Systematic government access to private-sector data in Australia

May 30, 2017 | Author: Omer Tene | Category: Comparative Law, Privacy and data protection, Privacy Data Protection Law

International Data Privacy Law, 2012, Vol. 2, No. 4

ARTICLE

Systematic government access to private-sector data in Australia Dan Jerker B. Svantesson*

National legal context and fundamental principles

* Dr Dan Jerker B. Svantesson is Professor in the Faculty of Law, Bond University, Gold Coast, Queensland 4229, Australia, Ph: +61 7 5595 1418, E-mail: [email protected], and Researcher at the Swedish Law & Informatics Research Institute, Stockholm University (Sweden).
1 Department of Foreign Affairs and Trade, at: <http://www.dfat.gov.au/facts/legal_system.html> accessed 10 January 2012.

• This study of systematic government access to private-sector data in Australia suggests that, while the Australian government has a range of powers to obtain such data, those powers appear primarily aimed at obtaining specific data for specific purposes.
• Little was found by way of direct unmediated access by the government to private-sector data or government access to private-sector data in bulk.
• However, recent initiatives suggest that, in a not too distant future, Australian law may well cater for extensive, not to say excessive, systematic government access to private-sector data.

Territory introduced its Human Rights Act in 2004. Section 12 of that Act specifically protects privacy.4 Similarly, the Charter of Human Rights and Responsibilities Act 2006 (Vic) of Victoria contains such protection.5 Further, other states, for example New South Wales, have also considered implementing such human rights protection.

Statutory and regulatory overview

In addition to the key areas of data access focused on below, other examples of more or less systematic government access to private-sector data can be found, such as in the context of government use of private

2 ALRC, Report 108 (May 2008).
3 Available at: <http://www.humanrightsconsultation.gov.au/> accessed 10 January 2012.
4 Human Rights Act 2004 (ACT).
5 Charter of Human Rights and Responsibilities Act 2006 (Vic), s. 13.

© The Author 2012. Published by Oxford University Press. All rights reserved. For Permissions, please email: [email protected]

Downloaded from http://idpl.oxfordjournals.org/ by guest on September 14, 2016

Australia has a federal system of government with power distributed between six states, two territories and the federal government. The Australian Constitution provides the federal government with the exclusive power to make laws on matters such as trade and commerce, taxation, defence, external affairs, and immigration and citizenship. It also outlines concurrent powers where both tiers of government are able to enact laws. The states and territories have independent legislative power in all matters not specifically assigned to the federal government.1 Both state/territory law and federal law affect the issues examined here. However, the most significant legislative initiatives are found on the federal level. Australian privacy law is currently undergoing a major overhaul which takes its point of departure in a 2,694 page report, from 2008, by the Australian Law Reform Commission.2 That report made a number of recommendations and at the time of writing, the government is working on reforming the relevant law. Discussions3 have taken place recently aimed at the possible introduction of a federal Bill of Rights, but Australia currently lacks such an instrument. The Australian Human Rights Commission is responsible for promoting and encouraging protection of human rights in Australia. However, while Australia is a signatory to international instruments, such as the International Covenant on Economic, Social and Cultural Rights and the International Covenant on Civil and Political Rights with its Optional Protocol 2, there are no binding human rights principles on a federal level. Turning to state/territory level, the Australian Capital

Abstract

Dan Jerker B. Svantesson . Systematic government access to private-sector data in Australia

entity CCTV footage,6 ID scanning at clubs,7 special reporting duties placed on selected health care providers,8 private, or semi-private, operators of toll roads, and public transport smartcards.9

Laws requiring, explicitly authorizing, or restricting governmental access to private-sector data

6 See eg Victorian Law Reform Commission, Surveillance in Public Places: Final Report [2010] VLRC 18, available at: <http://www.austlii.edu.au/cgi-bin/disp.pl/au/other/lawreform/VLRC/2010/18.html?stem=0&synonyms=0&query=CCTV> accessed 16 January 2012.
7 See further: Identity Scanning by Registered Clubs, at: <http://www.privacy.org.au/Papers/ClubIDScans.html> accessed 16 January 2012.
8 See eg Health Insurance Act 1973 (Cth), s. 23DS.
9 See further: Nigel Waters, Government Surveillance in Australia, available at: <http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf> accessed 16 January 2012.
10 Note that it is highly likely that these principles will be replaced by a similar set of principles to govern both the private and public sector.
11 Privacy Act 1988 (Cth), s. 6.


