17.08.2010

Part E—Exemptions

33. Overview: Exemptions from the Privacy Act

Recommendation 33–1 The Privacy Act should be amended to group together in a separate part of the Act exemptions for certain categories of agencies, organisations and entities or types of acts and practices.

Recommendation 33–2 The Privacy Act should be amended to set out in a schedule to the Act exemptions for specific, named agencies, organisations and entities. The schedule should distinguish between agencies, organisations and entities that are completely exempt and those that are partially exempt from the Privacy Act. With respect to partially exempt agencies, organisations and entities, the schedule should specify the particular acts and practices that are exempt.

34. Intelligence and Defence Intelligence Agencies

Recommendation 34–1 (a) The privacy rules and guidelines that relate to the handling of intelligence information concerning Australian persons by the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, the Defence Imagery and Geospatial Organisation, the Defence Intelligence Organisation, the Defence Signals Directorate and the Office of National Assessments, should be amended to include consistent rules and guidelines relating to:

(i) the handling of personal information about non-Australian individuals, to the extent that this is covered by the Privacy Act;

(ii) incidents involving the incorrect use and disclosure of personal information (including a requirement to contact the Inspector-General of Intelligence and Security and advise of incidents and measures taken to protect the privacy of the individual);

(iii) the accuracy of personal information; and

(iv) the storage and security of personal information.

(b) The privacy rules and guidelines should be made available without charge to an individual: electronically on the websites of those agencies; and on request, in hard copy or, where reasonable, in an alternative form accessible to individuals with special needs.

Recommendation 34–2 Section 15 of the Intelligence Services Act 2001 (Cth) should be amended to provide that the ministers responsible for the Australian Secret Intelligence Service, the Defence Imagery and Geospatial Organisation, the Defence Signals Directorate and the Defence Intelligence Organisation:

(a) are required to make written rules regulating the handling of intelligence information concerning individuals by the relevant agency, except where:

(i) the agency is engaged in activity outside Australia and the external territories; and

(ii) that activity does not involve the handling of personal information about an Australian citizen or a person whose continued presence in Australia or a territory is not subject to a limitation as to time imposed by law; and

(b) should consult with the relevant agency head, the Privacy Commissioner, the Inspector-General of Intelligence and Security and the minister responsible for administering the Privacy Act before making privacy rules about the handling of intelligence information.

Recommendation 34–3 The Office of National Assessments Act 1977 (Cth) should be amended to provide that the minister responsible for the Office of National Assessments (ONA):

(a) is required to make written rules regulating the handling of intelligence information about individuals by the ONA, except where:

(i) the ONA is engaged in activity outside Australia and the external territories; and

(b) should consult with the Director-General of the ONA, the Privacy Commissioner, the Inspector-General of Intelligence and Security and the minister responsible for administering the Privacy Act before making privacy rules about the handling of intelligence information.

Recommendation 34–4 Section 8A of the Australian Security Intelligence Organisation Act 1979 (Cth) should be amended to provide that the:

(a) guidelines issued by the minister responsible for the Australian Security Intelligence Organisation (ASIO) must include guidelines regulating the handling of intelligence information about individuals by ASIO, except where ASIO:

(i) is engaged in activity outside Australia and the external territories; and

(b) minister responsible for ASIO should consult with the Director-General of Security, the Privacy Commissioner, the Inspector-General of Intelligence and Security and the minister responsible for administering the Privacy Act before making privacy guidelines about the handling of intelligence information.

Recommendation 34–5 The Privacy Act should be amended to apply to the Inspector-General of Intelligence and Security in respect of the administrative operations of that office.

Recommendation 34–6 The Inspector-General of Intelligence and Security, in consultation with the Office of the Privacy Commissioner, should develop and publish information-handling guidelines in respect of the non-administrative operations of that office.

35. Federal Courts and Tribunals

Recommendation 35–1 The Privacy Act should be amended to provide that federal tribunals, boards and commissions whose primary functions involve dispute resolution, administrative review or disciplinary proceedings are exempt from the operation of the Act except in relation to an act done, or a practice engaged in, in respect of a matter of an administrative nature. The schedule to the Act setting out exemptions should list the specific tribunals, boards and commissions that are partially exempt and specify the extent of their exemption.

Recommendation 35–2 Those federal tribunals, commissions and boards that are partially exempt from the operation of the Privacy Act should develop and publish information-handling guidelines that apply to their activities in respect of matters of a non-administrative nature.

Recommendation 35–3 Federal courts that do not have a policy on granting access for research purposes to court records containing personal information should develop and publish such policies.

36. Exempt Agencies under the Freedom of Information Act

Recommendation 36–1 The Privacy Act should be amended to remove the partial exemption that applies to the Australian Fair Pay Commission under s 7(1) of the Act.

Recommendation 36–2 The following agencies listed in Schedule 2, Part I, Division 1 and Part II, Division 1 of the Freedom of Information Act 1982 (Cth) should be required to demonstrate to the minister responsible for administering the Privacy Act that they warrant exemption from the operation of the Privacy Act:

(a) Aboriginal Land Councils and Land Trusts;

(b) Auditor-General;

(d) Department of the Treasury;

(e) Reserve Bank of Australia;

(f) Export and Finance Insurance Corporation;

(g) Australian Communications and Media Authority;

(h) Classification Board;

(i) Classification Review Board; and

(j) Australian Trade Commission.

The Australian Government should remove the exemption from the operation of the Privacy Act for any of these agencies that, within 12 months from the tabling of this Report, do not make an adequate case for retaining their exempt status.

Recommendation 36–3 The Privacy Act should be amended to remove the partial exemption that applies to the National Health and Medical Research Council.

