are not covered by the Privacy Act.  The Office noted this variable coverage in its guidance for takeaway staff and their customers.

In addition, the Office notes that Northern Territory privacy legislation, the Information Act 2002 (NT) ('the NT Act'), covers personal information, record keeping and archive management of information held in the public or government sector.  The NT Act does not regulate the private sector, such as takeaway businesses.

These limitations in the coverage of privacy legislation mean that there may be a personal information protection 'gap' under the NTER alcohol purchase restriction measure. Personal information collected by some takeaways about individuals living in or visiting the Northern Territory (Indigenous and Non-Indigenous) may not be protected by either the Privacy Act or the NT Act. In the event of a complaint about the way an individual's personal information had been misused by such a takeaway business, neither the Privacy Commissioner, nor the Northern Territory Information Commissioner, would be able to handle that complaint.

One way in which this 'gap' may be addressed would be to amend the NTER Act to ensure that any personal information collected for the purposes of the alcohol limit measure is subject to the Privacy Act in the way it is handled.

Purpose of collecting personal information under the alcohol takeaway measure

Takeaway businesses are required to collect particular information under the NTNER Act about purchasers and consumption locations at takeaway points of sale.  The Office is unsure for what subsequent function or activity the information is required, how it is to be used or to whom the information may be disclosed. 

The Office is also unsure as to why the licensee needs to store the personal information for three years and what happens to the information once it is forwarded to the Licensing Commission.  Related to this, the Office is concerned at anecdotal first-hand reports of this information being stored with inadequate security, such as in boxes under counters.

The Office would welcome clarification of these issues.

Recommendations for the alcohol takeaway measure

In light of the comments above, the Office recommends the following in relation to the alcohol takeaway measure:

  • The Review Board consider how the privacy legislation coverage may be addressed to extend privacy protection to personal information collected by all takeaways in the Northern Territory.
  • The NTER Act should clarify the purpose of collection, subsequent use and disclosure and secure storage of personal information about individuals who have purchased alcohol subject to the NTNER Act provisions.
  • More guidance should be developed to ensure that individuals in the Northern Territory understand why this personal information is being collected (the purpose), how it is intended to be used and disclosed and stored and how they can get access to personal information about themselves.

Community stores and the income management measure

The Office understands that, under the NTNER Act, individuals' benefits may be income managed by Centrelink. Income management means that a percentage of the Centrelink customer's benefit is earmarked for specific use such as food or clothing purchases. 

Community stores enter into contracts with Centrelink for the management of these Centrelink clients.  Centrelink is subject to the Information Privacy Principles (IPPs) in the Privacy Act in the way it handles personal information about its customers.  Community stores that handle this information on behalf of Centrelink are also subject to the Privacy Act and a clause to this effect is required to be included in the contract.[6]

Information about the customer comes directly to the community store from Centrelink, either electronically or by fax. Generally the store should only discuss or disclose the individual's personal information with the customer or Centrelink. One exception may be where a customer is incapable of getting to the store themselves, for example, aged or chronically ill customers. These customers may give express consent for someone else to act on their behalf and make purchases for them from their income-managed account.

Stores are required to store the information securely so that it is not mishandled (IPP 4).

Privacy issues and income management in community stores

The Office is concerned that both community store managers and staff and their customers may not have a clear understanding of the Privacy Act and the protection of personal information as it relates to income management measures.  While a community store privacy brochure is an excellent start, on its own it is not sufficient in the Office's view to ensure informed understanding of privacy obligations. 

This is particularly the case where language and literacy issues or the concepts of privacy and personal information may be so unfamiliar as to present complications for staff and customers alike. The Office is concerned at anecdotal first-hand reports of a community store manager writing customers' names and the amount remaining in their income managed accounts on a Community Store whiteboard for the whole community to see. Such an action is not only in breach of the Privacy Act (and potentially other legislation), it also risks those customers being subject to 'humbugging' of their income management funds.

Recommendations for the income management measure

In light of the issues discussed above, the Office recommends:

  • Education for community stores managers and their staff and communities about privacy and the handling of personal information as it relates to the income management scheme is necessary.

General recommendations

In light of the range and diversity of measures envisaged under the NTER, the Office recommends that two overarching measures be adopted to ensure the appropriate handling of personal information under any emergency response measure in the Northern Territory.  These two measures are:

  • agencies involved in each NTER measure should undertake a Privacy Impact Assessment[7] (PIA) (separately or collaboratively), to ensure that information flows and any resulting privacy risks are comprehensively identified and addressed.
  • an independent, comprehensive and thorough privacy audit should be conducted of how the existing measures operate. Such an audit may help to ensure that appropriate privacy protection frameworks are in place in regard to all NTER measures requiring the handling of personal information.

