Sophie Higgins meeting with Angelene – 31 October 2016
S.22 - Irrelevant
Released under FOI - OAIC
s.22 - Irrelevant
Email to AGD re Veterans’ Affairs Legislation Amendment (Digital Readiness and
Other Measures) Bill 2016 (Rebecca – coming due 3/11)
s.22 - Irrelevant
From: Sophie Higgins
To: Rebecca Brown
Subject: RE: FOR CLEARANCE: due cob 3 Nov pls - Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 [DLM=Sensitive:Legal]
Date: Wednesday, 2 November 2016 8:07:00 PM
Attachments: image001.png
Hi Beck
Thanks for reviewing the provisions of the Bill and drafting this response so well. It looks good to
me – my only changes were two small typos I noticed (highlighted in yellow below). Maybe just
add that these are officer level comments (Angelene suggested we added that to Clare’s email to
AGD earlier this week as she had not reviewed it, but it looks like AGD took that out when
forwarding on to OPC). Anyway, let’s put it in again in our response to AGD!
Happy for you to send to Kathryn tomorrow.
Thanks again
Sophie
From: Rebecca Brown
Sent: Wednesday, 2 November 2016 6:00 PM
To: Sophie Higgins s.22 - Irrelevant
Subject: FOR CLEARANCE: due cob 3 Nov pls - Veterans’ Affairs Legislation Amendment (Digital
Readiness and Other Measures) Bill 2016 [DLM=Sensitive:Legal]
Hi Sophie
Please see our draft comments re this Bill below. I’ve also attached a Word doc containing the
text below in case that’s easier to edit. Happy to incorporate any feedback/amendments you
may have.
Beck
Thank you for the opportunity to comment on the Veterans’ Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 (the Bill).
We understand the Bill will make a number of amendments to the Military Rehabilitation and
Compensation Act 2004 (MRCA), the Safety, Rehabilitation and Compensation (Defence-related
Claims) Act 1988 (SRCA) and the Veterans’ Entitlements Act 1986 (VEA). Our comments below
relate to Schedule 2 of the Bill, which will amend the three Acts to enable the disclosure of
information in certain circumstances.
Schedule 2 of the Bill will insert a ‘public interest disclosure’ provision in the MRCA, SRCA and
VEA. This provision provides that the Secretary may, if the Secretary certifies that it is necessary
in the public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under the relevant Act to
such persons or for such purposes as the Secretary determines.
The Bill will also insert a provision in each Act that states that the disclosure is authorised by law
for the purposes of the Australian Privacy Principles (APPs). Specifically, the disclosure of
personal information under the new provisions will be permitted by the ‘required or authorised
by or under law’ exception in APP 6.2(b). This authorisation means that the privacy protections in
APP 6, which limit the circumstances in which personal information can be used and disclosed,
will not apply to any disclosures made in accordance with the new provisions.
Where legislation proposes to authorise the disclosure of personal information, the OAIC
generally suggests that consideration should be given to whether those measures are
reasonable, proportionate and necessary. That is, whether they appropriately balance the
intrusion on individuals’ privacy with the overall public policy objectives of the proposal. This is
consistent with the approach taken in applying Article 17 of the International Covenant on Civil
and Political Rights and are matters which the Department will likely need to address in its
Statement of Compatibility with Human Rights. Further, any such provisions should be drafted in
a manner that is consistent with the spirit and intent of the Privacy Act. This includes ensuring
that any authorisation is drafted narrowly, and, to the extent possible, clearly describes:
· the types of personal information that may be disclosed
· who may disclose the information, and who may receive the information
· the purpose for which the personal information may be disclosed, and, once received,
for which the information may be subsequently disclosed by the recipient.
The current drafting of the disclosure provisions in the Bill is broad, and authorises the Secretary
to disclose any information to any persons and for any purposes that the Secretary certifies is in
the public interest. Greater certainty and transparency about the scope of the disclosures
allowed under the provisions could be achieved by specifying some of the detail in the Bill (such
as the types of information that may be disclosed and the main purposes for which information
may be disclosed). Alternatively, limitations on the operation of the disclosure provision could be
prescribed by regulations. The provisions in the Bill enable the Minister to, by legislative
instrument, make rules for and in relation to the exercise of the Secretary’s power to give
certificates under the provision. We note that existing legislation (such as the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010) includes similar disclosure
provisions and Rules issued under those Acts set out the matters to which the Secretary must
have regard in giving a public interest certificate and the circumstances in which a public interest
certificate may be given, which include: to prevent, or lessen, a threat to the life, health or
welfare of a person; for the enforcement of laws; to correct a mistake of fact; to brief a Minister
or to locate missing persons etc. For example, see the Paid Parental Leave Rules 2010, Social
Security (Administration) (Public Interest Certificate Guidelines) (DEEWR) Determination 2013,
Social Security (Public Interest Certificate Guidelines) (DSS) Determination 2015.
We note that the Bill does contain some privacy protections, including the requirement for the
Secretary to notify an individual of the Secretary’s intention to disclose their personal
information. This provision also states that the individual must be provided with the opportunity
to make comments on the proposed disclosure and that these comments must be considered by
the Secretary. The Bill also makes it an offence if the Secretary fails to comply with the provision
in relation to any disclosures made under that provision. These protections in the Bill could be
further enhanced by, for example, addressing the issues raised above in terms of limiting the
purposes for which disclosures can be made and by making it clear, either in the Bill or in
regulations, that the privacy of individuals is a relevant matter for the Secretary to consider
before disclosing personal information.
Pages 5 through 6 redacted for the following reasons:
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
s.22
7 November 2016
s.22 - Irrelevant
Email to AGD re Veterans’ Affairs Legislation Amendment (Digital Readiness and
Other Measures) Bill 2016. The Bill would insert a provision in Military Rehabilitation
and Compensation Act 2004, the Safety, Rehabilitation and Compensation (Defence-related
Claims) Act 1988 and the Veterans’ Entitlements Act 1986 that states that the disclosure
is authorised by law for the purposes of the APPs. We provided our usual comments
about proportionality and including greater certainty in the Bill about the scope of
disclosures (or in the regs).
s.22 - Irrelevant
s.22 - Irrelevant
THE SENATE
STANDING COMMITTEE ON FOREIGN AFFAIRS, DEFENCE AND TRADE
6 December 2016
Mr Timothy Pilgrim PSM
Australian Information Commissioner and Australian Privacy Commissioner
Office of the Australian Information Commissioner
Email: xxxxxxxxx@xxxx.xxx.xx
Dear Mr Pilgrim
Veterans' Affairs Legislation Amendment (Digital Readiness and Other Measures)
Bill 2016 [provisions]
On 1 December 2016, the Senate referred the provisions of the Veterans' Affairs
Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 to the
Senate Foreign Affairs, Defence and Trade Legislation Committee for inquiry and
report by 14 February 2017.
The purpose of this letter is to draw your attention to the inquiry and to invite you, or
your organisation, to make a written submission to the committee.
Also, the committee is seeking to publicise its work as widely as possible and would
appreciate you referring this letter of invitation to any individual, group or organisation
that you think would like to contribute to the inquiry.
Information and notes to assist in preparing submissions are available from the
website www.aph.gov.au/senate_fadt or the secretariat (ph: s.22 - Irrelevant
fax: 02 6277 5818).
The committee asks that submissions be lodged by 25 January 2017 to allow
members adequate time before the committee considers its public hearing program.
The committee would prefer to receive written submissions in electronic form
submitted online or sent by email to xxxx.xxx@xxx.xxx.xx as an attached Adobe PDF
or MS Word format document. The email must include full postal address and contact
details.
PO Box 6100, Parliament House, Canberra ACT 2600 Tel: +61 2 6277 3535 Fax: +61 2 6277 5818
Email: xxxx.xxx@xxx.xxx.xx Internet: www.aph.gov.au
Alternatively, written submissions may be sent to:
Committee Secretary
Senate Foreign Affairs, Defence and Trade Committee
PO Box 6100
Parliament House
Canberra ACT 2600
At some stage during the inquiry, the committee normally makes submissions public.
Please indicate if you want your submission kept confidential.
The committee hopes to hear from you soon. If you would like further information,
please do not hesitate to contact me.
Yours sincerely
Senator Chris Back
Chair
Senate Foreign Affairs, Defence and Trade Legislation Committee
From: Melanie Drayton
To: Sophie Higgins
Subject: FW: Call from CW Ombudsman re Veterans affairs bill [SEC=UNCLASSIFIED]
Date: Monday, 13 February 2017 10:19:13 AM
From: Angelene Falk
Sent: Friday, 3 February 2017 4:34 PM
To: Sarah Ghali s.22 - Irrelevant
Jacob Suidgeest
Melanie Drayton
s.22 - Irrelevant
Subject: Call from CW Ombudsman re Veterans affairs bill [SEC=UNCLASSIFIED]
Hello
I had a call from the Legal officer on Richard Glenn’s ask to give us the heads up that they are making a second submission to
this inquiry
http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Foreign_Affairs_Defence_and_Trade/VetAffairsDigitalBill
and will be stating that any development of legislation or policy relating to disclosure of PI should occur in consultation with
us. There are apparently new disclosure provisions.
Can you please remind me if we had been consulted and if we made comment on the Bill: Veterans' Affairs Legislation
Amendment (Digital Readiness and Other Measures) Bill 2016 [provisions]?
If we haven’t, can someone take a look at the privacy impacts and let me know if there are any issues (so I can brief TP in case
he’s asked about it) and whether we need to make any last minute representations to the Committee or the Department?
Many thanks
Angelene
Angelene Falk | Deputy Commissioner |
Office of the Australian Information Commissioner GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au |
s.22 - Irrelevant
From: Melanie Drayton
To: Sophie Higgins
Subject: Fwd: Public Hearing Invitation - Inquiry into the Digital Readiness Bill - Senate Foreign Affairs, Defence and Trade Committee [SEC=UNCLASSIFIED]
Date: Monday, 13 February 2017 7:30:35 AM
Hello Sophie
Can we please discuss this request first thing this morning?
Thanks very much
Mel
Sent from my iPhone
Begin forwarded message:
From: Melanie Drayton s.22 - Irrelevant
Date: 10 February 2017 at 4:06:14 PM AEDT
To: Timothy Pilgrim s.22 - Irrelevant
Angelene Falk
s.22 - Irrelevant
Cc: Brenton Attard s.22 - Irrelevant
Subject: RE: Public Hearing Invitation - Inquiry into the Digital
Readiness Bill - Senate Foreign Affairs, Defence and Trade Committee
[SEC=UNCLASSIFIED]
Hello
Sorry for the delay on this one.
I put in a call to the Committee’s Research Officer and she has sent me the
questions the Committee intends to ask. They’re quite specific.
1) Under the bill’s proposed public interest disclosure provision, the Secretary
of DVA will have the power to correct ‘mistakes’ or ‘misinformation’.
a. Please advise the committee what is the current situation that DVA
or other agencies require this power?
b. Why does DVA require these provisions so urgently?
c. Is there not already a mechanism for agencies to report crimes to
police?
d. Over the last 5 years, how many cases were there of mistake
and/or misinformation that agencies did not have the power to
respond to?
I told them we will get back to them either this afternoon or Monday about our
attendance. Obviously it’ll be Monday now.
I will send you a more fulsome email about the issue later today.
We could possibly provide a written response if those are the issues the Committee
wants to hear about. I will give it more thought.
Thanks
M
From: Timothy Pilgrim
Sent: Friday, 10 February 2017 1:21 PM
To: Angelene Falk s.22 - Irrelevant
Cc: Brenton Attard s.22 - Irrelevant
Melanie Drayton
s.22 - Irrelevant
Subject: Re: Public Hearing Invitation - Inquiry into the Digital Readiness Bill -
Senate Foreign Affairs, Defence and Trade Committee [SEC=UNCLASSIFIED]
Ok
On 10 Feb 2017, at 1:20 pm, Angelene Falk s.22 - Irrelevant
wrote:
Yes a bit. I'll get Melanie to fill you in on the details. I had a call from
the cw ombos legal officer to let us know they were submitting.
On 10 Feb 2017, at 1:16 pm, Timothy Pilgrim
s.22 - Irrelevant
wrote:
Do we know much about this?
On 10 Feb 2017, at 1:08 pm, Angelene Falk
s.22 - Irrelevant
wrote:
FYI possible Committee appearance next
Thursday evening. Please hold the diary
Melanie will come to us.
Begin forwarded message:
From: Melanie Drayton
s.22 - Irrelevant
Date: 10 February 2017 at
12:01:40 pm AEDT
To: Angelene Falk
s.22 - Irrelevant
Subject: FW: Public Hearing
Invitation - Inquiry into the
Digital Readiness Bill - Senate
Foreign Affairs, Defence and
Trade Committee
[SEC=UNCLASSIFIED]
Hello
This came in this morning.
Stay tuned for a plan of attack.
M
From: Jacob Suidgeest
Sent: Friday, 10 February
2017 10:02 AM
To: Melanie Drayton
s.22 - Irrelevant
Subject: FW: Public Hearing
Invitation - Inquiry into the
Digital Readiness Bill - Senate
Foreign Affairs, Defence and
Trade Committee
[SEC=UNCLASSIFIED]
Hi Mel
Can I give this one to you to
consider and action. See the
attached email for previous
comments. I’ll acknowledge
the email.
Regards,
Jacob
From: Balaga, Kimberley (SEN)
s.22 - Irrelevant
On Behalf Of FADT,
Committee (SEN)
Sent: Friday, 10 February
2017 9:16 AM
To: Enquiries
<xxxxxxxxx@xxxx.xxx.xx>
Cc: FADT, Committee (SEN)
<xxxx.xxx@xxx.xxx.xx>
Subject: Public Hearing
Invitation - Inquiry into the
Digital Readiness Bill - Senate
Foreign Affairs, Defence and
Trade Committee
Good morning
I called yesterday afternoon in
regards to the following
matter and was advised to
send an email to your office so
that it may be directed to the
relevant officers.
The Senate Foreign Affairs,
Defence and Trade
Committee is currently
conducting an inquiry into the
Veterans’ Affairs Legislation
Amendment (Digital
Readiness) Bill 2016.
The committee is holding a
public hearing next Thursday,
16 February 2017 from
5.00pm to 6.00pm at
Parliament House and would
like to invite the Office of the
Information Commissioner to
appear and give evidence. The
Commonwealth Ombudsman
and officers of DVA have also
been invited to appear.
If you could please call me on
s.22 - Irrelevant to discuss, I
would be most appreciative.
Regards
Kimberley Balaga | Research
Officer
<image001.gif>
Standing Committee on Foreign
Affairs, Defence and Trade |
Department of the Senate
s.22 - Irrelevant
Disclaimer
This email, and any attachments,
may be confidential and may be
protected by privilege. You should not
copy, use or disclose it for any
unauthorised purpose.
From: Sophie Higgins
To: Melanie Drayton
Subject: FOR CLEARANCE: draft email to TP - Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Date: Monday, 13 February 2017 11:15:00 AM
Hi Mel
Below is a draft email to TP with overview and chronology. I will ask Renee to prepare the
briefing paper and response to the Committee’s questions today. Please let me know if you need
any additional info for TP in the meantime, or if you would like to discuss approach further
Thanks
Sophie
Hi Timothy
You have been invited to appear before the Senate Foreign Affairs, Defence and Trade
Legislation Committee on Thursday, 16 February from 5-6pm in relation to the Veterans’ Affairs
Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (the Bill). A brief
overview and chronology of our involvement with the Bill is below. We will also prepare and
send you a more detailed briefing paper for the hearing, including written responses to specific
questions the Committee has sent us, by COB tomorrow.
In the meantime, please let us know if you would like to discuss.
Sophie
Overview
The Bill:
· inserts a provision in each of the Veterans’ Entitlements Act 1986 (VEA), Military
Rehabilitation and Compensation Act 2004 (MRCA) and the Safety Rehabilitation and
Compensation (Defence-related Claims) Act 1988 (DRCA), that would enable the
Secretary to authorise the use of computer programmes to make decisions and
determinations, exercise powers or comply with obligations etc under those Acts.
Safeguards include that the Commissioner may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that decision or determination is incorrect.
· also inserts a provision in each of the VEA, MRCA and DRCA that would enable the
Secretary to disclose information about a particular case or class of cases to such
persons and for such purposes as the Secretary determines, if he or she certifies that it is
necessary in the public interest to do so. Safeguards include that the power cannot be
delegated by the Secretary to anyone, the Secretary must act in accordance with rules
that the Minister makes, the Minister cannot delegate his or her rule making power, and,
unless the Secretary complies with certain notification requirements before disclosing
personal information, he or she commits an offence, punishable by 60 penalty units.
· inserts three information sharing provisions in the DRCA between the Military
Rehabilitation and Compensation Commission and the Secretary of the Department of
Defence or the Chief of the Defence Force.
Chronology
· On 31 October 2016, OPC contacted AGD seeking comment on the Bill. AGD contacted
OAIC seeking any comments by 3 November 2016. The OAIC was only provided with the
Bill and not any EM.
· On 3 November 2016, Rebecca Brown emailed AGD, the OAIC’s comments on the Bill
(cleared by me, as acting Director). The comments focused on the scope of broad new
disclosure powers. We suggested that any authorisation which permits secondary
disclosures under the Privacy Act should clearly describe the types of PI that may be
disclosed; who may disclose the information and who may receive the information and
the purpose for which the information may be disclosed and on-disclosed.
· The AGD sent these comments to OPC on 3 November 2017, along with a very brief AGD
comment that ‘public interest disclosure provisions in the Bill would need to be justified
in the EM including in its Statement of Compatibility with Human Rights D2016/008459.
· On 7 November 2016, DVA confirmed by email that ‘it is intended that, should this Bill
be enacted, the Minister for Veterans’ Affairs would make rules setting out the
circumstances in which the Secretary may make a public interest disclosure (subitem (3)
of items 1, 7 and 10 of Schedule 2) before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security (Public
Interest Certificate Guidelines) (DSS) Determination 2015. They also noted that the sorts
of situations in which we envisage the public interest disclosure power being exercised
are: where there is a threat to life, health or welfare, for the enforcement of laws, in
relation to proceeds of crime orders, mistakes of fact, research and statistical analysis,
APS code of conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules along these
lines.)’ D2016/008500
· The Bill was introduced and read for a first and second time in Parliament on 24
November 2016. It was referred to the Senate Foreign Affairs, Defence and Trade
Legislation Committee on 1 December 2016, with a reporting date of 14 February 2017
(the Committee Inquiry). Submissions closed on 25 January 2017. The OAIC did not make
a submission.
· On 3 February 2017, a Legal Officer from the Commonwealth Ombudsman contacted AF
and noted that they would be making a second submission to the Committee Inquiry –
noting that any development of legislation or policy relating to disclosure of PI should
occur in consultation with the OAIC.
· On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions D2017/001180.
Sophie Higgins |
Director (a/g)| Regulation & Strategy Branch
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY 2001 |www.oaic.gov.au
s.22 - Irrelevant
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA). The Bill and Explanatory memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Commonwealth Ombudsman outlined in their second submission on the
disclosure provisions (and also notified Angelene Falk by telephone of their intention
to make such a submission) that any development of legislation or policy relating to
the disclosure of personal information should occur in consultation with the OAIC.
5. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
Content Author: Renee Alchin
Responsible Director: Sophie Higgins
Responsible Assistant Commissioner
s.22 - Irrelevant
Melanie Drayton
6. Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access
and correction).
7. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
8. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration be given at
an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, including by undertaking a privacy impact assessment, and that an
integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
The Bill will also insert a provision into each of these Acts that give the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
The Bill also inserts three information sharing provisions in the DRCA between the
Military Rehabilitation and Compensation Commission and the Secretary of the
Department of Defence or the Chief of the Defence Force.
OAIC’s responsibilities to examine proposed enactments impact privacy
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
OAIC engagement with the Bill
On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed on to the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA, are at Annexure B.
The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
Key points made in the OAIC’s comments were:
o The OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
will be exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines).
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request. Melanie has apologised to the
Committee for this oversight.
Seven submissions have been made to the Committee – see Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process.
o The Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’, and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
The most recent iteration of the Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 was registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A fuller search could be undertaken if necessary.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
They also made a second submission on the new disclosure provisions (and notified
Angelene Falk, by telephone, of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions
On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at Annexure D. The OAIC’s answers to
the Committee’s questions are at Annexure E.
Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social licence given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry
and system errors, and the fact that the onus is predominately placed on the customer
to identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
The objects of the Privacy Act recognise that the protection of individuals’ privacy is
balanced with the interests of entities in carrying out their functions or activities (s
3(b)). The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services, including
those associated with reduced costs and enhanced efficiency. However, consideration
should be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
Some key privacy considerations that may arise where decision-making is automated
include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the APPs
and to enable the entity to deal with inquiries and complaints from
individuals about the entity’s compliance with the APPs (APP 1.2). Entities
will be better placed to meet these obligations if they embed privacy
protections in the design of the information handling practice at an early
stage.
o whether the entity has taken reasonable steps to ensure that the personal
information it collects, uses and discloses is accurate, up-to-date and
complete (as required by APP 10). This may be particularly challenging
where the onus is on the individual to identify errors or discrepancies with
automated decisions.
o whether the entity has processes in place to allow the individual to request
access to, and correction of his or her personal information used in
automated processes (APPs 11 and 12).
The OAIC also suggests consideration be given to the privacy risks arising from personal
information processed as part of an automated decision-making process. For example,
due to the higher privacy risks involved with handling sensitive information, the OAIC
would generally suggest greater caution be exercised when considering whether this
information should be subject to automated processing. The OAIC welcomes the DVA’s
comments in its written submission to the Committee that ‘in regards to automated
debt collection, the Department does not intend this provision for this purpose’. This
intent could be included in the Bill or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Commissioner brief: Opening statement talking points for Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework is the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which exclude from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
My Office provided comments to the Office of Parliamentary Counsel
(through the Attorney-General’s Department), on a draft version of the Bill on
3 November 2016. These comments focused on the public interest
disclosure provisions in Schedule 2 of the Bill. These permit the Secretary to
make ‘public interest’ disclosures and have the effect that the privacy
protections in the ‘use and disclosure’ APP - Australian Privacy Principle 6 -
would not apply. I understand my Office has provided a copy of these
comments to the Senate Committee inquiry for its information.
There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the disclosure is required or authorised by law, the Australian
Privacy Principles govern the Department of Veterans’ Affairs (DVA) information
handling practices and would continue to apply to that personal information held
by the DVA (such as the requirements in relation to transparency, data quality,
security, and rights to access and correction).
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, I would encourage consideration
to be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
o If it has not done so already, the Department of Veterans’ Affairs could conduct a
privacy impact assessment of the amendments proposed by the Bill that have
privacy implications to identify and assess the privacy risks associated with the
amendments. A privacy impact assessment is a written assessment which may
assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or
eliminating those impacts.
I would be happy to answer any questions the Committee has.
From: Melanie Drayton
To: Renee Alchin
Subject: FW: Public Hearing Invitation - Inquiry into the Digital Readiness Bill - Senate Foreign Affairs, Defence and Trade Committee [SEC=UNCLASSIFIED]
Date: Tuesday, 14 March 2017 8:38:06 AM
Attachments: image001.gif
From: Melanie Drayton
Sent: Tuesday, 14 February 2017 8:46 PM
To: Renee Alchin s.22 - Irrelevant
Subject: FW: Public Hearing Invitation - Inquiry into the Digital Readiness Bill - Senate Foreign
Affairs, Defence and Trade Committee [SEC=UNCLASSIFIED]
Another to be filed please, thanks very much
M
From: Balaga, Kimberley (SEN) [mailto: s.22 - irrelevant] On Behalf Of FADT, Committee (SEN)
Sent: Friday, 10 February 2017 3:28 PM
To: Melanie Drayton s.22 - irrelevant
Cc: Enquiries <xxxxxxxxx@xxxx.xxx.xx>; Carl English s.22 - irrelevant; Jacob Suidgeest s.22 - irrelevant
Subject: RE: Public Hearing Invitation - Inquiry into the Digital Readiness Bill - Senate Foreign
Affairs, Defence and Trade Committee [SEC=UNCLASSIFIED]
Hi Melanie
Thank you for your time on the phone today. As discussed, we look forward to your confirmation
either today or on Monday regarding the OAIC’s attendance at the hearing. I will issue a formal
invitation from the committee once we have confirmation.
In anticipation of the OAIC’s attendance, the committee has asked that the OAIC give particular
consideration to the following questions in relation to the bill, and come prepared to provide a
response at the hearing:
1) Under the bill’s proposed public interest disclosure provision, the Secretary of DVA will
have the power to correct ‘mistakes’ or ‘misinformation’.
a. Please advise the committee what is the current situation that DVA or other
agencies require this power?
b. Why does DVA require these provisions so urgently?
c. Is there not already a mechanism for agencies to report crimes to police?
d. Over the last 5 years, how many cases were there of mistake and/or
misinformation that agencies did not have the power to respond to?
Please contact me if you wish to discuss any of these matters further.
Regards
Kimberley Balaga | Research Officer
Standing Committee on Foreign Affairs, Defence and Trade | Department of the Senate
s.22 - Irrelevant
www.aph.gov.au/senate
Disclaimer
This email, and any attachments, may be confidential and may be protected by privilege. You should not copy, use or
disclose it for any unauthorised purpose.
From: Jacob Suidgeest s.22 - Irrelevant
Sent: Friday, 10 February 2017 10:04 AM
To: Balaga, Kimberley (SEN)
Cc: Enquiries; Carl English; Melanie Drayton
Subject: RE: Public Hearing Invitation - Inquiry into the Digital Readiness Bill - Senate Foreign
Affairs, Defence and Trade Committee [SEC=UNCLASSIFIED]
Dear Kimberley
Thank you for your email. We’ll consider and contact you.
Regards,
Jacob Suidgeest | Director
Regulation and Strategy Branch
Office of the Australian Information Commissioner GPO Box 5218 SYDNEY NSW 2001 |www.oaic.gov.au
s.22 - Irrelevant
From: Balaga, Kimberley (SEN) s.22 - Irrelevant On Behalf Of FADT, Committee (SEN)
Sent: Friday, 10 February 2017 9:16 AM
To: Enquiries <xxxxxxxxx@xxxx.xxx.xx>
Cc: FADT, Committee (SEN) <xxxx.xxx@xxx.xxx.xx>
Subject: Public Hearing Invitation - Inquiry into the Digital Readiness Bill - Senate Foreign Affairs,
Defence and Trade Committee
Good morning
I called yesterday afternoon in regards to the following matter and was advised to send an email
to your office so that it may be directed to the relevant officers.
The Senate Foreign Affairs, Defence and Trade Committee is currently conducting an inquiry into
the Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016.
The committee is holding a public hearing next Thursday, 16 February 2017 from 5.00pm to
6.00pm at Parliament House and would like to invite the Office of the Information Commissioner
to appear and give evidence. The Commonwealth Ombudsman and officers of DVA have also
been invited to appear.
If you could please call me on s.22 - irrelevant to discuss, I would be most appreciative.
Regards
Kimberley Balaga | Research Officer
Standing Committee on Foreign Affairs, Defence and Trade | Department of the Senate
s.22 - irrelevant
www.aph.gov.au/senate
Disclaimer
This email, and any attachments, may be confidential and may be protected by privilege. You should not copy, use or
disclose it for any unauthorised purpose.
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
From: Melanie Drayton
To: Renee Alchin
Subject: FW: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Date: Tuesday, 14 March 2017 8:37:43 AM
Attachments: image001.jpg; image002.png
From: Melanie Drayton
Sent: Tuesday, 14 February 2017 6:38 PM
To: Sophie Higgins s.22 - irrelevant; Renee Alchin s.22 - irrelevant
Subject: FW: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Thank you very much for your work on this issue today. It’s much appreciated.
Can you please add this email to the briefing packs?
Thanks again
Mel
From: Melanie Drayton
Sent: Tuesday, 14 February 2017 6:35 PM
To: s.22 - irrelevant; FADT, Committee (SEN) <xxxx.xxx@xxx.xxx.xx>
Cc: Sophie Higgins s.22 - irrelevant
Subject: RE: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Good evening
Thank you for inviting the Information Commissioner and Australian Privacy Commissioner,
Timothy Pilgrim, and the Deputy Commissioner, Angelene Falk, to appear at the Senate
Committee’s public hearing into the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016 (the Bill) on Thursday, 16 February 2017. They are pleased to
accept.
In advance of the hearing, we thought it may assist the Committee to provide:
· a brief outline of the role and responsibilities of the Office of the Australian Information
Commissioner (OAIC)
· an overview of the OAIC’s engagement with the Bill
· a response, where possible, to the Committee’s questions provided to the OAIC on 10
February 2017.
This email is provided as background information only and is not a submission.
OAIC
The OAIC is an independent Commonwealth statutory agency. It was established by the
Australian Parliament to bring together three functions:
· privacy functions (protecting the privacy of individuals under the Privacy Act
1988 (Privacy Act), and other Acts)
· freedom of information functions (access to information held by the Commonwealth
Government in accordance with the Freedom of Information Act 1982 (FOI Act)), and
· information management functions (as set out in the Information Commissioner Act
2010).
The integration of these three interrelated functions into one agency has made the OAIC well
placed to strike an appropriate balance between promoting the right to privacy and broader
information policy goals.
The OAIC’s responsibilities include examining proposals that may restrict the exercise of
individuals’ privacy protections in favour of another public interest objective.
The Privacy Act
The Privacy Act contains thirteen legally-binding Australian Privacy Principles (APPs). These set
out standards, rights and obligations relating to the handling, holding, accessing and correction
of personal information. Personal information is information or an opinion about an identified
individual, or an individual who is reasonably identifiable.
The APPs apply to most Australian Government agencies, all private sector organisations with an
annual turnover of more than $3 million, all private health service providers and some small
businesses – collectively referred to as APP entities.
The APPs are principles-based law. This provides APP entities with the flexibility to tailor their
personal information handling practices to their diverse needs and business models and to the
diverse needs of individuals. The APPs are also technology neutral, applying equally to paper-based
and digital environments. This is intended to preserve their relevance and applicability, in
a context of continually changing and emerging technologies.
The Privacy Act recognises that the protection of individuals’ privacy, through the protection of
their personal information, is not an absolute right. Rather, those interests must be balanced
with the broader interest of the community in ensuring that APP entities are able to carry out
their legitimate functions and activities. This balancing is reflected in the exceptions to a number
of the APPs. Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably believes
that a use or disclosure is reasonably necessary for an enforcement related activity conducted by
an enforcement body.
OAIC comments on the Bill
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose for which
the information was collected (known as the ‘primary purpose’), or for another purpose where
one of the exceptions listed in APP 6 apply. As noted above, the exceptions include where ‘a use
or disclosure of personal information is authorised or required by Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the collection,
use or disclosure of personal information. Consistent with the approach taken in applying Article
17 in the International Covenant on Civil and Political Rights (ICCPR), the OAIC’s advice generally
suggests consideration should be given to whether those measures are proportionate and
necessary. That is, whether they appropriately balance the intrusion on individuals’ privacy with
the overall public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is generally
recommended that those activities be accompanied by an appropriate level of privacy
safeguards and accountability. Should such a proposal be considered to appropriately balance
these objectives, it is generally recommended that the scope of the proposal be drafted
consistent with the spirit and intent of the Privacy Act.
On 31 October 2016, the OAIC was invited to comment on the Bill, following a request from the
Office of Parliamentary Counsel (OPC), via the Attorney-General’s Department, Information Law
Unit (the AGD). The OAIC’s comments on the Bill were provided to the AGD on 3 November
2016, and we understand that they were then passed on to the OPC and the Department of
Veterans’ Affairs (DVA). The comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill which permit certain disclosures and invoke the ‘required or authorised’ by
law exception in APP 6 in the Privacy Act. The OAIC’s comments are attached.
The OAIC has reviewed the Commonwealth Ombudsman’s written submissions to the
Committee and notes its suggestion to involve the OAIC in the development of laws and policies
raising privacy issues (Commonwealth Ombudsman, Supplementary submission). In this regard,
the OAIC would welcome the opportunity to be consulted on rules made by the Minister in
relation to public interest disclosure certificates under the proposed amendments in Schedule 2
of the Bill.
Committee questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
As outlined above, the OAIC’s role includes examining proposed enactments that would require
or authorise acts or practices that might otherwise interfere with privacy (s 28A(2), Privacy Act)
and ensuring that any adverse effects of a proposed enactment on the privacy of individuals are
minimised (s 28A(2)(c), Privacy Act). The OAIC provided some brief comments on the Bill. At that
time, the OAIC did not have access to the Explanatory Memorandum (including Statement of
Compatibility with Human Rights). Details about the current situation that necessitates this
power may be a matter for DVA. As the ‘public interest disclosure’ provisions in Schedule 2 of
the Bill broaden the circumstances in which personal information can be used and disclosed, we
suggest that DVA use the Explanatory Memorandum (including its Statement of Compatibility
with Human Rights), to explain the need for such provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the ‘primary
purpose’), or for another purpose where one of the exceptions listed in APP 6 apply. The
following exceptions to APP 6 would permit agencies to disclose personal information to the
police, where:
· the APP entity reasonably believes that the use or disclosure of the information is
reasonably necessary for one or more enforcement related activities conducted by, or
on behalf of, an enforcement body (examples include the Australian Federal Police or a
State or Territory Police force or service) (APP 6.2(e)), and
· the entity reasonably believes that the collection, use or disclosure is necessary to
lessen or prevent a serious threat to the life, health or safety of any individual, or to
public health or safety (and it is unreasonable or impracticable to obtain the individual’s
consent) (APP 6.2(c) and s 16A, item 1)
· the use or disclosure of the information is required or authorised by or under an
Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
This may be a matter for DVA.
Invitation to make a written submission
I would also like to take this opportunity to thank the Committee for the invitation of 6
December 2016 to make a submission to this inquiry. I apologise that the OAIC did not respond.
The OAIC had overlooked the invitation due to a clerical error.
Please feel free to contact Sophie Higgins on s.22 - irrelevant or by email, if we can assist by
providing any further information.
Kind regards
Melanie Drayton
Melanie Drayton | Assistant Commissioner, Regulation and Strategy
Office of the Australian Information Commissioner GPO Box 5218 SYDNEY NSW 2001 |www.oaic.gov.au
s.22 - irrelevant
From: Balaga, Kimberley (SEN) s.22 - irrelevant On Behalf Of FADT, Committee (SEN)
Sent: Monday, 13 February 2017 6:20 PM
To: Melanie Drayton s.22 - irrelevant
Cc: Sophie Higgins s.22 - irrelevant; FADT, Committee (SEN) <xxxx.xxx@xxx.xxx.xx>
Subject: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital
Readiness and Other Measures) Bill 2016
THE SENATE
STANDING COMMITTEE ON FOREIGN AFFAIRS, DEFENCE AND TRADE
13 February 2017
Ms Melanie Drayton
Office of the Australian Information Commissioner
Email: s.22 - irrelevant
Dear Ms Drayton
Inquiry into the Veterans' Affairs Legislation Amendment (Digital Readiness and Other
Measures) Bill 2016
The Senate Foreign Affairs, Defence and Trade Legislation Committee is pleased to confirm
arrangements for the Commissioner and the Deputy Commissioner to give evidence at a public
hearing for the above inquiry. The public hearing will be held on Thursday, 16 February 2017 in
Committee Room 2S3, Parliament House, Canberra. Your appearance time is indicated on the
attached public hearing program.
It would be appreciated if you could arrive about 10 minutes before your appearance time and
make yourself known to the committee's secretariat staff. I would be grateful if you could advise
me if you intend to table any documents with the committee during the hearing.
A Hansard witness form is also attached. Could you please complete it and email back to the
secretariat as soon as possible to xxxx.xxx@xxx.xxx.xx or by fax to 02 6277 5818. This is used to
ensure details are correctly recorded and to provide contact details so you can check the
transcript of evidence.
If persons attending the public hearing have any special requirements please contact the
secretariat beforehand so that any necessary arrangements can be made. If there are any
additional witnesses whose details you have not already provided, please speak to the
secretariat officers as early as possible at the hearing.
After the formalities have been concluded at the beginning of the hearing, the Chair will invite
you to make a short opening statement, which should be around three minutes, or you may
decline to make any opening remarks. The remainder of the hearing will be devoted to a
question and answer session.
Please note that the hearing is open to the public and the media. The committee prefers all
evidence to be given in public but should you wish to give any evidence in private, you may make
a request to the Chair and the committee will consider the request. You are welcome to listen to
the evidence of other witnesses.
A ‘proof’ (draft) copy of the Hansard transcript of evidence will be forwarded to you for
correction of transcription errors. Hansard transcripts of evidence will also be available from the
committee's website.
A copy of general information for witnesses, procedures to be observed by Senate Committees
for the protection of witnesses, the public hearing program and the chair's opening statement
are enclosed for your information.
If you require any further information please contact me on s.22 - irrelevant
Yours sincerely
David Sullivan
Secretary
Senate Standing Committee on Foreign Affairs, Defence and Trade
s.22 - irrelevant
Attachments:
Hearing Program
Information Sheet: witnesses at hearings
Information Sheet: protection of witnesses
Chair's opening statement
Hansard Witness Form
From: Renee Alchin
To: Sophie Higgins
Subject: RE: [CLEARANCE} Commissioner briefing notes and opening statements - Digital Readiness Bill [SEC=UNCLASSIFIED]
Date: Tuesday, 14 February 2017 3:26:00 PM
Hi Sophie,
I’ve incorporated the comments and tracks in TRIM into the briefing notes (I’ll tidy it up once
we’re happy with the content)
I’ve also completed the Hansard Witness Forms for Timothy and Angelene, saved in the same
TRIM folder: 15/000188-40
Thanks
Renee
From: Renee Alchin
Sent: Tuesday, 14 February 2017 12:24 PM
To: Sophie Higgins s.22 - irrelevant
Subject: [CLEARANCE} Commissioner briefing notes and opening statements - Digital Readiness
Bill [SEC=UNCLASSIFIED]
Hi Sophie,
These may be a bit ‘rough’ and could be condensed a bit, but seeing as I’m conscious of the
deadline, would you mind having a look over the briefing notes and opening statement:
- Briefing notes: D2017/001199
- Opening statement talking points: D2017/001200
I’m happy to keep working on them this afternoon.
Also, with the section that discusses DHS’ automated debt recovery program (and possibly
relevance to the automated decisions the Bill will allow), I haven’t actually been able to find any
comments in TRIM that we provided to DHS expressing our actual view on the automated
process, but I have summarised some of the risks that we identified/discussed with DHS. Happy
to discuss this section / research it a bit further to see if I can dig anything else up, subject to
what you think.
Thanks
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
Commissioner brief: Briefing notes – Inquiry into the Digital Readiness Bill – Senate Foreign Affairs, Defence and Trade Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA). The Bill and Explanatory memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Commonwealth Ombudsman outlined in their second submission on the
disclosure provisions (and also notified Angelene Falk by telephone of their intention
to make such a submission) that any development of legislation or policy relating to
the disclosure of personal information should occur in consultation with the OAIC.
5. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
6. Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access
and correction).
7. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
8. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration be given at
an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, including by undertaking a privacy impact assessment, and that an
integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
• The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
• Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
• The Bill will also insert a provision into each of these Acts that give the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
• Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
• The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
• The Bill also inserts three information sharing provisions in the DRCA between the
Military Rehabilitation and Compensation Commission and the Secretary of the
Department of Defence or the Chief of the Defence Force.
OAIC’s responsibilities to examine proposed enactments that impact privacy
• A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
• The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
• This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
• APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
• The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
• Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
• Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
OAIC engagement with the Bill
• On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at Annexure B.
• The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
• Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard to in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
• On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
will be exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
• On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request. Melanie has apologised to the
Committee for this oversight.
• Seven submissions have been made to the Committee – see Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
• Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
• The most recent iteration of the Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 was registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
• The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
• They also made a second submission on the new disclosure provisions, (and notified
Angelene Falk by telephone, of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
• On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions.
• On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at Annexure D. The OAIC’s answers to
the Committee’s questions are at Annexure E.
• Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
• The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry
and system errors, and the fact that the onus is predominately placed on the customer
to identify these errors.
• The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
• The objects of the Privacy Act recognise that the protection of individuals’ privacy is
balanced with the interests of entities in carrying out their functions or activities (s
3(b)). The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services, including
associated with reduced costs and enhanced efficiency. However, consideration
should be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
• Some key privacy considerations that may arise where decision-making is automated
include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the APPs
and to enable the entity to deal with inquiries and complaints from
individuals about the entity’s compliance with the APPs (APP 1.2). Entities
will be better placed to meet these obligations if they embed privacy
protections in the design of the information handling practice at an early
stage.
o whether the entity has taken reasonable steps to ensure that the personal
information it collects, uses and discloses is accurate, up-to-date and
complete (as required by APP 10). This may be particularly challenging
where the onus is on the individual to identify errors or discrepancies with
automated decisions.
o whether the entity has processes in place to allow the individual to request
access to, and correction of his or her personal information used in
automated processes (APPs 11 and 12).
• The OAIC also suggests consideration be given to the privacy risks arising from personal
information processed as part of an automated decision-making process. For example,
due to the higher privacy risks involved with handling sensitive information, the OAIC
would generally suggest greater caution be exercised when considering whether this
information should be subject to automated processing. The OAIC welcomes the DVA’s
comments in its written submission to the Committee that ‘in regards to automated
debt collection, the Department does not intend this provision for this purpose’. This
intent could be included in the Bill or the Explanatory Memorandum.
• DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Commissioner brief: Opening statement talking points for Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry into the Digital Readiness Bill
For: The Australian Information Commissioner
• Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
• As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
• The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
• The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
• The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
• This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which exclude from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
• The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
• My Office provided comments to the Office of Parliamentary Counsel
(through Attorney General’s Department), on a draft version of the Bill on
3 November 2016. These comments focused on the public interest
disclosure provisions in Schedule 2 of the Bill. These permit the Secretary to
make ‘public interest’ disclosures and have the effect that the privacy
protections in the ‘use and disclosure’ APP - Australian Privacy Principle 6 -
would not apply. I understand my Office has provided a copy of these
comments to the Senate Committee inquiry for its information.
• There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the disclosure is required or authorised by law, the Australian
Privacy Principles govern the Department of Veterans’ Affairs (DVA) information
handling practices and would continue to apply to that personal information held
by the DVA (such as the requirements in relation to transparency, data quality,
security, and rights to access and correction).
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, I would encourage consideration
to be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
o If it has not done so already, the Department of Veterans’ Affairs could conduct a
privacy impact assessment of the amendments proposed by the Bill that have
privacy implications to identify and assess the privacy risks associated with the
amendments. A privacy impact assessment is a written assessment which may
assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or
eliminating those impacts.
• I would be happy to answer any questions the Committee has.
From: Melanie Drayton
To: Renee Alchin
Subject: FW: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Date: Tuesday, 14 March 2017 8:37:16 AM
Attachments: image001.jpg, image002.png
From: Melanie Drayton
Sent: Tuesday, 14 February 2017 6:24 PM
To: Melanie Drayton s.22 - irrelevant
Subject: RE: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Good evening
Thank you for inviting the Information Commissioner, Timothy Pilgrim, and the Deputy
Commissioner, Angelene Falk, to appear at the Senate Committee’s public hearing into the
Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (the
Bill) on Thursday, 16 February 2017. They are pleased to accept.
In advance of the hearing, we thought it may assist the Committee to provide:
· a brief outline of the role and responsibilities of the Office of the Australian Information
Commissioner (OAIC)
· an overview of the OAIC’s engagement with the Bill
· a response, where possible, to the Committee’s questions provided to the OAIC on 10
February 2017.
This email is provided as background information only and is not a submission.
OAIC
The OAIC is an independent Commonwealth statutory agency. It was established by the
Australian Parliament to bring together three functions:
· privacy functions (protecting the privacy of individuals under the Privacy Act
1988 (Privacy Act), and other Acts)
· freedom of information functions (access to information held by the Commonwealth
Government in accordance with the Freedom of Information Act 1982 (FOI Act)), and
· information management functions (as set out in the Information Commissioner Act
2010).
The integration of these three interrelated functions into one agency has made the OAIC well
placed to strike an appropriate balance between promoting the right to privacy and broader
information policy goals.
The OAIC’s responsibilities include examining proposals that may restrict the exercise of
individuals’ privacy protections in favour of another public interest objective.
The Privacy Act
The Privacy Act contains thirteen legally-binding Australian Privacy Principles (APPs). These set
out standards, rights and obligations relating to the handling, holding, accessing and correction
of personal information. Personal information is information or an opinion about an identified
individual, or an individual who is reasonably identifiable.
The APPs apply to most Australian Government agencies, all private sector organisations with an
annual turnover of more than $3 million, all private health service providers and some small
businesses – collectively referred to as APP entities.
The APPs are principles-based law. This provides APP entities with the flexibility to tailor their
personal information handling practices to their diverse needs and business models and to the
diverse needs of individuals. The APPs are also technology neutral, applying equally to paper-based
and digital environments. This is intended to preserve their relevance and applicability, in
a context of continually changing and emerging technologies.
The Privacy Act recognises that the protection of individuals’ privacy, through the protection of
their personal information, is not an absolute right. Rather, those interests must be balanced
with the broader interest of the community in ensuring that APP entities are able to carry out
their legitimate functions and activities. This balancing is reflected in the exceptions to a number
of the APPs. Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably believes
that a use or disclosure is reasonably necessary for an enforcement related activity conducted by
an enforcement body.
OAIC comments on the Bill
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose for which
the information was collected (known as the ‘primary purpose’), or for another purpose where
one of the exceptions listed in APP 6 apply. As noted above, the exceptions include where ‘a use
or disclosure of personal information is authorised or required by Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the collection,
use or disclosure of personal information. Consistent with the approach taken in applying Article
17 in the International Covenant on Civil and Political Rights (ICCPR), the OAIC’s advice generally
suggests consideration should be given to whether those measures are proportionate and
necessary. That is, whether they appropriately balance the intrusion on individuals’ privacy with
the overall public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is generally
recommended that those activities be accompanied by an appropriate level of privacy
safeguards and accountability. Should such a proposal be considered to appropriately balance
these objectives, it is generally recommended that the scope of the proposal be drafted
consistent with the spirit and intent of the Privacy Act.
On 31 October 2016, the OAIC was invited to comment on the Bill, following a request from the
Office of Parliamentary Counsel (OPC), via the Attorney General’s Department, Information Law
Unit (the AGD). The OAIC’s comments on the Bill were provided to the AGD on 3 November
2016, and we understand that they were then passed on to the OPC and the Department of
Veterans’ Affairs (DVA). The comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill which permit certain disclosures and invoke the ‘required or authorised’ by
law exception in APP 6 in the Privacy Act. The OAIC’s comments are attached.
The OAIC has reviewed the Commonwealth Ombudsman’s written submissions to the
Committee and notes its suggestion to involve the OAIC in the development of laws and policies
raising privacy issues (Commonwealth Ombudsman, Supplementary submission). In this regard,
the OAIC would welcome the opportunity to be consulted on rules made by the Minister in
relation to public interest disclosure certificates under the proposed amendments in Schedule 2
of the Bill.
Committee questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
As outlined above, the OAIC’s role includes examining proposed enactments that would require
or authorise acts or practices that might otherwise interfere with privacy (s 28A(2), Privacy Act)
and ensuring that any adverse effects of a proposed enactment on the privacy of individuals are
minimised (s 28A(2)(c), Privacy Act). The OAIC provided some brief comments on the Bill. At that
time, the OAIC did not have access to the explanatory memorandum (including Statement of
Compatibility with Human Rights).
As the ‘public interest disclosure’ provisions in Schedule 2 of the Bill broaden the circumstances
in which personal information can be used and disclosed, we suggest that DVA may use the
Explanatory Memorandum (including its Statement of Compatibility with Human Rights), to
explain the need for such provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the ‘primary
purpose’), or for another purpose where one of the exceptions listed in APP 6 apply. The
following exceptions to APP 6 would permit agencies to disclose personal information to the
police, where:
· the APP entity reasonably believes that the use or disclosure of the information is
reasonably necessary for one or more enforcement related activities conducted by, or
on behalf of, an enforcement body (examples include the Australian Federal Police or a
State or Territory Police force or service) (APP 6.2(e)), and
· the entity reasonably believes that the collection, use or disclosure is necessary to
lessen or prevent a serious threat to the life, health or safety of any individual, or to
public health or safety (and it is unreasonable or impracticable to obtain the individual’s
consent) (APP 6.2(c) and s 16A, item 1)
· the use or disclosure of the information is required or authorised by or under an
Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
This may be a matter for DVA.
Invitation to make a written submission
I would also like to take this opportunity to thank the Committee for the invitation of 6
December 2016 to make a submission to this inquiry. I apologise that the OAIC did not respond.
The OAIC had overlooked the invitation due to a clerical error.
Please feel free to contact Sophie Higgins on s.22 - irrelevant or by email, if we can assist by
providing any further information.
Kind regards
Melanie Drayton
Melanie Drayton | Assistant Commissioner, Regulation and Strategy
Office of the Australian Information Commissioner GPO Box 5218 SYDNEY NSW 2001 |www.oaic.gov.au
s.22 - irrelevant
From: Balaga, Kimberley (SEN) s.22 - irrelevant On Behalf Of FADT, Committee (SEN)
Sent: Monday, 13 February 2017 6:20 PM
To: Melanie Drayton s.22 - irrelevant
Cc: Sophie Higgins s.22 - irrelevant
FADT, Committee (SEN)
<xxxx.xxx@xxx.xxx.xx>
Subject: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital
Readiness and Other Measures) Bill 2016
THE SENATE
STANDING COMMITTEE ON FOREIGN AFFAIRS, DEFENCE AND TRADE
13 February 2017
Ms Melanie Drayton
Office of the Australian Information Commissioner
Email: s.22 - irrelevant
Dear Ms Drayton
Inquiry into the Veterans' Affairs Legislation Amendment (Digital Readiness and Other
Measures) Bill 2016
The Senate Foreign Affairs, Defence and Trade Legislation Committee is pleased to confirm
arrangements for the Commissioner and the Deputy Commissioner to give evidence at a public
hearing for the above inquiry. The public hearing will be held on
Thursday, 16 February 2017 in
Committee Room 2S3,
Parliament House, Canberra. Your appearance time is indicated on the
attached public hearing program.
It would be appreciated if you could arrive about 10 minutes before your appearance time and
make yourself known to the committee's secretariat staff. I would be grateful if you could advise
me if you intend to table any documents with the committee during the hearing.
A Hansard witness form is also attached. Could you please complete it and email back to the
secretariat as soon as possible to xxxx.xxx@xxx.xxx.xx or by fax to 02 6277 5818. This is used to
ensure details are correctly recorded and to provide contact details so you can check the
transcript of evidence.
If persons attending the public hearing have any special requirements please contact the
secretariat beforehand so that any necessary arrangements can be made. If there are any
additional witnesses whose details you have not already provided, please speak to the
secretariat officers as early as possible at the hearing.
After the formalities have been concluded at the beginning of the hearing, the Chair will invite
you to make a short opening statement, which should be around three minutes, or you may
decline to make any opening remarks. The remainder of the hearing will be devoted to a
question and answer session.
