Chapter 2

Key issues

2.1        Submissions received by the committee supported the bills' objective of providing Australian law enforcement agencies with centralised access to comprehensive criminal information and intelligence resources. However, some submitters expressed concern about two aspects of the merger bill:

2.2        No issues were raised with the committee in regard to the charges bill. As such, references in this chapter to 'the bill' are to the merger bill, unless otherwise specified.

Privacy impacts of the merger bill

2.3        The submission from the Office of the Australian Information Commissioner (OAIC) raised concerns about the potential privacy implications of the merger bill. CrimTrac's information and activities are currently subject to the Privacy Act, but under Section 7 of the Privacy Act, the ACC is exempt from its obligations, including from compliance with the Australian Privacy Principles (APPs).[1]

2.4        The OAIC pointed out that while the explanatory memorandum to the merger bill acknowledged that the bill engaged the right to privacy, it did not make all of the privacy impacts of the bill explicit. In particular, the explanatory memorandum did not explain that by merging the two agencies, the bill would remove national policing information from the coverage of the Privacy Act.[2] The Acting Information Commissioner suggested that consideration should be given to further explaining in the explanatory memorandum how the provisions in the merger bill were compatible with Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and how its specific privacy impacts would be addressed.[3] 

2.5        The OAIC pointed out that merging CrimTrac into the ACC under the terms of the bill would mean that the Australian Information Commissioner no longer had oversight or enforcement powers in relation to national policing information functions. While a level of supervision would remain in place through other agencies with jurisdiction in relation to the ACC, such as the Commonwealth Ombudsman, the Australian Commission for Law Enforcement Integrity and the Parliamentary Joint Committee on Law Enforcement, the submission advised that the scope of their oversight differed from that provided by the OAIC.[4] Under the Privacy Act the Information Commissioner can:

2.6        Should the merger bill be passed in its current form, these powers would no longer apply in respect of information handled by the merged agency.[5]

2.7        The OAIC acknowledged that it was possible for the ACC to use non-legislative means, such as technical and administrative arrangements, to protect the quality and security of national policing information. However, the OAIC advised that the ACC would not have obligations under APPs 10 and 11 to ensure the quality and security of the personal information, as CrimTrac currently does.[6]

2.8        The OAIC noted that, while individuals may be able to access and correct their personal information by applying to the state or territory agency from which it originated, not all state and territory jurisdictions had privacy or other legislation giving individuals equivalent rights and protections for their personal information to those in the Commonwealth Privacy Act. The ACC would also not be obliged under APPs 12 and 13 to provide access to, or correct, any personal information for which it was the sole holder, as CrimTrac was currently required to do.[7]

2.9        The OAIC added that the Privacy (Persons Reported as Missing) Rule 2014, under the Privacy Act, would no longer apply to personal information currently held by CrimTrac. The Rule acknowledges that a person reported as missing may have exercised their free choice to disassociate themselves from friends and family for legitimate reasons. The ACC would not be subject to the obligation in the Rule to respect any known wishes of persons reported as missing when using or disclosing information about them.[8]

2.10      The OAIC argued that while some measures for the protection of national policing information were included in the bill, including strengthened non-disclosure provisions and mechanisms for oversight by the ACC Board, these would not provide protections equivalent to those contained in the APPs. The Acting Information Commissioner stated that:

It is not apparent to me why it is necessary to remove the information currently held by CrimTrac from the protections, oversight and enforcement arrangements in the Privacy Act...

Given the volume and sensitivity of the information currently held by CrimTrac, I am of the view that there would need to be cogent reasons for exempting that information, and the activities associated with it, from the Privacy Act entirely. I consider that the objectives of the regime could be met, while at the same time retaining the protections and oversight offered by the Privacy Act.[9]

2.11      The Acting Information Commissioner recommended 'that the Committee consider whether the obligations and oversight mechanisms in the Privacy Act could continue to apply to national policing information following CrimTrac's merger with the ACC'.[10]

2.12      The OAIC advised the committee that coverage of the Privacy Act over national policing information could be retained by:

including in the [merger] Bill an amendment to s 7(1) of the Privacy Act (which exempts acts and practices of the ACC from the application of the Privacy Act), providing that ACC acts or practices in relation to the handling of national policing information are not exempt.[11]

2.13      The OAIC stated that it was not uncommon for agencies to be subject to the Privacy Act in relation to the performance of certain functions, or in handling certain information, and exempt in relation to other functions. This situation existed in a number of other agencies including federal courts and tribunals, the Department of Defence, the Attorney-General's Department, and AUSTRAC.[12]

2.14      The department, the ACC and CrimTrac argued in their joint submission that while CrimTrac would no longer be subject to the Privacy Act under the merger, this would not result in a diminution of protection of the personal information currently held by CrimTrac. The submission stated that '[t]he information held by CrimTrac will become subject to the same robust accountability, oversight and information protection mechanisms that protect the sensitive information that the ACC currently handles'.[13]

