Chapter 2
Key issues
2.1
Submissions received by the committee supported the bills' objective of
providing Australian law enforcement agencies with centralised access to
comprehensive criminal information and intelligence resources. However, some
submitters expressed concern about two aspects of the merger bill:
-
the impacts on individual privacy; and
-
access of state crime and corruption commissions to national
policing information.
2.2
No issues were raised with the committee in regard to the charges bill.
As such, references in this chapter to 'the bill' are to the merger bill,
unless otherwise specified.
Privacy impacts of the merger bill
2.3
The submission from the Office of the Australian Information
Commissioner (OAIC) raised concerns about the potential privacy implications of
the merger bill. CrimTrac's information and activities are currently subject to
the Privacy Act, but under Section 7 of the Privacy Act, the ACC is exempt from
its obligations, including from compliance with the Australian Privacy
Principles (APPs).[1]
2.4
The OAIC pointed out that while the explanatory memorandum to the merger
bill acknowledged that the bill engaged the right to privacy, it did not make
all of the privacy impacts of the bill explicit. In particular, the explanatory
memorandum did not explain that by merging the two agencies, the bill would
remove national policing information from the coverage of the Privacy Act.[2]
The Acting Information Commissioner suggested that consideration should be
given to further explaining in the explanatory memorandum how the provisions in
the merger bill were compatible with Article 17 of the International Covenant
on Civil and Political Rights (ICCPR), and how its specific privacy impacts
would be addressed.[3]
2.5
The OAIC pointed out that merging CrimTrac into the ACC under the terms
of the bill would mean that the Australian Information Commissioner no longer
had oversight or enforcement powers in relation to national policing
information functions. While a level of supervision would remain in place
through other agencies with jurisdiction in relation to the ACC, such as the
Commonwealth Ombudsman, the Australian Commission for Law Enforcement Integrity
and the Parliamentary Joint Committee on Law Enforcement, the
submission advised that the scope of their oversight differed from that
provided by the OAIC.[4]
Under the Privacy Act the Information Commissioner can:
-
make court-enforceable determinations;
-
award compensation and other remedies;
-
seek court-enforceable undertakings; and
-
apply for civil penalty orders, where appropriate.
2.6
Should the merger bill be passed in its current form, these powers would
no longer apply in respect of information handled by the merged agency.[5]
2.7
The OAIC acknowledged that it was possible for the ACC to use
non-legislative means, such as technical and administrative arrangements, to
protect the quality and security of national policing information. However, the
OAIC advised that the ACC would not have obligations under APPs 10 and 11 to
ensure the quality and security of the personal information, as CrimTrac
currently does.[6]
2.8
The OAIC noted that, while individuals may be able to access and correct
their personal information by applying to the state or territory agency from
which it originated, not all state and territory jurisdictions had privacy or
other legislation giving individuals equivalent rights and protections for
their personal information to those in the Commonwealth Privacy Act. The ACC
would also not be obliged under APPs 12 and 13 to provide access to, or
correct, any personal information for which it was the sole holder, as CrimTrac
was currently required to do.[7]
2.9
The OAIC added that the Privacy (Persons Reported as Missing) Rule
2014, under the Privacy Act, would no longer apply to personal information
currently held by CrimTrac. The Rule acknowledges that a person reported as
missing may have exercised their free choice to disassociate themselves from
friends and family for legitimate reasons. The ACC would not be subject to the
obligation in the Rule to respect any known wishes of persons reported as
missing when using or disclosing information about them.[8]
2.10
The OAIC argued that while some measures for the protection of national
policing information were included in the bill, including strengthened non-disclosure
provisions and mechanisms for oversight by the ACC Board, these would not
provide protections equivalent to those contained in the APPs. The Acting Information
Commissioner stated that:
It is not apparent to me why it is necessary to remove the
information currently held by CrimTrac from the protections, oversight and
enforcement arrangements in the Privacy Act...
