Privacy Law and Policy Reporter
On 1 July 2000, the goods and services tax (GST) replaced a range of other indirect taxes and duties, with major changes in income tax rates and a significant restructuring of Australia’s federal and state government finances.
The two months prior to the introduction saw the Federal Government under attack for three separate alleged breaches of privacy connected with the GST. These were, firstly, the proposed use of the electoral roll for direct mailing a personalised letter from the Prime Minister; secondly, the proposed sale of postal and email addresses of individuals registered for GST; and thirdly, the disclosure of personal information, including bank account details, of persons registered as advisers and suppliers of GST assistance goods and services.
These three issues, all of which attracted widespread media coverage, are of interest not only in their own right, but also as good illustrations of the imperfect way the current privacy legislation applies to the Commonwealth government, the limited ability of individuals or the media to obtain adequate and timely responses to privacy concerns, and the ambiguous role of the Privacy Commissioner.
This commentary is based on the incomplete information available at the time of writing — largely drawn from official media releases and statements. It is to be hoped that more detailed and complete details of what was proposed and subsequent events and outcomes will be available in due course from the Privacy Commissioner.
The first ‘incident’ arose from the Government’s desire to sell its tax changes to the Australian people. In May, evidence by the Australian Electoral Commissioner to a Senate Committee revealed that the Australian Electoral Commission (AEC) had supplied detailed electoral roll information to the Australian Taxation Office (ATO). It subsequently emerged that the ATO required the information to be used as part of its GST advertising campaign; to send personalised letters from the Prime Minister to most adults in the country.
The immediate reaction of all the agencies concerned was to defend the proposal. The Electoral Commissioner said on 25 May that the data had been provided for a one off use subject to a written ‘safeguard agreement’, and on 6 June stated that he had legal advice (from the Australian Government Solicitor) that he could provide the ATO with the personal information it had requested. The ATO and the Government both claimed the planned communication was a legitimate technique as part of the overall campaign to raise awareness of and explain the new tax system.
However, following a threat of legal action by the Victorian Government, the Government took further advice from the Solicitor-General, who advised on 8 June that the release of the information was contrary to the Commonwealth Electoral Act 1918 because no regulations had been made pursuant to the section of the Act which could have authorised the use. The Government agreed to return the data, and the personalised letters were replaced by a generic letter to each household. The legal advice has also cast doubt on the legitimacy of a range of other disclosures of electoral roll data over the years, and the Government now intends to review the legislation. The Electoral Commis-sioner had already been pushing for authority to publish voters’ names and addresses on the internet, albeit with safeguards against bulk commercial uses.
Somewhat belatedly (on 8 June) the Privacy Commissioner confirmed he was investigating, and on 4 July he issued a media release confirming that he had senior counsel’s advice that there was no legal authority for the disclosure, and therefore there had been a breach of the Privacy Act 1988 (Cth). The Electoral Commissioner continues to maintain that he did not act unlawfully in releasing the information — accepting only that the ATO did not have authority for the proposed use.
The second incident came to light on 2 June with a front page article in The Sydney Morning Herald with the headline ‘Taxpayers’ details for sale at $20’. The Herald reported that the ATO had sold the postal and email addresses of holders of an Australian Business Number (ABN) to commercial organisations. In subsequent days, it became clear that the publication of some details on the Australian Business Register (operated by the Department of Workplace Relations and Small Business (DWRSB)) and the sale of other details are both expressly authorised by the ABN legislation. The A New Tax System (Australian Business Number) Act 1999 (Cth) had been enacted in 1999 with no public debate, although the Tax Commissioner claimed to have consulted with the Privacy Commissioner.
The initial defence of the publication and sale by the DWRSB reflected a clear official perception that this was an issue of business accountability, similar to the long established publication of company and business registration details. What this view failed to take into account was the large number of individuals who have been required to obtain an ABN because they have some non-salary income. A level of public accountability and exposure which is generally accepted as a trade-off for the benefits of incorporation is completely unexpected by these individuals. While the lengthy booklet accompanying the ABN application forms does state clearly that the information will be entered on a public register, the form itself does not and in places is arguably misleading on this point; for example, email addresses are requested ‘for service of notices and correspondence’.
The Sydney Morning Herald pursued the story vigorously and reported in detail its increasingly frustrated attempts to obtain clarification of the ATO’s intentions.
The sustained publicity led the Government to concede that postal and email addresses will not be made publicly available, notwithstanding the legal authority to do so, and to promise changes to the legislation to support this commitment. The Tax Commissioner wrote to ABN holders in July explaining the situation. In this letter, he spelt out the different levels of access to ABR information: limited details available to the public and more complete details to various government agencies. He also outlined a new suppression facility whereby individuals concerned for their safety can apply for some normally public details to be withheld.
The Privacy Commissioner was initially somewhat ambivalent about whether he was investigating the matter, but clearly became heavily involved behind the scenes and issued several media releases later on acknowledging the Government’s concessions. Several formal complaints were made by individual ABN holders and it is to be hoped that the eventual outcome will be a clearer history of how the problem arose and the extent to which it breached the Privacy Act. It will also be interesting to find out what involvement the Privacy Commissioner had in the design of the ABN, and what if any advice he gave on privacy protection at the time.
