Chapter 3 - Key issues

3.1 The majority of submissions and witnesses expressed in-principle support for the Bill and its objectives, insofar as the Bill establishes a centralised and uniform regime for background checking for the ASIC and MSIC schemes.[1] However, submissions and witnesses raised a number of concerns with respect to the Bill, including:

the breadth of the Bill's regulation-making power;
privacy issues relating to personal information collected, used, disclosed and stored by AusCheck;
the Bill's lack of transparency, natural justice and independent review mechanisms; and
practical issues relating to implementation of the Bill.

3.2 This chapter examines the main issues and concerns raised in the course of the committee's inquiry.

Breadth of regulation-making power

3.3 Many submissions and witnesses expressed concern about the broad drafting of the Bill, particularly subclause 5(d) and paragraph 8(1)(c) which allow for future expansion of the AusCheck scheme by regulation.[2]

Increasing tendency to expand primary legislation by regulation

3.4 The Australian & International Pilots Association (AIPA) articulated its concern about the 'increasingly apparent trend of utilising regulation making powers to extend the scope and purpose of legislation'. In the context of the Bill, the AIPA expressed the view that 'it is fundamentally inappropriate for the scope of legislation to be expanded in this manner, particularly in relation to an area as sensitive as background security checking'.[3]

3.5 In its submission, the Australian Council of Trade Unions (ACTU) expressed its general dissatisfaction at the 'apparent growth in the general use of regulation making powers as a mechanism to extend the operation of Acts of Parliament'[4] and noted that the Bill 'continues th[is] growing trend'.[5] The ACTU submitted further that:

The purpose of regulations should be to give effect to the substantive legislation. To enable the scope of the legislation to be extended through regulation is not, in our view, an appropriate use of the regulation making powers.

Whilst it may be argued that regulations made pursuant to legislation are subject to scrutiny, that process is a different process to the level and detail of scrutiny of a Bill before the parliament. It is our view that a Bill before the parliament provides greater opportunities for the public to forensically examine, dissect and publicly debate the contents of a Bill.[6]

Setting parameters in regulations

3.6 Many submissions and witnesses commented on the Bill's lack of detail with respect to the information which can be sought as part of a background check (subclause 5(d)) and the purposes for which a background check may be conducted (paragraph 8(1)(c) and clause 10).

3.7 For example, the NSW Council for Civil Liberties argued that, given the sensitive nature of the information that is being handled by the AusCheck scheme, paragraph 8(1)(c) is too broad and that it is inappropriate that the purposes of the scheme can be extended simply by regulation.[7]

3.8 The Law Council of Australia (Law Council) also argued that 'too much important detail about the scheme has been deferred to the regulations'.[8] At the public hearing, Ms Helen Donovan from the Law Council expanded on this argument:

We appreciate that the bill is intended to be enabling legislation which provides a framework only for the operation of AusCheck, but, to the extent that the notion of a framework implies at least the setting of some parameters, the Law Council believes the bill is less of a framework and more of a jumping-off point. We expect that the bill would at least set some limits on the purposes for which a background check may be required and conducted and the type of information which may be gathered as part of such a check. However, in both these respects, the bill sets no substantive limits.[9]

3.9 Ms Donovan continued in this vein:

The more general assurance that has been offered in response to criticisms about the rudimentary nature of the bill, and the correspondingly broad regulation-making power it provides for, is essentially that the relevant details will be contained in other legislation—that is, in the legislation which establishes the background-checking schemes which will simply be administered by AusCheck. However, the bill does not limit AusCheck to administering schemes provided for under other legislation. Clauses 5, 8 and 10 read together clearly envisage that a wide range of background-checking schemes might be devised and implemented by way of AusCheck regulations alone—that is, without the authorisation of any other primary legislation. Given the sensitive nature and function of background checks, which can both be intrusive and adversely impact on people's livelihoods, the Law Council believes this is highly undesirable. Parliament should retain closer control over determining the purposes for which background checks are necessary.[10]

3.10 The Office of the Privacy Commissioner (OPC) agreed, noting the particularly broad scope of the phrase 'other purposes' (for which the AusCheck scheme may be used) in paragraph 8(1)(c):

[OPC] acknowledges that the current Bill seeks to regulate the purposes for which it will undertake background checks by requiring them to either be enacted in other primary legislation or through regulations under this Bill. However, [OPC] believes that in the interests of maximum public confidence and legislative transparency potential future purposes of the AusCheck scheme should be able to be undertaken only after primary legislation has been enacted, either through amendments to the AusCheck legislation or through other new or amended primary legislation.[11]

3.11 At the hearing, Mr Andrew Solomon from the OPC acknowledged that the Bill puts in place some degree of legislative oversight; however, he noted that 'an ideal privacy outcome' would be for each of the purposes for which AusCheck will undertake background checks to be enacted in primary legislation.[12]

3.12 The Law Council also pointed to the breadth of clause 10 of the Bill, arguing that it goes further than paragraph 8(1)(c) by allowing for AusCheck regulations to be promulgated which, in themselves, create new screening regimes independent of any other legislation:

The Law Council believes that the Executive should not be given such broad regulation making power, particular in this sensitive area. The Bill should only enable AusCheck to administer background checking regimes already authorised by Parliament in the context of other legislative schemes. This is what has occurred with the ASIC and MSIC schemes.

