Topic(s): Law enforcement and national security
 

Review of Extradition Arrangements; Submission to the Attorney-General's Department (March 2006)


Submission by the Office of the Privacy Commissioner

March 2006

Executive Summary

a) The Office of the Privacy Commissioner (the Office) acknowledges the public interest in maintaining the safety and security of the Australian community through effective law enforcement measures. On some occasions, these measures may warrant diminishing the privacy protections otherwise expected by the community.

b) In regard to extradition, given the purposes for which the personal information is handled, it is likely that many individuals would expect that the handling of personal information for extradition processes should be transparent and subject to clear rules that ensure certainty and accountability (see, generally, paragraphs 13 - 19).

c) It is also understood that personal information about individuals who are indirectly or incidentally involved in, or concerned with, the extradition process would be affected. In many instances, these individuals may not be the subject of any suspicion and personal information would not otherwise be collected about them (paragraphs 13 - 19).

d) Ensuring appropriate measures to afford privacy protections to personal information handled in the course of extradition is important to meeting community expectations. This submission notes the elements of a privacy framework that could apply to the handling of personal information for extradition (paragraph 52).

e) Determining the "data flows" of personal information involved in the extradition processes will aid understanding of how the Privacy Act 1988 may facilitate information exchanges, as well as identifying the need for further measures to protect privacy (paragraphs 23 - 25).

f) The Office submits that over-reliance on exceptions provided for the purpose of enforcing criminal law may be inappropriate (paragraphs 29 - 33).

g) The explicit authorisation of an agency's information-handling activities provides a more appropriate arrangement than relying upon the criminal law enforcement exception. This may especially be the case where agencies seek to rely upon the exception in the case of foreign criminal laws (paragraphs 34 - 36).

h) Within Australia, personal information should not be disclosed to agencies or bodies which are not subject to privacy regulation without contractual or other administrative arrangements in place to prevent unauthorised uses or disclosures by the recipient.

i) It would be appropriate for disclosures of personal information to other jurisdictions to be predicated on the assurance that the jurisdiction will afford privacy protections similar to those available in Australia. In the absence of privacy law in other jurisdictions, instruments such as memoranda of understanding or administrative agreements could be pursued, if they are not already in place (paragraphs 42 - 45).

j) The Office submits that a further component of a robust privacy framework could be Privacy Guidelines that help to give practical effect to the obligations created by the Privacy Act, Information Privacy Principles or any other new or existing legislative measures (paragraphs 46 - 49).

k) Public confidence in the integrity of the criminal justice system is fundamental to its effective operation. This is especially the case where community and intelligence based law enforcement relies on the trust and cooperation of the community. That confidence can be promoted and maintained by establishing an effective and robust privacy framework for the extradition system and ensuring that the community knows that privacy safeguards are in place (paragraphs 50 - 52).

Submission to the Attorney-General's Department Review of Extradition Arrangements

Introduction

1. The Office of the Privacy Commissioner (the Office) welcomes the opportunity to make a submission to the Attorney-General's Department's review of Australia's extradition law and practice (the review).

2. The Office is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Commissioner has responsibilities under the Privacy Act 1988 (the Privacy Act) and other federal legislation to regulate the way Australian and ACT Government agencies and many private sector organisations collect, use, store and disclose individuals' personal information.

3. The Minister for Justice and Customs, Senator Ellison, has released a discussion paper, A new extradition system: A review of Australia's extradition law and practice - December 2005. The discussion paper canvasses the need for the reform of extradition arrangements between Australia and other countries and invites comments on a range of issues relating to those arrangements.

Terms of reference

Privacy, security and effective law enforcement

4. Under its Terms of Reference,[1] the review is required to have regard to, inter alia, 'the critical importance of extradition and mutual assistance in effectively combating terrorism and transnational and domestic crime.'

5. The Office has consistently and publicly acknowledged the public interest in maintaining the safety and security of the Australian community through effective law enforcement measures.[2] On some occasions, these measures may warrant diminishing the privacy protections otherwise expected by the community.

Australia's international obligations and privacy

6. The review is also required by its Terms of Reference to have regard to 'Australia's international obligations'. In this context, relevant international obligations include those found in the International Covenant on Civil and Political Rights (ICCPR).[3]

7. Article 17 of the ICCPR articulates the obligation for the law of a state party to protect the individual against arbitrary or unlawful interference with the individual's right to privacy.

