PRIVACY AMENDMENT (SA NT DATALINK) REGULATIONS 2019 (F2019L00535) EXPLANATORY STATEMENT



PRIVACY AMENDMENT (SA NT DATALINK) REGULATIONS 2019 (F2019L00535)

EXPLANATORY STATEMENT

 

Select Legislative Instrument No.    , 2019

 

Issued by the authority of the Attorney-General

 

Privacy Amendment (SA NT DataLink) Regulations 2019

Introduction

The Privacy Act 1988 (the Act) contains 13 Australian Privacy Principles that regulate the handling of individuals' personal information. These principles apply to Australian and Norfolk Island government agencies and to private sector organisations with an annual turnover of $3 million or more, and certain smaller organisations including private sector health service providers and Commonwealth contracted service providers.

Subsection 100(1) of the Act provides that the Governor-General may make regulations, not inconsistent with the Act, prescribing matters required or permitted to be prescribed, or necessary or convenient to be prescribed, for carrying out or giving effect to the Act.

Section 6F of the Act allows State and Territory Governments to request the Commonwealth to make regulations prescribing a State or Territory Government entity as an organisation for the purposes of the Act. It also allows for a prescription to modify the application of the Act to a State or Territory entity.

The Privacy Regulation 2013 (the Principal Regulation) contains State and Territory entities that have been prescribed as organisations under subsection 6F(1) as well as other prescribed matters under the Act.

Purpose and Operation of the Instrument

The purpose of the Privacy Amendment (SA NT DataLink) Regulations 2019 (the new Regulations) is to amend the Principal Regulation to prescribe the Department for Health and Wellbeing (an authority of South Australia) as an organisation under subsection 6F(1) of the Act. The Act would apply to the Department for Health and Wellbeing in relation to an act done, or a practice engaged in, in connection with technical data linkage work undertaken in relation to SA NT DataLink projects.

 

SA NT DataLink is the body established under the SA NT Data Linkage Consortium Agreement (the Agreement). The Agreement is between the South Australian Ministers for Health, Mental Health and Substance Abuse, Education and Child Development, Communities and Social Inclusion, Social Housing, as well as the Universities of Adelaide and South Australia, the South Australian Health and Medical Research Institute Limited, the Anti-Cancer Foundation of South Australia, the Health Consumer Alliance of South Australia Incorporated, and the Northern Territory of Australia. The Agreement was entered into in 2009 and is ongoing (the current Agreement is from 1 January 2016 to 31 December 2020). Information about the Agreement can be found at: https://www.santdatalink.org.au/about_us.

 

SA NT DataLink is operated by the Department for Health and Wellbeing and provides services that link and combine data sets, identify relationships and integrate and validate data to allow for better use of existing data and future statistical and research projects between the parties. The reference to SA NT DataLink in the new Regulations should be interpreted as being a reference to whatever body of that name is in existence from time to time. Further information about SA NT DataLink can be found at: https://www.santdatalink.org.au.

 

A proposal to provide Commonwealth data to SA NT DataLink has arisen from work led by the Department of the Prime Minister and Cabinet (PM&C), as the department responsible for Commonwealth whole-of-government data policy. PM&C manages an administrative process to recognise Australian Government agencies or non-Commonwealth entities as 'Integrating Authorities'. These authorities have the role of linking datasets from different Australian Government agencies for analytical purposes. SA NT DataLink has been granted Integrating Authority accreditation through PM&C subject to the Department for Health and Wellbeing opting-in to the Act as an organisation under subsection 6F(1).

 

The requirement to opt-in is because South Australia is one of two Australian jurisdictions (along with Western Australia) without its own privacy legislation. Without this prescription, neither the Office of the Australian Information Commissioner nor a State privacy regulator would have jurisdiction in the event that SA NT DataLink experienced a privacy incident involving Commonwealth data. The new Regulations provide a mechanism for the Office of the Australian Information Commissioner to investigate such incidents and provide affected individuals with legally enforceable complaint rights.

 

The new Regulations specify that for the purposes of subsection 6F(1) of the Act:

* the Department for Health and Wellbeing (as an authority of South Australia) is prescribed as an organisation under the Act;

* the Act is to apply to the Department for Health and Wellbeing so that paragraph 7(1)(ee) of the Act is read to include an act done, or a practice engaged in, by the Department for Health and Wellbeing as an organisation under the Act only insofar as it undertakes technical data linkage work for SA NT DataLink projects.

 

Consultation

The Act specifies under subsection 6F(3) that before the Governor-General can make a regulation, the Attorney-General must be satisfied that the relevant State or Territory has requested the prescription and must consult the Australian Information Commissioner about the desirability of the prescription. These requirements have been satisfied and the Australian Information Commissioner has not raised any concerns about the new Regulations.

 

Consistent with the requirements in section 17 of the Legislation Act 2003 to consult, the Office of the Australian Information Commissioner and the South Australian Department for Health and Wellbeing were consulted on the text of the new Regulations.

 

The Office of Best Practice Regulation (OBPR) was consulted and advised that a Regulation Impact Statement is not required. The OBPR reference is ID: 24573.