Please note that the hearing is open to the public and the media. The committee prefers all
evidence to be given in public but should you wish to give any evidence in private, you may make
a request to the Chair and the committee will consider the request. You are welcome to listen to
the evidence of other witnesses.
A ‘proof’ (draft) copy of the Hansard transcript of evidence will be forwarded to you for
correction of transcription errors. Hansard transcripts of evidence will also be available from the
committee's website.
A copy of general information for witnesses, procedures to be observed by Senate Committees
for the protection of witnesses, the public hearing program and the chair's opening statement
are enclosed for your information.
If you require any further information please contact me on s.22 - irrelevant
Yours sincerely
David Sullivan
Secretary
Senate Standing Committee on Foreign Affairs, Defence and Trade
s.22 - irrelevant
Attachments:
Hearing Program
Information Sheet: witnesses at hearings
Information Sheet: protection of witnesses
Chair's opening statement
Hansard Witness Form
Good morning
Thank you for inviting the Information Commissioner, Timothy Pilgrim, and the Deputy
Commissioner, Angelene Falk, to appear at the Senate Committee’s public hearing into the
Veterans’
Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (the Bill) on
Thursday, 16 February 2017. They are pleased to accept.
In advance of the hearing, we thought it may assist the Committee to provide:
• a brief outline of the role and responsibilities of the Office of the Australian Information
Commissioner (OAIC)
• an overview of the OAIC’s engagement with the Bill
• a response, where possible, to the Committee’s questions provided to the OAIC on 10
February 2017.
This background information is provided for the Committee’s information only and is not a
submission.
OAIC
The OAIC is an independent Commonwealth statutory agency. It was established by the Australian
Parliament to bring together three functions:
• privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy
Act), and other Acts)
• freedom of information functions (access to information held by the Commonwealth
Government in accordance with the Freedom of Information Act 1982 (FOI Act)), and
• information management functions (as set out in the Information Commissioner Act 2010).
The integration of these three interrelated functions into one agency has made the OAIC well placed
to strike an appropriate balance between promoting the right to privacy and broader information
policy goals.
The OAIC’s responsibilities include examining proposals that may restrict the exercise of individuals’
privacy protections in favour of another public interest objective.
The Privacy Act
The Privacy Act contains thirteen legally-binding Australian Privacy Principles (APPs). These set out
standards, rights and obligations relating to the handling, holding, accessing and correction of
personal information. Personal information is information or an opinion about an identified
individual, or an individual who is reasonably identifiable.
The APPs apply to most Australian Government agencies, all private sector organisations with an
annual turnover of more than $3 million, all private health service providers and some small
businesses – collectively referred to as APP entities.
The APPs are principles-based law. This provides APP entities with the flexibility to tailor their
personal information handling practices to their diverse needs and business models and to the
diverse needs of individuals. The APPs are also technology neutral, applying equally to paper-based
and digital environments. This is intended to preserve their relevance and applicability, in a context
of continually changing and emerging technologies.
The Privacy Act recognises that the protection of individuals’ privacy, through the protection of their
personal information, is not an absolute right. Rather, those interests must be balanced with the
broader interest of the community in ensuring that APP entities are able to carry out their legitimate
functions and activities. This balancing is reflected in the exceptions to a number of the APPs, which
except from the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy. Exceptions
cover a range of matters including where a use or disclosure of personal information is authorised or
required by Australian law or where an entity reasonably believes that a use or disclosure is
reasonably necessary for an enforcement related activity conducted by an enforcement body.
The OAIC’s responsibilities include examining proposals that may restrict the exercise of individuals’
privacy protections in favour of another public interest objective.
OAIC comments on the Bill
APP 6 outlines when an APP entity may use or disclose personal information. It generally provides
that an APP entity can only use or disclose personal information for a purpose for which the
information was collected (known as the ‘primary purpose’), or for another purpose where one of
the exceptions listed in APP 6 apply. As noted above, the exceptions include where ‘a use or
disclosure of personal information is authorised or required by Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the collection, use
or disclosure of personal information in a manner that would otherwise be inconsistent with one or
more of the APPs. The effect of such laws is that one or more APPs will not apply to the use or
disclosure of personal information, described in the law. Consistent with the approach taken in
applying Article 17 in the International Covenant on Civil and Political Rights (ICCPR), the OAIC’s
advice generally suggests consideration should be given to whether those measures are
proportionate and necessary. That is, whether they appropriately balance the intrusion on
individuals’ privacy with the overall public policy objectives of the proposal. Additionally, when
handling of individuals’ personal information is authorised in the broader interests of the
community, it is generally recommended that those activities be accompanied by an appropriate
level of privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of the proposal
be drafted consistent with the spirit and intent of the Privacy Act.
On 31 October 2016, the OAIC was invited to comment on the Bill, following a request from the
Office of Parliamentary Counsel (OPC), and via the Attorney General’s Department, Information Law
Unit (the AGD). The OAIC’s comments on the Bill were provided to the AGD, the OPC and the
Department of Veterans’ Affairs (DVA) on 3 November 2016. The comments focused on the public
interest disclosure provisions in Schedule 2 of the Bill which permit certain disclosures and invoke
the ‘required or authorised’ by law exception in APP 6 in the Privacy Act. The OAIC’s comments are
attached. [do I need to take out names?]
Commented [MD1]: Did we provide to all three or just AGD?
Commented [MD2]: I don’t think so. This isn’t evidence it’s just a general email so it is only for their information.
Committee questions
Please advise the committee what is the current situation that DVA or other agencies require this
power?
As outlined above, the OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy (s 28A(2), Privacy Act) and
ensuring that any adverse effects of a proposed enactment on the privacy of individuals are
minimised (s 28A(2)(c), Privacy Act) (noting that an act or practice that is required or authorised by
or under an Australian law is generally excepted from the requirements around the collection of
sensitive information and the use and disclosure of personal information in the APPs). The OAIC
provided some brief comments on the Bill within a compressed timeframe. At that time, the OAIC
did not have an opportunity to review/access to the explanatory memorandum (including Statement
of Compatibility with Human Rights).
As the ‘public interest disclosure’ provisions in Schedule 2 of the Bill broaden the circumstances in
which personal information can be used and disclosed, we understand that DVA would be expected
to justify in the Explanatory Memorandum (including its Statement of Compatibility with Human
Rights), the need for such provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the ‘primary purpose’),
or for another purpose where one of the exceptions listed in APP 6 apply. The following exceptions
to APP 6 would permit agencies to disclose personal information to the police, where:
• the APP entity reasonably believes that the use or disclosure of the information is
reasonably necessary for one or more enforcement related activities conducted by, or on
behalf of, an enforcement body (examples include the Australian Federal Police or a State or
Territory Police force or service) (APP 6.2(e)), and
• the entity reasonably believes that the collection, use or disclosure is necessary to lessen or
prevent a serious threat to the life, health or safety of any individual, or to public health or
safety (and it is unreasonable or impracticable to obtain the individual’s consent) (APP 6.2(c)
and s 16A, item 1)
• the use or disclosure of the information is required or authorised by or under an Australian
law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that agencies
did not have the power to respond to?
This may be a matter for DVA.
Invitation to make a written submission
I would also like to take this opportunity to thank the Committee for the invitation of 6 December to
make a submission to the inquiry.
I apologise that the OAIC did not respond. The OAIC had overlooked the invitation due to a clerical
error.
Please feel free to contact Sophie Higgins on s.22 - irrelevant or by email, if we can assist by
providing any further information.
Kind regards
From:
Melanie Drayton
To:
Renee Alchin
Subject:
FW: Email to committee [SEC=UNCLASSIFIED]
Date:
Tuesday, 14 March 2017 8:36:43 AM
Attachments:
Document1.docx
Importance:
High
From: Melanie Drayton
Sent: Tuesday, 14 February 2017 3:03 PM
To: Sophie Higgins s.22 - irrelevant
Renee Alchin s.22 - irrelevant
Subject: Email to committee [SEC=UNCLASSIFIED]
Importance: High
Hello
I have a few suggestions – let’s make this email a little more general.
Thanks
Mel
Good morning
Thank you for inviting the Information Commissioner, Timothy Pilgrim, and the Deputy
Commissioner, Angelene Falk, to appear at the Senate Committee’s public hearing into the
Veterans’
Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (the Bill) on
Thursday, 16 February 2017. They are pleased to accept.
In advance of the hearing, we thought it may assist the Committee to provide:
• a brief outline of the role and responsibilities of the Office of the Australian Information
Commissioner (OAIC)
• an overview of the OAIC’s engagement with the Bill
• a response, where possible, to the Committee’s questions provided to the OAIC on 10
February 2017.
OAIC
The OAIC is an independent Commonwealth statutory agency. It was established by the Australian
Parliament to bring together three functions:
• privacy functions (protecting the privacy of individuals under the
Privacy Act 1988 (Privacy
Act), and other Acts)
• freedom of information functions (access to information held by the Commonwealth
Government in accordance with the
Freedom of Information Act 1982 (FOI Act)), and
• information management functions (as set out in the
Information Commissioner Act 2010).
The integration of these three interrelated functions into one agency has made the OAIC well placed
to strike an appropriate balance between promoting the right to privacy and broader information
policy goals.
The OAIC’s responsibilities include examining proposals that may restrict the exercise of individuals’
privacy protections in favour of another public interest objective.
The Privacy Act
The Privacy Act contains thirteen legally-binding Australian Privacy Principles (APPs). These set out
standards, rights and obligations relating to the handling, holding, accessing and correction of
personal information. Personal information is information or an opinion about an identified
individual, or an individual who is reasonably identifiable.
The APPs apply to most Australian Government agencies, all private sector organisations with an
annual turnover of more than $3 million, all private health service providers and some small
businesses – collectively referred to as APP entities.
The APPs are principles-based law. This provides APP entities with the flexibility to tailor their
personal information handling practices to their diverse needs and business models and to the
diverse needs of individuals. The APPs are also technology neutral, applying equally to paper-based
and digital environments. This is intended to preserve their relevance and applicability, in a context
of continually changing and emerging technologies.
The Privacy Act recognises that the protection of individuals’ privacy, through the protection of their
personal information, is not an absolute right. Rather, those interests must be balanced with the
broader interest of the community in ensuring that APP entities are able to carry out their legitimate
functions and activities. This balancing is reflected in the exceptions to a number of the APPs, which
except from the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy. Exceptions
cover a range of matters including where a use or disclosure of personal information is authorised or
required by Australian law or where an entity reasonably believes that a use or disclosure is
reasonably necessary for an enforcement related activity conducted by an enforcement body.
The OAIC’s responsibilities include examining proposals that may restrict the exercise of individuals’
privacy protections in favour of another public interest objective.
OAIC comments on the Bill
APP 6 outlines when an APP entity may use or disclose personal information. It generally provides
that an APP entity can only use or disclose personal information for a purpose for which the
information was collected (known as the ‘primary purpose’), or for another purpose where one of
the exceptions listed in APP 6 apply. As noted above, the exceptions include where ‘a use or
disclosure of personal information is authorised or required by Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the collection, use
or disclosure of personal information in a manner that would otherwise be inconsistent with one or
more of the APPs. The effect of such laws is that one or more APPs will not apply to the use or
disclosure of personal information, described in the law. Consistent with the approach taken in
applying Article 17 in the International Covenant on Civil and Political Rights (ICCPR), the OAIC’s
advice generally suggests consideration should be given to whether those measures are
proportionate and necessary. That is, whether they appropriately balance the intrusion on
individuals’ privacy with the overall public policy objectives of the proposal. Additionally, when
handling of individuals’ personal information is authorised in the broader interests of the
community, it is generally recommended that those activities be accompanied by an appropriate
level of privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of the proposal
be drafted consistent with the spirit and intent of the Privacy Act.
On 31 October 2016, the OAIC was invited to comment on the Bill, following a request from the
Office of Parliamentary Counsel (OPC), and via the Attorney General’s Department, Information Law
Unit (the AGD). The OAIC’s comments on the Bill were provided to the AGD, the OPC and the
Department of Veterans’ Affairs (DVA) on 3 November 2016. The comments focused on the public
interest disclosure provisions in Schedule 2 of the Bill which permit certain disclosures and invoke
the ‘required or authorised’ by law exception in APP 6 in the Privacy Act. The OAIC’s comments are
attached. [do I need to take out names?]
Commented [MD1]: Did we provide to all three or just AGD?
Commented [MD2]: I don’t think so. This isn’t evidence it’s just a general email so it is only for their information.
Committee questions
Please advise the committee what is the current situation that DVA or other agencies require this
power?
As outlined above, the OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy (s 28A(2), Privacy Act) and
ensuring that any adverse effects of a proposed enactment on the privacy of individuals are
minimised (s 28A(2)(c), Privacy Act) (noting that an act or practice that is required or authorised by
or under an Australian law is generally excepted from the requirements around the collection of
sensitive information and the use and disclosure of personal information in the APPs). The OAIC
provided some brief comments on the Bill within a compressed timeframe. At that time, the OAIC
did not have an opportunity to review/access to the explanatory memorandum (including Statement
of Compatibility with Human Rights).
As the ‘public interest disclosure’ provisions in Schedule 2 of the Bill broaden the circumstances in
which personal information can be used and disclosed, we understand that DVA would be expected
to justify in the Explanatory Memorandum (including its Statement of Compatibility with Human
Rights), the need for such provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the ‘primary purpose’),
or for another purpose where one of the exceptions listed in APP 6 apply. The following exceptions
to APP 6 would permit agencies to disclose personal information to the police, where:
• the APP entity reasonably believes that the use or disclosure of the information is
reasonably necessary for one or more enforcement related activities conducted by, or on
behalf of, an enforcement body (examples include the Australian Federal Police or a State or
Territory Police force or service) (APP 6.2(e)), and
• the entity reasonably believes that the collection, use or disclosure is necessary to lessen or
prevent a serious threat to the life, health or safety of any individual, or to public health or
safety (and it is unreasonable or impracticable to obtain the individual’s consent) (APP 6.2(c)
and s 16A, item 1)
• the use or disclosure of the information is required or authorised by or under an Australian
law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that agencies
did not have the power to respond to?
This may be a matter for DVA.
Invitation to make a written submission
I would also like to take this opportunity to thank the Committee for the invitation of 6 December to
make a submission to the inquiry.
I apologise that the OAIC did not respond. The OAIC had overlooked the invitation due to a clerical
error.
Please feel free to contact Sophie Higgins on s.22 - irrelevant or by email, if we can assist by
providing any further information.
Kind regards
From:
Renee Alchin
To:
"xxxx.xxx@xxx.xxx.xx"
Cc:
Sophie Higgins
Subject:
Hansard witness forms - 16 February 2017 Public Hearing - Digital Readiness Bill [SEC=UNCLASSIFIED]
Date:
Wednesday, 15 February 2017 9:32:00 AM
Attachments:
Hansard Witness Form - Timothy Pilgrim.doc
Hansard Witness Form - Angelene Falk.doc
Good morning,
Please find the attached Hansard Witness forms for Timothy Pilgrim, Australian Information
Commissioner and Australian Privacy Commissioner and Angelene Falk, Deputy Commissioner,
for the Senate Committee’s public hearing into the Veterans’ Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016.
Regards
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
HANSARD WITNESS FORM
Name of Committee (in full):
Senate Standing Committee on Foreign Affairs, Defence and Trade
House of Representatives Joint Senate
Legislation References
Date & Venue:
Thursday 16 February 2017, Committee Room 2S3, Parliament House,
Canberra
Short reference:
Veterans' Affairs Legislation Amendment (Digital Readiness and Other
Measures) Bill 2016
Hansard may wish to check words, phrases or acronyms after you have given evidence. Be
aware that the Hansard editor may need to contact you before you leave. Please also supply
the most appropriate telephone number where you may be contacted.
Telephone no: s.22 - irrelevant
Mobile no:
To ensure accuracy of the Hansard, please PRINT all information.
NOTE: Your surname and given names will appear in the Hansard transcript and should be provided in
full. Your address will not appear in the Hansard.
Surname: Pilgrim
Given name/s: Timothy
Title (eg: Mr, Mrs, Ms, Miss, Prof., Dr): Mr
Address to which you want the Hansard transcript sent:
GPO box 5218, Sydney NSW 2001
E-mail address (if available):
s.22 - irrelevant
Appearing as a private individual
Appearing on behalf of an organisation
Organisation: Office of the Australian Information Commissioner
Address: 175 Pitt St, Sydney NSW 2000
Position: Australian Information Commissioner, Australian Privacy Commissioner
HANSARD WITNESS FORM
Name of Committee (in full):
Senate Standing Committee on Foreign Affairs, Defence and Trade
House of Representatives Joint Senate
Legislation References
Date & Venue:
Thursday 16 February 2017, Committee Room 2S3, Parliament House,
Canberra
Short reference:
Veterans' Affairs Legislation Amendment (Digital Readiness and Other
Measures) Bill 2016
Hansard may wish to check words, phrases or acronyms after you have given evidence. Be
aware that the Hansard editor may need to contact you before you leave. Please also supply
the most appropriate telephone number where you may be contacted.
Telephone no: s.22 - irrelevant
Mobile no:
To ensure accuracy of the Hansard, please PRINT all information.
NOTE: Your surname and given names will appear in the Hansard transcript and should be provided in
full. Your address will not appear in the Hansard.
Surname: Falk
Given name/s: Angelene
Title (eg: Mr, Mrs, Ms, Miss, Prof., Dr): Ms
Address to which you want the Hansard transcript sent:
GPO box 5218, Sydney NSW 2001
E-mail address (if available):
s.22 - irrelevant
Appearing as a private individual
Appearing on behalf of an organisation
Organisation: Office of the Australian Information Commissioner
Address: 175 Pitt St, Sydney NSW 2000
Position: Deputy Commissioner
From:
Melanie Drayton
To:
Renee Alchin
Subject:
FW: Commissioner Brief - Briefing notes - Digital Readiness Bill public hearing (002).docx
[SEC=UNCLASSIFIED]
Date:
Tuesday, 14 March 2017 8:38:57 AM
Attachments:
Commissioner Brief - Briefing notes - Digital Readiness Bill public hearing (002).docx
From: Melanie Drayton
Sent: Wednesday, 15 February 2017 2:31 PM
To: Sophie Higgins s.22 - irrelevant
Renee Alchin s.22 - irrelevant
Subject: Commissioner Brief - Briefing notes - Digital Readiness Bill public hearing (002).docx
[SEC=UNCLASSIFIED]
My apologies, I have whipped through his document very, very quickly. I have to dash off to do
the school pick up.
I have a couple of minor suggestions here and there.
It’s probably worthwhile sending it to AF as an attachment for her to run her eye over, to ensure
she is generally happy with the content, before you print out.
Thanks
Mel
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type:
Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For:
The Australian Information Commissioner
Key points
1. The Veteran’s Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veteran’s Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA). The Bill and Explanatory memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
Commented [MD1]: I think we need to add in here that AF got a
call from the Ombo saying it has suggested the Privacy
Commissioner be consulted on any draft rules.
5. Even where APP 6 does not apply – by reason that a disclosure is ‘authorised by law’ -
most of the other APPs would continue to apply to that personal information when it
is held by the agency or organisation (such as the requirements in relation to
transparency, data quality, security, and rights to access and correction).
Commented [MD2]: Please see comment in opening statement.
6. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
7. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration to be given
at an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, and that an integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
• The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
• Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
• The Bill will also insert a provision into each of these Acts that give the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
• Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
• The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
OAIC’s responsibilities to examine proposed enactments impact privacy
• A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
• The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
• This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
• APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
• The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
• Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
• It should also be noted that even where APP 6 does not apply – by reason that a
disclosure is ‘authorised by law’ - most of the other APPs would continue to apply to
that personal information when it is held by the agency or organisation (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
Commented [MD3]: Please see previous comment re
application of APP 6.
OAIC engagement with the Bill
• On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at Annexure B.
• The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
• Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard to in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
• On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
being exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
• On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request. Melanie has apologised to the
Committee for this oversight.
• Seven submissions have been made to the Committee – see Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
• Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
• The most recent iteration of the Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 were registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
• The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
• They also made a second submission on the new disclosure provisions, (and notified
Angelene Falk by telephone, of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
• On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions.
• On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at Annexure D.
Commented [MD4]: I wonder if we don’t pull these questions
out and add them as a separate Annexure? So it’s easy for TP to find
the answers if the Committee ask him to revisit the questions?
• Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
• The Commonwealth Ombudsman’s written submission to the Committee
commented on several matters that related to automated decisions. These
comments related to accuracy of automated decisions, and errors that can arise
from incorrect data entry and system errors, and the fact that the onus is
predominately placed on the customer to identify these errors.
• The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
• The objects of the Privacy Act recognise that the protection of individuals’ privacy
is balanced with the interests of entities in carrying out their functions or activities
(s 3(b)). The OAIC acknowledges that automated decision-making is likely to
provide a number of advantages for DVA and for Australians accessing their
services, including associated with reduced costs and enhanced efficiency.
However, consideration should be given at an early stage, to ensuring that any
privacy impacts are identified and minimised to the extent possible, and that an
integrated approach to privacy management is taken.
• Some key privacy considerations that may arise where decision-making is
automated include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the
APPs and to enable the entity to deal with inquiries and complaints
from individuals about the entity’s compliance with the APPs (APP 1.2).
Entities will be better placed to meet these obligations if they embed
privacy protections in the design of the information handling practice at
an early stage.
o whether the entity has taken reasonable steps to ensure that the
personal information it collects, uses and discloses is accurate, up-to-date
and complete (as required by APP 10). This may be particularly
challenging where the onus is on the individual to identify errors or
discrepancies with automated decisions.
o whether the entity has processes in place to allow the individual to
request access to, and correction of his or her personal information
used in automated processes (APPs 11 and 12).
• The OAIC also suggests consideration be given to the privacy risks arising from
personal information processed as part of an automated decision-making process.
For example, due to the higher privacy risks involved with handling sensitive
information, the OAIC would generally suggest greater caution be exercised when
considering whether this information should be subject to automated processing.
The OAIC welcomes the DVA’s comments in its written submission to the
Committee that ‘in regards to automated debt collection, the Department does
not intend this provision for this purpose’. This intent could be included in the Bill
or the Explanatory Memorandum.
• DVA could conduct a privacy impact assessment (PIA) of the amendments
proposed by the Bill that have privacy implications to identify and assess the
privacy risks associated with the amendments. A PIA is a written assessment which
may assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or
eliminating those impacts.
From:
Melanie Drayton
To:
Renee Alchin
Subject:
FW: Commissioner Brief - Opening statement talking points - Digital Readiness Bill public hearing (002).docx
[SEC=UNCLASSIFIED]
Date:
Tuesday, 14 March 2017 8:38:47 AM
Attachments:
Commissioner Brief - Opening statement talking points - Digital Readiness Bill public hearing (002).docx
Importance:
High
From: Melanie Drayton
Sent: Wednesday, 15 February 2017 2:17 PM
To: Sophie Higgins
s.22 - irrelevant
s.22 - irrelevant
Renee Alchin
Subject: Commissioner Brief - Opening statement talking points - Digital Readiness Bill public
hearing (002).docx [SEC=UNCLASSIFIED]
Importance: High
Once again, thank you both so much for the stellar job you’ve done in turning this around so
quickly – very, very much appreciated.
I have a couple of suggestions in relation to the opening statement. Have a look and see what
you think. Happy to discuss if you like.
Thanks
Mel
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type:
Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For:
The Australian Information Commissioner
• Thank you for the opportunity to appear before the Committee today in
relation to the Veteran’s Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
• As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
• The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
• The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
• The Privacy Act recognises that the protection of individual’s privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
• This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which exclude from the operation of those APPs,
certain information handling practices considered to be in the public
interest when balanced with the interest in protecting an individual’s
privacy.
• The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
• My Office provided comments to the Office of Parliamentary Counsel
(through Attorney General’s Department), on a draft version of the Bill on 3
November 2016. These comments focused on the public interest disclosure
provisions in Schedule 2 of the Bill. These permit the Secretary to make
‘public interest’ disclosures and have the effect that the privacy protections
in the ‘use and disclosure’ APP - Australian Privacy Principle 6 - would not
apply. I understand my Office has provided a copy of these comments to
the Senate Committee inquiry for its information.
• There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the ‘use and disclosure principle’ – APP 6 – would not apply to the
‘public interest disclosures’ proposed in the Bill, most of the other Australian
Privacy Principles would continue to apply to that personal information held by
DVA (such as the requirements in relation to transparency, data quality, security,
and rights to access and correction).
Commented [MD1]: Is it strictly true that APP 6 does not
apply? Doesn’t APP 6.2(b) apply by way of empowering the
disclosure, given it is authorised or required by law?
Is it better to say that even though the disclosure is required
or authorised by law, the APPs govern DVA’s info handling
practices.
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, I would encourage consideration
to be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
Commented [MD2]: Shall we add in that they should do a
PIA (unless they already have)?
• I would be happy to answer any questions the Committee has.
From:
Melanie Drayton
To:
Renee Alchin
Subject:
FW: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital Readiness and Other
Measures) Bill 2016 [SEC=UNCLASSIFIED]
Date:
Tuesday, 14 March 2017 8:38:19 AM
Attachments:
image003.gif
image001.jpg
image002.png
From: Melanie Drayton
Sent: Wednesday, 15 February 2017 9:27 AM
To: Sophie Higgins s.22 - irrelevant
Subject: Fwd: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital
Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Hi Sophie, I just realised I didn't attach Rebecca's email.
Would you mind sending it to Kimberly along with a short note saying you'll send
over the Witness Forms.
