Government Agency Coercive Information-Gathering Powers; Draft Report
Submission to the Administrative Review Council
March 2007
GPO Box 5218 SYDNEY NSW 2001 • Privacy hotline 1300363992 • www.privacy.gov.au
Office of the Privacy Commissioner
1. Office of the Privacy Commissioner
The Office of the Privacy Commissioner (the Office) is an independent statutory
body whose purpose is to promote and protect privacy in Australia. The Office,
established under the Privacy Act 1988 (Cth), has responsibilities for the
protection of individuals' personal information that is handled by Australian and
ACT government agencies, and personal information held by all large private
sector organisations, health service providers and some small businesses. The
Office also has responsibilities under the Privacy Act in relation to credit
worthiness information held by credit reporting agencies and credit providers,
and personal tax file numbers used by individuals and organisations.
2. Introduction
The Office of the Privacy Commissioner welcomes the opportunity to comment
on the Administrative Review Council’s (ARC) draft Report into Government
Agency Coercive Information-Gathering Powers. 1
While the Privacy Act bestows coercive information-gathering powers on the
Commission, 2 this submission is not made from that perspective 3 . Instead, the
comments below draw on the Office’s experience as the Australian
Government agency responsible for, amongst other things:
• promoting 4 an understanding of the Information Privacy Principles (IPPs)
and National Privacy Principles (NPPs) and
• investigating complaints 5 about acts or practices of agencies or
organisations that may breach an IPP or NPP.
Council’s draft Report is an important and welcome advance in ensuring that
the use of coercive powers by Australian Government agencies is appropriate
and, where possible, consistent. The Office appreciates that the Privacy Act is
but one of a number of important considerations for agencies that collect,
handle and disclose coercively-gathered personal information. The Office is
pleased that Council recognises that good privacy practices are important
elements in achieving appropriate outcomes.
The Office would be happy to provide further advice to Council on the drafting
of any privacy-relevant sections to ensure privacy is appropriately represented
in the context of the paper.
1 For a copy of the report see: http://www.ag.gov.au/arc or http://www.ag.gov.au/agd/www/rwpattach.nsf/VAP/(96E02A3185906E56B3F27DE5BFCC1C80)~draft+coercive+powers+report.pdf/$file/draft+coercive+powers+report.pdf
2 Privacy Act 1988, ss 44-47, 65, 66, 70
3 The Office notes that the Report does not specifically consider the coercive information-gathering powers of government monitoring bodies.
4 Privacy Act 1988, s 27(1)(d)
5 Privacy Act 1988, ss 27(1)(a), 27(1)(ab)
OPC submission to the ARC Draft Report: Government Agency Coercive Information-Gathering Powers
3. Observations
3.1 Expectations to privacy
Public perceptions of the usefulness and fairness of coercive information-gathering powers are affected in part by the information-handling practices of
the agencies that utilise them. The Privacy Act, which regulates personal
information handling practices in agencies and organisations, assists by
creating and framing expectations to privacy. In so far as the Privacy Act
applies, it therefore contributes to the public’s acceptance of coercive powers
utilised by agencies.
It is worth noting that the IPPs and NPPs do more than codify good
administrative practice – in fact they impose legal obligations on agencies and
organisations, designed to prevent interferences with the personal information
privacy of an individual.
As there is sometimes confusion about whether the IPPs and NPPs are legally
binding, the Office would appreciate Council leaving this matter beyond doubt. 6
Suggestion:
Council may wish to consider clarifying the role of the IPPs and NPPs in the
Report.
The eleven IPPs set out minimum obligations that must be met by agencies
handling personal information, including its collection, use and disclosure,
storage and security, and access by the individual. In the current context, the
eleven IPPs are relevant to all agencies that fall under the Privacy Act and that
gather information using coercive powers.
The NPPs apply to all large private sector organisations, health service
providers and some small businesses. In the context of Council’s Report, only
NPP 2 is relevant. NPP 2 sets out the disclosure obligations of organisations
from which personal information is being collected.
IPP11, which relates to disclosure, may also be relevant to Australian
Government agencies from which the production of information is to be
compelled.
The Office has produced comprehensive Guidelines on the application of the
NPPs and the IPPs, which can be found on the Office’s website. 7 While the
Guidelines are not binding and do not specifically contemplate the issues
related to coercive powers and compelled information, they provide
interpretation that may be of assistance to agencies and to Council.
