Senate debates

Thursday, 10 May 2012

Committees

Government Response to Report

8:37 pm

Photo of Jan McLucasJan McLucas (Queensland, Australian Labor Party, Parliamentary Secretary for Disabilities and Carers) Share this | Hansard source

I present four government responses to committee reports as listed at item 17 on today’s Order of Business. In accordance with the usual practice, I seek leave to incorporate the documents in Hansard.

Leave granted.

The documents read as follows—

Government Response to the Senate Finance and Public Administration Legislation Committee Report:

Exposure Drafts of Australian Privacy Amendment Legislation: Part 1 – Australian Privacy Principles

May 2012

Summary table of Government response to recommendations

The following tables summarise the Government's response to the recommendations from the Committee's report.

Of the Committee's twenty nine recommendations:

            References in this table to chapters and recommendation numbers generally reflect references used in the Committee's report.

            CHAPTER 3 – General issues

            Recommendation 1

            3.30 The committee recommends that the Department of the Prime Minister and Cabinet

            re-assess the draft Australian Privacy Principles with a view to improving clarity through the use of simpler and more concise terms and to avoid the repetition of requirements that are substantially similar.

            Response: Accept in principle

            The Government will consider options to improve overall clarity. In particular the Government will review the drafting of the Australian Privacy Principles to avoid repetition of requirements that are substantially similar.

            Recommendation 2

            3.32 The committee recommends that reconsideration be given to the inclusion of agency specific provisions in the Australian Privacy Principles in the light of the Office of the Privacy Commissioner's suggestion that agency specific matters should, in the first instance, be dealt with in portfolio legislation.

            Response: Not accept

            The Government does not agree that it is appropriate for all specific agency activities to be included in portfolio legislation. While portfolio legislation will normally provide the lawful authority for an agency to undertake certain powers, functions and activities, it is also necessary in exceptional circumstances to take the additional step of including specific exceptions in the APPs to make clear that specific activities of agencies will not contravene APPs obligations.

            Some of the exceptions have been included to provide additional certainty about the operation of the APPs on legitimate activities undertaken overseas, including those in urgent or emergency situations. Others preserve existing exceptions in the Information Privacy Principles (IPPs), eg that enable the collection, use/disclosure etc of personal information for law enforcement purposes.

            In the case of the Defence Force exceptions in APP 3(3)(f) and APP 8(2)(i), they are intended to clarify the circumstances where the collection of sensitive information may occur without consent outside Australia, and where personal information generally may be disclosed to an overseas recipient. The Defence Force undertakes a range of activities in other countries that involve the collection and disclosure of personal information (sometimes in remote and emergency situations) and it is important that there is certainty about its ability to undertake these activities without breaching the APPs. For readability purposes, it is also important to clearly outline how these activities interact with APPs obligations.

            Similarly, in the case of agencies with diplomatic and consular functions or activities, there are exceptions in APP 3(3)(e), APP 6(2)(f) and APP 8(2)(h), that are intended to clarify that such agencies can collect, use/disclose etc such information both within and outside Australia. Government officials from agencies such as the Department of Foreign Affairs and Trade (DFAT) who are based overseas regularly collect and disclose to their agencies in Australia personal information as part of its diplomatic and consular functions. It would be impractical for DFAT and other agencies to seek the consent of foreign government officials and other individuals, about whom these agencies report to Australia, to collect and disclose their personal information to the Australian Government. Moreover, the act of seeking this consent would undermine the success of DFAT's core operations by revealing to the subject of such information flows that they are occurring. Similarly, it is necessary for government officials based overseas to report to DFAT in Australia in discharging its consular responsibilities, especially in the event of an overseas crisis where overseas officials are expected to assist Australians. The exceptions in APP 3(3)(e), APP 6(2)(f) and APP 8(2)(h) are not new exemptions to existing privacy laws, but seek to clarify the interactions between DFAT's and other agencies' existing functions and the APPs.

            As with the Defence Force exception, it is important that there is certainty about the ability of these agencies to undertake these activities without breaching the APPs. For readability purposes, it is also important to clearly outline how these activities interact with APPs obligations. The Government will work with the OAIC to develop appropriate guidelines on the exceptions relating to diplomatic and consular functions and activities.

