ALRC submission in response to the Review of Personal Identifier Provisions in the Migration Act 1958—Preliminary Report
Introduction
1. The Australian Law Reform Commission (ALRC) makes the following submission in response to the Review of Personal Identifier Provisions Introduced in 2004 to the Migration Act 1958—Preliminary Report (the Preliminary Report).
2. The ALRC has never undertaken a review of the Migration Act 1958 (Cth), and so does not intend to provide detailed comments on the issues raised by the Preliminary Report. However, the ALRC would like to highlight relevant recommendations made in our report For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008). The submission also refers to the ALRC’s current review of relevant laws and practices relating to the protection of Commonwealth information, including the scope and appropriateness of legislative provisions regarding secrecy and confidentiality. The ALRC is yet to finalise its recommendations and release a final report for this inquiry.
ALRC Privacy Inquiry
3. In May 2008, the ALRC completed For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008) (the report is available online at <www.alrc.gov.au>). The report represents the culmination of a 28 month inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. This Inquiry resulted in a three volume Report, containing 74 chapters and 295 recommendations for reform. The Report was tabled in Parliament on 11 August 2008.
4. The ALRC understands that the Australian Government is currently considering the recommendations contained in the Report with a view to releasing draft legislation in the next 12 to 18 months.
Part 4A of the Migration Act and the Unified Privacy Principles (UPPs)
5. The Preliminary Report notes that various Information Privacy Principles (IPPs) are relevant to the various personal identifier provisions contained in the Migration Act, including Part 4A. Following extensive research and consultation, the ALRC Privacy Inquiry concluded that several reforms should be made to the privacy regime in Australia, including the IPPs.
6. In particular, the ALRC recommended that the IPPs and National Privacy Principles (NPPs) should be unified into a single set of privacy principles, covering information handling in both the public and private sectors (referred to in the Inquiry as the model Unified Privacy Principles (UPPs)). [1] The model UPPs are set out in full at the end of this submission.
7. If implemented, a number of the model UPPs would provide additional regulation of personal information. For example, UPP 7 requires that a Commonwealth agency or organisation must take reasonable steps to make certain that the personal information it collects, uses or discloses is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant. Further, UPP 11 sets out rules that apply when an agency or organisation in Australia transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia.
8. Some of the Inquiry’s other key recommendations include:
- Important definitions in the Privacy Act—such as the definition of ‘personal information’, ‘sensitive information’ and ‘record’—should be updated to deal with new technologies and new methods of collecting and storing personal information. [2]
- The model UPPs should include a principle dealing with ‘Identifiers’. This principle should apply only to the information-handling activities of organisations. [3] This principle is discussed in more detail below.
- The penalty regime should be strengthened by allowing the Privacy Commissioner to seek a civil penalty in the federal courts where there is a serious or repeated interference with the privacy of an individual. [4]
- Federal legislation should provide for a statutory cause of action for a serious invasion of privacy. [5]
9. If implemented, a number of the model UPPs will apply to information that is also protected by the provisions of Part 4A of the Migration Act. For example, UPP 2 addresses the use and disclosure of personal information by agencies and organisations, and Div 3 of Part 4A of the Migration Act contains a number of provisions regulating the disclosure of ‘identifying information’, which includes personal information. However, the Migration Act is a stricter regulatory scheme in that it includes a number of offences to do with the unauthorised use and disclosure of information.
The model UPP dealing with ‘Identifiers’
10. In ALRC 108, the ALRC specifically considered the regulation of a particular type of personal information—identifiers. It recommended that the model UPPs should contain a principle regulating the handling of identifiers by organisations (the ‘Identifiers’ principle). The ‘Identifiers’ principle is intended to provide greater protection to identifiers than other types of personal information. It is set out in full at the end of this submission.
