
1. Parties to the MOU

1.1 The parties to this Memorandum of Understanding (MOU) are the Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA) (together the Parties). In this MOU, the term 'Party' will mean either the OAIC or APRA, as the context allows.

1.2 The OAIC is an independent Commonwealth statutory agency established under the Australian Information Commissioner Act 2010 (Cth) (AIC Act), responsible for regulating privacy law and freedom of information law, including relevantly, the Privacy Act 1988 (Cth) (Privacy Act). The OAIC is led by the Australian Information Commissioner (AIC) who is appointed by the Governor-General under s 14 of the AIC Act.

1.3 APRA is the national prudential regulator in Australia, established on 1 July 1998 under the Australian Prudential Regulation Authority Act 1998 (Cth) (APRA Act). APRA administers legislation providing for the supervision of authorised deposit-taking institutions (banks, building societies and credit unions), insurance/reinsurance companies, friendly societies and superannuation funds authorised to operate in Australia.

2. Purpose and function of the MOU

2.1 This MOU facilitates:

  1. cooperation and collaboration; and
  2. the sharing of information and documents (information sharing), between the OAIC and APRA.

2.2 This MOU is intended to facilitate both:

  1. proactive information sharing where the Parties, relying on the information and assurances provided in this MOU, share information with each other on their own motion; and
  2. information sharing on written request where the Parties, relying on the information and assurances provided in this MOU and in any written request provided, share information with each other in response to a written request made by a Party.

3. Scope of the MOU

3.1 This MOU does not create any enforceable rights or impose any legally binding obligations on either Party.

3.2 The MOU is not intended to be exhaustive in the subject matters within its scope. The Parties may enter into any other arrangements for cooperation and collaboration to the full extent permitted by the law.

3.3 Nothing in this MOU affects the exercise of the legislative functions, powers, duties or obligations of either Party.

4. Term of this MOU

4.1 This MOU commences on the date it is signed by the last party and continues unless it is terminated in accordance with clause 12.1.

5. Powers, functions and duties of the Parties

OAIC powers, functions and duties under the Privacy Act

5.1 The AIC has:

  1. the information commissioner functions, the freedom of information functions and the privacy functions as those terms are defined in the AIC Act; and
  2. the power to do all things necessary to be done for or in connection with the functions listed in clause 5.1(a).

5.2 Relevantly, section 33A of the Privacy Act provides that:

  1. information sharing under that section must be done for the purpose of either:
    1. the AIC exercising powers, or performing functions or duties under the Privacy Act; or
    2. APRA exercising its powers, or performing its functions or duties;
  2. information or documents shared under that section must be acquired by the AIC in the course of exercising powers, or performing functions or duties, under the Privacy Act;
  3. the AIC must be satisfied on reasonable grounds that APRA has satisfactory arrangements in place for protecting information or documents proposed to be shared with it under that section; and
  4. where information or documents proposed to be shared under that section were acquired by the AIC from an agency, as that term is defined in the Privacy Act, those information or documents can only be shared with an agency, such as APRA.

5.3 APRA is a receiving body capable of receiving information from the AIC under s 33A of the Privacy Act, as APRA falls within the definition of an ‘enforcement body’ pursuant to s 6 and s 33A(2) of the Privacy Act.

5.4 The AIC also has other relevant information sharing powers. For example, subsection 28B(1) of the Privacy Act provides that the AIC may, amongst other things:

  1. provide advice to a Minister or entity about any matter relevant to the operation of the Privacy Act;
  2. inform the Minister of action that needs to be taken by an agency to comply with the Australian Privacy Principles; and
  3. provide reports and recommendations to the Minister in relation to any matter concerning the need for, or the desirability of, legislative or administrative action in the interests of the privacy of individuals.

5.5 Section 29 of the AIC Act makes unauthorised dealing with information an offence where information is acquired in the course of performing functions or exercising powers for the purposes of an information commissioner function, a freedom of information function or a privacy function. Provided the AIC acts pursuant to the powers and functions set out in the AIC Act and has due regard to the objects of the AIC Act (and any other relevant laws) the AIC can share information as intended by this MOU.

5.6 The AIC will only share information as part of this MOU in accordance with the requirements of the Privacy Act and any other applicable laws and regulations in its jurisdiction.

APRA powers, functions and duties

5.7 APRA's functions include, but are not limited to:

  1. overseeing Australia's banks, credit unions, building societies, general insurers and reinsurance companies, life insurers, private health insurers, friendly societies and superannuation funds (other than self-managed funds);
  2. acting as the national statistical agency for the Australian financial sector and playing a role in preserving the integrity of Australia's retirement incomes policy;
  3. administering the Financial Claims Scheme when activated by the Australian Government in the unlikely event an APRA-regulated institution were to fail; and
  4. balancing the objectives of financial safety and efficiency, competition, contestability and competitive neutrality and, in balancing these objectives, to promote financial system stability.