Given the volume and sensitivity of the information currently
held by CrimTrac, I am of the view that there would need to be cogent reasons
for exempting that information, and the activities associated with it, from the
Privacy Act entirely. I consider that the objectives of the regime could be
met, while at the same time retaining the protections and oversight offered by
the Privacy Act.[9]
2.11
The Acting Information Commissioner recommended 'that the Committee
consider whether the obligations and oversight mechanisms in the Privacy Act could
continue to apply to national policing information following CrimTrac's merger
with the ACC'.[10]
2.12
The OAIC advised the committee that coverage of the Privacy Act over
national policing information could be retained by:
including in the [merger] Bill an amendment to s 7(1) of the
Privacy Act (which exempts acts and practices of the ACC from the application
of the Privacy Act), providing that ACC acts or practices in relation to the
handling of national policing information are not exempt.[11]
2.13
The OAIC stated that it was not uncommon for agencies to be subject to
the Privacy Act in relation to the performance of certain functions, or in
handling certain information, and exempt from other functions. This situation
existed in a number of other agencies including federal courts and tribunals, the
Department of Defence, the Attorney-General's Department, and AUSTRAC.[12]
2.14
The department, the ACC and CrimTrac argued in their joint submission
that while CrimTrac would no longer be subject to the Privacy Act under the
merger, this would not result in a diminution of protection of the personal
information currently held by CrimTrac. The submission stated that '[t]he
information held by CrimTrac will become subject to the same robust
accountability, oversight and information protection mechanisms that protect
the sensitive information that the ACC currently handles'.[13]
2.15
The Privacy Impact Assessment (PIA) prepared by the three agencies
outlined that one of the key issues state and territories raised during
consultation on the merger was that they must retain 'ownership' of the
information they provided through CrimTrac's systems, and the integrity of that
information must be preserved. For that reason, 'the practices
and procedures that underpin CrimTrac's handling of personal information will
largely continue to apply within the merged agency'.[14]
2.16
The PIA stated that although national policing information would no
longer be subject to the APPs, individuals would be able to access and correct
records relevant to them under privacy mechanisms in their state or territory. While
personal information may be used for ACC intelligence purposes, the underlying
information would not be altered by the merged agency and it would continue to
be subject to state and territory privacy regimes, which 'will continue to
govern the management, collection, use, disclosure, quality, integrity, access
and correction of this information'.[15]
2.17
The PIA pointed out that the ACC was subject to the Freedom of
Information Act 1982, which enabled an individual to apply to the ACC to
access or correct their personal information. Where appropriate, the merged
agency would direct the individual back to the originating police jurisdiction.[16]
The PIA conceded that the ACC may refuse access to personal records where FOI
exemptions applied.[17]
2.18
Once CrimTrac was merged into the ACC, the information in its holdings
would be subject to the information protection mechanisms that currently
applied to the ACC under the ACC Act.[18]
The PIA argued that the ACC Act contained strict limitations on the
dissemination of any information in the ACC's possession, emphasising extant
protections in the ACC Act as well as additional protections to be introduced
by the bill, including that:
-
the ACC Chief Executive Officer (CEO) can only disclose
information to other government agencies if they consider it appropriate to do
so and disclosure is not contrary to a Commonwealth, state or territory law;
-
the ACC can only disclose information to bodies corporate that
have been prescribed by the regulations, and that undertake in writing not to
disclose information except for the purpose it was shared; and
-
the ACC Board would need to approve disclosure to a body that is
not an agency represented on the Board.[19]