The Bill should not allow for the creation of new background checking regimes which, except for the broad, unfettered regulation making power granted under the Bill, have not received parliamentary authorisation.[13]

3.13 With respect to clause 10, the Australian Privacy Foundation (APF) expressed an analogous view:

...it is not appropriate to locate the requirement for a check in legislation which should be about the establishment and operation of the checking 'infrastructure'. The requirements for a check should be in other specific legislation dealing with particular jobs or roles, such as those in the maritime and aviation industries. It is appropriate for the AusCheck scheme to keep a central register of the purposes for which checks are required, but it should not itself be the source of the authority for checks.[14]

3.14 Some submissions and witnesses argued that subclause 5(d) and paragrapah 8(1)(c) should be removed from the Bill in their entirety.[15]

3.15 The Law Council suggested that paragraph 8(1)(c) of the Bill should, at the very least, be amended to confine AusCheck to conducting and coordinating background checking for the purposes of other Commonwealth Acts which directly authorise the screening of persons for a specified reason.[16] In the Law Council's view, such an amendment would ensure that:

Parliament retains greater control over when and why Australians might be subjected to background checks; and
the AusCheck scheme, which is being established to facilitate the centralised performance of an administrative function, is not used to implement policies which are not otherwise supported by legislative authorisation.[17]

Department response

3.16 The Department advised the committee that it is intended that AusCheck regulations will authorise AusCheck to provide services for each new class of background check under any future screening programs. The Department explained the reason why expansion of AusCheck's services by way of regulation was the preferred approach:

The alternatives would be either a Bill giving AusCheck very broad powers capable of catering to every possible future background checking purpose or a Bill that restricts AusCheck to coordinating only the existing ASIC and MSIC schemes. The present Bill offers flexibility to take on new background checking services for government but will allow Parliamentary scrutiny of regulations authorising new areas of AusCheck activity.[18]

3.17 At the public hearing, a representative from the Department provided the following justification for the broad drafting of the Bill:

When government directed that AusCheck be established, it was in the context of a direction that a scheme be established to centralise the aviation and maritime schemes but also that the Commonwealth was conscious that a significant amount of background checking occurred within the Commonwealth and there might be opportunities to minimise duplication and improve efficiencies by creating a framework within AusCheck that could subsequently, after the aviation and maritime schemes had been settled, move on and look at other opportunities for background checking that was occurring within the Commonwealth. So the bill really reflects that direction from government to create a vehicle for centralising background checking and the coordination of background checking for aviation and maritime identification cards but also with the ability to at a later point expand into increasing efficiencies and minimising duplication in other areas of background checking in which the Commonwealth is involved.[19]

3.18 The representative informed the committee that 'there are no specific plans' in relation to the expanded use of AusCheck but that the Australian Government is involved in a range of background checking schemes beyond those established for the aviation and maritime sectors:

There is a scheme that was established in January in relation to people working with persons in aged-care facilities. The Commonwealth is also involved in background checking in the exercise of its executive power in relation to security clearances of employees. Also its employees are actually subject to a range of background checking regimes in that they interact with state and territory functions, so its employees are involved in obtaining checks for working with children in the range of background checking schemes that are conducted by various states on that issue.

The Commonwealth was also involved in the establishment of the ammonium nitrate background-checking regime. That was done under state and territory legislation but the Commonwealth was involved in its establishment. So there are a variety of areas in which the Commonwealth is involved, in different ways, and, whilst AusCheck was directed initially to look at the aviation and maritime schemes, it was very much with a view to providing a vehicle to later look at other opportunities when those activities are settled.[20]

3.19 The representative acknowledged that the provisions of the Bill are so broad that they would allow the Australian Government to expand the AusCheck scheme, by way of regulation, to include any activities which are within a Commonwealth head of constitutional power and which are listed in subclause 8(2). This could, at least theoretically, cover any background checking programs relating to the provision of services, pensions or allowance through Medicare or Centrelink, or indeed government initiatives such as the Access Card proposal (to the extent that these initiatives might involve background checking).[21]

3.20 While the representative stated that there were currently no plans to expand the AusCheck scheme to background checks beyond the aviation and maritime sectors, she explained that establishing background checking schemes by way of regulation is the Australian Government's standard practice:

It is...important to understand that the background checking that the Commonwealth is currently involved in is also established by way of regulation and through a variety of other means...[T]his method of establishing background-checking schemes is already the current precedent within the Commonwealth.[22]

3.21 The representative explained that the context and the framework of the ASIC and MSIC background checking schemes are established under current regulations. Therefore, if the components or criteria of those schemes are changed in the future, any involvement of AusCheck in those schemes would need to be supported by amendment to the definition of 'background check' in clause 5.[23] This would also apply to any subsequent background checking schemes:

We can amend the definition and that definition of course relates to AusCheck's involvement in a scheme. If AusCheck were to be involved in a background checking scheme, however that was constituted, then we would want the definition to be amended of what a background check included in [subclause 5(d)].[24]

3.22 However, the representative did not agree with the suggestion that subclause 5(d) is a 'Henry VII clause' that would allow a definition in the primary legislation to be amended through regulation:

I do not think that it is a Henry VIII clause. What it purports to do is provide a menu of components of a background check for which AusCheck can assist in providing a service. If, for example, DOTARS were to add an additional element to their background checking scheme for ASICs and MSICs, we would expect that to be fully reflected in either DOTARS legislation or regulations. But this provision would merely allow AusCheck to be involved in coordination of that scheme.

