Sharing information

14.36 Inconsistent, fragmented and multi-layered privacy regulation can contribute to confusion about how to achieve compliance with privacy regulation. This, in turn, can result in reluctance by agencies and organisations to share information.[48]

14.37 The OPC submitted that some obstacles to appropriate information sharing between agencies and organisations may arise either from misapplication or a ‘risk-averse’ interpretation of privacy laws.[49] The ALRC heard numerous examples of agencies and organisations using ‘because of the Privacy Act’ as an excuse for not providing information.[50] In many cases, however, the Privacy Act 1988 (Cth) would not have prohibited the sharing of the information. For example, a member of the public reported that:

My daughter attends a childcare centre in my local area. One day, the carer commented on how well she was playing with a special friend. When I asked who the special friend was, I was advised that the name of the child, even the first name, couldn’t be released to me due to the provisions of the Privacy Act. This is crazy.[51]

14.38 The complexity of privacy laws can act as a barrier to information sharing between federal, state and territory agencies,[52] and between agencies and organisations.[53] For example, the OVPC submitted that information sharing can be problematic where federal agencies such as Centrelink, the Australian Taxation Office (ATO) and the Electoral Commissioner want bulk access to state datasets because:

  • some states have no privacy law and so provide the information;

  • other states have privacy or other legislative provisions restricting disclosure to jurisdictions that do not have adequate privacy protection in place; and

  • the Commonwealth can override privacy protection in state legislation to collect and use datasets in ways not authorised under, or anticipated by, state law.[54]

14.39 The Queensland Government noted that there is some evidence of inconsistency in privacy regulation affecting national schemes involving the participation of state and territory agencies.

For example, Queensland Transport’s participation in the National Exchange of Vehicle Driver Information System (NEVDIS). Queensland Transport has experienced resistance from counterpart agencies in other states with privacy legislation regarding sharing of information.[55]

14.40 A number of stakeholders noted that a failure to share information because of privacy concerns can impede investigations by law enforcement bodies;[56] prevent health studies;[57] make it impossible to track customers who have stolen rental goods;[58] prevent former ‘wards of the state’ reconnecting with their family members;[59] and result in decisions in family law matters being made without a complete picture of family circumstances.[60] Further, a failure to share information can have grave consequences, such as the death of children who are at risk of abuse and neglect.[61]

14.41 The complexity of privacy laws is a particular issue in the context of service provision to vulnerable people.[62] The Community Services Ministers’ Advisory Council (CSMAC) noted that the range of differing privacy regimes across Australia creates problems for information exchange between jurisdictions, including in the critical area of child protection, where state and territory specific legislation applies. Issues also arise in relation to information exchange within jurisdictions, where some non-government welfare organisations are subject to the Privacy Act, and state and territory agencies must comply with state and territory regimes. CSMAC noted that this inconsistency creates difficulties in relation to the development of memorandums of understanding and other protocols governing the exchange of information.[63]

14.42 Real or perceived restrictions on information sharing by agencies also can have an impact on business. The Regulatory Taskforce noted that barriers to sharing data between different agencies can mean that businesses often are required to supply the same information to multiple agencies, which can contribute to compliance cost.[64]

14.43 Inconsistency and fragmentation in privacy laws should not prevent appropriate information sharing. Information sharing opportunities, which are in the public interest and recognise privacy as a right to be protected, should be encouraged. Rather than preventing appropriate information sharing, privacy laws and regulators should encourage agencies and organisations to design information-sharing schemes that are compliant with privacy requirements or, where necessary, seek suitable exemptions or changes to legislation to facilitate information-sharing projects.

