pdf (67.26 KB)

Submission to the Security Legislation Review Committee

(established under the Security Legislation Amendment (Terrorism) Act 2002)

January 2006

Summary

1. The Office has made a number of public submissions regarding anti-terrorism measures since 2001. These include to the Senate Legal and Constitutional Committee’s original 2002 inquiry into the legislation currently subject to this review[1], as well as to that same Senate Committee’s recent inquiry into Anti-Terrorism Act (No.2) 2005.[2]
2. In its 2002 submission, the Office noted the importance of ensuring that measures taken in response to terrorism are appropriate to the broader environment in which they are enacted and take into consideration any subsequent legislative changes.
3. A balance must be struck between an individual’s right to privacy and security.
4. The Office’s experience with the legislation under review has been that it has received a miniscule number of complaints and enquiries from individuals that relate to concerns over how their information is handled under any of the relevant Acts.
5. The Office has conducted two audits of the Passenger Analysis Unit (PAU) of the Australian Customs Service to ensure that Customs’ new powers to access advance airline passenger information contained in Schedule 7 of the Border Security Legislation Amendment Act 2002 were being used in compliance with the Privacy Act. The audit revealed that the PAU in Customs generally complies with the Information Privacy Principles contained in the Privacy Act.
6. While the information handling practices of agencies under these Acts are likely to comply with the Privacy Act, as they would be authorised by law, such powers may detract from the spirit of the Act. It may also lessen the protection of an individual’s personal information that would have otherwise been provided by the Privacy Act. Accordingly, such measures should be pursued with care and after appropriate consideration, as well as being subject to periodic review.
7. The Office reasserts the importance of ongoing accountability and oversight mechanisms. The legislative requirement to have periodic review of these Acts is essential in ensuring that individual’s privacy rights are given due regard.

Submission to the Security Legislation Review Committee 2005

Background to this submission

In April 2002, the Office of the Privacy Commissioner (the Office) made a submission to the Senate Legal and Constitutional Legislation Committee’s Inquiry into Terrorism Bills[3]. This submission highlighted the potential privacy implications identified in the suite of Bills being debated before Parliament and made a number of recommendations, many of which pointed to the importance of ensuring that the amendments were subject to appropriate accountability, oversight and review. This current review is one appropriate mechanism of promoting such accountability.

In making this submission, the Office notes that the Terms of Reference as set out in Section 4(1) of the Security Legislation Amendment (Terrorism) Act 2002 (SLAT Act) is for the Committee to “review the operation, effectiveness and implications of amendments” made by each of the Acts being reviewed. Accordingly, this submission is limited to the Office’s experience with the operation of the legislation, rather than, for example, examining the broader policy-settings that may underpin the legislation.

Privacy issues frequently raised by anti-terrorism measures

The Committee also has the authority to “identify alternative approaches and mechanisms for the above legislation as appropriate”. The Office expects that the recently enacted Anti-Terrorism Act (No.2) 2005 may be relevant to any consideration given by the Committee to alternative approaches. The Committee should therefore be aware of the Office’s recent submission to the Senate’s Legal and Constitutional Committee’s recent Inquiry into the Anti-Terrorism Bill (No.2) 2005. This submission highlights many of the general privacy issues that should be considered in the context of the Government’s current and proposed counter-terrorism powers and the move to expand the information collection powers of agencies, including:

• An appropriate balance should be struck between the need for security and the right to privacy
• There is a need for oversight and accountability
• An expansion in the power of law enforcement and intelligence agencies to collect personal information about individuals is likely to diminish the privacy of individuals by eroding their ability to control their personal information
• In general, the creation of new offences, or the amendment of existing offences, will often permit law enforcement or intelligence agencies to perform acts and practices that may otherwise, in the absence of that law, constitute an interference with an individual’s privacy and
• Offences that are not terrorism offences should be pursued through separate legislation after appropriate scrutiny and consultation.[4]

Changes in the broader environment

The 2002 anti-terrorism amendments were introduced in a specific context and national security environment. As described by the Office’s submission to the 2002 Inquiry, the proposed amendments provided a “…necessary and urgent response to current world events”.[5] Whether such an environment stills warrants these measures will be an important consideration of this review.

In addition, the Office suggests that there is merit in the Committee taking into consideration any changes in the legislative environment that may impact on the application, necessity or relevance of the 2002 amendments. The Office notes that since 2002, a significant number of other pieces of legislation have been enacted [6], for example:

• Aviation Transport Security Act 2004
• Anti-Terrorism Act 2004

Privacy Enquiries and Complaints

The Office concluded in its 2002 submission that “The challenge facing Parliament in this current raft of anti-terrorism bills is how to achieve a balance between privacy and security, particularly in situations where the two are opposed”.[7] To assist the Committee in assessing whether this balance has been achieved, the Office is able to provide the Committee with data drawn from its regulatory functions to investigate complaints, respond to enquiries and conduct audits.

In regard to enquiries and complaints, the Office has received a miniscule number from individuals that may relate to concerns over how their information is handled under any of the Acts under review. Of the small number of complaints received, all were declined either because there was deemed not be an interference with the privacy of an individual or because the complainant had not contacted the respondent in the first instance.