...

...this is actually intended to be something that would sanction AusCheck's involvement in a scheme established elsewhere. So, to that extent, it is not a Henry VIII clause.[25]

3.23 In an answer to a question on notice, the Department advised that '(i)t is not possible to more precisely define [the types of information that may be gathered and assessed as part of a background check under the AusCheck scheme] without sacrificing AusCheck's flexibility and its ability to become involved in other areas where the Australian Government is involved in background checking'.[26]

3.24 The Department also pointed out that not all of the background checking in which the Australian Government is involved is established under Commonwealth legislation:

For example, the background checking conducted for the purposes of security clearances is conducted under the executive power of the Commonwealth and schemes in relation to ammonium nitrate are established under state and territory legislation. The structure of AusCheck makes it appropriate that any involvement in other background checking schemes is established by regulation. As a result, clause 10 of the Bill provides that AusCheck may establish a statutory scheme for background checking for the purposes of its involvement in such a scheme.[27]

3.25 The Department also responded directly to the suggestion from the Law Council that the Bill be narrowed to confine AusCheck to conducting and coordinating background checking for the purposes of other Commonwealth Acts which directly authorise the screening of persons for a specified reason:

Background checking schemes in which the Commonwealth is involved are frequently established by regulation, legislative instrument or non-legislative power rather than primary legislation. An amendment to confine AusCheck to conducting and coordinating background checks for the purposes of other Commonwealth Acts which directly authorise the screening of persons for a specified reason, would prevent AusCheck from becoming involved in a number of areas in which the Australian Government is involved in background checking.[28]

3.26 The departmental representative emphasised that any expansion of the AusCheck scheme by regulation would be subject to scrutiny prior to implementation, despite such scrutiny not being expressly allowed for in the Bill itself:

We obviously would have to be satisfied that it was a process that could be conducted under the AusCheck Bill. Certainly, in the way that the AttorneyGeneral's Department scrutinises all processes involving rights, we would obviously look at that process as well. We would also expect that any significant changes to any regulatory scheme in which we were involved or any new AusCheck scheme would be submitted to a privacy impact assessment process where all of those issues would be fully considered. Certainly it is intended that we have a privacy impact assessment to fully canvass all of those issues in any new scheme in which AusCheck is involved.

...

That is the normal Attorney-General's Department practice and it is what we are observing in relation to this bill and what we intend to observe in relation to any future AusCheck scheme.[29]

3.27 In an answer to a question on notice, the Department stated that the Bill would 'in fact increase the transparency and the opportunity for scrutiny of Australian Government involvement in background checking' since 'all AusCheck involvement in background checking will be traceable to regulations under the AusCheck Act, rather than in a range of regulations, statutory instruments and other non-legislative sources'.[30] The Department also noted that regulations are subject to parliamentary scrutiny as they are disallowable instruments in the Senate and are scrutinised by the Senate Standing Committee on Regulations and Ordinances.[31]

3.28 The departmental representative also advised the committee that the Department will consult with industry stakeholders on the content of the AusCheck regulations:

We will certainly be consulting fully with our stakeholders on the development of those regulations. The content of these schemes is already fully set out under the DOTARS regulations, under the aviation and maritime acts. Our regulations will merely set out the application information and also how we relate to the individual applicant in our component of the process. So the full details of the scheme will still remain under the maritime and aviation transport security legislation regulations.[32]

Privacy issues

3.29 Several submissions and witnesses raised concerns that the Bill's provisions dealing with: the collection of information; information to be assessed; retention of information; and use and disclosure of personal information, are too broad and likely to impact adversely on an individual's right to privacy.

3.30 In a generic sense, the Australian Privacy Foundation (APF) expressed the view that the Bill is 'fundamentally flawed' because:

...it authorises the establishment of a background checking infrastructure with very few limits on what information can be held in the database; the purposes for which it can be used or the range of bodies to be covered by the scheme and given access to the database. It is a wholly disproportionate general response to a series of specific needs, and offends against a number of information privacy principles.[33]

Collection of information

3.31 The OPC expressed concern about clause 13 of the Bill which authorises the collection, use and disclosure of information. The OPC stated that subclause 13(a) 'may result over time in a broadening of the scope of information that AusCheck may collect' since it authorises the collection of information for 'the purposes of, or for purposes relating to [AusCheck's function]'.[34] Mr Solomon from the OPC told the committee that:

...section 13 could be aligned more appropriately with the information privacy principles in the Privacy Act if the collection of information was directly related to AusCheck's purposes. If there is a specific reason for the current wording which requires the information to be only related rather than directly related perhaps the section could be modified to specify that reason.[35]