            It is important to note that certain Commonwealth agencies, such as CrimTrac, operate in a unique fashion within the APP framework. In the majority of circumstances, CrimTrac operates as the custodian of personal and sensitive information; it is not the primary collection agencies. The allowances at APP 3 (3)(d) will ensure that CrimTrac can continue operating effective national sharing solutions that support law enforcement and policing across Australia, without breach.

            On the general exemptions for law enforcement activities, these already exist in the IPPs (eg IPP 10(1)(d) and IPP 11(1)(e). It is important that these are retained to ensure that law enforcement bodies have clarity that the activities they can undertake with personal information at the moment will continue to be the case under the new APPs.

            There has been careful consideration given to the inclusion and breadth of agency specific provisions in the proposed APPs and the Government considers that each is justifiable.

            Recommendation 3

            3.73 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the interpretation of 'personal information' as a matter of priority.

            Response: Support

            The Government agrees that OAIC guidance on the interpretation of the 'personal information' would be useful in assisting entities and individuals to understand the application and scope of the new definition, especially given the contextual nature of the definition.

            The Government encourages the development of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

            Recommendation 4

            3.90 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the meaning of 'consent' in the context of the Privacy Act as a matter of priority.

            Response: Support

            The Government agrees that OAIC guidance on the meaning of 'consent' would be useful to provide clarity to entities and individuals about the application and operation of that term. The Government notes that this is consistent with ALRC recommendation 19-1 that also recommends that the OAIC should develop and publish further guidance about what is required of agencies and organisations to obtain an individual's consent under the Privacy Act.

            The Government encourages the development of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

            Recommendation 5

            3.114 The committee recommends that the Government, in consultation with the Office of the Australian Information Commissioner, give consideration to the provision of a transition period for entities to fully comply with the implementation of the new Privacy Act.

            Response: Accept

            The Government agrees with the Committee that the introduction of the new Australian Privacy Principles will require entities to develop and implement changes to practices and policies.

            The Government will therefore consult with the OAIC and other relevant stakeholders in determining an appropriate transition period.

            CHAPTER 4 – Australian Privacy Principle 1 – open and transparent management of personal information

            Recommendation 6

            4.45 The committee recommends that a note be added at the end of APP 1(5) which indicates that the form of an entity's privacy policy 'as is appropriate' will usually be an online privacy policy.

            Response: Accept in principle

            The Government notes the Committee's concerns on APP 1(5) and will look to develop appropriate amendments to the draft legislation.

            The Government also notes that the Committee considered that the provision should be re-drafted to clarify that privacy policies must be available to both individuals and entities (para 4.44). The Government will also look to develop appropriate amendments to the draft legislation on that issue.

            CHAPTER 5 – Australian Privacy Principle 2 – anonymity and pseudonymity

            Recommendation 7

            5.37 The committee recommends that the wording of APP 2(2)(a) be reconsidered to ensure that the exception to the anonymity and pseudonymity principle cannot be applied inappropriately.

            Response: Accept in principle

            The Government will reconsider the wording of APP 2(2)(a) and consider options to clarify that the 'required or authorised by or under an Australian law' exception applies at the time that the identification of the individual is required by the entity.

            Further, as noted in the Committee's report (para 5.32), the Government accepted an ALRC recommendation (16-2) that encourages the development and publication of appropriate guidance by the OAIC to clarify when an act or practice will be required or authorised by or under law.

            The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

            CHAPTER 6 – Australian Privacy Principle 3 – collection of solicited personal information

            Recommendation 8

            6.35 The committee recommends that in relation to the collection of solicited information principle (APP 3), further consideration be given to:

                Response: Accept in part

                The Government does not support the removal of the term 'reasonably' from the 'necessary' test in APP 3.

                The requirement on entities to collect only personal information that is reasonably necessary to their functions, requires the collection of personal information to be justifiable on objective grounds, rather than on the subjective views of the entity itself. This is intended to expressly clarify that the test is objective (rather than implied) and to enhance privacy protection.

                Making it clear that the necessity of the collection must be reasonable is intended to reduce instances of inappropriate collection of personal information by entities.

                The Government notes the Committee's view that it remains to be persuaded that the inclusion of 'reasonably' provides a higher, or even the same, level of privacy protection as the wording in NPP 1. To give reassurance to the Committee, this will be made clear in the Explanatory Memorandum when the final bill is introduced in Parliament.

