Data matching

14.94 Data matching has been described by the Privacy Commissioner as ‘the large scale comparison of records or files … collected or held for different purposes, with a view to identifying matters of interest’.[106] The sharing of information through data matching may need to take place:

    • where there is a crisis or national emergency;

    • to better examine information held by government, by analysing and integrating information held across a number of different portfolios;

    • to integrate service delivery, for example, between the ATO and Centrelink, or between Centrelink and a private employment service provider; and

    • to manage areas of joint activity by encouraging the sharing of information with the Australian Government, across jurisdictions and with the private sector.[107]

14.95 In a submission to this Inquiry, the Australian Commission for Law Enforcement Integrity said that ‘[a]s in many other areas of government, collecting, analysing and sharing information is at the heart of law enforcement activity’:[108]

In recent decades, digital data storage and retrieval systems have become powerful intelligence aids in the investigation of serious crime. Technology and enhanced cooperation between jurisdictions have enabled unprecedented sharing of information about individuals, groups, property and other assets, and events.

Together, these advances and the legal framework have allowed law enforcement officers to perform their legitimate work more quickly and effectively than has previously been the case.[109]

14.96 However, data-matching is also associated with privacy risks and community concern. As noted by the Privacy Commissioner, data matching may involve the:

    • use of personal information for purposes other than the reasons it was collected—which may not be within the reasonable expectations of the individuals to whom the information relates;

    • examination of personal information where there are no grounds for suspicion, sometimes without the knowledge of the individuals to whom the information relates; and

    • retention of matched information by agencies for potential future use.[110]

Legislative framework

14.97 Agencies wishing to undertake data-matching activities must comply with a number of laws including the Privacy Act 1988 (Cth), Data-matching Program (Assistance and Tax) Act 1990 (Cth) and secrecy provisions.

Privacy Act

14.98 As discussed in Chapter 16, the Privacy Act imposes obligations on Australian Government agencies and private-sector organisations (as defined in that Act) in relation to the handling of personal information, which may impact on data-matching activities. For example, under Information Privacy Principle (IPP) 10, an agency may only use personal information for a purpose other than the primary purpose of collection where one of the specified requirements has been met—for example, where the individual has consented or the use is reasonably necessary for the purpose of law enforcement.[111] Similar requirements apply to disclosure of information under IPP 11.[112]

Data-matching Program (Assistance and Tax) Act

14.99 The Data-matching Program (Assistance and Tax) Act and related guidelines regulate the use of tax file numbers to match data held by certain agencies, such as the ATO and Centrelink. The Privacy Commissioner monitors, and has powers to enforce, compliance with the Act and the Guidelines. However, the Data-matching Program (Assistance and Tax) Act and Guidelines only apply to a limited subset of data-matching activities.

14.100 The Privacy Commissioner has issued voluntary guidelines for agencies that engage in other data-matching practices, which aim to ensure that these programs ‘are designed and conducted in accordance with sound privacy practices’.[113] Although the guidelines are not legally binding, a number of agencies have agreed to comply with them.[114] In summary, the voluntary guidelines require agencies to give public notice of any proposed data-matching program; prepare and publish a ‘program protocol’ outlining the nature and scope of a data-matching program; provide individuals with an opportunity to comment on matched information if the agency proposes to take administrative action on the basis of it; and destroy personal information that does not lead to a match.[115]

14.101 The ALRC considered the application of these laws and guidelines in the 2008 Report, For Your Information: Australian Privacy Law and Practice (ALRC 108), including whether there was a need for the data-matching programs that fall outside the Data-matching Program (Assistance and Tax) Act to be regulated more formally.[116] The ALRC did not consider that a case had been made out for making these guidelines mandatory. Rather, the ALRC suggested that the Office of the Privacy Commissioner could exercise its function of researching and monitoring technology to review the adequacy of, and compliance with, the existing guidelines if it deemed this to be necessary.[117]

Secrecy provisions

14.102 Unless a relevant exception applies, secrecy provisions may prevent the disclosure of Commonwealth information for the purpose of data matching. The impact of a secrecy provision on potential data-matching activities will be most acute where the provision regulates a broad category of information in the absence of an express harm requirement. Any exceptions or defences that are available will also be relevant.