Information to be assessed

3.32 The OPC noted that the definition of 'background check' in subclause 5(d) allows, through regulations, an open-ended expansion of the information that may be assessed without reference to any specific criteria. To overcome this and to assist AusCheck in clearly identifying the relevant information required to be collected and assessed during background checks, the OPC suggested that:

The scope of the regulations that may expand the types of information that can be assessed in a background check could benefit from being referenced to the risk associated with particular employment situations or other reasons the background check is being undertaken.[36]

3.33 This might be achieved by including more definitive parameters in subclause 5(d), along the lines of 'such other matters as are relevant, necessary and proportionate to a particular purpose of a background check as prescribed by the regulations'.[37]

3.34 Ms Donovan from the Law Council concurred with this view:

[Clause 5] does not limit the definition of a background check and therefore allows for other matters in addition to the first three listed to be inquired into as part of a background check. The Law Council is concerned that the type of information that would allow to be gathered is too broad. The Law Council believes that the more information that is gathered about a person the more likely the risk that that information will be improperly used for a discriminatory purpose or a purpose which does not legitimately relate to the scheme itself.[38]

3.35 The APF submitted that it is 'completely unacceptable' that there are no limits on what personal information might be assessed pursuant to the AusCheck scheme.[39]

Retention of information

3.36 The APF argued that the Bill should specify retention periods or, at least, specify criteria for disposal of personal information in the AusCheck database.[40]

3.37 Similarly, Liberty Victoria argued that the Bill should provide for the deletion of data from the AusCheck database after a fixed period (for example, five years after the making of a background check).[41]

3.38 The OPC suggested that consideration be given to an additional clause to require AusCheck to delete information that is not relevant to the background check for which it is being collected, used or disclosed (noting that this would be in addition to any requirements under spent convictions schemes and the Privacy Act). However, Mr Solomon acknowledged that this may be difficult in a practical sense:

Our understanding is that some of the criminal history checks that are now undertaken...are unfettered—and that not all of that information may be relevant to the particular background check that is being undertaken. So our general position would be that that which is not relevant could be deleted; it would not need to be kept. I am not suggesting that operationally that is going to be an easy process.[42]

3.39 The OPC informed the committee that, while it is not aware of any legislative schemes that provide guidance regarding the removal of information that is not relevant to background checks, the OPC's Guidelines to the Information Privacy Principles provide guidance regarding the handling of personal information. The OPC expressed the view that AusCheck 'would benefit from observing these Guidelines in the development of their operational procedures to ensure that the personal information they collect is handled appropriately and in line with their obligations' under the Privacy Act.[43]

3.40 Liberty Victoria and the Law Council submitted that the Bill should allow a person the subject of a background check to have access to data collected for that check, to have the ability to challenge its accuracy, and to apply for deletion of data on the grounds that it is inaccurate.[44]

Department response

3.41 A departmental representative told the committee that AusCheck will be required to comply with the Privacy Act at all times:

...in terms of access to personal information, a person in relation to whom AusCheck has stored personal information will have all of the rights under the Privacy Act to access and correct information held in that way...The [Bill] actually seeks to clarify and expand and further explain the way the [Bill] applies by specifying the uses for which we propose to collect and disclose information. But certainly we are covered by the Privacy Act and the IPP regime.[45]

3.42 The Department also advised that information on the AusCheck database will be kept and disposed of in accordance with the Department's Records Disposal Authority which has been approved by the National Archives of Australia. Once AusCheck is operational, 'the Department will undertake an assessment of its business process, areas of risk and the records required to be created and kept by AusCheck to determine the retention requirements for all AusCheck's records'.[46]

Use and disclosure of information

3.43 Many submissions and witnesses expressed concern that subparagraphs 14(2)(b)(ii) and (iii) of the Bill allow increased opportunities for data matching and data sharing of personal information. These clauses enable information collected and stored by AusCheck to be used for a number of broad purposes, including the collection, correlation, analysis or dissemination of criminal intelligence or security intelligence.

3.44 In particular, submissions and witnesses pointed to the undefined terms 'criminal intelligence' and 'security intelligence' which may allow for the provision of information to a wide range of both national and international bodies for these broad purposes.[47]

3.45 The APF submitted that subparagraph 14(2)(b)(iii) will 'result in a much broader exception than the 'law enforcement' exceptions' to Information Privacy Principles 10 and 11 in the Privacy Act, 'which implement the fundamental privacy principle that information should only be used or disclosed for the purpose for which it is collected'.[48]

3.46 The APF also argued that 'it is completely unacceptable for the AusCheck database to be available as a general intelligence resource for an unspecified range of agencies for...undefined purposes'.[49]

3.47 The Law Council also expressed concern about the potential provision of information to a wide range of agencies under clause 14.[50] In this context, the committee also notes evidence received from Victoria Police and South Australia Police suggesting that access to information held in the AusCheck database would be beneficial for a wide range of their investigations, including investigations extending beyond the aviation and maritime industries.[51]