I hope these comments have been useful.  The Office would also welcome the opportunity to discuss privacy matters related to NTER measures, particularly where health and other sensitive information may be a factor.

Enquiries should be directed to Mr Andrew Hayne, Acting Director Policy, at Andrew.Hayne@privacy.gov.au or (02) 92849 671.

Yours sincerely

Karen Curtis Australian Privacy Commissioner

22 September 2008

ATTACHMENT A

Minding our own business

Privacy protocol for Commonwealth agencies in the Northern Territory handling personal information of Aboriginal and Torres Strait Islander people

Privacy Commissioner, February 1998

© Copyright Human Rights and Equal Opportunity Commission 1998. This publication may be reproduced for non-commercial purposes on condition that it is reproduced without alteration, and on condition that the source is clearly acknowledged. All other rights are reserved.

Commissioner's foreword

The Commonwealth Privacy Act protects the privacy of personal information handled by Commonwealth government agencies. The right to privacy is a basic human right, and it is my job as Privacy Commissioner to try to make sure that the Act's protection is enjoyed equally by every person in Australia. This is sometimes easier said than done. The right to privacy is constantly in danger of becoming lost in the pressure of day to day life.

Some time ago it became clear that the protections of the Act were not necessarily being fully enjoyed by Aboriginal and Torres Strait Islander people in the Northern Territory. Indigenous people's right to privacy was not always being addressed within the relevant cultural context. A project was therefore undertaken jointly with Aboriginal and Torres Strait Islander Social Justice Commissioner Mick Dodson to see what needed to be done to try to protect that right. This Protocol is the result.

The Protocol has been prepared in consultation with both Indigenous organisations and Commonwealth agencies in the Northern Territory, and is intended to be a practical guide to privacy issues in the handling of personal information of Aboriginal and Torres Strait Islander people. It provides guidance in the day to day interpretation of the Commonwealth Privacy Act's Information Privacy Principles.

The Protocol has been produced specifically for use in the Northern Territory. However, much of it is of more general application, and I would encourage Commonwealth agencies and other organisations to consult with Indigenous people in adapting it for use in other areas.

I would like to thank David Main for his work in researching and preparing the text of the Protocol. I would also like to acknowledge the assistance of Ian Stewart (Roy Morgan Research) and his report It's Like Delving Into Your Soul; and to thank the following for their assistance in the consultation process: Institute for Aboriginal Development; Central Australian Aboriginal Legal Aid Service; North Australian Aboriginal Legal Aid Service; Katherine Regional Aboriginal Legal Aid Service; Nerida Blair; Kevin Rolfe; Michael Loy; Australian Taxation Office; Centrelink; Social Security Appeals Tribunal, Darwin; Commonwealth Ombudsmans Office, Darwin; and the Departments of Health and Family Services, Social Security, and Employment Education Training and Youth Affairs.

Moira Scollay Privacy Commissioner March 1998

Introduction - the Privacy Act 1988

This Protocol has been prepared by the office of the Federal Privacy Commissioner, in consultation with Aboriginal and Torres Strait Islander people and organisations, and with Commonwealth government agencies.  It is intended for use specifically in the Northern Territory.  However agencies are encouraged to develop similar Protocols in consultation with Aboriginal and Torres Strait Islander people in other parts of the country.

When handling any personal information, Commonwealth government agencies must comply with the Information Privacy Principles found at s14 of the Privacy Act 1988.  This Protocol is intended to cover in more detail how the Principles apply to some specific privacy issues relating to the handling of personal information of Aboriginal and Torres Strait Islander people.

The Privacy Commissioner can investigate complaints about a breach of the Information Privacy Principles.  While failure to follow the guidelines in this Protocol will not necessarily be a breach of the Privacy Act, it would almost certainly require an investigation to determine whether or not this was the case.  If agency staff are in doubt they should follow the procedures for obtaining further advice which are outlined at the end of the Protocol.  Although it is unlikely that following this Protocol could result in a breach of the Information Privacy Principles, the Privacy Commissioner would take into account that the Protocol had been followed in coming to her decision on any related complaint.

Why have a Privacy Protocol for Aboriginal and Torres Strait Islander people?

The right to privacy is one of the range of human rights to which all people in Australia are entitled.  But the existence of the Privacy Act has not so far been able to ensure privacy rights for many Aboriginal and Torres Strait Islander people in the Northern Territory in their dealings with Commonwealth agencies.

This is partly because they do not equally enjoy other human rights.  But the right to privacy is also sometimes seen as making it harder to provide services for Aboriginal and Torres Strait Islander people.  The Protocol aims to explain in a practical way why this does not have to be the case - how to protect some specific rights provided by the Privacy Act, without interfering with service delivery.

The Information Privacy Principles in the Privacy Act are legally binding.  The Protocol aims to provide an interpretation of some aspects of the Principles in a way which is culturally appropriate for Aboriginal and Torres Strait Islander people living in the Northern Territory. 

Collection of personal information

The Privacy Act sets out broad rules to protect the personal information of everyone in Australia against unnecessary, unfair, or overly intrusive collection by Commonwealth government agencies.  But cultural differences mean that these rules will often have different effects for different types of information.  The cultural sensitivity of some personal information means that it requires increased protection.

Aboriginal and Torres Strait Islander people have a right to be told why their personal information is being collected, and to be protected against:

  • unnecessary collection of culturally sensitive personal information
  • methods of collecting personal information which are culturally insensitive
  • otherwise unreasonably intrusive collection of personal information

Unnecessary collection

Under the Privacy Act one of the basic rules is that any personal information collected by an agency (whether or not it is asked for) must be necessary for the agency's purposes.  When the information is culturally sensitive it is especially important to see if there are other ways of achieving the desired purpose than to collect that information. 

If there are less intrusive alternatives available than collecting culturally sensitive personal information, they should be used instead. 

This also means that all agency staff who are likely to have to assess whether information is culturally sensitive or not should be properly trained in cross-cultural issues appropriate to the local area.

Voluntary provision of culturally sensitive personal information

Culturally sensitive information should only be asked for on a voluntary basis, unless it is absolutely essential for an agency's statutory function. 

If there is no choice but to ask for culturally sensitive information, the request should be made carefully, and with all possible steps to minimise the intrusion.  The reason for the request must be explained.

Examples of culturally sensitive information

Information about people who have passed away

The name of a person who has passed away is generally extremely sensitive information, and must only be asked for when it is essential for an agency's purposes.  Even when this is the case, in many communities it is important that close relatives are not asked to discuss, write down, or see written down, the name of a person who has passed away.  If such information becomes relevant when a close relative is being interviewed or asked to complete a form, consent should be requested to obtain the information from another source (for instance hospital records).

It is also important that this information is not requested incidentally.  Questions about family members, on forms or in interviews, should be structured to ensure that the name of a person who has passed away is not being requested.  One way to do this is to ask first whether a person's parents are living, before asking for their names.  As a general rule, if the close relative has passed away, their name should not be requested.

Previous names

A common reason for a change of name is that a person with the same name has passed away, and that name can no longer be used.  Unless the information is essential for an agency's statutory functions, any questions about previous names on forms or in interviews therefore should allow for this information to be provided on a voluntary basis.  One way to achieve this is to make clear on forms that a question need only be answered "if you are able to".  Agency staff should in any case always request such information politely and with general sensitivity. 

Ceremonial business

It is unlikely that even general information relating to ceremonial business would be necessary for or relevant to an agency's functions.  Any proposal to request such information should therefore be carefully assessed to ensure that the information is essential for the agency's purposes.  As a general rule, detailed information about ceremonial business would not be relevant to most agencies' functions, and therefore must not be collected.

Skin names

There are sometimes legitimate reasons for asking for this information, for instance to help with establishing proof of identity.  Often it is not considered particularly sensitive, but to avoid any possible problems it should only be collected on a voluntary basis.  If a person cannot, or does not want to, provide their skin name, this should be allowed, and other means of sorting out identity pursued.

Surveys and research

It is essential in considering research or surveys of Aboriginal or Torres Strait Islander people that the necessity for the information is first established.  If research is considered necessary, the information obtained should not be retained in a form linking it with identifiable individuals unless this too is essential.

The Privacy Act also says that people who are being asked for personal information must usually be told why that information is needed, and what it will be used for.

If personal information is asked for in situations which are not directly related to an immediate service to the person concerned, then it is especially important to explain why that information is being asked for.  Even if the person's identity will later be removed from their information, for example as anonymous or aggregated survey information, the reason for asking for it should still be explained sensitively and clearly.

Unnecessary repeated collection of information

The collection of personal information is probably unnecessary, and perhaps unreasonably intrusive, if an agency already holds it and can readily retrieve it.  An example would be requiring a person to "start again" and provide proof of their identity or a tax file number after a relatively short break in contact, if that information is already held in a computer system or on a paper file.