 

Other Details

 

Details of the new Regulations are at Attachment A.

 

A Statement of Compatibility under subsection 9(1) of the Human Rights (Parliamentary Scrutiny) Act 2011 is at Attachment B.

 

The new Regulations are a legislative instrument for the purposes of the Legislation Act 2003.

 


 

ATTACHMENT A

Details of the Privacy Amendment (SA NT DataLink) Regulations 2019

Section 1 - Name

This section provides that the title of the new Regulations is the Privacy Amendment (SA NT DataLink) Regulations 2019.

Section 2 - Commencement

This section provides for the new Regulations to commence the day after the instrument is registered.

Subsection (1) provides that each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table, and that any other statement in column 2 has effect according to its terms.

The note to subsection (1) clarifies that the table only relates to the provisions of this instrument as originally made, and that it will not be amended to deal with any later amendments to the instrument.

Subsection (2) provides that information in column 3 of the table is not part of the instrument. It is designed to assist readers, and may be updated or changed in any published version of the new Regulations. Column 3 is empty at the time of making the instrument.

Section 3 - Authority

This section provides that the Privacy Amendment (SA NT DataLink) Regulations 2019 are made under the Act.

Section 4 - Schedule

This section provides that each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1 - Amendments

Item [1] - Section 8

Section 8 of the Principal Regulation lists New South Wales authorities that are currently prescribed for the purposes of subsection 6F(1) of the Act. This item inserts a heading for the New South Wales authorities.

Item [2] - Section 8

This item inserts a new subparagraph (1) which distinguishes the New South Wales authorities from the new South Australian authority being added.

Item [3] - Section 8

This item inserts a new heading for 'South Australia'. Under the South Australia heading, new subsection 8(2) specifies that for the purposes of subsection 6F(1) of the Act the Department for Health and Wellbeing (an authority of South Australia) is prescribed, and the Act applies in relation to the Department as if the Act were modified as set out in the following new subsection (3).

Subsection 8(3) applies the Act in relation to the Department for Health and Wellbeing as if paragraph 7(1)(ee) of the Act were modified by providing for an act done, or a practice engaged in, by the Department for Health and Wellbeing (South Australia) in connection with undertaking technical data linkage work for SA NT DataLink, other than an exempt act or exempt practice (outlined in sections 7B and 7C of the Act).

Section 7B of the Act deals with exempt acts and practices in relation to individuals acting in a non-business capacity, organisations acting under Commonwealth or State contracts, or an act or practice directly related to employee records or journalism. Section 7C deals with political acts and practices that are exempt from the operation of the Act.

 


 

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Amendment (SA NT DataLink) Regulations 2019

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Disallowable Legislative Instrument

The Disallowable Legislative Instrument amends the Privacy Regulation 2013 to prescribe the Department for Health and Wellbeing (an authority of South Australia) as an organisation under subsection 6F(1) of the Privacy Act 1988 (the Act). The Act would apply to the Department for Health and Wellbeing in relation to an act done, or a practice engaged in, in connection with technical data linkage work undertaken in relation to SA NT DataLink projects.

SA NT DataLink is the body established under the SA NT Data Linkage Consortium Agreement (the Agreement) between a number of South Australian Ministers, South Australian Universities, the South Australian Health and Medical Research Institute, South Australian Anti-Cancer Foundation, the South Australian Health Consumer Alliance, and the Northern Territory. SA NT DataLink is operated by the Department for Health and Wellbeing and provides services that integrate and validate data to allow for better use of existing data and future statistical and research projects between the parties.

The Department of Prime Minister and Cabinet (PM&C) is proposing to allow sharing of Commonwealth data with SA NT DataLink by recognising it as an 'Integrating Authority' (subject to the Department for Health and Wellbeing opting-in to the Act). Integrating Authorities have the role of linking datasets from different Australian Government agencies for analytical purposes.

South Australia does not have its own privacy legislation. Without this prescription, neither the Office of the Australian Information Commissioner nor a State privacy regulator would have jurisdiction in the event that SA NT DataLink experienced a privacy incident involving Commonwealth data. The new Regulations provide a mechanism for the Office of the Australian Information Commissioner to investigate such incidents and provide affected individuals with legally enforceable complaint rights.

Human Rights Implications

The new Regulations engage Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.

The new Regulations protect against arbitrary interference with privacy by prescribing the Department for Health and Wellbeing (an authority of South Australia) as an organisation for the purposes of the Act. The Privacy Act would then apply to the Department for Health and Wellbeing in relation to an act done, or a practice engaged in, in connection with technical data linkage work undertaken for SA NT DataLink projects. This provides a mechanism for the Office of the Australian Information Commissioner to investigate privacy incidents relating to the personal information provided to them when undertaking these projects. It also provides affected individuals with legally enforceable complaint rights.

Conclusion

This Legislative Instrument engages the protection against arbitrary interference with privacy. It is compatible with human rights because it is consistent with the right to privacy and, to the extent that it may limit the right to privacy, those limitations are reasonable, necessary and proportionate.

