EXPLANATORY STATEMENT

 

Select Legislative Instrument 2006 No. 140

Privacy (Private Sector) Amendment Regulations 2006 (No. 1)

The Privacy Act 1988 (the Act) establishes, among other things, the National Privacy Principles (NPPs) which regulate the collection, use, disclosure and storage of personal information by private sector organisations.

NPP 7.2 provides that a private sector organisation must not use or disclose an identifier assigned to an individual by a Commonwealth agency, or by an agent or contracted service provider to that agency, except where:

(a)       the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b)       the use or disclosure is in support of measures detailed in NPP 2.1(e) to 2.1(h) inclusive to lessen or prevent a threat to the health or safety of an individual or the public, is required or authorised by law, or is in support of law enforcement or prosecution activities; or

(c)       the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Subsection 100(1) of the Act provides that the Governor-General may make regulations, not inconsistent with the Act, prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

In determining the need for a Regulation under section 100 of the Act, the Department of Veterans' Affairs has consulted Centrelink, the Office of the Privacy Commissioner and the Attorney‑General's Department.

The purpose of the Regulations is to authorise the use and disclosure of the DVA File Number, assigned to individuals by the Department of Veterans' Affairs, by certain private sector organisations.  They allow prescribed organisations (listed in Part 2 of Schedule 3) to use and disclose the DVA File Number (an 'identifier') as a means of authentication and to verify the customer's entitlement to an Australian Government benefit and thereby to a concession offered by the relevant organisation. 

The use and disclosure of the DVA File Number by each private sector organisation is in each case only for the benefit of the individual concerned.  It enables service providers to access Centrelink's Confirmation eServices, with the customer's consent, and determine a customer's eligibility to concessional entitlements.  This removes the need for customers to go into a DVA office to get proof of their eligibility for these concessions.  The verification occurs on-line in real time, providing up to date eligibility information.  

Details of the Regulations are set out in the Attachment.

The Regulations commenced on the day after they were registered.

 

ATTACHMENT

PRIVACY (PRIVATE SECTOR) AMENDMENT REGULATIONS 2006 (No. 1)

Regulation 1 describes how the Regulations are to be cited.

Regulation 2 provides that the Regulations commence on the day after they are registered.

Regulation 3 provides that the Privacy (Private Sector) Regulations 2001 (the Principal Regulations) are amended in accordance with Schedule 1 to the Regulations.

The Regulations make additions to the Principal Regulations to authorise an exception to National Privacy Principle 7.2 in relation to the use and disclosure of the DVA File Number.

Schedule 1, Item 1 defines 'DVA File Number' as the file number assigned to an individual by the Department of Veterans' Affairs.

Schedule 1, Item 2 changes the heading of regulation 9 in the Principal Regulations to reflect that it relates to the 'Customer Confirmation' part of the Centrelink Confirmation eServices.

Schedule 1, Item 3 inserts a new sub‑heading 'Centrelink Customer Reference Number' into regulation 9 in the Principal Regulations and creates a new sub‑regulation 9(1) for the existing text of regulation 9 (the purpose of which is to prescribe organisations that are allowed to use and disclose the Centrelink Customer Reference Number to access the Centrelink Confirmation eServices to make a Customer Confirmation enquiry).

Schedule 1, Item 4 defines the 'prescribed organisations' that are allowed to use and disclose the Centrelink Customer Reference Number as being in Part 1 of Schedule 3 to the Principal Regulations (reflecting the change to Schedule 3, which is outlined at Schedule 1, Items 7 and 11 below).

Schedule 1, Item 5 refers to the 'prescribed organisations' that are allowed to use and disclose the Centrelink Customer Reference Number as being in Part 1 of Schedule 3 to the Principal Regulations (reflecting the change to Schedule 3, which is outlined at Schedule 1, Items 7 and 11 below).

Schedule 1, Item 6 inserts a new exception to National Privacy Principle 7.2 in sub‑regulation 9(2). The existing exception to National Privacy Principle 7.2 in regulation 9 authorises the use and disclosure by 24 organisations of the Centrelink Customer Reference Number for the purpose of accessing the Centrelink Confirmation eServices to make a Customer Confirmation enquiry.  The new exception authorises the use and disclosure by 17 organisations of the DVA File Number for the purpose of accessing the Centrelink Confirmation eServices to make a Customer Confirmation enquiry.

Schedule 1, Item 7 changes the heading of Schedule 3 in the Principal Regulations to reflect that the schedule contains prescribed organisations that are allowed to use and disclose certain identifiers to access the 'Customer Confirmation' part of the Centrelink Confirmation eServices.  It also creates a new Part 1 in Schedule 3 for organisations currently authorised to use and disclose the Centrelink Customer Reference Number for the purpose of accessing the Centrelink Confirmation eServices to make a Customer Confirmation enquiry.  

Schedule 1, Item 8 deletes 2 organisations from existing Schedule 3 in the Principal Regulations.  'Australian Inland Energy Water Infrastructure' (item 2) is deleted because it no longer exists.  Energex Retail Pty Ltd (item 7) is deleted and re-inserted under its new name 'Sun Retail Pty Ltd' at item 20A in Schedule 3 (see Schedule 1, Item 9 below).

Schedule 1, Item 9 inserts 'Sun Retail Pty Ltd' (previously known as 'Energex Retail Pty Ltd') as item 20A in Schedule 3 to the Principal Regulations.

Schedule 1, Item 10 replaces the ACN currently listed for 'TRUEnergy Pty Ltd' at item 23 in Schedule 3 to the Principal Regulations with its current ABN.

Schedule 1, Item 11 creates a new Part 2 in Schedule 3 to the Principal Regulations.  New Part 2 lists 17 organisations that may use or disclose the DVA File Number for the purpose of accessing the Centrelink Confirmation eServices to make a Customer Confirmation enquiry.