Scope of the Privacy Impact Assessment

Contents

1.Introduction

Scope of the privacy impact assessment

2.Executive Summary

3.Methodology

4.Analysis

Proposed legislative amendments

Section 409 of the Military Rehabilitation and Compensation Act 2004

Proposed amendment of s 409

Proposed s 151A of the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988

Transitional arrangements

Implications for privacy of the proposed amendments

Privacy implications for the MRCC

Privacy implications of the amendments for CSC

Amended provisions will not otherwise displace the ordinary operation of the Privacy Act

5.Matters for further consideration and Recommendations

Procedures to ensure accuracy of personal information

Update privacy policy and collection notices

Appendix 1 - Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 – Schedule 5

Military Rehabilitation and Compensation Act 2004

1Subsection 409(2) (after table item2)

2At the end of section409

3Applicationprovision

Safety, Rehabilitation and Compensation(Defence-related Claims) Act1988

4Subsection 151A(1)

5At the end of section151A

6Applicationprovision

Appendix 2 - Military Rehabilitation and Compensation Act 2004 – s 409

Appendix 3 - Safety, Rehabilitation and Compensation Act 1988 – s 151A

Appendix 4 – Privacy Act 1988 – Relevant extracts

PRIVACY IMPACT ASSESSMENT - VETERANS’ AFFAIRS LEGISLATION AMENDMENT (OMNIBUS) BILL 2017 – SCHEDULE 5 Page1

22042227

REPORT

PRIVACY IMPACT ASSESSMENT - VETERANS’ AFFAIRS LEGISLATION AMENDMENT (OMNIBUS) BILL 2017 – SCHEDULE 5

1. Introduction
2. The Minister for Veterans Affairs through the Department of Veteran’s Affairs has asked AGS to conduct an independent privacy impact assessment (PIA) of Schedule 5 of the Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 (the Bill).[1]

Scope of the privacy impact assessment

1.2.The purpose of this PIA is to assess and make observations about the potential privacy implications of the proposed legislative amendments to be implemented by Schedule5 of the Bill.

1.3.The PIA analyses how these proposed amendments balance the protection of personal privacy with the public interest in disclosing personal information in specified circumstances. It is limited to consideration of Schedule 5 of the Bill and does not address the Bill more generally.

1. Executive Summary
2. If enacted, Schedule 5 of the Bill will amend s 409 of the Military Rehabilitation and Compensation Act 2004 (MRC Act) andproposed s 151A of the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRC Act)to facilitate the disclosure of certain information held by the Military Rehabilitation and Compensation Commission (MRCC) to the Commonwealth Superannuation Corporation (CSC).
3. Information disclosed under theamended provisions would clearly include personal information of individuals within the meaning of the Privacy Act 1988 (Privacy Act). It wouldalso include a subset of personal information defined in the Privacy Act as sensitive information, in particular health information.
4. The use and disclosure of personal information under the amended provisions will be authorised use and disclosure of that information for the purposes of the Privacy Act. This will ensure the MRCC is authorised, for the purposes of the Privacy Act, to disclose personal information to the CSC to assist it in the performance or exercise of its’ statutory functions or powers. The MRCC will not require the consent of the individuals concerned before making a relevant disclosure of personal information.
5. However, the disclosure of personal information by the MRCC to the CSC must be for a purpose relating to the performance of a function, or the exercise of a power, by the CSC under an Act administered by the CSC, or an instrument made under such an Act. The CSC will be limited to using and further disclosing personal information itreceives from the MRCC for the specified purpose for which it was disclosed. This is more limited than the requirements in the Privacy Act and provides a balance between the policy objectives to be achieved by the authorised disclosure and the interests in protecting the privacy of personal information.
6. The MRCC and the CSC will otherwise continue to besubject to the ordinary operation of the Privacy Act, particularly in relation to the collection of personal information and associated notification requirements.
7. Clearly the proposed legislative changes raise personal privacy issues for consideration. Nevertheless, significant privacy protections remain and the recommendations made in this PIA are essentially consequential to the enactment of the legislative amendments.
8. Methodology
9. To prepare this PIA, we have considered the following material:

—Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 – Schedule 5 (extracted at Appendix 1)

—Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 – Second Reading speech, House of Representatives, 30 March 2017

—Veterans’ Affairs Legislation Amendment (Omnibus) Bill 2017 – Explanatory Memorandum

—Safety, Rehabilitation and Compensation Legislation Amendment (Defence Force) Bill 2016

—Safety, Rehabilitation and Compensation Legislation Amendment (Defence Force) Bill 2016 – Second Reading speech, House of Representatives, 9November 2016

—Safety, Rehabilitation and Compensation Legislation Amendment (Defence Force) Bill 2016 – Explanatory Memorandum

—Military Rehabilitation and Compensation Act 2004(relevant extracts are at Appendix 2)

—Safety, Rehabilitation and Compensation Act 1988 (relevant extracts are at Appendix 3)

—Governance of Australian Government Superannuation Schemes Act 2011

—Privacy Act 1988 (relevant extracts are at Appendix 4).

