The Commonwealth Registers Bill 2018 (Cth) and Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2018 (Cth) provide for a new Act called the Commonwealth Registers Act 2018, with amendments to a suite of existing laws to create a new Commonwealth business registry regime.
The two Bills set out
• what information is subject to the new regime;
• who may be appointed to administer the new regime as its registrar;
• the functions and powers of the registrar;
• how the registrar performs its functions and exercises its powers;
• the framework for protecting and disclosing information held by the registrar; and
• other matters that support the new regime.
They also provide for a new Director Identification Number regime, discussed in the following post.
In relation to registries the Explanatory Memo states
1.2 The Australian Government has committed to simplifying its interactions with business to support growth, innovation and employment.
1.3 The National Business Simplification Initiative, announced in 2016, aims to reduce the time that businesses spend complying with regulations and interacting with government so that they can focus on growing their business, creating more jobs, and developing new products and market opportunities. The Initiative is a Commonwealth led agreement between federal, state and territory governments to work together to make it simpler to do business in Australia.
1.4 As part of the Initiative, the Government is developing a modern approach to managing Commonwealth registers to provide more user-friendly and streamlined registry services. The initial focus of this modernisation process is on the registers kept by ASIC as well as the Australian Business Register, which is kept by the Commissioner of Taxation (Commissioner).
1.5 The new law facilitates a modern government registry regime that is flexible, technology neutral and governance neutral. The regime initially applies to the business registers administered by ASIC and the Australian Business Register. Additional government registers may be brought into the regime by future legislative reforms.
1.6 Under the new regime the Minister appoints an existing Commonwealth body to be the registrar. Different registrars can be appointed for different functions or powers of the registrar.
1.7 The functions and powers of the registrar are largely set out in existing Commonwealth laws. In particular, most powers and functions are set out in the Commonwealth acts that contain the registers being brought into the new regime. These acts include the:
• Corporations Act;
• the ABN Act;
• the Business Names Act;
• the Credit Act; and,
• the SIS Act.
1.8 The registrar performs its functions and exercises its powers in accordance with the data standards and other Commonwealth laws. The data standards are disallowable instruments made by the registrar. They may deal with a variety of matters including what information may be collected for the purposes of performing the registrar’s functions, how such information is to be given to the registrar, and how information held by the registrar is to be stored.
1.9 The new law provides for the protection and disclosure of information held by the registrar. It is an offence for an official to disclose information held by the registrar unless the disclosure is authorised. A disclosure is authorised where: it is for the purposes of the new registry regime; it happens in the course of the performance of an official’s duties; each person to whom the information relates consents to the disclosure; the information is disclosed to a government agency for the performance of its functions; or, the benefits associated with the disclosure outweigh the risks (including privacy risks) after those risks have been mitigated.
1.10 All decisions made by the registrar under the new Act are reviewable by the Administrative Appeals Tribunal except those made by disallowable instrument.
Overall, the legislative package creates the new Act and makes consequential amendments to a suite of existing laws to create a new Commonwealth business registry regime.
It sets out:
• what information is subject to the new regime;
• who may be appointed to administer the new regime as its registrar;
• the functions and powers of the registrar;
• how the registrar performs its functions and exercises its powers;
• the framework for protecting and disclosing information held by the registrar; and
• other matters that support the new regime.
1.12 The objective of the new regime is to facilitate a modern government registry regime that is flexible, technology neutral and governance neutral. The new Act includes a simplified outline of its contents to assist readers to understand the new regime.
What information is subject to the new regime?
1.13 Initially, information related to 35 existing business registers would be subject to the new registry regime. The existing business registers comprise 34 registers currently kept by ASIC and the Australian Business Register, which is currently kept by the Commissioner.
The new Registrar is of particular interest. The Memo states
How does the registrar perform its functions and powers?
1.29 The registrar performs its functions and powers in accordance with the data standards and other Commonwealth laws.
Data standards
1.30 The new law allows the registrar to make data standards on matters relating to the performance of the registrar’s functions and the exercise of the registrar’s powers. The data standards may deal with a variety of registry related matters that are currently dealt with by prescriptive rules in primary legislation that are not uniform, technology neutral or governance neutral.
1.31 To assist readers to understand the role of the data standards, the new Act provides examples of what the data standards may cover. These examples clarify that the data standards may provide for matters such as the following:
• what information may be collected for the purposes of the performance of the registrar’s functions and the exercise of the registrar’s powers;
• how such information may be collected;
• the manner and form in which such information is given to the registrar;
• when information is to be given to the registrar;
• how information held by the registrar is to be authenticated, verified or validated;
• how information held by the registrar is to be stored;
• the correction of information held by the registrar;
• the manner and form of communication between the registrar and persons who give information to the registrar or seek to access information held by the registrar; and
• integrating or linking information held by the registrar.
