Privacy Law and Policy Reporter
The most comprehensive parliamentary report on privacy issues for several years has recommended that Australia develops a national privacy code to extend privacy protection to personal information held by government business enterprises and the private sector. In Confidence: A Report on the Protection of Confidential Personal and Commercial Information held by the Commonwealth, is the result of over two years' work by the House of Representatives Standing Committee on Legal and Constitutional Affairs.
The report makes 39 recommendations on how the Commonwealth may strengthen privacy protection for the information it holds on individuals and businesses, and how this protection may be extended to cover government business enterprises and the private sector.
The committee began its work in August 1992 as a result of concerns relating to the confidentiality of third-party information raised by the NSW Independent Commission Against Corruption's (ICAC) investigation into the Unauthorised Disclosure of Confidential Government Information - 109 submissions were received during the course of the inquiry.
The report concludes that three years after the ICAC report, personal and commercial information remains vulnerable to unauthorised disclosure.
The terms of reference for the committee were to examine the adequacy of existing protection for confidential personal and commercial information (third-party information) held by the Commonwealth Government and its agencies. In particular, it was to examine:
(a) the adequacy of existing administrative measures;
(b) the extent to which legal safeguards hindered the legitimate transfer of information between agencies;
(c) the adequacy of penalties and administrative sanctions for the disclosure of information;
(d) the adequacy of penalties for procuring the wrongful disclosure of information;
(e) the role of criminal sanctions against wrongful disclosure;
(f) the effectiveness of civil and statutory remedies and compensation measures for third parties whose confidential information is disclosed; and
(g) the appropriateness of legislative and administrative provisions governing access to third party information.
The report discusses a wide range of measures which may be implemented in order to strengthen protections against the illegal disclosure of information. But one of the most significant aspects of the report is it emphasises that the problems which it has examined demonstrate the need for a stronger privacy culture within agencies.
Such lapses raise questions about the privacy culture or ethos in the public. Unfortunately, the evidence does not support the claims of many to this inquiry that an effective privacy ethos exists ... The committee considers that the development and enhancement of a culture that is sensitive to the responsibility of handling third-party information is a matter of great importance and urgency. It is necessary that such a culture be created and fostered within the public sector generally but particularly important for those agencies holding large quantities of confidential information. (Summary and Recommendations, p 5).
The report recommends that the Public Service Act 1922 should be amended to specify the responsibilities of agency heads, and that the description of responsibilities should expressly include responsibility for the protection of confidential third-party information (Recommendation 1). It is suggested that this responsibility includes providing agency staff with comprehensive guidelines, manuals, and adequate training in relation to the protection of personal information (Recommendation 2). The agency head should also monitor the collection of personal information by the agency, and should ensure its relevance. Further, the outcome of monitoring the collection of personal information should be reported to the Privacy Commissioner, while the outcome of monitoring commercial information collection should be stated in the agency's Annual Report (Recommendation 3).
The report also suggests that an Information Protection Committee should be established in each agency, with both monitoring protection of confidential information and determining strategies to improve privacy standards (Recommendation 8).
The report discusses the wide range of other administrative measures taken to protect confidential information, some of which are used by several agencies and others of which are unique to a department or agency. It suggests that the variety of measures taken reflect the personal influence of the heads of Commonwealth agencies, and the fact that consistent policies on protecting confidential information have not been developed. The report makes several practical recommendations relating to how improved administrative procedures could strengthen protections for confidential information.
Access to third-party information by other agencies should be regularised through an inter-agency agreement which would be subject to the approval of the Privacy Commissioner.
Agencies are encouraged to adopt a comprehensive security system, such as that contained in the Protective Security Manual, issued by the Attorney-General's Department (Recommendation 11). In particular, the report notes the importance of ensuring the security of computer information, in particular the security of information on portable computers Recommendations 12, 15). It suggests that computer security should be evaluated in the course of the Australian National Audit Office audit program (Recommendations 13, 14).
The report recommends that measures should be taken to develop an understanding that the disclosure of personal information is not a routine matter which can be justified purely on the basis of convenience. Controls over disclosure of information should be implemented by requiring that discretion to release personal information should be held by only a limited number of senior officers (Recommendation 4). The Privacy Commissioner should be informed within 14 days of the fact of an authorised disclosure and its justification, and the agency should keep a record relating to the disclosure (Recommendations 5, 6). In situations where notification or consent for disclosure of personal information can not be reasonably obtained, the report recommends that agency heads should have the discretion to permit disclosure of information subject to a range of conditions, including a requirement to report to the Privacy Commissioner (Recommendations 25-28).
The report recognises the fact that, increasingly, the protection of confidential information is in the hands of private companies who contract to process government work. It proposes an amendment to the Privacy Act 1988 to require that private contractors be made liable for the observance of the Information Privacy Principles as if the contractor were the agency (Recommendation 16).
The report suggests that agencies which transfer confidential third-party information should enter into formal inter-agency agreements with guidance from the Privacy Commissioner (Recommendation 10).
The report also suggests that amendments should be made to ensure that the Privacy Act regulates the transfers of personal information (Recommendation 17), rather than secrecy provisions in specific statutes. The effectiveness of the Data-matching Program Assistance and Tax Act 1990 is contrasted with the patchy implementation of the Privacy Commissioner's voluntary guidelines, leading to a recommendation that uniform controls for Commonwealth data-matching exercises should be established under the Privacy Act (Recommendation 23). A data-matching exercise should only proceed with the authority of a senior officer (Recommendation 24). The Standing Committee proposes amendments to the Information Privacy Principles to create exceptions for legitimate transfers of information between Commonwealth agencies (Recommendation 22).