undermined by the ease by which it can be circumvented. For example, AusCheck—a branch of the National Security Law and Policy Division of the Attorney-General’s Department—has the role of undertaking background checking of persons in order for them to hold certain identification cards. The AusCheck Act 2007 (Cth) explicitly authorizes AusCheck to collect, use, and disclose personal information for AusCheck purposes. Importantly for the discussion here, such collection, use, and disclosure is ‘taken to be authorised by law for the purposes of the Privacy Act 1988’.15 Thus, specific legislation can be used to nominate data use practices as being authorized by law so as to fit within the regulation discussed above. On a more general level, it is worth noting how one expert has observed that: Government agencies generally appear to consider any information lawfully obtained as ‘fair game’ for any subsequent lawful function. Moreover, the cumulative effect of the various statutory disclosure provisions is that information obtained by one agency for a specific purpose becomes at least potentially available to a range of other agencies for quite different purposes. Information privacy laws, in those Australian jurisdictions which have them, purport to limit use and disclosure to the purpose for which information is obtained, but this principle is substantially undermined by the many exceptions, including where ‘required or authorised by law’ and ‘where reasonably necessary for [a range of public purposes]’.16

Separate laws for law enforcement access, regulatory access, and/or national security access

Under current law, ‘the intelligence and defence intelligence agencies are either partially or completely exempt from the Privacy Act 1988 (Cth)’17 and there are special rules regulating law enforcement and national security access. The Crimes Act 1914 (Cth), Part 1AA, Division 4B, gives the Australian Federal Police (AFP) ‘notice to

12 Refer to: Privacy and Personal Information Protection Act 1998 (NSW), Information Privacy Act 2000 (Vic), Information Privacy Act 2009 (Qld), Personal Information Protection Act 2004 (Tas), and Information Act 2002 (NT).
13 Information Privacy Principle 1.
14 Information Privacy Principle 3.
15 AusCheck Act 2007 (Cth), s. 13(1).
16 Nigel Waters, Government Surveillance in Australia, available at: <http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf> accessed 16 January 2012, p. 5 (internal footnote omitted).
17 ALRC, Report 108 (May 2008), p. 1166. See e.g. Privacy Act 1988 (Cth), s. 7(2)(a). The term ‘intelligence agencies’ is defined in s. 6(1) of the Privacy Act 1988 (Cth).


The Privacy Act 1988 (Cth) contains 11 Information Privacy Principles (IPPs)10 that regulate, in general terms, the information use of federal and Australian Capital Territory ‘agencies;’ a term used to include, for example, Ministers, Departments, bodies, and tribunals established or appointed for a public purpose, persons holding or performing the duties of a government office, federal courts, and the Australian Federal Police.11 State and local government bodies are not covered (except for ACT agencies) and are instead regulated in state law.12 There are also exceptions for intelligence agencies and government business enterprises. Agencies regulated by this scheme shall not collect information unless the collection is for a ‘lawful purpose directly related to a function or activity of the collector’ and ‘the collection of the information is necessary for or directly related to that purpose’.13 Further, the collector must take reasonable steps to ensure that, having regard to the purpose for which the information is collected, ‘the information collected is relevant to that purpose and is up to date and complete’ and that ‘the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned’.14 Similar regulation can be found at the state-level in some states. The impact of this regulation on systematic government access to private-sector data is interesting. On the one hand, it clearly restricts governmental access to private-sector data and its broad scope of application means that it affects a wide range of government functions. On the other hand, this regulation is significantly


special powers relating to matters such as search warrants,23 requesting information or documents from operators of aircraft or vessels,24 inspection of postal articles and delivery service articles,25 the use of listening devices,26 and the use of tracking devices.27 Most importantly here, section 25A grants computer access powers. The Director-General may request the Minister to issue a warrant for computer access. The Minister must only issue such a warrant if: ‘satisfied that there are reasonable grounds for believing that access by the Organisation to data held in a particular computer (the target computer) will substantially assist the collection of intelligence in accordance with this Act in respect of a matter (the security matter) that is important in relation to security’.28 In a submission in May 2011, I cautioned against the use of the phrase ‘data held in a particular computer’ and suggested that with an increasing uptake in cloud computing, it may be difficult for ASIO to accurately predict in advance whether a person has stored relevant data locally on the ‘target computer’ or ‘in the cloud’.29 I also noted that, under the chosen wording, ASIO would appear restricted from accessing data stored in the cloud where a warrant has been granted for access to a target computer, even if, for example, the suspect in question has stored his/her login details for the cloud storage on that computer.30 It is also worth noting that the Attorney-General has issued guidelines for the operation of ASIO. Under those Guidelines, information is to be obtained by ASIO in a lawful, timely, and efficient way. 
Further, the obtaining of information must take place in accordance with the following: (a) any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence; and (b) inquiries and investigations into individuals and groups should be undertaken using as little intrusion into individual privacy as is possible. Further, the more intrusive the investigative technique, the higher the level of officer that should be required to approve its use and wherever possible, the least

18 Crimes Act 1914 (Cth), s. 3ZQM.
19 Crimes Act 1914 (Cth), s. 3ZQM.
20 Crimes Act 1914 (Cth), s. 3ZQN.
21 Crimes Act 1914 (Cth), s. 3ZQO.
22 Waters (n 16), at 4.
23 Australian Security Intelligence Organisation Act 1979 (Cth), s. 25.
24 Australian Security Intelligence Organisation Act 1979 (Cth), s. 23.
25 Australian Security Intelligence Organisation Act 1979 (Cth), s. 27 and 27AA.
26 Australian Security Intelligence Organisation Act 1979 (Cth), s. 26.
27 Australian Security Intelligence Organisation Act 1979 (Cth), s. 26A, 26B and 26C.
28 Australian Security Intelligence Organisation Act 1979 (Cth), s. 25A(2).
29 Dan Svantesson, Submission in relation to the Legal and Constitutional Affairs Legislation Committee’s inquiry into the Intelligence Services Legislation Amendment Bill 2011 (26 May 2011), at: <https://senate.aph.gov.au/submissions/comittees/viewdocument.aspx?id=3da24ca1-98644c55-8183-c17d01d48698> accessed 16 January 2012.
30 Dan Svantesson, Submission in relation to the Legal and Constitutional Affairs Legislation Committee’s inquiry into the Intelligence Services Legislation Amendment Bill 2011 (26 May 2011), at: <https://senate.aph.gov.au/submissions/comittees/viewdocument.aspx?id=3da24ca1-98644c55-8183-c17d01d48698> accessed 16 January 2012.


produce powers’. For example, section 3ZQM provides the power to request information or documents about terrorist acts from operators of aircraft or ships. That section allows an authorized AFP officer, who believes on reasonable grounds that an operator of an aircraft or ship has information or documents (including in electronic form) that are relevant to a matter that relates to the doing of a terrorist act (whether or not a terrorist act has occurred or will occur), to ‘ask the operator questions relating to the aircraft or ship, or its cargo, crew, passengers, stores or voyage, that are relevant to the matter’18 and to ‘request the operator to produce documents relating to the aircraft or ship, or its cargo, crew, passengers, stores or voyage: (i) that are relevant to the matter; and (ii) that are in the possession or under the control of the operator’.19 Section 3ZQN provides similar powers where ‘an authorised AFP officer considers on reasonable grounds that a person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious terrorism offence.’20 No prior court approval is required for these categories of requests. In contrast, where an AFP officer considers, on reasonable grounds, that the person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious offence, an application can be made to a Federal Magistrate for a ‘notice to produce’ order. 
To grant such an order, the Magistrate must be satisfied, on the balance of probabilities, by information on oath or by affirmation, that: ‘(a) the person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious offence; and (b) giving the person a notice under this section is reasonably necessary, and reasonably appropriate and adapted, for the purpose of investigating the offence’.21 At the state level, most jurisdictions require warrants issued either by judges or magistrates.22 Special rules apply to data gathering by the Australian Security Intelligence Organisation (ASIO). Part III, Division 2 of the Australian Security Intelligence Organisation Act 1979 (Cth) provides ASIO with a range of


‘oversupply’ in that telecommunications employees might disclose more than is necessary.38 Authorized disclosure can relate to data held by the telecommunications operator, or so-called prospective information or documents. ASIO39 and enforcement agencies40 may authorize the disclosure of specific information or documents held by a telecommunications operator. More interestingly, they can also authorize disclosure of prospective data on an ongoing basis, such as specific web browsing activities or the real time location of phones or other devices.41 As far as enforcement agencies are concerned, authorization must not be made unless the disclosure is reasonably necessary for the investigation of an offence punishable by imprisonment for at least three years.42 Further, ‘Before making the authorisation, the authorised officer must have regard to how much the privacy of any person or persons would be likely to be interfered with by the disclosure.’43 Notably, these rules do not apply to ASIO.44 Taken together, this provides Australian law enforcement and national security agencies with broad access to private-sector data. At the same time, it appears that, on most occasions, the regulatory framework outlined in this section would be used for ‘small scale’ access to data in individual cases as the requirements imposed, for example by the Attorney-General Guidelines, ought to ensure that, typically only specific data for specific purposes is collected rather than data in bulk. Having said that, one can of course imagine scenarios where access is sought to larger volumes of, for example, airline cargo or crew data, or indeed, systematic access in the sense of repeated access being sought. Further, the powers granted to ASIO could be used for systematic, direct, and unmediated access to private-sector data.

31 Australian Security Intelligence Organisation, Attorney-General’s Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), at: <http://www.asio.gov.au/img/files/AttorneyGeneralsGuidelines.pdf> accessed 18 January 2012, Guideline 10.4.
32 Australian Security Intelligence Organisation, Attorney-General’s Guidelines (n 31), Guideline 13.2.
33 That is, somewhat simplified, the holder of a carrier licence. See further: Telecommunications Act 1997 (Cth), s. 7.
34 That is, somewhat simplified, a person who supplies, or proposes to supply, a listed carriage service to the public. See further: Telecommunications Act 1997 (Cth), s. 87.
35 Overview of legislation: The Telecommunications (Interception and Access) Act 1979, available at: <http://www.ag.gov.au/www/agd/agd.nsf/Page/Telecommunicationsinterceptionandsurveillance_Overviewoflegislation> accessed 26 January 2012.
36 Telecommunications (Interception and Access) Act 1979 (Cth), s. 174(1).
37 Sharon Rodrick, Accessing Telecommunications Data for National Security and Law Enforcement Purposes, [2009] UMonashLRS 15, at: <http://www.austlii.edu.au/au/journals/UMonashLRS/2009/15.html> accessed 19 January 2012, p. 28.
38 See further: Rodrick (n 37), at 29.
39 Telecommunications (Interception and Access) Act 1979 (Cth), s. 175.
40 Telecommunications (Interception and Access) Act 1979 (Cth), s. 178, 178A and 179. State legislation, such as the Telecommunications (Interception) (New South Wales) Act 1987, enable certain State authorities to be declared to be agencies for the purposes of the Telecommunications (Interception) Act 1979 of the Commonwealth.
41 For ASIO, see Telecommunications (Interception and Access) Act 1979 (Cth), s. 176, and for enforcement agencies, refer to: Telecommunications (Interception and Access) Act 1979 (Cth), s. 180. See further: Rodrick (n 37), at 31–5.
42 Telecommunications (Interception and Access) Act 1979 (Cth), s. 180(4).
43 Telecommunications (Interception and Access) Act 1979 (Cth), s. 180(5).
44 Rodrick (n 37), at 34.


intrusive techniques of information collection should be used before more intrusive techniques.31 Finally, the Director-General ‘shall take all reasonable steps to ensure that personal information shall not be collected, used, handled, or disclosed by ASIO unless that collection, use, handling, or disclosure is reasonably necessary for the performance of its statutory functions (or as otherwise authorised, or required, by law)’.32 Looking specifically at communications data, section 313 of the Telecommunications Act 1997 (Cth) imposes obligations on all carriers33 and carriage service providers34 ‘to provide all assistance to Commonwealth, State and Territory Government agencies that is reasonably necessary for the enforcement of the criminal law or a law imposing a pecuniary penalty, the protection of the public revenue or the safeguarding of national security’.35 Significantly, this includes, amongst other obligations, providing assistance to agencies in relation to the interception of communications and access to stored communications. Further, while sections 276–278 of the Telecommunications Act 1997 (Cth) place restrictions on the use and disclosure of telecommunications data, special exemptions apply for law enforcement and national security agencies. In more detail, a distinction is drawn between ‘voluntary disclosure’ on the one hand and ‘authorised disclosure’ on the other. Voluntary disclosure of information or a document is allowed provided the disclosure is in connection with the performance by ASIO of its functions.36 Similarly, section 177(1) allows such voluntary disclosure to ‘an enforcement agency if the disclosure is reasonably necessary for the enforcement of the criminal law, or a law imposing a pecuniary penalty, or for the protection of the public revenue’.37 In the context of such disclosure, there is a risk of


Laws requiring broad reporting of personal data by private-sector entities

There are some examples of Australian law requiring broad reporting of personal data by private-sector entities, such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the Income Tax Assessment Act 1997 (Cth), and the Customs Act 1901 (Cth).

45 An introduction to AML/CTF programmes, available at: <http://www.austrac.gov.au/files/aml_ctf_programs.pdf> accessed 12 January 2012.
46 Available at: <http://www.austrac.gov.au/aml_ctf_programs.html> accessed 12 January 2012.
47 Available at: <http://www.austrac.gov.au/> accessed 12 January 2012.
48 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), s. 5.
49 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), ss. 41–42.

matter relates, and any transactions related to the matter.50
• Threshold Transaction Reports (TTRs) (where applicable)51—where a reporting entity provides or commences to provide a designated service to a customer which involves the transfer of physical currency or e-currency of AUS$10,000 or more it must complete a TTR within 10 business days. The information to be provided within a TTR includes details of the customer of the designated service, the individual conducting the transaction (if different from the customer), the recipient of the proceeds of the transaction (if different from the customer), and the transaction, including cash and other components.52
• International Funds Transfer Instruction (IFTI) reports (where applicable)53—where a reporting entity sends or receives a funds transfer instruction to or from a foreign country, it must complete an IFTI report within 10 business days. The information to be provided within an IFTI includes details of the transfer instruction, the parties involved in the transaction, or details of the ordering and beneficiary customers for the remittance, the originating and destination country’s remittance service providers (if applicable), and any additional information relating to the instruction.54

The AML/CTF Act contains a set of tables in section 6 that outlines in detail what constitutes a ‘designated service’. Examples include: where the service is provided in the course of carrying on a business: opening an account, accepting deposits or allowing withdrawals, making a loan, issuing a debit or credit card, supplying goods through a finance lease, supplying goods by way of hire purchase, issuing traveller’s cheques, providing remittance services which transfer money or property, certain superannuation-related transactions or services, issuing or accepting liability under life insurance policies, issuing or selling securities and derivatives, exchanging foreign currency, receiving or accepting a bet, placing or making a bet, allowing a person to play a game on an electronic gaming machine, paying out

50 Reporting requirements, available at: <http://www.austrac.gov.au/files/reporting-requirements_dec2010.pdf> accessed 12 January 2012.
51 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), ss. 43–44.
52 Reporting requirements, available at: <http://www.austrac.gov.au/files/reporting-requirements_dec2010.pdf> accessed 12 January 2012.
53 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), ss. 45–46.
54 Reporting requirements, available at: <http://www.austrac.gov.au/files/reporting-requirements_dec2010.pdf> accessed 12 January 2012.


Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)

On 12 December 2007, Australia introduced its Anti-Money Laundering and Counter-Terrorism Financing programmes. The programmes are regulated in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). These programmes—which apply to private entities such as banks, non-bank financial services, remittance (money transfer) services, bullion dealers, and gambling businesses45—explicitly require the broad reporting of personal data by private-sector entities. More specifically, the aim is for reporting entities to help identify, mitigate and manage the risk of their products or services facilitating money laundering or terrorism financing.46 The scheme is overseen by the Australian Transaction Reports and Analysis Centre (AUSTRAC).47 Where a private entity provides a ‘designated service’, it is classed as a reporting entity and must adopt, maintain, and comply with an AML/CTF programme.48 Such a programme includes several obligations (eg relating to the training and screening of staff, ensuring that an adequate monitoring system is in place, etc.) but most importantly for our purposes, it includes an obligation to submit three different types of reports.
• Suspicious Matter Reports (SMRs)49—where a reporting entity suspects that a matter may be related to an offence, tax evasion, or the proceeds of crime, it must submit an SMR within three business days, or where the suspicion relates to the financing of terrorism, within 24 hours. Such a report is to include all details known about the suspicious matter, the person/organization(s) to which the


winnings on bets, exchanging money for gaming chips or tokens and vice versa.