5.8 Relevantly, section 11 of the APRA Act provides that APRA has the power to do anything that is necessary or convenient to be done for or in connection with the performance of its functions.

5.9 Section 56(2) of the APRA Act makes the disclosure of protected information or protected documents (as those terms are defined in section 56 of the APRA Act) by a person who is an officer an offence. The term “officer” is defined in section 56 of the APRA Act to include APRA board and staff members and other persons who acquired the information in the course of their employment. Exceptions to this offence include where the disclosure is for the purposes of a prudential regulation framework law (as defined in the APRA Act) and the disclosure is approved by APRA by an instrument in writing.

5.10 APRA will only share information as part of this MOU in accordance with the requirements of the APRA Act and any other applicable laws and regulations in its jurisdiction.

Change in powers, functions and duties

5.11 The Parties agree to:

  1. immediately notify each other should this MOU no longer accurately reflect the powers, functions and duties of the Parties relevant to the information sharing foreseen under it; and
  2. as soon as is practicable after having sent or received notification under paragraph 5.11a), cooperate to vary the MOU in accordance with clause 12 to make it accurate.

6.  Commitment to engage

6.1 The Parties recognise the importance of mutual consultation and cooperation in the effective discharge of their respective responsibilities.

6.2 Each Party commits to developing and maintaining effective arrangements for engagement and, in accordance with legislative and contractual obligations and agreed protocols, having regard to each other’s mandate and broader regulatory objectives.

6.3 The type of engagement employed to support the objectives specified in this MOU will vary but will typically be to:

  1. inform – provide appropriate information and documents that are relevant to the other Party and respond promptly to Information Sharing Requests (defined below);
  2. consult – where one Party is considering or undertaking an activity that has an impact on the other Party’s responsibilities;
  3. collaborate – seek input from, or collaboration with, the other Party to achieve or improve regulatory outcomes; and
  4. engage effectively – seek to improve the efficiency of its interaction with the other Party.

7. Security arrangements of each Party

7.1 In addition to any legislative requirements, each Party may impose conditions on the use of information provided to the other Party.

7.2 Each Party agrees to:

  1. implement a data breach response process or plan in the event of a data breach, for the purposes of undertaking remedial action to minimise risk of harm, to ensure compliance with the Australian Privacy Principles [1], and the Notifiable Data Breach scheme [2];
  2. protect any information or documents shared with it under this MOU in accordance with the arrangements in both the standard information security criteria and the additional criteria, if any, in Appendix A;
  3. upon request by the other Party, provide evidence of ongoing compliance with paragraph 7.2a);
  4. immediately notify the other Party should this MOU no longer accurately reflect the arrangements put in place by it to protect information and documents shared under this MOU; and
  5. as soon as is practicable after notifying the other Party under paragraph 7.2c), arrange for variations to make accurate this MOU.

8. Proactive information sharing

8.1 The Parties agree that they may proactively share information under this MOU, subject to any applicable laws within their respective jurisdictions.

8.2 Where the Parties proactively share information under this clause 7, the Parties will:

  1. address all correspondence to the contact officer of the other Party specified in Appendix B; and
  2. clearly record:
    1. that information or documents shared under this MOU was shared on its own motion;
    2. the nature or kind of information or documents shared with the other Party; and
    3. the purpose for which the information or documents were shared.

9. Information sharing requests

8.1 Each Party may request that the other Party share information or documents under this MOU (Information Sharing Request).

8.2 When an Information Sharing Request is made, each Party will:

  1. clearly express each Information Sharing Request as such; and
  2. address each Information Sharing Request to the contact officer of the other Party specified in Appendix B.

8.3 Each Information Sharing Request will:

  1. be in writing; and
  2. contain:
    1. a sufficiently detailed description of the requested information or documents;
    2. the purpose for which the requested information or documents are sought; and
    3. to the extent that the Party seeks the requested information or documents to exercise its powers or perform its functions and duties, the relevant power, function or duty.

8.4 Where either Party perceives a need for expedited action:

  1. a Party may make an Information Sharing Request in any form, but will subsequently confirm the request in writing in accordance with the requirements outlined in clause 8.3 within 10 business days; and
  2. the Parties will endeavour to provide the information requested to each other as quickly as possible, subject to the terms of this MOU.

8.5 An Information Sharing Request may be denied by the Parties where, amongst other things, the disclosure would interfere with national security or an ongoing investigation, or where it would not be lawful to do so. If an Information Sharing Request has been denied by a Party, that Party should provide the other Party with reasons for the denial.

9. Use of shared information or documents

9.1 Each Party agrees to use information or documents shared with it under this MOU only for the purpose for which they were shared, noting that this is also a requirement under s 33A(5) of the Privacy Act for any information shared pursuant to s 33A of the Privacy Act.