2.15      The Privacy Impact Assessment (PIA) prepared by the three agencies outlined that one of the key issues states and territories raised during consultation on the merger was that they must retain 'ownership' of the information they provided through CrimTrac's systems, and the integrity of that information must be preserved. For that reason, 'the practices and procedures that underpin CrimTrac's handling of personal information will largely continue to apply within the merged agency'.[14]

2.16      The PIA stated that although national policing information would no longer be subject to the APPs, individuals would be able to access and correct records relevant to them under privacy mechanisms in their state or territory. While personal information may be used for ACC intelligence purposes, the underlying information would not be altered by the merged agency and it would continue to be subject to state and territory privacy regimes, which 'will continue to govern the management, collection, use, disclosure, quality, integrity, access and correction of this information'.[15]

2.17      The PIA pointed out that the ACC was subject to the Freedom of Information Act 1982, which enabled an individual to apply to the ACC to access or correct their personal information. Where appropriate, the merged agency would direct the individual back to the originating police jurisdiction.[16] The PIA conceded that the ACC may refuse access to personal records where FOI exemptions applied.[17]

2.18      Once CrimTrac was merged into the ACC, the information in its holdings would be subject to the information protection mechanisms that currently applied to the ACC under the ACC Act.[18] The PIA argued that the ACC Act contained strict limitations on the dissemination of any information in the ACC's possession, emphasising extant protections in the ACC Act as well as additional protections to be introduced by the bill, including that:

2.19      The PIA argued that with the inclusion of criminal offences for unauthorised disclosure, the protections under the ACC Act 'arguably' provided greater protection to ACC information than that currently afforded to CrimTrac-held information under the Privacy Act.[20]

2.20      Noting that the ACC's conduct can be examined by the Commonwealth Ombudsman, the Integrity Commissioner, and the Parliamentary Joint Committee on Law Enforcement, the PIA argued that '[t]he ACC is already subject to a strict system of oversight and accountability that is specifically designed to ensure that the ACC exercises its powers appropriately while maintaining the appropriate balance between secrecy and accountability'.[21]

2.21      In regard to the possibility of national policing information and functions being carved out of the ACC's Privacy Act exemption, the government expressed the view that it was critical that the entire agency be subject to the same overarching information oversight regime.[22] The PIA stated that cultural and technical barriers had hitherto prevented and obstructed the capacity of ACC and CrimTrac to share important information quickly and easily.[23] The policy aims of the merger were to break down these barriers, and having exemptions on certain types of CrimTrac information could instead perpetuate the cultural issues that prevented CrimTrac from legitimately sharing information with the ACC in a timely manner.[24]

2.22      The PIA stated that:

While these disclosures would always be for law enforcement purposes (and would therefore fit within the APPs), having to demonstrate this each and every time the merged agency shares information between different functions would be time consuming, resource intensive and could prevent the merged agency from accessing the information it needs to provide time-critical intelligence to police. In essence, this approach would maintain the information silos that the merger seeks to break down by perpetuating the existing connectivity and information sharing issues currently faced by the agency and preventing front line officers from having the most up-to-date and comprehensive information and intelligence. Removing these barriers is not expected to have an adverse impact on individual privacy.[25]

2.23      The OAIC did not agree with this rationale, advising that the application of the Privacy Act to national policing information would not prevent the ACC from sharing and using that information internally. Information currently held by CrimTrac is permitted to be shared with the ACC under the exception in APP 6.2(e), which allows the sharing of information for enforcement-related activities. In addition, information once subject to analysis by the ACC would no longer fall under the definition of national policing information.[26]

2.24      The Acting Information Commissioner considered that:

any cultural changes that are required to ensure appropriate sharing of information within the ACC following its merger with CrimTrac would be better addressed and managed through clear policies, training and guidance to staff, rather than diminishing the protections that apply to the personal information that is currently handled by CrimTrac.[27]

2.25      The PIA recommended that the merged agency develop an information handling protocol that addressed the way in which the agency would treat personal information.[28] This would include the collection of personal information; the storage, security and use or disclosure of the information; and access to and correction of it.[29] The PIA also recommended that ACC staff be appropriately trained to ensure they complied with the information handling protocol.[30]

2.26      The PIA stated that the protocol should reflect the standards set out in the APPs and be developed in consultation with the OAIC.[31] The submission stated that the agencies were in the process of developing the information handling protocol in consultation with the OAIC and that the protocol would be published.[32]

Access to information by state crime and corruption commissions

2.27      The Crime and Corruption Commission (CCC) Queensland, the Corruption and Crime Commission of Western Australia (CCC WA) and the Independent Broad-based Anti-corruption Commission Victoria (IBAC) all made submissions to the inquiry raising the issue of their access to national policing information.

