Privacy

Overview of the Privacy Act 1988 (Cth)

16.127 The Privacy Act aims to protect personal information and to give individuals some control over how such information is handled. In contrast to secrecy provisions—which predominantly regulate individuals, for example, Commonwealth officers—the Privacy Act imposes obligations on both public sector agencies and private organisations, as defined in the Act.[173]

16.128 The requirements of the Privacy Act are largely set out in two sets of privacy principles—the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs). These provide a primarily principles-based framework for the manner in which Australian Government agencies[174] and private sector organisations, respectively, can collect, store, use and disclose personal information.[175] They also give individuals rights of access to, and correction of, their own personal information.

16.129 The privacy principles, and other requirements of the Privacy Act, only apply insofar as an agency or organisation is handling ‘personal information’, defined as:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[176]

16.130 In 2008, the ALRC released the report, For Your Information: Australian Privacy Law and Practice (ALRC 108),[177] including 295 recommendations for the reform of privacy laws and practices. Most relevantly to this Inquiry, the ALRC recommended that there should be: a uniform set of privacy principles to apply to all federal government agencies and the private sector; rationalisation of exemptions and exceptions to Privacy Act requirements; improved complaint-handling procedures; and stronger penalties for breach. On 14 October 2009, the Australian Government released its response to 197 of the recommendations in ALRC 108. It accepted the vast majority of these recommendations, including that there should be a uniform set of privacy principles.[178]

Interaction between the Privacy Act and secrecy provisions

16.131 Protection of private personal and commercial information has frequently been a driving factor in the enactment of secrecy laws. The current diversity of secrecy provisions has been attributed to the greatly increased collection of personal and commercially sensitive information by the government since the mid-1940s, in areas such as taxation, health and welfare.[179] As noted in Chapter 3, approximately one third of secrecy provisions specifically protect personal information.

16.132 The role of secrecy laws in protecting personal information was particularly apparent in the era prior to the enactment of the Privacy Act. However, many secrecy provisions enacted more recently continue to emphasise the importance of secrecy laws operating alongside the Privacy Act. Secrecy provisions in the context of taxation information are a clear illustration. For example, the explanatory memorandum accompanying the Inspector-General of Taxation Bill 2003(Cth) states that the secrecy provision in cl 23 was drafted, not only to mirror secrecy provisions across tax law, but also ‘to be consistent with privacy laws’.[180] Similar objectives have been expressed in the area of health information, with the secrecy provision in the Australian Organ and Tissue Donation and Transplantation Authority Act 2008 (Cth) designed ‘as an additional safeguard’ to operate in tandem with the Privacy Act.[181]

16.133 A different interaction between secrecy provisions and the Privacy Act takes place where secrecy provisions are used to facilitate information sharing, which—outside the legislative authorisation provided by a secrecy provision—would be impermissible under the Privacy Act. This issue is particularly relevant in the context of whole of government policies and programs, which are becoming an increasingly prevalent feature of modern government.[182]

16.134 The only part of the Privacy Act that addresses the interaction with secrecy provisions is pt VIA,[183] which provides for the handling of personal information in emergencies or disasters. In this part, s 80P(1) provides that when an emergency declaration is in force, an entity may collect, use or disclose personal information in certain circumstances. Section 80P(2) provides that an entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by s 80P(1), unless the secrecy provision is a ‘designated secrecy provision’. Designated secrecy provisions include provisions under the Australian Security Intelligence Organisation Act 1979 (Cth) and the Intelligence Services Act 2001 (Cth).[184]

16.135 The following discussion focuses on issues raised where information is subject to both information-handling requirements under the Privacy Act and secrecy provisions. These include ambiguities that may result from the use of inconsistent terminology in privacy and secrecy laws, and the application of secrecy provisions to lessen the minimum standards set out in the privacy principles.

