Secrecy provisions

15.109 Federal legislation contains a large number of secrecy provisions that impose duties on public servants not to disclose information that comes to them by virtue of their office. Secrecy provisions usually are based on the need to preserve the secrecy of government operations in order for government to function effectively.

15.110 The secrecy interests of agencies and the privacy interests of individuals will sometimes be complementary. For example, both an agency and the subject of information held by the agency might have an interest in non-disclosure of that information to third parties. Those interests, however, may sometimes conflict. For example, a person may want access to his or her personal information to check that it has been recorded correctly and is not being disclosed without his or her consent; but to grant that access could intrude upon the secrecy interests of the agency.

15.111 There are a number of provisions in federal legislation that create general offences in relation to the unauthorised disclosure of official information.[126] There are also secrecy provisions in federal legislation that deal with unauthorised disclosure of information in specific circumstances.[127] Secrecy provisions in federal legislation create criminal offences that attract criminal penalties. The Privacy Act, however, operates as an administrative regime that allows for private remedies such as the award of compensation.[128]

15.112 As noted above, the Privacy Act includes exceptions to some of the IPPs if acts or practices are required or authorised by or under law. Secrecy provisions that prevent disclosure of information will be consistent with IPP 6 as that principle provides an exception for record-keepers that are required or authorised by a federal law to refuse to provide an individual with access to a record.[129] Further, secrecy provisions that provide for disclosure of protected information in certain circumstances will be consistent with IPP 11, as the disclosure is required or authorised by or under law.[130] The exception under IPP 11.1(e) in relation to law enforcement, the enforcement of a pecuniary penalty or the protection of the public revenue also may be relevant in some contexts.[131]

15.113 In 2006, the Privacy Act was amended to insert a new Part VIA into the Act.[132] The object of the Part is to make special provision for the collection, use and disclosure of personal information in emergencies and disasters. Section 80P(1) provides that at any time when an emergency declaration is in force in relation to an emergency or disaster, an entity may collect, use or disclose personal information in certain circumstances. Section 80P(2) provides that an entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by s 80P(1), unless the secrecy provision is a ‘designated secrecy provision’. Designated secrecy provisions include provisions under the Australian Security Intelligence Organisation Act 1979 (Cth) and the Intelligence Services Act 2001 (Cth).[133]

15.114 A number of reviews have considered secrecy provisions in federal legislation.[134] For example, the ALRC considered secrecy provisions in its report Keeping Secrets: The Protection of Classified and Security Sensitive Information (ALRC 98). The ALRC made a number of recommendations, including that the Australian Government should undertake a review of federal secrecy provisions.[135]

15.115 In DP 72, the ALRC considered whether the various secrecy provisions under federal legislation that prohibit Commonwealth public servants from disclosing information contribute to inconsistency and fragmentation in personal information privacy regulation. In particular, the ALRC considered whether the Privacy Act, rather than secrecy provisions in specific statutes,should regulate the disclosure of personal information by Australian Government agencies.

15.116 The ALRC also considered whether there is a need to clarify the relationship between the Privacy Act and other legislation containing secrecy provisions. Some secrecy provisions address the operation of the Privacy Act.[136] Other provisions, however, do not address this issue.[137]

15.117 A number of government agencies noted that they are subject to secrecy provisions, and that the provisions work well.[138] There was no support for having the Privacy Act, rather than secrecy provisions in specific statutes,regulate the disclosure of personal information by Australian Government agencies.[139] In particular, it was noted that the use of specific statutes allows secrecy provisions to be tailored to particular types of protected information and the situation of the agency,[140] and that protecting all personal information under the Privacy Act would not, in some circumstances, provide the level of protection that may be necessary.[141]

15.118 It was also noted in submissions that secrecy provisions can apply to information that includes, but is not limited to, ‘personal information’, enabling a wider range of information to be protected.[142] The Australian Government Department of Health and Ageing noted that providing offences in the Privacy Act could be seen as contrary to the ‘light-touch’ approach that has underpinned the regulation of privacy under the Privacy Act to date.[143] The OPC submitted that it was not appropriate for the Privacy Commissioner to administer and enforce secrecy laws.[144]

15.119 In DP 72, the ALRC did not make any proposals in relation to secrecy provisions, and expressed the preliminary view that information that is currently protected by various secrecy provisions in federal legislation should not be regulated by the Privacy Act. The ALRC also stated that secrecy provisions in federal legislation should be reviewed, noting that the need for this review has been established by a number of inquiries. No submissions on secrecy provisions were received in response to the views expressed in DP 72.

15.120 Information that is currently protected by secrecy provisions in federal legislation should not be regulated by the Privacy Act. In the ALRC’s view, it is appropriate that specific statutes include secrecy provisions designed to protect information. This ensures that an agency’s secrecy responsibilities are tailored to the agency’s circumstances and grouped with its other obligations.