1.32 These examples are just an inclusive list of the matters that may be dealt with by the data standards. Their inclusion in the new Act is not intended to limit the matters that may properly be dealt with by the data standards.
1.33 The new Act clarifies that the data standards may include different provisions relating to different functions or powers of the registrar. This ensures that the data standards do not need to adopt a ‘one size fits all’ approach to the administration of registry functions and powers. The variety of functions and powers given to the registrar necessitates that the registrar be able to tailor data standards so that they are appropriate for the different purposes for which they may be made.
1.34 This approach of enabling the registrar to make data standards facilitates the efficient and effective administration of registry services. Data standards can be readily amended over time to keep up with changes in best practice, industry preference, the needs of those using registry services, and technology. The flexibility offered also enables a ‘tell us once’ approach to the collection of information, minimising the number of interactions clients have with the registrar. Currently, a reporting entity may have to provide the same information to multiple registers increasing regulatory burden and the cost of administering registry services.
1.35 To ensure these benefits can be realised the new law includes provisions that ensure the data standards may request information in a wide variety of ways that make best use of available technology. In particular, the new law expressly clarifies that:
• the data standards may provide that information is to be given to the registrar in electronic form, or any other specified form; and,
• a requirement under a law that information is to be provided to the registrar in a particular form or manner (however described), including a requirement that information is to be “lodged” or “furnished”, is not taken to restrict by implication what the data standards may provide in relation to that information.
1.36 The new law includes provisions designed to promote the smooth transition of registry functions and powers from one registrar to another. As already noted, under the new regime the Minister may appoint any government body as registrar for particular functions and powers and may change the appointed body at any time. Should the body appointed as registrar for particular functions and powers change, the new law provides that any existing data standards continue to apply until the new registrar has prepared replacement standards.
1.37 Data standards are disallowable instruments for the purposes of the Legislation Act 2003. Under that Act, legislative instruments and their explanatory statements must be tabled in both Houses of the Parliament within six sitting days after the date of registration of the instrument on the Federal Register of Legislation. Once tabled, the instruments will be subject to the same level of parliamentary scrutiny as regulations (including consideration by the Senate Standing Committee on Regulations and Ordinances), and notice of a motion to disallow the instruments may be given in either House of the Parliament within 15 sitting days after the date the instruments are tabled.
From an information management (including data protection and privacy) perspective the Memo notes
How is information held by the registrar protected and disclosed?
1.41 The new law provides for the protection and disclosure of information held by the registrar, including disclosure via a disclosure framework made by the registrar.
Protection of registry information
1.42 It is an offence for an official to record or disclose information held by the registrar unless the recording or disclosure is authorised. In particular, unless authorised, a person commits an offence if:
• the person is, or has been, in official employment;
• the person makes a record of information, or discloses information to another person; and
• the information is protected information that was obtained by the person in the course of their official employment.
1.43 The maximum penalty for disclosing registry information in breach of this offence provision is imprisonment for two years. The penalty is consistent with comparable provisions in other Acts, including the ASIC Act, the ABN Act and the Taxation Administration Act 1953. The principles set out in the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers were also considered in determining the applicable penalty.
Disclosure of registry information
1.44 As mentioned above, the prohibition against recording and disclosing registry information does not apply where the recording or disclosure is authorised. A recording or disclosure is authorised if:
• the recording or disclosure is for the purposes of the new Act or happens in the course of the performance of the duties of a person’s official employment;
• the disclosure is to another person for use, in the course of the performance of the duties of the other person’s official employment, in relation to the performance of the functions of a government entity;
• each person to whom the information relates consents to the disclosure; or
• the disclosure is in accordance with the disclosure framework.
1.45 A defendant carries an evidential burden for establishing that a recording or disclosure of registry information was authorised. To satisfy this eventual burden the defendant must adduce or point to evidence that suggests a reasonable possibility that the recording or disclosure was authorised. Once this is done, the prosecution bears the burden of proof.
1.46 The new law expressly authorises disclosure to a government entity in relation to the performance or exercise of its functions or powers. The intent of this authorisation is to, for example, ensure ASIC has real-time access to all the registry information it requires in order to exercise its regulatory functions or powers.
1.47 The new law clarifies how its protection and disclosure regime relates to other secrecy provisions in Commonwealth law. The effect of the new law is that other Commonwealth secrecy provisions do not apply in addition to the new law’s protection and disclosure regime unless expressly designated. The following secrecy provisions have been designated for this purpose:
• sections 18, 18A, 18B and 92 of the Australian Security Intelligence Organisation Act 1979;
• section 34 of the Inspector-General of Intelligence and Security Act 1986;
• sections 39, 39A, 40, 40A to 40M and 41 of the Intelligence Services Act 2001;
• a provision of a law of the Commonwealth prescribed by the rules;
• a provision of a law of the Commonwealth of a kind prescribed by the rules; and,
• section 8WB of the Taxation Administration Act 1953 (which contains special rules relating to the disclosure of tax file numbers).
