37.73 With the exception of the ACC, the Integrity Commissioner and staff members of ACLEI, law enforcement agencies and other agencies with law enforcement functions are covered by the Privacy Act and therefore must comply with the IPPs. Section 6(1) of the Privacy Act relevantly provides that, with certain exceptions, an agency includes ‘a body … established or appointed for a public purpose by or under a Commonwealth enactment’. Accordingly, agencies with law enforcement functions, such as ASIC and the Australian Customs Service, fall within the definition of ‘agency’ under the Privacy Act. In addition, the AFP is included expressly within the definition of ‘agency’ under the Act.
37.74 Given the need to balance the interests of privacy with the public interest in law enforcement and the regulatory objectives of government, however, the Privacy Act provides for specific exceptions to a number of the IPPs. Under IPPs 10 and 11, agencies are permitted to use or disclose personal information in certain circumstances. In the context of law enforcement, two exceptions are of particular relevance. IPPs 10.1(c) and 11.1(e) authorise the use or disclosure of personal information if it is ‘reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue’. IPPs 10.1(c) and 11.1(d) also allow the use or disclosure of personal information by agencies if the use or disclosure is ‘required or authorised by or under law’.
37.75 In addition, some IPPs have been interpreted to include law enforcement considerations within their terms. For example, IPP 2 provides that an agency collecting personal information about an individual is to ‘take such steps (if any) as are, in the circumstances, reasonable’ to ensure that the individual concerned generally is aware of the purpose for which the information is being collected and other matters. In the context of the investigation of unlawful activities, ‘reasonable steps’ have been interpreted as including taking no step at all, in circumstances where a suspect should not be alerted to the fact of the collection of personal information about him or her.
37.76 Furthermore, under IPPs 5.2, 6 and 7, if an agency is required or authorised under an applicable federal law to do so, it may refuse to provide an individual with information about what personal information is held about him or her, access to a record or the right to correct or amend documents containing personal information about the individual held by the agency. For example, s 37 of the FOI Act provides that an agency does not have to provide access to, or allow correction of, documents if the disclosure of the document would, or could reasonably be expected to:
prejudice the conduct of an investigation or the enforcement or proper administration of the law in a particular instance;
disclose the existence or identity of a confidential source of information in relation to the enforcement or administration of the law;
endanger the life or physical safety of any person;
prejudice the fair trial or impartial adjudication of a particular case;
disclose lawful methods for dealing with breaches or evasions of the law that would, or would be reasonably likely to, prejudice the effectiveness of those methods; or
prejudice the maintenance or enforcement of lawful methods for the protection of public safety.
37.77 In addition to exceptions to the IPPs that apply to law enforcement agencies, the Privacy Act also contains exceptions to the National Privacy Principles (NPPs) that allow organisations to cooperate lawfully with agencies performing law enforcement functions. These exceptions may allow an organisation to use, disclose, or deny access to, personal information for certain law enforcement or regulatory purposes.
37.78 NPP 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except in specified circumstances. These include the use and disclosure of personal information where it is: for the purposes of reporting or investigating unlawful activity; required or authorised by or under law; and reasonably necessary for a range of activities carried out by, or on behalf of, an enforcement body. The range of activities include:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
37.79 NPP 6.1 provides further that an organisation must, on request by an individual, provide the individual with access to personal information it holds about him or her, subject to certain exceptions. These exceptions include where: providing access would be unlawful; denying access is required or authorised by or under law; providing access would be likely to prejudice an investigation of possible unlawful activity; providing access would be likely to prejudice certain law enforcement activities; and an enforcement body performing a lawful security function asks the organisation not to provide access to the information, on the basis that providing access would be likely to cause damage to the security of Australia.
37.80 The Privacy Act, therefore, in conjunction with other federal legislation (such as the FOI Act), provides a number of exceptions to the privacy principles that allow agencies to carry out their law enforcement activities. One issue raised in this Inquiry is whether these exceptions should instead be provided for by way of an exemption.
37.81 In Chapter 33, a distinction is drawn between exemptions and partial exemptions to the requirements set out in the Privacy Act, and exceptions to the privacy principles. An exemption applies where a specified entity or a class of entity is not required to comply with any of the requirements in the Privacy Act. A partial exemption applies where a specified entity or a class of entity is required to comply with either: some, but not all, of the provisions of the Privacy Act; or some or all of the provisions of the Privacy Act, but only in relation to certain of its activities. An exception, as applied to the privacy principles, applies where a requirement in the privacy principles does not apply to any entity in a specified situation or in respect of certain conduct.
International privacy instruments
37.82 International privacy instruments commonly provide for exceptions to the principles that apply to criminal investigations. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD Guidelines) recognise that member countries may apply the OECD Guidelines differently to different kinds of personal data or in different contexts, such as criminal investigations. The OECD Guidelines also state that criminal investigative activities are one area where, for practical or policy reasons, an individual’s knowledge or consent cannot be considered necessary for the collection of his or her personal data.
37.83 The Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) issued by the European Parliament contains exceptions to the privacy principles, including for the processing of data necessary for the prevention, investigation, detection and prosecution of criminal offences, and concerning public security, state security and the activities of the state in areas of criminal law. Article 13 of the EU Directive provides that member states may provide for exceptions from specified data processing principles if they are necessary to safeguard public security or for the prevention, investigation, detection and prosecution of criminal offences. The principles from which such exceptions are permitted include those relating to: data quality; information to be given to the individual concerned; an individual’s right of access to data; and the publicising of data processing operations.
37.84 Like the EU Directive, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework states that it is not intended to impede governmental activities authorised by law to protect national security, public safety, national sovereignty and other public policy interests.
37.85 Criminal investigation also is a common exception to data protection principles in overseas jurisdictions, such as the United Kingdom, New Zealand and Hong Kong. Under the Data Protection Act 1998 (UK), certain data protection principles do not apply if the application of those principles would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature. The principles that do not apply include: further processing of personal data should be compatible with the original purpose of collection; fair processing by notification to the individual concerned; an individual’s rights of access and correction; data quality; data retention; and an individual’s right to prevent processing.
37.86 The Privacy Act 1993 (NZ) provides for exceptions to some of the information privacy principles contained in that Act, where non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, including: the prevention, detection, investigation, prosecution, and punishment of offences; and the enforcement of a law imposing a pecuniary penalty. The relevant principles include those concerning collection of personal data directly from the individual concerned, notification to individuals about certain matters, and use and disclosure of personal information.
37.87 Hong Kong privacy legislation provides for exceptions to the use and access principles contained in that legislation, where compliance with those principles is likely to prejudice: the prevention or detection of crime; apprehension, prosecution or detention of offenders; and prevention, preclusion or remedying of other unlawful conduct.
37.88 In contrast, some Australian states provide for law enforcement activities in their privacy legislation by way of exemptions rather than exceptions. In New South Wales, for example, there are detailed exemptions for law enforcement bodies, such as the state and territory police force, the New South Wales Crime Commission, the AFP, the ACC, and the state and territory directors of public prosecutions. Similarly, in Victoria, a law enforcement agency is exempt from compliance with certain privacy principles under the Information Privacy Act 2000 (Vic) in specified circumstances.
Discussion Paper question
37.89 In DP 72, the ALRC recognised the need to consider ‘how the protection of personal and sensitive information is best balanced with the broad and unpredictable nature of policing activities’. The AFP observed that, although law enforcement functions and requirements can be understood to be within the terms of the IPPs, there is no explicit recognition of operational policing in the privacy principles concerning collection (IPPs 1–3), and access and correction (IPPs 6 and 7). It suggested that an option for reform would be to extend the exceptions to the IPPs in line with the approach under the EU Directive, and the New South Wales and Victorian privacy legislation. The AFP submitted that this approach would be a more transparent way for the Privacy Act to set out the range of circumstances in which police can collect, analyse, and disclose personal and sensitive information. It stated that this also would clarify the interaction between the Privacy Act, and the secrecy and disclosure provisions in other legislation.