Thanks
M
Sent from my iPhone
Begin forwarded message:
From: "FADT, Committee (SEN)" <xxxx.xxx@xxx.xxx.xx>
Date: 15 February 2017 at 9:14:17 AM AEDT
To: 'Melanie Drayton' s.22 - irrelevant
"FADT, Committee (SEN)" <xxxx.xxx@xxx.xxx.xx>
Cc: Sophie Higgins s.22 - irrelevant
Subject: RE: Invitation to Attend Public Hearing - Veterans' Affairs
Legislation Amendment (Digital Readiness and Other Measures) Bill
2016 [SEC=UNCLASSIFIED]
Hi Melanie
Thank you for the additional information, it will shortly be circulated to the
committee. Grateful if you could please send through the two completed Hansard
Witness forms as well when you can before the hearing tomorrow.
Regards
Kimberley Balaga | Research Officer
Standing Committee on Foreign Affairs, Defence and Trade | Department of the Senate
s.22 - irrelevant
www.aph.gov.au/senate
Disclaimer
This email, and any attachments, may be confidential and may be protected by privilege. You should not
copy, use or disclose it for any unauthorised purpose.
From: Melanie Drayton s.22 - irrelevant
Sent: Tuesday, 14 February 2017 6:35 PM
To: Balaga, Kimberley (SEN); FADT, Committee (SEN)
Cc: Sophie Higgins
Subject: RE: Invitation to Attend Public Hearing - Veterans' Affairs Legislation
Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Good evening
Thank you for inviting the Information Commissioner and Australian Privacy
Commissioner, Timothy Pilgrim, and the Deputy Commissioner, Angelene Falk, to
appear at the Senate Committee’s public hearing into the Veterans’ Affairs Legislation
Amendment (Digital Readiness and Other Measures) Bill 2016 (the Bill) on Thursday,
16 February 2017. They are pleased to accept.
In advance of the hearing, we thought it may assist the Committee to provide:
· a brief outline of the role and responsibilities of the Office of the Australian
Information Commissioner (OAIC)
· an overview of the OAIC’s engagement with the Bill
· a response, where possible, to the Committee’s questions provided to the
OAIC on 10 February 2017.
This email is provided as background information only and is not a submission.
OAIC
The OAIC is an independent Commonwealth statutory agency. It was established by
the Australian Parliament to bring together three functions:
· privacy functions (protecting the privacy of individuals under the Privacy Act
1988 (Privacy Act), and other Acts)
· freedom of information functions (access to information held by the
Commonwealth Government in accordance with the Freedom of Information
Act 1982 (FOI Act)), and
· information management functions (as set out in the Information
Commissioner Act 2010).
The integration of these three interrelated functions into one agency has made the
OAIC well placed to strike an appropriate balance between promoting the right to
privacy and broader information policy goals.
The OAIC’s responsibilities include examining proposals that may restrict the exercise
of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act
The Privacy Act contains thirteen legally-binding Australian Privacy Principles (APPs).
These set out standards, rights and obligations relating to the handling, holding,
accessing and correction of personal information. Personal information is information
or an opinion about an identified individual, or an individual who is reasonably
identifiable.
The APPs apply to most Australian Government agencies, all private sector
organisations with an annual turnover of more than $3 million, all private health
service providers and some small businesses – collectively referred to as APP entities.
The APPs are principles-based law. This provides APP entities with the flexibility to
tailor their personal information handling practices to their diverse needs and
business models and to the diverse needs of individuals. The APPs are also technology
neutral, applying equally to paper-based and digital environments. This is intended to
preserve their relevance and applicability, in a context of continually changing and
emerging technologies.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those
interests must be balanced with the broader interest of the community in ensuring
that APP entities are able to carry out their legitimate functions and activities. This
balancing is reflected in the exceptions to a number of the APPs. Exceptions cover a
range of matters including where a use or disclosure of personal information is
authorised or required by Australian law or where an entity reasonably believes that a
use or disclosure is reasonably necessary for an enforcement related activity
conducted by an enforcement body.
OAIC comments on the Bill
APP 6 outlines when an APP entity may use or disclose personal information. It
generally provides that an APP entity can only use or disclose personal information for
a purpose for which the information was collected (known as the ‘primary purpose’),
or for another purpose where one of the exceptions listed in APP 6 apply. As noted
above, the exceptions include where ‘a use or disclosure of personal information is
authorised or required by Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information. Consistent with the approach
taken in applying Article 17 in the International Covenant on Civil and Political Rights
(ICCPR), the OAIC’s advice generally suggests consideration should be given to
whether those measures are proportionate and necessary. That is, whether they
appropriately balance the intrusion on individuals’ privacy with the overall public
policy objectives of the proposal. Additionally, when handling of individuals’ personal
information is authorised in the broader interests of the community, it is generally
recommended that those activities be accompanied by an appropriate level of privacy
safeguards and accountability. Should such a proposal be considered to appropriately
balance these objectives, it is generally recommended that the scope of the proposal
be drafted consistent with the spirit and intent of the Privacy Act.
On 31 October 2016, the OAIC was invited to comment on the Bill, following a request
from the Office of Parliamentary Counsel (OPC), via the Attorney General’s
Department, Information Law Unit (the AGD). The OAIC’s comments on the Bill were
provided to the AGD on 3 November 2016, and we understand that they were then
passed on to the OPC and the Department of Veterans’ Affairs (DVA). The comments
focused on the public interest disclosure provisions in Schedule 2 of the Bill which
permit certain disclosures and invoke the ‘required or authorised’ by law exception in
APP 6 in the Privacy Act. The OAIC’s comments are attached.
The OAIC has reviewed the Commonwealth Ombudsman’s written submissions to the
Committee and notes its suggestion to involve the OAIC in the development of laws
and policies raising privacy issues (Commonwealth Ombudsman, Supplementary
submission). In this regard, the OAIC would welcome the opportunity to be consulted
on rules made by the Minister in relation to public interest disclosure certificates
under the proposed amendments in Schedule 2 of the Bill.
Committee questions
Please advise the committee what is the current situation that DVA or other agencies
require this power?
As outlined above, the OAIC’s role includes examining proposed enactments that
would require or authorise acts or practices that might otherwise interfere with
privacy (s 28A(2), Privacy Act) and ensuring that any adverse effects of a proposed
enactment on the privacy of individuals are minimised (s 28A(2)(c), Privacy Act). The
OAIC provided some brief comments on the Bill. At that time, the OAIC did not have
access to the Explanatory Memorandum (including Statement of Compatibility with
Human Rights). Details about the current situation that necessitates this power may
be a matter for DVA. As the ‘public interest disclosure’ provisions in Schedule 2 of the
Bill broaden the circumstances in which personal information can be used and
disclosed, we suggest that DVA use the Explanatory Memorandum (including its
Statement of Compatibility with Human Rights), to explain the need for such
provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose
personal information for a purpose for which the information was collected (known as
the ‘primary purpose’), or for another purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information to the police, where:
· the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)), and
· the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item 1)
· the use or disclosure of the information is required or authorised by or under
an Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation
that agencies did not have the power to respond to?
This may be a matter for DVA.
Invitation to make a written submission
I would also like to take this opportunity to thank the Committee for the invitation of
6 December 2016 to make a submission to this inquiry. I apologise that the OAIC did
not respond. The OAIC had overlooked the invitation due to a clerical error.
Please feel free to contact Sophie Higgins on s.22 - irrelevant or by email, if we can
assist by providing any further information.
Kind regards
Melanie Drayton
Melanie Drayton | Assistant Commissioner, Regulation and Strategy
Office of the Australian Information Commissioner GPO Box 5218 SYDNEY NSW 2001 |www.oaic.gov.au
s.22 - irrelevant
From: Balaga, Kimberley (SEN) s.22 - irrelevant
On Behalf Of
FADT, Committee (SEN)
Sent: Monday, 13 February 2017 6:20 PM
To: Melanie Drayton s.22 - irrelevant
Cc: Sophie Higgins s.22 - irrelevant
; FADT, Committee (SEN)
<xxxx.xxx@xxx.xxx.xx>
Subject: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016
THE SENATE
STANDING COMMITTEE ON FOREIGN AFFAIRS, DEFENCE AND
TRADE
13 February 2017
Ms Melanie Drayton
Office of the Australian Information Commissioner
Email: s.22 - irrelevant
Dear Ms Drayton
Inquiry into the Veterans' Affairs Legislation Amendment (Digital Readiness and
Other Measures) Bill 2016
The Senate Foreign Affairs, Defence and Trade Legislation Committee is pleased to
confirm arrangements for the Commissioner and the Deputy Commissioner to give
evidence at a public hearing for the above inquiry. The public hearing will be held on
Thursday, 16 February 2017 in
Committee Room 2S3,
Parliament House, Canberra.
Your appearance time is indicated on the attached public hearing program.
It would be appreciated if you could arrive about 10 minutes before your appearance
time and make yourself known to the committee's secretariat staff. I would be
grateful if you could advise me if you intend to table any documents with the
committee during the hearing.
A Hansard witness form is also attached. Could you please complete it and email back
to the secretariat as soon as possible to xxxx.xxx@xxx.xxx.xx or by fax to 02 6277
5818. This is used to ensure details are correctly recorded and to provide contact
details so you can check the transcript of evidence.
If persons attending the public hearing have any special requirements please contact
the secretariat beforehand so that any necessary arrangements can be made. If there
are any additional witnesses whose details you have not already provided, please
speak to the secretariat officers as early as possible at the hearing.
After the formalities have been concluded at the beginning of the hearing, the Chair
will invite you to make a short opening statement, which should be around three
minutes, or you may decline to make any opening remarks. The remainder of the
hearing will be devoted to a question and answer session.
Please note that the hearing is open to the public and the media. The committee
prefers all evidence to be given in public but should you wish to give any evidence in
private, you may make a request to the Chair and the committee will consider the
request. You are welcome to listen to the evidence of other witnesses.
A ‘proof’ (draft) copy of the Hansard transcript of evidence will be forwarded to you
for correction of transcription errors. Hansard transcripts of evidence will also be
available from the committee's website.
A copy of general information for witnesses, procedures to be observed by Senate
Committees for the protection of witnesses, the public hearing program and the
chair's opening statement are enclosed for your information.
If you require any further information please contact me on s.22 - irrelevant
Yours sincerely
David Sullivan
Secretary
Senate Standing Committee on Foreign Affairs, Defence and Trade
s.22 - irrelevant
Attachments:
Hearing Program
Information Sheet: witnesses at hearings
Information Sheet: protection of witnesses
Chair's opening statement
Hansard Witness Form
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
From: Renee Alchin
To: Sophie Higgins
Subject: RE: FOR CLEARANCE: draft email to TP - Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Date: Wednesday, 15 February 2017 4:02:00 PM
Hi again,
I spoke with Brenton, he advised to send the pack to Angelene.
He said to include the TRIM links in the email and also attach all of the documents to the
email as well (just in case she has problems with the TRIM links).
We don’t need to email her Annexure C (the submissions to the Committee) or Annexure D
(Mel’s email of 14 Feb to the Committee) as Angelene already has those.
We also need to cc him into the email to Angelene, he will then follow up with Angelene re:
whether she has capacity to print all the docs or whether he needs to fly up to Brisbane with the
briefing pack.
I can pull all this together in an email if you like?
Thanks
Renee
From: Sophie Higgins
Sent: Wednesday, 15 February 2017 3:52 PM
To: Renee Alchin s.22 - irrelevant
Subject: RE: FOR CLEARANCE: draft email to TP - Veterans’ Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Just changed the highlighted link – thanks!
From: Renee Alchin
Sent: Wednesday, 15 February 2017 3:42 PM
To: Sophie Higgins s.22 - irrelevant
Subject: RE: FOR CLEARANCE: draft email to TP - Veterans’ Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Hi,
I’ve incorporated Mel’s comments into both the opening statement and the briefing notes.
And as discussed, I’ve added in the third amendment that the Bill proposes (as per the last dot
point in the yellow below), into the ‘Background’ section on page 2 of the briefing notes.
Annexures:
Regarding the Annexures, I spoke with Brenton, and he advised he has downloaded all of the
Submissions made to the Committee, and has the email sent by Mel confirming OAIC attendance
at the hearing.
So we can easily track all the annexures, I’ve developed a cover page: D2017/001247, but I’m not
sure if we want to add that to the brief?
I’ve also pulled together all the other Annexures as follows, except for the submissions seeing as
Brenton has those (not sure how we’re getting this to Angelene and Timothy i.e. if we need to
print them or email them through?):
Annexure A: D2017/001249 and D2017/001250
Annexure B: D2016/008500
Annexure C: Brenton advised he has the Submissions made to the Committee
Annexure D: D2017/001251
Annexure E: D2017/001252
Thanks
Renee
From: Sophie Higgins
Sent: Wednesday, 15 February 2017 2:58 PM
To: Renee Alchin s.22 - irrelevant
Subject: FW: FOR CLEARANCE: draft email to TP - Veterans’ Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Just wondering if we should add as ‘key point 2’ in the briefing, the highlighted text below (which
summarises the key provisions in the Bill?) As long as this doesn’t overlap with other parts of the
key points…
From: Melanie Drayton
Sent: Tuesday, 14 February 2017 9:13 AM
To: Timothy Pilgrim s.22 - irrelevant
Cc: Angelene Falk s.22 - irrelevant
Sophie Higgins s.22 - irrelevant
Renee Alchin s.22 - irrelevant
Subject: FW: FOR CLEARANCE: draft email to TP - Veterans’ Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Hi Timothy
As you know, you have been invited to appear before the Senate Foreign Affairs, Defence and
Trade Legislation Committee on Thursday, 16 February from 5-6pm in relation to the Veterans’
Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (the Bill).
Sophie has prepared a brief overview and chronology of our involvement with the Bill below.
We will prepare and send you a more detailed briefing paper for the hearing, including written
responses to specific questions the Committee has sent us.
At the Committee secretariat’s request we will also be sending it an informal email today
outlining our role, a broad response to the specific questions we have been sent and our Bill
scrutiny comments. This is to assist the Committee in drafting questions for you.
In the meantime, please let us know if you would like to discuss.
Thanks
M
Overview
The Bill:
· inserts a provision in each of the Veterans’ Entitlements Act 1986 (VEA), Military
Rehabilitation and Compensation Act 2004 (MRCA) and the Safety Rehabilitation and
Compensation (Defence-related Claims) Act 1988 (DRCA), that would enable the
Secretary to authorise the use of computer programmes to make decisions and
determinations, exercise powers or comply with obligations etc under those Acts.
Safeguards include that the Commissioner may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that decision or determination is incorrect.
· also inserts a provision in each of the VEA, MRCA and DRCA that would enable the
Secretary to disclose information about a particular case or class of cases to such
persons and for such purposes as the Secretary determines, if he or she certifies that it is
necessary in the public interest to do so. Safeguards include that the power cannot be
delegated by the Secretary to anyone, the Secretary must act in accordance with rules
that the Minister makes, the Minister cannot delegate his or her rule making power, and,
unless the Secretary complies with certain notification requirements before disclosing
personal information, he or she commits an offence, punishable by 60 penalty units.
· inserts three information sharing provisions in the DRCA between the Military
Rehabilitation and Compensation Commission and the Secretary of the Department of
Defence or the Chief of the Defence Force.
Chronology
· On 31 October 2016, OPC contacted AGD seeking comment on the Bill. AGD contacted
OAIC seeking any comments by 3 November 2016. The OAIC was only provided with the
Bill and not any EM.
· On 3 November 2016, Rebecca Brown emailed AGD the OAIC’s comments on the Bill
(cleared by me, as acting Director). The comments focused on the scope of broad new
disclosure powers. We suggested that any authorisation which permits secondary
disclosures under the Privacy Act should clearly describe the types of PI that may be
disclosed; who may disclose the information and who may receive the information and
the purpose for which the information may be disclosed and on-disclosed.
· The AGD sent these comments to OPC on 3 November 2017, along with a very brief AGD
comment that ‘public interest disclosure provisions in the Bill would need to be justified
in the EM including in its Statement of Compatibility with Human Rights’ D2016/008459.
· On 7 November 2016, DVA confirmed by email that ‘it is intended that, should this Bill
be enacted, the Minister for Veterans’ Affairs would make rules setting out the
circumstances in which the Secretary may make a public interest disclosure (subitem (3)
of items 1, 7 and 10 of Schedule 2) before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security (Public
Interest Certificate Guidelines) (DSS) Determination 2015. They also noted that the sorts
of situations in which we envisage the public interest disclosure power being exercised
are: where there is a threat to life, health or welfare, for the enforcement of laws, in
relation to proceeds of crime orders, mistakes of fact, research and statistical analysis,
APS code of conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules along these
lines.)’ D2016/008500
· The Bill was introduced and read for a first and second time in Parliament on 24
November 2016. It was referred to the Senate Foreign Affairs, Defence and Trade
Legislation Committee on 1 December 2016, with a reporting date of 14 February 2017
(the Committee Inquiry). Submissions closed on 25 January 2017. The OAIC did not make
a submission.
· On 3 February 2017, a Legal Officer from the Commonwealth Ombudsman contacted AF
and noted that they would be making a second submission to the Committee Inquiry –
noting that any development of legislation or policy relating to disclosure of PI should
occur in consultation with the OAIC.
· On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions D2017/001180.
From: Sophie Higgins
To: xxxx.xxx@xxx.xxx.xx
Cc: Melanie Drayton; Renee Alchin
Subject: FW: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Date: Wednesday, 15 February 2017 9:33:45 AM
Attachments: image003.gif; image001.jpg; image002.png; RE due cob 3 Nov pls - Veterans Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 DLMSensitiveLegal.msg
Hi Kimberley
Further to Melanie’s email last night, please find attached the OAIC’s comments on the
Digital Readiness Bill that were sent to OPC (via AGD) on 3 November 2016. These are
referred to in Melanie’s email below.
Please feel free to contact me if you need to discuss further.
Kind regards
Sophie
Sophie Higgins | Director (a/g) | Regulation & Strategy Branch
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY 2001 |www.oaic.gov.au
s.22 - irrelevant
Sent from my iPhone
Begin forwarded message:
From: "FADT, Committee (SEN)" <xxxx.xxx@xxx.xxx.xx>
Date: 15 February 2017 at 9:14:17 AM AEDT
To: 'Melanie Drayton' s.22 - irrelevant
"FADT,
Committee (SEN)" <xxxx.xxx@xxx.xxx.xx>
Cc: Sophie Higgins s.22 - irrelevant
Subject: RE: Invitation to Attend Public Hearing - Veterans' Affairs
Legislation Amendment (Digital Readiness and Other Measures) Bill
2016 [SEC=UNCLASSIFIED]
Hi Melanie
Thank you for the additional information, it will shortly be circulated to the
committee. Grateful if you could please send through the two completed Hansard
Witness forms as well when you can before the hearing tomorrow.
Regards
Kimberley Balaga | Research Officer
Standing Committee on Foreign Affairs, Defence and Trade | Department of the Senate
s.22 - irrelevant
www.aph.gov.au/senate
Disclaimer
This email, and any attachments, may be confidential and may be protected by privilege. You should not
copy, use or disclose it for any unauthorised purpose.
From: Melanie Drayton s.22 - irrelevant
Sent: Tuesday, 14 February 2017 6:35 PM
To: Balaga, Kimberley (SEN); FADT, Committee (SEN)
Cc: Sophie Higgins
Subject: RE: Invitation to Attend Public Hearing - Veterans' Affairs Legislation
Amendment (Digital Readiness and Other Measures) Bill 2016 [SEC=UNCLASSIFIED]
Good evening
Thank you for inviting the Information Commissioner and Australian Privacy
Commissioner, Timothy Pilgrim, and the Deputy Commissioner, Angelene Falk, to
appear at the Senate Committee’s public hearing into the Veterans’ Affairs Legislation
Amendment (Digital Readiness and Other Measures) Bill 2016 (the Bill) on Thursday,
16 February 2017. They are pleased to accept.
In advance of the hearing, we thought it may assist the Committee to provide:
· a brief outline of the role and responsibilities of the Office of the Australian
Information Commissioner (OAIC)
· an overview of the OAIC’s engagement with the Bill
· a response, where possible, to the Committee’s questions provided to the
OAIC on 10 February 2017.
This email is provided as background information only and is not a submission.
OAIC
The OAIC is an independent Commonwealth statutory agency. It was established by
the Australian Parliament to bring together three functions:
· privacy functions (protecting the privacy of individuals under the Privacy Act
1988 (Privacy Act), and other Acts)
· freedom of information functions (access to information held by the
Commonwealth Government in accordance with the Freedom of Information
Act 1982 (FOI Act)), and
· information management functions (as set out in the Information
Commissioner Act 2010).
The integration of these three interrelated functions into one agency has made the
OAIC well placed to strike an appropriate balance between promoting the right to
privacy and broader information policy goals.
The OAIC’s responsibilities include examining proposals that may restrict the exercise
of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act
The Privacy Act contains thirteen legally-binding Australian Privacy Principles (APPs).
These set out standards, rights and obligations relating to the handling, holding,
accessing and correction of personal information. Personal information is information
or an opinion about an identified individual, or an individual who is reasonably
identifiable.
The APPs apply to most Australian Government agencies, all private sector
organisations with an annual turnover of more than $3 million, all private health
service providers and some small businesses – collectively referred to as APP entities.
The APPs are principles-based law. This provides APP entities with the flexibility to
tailor their personal information handling practices to their diverse needs and
business models and to the diverse needs of individuals. The APPs are also technology
neutral, applying equally to paper-based and digital environments. This is intended to
preserve their relevance and applicability, in a context of continually changing and
emerging technologies.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those
interests must be balanced with the broader interest of the community in ensuring
that APP entities are able to carry out their legitimate functions and activities. This
balancing is reflected in the exceptions to a number of the APPs. Exceptions cover a
range of matters including where a use or disclosure of personal information is
authorised or required by Australian law or where an entity reasonably believes that a
use or disclosure is reasonably necessary for an enforcement related activity
conducted by an enforcement body.
OAIC comments on the Bill
APP 6 outlines when an APP entity may use or disclose personal information. It
generally provides that an APP entity can only use or disclose personal information for
a purpose for which the information was collected (known as the ‘primary purpose’),
or for another purpose where one of the exceptions listed in APP 6 apply. As noted
above, the exceptions include where ‘a use or disclosure of personal information is
authorised or required by Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information. Consistent with the approach
taken in applying Article 17 in the International Covenant on Civil and Political Rights
(ICCPR), the OAIC’s advice generally suggests consideration should be given to
whether those measures are proportionate and necessary. That is, whether they
appropriately balance the intrusion on individuals’ privacy with the overall public
policy objectives of the proposal. Additionally, when handling of individuals’ personal
information is authorised in the broader interests of the community, it is generally
recommended that those activities be accompanied by an appropriate level of privacy
safeguards and accountability. Should such a proposal be considered to appropriately
balance these objectives, it is generally recommended that the scope of the proposal
be drafted consistent with the spirit and intent of the Privacy Act.
On 31 October 2016, the OAIC was invited to comment on the Bill, following a request
from the Office of Parliamentary Counsel (OPC), via the Attorney General’s
Department, Information Law Unit (the AGD). The OAIC’s comments on the Bill were
provided to the AGD on 3 November 2016, and we understand that they were then
passed on to the OPC and the Department of Veterans’ Affairs (DVA). The comments
focused on the public interest disclosure provisions in Schedule 2 of the Bill which
permit certain disclosures and invoke the ‘required or authorised’ by law exception in
APP 6 in the Privacy Act. The OAIC’s comments are attached.
The OAIC has reviewed the Commonwealth Ombudsman’s written submissions to the
Committee and notes its suggestion to involve the OAIC in the development of laws
and policies raising privacy issues (Commonwealth Ombudsman, Supplementary
submission). In this regard, the OAIC would welcome the opportunity to be consulted
on rules made by the Minister in relation to public interest disclosure certificates
under the proposed amendments in Schedule 2 of the Bill.
Committee questions
Please advise the committee what is the current situation that DVA or other agencies
require this power?
As outlined above, the OAIC’s role includes examining proposed enactments that
would require or authorise acts or practices that might otherwise interfere with
privacy (s 28A(2), Privacy Act) and ensuring that any adverse effects of a proposed
enactment on the privacy of individuals are minimised (s 28A(2)(c), Privacy Act). The
OAIC provided some brief comments on the Bill. At that time, the OAIC did not have
access to the Explanatory Memorandum (including Statement of Compatibility with
Human Rights). Details about the current situation that necessitates this power may
be a matter for DVA. As the ‘public interest disclosure’ provisions in Schedule 2 of the
Bill broaden the circumstances in which personal information can be used and
disclosed, we suggest that DVA use the Explanatory Memorandum (including its
Statement of Compatibility with Human Rights), to explain the need for such
provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose
personal information for a purpose for which the information was collected (known as
the ‘primary purpose’), or for another purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information to the police, where:
· the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)), and
· the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item 1)
· the use or disclosure of the information is required or authorised by or under
an Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation
that agencies did not have the power to respond to?
This may be a matter for DVA.
Invitation to make a written submission
I would also like to take this opportunity to thank the Committee for the invitation of
6 December 2016 to make a submission to this inquiry. I apologise that the OAIC did
not respond. The OAIC had overlooked the invitation due to a clerical error.
Please feel free to contact Sophie Higgins on (02) 9284 9775 or by email, if we can
assist by providing any further information.