1. Analysis

Proposed legislative amendments

Section 409 of the Military Rehabilitation and Compensation Act 2004

4.1.Section 409 of the MRC Act provides for the giving of information by the MRCC to certain persons or agencies and is extracted in full at Appendix 2.

4.2.Section 409(2) of the MRC Act provides for the MRCC (or a staff member assisting the MRCC) to provide ‘any information obtained in the performance of his or her duties’ under the MRC Act to a person or agency specified in the table in that section, for the purpose specified in that table.

4.3.The person or agency to whom the information is disclosed must not:

• use the information for a purpose other than the specified purpose (s409(3)(a)), or
• further disclose the information for a purpose other than the specified purpose (s 409(3)(b)).

1. To avoid doubt, s 409(4) provides that if information is disclosed or used in accordance with the section, the disclosure or use is taken, for the purposes of the Australian Privacy Principles (APPs), to be authorised by the MRC Act.

Proposed amendment of s 409

4.5.If enacted, Part 1 of Schedule 5 of the Bill (extracted at Appendix 1) will amend the table in s 409(2) to insert new table item 2A. This item will insert the Commonwealth Superannuation Corporation (CSC) as a person or agency to whom the MRCC can disclose information under the section and for the following purpose:

A purpose relating to the performance of a function, or the exercise of a power, by that Corporation under:

(a)an Act administered by CSC; or

(b) an instrument under an Act administered by CSC.

4.6.An ‘Act administered by CSC’ will be defined for the purposes of s 409 as having the meaning given by the Governance of Australian Government Superannuation Schemes Act 2011.[2] That Act relevantly defines this term as follows:

Act administered by CSC means:

(a) the Defence Act 1903, to the extent that the Act deals with superannuation benefit in Part IIIAA; or

(b) the Defence Force Retirement and Death Benefits Act 1973; or

(c) the Defence Forces Retirement Benefits Act 1948; or

(d) the Military Superannuation and Benefits Act 1991; or

(da) the Australian Defence Force Superannuation Act 2015; or

(db) the Australian Defence Force Cover Act 2015; or

(e) the Papua New Guinea (Staffing Assistance) Act 1973, to the extent that the Act deals with superannuation; or

(f) the Superannuation Act 1922; or

(g) the Superannuation Act 1976; or

(h) the Superannuation Act 1990; or

(i) the Superannuation Act 2005.

Proposed s 151A of the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988

4.7.Analogous amendments to those discussed above in relation to the MRC Actwill be made by Part 2 of Schedule 5 of the Bill (extracted at Appendix 1)to s151A of the DRC Act, once enacted.

4.8.The DRC Act will be established by the Safety, Rehabilitation and Compensation Legislation Amendment (Defence Force) Bill 2016, once enacted. In effect, the DRC Act will be a re-enacted version of the existing Safety, Rehabilitation and Compensation Act 1988 (SRC Act) that is modified to apply only to members of the Defence Force and their dependants. The DRC Act will apply in relation to an injury, disease, death, loss or damage that relates to certain employment in the Defence Force that occurred before the commencement of the MRC Act on 1 July 2004. Accordingly, it will provide Defence Force members with access to a ‘military specific’ compensation and rehabilitation scheme. It is also envisaged the MRCC will be able to bring the DRC Act into closer alignment with the MRC Act as part of future amendments to these Acts, over time.[3]

4.9.This PIA proceeds on the basis that proposed s 151A of the DRC Act will be in analogous terms to s 151 of the SRC Act as currently enacted (extracted at Appendix 3).

4.10.Accordingly, once enacted, and as amended by Part 2 of Schedule 5 of the Bill, s151A will relevantly provide that the MRCC (or a staff member assisting the MRCC) may provide any information obtained in the performance of duties under the DRC Act to the CRC for a purpose relating to the performance of a function, or the exercise of a power, under an Act administered by the CSC or an instrument made under such an Act. It will also provide the CSC must not use or further disclose the information disclosed to it by the MRCC for a purpose other than those purposes. To avoid doubt, information that is used or disclosed in accordance with s 151A will be taken, for the purposes of the Privacy Act, to be authorised by law.

Transitional arrangements

4.11.We understand it is intended that if enacted these amendments will operate so that the MRCC may disclose information to the CSC in accordance with the amended provisions, whether that information was obtained by the MRCC before, on or after the amendments commenced.