Suggestion:
Council may wish to consider noting the Privacy Commissioner’s Guidelines as
a relevant resource in the Report.
6 Page 67 of the Report may be an appropriate place to do this.
7 http://www.privacy.gov.au/publications/index.html#G
3.2 Collection of personal information
Distinguishing between potential applications of coercive powers
The draft Report does not currently distinguish between ‘evidence compelled
directly from a person of interest’ and ‘third party evidence about a person of
interest’. For a number of reasons, it may be advantageous to draw the
distinction.
IPP 1 issues of fair collection (canvassed below) may sometimes be contingent
on the distinction being drawn. This distinction may also be helpful when
considering IPP 10 (use) and IPP 11 (disclosure) issues such as secondary
and derivative uses.
Suggestion:
Council may wish to consider drawing the distinction between ‘primary’ and
‘third party’ evidence throughout the Report.
There is also a useful distinction to be made between compelling information
from a person representing a legal entity, such as another agency or a
corporation, and compelling information from a natural person acting in their
private capacity.
While the agency or organisation will have to consider IPP 11 or NPP 2.1
issues (as applicable), coercive Notices 8 usually apply only to natural persons.
Some care needs to be taken by the agency seeking personal information to
ensure that the agency or organisation which collected and holds the
information is given an opportunity to manage their IPP 11 or NPP 2.1
obligations.
This issue would not arise for individuals acting in their private capacity,
although they will have a legitimate interest in understanding how their
information will be handled (consistent with IPP 2).
Suggestion:
Council may wish to consider the issue of coercive information-gathering from a
‘360 degree’ approach, giving more prominence to the privacy obligations and
interests of organisations, agencies and natural persons that may be subject to
Notices.
Fair collection
IPP 1(1) provides that collection of personal information must be for a lawful
purpose that is directly related to a function or activity of the collector, and that
the collection must be necessary for or directly related to that function (see IPP
Guidelines 2, 3 and 4 9 ).
8 For convenience, the term ‘Notice’ is used throughout this submission to refer to a formal Notice compelling production of information pursuant to a coercive power.
9 http://www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_14.4.pdf
IPP 1(2) provides that collection of personal information must be both lawful
and fair (see IPP Guidelines 6 and 7 10 ).
IPP 3(d) provides that the collection of personal information must not intrude to
an unreasonable extent upon the personal affairs of the individual concerned
(see IPP Guideline 22 11 ).
The assessment of what might be a ‘lawful and fair collection’ and ‘a not
unreasonable intrusion upon the personal affairs of the individual concerned’ is
highly dependent on the context.
Some collection of third party evidence may be particularly vulnerable to
criticism – for example where a coercive notice is used in circumstances where
a search warrant authorised by a magistrate might be more usual for obtaining
sensitive personal information, for example, from financial institutions or health
providers. It is also possible that a record-keeper could resist a coercive power
in such circumstances if they were not certain the disclosure was authorised in
accordance with the Privacy Act, for example that the record-holder was not
satisfied the collection was lawful and fair.
When using coercive powers to obtain personal information it is in the agency’s
interests to ensure that coercive powers are exercised fairly, and that the
agency is able to demonstrate this if a dispute arises, or if the proposed
collection becomes subject to external scrutiny. 12
At the agency level, some of these concerns might be overcome were
authorisations for uses of powers deliberately structured so as to limit the scope
of information-gathering to the least privacy intrusive option.
This could be achieved by a senior officer authorising (or declining) use of a
power only after giving consideration to a number of relevant matters. These
could include those reportedly used by the ACCC 13 :
• Whether the information is otherwise available, including provided
voluntarily;
• The degree of risk that the information may be destroyed, not provided or
provided on unacceptable terms to the Commission;
• Whether it is appropriate for the ACCC to obtain information formally;
• Whether the information is necessary and relevant to the ACCC’s
investigation; and
• The time and cost implications of a s.155 process for the ACCC and the
recipients.
The Office notes that these considerations are consistent with an agency’s
obligations under IPP 1 and 3.
10 Ibid.
11 Ibid.
12 For example an injunctive action (where available), a request for a statement of reasons under s 13 of the Administrative Decisions (Judicial Review) Act 1977, or a Privacy Commissioner or Ombudsman investigation.
13 As set out on p 19 of the draft Report.
Consistent with Council’s Better Practice Principle 4, the reasons for decision
should be recorded.