37.90 The ALRC considered that, before it could make a proposal, it would require submissions from a larger number of stakeholders. The ALRC therefore asked whether the Privacy Act should be amended to set out, in the form of an exemption, the range of circumstances in which agencies that perform law enforcement functions are not required to comply with specific privacy principles.
Submissions and consultations
37.91 Some stakeholders opposed the idea of setting out law enforcement functions in the form of an exemption from the Privacy Act, rather than exceptions to the privacy principles. The OPC submitted that exceptions to the privacy principles provide more flexibility and consistency than exemptions.
One of the major advantages of prescribing exceptions to the principles of the Privacy Act, rather than exemptions, is that they could apply to a range of entities when performing certain types of functions … In contrast, given their absolute nature, exemptions may not be sufficiently flexible to accommodate the variety of activities for which an agency may handle personal information. The Office notes that only a portion of an agency’s normal activities may clearly merit being placed outside the general scope of the principles.
37.92 Given the wide range of entities that fall within the definition of an ‘enforcement body’ in the Privacy Act, the OPC submitted that ‘it is unclear how select activities of this diverse group could be adequately captured by an exemption provision without affecting privacy protections relating to other functions’. In addition, the OPC suggested that:
by exempting a limited number of enforcement agencies when performing particular functions, there is a risk that other agencies that occasionally perform similar enforcement functions would have to meet different requirements for handling the personal information. This would create additional inconsistencies and promote regulatory complexity and uncertainty … exceptions are arguably better placed to deal with the handling of personal information by a broader range of entities in specific contexts.
37.93 In addition, the OPC submitted that information-handling practices required under the Privacy Act improve data quality and promote better decision making, especially in the law enforcement context. It noted that decisions based on poor information can have an adverse impact on individuals and the reputation of enforcement agencies, which could in turn undermine community trust and confidence in these agencies and the administration of the law. It was of the view that:
the Privacy Act includes the right balance of requirements and necessary exceptions for the efficient and effective operation of enforcement agencies including intelligence, investigations and public safety functions.
37.94 While PIAC accepted that there is a conflict between law enforcement work and compliance with the privacy principles in some circumstances, it was of the view that a general exemption for agencies that perform law enforcement functions ‘may lead to a perception that these agencies somehow stand outside privacy law’.
37.95 Both the OPC and PIAC also noted that there already are a number of exceptions to the privacy principles that take into account law enforcement considerations, which were reflected in the UPPs.
37.96 Law enforcement and regulatory bodies, on the other hand, supported setting out law enforcement functions as exemptions from the operation of the Privacy Act. The AFP supported a general exemption that allows it to perform all of its functions under the Australian Federal Police Act 1979 (Cth). The Australian Taxation Office (ATO) submitted that both law enforcement and regulatory bodies should be provided with an exemption from compliance with specific privacy principles in a range of circumstances. The ATO argued that its functions in intelligence gathering (such as activities to identify tax avoidance arrangements and promoters), and in safeguarding the financial interests of the state, are recognised as acceptable bases for an exemption from the operation of privacy laws.
37.97 Victoria Police submitted that exemptions for law enforcement agencies are essential in the areas of law enforcement, intelligence, and community policing functions and activities. It suggested that, given the changing nature of policing, community policing functions should be included in a law enforcement exemption.
37.98 It also was submitted that some law enforcement agencies perform both law enforcement and regulatory functions, and that any distinction made in the Privacy Act between law enforcement and regulatory agencies should indicate clearly that some agencies perform both types of functions.
37.99 The Australian Privacy Foundation submitted that law enforcement functions should be set out as exemptions, provided that such exemptions can be justified through a process of public consultation. It suggested that, while some information may need to be withheld from the public consultation process on security grounds, a wholly secret process would not be justified.