Agencies should ensure that administrative practices avoid unnecessarily repeating the collection of basic information.  This will often require greater attention to information collection practices than might be necessary in an environment in which documentation is more likely to be available.

Inter-agency coordination to minimise unnecessary collection of information

Privacy principles generally require strict separation of information held by different government agencies, unless there is a law authorising exchanges of information, or the person has given their consent. 

On the other hand it can sometimes be very intrusive to be asked to provide the same information repeatedly to different government departments.  In some situations it may be better to give people the choice of having basic information obtained from another agency rather than repeatedly being asked to provide it themselves.

What agencies can do

Where information is likely to be held by another agency, the wishes of the individual should be determined at the outset.  If there is a preference for that information to be obtained from the other agency, the person's consent should be formally obtained. Existing coordination and liaison arrangements should then be used to obtain the information from the other agency.  If consent has been clearly provided to the agency requesting the information, the agency disclosing the information must satisfy itself that consent has been granted, but does not have to obtain separate consent itself.

It is possible that in some situations an insistence on collection from the individual concerned could raise issues related to unnecessarily intrusive collection of information.

What agencies cannot do

It is not appropriate to imply consent to obtain information from another agency simply from the fact that a person has had some dealings with that agency in the past.  Direct consent is necessary, and should whenever possible be obtained in writing.  If getting written consent would unnecessarily delay provision of the service, consent given by telephone may be sufficient, as long as it is formally recorded in a file note.

Disclosure of personal information to another person

Aboriginal and Torres Strait Islander people in the NT, whether they live in remote communities or in town, often use intermediaries to deal with government departments.  It is their right to do so if they wish, and using an intermediary should not cause the standard of service delivery to suffer.

On the other hand a person's right to privacy includes the right to protect their personal information from being disclosed to someone else, except in the limited situations set out in the Privacy Act.  Most agencies take this right very seriously, and protect the information they hold with strict security and confidentiality rules.

There is no conflict between these two principles - dealing with intermediaries but protecting the security of personal information - if the person consents to their information being given to the other person.  Under the Privacy Act and most other secrecy or confidentiality legislation, consent is a valid basis for providing a person's information to someone else. 

Consent to disclose information does not have to be in writing.  Nor does it have to be given directly by the person concerned, if it can be implied from their actions.  Subject to verification as outlined below, if a person asks someone to make enquiries for them, their action in asking them to make the enquiry will generally imply their consent for the agency to disclose their information.

The following approach should be adopted whenever someone contacts an agency and says they want information about someone else.

Note - these procedures only apply when the intermediary or the person whose information is at issue initiates the enquiry. 

ONE Obtain direct consent if possible

If it is practicable without causing unreasonable delay, the person's express consent to discuss his or her information with the intermediary should be obtained.  For telephone enquiries where the person speaks English and is with the intermediary they should be asked to be put on the line to confirm that disclosure is permitted.  If the request is not urgent, consent could be obtained in writing, by mail or fax, but it is important not to allow this to interfere with efficient service delivery.  Where practical, it is a good idea when first obtaining information from someone to also check if they want an intermediary to be authorised to be told information about them.  If they do, written consent may be obtained for future disclosures.

TWO Confirm the legitimacy of the intermediary

If no previous express consent has been provided, and a brief conversation to establish express consent is not possible, then the identity and legitimacy of the intermediary should be established. It is up to each agency to decide how this should be done.  Examples would be if the intermediary is already known to the staff member; if they are on a list of known representatives of organisations or community advisors; or by such devices as returning the phone call or questioning the intermediary further about their position.  In some cases it may be appropriate to have a form completed by people whose positions mean they will frequently be acting as intermediaries for agency clients.

THREE Confirm the relationship with the person

The legitimacy of the intermediary relationship with the client should also be established, either from the nature of the intermediary's formal position (examples would be community advisor, or legal aid lawyer), or by further exploring the relationship with the person whose information they are asking for.

FOUR Implied consent to disclose information

If it then appears reasonable in all the circumstances to do so, the consent of the person to disclose their personal information to the intermediary may be implied, and relevant information can be provided to the intermediary.  It is important to remember that the implied consent can only be to disclose information relevant to the intermediary and the nature of the enquiry. If there is reasonable doubt about the legitimacy of the claimed relationship with the person whose information is being sought, then agencies will need to make further checks.