Terminology

16.136 As noted above, a large number of secrecy provisions apply to information about individuals. In a small number of situations, secrecy provisions expressly or impliedly mirror the definition of personal information in the Privacy Act. Section 16 of the Customs Administration Act 1985 (Cth), for example,defines personal information as having the same meaning as that set out in the Privacy Act.[185] Section 86-2(1) of the Aged Care Act defines personal information in identical terms to the Privacy Act, butwithout reference to that Act.[186]

16.137 However, other provisions use a variety of formulations. For example, s 30 of the A New Tax System (Australian Business Number) Act 1999 (Cth) protects information that ‘relates to the affairs of a person other than the entrusted person’.[187] The term ‘affairs of a person’ is used in more than 50 other secrecy provisions, which both pre-date[188] and post-date[189] enactment of the Privacy Act. Secrecy provisions directed to the protection of information held by health and welfare agencies commonly protect information ‘about’ or ‘concerning’ a person’.[190] Approximately 30 secrecy provisions prevent the disclosure of information only where it could identify a person. For example, s 323 of the Commonwealth Electoral Act 1918 (Cth) prohibits the disclosure of information that is ‘likely to enable the identification of the elector’.

16.138 Quite different meanings attach to the above formulations. For example, in Young v Wicks, ‘personal affairs’ was interpreted as ‘matters of private concern to a person’.[191] Since the relevant factor is the nature of the information, the ‘personal affairs’ criterion might be satisfied even where any matters which could identify a person have been removed.[192] In comparison, the definition of ‘personal information’ under the Privacy Act[193] focuses on whether an individual’s identity is clear, or reasonably capable of being ascertained, from the information.

16.139 The Acts Interpretation Act 1901 (Cth) provides that the word ‘person’ includes a body politic or corporate as well as an individual.[194] Where a secrecy provision regulates the handling of information that, for example, relates to the ‘affairs of a person’, this may extend to information related to a corporate or political entity as well as an individual.

Minimum standards of privacy protection

16.140 The IPPs and the NPPs set out baseline standards with which agencies and organisations must comply in their handling of personal information. As explained by the Office of the Privacy Commissioner in the context of IPPs 8 to 11:

IPPs only set out minimum standards

The IPPs only set out minimum legal standards for agencies in dealing with personal information. A higher standard may be appropriate, even if the IPPs do not require it.

It may be appropriate for an agency to take more care to protect people’s privacy (than the IPPs require) if:

(a) particularly sensitive personal information is involved, or

(b) using or disclosing personal information is likely to have serious consequences for the person the information is about.[195]

16.141 However, through exceptions in the IPPs and NPPs for acts or practices ‘required or authorised by or under law’, secrecy provisions may lower standards of privacy protection by allowing information-handling practices that are not expressly permitted in the privacy principles—most notably, in the principles in relation to access and correction and disclosure.

Access and Correction

16.142 IPP 6, ‘Access to records containing personal information’, provides an individual with the right to access personal information that an agency holds about him or her

except to the extent that the recordkeeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

16.143 Many secrecy provisions reflect the idea that individuals should generally have access to information held about them by public authorities. For example, s 86-2 of the Aged Care Act creates an offence for the unauthorised handling of ‘protected information’. However, the section contains an exception for information disclosed ‘only to the person to whom it relates’.[196] A further illustration is s 94 of the Australian Trade Commission Act 1985 (Cth), which restricts the disclosure to any person of ‘any information concerning the affairs of another person acquired by the first-mentioned person by reason of his or her employment’. By limiting the prohibition to information of ‘another’ person, disclosure appears to be permitted to the person to whom the information relates.

16.144 In contrast, however, s 44 of the Surveillance Devices Act 2004 (Cth) does not allow the disclosure to an individual of personal information about that individual. This section creates two offences for the disclosure of ‘protected information’.[197] Protected information is defined to include ‘any information that is likely to enable the identification of a person, object or premises specified in a warrant’. This could include personal information. Section 44 sets out a number of exceptions to these offences—however, none of these are equivalent to the exception contained in s 86-2 of the Aged Care Act.

