Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Personal Property Securities Bill 2009 [Provisions]; Submission to the Senate Legal and Constitutional Affairs Committee (July 2009)

The Office's submission to the Senate Legal and Constitutional Affairs Committee on the Personal Property Securities Bill 2009

pdfsub_personal_property_securities_bill

Key Recommendations

1. The Office of the Privacy Commissioner ('the Office') makes the following recommendations in relation to the proposed Personal Property Securities Bill 2009 ('the PPS Bill') and the accompanying Explanatory Memorandum ('EM'):

  • The Office generally supports all the recommendations of the July 2009 Privacy Impact Assessment of the PPS Bill.
  • Clause 173(2) could clarify that the Registrar can lodge a complaint with the Privacy Commissioner, if the Registrar is authorised by the individual whose personal information has been inappropriately used or accessed to make a representative complaint on their behalf.
  • The PPS Bill or the Explanatory Memorandum could clarify that information gained through inappropriate searches and used by third parties is also subject to the provisions of clause 173 of the PPS Bill.
  • Paragraph 5.100 of the Explanatory Memorandum to the PPS Bill could be amended to more accurately reflect the Privacy Commissioner's usual complaint handling processes under the Privacy Act 1988.
  • Paragraph 5.64 of the Explanatory Memorandum to the PPS Bill could be amended so that it clarifies that under clause 157 only grantors who are 'individuals' can make a complaint under section 36 of the Privacy Act 1988.
  • The Office suggests that the coverage of the Privacy Act in relation to individuals and entities otherwise exempt from the Privacy Act, in relation to the two specified 'interferences with privacy' in the PPS Bill, will need to be addressed in the consequential amendments to the Privacy Act.

Office of the Privacy Commissioner

2. The Office of the Privacy Commissioner ('the Office') is an independent statutory agency whose purpose is to promote an Australian culture that respects privacy.  The Office, established under the Privacy Act 1988 ('Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses[1].

3. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

4. The Office welcomes the opportunity to provide comments to the Senate Legal and Constitutional Committee ('the Committee') on the Personal Property Securities Bill 2009 ('the PPS Bill')[2].

5. The Office has been engaged with the development of the Personal Property Securities scheme since 2006 and has provided comments on a number of occasions including to the:

  • Attorney-General's Department's initial Discussion Paper (Feb 2007)[3]
  • Attorney-General's Department's Consultation Draft (Aug 2008)[4]
  • Attorney-General's Department's Discussion Paper on the Personal Property Securities Regulations (Nov 2008)[5]
  • Committee's inquiry into the exposure draft of the PPS Bill (Dec 2008)[6].

6. The Office's December 2008 submission to the Committee noted that the PPS Register may include personal information relating to the financial and credit affairs of a large number of individuals and had the potential to raise a number of privacy-related issues. The Office made a number of suggestions to reduce these potential risks including:

  • undertaking a Privacy Impact Assessment ('PIA')
  • limiting personal information on the PPS Register to that which is necessary to fulfil the purpose of the PPS Register and thereby prevent 'function creep'
  • including privacy protections for individuals in primary legislation
  • clarifying the complaint mechanisms for inappropriate searches of the register
  • limiting search results to information necessary to satisfy the search and where possible, limit searches to a challenge response basis.

In March 2009 the Committee released its report on the PPS Bill[7]. The Report recommended:

  • the primary legislation for the personal property securities reform include the key privacy protections for individuals, including a prohibition on making the address details of any individual public
  • a PIA be conducted by an independent consultant
  • any issues raised by the Office's submission not considered by the PIA should be considered by the Department and a response to the issue be provided to the Office in writing or made public[8].

7. The Australian Government's response to the Committee's report was tabled on 8 June 2009[9].  The Office notes that the response accepted most of the Committee's privacy-related recommendations.

8. The Office notes that the PPS Bill was subsequently amended to clarify certain aspects of the complaint handling mechanisms relating to inappropriate searches of the PPS Register. The Office understands that further clarification of the complaint process and other aspects of the Office's functions in relation to the PPS scheme will be canvassed in a forthcoming consequential amendments bill.

9. In May 2009 the Department engaged the consultants, Information Integrity Solutions P/L, to conduct a PIA of the PPS scheme. The Office participated in a consultation process with IIS in relation to the PIA. A report of the PIA has now been released[10].