3.48 At the hearing, Ms Donovan from the Law Council queried the necessity of such a provision in the Bill:

...the submission from the Attorney-General's Department states that Australian law enforcement and national security agencies have their own information-gathering powers and could get more up-to-date information from their own databases. I think this is supposed to act as an assurance, but it raises the question of why this broad disclosure provision is even included in the bill if the Attorney-General's Department thinks it is unnecessary. More to the point, as the Office of the Privacy Commissioner has appropriately pointed out, doesn’t this broad authorisation to store and use personal information for criminal and security intelligence purposes go significantly beyond the stated object of the bill?[52]

3.49 Mr Solomon from the OPC suggested that some additional information in clause 14 about the agencies or organisations, or the types of agencies or organisations to which information could be disclosed would be of assistance.[53]

3.50 The Law Council further observed that the Bill does not require AusCheck to provide any advance notice to a person who applies for a background check about the uses which may be made of the information obtained by AusCheck.[54]

3.51 The Law Council of Australia also noted that, while the Bill creates an offence for AusCheck staff who disclose information for an unlawful purpose, once information is lawfully disclosed to another agency, the Bill does not impose any limitations on how that agency may then use or disclose the information.[55]

3.52 The Australian Rail, Tram and Bus Industry Union expressed concern that the Bill allows the performance of background checks by contractors which 'increases the risk of a breakdown in the security arrangements and, inadvertently or otherwise, the leak of private information into the public domain'.[56]

Department response

3.53 A representative from the Department informed the committee that clause 14 of the Bill would allow AusCheck to disclose information contained in its database to the AFP and the Australian Crime Commission:

I think the obvious persons that the bill was drafted around, having their needs in mind and the direction from government in mind, would be the AFP and the Australian Crime Commission.[57]

3.54 The representative explained that the AFP would have access to the database in accordance with paragraph 14(2)(b) of the Bill, in addition to its rights under Information Privacy Principles 10 and 11 which relate to its functions as a law enforcement agency.[58]

3.55 According to the representative, ASIO would not need to rely on any powers under the Bill; instead it would use its own powers under the Australian Security Intelligence Organisation Act 1979.[59] In its submission, the Department also pointed out that Australia's law enforcement and national security agencies 'could more quickly acquire up-to-date personal information about specific individuals by accessing their own databases and databases specifically constructed for law enforcement purposes'.[60]

3.56 The Department advised further that:

...individually listing every law enforcement and national security organisation in Australia in the text of the Bill would cause difficulties whenever a new organisation is created or an existing organisation changes its name and administrative structure. With each occasion of this type, the AusCheck Act would need to be amended to provide for the newly created organisation.[61]

3.57 With respect to the undefined terms 'criminal intelligence' and 'security intelligence' in subparagraph 14(2)(b)(iii), the representative stated that the meaning of these terms is the 'ordinary English meaning of the words'.[62] In an answer to a question on notice, the Department noted further that there are 'many instances' where the terms 'criminal intelligence' and 'security intelligence' are used but not defined in Australian legislation.[63]

3.58 The departmental representative also explained that AusCheck is still in the process of establishing its procedures in relation to access to its database:

We are still in the process of establishing the procedures in relation to access to our database. One of the options would be to create guidelines which would have the content of what was required before access could be achieved. That is something that we are still considering, but certainly the sorts of things that we would consider would be the sort of detail that would be required. We will take expert advice on that from those involved in criminal intelligence in order to assist us in that process.[64]

3.59 In response to the Law Council's concern that there are no limitations on how third party agencies may use or disclose information from the AusCheck database, the Department advised that law enforcement and national security agencies 'either have their own legislative sanctions for inappropriate conduct and the misuse of information or have strict internal guidelines for the secure use and disclosure of information'.[65]

3.60 In relation to access to the database by ASIC and MSIC issuing bodies, the representative advised that only issuing bodies who make applications to AusCheck for background checks will have access to information provided on the relevant application form:

Any issuing body that lodges an application to us will be able to access that application information. So the individual issuing body that provides the information will be able to access that information. All issuing bodies will be able to use our card verification facility whereby they can determine whether a card presented to them is a validly issued card from the AusCheck database. That search will only reveal to them the information on the face of the card. They will not be able to look behind and receive any of the background information or proof of identity or identifying information in relation to the individual; merely that the card is a valid card and the details that are presented on the card that is before them.

...

...So for their own applications they will have access to that information. They will not have access to that information for applications made by other issuing bodies.[66]

3.61 The Department also responded to the concern that contractors would perform background checks as follows:

It is not unusual for a Commonwealth agency to engage contractors and consultants from time to time. The definition of AusCheck staff member does not 'allow' this arrangement as such, but merely ensures that where such persons are engaged, they will be bound by the same confidentiality requirements as Australian Public Service employees. In particular, the definition ensures that such contractors and consultants will be covered by the offence provisions in clause 15 of the Bill. This clause provides that it is an offence to disclose information relating to the AusCheck scheme without proper authority.[67]

Privacy Impact Assessment

3.62 Several submissions informed the committee that a Privacy Impact Assessment (PIA) is currently being prepared in relation to the AusCheck scheme.[68]