14.103 In the 1995 inquiry into the protection of confidential personal and commercial information held by government conducted by the House of Representatives Standing Committee on Legal and Constitutional Affairs, the Committee heard that secrecy provisions frequently impeded the flow of information from one department to another. In its evidence to the Committee, the AGD took the view that secrecy provisions were developed to prevent disclosure of official information to the public, but were too inflexible to meet the increasing need to transfer information within government, for example across the taxation, health and social security areas.[118]

Submissions and consultations

14.104 In IP 34, the ALRC asked about any concerns arising from the interaction between secrecy provisions and data-matching laws and practices.[119] Liberty Victoria warned that data matching, while ‘an invaluable tool’, is sometimes ‘poorly handled’ and carries the risk of inadvertent disclosure:

Liberty Victoria believes that data matching should only occur after thorough risk and cost/benefit analyses have been done. Moreover, where data from two or more classes is combined, the highest classification standard should apply. If implemented correctly, data matching and secrecy provisions should work together to ensure only necessary data matching is undertaken with appropriate safeguards.[120]

14.105 The importance of robust controls was echoed by AUSTRAC, which stated that the ability to share information is critical to its operations and that current guidelines provided a good framework for meeting privacy concerns:

AUSTRAC’s ability to combat money laundering and terrorism financing depends upon receiving and sharing information with a wide variety of designated agencies. Moreover, the ability to cross reference various sets of data supplied has proved to significantly enrich the value of AUSTRAC financial intelligence and its contribution to operational success for AUSTRAC and designated agencies.

Bulk data matching can have significant benefits. However, it is crucial that any data matching exercise that involves AUSTRAC information be handled securely with robust controls and procedures in place that require compliance by all involved. All data matching exercises are carried out in accordance with the advisory Guidelines for the Use of Data-Matching in Commonwealth Administration issued by the Privacy Commissioner.[121]

14.106 The Office of the Privacy Commissioner expressed the view that ‘data matching activities should continue to be limited to very specific needs and purposes and be subject to clear guidance about how the activities are undertaken’. The Office noted that agencies that wish to undertake data matching must first determine whether information they hold can be released pursuant to their secrecy provisions. Should this be the case, the agency must consider its obligations under the Privacy Act:

The Office supports the ability to share information within and between governments and the private sector where a clear and legitimate purpose is identified. While data matching can be a very useful tool for a wide variety of purposes, it has the potential to significantly change the way that personal information is handled. This includes such risks as a change in the nature of the information, once combined, becoming more sensitive, as well as the context within which it was originally held becoming vastly different. Similarly, data matching may result in information being used in a way that is beyond the normal expectation of an individual.[122]

14.107 The Office submitted that to date, the interaction of secrecy provisions and the Privacy Act has provided satisfactory protection. However, to ensure appropriate protection in the context of future technological advances, it suggested that the ALRC consider making the voluntary public sector data matching guidelines mandatory.[123]

14.108 In DP 74, the ALRC expressed the preliminary view that current legislation and policies, in addition to reforms proposed elsewhere in the Discussion Paper, provided an appropriate framework for data-matching activities in the Australian Government. In particular, the ALRC considered that the proposed exception to the general secrecy offence, and other specific secrecy offences, for disclosures authorised by the relevant agency head or minister could facilitate data-matching in appropriate cases.[124]

14.109 The AGD agreed with an approach of authorising information-sharing activities, including data matching, through agency level agreements. It noted that these agreements should fit within a broader information-management framework.[125]

14.110 The Office of the Privacy Commissioner noted the ALRC’s view that information sharing could best be undertaken through individual agency agreements as part of a broader information-management framework. However, it suggested that these agreements should include a requirement for data-matching activities involving significant volumes of data to be subject to guidelines issued by the Privacy Commissioner. The Office reiterated its view that the ALRC should consider recommending that the voluntary data-matching guidelines be mandatory for the public sector.[126] A similar argument was put forward by the Australian Privacy Foundation, which submitted that the ALRC should recommend compliance with data-matching guidelines, along with the use of Privacy Impact Assessments (PIAs), in the context of information-sharing arrangements.[127]