The Office notes however that this outcome should not be interpreted as a demonstration that there are no privacy implications for individuals arising out of the introduction of these Acts and, in particular, new information handling powers obtained by the Australian Customs Service (Customs), AUSTRAC or ASIO. Rather, it could be suggested that, given the nature of the information handling practices in question, individuals may not be aware that their information is being collected, used and disclosed by these agencies for the purposes designated under the legislation. As the Office commented in its 2002 submission, “there are unlikely to be many complaints associated with the handling of personal information under the proposed legislation, given the largely covert nature of its operation”.[8]

The Office recognises that other agencies may be better positioned to comment on the operation of the Acts. These include the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security.

Privacy Audits

In addition to complaints and enquiries, the Office is also able to provide to the Committee the findings of audits it has conducted since the enactment of the 2002 amendments.

In February 2003, and as a consequence of the 2002 amendments, the Office conducted an audit under Section 27(1)(h) of the Privacy Act of the Passenger Analysis Unit (PAU) in the Australian Customs Service (Customs). The principal purpose of this audit was to ascertain whether the PAU handles passenger name records (PNRs) in accordance with the Privacy Act. Customs requested the OPC to conduct this audit, to ensure that Customs’ new powers to access advance airline passenger information contained in Schedule 7 of the Border Security Legislation Amendment Act 2002 (BSLA Act) were being used in compliance with the Privacy Act.

The audit examined Customs’ power to access advance airline passenger information (s.64AF of the Customs Act 1901) by analysing the operation of the PAU. The audit also focused on sections 213A and 213B of the Customs Act 1901. These sections were inserted by the BSLA Act.

The audit revealed that the PAU in Customs generally complies with the Information Privacy Principles contained in the Privacy Act.

In regard to sections 213A and 213B, these provisions govern Customs’ power to request employee information from employers and Aviation Security Identification Card (ASIC) issuers at Australian international airports. The Office reviewed Customs’ processes in the collection of employee personal from employers operating airside retail stores within Australian international airports and Aviation Security Identification Card (ASIC) issuers at Australian international airports.

In response to one of the Office’s audit recommendations, Customs accepted that employees are to be made aware when Customs collects their personal information from their employers. Material explaining the privacy obligations of employers was provided to all employees about whom details are provided to Customs under section 213A of the Act. In addition, Customs wrote to all known employers of restricted area employees to whom section 213A applied explaining the legal obligations of the employer and outlined how the information could be provided to Customs.

The Office notes that while it is good privacy practice that Customs undertakes this notification, it is not specifically required under the Privacy Act or the Border Security Legislation. The Office reiterates its 2002 recommendation that such a requirement should be included in the legislation.

The Office conducted a follow up audit of Customs’ PAU between 20 and 22 September 2004. This audit revealed that the PAU at Customs generally manages PNR data in accordance with the IPPs in the Privacy Act and the level of compliance in this regard had been assessed as satisfactory. Indeed, the PAU was observed to have a strong culture of privacy protections. The Office suggested that improvements could be made in regard to a small number of matters.

To the limited extent that the Office has had experience with the operation of the Border Security Legislation, Customs are adhering to the IPPs with respect to the collection, use and disclosure of PNR data, access to airline’s records and collection of restricted area employee’s personal information.

Privacy regulation

The Privacy Act sets out 11 Information Privacy Principles (IPPs) that govern the way Australian Government agencies (and their outsourced providers) collect, use, disclose and handle personal information. The principles also give individuals the right to gain access to information held about them and they oblige agencies to correct information if it is inaccurate. In a similar way, many private sector organisations are governed by the 10 National Privacy Principles (NPPs) as set out in Schedule 3 of the Privacy Act.

There are exceptions under both the IPPs and the NPPs that allow agencies or organisations to use or disclose personal information when it is ‘required or authorised by or under law’. While the information handling practices of agencies under these Acts may comply with the Privacy Act, as it would be authorised by law, such powers may detract from the spirit and intent of the Act. It may also lessen the protection of an individual’s personal information that would have otherwise been provided by the Privacy Act. Accordingly, such measures should be pursued with care and after appropriate consideration, as well as being subject to periodic review.

In addition, in its most recent submission the Office advocated the importance of there being Guidelines or similar guidance material as to how certain discretionary powers should be exercised. Similarly, in its 2002 submission the Office recommended that the legislation expressly provide similar guidance on the exercise of powers. While this recommendation was not taken up in enacting the legislation under the review, the Office submits that there remains merit in the Committee exploring whether guidelines of this sort would assist in promoting an appropriate accountability framework.

The Office recognises that it is often necessary to balance privacy with other important social interests, such as the safety and security of the community. As one means of making judgements between competing priorities, the Office has developed and refined a framework by which any new legislative measures could be assessed (see Attachment 1).

Conclusion

Due to the limited direct experience the Office has with these Acts, it is unable to conclusively state whether the application of the legislation has been to balance privacy interests with the interests of national security. However, the Committee should ensure that this issue is taken into consideration when assessing whether any changes should be made to the existing legislation. Any legislative response should be necessary and proportionate to the threat.

Given the fluid nature of the national security environment, the Office therefore reasserts the importance of ongoing accountability and oversight mechanisms. The legislative requirement to have periodic review of these Acts is essential in ensuring that individual’s privacy rights are assessed and maintained in changing contexts.

Attachment 1

Office of the Privacy Commissioner

Framework for assessing and implementing new law enforcement and national security powers

The Office of the Federal Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.

First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.