31 August 2017

Our reference: 17/000038

Mr Tim Watling
Committee Secretary
Senate Legal and Constitutional Affairs Committee
PO Box 6100
Parliament House
Canberra ACT 2600

Dear Committee Secretary,

Submission to the Inquiry into the Australian Border Force Amendment (Protected Information) Bill 2017

I welcome the opportunity to comment on the Australian Border Force Amendment (Protected Information) Bill 2017 (the Bill), as part of the Inquiry by the Legal and Constitutional Affairs Legislation Committee (the Committee).

I have focussed my comments on the provisions of Schedule 1 Part 1 of the Bill, which seeks to create categories of ‘Immigration and Border Protection information’. I have also focussed on Schedule 1 Part 2, which seeks to remove requirements around the disclosure of personal information, and may therefore have an impact on the privacy of individuals.

Privacy impacts of the Bill

Schedule 1 – Part 1 – Amendments commencing on 1 July 2015

Immigration and Border Protection information

One of the provisions of Schedule 1 Part 1 of the Bill seeks to make amendments to the Australian Border Force Act 2015 (Cth) (ABF Act) to change the types of information, including personal information, that are regulated by the secrecy and disclosure provisions in Part 6 of the ABF Act. The Bill does this by repealing the definition of ‘protected information’, and substituting a new definition of ‘Immigration and Border Protection information’.

Currently, the secrecy and disclosure provisions apply to ‘protected information’, which is any information that was obtained by a person in their capacity as an entrusted person. Briefly, the proposed categories of ‘Immigration and Border Protection information’ include information the disclosure of which would or could reasonably be expected to:

  • prejudice the security, defence or international relations of Australia
  • prejudice the prevention, detection or investigation of, or conduct of proceedings relating to, an offence or a contravention of a civil penalty provision
  • prejudice the protection of public health, or endanger the life or safety of an individual or group of individuals
  • found an action for breach of a duty of confidence
  • cause competitive detriment
  • prejudice the effective working of the Department or otherwise harm the public interest.

Both the current and proposed definitions are broad in their remit and therefore would likely include ‘personal information’. Under the Privacy Act 1988 (Privacy Act), personal information is information about an identified individual, or an individual who is reasonably identifiable.

It is unclear what types of information, and personal information,[1] would be excluded from the proposed definition of ‘Immigration and Border Protection information’ that are currently included in the definition of ‘protected information.’ As I understand it, under the Bill the consequence of falling outside of the new definition would mean that such information is not subjected to regulation under the disclosure and secrecy provisions in Part 6 of the ABF Act.

It is also unclear whether there has been a consideration of any potential privacy risks associated with this change. While the Explanatory Memorandum (EM) to the Bill explores each of the new categories of Immigration and Border Protection information, the policy reasoning behind the change in definitions is not clear.

I would therefore recommend that the Committee consider whether further clarification is required to ensure that there are no unintended impacts on the protections afforded personal information flowing from the change in definition. I would also recommend that the Department undertake a Privacy Impact Assessment (PIA) on this proposed change if one has not been undertaken.[2] Conducting a PIA would assist in identifying any privacy impacts associated with the handling of the relevant personal information due to the change in definition. A PIA would also provide an opportunity to take proactive steps to mitigate any potential impacts.

Schedule 1 – Part 2 – Amendments commencing on the day after Royal Assent

Disclosure to certain bodies and persons

One of the provisions of Schedule 1 Part 2 of the Bill seeks to amend the ABF Act to remove the requirements that a proposed disclosure of Immigration and Border Protection information containing personal information is:

  • of a class of information prescribed in Schedule 3 of the Australian Border Force (Secrecy and Disclosure) Rule 2015 (Cth)(ABF Rule), and
  • made to a body or person prescribed in Schedule 2 Parts 1-10 of the ABF Rule.

The Bill does this by repealing s 44(2)(d).