A flexible approach should be adopted when an agency staff member thinks there is no valid implied consent to disclose someone's information to someone else.  Whenever possible the preferred option is for a more senior officer to take the enquiry before a final refusal to provide information is given.

What if the agency initiates the contact?

Implied consent could exist if the client has taken some action which suggests they intend the intermediary to receive the information from the agency, for example, the client has asked the intermediary to make the enquiry, or if the client makes available to an intermediary information which an agency seeks.

In agency-initiated enquiries, consent to disclose personal information cannot be assumed until it has either been expressly obtained, or can be implied from the client's actions.  For example, it cannot be assumed that information may routinely be disclosed to a community advisor or administrator, just because a person lives in that community.

If an agency initiates an enquiry, and has to make contact through an intermediary such as a community advisor, only the minimum information to make the message effective can be disclosed.

Summary

When information is asked for about another person, it cannot usually be disclosed without that person's consent.  Whether consent can be implied must be decided by agency staff, on the basis of an assessment which is reasonable in the circumstances of the person's actions.  While a person's right to privacy must be protected, so must the right to adequate service delivery.

Tax file numbers

The handling of tax file numbers (TFNs) is very closely regulated under two sets of rules - the tax laws, and the Privacy Commissioner's tax file number Guidelines.  Both sets of rules are binding on every person and organisation in Australia.

The most important rule is that unless there is a separate law permitting it, the TFN cannot be used to identify a person.  This Protocol cannot make any change to that rule.

The rules also require that TFNs are kept suitably secure by organisations and agencies which are allowed to ask for them.  Often this means that they would not be given to anyone except the person whose TFN it is.  It also means that only some staff have access to the TFNs.

But there are cases where Aboriginal and Torres Strait Islander people do not keep a record of their tax file number.  This can cause problems and delays when an agency asks for it.  As long as the security of TFNs is maintained, agencies should be as flexible as possible to minimise delays and disruption caused by a request for a TFN.

The best way to do this is to get the person's consent to obtain the TFN directly from the Australian Taxation Office, or from another agency which has asked for it in the past.

The ATO has developed a form for use by Aboriginal or Torres Strait Islander people who wish to obtain their TFN. The form allows the applicant to authorise the ATO to contact various organisations about the application.  It also allows for authorisation to provide the TFN to some agencies who commonly need it.

Agencies should ensure that there are effective liaison procedures in place to allow exchanges of TFN information, as long as the clear consent of the client has first been obtained by either the agency requesting the TFN, or the agency providing it.

What to do if there is a problem in applying this Protocol

As a first step, senior staff within the agency should be consulted if there is a problem with applying this Protocol.  Every agency also has a Privacy Contact Officer, usually located in the central office, who should be consulted about enquiries relating to privacy.  If necessary, the Privacy Commissioner's Office may be contacted toll-free on 1800 023 985 for advice about this Protocol.

Privacy complaints

Anyone who thinks that a Commonwealth government agency has not followed the Privacy Act can make a complaint.  The first step is to make the complaint directly to the agency, and to wait to see if the agency can fix up the problem.  If they can't, then the Privacy Commissioner will have a look at it to see if it is something that she can investigate for herself.

It is important to remember that this Protocol aims to explain the Privacy Act, but it cannot replace it.  The major agencies have agreed to follow this Protocol, but if they don't, it is not automatic that they have also not followed the Privacy Act.  That would be sorted out as part of looking at a complaint.

Anyone who needs any help about this Protocol, or about how to make a complaint, can ring the Privacy Commissioner's office in Sydney.  This is charged at local call rates.  The number is 1300 363 992.  Letters can also be addressed to the Privacy Commissioner at:

GPO Box 5218 SYDNEY, NSW 1042.

[1] Personal information is defined in section 6 of the Privacy Act 1988 (Cth).  More information about the Privacy Act, the Information Privacy Principles and the National Privacy Principles is available at http://www.privacy.gov.au/

[2] Sensitive information is defined in section 6 of the Privacy Act and is a subset of personal information.  Sensitive information includes information or opinion about health information, criminal records, sexual preferences or practices and racial or ethnic origins among other things.

[5] More information about small business and the Privacy Act is available at http://www.privacy.gov.au/business/small/      

[6] More information about Commonwealth contracts may be found in Private Sector Information Sheet 14 - 2001 Privacy Obligations for Commonwealth Contracts available at http://www.privacy.gov.au/materials/types/download/8709/6544

[7] The Privacy Impact Assessment Guide produced by the Office is available at http://www.privacy.gov.au/materials/types/download/9256/6835