Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Review of the Proceeds of Crime Act 2002; Submission to Mr Tom Sherman AO, Independent Reviewer appointed by the Minister for Justice and Customs (May 2006)
Our reference: 2002/111
Mr Tom Sherman AO
c/- Attorney-General's Department
Robert Garran Offices
National Circuit
Barton, ACT 2600
Dear Mr Sherman
Submission to the Review of the Proceeds of Crime Act 2002
I refer to your letter of 12 April 2006, inviting the Office of the Privacy Commissioner ('the Office') to make a submission to the review of the Proceeds of Crime Act 2002 ('PoC Act'). Your letter asks for submissions by 2 May 2006.
The Office understands that the PoC Act extends the mechanisms by which individuals may be deprived of the proceeds of crime. In particular, the PoC Act introduced a non-conviction based (that is, civil) element to the regime, whereby an action may be pursued against an individual who has not been convicted of a crime.
In regard to individuals' privacy, the legislation establishes significant powers for law enforcement agencies to gather personal information from a number of sources, particularly financial institutions. The extension of the PoC Act to civil matters enables these powers to be exercised over a greater number of individuals than was the case under the Proceeds of Crime Act 1997.
About this review
The Office understands that it is a requirement of s.327 of the PoC Act that it be reviewed after three years of operation. The terms of reference for this review are to:
- Gather information on the impact of the operation of the Act
- Identify and consider any factors which have limited the achievement of the objectives of the Act, and
- Make recommendations for any changes required to enable the Act to better achieve its objectives.
The Office submits that any recommendations made under these terms of reference that may lead to a further extension of the powers of law enforcement agencies to gather personal information, should also be accompanied by an acknowledgement of the need for further stakeholder consultation and careful consideration of privacy issues.
Office submission concerning Proceeds of Crime Bill 2002
In 2002, the Office made a submission to the Senate Legal and Constitutional Committee's Inquiry into the Proceeds of Crime Bill 2002. In making this 2002 submission, the Office supported the policy intent of taking steps to deprive criminals of the proceeds of crime. The Office also noted that the legislation raised important privacy implications and encouraged the Senate Committee to carefully consider the necessity of new information gathering powers, as well as the need for robust oversight and accountability arrangements over those agencies empowered to exercise them.
Previous Office submissions concerning law enforcement
The Office has consistently and publicly acknowledged the public interest in maintaining the safety and security of the Australian community through effective law enforcement measures. This theme has been articulated in a number of submissions, including:
- Submission to the Attorney-General's Department Review of Extradition Arrangements, March 2006 [1]
- Submission to the Security Legislation Review Committee, January 2006 [2] and
- Submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the provisions of the Anti-Terrorism Bill (No. 2) 2005, November 2005. [3]
On some occasions, the policy objectives underpinning these law enforcement measures may warrant diminishing the privacy protections otherwise expected by the community. However, any reductions in privacy protections should reflect a proportionate response to the problem at hand, and be reasonably necessary to address that problem. Where an important policy objective can be met by means that do not reduce individuals' privacy, then that should be the preferred approach.
Privacy regulation of proceeds of crime laws
The Privacy Act prescribes 11 Information Privacy Principles (IPPs) that govern the way most Australian Government agencies collect, use, disclose and handle personal information. The principles also give individuals the right to gain access to information held about them and they oblige agencies to correct information if it is inaccurate. [4]
There are exceptions under the IPPs that allow agencies to use or disclose personal information when it is "required or authorised by or under law" (see, IPPs 10.1(c) and 11.1(d), respectively). In addition, there are further exceptions that permit agencies to use or disclose personal information where "…reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty…" (see, IPP 10.1(d) and 11.1(d), respectively).
In addition to this regulation of agencies, the Privacy Act imposes similar, though not identical, obligations on many private sector organisations. [5] These obligations are codified in 10 National Privacy Principles (NPPs). Relevantly, NPP 2.1(h)(ii) permits organisations to disclose personal information that they would otherwise be prohibited from disclosing, for the purpose of enforcing law relating to the confiscation of the proceeds of crime. Further, NPP 6.1(j) provides an exception to the general requirement that organisations provide an individual with access to their personal information, where such disclosure would likely prejudice the enforcement of laws concerning the proceeds of crime.
Accordingly, the Privacy Act provides mechanisms by which agencies and organisations are permitted to handle personal information, including collecting and disclosing it, for the purpose of the PoC Act. While the information handling practices of agencies and organisations under the PoC Act may comply with the Privacy Act, care should be taken to ensure that such powers do not detract from the spirit and intent of the Act, nor unnecessarily or disproportionately lessen the protection of an individual's personal information. Accordingly, such measures should be pursued with care and after appropriate consideration, as well as being subject to periodic review.
"Four-A" framework for assessing and implementing new law enforcement and national security powers
The Office submits that this review should consider whether the PoC Act has provided a proportionate and necessary response to the problem of individuals retaining the proceeds of crime. The Office has developed a framework for assessing new law enforcement powers that may impact on the handling of personal information. The framework sets out a life cycle approach to such proposals and aims to bring balance and perspective to the assessment of such measures. As it may inform this current review, a copy of the framework is attached.
Judicial oversight of information gathering powers
In its 2002 submission on the PoC Bill, the Office was encouraged that the direction of the legislation provided for judicial oversight of the exercise of information gathering powers. The exception to this appears in Part 3-3 of the PoC Act ('Notices to financial institutions') which empowers authorised law enforcement officers to compel financial institutions to disclose prescribed personal information. Amongst other things, the prescribed personal information includes all transactions on an account over a 6 month period (s. 213(1)(d)) and details of any related accounts (s. 213(1)(e)). Unlike other information gathering powers established by the PoC Act, this power is not subject to judicial oversight.
The Office notes that the Proceeds of Crime Act 1997, which preceded the current Act, required a police officer to apply to a Judge of the Supreme Court of a State or Territory for an order directing a financial institution to give information to a law enforcement authority.
The Office suggests that this review give further consideration to the necessity of such powers being available without judicial oversight.
Complaints and enquiries concerning the PoC Act
In regard to enquiries and complaints, the Office has no record of receiving any complaints or enquiries directly relevant to the PoC Act.
Due to the limited direct experience the Office has with this Act, it is unable to state whether the application of the legislation has balanced privacy interests with the interests of law enforcement. However, I would encourage you to ensure, when assessing whether any changes should be made to the existing legislation, that any legislative response is necessary and proportionate to the problem being addressed.
I thank you for the opportunity to make this submission to the review.
Yours sincerely,
Karen Curtis
Privacy Commissioner
May 2006
Office of the Privacy Commissioner
Framework for assessing and implementing new law enforcement and national security powers
The Office of the Federal Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.
First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.
Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.
Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.
Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.
In summary:
Analysis - is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?
Authority - Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?
Accountability - What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?
Appraisal - Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?
Endnotes
1. http://www.privacy.gov.au/materials/types/download/8905/6680
2. http://www.privacy.gov.au/materials/types/download/8637/6484
3. http://www.privacy.gov.au/materials/types/download/8609/6461
4. In a similar way, many private sector organisations are governed by the 10 National Privacy Principles (NPPs) as set out in Schedule 3 of the Privacy Act.
5. Broadly, section 6C of the Privacy Act defines 'organisations' as including all businesses with a turnover of more than $3 million, all private sector health service providers, and businesses that trade in personal information.