14.44 The ALRC makes a number of recommendations in relation to information sharing throughout this Report. Perhaps the most significant recommendation is the adoption of the model UPPs, any relevant regulations that modify the application of the UPPs, and key definitions at the federal, state and territory level.[65] Many of the real and perceived impediments to information sharing would be removed if the federal, state and territory public sectors and the private sector were required to comply with the same set of privacy principles. Adoption of the same privacy principles also would simplify the task of developing information-sharing protocols and memorandums of understanding. Other relevant recommendations include:

  • redrafting the Act to achieve greater logical consistency, simplicity and clarity;[66]

  • amending the ‘Use and Disclosure’ principle to permit the use and disclosure of a person’s information for a secondary purpose where there is a threat to a person’s life, health or safety that is serious (even if not necessarily imminent);[67]

  • the inclusion of a new exception to allow the sharing of personal information (including sensitive information) for the purposes of non-medical research;[68] and

  • the adoption of provisions that allow public interest determinations and temporary public interest determinations in state and territory laws regulating the public sectors.[69]

Education

14.45 Submissions to the Inquiry have established that many agencies and organisations are not aware of, or do not understand, their obligations under the Privacy Act and state and territory privacy laws. This can have a ‘chilling effect’ on information sharing.

14.46 The NSW Independent Pricing and Regulatory Tribunal (IPART) identified similar issues in its report, Investigation into the Burden of Regulation in NSW and Improving Regulatory Efficiency. IPART recommended that the NSW Government provide guidance to agencies on privacy requirements affecting information sharing between agencies.[70] In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that the OPC provide further guidance to agencies and organisations on privacy requirements affecting information sharing.[71]

Submissions and consultations

14.47 A number of stakeholders, including the OPC,[72] supported this proposal.[73] The Centre for Law and Genetics submitted that:

Privacy must not promote a culture of secrecy, particularly as e-health develops with a capacity for beneficial transmission of personal health information. This Proposal will hopefully promote information sharing in a responsible, ethical and professional fashion within the overriding UPPs and developed contextual rules.[74]

14.48 The National Health and Medical Research Council (NHMRC) also supported the proposal. It noted that the recommended Privacy (Health Information) Regulations will need to be supported by health-specific guidance on privacy requirements affecting information sharing in health care contexts and in health and medical research.[75]

14.49 Centrelink and the Australian Government Department of Human Services submitted that such guidance would be beneficial, but noted that it will need to take into consideration confidentiality provisions that also may protect personal information.[76]

14.50 The Australian Government Department of Human Services submitted that the guidance also should deal with data-matching. The Department noted that much of the information sharing and data-matching undertaken by the agencies within the Human Services portfolio is undertaken pursuant to confidentiality provisions and to that extent would fall outside the OPC’s responsibility. Additionally, legislation that deals with data-matching based on tax file numbers is the responsibility of the Minister for Families, Housing, Community Services and Indigenous Affairs. The Department submitted that the proposal may create a lack of clarity and accountability in relation to responsibilities regarding information sharing and data-matching.[77]

14.51 The School of Public Health at the University of Sydney submitted that the OPC’s guidance should give due regard to the potential cost and privacy benefits of routine linkage of information and the provision of routine de-identified datasets to researchers and organisations concerned with the monitoring and improvement of health and health services.[78]

14.52 The OVPC submitted that the production of guidance alone does not provide adequate privacy protection. It submitted that the Privacy Act and state and territory privacy legislation should include rules about matters such as data-matching, similar to Part X of the Privacy Act 1993 (NZ).[79]

ALRC’s view

14.53 The ALRC notes that information sharing already is the subject of guidance published by the OPC, such as the Plain English Guidelines to Information Privacy Principles and Guidelines to the National Privacy Principles.

14.54 Rather than making a separate recommendation for guidance, in the ALRC’s view, the OPC should consider including some additional matters in existing guidance. For example, the guidance could explain: how the privacy principles operate to allow or prevent the sharing of information in certain circumstances; when a public interest determination, temporary public interest determination or a code will be appropriate; when a privacy impact assessment should be prepared; and the development of memorandums of understanding and protocols in relation to information-sharing schemes.

14.55 This guidance could be prepared in consultation with other bodies with responsibility for information privacy, including state and territory privacy regulators and industry-specific dispute resolution schemes.[80] The guidance should note that agencies and organisations may be subject to confidentiality provisions under federal, state and territory legislation, and that a body other than the OPC may be responsible for the administration of those provisions.