The third incident occurred in the week before the introduction of the GST. A student exploring the GST Assist website, which is a directory of officially recognised advisers and suppliers, found that he was able to access not only the details intended to be publicly available, but also the bank account details of the registered suppliers. In what he claimed to be a public spirited alert, the student emailed thousands of the suppliers with their own banking details.
The immediate reaction from the Treasury (responsible for the GST Start-up Assistance Office) to this revelation was a ‘shoot the messenger’ condemnation of the incident as a potentially criminal ‘hacking’ attack, and the launch of a police investigation, rather than acknowledgement that it may have been primarily a case of lax security. The ATO’s unedifying media release was confined to ‘it’s not us’ — perhaps understandable after the heat generated for them by the first two issues.
The Treasury spokesman was reported as saying that a firewall was inappropriate, but that time pressures had prevented as thorough a security review as might have been carried out.
The Privacy Commissioner was reported on 1 July as having launched a formal investigation, although as at 24 July there was no reference to it on his website. If he follows previous practice, he will wait for the police investigation to be completed. As at 19 July the AFP media office confirmed that investigations were continuing and that no charges had been laid.
There are several important issues arising from these three incidents.
Firstly, there is the worrying fact that after 11 years of being subject to the Privacy Act, major government agencies are still able to so fundamentally misread the significance of privacy issues and of the application of privacy principles.
A related issue is the apparently cavalier attitude in the ABN and GS Assist cases to the roles of the different agencies — most individuals concerned would have thought they were dealing with the ATO, when significant responsibility for handling their information actually lay with the DWRSB and Treasury respectively. Although governments have always displayed some discomfort with the fact, the Privacy Act is clearly drafted to ensure that separate agencies have to account separately for their uses of personal information. The collection of information for ABN and GST Assist purposes appears to fail the basic requirements of IPP 1 to explain to applicants who it is they are dealing with.
Secondly, there is the apparent failure of the Privacy Commissioner’s Office to influence the decisions of the AEC and the ATO at an early stage. Was this due to ignorance of the proposals, and if so, could this ignorance have been avoided? If the Commissioner was aware of the proposals, why did he not take action to stop them going ahead? A full report on these incidents should answer these questions.
Thirdly, there is the question of whether the Privacy Commissioner could and should have responded more vigorously when the incidents were first reported. From personal experience, I know that it is not always either desirable or effective for the Commissioner to rush into public positions, particularly on politically sensitive issues, and that more can be achieved behind the scenes. It may be that in one or more of these cases, the Commissioner’s influence on the eventual outcome will be shown to have been greater than if he had leapt into public condemnation.
Nonetheless, the overall impression created by the Office’s public reaction to the AEC and ATO incidents was one of disappointing timidity. There is surely nothing to be lost by giving a firm initial response along the lines of ‘While I have requested the facts, these are very disturbing allegations ...’. (On a technical point, successive Commissioners have been loath to say that they are ‘investigating’, which carries a certain meaning under the Act, even if the more accurate ‘preliminary inquiries’ will often be misreported.)
Fourthly, there is the apparent unwillingness of the ATO to accept the legitimate interest of the media in the details of its proposed response to the ABN issue. Senior Herald journalist Margot Kingston, who tried to find out what practical steps ABN holders could take to protect their privacy, was astounded by the resistance she encountered from the ATO.
Fifthly, it is disappointing that the Government’s apparent response to the AEC/ATO issue was to signal amending legislation to permit the uses of the electoral roll that may have been unlawful. A more constructive response would be to belatedly conduct the fundamental review of the secondary uses of the electoral roll requested by the first Privacy Commissioner, Kevin O’Connor. Current Commissioner Crompton similarly flagged in his 5 July release the wider issue of re-use of public registers in general. This review is long overdue and could usefully take account of experience in New Zealand with specific public register privacy principles.
Finally, on a more positive note, at least the first two incidents demonstrated the power of public opinion, when sufficiently mobilised through the media, to force a change of policy by the Government, even to the extent of changing the law to reverse privacy invasive measures that had already been authorised.
However, it remains important that the history and outcomes of these cases are fully documented, to provide both analysis of the issues and guidance for other agencies. It is to be hoped that the Privacy Commissioner will produce the same sort of detailed public reports as previous Commissioners did in the 90s on major alleged breaches such as systemic mail out failures by several agencies and the release of social security information about AIDEX demonstrators. It will not be sufficient for the outcome to be simply an acceptance of the immediate remedial action. In the electoral roll case it is particularly important that the apparently conflicting interpretations of the legal advice are reconciled — we need to know if the disclosure, and not just the intended use, was unlawful.
These incidents are a timely reminder, after two years almost exclusively focused on the private sector, that compliance with privacy principles by government agencies can never be taken for granted.
Nigel Waters, Associate Editor.