Disclosure

16.145 IPP 11.1 sets out a general prohibition on the disclosure of personal information by government agencies other than in limited circumstances. Permissible secondary disclosures include where:

(a) the individual concerned is reasonably likely to have been aware, or made aware under [the Collection principle], that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the recordkeeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

16.146 Exceptions to the prohibition on non-disclosure in secrecy provisions will often invoke IPP 11.1(d)—the ‘required or authorised by or under law’ exception. For example, s 56 of the Australian Prudential Regulation Authority Act 1998 (Cth) prohibits the disclosure of protected information (including personal information) except in specific circumstances. These include, for example, where the disclosure is approved by APRA in writing, or is to an APRA member or staff member ‘for the purpose of the performance of APRA’s functions or the exercise of APRA’s powers, under a law of the Commonwealth or of a State or a Territory’. Section 56(12) makes clear that:

A disclosure of personal information is taken to be authorised by law for the purposes of paragraph (1)(d) of Information Privacy Principle 11 in section 14 of the Privacy Act 1988 if:

(a) the information is protected information and the disclosure is made in accordance with any of subsections (4), (5), (5AA), (6), (7A), (7B) and (7C); or

(b) the information is contained in a protected document and the disclosure is made by the production of the document in accordance with any of those subsections.

Options for reform in ALRC 108

16.147 In ALRC 108, the ALRC considered possible reforms to deal with the overlap between privacy and secrecy laws, including whether the Privacy Act—rather than specific secrecy provisions—should regulate the disclosure of personal information by Australian government agencies. The ALRC did not recommend such a reform. First, retaining secrecy provisions in specific statutes ‘ensures that an agency’s secrecy responsibilities are tailored to the agency’s circumstances and grouped with other obligations’.[198] Secondly:

Secrecy provisions do not relate solely to personal information. They also protect, for example, commercial, security and operational information. Secrecy provisions provide separate and specific standards of protection beyond those afforded by the privacy principles … Unlike the privacy principles, the level of protection afforded by secrecy provisions will often vary with the sensitivity of the information concerned.[199]

16.148 Given that secrecy provisions may adversely affect the privacy of an individual, however, the ALRC considered the use of privacy impact assessments (PIA) in this context.

16.149 A PIA has been described as ‘an assessment of any actual or potential effects that [an] activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated’.[200] Currently, there are no requirements in the Privacy Act for an agency to undertake a PIA. However, the Office of the Privacy Commissioner has published a Privacy Impact Assessment Guide, which recommends that agencies undertake a PIA as part of their advice on certain legislative proposals and policy submissions.[201]

16.150 In ALRC 108, the ALRC recommended that the Privacy Commissioner should be empowered under the Privacy Act to direct an agency to provide a PIA ‘in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information’.[202] Consistently with this recommendation, the ALRC expressed the view that a PIA should be prepared when a secrecy provision is proposed that may have a significant impact on the handling of personal information.[203]

16.151 The ALRC also suggested that, where a secrecy provision regulates personal information, it should address how the requirements under the provision interact with the privacy principles.[204]

Submissions and consultations

16.152 In IP 34, the ALRC sought views on the relationship between secrecy provisions and the Privacy Act. In particular, the ALRC questioned whether secrecy provisions should regulate personal information and, if so, whether they should refer to or use the terminology of the Privacy Act[205] and allow individuals to access and correct personal information about themselves.[206] Finally, the ALRC asked whether there were situations in which it was appropriate for secrecy provisions to authorise a lower standard of privacy protection than would be permissible under the Privacy Act.[207]

Overlap between secrecy and privacy laws

16.153 A number of stakeholders noted the complementary nature of secrecy and privacy laws, and the need to retain both of these regimes to regulate the disclosure of personal information effectively.[208] As stated in the submission of the Office of the Privacy Commissioner:

the Privacy Act provides an overarching framework for how personal information should be handled by an agency and this framework is complemented by information type or agency specific secrecy provisions which address where the agency needs to protect the confidentiality of personal information as they carry out their particular activities and functions.[209]

16.154 The Office expressed the view that:

secrecy provisions should continue to regulate personal information in circumstances where a need has been identified for that information to be subject to additional confidentiality protections or specific handling requirements over and above those afforded by the Privacy Act.[210]

16.155 The Office also recognised that secrecy provisions may apply to an array of Commonwealth information, of which personal information is a subset:

To establish a situation where the handling of a portion of the information contained in a record is regulated by a secrecy provision and the handling of personal information in other parts of the same record is regulated exclusively by the Privacy Act could result in confusion and inconsistency in the application of both the laws. For example, trying to delineate information relating to the taxation matters of a small business and its owner would be impractical and could prove very difficult in determining what information is regulated by the Privacy Act and what is regulated by a secrecy provision.[211]

16.156 In a submission in response to DP 74, the Office of the Privacy Commissioner suggested that the ‘uncertainty regarding the intersection of obligations imposed by both pieces of legislation’ could be lessened by adopting a drafting direction requiring any proposed secrecy provision that will regulate the handling of personal information to indicate expressly how it will interact with the agency’s responsibilities under the Privacy Act. In the view of the Office:

Such a requirement provides a specific trigger for agencies to consider their obligations in relation to the handling of that personal information. It would also provide clarification regarding the interaction between the secrecy provision and the Privacy Act at the time of drafting to avoid subsequent confusion.[212]

16.157 The AGD commented favourably on the potential for secrecy provisions to regulate the disclosure of personal information in situations where the remedies available under the Privacy Act are not considered to have sufficient deterrent effect.[213]

16.158 Although the ARTK coalition accepted the need for secrecy provisions and the Privacy Act to operate concurrently, it raised concerns about the potential for agencies to use privacy as ‘a shroud to the provision of information to the public’.[214] Dr Ian Turnbull also commented on detrimental consequences that may flow where the concepts of privacy and secrecy are confused, suggesting that:

Secrecy provisions should regulate personal information where that information (primarily identifying information) has become or been made secret. Examples are unlisted or secret telephone numbers, or addresses of protected witnesses or domestic violence victims.[215]

16.159 In contrast, the Non-Custodial Parents Party noted the need for strong privacy protection and submitted that privacy provisions should always prevail over secrecy laws.[216]

16.160 Ron Fraser commented on the expanded role that privacy law is likely to play if there is a reduction in the number of specific secrecy provisions. This includes the provision of ‘a floor below which privacy protection in relation to personal information cannot fall except with specific legal authority’.[217]

Terminology

16.161 The Office of the Privacy Commissioner expressed the view that secrecy provisions that relate to the handling of personal information should refer to or use the terminology of the Privacy Act, where possible:

For example, the Office suggests that either using the Privacy Act’s definition of ‘personal information’ or making reference to the definition and specifically stating what additional information, if any, is included in the secrecy provision’s scope of ‘personal information’ would help clarify the interaction between the Privacy Act and the secrecy provision.

Alternatively, where using the Privacy Act’s terminology is not practical or feasible, it may be useful for secrecy provisions that relate to personal information to address how the terminology used interacts with that of the Privacy Act. For example, where a secrecy provision uses the term ‘release’ information, it would assist to note how, if at all, that differs from ‘disclose’ in the Privacy Act.[218]

16.162 The SSAT agreed that consistent terminology would be useful, given that the ‘plethora of provisions and definitions give rise to a great deal of confusion and difficulty of application’.[219] The AGD also supported such consistency, noting that:

Terms such as ‘affairs of a person’ have the potential to cause uncertainty as to their scope, because section 22 of the Acts Interpretation Act 1901 provides that, unless the contrary intention appears, the term person includes bodies corporate and bodies politic. To avoid doubt, it would be helpful for secrecy provisions using the term ‘person’ to clarify whether it is intended to only mean a natural person or whether it has the broader meaning given by the Acts Interpretation Act.[220]

16.163 Although the Department of Education, Employment and Workplace Relations recognised the benefits of consistent terminology, it cautioned that there would be ‘little value’ in a secrecy provision simply mirroring the Privacy Act since ‘specific secrecy provisions are designed to cater for the particular context and nature of the information [that is] being regulated’.[221]

16.164 A similar issue was raised by the Department of Human Services (DHS), which submitted that secrecy provisions apply to a wider range of information than the Privacy Act. Adopting Privacy Act terminology would only be appropriate where there is an intention to restrict the coverage of secrecy laws to correlate to information protected under the Privacy Act.[222]

