09 March 2017

Veterans' Privacy

The Turnbull Government will seek 'independent scrutiny' of new powers - proposed under the Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2016 (Cth) - to unilaterally disclose personal information about veterans in 'correcting' what are deemed to be deliberately misleading statements.

That disregard for privacy, at odds with the Prime Minister's 2012 Alfred Deakin Lecture, is consistent with recent disclosure of personal information about people who deal with Centrelink, the subject of much comment about that agency's defective identification of supposed overpayments to a range of social service recipients.

Centrelink - and the Human Services  Minister, who has now been referred to the Australia Federal Police - appears  to have taken over the view that it is appropriate, legal and necessary to publicly disclose personal information of recipients who have claimed they have not been overpaid. The Department of Human Services states
You have a right to have your personal information kept private. The department is bound by strict confidentiality and secrecy provisions in social security, families, health, child support and disability services law.
The Human Services disclosure serves to chill what might be regarded as a legitimate expression of concern by citizens, particularly given the apparent scale of problems with the agency and its cavalier approach to addressing systemic failures.

In considering the permissibility of the Centrelink disclosure under the Privacy Act 1988 (Cth) it is worth noting L v Commonwealth Agency [2010] PrivCmrA 14. The Privacy Commissioner there noted that a complainant made adverse comments in the media and on a blog about a Commonwealth agency's handling of an application, resulting in the agency receiving several media enquiries. The agency then disclosed the complainant’s personal information, with the complainant consequently alleging the agency improperly disclosed personal information to a journalist.

The Commissioner stated that
 IPP 11 prohibits agencies from disclosing personal information to anyone other than the individual concerned, unless an exception applies.
The exception at IPP 11.1(a) permits disclosure where the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency.
Outcome: The Commissioner investigated this matter under section 40(1) of the Privacy Act. The Commissioner’s Plain English Guidelines to Information Privacy Principles 8-11 provide examples of when an individual may be considered to be reasonably likely to be aware that information may be disclosed under IPP 11.1(a).
The Guidelines state: a person who complains publicly about an agency in relation to their circumstances (for example, to the media) is considered to be reasonably likely to be aware that the agency may respond publicly – and in a way that reveals personal information relevant to the issues they have raised.
The Commissioner took into account that the complainant had complained publicly about the agency’s handling of their application. The information provided by the agency was confined to responding to the issues raised publicly by the complainant.
The Commissioner considered that the complainant was reasonably likely to have been aware that the agency may respond, in the way it did, to the issues raised. Therefore, the Commissioner took a preliminary view that IPP 11.1(a) permitted that disclosure.
The complainant withdrew and the matter was closed.

The Commissioner's current guidelines appear to be broader. In relation to APP 6 () they state
6.20 The ‘reasonably expects’ test [regarding permissible disclosure] is an objective one that has regard to what a reasonable person, who is properly informed, would expect in the circumstances. This is a question of fact in each individual case. It is the responsibility of the APP entity to be able to justify its conduct.
6.21 An APP entity should consider whether an individual would reasonably expect it to use or disclose for a secondary purpose only some of the personal information it holds about the individual, rather than all of the personal information it holds. The entity should only use or disclose the minimum amount of personal information sufficient for the secondary purpose. ...
6.22 Examples of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose include where:
  • the individual makes adverse comments in the media about the way an APP entity has treated them. In these circumstances, it may be reasonable to expect that the entity may respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised.
In response to the Centrelink controversy the  Australian Information and Privacy Commissioner stated last month
I am aware of the media reports concerning this issue. My office is making inquiries with the Department of Human Services. 
Government agencies are entrusted with a significant amount of personal information. This information must be handled in accordance with the Australian Privacy Principles. 
An agency may only disclose an individual’s personal information in a limited range of circumstances.
The Explanatory Memo for the Veterans Bill states
In certain limited circumstances it may be appropriate for the Secretary of the Department of Veterans’ Affairs to disclose information about a person that was obtained by a delegate performing their duties under the MRCA [Military Rehabilitation and Compensation Act 2004], DRCA [Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988] and the VEA [Veterans’ Entitlements Act 1986].
Examples of the circumstances in which it might be appropriate for the Secretary to disclose information about a case or class of cases include where there is a threat to life, health or welfare, for the enforcement of laws, in relation to proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of conduct investigations, misinformation in the community and provider inappropriate practices.
The Privacy Act 1988 legitimately limits the circumstances surrounding the handling and disclosure of a person’s personal information, as set out in the Australian Privacy Principles. The purpose of the public interest disclosure provisions is to put beyond doubt that the Secretary may, in accordance with items 1, 7 and 10, release information about a case or class of cases.
The information sharing provisions, and related consequential amendments, are necessary because, with the creation of a stand-alone version of the SRCA with application to Defence Force members, the ability of the MRCC to share claims information about current serving members with either the Secretary of the Department of Defence or the Chief of the Defence Force is more limited than it is under the MRCA . These amendments will align information sharing under the DRCA with arrangements under the MRCA. ...
Public interest disclosures
The public interest disclosure provisions are modelled on paragraph 208(1)(a) of the Social Security Administration Act 1999 and would enable the Secretary to disclose information about a particular case or class of cases where the Secretary certifies that it is necessary in the public interest to do so. In deciding whether to make a public interest disclosure, the Secretary must follow rules set by the Minister and there are limits about disclosing personal information, which could result in the Secretary committing an offence.
Examples of the circumstances in which it might be appropriate for the Secretary to disclose information about a case or class of cases include where there is a threat to life, health or welfare, for the enforcement of laws, in relation to proceeds of crime orders, mistakes of fact, research and statistical analysis, APS code of conduct investigations, misinformation in the community and provider inappropriate practices.
It is expected that the “class of cases” disclosure would be particularly relevant for research and statistical analysis purposes.
Because this is a new power, five safeguards have been incorporated to ensure that it is exercised appropriately. They are described in further detail below but, briefly, they are: ·
  • the Secretary must act in accordance with rules that the Minister makes about how the power is to be exercised ( s ubitem (2) of items 1, 7 and 10 ) 
  • the Minister cannot delegate his or her power to make rules about how the power is to be exercised ( item 11 ) 
  • the Secretary cannot delegate the public interest disclosure power ( item 12 ) 
before disclosing personal information about a person, the Secretary must notify the person in writing about his or her intention to disclose the information, give the person a reasonable opportunity to make written comments on the proposed disclosure of the information and consider any written comments made by the person ( subitem (6) of items 1, 7 and 10 ), and
  • unless the Secretary complies with the above requirements before disclosing personal information, he or she will commit an offence, punishable by a fine of 60 penalty units (approximately $10,800) ( subitem (7) of items 1, 7 and 10. )
In addition to the above safeguards, the Department (on behalf of the MRCC and the Repatriation Commission) manages clients’ personal information in compliance with the Privacy Act 1988 , and the Department can be required to pay compensation for breaches of the Privacy Act 1988.
In addition, departmental staff may face sanctions under the Australian Public Service Code of Conduct if they handle a client’s personal information in an unauthorised manner.
Some citizens are more equal than others. In response to criticism of the Bill the Veterans' Affairs Minister  has now announced that he had listened to concerns from the veteran community and would accordingly ask the Australian Government Solicitor to provide an independent privacy impact assessment.