8. This submission proposes mechanisms which may be implemented to ensure that Australia's extradition arrangements achieve their law enforcement objectives in a manner that does not unnecessarily or unreasonably affect individuals' privacy.

Extradition and existing legislation

9. The Terms of Reference require the review to consider the 'interaction of existing legislation with extradition… processes'. The Privacy Act interacts with those processes to the extent that personal information will be handled for the purpose of extradition decisions. This submission is limited to privacy issues that may emerge as a consequence of this interaction.

10. At page 49 of the discussion paper, there is a reference to 'Privacy laws' in the context of how Australian laws and treaties might be improved. Under this heading, there appears the following comment:

Effective law enforcement requires information sharing. Australia's privacy laws should be clarified to provide appropriate law enforcement exceptions in the extradition process.

11. This submission describes how the Privacy Act regulates the information handling practices of Australian Government agencies. Additionally, it clarifies how the legislation reconciles the need to protect the individual's privacy with law enforcement imperatives. Moreover, it is submitted that a robust privacy framework, built upon an understanding of the information flows involved in the extradition process and informed by sound privacy practice, can contribute to an efficient and effective extradition system.

12. Except to the extent that they are relevant to privacy issues, the details of the extradition system (see, for example, the elements enumerated at p.20 of the discussion paper) will not be canvassed by this submission.

Extradition, personal information and the Privacy Act

The extradition process and sharing personal information

13. The discussion paper deals with the extradition arrangements between Australia and other countries that allow one country to send a person to another country to face criminal charges or to serve a sentence. The discussion paper expressly does not deal with extradition between Australian states and territories.

14. It is noted that there are broadly two categories of extradition arrangements: one dealing with requests to and from New Zealand, and a second dealing with requests to and from nations other than New Zealand.

15. It is understood, however, that the extradition processes, as outlined in Figure 1 - Policy Framework (p.5), require the cooperation of multiple agencies across all Australian jurisdictions. This may have significant implications in the context of protecting the privacy of affected Australian citizens.[4]

16. In broad terms, the extradition process involves the sharing of information between law enforcement agencies, prosecuting authorities and other agencies external to the criminal justice system. It is understood that these include the Department of Immigration and Multicultural Affairs (DIMA) and the Department of Foreign Affairs and Trade (DFAT). Information is also shared with state and territory agencies and with entities in foreign countries.

17. The personal information of individuals under investigation, facing criminal charges or sentences of imprisonment is collected and shared for the purpose of extradition.

18. Given the purposes for which the personal information is handled, it is likely that many individuals would expect that the handling of personal information for extradition processes should be transparent and subject to clear rules that ensure certainty and accountability.

19. It is also understood that personal information about individuals who are indirectly or incidentally involved in, or concerned with, the extradition process would be affected. They may include, for example, witnesses, investigating officers, associates or relatives of extraditees, whose identification is unavoidable in the proper conduct of the extradition process. In many instances, these individuals may not be the subject of any suspicion and personal information would not otherwise be collected about them.

The Privacy Act

20. Under the Privacy Act, the Office has jurisdiction over the handling of personal information by Australian Government agencies.[5] The Privacy Act and its Information Privacy Principles (IPPs)[6] provide a principle-based regulatory scheme, describing the minimum standard with which agencies must comply when handling personal information.[7] Where the handling of personal information may raise special sensitivities, more prescriptive regulation may be required to better reflect those concerns.[8]

21. The IPPs regulate the collection, use (handling within the agency), disclosure (sending personal information outside of the agency), storage and security of individuals' personal information, as well as affording rights of access and correction to individuals.[9]

22. While each of the IPPs applies equally, there may be some that warrant particular consideration where personal information is exchanged between agencies. For example:

  • IPP 2 requires that where an agency collects personal information directly from an individual, that agency should take reasonable steps to tell the individual why the information is being collected, what it may be used for and to whom it may be disclosed. Taking such measures may prove useful in ensuring individuals have a reasonable awareness of how their personal information will be handled.
  • IPP 10 requires that personal information generally may only be used for the purpose for which it was collected. Exceptions are available, however, including where the individual has consented (IPP 10.1(a)), where permitted by law (IPP 10.1(c)), or for a directly-related purpose (IPP 10.1(e)).[10]
  • IPP 11 prohibits agencies from disclosing personal information for any purpose other than the primary purpose for which it was initially collected. However, this principle provides a number of exceptions, including where the individual consents (IPP 11.1(b)), or would reasonably be aware that the disclosure may occur (IPP 11.1(a)) or where the disclosure is permitted by law (IPP 11.1(d)).

