Federal information laws

13.17 In Chapter 15, the ALRC considers how the Privacy Act interacts with a number of federal laws that regulate the handling of personal information. Matters addressed in the chapter include: consistent terms and definitions; the interrelationship between the Privacy Act, the Freedom of Information Act 1982 (Cth) (FOI Act) and the Archives Act 1983 (Cth); secrecy provisions; and Part VIII of the Privacy Act (obligations of confidence).

Terms and definitions

13.18 Federal legislation other than the Privacy Act regulates the handling of personal information. Sometimes this legislation adopts different terms or definitions to those used in the Privacy Act. For example, the concept of ‘personal information’ is central to the regime established by the Privacy Act, but other federal legislation adopts different terms such as ‘personal affairs’ to describe similar information. The definitions of other terms used in the Privacy Act also sometimes differ from the same terms in other federal legislation.

13.19 The inconsistent use of terms and definitions in privacy legislation contributes to the complexity of privacy law and may increase compliance burden and cost. The Australian Government should ensure the consistency of definitions and key terms in federal legislation that regulates the handling of personal information. The ALRC acknowledges that there will be occasions, however, when other policy considerations will justify the use of terms or definitions that differ from those used in the Privacy Act.

Freedom of Information Act 1982 (Cth)

13.20 The interrelationship between the FOI Act and the Privacy Act is significant. The FOI Act and the Privacy Act both regulate the way in which information is handled, but the Acts have different objectives. Freedom of information legislation is concerned mainly with transparency in government and protects privacy only to the extent that it prevents the unreasonable disclosure of personal information, and allows an individual to access and correct personal information. In contrast, privacy legislation is focused primarily on data protection and provides for transparency only to the extent that it enhances the information privacy rights of individuals.

13.21 On 24 September 2007, following the release of the ALRC’s Discussion Paper, Review of Privacy (DP 72), the then Attorney-General of Australia requested that the ALRC examine and report on the extent to which the FOI Act and related laws continue to provide an effective framework for access to information in Australia. It is the ALRC’s view that many issues related to the interaction between the FOI Act and the Privacy Act should be considered as part of that review.

13.22 In Chapter 15, however, the ALRC does deal with access to, and correction of, personal information under the Privacy Act and the FOI Act. Both the FOI Act and the IPPs enable individuals to access personal information about them and to correct or annotate that information if it is incorrect, incomplete, out-of-date or misleading. The rights provided by the Privacy Act are found in IPP 6 and IPP 7. The correction rights in the FOI Act are located in Part V and are dependent on the individual having been lawfully provided with the document under the FOI Act or otherwise. A number of stakeholders submitted that the overlap has created confusion for both agencies and the public.

13.23 The ALRC has considered various models for dealing with the overlap, and recommends that an individual’s right to obtain access to, or correction of, his or her own personal information held by an agency should be dealt with under the ‘Access and Correction’ principle of the Privacy Act.

13.24 The ALRC has concluded that an individual’s right to access his or her own personal information should still be subject to the limitations under the FOI Act. Individuals should not be able to obtain access to information under the Privacy Act that would be the subject of an exemption under the FOI Act. In the ALRC’s view, however, an individual’s right to correct his or her own personal information under the Privacy Act should no longer be subject to the limitations of the FOI Act. For example, an individual’s right to correct their own personal information should not be subject to the limitation under the FOI Act that an individual must have been lawfully provided with the document.[8]

13.25 The ALRC has concluded that, for the time being, Part V of the FOI Act should be retained. The issue of whether the FOI Act should continue to regulate access to, and correction of, personal information, however, should be considered as part of the ALRC’s review of the FOI Act and related laws.

Archives Act 1983 (Cth)

13.26 The Archives Act establishes the National Archives of Australia and provides for the preservation of the archival resources of the Commonwealth. It also creates an access regime whereby the public generally has a right of access to Commonwealth records that are more than 30 years old. The Archives Act provides some protection of information relating to the ‘personal affairs’ of any person, including a deceased person.

13.27 It was suggested by one stakeholder that amending the ‘personal affairs’ exemption to apply to ‘personal information’ would protect privacy better, and harmonise the Archives Act with both the Privacy Act and the FOI Act.[9] There was strong opposition to this amendment from other stakeholders. It was noted that the reference to ‘personal affairs’ in the exemption is an appropriate recognition of the different age and sensitivity of the information covered by the Archives Act, and that such an amendment would needlessly restrict access to records and would increase the workload of officers making access decisions under the Act. The ALRC concludes that, in the absence of any identifiable problem in this area, the benefits in changing the exemption to refer to ‘personal information’ do not outweigh the disadvantages of such an amendment.