Rights to access and correction

16.165 In IP 34, the ALRC asked whether secrecy provisions should allow individuals to access and correct personal information about themselves.[223] The ATO submitted that:

the Privacy Act provides an appropriate mechanism for allowing individuals to access and correct information about themselves, and that it is unnecessary for secrecy provisions to duplicate the Privacy Act in this regard. Further, tax secrecy provisions will never apply to restrict a taxpayer from accessing his or her own tax information.[224]

16.166 A similar point was made by the DHS, which advised that the secrecy provisions applying to agencies in the human services portfolio do not raise barriers to the processes of access and correction set out in the Privacy Act and FOI Act.[225]

16.167 The Office of the Privacy Commissioner was of the view that the Privacy Act, rather than secrecy provisions, was the most appropriate avenue for individuals to obtain access to, or correction of, personal information:

Having these individual rights expressed in the Privacy Act is consistent with the nature of the Act but may sit at odds with the majority of secrecy provisions as they focus on the protection of information through obligations of confidentiality or secrecy, rather than the accessibility to or quality of personal information.[226]

16.168 Further, the Office suggested that retaining access and correction provisions in the Privacy Act, rather than in various secrecy provisions, ‘will assist in reducing fragmentation and inconsistency’. The Office suggested, however, that for agencies that are not covered by the Privacy Act—for example, ASIO—it might be appropriate to include any applicable access and correction provisions in relevant secrecy provisions.[227]

Permissible disclosure of personal information

16.169 In IP 34, the ALRC sought views on when it might be appropriate for a secrecy provision to authorise the handling of personal information that would otherwise breach the Privacy Act.[228]

16.170 The AGD suggested that legitimate reasons for authorising the handling of personal information through secrecy provisions could include, for example, for the purposes of law enforcement or the detection and prevention of fraud.[229]

16.171 From the perspective of the Office of the Privacy Commissioner, however:

The protections afforded through the IPPs should be considered fundamental obligations that agencies should not legislate to reduce. … [S]hould an agency identify a need to handle personal information in a way that is inconsistent with or would otherwise breach the IPPs, then there needs to be a clear policy basis or public policy need for doing so.[230]

16.172 The Office raised particular concerns about the exception to obligations of agencies under several IPPs for conduct that is ‘required or authorised by law’:[231]

The Office strongly believes that this exception should not be used as the basis for requiring or authorising practices that are detrimental to the individual or included without a strong policy rationale. As far as practicable, reliance on this exception should also be careful not to remove more of the baseline protections provided by the Privacy Act than absolutely necessary and should still reflect the spirit and intent of the Act wherever possible.[232]

16.173 Where an agency authorises activities that are potentially in conflict with its obligations under the IPPs, the Office expressed the view that the agency should complete a PIA:

The completion of a PIA is a useful process for agencies to gain an understanding of the implications of any proposed secrecy provisions which relate to the handling of personal information. A PIA is a practical tool to assess information flows and determine whether provisions are necessary and reflective of best privacy practice. Conducting a PIA through the use of an independent specialist builds transparency into the decision making process and enhances confidence that the need for provisions has been assessed objectively. As such, the Office recommends that PIAs should be completed when either a new secrecy provision or a significant amendment to a current secrecy provision is being proposed.[233]

16.174 The DHS sought greater clarity in the application of the ‘required or authorised by or under law’ exception in IPP 11:

In relation to disclosure, the Department understands that in general terms a disclosure which is authorised under a secrecy provision will be authorised by law, and therefore permitted under IPP 11.1(d) in s 14 of the Privacy Act. However, not all provisions are clear on this point. For example, the Centrelink provisions contain explicit authorisations for various dealings (see, s 202 of the Social Security (Administration) Act) but there is a question whether very broad provisions permitting disclosure ‘in the performance of duties’ are sufficiently precise to enliven IPP 11.1(d).[234]

ALRC’s views

16.175 Many secrecy provisions were enacted prior to the introduction of the Privacy Act in order to deal with what were essentially privacy concerns. In Chapter 8, the ALRC recommends that specific secrecy offences are only warranted where they are necessary and proportionate to the protection of essential public interests of sufficient importance to justify criminal sanctions.[235] As discussed in Chapter 8, the ALRC considers that the unauthorised disclosure of personal or commercial information does not, without more, warrant criminal sanctions under specific secrecy offences, except in very limited circumstances. In these limited circumstances, personal information will be governed by both a specific secrecy offence and the Privacy Act.[236] In other circumstances, personal information may be regulated by a non-criminal specific secrecy provision and the Privacy Act.