15.121 Secrecy provisions do not relate solely to personal information. They also protect, for example, commercial, security and operational information. Secrecy provisions provide separate and specific standards of protection beyond those afforded by the privacy principles under the Privacy Act. Unlike the privacy principles, the level of protection afforded by secrecy provisions will often vary with the sensitivity of the information concerned.

15.122 The ALRC acknowledges, however, that secrecy provisions may affect adversely the privacy interests of an individual. The ALRC is of the view, therefore, that a privacy impact assessment (PIA) should be prepared when a secrecy provision is proposed in new legislation that may have a significant impact on the handling of personal information.[145] PIAs are discussed in Chapter 47. Further, where a secrecy provision regulates personal information, that provision should address how the requirements under the provision interact with the privacy principles in the Privacy Act.

15.123 Secrecy provisions in federal legislation should be reviewed. The need for this review has been established by a number of ALRC inquiries. In ALRC 77, the ALRC recommended that

a thorough review of all federal legislative provisions that prohibit disclosure by public servants of government held information should be conducted as soon as possible to ensure that they do not prevent the disclosure of information that would not be exempt under the FOI Act.[146]

15.124 As noted above, in ALRC 98 the ALRC also recommended a review of secrecy provisions to ensure that each provision is consistent with the Australian Constitution and to consider the lack of consistency in the fundamental principles and penalty structures in the provisions.[147] The Australian Government should undertake a review of secrecy provisions in federal legislation. This review should consider, among other matters, how each of these provisions interacts with the Privacy Act.

Recommendation 15-2 The Australian Government should undertake a review of secrecy provisions in federal legislation. This review should consider, among other matters, how each of these provisions interacts with the Privacy Act.

[126] See, eg, Crimes Act 1914 (Cth) ss 70 and 79; Criminal Code (Cth) s 91.1.

[127] See, eg, Inspector-General of Taxation Act 2002 (Cth) s 37(1); Gene Technology Act 2000 (Cth) s 187(1); Aged Care Act 1997 (Cth) s 86-2; Australian Prudential Regulation Authority Act 1998 (Cth) ss 5, 56; Australian Postal Corporation Act 1989 (Cth) s 90H; Civil Aviation Act 1988 (Cth) s 32AP(1); Australian Institute of Health and Welfare Act 1987 (Cth) s 29(1); Disability Services Act 1986 (Cth) s 28(2); Australian Security Intelligence Organisation Act 1979 (Cth) s 92. In 1995, the House of Representatives Standing Committee on Legal and Constitutional Affairs reported that there were more than 150 secrecy provisions in federal legislation and more than 100 different statutes that contain such provisions: Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry into the Protection of Confidential Personal and Commercial Information Held by the Commonwealth (1995), xxiv.

[128]Privacy Act 1988 (Cth) pt IIIA creates a range of credit reporting offences: see Part G. The ALRC recommends that the Privacy Act be amended to provide for civil penalties in limited circumstances: see Rec 50–2.

[129] Ibid s 14, IPP 6.

[130] Ibid s 14, IPP 11.1(d).

[131] Taxation legislation includes a number of secrecy provisions which may be said to authorise disclosure of information for the protection of public revenue. See M McLennan, ‘Negotiating Secrecy and Privacy Issues in Government (Pt I)’ (2002) 8 Privacy Law & Policy Reporter 181; M McLennan, ‘Negotiating Secrecy and Privacy Issues in Government (Pt II)’ (2002) 8 Privacy Law & Policy Reporter 193.

[132]Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 (Cth). The Part commenced operation on 7 December 2006.

[133] See Privacy Act 1988 (Cth) s 80P(7).

[134] For example, Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry into the Protection of Confidential Personal and Commercial Information Held by the Commonwealth (1995);

[135] See Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004), Ch 5, Recs 5–1 to 5–5.

[136] See, eg, Australian Prudential Regulation Authority Act 1998 (Cth) s 5(12). The section also contains a note: ‘For additional rules about personal information, see the Privacy Act 1988 (Cth)’.

[137] See, eg, Disability Services Act 1986 (Cth) s 28.

[138] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Australian Bureau of Statistics, Submission PR 96, 15 January 2007.

[139] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Australian Bureau of Statistics, Submission PR 96, 15 January 2007.

[140] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Australian Bureau of Statistics, Submission PR 96, 15 January 2007.

[141] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[142] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[143] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[144]Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[145] See Proposal 47–4.

[146]Australian Law Reform Commission and Administrative Review Council, Open Government: A Review of the Federal Freedom of Information Act 1982, ALRC 77 (1995), Ch 4, Rec 13. See also Australian Law Reform Commission, Privacy, ALRC 22 (1983), [1320].

[147]Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004), Ch 5, Rec 5–2.