Required or authorised by or under law

13.40 Chapter 16 considers the meaning of the phrase ‘required or authorised by or under law’. The chapter then examines a number of federal Acts that require or authorise acts and practices for the purposes of the Privacy Act. These laws include the Census and Statistics Act 1905 (Cth), the Corporations Act 2001 (Cth), the Commonwealth Electoral Act 1918 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). The interaction between these laws and the Privacy Act has been the subject of recent public debate.

The meaning of ‘required or authorised by or under law’

13.41 An act or practice required or authorised by or under law is an exception to a number of the IPPs and the NPPs. The ALRC recommends that acts or practices that are required or authorised by or under law should be an exception to a number of the model UPPs.

13.42 There is a public expectation that governments are able to make laws to facilitate the handling of information in certain appropriate and necessary ways. The required or authorised by or under law exception reflects this expectation.

13.43 The scope of the exception, however, requires clarification. Submissions noted that the ambiguity in the operation of this exception can create uncertainty for individuals, agencies, organisations and privacy regulators. The ALRC discusses various methods to clarify the scope of the exception and suggests that clear references to the required or authorised by or under law exception be included in any future legislative provisions that intend to rely on the exception.

13.44 The ALRC has concluded that the exception should be clarified by amending the Privacy Act to provide that ‘law’ for the purposes of determining when an act or practice is required or authorised by or under law includes Commonwealth, state and territory Acts and delegated legislation; a duty of confidentiality under common law or equity (including any exceptions to such a duty); an order of a court or tribunal; and documents that are given the force of law by an Act, such as industrial awards.[13]

13.45 The ALRC also recommends that the OPC should develop and publish guidance to clarify when an act or practice will be required or authorised by or under law.[14] This guidance should include a list of examples of laws that require or authorise acts or practices in relation to personal information that would otherwise be regulated by the Privacy Act.

Census and Statistics Act 1905 (Cth)

13.46 The Australian Bureau of Statistics (ABS) conducts a census of population and housing every five years in accordance with the Census and Statistics Act. The census is regarded as the most important source of statistical information in Australia. The information from the census is used to produce statistical data for use by governments, as well as academics, industry, businesses and private individuals.

13.47 Stakeholders raised a number of issues concerning two recent developments in relation to the census—the retention for 99 years of name-identified information collected in the census, and a proposal to enhance the value of the census by combining it with future censuses and possibly other datasets held by the ABS. The ALRC does not make a recommendation in relation to these developments. In the ALRC’s view, the Privacy Act and the Census and Statistics Act continue to provide adequate protection of personal information collected as part of the census.

Corporations Act 2001 (Cth)

13.48 Section 168 of the Corporations Act requires companies and registered schemes to maintain a register of members, and, if relevant, a register of option holders and a register of debenture holders. The Corporations Act also requires companies to allow anyone to inspect these registers.

13.49 A number of issues in relation to registers of members were raised in submissions. The ALRC does not, however, make any recommendations concerning the availability of registers of members. The ALRC notes the significant public interest in disclosure of those who have control or an interest in a company. Further, the Corporations Act, and regulations made under it, provide significant protection of personal information held on a register of members.

Commonwealth Electoral Act 1918 (Cth)

13.50 Part VI of the Commonwealth Electoral Act provides for the establishment of an electoral roll. It is compulsory for all eligible persons in Australia to maintain continuous enrolment on the Commonwealth electoral roll for the purposes of federal elections and referendums. The names and addresses of all electors on the Commonwealth electoral roll are available for public inspection in various formats specified under the Act.

13.51 A range of issues raised in submissions related to the handling of personal information held on the electoral roll. In particular, the ALRC heard concerns about the use of old electoral rolls for unauthorised purposes, such as direct marketing. The ALRC notes that if the exemption under the Privacy Act that applies to registered political parties and political acts and practices is not removed, the Commonwealth Electoral Act should be amended. This amendment should provide that prescribed individuals, authorities and organisations to whom the Australian Electoral Commission must give information from the electoral roll and certified lists of voters must take reasonable steps to protect the information from misuse and loss and from unauthorised access, modification or disclosure. Such information should also be destroyed or rendered non-identifiable if it is no longer needed for a permitted purpose.

13.52 The ALRC recommends that the Australian Electoral Commission and state and territory electoral commissions, in consultation with the OPC, state and territory privacy commissioners and agencies with responsibility for privacy regulation, develop and publish protocols that address the collection, use, storage and destruction of personal information shared for the purpose of the continuous update of the electoral roll.[15]

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)

13.53 The AML/CTF Act is intended to enable individual businesses to minimise money laundering and terrorism financing risks. The Act sets out the primary obligations of ‘reporting entities’ when providing ‘designated services’. A ‘reporting entity’ is a financial institution, or other person who provides ‘designated services’. A large number of ‘designated services’ are listed in the Act, including opening an account, making a loan, and supplying goods by way of hire purchase.

13.54 The Act requires a reporting entity to carry out a procedure to verify a customer’s identity before providing a designated service to the customer. In addition, a reporting entity must give the Australian Transaction Reports and Analysis Centre (AUSTRAC) reports about suspicious matters, and must have and comply with an anti-money laundering and counter-terrorism financing program. Part 11 of the Act provides that the Australian Taxation Office and certain other ‘designated agencies’ may access AUSTRAC information. ‘Designated agencies’ include a large number of Australian Government agencies as well as some state and territory agencies. The Act requires designated agencies to comply with the IPPs in respect of AUSTRAC information.

13.55 The AML/CTF Act is the result of an extensive consultation process and has been the subject of a number of recent inquiries. The ALRC, therefore, restricts its consideration of the Act to issues raised in submissions to this Inquiry. The ALRC recommends that the statutory review of the AML/CTF Act mandated by s 251 of the Act should consider a number of matters, including whether reporting entities and designated agencies are handling personal information under the legislation appropriately.[16]

[13] Rec 16–1.

[14] Rec 16–2.

[15] Rec 16–3.

[16] Rec 16–4.