1.48 The intent of the new law in this regard is to avoid unnecessary overlap in the operation of secrecy provisions in relation to registry information. It is not optimal for multiple secrecy provisions to unnecessarily apply to the same piece of information. For example, the Productivity Commission identified over 500 different secrecy provisions and found that they often interacted in a way that leads to undesirable complexity, resulting in unnecessary barriers to data access that stifles socially beneficial activities.
1.49 Similarly, the new regime’s disclosure framework is expressly authorised for the purposes of paragraph 6.2(b) of the Privacy Act 1988. Paragraph 6.2(b) of the Privacy Act 1988 allows disclosure of personal information where it is authorised by an Australian law. As the new disclosure framework is such an Australian law, this provision simply clarifies the operation of the current law.
1.50 The new regime exempts a person from being required to provide registry information to a court except where the disclosure is necessary for giving effect to a taxation law or an Australian business law. What constitutes a taxation law is defined in section 995-1 of the Income Tax Assessment Act 1997 to include: a provision of an Act for which the Commissioner has general administration; legislative instruments made under such a provision; or the Tax Agent Services Act 2009 or regulations made under that Act. The new law defines Australian business law to mean a law of the Commonwealth, or of a State or Territory, that is a law that regulates, or relates to the regulation of, business or persons engaged in business. This definition is based on the definition of ‘business law’ in section 3 of the Mutual Assistance in Business Regulation Act 1992.
1.51 The new law in this respect is based on existing subsection 30(5) of the ABN Act, which is being repealed by the new law. That subsection currently exempts a person from having to provide protected documents or information (as defined in the ABN Act) to a court except where the proceedings relate to a taxation law. The provision guards against registry information being required to be produced for purposes unrelated to its collection.
The disclosure framework
1.52 The new law provides that the registrar may make the disclosure framework referred to in the final dot point of paragraph 1.44. Under the disclosure framework the registrar may authorise the disclosure of registry information where it is satisfied that the benefits of disclosure outweigh the risks, after those risks have been mitigated.
1.53 The disclosure framework may provide for any matter related to the disclosure of registry information. For example, the disclosure framework may provide for matters such as:
• the circumstances in which information must not be disclosed without the consent of the person to whom it relates;
• the circumstances in which de-identified information may be disclosed;
• the circumstances in which information may be disclosed to the general public;
• the circumstances in which confidentiality agreements are required for the disclosure of information; and
• the imposition of conditions on disclosure of information.
1.54 In addition, the new law clarifies that the disclosure framework may include different provisions relating to different functions or powers of the registrar. This ensures that the disclosure framework can be tailored to particular functions and powers of the registrar.
1.55 This approach to disclosure aligns with the Productivity Commission’s 2017 recommendation to take a more principled approach to the release of Government data. In particular, the Commission recommended that Government data be able to be released publicly where the benefits of the release outweigh the risks involved (including privacy risks) after those risks have been mitigated to the extent practicable. The intention of this recommendation was to capture the benefits of ‘big data’ while managing all risks of disclosure, not just those relating to personal information.
1.56 It is envisaged that the ability to make a disclosure framework will provide the registrar with flexibility regarding the release of registry information. For example, the framework could allow a trusted user (for instance a university whose IT systems, processes and staff have been vetted) to access information that may not be appropriate for wider dissemination where a social benefit exists and appropriate undertakings are made.
1.57 As is the case with respect to data standards, the new law includes provisions designed to promote the smooth transition of registry functions and powers from one registrar to another. Should the body appointed as registrar for particular functions and powers change, the new law provides that any existing disclosure framework continues to apply until the new registrar has prepared a replacement framework.
1.58 The disclosure framework is a disallowable instrument for the purposes of the Legislation Act 2003. Under that Act, legislative instruments and their explanatory statements must be tabled in both Houses of the Parliament within six sitting days after the date of registration of the instrument on the Federal Register of Legislation. Once tabled, the instruments will be subject to the same level of parliamentary scrutiny as regulations (including consideration by the Senate Standing Committee on Regulations and Ordinances), and notice of a motion to disallow the instruments may be given in either House of the Parliament within 15 sitting days after the date the instruments are tabled. In addition to parliamentary oversight, the disclosure framework is subject to a privacy impact assessment under the Privacy Act 1988 and the consultation requirements contained in the Legislation Act 2003.
1.59 The new law also allows a person to apply to the registrar to prevent an inappropriate disclosure of registry information that relates to them. The data standards may provide for how such applications are to be made and decided. However, where the registrar is satisfied that the disclosure is not appropriate, the disclosure is taken to not be in accordance with the disclosure framework.