
Families, Community Services and Indigenous Affairs and Veterans' Affairs Legislation Amendment (2006 Budget Measures) Bill 2006; Submission to the Senate Standing Committee on Legal and Constitutional Affairs (November 2006)



Submission to the Senate Standing Committee on Legal and Constitutional Affairs

November 2006  

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

2. The Office welcomes the opportunity to present a submission to the Inquiry into the Families, Community Services and Indigenous Affairs and Veterans' Affairs Legislation Amendment (2006 Budget Measures) Bill 2006 ('the Bill').

3. We propose to limit our comments to parts of Schedule 2 (new search and seizure powers) and Schedule 4 (new data matching program) of the Bill, insofar as they impact upon the handling of personal information.

Schedule 2 - New search and seizure powers for administrative officers

4. The proposed search, entry and seizure powers largely mirror those in Division 2 of Part IAA of the Crimes Act 1914.

5. Under the Bill, new powers would be conferred on 'suitably qualified and experienced'[1] officers of the relevant agencies (e.g. Centrelink) administering the:

  • A New Tax System (Family Assistance) (Administration) Act 1999;
  • Social Security (Administration) Act 1999; and
  • Student Assistance Act 1973.

6. It is argued[2] that enhanced investigative powers for Centrelink are to 'effectively investigate and prosecute cases of more serious abuse' of social security law.

The Privacy Act

7. Section 14 of the Privacy Act prescribes 11 Information Privacy Principles (IPPs) that govern the way most Australian Government agencies collect, use, disclose and handle personal information[3]. The principles also give individuals the right to gain access to information held about them and they oblige agencies to correct information if it is inaccurate.

8. There are exceptions under the IPPs that allow agencies to use or disclose personal information when it is "required or authorised by or under law" (see, IPPs 10.1(c) and 11.1(d), respectively). In addition, there are further exceptions that permit agencies to use or disclose personal information where "...reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty..." (see, IPP 10.1(d) and 11.1(d), respectively).

9. The Office takes a continuing interest[4] in the granting of powers to enter, search and seize material and the exercise of such powers by Australian Government Agencies.

Evaluation framework

10. The Office has previously[5] utilised a framework (the "OPC 'Four A' Framework") for assessing new law enforcement powers that may impact on the handling of personal information. The framework sets out a life cycle approach to such proposals and aims to bring balance and perspective to the assessment of such measures. As it may inform the Committee's deliberations, a copy of the framework is included (Attachment A).

11. The Office notes that the current Bill would provide new search and seizure powers to administrative officers, primarily operating in a social security or welfare payment context. In our view, there are significant differences to be taken into account in evaluating the appropriateness of the granting of powers to administrative officers as opposed to law enforcement officers. This distinction has significance because:

  • Law enforcement agencies have detailed procedures that are binding on sworn members to ensure that exercise of intrusive powers, and any use of force, is appropriately applied. Significant training and supervision resources support adherence to such guidelines and protocols.
  • Such processes adopted by the law enforcement agencies are protections to those exercising warrants (for example against falsely-made complaints of harassment, heavy-handedness or theft), as well as effective privacy protections for subjects of warrants in an inherently privacy-invasive process.
  • The accountability regime set out above differs to that of public servants employed under the Public Service Act 1999. The more strict and proactive accountability regimes for law enforcement have been seen as a counterbalance to the intrusive powers law enforcement officers can access.

Specific comments

12. The Office makes the following specific comments on the Bill.

Search warrants - warrant conditions

13. The Office notes the absence of a power for Magistrates to impose conditions on warrants. From a privacy perspective, it would be advisable to provide such a power. For example, as a privacy reassurance, a warrant that might apply to a boarding house premises or a child care centre may include a condition that the warrant only applies to seizure of documents containing personal information relating to a particular person of interest.

Incidental collection of third party material

14. In general, legislation granting agencies a power to seize materials should contain a requirement that incidentally collected third party personal information be destroyed by the agency as soon as practicable or when operational necessities permit.

Return of things which are seized

15. Section 3ZV of the Crimes Act 1914 provides for time limits in which seized items that are no longer required, such as documents containing personal information, must be returned. The Office considers that it would be appropriate to consider similar measures for the current Bill (whether seized under a search by warrant or search with consent).

Oversight mechanisms

16. The Office notes that complaints about the exercise of investigation powers would likely be within the jurisdiction of the Office of the Privacy Commissioner (in respect of information privacy matters).

17. It would be a welcome accountability gesture were the Bill to compel administrative officers to provide the contact details of the Office of the Privacy Commissioner to persons who have been subject to searches. It is our expectation that an administering Agency would also have robust internal complaint handling procedures.

18. Having regard to this Office's observations above about the distinction between searches conducted by law enforcement officers and those conducted by administrative staff, we believe it is reasonable for the community to expect to be told about how the use of these measures is progressing with regard to their effects upon the collection and use of personal information. For this reason, it may be advisable for specific reporting functions to be adopted, for example to report on use of powers to the Minister, the Privacy Commissioner or Parliament.

Schedule 4 - Miscellaneous

19. Schedule 4 of the Bill proposes amendments to the Aged Care Act 1997 which would enable the Department of Health and Ageing to give Centrelink regular information about people permanently entering residential aged care. This data would be matched against data held by Centrelink on people who are receiving carer payments. The Office notes that individuals may be at risk of accumulating large debts if carer payments continued in these circumstances and that such checks also ensure that payments are made only to those individuals who are entitled to receive them.

20. The Office provides advice and assistance to agencies wishing to comply with the Privacy Commissioner's voluntary data-matching guidelines[6] including comment on program protocols for proposed data-matching activities. The Office currently monitors statutory data-matching activities conducted by Centrelink, with matched data from the Department of Veterans' Affairs and the Australian Taxation Office under the Data-matching Program (Assistance and Tax) Act 1990.

21. Agencies should advise individuals through Information Privacy Principle 2 notices of regular disclosures of personal information to other agencies. As a matter of administration, it would also be useful in any brochures developed for carers as a consequence of the passage of this Bill to include information about data-matching and to reiterate steps carers must take in regard to stopping any carer payments they might receive once someone has entered permanent residential care.

Attachment A

OPC 'Four A' Privacy Evaluation Framework for assessing and implementing new law enforcement and national security powers

The Office of the Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.

First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.

In summary:

Analysis - is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?

Authority - Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?

Accountability - What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?

Appraisal - Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?

Endnotes

1 See for example new s 221A(2), set out in s 13 of the Bill.

2 Explanatory Memorandum, Families, Community Services and Indigenous Affairs and Veterans' Affairs Legislation Amendment (2006 Budget Measures) Bill 2006, p 11.

3 Section 6(1) of the Act defines personal information as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion." A copy of the Act can be found on the Office's website at http://www.privacy.gov.au/law/act/.

4 See, for example, the OPC submission to the Inquiry by the Senate Standing Committee for the Scrutiny of Bills into the Australian Government's response to the Fourth Report of 2000: Entry and Search Provisions in Commonwealth Legislation, http://www.privacy.gov.au/publications/scrusub.pdf

5 See, for example, the OPC submission to the Review of the Proceeds of Crime Act 2002: http://www.privacy.gov.au/materials/types/submissions/view/6703

6 The use of data-matching in Commonwealth administration - Guidelines, www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_23.15.pdf