The Office suggests that the senior officer should also have the capacity to
place conditions (or limits) on the reasonable use of the power including: what
is authorised to be collected, and the manner in which collection is authorised
to occur.
For example, where the evidence sought is about a disputed attendance with a
medical practitioner, it is unlikely there would be a need to compel production of
clinical notes, as attendance could be substantiated in a number of other ways,
meeting IPP 3(d) obligations. The relevant authorisation and Notice could be
structured to reflect this. In this way, agency practice could place reasonable
limits on the exercise of powers.
The Office also suggests that agency heads should have a specific obligation to
issue guidelines for the reasonable exercise of powers within the agency, giving
effect to the ‘least privacy invasive’ concept at the agency level.
Suggestions:
Council may wish to consider proposing a Better Practice Principle that
separates the process of internal authorisation from the exercise of powers,
allowing the opportunity for a senior officer to limit the scope of collections to
that which is relevant and necessary.
Council may wish to consider proposing a Better Practice Principle that codifies
the ‘least privacy intrusive’ concept.
Council may wish to consider setting out a minimum list of relevant privacy
considerations as an adjunct to Principle 3.
There may also be a case for reviewing some legislation to provide clear and
positive authority to obtain particular information from third parties (such as
health information or financial information or electronic communications). This
information is generally viewed within the community as sensitive and is
accompanied by a higher expectation of privacy or confidentiality.
This might be appropriate where it is anticipated that this will be a regular use
of coercive powers because of the fundamental nature of the regulatory or
compliance function and statutory relationships, and where it is deemed to be a
more efficient or preferable policy outcome. Legislation expressed in this way
would avert IPP 1(2) concerns about fair collection where a search warrant
authorised by a magistrate might otherwise be necessary.
Suggestion:
Council may wish to consider proposing a Better Practice Principle that
legislation, where possible, should settle the issue of application of coercive
powers to obtaining sensitive personal information in situations where obtaining
a search warrant might otherwise be the expected practice.
‘Must I comply with a formal Notice?’ - Collecting information from other agencies and organisations
Some organisations and agencies from which information is sought may
believe that the Privacy Act prevents compliance with a valid Notice.
Coercive powers validly exercised under an Act 14 will usually provide the
requisite exception (‘required or authorised by law’ - NPP 2.1(g) and IPP
11(1)(d)) to resolve issues relating to compelled disclosure of personal
information. Section 18K(m) of the Privacy Act also provides a ‘required or
authorised by law’ trigger in relation to credit reporting information.
However, it is worth noting that one agency’s collection may entail another
agency’s or organisation’s disclosure. The disclosing organisation or agency
must still actively consider NPP2.1 or IPP11 (as the case may be). As already
noted, it is possible that IPP1(2) and/or IPP 3(d) fairness concerns could
provide a reason to resist or refuse complying with a coercive Notice. Resisting
coercive Notices may require obtaining a legal opinion as the facts of each
case will vary.
See section 3.3 of this submission for a discussion of other issues relating to
inter-agency disclosure: ‘should we voluntarily share information?’.
Suggestion:
Council may wish to note that compelling information from other agencies or
organisations may trigger disclosure issues under the Privacy Act for those
entities.
Council may note that sections of the Privacy Act (other than the IPPs and
NPPs) may also affect coercive information-gathering powers. For example, it
may be that the lawfulness of the intended or unintended collection (or
disclosure) of Tax File Numbers (TFNs) is not sufficiently put beyond doubt by
legislation granting coercive information-gathering powers to some agencies.
The Office’s website includes a fact sheet 15 about TFNs that Council may find
helpful. Legislative instruments that are relevant include:
• The Privacy Commissioner’s Tax File Number Guidelines issued under s.17
of the Privacy Act 1988;
• Taxation Administration Act 1953, especially s 8WB; and
• Income Tax Assessment Act 1936.
Suggestion:
Council may wish to consider making observations in the Report about the
rules around collecting Tax File Numbers.
14 ‘Laws’ in the context of the Privacy Act usually means laws of the Commonwealth. See the Privacy Commissioner’s Guideline 32 (Plain English Guidelines to Information Privacy Principles 8-11) for more information.
15 http://www.privacy.gov.au/act/tfn/index.html
Notices (Principle 13)
The Office notes that one of the functions of Notices issued under a coercive
information-gathering power is to advise recipients as to the legislative authority
supporting the collection of information. A Notice that also included the purpose
of collection, and whether or how their personal information would usually be
used or disclosed, would also fulfil the requirements of IPP 2.