10. The Office generally supports all of the recommendations in the July 2009 PIA report, including that the three year review of the PPS Act consider the impact of the operation of the PPS Register on individual grantors' privacy.

11. The Office appreciates that many of its previous suggestions have been adopted or reflected in some way in the current draft of the PPS Bill. The Office also notes that it anticipates that the Australian Government's response to the PIA recommendations may add to the privacy protections around the PPs scheme.

12. The Office now draws the Committee's attention to a few remaining issues that the Office believes would improve consistency of the PPS Bill's provisions with those of the Privacy Act.

Complaints by the Registrar to the Privacy Commissioner

13. The Office supports the characterisation of an unauthorised search and use of the Register as an 'interference with privacy'[11]. It also welcomes the complaint mechanisms available under clause 173(2), allowing individuals to complain to the Privacy Commissioner about an unauthorised search of the PPS Register. Clear and accessible complaint mechanisms are important to promoting and safeguarding information privacy.

14. However, the Office suggests that clause 173, about the Registrar making a complaint to the Privacy Commissioner, does not fully correspond with the existing requirements of the Privacy Act.

15. Under the Privacy Act, an individual can make a complaint to the Privacy Commissioner or a representative complaint can be made on their behalf[12]. The Office suggests that clause 173(2) could clarify that the Registrar can lodge a complaint with the Privacy Commissioner, if the Registrar is authorised by the individual whose personal information has been inappropriately used or accessed to make a representative complaint on their behalf.[13]

16. The Office notes that under the Privacy Act any person, including the Registrar, has the option of informing the Privacy Commissioner in relation to a suspected mishandling of personal information. In such cases it would be up to the Privacy Commissioner to decide whether or not to conduct an own motion investigation into the matter[14].

Third Parties

17. The Office also suggests that it is unclear in the PPS Bill when information gained through inappropriate searches that is subsequently disclosed to and used by others, whether the misuse by those third parties is also to be considered an 'interference with privacy'. The Office supports third parties being subject to the same obligations as those who undertake the search initially.

18. The Office suggests the PPS Bill or the EM clarify that information gained through inappropriate searches and used or disclosed by third parties is also subject to clause 173.

Privacy Commissioner's powers

19. Paragraph 5.100 of the EM to the PPS Bill gives an example by which the complaints process under clause 173(2) will operate. The example describes a complaint made about a party that has undertaken unauthorised searches of the PPS Register resulting in the Privacy Commissioner finding a breach of an individual's privacy. The example also states that the party responsible for the breach agrees to the Commissioner's recommendations, which includes an apology, the Commissioner then reports this decision on its website and in its annual report.

20. The Privacy Act makes it a function of the Privacy Commissioner to endeavour to resolve complaints by conciliation[15]. However, it should be noted that there is a difference between a conciliated outcome (such as an apology) and determinations made by the Privacy Commissioner, which are reported in the way described in the example.

21. Section 52 of the Privacy Act provides that the Commissioner may make formal determinations in relation to complaints investigated under section 36. The very large majority of complaints handled by the Commissioner are resolved without a section 52 determination.

22. In relation to conciliated outcomes, the Privacy Commissioner publishes case notes of a few complaints that are considered to be of interest to the general public. Most cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry and do not include any personal information or information that would identify the complainant or respondent.

23. The Office suggests amending paragraph 5.100 to reflect the Privacy Commissioner's usual practice.

24. As well, paragraph 5.100 states that 'Where a complaint is lodged, the Privacy Act would apply as though the complaint were a complaint involving a breach of the information privacy principles under section 36 of the Act.' The Office is unclear as to why this reference to the Information Privacy Principles ('IPPs') has been included in the EM.

25. The Office suggests the Privacy Commissioner should be left to decide this issue by reference to whether the respondent is an agency or organisation. During a complaint process generally the IPPs are applied to agencies and the NPPs to organisations.

Notice, Complaints and Individual Grantors

26. The Office notes that under clause 157(4) a failure to send a notice of a verification statement to the grantor as soon as reasonably practicable would not alter the effectiveness of a registration, but would constitute an interference of the grantor's privacy for the purposes of section 13 of the Privacy Act and may be the subject of complaints under section 36 of that Act.