Recommendation 36–4 Subject to the implementation of Recommendation 42–2 (regulations specifying agencies, including the Australian Broadcasting Corporation and the Special Broadcasting Service, as ‘media organisations’ under the Privacy Act), the Privacy Act should be amended to remove the partial exemption that applies to the Australian Broadcasting Corporation and the Special Broadcasting Service.

37. Agencies with Law Enforcement Functions

Recommendation 37–1 (a) The Australian Crime Commission (ACC), in consultation with the Office of the Privacy Commissioner, should develop and publish information-handling guidelines for the ACC and the Board of the ACC. The information-handling guidelines should address the conditions to be imposed on the recipients of personal information disclosed by the ACC in relation to the further handling of that information.

(b) The Parliamentary Joint Committee on the ACC should monitor compliance by the ACC and the Board of the ACC with the information-handling guidelines.

Recommendation 37–2 (a) The Integrity Commissioner, in consultation with the Office of the Privacy Commissioner, should develop and publish information-handling guidelines for the Integrity Commissioner and the Australian Commission for Law Enforcement Integrity (ACLEI). The information-handling guidelines should address the conditions to be imposed on the recipients of personal information disclosed by the Integrity Commissioner or the ACLEI in relation to the further handling of that information.

(b) The Internal Audit Committee of the ACLEI and the Parliamentary Joint Committee on the ACLEI should monitor compliance by the Integrity Commissioner and the ACLEI with the information-handling guidelines.

38. Other Public Sector Exemptions

Recommendation 38–1 The Department of the Prime Minister and Cabinet, in consultation with the Office of the Privacy Commissioner, should develop and publish information-handling guidelines for Royal Commissions.

39. Small Business Exemption

Recommendation 39–1 The Privacy Act should be amended to remove the small business exemption by:

(a) deleting the reference to ‘small business operator’ from the definition of ‘organisation’ in s 6C(1) of the Act; and

(b) repealing ss 6D–6EA of the Act.

Recommendation 39–2 Before the removal of the small business exemption from the Privacy Act comes into effect, the Office of the Privacy Commissioner should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Act, including by:

(a) establishing a national hotline to assist small businesses in complying with the Act;

(b) developing educational materials—including guidelines, information sheets, fact sheets and checklists—on the requirements under the Act;

(c) developing and publishing templates for small businesses to assist in preparing Privacy Policies, to be available electronically and in hard copy free of charge; and

(d) liaising with other Australian Government agencies, state and territory authorities and representative industry bodies to conduct programs to promote an understanding of the privacy principles.

40. Employee Records Exemption

Recommendation 40–1 The Privacy Act should be amended to remove the employee records exemption by repealing s 7B(3) of the Act.

Recommendation 40–2 The Office of the Privacy Commissioner should develop and publish guidance on the application of the model Unified Privacy Principles to employee records, including when it is and is not appropriate to disclose to an employee concerns or complaints by third parties about the employee.

41. Political Exemption

Recommendation 41–1 The Privacy Act should be amended to remove the exemption for registered political parties and the exemption for political acts and practices by:

(a) deleting the reference to a ‘registered political party’ from the definition of ‘organisation’ in s 6C(1) of the Act;

(b) repealing s 7C of the Act; and

Recommendation 41–2 The Privacy Act should be amended to provide that the Act does not apply to the extent, if any, that it would infringe any constitutional doctrine of implied freedom of political communication or parliamentary privilege.

Recommendation 41–3 Parliamentary departments should be included within the definition of ‘agency’ in the Privacy Act by removing the words ‘other than the Privacy Act 1988’ from section 81(1) of the Parliamentary Services Act 1999 (Cth).

Recommendation 41–4 Before the removal of the exemptions for registered political parties and for political acts and practices from the Privacy Act comes into effect, the Office of the Privacy Commissioner should develop and publish guidance to registered political parties and others to assist them in understanding and fulfilling their obligations under the Act.

42. Journalism Exemption

Recommendation 42–1 The Privacy Act should be amended to define ‘journalism’ to mean the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:

(a) material having the character of news, current affairs or a documentary;

(b) material consisting of commentary or opinion on, or analysis of, news, current affairs or a documentary; or

(c) material in respect of which the public interest in disclosure outweighs the public interest in maintaining the level of privacy protection afforded by the model Unified Privacy Principles.

Recommendation 42–2 The definition of ‘media organisation’ in the Privacy Act should be:

(a) amended to ‘an organisation whose activities consist of or include journalism’; and

(b) expanded to include an agency that has been specified in the regulations. The regulations should specify, at a minimum, the Australian Broadcasting Corporation and the Special Broadcasting Service.

Recommendation 42–3 The Privacy Act should be amended to provide that media privacy standards must deal adequately with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters).

Recommendation 42–4 The Office of the Privacy Commissioner, in consultation with the Australian Communications and Media Authority and peak media representative bodies, should develop and publish:

(a) criteria for adequate media privacy standards; and

(b) a template for media privacy standards that may be adopted by media organisations.

44. New Exemptions or Exceptions

Recommendation 44–1 The Privacy Act should be amended to provide an exception to the:

(a) ‘Collection’ principle to authorise the collection of sensitive information, and

(b) ‘Use and Disclosure’ principle to authorise the use and disclosure of personal information,

where the collection, use or disclosure by an agency or organisation is necessary for the purpose of a confidential alternative dispute resolution process.

Recommendation 44–2 The Office of the Privacy Commissioner, in consultation with the National Alternative Dispute Resolution Advisory Council, should develop and publish guidance on what constitutes a confidential alternative dispute resolution process for the purposes of the Privacy Act.

Recommendation 44–3 The Australian Government should recommend that the Council of Australian Governments consider models for the regulation of private investigators and the impact of federal, state and territory privacy laws on their operations.