The IPPs and personal information flows

23. Determining the "data flows" of personal information involved in the extradition processes is important to understanding how the IPPs may facilitate information exchanges, as well as identifying the need for further measures to protect privacy. By encouraging agencies to pause and reflect on their handling practices, such analysis may also help crystallise any inappropriate practices that require corrective measures.

24. An example of how the IPPs may apply to the exchange of data can be seen in the interrelation between IPPs 2 and 11. If an agency takes reasonable steps to inform an individual of the matters referred to in IPP 2, then the agency may be able to disclose the personal information under IPP 11.1(a).[11]

25. Alternatively, an individual's personal information can be disclosed where they have provided their consent. Such an approach is likely to be acceptable where it would ordinarily be expected that an individual may stand to benefit from the disclosure (for example, where information regarding a refugee claim by an individual may adversely affect another state's extradition request).

Provision for other public interests under the Information Privacy Principles

Law enforcement and the Privacy Act

26. The Privacy Act is not intended to hinder law enforcement and prosecution agencies from collecting personal information for the purpose of performing their functions, so long as their collection of personal information is lawful, fair and directly related to their activities (IPP 1). Where the collection is directly from the individual, then the agency may have obligations under IPP 2 to notify the individual of certain matters (see paragraph ).

27. In the context of personal information handling for extradition purposes, the analysis (use) and sharing (disclosure) of personal information by and between agencies will also be regulated by IPPs 10 and 11. Here, specific exceptions to those principles may facilitate these uses and disclosures for law enforcement purposes.[12]

28. For example, personal information collected for another purpose may be disclosed by agencies for other purposes, such as law enforcement, if the disclosure is either authorised or required by law (IPP 11.1(d)). Similarly, if the enforcement of the criminal law makes that disclosure reasonably necessary, then personal information may be disclosed without the consent of the individual (IPP 11.1(e)).

Enforcement of the criminal law

29. Guideline 39 of the Plain English Guidelines to Information Privacy Principles 8-11[13] discusses the meaning of "to enforce the criminal law" in IPPs 10.1(d) and 11.1(e). The Guideline makes the following points:

  • "criminal law" is broadly defined to encompass federal, state and territory legislation that makes certain behaviours punishable and includes laws that enable criminal proceedings to be taken; and
  • the enforcement of the criminal law includes the investigation, together with intelligence-gathering to support the investigation, and any prosecution.

30. Personal information handling activities that are reasonably necessary to the conduct of the extradition process may often come within the scope of these exceptions. Care should be taken, however, not to place complete reliance upon the provisions. As explained by Guideline 38, determining whether a disclosure is "reasonably necessary" may prove problematic, particularly if not all the personal information contained in a record is reasonably necessary to safeguard the public interest.[14]

31. The Office also notes that the statutory meaning of "criminal law" for the purposes of the Privacy Act may be ambiguous in a transnational context, particularly given section 21(1)(b) of the Acts Interpretation Act 1901.[15]

32. The Office holds the view that it is not sound privacy practice for agencies to interpret IPPs 10.1(d) and 11.1(e) too broadly. In terms of policy, the exceptions exist to support an important public interest where there are no other practicable or less intrusive measures available. For that reason, agencies should be careful to establish a strong link between the proposed use or disclosure and the public interest in enforcing the criminal law.[16]

33. Accordingly, it can be seen that the Privacy Act and the Information Privacy Principles regulate how agencies handle personal information in accordance with privacy expectations of individuals, while recognising the important social interests that compete with privacy and the right of government to achieve its objectives in an efficient way.[17] Equally, they provide the basis for a policy framework that can be informed by sound privacy practice while respecting the operational imperatives of the extradition system.

Authorising personal information flows for extradition requests

34. Where doubt arises as to the applicability or availability of one or more of the IPPs to a particular class or category of data exchanges, it would be advisable to expressly authorise the activity in legislation. Inquiry might usefully be made to ascertain whether or not, for a particular activity, authority already exists. In the absence of legislative warrant, agencies could look to proposing primary legislation or regulations under that legislation which, in this case, would be the Extradition Act 1988.