16.176 The ALRC agrees with the comments of many stakeholders that there are benefits in having a tiered system for protecting personal information. The Privacy Act provides an overarching framework for the manner in which Australian Government agencies handle personal information, complemented by secrecy provisions, which focus on individuals in particular agencies, or who handle certain types of information where a greater degree of confidentiality is warranted.

16.177 Consequently, the ALRC sees two key roles for reform:

    • ensuring that privacy protections are upheld to the greatest possible extent; and

    • clarifying the interaction between the Privacy Act and secrecy provisions that apply to personal information.

Protecting personal information

16.178 Secrecy provisions can infringe on the protection of an individual’s personal information by:

    • removing his or her right to obtain access to, and correction of, personal information; or

    • expanding the scope of permissible disclosures of personal information by requiring or authorising the sharing of certain information.

16.179 In ALRC 108, the ALRC emphasised the importance of encouraging agencies to conduct PIAs voluntarily. The ALRC further recommended that where the Privacy Commissioner considers that a new project or development would have a ‘significant impact on the handling of personal information’, he or she should have the power to direct an agency to prepare a PIA.[237] The ALRC remains of the view that PIAs provide a suitable mechanism for agencies and others to identify and consider the privacy implications of a proposed secrecy provision.

16.180 In particular, the ALRC recommends that an agency should conduct a PIA where a proposed secrecy provision would require or authorise information-handling practices that significantly detract from the standards set out in the Privacy Act. In the event that an agency chose not to undertake such an assessment, the Privacy Commissioner may wish to exercise his or her power of direction in this regard.

Clarity of application

16.181 Stakeholders have identified situations where it is unclear whether a secrecy provision operates as an exception to the privacy principles for acts ‘required or authorised by or under law’. For example, does an exception for disclosures in the course of an officer’s duties authorise the release of information under the disclosure principle in IPP 11.1?

16.182 In ALRC 108, the ALRC considered possible reforms to the operation of the ‘required or authorised by or under law’ exception in the Privacy Act, including whether provisions in federal legislation that require or authorise practices for the purpose of the Privacy Act should clearly refer to the exception. The ALRC stated that ‘it would be too onerous to amend all existing federal, state and territory legislation that may require or authorise an act or practice relating to the handling of personal information’.[238] However, where possible, proposed laws that are intended to rely on the required or authorised exception should state this expressly.[239] The ALRC also recommended that the Office of the Privacy Commissioner should ‘develop and publish guidance to clarify when an act or practice will be required or authorised by or under law’.[240]

16.183 The ALRC affirms these recommendations, and considers that these strategies would largely resolve the potential ambiguities identified in the context of the interaction between the Privacy Act and secrecy provisions. In Chapter 11, the ALRC recommends that Australian Government agencies should review specific secrecy offences. This review would provide an opportunity for the Australian Government to consider any interaction between a provision and the Privacy Act, including the need to include clear references to the exception for acts and practices required or authorised by or under law.[241] Accordingly, no further recommendations are made in this regard.

16.184 Another source of potential ambiguity is the inconsistent use of terminology such as ‘personal information’, ‘affairs of a person’ and other similar formulations. The ALRC acknowledges the clear benefits of using the definition of personal information set out in the Privacy Act in secrecy provisions. The Privacy Act provides a comprehensive and nuanced definition of the information which warrants protection in order to satisfy personal privacy objectives.[242] Consistent terminology also provides a ready body of precedent for Commonwealth officers and others seeking to understand whether a secrecy provision applies to specific information.

16.185 However, the definition of personal information in the Privacy Act is only applicable to those secrecy provisions whose objects are directed towards the protection of personal privacy. A term such as ‘affairs of a person’ may be warranted, for example, where a secrecy provision is also intended to apply to information about commercial entities. Accordingly, the ALRC is not recommending that secrecy provisions should adopt Privacy Act terminology as a matter of course. Rather, this is an issue that should be considered as a part of the drafting process. The review of specific secrecy provisions recommended in Chapter 11 provides an opportunity to consider whether a secrecy provision that regulates personal information should adopt the Privacy Act definitions.