                The Government agrees that the application of the 'directly related to' test to organisations should be reconsidered. The Government will look to develop appropriate amendments to the draft legislation.

                CHAPTER 7 – Australian Privacy Principle 4 – receiving unsolicited information

                Recommendation 9

                7.44 The committee recommends that the term 'no longer personal information' contained in APP 4(4)(b) be clarified.

                Response: Accept in principle

                The Government agrees that further clarification about the term 'no longer personal information' would be beneficial for entities in applying APP 4.

                The Government considers this should come from guidance developed by the OAIC. Such guidance would provide clarification about the process of rendering personal information 'non-identifiable', or the steps necessary to destroy personal information. This flexibility is necessary because de-identification procedures may evolve over time and may differ depending on the form the information is held in (eg electronic v non-electronic). In addition, OAIC guidance will be useful in outlining how to destroy or render non-identifiable personal information that forms part of other information or records (eg historical records).

                The OAIC guidance would also be useful in advising about the other elements in APP 4(4) that are relevant to the requirement to destroy or de-identify, ie how to apply the 'as soon as practicable', and 'lawful and reasonable to do so' test in APP 4(4).

                The Government notes that this is consistent with ALRC recommendation 28-5 (which the Government accepted) that the OAIC should develop and publish guidance about the destruction of personal information, or rendering such information non-identifiable.

                The Government encourages the development and publication of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

                CHAPTER 10 – Australian Privacy Principle 7 – direct marketing

                Recommendation 10

                10.46 The committee recommends that the drafting of APP 7 be reconsidered with the aim of improving structure and clarity to ensure that the intent of the principle is not undermined.

                Response: Accept in principle

                The Government notes the Committee's general concerns about the drafting of APP 7 and will consider options to improve clarity and structure.

                Recommendation 11

                10.60 The committee recommends that the note to APP 7(1) be redrafted to better reflect the position outlined in the Government response.

                Response: Accept in principle

                The Government will look to develop appropriate amendments to the draft legislation to clarify the operation of the 'Direct Marketing' Principle to agencies.

                Recommendation 12

                10.66 The committee recommends that the Australian Information Commissioner develop guidance in relation to direct marketing to vulnerable people.

                Response: Support

                The Government agrees that OAIC guidance about direct marketing to vulnerable people would be beneficial to entities in understanding their privacy responsibilities when engaging in direct marketing to individuals such as children.

                The Government notes that this is consistent with ALRC recommendation 26.7(e) (which the Government supported) that the OAIC should develop and publish guidance to assist organisations in complying with the 'Direct Marketing' principle including 'the obligations of organisations involved in direct marketing under the Privacy Act in dealing with vulnerable people'.

                The Government accepted that recommendation and encouraged the development and publication of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

                Recommendation 13

                10.81 The committee recommends that the structure of APP 7(2) and APP 7(3) in relation to APP 7(3)(a)(i) be reconsidered.

                Response: Accept in principle

                The Government notes the Committee's concerns about the structure of APP 7(2) and APP 7(3) and the need to consider further simplification of these provisions. The Government will look to develop appropriate amendments to the draft legislation.

                CHAPTER 11 – Australian Privacy Principle 8 – cross-border disclosure of personal information and sections 19 and 20

                Recommendation 14

                11.41 The committee recommends that a note be added to the end of APP 8 making reference to section 20 of the new Privacy Act.

                Response: Accept in principle

                The Government agrees that there would be benefit in outlining the interaction between APP 8 (cross border disclosure of information) and section 20 (Acts and practices of overseas recipients of personal information). The Government will look to develop appropriate amendments to the draft legislation.

                Recommendation 15

                11.53 The committee recommends that the Department of the Prime Minister and Cabinet develop explanatory material to clarify the application of the term 'disclosure' in Australian Privacy Principle 8.

                Response: Accept

                The Government will provide more explanation about the application of the term 'disclosure' in APP 8 in the Explanatory Memorandum of the finalised Bill.

                Recommendation 16

                11.64 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the types of contractual arrangements required to comply with APP 8 and that guidance be available concurrently with the new Privacy Act.

                Response: Support

                The Government supports this recommendation and notes it is consistent with the Government response to ALRC recommendation 31-7 that the OAIC should develop and publish guidance on certain matters including 'the issues that should be addressed as part of a contractual agreement with an overseas recipient of personal information'.