35. The benefits of legislative authorisation include community confidence gained by certainty, transparency and the process of Parliamentary scrutiny. The Office submits that explicit authorisation of an agency's information-handling activities provides a more appropriate arrangement than relying upon the criminal law enforcement exception. This may especially be the case where agencies seek to rely upon the exception in the case of foreign criminal laws.

36. Together with the basic protections offered by the IPPs, legislative authorisation of information sharing for extradition is another crucial element in an effective protective framework. The development of a robust privacy framework as part of the extradition system can be an integral part of reforming the Australian extradition system.

Dual criminality and privacy

37. In the context of authorising personal information flows under the Extradition Act 1988 where foreign countries are involved, the Office notes questions asked in the discussion paper concerning dual criminality (at p.24).

38. Currently the exception found in IPP 11.1(e) reduces the privacy protections available under the Privacy Act by allowing agencies to disclose personal information in support of the public interest in enforcing Australia's criminal law. The current dual criminality provisions in the Extradition Act 1988 mirror this balancing process by only allowing personal information flows to foreign countries for comparable offences in Australia.

39. The Office believes that allowing personal information flows to foreign countries for the purposes of enforcing foreign laws that criminalise conduct that is lawful in Australia would create an inconsistency in Australian privacy regulation, allowing personal information flows offshore that are not permitted onshore.

Privacy and jurisdictional issues

40. It was noted in paragraph 15 that the collaborative nature of the extradition process involves sharing information across state and territory agencies within Australia and with law enforcement and prosecuting bodies in foreign countries. Only some of the Australian states and territories have privacy legislation or administrative arrangements that offer some form of privacy protection. Similarly, only some foreign countries have privacy protections comparable to those in force in Australia.

41. Gaps in the regulatory coverage across Australian jurisdictions and externally mean that personal information that is shared cooperatively for the purposes of extradition may, at different stages of the process, be unprotected by privacy legislation.

Cross-jurisdiction disclosure issues

42. For the purposes of these comments, the disclosure of data by Australian Government agencies to other agencies or bodies within and external to Australia will be considered together.

43. It is a fundamental privacy principle, recognised in IPP 11.3, that bodies or agencies to whom personal information is lawfully disclosed should not use or disclose the information for a purpose other than the purpose for which it was disclosed to them. The responsibility for ensuring that the data is adequately protected rests with the disclosing agency.[18]

44. Within Australia, personal information should not be disclosed to agencies or bodies which are not subject to privacy regulation without contractual or other administrative arrangements in place to prevent unauthorised uses or disclosures by the recipient. Such arrangements should be publicly available and include easily accessible complaint handling mechanisms and accountability measures.

45. The same policy approach underpins National Privacy Principle 9 (NPP 9) which regulates transborder data flows by private sector organisations.[19] In short, personal information should not be transferred to a foreign jurisdiction unless the foreign jurisdiction offers privacy protections substantially similar to Australian privacy standards. This approach is consistent with international best privacy practice[20] and should be provided for in any privacy arrangements existing for extradition.

Extradition and privacy guidelines

46. The Office submits that a further component of a robust privacy framework could be Privacy Guidelines for the extradition process that help to give practical effect to the obligations created by the Privacy Act, Information Privacy Principles or any other new or existing legislative measures. Such Guidelines could provide assistance for those engaged in the extradition processes, whether in Australia or offshore.

47. Guidelines would provide certainty on such matters as to whether a certain class of data handling is authorised, whether there needs to be contractual arrangements entered into or whether a particular IPP should be considered. It would provide greater transparency if the Guidelines were to be publicly available, especially with information about the complaints handling processes available.

48. By way of example, one feature of Privacy Guidelines for extradition might be guidance on how to minimise the privacy impacts on individuals whose personal information is incidentally collected and used (see also paragraph ).

49. Development of the Guidelines could be undertaken by the agencies most directly affected by extradition procedures, including Attorney-General's Department, Commonwealth Director of Public Prosecutions, DIMIA and DFAT, together with state and territory bodies. The Office may have a consultative role at an appropriate stage.

