16.08.2010
17.19 The Office of the Privacy Commissioner (OPC) submitted to the Inquiry that:
The existing definition for ‘agency’ in the Privacy Act may benefit from additional clauses to clarify currently ambiguous areas of coverage. In particular, coverage of some public authorities created as collaborations between the Commonwealth and the States and Territories by the Council of Australian Governments (COAG) and other Ministerial Councils could be better provided for under the definition of agency in the Privacy Act.[33]
17.20 In DP 72, the ALRC noted that bodies established by cooperative arrangements, such as intergovernmental working groups and officer working groups that assist ministerial councils, often may have to share personal information. The application of privacy regulation to such entities often will be uncertain, as they may not fall within the Privacy Act definition of organisation or agency. Equally, they may not be considered state and territory agencies for the purpose of privacy regulation in other jurisdictions.
17.21 To ensure the protection of personal information held by Australian Government agencies, the ALRC proposed that the Privacy Act be amended to provide that when an Australian Government agency is participating in an intergovernmental body or other arrangement involving state and territory agencies, the Australian Government agency should ensure that a memorandum of understanding (MOU) is in place. An MOU should help to ensure that the intergovernmental body and its members do not act, or engage in a practice, that would breach the Act.
Submissions and consultations
17.22 A number of stakeholders supported the proposal.[34] The Australian Taxation Office (ATO) noted that the ATO already uses MOUs when it shares personal information with state and territory government bodies. These MOUs impose obligations on the parties to protect personal information in accordance with either the Privacy Act or privacy principles specific to their jurisdiction.[35]
17.23 Privacy NSW noted that any such agreement should include a mechanism for complaint handling, dissemination of information about the existence of the agreement, and the means by which individuals can bring complaints against the intergovernmental body.[36]
17.24 The OPC suggested that the definition of ‘agency’ in the Privacy Act, which currently includes a Minister, should describe the specific acts and practices of the Minister that are covered. This would clarify which practices of a Minister are covered and which are exempt.[37]
17.25 The Queensland Government submitted that the requirement should apply only where the participation involves the provision of personal information to the state or territory agency, and that state or territory does not have an equivalent or superior privacy regime (whether statutory or administrative).[38]
17.26 Other stakeholders did not support the proposal. One stakeholder questioned whether the proposal would apply to meetings of Commonwealth and state officials generally, and how the proposal would operate if an intergovernmental body included foreign government representatives.[39] Some stakeholders noted the resource implications of drafting an MOU every time an intergovernmental body was involved in activities which required the handling of personal information. [40]
17.27 The Australian Federal Police submitted that the proposal was unduly prescriptive and unnecessary.
In a law enforcement context, it is standard operating procedure to only provide personal information to other agencies if it is necessary and if the AFP is satisfied that the other party will take appropriate care of the information. A requirement to codify existing practices in this way may unnecessarily impede operational activity as the proposal appears to go further than the analysis in the discussion paper which focused on policy type working groups.[41]
17.28 The National Transport Council (NTC) submitted that the proposal is unnecessary, as participants in intergovernmental bodies are subject to the Privacy Act or state and territory legislation. The NTC suggested that these obligations would not cease to apply when operating in the context of a COAG created body or some other intergovernmental arrangement. The NTC also questioned whether the definition of ‘agency’ under the Privacy Act should cover intergovernmental bodies and COAG created bodies.[42]
ALRC’s view
17.29 The application of privacy regulation to bodies established by cooperative arrangements (such as intergovernmental working groups and officer working groups that assist ministerial councils) often will be uncertain, as they may not fall within the Privacy Act definition of organisation or agency. Equally, they may not be considered state and territory agencies for the purpose of privacy regulation in other jurisdictions.
17.30 The privacy obligations of participants in intergovernmental bodies should be clear. The ALRC recommends, therefore, that when an Australian Government agency is participating in an intergovernmental body, or other arrangement involving state and territory agencies, that handle personal information, the Australian Government agency should ensure that an MOU or other arrangement is in place to ensure appropriate handling of personal information.
17.31 The ALRC notes stakeholder concerns about the resource implications of drafting an MOU every time an intergovernmental body is involved in the handling of personal information. The ALRC has accommodated these concerns. For example, the development of MOUs should not be a statutory requirement under the Privacy Act. Further, the ALRC’s recommendation acknowledges that an intergovernmental body may wish to use an arrangement other than a MOU. For example, an intergovernmental body may wish to use a less formal agreement or protocol to ensure appropriate handling of personal information. The ALRC also notes that the Australian Government could develop a template agreement, protocol or MOU for use by various intergovernmental bodies.
17.32 The recommendation is intended to apply to meetings of federal, state and territory officials or intergovernmental bodies that are required to handle personal information. The recommendation could, however, apply equally to intergovernmental bodies that include representatives from foreign governments.
17.33 The ALRC acknowledges stakeholder concerns about how a complaint would be brought against an intergovernmental body. The MOU should outline how an individual can bring a complaint against an intergovernmental body.
17.34 One of the concerns in relation to intergovernmental bodies is that the acts and practices of some state participants may not be regulated by privacy legislation. This issue will be dealt with adequately by recommendations made in this Report—namely that the states and territories enact legislation regulating the handling of personal information in that state or territory’s public sector that applies the model UPPs, any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act. This will ensure that all state and territory participants are subject to privacy regulation and the same privacy principles.
17.35 The ALRC has considered whether the definition of ‘agency’ under the Privacy Act should be amended to cover intergovernmental bodies and COAG created bodies. In the ALRC’s view, it would be inappropriate for a federal law to regulate state and territory Ministers and government officials in this way. Such an amendment would intrude too heavily on state and territory governments and may raise constitutional issues. It could be considered to be a law that interferes with the ‘existence and nature of a state’.[43]
17.36 The ALRC also has considered whether the definition of ‘agency’ in the Privacy Act, which currently includes a minister, should describe the specific acts and practices of the minister that are covered. In Chapter 41, the ALRC recommends the removal of the political exemption, including the partial exemption that relates to ministers. This will clarify that acts and practices of Australian Government Ministers are regulated by the Privacy Act when they are participating in an intergovernmental body.
Recommendation 17-1 When an Australian Government agency is participating in an intergovernmental body or other arrangement involving state and territory agencies that handle personal information, the Australian Government agency should ensure that a memorandum of understanding or other arrangement is in place to provide for the appropriate handling of personal information.
[33] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[34]Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.
[35]Australian Taxation Office, Submission PR 515, 21 December 2007.
[36]Privacy NSW, Submission PR 468, 14 December 2007. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[37]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[38]Queensland Government, Submission PR 490, 19 December 2007.
[39]Confidential, Submission PR 448, 11 December 2007. See also Privacy NSW, Submission PR 468, 14 December 2007.
[40]Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; National Transport Commission, Submission PR 416, 7 December 2007.
[41]Australian Federal Police, Submission PR 545, 24 December 2007.
[42]National Transport Commission, Submission PR 416, 7 December 2007.
[43] Re Australian Education Union; Ex parte Victoria (1995) 184 CLR 188, 233; Austin v Commonwealth (2003) 215 CLR 185. See discussion in Ch 3.