3.63 At the hearing, Mr Solomon from the OPC commended the Department on this measure:

We believe that undertaking this privacy impact assessment will assist the department to identify specific privacy impacts of personal information flows that will occur within the proposed AusCheck process and will enable the department to look at ways of reinforcing the positive privacy impacts of the process and managing or minimising any negative impacts. From an optimum privacy perspective, our office holds the view that the bill could be further enhanced with a few adjustments.[69]

3.64 However, some submissions were critical of the timing of the PIA. For example, the Law Council noted that:

[The PIA] remains a couple of months away from completion. The purpose of doing a PIA is "to identify and recommend options for managing, minimising or eradicating privacy impacts". The Law Council believes that the Parliament should have the benefit of reviewing the finalised PIA before approving this enabling legislation. Parliament may decide that some of the recommendations contained in the finalised PIA are most appropriately translated into legislative safeguards.[70]

3.65 The APF expressed a similar view:

We understand that a Privacy Impact Assessment (PIA) on the AusCheck scheme is in progress (we were invited to provide input and have submitted an early draft of this submission). The timing is not sensible – any PIA should be made public to assist interested parties to assess the Bill. PIAs should not be used as a confidential resource by agencies to anticipate and head off criticism – their public interest value lies in the contribution they make to informed public debate. We submit that the Committee should recommend that the government publish any PIA report on the scheme as soon as possible, but certainly before any further parliamentary debate.[71]

3.66 The Association of Australian Ports & Marine Authorities articulated some concerns with respect to preparation of the PIA:

It was of some concern that only three or four people were being consulted within the maritime industry by the consultant. We were also concerned to learn that the consultant knew nothing of the AusCheck legislation or its history. A considerable amount of time was therefore expended on briefing the consultant. We trust that their report will be made available to this Senate inquiry.[72]

Transparency, natural justice and independent review

3.67 The Law Council of Australia argued that the Bill does not establish minimum standards of fairness with respect to transparency, natural justice, appeal processes or periodic reporting.[73] At the hearing, Ms Donovan noted that the Bill 'fails to properly take advantage of the opportunities that a centralised agency might present'.[74]

3.68 She explained further:

Through the bill, the parliament has the opportunity to set minimum standards for transparency, fairness and accountability in background checking, but the Law Council believes that opportunity has not been seized. If the bill is passed in its current form, parliament would essentially be saying that its only pressing concern with respect to background checking and the only impetus for a piece of subject-specific legislation on the topic of background checking is to ensure that it is coordinated and conducted by a centralised agency. The Law Council believes that the legislature should have more to say about, for example, guaranteed review rights or reporting obligations. The submission from the Attorney-General’s Department offers the assurance that it is intended that the regulations will provide that, if AusCheck makes an adverse finding about a person, that person will have the right to appeal to the AAT. The Law Council believes this type of assurance should be reflected in the primary legislation.[75]

3.69 However, Ms Donovan acknowledged that this may not be easy:

It would not be easy to set out the principles [in generic legislation] which should apply in all cases to facilitate and allow for a review. We have attempted to acknowledge that...by acknowledging that in each case there might be a different type of decision which the affected person wants to challenge and the background check might play a different role in that. The background check might be definitive. The background check might give rise to a recommendation that is non-binding to another agency. It might give rise to a direction which another agency has no option but to follow. In each case, the appeal which the affected person will seek will be different. We acknowledge that, but nonetheless we think that there is room, if appropriate attention is given to the matter, to at least state some basic principles about the nature of the information that an affected person is entitled to about the background check, about the exercise of any discretion on the basis of the background check and how they might appeal that decision.[76]

3.70 The Law Council also suggested that the Bill should require AusCheck to provide periodic reports to Parliament about matters such as:

the number and type of background checks that it conducts;
the average time taken to conduct background checks;
the legislative scheme under which background checks have been conducted;
the number of individuals who have received adverse background checks and the basis for that assessment; and
the agencies to which information obtained by AusCheck has been shared and for what purposes.[77]

Department response

3.71 The Department advised that it does not consider it necessary to establish minimum standards with respect to transparency, natural justice, appeal processes or periodic reporting in the Bill:

All legislation goes through a rigorous scrutiny process within government to ensure that it appropriately conforms with relevant administrative law and criminal law principles, including ensuring that there are appropriate appeals and that natural justice is afforded.[78]

3.72 A departmental representative explained why the Bill does not include specific review provisions:

The reason why the review provision or any review provision was not included in the bill is that each scheme that AusCheck is involved in will have different points at which review is required. So, in relation to the ASIC and the MSIC schemes, they already have a significant number of points at which a decision may be reviewed by the AAT. All those rights remain. There will be additional points where we think that, in the AusCheck process for those two schemes, AAT review rights need to be provided for. Every time we do a scheme, we will look for the appropriate point. Review rights will be provided in all schemes; that is certainly the intention. It is just that it is not able to be predicted in advance exactly at what points those review rights should appropriately be provided. So the detail of those will be provided in the regulations as each scheme is set out there.[79]

3.73 In an answer to a question on notice, the Department noted that any additional review rights provided under the AusCheck regulations will 'be specifically tailored to complement the existing review rights' under the ASIC and MSIC schemes.[80]