                The Government encourages the development and publication of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

                Recommendation 17

                11.103 The committee recommends that, when the Australian Government enters into an international agreement relating to information sharing which will constitute an exception under APP 8(2)(d), the agency or the relevant minister table in the Parliament, as soon as practicable following the commencement of that agreement, a statement indicating:

                    Response: Not accept

                    The Government does not agree that the tabling in Parliament of an international agreement relating to information sharing is warranted.

                    As noted by the Committee, the Parliament is able to scrutinise treaties through the Joint Standing Committee on Treaties. Lower level agreements are subject to scrutiny and accountability by the Executive.

                    In some instances, international partners may not enter into agreements where the terms are to be made publicly available. In addition, the provisions of some agreements should remain confidential where disclosure could be reasonably expected to cause damage to international relations, the enforcement of law and protection of public safety.

                    Recommendation 18

                    11.105 The committee recommends that further consideration be given to the wording of the law enforcement exception in APP 8(2)(g) to ensure that the intention of the provision is clear.

                    Response: Not accept

                    The Government does not consider it necessary to further clarify the law enforcement exception in APP 8(2)(g), which is available to Australian law enforcement bodies for the disclosure of information to overseas bodies 'similar' to Australian law enforcement bodies, where it is necessary for law enforcement activities by, or on behalf or, an Australian law enforcement body.

                    The Committee noted concerns raised by the OAIC that the term 'similar' could result in the exception being broadly interpreted.

                    The Government believes the use of the term 'similar' is sufficiently clear and narrow to ensure that an enforcement body can only disclosure personal information to an overseas recipient that is a like body. There are additional safeguards that require the enforcement body to 'reasonably believe' that disclosure is 'reasonably necessary for one or more 'enforcement related activities' before disclosure can occur.

                    Recommendation 19

                    11.120 The committee recommends that section 19, relating to the extraterritorial application of the Act, be reconsidered to provide clarity as to the policy intent of the provision.

                    Response: Accept in principle

                    The Government will look to develop appropriate amendments to the draft legislation to provide clarity as to the operation of proposed s 19 (extraterritorial operation) of the Act.

                    Recommendation 20

                    11.133 The committee recommends that the Department of the Prime Minister and Cabinet develop explanatory material in relation to the application of the accountability provisions of section 20.

                    Response: Accept

                    The Government agrees that there would be benefit in providing additional explanation about the application of section 20, and will therefore include this in the Explanatory Memorandum to the final Bill when it is prepared.

                    CHAPTER 12 – Australian Privacy Principle 9 – adoption, use or disclosure of government related identifiers

                    Recommendation 21

                    12.33 The committee recommends that the term 'reasonably necessary' be replaced with 'necessary' in APP 9(2)(a), (b) and (f).

                    Response: Not accept

                    The Government notes the Committee's view that any exception to the identifiers principle should only be applied where it has been objectively determined that it is necessary for a permitted purpose. The Government believes the inclusion of 'reasonably' in the current wording of the exceptions in APP 9 expressly (rather than impliedly) clarifies that the test for disclosure is objective. This will have the effect of enhancing privacy protection by encouraging more appropriate disclosures of government related identifiers by organisations.

                    The Government notes the Committee's comments elsewhere in the report about whether the use of 'reasonably' when used with 'necessary' provides a sufficiently high level of privacy protection compared to the existing NPPs, where an objective test is implied. To give reassurance to the Committee, it will be made clear in the Explanatory Memorandum to the final bill that the use of 'reasonably' is intended to confirm the use of an objective test, and therefore to provide the same level of protection.

                    Recommendation 22

                    12.38 The committee recommends that the Office of the Australian Information Commissioner undertake a review of agency voluntary data-matching guidelines, including emerging issues with the use of government identifiers, and that the outcome inform further consideration of the extension of APP 9 to agencies.

                    Response: Support

                    The Government believes a review of agency voluntary data-matching guidelines would be a useful basis for any future consideration about APP 9.

                    The Government notes that the Information Commissioner has an existing function in relation to interferences with privacy to undertake research into, and to monitor developments in, data processing and computer technology (including data-matching and data-linkage) to ensure that any adverse effects of such developments on the privacy of individuals are minimised, and to report to the Minister the results of such research and monitoring (s 27(1)(c) of the Privacy Act).