14.56 The ALRC notes the various issues raised by stakeholders in relation to data-matching. In Chapter 10, the ALRC discusses data-matching by agencies and organisations, and recommends that the OPC provide further guidance to organisations on the implications of data-matching.[81]

Guidelines and protocols

14.57 In DP 72, the ALRC proposed that, in the interest of greater transparency, agencies that are required or authorised by legislation or a public interest determination to share personal information should develop and publish documentation that addresses the sharing of personal information; and, where appropriate, publish other documents (including memorandums of understanding and ministerial agreements) relating to the sharing of personal information.[82]

Submissions and consultations

14.58 A number of stakeholders supported this proposal.[83] For example, the ATO submitted that the ALRC’s approach would assist information sharing activities across agencies and promote consistency, awareness of obligations, and a more collaborative approach. The ATO also noted that it already has a number of memorandums of understanding with Australian Government and state government agencies with which it regularly shares information.[84]

14.59 The Queensland Government supported the proposal, provided the publication of such policies does not hinder the intent or purpose of that information sharing.[85] Other stakeholders noted that the publication of documentation relating to the sharing of information could be subject to secrecy provisions and confidentiality considerations.[86]

14.60 The Australian Federal Police (AFP) supported the proposal on the basis that there would be appropriate exemptions for operationally sensitive matters—for example, police methodology.[87] The Australian Government Department of Human Services supported the proposal, but noted that it may not be appropriate to divulge some business processes relating to fraud and compliance.[88]

14.61 Privacy NSW supported the proposal, but suggested that it should apply more broadly to any derogation from the UPPs. It submitted that complainants sometimes find out, after bringing their complaint, that the agency was permitted by law, a public interest direction,[89] or a code to engage in the conduct giving rise to the complaint, including the sharing of information between agencies. Privacy NSW submitted that this information should be made apparent to the individual at the time of collection or at the time of the intended secondary use or disclosure so that individuals do not bring a complaint about a matter that is lawful.[90]

ALRC’s view

14.62 There is a public interest in the subject of the personal information and the public, where appropriate, knowing how agencies share personal information. The ‘Notification’ and ‘Openness’ principles require agencies to divulge when they may use or disclose personal information. These, however, do not require an agency to communicate how personal information will be shared.

14.63 Legislation, codes and public interest determinations that provide for information-sharing programs will not always set out clearly how agencies should implement those programs and protect personal information. Agencies that are required or authorised by legislation, a code or a public interest determination to share personal information, therefore, should develop and publish documentation that addresses the sharing of such information. This documentation may include guidance to assist officers to implement an information-sharing scheme, and protocols that detail how an agency can share information in compliance with privacy requirements.

14.64 Agencies often prepare documents that deal with information sharing. Ministerial agreements to share information and memorandums of understanding between agencies are examples of such documents. In Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the NHMRC considered the legislative scheme establishing the National Criminal Investigation DNA Database—a national DNA database administered by the CrimTrac agency. To achieve greater transparency, the ALRC and AHEC recommended that the Commonwealth, states and territories publish all ministerial agreements for sharing genetic information required under the scheme,[91] as well as protocols for interjurisdictional matching.[92]

14.65 In the interest of greater transparency, agencies that are required or authorised by legislation or a public interest determination to share personal information should develop and publish documentation that addresses the sharing of personal information; and where appropriate, publish other documents (including memorandums of understanding and ministerial agreements) relating to the sharing of personal information.

14.66 The ALRC notes stakeholders’ concerns that it may not always be possible to publish this documentation. The ALRC accepts that it will not always be appropriate to publish this documentation, particularly where the personal information is protected by secrecy provisions or confidentiality, or the publication would reveal operationally sensitive information.

Recommendation 14-1 Agencies that are required or authorised by legislation, a code or a Public Interest Determination to share personal information should, where appropriate, develop and publish documentation that addresses the sharing of personal information; and publish other documents (including memorandums of understanding and ministerial agreements) relating to the sharing of personal information.