Suggestion:
Council may find it appropriate to place a short section on IPP2 of the Privacy
Act in this section of the Report (perhaps importing some of the text from page
67).
Council may give consideration to noting that the core elements of Notices
could conveniently be supplemented by information about normal practices of
the agency that are matters of administration or of expectation management,
but that do not form part of the formal Notice (e.g. reimbursement of costs,
procedural matters). This supplementary or companion notice would be an
appropriate place to advise the person as to how they can expect their personal
information to be treated, consistent with IPP 2.
Suggestion:
At Principle 13, Council may wish to make provision for coercive Notices to be
supplemented by other information, for example matters that would address the
agency’s IPP 2 obligations.
To give effect to IPP 2(d), as well as meeting a procedural fairness objective, it
would be appropriate for Notices or companion information to set out relevant
penalties 16 for non-compliance. 17 Council might give consideration to including
this aspect as one of the minimum criteria for Notices under Better Practice
Principle 13.
Suggestion:
Council may wish to consider setting out penalties for non-compliance as one
of the minimum criteria for Notices under Principle 13.
Consideration could also be given to advising individuals, where applicable,
that being subject to a Notice should not be taken to imply that their conduct is
in question, or that adverse findings have been made. It may also be
appropriate for the Notice recipient to be cautioned to not draw conclusions
about the agency’s disposition on the evidence, and to be asked not to
comment on the investigation until it is concluded. The aim of these strategies
is to protect both the integrity of the investigation and the privacy of any parties
to the investigation.
16 For example, not producing information; refusing to swear an oath or affirmation; refusing or failing to answer without excuse; wilful obstruction; providing false or misleading information or statements.
17 Offences for non-compliance with Notices: Council may consider whether it is appropriate to note or comment on the variance in penalties prescribed in various Acts for refusing or failing to cooperate with Notices issued under coercive information-gathering powers. Council may also wish to give consideration to adding a ‘penalty’ field to the Table in Appendix B of the Report.
These strategies would be consistent with IPP 11(3) which provides that a
person, body or agency to whom personal information is disclosed shall not use
or disclose the information for a purpose other than for the purpose the
information was given.
Suggestion:
Council may wish to consider proposing strategies that militate against
disclosure of information or other information about the proceedings by
witnesses.
As a minor matter, it may be convenient to transfer the section of Principle 13
dealing with minimum notice periods to a separate Principle. That would
separate issues relating to formal Notices (the main subject of the Principle)
from legislative issues.
Incidental collection of third party material
In general, legislation granting agencies a power to seize materials should
contain a requirement that incidentally collected third party personal information
that is irrelevant to the investigation or which is beyond authority of the coercive
Notice, be returned or destroyed, as appropriate, by the agency as soon as
practicable.
Suggestion:
Council may wish to consider making observations in the Report about
incidental collection of third party material.
Privilege and other professionals
The draft Report (page 60) refers to the secrecy of client information held by
doctors, accountants, bankers and social workers. To avoid confusion, Council
may consider referring instead to the confidential or sensitive nature of such
information. This construction more accurately represents the privacy
motivations of the individuals concerned.
3.3 Inter-agency exchange of information (Disclosure)
Framing the issue
The premise of Principle 21 is that there are circumstances that arise in which a
collection agency wishes to disclose compelled evidence to one or more other
agencies without the need to obtain the consent of the individual who gave the
evidence. Two questions 18 are relevant: Can we voluntarily disclose compelled
information? and Should we voluntarily disclose compelled information? The
first is a question about legislation, and the second is about judgement. Both
questions have privacy dimensions.
18 Note that the question ‘Must I comply with a formal Notice?’ has been discussed in section 3.2 of this submission.
Can we voluntarily disclose compelled information? (Principle 20)
The assessment of the legal authorities that can enable disclosure of compelled
evidence from one agency to another is a critical part of the analysis of whether
an appropriate public policy balance has been struck in granting coercive
information-gathering powers to an agency or for a purpose. Competing issues
include the policy desire for the efficient fulfilment of each agency’s statutory
functions, while respecting individual rights (including expectations to privacy)
and other public interest considerations.
Typically, if not universally, legislation 19 that provides for coercive powers also
provides pathways for lawful disclosure under IPP 11(1)(d), where information
may be disclosed by an agency if the disclosure is required or authorised under
law.