11. The ALRC did not recommend that the ‘Identifiers’ principle apply to the information-handling activities of Commonwealth agencies. However, the ALRC did recommend that some safeguards be placed around the assignment and use by agencies of an identifier used by multiple agencies, or for multiple purposes (a multi-purpose identifier). This was on the basis that multi-purpose identifiers pose significant privacy risks. Accordingly, the ALRC expressed the view that the handling of identifiers by Commonwealth agencies should follow the spirit of the ‘Identifiers’ principle and be established by legislative schemes that set out clearly any exceptions to the ‘Identifiers’ principle. [6]
12. Further, the ALRC noted that:
The potential privacy risks of multi-purpose identifiers are always so significant that the Australian Government, in consultation with the [Office of the Privacy Commissioner], should be required to conduct a [privacy impact assessment] before the introduction by agencies of any multi-purpose identifier. This proactive approach encourages agencies to incorporate privacy and security safeguards into the design of multi-purpose identifiers. [7]
13. The ALRC recommended:
Recommendation 30–1 Before the introduction by an agency of any multi-purpose identifier, the Australian Government, in consultation with the Privacy Commissioner, should conduct a Privacy Impact Assessment.
Data-matching
14. Section 336E of the Migration Act provides for an exception to the unauthorised disclosure offence for the purpose of data-matching. In ALRC 108, the ALRC noted the privacy concerns around data matching. The ALRC summarised these concerns as including: revealing of previously unknown information about an individual without the knowledge or consent of that individual; profiling of an individual; difficulty for an individual in accessing information contained in the new data-set without knowledge that such a data-set was compiled; accuracy of the matched data; and security of large amounts of data collected for the purposes of data-matching or data mining. [8]
15. In ALRC 108, the ALRC recommended that the Office of the Privacy Commissioner (OPC) provide guidance to organisations on data-matching. The ALRC noted that the OPC already has published guidance in this area that applies to agencies. [9]
Biometric information and the definition of ‘sensitive information’
16. Biometric systems enable unique behavioural or physiological attributes of people to be used for identification and authentication. [10] In ALRC 108, the ALRC noted that the use of biometric technologies raises a number of privacy concerns. These may vary according to the context in which the biometric information is collected and the type of biometric system in operation. [11]
17. For these reasons, the ALRC recommended that the definition of sensitive information in the Privacy Act should be amended to include:
- biometric information collected for the purpose of automated biometric verification or identification; and
- biometric template information. [12]
18. The Privacy Act and the model UPPs provide that sensitive information should generally be collected with consent and should be used only for the purpose for which the information was collected or a directly related secondary purpose. [13]
19. If this recommendation is implemented by the Australian Government, and biometric information is used as an identifier for the purposes of the Migration Act, there may need to be further consideration of the interaction between the Privacy Act and Migration Act.
Secrecy provisions and secondary disclosures
20. The ALRC notes that the Preliminary Report raises the issue of a lack of any protection against subsequent disclosure by an agency or organisation to which the Department of Immigration and Citizenship discloses identifying information.
21. In ALRC 108, the ALRC briefly considered the interaction between the Privacy Act and provisions in other federal legislation that regulate the use and disclosure of personal information. The ALRC concluded that secrecy provisions in federal legislation should be reviewed. [14]
22. The ALRC also considered the interaction of the Privacy Act and the complex regulatory regime contained in Part 13 of the Telecommunications Act 1997 (Cth). Part 13 contains a large number of provisions that regulate the use and disclosure of information. Part 13 of the Telecommunications Act creates offences for unauthorised use or disclosure of information as well as subsequent (or secondary) uses or disclosures. The Reviewers may wish to consider Part 13 of the Telecommunications Act, as well as the ALRC’s recommendations in ALRC 108 concerning how the Part interacts with the Privacy Act. [15] Subsequent disclosure is also being considered as part of the ALRC’s current Secrecy Inquiry. [16]
Children, Young People and Adults Requiring Assistance
23. The Preliminary Report notes that ss 261AL, 261AM and 261AB of the Migration Act relate to the types of personal identifiers that can be required of minors and incapable persons. The ALRC would like to highlight that it made a number of recommendations relating to the privacy of children, young people and adults requiring assistance. These recommendations include additional safeguards relating to decision making by and for individuals under the age of 18, and the use of third party representatives. [17]
ALRC Secrecy Inquiry
24. On 5 August 2008, the ALRC received Terms of Reference from the Australian Government Attorney-General to review relevant laws and practices relating to the protection of Commonwealth information, including the scope and appropriateness of legislative provisions regarding secrecy and confidentiality.