Inter-agency working groups

14.67 In its report, Investigation into the Burden of Regulation in NSW and Improving Regulatory Efficiency, IPART considered how regulation in New South Wales, including privacy regulation, has the potential to impede information sharing. IPART concluded that the New South Wales Government should

[c]onvene an inter-agency working group of senior officers (including representatives from Privacy NSW) to identify further opportunities where it would be appropriate (ie, where it would provide net benefits to the community) to share or streamline information among government agencies. This may require an initial stock-take or inventory of current government information requirements.[93]

14.68 In DP 72, the ALRC proposed that the Australian Government should convene an inter-agency working group of senior officers to identify circumstances where it would be appropriate to share or streamline the sharing of personal information among Australian Government agencies.[94]

Submissions and consultations

14.69 A number of stakeholders supported this proposal.[95] The Public Interest Advocacy Centre (PIAC) supported the proposal on the condition that the working group includes, or at a minimum consults with, consumer groups and privacy advocates.[96] The School of Public Health at the University of Sydney submitted that the OPC should work closely with the inter-agency working group and organisations that match or link information to ensure that all such activities occur to consistently high standards.[97]

14.70 Some stakeholders suggested there should be state and territory representation on the working group. For example, the Queensland Government submitted that it would seek representation if a working group on the sharing of information between federal, state and territory law enforcement or related agencies is convened.[98] Another stakeholder noted that a working group should include state government agencies, including licensing authorities, as these agencies are increasingly being used as identity verification agencies.[99]

14.71 Others opposed the proposal. The OPC submitted that the intent of the proposal is unclear and that the working group does not provide the necessary specific and reasoned consideration of privacy obligations.

In the view of the Office, any proposal for sharing information between agencies should be considered and assessed on its own merits by the respective agencies involved, with a view to the necessary legislative requirements and obligations governing the handling of the information. A Privacy Impact Assessment (PIA) of the proposed information sharing project would be a crucial, underpinning element of these considerations. Agencies are encouraged to consult with the Office in regard to privacy risks identified in a PIA.[100]

14.72 The Australian Privacy Foundation submitted that it should not be a function of a privacy law to search out data-sharing opportunities—the immediate need is for a standing body to review any such proposals, whatever their origin, in light of privacy obligations.[101]

ALRC’s view

14.73 Submissions and consultations with stakeholders suggested that regular discussion through an inter-agency working group facilitated information sharing while still accommodating privacy requirements.

14.74 The ALRC notes that it may be useful to convene interjurisdictional inter-agency working groups when the Australian Government wants to share personal information with state and territory government agencies. This will be the case particularly where Australian Government and state and territory government agencies are subject to different legislative requirements, including privacy requirements—although the ALRC’s recommendation for the application of the UPPs across the federal, state and territory public sectors and the private sector should minimise the circumstances in which this issue may arise.

14.75 As noted above, the ALRC encourages information-sharing opportunities that are in the public interest and lessen compliance burdens on agencies, businesses and the community. The ALRC is not of the view, however, that the Australian Government should convene an inter-agency working group of senior officers to identify circumstances where it would be appropriate to share or streamline personal information.

14.76 In the ALRC’s view, it is not appropriate or necessary to convene such a working group. The ALRC agrees with the OPC that any proposal for sharing information between agencies should be considered and assessed on its own merits with a view to the necessary legislative requirements and obligations governing the handling of the information.

Information sharing by law enforcement and intelligence agencies

14.77 Government agencies across the world increasingly are searching for new ways to prevent and solve crime, particularly crimes associated with terrorism.[102] These new methods include new forms of intelligence gathering and the sharing of personal information, often across state, territory and national borders.[103]

14.78 The exchange of personal information among Australian Government agencies and state and territory government agencies for law enforcement purposes is, in most instances, regulated by privacy legislation or administrative schemes.[104] There is, however, a number of exemptions and exceptions that apply to law enforcement and intelligence agencies.