Customs Act 1901 (Cth)

The Australian Government collects passenger data and where an operator of an international passenger air service fails to provide access to that data in a manner and form requested by the government, it commits an offence.55 The Act makes clear that: ‘The obligation to provide access must be complied with even if the information concerned is personal information (as defined in the Privacy Act 1988).’56

Education

In Australia, providers of higher education (some of which, such as Bond University, are private entities) must report certain data to the government. In particular, systematic reporting requirements relate to the personal information of students on student visas (international students), and students who have access to government benefits.59

Laws permitting or restricting private-sector entities from providing government officials with voluntary broad access to data

The Privacy Act 1988 (Cth), with its ten National Privacy Principles (NPPs), regulates when private-sector entities may provide government officials with voluntary broad access to data, as well as the disclosure of specific data. However, due to a range of significant exemptions (eg the Act does not apply to an organization with an annual turnover of AUS$3 million60 or less), that Act is only applicable to a small proportion of Australian private-sector entities. Thus, the majority

55 Customs Act 1901 (Cth), s. 64AF(1).
56 Customs Act 1901 (Cth), s. 64AF(1) Note 2.
57 Taxation Administration Act 1953 (Cth).
58 Nigel Waters, Government Surveillance in Australia, available at: <http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf> accessed 16 January 2012, p. 15.


of Australian private-sector entities are unregulated in their voluntary provision of data to the government.61 Entities that do fall under the Privacy Act’s regulation must not disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) both of the following apply:
    (i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
    (ii) the individual would reasonably expect the organization to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
[. . . ]
(c) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:
    (i) it is impracticable for the organization to seek the individual’s consent before the use or disclosure; and
    (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and
    (iii) in the case of disclosure the organization reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or
(d) the organization reasonably believes that the use or disclosure is necessary to lessen or prevent:
    (i) a serious and imminent threat to an individual’s life, health, or safety; or
    (ii) a serious threat to public health or public safety; or

59 See further: Higher Education Support Act 2003 (Cth). That Act contains specific provisions dealing with privacy protection. See: Part 5–4, Division 179.
60 Roughly equal to US $3 million.
61 Waters (n 16), at 3.


Taxation and employment

The Australian Taxation Office (ATO) collects private-sector data systematically in a range of ways. For example, upon employing a new employee, the employer must collect, and report to the ATO, the employee’s tax file number (a unique identifier allocated by the ATO).57 Systematic reporting is also required under the Income Tax Assessment Act 1997 (Cth) which requires all employers and financial institutions in Australia to report all earned and unearned (investment) income to the ATO.58


(f) the organization has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is required or authorized by or under law; or
(h) the organization reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
    (i) the prevention, detection, investigation, prosecution, or punishment of criminal offences, breaches of a law imposing a penalty or sanction, or breaches of a prescribed law;
    (ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
    (iii) the protection of the public revenue;
    (iv) the prevention, detection, investigation, or remedying of seriously improper conduct or prescribed conduct;
    (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.62

62 National Privacy Principle 2.
63 Information Privacy Principle 9.

Judicial authorization requirements for major categories of data As noted throughout, warrants issued by judges play a major role in Australia. However, exceptions can be found, such as in relation to the Telecommunications (Interception and Access) Act 1979 (Cth) that, for example, allows an authorized officer of a criminal lawenforcement agency to authorize data disclosure.

Standards for use once the government acquires data The Privacy Act 1988 (Cth)’s Information Privacy Principles (IPPs) also regulate how the federal and ACT government agencies may use data once it has been acquired. Importantly, a record-keeper ‘shall not use the information except for a purpose to which the information is relevant’.63 Further, personal information obtained for a particular purpose may only be used for that purpose unless: (a) the individual concerned has consented to use of the information for that other purpose; (b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person; (c) use of the information for that other purpose is required or authorized by or under law; (d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or (e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.64 Significant restrictions are also placed on how an agency may disclose personal information. Such information may not be disclosed unless: (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body, or agency; (b) the individual concerned has consented to the disclosure;

64 Information Privacy Principle 10.

Downloaded from http://idpl.oxfordjournals.org/ by guest on September 14, 2016

(e) if the information is genetic information and the organization has obtained the genetic information in the course of providing a health service to the individual: (i) the organization reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health, or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and (iii) in the case of disclosure the recipient of the genetic information is a genetic relative of the individual; or

International Data Privacy Law, 2012, Vol. 2, No. 4

Dan Jerker B. Svantesson . Systematic government access to private-sector data in Australia