In its report, the committee raises concerns about the consistency and adequacy of the general secrecy provisions and the 150 or so specific secrecy provisions which are included in over 100 Commonwealth statutes. Relevant provisions include:
The report notes that these provisions were introduced in a piecemeal fashion. Penalties vary widely and qualifications on prohibitions are not consistent. Information held by the Commonwealth is not always covered by specific statutory provisions. The report argues that criminal sanctions are appropriate in situations where information is released for profit or there is malicious intent in its disclosure.
The report recommends improved legal safeguards, through consolidating offence provisions relating to the illegal disclosure of third-party information held by the Commonwealth into a uniform set of provisions which would be included in the Crimes Act (Recommendation 29). This would address the inconsistencies currently, including the fact that a variety of sanctions could be applied for the disclosure of the same information, depending on the agency involved in the disclosure. Partial consolidation of provisions is recommended in preference to full consolidation, on the basis that some agencies will want to maintain control over their measures to protect the confidentiality of information. Under a regime of partial consolidation, the Crimes Act provisions would prohibit unauthorised disclosure and set out penalties depending on the seriousness of the offence. Commonwealth agencies could individually determine the seriousness of the disclosure of information, which would be set out in a schedule to the Crimes Act (Recommendation 30).
The committee makes a wider recommendation that unauthorised dealing in third-party information held by the Commonwealth should be 'prohibited at every point on the distribution chain' through the Crimes Act's general offence provisions (Recommendation 31). This unauthorised dealing includes unauthorised access, use, procuring, soliciting, soliciting by making untrue representations, offering to supply, promoting oneself as a supplier of confidential information or publishing the information.
Under existing privacy legislation, individuals are only able to obtain remedies for the disclosure of their personal information if any agency has breached an information privacy principle (Recommendation 32). The committee argues that this protection should be extended so that it operates as a strict liability scheme, a reform which would emphasise that, 'the Commonwealth should be regarded as holding third-party material "in trust" for the persons and organisation which are the subject of such records' (Summary, p 17).
In making this recommendation it rejects the recommendation of the Review of Commonwealth Criminal Law (the Gibbs Committee) which recommended that the criminal law sanctions should only apply when disclosure of information could harm the public interest, and that other criminal sanctions should be included in specific statutes.
The committee also notes that there is no general provision in the Crimes Act making it an offence to procure wrongful disclosure of third-party information from a Commonwealth officer. Prosecution would need to rely on s 5(1) which states that any person who aids or abets a Commonwealth offence is deemed to have committed that offence. This provision would not apply to a second or later recipient of illegally disclosed information.
The report discusses the adequacy of privacy protection measures in relation to public registers, archival information, and access to medical records for statistical and research purposes. The committee does not come to a conclusion on the general issue of public registers; it simply notes the Privacy Commissioner's concerns relating to the accessibility of a public register with new information processing tools, and recommends that the Privacy Commissioner should co-ordinate a review of the reasons for permitting access to information held in public registers. The Commissioner's review would include recommendations relating to whether controls should be placed on the use of this information (Recommendation 34).
The report also notes inconsistencies relating to the use of the electoral roll by business interests and recommends that the restrictions in the Commonwealth Electoral Act on the end use of electoral roll data on tape or disk should be extended to data on microfiche or in hard copy (Recommendation 35).
The report acknowledges criticisms that agencies sometimes use Information Privacy Principles 10 and 11 as a justification for wide exemptions from the IPPs in the Privacy Act. The report recommends that if another statute deals specifically with the issue of what disclosures should be permitted, the Privacy Act should not be used to provide additional grounds of disclosure (Recommendation 19). The report also recommends that the exceptions from the privacy principles outlined in IPPs 10 and 11, in particular the exemption for 'protection of the public revenue', need to be revised and stated more clearly (Recommendations 20, 21).
While the committee notes that its terms of reference related to information held by the Commonwealth, it was important to point out the inconsistency of establishing protection of personal information held by the Commonwealth without establishing similar protections for other holdings of personal information. The report notes that the coverage of the Privacy Act is too narrow to give adequate privacy protection, especially in an environment where outsourcing, corporatisation and privatisation have pushed a substantial amount of personal information outside of the reach of the Act.
'The committee recommends that the protections provided by the Information Privacy Principles should be extended to all confidential third-party information by way of a national privacy code ... The committee recommends that the proposal for a national privacy code be placed on the agenda, for the earliest possible meeting of the Council of Australian Governments' (Recommendations 38, 39).
The report of the Standing Committee on Legal and Constitutional Affairs has produced a comprehensive report which adds a strong voice to the growing calls for comprehensive privacy protection in Australia. It has followed on from the Broadband Services Expert Group and the Australian Law Reform Commission's Discussion Paper on Freedom of Information. It
has since been followed by the new National Information Services Council's Legal Working Group, which argues similarly that the gaps in the coverage of privacy laws need urgent attention.
As yet, neither of the major parties at the federal level have responded to the growing calls for stronger privacy legislation. Nevertheless, it seems unlikely that the government will be able to resist what is a rapidly forming consensus. The critical question is really not whether we extend the coverage of privacy legislation, but how it is done.