3.74 The representative provided the committee with an intimation of the additional review points that might be included in the scheme:

unknown33unknown1There are certainly additional review points when AusCheck makes an assessment of the various components of the background check and then provides a response to the issuing body; that will be a point of review. That decision is also reviewable subsequently by the issuing body of their own motion, and there are also reviews later in the process in relation to the DOTARS involvement in reconsideration.[81]

3.75 Where AusCheck is involved in new background checks:

...it is intended that review rights will be similarly tailored to complement the arrangements in the particular scheme that requires the background check. In this context, the Department does not consider that a general provision providing a right of review to the Administrative Appeals Tribunal would be sufficiently flexible to allow review rights to be tailored so that they are consistent with and appropriate for each scheme.[82]

3.76 With respect to reporting requirements, the representative pointed out that AusCheck, as part of the Department, is subject to annual reporting and portfolio budget statement processes. She noted that information relating to application numbers, processing times, refusals, and AAT appeals would be routinely included in the Department's annual report as part of its accountability obligations.[83]

Implementation issues

3.77 Several submissions and witnesses commented on a number of practical issues relating to implementation of the AusCheck scheme. Some of these issues are discussed briefly below.

Cost recovery

3.78 Some submissions expressed the view that cost recovery from industry is not appropriate in relation to AusCheck background checks on the basis that government should bear the cost of anti-terrorism security measures.[84]

3.79 Melbourne Airport argued that, if full Commonwealth funding is not available to cover fee increases for background checks under the AusCheck scheme, a price freeze for five years on ASIC check prices would be in the best interests of the industry.[85]

3.80 The Australian Rail, Tram and Bus Industry Union expressed concern that the cost of the AusCheck scheme may be borne ultimately by employees since the Bill does not provide expressly that employers (or the Australian Government) will bear the cost.[86]

3.81 Qantas pointed out that the proposed increase in background checking costs will amount to an additional $1 million per annum for the Qantas Group:

This is a significant cost which would need to be offset by a commensurate improvement in the efficiency and effectiveness of the security outcomes which the ASIC background checking regime seeks to deliver but which is not evidenct from information currently available to the industry.[87]

Department response

3.82 A representative from the Department told the committee that cost recovery will be 'from both AusCheck – the AttorneyGeneral’s Department's costs – and our checking partner costs, so that includes costs from CrimTrac and ASIO and potentially DIAC'.[88] DOTARS also noted that cost recovery would be for checks carried out by the AFP.[89]

3.83 DOTARS informed the committee that AusCheck's draft Cost Recovery Impact Statement 'squarely complies with' the Australian Government's Cost Recovery Policy and Cost Recovery Policy Guidelines.[90] The committee understands that AusCheck is currently conducting consultations with industry stakeholders in relation to its draft Cost Recovery Impact Statement.[91]

3.84 The Department also noted that, in the absence of an established pattern of demand (since AusCheck will be providing a new service), it is not possible to provide a price freeze for five years: to do so would involve under or over recovery of the cost of providing services that is inconsistent with the Department of Finance and Administration's guidelines on cost recovery.[92]

3.85 In relation to the concern that employees may bear the cost of background checking, the Department advised that AusCheck will play 'no role in relation to how issuing bodies recover the costs of the background checking application process'.[93]

Delays in processing background checks

3.86 CrimTrac noted that any expansion of the AusCheck scheme could result in duplication of services that CrimTrac already provides through its National Criminal History Record Check process. CrimTrac cautioned that '(t)here is a need to be mindful that we do not add additional layers of administration if this is not necessary' which would in turn lead to slower turnaround times for background checks. [94]

3.87 Qantas argued that the current ASIC background checking regime is 'fundamentally flawed', stressing that processing times are too long and that there is no ability to conduct checks from a 'live' criminal history database.[95]

Department response

3.88 A representative from DOTARS informed the committee that the AusCheck scheme 'will lead to a speedier turnaround on the majority of applications'.[96] In an answer to a question on notice, DOTARS stated that 'the centralised AusCheck service will be faster, more accessible and more consistent'.[97]

3.89 A representative from the Department also emphasised that processing times for applications are expected to improve:

We do expect to speed up the process. We have re-engineered the process of obtaining the background checking information to achieve that. We have told our issuing body clients that, for background checks involving Australian citizens with no actual or potential criminal history, we will do a five-business-day turnaround. We hope to do much better than that, but we feel very confident about a five-business-day turnaround. Seventy per cent to 80 per cent of checks will be done in that time frame. That provides a great advantage to our clients, who get that sort of time frame on some occasions but not on a consistent basis.[98]

3.90 The Department responded to CrimTrac's concern that there could be a duplication of services as follows:

AusCheck centralises coordination of the various elements of background checking that are obtained from its background checking partners, including CrimTrac. AusCheck does not duplicate CrimTrac services that are available broadly to the Australian community and utilised for a range of different purposes. AusCheck merely provides a way to quickly and directly access the National Criminal History Database for the purposes of background checking schemes in which AusCheck is involved.[99]

Committee view

3.91 The committee acknowledges the general in-principle support for the Bill expressed by the majority of submissions and witnesses. However, the committee shares concerns raised during the course of the inquiry, particularly with respect to the breadth of the Bill's regulation-making power, privacy issues, and the lack of accountability mechanisms. The committee therefore recommends several changes to the Bill to clarify the scope of the AusCheck scheme, provide safeguards against the possible misuse of information obtained pursuant to the scheme, and improve transparency and accountability mechanisms.