14.79 The Information Privacy Principles (IPPs) do not apply to the acts and practices of certain Australian Government law enforcement and intelligence agencies such as the Australian Crime Commission (ACC), the Australian Security Intelligence Organisation (ASIO) and the Australian Secret Intelligence Service (ASIS).[105] While some of these agencies are regulated by statutory guidelines that address the handling of personal information, the guidelines do not address interjurisdictional information sharing (the sharing of information among federal, state and territory law enforcement and intelligence agencies).[106]

14.80 Section 7 of the Privacy Act exempts the acts and practices of agencies from the operation of privacy principles, if the act or practice relates to personal information that has originated with, or has been received from, specified law enforcement and intelligence agencies; or if the act or practice involves disclosure of personal information to ASIO, ASIS or the Defence Signals Directorate (DSD).

14.81 Law enforcement agencies that are not exempt from the operation of the Privacy Act often will be able to share personal information under one of the exceptions set out in the IPPs. These exceptions include where:

  • the use or disclosure of personal information is required or authorised by or under law;

  • the use or disclosure of personal information is reasonably necessary for the enforcement of the criminal law; or

  • there is a reasonable belief that use or disclosure is necessary to prevent or lessen a serious and imminent threat to life or health.[107]

14.82 A law enforcement exception or exemption often is found in state and territory privacy legislation. For example, the Privacy and Personal Information Protection Act 1998 (NSW) provides that a New South Wales government agency is not required to comply with certain privacy principles if the handling of personal information is reasonably necessary for law enforcement purposes.[108]

14.83 Codes and guidelines on the handling of personal information by law enforcement agencies have been developed by privacy regulators in some jurisdictions.[109] These documents do not, however, deal with interjurisdictional information sharing. Further, law enforcement agencies in some jurisdictions are not subject to any privacy regulation.[110]

14.84 Should the Australian Government develop a framework for the sharing of personal information among Australian Government, and state and territory law enforcement and intelligence agencies? The United States Government has released Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment (the Guidelines).[111] The Guidelines reflect ‘basic privacy protections’, requiring agencies to: identify, among other things, any privacy-protected information to be shared; assess and document applicable legal and policy rules and restrictions; put in place accountability and audit mechanisms, implement data quality and, where appropriate, redress procedures; and appoint a Privacy Official to ensure compliance with the Guidelines.[112]

14.85 In DP 72, the ALRC proposed that the Australian Government, in consultation with state and territory governments, intelligence agencies, law enforcement agencies, and various accountability bodies,[113] should:

  • develop and publish a framework relating to interjurisdictional sharing of personal information within Australia by intelligence and law enforcement agencies; and

  • develop memorandums of understanding to ensure that accountability bodies can oversee interjurisdictional information sharing within Australia by law enforcement and intelligence agencies.[114]

Submissions and consultations

14.86 A number of stakeholders supported this proposal.[115] For example, the OPC submitted that the proposal would be a welcome addition to the public’s understanding of what, when and how information is shared among law enforcement agencies and the accountability mechanisms that govern such activities. The OPC noted that in its submission to the 2007 Parliamentary Joint Committee on the ACC Inquiry into the future impact of serious and organised crime on Australian society,[116] it had suggested that:

government agencies not subject to the statutory privacy regulation should develop and implement information handling practices that incorporate principles similar to those contained within the Privacy Act; and privacy guidelines could be included as part of any memorandum of understanding or agreement between jurisdictions.[117]

14.87 Privacy NSW submitted that Australians should be aware of the information-sharing arrangements in place among Australian intelligence and law enforcement agencies and their international counterparts.[118]

14.88 The AFP supported the proposal if there were appropriate exemptions for operationally sensitive matters—for example, police or intelligence methodology.[119]

14.89 The Australian Government Department of Agriculture, Fisheries and Forestry submitted that the Australian Quarantine and Inspection Service should be included in developing this framework because it has similar interests to those of a law enforcement agency.[120] The Australian Government Department of Human Services supported the proposal. It noted that assistance regarding proof of identity documentation could be provided by other agencies, including those within the Human Services portfolio.[121]

14.90 Some stakeholders supported the proposal, but submitted that the framework should:

  • facilitate information sharing with private sector organisations such as airlines and airports with important security responsibilities;[122]

  • consider the interaction between the law enforcement and intelligence agencies and other agencies that routinely become involved in such processes, such as births, deaths and marriages, Centrelink and licensing authorities;[123] and