37.100 The United Nations Youth Association, the Flinders Law Students’ Association and the Adelaide University Law Students’ Society submitted that privacy laws should not prevent the collection and storage of personal information of convicted offenders, on the basis of an online survey they conducted. The online survey of 332 respondents—the majority of whom were young people undertaking tertiary studies— showed that 73% of respondents believed that new laws allowing the permanent retention of DNA samples from suspects, convicted criminals and prisoners were justified. The student and youth bodies suggested that the result of this survey was ‘broadly consistent with widespread trust in government’, and that the respondents generally seemed ‘unconcerned by mass accruement of information by government’.
Application of the proposed UPPs to law enforcement agencies
37.101 Law enforcement and regulatory bodies raised concerns about the application of some of the proposed UPPs to their activities. In relation to the proposed ‘Anonymity and Pseudonymity’ principle, it was submitted that some law enforcement agencies may require individuals to provide accurate identification. It was argued that a legislative right for an individual to deal with an agency or organisation anonymously or pseudonymously may interfere substantially with the law enforcement agency’s functions.
37.102 Particular concerns were raised about the application of the proposed ‘Collection’ principle to the collection of sensitive information by law enforcement agencies, including that:
law enforcement agencies often collect sensitive information from third parties and therefore should not be required to collect personal information about an individual only from that individual;
it would be impractical and undesirable for law enforcement agencies either to seek the consent of individuals to collect sensitive information, or to prove in every case that the collection is necessary to prevent or lessen a serious threat to the life or health of an individual; and
in some circumstances, it may be difficult for a law enforcement agency to make a case that the collection of sensitive information was ‘required or specifically authorised by or under law’, as some legislation may not specifically authorise certain investigative and intelligence-gathering activities that are a part of the agency’s law enforcement functions.
37.103 Some stakeholders submitted that the application of the proposed ‘Notification’ principle to law enforcement agencies would be problematic, because notifying individuals in relation to personal information collected through intelligence-gathering activities of such agencies would alert the individuals to the fact that they are under investigation. The ATO submitted that a requirement to notify individuals also would be inappropriate where the information used for prosecution or other civil action by law enforcement agencies was initially collected for a different purpose; and when the ATO receives anonymous information about an individual taxpayer that may identify potential tax avoidance and promotional activities. The ATO considered that the requirement to notify individuals in these circumstances would: impose a significant administrative burden on the ATO; reduce the likelihood of detection of tax avoidance arrangements and tax avoidance scheme promoters by putting them on notice of the ATO’s intent; and increase ill-feeling within the community as taxpayers attempt to identify anonymous informants.
37.104 Victoria Police submitted that law enforcement agencies should not be required to comply with the proposed ‘Data Quality’ principle. It argued that, since law enforcement agencies often collect information in anticipation that it may be relevant, the requirement that law enforcement agencies collect only relevant information would hinder their law enforcement capabilities and intelligence capacity.
37.105 One stakeholder submitted that the proposed ‘Identifiers’ principle—which prevents an agency or organisation from adopting an identifier of an individual except in prescribed circumstances—would affect the ability of law enforcement agencies to cooperate on information exchange across government. Concern also was raised as to whether the proposed ‘Cross-border Data Flows’ principle would prevent the transfer of personal information by law enforcement agencies to recipients in other countries where this is required or authorised by legislation.
37.106 Agencies with law enforcement functions should continue to operate within the privacy principles and the applicable exceptions to those principles. The model UPPs are sufficiently flexible to accommodate the functions and operations of agencies with law enforcement and regulatory functions. Exceptions to the UPPs have the advantage of flexibility as they can apply to a range of entities when performing specific functions, and they also are capable of adapting to changing circumstances—for example, when agencies are given or stripped of law enforcement functions—without requiring any amendment to privacy legislation.
37.107 In addition, it is doubtful whether an exhaustive list of exempt activities in relation to each of these agencies would provide more clarity than the exceptions to the UPPs. Currently, there are a number of agencies that perform a diverse range of law enforcement functions—for example, the AFP, the Australian Customs Service, ASIC, the ATO and Centrelink. An exhaustive list of the numerous law enforcement and regulatory functions that these agencies perform in the Privacy Act would render the Act unnecessarily detailed and unwieldy.