Trust, personal information and extradition

50. The Office maintains the view that where law enforcement agencies rely to a significant degree upon the collection and disclosure of personal information from individuals, community trust in those agencies is critical. Community research suggests that individuals want to know what is happening to their data when they hand it over to organisations.[21]

51. Public confidence in the integrity of the criminal justice system is fundamental to its effective operation. This is especially the case where community and intelligence based law enforcement relies on the trust and cooperation of the community. That confidence can be promoted and maintained by establishing an effective and robust privacy framework for the extradition system and ensuring that the community knows that privacy safeguards are in place.

A robust privacy framework for extradition

52. This submission has made references to the development of a robust and effective privacy framework to protect the personal information of individuals affected by the extradition processes and to facilitate the collaborative exchanges of data across jurisdictions. The basic elements of this framework might comprise:

  • The protection offered by the IPPs as the basis of the framework;
  • The legislative authorisation of classes of information handling activities;
  • A series of administrative arrangements, memoranda of understanding and protocols to regulate transfers of data out of jurisdiction;
  • Guidelines to assist law enforcement and prosecuting bodies in understanding and implementing appropriate privacy protections;
  • Transparency, accountability and accessible complaints handling mechanisms.

Endnotes

  1. Attorney-General's Department A new extradition system, Appendix 1 - Terms of Reference p.56.
  2. For example, OPC Submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the provisions of the Anti-Terrorism Bill (No. 2) 2005. November 2005, available at http://www.privacy.gov.au/publications/antiterrosub.doc; OPC Submission to the Security Legislation Review Committee. January 2006, available at http://www.privacy.gov.au/publications/citsub.doc.
  3. Available at http://www.ohchr.org/english/law/ccpr.htm.
  4. The discussion paper does not provide any statistical data about the number of extradition requests that are made annually or about the number of Australian citizens, here and overseas, who are affected, directly or indirectly, by extradition processes.
  5. Section 6(1) of the Act defines personal information as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion." A copy of the Act can be found on the Office's website at http://www.privacy.gov.au/act/privacyact/index.html.
  6. Section 14.
  7. For the purpose of the legislation, the meaning of 'agencies' is provided in section 6 of the Privacy Act and includes law enforcement agencies. Section 7 provides that, generally, agencies responsible for intelligence or national security are outside of jurisdiction.
  8. Examples of more prescriptive regulation for the handling of personal information include Part IIIA of the Privacy Act (dealing with credit reporting), and provisions that may exist in other legislation, such as the secrecy provisions of the National Health Act 1953 (see section 135A).
  9. The Office has published guidance on the operation of the IPPs on its website: Guidelines to Information Privacy Principles at http://www.privacy.gov.au/government/guidelines/index.html#34.
  10. The directly-related exception is only available in regard to the use of personal information by agencies; there is no equivalent for disclosures under IPP 11.
  11. For more information on IPP 11 disclosures, see Plain English Guidelines to Information Privacy Principles 8-11 at http://www.privacy.gov.au/publications/ipp8_11.doc.
  12. The Office's policy on the implementation of IPPs 10 and 11 can be seen in Plain English Guidelines to Information Privacy Principles 8-11. Available at http://www.privacy.gov.au/publications/ipp8_11.doc.
  13. Ibid.
  14. The handling of incidentally collected or third-party personal information becomes particularly relevant when considering whether a disclosure is reasonably necessary - see also paragraph 19.
  15. Section 21 of the Acts Interpretation Act 1901 says: (1) In any Act, unless the contrary intention appears:
    (a) references to any officer or office shall be construed as references to such officer or office in and for the Commonwealth; and
    (b) references to localities jurisdictions and other matters and things shall be construed as references to such localities jurisdictions and other matters and things in and of the Commonwealth.
  16. See Guideline 38 Plain English Guidelines to Information Privacy Principles 8-11 at http://www.privacy.gov.au/publications/ipp8_11.doc.
  17. See Section 29 of the Privacy Act.
  18. Guideline 50 in Plain English Guidelines to Information Privacy Principles at http://www.privacy.gov.au/publications/ipp8_11.doc.
  19. For the text of NPP 9, see Schedule 3 of Privacy Act 1988 at http://www.privacy.gov.au/publications/privacy88_030504.doc.
  20. For example, Commission of the European Communities Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters 4 October 2005. Available at http://europa.eu.int/comm/justice_home/news/intro/doc/com_2005_475_en.pdf. [23 February 2006]
  21. OPC, Community and Privacy, July 2001. Available at http://www.privacy.gov.au/publications/rcommunity.html.