Kind regards
Melanie Drayton
Melanie Drayton | Assistant Commissioner, Regulation and Strategy
Office of the Australian Information Commissioner GPO Box 5218 SYDNEY NSW 2001 |www.oaic.gov.au
s.22 - irrelevant
From: Balaga, Kimberley (SEN) s.22 - irrelevant
On Behalf Of
FADT, Committee (SEN)
Sent: Monday, 13 February 2017 6:20 PM
To: Melanie Drayton s.22 - irrelevant
Cc: Sophie Higgins s.22 - irrelevant
FADT, Committee (SEN)
<xxxx.xxx@xxx.xxx.xx>
Subject: Invitation to Attend Public Hearing - Veterans' Affairs Legislation Amendment
(Digital Readiness and Other Measures) Bill 2016
THE SENATE
STANDING COMMITTEE ON FOREIGN AFFAIRS, DEFENCE AND
TRADE
13 February 2017
Ms Melanie Drayton
Office of the Australian Information Commissioner
Email: s.22 - irrelevant
Dear Ms Drayton
Inquiry into the Veterans' Affairs Legislation Amendment (Digital Readiness and
Other Measures) Bill 2016
The Senate Foreign Affairs, Defence and Trade Legislation Committee is pleased to
confirm arrangements for the Commissioner and the Deputy Commissioner to give
evidence at a public hearing for the above inquiry. The public hearing will be held on
Thursday, 16 February 2017 in Committee Room 2S3, Parliament House, Canberra.
Your appearance time is indicated on the attached public hearing program.
It would be appreciated if you could arrive about 10 minutes before your appearance
time and make yourself known to the committee's secretariat staff. I would be
grateful if you could advise me if you intend to table any documents with the
committee during the hearing.
A Hansard witness form is also attached. Could you please complete it and email back
to the secretariat as soon as possible to xxxx.xxx@xxx.xxx.xx or by fax to 02 6277
5818. This is used to ensure details are correctly recorded and to provide contact
details so you can check the transcript of evidence.
If persons attending the public hearing have any special requirements please contact
the secretariat beforehand so that any necessary arrangements can be made. If there
are any additional witnesses whose details you have not already provided, please
speak to the secretariat officers as early as possible at the hearing.
After the formalities have been concluded at the beginning of the hearing, the Chair
will invite you to make a short opening statement, which should be around three
minutes, or you may decline to make any opening remarks. The remainder of the
hearing will be devoted to a question and answer session.
Please note that the hearing is open to the public and the media. The committee
prefers all evidence to be given in public but should you wish to give any evidence in
private, you may make a request to the Chair and the committee will consider the
request. You are welcome to listen to the evidence of other witnesses.
A ‘proof’ (draft) copy of the Hansard transcript of evidence will be forwarded to you
for correction of transcription errors. Hansard transcripts of evidence will also be
available from the committee's website.
A copy of general information for witnesses, procedures to be observed by Senate
Committees for the protection of witnesses, the public hearing program and the
chair's opening statement are enclosed for your information.
If you require any further information please contact me on s.22 - irrelevant
Yours sincerely
David Sullivan
Secretary
Senate Standing Committee on Foreign Affairs, Defence and Trade
s.22 - irrelevant
Attachments:
Hearing Program
Information Sheet: witnesses at hearings
Information Sheet: protection of witnesses
Chair's opening statement
Hansard Witness Form
Annexure E - Committee questions and OAIC answers
Please advise the committee what is the current situation that DVA or other agencies require this
power?
As outlined above, the OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy (s 28A(2), Privacy Act) and
ensuring that any adverse effects of a proposed enactment on the privacy of individuals are
minimised (s 28A(2)(c), Privacy Act). The OAIC provided some brief comments on the Bill. At that time,
the OAIC did not have access to the Explanatory Memorandum (including Statement of Compatibility
with Human Rights). Details about the current situation that necessitates this power may be a matter
for DVA. As the ‘public interest disclosure’ provisions in Schedule 2 of the Bill broaden the
circumstances in which personal information can be used and disclosed, we suggest that DVA use the
Explanatory Memorandum (including its Statement of Compatibility with Human Rights), to explain
the need for such provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the ‘primary purpose’),
or for another purpose where one of the exceptions listed in APP 6 apply. The following exceptions to
APP 6 would permit agencies to disclose personal information to the police, where:
• the APP entity reasonably believes that the use or disclosure of the information is reasonably
necessary for one or more enforcement related activities conducted by, or on behalf of, an
enforcement body (examples include the Australian Federal Police or a State or Territory
Police force or service) (APP 6.2(e)), and
• the entity reasonably believes that the collection, use or disclosure is necessary to lessen or
prevent a serious threat to the life, health or safety of any individual, or to public health or
safety (and it is unreasonable or impracticable to obtain the individual’s consent) (APP 6.2(c)
and s 16A, item 1)
• the use or disclosure of the information is required or authorised by or under an Australian
law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that agencies did
not have the power to respond to?
This may be a matter for DVA.
From:
Renee Alchin
To:
Angelene Falk
Cc:
Sophie Higgins; Brenton Attard
Subject:
Briefing pack - Senate Committee Public Hearing on the Digital Readiness Bill [SEC=UNCLASSIFIED]
Date:
Wednesday, 15 February 2017 4:32:00 PM
Attachments:
Commissioner Brief - Opening statement talking points - Digital Readiness Bill public hearing.docx
Commissioner Brief - Briefing notes for Digital Readiness Bill.docx
Annexure A - Digital Readiness Bill.pdf
Annexure A - Explanatory Memorandum.pdf
RE Information Law Unit + OAIC comments - Veterans Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016 DLMSensitiveLegal.msg
Annexure E - Committee Questions and Answers.docx
Hi Angelene,
Here is the briefing pack for tomorrow’s Senate Committee public hearing on the Digital
Readiness Bill.
The Briefing Pack:
The TRIM links are provided, and I’ve also attached the documents to this email:
· The opening statement and talking points for Timothy: D2017/001200
· The Commissioner brief: D2017/001199
If you have any changes to either document, please let me know.
The Annexures for the Commissioner brief are as follows (and are also attached to this email):
· Annexure A: D2017/001249 and D2017/001250
· Annexure B: D2016/008500
· Annexure C: Brenton gave you a copy of the Submissions made to the Committee
· Annexure D: Brenton has also given you a copy of Mel’s email to the Committee dated
14 February 2017
· Annexure E: D2017/001252
Contacts for tomorrow:
Sophie asked me to include her mobile number in case you need to speak with her tomorrow (as
she is not in the office on Thursdays) Ph: s.22 - irrelevant – she should be available in the morning
if you have any questions.
Otherwise, I’m in tomorrow if you need anything.
Other matters
Andrew spoke with DVA today and advised them that Timothy will be attending tomorrow. He
advised DVA that the main point in our comments is that we be consulted on the draft rules to
be made by the Minister under the ‘public interest disclosure’ provisions in the Bill.
Regards
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
• Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
• As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
• The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
• The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
• The Privacy Act recognises that the protection of individual’s privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
• This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which exclude from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
• The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
• My Office provided comments to the Office of Parliamentary Counsel
(through Attorney General’s Department), on a draft version of the Bill on
3 November 2016. These comments focused on the public interest
disclosure provisions in Schedule 2 of the Bill. These permit the Secretary to
make ‘public interest’ disclosures and have the effect that the privacy
protections in the ‘use and disclosure’ APP - Australian Privacy Principle 6 -
would not apply. I understand my Office has provided a copy of these
comments to the Senate Committee inquiry for its information.
• There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the disclosure is required or authorised by law, the Australian
Privacy Principles govern the Department of Veterans’ Affairs (DVA) information
handling practices and would continue to apply to that personal information held
by the DVA (such as the requirements in relation to transparency, data quality,
security, and rights to access and correction).
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, I would encourage consideration
to be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
o If it has not done so already, the Department of Veterans’ Affairs could conduct a
privacy impact assessment of the amendments proposed by the Bill that have
privacy implications to identify and assess the privacy risks associated with the
amendments. A privacy impact assessment is a written assessment which may
assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or
eliminating those impacts.
• I would be happy to answer any questions the Committee has.
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA). The Bill and Explanatory memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Commonwealth Ombudsman outlined in their second submission on the
disclosure provisions (and also notified Angelene Falk by telephone of their intention
to make such a submission) that any development of legislation or policy relating to
the disclosure of personal information should occur in consultation with the OAIC.
5. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
6. Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access
and correction).
7. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
8. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration be given at
an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, including by undertaking a privacy impact assessment, and that an
integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
• The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
• Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
• The Bill will also insert a provision into each of these Acts that give the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
• Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
• The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
• The Bill also inserts three information sharing provisions in the DRCA between the
Military Rehabilitation and Compensation Commission and the Secretary of the
Department of Defence or the Chief of the Defence Force.
OAIC’s responsibilities to examine proposed enactments that impact privacy
• A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
• The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
• This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
• APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
• The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
• Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
• Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
OAIC engagement with the Bill
• On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at Annexure B.
• The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
• Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard to in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
• On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
being exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
• On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request. Melanie has apologised to the
Committee for this oversight.
• Seven submissions have been made to the Committee – see Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
• Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
• The most recent iteration of the Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 were registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
• The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
• They also made a second submission on the new disclosure provisions, (and notified
Angelene Falk by telephone, of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
• On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions
• On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at Annexure D. The OAIC’s answers to
the Committee’s questions are at Annexure E.
• Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
• The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry
and system errors, and the fact that the onus is predominately placed on the customer
to identify these errors.
• The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
• The objects of the Privacy Act recognise that the protection of individuals’ privacy is
balanced with the interests of entities in carrying out their functions or activities (s
3(b)). The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services, including
associated with reduced costs and enhanced efficiency. However, consideration
should be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
• Some key privacy considerations that may arise where decision-making is automated
include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the APPs
and to enable the entity to deal with inquiries and complaints from
individuals about the entity’s compliance with the APPs (APP 1.2). Entities
will be better placed to meet these obligations if they embed privacy
protections in the design of the information handling practice at an early
stage.
o whether the entity has taken reasonable steps to ensure that the personal
information it collects, uses and discloses is accurate, up-to-date and
complete (as required by APP 10). This may be particularly challenging
where the onus is on the individual to identify errors or discrepancies with
automated decisions.
o whether the entity has processes in place to allow the individual to request
access to, and correction of his or her personal information used in
automated processes (APPs 11 and 12).
• The OAIC also suggests consideration be given to the privacy risks arising from personal
information processed as part of an automated decision-making process. For example,
due to the higher privacy risks involved with handling sensitive information, the OAIC
would generally suggest greater caution be exercised when considering whether this
information should be subject to automated processing. The OAIC welcomes the DVA’s
comments in its written submission to the Committee that ‘in regards to automated
debt collection, the Department does not intend this provision for this purpose’. This
intent could be included in the Bill or the Explanatory Memorandum.
• DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Annexure E - Committee questions and OAIC answers
Please advise the committee what is the current situation that DVA or other agencies require this
power?
As outlined above, the OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy (s 28A(2), Privacy Act) and
ensuring that any adverse effects of a proposed enactment on the privacy of individuals are
minimised (s 28A(2)(c), Privacy Act). The OAIC provided some brief comments on the Bill. At that time,
the OAIC did not have access to the Explanatory Memorandum (including Statement of Compatibility
with Human Rights). Details about the current situation that necessitates this power may be a matter
for DVA. As the ‘public interest disclosure’ provisions in Schedule 2 of the Bill broaden the
circumstances in which personal information can be used and disclosed, we suggest that DVA use the
Explanatory Memorandum (including its Statement of Compatibility with Human Rights), to explain
the need for such provisions.
Why does DVA require these provisions so urgently?
This may be a matter for DVA.
Is there not already a mechanism for agencies to report crimes to police?
As noted above, APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the ‘primary purpose’),
or for another purpose where one of the exceptions listed in APP 6 apply. The following exceptions to
APP 6 would permit agencies to disclose personal information to the police, where:
• the APP entity reasonably believes that the use or disclosure of the information is reasonably
necessary for one or more enforcement related activities conducted by, or on behalf of, an
enforcement body (examples include the Australian Federal Police or a State or Territory
Police force or service) (APP 6.2(e)), and
• the entity reasonably believes that the collection, use or disclosure is necessary to lessen or
prevent a serious threat to the life, health or safety of any individual, or to public health or
safety (and it is unreasonable or impracticable to obtain the individual’s consent) (APP 6.2(c)
and s 16A, item 1)
• the use or disclosure of the information is required or authorised by or under an Australian
law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that agencies did
not have the power to respond to?
This may be a matter for DVA.
From: Renee Alchin
To: Sophie Higgins
Subject: RE: FOR REVIEW: draft briefing re Digital Readiness Inquiry [SEC=UNCLASSIFIED]
Date: Wednesday, 15 February 2017 12:14:00 PM
Hi
FYI – I’ve gone through the briefing notes in TRIM and made just a couple of minor changes
(typos mostly)
Renee
From: Sophie Higgins
Sent: Wednesday, 15 February 2017 11:36 AM
To: Melanie Drayton s.22 - irrelevant
Andrew Solomon
s.22 - irrelevant
Cc: Emma Jelenic s.22 - irrelevant
Renee Alchin s.22 - irrelevant
Brenton Attard s.22 - irrelevant
Subject: FOR REVIEW: draft briefing re Digital Readiness Inquiry [SEC=UNCLASSIFIED]
Hi Mel and Andrew
Attached for your review and clearance is a draft briefing for TP and AF for the Digital Readiness
Committee Inquiry to be held tomorrow afternoon D2017/001199. Please let me know any
comments you may have as soon as possible, so we can send through to AF this afternoon.
Apologies for such a short turn-around time.
Thanks to Renee for all her work on this. Given the timing, we thought it best to send through to
you now, but will have another quick read through to check for typos etc.
I will send through the opening statement in the next half hour.
Sophie
Sophie Higgins |
Director (a/g)| Regulation & Strategy Branch
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY 2001 |www.oaic.gov.au
s.22 - irrelevant
From: Renee Alchin
To: Angelene Falk
Subject: Additional information for the Hearing [SEC=UNCLASSIFIED]
Date: Thursday, 16 February 2017 11:53:00 AM
Hi Angelene,
As discussed, additional information is provided below in three sections:
1. Public Interest Disclosure provisions and whether APP 6 exceptions already permit this disclosure:
I’ve provided some further info below on the DVA’s reasons provided in their submission to the
Committee. I’ve also copied APP 6 for you. The reasons pretty much align with the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015 (Social Security Determination).
In explaining why DVA is currently unable to disclose certain information under the APPs, the
DVA’s submission, starting on page 7, states:
In summary, the DVA outline several areas where it needs the public interest disclosure
provisions:
- Threat to life – DVA basically considers it is currently unable to assist clients who
are planning/threatening self harm to themselves or others in cases where it is not
unreasonable or impracticable to obtain the person’s consent to disclose their
personal information. DVA states such situations may not allow sufficient time to
obtain consent to reduce the threat to life.
I note that the APP Guidelines provide the following examples of where it might be
unreasonable or impracticable to obtain consent, in instances where lessening or
preventing a serious threat to life, health or safety is necessary (they don’t cover
situations where someone is threatening self harm):
1. where an individual is seriously injured while interstate and,
due to their injuries, cannot give informed consent, the
individual’s usual health service provider may be able to
disclose personal information about the individual to another
health service provider who is treating the individual’s
serious injuries on the basis that it is impracticable to obtain
the individual’s consent
2. where an APP entity that provides child protection services
has evidence that a child is at risk of physical or sexual abuse
by their parent, the entity may be able to disclose the
personal information of the parent to another child protection
service on the basis that it would be unreasonable to obtain
the parent’s consent.
- Threat to health or welfare – DVA states it is unable to share certain information
with third parties where the health and welfare of the client is at risk. For example,
with local council community advisors, if DVA was able to make them aware of
significant health issues of a DVA client (provided that this disclosure was allowed under
the Public Interest Disclosure Rules), this would enable DVA to contact the community
advisors to discuss DVA client health problems. Sharing such information would provide
proper treatment for the client’s condition.
s.47C - deliberative processes
- Provider inappropriate practices – I’m not sure that this relates to Personal
Information, as they discuss restrictions on DVA releasing information that would
reveal the circumstances of contract providers to DVA clients. It’s rather
information about contract providers, not individuals.
- Mistake/misinformation in the community – DVA states misinformation or claims
that are not factual can impact on the integrity of programmes or prevent veterans
from seeking assistance. DVA states it does not have the ability to correct
misinformation or mistake of fact as doing so may disclose information about a
veteran or class of veterans.
s.47C - deliberative processes
- APS Code of Conduct Investigation – DVA’s submission discusses instances where
personal information may need to be provided to an investigation firm when
investigating staff conduct issues, where a file has been inappropriately accessed or
client details released. Public Interest disclosure powers could be used to assist
with APS Code of Conduct investigations. The Social Security Determination also
has this provision.
In addition to the above, the Explanatory Memorandum also outlines further situations that it is
envisaged the power might be exercised (subject to the Minister agreeing to the Rules), including
enforcement of laws, proceeds of crime orders, and research and statistical analysis - these are
largely similar to the instances outlined in the Social Security (Public Interest Certificate
Guidelines) (DSS) Determination 2015.
2. Social Security (Public Interest Certificate Guidelines) (DSS) Determination 2015
Some of the instances outlined in the Social Security Determination where a public interest
certificate may be given:
- Threat to life, health or welfare
- Enforcement of laws (includes proceeds of crime orders)
- Mistake of fact
- Ministerial briefing
- Missing person
- Deceased person
- School enrolment and attendance
- School infrastructure
- Public housing administration
- Vulnerable Welfare Payment Income Management measure
- Establishment and operation of the Family Responsibilities Commission
- Matters of relevance (to portfolio responsibilities)
- Research and Statistical analysis
- APS Code of Conduct investigations
APP 6 is copied below for you:
6 Australian Privacy Principle 6—use or disclosure of personal information
Use or disclosure
6.1 If an APP entity holds personal information about an individual that was collected for a
particular purpose (the primary purpose), the entity must not use or disclose the information
for another purpose (the secondary purpose) unless:
(a) the individual has consented to the use or disclosure of the information; or
(b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.
Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal
information to a person who is not in Australia or an external Territory.
6.2 This subclause applies in relation to the use or disclosure of personal information about
an individual if:
(a) the individual would reasonably expect the APP entity to use or disclose the
information for the secondary purpose and the secondary purpose is:
(i) if the information is sensitive information—directly related to the primary
purpose; or
(ii) if the information is not sensitive information—related to the primary purpose; or
(b) the use or disclosure of the information is required or authorised by or under an
Australian law or a court/tribunal order; or
(c) a permitted general situation exists in relation to the use or disclosure of the
information by the APP entity; or
(d) the APP entity is an organisation and a permitted health situation exists in relation to
the use or disclosure of the information by the entity; or
(e) the APP entity reasonably believes that the use or disclosure of the information is
reasonably necessary for one or more enforcement related activities conducted by, or on
behalf of, an enforcement body.
Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.
6.3 This subclause applies in relation to the disclosure of personal information about an
individual by an APP entity that is an agency if:
(a) the agency is not an enforcement body; and
(b) the information is biometric information or biometric templates; and
(c) the recipient of the information is an enforcement body; and
(d) the disclosure is conducted in accordance with the guidelines made by the
Commissioner for the purposes of this paragraph.
6.4 If:
(a) the APP entity is an organisation; and
(b) subsection 16B(2) applied in relation to the collection of the personal information by
the entity;
the entity must take such steps as are reasonable in the circumstances to ensure that the
information is de-identified before the entity discloses it in accordance with subclause 6.1 or 6.2.
Written note of use or disclosure
6.5 If an APP entity uses or discloses personal information in accordance with
paragraph 6.2(e), the entity must make a written note of the use or disclosure.
Related bodies corporate
6.6 If:
(a) an APP entity is a body corporate; and
(b) the entity collects personal information from a related body corporate;
this principle applies as if the entity’s primary purpose for the collection of the information
were the primary purpose for which the related body corporate collected the information.
Exceptions
6.7 This principle does not apply to the use or disclosure by an organisation of:
(a) personal information for the purpose of direct marketing; or
(b) government related identifiers.
3. Information Sharing provisions:
Referring to the below point on page 3 of the briefing notes:
The Bill also inserts three information sharing provisions in the DRCA between the
Military Rehabilitation and Compensation Commission and the Secretary of the
Department of Defence or the Chief of the Defence Force.
These information sharing provisions are outlined at Schedule 2, Item 3, 4 and 5 of the Bill.
Let me know if you need anything else.
Thanks
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
From: Timothy Pilgrim
To: Sophie Higgins; Renee Alchin
Cc: Angelene Falk; Melanie Drayton; Brenton Attard
Subject: Emailing - report.pdf [DLM=For-Official-Use-Only]
Date: Tuesday, 21 February 2017 11:20:12 AM
Attachments: report.pdf
Hello all
Here is the report. As I mentioned to Renee, DVA have already called seeking to meet with
us to discuss the recommendations.
Thanks
TP
From: Renee Alchin
To: Angelene Falk
Subject: Accepted: [HOLD] DVA consultation [SEC=UNCLASSIFIED]
From: Angelene Falk
To: Brenton Attard
Subject: Accepted: OAIC/DVA consultation on Public Interest Disclosure Rule [SEC=UNCLASSIFIED]
From: Angelene Falk
To: Timothy Pilgrim; Renee Alchin; Melanie Drayton
Subject: Pre meeting DVA [SEC=UNCLASSIFIED]
Pages 129 through 134 redacted for the following reasons:
s.47E(d)
From: Sophie Higgins
To: Angelene Falk
Cc: Renee Alchin
Subject: FW: Consultation on Public Interest Disclosure Rule [DLM=For-Official-Use-Only]
Date: Wednesday, 22 February 2017 5:27:19 PM
Attachments: PID rules 1 of 10.pdf
Hi Angelene
Attached is a memorandum prepared by Renee on the draft DVA Public Interest Disclosure
Certificate Rules D2017/001397. Three key points to note are:
· The disclosures permitted by the draft Rules are very similar to those permitted under
the DSS Rules.
· Some of the disclosures under the draft Rules would already be permitted by the
exceptions (or such disclosures may be consistent with the primary purpose of
collection/ an ‘individual’s reasonable expectation’).
· The draft Rules potentially permit disclosures to a very broad range of recipients ‘a
person who has a genuine and legitimate interest in the information’.
I won’t be in tomorrow, but can be contacted if needed on my mobile.
Sophie
s.22 - irrelevant
From: Angelene Falk
Sent: Wednesday, 22 February 2017 2:59 PM
To: Renee Alchin s.22 - irrelevant
Cc: Sophie Higgins s.22 - irrelevant
Subject: FW: Consultation on Public Interest Disclosure Rule [DLM=For-Official-Use-Only]
Renee can you please consider these and advise thank you
Angelene
From: Brenton Attard
Sent: Wednesday, 22 February 2017 2:56 PM
To: Timothy Pilgrim s.22 - irrelevant
Angelene Falk
s.22 - irrelevant
Sophie Higgins s.22 - irrelevant
Subject: FW: Consultation on Public Interest Disclosure Rule [DLM=For-Official-Use-Only]
Hi all
Please see email below.
I will acknowledge receipt — please let me know if there is anything else you would like me to
flag with DVA.
B
From: Spiers, Carolyn s.22 - irrelevant
Sent: Wednesday, 22 February 2017 2:25 PM
To: Brenton Attard s.22 - irrelevant
Cc: Foreman, Lisa s.22 - irrelevant
Whyte, Angela s.22 - irrelevant
Subject: Consultation on Public Interest Disclosure Rule [DLM=For-Official-Use-Only]
Hi Brenton
I understand you have been discussing with Kristy Egan from DVA the proposed meeting this
Thursday 23 February @ 12.00pm – 1.00pm for OAIC members to meet with Ms Lisa Foreman
(First Assistant Secretary Rehabilitation and Support Division) and myself to discuss the draft
Public Interest Disclosure Rules that will be part of the Digital Readiness Bill. While Kristy
arranged for Lisa and I to meet with OAIC in Sydney, we will need to change plans now and
instead have the meeting via telephone. I understand that this arrangement is suitable for
OAIC. Can you confirm which telephone number will be the most appropriate for us to call.
Also to assist in the preparation of this meeting is a draft copy of the proposed rules. Please
understand this is a confidential draft prepared for the Minister and should be used for the
purpose of the consultation only.
If you have any questions, please call Angela Whyte on s.22 - irrelevant
Regards
Carolyn Spiers
Principal Legal Advisor
IMPORTANT
1. Before opening any attachments, please check for viruses.
2. This e-mail (including any attachments) may contain confidential information
for the intended recipient. If you are not the intended recipient,
please contact the sender and delete all copies of this email.
3. Any views expressed in this e-mail are those of the sender and are not
a statement of Australian Government Policy unless otherwise stated.
4. Electronic addresses published in this email are not conspicuous publications and DVA
does not consent to the receipt of commercial electronic messages.
5. To unsubscribe from emails from the Department of Veterans' Affairs (DVA) please go
to http://www.dva.gov.au/contact_us/Pages/feedback.aspx, and advise which mailing list you would like to unsubscribe from.
6. Finally, please do not remove this notice.
From: Sophie Higgins
To: Renee Alchin
Subject: RE: Memo - Analysis of DVA's Public Interest Disclosure Certificate Rules [SEC=UNCLASSIFIED]
Date: Wednesday, 22 February 2017 5:33:17 PM
Attachments: Memo - DVA Public Interest Disclosure Certificate Rules - with tracking.docx
Thanks Renee for putting this together. I made a few small changes and sent to AF as she wanted
to review tonight.
Hope it goes well tomorrow!
Sophie
From: Renee Alchin
Sent: Wednesday, 22 February 2017 3:53 PM
To: s.22 - irrelevant
Subject: Memo - Analysis of DVA's Public Interest Disclosure Certificate Rules
[SEC=UNCLASSIFIED]
Hi Sophie,
As discussed, I’ve prepared a memo with an analysis of the DVA’s Public Interest Disclosure
Certificate Rules: D2017/001397
Thanks
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
Pages 138 through 143 redacted for the following reasons:
s.47E(d)
From: Angelene Falk
To: Timothy Pilgrim; Melanie Drayton; Brenton Attard
Subject: FW: Consultation on Public Interest Disclosure Rule [DLM=For-Official-Use-Only]
Date: Wednesday, 22 February 2017 5:33:00 PM
Attachments: PID rules 1 of 10.pdf
For our meeting with DVA tomorrow.