  • include an effective mechanism to ensure consumer input into any consultative process.[124]

14.91 Other stakeholders opposed the proposal. One stakeholder argued that law enforcement agencies already have a framework of information sharing or intelligence exchange.[125] Foreign Intelligence Agencies of the Australian Intelligence Community submitted that the ALRC should provide a clearer rationale for the proposal. The Agencies submitted that it is not clear, for example, how existing arrangements might be defective, or might have led to unreasonable intrusions into the privacy of Australians.[126]

ALRC’s view

14.92 The ALRC acknowledges that the broader social interest in national security and law enforcement issues often will override privacy interests. The ALRC is concerned, however, that agencies with responsibility for national security and law enforcement often are exempt from privacy legislation. Further, not all exempt law enforcement and intelligence agencies are subject to statutory guidelines or other rules that govern the sharing of personal information. The ALRC also has found that these rules are not always publicly accessible.

14.93 In the absence of comprehensive rules to deal with the sharing of personal information among federal, state and territory law enforcement and intelligence agencies, the Australian Government should develop a framework relating to interjurisdictional sharing of personal information within Australia by such agencies. In the interest of transparency, this framework should be made available to the public.

14.94 While national security and law enforcement are important, implementation of measures to protect Australian citizens often results in an invasion of an individual’s privacy. The development and publication of a framework relating to interjurisdictional sharing and the development of memorandums of understanding between accountability bodies will help to ensure an appropriate balance between national security, law enforcement and an individual’s right to privacy.

14.95 The framework should be developed in consultation with relevant bodies including state and territory governments, intelligence agencies, law enforcement agencies, and various accountability bodies. These accountability bodies include: the OPC, state and territory privacy commissioners and agencies with responsibility for privacy regulation; bodies with responsibility for overseeing law enforcement and intelligence agencies, including the Australian Commission for Law Enforcement Integrity and the Inspector-General of Intelligence and Security; and federal, state and territory ombudsmen.

14.96 The ALRC does not recommend the development of memorandums of understanding to ensure that accountability bodies can oversee interjurisdictional information sharing within Australia. The ALRC was concerned that this proposal suggested that the oversight powers of some accountability bodies should be extended to cover the acts and practices of law enforcement and intelligence agencies that are not currently within their jurisdiction.

14.97 Instead, the ALRC recommends the development of memorandums of understanding to clarify the existing roles of accountability bodies that oversee interjurisdictional information sharing within Australia by law enforcement and intelligence agencies. This oversight would include reporting and the auditing of law enforcement and intelligence agencies.

Recommendation 14-2 The Australian Government, in consultation with: state and territory governments; intelligence agencies; law enforcement agencies; and accountability bodies, including the Office of the Privacy Commissioner, the Inspector-General of Intelligence and Security, the Australian Commission for Law Enforcement Integrity, state and territory privacy commissioners and agencies with responsibility for privacy regulation, and federal, state and territory ombudsmen, should:

(a) develop and publish a framework relating to interjurisdictional sharing of personal information within Australia by intelligence and law enforcement agencies; and

(b) develop memorandums of understanding to clarify the existing roles of accountability bodies that oversee interjurisdictional information sharing within Australia by law enforcement and intelligence agencies.

[48] This phenomenon is not peculiar to Australia. See, eg, M Apuzzo, ‘Privacy Law Confusion Impedes Sharing’, The Daily Texan (online), 14 June 2007, <www.dailytexanonline.com>; T Tsunetsugu and A Nakamura, ‘Personal Information Law Taken Too Literally’, Daily Yomiuri, 7 April 2007, <www.yomiuri.co.jp>; ‘Stop Using the Privacy Act as an Excuse to Do Nothing’, New Zealand Herald (online), 6 May 2007, <www.nzherald.co.nz>. On 25 October 2007, the Prime Minister of the United Kingdom asked the United Kingdom Government Information Commissioner, Richard Thomas, and Dr Mark Walport, Director of the Wellcome Trust, to carry out an independent review of the use and sharing of personal information in the public and private sectors. The review will consider whether there should be any changes to the way the Data Protection Act 1998 (UK) operates. The review also will make recommendations on how data-sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability. A report of the review will be published in the first half of 2008: United Kingdom Government Ministry of Justice, Data Sharing Review Consultation (2007) <www.justice.gov.uk> at 4 February 2008.