2.19
The PIA argued that with the inclusion of criminal offences for
unauthorised disclosure, the protections under the ACC Act 'arguably' provided
greater protection to ACC information than that currently afforded to
CrimTrac-held information under the Privacy Act.[20]
2.20
Noting that the ACC's conduct can be examined by the Commonwealth
Ombudsman, the Integrity Commissioner, and the Parliamentary Joint Committee onLaw Enforcement, the PIA argued that '[t]he ACC is already
subject to a strict system of oversight and accountability that is specifically
designed to ensure that the ACC exercises its powers appropriately while
maintaining the appropriate balance between secrecy and accountability'.[21]
2.21
In regard to the possibility of national policing information and
functions being carved out of the ACC's Privacy Act exemption, the government
expressed the view that it was critical that the entire agency be subject to
the same overarching information oversight regime.[22]
The PIA stated that cultural and technical barriers had hitherto prevented and
obstructed the capacity of ACC and CrimTrac to share important information
quickly and easily.[23]
The policy aims of the merger were to break down these barriers, and having
exemptions on certain types of CrimTrac information could instead perpetuate
the cultural issues that prevented CrimTrac from legitimately sharing
information with the ACC in a timely manner.[24]
2.22
The PIA stated that:
While these disclosures would always be for law enforcement
purposes (and would therefore fit within the APPs), having to demonstrate this
each and every time the merged agency shares information between different
functions would be time consuming, resource intensive and could prevent the merged
agency from accessing the information it needs to provide time-critical
intelligence to police. In essence, this approach would maintain the
information silos that the merger seeks to break down by perpetuating the
existing connectivity and information sharing issues currently faced by the
agency and preventing front line officers from having the most up-to-date and
comprehensive information and intelligence. Removing these barriers is not
expected to have an adverse impact on individual privacy.[25]
2.23
The OAIC did not agree with this rationale, advising that the
application of the Privacy Act to national policing information would not
prevent the ACC from sharing and using that information internally. Information
currently held by CrimTrac is permitted to be shared with the ACC under the
exception in APP 6.2(e), which allows the sharing of information for
enforcement-related activities. In addition, information once subject to
analysis by the ACC would no longer fall under the definition of national
policing information.[26]
2.24
The Acting Information Commissioner considered that:
any cultural changes that are required to ensure appropriate
sharing of information within the ACC following its merger with CrimTrac would
be better addressed and managed through clear policies, training and guidance
to staff, rather than diminishing the protections that apply to the personal
information that is currently handled by CrimTrac.[27]
2.25
The PIA recommended that the merged agency develop an information
handling protocol that addressed the way in which the agency would treat
personal information.[28]
This would include the collection of personal information; the storage,
security and use or disclosure of the information; and access to and correction
of it.[29]
The PIA also recommended that ACC staff be appropriately trained to ensure they
complied with the information handling protocol.[30]
2.26
The PIA stated that the protocol should reflect the standards set out in
the APPs and be developed in consultation with the OAIC.[31]
The submission stated that the agencies were in the process of developing the
information handling protocol in consultation with the OAIC and that the
protocol would be published.[32]
Access to information by state crime and corruption commissions
2.27
The Crime and Corruption Commission (CCC) Queensland, the Corruption and
Crime Commission of Western Australia (CCC WA) and the Independent Broad-based
Anti-corruption Commission Victoria (IBAC) all made submissions to the inquiry
raising the issue of their access to national policing information.