25. The Terms of Reference for the Secrecy Inquiry require the ALRC to have regard to the importance of balancing the need to protect Commonwealth information and the public interest in an open and accountable system of government, in addition to having regard to the increased need to share such information within and between governments and with the private sector. [18]
26. The ALRC has released two consultation documents as part of the Secrecy Inquiry—Review of Secrecy Laws (Issues Paper 34, 2008) and Review of Secrecy Laws (Discussion Paper 74, 2009) and has conducted community and online consultation (both publications are available online at <www.alrc.gov.au>). The ALRC is required to report to the Attorney-General by 30 October 2009.
27. Part 4A of the Migration Act contains a range of secrecy provisions dealing with the unauthorised access, disclosure, modification and impairment, and destruction of identifying information. In addition to consideration of the interaction between the Privacy Act and secrecy laws, [19] Discussion Paper 74 contains detailed discussion and a number of proposals in relation to the elements of secrecy provisions, as well as exceptions and penalties contained in secrecy provisions. These proposals include:
- secrecy offences should generally incorporate a requirement that, for an offence to be committed, there must be a reasonable likelihood that the disclosure of information will cause harm to some specified public interest, except where there are clear countervailing public interests; [20]
- secrecy offences should generally not extend to conduct other than the disclosure of information, such as making a record, receiving or possessing protected information; [21]
- secrecy offences should generally require intention as the fault element for the disclosure of information; [22]
- the maximum penalties for the initial and subsequent unauthorised handling of Commonwealth information under specific secrecy offences should generally be the same, subject to relevant differences in relation to fault elements or the reasonable likelihood of harm. [23]
28. The ALRC also addresses the simplification and consistency of secrecy provisions in federal legislation. One of the key proposals is the establishment of a general secrecy offence. [24] The ALRC also proposes that Commonwealth secrecy offences should generally be:
- repealed where the scope of the offences substantially replicates the proposed general secrecy offence; and
- retained where the offences differ in significant and necessary ways from the proposed general secrecy offence. [25]
Appendix 1. The Model Unified Privacy Principles
UPP 1. Anonymity and Pseudonymity
Wherever it is lawful and practicable in the circumstances, agencies and organisations must give individuals the clear option of interacting by either:
(a) not identifying themselves; or
(b) identifying themselves with a pseudonym.
UPP 2. Collection
2.1 An agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities.
2.2 An agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
2.3 If it is reasonable and practicable to do so, an agency or organisation must collect personal information about an individual only from that individual.
2.4 If an agency or organisation receives unsolicited personal information about an individual from someone else, it must either:
(a) if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or
(b) comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had actively collected the information.
2.5 In addition to the other requirements in UPP 2, an agency or organisation must not collect sensitive information about an individual unless:
(a) the individual has consented;
(b) the collection is required or authorised by or under law;
(c) the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual to whom the information concerns is legally or physically incapable of giving or communicating consent;
(d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:
(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities; and
(ii) at or before the time of collecting the information, the organisation undertakes to the individual to whom the information concerns that the organisation will not disclose the information without the individual’s consent;
(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;
(f) the collection is necessary for research and all of the following conditions are met:
(i) the purpose cannot be served by the collection of information that does not identify the individual or from which the individual would not be reasonably identifiable;
(ii) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;
(iii) a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and
(iv) the information is collected in accordance with Research Rules issued by the Privacy Commissioner; or
(g) the collection is necessary for the purpose of a confidential alternative dispute resolution process.
2.6 Where an agency or organisation collects sensitive information about an individual in accordance with 2.5(f), it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.
Note: Agencies and organisations that collect personal information about an individual from an individual or from someone else must comply with UPP 3.
UPP 3. Notification
3. At or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of, the:
(a) fact and circumstances of collection, where the individual may not be aware that his or her personal information has been collected;
(b) identity and contact details of the agency or organisation;
(c) rights of access to, and correction of, personal information provided by these principles;
(d) purposes for which the information is collected;
(e) main consequences of not providing the information;
(f) actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information of the kind collected;
(g) fact that the avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information are set out in the agency’s or organisation’s Privacy Policy; and
(h) fact, where applicable, that the collection is required or authorised by or under law.
UPP 4. Openness
4.1 An agency or organisation must create a Privacy Policy that sets out clearly its expressed policies on the management of personal information, including how it collects, holds, uses and discloses personal information. This document should also outline the:
(a) sort of personal information the agency or organisation holds;
(b) purposes for which personal information is held;
(c) avenues of complaint available to individuals in the event that they have a privacy complaint;
(d) steps individuals may take to gain access to personal information about them held by the agency or organisation; and
(e) whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred.