Recommendation 16–7 The Australian Government should conduct a Privacy Impact Assessment for a proposed secrecy provision that would require or authorise information-handling practices that significantly detract from the standards set out in the Privacy Act 1988 (Cth).

[173] Note, however, that under the Australian Public Service (APS) Code of Conduct, APS employees are required to comply with all applicable Australian laws: Public Service Act 1999 (Cth) s 13(4). This would include compliance with the Privacy Act 1988 (Cth).

[174] Note, however, that the acts and practices of some Australian Government agencies—including the intelligence agencies ASIS, ASIO and the Office of National Assessments—are completely exempt from the operation of the Privacy Act: Privacy Act 1988 (Cth) s 7.

[175] Ibid s 14 (IPPs), sch 3 (NPPs).

[176] Ibid s 6(1). In ALRC 108, the ALRC recommended that the Privacy Act should define ‘personal information’ as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’: Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Rec 6–1.

[177] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008).

[178] The Australian Government accepted 141 of the 197 recommendations in full or in principle, with another 34 recommendations accepted with qualification and two further recommendations noted (but not requiring action): Australian Government, Enhancing National Privacy Protection—Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (2009).

[179] J McGinness, ‘Secrecy Provisions in Commonwealth Legislation’ (1990) 19 Federal Law Review 49.

[180] Explanatory Memorandum, Inspector General of Taxation Bill 2002 (Cth).

[181] Explanatory Memorandum, Australian Organ and Tissue Donation and Transplantation Authority Bill 2008 (Cth).

[182] The move to open government is discussed in Ch 2.

[183] The Privacy Act was amended in 2006 to insert this Part: Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 (Cth). The Part commenced operation on 7 December 2006.

[184]Privacy Act 1988 (Cth) s 80P(7).

[185]Customs Administration Act 1985 (Cth) s 16(1A), 16(7). See also Air Navigation (Confidential Reporting) Regulations 2006 (Cth) reg 14.

[186]Aged Care Act 1997 (Cth) sch 3.

[187]A New Tax System (Australian Business Number) Act 1999 (Cth) s 41. ‘Protected information’ also must be: obtained by the entrusted person (or any person) in the course of official employment; and disclosed or obtained under the Act. Section 41 also provides that a ‘person’ includes a company, and s 30(1) provides that an ‘entrusted person’ is a person that has obtained protected information in the course of official employment.

[188] For example, Australian Trade Commission Act 1985 (Cth) s 94; Health Insurance Act 1973 (Cth) s 130.

[189] For example, Aboriginal and Torres Strait Islander Act 2005 (Cth) ss 191, 200A;Inspector-General of Taxation Act 2003 (Cth) s 37.

[190] For example, Child Support (Registration and Collection) Act 1988 (Cth) ss 16, 16AA; Health Insurance Act 1973 (Cth) s 130; National Health Act 1953 (Cth) s 135A.

[191]Young v Wicks (1986) 13 FCR 85. See also Commissioner of Police v District Court of New South Wales (1993) NSWLR 606, 625; Colakovski v Australian Telecommunications Corporation (1991) 29 FCR 429, 436;Re F and Health Department (1988) 2 VAR 458, 461.

[192] This issue is discussed in the context of the operation of the secrecy provision exemption in the FOI Act in Australian Government Solicitor, FOI Guidelines—Exemption Sections in the FOI Act (2009) <www.dpmc.gov.au> at 9 September 2009, [9.1.8]–[9.1.9].

[193]Privacy Act 1988 (Cth) s 6(1).

[194]Acts Interpretation Act 1901 (Cth) s 22.

[195] Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11 (1996) <www.privacy.gov.au> at 7 October 2009, 6–7.

[196]Aged Care Act 1997 (Cth) s 86-2(2)(b).

[197]Surveillance Devices Act 2004 (Cth) s 44(3) also prohibits the admission of protected information in evidence in any court proceedings.

[198] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), [15.120].

[199] Ibid, [15.121].