Angelene
From: Renee Alchin
To: Angelene Falk
Subject: Accepted: Pre meeting DVA [SEC=UNCLASSIFIED]
From: Renee Alchin
To: Angelene Falk; Timothy Pilgrim; Melanie Drayton
Subject: Memo - Analysis of the Military Rehabilitation and Compensation (Public Interest Disclosure Certification) Rules 2017 [SEC=UNCLASSIFIED]
Date: Thursday, 23 February 2017 9:53:32 AM
Hi everyone,
Here is a link to the memo for today’s meeting with DVA, providing an analysis of the Military
Rehabilitation and Compensation (Public Interest Disclosure Certification) Rules 2017:
D2017/001397
Regards
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
From: Brenton Attard
To: Timothy Pilgrim; Angelene Falk; Melanie Drayton
Subject: [Phone message] Call from Ombo regarding DVA [DLM=For-Official-Use-Only]
Date: Thursday, 23 February 2017 7:19:05 PM
Hi All
As flagged with Timothy this afternoon, we received a phone call from Kate Wandmaker,
Principal Legal Officer, Commonwealth Ombudsman’s Office, requesting to touch base with
Angelene on our discussion with DVA.
The Ombudsman’s Office has a phone call with DVA tomorrow morning (at 9.30am) and they
would like background details of what we discussed, including our position.
I have flagged that it will be either the Commissioner, Deputy or Assistant Commissioner that will
return the call. I have placed this across the diaries. If someone could please return the call at
9.00am Friday morning.
Kate’s contact number is s.22 - irrelevant
Thanks
Brenton
Brenton Attard | Executive Officer |
Office of the Australian Information Commissioner |
GPO Box 5218 SYDNEY NSW 2001 |www.oaic.gov.au|
s.22 - irrelevant
Memorandum
From: Renee Alchin
To: Sophie Higgins
Copies: Melanie Drayton
File ref: 15/000188-40
Date: 24 February 2017
Subject: Contact report – meeting of 23 February 2017 – OAIC meeting with DVA to discuss
the Military Rehabilitation and Compensation (Public Interest Disclosure Certificate)
Rules 2017
Attendees:
Lisa Foreman and Carolyn Spiers – DVA
Timothy Pilgrim, Angelene Falk, Melanie Drayton and Renee Alchin – OAIC
Key points
The meeting was arranged to discuss DVA’s draft Military Rehabilitation and Compensation (Public
Interest Disclosure Certificate) Rules 2017 (the Rules).
DVA advised that the Rules largely reflect some of the provisions in the DSS Determination, with the
exception of a few matters:
o Section 6(2) of the rules differs
o The level of disclosure at 10(2) is new
o Section 11 s.47E(d) - operations of agencies ) is new
o Section 16 is new
Timothy and Angelene advised that section 6(b)(ii) of the Rules reference to s.47E(d) - operations of agencies
s.47E(d) - operations of agencies s broad and queried whether this wording could be tightened. It was
further discussed whether the Rules could include requirements that s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
DVA will consider and send through a
revision of the Rules shortly.
DVA advised that it currently already addresses matters that could be considered under the Rules via
de-identification however, this is not always effective as they are unable to directly relate their
comments to the particular case at hand. In the past 4 years DVA has identified 12 cases that could
have been more effectively addressed via Public Interest Disclosure provisions.
s.47E(d) - operations of agencies
We proceeded to talk through some of the matters listed under the Rules, Timothy explained that
while the OAIC does not have examples to illustrate these matters, it appears disclosure in many of
these matters would already be permitted under the Privacy Act and APPs.
Threat to life, health and welfare: While DVA currently uses APP 6 for such disclosures, in some cases
the threat is subtle.
o For example, a client suffering a mental illness was refusing help and had uncharacteristically
sold all of his possessions and was living out of his car, parking in public car spaces. Local
Council officers were having difficulty engaging with the client and were unaware of his
mental illness. Eventually the council officers became aware that the individual was a DVA
client and initiated contact with DVA. However, as the client was at risk of being robbed or
mugged by sleeping in public places, DVA considers it could have assisted this client better if
the Rules were in place.
OAIC noted that ‘reasonable expectations’ under APP 6.2(a) could permit the disclosure in such cases,
however DVA advised it is seeking clearer Rules on this matter.
Law Enforcement and proceeds of crime: DVA provided an example where the client was threatening
overseas consulate staff. In this case DVA was able to inform the AFP as the client was also
threatening DVA Department staff. The threat to DVA staff was deemed low risk as the client was
living overseas at the time, however the DVA considers it could not take action on the threats to
overseas consulate staff. DVA informed the AFP of the threat to DVA staff, and AFP was able to
ascertain and act on the threat to the overseas consulate staff as this was included in the client’s email
trail.
OAIC advised many disclosures for this matter would already be permitted under privacy law. OAIC
also advised that we will consider the example provided by DVA further, as there are extraterritorial
provisions in the APP Guidelines that may cover this example.
DVA explained that in general, the reasonable person test under the APPs is not clear, and it is
essentially seeking to eliminate the risk of breaching privacy law by implementing the Rules. DVA
considers this is an important provision, s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
Melanie explained that Parliament sought to implement flexible privacy law for a reason, and
questioned why departments would therefore need to implement rules to circumvent this flexibility.
The reasonable person tests are contextual and a deliberate product of the APPs, it was noted that all
departments would face the same issues in applying this test.
DVA advised it is aiming to implement elements of natural justice and procedural fairness into the
Rules. Such as by requiring the Secretary to write to the individual first and provide the individual an
opportunity to comment – DVA confirmed such decisions would be subject to ADJR.
Mistake of fact and misinformation in the community: DVA advised that mistake of fact would relate
to matters such as media reports that include incorrect information. Misinformation in the
community would relate more so to, for example, comments made by an individual (including social
media comments) in public forums that they are not receiving benefits, when in fact they may actually
be receiving assistance under various DVA programs but just not the particular assistance/program
that they wanted.
s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
While other Departments, such as DHS, may receive similar criticism, individuals will
still seek assistance from DHS when in need. However, DVA clients tend to boycott DVA programs
even if they need the assistance. s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
Timothy discussed the concept of reasonable expectations - APP 6.2(a) and a past case involving a
s.47F - personal privacy
s.47F - personal privacy
Angelene queried how correcting a statement made on Facebook would practically work, as it could
result in a never-ending engagement by the department and the ex-veterans involved, especially
where veterans disagree with the Department’s views.
The meeting ran out of time to discuss all matters. Timothy and Angelene both acknowledged the
complex environment that DVA is trying to navigate through however reiterated that consideration
needs to be given to whether the disclosure provisions they are seeking under the Rules are already
permitted under privacy law. It appears privacy law would permit disclosures for most of the matters
in the Rules.
DVA advised that the Minister is keen to have the Bill debated in the next sitting.
Timothy advised the OAIC will provide comments on the Rules, however noted that a quick
turnaround may not be possible due to upcoming Estimates next week.
Follow up actions
DVA to consider section 6 provisions of the Rules and to consider whether de-identification and
s.47E(d) - operations of agencies
can be incorporated (as discussed above).
OAIC to provide written comments on the Rules.
From: Sophie Higgins
To: Renee Alchin
Subject: RE: [Correspondence from phone call] New section 6 - Draft PID rules [DLM=For-Official-Use-Only]
Date: Friday, 24 February 2017 1:26:50 PM
Sounds like a very interesting meeting – thanks for the contact report
From: Renee Alchin
Sent: Friday, 24 February 2017 10:31 AM
To: Sophie Higgins s.22 - irrelevant
Subject: FW: [Correspondence from phone call] New section 6 - Draft PID rules [DLM=For-
Official-Use-Only]
Hi Sophie,
Forwarding the below email trail to you as it relates to the meeting with DVA yesterday to
discuss the Rules.
I’ve written up a contact report for this meeting for you: D2017/001516
You will see below DVA have made some adjustments to the Rules since the meeting, and I’m
currently compiling a letter for our written comments on the Rules.
I’m also considering Angelene’s query below as to whether a requirement could be included in
the Rules for the Secretary to specifically seek consent from the individual (where appropriate).
Happy to discuss next week,
Regards
Renee
From: Angelene Falk
Sent: Thursday, 23 February 2017 10:25 PM
To: Timothy Pilgrim s.22 - irrelevant
Melanie Drayton
s.22 - irrelevant
Renee Alchin s.22 - irrelevant
Subject: RE: [Correspondence from phone call] New section 6 - Draft PID rules [DLM=For-Official-
Use-Only]
Hello
So the redraft picks up most issues but not the issue of seeking consent first where practicable
(ie for research).
Renee, can you go back to the rules please and think about whether it would be reasonable to
seek consent as a first option, and then only apply the rules where it’s not practicable, or whether
that wouldn’t work in the circumstances?
Jane may have some thoughts based on the s95 guidelines.
I may be pursuing something that wouldn’t work in this context, so please let me know if you
think that’s the case.
Thank you
Angelene
From: Brenton Attard
Sent: Thursday, 23 February 2017 7:09 PM
To: Timothy Pilgrim s.22 - irrelevant
Angelene Falk
s.22 - irrelevant
; Melanie Drayton s.22 - irrelevant
Renee Alchin
s.22 - irrelevant
Subject: FW: [Correspondence from phone call] New section 6 - Draft PID rules [DLM=For-
Official-Use-Only]
Importance: High
Hi All
Please see email below from DVA regarding the phone call.
Thanks,
Brenton
From: Spiers, Carolyn [mailto: s.22 - irrelevant
Sent: Thursday, 23 February 2017 4:32 PM
To: Brenton Attard s.22 - irrelevant
Cc: Foreman, Lisa s.22 - irrelevant
Cairns, Louise s.22 - irrelevant
Subject: New section 6 - Draft PID rules [DLM=For-Official-Use-Only]
Dear Brenton
At today’s telephone meeting with the Privacy Commissioner and others, DVA agreed to redraft
a provision of the draft PID rules to be more specific on the use of de-identified data.
The following is a replacement section 6. Could you provide to Commissioner Pilgrim and the
others in attendance at the meeting.
Regards
Carolyn Spiers
s.47E(d) - operations of agencies
s.47E(d) - operations of agencies
From: Renee Alchin
To: Sophie Higgins
Subject: CLEARANCE - Letter to DVA - Comments on the Military Rehabilitation and Compensation (Public Interest Disclosure Certificate) Rules [SEC=UNCLASSIFIED]
Date: Wednesday, 1 March 2017 10:22:00 AM
Hi Sophie,
As discussed, I’ve printed this draft for Angelene.
For clearance, the letter is in TRIM: D2017/001636
It is largely based on the memo that we originally drafted for last week’s meeting, however I’m
not sure how far we want to go with our comments – I’ve focused on whether or not the matters
covered by the Rules are already permitted by the APPs.
Happy to discuss
Thanks
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
Pages 157 through 163 redacted for the following reasons:
s.47E(d)
From: Melanie Drayton
To: Timothy Pilgrim; Angelene Falk
Cc: Renee Alchin
Subject: FW: DVA PIA on the Public Interest Disclosure Provisions [SEC=UNCLASSIFIED]
Date: Friday, 3 March 2017 9:47:55 AM
Good morning
Please see Renee’s email below.
Thanks
M
From: Renee Alchin
Sent: Friday, 3 March 2017 9:13 AM
To: Melanie Drayton s.22 - irrelevant
Subject: DVA PIA on the Public Interest Disclosure Provisions [SEC=UNCLASSIFIED]
Hi,
Yesterday when I listened in on the second reading debate for the Digital Readiness Bill in the
house of reps, they mentioned a PIA.
There is an Executive Summary of the PIA now on DVA’s website:
http://www.dva.gov.au/sites/default/files/files/site-information/drbpi_execsumm.pdf
Thanks
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
Pages 165 through 177 redacted for the following reasons:
s.47E(d)
From: Renee Alchin
To: Timothy Pilgrim; Angelene Falk; Melanie Drayton
Subject: UPDATED DRAFT - Comments to DVA on the Military Rehabilitation and Compensation (Public Interest Disclosure Certificate) Rules [SEC=UNCLASSIFIED]
Date: Friday, 3 March 2017 1:41:37 PM
Hi everyone,
Here is the link to the latest version of the draft letter to DVA: D2017/001692
Regards
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
From: Renee Alchin
Sent: Thursday, 2 March 2017 8:47 AM
To: RS Clearance s.22 - irrelevant
Deputy Commissioner s.22 - irrelevant
Cc: Sophie Higgins s.22 - irrelevant
Subject: CLEARANCE - Comments to DVA on the Military Rehabilitation and Compensation
(Public Interest Disclosure Certificate) Rules [SEC=UNCLASSIFIED]
Snapshot
Due date: 2 March 2017
Fixed or flexible: Fixed
If fixed, why?: As discussed - Aiming to get comments to DVA asap.
Topic for clearance: Comments to DVA on the Military Rehabilitation and Compensation (Public Interest Disclosure Certificate) Rules
Product: Letter
Length / no. of pages: 7
External party?: DVA
Clearance & consultation: Sophie
Hi Mel and Angelene,
I’m sending this to both of you, as I know we’re keen to get these comments out as soon as
possible.
Ready for clearance - The letter to DVA providing comments on the public interest disclosure
certificate rules is in TRIM: D2017/001636
Happy to discuss,
Thanks
Renee
Renee Alchin | Adviser
Regulation and Strategy
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
s.22 - irrelevant
Pages 180 through 209 redacted for the following reasons:
s.47E(d) - operations of agencies
Commissioner brief: Briefing notes – Inquiry into the Digital Readiness Bill – Senate Foreign Affairs, Defence and Trade Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness Bill) 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA).
2. The OAIC provided Bill scrutiny comments on the Digital Readiness Bill on 3 November
2016.
3. The OAIC’s comments focused on the public interest disclosure provisions in Schedule
2 of the Bill which permit certain disclosures and invoke the ‘required or authorised’
by law exception in APP 6 in the Privacy Act.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts.
Safeguards to this provision include that the Commissioner may make a decision or
determination in substitution for a decision or determination made by a computer
program, if satisfied that decision or determination is incorrect.
The Bill will also insert a provision into each of these Acts that will enable the Secretary
to disclose information about a particular case or class of cases to such persons as the
Secretary determines if he or she certifies that it is necessary in the public interest to do
so.
Content Author:
Responsible Director:
Responsible Assistant Commissioner
Author’s number: 9284 9xxx
Director’s number: 02 9284 9xxx
Melanie Drayton / Andrew Solomon
Safeguards include that the power cannot be delegated by the Secretary to anyone, the
Secretary must act in accordance with rules that the Minister makes, the Minister
cannot delegate his or her rule making power, and, unless the Secretary complies with
certain notification requirements before disclosing personal information, he or she
commits an offence, punishable by 60 penalty units.
Protection of personal information
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably
believes that a use or disclosure is reasonably necessary for an enforcement related
activity conducted by an enforcement body.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Summary of OAIC Bill scrutiny comments
On 31 October 2016, the Office of Parliamentary Counsel contacted the Attorney
General’s Department seeking comment on the Bill, and that request was passed onto
the OAIC for comment. The OAIC’s comments on the Bill were provided to the OPC on
3 November 2016. These comments are provided at
Annexure A.
The comments focused on the public interest disclosure provisions in Schedule 2 of the
Bill, which would enable the Secretary to disclose information about a particular case or
class of cases to such persons and for such purposes as the Secretary determines, if he
or she certifies that it is necessary in the public interest to do so.
The OAIC noted that the Bill would also insert a provision in the
Veterans’ Entitlements
Act 1986 (VEA),
Military Rehabilitation and Compensation Act 2004 (MRCA) and the
Safety Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRCA), that
states that the disclosure is authorised by law for the purposes of the Australian Privacy
Principles (APPs).
Specifically, the disclosure of personal information under the new provisions will be
permitted by the ‘required or authorised by or under law’ exception in APP 6.2(b). This
authorisation means that the privacy protections in APP 6, which limit the circumstances
in which personal information can be used and disclosed, will not apply to any
disclosures made in accordance with the new provisions.
The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable, proportionate
and necessary, and made some specific suggestions for consideration. The OAIC’s
comments are attached.
OAIC position on automated processes
It appears that the amendments that the Bill is proposing, that will authorise computer
programmes to make administrative decisions, will not result in any procedural changes
as to how decisions are made. It is therefore unlikely that any comparisons to the
Department of Human Services automated debt recovery will be raised by the
Committee.
A key point to note in the event this topic is discussed: DVA should ensure that the
provisions of APP 10 are upheld with any automated processes to ensure the personal
information being used to make automated decisions is accurate, up-to-date and
complete. This can particularly be a challenge where the onus is on the individual to
identify errors or discrepancies with automated decisions. DVA should ensure that it has
appropriately assessed and addressed the risks in this regard.
To this end, DVA could conduct a privacy impact assessment (PIA) of the amendments
proposed by the Bill that have privacy implications. A PIA is a written assessment which
may assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or eliminating
those impacts.
Committee Questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
The OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy and ensuring
that any adverse effects of a proposed enactment on the privacy of individuals are
minimised. An act or practice that is required or authorised by or under an Australian
law is generally excepted from the requirements around the collection of sensitive
information and the use and disclosure of personal information in the APPs.
The OAIC provided some comments to the OPC, which we understand were provided
to DVA, in relation to aspects of the Bill that authorised disclosures under the Privacy
Act. However, it is a matter for DVA to justify the ‘public interest disclosure’
provisions in the Explanatory Memorandum, including its Statement of Compatibility
with Human Rights. We understand that the Explanatory Memorandum outlines some of
DVA’s reasons.
Why does DVA require these provisions so urgently?
This may be a matter for DVA. Again, we understand that the Explanatory
memorandum outlines some of DVA’s reasons.
Is there not already a mechanism for agencies to report crimes to police?
APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the
‘primary purpose’), or for a secondary purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information held by the agency to police (in the circumstances described):
o the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)),
o the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item 1), and
o the use or disclosure of the information is required or authorised by or under
an Australian law or a court/tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
Information about the number of cases of mistake or misinformation may be a matter
for DVA.
Commissioner brief: Briefing notes – Inquiry into the Digital Readiness Bill – Senate Foreign Affairs, Defence and Trade Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness Bill) 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA).
2. The OAIC provided Bill scrutiny comments on the Digital Readiness Bill on 3 November
2016.
3. The OAIC’s comments focused on the public interest disclosure provisions in Schedule
2 of the Bill which permit certain disclosures and invoke the ‘required or authorised’
by law exception in APP 6 in the Privacy Act.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts.
Safeguards to this provision include that the Commissioner may make a decision or
determination in substitution for a decision or determination made by a computer
program, if satisfied that decision or determination is incorrect.
The Bill will also insert a provision into each of these Acts that will enable the Secretary
to disclose information about a particular case or class of cases to such persons as the
Secretary determines if he or she certifies that it is necessary in the public interest to do
so.
Safeguards include that the power cannot be delegated by the Secretary to anyone, the
Secretary must act in accordance with rules that the Minister makes, the Minister
cannot delegate his or her rule making power, and, unless the Secretary complies with
certain notification requirements before disclosing personal information, he or she
commits an offence, punishable by 60 penalty units.
Protection of personal information
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably
believes that a use or disclosure is reasonably necessary for an enforcement related
activity conducted by an enforcement body.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Summary of OAIC Bill scrutiny comments
On 31 October 2016, the Office of Parliamentary Counsel contacted the Attorney
General’s Department seeking comment on the Bill, and that request was passed onto
the OAIC for comment. The OAIC’s comments on the Bill were provided to the OPC on
3 November 2016. These comments are provided at
Annexure A.
The comments focused on the public interest disclosure provisions in Schedule 2 of the
Bill, which would enable the Secretary to disclose information about a particular case or
class of cases to such persons and for such purposes as the Secretary determines, if he
or she certifies that it is necessary in the public interest to do so.
The OAIC noted that the Bill would also insert a provision in the
Veterans’ Entitlements
Act 1986 (VEA),
Military Rehabilitation and Compensation Act 2004 (MRCA) and the
Safety Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRCA), that
states that the disclosure is authorised by law for the purposes of the Australian Privacy
Principles (APPs).
Specifically, the disclosure of personal information under the new provisions will be
permitted by the ‘required or authorised by or under law’ exception in APP 6.2(b). This
authorisation means that the privacy protections in APP 6, which limit the circumstances
in which personal information can be used and disclosed, will not apply to any
disclosures made in accordance with the new provisions.
The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable, proportionate
and necessary, and made some specific suggestions for consideration. The OAIC’s
comments are attached.
Possible similarities with DHS’ automated debt recovery
It appears that the amendments that the Bill is proposing, that will authorise computer
programmes to make administrative decisions, will not result in any procedural changes
as to how decisions are made. It is therefore unlikely that any comparisons to the
Department of Human Services (DHS) automated debt recovery will be raised by the
Committee.
A key point to note in the event this topic is discussed: DVA should ensure that the
provisions of APP 10 are upheld with any automated decisions to ensure the personal
information being used to make these decisions is accurate, up-to-date and complete.
This can particularly be a challenge where the onus is on the individual to identify errors
or discrepancies with automated decisions. DVA should ensure that it has appropriately
assessed and addressed the risks in this regard.
To this end, DVA could conduct a privacy impact assessment (PIA) of the amendments
proposed by the Bill that have privacy implications. A PIA is a written assessment which
may assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or eliminating
those impacts.
Committee Questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
The OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy and ensuring
that any adverse effects of a proposed enactment on the privacy of individuals are
minimised. An act or practice that is required or authorised by or under an Australian
law is generally excepted from the requirements around the collection of sensitive
information and the use and disclosure of personal information in the APPs.
The OAIC provided some comments to the OPC, which we understand were provided
to DVA, in relation to aspects of the Bill that authorised disclosures under the Privacy
Act. However, it is a matter for DVA to justify the ‘public interest disclosure’
provisions in the Explanatory Memorandum, including its Statement of Compatibility
with Human Rights. We understand that the Explanatory Memorandum outlines some of
DVA’s reasons.
Why does DVA require these provisions so urgently?
This may be a matter for DVA. Again, we understand that the Explanatory
memorandum outlines some of DVA’s reasons.
Is there not already a mechanism for agencies to report crimes to police?
APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the
‘primary purpose’), or for a secondary purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information held by the agency to police (in the circumstances described):
o the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)),
o the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item 1), and
o the use or disclosure of the information is required or authorised by or under
an Australian law or a court/tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
Information about the number of cases of mistake or misinformation may be a matter
for DVA.
Commissioner brief: Briefing notes – Inquiry into the Digital Readiness Bill – Senate Foreign Affairs, Defence and Trade Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness Bill) 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA).
2. The OAIC provided Bill scrutiny comments on the Digital Readiness Bill on 3 November
2016.
3. The OAIC’s comments focused on the public interest disclosure provisions in Schedule
2 of the Bill which permit certain disclosures and invoke the ‘required or authorised’
by law exception in APP 6 in the Privacy Act.
4. [Appreciate the opportunity to be consulted on the rules]
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts.
Safeguards to this provision include that the Commissioner may make a decision or
determination in substitution for a decision or determination made by a computer
program, if satisfied that the decision or determination is incorrect.
The Bill will also insert a provision into each of these Acts that will enable the Secretary
to disclose information about a particular case or class of cases to such persons as the
Secretary determines if he or she certifies that it is necessary in the public interest to do
so.
Content Author: Renee Alchin
Responsible Director: Sophie Higgins
Responsible Assistant Commissioner
s.22 - irrelevant
Melanie Drayton
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices.’
Safeguards include that the power cannot be delegated by the Secretary to anyone, the
Secretary must act in accordance with rules that the Minister makes, the Minister
cannot delegate his or her rule making power, and, unless the Secretary complies with
certain notification requirements before disclosing personal information, he or she
commits an offence, punishable by 60 penalty units.
[concerns raised by the Committee – it appears that the Committee has concerns about
the breadth of the disclosures that may be made under the Bill, including disclosures to
correct misinformation]
Commented [SH1]: Renee - would you mind fleshing this out a little please?
Protection of personal information
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably
believes that a use or disclosure is reasonably necessary for an enforcement related
activity conducted by an enforcement body.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Summary of OAIC Bill scrutiny comments
On 31 October 2016, the Office of Parliamentary Counsel contacted the Attorney
General’s Department seeking comment on the Bill, and that request was passed onto
the OAIC for comment. The OAIC’s comments on the Bill were provided to the OPC on
3 November 2016. These comments are provided at Annexure A.
The comments focused on the public interest disclosure provisions in Schedule 2 of the
Bill, which would enable the Secretary to disclose information about a particular case or
class of cases to such persons and for such purposes as the Secretary determines, if he
or she certifies that it is necessary in the public interest to do so.
The OAIC noted that the Bill would also insert a provision in the Veterans’ Entitlements
Act 1986 (VEA), Military Rehabilitation and Compensation Act 2004 (MRCA) and the
Safety Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRCA), that
states that the disclosure is authorised by law for the purposes of the Australian Privacy
Principles (APPs).
Specifically, the disclosure of personal information under the new provisions will be
permitted by the ‘required or authorised by or under law’ exception in APP 6.2(b). This
authorisation means that the privacy protections in APP 6, which limit the circumstances
in which personal information can be used and disclosed, will not apply to any
disclosures made in accordance with the new provisions.
The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable, proportionate
and necessary, and made some specific suggestions for consideration. The OAIC’s
comments are attached.