2.28
The CCC Queensland noted that for the purpose of sharing information
with the ACC, it was not expressly defined as a relevant 'information
collecting entity' in the proposed amendments to the definitions in subsection
4(1) of the ACC Act, although it may be so prescribed by regulation. The CCC Queensland
considered it 'both necessary and appropriate' upon enactment of the Bills that
it be so prescribed, in order to allow intelligence obtained and given by the
CCC in the performance of its functions to be managed under the national
policing information legislative framework.[33]
2.29
All three commissions raised the matter of enabling disclosure of
national policing information to them by the merged agency, under proposed new
subsection 59AA(1B) of the ACC Act. Under the amendments proposed in the merger
bill, the ACC CEO would not be required to obtain Board approval to disclose
national policing information to law enforcement agencies which are expressly
referred to in subsection 59AA(1B) or which are prescribed by regulation.[34]
2.30
The CCC WA, CCC Queensland and IBAC all considered, as law enforcement
agencies, that it was necessary and appropriate for the purposes of subsection
59AA(1B) for them to be either added to the list of named enforcement agencies,
or else expressly prescribed by regulation, to allow the dissemination by the
ACC of national policing information without case-by-case board approval.[35]
The CCC WA stated that having access to national policing information would
allow it to support investigations of serious misconduct and enforcement of the
criminal law where reasonably necessary,[36]
while IBAC added that prescription under the Act would 'negate the need for it
to be subject to an often lengthy review procedure before disclosure of
national policing information'.[37]
2.31
The CCC WA and IBAC advised that they had both been seeking access to
the CrimTrac database for some time and their applications to become approved
external agencies remained pending. Both were concerned about the lengthy
approval process, during which their applications had not been accepted or
refused.[38]
2.32
They advocated for a transitional provision to be incorporated into the
merger bill to ensure the continuation after the merger of access approval
processes already undertaken by CrimTrac, to avoid having to repeat or restart
the application process.[39]
2.33
The department responded that since national policing information was
provided by state and territory police forces, it was appropriate that the ACC
Board, on which their representatives held a majority, should have the
authority to approve the disclosure of national policing information to other
bodies, including the states' crime and corruption commissions. The department
advised that the government had not yet formed a view on which agencies may be
prescribed by regulation under subsection 59AA(1B), but that existing
information-sharing arrangements would be taken into account as part of that
process.[40]
Committee view
2.34
The committee welcomes the merger of CrimTrac and the Australian Crime Commission
(ACC). While submitters offered various proposals with a view to improving the
legislation, all acknowledged the importance of ensuring that Australia is
using its national law enforcement information and intelligence capabilities as
effectively as possible to support police in protecting the community.
2.35
The committee has considered the matters raised by submitters,
including those relating to the impacts on personal privacy. The committee
notes the government's advice that while merging CrimTrac into the ACC would
result in national policing information no longer being subject to the Privacy
Act and Australian Privacy Principles (APP), it would not result in a
diminution of protection for the personal information currently held by
CrimTrac.
2.36
The committee is cognisant of the advice provided by the Office of the
Australian Information Commissioner (OAIC), that elements of privacy protection
afforded to personal information held by CrimTrac could be reduced or lost upon
the merger. This includes the more robust oversight, enforcement and personal
access obligations currently applied to that information under the Privacy Act.
2.37
The committee has noted that the department and relevant agencies intend
to develop and publish an information handling protocol in consultation with
the OAIC to address in more detail the information handling procedures and
protections that would apply, and the assurance provided that the principles in
this document would be consistent with the APP.
2.38
The committee believes that the government takes the protection of
individuals' privacy seriously, and is convinced that the scheme contemplated by
the bill provides for the protection of personal privacy. The committee is persuaded
that the Privacy Impact Assessment conducted by the department adequately addresses
any privacy concerns. The committee also notes that state and territory privacy
mechanisms and Freedom of Information arrangements will augment these protections.
2.39
On the other key issue raised in submissions, the committee notes the
concerns raised by the Queensland, WA and Victorian crime and corruption
commissions about their continued interaction with the national policing
information legislative regime.
2.40
The committee considers it appropriate that the state and territory
police commissioners continue to play a key role in determining which bodies
have access to national policing information, which would now occur through the
decisions of the ACC Board. The committee notes that the government will
consult with board agencies before prescribing any bodies by regulation under
subsection 59AA(1B), and that existing arrangements would be taken into account
as a part of that process.
2.41
The committee notes the transitional issues raised by CCC WA and IBAC in
relation to their pending application processes with CrimTrac, and encourages
the ACC Board to ensure that sensible measures are taken to ensure the
transition of CrimTrac's work to the ACC in this regard.
2.42
With these matters in mind, and provided that the protection of personal
privacy is adequately assured, the committee is of the view that the proposed
merger of CrimTrac and the ACC should proceed.
Recommendation 1
2.43
The committee recommends that the bills be passed.
Senator the Hon Ian
Macdonald
Chair
Navigation: Previous Page | Contents | Next Page