2.28      The CCC Queensland noted that for the purpose of sharing information with the ACC, it was not expressly defined as a relevant 'information collecting entity' in the proposed amendments to the definitions in subsection 4(1) of the ACC Act, although it may be so prescribed by regulation. The CCC Queensland considered it 'both necessary and appropriate' upon enactment of the Bills that it be so prescribed, in order to allow intelligence obtained and given by the CCC in the performance of its functions to be managed under the national policing information legislative framework.[33]

2.29      All three commissions raised the matter of enabling disclosure of national policing information to them by the merged agency, under proposed new subsection 59AA(1B) of the ACC Act. Under the amendments proposed in the merger bill, the ACC CEO would not be required to obtain Board approval to disclose national policing information to law enforcement agencies which are expressly referred to in subsection 59AA(1B) or which are prescribed by regulation.[34]

2.30      The CCC WA, CCC Queensland and IBAC all considered, as law enforcement agencies, that it was necessary and appropriate for the purposes of subsection 59AA(1B) for them to be either added to the list of named enforcement agencies, or else expressly prescribed by regulation, to allow the dissemination by the ACC of national policing information without case-by-case board approval.[35] The CCC WA stated that having access to national policing information would allow it to support investigations of serious misconduct and enforcement of the criminal law where reasonably necessary,[36] while IBAC added that prescription under the Act would 'negate the need for it to be subject to an often lengthy review procedure before disclosure of national policing information'.[37]

2.31      The CCC WA and IBAC advised that they had both been seeking access to the CrimTrac database for some time and their applications to become approved external agencies remained pending. Both were concerned about the lengthy approval process, during which their applications had not been accepted or refused.[38]

2.32      They advocated for a transitional provision to be incorporated into the merger bill to ensure the continuation after the merger of access approval processes already undertaken by CrimTrac, to avoid having to repeat or restart the application process.[39]

2.33      The department responded that since national policing information was provided by state and territory police forces, it was appropriate that the ACC Board, on which their representatives held a majority, should have the authority to approve the disclosure of national policing information to other bodies, including the states' crime and corruption commissions. The department advised that the government had not yet formed a view on which agencies may be prescribed by regulation under subsection 59AA(1B), but that existing information-sharing arrangements would be taken into account as part of that process.[40]

Committee view

2.34      The committee welcomes the merger of CrimTrac and the Australian Crime Commission (ACC). While submitters offered various proposals with a view to improving the legislation, all acknowledged the importance of ensuring that Australia is using its national law enforcement information and intelligence capabilities as effectively as possible to support police in protecting the community.

2.35       The committee has considered the matters raised by submitters, including those relating to the impacts on personal privacy. The committee notes the government's advice that while merging CrimTrac into the ACC would result in national policing information no longer being subject to the Privacy Act and Australian Privacy Principles (APP), it would not result in a diminution of protection for the personal information currently held by CrimTrac.

2.36      The committee is cognisant of the advice provided by the Office of the Australian Information Commissioner (OAIC), that elements of privacy protection afforded to personal information held by CrimTrac could be reduced or lost upon the merger. This includes the more robust oversight, enforcement and personal access obligations currently applied to that information under the Privacy Act.

2.37      The committee has noted that the department and relevant agencies intend to develop and publish an information handling protocol in consultation with the OAIC to address in more detail the information handling procedures and protections that would apply, and the assurance provided that the principles in this document would be consistent with the APP.

2.38      The committee believes that the government takes the protection of individuals' privacy seriously, and is convinced that the scheme contemplated by the bill provides for the protection of personal privacy. The committee is persuaded that the Privacy Impact Assessment conducted by the department adequately addresses any privacy concerns. The committee also notes that state and territory privacy mechanisms and Freedom of Information arrangements will augment these protections. 

2.39      On the other key issue raised in submissions, the committee notes the concerns raised by the Queensland, WA and Victorian crime and corruption commissions about their continued interaction with the national policing information legislative regime.

2.40      The committee considers it appropriate that the state and territory police commissioners continue to play a key role in determining which bodies have access to national policing information, which would now occur through the decisions of the ACC Board. The committee notes that the government will consult with board agencies before prescribing any bodies by regulation under subsection 59AA(1B), and that existing arrangements would be taken into account as a part of that process.

2.41      The committee notes the transitional issues raised by CCC WA and IBAC in relation to their pending application processes with CrimTrac, and encourages the ACC Board to ensure that sensible measures are taken to ensure the transition of CrimTrac's work to the ACC in this regard.

2.42      With these matters in mind, and provided that the protection of personal privacy is adequately assured, the committee is of the view that the proposed merger of CrimTrac and the ACC should proceed.

Recommendation 1

2.43             The committee recommends that the bills be passed.

Senator the Hon Ian Macdonald