The OAIC’s comments referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules issued
under that legislation set out the matters to which the Secretary must have regard in
giving a public interest certificate and the circumstances in which a public interest
certificate may be given, which include: to prevent, or lessen, a threat to the life, health
or welfare of a person; for the enforcement of laws; to correct a mistake of fact; to brief
a Minister or to locate missing persons etc.
We understand from DVA’s submission to the Committee, that these matters are very
similar to the matters that the Minister proposes to include in the rules to be made
under the Bill. DVA also notes in that submission that ‘the proposed provisions are
modelled on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has operated
successfully with the approval of Parliament. The Privacy Commissioner has not raised
any concern about the Department of Social Services/ Department of Human Services’
provision…’
Commented [SH2]: Renee – would you mind checking this on TRIM please? I understand
that the most recent iteration of the Social Security (Public Interest Certificate Guidelines)
Determination was in 2015. Sarah G might know, otherwise we can check if Mel knows
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill. They also notified the OAIC that they intend to make a
second submission to the Committee in relation to the new disclosure provisions, which
recommends that any development of legislation or policy relating to disclosure of PI
should occur in consultation with the OAIC.
The OAIC would welcome being consulted on any draft Rules that the Minister makes
(noting the requirement that the Minister makes these rules before the Secretary can
make a ‘public interest’ disclosure under the proposed amendments to the VEA, MRCA,
and DRCA).
Possible similarities with DHS’ automated debt recovery
Deleted: It appears that the amendments that the Bill is proposing, that will authorise
computer programmes to make administrative decisions, will not result in any procedural
changes as to how decisions are made. It is therefore unlikely that any comparisons to the
Department of Human Services (DHS) automated debt recovery will be raised by the
Committee.
The Commonwealth Ombudsman’s written submission to the Committee commented
on
Commented [SH4]: Could you please pop in a very brief overview of the matters set out in
the Ombudsman’s submission.
A key point to note in the event this topic is discussed: DVA should ensure that the
provisions of APP 10 are upheld with any automated decisions to ensure the personal
information being used to make these decisions is accurate, up-to-date and complete.
This can particularly be a challenge where the onus is on the individual to identify errors
or discrepancies with automated decisions. DVA should ensure that it has appropriately
assessed and addressed the risks in this regard.
Commented [SH5]: Should we also outline that entities need to have processes in place
that enable individuals to seek correction of incorrect information? Some key issues to make
sure we cover off – take reasonable steps to ensure PI is accurate, up-to-date and complete
etc; and correction avenues available; also maybe APP 1.2(b) – need to implement practices,
procedures and systems to ‘enable entity to deal with inquiries and complaints from
individuals about the entity’s compliance with the APPs’. We might also say that the Dept
should be cautious about making decisions based on ‘sensitive PI’ due to the higher privacy
risks involved with handling such information if it is inaccurate.
For example, while not defined as ‘sensitive’ under the Privacy Act, we know that debt
information is often considered to be sensitive in nature by many Australians. We welcome
comments made by the Dept in its written submission to the Committee that ‘in regards to
automated debt collection, the Department does not intend this provision for this purpose’
and query whether it may be appropriate to refer to these sorts of limitations around the
types of matters automated decision making won’t be used for, in the Bill itself or in the EM.
To this end, DVA could conduct a privacy impact assessment (PIA) of the amendments
proposed by the Bill that have privacy implications. A PIA is a written assessment which
may assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or eliminating
those impacts.
Committee Questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
The OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy and ensuring
that any adverse effects of a proposed enactment on the privacy of individuals are
minimised. An act or practice that is required or authorised by or under an Australian
law is generally excepted from the requirements around the collection of sensitive
information and the use and disclosure of personal information in the APPs.
The OAIC provided some comments to the OPC, which we understand were provided
to DVA in relation to aspects of the Bill that authorised disclosures under the Privacy
Act. However, it is a matter for DVA to justify in the Explanatory Memorandum
including its Statement of Compatibility with Human Rights, ‘public interest disclosure’
provisions. We understand that the Explanatory memorandum outlines some of DVA’s
reasons.
Why does DVA require these provisions so urgently?
This may be a matter for DVA. Again, we understand that the Explanatory
memorandum outlines some of DVA’s reasons.
Is there not already a mechanism for agencies to report crimes to police?
APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the
‘primary purpose’), or for a secondary purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information held by the agency to police (in the circumstances described):
o the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)), and
o the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item
1)
o the use or disclosure of the information is required or authorised by or under
an Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
Information about the number of cases of mistake or misinformation may be a matter
for DVA.
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness Bill) 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA).
2. The OAIC provided Bill scrutiny comments on the Digital Readiness Bill on 3 November
2016.
3. The OAIC’s comments focused on the public interest disclosure provisions in Schedule
2 of the Bill which permit certain disclosures and invoke the ‘required or authorised’
by law exception in APP 6 in the Privacy Act.
4. The OAIC would welcome the opportunity to be consulted on any draft Rules that the
Minister makes (noting the requirement that the Minister makes these rules before
the Secretary can make a ‘public interest’ disclosure under the proposed amendments
to the VEA, MRCA, and DRCA).
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts.
Safeguards to this provision include that the Commissioner may make a decision or
determination in substitution for a decision or determination made by a computer
program, if satisfied that the decision or determination is incorrect.
The Bill will also insert a provision into each of these Acts that will enable the Secretary
to disclose information about a particular case or class of cases to such persons as the
Secretary determines if he or she certifies that it is necessary in the public interest to do
so.
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices.’
Safeguards include that the power cannot be delegated by the Secretary to anyone, the
Secretary must act in accordance with rules that the Minister makes, the Minister
cannot delegate his or her rule making power, and, unless the Secretary complies with
certain notification requirements before disclosing personal information, he or she
commits an offence, punishable by 60 penalty units.
Based on the information available, it appears that the Committee has concerns about
the breadth of the disclosures that may be made under the Bill, including disclosures to
correct misinformation. The Committee intends to ask questions focused on matters
such as why the Secretary of the DVA requires these powers, whether there are already
mechanisms in place to report crimes to law enforcement bodies, and whether there
have been any instances of mistake or misinformation in the last five years that agencies
did not have the power to respond to.
Protection of personal information
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably
believes that a use or disclosure is reasonably necessary for an enforcement related
activity conducted by an enforcement body.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Summary of OAIC Bill scrutiny comments
On 31 October 2016, the Office of Parliamentary Counsel contacted the Attorney
General’s Department seeking comment on the Bill, and that request was passed onto
the OAIC for comment. The OAIC’s comments on the Bill were provided to the OPC on
3 November 2016. These comments are provided at Annexure A.
The comments focused on the public interest disclosure provisions in Schedule 2 of the
Bill, which would enable the Secretary to disclose information about a particular case or
class of cases to such persons and for such purposes as the Secretary determines, if he
or she certifies that it is necessary in the public interest to do so.
The OAIC noted that the Bill would also insert a provision in the Veterans’ Entitlements
Act 1986 (VEA), Military Rehabilitation and Compensation Act 2004 (MRCA) and the
Safety Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRCA), that
states that the disclosure is authorised by law for the purposes of the Australian Privacy
Principles (APPs).
Specifically, the disclosure of personal information under the new provisions will be
permitted by the ‘required or authorised by or under law’ exception in APP 6.2(b). This
authorisation means that the privacy protections in APP 6, which limit the circumstances
in which personal information can be used and disclosed, will not apply to any
disclosures made in accordance with the new provisions.
The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable, proportionate
and necessary, and made some specific suggestions for consideration. The OAIC’s
comments are attached.
The OAIC’s comments referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules issued
under that legislation set out the matters to which the Secretary must have regard in
giving a public interest certificate and the circumstances in which a public interest
certificate may be given, which include: to prevent, or lessen, a threat to the life, health
or welfare of a person; for the enforcement of laws; to correct a mistake of fact; to brief
a Minister or to locate missing persons etc.
We understand from DVA’s submission to the Committee, that these matters are very
similar to the matters that the Minister proposes to include in the rules to be made
under the Bill. DVA also notes in that submission that ‘the proposed provisions are
modelled on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has operated
successfully with the approval of Parliament. The Privacy Commissioner has not raised
any concern about the Department of Social Services/ Department of Human Services’
provision…’
Commented [RA1]: That’s correct, the current guidelines are: Social Security (Public
Interest Certificate Guidelines) (DSS) Determination 2015
Commented [SH2]: Renee – would you mind checking this on TRIM please? I understand
that the most recent iteration of the Social Security (Public Interest Certificate Guidelines)
Determination was in 2015. Sarah G might know, otherwise we can check if Mel knows
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill. They also notified the OAIC that they intend to make a
second submission to the Committee in relation to the new disclosure provisions, which
recommends that any development of legislation or policy relating to disclosure of PI
should occur in consultation with the OAIC.
The OAIC would welcome being consulted on any draft Rules that the Minister makes
(noting the requirement that the Minister makes these rules before the Secretary can
make a ‘public interest’ disclosure under the proposed amendments to the VEA, MRCA,
and DRCA).
Government automated decisions
The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry and
system errors, and the fact that the onus is predominately placed on the customer to
identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
In the event this topic is discussed: DVA should ensure that the provisions of APP 10 are
upheld with any automated decisions to ensure the personal information being used to
make these decisions is accurate, up-to-date and complete. This can particularly be a
challenge where the onus is on the individual to identify errors or discrepancies with
automated decisions. DVA should ensure that it has appropriately assessed and
addressed the risks in this regard.
Additionally, DVA must ensure it has processes in place to allow the access and
correction of personal information used in automated processes, as well as sufficient
practices, procedures and systems in place to enable the agency to handle inquiries and
complaints from individuals about the agency’s compliance with the APPs in regards to
automated decisions.
DVA should also be cautious about making automated decisions based on personal
information that is sensitive information, due to the higher privacy risks involved with
handling such information if it is inaccurate. The OAIC welcomes the DVA’s comments in
its written submission that ‘in regards to automated debt collection, the Department
does not intend this provision for this purpose’. For transparency purposes and to avoid
function creep, this intent could be included in the Bill or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Committee Questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
The OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy and ensuring
that any adverse effects of a proposed enactment on the privacy of individuals are
minimised. An act or practice that is required or authorised by or under an Australian
law is generally excepted from the requirements around the collection of sensitive
information and the use and disclosure of personal information in the APPs.
The OAIC provided some comments to the OPC, which we understand were provided
to DVA in relation to aspects of the Bill that authorised disclosures under the Privacy
Act. However, it is a matter for DVA to justify in the Explanatory Memorandum
including its Statement of Compatibility with Human Rights, ‘public interest disclosure’
provisions. We understand that the Explanatory memorandum outlines some of DVA’s
reasons.
Why does DVA require these provisions so urgently?
This may be a matter for DVA. Again, we understand that the Explanatory
memorandum outlines some of DVA’s reasons.
Is there not already a mechanism for agencies to report crimes to police?
APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the
‘primary purpose’), or for a secondary purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information held by the agency to police (in the circumstances described):
o the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)), and
o the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item
1)
o the use or disclosure of the information is required or authorised by or under
an Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
Information about the number of cases of mistake or misinformation may be a matter
for DVA.
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness Bill) 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA).
2. The OAIC provided Bill scrutiny comments on the Digital Readiness Bill on 3 November
2016.
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill which permit certain disclosures and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act.
4. The OAIC would welcome the opportunity to be consulted on any draft rules to be made
by the Minister in relation to public interest disclosure certificates, under the
proposed amendments in Schedule 2 of the Bill.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts.
Commented [SH1]: Could you pls add references to relevant
parts of the Bill for each of the dot points in this section?
Safeguards to this provision include that the Commissioner may make a decision or
determination in substitution for a decision or determination made by a computer
program, if satisfied that the decision or determination is incorrect.
The Bill will also insert a provision into each of these Acts that will enable the Secretary
to disclose information about a particular case or class of cases to such persons as the
Secretary determines if he or she certifies that it is necessary in the public interest to do
so.
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
Safeguards include that the power cannot be delegated by the Secretary to anyone, the
Secretary must act in accordance with rules that the Minister makes, the Minister
cannot delegate his or her rule making power, and, unless the Secretary complies with
certain notification requirements before disclosing personal information, he or she
commits an offence, punishable by 60 penalty units.
Based on the information available, it appears that the Committee has concerns about
the breadth of the disclosures that may be made under the Bill, including disclosures to
correct misinformation. Please see Attachment A for further details. The Committee has
notified the OAIC that it intends to ask questions focused on matters such as why the
Secretary of the DVA requires these powers, whether there are already mechanisms in
place to report crimes to law enforcement bodies, and whether there have been any
instances of mistake or misinformation in the last five years that agencies did not have
the power to respond to.
Commented [SH2]: Perhaps we need to extract from DVA’s
submission (as an attachment to the briefing), the description of the
circumstances in which DVA plans to disclose this information
(including what they mean by misinformation/
Protection of personal information
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of personal
information is authorised or required by Australian law or where an entity reasonably
believes that a use or disclosure is reasonably necessary for an enforcement related
activity conducted by an enforcement body.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’.
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Summary of OAIC Bill scrutiny comments
On 31 October 2016, the Office of Parliamentary Counsel contacted the Attorney
General’s Department seeking comment on the Bill, and that request was passed onto
the OAIC for comment. The OAIC’s comments on the Bill were provided to the OPC on
3 November 2016. These comments are provided at Annexure A.
The comments focused on the public interest disclosure provisions in Schedule 2 of the
Bill, which would enable the Secretary to disclose information about a particular case or
class of cases to such persons and for such purposes as the Secretary determines, if he
or she certifies that it is necessary in the public interest to do so.
The OAIC noted that the Bill would also insert a provision in the Veterans’ Entitlements
Act 1986 (VEA), Military Rehabilitation and Compensation Act 2004 (MRCA) and the
Safety Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRCA), that
states that the disclosure is authorised by law for the purposes of the Australian Privacy
Principles (APPs).
Specifically, the disclosure of personal information under the new provisions will be
permitted by the ‘required or authorised by or under law’ exception in APP 6.2(b). This
authorisation means that the privacy protections in APP 6, which limit the circumstances
in which personal information can be used and disclosed, will not apply to any
disclosures made in accordance with the new provisions.
The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable, proportionate
and necessary, and made some specific suggestions for consideration. The OAIC’s
comments are attached.
The OAIC’s comments referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules issued
under that legislation set out the matters to which the Secretary must have regard to in
giving a public interest certificate and the circumstances in which a public interest
certificate may be given, which include: to prevent, or lessen, a threat to the life, health
or welfare of a person; for the enforcement of laws; to correct a mistake of fact; to brief
a Minister or to locate missing persons etc.
We understand from DVA’s submission to the Committee, that these matters are very
similar to the matters that the Minister proposes to include in the rules to be made
under the Bill. DVA also notes in that submission that ‘the proposed provisions are
modelled on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has operated
successfully with the approval of Parliament. The Privacy Commissioner has not raised
any concern about the Department of Social Services/ Department of Human Services’
provision…’
Commented [RA3]: That’s correct, the current guidelines are:
Social Security (Public Interest Certificate Guidelines) (DSS)
Determination 2015
Commented [SH4]: Renee – would you mind checking this on
TRIM please? I understand that the most recent iteration of the
Social Security (Public Interest Certificate Guidelines) Determination
was in 2015. Sarah G might know, otherwise we can check if Mel
knows
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill. They also notified the OAIC that they intend to make a
second submission to the Committee in relation to the new disclosure provisions, which
recommends that any development of legislation or policy relating to disclosure of PI
should occur in consultation with the OAIC.
The OAIC would welcome being consulted on any draft Rules that the Minister makes
(noting the requirement that the Minister makes these rules before the Secretary can
make a ‘public interest’ disclosure under the proposed amendments to the VEA, MRCA,
and DRCA).
Government automated decisions
The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry and
system errors, and the fact that the onus is predominately placed on the customer to
identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
In the end this topic is discussed: DVA should ensure that the provisions of APP 10 are
upheld with any automated decisions to ensure the personal information being used to
make these decisions is accurate, up-to-date and complete. This can particularly be a
challenge where the onus is on the individual to identify errors or discrepancies with
automated decisions. DVA should ensure that it has appropriately assessed and
addressed the risks in this regard.
Additionally, DVA must ensure it has processes in place to allow the access and
correction of personal information used in automated processes, as well as sufficient
practices, procedures and systems in place to enable the agency to handle inquiries and
complaints from individuals about the agency’s compliance with the APPs in regards to
automated decisions.
DVA should also be cautious about making automated decisions based on personal
information that is sensitive information, due to the higher privacy risks involved with
handling such information if it is inaccurate. The OAIC welcomes the DVA’s comments in
its written submission that ‘in regards to automated debt collection, the Department
does not intend this provision for this purpose’. For transparency purposes and to avoid
function creep, this intent could be included in the Bill or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Committee Questions
Please advise the committee what is the current situation that DVA or other agencies require
this power?
The OAIC’s role includes examining proposed enactments that would require or
authorise acts or practices that might otherwise interfere with privacy and ensuring
that any adverse effects of a proposed enactment on the privacy of individuals are
minimised. An act or practice that is required or authorised by or under an Australian
law is generally excepted from the requirements around the collection of sensitive
information and the use and disclosure of personal information in the APPs.
The OAIC provided some comments to the OPC, which we understand were provided
to DVA in relation to aspects of the Bill that authorised disclosures under the Privacy
Act. However, it is a matter for DVA to justify in the Explanatory Memorandum
including its Statement of Compatibility with Human Rights, ‘public interest disclosure’
provisions. We understand that the Explanatory memorandum outlines some of DVA’s
reasons.
Why does DVA require these provisions so urgently?
This may be a matter for DVA. Again, we understand that the Explanatory
memorandum outlines some of DVA’s reasons.
Is there not already a mechanism for agencies to report crimes to police?
APP 6 generally provides that an APP entity can only use or disclose personal
information for a purpose for which the information was collected (known as the
‘primary purpose’), or for a secondary purpose where one of the exceptions listed in
APP 6 apply. The following exceptions to APP 6 would permit agencies to disclose
personal information held by the agency to police (in the circumstances described):
o the APP entity reasonably believes that the use or disclosure of the
information is reasonably necessary for one or more enforcement related
activities conducted by, or on behalf of, an enforcement body (examples
include the Australian Federal Police or a State or Territory Police force or
service) (APP 6.2(e)), and
o the entity reasonably believes that the collection, use or disclosure is
necessary to lessen or prevent a serious threat to the life, health or safety of
any individual, or to public health or safety (and it is unreasonable or
impracticable to obtain the individual’s consent) (APP 6.2(c) and s 16A, item
1)
o the use or disclosure of the information is required or authorised by or under
an Australian law or a court/ tribunal order (APP 6.2(b)).
Over the last 5 years, how many cases were there of mistake and/or misinformation that
agencies did not have the power to respond to?
Information about the number of cases of mistake or misinformation may be a matter
for DVA.
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness Bill) 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety Rehabilitation and Compensation
(Defence-related claims) Act 1988 (DRCA). The Bill and Explanatory memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney General’s Department Information Law Unit (AGD),
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
5. The OAIC also welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
Commented [SH1]: Could you pls add references to relevant
parts of the Bill for each of the dot points in this section?
Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
The Bill will also insert a provision into each of these Acts that give the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
OAIC’s responsibilities to examine proposed enactments that impact privacy
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 apply. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
OAIC engagement with the Bill
On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at Annexure B.
The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard to in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
will be exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request.
Seven submissions have been made to the Committee – see Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
The most recent iteration of the Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 was registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
Commented [SH2]: Perhaps we need to extract from DVA’s
submission (as an attachment to the briefing), the description of the
circumstances in which DVA plans to disclose this information
(including what they mean by misinformation/
Commented [RA3]: That’s correct, the current guidelines are:
Social Security (Public Interest Certificate Guidelines) (DSS)
Determination 2015
Commented [SH4]: Renee – would you mind checking this on
TRIM please? I understand that the most recent iteration of the
Social Security (Public Interest Certificate Guidelines) Determination
was in 2015. Sarah G might know, otherwise we can check if Mel
knows
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
They also made a second submission on the new disclosure provisions (and notified
Angelene Falk by telephone of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions
On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at Annexure D.
Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social licence given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
The Commonwealth Ombudsman’s written submission to the Committee
commented on several matters that related to automated decisions. These
comments related to accuracy of automated decisions, and errors that can arise
from incorrect data entry and system errors, and the fact that the onus is
predominately placed on the customer to identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
The objects of the Privacy Act recognise that the protection of individuals’ privacy
is balanced with the interests of entities in carrying out their functions or activities
(s 3(b)). The OAIC acknowledges that automated decision-making is likely to
provide a number of advantages for DVA and for Australians accessing their
services, including those associated with reduced costs and enhanced efficiency.
However, consideration should be given at an early stage to ensuring that any
privacy impacts are identified and minimised to the extent possible, and that an
integrated approach to privacy management is taken.
Some key privacy considerations that may arise where decision-making is
automated include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the
APPs and to enable the entity to deal with inquiries and complaints
from individuals about the entity’s compliance with the APPs (APP 1.2).
Entities will be better placed to meet these obligations if they embed
privacy protections in the design of the information handling practice at
an early stage.
o whether the entity has taken reasonable steps to ensure that the
personal information it collects, uses and discloses is accurate, up-to-date
and complete (as required by APP 10). This may be particularly
challenging where the onus is on the individual to identify errors or
discrepancies with automated decisions.
o whether the entity has processes in place to allow the individual to
request access to, and correction of, his or her personal information
used in automated processes (APPs 11 and 12).
The OAIC also suggests consideration be given to the privacy risks arising from
personal information processed as part of an automated decision-making process.
For example, due to the higher privacy risks involved with handling sensitive
information, the OAIC would generally suggest greater caution be exercised when
considering whether this information should be subject to automated processing.
The OAIC welcomes the DVA’s comments in its written submission to the
Committee that ‘in regards to automated debt collection, the Department does
not intend this provision for this purpose’. This intent could be included in the Bill
or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments
proposed by the Bill that have privacy implications to identify and assess the
privacy risks associated with the amendments. A PIA is a written assessment which
may assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or
eliminating those impacts.
Commissioner brief: Briefing notes – Inquiry into the Digital Readiness Bill – Senate Foreign Affairs, Defence and Trade Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety, Rehabilitation and Compensation
(Defence-related Claims) Act 1988 (DRCA). The Bill and Explanatory Memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney-General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
the Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social licence given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
5. Even where APP 6 does not apply – by reason that a disclosure is ‘authorised by law’ -
most of the other APPs would continue to apply to that personal information when it
is held by the agency or organisation (such as the requirements in relation to
transparency, data quality, security, and rights to access and correction).
6. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
7. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration to be given
at an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, and that an integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
The Bill will also insert a provision into each of these Acts that gives the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
OAIC’s responsibilities to examine proposed enactments that impact privacy
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 applies. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
It should also be noted that even where APP 6 does not apply – by reason that a
disclosure is ‘authorised by law’ - most of the other APPs would continue to apply to
that personal information when it is held by the agency or organisation (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
OAIC engagement with the Bill
On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at Annexure B.
The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the Social Security
(Administration) Act 1999 and the Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
will be exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request.
Seven submissions have been made to the Committee – see Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
The most recent iteration of the Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 was registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
They also made a second submission on the new disclosure provisions (and notified
Angelene Falk by telephone of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions.
On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at Annexure D.
Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social licence given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
The Commonwealth Ombudsman’s written submission to the Committee
commented on several matters that related to automated decisions. These
comments related to accuracy of automated decisions, and errors that can arise
from incorrect data entry and system errors, and the fact that the onus is
predominately placed on the customer to identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
The objects of the Privacy Act recognise that the protection of individuals’ privacy
is balanced with the interests of entities in carrying out their functions or activities
(s 3(b)). The OAIC acknowledges that automated decision-making is likely to
provide a number of advantages for DVA and for Australians accessing their
services, including those associated with reduced costs and enhanced efficiency.
However, consideration should be given at an early stage to ensuring that any
privacy impacts are identified and minimised to the extent possible, and that an
integrated approach to privacy management is taken.
Some key privacy considerations that may arise where decision-making is
automated include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the
APPs and to enable the entity to deal with inquiries and complaints
from individuals about the entity’s compliance with the APPs (APP 1.2).
Entities will be better placed to meet these obligations if they embed
privacy protections in the design of the information handling practice at
an early stage.
o whether the entity has taken reasonable steps to ensure that the
personal information it collects, uses and discloses is accurate, up-to-date
and complete (as required by APP 10). This may be particularly
challenging where the onus is on the individual to identify errors or
discrepancies with automated decisions.
o whether the entity has processes in place to allow the individual to
request access to, and correction of, his or her personal information
used in automated processes (APPs 11 and 12).
The OAIC also suggests consideration be given to the privacy risks arising from
personal information processed as part of an automated decision-making process.
For example, due to the higher privacy risks involved with handling sensitive
information, the OAIC would generally suggest greater caution be exercised when
considering whether this information should be subject to automated processing.
The OAIC welcomes the DVA’s comments in its written submission to the
Committee that ‘in regards to automated debt collection, the Department does
not intend this provision for this purpose’. This intent could be included in the Bill
or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments
proposed by the Bill that have privacy implications to identify and assess the
privacy risks associated with the amendments. A PIA is a written assessment which
may assist in identifying the privacy impacts of the proposal, and provides an
opportunity to set out any recommendations for managing, minimising or
eliminating those impacts.
Commissioner brief: Briefing notes – Inquiry into the Digital Readiness Bill – Senate Foreign Affairs, Defence and Trade Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety, Rehabilitation and Compensation
(Defence-related Claims) Act 1988 (DRCA). The Bill and Explanatory Memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney-General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
the Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Commonwealth Ombudsman outlined in their second submission on the
disclosure provisions (and also notified Angelene Falk by telephone of their intention
to make such a submission) that any development of legislation or policy relating to
the disclosure of personal information should occur in consultation with the OAIC.
5. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social licence given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
6. Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs’ (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access
and correction).
7. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
8. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration to be given
at an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, and that an integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
The Bill will also insert a provision into each of these Acts that gives the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
The Bill also inserts three information sharing provisions in the DRCA between the
Military Rehabilitation and Compensation Commission,
OAIC’s responsibilities to examine proposed enactments that impact privacy
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 applies. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
1.
OAIC engagement with the Bill
On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at
Annexure B.
The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the
Social Security
(Administration) Act 1999 and the
Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
will be exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request. Melanie has apologised to the
Committee for this oversight.
Seven submissions have been made to the Committee – see
Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the
Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
The most recent iteration of the
Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 was registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
They also made a second submission on the new disclosure provisions, (and notified
Angelene Falk by telephone, of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions
On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at
Annexure D. The OAIC’s answers to
the Committee’s questions are at
Annexure E.
Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry
and system errors, and the fact that the onus is predominately placed on the customer
to identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
The objects of the Privacy Act recognise that the protection of individuals’ privacy is
balanced with the interests of entities in carrying out their functions or activities (s
3(b)). The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services, including
those associated with reduced costs and enhanced efficiency. However, consideration
should be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
Some key privacy considerations that may arise where decision-making is automated
include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the APPs
and to enable the entity to deal with inquiries and complaints from
individuals about the entity’s compliance with the APPs (APP 1.2). Entities
will be better placed to meet these obligations if they embed privacy
protections in the design of the information handling practice at an early
stage.
o whether the entity has taken reasonable steps to ensure that the personal
information it collects, uses and discloses is accurate, up-to-date and
complete (as required by APP 10). This may be particularly challenging
where the onus is on the individual to identify errors or discrepancies with
automated decisions.
o whether the entity has processes in place to allow the individual to request
access to, and correction of his or her personal information used in
automated processes (APPs 11 and 12).
The OAIC also suggests consideration be given to the privacy risks arising from personal
information processed as part of an automated decision-making process. For example,
due to the higher privacy risks involved with handling sensitive information, the OAIC
would generally suggest greater caution be exercised when considering whether this
information should be subject to automated processing. The OAIC welcomes the DVA’s
comments in its written submission to the Committee that ‘in regards to automated
debt collection, the Department does not intend this provision for this purpose’. This
intent could be included in the Bill or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Content Author: Renee Alchin
Responsible Director: Sophie Higgins
Responsible Assistant Commissioner
s.22 - irrelevant
Melanie Drayton
Commissioner brief: Briefing notes – Inquiry into the Digital
Readiness Bill – Senate Foreign Affairs, Defence and Trade
Committee
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Key points
1. The Veterans’ Affairs Legislation Amendment (Digital Readiness) Bill 2016 seeks to
amend the Veterans’ Entitlements Act 1986 (VEA), Military Rehabilitation and
Compensation Act 2004 (MRCA) and the Safety, Rehabilitation and Compensation
(Defence-related Claims) Act 1988 (DRCA). The Bill and Explanatory Memorandum are
at Annexure A.
2. On 31 October 2016, the Attorney-General’s Department Information Law Unit (AGD)
requested that the OAIC provide any comments on the Bill, and these would be
provided to the Office of Parliamentary Counsel (OPC). On 3 November 2016, the OAIC
provided comments on the Bill to the AGD, which AGD passed on to OPC and then to
Department of Veterans’ Affairs (DVA).
3. The OAIC’s comments focused on the public interest disclosure provisions in
Schedule 2 of the Bill. These authorise the Secretary to make disclosures that the
Secretary certifies as ‘necessary in the public interest’, and invoke the ‘required or
authorised’ by law exception in APP 6 in the Privacy Act. The AGD did not make any
substantive comments on the Bill.
4. The Commonwealth Ombudsman outlined in their second submission on the
disclosure provisions (and also notified Angelene Falk by telephone of their intention
to make such a submission) that any development of legislation or policy relating to
the disclosure of personal information should occur in consultation with the OAIC.
5. The Bill states that the Secretary must, in giving such a ‘public interest certificate’, act
in accordance with Rules made by legislative instrument, by the Minister. While not
included in the OAIC’s comments to OPC, the OAIC’s email to the Committee on 14
February noted that the OAIC would welcome the opportunity to be consulted on any
such draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose individuals’
personal information, and are generally consistent with the spirit and intent of the
Privacy Act.
6. Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access
and correction).
7. The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to disclose the
information; give the person a reasonable opportunity to make written comments on
the proposed disclosure of the information and consider any written comments made
by the person. This is consistent with the emphasis on transparency in the Privacy Act,
and may in some circumstances give the individual a ‘reasonable expectation’ that
their personal information will be disclosed for a particular purpose.
8. The OAIC acknowledges that automated decision-making is likely to provide a number
of advantages for DVA and for Australians accessing their services, particularly in
regards to efficiencies. However, the OAIC would encourage consideration to be given
at an early stage, to ensuring that any privacy impacts are identified and minimised to
the extent possible, and that an integrated approach to privacy management is taken.
Background – the Digital Readiness Bill
The Bill will insert a provision into the VEA, MRCA, and DRCA to enable the Secretary to
authorise the use of computer programmes to make decisions and determinations,
exercise powers or comply with obligations etc. under these Acts (Schedule 1).
Safeguards in the Bill include that the Secretary may make a decision or determination in
substitution for a decision or determination made by a computer program, if satisfied
that the decision or determination is incorrect (Schedule 1).
The Bill will also insert a provision into each of these Acts that gives the Secretary broad
disclosure powers: ‘the Secretary may, if the Secretary certifies that it is necessary in the
public interest to do so in a particular case or class of cases, disclose any information
obtained by any person in the performance of that person’s duties under this Act to
such persons and for such purposes as the Secretary determines’ (Schedule 2).
Safeguards in the Bill include that:
o the power cannot be delegated by the Secretary to anyone
o the Secretary must act in accordance with rules that the Minister makes and the
Minister cannot delegate his or her rule making power
o before disclosing information, the Secretary must notify the person concerned in
writing about the proposed disclosure and consider any written comments made
by the person, and
o unless the Secretary complies with the above notification requirements before
disclosing personal information, he or she commits an offence, punishable by 60
penalty units (Schedule 2).
The Explanatory Memorandum to the Bill gives as examples of circumstances in which it
might be appropriate for the Secretary to disclose such information as including ‘where
there is a threat to life, health or welfare, for the enforcement of laws, in relation to
proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider inappropriate
practices’ (p. 11).
The Bill also inserts three information sharing provisions in the DRCA between the
Military Rehabilitation and Compensation Commission and the Secretary of the
Department of Defence or the Chief of the Defence Force.
OAIC’s responsibilities to examine proposed enactments that impact privacy
A range of the OAIC’s responsibilities involve examining proposals that may restrict the
exercise of individuals’ privacy protections in favour of another public interest objective.
The Privacy Act recognises that the protection of individuals’ privacy, through the
protection of their personal information, is not an absolute right. Rather, those interests
must be balanced with the broader interest of the community in ensuring that APP
entities are able to carry out their legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the APPs, which except from
the operation of those APPs, certain information handling practices considered to be in
the public interest when balanced with the interest in protecting an individual’s privacy.
Disclosures of personal information
APP 6 outlines when an APP entity may use or disclose personal information. It generally
provides that an APP entity can only use or disclose personal information for a purpose
for which the information was collected (known as the ‘primary purpose’), or for a
secondary purpose where one of the exceptions listed in APP 6 applies. The exceptions
include where ‘a use or disclosure of personal information is authorised or required by
Australian law’ (APP 6.2(b)).
The OAIC is regularly invited to comment on draft laws that require or authorise the
collection, use or disclosure of personal information in a manner that would otherwise
be inconsistent with one or more of the APPs. The effect of such laws is that one or
more APPs will not apply to the use or disclosure of personal information, described in
the law.
Consistent with the approach taken in applying Article 17 in the International Covenant
on Civil and Political Rights (ICCPR), the OAIC’s advice generally suggests consideration
should be given to whether those measures are proportionate and necessary. That is,
whether they appropriately balance the intrusion on individuals’ privacy with the overall
public policy objectives of the proposal. Additionally, when handling of individuals’
personal information is authorised in the broader interests of the community, it is
generally recommended that those activities be accompanied by an appropriate level of
privacy safeguards and accountability. Should such a proposal be considered to
appropriately balance these objectives, it is generally recommended that the scope of
the proposal be drafted consistent with the spirit and intent of the Privacy Act.
Even where the disclosure is required or authorised by law under APP 6, the APPs will
still govern the Department of Veterans’ Affairs (DVA) information handling practices
and would continue to apply to that personal information held by the DVA (such as the
requirements in relation to transparency, data quality, security, and rights to access and
correction).
1.
OAIC engagement with the Bill
On 31 October 2016, the OPC contacted the AGD seeking comment on the Bill, and that
request was passed onto the OAIC for comment. The OAIC was not provided with the
Explanatory Memorandum. The OAIC’s comments on the Bill were provided to AGD, and
passed on to the OPC on 3 November 2016. The AGD did not make any substantive
comments on the Bill. The comments provided to OPC, along with a response provided
by DVA are at
Annexure B.
The OAIC’s comments focused on the public interest disclosure provisions in Schedule 2
of the Bill outlined above.
Key points made in the OAIC’s comments were:
o the OAIC noted that the disclosure of personal information under the new
provisions will be permitted by the ‘required or authorised by or under law’
exception in APP 6.2(b).
o The OAIC suggested that where a Bill invokes this exception in the Privacy Act,
consideration should be given to whether those measures are reasonable,
proportionate and necessary.
o The OAIC referred to similar disclosure provisions in the
Social Security
(Administration) Act 1999 and the
Paid Parental Leave Act 2010, noting that rules
issued under that legislation set out the matters to which the Secretary must
have regard in giving a public interest certificate and the circumstances in
which a public interest certificate may be given, which include: to prevent, or
lessen, a threat to the life, health or welfare of a person; for the enforcement of
laws; to correct a mistake of fact; to brief a Minister or to locate missing persons
etc.
On 7 November 2017, DVA responded by email to the OAIC that:
o rules would be made setting out the circumstances in which the Secretary may
make a public interest disclosure before the Secretary exercises that power. The
nature and content of those rules is likely to be similar to the Social Security
(Public Interest Certificate Guidelines) (DSS) Determination 2015, mentioned
below.
o The sorts of situations in which it is envisaged the public interest disclosure power
will be exercised will be set out in the EM, including: where there is a threat to
life, health or welfare, for the enforcement of laws, in relation to proceeds of
crime orders, mistakes of fact, research and statistical analysis, APS code of
conduct investigations, misinformation in the community and provider
inappropriate practices (this is subject to the Minister agreeing to make rules
along these lines.)
On 6 December 2016, the Committee invited the OAIC to make a comment on the Bill,
but the OAIC inadvertently did not action this request. Melanie has apologised to the
Committee for this oversight.
Seven submissions have been made to the Committee – see
Annexure C. These include
a lengthy submission from DVA and two submissions made by the Commonwealth
Ombudsman.
Key matters to note from the DVA submission include:
o DVA sets out a range of efficiency-related justifications for provisions in the Bill
that automate the decision-making process
o the Committee appears to have raised concerns with DVA about the breadth of
the disclosures that may be made under the Bill, including disclosures to ‘correct
misinformation’ and the submission purports to respond to these concerns.
o DVA notes that the proposed public interest disclosure provisions ‘are modelled
on paragraph 208(1)(a) of the
Social Security (Administration) Act 1999. That
public interest disclosure provision has been in operation for 17 years and has
operated successfully with the approval of Parliament. The Privacy Commissioner
has not raised any concern about the Department of Social Services/ Department
of Human Services’ provision…’
The most recent iteration of the
Social Security (Public Interest Certificate Guidelines)
(DSS) Determination 2015 was registered on FRLI in August 2015. The explanatory
memorandum refers to consultation with the AGD and others, but does not specifically
refer to consultation with the OAIC. We have not been able to find any engagement
with the OAIC on the Determination following a brief TRIM search and discussion with
Sarah Ghali. A more fulsome search could be undertaken if necessary.
The Commonwealth Ombudsman has made a submission to the Committee in relation
to automation aspects of the Bill (see below).
They also made a second submission on the new disclosure provisions, (and notified
Angelene Falk by telephone, of their intention to make such a submission). This
supplementary submission recommends that any development of legislation or policy
relating to disclosure of PI should occur in consultation with the OAIC.
On 10 February 2017, a Research Officer from the Senate Committee contacted the
OAIC to advise that it is holding a public hearing on Thursday, 16 February 2017 and
invites the Information Commissioner to appear from 5:00pm – 6:00pm. The
Commonwealth Ombudsman and officers of DVA have also been invited to appear. They
have provided the OAIC with specific questions in relation to the public interest
disclosure provisions – which the OAIC intends to submit a written response to before
the hearing, as well as other questions
On 14 February, Melanie Drayton, Assistant Commissioner, sent a detailed response to
the Committee noting that the Information Commissioner and Deputy Commissioner
would appear at the public hearing; outlining the OAIC’s role; attaching the OAIC’s
comments on the Bill that were sent to OPC (via AGD); and responding to the specific
questions where possible (noting that a number of the questions may be directed to
DVA). This email also noted that the OAIC would welcome the opportunity to be
consulted on the draft rules to be made by the Minister in relation to public interest
disclosures. The OAIC’s email to the Committee is at
Annexure D. The OAIC’s answers to
the Committee’s questions are at
Annexure E.
Key additional points that the Commissioner may make at the Committee meeting are:
o The OAIC welcomes the safeguard in the Bill that before disclosing personal
information about a person under the ‘public interest disclosure’ provisions, the
Secretary must notify the person in writing of the Secretary’s intention to
disclose the information; give the person a reasonable opportunity to make
written comments on the proposed disclosure of the information and consider
any written comments made by the person. This is consistent with the emphasis
on transparency in the Privacy Act, and may in some circumstances give the
individual a ‘reasonable expectation’ that their personal information will be
disclosed for a particular purpose (consistent with the ‘reasonable expectation’
exception in APP 6.2(a)).
o The Bill states that the Secretary must, in giving such a ‘public interest
certificate’, act in accordance with Rules made by legislative instrument, by the
Minister. The OAIC would welcome the opportunity to be consulted on any such
draft rules. The OAIC will have regard to whether any permitted disclosures
accord with the social license given to government to handle and disclose
individuals’ personal information, and are generally consistent with the spirit and
intent of the Privacy Act.
Automated decision-making
The Commonwealth Ombudsman’s written submission to the Committee commented
on several matters that related to automated decisions. These comments related to
accuracy of automated decisions, and errors that can arise from incorrect data entry
and system errors, and the fact that the onus is predominately placed on the customer
to identify these errors.
The Commonwealth Ombudsman also outlined issues with automated decisions
following basic legal values of lawfulness, fairness, transparency and efficiency.
The objects of the Privacy Act recognise that the protection of individuals’ privacy is
balanced with the interests of entities in carrying out their functions or activities (s
3(b)). The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services, including
those associated with reduced costs and enhanced efficiency. However, consideration
should be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
Some key privacy considerations that may arise where decision-making is automated
include:
o whether the entity has taken reasonable steps to implement practices,
procedures and systems to ensure that the entity complies with the APPs
and to enable the entity to deal with inquiries and complaints from
individuals about the entity’s compliance with the APPs (APP 1.2). Entities
will be better placed to meet these obligations if they embed privacy
protections in the design of the information handling practice at an early
stage.
o whether the entity has taken reasonable steps to ensure that the personal
information it collects, uses and discloses is accurate, up-to-date and
complete (as required by APP 10). This may be particularly challenging
where the onus is on the individual to identify errors or discrepancies with
automated decisions.
o whether the entity has processes in place to allow the individual to request
access to, and correction of his or her personal information used in
automated processes (APPs 11 and 12).
The OAIC also suggests consideration be given to the privacy risks arising from personal
information processed as part of an automated decision-making process. For example,
due to the higher privacy risks involved with handling sensitive information, the OAIC
would generally suggest greater caution be exercised when considering whether this
information should be subject to automated processing. The OAIC welcomes the DVA’s
comments in its written submission to the Committee that ‘in regards to automated
debt collection, the Department does not intend this provision for this purpose’. This
intent could be included in the Bill or the Explanatory Memorandum.
DVA could conduct a privacy impact assessment (PIA) of the amendments proposed by
the Bill that have privacy implications to identify and assess the privacy risks associated
with the amendments. A PIA is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The Freedom of Information Act supports an open government agenda and
the objects of that Act make it clear that government held information is to
be managed for public purposes and is a national resource.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that APP entities are able to carry out their
legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which except from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of
personal information is authorised or required by Australian law or where
an entity reasonably believes that a use or disclosure is reasonably
necessary for an enforcement related activity conducted by an enforcement
body.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective.
My Office had the opportunity to provide comments on draft versions of
the Bill, with comments provided on 3 November 2016. These comments
focused on the public interest disclosure provisions in Schedule 2 of the Bill
which permit certain disclosures and involve the ‘required or authorised by
law’ exception in APP 6 in the Privacy Act. I understand my Office has
provided a copy of these comments to the Senate Committee inquiry for
consideration.
I would be happy to answer any questions the Committee has.
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The Freedom of Information Act supports an open government agenda and
the objects of that Act make it clear that government held information is to
be managed for public purposes and is a national resource.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that APP entities are able to carry out their
legitimate functions and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which except from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
Exceptions cover a range of matters including where a use or disclosure of
personal information is authorised or required by Australian law or where
an entity reasonably believes that a use or disclosure is reasonably
necessary for an enforcement related activity conducted by an enforcement
body.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits, have considered whether de-identified information
would suffice, and whether it is appropriate to conduct a Privacy Impact
Assessment.
My Office had the opportunity to provide comments on the draft version of
the Bill, with comments provided on 3 November 2016. These comments
focused on the public interest disclosure provisions in Schedule 2 of the Bill
which permit certain disclosures and involve the ‘required or authorised by
law’ exception in APP 6 in the Privacy Act. I understand my Office has
provided a copy of these comments to the Senate Committee inquiry for
consideration.
There are, however, a few issues which I believe warrant further
consideration. In summary these are:
o [insert from briefing if wish to pursue]
I would be happy to answer any questions the Committee has.
Commented [SH1]: Shall we say we are aware that the
Ombo is intending to make a second sub and support that
we be consulted on the Rules.
Suggest that a PIA be done to help the Department ascertain
which types of decisions may not be appropriate for
computer-based decision making.
Consider whether to bring up automated decision-making
here, or leave it given it was not raised in our comments
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which except from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
My Office provided comments to the Office of Parliamentary Counsel
(through AGD), on a draft version of the Bill on 3 November 2016. These
comments focused on the public interest disclosure provisions in Schedule
2 of the Bill. These permit the Secretary to make ‘public interest’ disclosures
and have the effect that the privacy protections in the ‘use and disclosure’
APP - Australian Privacy Principle 6 - would not apply. I understand my
Office has provided a copy of these comments to the Senate Committee
inquiry for consideration.
There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the ‘use and disclosure principle’ – APP 6 – would not apply to the
‘public interest disclosures’ proposed in the Bill, most of the other Australian
Privacy Principles would continue to apply to that personal information held by
DVA (such as the requirements in relation to transparency, data quality, security,
and rights to access and correction).
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, consideration should be given at
an early stage, to ensuring that any privacy impacts are identified and minimised
to the extent possible, and that an integrated approach to privacy management
is taken.
I would be happy to answer any questions the Committee has.
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which except from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
My Office provided comments to the Office of Parliamentary Counsel
(through AGD), on a draft version of the Bill on 3 November 2016. These
comments focused on the public interest disclosure provisions in Schedule
2 of the Bill. These permit the Secretary to make ‘public interest’ disclosures
and have the effect that the privacy protections in the ‘use and disclosure’
APP - Australian Privacy Principle 6 - would not apply. I understand my
Office has provided a copy of these comments to the Senate Committee
inquiry for consideration.
There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the ‘use and disclosure principle’ – APP 6 – would not apply to the
‘public interest disclosures’ proposed in the Bill, most of the other Australian
Privacy Principles would continue to apply to that personal information held by
DVA (such as the requirements in relation to transparency, data quality, security,
and rights to access and correction).
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, I would encourage consideration
to be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
I would be happy to answer any questions the Committee has.
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
The APPs are underpinned by notions of transparency and accountability. In
general terms, transparency requires entities to give careful consideration
to ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which except from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits and include privacy safeguards.
My Office provided comments to the Office of Parliamentary Counsel
(through AGD), on a draft version of the Bill on 3 November 2016. These
comments focused on the public interest disclosure provisions in Schedule
2 of the Bill. These permit the Secretary to make ‘public interest’ disclosures
and have the effect that the privacy protections in the ‘use and disclosure’
APP - Australian Privacy Principle 6 - would not apply. I understand my
Office has provided a copy of these comments to the Senate Committee
inquiry for consideration.
There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o My office recognises that the Bill includes some privacy safeguards
including that the Minister may make rules, by legislative instrument,
that must be complied with before the Secretary gives a public
interest disclosure certificate; and that disclosures may only be made
if the individual is first notified of the disclosure and given an
opportunity to respond.
o Another privacy safeguard is that even though the ‘use and disclosure
principle’ – APP 6 – would not apply to the ‘public interest
disclosures’ proposed in the Bill, most of the other Australian Privacy
Principles would continue to apply to that personal information held
by DVA (such as the requirements in relation to transparency, data
quality, security, and rights to access and correction).
o Given the rules act as a privacy safeguard, my office would welcome
the opportunity to be consulted on draft rules to be made by the
Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o As regards the automated decision-making provisions in the Bill,
while I acknowledge that these may provide a number of advantages
including improved efficiencies, I would encourage consideration be
given at an early stage, to ensuring that any privacy impacts are
identified and minimised to the extent possible, and that an
integrated approach to privacy management be taken in
implementing these provisions.
I would be happy to answer any questions the Committee has.
Commissioner brief: Opening statement talking points for
Australian Information Commissioner
Type: Commissioner brief
Purpose: Senate Foreign Affairs, Defence and Trade Committee public hearing inquiry
into the Digital Readiness Bill
For: The Australian Information Commissioner
Thank you for the opportunity to appear before the Committee today in
relation to the Veterans’ Affairs Legislation Amendment (Digital Readiness
and Other Measures) Bill 2016.
As the Australian Information Commissioner and Australian Privacy
Commissioner, I am responsible for ensuring compliance with the Privacy
Act, and promoting access to government information through the
Freedom of Information Act.
The Privacy Act regulates the handling of personal information by most
Australian Government agencies and many private sector organisations.
The cornerstone of this privacy protection framework are the Australian
Privacy Principles (or APPs). These set out standards, rights and obligations
in relation to the way individuals’ personal information is handled.
The APPs are underpinned by notions of transparency and accountability. In
general terms, this requires entities to give careful consideration to
ensuring that individuals are aware of an entity’s information handling
practices, so that the individual may make appropriate choices about their
personal information. Accountability includes ensuring good privacy
governance mechanisms are implemented at an early stage.
The Privacy Act recognises that the protection of individuals’ privacy,
through the protection of their personal information, is not an absolute
right. Rather, those interests must be balanced with the broader interest of
the community in ensuring that Australian government agencies and
private sector organisations are able to carry out their legitimate functions
and activities.
This balancing is reflected in the exceptions to a number of the Australian
Privacy Principles, which exclude from the operation of those APPs, certain
information handling practices considered to be in the public interest when
balanced with the interest in protecting an individual’s privacy.
The OAIC’s responsibilities include examining proposals that may restrict
the exercise of individuals’ privacy protections in favour of another public
interest objective. Our approach is generally to ensure that any changes
that authorise a disclosure of personal information by invoking an exception
in the Privacy Act, are reasonable, necessary and proportionate to the
expected benefits.
My Office provided comments to the Office of Parliamentary Counsel
(through the Attorney-General’s Department), on a draft version of the Bill on
3 November 2016. These comments focused on the public interest
disclosure provisions in Schedule 2 of the Bill. These permit the Secretary to
make ‘public interest’ disclosures and have the effect that the privacy
protections in the ‘use and disclosure’ APP - Australian Privacy Principle 6 -
would not apply. I understand my Office has provided a copy of these
comments to the Senate Committee inquiry for its information.
There are, however, a few additional matters which I believe warrant
further mention before the Committee. In summary these are:
o Even though the disclosure is required or authorised by law, the Australian
Privacy Principles govern DVA’s information handling practices and would
continue to apply to that personal information held by DVA (such as the
requirements in relation to transparency, data quality, security, and rights to
access and correction).
o The OAIC would welcome the opportunity to be consulted on draft rules to be
made by the Minister under the ‘public interest disclosure’ provisions in Schedule
2 of the Bill.
o The OAIC acknowledges that automated decision-making is likely to provide a
number of advantages for DVA and for Australians accessing their services,
particularly in regards to efficiencies. However, I would encourage consideration
to be given at an early stage, to ensuring that any privacy impacts are identified
and minimised to the extent possible, and that an integrated approach to privacy
management is taken.
o The Department of Veterans’ Affairs could conduct a privacy impact assessment
of the amendments proposed by the Bill that have privacy implications to
identify and assess the privacy risks associated with the amendments. A privacy
impact assessment is a written assessment which may assist in identifying the
privacy impacts of the proposal, and provides an opportunity to set out any
recommendations for managing, minimising or eliminating those impacts.
I would be happy to answer any questions the Committee has.
Pages 293 through 325 redacted for the following reasons:
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
s.47E(d)