                    The Government will encourage the review of agency voluntary data-matching guidelines by the OAIC. The Government notes that the allocation of OAIC's resources to review the guidelines and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in reviewing the guidelines.

                    CHAPTER 13 – Australian Privacy Principle 10 – quality of personal information

                    Recommendation 23

                    13.35 The committee recommends that proposed APP 10(2), pertaining to the quality of personal information disclosed by an entity, be re-drafted to make clear the intended use of the term 'relevant'.

                    Response: Accept in principle

                    The Government will look to develop appropriate amendments to the draft legislation to make it clear that the 'relevance' requirement in APP 10(2) relates to the purpose of use or disclosure of the personal information.

                    CHAPTER 14 – Australian Privacy Principle 11 – security of personal information

                    Recommendation 24

                    14.36 The committee recommends that a definition of the term 'interference' used in proposed APP 11(1)(a), pertaining the security of personal information, be provided or a note included in the legislation to explain its meaning in this context.

                    Response: Accept in principle

                    The Government agrees that further clarity could be provided on the meaning of 'interference' in APP 11(1)(a) and will therefore look to develop appropriate amendments to the draft legislation.

                    Recommendation 25

                    14.38 The committee recommends that the Australian Information Commissioner provide guidance on the meaning of 'destruction' in relation to personal information no longer required and the appropriate methods of destruction of that information.

                    Response: Support

                    The Government supports this recommendation and notes that it is consistent with the Government response to ALRC recommendation 28-5 that the OAIC should develop and publish guidance about the destruction of personal information, or rendering such information non-identifiable.

                    The Government encourages the development and publication of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

                    CHAPTER 15 – Australian Privacy Principle 12 – access to personal information

                    Recommendation 26

                    15.43 The committee recommends that, in relation to the proposed exceptions provided for in APP 12(3):

                          Response: Accept in principle

                          The Government agrees that there would be value in providing further clarification about the operation of the exceptions in APP 12(3).

                          The Government supports the development of OAIC guidance about the operation of the 'frivolous and vexatious' exception to assist in addressing concerns that it may be used to deny an individual access to their own personal information, eg in the circumstances identified in the Committee's report relating to health information or where individuals might be in conflict with a particular organisation. The Government encourages the development and publication of appropriate guidance by the OAIC. The Government notes that the allocation of OAIC's resources to develop guidance and its timing is a matter for the OAIC. The Government will encourage the OAIC to liaise with entities in developing guidance.

                          The Government agrees with the Committee's view that further clarity would be beneficial about the stage at which the negotiations exception in APP 12(3)(e) could be invoked. The Government will consider options for providing this additional clarity in the Explanatory Memorandum to the final bill.

                          The Government agrees that it would be beneficial for further clarity to be provided about the interaction between APP 12(3)(j), 12(5) and 12(9) with a view to ensuring that the rights currently provided for in NPP 6.2 in the Privacy Act are not diminished. The Government will consider how further clarification can be best achieved.

                          Recommendation 27

                          15.46 The committee recommends that a note be added to proposed APP 12(4)(a) to clarify that a reasonable period of time in which an organisation must respond to a request for access would not usually be longer than 30 days.

                          Response: Accept in principle

                          The Government considers this would best be achieved through OAIC guidance which notes that, if granting access is straight forward, it would often be appropriate for an organisation to grant access within 14 days, or if giving it is more complicated, within 30 days.

                          Recommendation 28

                          15.47 The committee recommends that APP 12(8) be amended so that it is made clear that access charges imposed by organisations should only be charged at a level reasonably necessary to recoup costs incurred by the entity.

                          Response: Accept in principle

                          The Government notes that this provision is based on existing NPP 6.4. There has been no suggestion that, in practice, NPP 6.4 been applied unreasonably by organisations. However, the addition of a new requirement for organisations to make an assessment about charges reasonably necessary to recoup costs would be a useful measure to prevent unreasonable amounts being charged. The Government will make it clear in the Explanatory Memorandum that an excessive charge amount would include recouping costs above the actual amount incurred by the organisation.

                          CHAPTER 16 – Australian Privacy Principle 13 – correction of personal information

                          Recommendation 29

                          16.34 That the decision to omit the term 'misleading' in APP 13, relating to the correction of personal information, be reconsidered.

                          Response: Accept

                          Comments

                          No comments