Council has concluded that agency secrecy provisions are ad hoc and need to
be less complex (Principle 20) and recommended that a review should be
conducted. While the premise for the review is to ensure that unnecessary
barriers to information-sharing for legitimate purposes are removed, such a
review would also be an opportunity to consider whether the current
arrangements, or their alternatives, provide adequate privacy protections.
The Office originally developed a framework (Attachment A) for assessing new
law enforcement powers but has since applied the framework more broadly to
other issues. The ‘Four A’ Framework, as it is known, may be of use in the
review Council proposes.
Suggestion:
In reference to a review of agency ‘secrecy’ provisions, Council may wish to
note the Office’s ‘Four A’ Framework as a tool to assist in finding the
appropriate policy balance between the use of coercive powers and privacy in
relation to personal information.
In the view of the Office, it is preferable for legislation to provide expressly for
legislative authority that unambiguously regulates issues like derivative or
secondary uses, instead of relying upon broadly-expressed discretions for
disclosure.
Suggestion:
Council may wish to note the Office’s preference for clear legislative authority to
regulate disclosures and secondary uses.
Should we voluntarily disclose compelled information?
The purpose of Principle 21 is to assist agencies that hold compelled
information (and that are authorised to disclose it) to make good judgements
about inter-agency exchanges of information.
19 To assist further discussion on this point, Council may wish to consider adding a ‘disclosure’ field to the Table in Appendix B of the Report to provide data about the underlying issues.
As already noted, IPP 11(3) places a limit on ‘downstream’ disclosure,
potentially affecting ‘derivative use’ considerations 20 where these matters are
not settled in source legislation. In considering issues related to disclosures and
derivative uses, Council may find it useful to refer to the decision 21 in Johns v
Australian Securities Commission and Others [1993] HCA 56.
Suggestion:
Council may wish to consider whether it would be appropriate to map out some
of the higher level issues, including privacy, related to voluntary disclosures or
‘information sharing’.
Council may note that IPP 11(2) provides 22 that records of disclosure are to be
created in some circumstances, for example where personal information is
disclosed for the purposes of the enforcement of a law imposing a pecuniary
penalty. Good privacy practice would also be to keep a record of every
disclosure related to coercively acquired information.
Suggestion:
Council may wish to propose a Better Practice Principle that provides for
records to be maintained of every disclosure related to coercively acquired
information.
The Office agrees that voluntary disclosure powers should rest with a senior
officer (Principle 21) and considers that this is a matter that should be reflected
in the source legislation. Council may give consideration to suggesting a
capacity for the delegate (or the head of an agency) to impose conditions on
disclosures and future uses of information disclosed. Guidance should also be
developed to advise senior officers about voluntary disclosure powers and their
use.
For example, a checklist could be prepared which requires the certifying officer
to be satisfied that the body receiving the information has appropriate
procedures or protocols in place to deal with issues such as: the handling of
irrelevant information; preventing secondary uses and disclosures; data
security; data matching; and timely destruction of records. Consideration should
also be given to protect against unreasonable intrusions on the personal affairs
of individuals (IPP 3 (d)).
Suggestion:
Council may wish to consider providing for agency heads to be able to limit the
scope of disclosure authorities, to produce guidance for senior officers, and to
enable conditions to be placed on the uses of information disclosed to other
agencies.
20 See Chapter 9 – The Use of Compelled Evidence, in Donaghue S (2001) Royal Commissions and Permanent Commissions of Inquiry. Butterworths. Australia.
21 http://www.austlii.edu.au/au/cases/cth/HCA/1993/56.html
22 See IPP Guidelines 46 and 47
The issue of consent (see IPP 11(1)(b)) might usefully be explored further in
the Report. Compelled evidence does not always mean that a witness will be
hostile to disclosures, although it will not always be operationally viable for an
agency to inform witnesses of impending disclosures. However, there is an
intersection here with the procedural fairness obligation that was implied in
Johns v ASC, that an individual should be afforded an opportunity to raise
objections to disclosure in some circumstances, including the opportunity to
suggest caveats or conditions on the uses to which information may be put.
It can also be noted that the disclosure exception under IPP 11(1)(a) 23 is less
likely to be available in the context of coerced information-gathering because of
the lack of choice in providing the information. For that reason, agencies should
be cautious about relying on an IPP2 notice to provide authority for disclosure
of personal information collected in this way.
