Inspector-General of Intelligence and Security

Background

34.110 The Inspector-General of Intelligence and Security (IGIS) is an independent statutory office within the Prime Minister’s portfolio. The IGIS was set up under the IGIS Act to ensure that certain intelligence and security agencies conduct their activities within the law, behave with propriety, comply with ministerial guidelines and directions, and have regard to human rights. He or she monitors the activities of intelligence and defence intelligence agencies regularly, conducts inquiries, investigates complaints about these agencies, makes recommendations to the government and provides annual reports to the Australian Parliament.[166]

34.111 Under existing law, the IGIS, as an agency listed in Schedule 2, Part I, Division 1 of the FOI Act, is exempt from compliance with the IPPs.[167] He or she is subject to other provisions of the Act, however, such as the tax file number provisions. In addition, as an exempt agency under the FOI Act, the IGIS is not required under that Act to provide access to information. No policy justification has been given for the IGIS’s exemption from the operation of the Privacy Act. Therefore, the exemption appears to derive from the fact that the IGIS is listed under Schedule 2, Part I of the FOI Act.

34.112 In the 1994 inquiry into the FOI Act, the ALRC and ARC commented that decisions to exempt particular agencies from the FOI Act have tended to be selective.[168] The ALRC and ARC were of the view, however, that the exemption of the IGIS from the operation of the FOI Act was warranted and recommended that the IGIS and other intelligence agencies should remain in Part I of the Act as exempt agencies.[169]

34.113 Currently, there are no privacy rules or guidelines that apply to the IGIS. The IGIS is, however, required to comply with the Protective Security Manual and is subject to secrecy provisions. Part C of the Protective Security Manual sets out minimum standards addressing the use, access, copying, storage, security and disposal of classified information. The privacy protections under the Protective Security Manual, however, are restricted to security classified information and do not deal with other matters under the IPPs, such as the accuracy of personal information. In relation to secrecy, under the IGIS Act, the IGIS or a staff member is prohibited from making a record, or divulging or communicating any information acquired by reason of the person holding or acting in that office.[170] The records of the IGIS also are subject to the Archives Act 1983 (Cth), which deals with the custody, destruction and disposal of Commonwealth records, including the records of the IGIS.[171]

34.114 The IGIS is directly accountable to the Prime Minister and must provide the Prime Minister annually with a report on the IGIS’s activities. The Prime Minister may make deletions from the IGIS’s annual report before tabling it in Parliament, if he or she considers that the deletion is necessary ‘to avoid prejudice to security, the defence of Australia, Australia’s relations with other countries or the privacy of individuals’. A full copy of the report is provided to the Leader of the Opposition, who must treat as secret any part of the report that is not tabled in Parliament.[172]

34.115 In Canada and New Zealand, bodies overseeing the work of security and intelligence agencies are subject to privacy legislation, but may refuse to disclose personal information under certain circumstances. In Canada, the Office of the Inspector General of the Canadian Security Intelligence Service and the Security Intelligence Review Committee are subject to federal privacy legislation.[173] They may refuse to disclose any personal information requested, however, if the information was obtained or prepared by any government institution that is a specified investigative body in the course of lawful investigations relating to activities suspected of constituting threats to the security of Canada.[174]

34.116 Similarly, in New Zealand, the Inspector-General of Intelligence and Security and the Intelligence and Security Committee are covered by the Privacy Act 1993 (NZ). They may refuse to disclose any information, however, if the disclosure would be likely to prejudice: the security or defence of New Zealand; the international relations of the Government of New Zealand; or the entrusting of information to the Government of New Zealand on a confidential basis by foreign governments, their agencies or any international organisation.[175]

34.117 In contrast, in the United Kingdom, personal data are exempt from any of the data protection principles and other provisions of the Data Protection Act 1998 (UK) if the exemption from that provision is required for the purpose of safeguarding national security.[176]

34.118 In DP 72, the ALRC considered whether the exemption that applies to the IGIS under the Privacy Act should be retained. The ALRC noted that few stakeholders commented specifically on the exemption that applies to the IGIS. Several stakeholders suggested, however, that the exemption of any Australian Government agencies, including those specified in Schedule 2, Part I, Division 1 of the FOI Act, should be justified and limited to the extent possible.[177] It also was submitted that any difficulties that compliance with privacy principles might cause for such agencies should be dealt with by means of selective exceptions to particular principles.[178]