That assessment will be in addition to one already undertaken by his Department, with both PIAs being released to the public before the rules about disclosure under the statute are tabled in Parliament. Release of the PIAs will form part of what the Minister characterises as "part of the continuing comprehensive consultation process".

The Bill went though the House with with bipartisan support. The ALP veterans' affairs spokesperson  has now referred to  "serious concerns" and foreshadowed action to disallow the new arrangements.

The report of the Senate Standing Committee on Foreign Affairs and Trade inquiry into the Bill features the following -
2.45 The department acknowledged community concerns regarding the proposed power to correct misinformation but asserted that it is important to correct misconceptions about the department's services. It argued that misinformation about the department's services can cause clients unnecessary concern and potentially dissuade veterans from accessing the services they require. It pointed out that following the Parliamentary Joint Committee on Human Rights inquiry into the Social Security (Public Interest Certificate Guidelines) (DSS) Determination 2015, the committee concluded that 'public interest certificate determinations are likely to be compatible with the right to privacy'.
2.46 During the hearing, the Privacy Commissioner noted that the protection of an individual's privacy through the protection of personal information is not an absolute right but must be balanced with the broader interests of the community and allow government agencies to carry out their activities:
Our approach in that context is generally to advise agencies to ensure that any changes that authorise a disclosure of personal information by invoking an exception in the Privacy Act are reasonable, necessary and proportionate to the expected benefits.
2.47 The department's submission argued that the bill contains adequate safeguards which control how the public interest disclosure power will be exercised. In addition to the bill's specific safeguards, it pointed out that the Privacy Act and the Australian Public Service Code of Conduct provide additional protections. It argued that client information is handled in compliance with both the Privacy Act and the Code of Conduct and that staff may face sanctions and the department fined penalties if a client's information is mishandled. Persons concerned about disclosures also have the option to lodge a complaint with the Privacy Commissioner or apply for judicial review under the Administrative Decisions (Judicial Review) Act 1977.
2.48 With regards to the Minister's rules on the exercise of the Secretary's power, the department advised that the final rules were not able to be provided to the committee within the inquiry's timeframe but that Parliament will have an opportunity to consider them once they are drafted as a disallowable instrument. However, during the committee's hearing, DVA indicated that it could provide a draft copy of the rules to the committee to consider in camera.
2.49 During the hearing, the Privacy Commissioner suggested that the department consult with the Commonwealth Ombudsman and the Office of the Australian Information Commissioner on the content of the Minister’s rules before they are finalised and introduced in the Parliament:
... my office, should the bill proceed as it currently is, would like the opportunity to be consulted on the draft rules to be made by the minister under the public interest disclosure provision. Those draft rules will go to many of the areas where the privacy principles currently apply, and if the bill proceeds and then the APP 6 does not apply to those disclosures then I think we could provide some useful guidance in tightening up those particular rules.