On the other hand, the benefit of a comprehensive IPP 2 notice is that it
provides an opportunity prior to providing information for an informed witness to
claim privilege or seek undertakings in relation to derivative and secondary
uses of any material that might be provided under coercion.
Suggestion:
Council may wish to consider further the issues of consent and procedural
fairness relating to disclosures.
For all these reasons, the Office is hesitant to endorse Council’s ‘threshold
trigger’ proposal for disclosure to other agencies, as encapsulated in Better
Practice Principle 21, at least in its current form. The Office notes, however,
that the Principle is apparently an advance on the current situation. The Office
notes that the relevant provisions of the Privacy Act must be observed, and
perhaps Principle 21 can be amended to incorporate this requirement.
Suggestion:
Council may wish to consider further the interaction of the Privacy Act with the
threshold provisions proposed in Better Practice Principle 21.
3.4 Use (‘Intra-agency exchange of information’)
IPPs 8, 9 and 10 relate to the use of personal information within an agency.
Generally speaking, personal information should only be used for the specific
purposes for which it was collected.
In the coercive information-gathering context it is possible that, because of
procedural fairness considerations, stricter limitations apply to the valid uses of
coercively gathered information than are imposed by the IPPs. It is also
possible that uses of coercively-obtained information are fettered by the terms
and scope of the Notice under which the information was obtained.
23 ‘reasonably likely to have been aware, or made aware under [IPP 2], that information… is usually passed to [a particular] body or agency’
It is reported at page 75 of the Report (under the sub-heading ‘Consultation’)
that the ACCC and ASIC consider they have a broad scope to use coercively
obtained information within each agency. The Report suggests that this practice
is supported by the construction of the relevant Acts, and therefore falls into the
third exception to IPP 10 (‘use required or authorised by law’).
The Office is not able to advise on this matter in this submission, but we draw
Council’s attention to the Privacy Commissioner’s Guideline 34 24 .
Suggestion:
Council may wish to consider further the issues of intra-agency use.
3.5 Record-keeping
The Office considers the appropriate handling of records containing personal
information in accordance with the Privacy Act to be fundamental. The
regulation of record-handling by agencies is set out in IPPs 4-9. Council may
consider dealing with record handling issues in a dedicated Chapter.
Suggestion:
Council may wish to consider elevating record-handling issues to Chapter level.
As an administrative matter, agencies need to be able to track the various
consents and prohibitions that apply to information collected coercively. A
convenient way to achieve this is to attach metadata to information. In this way,
an agency record-handler would immediately know the purposes and context
for which information was collected and appreciate the limitations on alternative
uses or disclosures without express authority.
The meta-data would also inform an agency of conditions it should attach to
any disclosures (for example use immunities) outside of the agency.
Suggestion:
Council may wish to consider proposing an additional Better Practice Principle
that encourages the attachment of meta-data to records containing compelled
information.
As an incidental point on the commentary on page 76, it is worth noting that the
sensitivity of information is as critical as the volume of documents that might be
collected using coercive powers.
3.6 Accountability
Appropriate use of coercive power
The Office has a general interest in ensuring that the privacy-intrusive nature of
coercive powers is recognised and that there are appropriate checks and
balances built in to the systems that surround the granting and use of powers.
This, of course, is one of the primary purposes of Council’s investigation, and
underpins most of Council’s Better Practice Principles.
24 http://www.privacy.gov.au/publications/ipp8_11.pdf
The Office notes that some of the personal information that is able to be
collected from Australian government agencies and organisations using
coercive powers may otherwise 25 not be available due to the limitations on the
disclosure of information imposed by the Privacy Act.
For that reason, the Office would welcome and be reassured by a consistent
set of safeguards against misuse or overuse of powers, as suggested by
Council. The Office recognises that there may be some additional cost to
agencies in providing those safeguards (for example Principles 4 and 19) but
suggests that the protection achieved by the implementation of these
safeguards on balance outweighs the additional cost.
Suggestion:
The Office supports safeguards against misuse or overuse of powers, noting
the potential for an increased compliance burden for agencies using coercive
powers. Council may wish to note the Office’s view.
Written records (Principle 4)
The Office welcomes Principle 4, in particular the requirement to make written
records of the deliberations that lead to the exercise of a coercive power.