37.108 The ALRC notes the submissions by law enforcement and regulatory bodies that considers that the application of the UPPs, as proposed in DP 72, could be problematic. The ALRC has taken these concerns into account and modified the model UPPs where appropriate. For example, the ALRC has removed the proposed requirement that the collection of sensitive information must be ‘specifically authorised by of under law’ to take into account the fact that some legislation may authorise, but not specifically, the collection of sensitive information. In Chapter 16, the ALRC notes that case law on ‘authorised by or under law’ shows that authorisation requires permission and not merely an absence of prohibition. The ALRC accepts the submissions by agencies that the inclusion of the term ‘specifically authorise’ in the Privacy Act arguably may prevent them from relying on implied authorisations to carry out their statutory functions and exercise their powers. The ALRC therefore expresses the view that the term ‘specifically authorised’ should not be adopted in the Privacy Act.
37.109 Further, the ALRC recommends in Chapter 30 that the ‘Identifiers’ principle should apply only to organisations. In Chapter 31, the ALRC recommends that the ‘Cross-border Data Flows’ principle should provide that, where an agency or organisation transfers personal information to a recipient outside of Australia and an external territory, it remains accountable for that information unless, among other things, it is required or authorised by or under law to make the transfer.
37.110 Other concerns raised by law enforcement agencies relate to the interpretation of what is ‘practicable’, ‘reasonable’ or ‘relevant’ in the circumstances. These are issues that can be addressed by guidance issued by the OPC. One concern raised was that the requirement to give an individual the option of dealing with a law enforcement agency anonymously or pseudonymously could interfere substantially with the agency’s law enforcement functions. The ALRC notes, however, that under the ‘Anonymity and Pseudonymity’ principle, agencies and organisations only are required to provide that option where it is lawful and practicable. It is clear that there will be circumstances where a law enforcement agency would not be required to give individuals that option, on the basis that it would not be lawful or practicable to do so. The ALRC therefore does not share the concern that the ‘Anonymity and Pseudonymity’ principle would interfere with the functions of law enforcement agencies.
37.111 Another concern raised by stakeholders is that the requirements under the ‘Notification’ principle may: conflict with the intelligence-gathering process of law enforcement agencies; alert an individual to the fact that he or she is under investigation; or identify an informant. The ‘Notification’ principle, however, only requires that an agency or organisation take reasonable steps to notify an individual or ensure that the individual is aware of certain matters. While taking reasonable steps has been interpreted to include taking no steps in appropriate circumstances, the ALRC has further clarified the requirement by amending the ‘Notification’ principle so that an agency or organisation only is required to ‘take such steps, if any, as are reasonable in the circumstances’ to notify. It is clearly not reasonable to notify an individual of the fact of collection when a law enforcement agency is collecting intelligence on an individual who is suspected of committing an offence, or where to do so would identify an informant during the investigative process. A law enforcement agency, therefore, would not be required to take any steps to notify the individual in those circumstances.
37.112 The ALRC also notes the concern that requiring agencies to collect only relevant information under the ‘Data Quality’ principle may hinder the activities of law enforcement agencies. In this regard, the ALRC notes that IPP 3 also requires an agency to take reasonable steps to ensure that the information it collects is relevant to the purpose of collection. The OPC has advised that, where personal information is generally related to their intelligence-gathering purposes, law enforcement agencies may collect such information even if they do not have an immediate use for it or do not know exactly what the information will be used for—provided that they have good grounds for believing that this kind of information would be of assistance.
37.113 The ALRC notes that the OPC has issued both general and specific guidance on the application of the Privacy Act in the context of unlawful activities and law enforcement. In addition, elsewhere in this Report, the ALRC makes a number of recommendations concerning the development and publication of guidance by the OPC to assist agencies and organisations in complying with the model UPPs. Guidance issued by the OPC should take into account the application of the model UPPs to law enforcement activities and address the concerns raised by law enforcement and regulatory bodies.