14.111 The ABS focused on the importance of secrecy provisions enabling Australian Government agencies to disclose information to the ABS for statistical data matching.[128]

ALRC’s views

14.112 As a general principle, information sharing between government agencies, and government and the private sector—including data matching—should be undertaken at the agency level through individual agency agreements. These agreements should be clearly situated within a broader information-handling framework, including the Privacy Act, data-matching guidelines and legislation, and any applicable secrecy provisions. In the ALRC’s view, this framework suitably accommodates the tension between the need for secrecy and openness inherent in data matching.

14.113 The ALRC is not recommending that the voluntary data-matching guidelines should be made mandatory. This issue was considered in ALRC 108, where the ALRC noted that there was a lack of evidence that agencies were failing to comply with the voluntary guidelines. Accordingly, the ALRC did not consider that a case had been made out for making these guidelines mandatory. The ALRC suggested, and remains of the view that, the Office of the Privacy Commissioner could exercise its function of researching and monitoring technology to review the adequacy of, and compliance with, the existing guidelines if it deemed this to be necessary.[129]

14.114 Another regulatory option that may be available in the context of large-scale data-matching programs is a PIA. As discussed in Chapter 16, the ALRC has previously recommended that the Privacy Commissioner should be empowered to direct an agency to provide a PIA in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information.[130] The Australian Government has accepted this recommendation.[131] This is likely to include, for example, data-matching activities involving significant volumes of data.

[106] Office of the Federal Privacy Commissioner, The Use of Data-Matching in Commonwealth Administration—Guidelines (1998).

[107] Australian Government Management Advisory Committee, Connecting Government: Whole of Government Responses to Australia’s Priority Challenges (2004), 60.

[108] Australian Commission for Law Enforcement Integrity, Submission SR 18, 18 February 2009.

[109] Ibid.

[110] Office of the Federal Privacy Commissioner, The Use of Data-Matching in Commonwealth Administration—Guidelines (1998), 2.

[111]Privacy Act 1988 (Cth) s 14 IPP 10.

[112] Ibid s 14 IPP 11.

[113] The voluntary data-matching guidelines apply to agencies that match data from two or more databases, if at least two of the databases contain information about more than 5,000 individuals.

[114] See discussion in Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Ch 10.

[115] Office of the Federal Privacy Commissioner, The Use of Data-Matching in Commonwealth Administration—Guidelines (1998), [33]–[ 47], [63], [69]. In Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), the ALRC suggested that the Office of the Privacy Commissioner could exercise its research and monitoring function to review the data-matching guidelines. The ALRC also recommended that the Office of the Privacy Commissioner develop and publish guidance for organisations that conduct data-matching activities: Rec 10–4.

[116] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Ch 10.

[117] Ibid, [10.97]–[10.99].

[118] Australian Parliament—House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry into the Protection of Confidential Personal and Commercial Information Held by the Commonwealth (1995), 61.

[119] Australian Law Reform Commission, Review of Secrecy Laws, Issues Paper 34 (2008), Question 7–6.

[120] Liberty Victoria, Submission SR 19, 18 February 2009.

[121] Australian Transaction Reports and Analysis Centre, Submission SR 31, 2 March 2009.

[122] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009.

[123] Ibid.

[124] Australian Law Reform Commission, Review of Secrecy Laws, Discussion Paper 74 (2009), Ch 3.

[125] Attorney-General’s Department, Submission SR 67, 14 August 2009.

[126] Office of the Privacy Commissioner, Submission SR 66, 13 August 2009.

[127] Australian Privacy Foundation, Submission SR 71, 16 August 2009. PIAs are discussed in Ch 16, and were the subject of several recommendations in Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008).

[128] Australian Bureau of Statistics, Submission SR 58, 7 August 2009.

[129] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), [10.97]–[10.99].

[130] Ibid, Rec 47–4.

[131] Australian Government, Enhancing National Privacy Protection—Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (2009).