The Office notes that a person affected by a decision to use a coercive power is
likely to be eligible to request a statement of reasons for decision under the
Administrative Decisions (Judicial Review) Act 1977.
In addition, from a privacy perspective, contemporaneous records (that would
underpin a statement of reasons) are invaluable to the investigation of
complaints received by the Office about interferences with privacy. Establishing
written records recognises the special place coercive powers hold in
administrative law, and is also a proportionate reassurance to the public that
their privacy expectations are being met.
Other accountability mechanisms (Chapter 9)
It would be appropriate for the Office of the Privacy Commissioner to be
included in the section about external complaint processes. Council might also
note the capacity of the Office to undertake ‘own motion investigation’ 26 and the
ability of the Privacy Commissioner and the Commonwealth Ombudsman to
jointly 27 investigate matters relating to privacy.
Suggestion:
Council should add the Office of the Privacy Commissioner to the discussion
about complaint-handling authorities.
25 That is, but for the ‘required or authorised by law’ trigger in NPP 2.1(g) or IPP 11(1)(d), it is
likely that the information would not be able to be disclosed without the express consent of the
person to whom the personal information relates, unless another exception applied.
26 Privacy Act 1988, s 40(2)
27 http://www.privacy.gov.au/news/media/06_07.html
Council might also note the accountability opportunities afforded by access to
personal information provisions that are provided under the Freedom of
Information Act 1982 and IPPs 5, 6 and 7.
Suggestion:
Council may wish to consider further the accountability role that IPPs 5-7 and
the Freedom of Information Act 1982 play in a coercive information-gathering
context.
The Privacy Commissioner is able to make determinations 28 following
investigations about interferences with the privacy of an individual.
Determinations made under the Privacy Act may include financial remedies. A
related mechanism for redress is the government’s scheme for providing
financial remedy, the Compensation for Detriment caused by Deficient
Administration Scheme (CDDA).
Suggestion:
Council may wish to consider including information in Chapter 9 about the
Privacy Commissioner’s determinative powers, as well as noting the
Compensation for Detriment caused by Deficient Administration Scheme
(CDDA).
The Office would welcome Council expressing a view about certain other
accountability matters that are privacy related and, if appropriate, translating
that view into a Better Practice Principle. These might include:
• the desirability of specifically and proactively informing Notice recipients of
their rights to redress and complaint; and
• reporting (publicly, to Parliament, to a Minister, or to a government oversight
agency) on the effectiveness of powers (in addition to incidence, Principle
19).
Suggestion:
Council may wish to consider expressing a view about other accountability
options that would provide a reassurance that an agency’s coercive collection
of information does not intrude to an unreasonable extent upon the personal
affairs of individuals.
28 Privacy Act 1988, s 52
4. Summary of suggestions
• Council may wish to consider clarifying the role of the IPPs and NPPs in the
Report.
• Council may wish to consider noting the Privacy Commissioner’s Guidelines
as a relevant resource in the Report.
• Council may wish to consider drawing the distinction between ‘primary’ and
‘third party’ evidence throughout the Report.
• Council may wish to consider the issue of coercive information-gathering
from a ‘360 degree’ approach, giving more prominence to the privacy
obligations and interests of organisations, agencies and natural persons that
may be subject to Notices.
• Council may wish to consider proposing a Better Practice Principle that
separates the process of internal authorisation from the exercise of powers,
allowing the opportunity for a senior officer to limit the scope of collections to
that which is relevant and necessary.
• Council may wish to consider proposing a Better Practice Principle that
codifies the ‘least privacy intrusive’ concept.
• Council may wish to consider setting out a minimum list of relevant privacy
considerations as an adjunct to Principle 3.
• Council may wish to consider proposing a Better Practice Principle that
legislation, where possible, should settle the issue of application of coercive
powers to obtaining sensitive personal information in situations where
obtaining a search warrant might otherwise be the expected practice.
• Council may wish to note that compelling information from other agencies or
organisations may trigger disclosure issues under the Privacy Act for those
entities.
• Council may wish to consider making observations in the Report about the
rules around collecting Tax File Numbers.
• Council may find it appropriate to place a short section on IPP2 of the
Privacy Act in this section of the Report (perhaps importing some of the text
from page 67).
• At Principle 13, Council may wish to make provision for coercive Notices to
be supplemented by other information, for example matters that would
address the agency’s IPP 2 obligations.