[49] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Government of South Australia, Submission PR 565, 29 January 2008; Insurance Council of Australia, Submission PR 110, 15 January 2007; Australian Privacy Foundation, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 1 March 2005.

[50] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also I Cuncliffe, Submission to Senate Legal and Constitutional Affairs Committee Inquiry into the Privacy Act, 22 February 2005.

[51] National Privacy Phone-In Comment No 607, June 2006.

[52] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Government of South Australia, Submission PR 187, 12 February 2007; NSW Commission for Children and Young People, Submission PR 120, 15 January 2007.

[53] See, eg, Queensland Government, Submission PR 242, 15 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Insolvency and Trustee Service Australia, Submission PR 123, 15 January 2007.

[54] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[55] Queensland Government, Submission PR 242, 15 March 2007.

[56] Commonwealth Ombudsman, Submission PR 202, 21 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007. See also CrimTrac, Submission PR 158, 31 January 2007; Independent Pricing and Regulatory Tribunal of New South Wales, Investigation into the Burden of Regulation in NSW and Improving Regulatory Efficiency: Other Industries—Final Report (2006), 225–226.

[57] Australian Nuclear Veterans Association Inc, Submission PR 324, 24 September 2007.

[58] J Tozzi-Condivi, Submission PR 438, 10 December 2007.

[59] P Slatterie, Submission PR 329, 3 October 2007.

[60] Family Law Council, Submission PR 269, 28 March 2007.

[61] A number of inquiries have considered this issue: see, eg, M Palmer, Report of the Inquiry into the Circumstances of the Immigration Detention of Cornelia Rau (2005) Report to the Australian Government Minister for Immigration and Multicultural Affairs. See also Confidential, Submission PR 327, 28 September 2007; Queensland Government Commission for Children and Young People and Child Guardian, Submission PR 171, 5 February 2007; Community Services Ministers’ Advisory Council, Submission PR 47, 28 July 2006.

[62] D Bowman, Submission PR 330, 19 October 2007; Confidential, Submission PR 326, 28 September 2007; Queensland Government Commission for Children and Young People and Child Guardian, Submission PR 171, 5 February 2007; Community Services Ministers’ Advisory Council, Submission PR 47, 28 July 2006.

[63] Community Services Ministers’ Advisory Council, Submission PR 47, 28 July 2006.

[64] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 56.

[65] See Ch 3.

[66] Rec 5–2.

[67] Rec 25–3.

[68] See Rec 65–2.

[69] See Rec 3–4.

[70] Independent Pricing and Regulatory Tribunal of New South Wales, Investigation into the Burden of Regulation in NSW and Improving Regulatory Efficiency: Other Industries—Final Report (2006), 228.

[71] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 11–1.

[72] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[73] Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[74] Centre for Law and Genetics, Submission PR 497, 20 December 2007.

[75] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[76] Australian Government Centrelink, Submission PR 555, 21 December 2007. See also Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[77] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[78] School of Public Health—University of Sydney, Submission PR 504, 20 December 2007.

[79] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[80] See Rec 17–3.

[81] See Rec 10–4.

[82] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 11–2.

[83] Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Confidential, Submission PR 536, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[84] Australian Taxation Office, Submission PR 515, 21 December 2007.

[85] Queensland Government, Submission PR 490, 19 December 2007.

[86] Medicare Australia, Submission PR 534, 21 December 2007; Confidential, Submission PR 448, 11 December 2007.

[87] Australian Federal Police, Submission PR 545, 24 December 2007.

[88] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[89] A public interest direction under the Privacy and Personal Information Protection Act 1998 (NSW) is similar to a public interest determination under the Privacy Act 1988 (Cth).

[90] Privacy NSW, Submission PR 468, 14 December 2007.