3.92 In a general sense, the committee again takes the opportunity to express its concern at the use of delegated legislation to extend the scope and operation of primary legislation. This is particularly concerning in the current context, given the sensitive nature and function of background checking. Consistent with its views in previous inquiries, the committee believes that it is imperative that Parliament be afforded the opportunity to consider fully the particulars of any future screening regimes in order to ensure that the background checks they introduce are appropriate and proportionate to the purpose that is sought to be achieved. It is spurious to suggest that the scrutiny of delegated legislation by Parliament is equivalent to, or an adequate substitute for, the positive requirement for new powers to be approved by Parliament in primary legislation.

3.93 The committee agrees that the ambit of the Bill's regulation-making power is too broad, comprising only a minimalist framework and leaving fundamental details about the future scope and operation of background checking schemes to the regulations. The committee does not consider it appropriate that subclause 5(d) is drafted so broadly as to allow unlimited types of information to be assessed for the purposes of background checking; nor is it appropriate that clause 8 allows the Australian Government to implement, by way of regulations alone, a wide range of background checking schemes – related to any activities within a constitutional head of power – without the authorisation of any other primary legislation. The committee also considers clause 10 of the Bill to be too broad in that it enables new screening regimes to be implemented independently of any other legislation.

3.94 The committee is of the view that the particulars of any schemes beyond the ASIC and MSIC schemes would ideally be set out in primary legislation. The committee therefore recommends that subclause 5(d), paragraph 8(1)(c) and clause 10 should be removed from the Bill.

3.95 The committee also considers that several of the Bill's provisions dealing with the collection of information, information to be assessed, retention of information, and use and disclosure of personal information are too broad and have the potential to impact adversely on an individual's right to privacy. The committee accepts assurances from the Department that it is obliged to act in accordance with the Privacy Act and notes evidence indicating that a PIA is currently being prepared in relation to the AusCheck scheme. Nevertheless, the committee considers that some refinements to the Bill could assist in providing increased protection of personal information.

3.96 In particular, the committee recommends that the Bill be amended to:

directly link the collection, use and disclosure of personal information by AusCheck to its function and purposes;
specify retention periods for storage of information in AusCheck's database;
require AusCheck to delete personal information from its database that is not relevant to background checks;
limit the agencies to which AusCheck can use or disclose information for the purposes of criminal intelligence or security intelligence; and
impose conditions and limitations on the use and disclosure of personal information by third party agencies to which AusCheck has lawfully disclosed that information.

3.97 In relation to review rights, the committee is satisfied with the Department's explanation that individual screening regimes will have different points at which review is required and that relevant review rights will be included in each separate scheme. However, while noting advice from the Department about its annual reporting and portfolio budget statement obligations, the committee considers that the Bill would be an appropriate place to set out clear and specific reporting requirements for AusCheck as part of its basic framework.

3.98 Finally, the committee encourages the Department to continue to consult comprehensively with relevant stakeholders in relation to AusCheck's cost recovery proposal, the PIA, and practical implementation of the AusCheck scheme.

Recommendation 1

3.99 The committee recommends that subclause 5(d) of the Bill be removed.

Recommendation 2

3.100 The committee recommends that paragraph 8(1)(c) of the Bill be removed.

Recommendation 3

3.101 The committee recommends that clause 10 of the Bill be removed.

Recommendation 4

3.102 The committee recommends that subclause 13(a) of the Bill be amended to ensure that the collection, use and disclosure of personal information under the AusCheck scheme will be 'directly' related to AusCheck's function and purposes.

Recommendation 5

3.103 The committee recommends that the Bill be amended to specify retention periods for personal information stored by AusCheck in its database.

Recommendation 6

3.104 The committee recommends that the Bill be amended to include a requirement that AusCheck delete any information from its database that is not relevant to the background check for which it has been collected, used or disclosed.

Recommendation 7

3.105 The committee recommends that paragraph 14(2)(b) of the Bill be amended to limit the agencies to which personal information about an individual may be used or disclosed for the purposes of criminal intelligence or security intelligence to:

the Australian Federal Police;
the Australian Crime Commission; and
the Australian Security Intelligence Organisation.

Recommendation 8

3.106 The committee recommends that the Bill be amended to impose appropriate conditions and limitations on the use and disclosure of personal information by a third party agency to which AusCheck has lawfully disclosed that information.

Recommendation 9

3.107 The committee recommends that the Bill be amended to include a specific requirement that AusCheck provide periodic reports to Parliament about matters including:

the number and type of background checks that it conducts;
the average time taken to conduct background checks;
the legislative scheme under which background checks have been conducted;
the number of individuals who have received adverse background checks and the basis for that assessment; and
the agencies to which information obtained by AusCheck has been shared and for what purposes.

Recommendation 10

3.108 Subject to the preceding recommendations, the committee recommends that the Senate pass the Bill.

Senator Marise Payne
Chair

Navigation: Previous Page | Contents | Next Page