9.2 Each Party may impose conditions on the use of information provided to the other Party.

9.3 If a Party is served with a binding legal order or requirement to provide information to a third party, and that information was obtained from the other Party under this MOU, that Party will:

  1. notify the other Party of the order or requirement as soon as practicable unless legally compelled not to do so; and
  2. to the extent practicable, consult with the other Party as to how to respond to the order or requirement.

9.4 If a Party wishes to disclose information obtained under this MOU to a third party where it is not legally compelled to do so, that Party will:

  1. obtain the other Party's consent prior to the disclosure; and
  2. impose on the third party any conditions which have been made by the other Party concerning the use of that information.

10. Confidentiality

10.1 The Parties understand that they will use their best endeavours to preserve the confidentiality and sensitivity of the information received under this MOU. In this regard, staff members of the Parties will hold confidential all information obtained in the course of their duties. Any confidential information received from either of the Parties is to be used exclusively for lawful purposes.

10.2 Information sharing undertaken in accordance with this MOU is subject to all applicable confidentiality, secrecy and privacy requirements under the laws applicable to the Parties in their respective jurisdictions.

11. Variations

11.1 The Parties will monitor the operation of the MOU and review it as required.

11.2 Any term of this MOU may be varied at any time with the mutual written consent of each Party.

12. Termination of MOU

12.1 Either Party may terminate this MOU by giving at least 30 days' written notice to the other Party. The termination will take effect 30 days after the notice is sent, unless otherwise agreed, in writing, between the Parties.

13. Costs

13.1 Each Party agrees to bear its own costs in performing its functions under this MOU.

13.2 If it appears that a Party is likely to incur substantial costs in responding to an Information Sharing Request, that Party may consult with the other Party as to how to respond to the Information Sharing Request.

14. Claims or Complaints

14.1 The Parties agree to consult and cooperate with each other in the event of any complaint or claim made against a Party relating to the use of information shared in accordance with this MOU.

15. Dispute Resolution

15.1 Where a dispute arises between the Parties regarding this MOU, the Parties will make reasonable attempts to resolve the dispute at the contact officer level.

16. Notices

16.1 Any notice in relation to this MOU is to be in writing and delivered to the contact officer specified in Appendix B.

16.2 A notice is deemed to be effected:

  1. if delivered by hand - upon delivery to the relevant address;
  2. if sent by post - upon delivery to the relevant address; or
  3. if transmitted electronically - upon actual receipt by the addressee.

16.3 A notice received after 5.00 pm, or on a day that is not a business day in the place of receipt, is deemed to be effected on the next business day in that place.

Signatures and Execution

Lucinda McCann

General Counsel (Australian Prudential Regulation Authority)

Date: 5 June 2024

Melanie Drayton

Acting Deputy Commissioner (Office of the Australian Information Commissioner)

Date: 31 May 2024

Appendix A: Receiving body arrangements to protect information or documents shared

The standard information security criteria are as follows (each arrangement to be marked Y/N by the receiving body).

  1. Have a secure ICT system and secure internet gateways in place.
  2. Store information or documents shared under this MOU separately to other documents.
  3. Limit access to information or documents shared under this MOU to those staff responsible for exercising the powers, functions or duties of that Party.
  4. Comply with the Information Security requirements under the Protective Security Policy Framework or another framework with at least as protective requirements.
  5. Notify the other Party in the event there is a data breach involving information or documents shared under this MOU.
  6. Subject to other relevant legislative requirements, destroy or de-identify any information or documents shared under this MOU when they are no longer required for the purpose for which they were shared.

The additional criteria are as follows (each arrangement to be marked Y/N by the receiving body).

  (No additional criteria are listed.)

Appendix B: Contact details

The contact details for each party are as follows.

OAIC contact officer

Name: Melanie Drayton
Role: Acting Deputy Commissioner
Phone: 02 9942 4216
Email: Melanie.Drayton@oaic.gov.au
Service address: Level 10, 175 Pitt Street, Sydney NSW 2000
Postal address: Office of the Australian Information Commissioner, GPO Box 5288, Sydney NSW 2001

APRA contact officer

Name/Role: Senior Manager, Regulatory Affairs
Phone: +61 2 9210 3000
Email: Regulatory Affairs <DomesticAffairs@apra.gov.au>
Service address: APRA, Level 12, 1 Martin Place, SYDNEY NSW 2000, AUSTRALIA
Postal address: APRA, Level 12, 1 Martin Place, SYDNEY NSW 2000, AUSTRALIA

[1] In particular, Australian Privacy Principle 1 requires entities to take reasonable steps to establish and maintain practices, procedures, and systems to ensure compliance with the APPs.

[2] Part IIIC of the Privacy Act 1988 (Cth).