34.119 The ALRC observed that much of the personal information handled by the IGIS would have originated with, or have been received from, an intelligence agency or a defence intelligence agency, and therefore would be excluded from the operation of the Privacy Act. The ALRC noted, however, that other records held by the IGIS also may contain security sensitive information. Accordingly, the ALRC expressed the preliminary view that some exemption from the Privacy Act should continue to apply to the IGIS, but that there is no policy justification for the exemption to extend to the IGIS’s administrative records. The ALRC therefore proposed that the Privacy Act be amended to apply to the IGIS in respect of the administrative operations of his or her office.[179] In addition, the ALRC proposed that the IGIS, in consultation with the OPC, develop and publish information-handling guidelines to ensure that the personal information handled by the IGIS is protected adequately.[180]

Submissions and consultations

34.120 There was support, including from the IGIS, for the proposal that the Privacy Act be amended to apply to the IGIS in respect of the administrative operations of that office.[181] The IGIS stated that he considered the proposal to be ‘both reasonable and practically achievable’, and noted that it would be

most unlikely that subjecting … administrative records [of the office of the IGIS] to the requirements of the Privacy Act would reduce the effectiveness of the agency or compromise national security.[182]

34.121 The OVPC supported the proposal, on the basis that the exemption provision should be limited to specific acts and practices rather than the entire entity.[183]

34.122 The OPC did not have any specific comment on the substance of the ALRC’s proposal, but suggested that ‘entities with similar functions [should] be treated consistently under the Privacy Act’s exemption provisions’. The OPC also stated that the proposal is consistent with the OPC’s general position that exemptions from the operation of the Privacy Act should be minimised, and justified on the basis of clear and compelling public interest.[184]

34.123 A number of stakeholders supported the proposal that the IGIS, in consultation with the OPC, develop and publish information-handling guidelines.[185] For example, the OPC stated that all entities, regardless of whether they are covered by the Privacy Act, should implement a set of information-handling standards. It suggested that information-handling standards for the IGIS could be adapted from the privacy principles, while taking into account the requirements of national security. The OPC also noted that it would be appropriate for the minister responsible for the IGIS to consult with the Privacy Commissioner specifically, rather than with the OPC.[186]

34.124 The OVPC submitted that guidelines may be an appropriate way to provide some protection for personal information gathered by the IGIS from state databases. The OVPC also argued that, while there may be good reasons for exemptions, guidelines promote transparency by communicating the reasons for the collection of personal information.[187]

34.125 The IGIS, however, did not support the proposal. He suggested that the proposed information-handling guidelines would not increase the level of protection provided by the current ‘robust and reasonable protective framework’ for personal information handled by the IGIS. The IGIS submitted that, while there are currently no information-handling guidelines that are specific to the IGIS, his office

handles personal information in accordance with protocols and procedures that are entirely consistent with the policy objectives of the Privacy Act and necessarily closely aligned with those of the [Australian intelligence community].[188]

34.126 The IGIS advised that his office handles three broad categories of personal information: (a) information relating to employees; (b) information distributed to the office of the IGIS in the intelligence product of the intelligence and defence intelligence agencies or otherwise accessed in the course of the work of that office; and (c) information received from members of the Australian public. In relation to personal information of employees, the IGIS stated that the adoption of the proposal that the IGIS be covered by the Privacy Act in respect of the administrative operations of his or her office would make it unnecessary to subject the IGIS to information-handling standards.[189]

34.127 The IGIS submitted that personal information contained in the intelligence and defence intelligence agencies’ intelligence product is rightly exempt from the Privacy Act. The IGIS considered that subjecting such personal information to information-handling guidelines would be inconsistent with the policy objective underlying s 7(1)(f) of the Privacy Act, which excludes from the coverage of the Act personal information that has originated, or been received from, an intelligence agency or a defence intelligence agency.[190]

34.128 As regards personal information received by the IGIS from members of the public, the IGIS submitted that this category of personal information has a connection with records that originated with, or were received from, an intelligence agency or a defence intelligence agency. The information usually relates to complaints made by members of the public about such an agency. The IGIS stated that the IGIS’s protocols and procedures for the management of that information reflect the existing framework set out in the IGIS Act, the Archives Act and the Protective Security Manual—and, in particular, the secrecy provision under s 34 of the IGIS Act, which establishes a robust legislative regime protecting information handled by the IGIS. The IGIS stated that he was ‘particularly conscious of the impact an allegation or finding of misuse of information, including unauthorised disclosure, would have on [the] office’. He submitted that the effectiveness of the existing protocols and procedures is demonstrated by the fact that ‘in the 20 years since [the] office was established there has never been a credible or substantiated allegation of this kind made’.[191]

ALRC’s view

34.129 The IGIS performs an important oversight role in ensuring that intelligence and defence intelligence agencies act legally, with propriety, in compliance with ministerial directions and with regard to human rights. In performing this role, the IGIS handles records that have originated with, or have been received from, these agencies. Consequently, much of the personal information handled by the IGIS would have originated with, or have been received from, the intelligence and defence intelligence agencies. Although these records are excluded from the operation of the Privacy Act, other records held by the IGIS also may contain security sensitive information—for example, such information may be contained in the IGIS’s internal working documents that relate to the work of the intelligence and defence intelligence agencies. Accordingly, the ALRC is of the view that some exemption from the Privacy Act should continue to apply to the IGIS.