• Council may wish to consider setting out penalties for non-compliance as
one of the minimum criteria for Notices under Principle 13.
• Council may wish to consider proposing strategies that militate against
disclosure of information or other information about the proceedings by
witnesses.
• Council may wish to consider making observations in the Report about
incidental collection of third party material.
• In reference to a review of agency ‘secrecy’ provisions, Council may wish to
note the Office’s ‘Four A’ Framework as a tool to assist in finding the
appropriate policy balance between the use of coercive powers and privacy
in relation to personal information.
• Council may wish to note the Office’s preference for clear legislative
authority to regulate disclosures and secondary uses.
• Council may wish to consider whether it would be appropriate to map out
some of the higher level issues, including privacy, related to voluntary
disclosures or ‘information sharing’.
• Council may wish to propose a Better Practice Principle that provides for
records to be maintained of every disclosure related to coercively acquired
information.
• Council may wish to consider providing for agency heads to be able to limit
the scope of disclosure authorities, to produce guidance for senior officers,
and to enable conditions to be placed on the uses of information disclosed
to other agencies.
• Council may wish to consider further the issues of consent and procedural
fairness relating to disclosures.
• Council may wish to consider further the interaction of the Privacy Act with
the threshold provisions proposed in Better Practice Principle 21.
• Council may wish to consider further the issues of intra-agency use.
• Council may wish to consider elevating record-handling issues to Chapter
level.
• Council may wish to consider proposing an additional Better Practice
Principle that encourages the attachment of meta-data to records containing
compelled information.
• The Office supports safeguards against misuse or overuse of powers,
noting the potential for an increased compliance burden for agencies using
coercive powers. Council may wish to note the Office’s view.
• Council should add the Office of the Privacy Commissioner to the discussion
about complaint-handling authorities.
• Council may wish to consider further the accountability role that IPPs 5-7
and the Freedom of Information Act 1982 play in a coercive
information-gathering context.
• Council may wish to consider including information in Chapter 9 about the
Privacy Commissioner’s determinative powers, as well as noting the
Compensation for Detriment caused by Deficient Administration Scheme
(CDDA).
• Council may wish to consider expressing a view about other accountability
options that would provide a reassurance that an agency’s coercive
collection of information does not intrude to an unreasonable extent upon
the personal affairs of individuals.
Attachment A
OPC ‘Four A’ Privacy Evaluation Framework for assessing and
implementing new law enforcement and national security
powers
The Office of the Privacy Commissioner has developed a proposed framework for
assessing and implementing new law enforcement and national security powers. The
framework sets out a life cycle approach to such proposals from development to
implementation and review. The aim of the framework is to bring balance and
perspective to the assessment of proposals for law enforcement or national security
measures with significant effects on privacy.
First, careful analysis is needed in the development phase to ensure that the proposed
measure is necessary, effective, proportional, the least privacy invasive option and
consistent with community expectations. This analysis should involve consideration of
the size, scope and likely longevity of the problem, as well as the range of possible
solutions, including less privacy-invasive alternatives. The impact on privacy of the
proposed solution should be analysed and critical consideration given to whether the
measure is proportional to the risk.
Second, the authority by which the measure is implemented should be appropriate to
its privacy implications. Where there is likely to be a significant impact on privacy, the
power should be conferred expressly by statute subject to objective criteria. Generally,
the authority to exercise intrusive powers should be dependent on special judicial
authorisation. Intrusive activities should be authorised by an appropriately senior
officer.
Third, implementation of the measure should be transparent and ensure accountability.
Accountability processes should include independent complaint handling, monitoring,
independent audit, and reporting and oversight powers commensurate with the
intrusiveness of the measures.
Finally, there should be periodic appraisal of the measure to assess costs and
benefits. Measures that are no longer necessary should be removed and unintended
or undesirable consequences rectified. Mechanisms to ensure such periodic review
should be built into the development of the measure. This could involve a sunset
clause or parliamentary review after a fixed period.
In summary:
Analysis – is there a problem? Is the solution proportional to the problem? Is it the
least privacy invasive solution to the problem? Is it in line with community
expectations?
Authority – Under what circumstances will the organisation be able to exercise its
powers and who will authorise their use?
Accountability – What are the safeguards? Who is auditing the system? How are
complaints handled? Are the reporting mechanisms adequate? And how is the system
working?
Appraisal – Are there built in review mechanisms? Has the measure delivered what it
promised and at what cost and benefit?