Currently, for an authorised entrusted person to disclose protected information that is personal information to a body or person, four requirements must be met under s 44(2):

  1. the Secretary must be satisfied that the information will enable or assist that body or person to perform or exercise any of its functions, duties or powers, and
  2. the Secretary must be satisfied that the disclosure of the information to that body or person is necessary for a purpose mentioned in s 46, and
  3. that body or person must have complied with any applicable condition imposed under s 44(6), and
  4. the class of protected information and the body or person must be prescribed in the ABF Rule.

The proposed repeal of s 44(2)(d) would mean that a disclosure of Immigration and Border Protection information would not be controlled by the framework in the ABF Rule that prescribes the classes of information that may be disclosed, and the (Australian and overseas) bodies and persons to whom it may be disclosed. Some bodies and persons are listed in the Rule as being able to receive many (or all) classes of information, while others are restricted to one or only a few classes of information. Without s 44(2)(d), personal information of any class could be disclosed to any body or person, provided the requirements of s 44(2)(a)-(c) are met, some of which are discretionary.

The Explanatory Statement to the ABF Rule noted that a purpose of the Rule was to facilitate the disclosure of sensitive and complex information in appropriately controlled circumstances. The EM to this Bill notes that the repeal of s 44(2)(d) is intended to reduce bureaucratic overlay in the disclosure of personal information by the Department. It is not clear from the EM, however, the extent to which the requirements of s 44(2)(d) are impeding operational efficiency, or whether the Department has considered measures other than removing s 44(2)(d) to achieve this policy objective.

I therefore recommend that the Committee considers whether the potential privacy impacts of this aspect of the Bill are a reasonable, necessary and proportionate response to meeting the specific policy objective of efficiency.

If the Committee is of the view that the repeal of s 44(2)(d) is reasonable, necessary and proportionate, I recommend the implementation of a framework that provides a similar level of assurance about the appropriate disclosure of personal information as the current framework in the ABF Rule. This assurance could, for example, come in the form of added information about the appropriate exercise of powers under s 44(2)(a)-(c) in the EM, or binding guidelines that could require the decision maker to consider the impact on privacy when deciding whether to impose conditions on the disclosure of personal information in accordance with s 44(2)(c).

Disclosure in accordance with agreements

One of the provisions of Schedule 1 Part 2 of the Bill seeks to make amendments to the ABF Act to remove the requirements that a proposed disclosure of Immigration and Border Protection information containing personal information is:

  • of a class of information prescribed in in Schedule 3 of the ABF Rule, and
  • made to a foreign country, agency, authority or organisation prescribed in Schedule 2 Part 10 of the ABF Rule.

The Bill does this by repealing s 45(2)(d).

Many of my comments in the previous section are applicable here. Although the Bill proposes to retain the protections offered in s 45(2)(a)-(c), consideration could be given to whether the potential privacy impacts of this aspect of the Bill are a reasonable, necessary and proportionate response to meeting the specific policy objective of efficiency. If the Committee is of the view that the repeal of s 45(2)(d) is reasonable, necessary and proportionate, as above, I recommend the implementation of a framework that provides a similar level of assurance about the appropriate disclosure of personal information as the current framework in the ABF Rule.

I note that the Bill contains other provisions which seek to make amendments to the ABF Act, such as s 46(na), (nb), and (nc), which propose to add three new permitted purposes for which the disclosure of personal information must be necessary under s 44(2)(b) and s 45(2)(b). The EM to the Bill provides a rationale for these additions, and I am supportive of these measures that aim to guide the disclosure of personal information.

If you wish to discuss any of these matters further, please contact Paula Cheng, Director, Regulation and Strategy, on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Information Commissioner
Australian Privacy Commissioner

31 August 2017

Footnotes

[1] The term ‘personal information’ is defined in section 6 of the Privacy Act 1988 (Cth).

[2] A PIA is a written assessment that may assist in identifying the privacy impacts of the Bill, and provides an opportunity to set out any recommendations for managing, minimising or eliminating those impacts. For further information on undertaking a PIA please see the OAIC’s Guide to undertaking a privacy impact assessment.

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia