Part C—Interaction, Inconsistency and Fragmentation

14. The Costs of Inconsistency and Fragmentation

Recommendation 14–1 Agencies that are required or authorised by legislation, a code or a Public Interest Determination to share personal information should, where appropriate, develop and publish documentation that addresses the sharing of personal information; and publish other documents (including memorandums of understanding and ministerial agreements) relating to the sharing of personal information.

Recommendation 14–2 The Australian Government, in consultation with: state and territory governments; intelligence agencies; law enforcement agencies; and accountability bodies, including the Office of the Privacy Commissioner, the Inspector-General of Intelligence and Security, the Australian Commission for Law Enforcement Integrity, state and territory privacy commissioners and agencies with responsibility for privacy regulation, and federal, state and territory ombudsmen, should:

(a) develop and publish a framework relating to interjurisdictional sharing of personal information within Australia by intelligence and law enforcement agencies; and

(b) develop memorandums of understanding to clarify the existing roles of accountability bodies that oversee interjurisdictional information sharing within Australia by law enforcement and intelligence agencies.

15. Federal Information Laws

Recommendation 15–1 The Freedom of Information Act 1982 (Cth) should be amended to provide that disclosure of personal information in accordance with the Freedom of Information Act is a disclosure that is required or authorised by or under law for the purposes of the ‘Use and Disclosure’ principle under the Privacy Act.

Recommendation 15–2 The Australian Government should undertake a review of secrecy provisions in federal legislation. This review should consider, among other matters, how each of these provisions interacts with the Privacy Act.

Recommendation 15–3 Part VIII of the Privacy Act (Obligations of confidence) should be repealed.

16. Required or Authorised by or Under Law

Recommendation 16–1 The Privacy Act should be amended to provide that ‘law’, for the purposes of determining when an act or practice is required or authorised by or under law, includes:

(a) Commonwealth, state and territory Acts and delegated legislation;

(b) a duty of confidentiality under common law or equity (including any exceptions to such a duty);

(c) an order of a court or tribunal; and

(d) documents that are given the force of law by an Act, such as industrial awards.

Recommendation 16–2 The Office of the Privacy Commissioner should develop and publish guidance to clarify when an act or practice will be required or authorised by or under law. This guidance should include:

(a) a list of examples of laws that require or authorise acts or practices in relation to personal information that would otherwise be regulated by the Privacy Act; and

(b) a note to the effect that the list is intended to be a guide only and that omission from the list does not mean that a particular law cannot be relied upon for the purposes of a ‘required or authorised by or under law’ exception in the model Unified Privacy Principles.

Recommendation 16–3 The Australian Electoral Commission and state and territory electoral commissions, in consultation with the Office of the Privacy Commissioner, state and territory privacy commissioners and agencies with responsibility for privacy regulation, should develop and publish protocols that address the collection, use, storage and destruction of personal information shared for the purposes of the continuous update of the electoral roll.

Recommendation 16–4 The review under s 251 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) should consider, in particular, whether:

(a) reporting entities and designated agencies are handling personal information appropriately under the legislation;

(b) the number and range of transactions for which identification is required should be more limited than currently provided for under the legislation;

(c) it remains appropriate that reporting entities are required to retain information for seven years;

(d) the use of the electoral roll by reporting entities for the purpose of identification verification is appropriate; and

(e) the handling of information by the Australian Transaction Reports and Analysis Centre is appropriate, particularly as it relates to the provision of access to other bodies, including bodies outside Australia.

17. Interaction with State and Territory Laws

Recommendation 17–1 When an Australian Government agency is participating in an intergovernmental body or other arrangement involving state and territory agencies that handle personal information, the Australian Government agency should ensure that a memorandum of understanding or other arrangement is in place to provide for the appropriate handling of personal information.

Recommendation 17–2 State and territory privacy legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territory’s public sector.

Recommendation 17–3 The Office of the Privacy Commissioner should develop and publish memorandums of understanding with each of the bodies with responsibility for information privacy in Australia, including state and territory bodies and external dispute resolution bodies with responsibility for privacy. These memorandums of understanding should

(b) when a matter will be referred to, or received from, each of the bodies;

(c) processes for consultation between the bodies when issuing Public Interest Determinations and Temporary Public Interest Determinations, approving codes and developing rules; and

(d) processes for developing and publishing joint guidance.