34.130 There is, however, no policy justification for the exemption to extend to the IGIS’s administrative records. Unlike the intelligence and defence intelligence agencies, the IGIS is not bound by ministerial privacy rules or guidelines and its operations are subject only to oversight by the Prime Minister. The ALRC recommends, therefore, that the IGIS be brought under the Privacy Act in respect of his or her office’s administrative operations, such as the handling of employee records. The ALRC notes that this was supported by the IGIS, who stated that coverage of IGIS’s administrative operations under the Privacy Act would be unlikely to affect the effectiveness of his office or compromise national security. In light of the above, the ALRC agrees with the IGIS that it would be unnecessary to subject the IGIS’s administrative records to additional information-handling guidelines.

34.131 In Chapter 33, the ALRC expresses the view that, where an entity is exempt, either completely or partially, from the operation of the Privacy Act, appropriate information-handling guidelines should be in place to ensure that the handling of personal information not covered by the Act would be protected adequately. As noted above, the handling of records that have originated with, or have been received from, an intelligence agency or a defence intelligence agency by the IGIS is not subject to any specific privacy rules or guidelines. While the existing framework set out in the IGIS Act, the Archives Act and the Protective Security Manual addresses some privacy issues, it does not deal with other matters under the UPPs, including openness, data quality and cross-border data flows. As a matter of best practice, therefore, the IGIS should be subject to information-handling guidelines in respect of the non-administrative operations of his or her office, to be developed and published in consultation with the OPC. The guidelines should address the full spectrum of privacy issues that are dealt with under the UPPs. The development and publication of such guidelines would promote transparency in the handling of personal information by the IGIS and help to ensure public confidence in the intelligence system.

Recommendation 34-5 The Privacy Act should be amended to apply to the Inspector-General of Intelligence and Security in respect of the administrative operations of that office.

Recommendation 34-6 The Inspector-General of Intelligence and Security, in consultation with the Office of the Privacy Commissioner, should develop and publish information-handling guidelines in respect of the non-administrative operations of that office.

[166] Inspector-General of Intelligence and Security Act 1986 (Cth) pt II; Inspector-General of Intelligence and Security, Frequently Asked Questions <www.igis.gov.au/faq’s.cfm> at 7 April 2008.

[167] Privacy Act 1988 (Cth) s 7(1)(a)(i)(B), (2).

[168] Australian Law Reform Commission and Administrative Review Council, Freedom of Information, IP 12 (1994), [12.4].

[169] Australian Law Reform Commission and Administrative Review Council, Open Government: A Review of the Federal Freedom of Information Act 1982, ALRC 77 (1995), Rec 74.

[170] Inspector-General of Intelligence and Security Act 1986 (Cth) s 34.

[171] Section 6 of the Archives Act 1983 (Cth) empowers the National Archives of Australia to acquire or authorise the disposal or destruction of Commonwealth records, except specified exempt records. Exempt records include, for example, information or matter the disclosure of which could reasonably be expected to cause damage to the security, defence or international relations of the Commonwealth; and information communicated in confidence by or on behalf of a foreign government, an authority of a foreign government or an international organisation, the disclosure of which under the Archives Act would constitute a breach of that confidence: Archives Act 1983 (Cth) s 33(1).

[172] Inspector-General of Intelligence and Security Act 1986 (Cth) s 35.

[173] Privacy Act RS 1985, c P-21 (Canada) s 3 (definition of ‘government institution’).

[174] Ibid s 22.

[175] Privacy Act 1993 (NZ) s 27.

[176] Data Protection Act 1998 (UK) s 28.

[177] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Commonwealth Ombudsman, Submission PR 202, 21 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[178] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[179] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 31–6.

[180] Ibid, Proposal 31–7.

[181] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Inspector-General of Intelligence and Security, Submission PR 432, 10 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[182] Inspector-General of Intelligence and Security, Submission PR 432, 10 December 2007.

[183] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[184] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[185] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[186] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[187] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[188] Inspector-General of Intelligence and Security, Submission PR 432, 10 December 2007.

[189] Ibid.

[190] Ibid.

[191] Ibid.