[200] Ibid, [47.44], citing B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61, 62. Privacy impact assessments are discussed in detail in Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Ch 47.

[201] Office of the Privacy Commissioner, Privacy Impact Assessment Guide (2006) <www.privacy.gov.au> at 7 October 2009.

[202] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Rec 47–4. This proposal was limited to agencies; however, the ALRC further recommended that a review be undertaken five years after the amendment is introduced to consider expansion to the private sector: Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Rec 47–5. The Australian Government has accepted Recs 47–4 and 47–5: Australian Government, Enhancing National Privacy Protection—Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (2009).

[203] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), [15.122]–[15.124].

[204] Ibid.

[205] Australian Law Reform Commission, Review of Secrecy Laws, Issues Paper 34 (2008), Question 7–4(a).

[206] Ibid, Question 7–4(b).

[207] Ibid, Question 7–5.

[208] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009; Attorney-General’s Department, Submission SR 36, 6 March 2009; Australia’s Right to Know, Submission SR 35, 6 March 2009; Australian Taxation Office, Submission SR 13, 16 February 2009.

[209] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009.

[210] Ibid.

[211] Ibid.

[212] Office of the Privacy Commissioner, Submission SR 66, 13 August 2009.

[213] Attorney-General’s Department, Submission SR 36, 6 March 2009. See also Australian Press Council, Submission SR 16, 18 February 2009.

[214] Australia’s Right to Know, Submission SR 35, 6 March 2009.

[215] I Turnbull, Submission SR 15, 17 February 2009.

[216] Non-Custodial Parents Party (Equal Parenting), Submission SR 82, 3 September 2009.

[217] R Fraser, Submission SR 78, 21 August 2009.

[218] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009.

[219] Social Security Appeals Tribunal, Submission SR 14, 17 February 2009.

[220] Attorney-General’s Department, Submission SR 36, 6 March 2009.

[221] Department of Education, Employment and Workplace Relations, Submission SR 24, 19 February 2009.

[222] Department of Human Services, Submission SR 26, 20 February 2009. See also Indigenous Business Australia, Submission SR 64, 13 August 2009.

[223] Australian Law Reform Commission, Review of Secrecy Laws, Issues Paper 34 (2008), Question 7–4(b).

[224] Australian Taxation Office, Submission SR 13, 16 February 2009.

[225] Department of Human Services, Submission SR 26, 20 February 2009.

[226] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009.

[227] Ibid.

[228] Australian Law Reform Commission, Review of Secrecy Laws, Issues Paper 34 (2008), Question 7–5.

[229] Attorney-General’s Department, Submission SR 36, 6 March 2009.

[230] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009. See also Office of the Privacy Commissioner, Submission SR 66, 13 August 2009.

[231]Privacy Act 1988 (Cth) s 14 IPPs 10(c), 11(d).

[232] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009. See also Office of the Privacy Commissioner, Submission SR 66, 13 August 2009.

[233] Office of the Privacy Commissioner, Submission SR 46, 24 June 2009. See also Office of the Privacy Commissioner, Submission SR 66, 13 August 2009. The Australian Privacy Foundation also endorsed the use of PIAs. Australian Privacy Foundation, Submission SR 71, 16 August 2009.

[234] Department of Human Services, Submission SR 26, 20 February 2009. See also Community and Disability Services Ministers’ Advisory Council, Submission SR 80, 28 August 2009.

[235] Recommendation 8–1.

[236] The ALRC is not recommending that harm to personal privacy should form an element of the general secrecy offence: see Ch 5.

[237] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), Rec 47–4. This recommendation was accepted by the Australian Government. Australian Government, Enhancing National Privacy Protection—Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (2009).

[238] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), [16.93].

[239] Ibid.

[240] Ibid, Rec 16–2. The Australian Government accepted this recommendation. Australian Government, Enhancing National Privacy Protection—Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (2009).

[241] Recommendation 11–1.

[242] In Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, ALRC 108 (2008), the ALRC made several recommendations for reform of the definition of ‘personal information’ in the Privacy Act: Recs 6–1 to 6–3. The Australian Government accepted these recommendations. Australian Government, Enhancing National Privacy Protection—Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (2009).