 ASIC was established by s 7 of the Australian Securities and Investments Commission Act 1989 (Cth) (superseded) to regulate companies and financial services, and promote investor, creditor and consumer protection under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission Act 2001 (Cth) and other legislation: Australian Securities and Investments Commission Act 2001 (Cth) ss 11, 12A; Australian Securities and Investments Commission, ASIC Annual Report 2006–07 (2007), 32. ASIC continues in existence by virtue of s 261 of the Australian Securities and Investments Commission Act 2001 (Cth). The Australian Customs Service was established by s 4 of the Customs Administration Act 1985 (Cth)to manage the security and integrity of Australia’s border, facilitate the movement of legitimate travellers and goods across the border, and collect border-related duties and taxes under the Customs Act 1901 (Cth), the Customs Tariff Act 1995 (Cth) and other legislation: Australian Customs Service, Annual Report 2006–07 (2007), 5.
 Privacy Act 1988 (Cth) s 6(1).
 Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001), 1.
 Where personal information is used or disclosed for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the agency must include in the record containing that information a note of that use or disclosure: Privacy Act 1988 (Cth) s 14, IPPs 10.2, 11.2.
 See also Ch 16.
Office of the Federal Privacy Commissioner, Taking Reasonable Steps to Make Individuals Aware that Personal Information about Them is Being Collected, Information Sheet 18 (2003), 4–5.
 Privacy Act 1988 (Cth) s 6; sch 3, NPPs 2.1, 6.1.
 Ibid sch 3, NPP 2.1(f)–(h).
 Ibid sch 3, NPP 2.1(h).
 Ibid sch 3, NPP 6.1(g)–(k).
 Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Memorandum, .
 Ibid, Memorandum, .
 European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 13(1)(d).
 Ibid, art 3(2).
 Ibid, art 13. See also European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), recitals 16, 43.
 Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), . See also Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), .
 Data Protection Act 1998 (UK) s 29.
 Privacy Act 1993 (NZ) ss 6 (Principles 2, 3, 10, 11), 27.
 Personal Data (Privacy) Ordinance (Hong Kong) s 58.
 Privacy and Personal Information Protection Act 1998 (NSW) s 3(1).
 Examples of law enforcement agencies include the state or territory police force, the AFP and the ACC: Information Privacy Act 2000 (Vic) s 3.
 Australian Federal Police, Submission PR 186, 9 February 2007.
 Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 34–1.
 Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
 Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
 Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
 Ibid; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
 Australian Federal Police, Submission PR 545, 24 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Victoria Police, Submission PR 523, 21 December 2007.
 Australian Federal Police, Submission PR 545, 24 December 2007.
 Australian Taxation Office, Submission PR 515, 21 December 2007.
 Victoria Police, Submission PR 523, 21 December 2007.
 Confidential, Submission PR 448, 11 December 2007.
 Australian Privacy Foundation, Submission PR 553, 2 January 2008.
 Approximately 15% of respondents disagreed, while 11% of respondents did not know whether the new laws were justified: United Nations Youth Association, Flinders University Students’ Association and Adelaide University Law Students’ Society, Submission PR 557, 7 January 2007.
 See, eg, Victoria Police, Submission PR 523, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.
 Confidential, Submission PR 448, 11 December 2007.
 Victoria Police, Submission PR 523, 21 December 2007; Confidential, Submission PR 448, 11 December 2007.
 Australian Taxation Office, Submission PR 515, 21 December 2007; Confidential, Submission PR 448, 11 December 2007.
 Australian Taxation Office, Submission PR 515, 21 December 2007.
 Victoria Police, Submission PR 523, 21 December 2007.
 Confidential, Submission PR 448, 11 December 2007.
 See Ch 22.
 See Ch 20.
 Office of the Federal Privacy Commissioner, Taking Reasonable Steps to Make Individuals Aware that Personal Information about Them is Being Collected, Information Sheet 18 (2003), 5.
 See Ch 23.
 Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 24, 28.
 See Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001); Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 13, 14, 23, 24, 28; Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998); Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996).
 See Recs 16–2, 19–1, 20–2, 21–2, 21–4, 23–3, 25–3, 28–5, 29–9, 31–7.