Office of the Privacy Commissioner

1. The Office is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (‘Privacy Act’), has responsibilities for the protection of individuals’ personal information handled by Australian and ACT Government agencies, large private sector organisations, all private health service providers and some small businesses.

2. The Office welcomes the opportunity to make a submission to the Senate Standing Committee on Community Affairs (the Committee) on Social Security and Other Legislation Amendment (Welfare Reform and Reinstatement of Racial Discrimination Act) Bill 2009 (‘the Bill’). [1]

Coverage of the Privacy Act and related laws

3. The Privacy Act largely protects the ‘personal information’ of individuals through binding privacy principles. [2] The 11 Information Privacy Principles [3] (IPPs) regulate personal information handling by Australian and ACT Government agencies.

4. The 10 National Privacy Principles (NPPs) regulate private sector organisations with an annual turnover greater than $3 million, all private health service providers, and some other small businesses. [4] Many small business employers (other than health service providers) are not subject to the NPPs.

5. In October 2009 the Australian Government announced its first stage policy response to the Australian Law Reform Commission’s 2008 review of privacy laws. [5] Draft legislation to implement the first stage response, including a single set of privacy principles for the private sector and Australian Government agencies, is expected in 2010.

6. Relatedly, the Office notes that Northern Territory (NT) privacy legislation, the Information Act 2002 , covers personal information, record-keeping and archive management in the NT public sector. That Act does not regulate information held by the private sector, such as ‘takeaway alcohol’ businesses. Beyond the NT, state-based privacy laws in other states and territories similarly focus on their public sectors, although some of those laws also regulate private health services.

Background

7. The Office has previously made submissions to the Senate Standing Committee on Legal and Constitutional Affairs on the Northern Territory Emergency Response Bill 2007 in August 2007 [6] and to the Northern Territory Emergency Response (NTER) Review Board in September 2008. [7]

8. The current Bill proposes amendments to several Acts relating to the income management arrangements, most notably the Northern Territory National Emergency Response Act 2007 (‘NTNER Act’). The Bill retains the core measures of the NTNER Act, amends several other measures and repeals provisions which limit the application of the Racial Discrimination Act 1975 (Cth) and State and Territory anti-discrimination laws to the NTER.

9. The Office understands that the Bill generally gives effect to a scheme of income management that will initially commence across urban, regional and remote areas in the Northern Territory. Other trials are currently underway in Western Australia and Queensland. If deemed successful, the income management scheme is proposed as a first step in a future roll out to disadvantaged regions across Australia.

10. The Office notes that the Bill aims to support disengaged and vulnerable welfare recipients in the most disadvantaged locations in Australia. It is important to ensure that any personal information collected, used or disclosed under the income management scheme is handled in accordance with the principles in the Privacy Act.

11. Privacy is important in this context given:

1. the generally acknowledged importance of information privacy and security in the community, particularly with the ease of digital communication
2. the potential for unwanted attention or stigma associated with receipt of welfare payments or income management, particularly if information is shared unnecessarily or released without informed consent
3. the intent of the Bill to focus on disadvantaged or otherwise vulnerable communities, heightening the need for agency and institutional awareness of, and compliance with, privacy obligations. [8]

12. This submission outlines several privacy safeguards which may help to minimise the risk of personal information being mishandled.

Community stores and income management

13. The Bill will establish a new model of income management for people who meet criteria that are designed to be objective and independent of race or ethnicity. [9]

14. Income management means that an individual’s benefits may be income managed by Centrelink so that a percentage of their Centrelink benefit is earmarked for specific use, such as food or clothing purchases. The Office understands that community stores enter into contracts with Centrelink for the management of Centrelink clients’ income for these purposes, and that this involves the sharing of personal information.

15. Centrelink is subject to the IPPs in the Privacy Act in the way it handles personal information about its clients. It is also understood that having contracts with Centrelink would mean that community stores which handle personal information are also subject to the Privacy Act (for activities performed under those contracts). [10]

16. It is important that community store managers, their staff and customers are assisted to understand how the Privacy Act applies to personal information handled under the income management scheme. Education, training and accessible guidance material – such as brochures, leaflets, and posters – would reduce the risk of personal information being mishandled and improve community trust in the initiative.

17. For example, the Office previously developed guidance material for the Department of Families, Health, Community Services and Indigenous Affairs (FaHCSIA) on the privacy issues related to the NTER measures. [11] This material could be adapted to apply to the measures proposed under the Bill, particularly to assist entities that may be less familiar with personal information handling obligations and good practice.