4.2 An agency or organisation should take reasonable steps to make its Privacy Policy available without charge to an individual:
(a) electronically; and
(b) on request, in hard copy, or in an alternative form accessible to individuals with special needs.
UPP 5. Use and Disclosure
5.1 An agency or organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (the secondary purpose) unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
(ii) the individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose;
(b) the individual has consented to the use or disclosure;
(c) the agency or organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to:
(i) an individual’s life, health or safety; or
(ii) public health or public safety;
(d) the agency or organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities;
(e) the use or disclosure is required or authorised by or under law;
(f) the agency or organisation reasonably believes that the use or disclosure is necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal;
(g) the use or disclosure is necessary for research and all of the following conditions are met:
(i) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the use or disclosure;
(ii) a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act;
(iii) the information is used or disclosed in accordance with Research Rules issued by the Privacy Commissioner; and
(iv) in the case of disclosure—the agency or organisation reasonably believes that the recipient of the personal information will not disclose the information in a form that would identify the individual or from which the individual would be reasonably identifiable; or
(h) the use or disclosure is necessary for the purpose of a confidential alternative dispute resolution process.
5.2 If an agency or organisation uses or discloses personal information under paragraph 5.1(f) it must make a written note of the use or disclosure.
5.3 UPP 5.1 operates in respect of personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.
Note 1: It is not intended to deter organisations from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.
Note 2: Subclause 5.1 does not override any existing obligations not to disclose personal information. Nothing in subclause 5.1 requires an agency or organisation to disclose personal information; an agency or organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
Note 3: Agencies and organisations also are subject to the requirements of the ‘Cross-border Data Flows’ principle when transferring personal information about an individual to a recipient who is outside Australia.
UPP 6. Direct Marketing (only applicable to organisations)
6.1 An organisation may use or disclose personal information about an individual who is an existing customer aged 15 years or over for the purpose of direct marketing only where the:
(a) individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and
(b) organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications.
6.2 An organisation may use or disclose personal information about an individual who is not an existing customer or is under 15 years of age for the purpose of direct marketing only in the following circumstances:
(a) either the:
(i) individual has consented; or
(ii) information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure;
(b) in each direct marketing communication, the organisation draws to the individual’s attention, or prominently displays a notice advising the individual, that he or she may express a wish not to receive any further direct marketing communications;
(c) the organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications; and
(d) if requested by the individual, the organisation must, where reasonable and practicable, advise the individual of the source from which it acquired the individual’s personal information.
6.3 In the event that an individual makes a request of an organisation not to receive any further direct marketing communications, the organisation must:
(a) comply with this requirement within a reasonable period of time; and
(b) not charge the individual for giving effect to the request.
UPP 7. Data Quality
An agency or organisation must take reasonable steps to make certain that the personal information it collects, uses or discloses is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant.
UPP 8. Data Security
8.1 An agency or organisation must take reasonable steps to:
(a) protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure; and
(b) destroy or render non-identifiable personal information if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law.
8.2 The requirement to destroy or render non-identifiable personal information is not ‘required by law’ for the purposes of the Archives Act 1983 (Cth).
Note: Agencies and organisations also should be aware of their obligations under the data breach notification provisions.
UPP 9. Access and Correction
9.1 If an agency or organisation holds personal information about an individual and the individual requests access to the information, it must respond within a reasonable time and provide the individual with access to the information, except to the extent that:
Where the information is held by an agency:
(a) the agency is required or authorised to refuse to provide the individual with access to that personal information under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents; or
Where the information is held by an organisation:
(b) providing access would be reasonably likely to pose a serious threat to the life or health of any individual;
(c) providing access would have an unreasonable impact upon the privacy of individuals other than the individual requesting access;
(d) the request for access is frivolous or vexatious;
(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings;
(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations;
(g) providing access would be unlawful;
(h) denying access is required or authorised by or under law;
(i) providing access would be likely to prejudice an investigation of possible unlawful activity;
(j) providing access would be likely to prejudice the:
(i) prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) protection of the public revenue;
(iv) prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
9.2 Where providing access would reveal evaluative information generated within the agency or organisation in connection with a commercially sensitive decision-making process, the agency or organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
Note: The mere fact that some explanation may be necessary in order to understand information should not be taken as grounds for withholding information under UPP 9.2.