Cross-border and multi-jurisdictional issues Section 5B of the Privacy Act regulates the extraterritorial reach of the Act. That section extends the application of the Privacy Act to acts done, or practice engaged in, outside Australia by an organization provided that: (1) the overseas act was not required by an applicable foreign law, (2) the act or practice relates to personal information about an Australian citizen or another person whose continued presence in Australia is not subject to a limitation as to time imposed by law, and (3) the relevant organizations meet one of the following two tests. 65 66 67 68 69 70 71

Information Privacy Principle 11. Information Privacy Principle 7. Information Privacy Principle 8. Information Privacy Principle 6. Information Privacy Principle 5. Information Privacy Principle 4. See further: Dan Svantesson. ‘Protecting Privacy on the “Borderless” Internet—Some Thoughts on Extraterritoriality and Transborder Data

275

The first test, found in section 5B(2) is met where the organization in question is: (1) an Australian citizen; (2) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; (3) a partnership formed in Australia or an external Territory; (4) a trust created in Australia or an external Territory; (5) a body corporate incorporated in Australia or an external Territory; or (6) an unincorporated association that has its central management and control in Australia or an external Territory. The second test, outlined in section 5B(3) is met where the organization in question: (1) is not described in subsection (2) (ie does not meet the first test); (2) carries on business in Australia or an external Territory; and (3) ‘the personal information was collected or held by the organization in Australia or an external Territory, either before or at the time of the act or practice’.’ Section 5B has not been subject to any extensive judicial interpretation and several aspects of its application (particularly in relation to the second test mentioned above) must be seen as unclear. For example, it is not clear under which circumstances an organization is held to be ‘carrying on business in Australia or an external Territory’.71

Concluding remarks The above suggest that, while the Australian government has a range of powers to obtain access to privatesector data, those powers are currently primarily aimed at obtaining specific data for specific purposes. Little can currently be found by way of direct unmediated access by the government to private-sector data or government access to private-sector data in bulk. However, in a not too distant future, Australian law may well cater for extensive, not to say excessive, systematic government access to private-sector data. That is because of a proposed move by the Attorney-general Nicola Roxon towards a data retention scheme, commonly referred to as OzLog.72 Should the OzLog scheme become a reality as proposed, four key pieces of legislation would be altered, that is the Telecommunications (Interception and Access) Act 1979, the Telecommunications Act 1997, the Australian Security Intelligence Flow’ (2007) 19/1 Bond Law Review. Available at: ,http://works.bepress. com/dan_svantesson/3. accessed 26 January 2012. 72 Stephanie McDonald, ‘Ludlam: OzLog a ‘dodgy premise’, Computerworld, 4 June 2012 available at: ,http://www.computerworld. com.au/article/426514/ludlam_ozlog_dodgy_premise_/. accessed 26 June 2012.

Downloaded from http://idpl.oxfordjournals.org/ by guest on September 14, 2016

(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person; (d) the disclosure is required or authorized by or under law; or (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.65 In addition to these obligations, the IPPs impose obligations on agencies to alter records so as to ensure they are accurate, up to date,66 complete and not misleading, to check accuracy of personal information before it is used,67 to provide access to the information it holds on an individual,68 to provide information about the data it holds,69 and to ensure: (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorized access, use, modification, or disclosure, and against other misuse; and (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorized use or disclosure of information contained in the record.70 Examples of similar legislation can be found on statelevel.

ARTICLE

276

ARTICLE

International Data Privacy Law, 2012, Vol. 2, No. 4

major tool for systematic government access to privatesector data in Australia. doi:10.1093/idpl/ips021 Advance Access Publication 20 August 2012

73 Stephanie McDonald, ‘Ozlog: Government pushes ahead with data retention plans’, Computerworld, 28 May 2012 available at: ,http://www. computerworld.com.au/article/425847/ozlog_government_pushes_ ahead_data_retention_plans/. accessed 26 June 2012. For details about

the inquiry into a potential reform of the national security legislation, refer to: ,http://www.aph.gov.au/Parliamentary_Business/Committees/ House_of_Representatives_Committees?url=pjcis/nsl2012/index.htm..

Downloaded from http://idpl.oxfordjournals.org/ by guest on September 14, 2016

Organisation Act 1979, and the Intelligence Services Act 2001.73 It is not possible to anticipate the exact details, or consequences, of the OzLog scheme. But there can be little doubt that, if it goes ahead, it may represent a