27. The Office supports the intent of clause 157(4) to make a failure to send a notice of a verification statement, an interference of the grantor's privacy. However, it should be noted that as currently drafted, clause 157(4) does not appear to align with some aspects of the Privacy Act. In particular, the Office notes that the section could be read to allow all grantors to be able to lodge a complaint under the Privacy Act[16].

28. The complaints process under section 36 of the Privacy Act specifically states that 'an individual may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual'[17].

29. The Office suggests that paragraph 5.64 of the Explanatory Memorandum to the PPS Bill could be amended so that it clarifies that under clause 157 only grantors who are 'individuals' can make a complaint under section 36 of the Privacy Act 1988.

Complaints against some small business operators and individuals

30. Under the PPS Bill, conducting unauthorised searches of the PPS Register or failing to provide a 'verification statement' to grantors in certain circumstances will be deemed an 'interference with privacy'.

31. Currently the Privacy Act's complaint process is generally oriented towards handling complaints against government agencies and private sector organisations, with many small businesses, and individuals handling personal information for the purposes of their personal, family or household affairs generally not subject to the Privacy Act. Only in relation to very specific situations (i.e. the use of Tax File Numbers ('TFNs')[18] and credit reporting[19]) does the Privacy Commissioner have the power to handle complaints against individuals not acting in a business capacity or small business otherwise exempt from the Privacy Act.

32. The Office suggests that the coverage of the Privacy Act in relation to individuals and entities otherwise exempt from the Privacy Act, in relation to these two specified 'interferences with privacy' in the PPS Bill, will need to be addressed in the consequential amendments to the Privacy Act.


[1] Information relating to the operation of the Privacy Act can be found on the Office's website at http://www.privacy.gov.au/.  Specific information outlining the privacy provisions covering private sector organisations and Australian government agencies can be found at:

www.privacy.gov.au/business for businesses

www.privacy.gov.au/government for government

[2] http://www.aph.gov.au/Senate/committee/legcon_ctte/personal_property/info.htm

[3] Submission available at: http://www.privacy.gov.au/materials/types/submissions/view/6675

[4] Submission available at: http://www.privacy.gov.au/materials/types/submissions/view/6702

[5] Submission available at: http://www.privacy.gov.au/materials/types/download/8943/6701

[6] Submission available at: http://www.privacy.gov.au/materials/types/submissions/view/6691

[7] The committee's report may be accessed at: http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/index.htm

[8] See Recommendation 4 (paragraph 5.27), Recommendation 5 (paragraph 5.33) and Recommendation 6 (paragraph 5.34)

[9] The Government's response to the Committee's report available at: http://www.ag.gov.au/www/agd/agd.nsf/Page/Publications_GovernmentResponsetotheSenateCommitteeonLegalandConstitutionalAffairsReportonExposuredraftofthePersonalPropertySecuritiesBill2008

[10] The PIA is available at:

http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(C7C220BBE2D77410637AB17935C2BD2E)~PPSPrivacyImpactReportJuly2009.pdf/$file/PPSPrivacyImpactReportJuly2009.pdf

[11] PPS Bill, Clause 173(2)

[12] See Privacy Act, Part V

[13] Paragraph 5.100 of the Explanatory Memorandum to the Bill would need to be amended in line with this proposed change.

[14] Section 40(2) of the Privacy Act allows the Privacy Commissioner to investigate an act or practice if the Commissioner thinks it desirable for that act or practice to be investigated.

[15] Privacy Act 1988 (Cth), section 27(1)(a).

[16] Paragraph 5.64 of the Explanatory memorandum to the Bill which explains the operation of this clause does not discuss whether the term 'grantor' only refers to individual grantors. In addition, paragraph 5.64 refers to clause 157(5). However, the current draft of the Bill does not contain a clause 157(5). The Office assumes this reference is a mistake.

[17] Privacy Act 1988 (Cth), section 36(1)

[18] See section 28 for the functions of the Commissioner in relation to TFNs. The TFN Guidelines (available at http://www.privacy.gov.au/materials/types/download/8959/6713) issued under section 17 of the Act, regulate the use of TFN information. A breach of the Guidelines is an interference with the privacy of an individual and an affected individual may complain to the Privacy Commissioner and, where appropriate, seek compensation.

[19] See PartIIIA of the Act which governs credit reporting and section 28A for the functions of the Commissioner in relation to credit reporting.