A single information Act?

13.28 One option for consideration is whether, given the significant overlap between the FOI Act and the Privacy Act, the two Acts should be consolidated into a single Act. A number of overseas jurisdictions have combined freedom of information and privacy legislation. Another option would be to consolidate the FOI Act, the Privacy Act and the Archives Act into a single Act. An example of such legislation is the Information Act 2002 (NT).

13.29 There was little support among stakeholders for combining the Privacy Act, FOI Act and Archives Act. Stakeholders noted that the three Acts have different purposes, and that the ALRC should focus on the harmonisation of the Acts. In the ALRC’s view, the benefits to be gained by combining the Acts do not outweigh the disadvantages occasioned by disturbing the current legislative framework.

A single regulator?

13.30 The ALRC has also considered the option of the same regulator administering the Privacy Act and the FOI Act. This is the case in the Northern Territory, and a number of overseas jurisdictions—for example, the Office of the Information and Privacy Commissioner for British Columbia, the Office of the Ontario Information and Privacy Commissioner, and the United Kingdom Information Commissioner’s Office.

13.31 There was little support for this proposal. It was noted in submissions that the Privacy Act and the FOI Act have a different focus, and should be administered by two different regulators. Further, a number of stakeholders supported a separate body, such as a Freedom of Information Commissioner, to oversee freedom of information at the federal level.

13.32 The ALRC does not recommend the establishment of a single body to administer the Privacy Act and the FOI Act. In the ALRC’s view, however, the Australian Government should establish a statutory office of the FOI Commissioner to oversee the administration of the FOI Act and these functions should be conferred on the Commonwealth Ombudsman.

13.33 The ALRC notes the Australian Government’s election policy document Government Information: Restoring Trust and Integrity which sets out the Government’s proposals for a restructure of freedom of information laws. These proposals include bringing together the functions of privacy protection and freedom of information in an Office of the Information Commissioner. While the ALRC does not recommend a single regulator to administer the Privacy Act and the FOI Act, the ALRC notes that the Government’s policy for an Office of the Information Commissioner is consistent with the ALRC’s recommendations in this Report.

Secrecy provisions

13.34 Federal legislation contains a large number of secrecy provisions that impose duties on public servants not to disclose information that comes to them by virtue of their office. Secrecy provisions usually are based on the need to preserve the secrecy of government operations in order for government to function effectively.

13.35 In DP 72, the ALRC noted that there was no support for having the Privacy Act, rather than secrecy provisions in specific statutes, regulate the disclosure of personal information by agencies. The ALRC considers that it is appropriate that specific statutes include secrecy provisions designed to protect information, because secrecy provisions do not relate solely to personal information. They also protect other information, for example, commercial information, security details and operational information.

13.36 In the ALRC’s view, however, secrecy provisions in federal legislation should be reviewed.[10] This review should consider, among other matters, how each of these provisions interacts with the Privacy Act. The need for such a review has been established by a number of inquiries.

Obligations of confidence

13.37 Part VIII of the Privacy Act (Obligations of confidence) applies where an agency or an employee of an agency (a ‘confidant’) is subject to an obligation of confidence to another person (a ‘confider’) in respect of personal information. Part VIII of the Privacy Act represents an extension of the law of confidentiality in that it extends the right to enforce a duty of confidentiality to the subject of the personal information, not just the confider.

13.38 The ALRC recommends that the confidentiality provisions contained in Part VIII of the Privacy Act be repealed.[11] The ALRC notes that the courts in the United Kingdom have developed the action for breach of confidence so that it now covers the disclosure of information that the defendant knows, or ought to know, is private because such disclosure is a wrongful invasion of privacy. In the ALRC’s view, the common law of Australia should not follow the United Kingdom example of transforming breach of confidence in this way. This is discussed in detail in Part K.

13.39 The ALRC considers that, rather than extending the law of confidentiality, it is more appropriate to enact a statutory cause of action for a serious invasion of privacy. The cause of action will: apply to both agencies and organisations, unlike Part VIII which only applies to agencies; provide broader protection of privacy than that offered by Part VIII; and offer a range of remedies.[12] The ALRC also notes that the provisions of Part VIII have never been used.

[8] These issues are also discussed in Ch 29.

[9] ‘Personal affairs’ is generally considered to be a narrower concept than ‘personal information’.

[10] Rec 15–2.

[11] Rec 15–3.

[12] See Recs 74–1 to 74–5.