9.3 If an agency or organisation is not required to provide an individual with access to his or her personal information it must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.
9.4 If an organisation charges for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.
Note: Agencies are not permitted to charge for providing access to personal information under UPP 9.4.
9.5 An agency or organisation must provide personal information in the manner requested by an individual, where reasonable and practicable.
9.6 If an agency or organisation holds personal information about an individual that is, with reference to a purpose for which it is held, misleading or not accurate, complete, up-to-date and relevant, the agency or organisation must take such steps, if any, as are reasonable to:
(a) correct the information so that it is accurate, complete, up-to-date, relevant and not misleading; and
(b) notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practicable in the circumstances.
9.7 If an individual and an agency or organisation disagree about whether personal information is, with reference to a purpose for which the information is held, misleading or not accurate, complete, up-to-date or relevant and:
(a) the individual asks the agency or organisation to associate with the information a statement claiming that the information is misleading or not accurate, complete, up-to-date or relevant; and
(b) where the information is held by an agency, no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;
the agency or organisation must take reasonable steps to do so.
9.8 Where an agency or organisation denies a request for access or refuses to correct personal information it must provide the individual with:
(a) reasons for the denial of access or refusal to correct the information, except to the extent that providing such reasons would undermine a lawful reason for denying access or refusing to correct the information; and
(b) notice of potential avenues for complaint.
UPP 10. Identifiers (only applicable to organisations)
10.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:
(a) an agency;
(b) an agent of an agency acting in its capacity as agent;
(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract; or
(d) an Australian state or territory agency.
10.2 Where an identifier has been ‘assigned’ within the meaning of UPP 10.1 an organisation must not use or disclose the identifier unless:
(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency that assigned the identifier;
(b) one or more of UPP 5.1(c) to (f) apply to the use or disclosure; or
(c) the identifier is genetic information and the use or disclosure would be permitted by the new Privacy (Health Information) Regulations.
10.3 UPP 10.1 and 10.2 do not apply to the adoption, use or disclosure by a prescribed organisation of a prescribed identifier in prescribed circumstances, set out in regulations made after the Minister is satisfied that the adoption, use or disclosure is for the benefit of the individual concerned.
10.4 The term ‘identifier’, for the purposes of UPP 10, includes a number, symbol or biometric information that is collected for the purpose of automated biometric identification or verification that:
(a) uniquely identifies or verifies the identity of an individual for the purpose of an agency’s operations; or
(b) is determined to be an identifier by the Privacy Commissioner.
However, an individual’s name or ABN, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth), is not an ‘identifier’.
Note: A determination referred to in the ‘Identifiers’ principle is a legislative instrument for the purposes of section 5 of the Legislative Instruments Act 2003 (Cth).
UPP 11. Cross-border Data Flows
11.1 If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia and an external territory, the agency or organisation remains accountable for that personal information, unless the:
(a) agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to these principles;
(b) individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or
(c) agency or organisation is required or authorised by or under law to transfer the personal information.
Note: Agencies and organisations are also subject to the requirements of the ‘Use and Disclosure’ principle when transferring personal information about an individual to a recipient who is outside Australia.
1. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Rec 18–2.
8. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), [10.86].
9. Office of the Federal Privacy Commissioner, The Use of Data-Matching in Commonwealth Administration—Guidelines (1998).
10. Biometrics Institute, Biometrics Institute Ltd <www.biometricsinstitute.org> at 5 May 2008; Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 10–11; Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [16].
11. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), [9.7].
13. This is different to the regulation of handling of other personal information, which can be collected without consent and used and disclosed for a broader range of purposes: Ibid, [6.103].
14. Ibid, [13.36]. Secrecy provisions are discussed in greater detail below in relation to the ALRC’s current Secrecy Inquiry.
16. Australian Law Reform Commission, Review of Secrecy Laws (DP 74, 2009), Chs 8 and 10.
18. Australian Government Attorney-General’s Department, Terms of Reference—Review of Secrecy Laws (2008).
19. Australian Law Reform Commission, Review of Secrecy Laws (DP 74, 2009), Ch 4.