[91] Some state crimes legislation provides for the responsible minister in that state to enter into an arrangement with an Australian Government minister or with CrimTrac to provide for the transmission of information recorded in a state DNA database system to form part of the National Criminal Investigation DNA Database: see, eg, Crimes (Forensic Procedures) Act 2000 (NSW); Crimes Act 1958 (Vic); Criminal Law (Forensic Procedures) Act 2007 (SA).

[92] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 40–4.

[93] Independent Pricing and Regulatory Tribunal of New South Wales, Investigation into the Burden of Regulation in NSW and Improving Regulatory Efficiency: Other Industries—Final Report (2006), 228.

[94] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 11–3.

[95] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Federal Police, Submission PR 545, 24 December 2007; Confidential, Submission PR 536, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Confidential, Submission PR 448, 11 December 2007.

[96] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[97] School of Public Health—University of Sydney, Submission PR 504, 20 December 2007.

[98] Queensland Government, Submission PR 490, 19 December 2007.

[99] P Youngman, Submission PR 394, 7 December 2007.

[100] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[101] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[102] See J Lye and T McNeilly, ‘Current Privacy Issues in National Security’ (Paper presented at Australian Institute of Administrative Law 2006 National Administrative Law Forum, Surfers Paradise, 22–23 June 2006); A Cockfield, ‘Protecting the Social Value of Privacy in the Context of State Investigations Using New Technologies’ (2007) 40(1) University of British Columbia Law Review 41.

[103] See, eg, Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); Anti-Terrorism Act (No 2) 2005 (Cth); Aviation Transport Security Act 2004 (Cth). See discussion of cross-border data flows in Ch 31.

[104] See discussion of state and territory privacy regimes in Ch 2.

[105] See discussion in Ch 37.

[106] These guidelines are discussed in Chs 34 and 37. These agencies also are subject to oversight by the Inspector-General of Intelligence and Security or the Australian Commission for Law Enforcement Integrity.

[107] The ALRC makes a number of recommendations in relation to these exceptions in Part D.

[108] Privacy and Personal Information Protection Act 1998 (NSW) s 23. See also Information Privacy Act 2000 (Vic) s 13.

[109] Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001); Office of the NSW Privacy Commissioner, Privacy Code of Practice: Law Enforcement and Investigative Agency Access to Personal Information Contained in Public Registers.

[110] See discussion in Ch 2.

[111] United States Government Office of the Director of National Intelligence, Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment (2006). The ‘Information Sharing Environment’ has been described as ‘the combination of policies, procedures, and technologies linking the resources (people, systems, databases, and information) of all federal executive branch entities to facilitate terrorism information sharing, access, and collaboration among users in order to combat terrorism more effectively’: Program Manager—Information Sharing Environment, Information Sharing Environment Privacy Guidelines—Frequently Asked Questions (2006) United States Government Office of the Director of National Intelligence <www.ise.gov> at 7 May 2008. See also United States Government, National Strategy for Information Sharing (2007), 27.

[112] Program Manager—Information Sharing Environment, Information Sharing Environment Privacy Guidelines—Frequently Asked Questions (2006) United States Government Office of the Director of National Intelligence <www.ise.gov> at 7 May 2008.

[113] Including the OPC; the Inspector-General of Intelligence and Security; the Australian Commission for Law Enforcement Integrity; state and territory privacy commissioners and agencies with responsibility for privacy regulation; and federal, state and territory ombudsmen.

[114] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 11–4.

[115] Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Law Council of Australia, Submission PR 527, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[116] See Australian Parliament—Parliamentary Joint Committee on the Australian Crime Commission, Inquiry into the Future Impact of Serious and Organised Crime on Australian Society (2007) <www.aph.gov.au> at 6 February 2008.

[117] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[118] Privacy NSW, Submission PR 468, 14 December 2007.

[119] Australian Federal Police, Submission PR 545, 24 December 2007.

[120] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008.

[121] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[122] Confidential, Submission PR 536, 21 December 2007.

[123] P Youngman, Submission PR 394, 7 December 2007.

[124] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[125] Confidential, Submission PR 448, 11 December 2007.

[126] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 466, 13 December 2007.