Licensing of Community Stores

18. The community stores licensing process under the Bill involves the assessment and monitoring of businesses which are a key source of food, drink and grocery items for an indigenous community [12] . The licensing process is intended to enable scrutiny of the financial, retail, and governance arrangements of a particular store. [13]

19. The Bill amends the existing community stores licensing scheme in Part 7 of the NTNER Act by expanding its scope to additional businesses, and modifying the range of ‘assessable matters’ which form the basis for assessing community stores in relation to licensing decisions. [14]

20. One of the nine assessable matters includes the community stores’ capacity to participate in the income management scheme, and (if applicable) the community store’s record of compliance with the scheme’s requirements. For example, this could be demonstrated by its administrative and record-keeping practices and technical systems. [15]

21. To the extent that this promotes appropriate personal information handling, the Office welcomes the Bill’s strengthening of the community stores licensing process.

22. To further this aim, the Office recommends that appropriate personal information handling practices (based on the privacy principles in the Privacy Act) could be included in the expanded ‘assessable matters’ criteria proposed under the Bill. [16] For example, the ability to adequately protect personal information could be considered under the proposed criterion noted above, relating to administrative and record-keeping practices. [17]

23. Even where legal obligations to comply with the Privacy Act would be in place, considering the ability to adequately protect personal information may reinforce those obligations and assist organisations to put reasonable protections in place. As the Privacy Act contains high level principles, often expressed in terms of ‘reasonable steps’, these principles allow for flexibility and are intended to avoid imposing an unreasonable compliance burden.

Alcohol Restrictions

24. Under the existing NTNER Act, customers who purchase certain amounts of alcohol are, at the time of purchase, required to have their photo identification sighted (but not recorded) and have some personal information recorded (their name and address, and the name or address of the place where the alcohol will be consumed), with licensees required to keep this information for 3 years. [18]

25. The Bill amends the NTNER Act’s alcohol measures, with Schedule 3 of the Bill removing Division 3A of Part 2 of the NTNER Act so that those record-keeping requirements on alcohol sales no longer apply.

26. In its September 2008 submission to the NTER Review Board, the Office noted the following:

Takeaway businesses are required to collect particular information under the NTNER Act about purchasers and consumption locations at takeaway points of sale. The Office is unsure for what subsequent function or activity the information is required, how it is to be used or to whom the information may be disclosed.

The Office is also unsure as to why the licensee needs to store the personal information for three years and what happens to the information once it is forwarded to the Licensing Commission. Related to this, the Office is concerned at anecdotal first-hand reports of this information being stored with inadequate security, such as in boxes under counters.

27. The Office is therefore supportive of the amendment to repeal those provisions, as the Government has noted that this record-keeping measure has not been effective. [19] Repealing this measure minimises the likelihood of personal information being lost, misused or unnecessarily collected.

28. The Office understands that some small businesses which collected personal information under the above measure may not be subject to the Privacy Act in future, unless they continue to be Commonwealth contractors. However, contractual obligations to comply with the Privacy Act extend beyond the completion of a Commonwealth contract. [20]

29. In light of the Bill’s repeal of this measure, the Office believes it would be appropriate to advise or require relevant businesses to securely dispose of personal information collected under those record-keeping provisions. This may include shredding the information or providing it to a nominated government agency for secure and immediate destruction or de-identification.

Sensitive information and law enforcement

30. The Bill amends the Australian Crime Commission Act 2002 (‘ACC Act’) by repealing and replacing the definition of ‘Indigenous violence or child abuse’ in subsection 4(1) of the ACC Act. The new definition will be ‘serious violence or child abuse committed against an Indigenous person’. This amendment is to ensure that the Australian Crime Commission’s (ACC) special powers are used only in relation to violence and child abuse committed against Indigenous victims. [21]

31. An area of past sensitivity in relation to the NTER has been the issue of law enforcement access to medical records. [22] In the interests of good privacy practice and meeting the community’s and patients’ expectations that medical privacy will be respected, the Office encourages ongoing dialogue between law enforcement agencies, communities, and the medical and other health professions, to manage the sensitivities around collection of medical records for law enforcement purposes. It is important that the handling of such records, or the perception of how they may be handled, does not discourage individuals (including young people) from seeking medical treatment.

Privacy Evaluation

32. Where additional or modified personal information handling is anticipated under this or related bills, [23] the Office suggests that the agencies involved should consider undertaking a Privacy Impact Assessment (PIA) of relevant measures before they are implemented. This would ensure that personal information flows are identified, and any resulting privacy risks from the collection, use, storage and disclosure of personal information handled under those measures are addressed. [24]

33. The Office welcomes the evaluation processes planned for assessing the effectiveness of the Bill’s measures. As part of these processes, the Office suggests that the handling of personal information be included. This may help to ensure that appropriate privacy protection frameworks are in place, and assist in decision making on any future proposals.

34. The Office notes that appropriate privacy evaluation will be especially valuable if the measures under the Bill are rolled out nationally. If such a rollout occurs, significant personal information flows could be anticipated between the various entities responsible for implementing or participating in income management measures, and on a much broader scale. The Office would also welcome further input and community consultation in advance of such a national rollout.