Implications for privacy of the proposed amendments

4.12.The Privacy Act regulates the collection, use, disclosure, security and storage of personal information held by Commonwealth government agencies and certain organisations. Personal information is defined in the Privacy Act to mean:

….information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a)whether the information or opinion is true or not; and

(b)whether the information or opinion is recorded in a material form or not.

4.13.Section 13 of the Privacy Act provides that an act or practice (which includes use and disclosure of personal information) that is not authorised under the Australian Privacy Principles (APPs) will be an interference with the privacy of the individual concerned. The APPs are set out in Schedule 1 to the Privacy Act.

Privacy implications for the MRCC

4.14.The proposed legislative amendments to be made by Schedule 5 of the Bill will expressly authorise the MRCC to disclose certain information to the CSC for specified purposes. Such disclosures of information will be taken to be authorised use and disclosurefor the information purposes of the APPs in the Privacy Act.

4.15.The information the MRCC will be authorised to disclose under the amendments is information obtained by the MRCC in the performance of its statutory functions under the MRC Act and the DRC Act. This is consistent with the existing terms of s409 of the MRC Act and s 151A of the SRC Act (as currently in force), which each authorise the MRCC to disclose information to certain listed persons or entities. The amendments to these provisions by the Bill will therefore provide consistency for the MRCC in relation to the disclosure of information obtained by it in the performance of its functions to specified persons or entities. These arrangements will be extendedto the CSC for certain purposes as discussed below. In practical effect, however, the information disclosed by the MRCC under the amended provisions will be limited by the nature of the CSC request. Generally speaking, information disclosed to the CSC under the new legislative arrangements is expected to include information such as service, medical and claims information relating to individuals.

4.16.Clearlythe information disclosed by the MRCC to the CSC will be‘personal information’ for the purposes of the Privacy Act. Additionally, some information, particularly medical recordsand assessments, will be ‘sensitive information’ for the purposes of the Privacy Act.

4.17.Sensitive information is a sub-category of personal information for which the Privacy Act provides a higher standard of protection. It is defined in s 6 of the Privacy Act and includes health information about an individual and other information such as sexual orientation, race and ethnicity. Health information is further defined in s 6FA and includes information or an opinion about the injury, illness or disability of an individual, their expressed wishes about the future provision of health services and the health service provided.

Disclosure must be for a specified purpose

4.18.The disclosure of personal information to the CSC will only be authorised if it is for a purpose relating to the performance of a function, or the exercise of a power, by the CSC under the legislation it administers. This places limits on the disclosure of personal information by the MRCC, as it will only be authorisedto disclose personal information necessary for the CSC to perform or exercise a statutory function or power concerning (broadly) the assessment of superannuation claims. That is, the CSC must require the information for the performance or exercise of a function or power with respect to a particular individual. It would not be sufficient, for the purposes of disclosure under the provisions if the information were required for reasons of mere administrative simplicity, such as the routinedisclosure of information by the MRCC to CSC unrelated to the exercise of its functions, or in response to a purely anticipatory requests of information in the absence of a specific claim being assessed by the CSC.

Disclosure is taken to be authorised for purposes of the APPs

4.19.The amendments will put beyond doubt that the disclosure of information by the MRCC under s 409 of the MRCC and s 151A of the DRC Act is authorised for the purposes of the APPs, in particular APP 6 (extracted at Appendix 5).

4.20.APP 6 provides that if an APP entity such as the MRCC holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose that information for another purpose, unless the individual has consented[4] or one of several exceptions apply. One of those exceptions is that the use or disclosure of the information is required or authorised under an Australian law,[5] which is relevantly defined in s 6(1) of the Privacy Act to include an Act of the Commonwealth or regulations or any other instrument made under an Act.

4.21.Presently, the MRCC is prohibited from disclosing personal information it holds to the CSC unless a relevant exception to APP6 applies, such as the individual has consented to the particular disclosure of information. The proposed legislative amendments will ensure that the disclosure of personal information by the MRCC to the CSC for the performance of its statutory functions, will be ‘authorised by or under an Australian law’ for the purposes of APP6.

4.22.This will mean the MRCC may disclose personal information to the CSC in accordance with the amended provisions without the consent of the individual concerned. This is consistent with the policy intention for the proposed amendments.

Privacy implications of the amendments for CSC

4.23.Section 409(3) of the MRC Act and s 151A(3) of the DRC Act will operate to prohibit the CSC from using, or further disclosing, the information disclosed to it by the MRCC under those sections, for a purpose other than the specified purpose for which it was disclosed.

4.24.Such use and further disclosure by the CSC of information received under the amended provisions, in accordance with these requirements, will constitute authorised use and disclosure of the information by the relevant Act for the purposes of the Privacy Act (see ss 409(5) and 151A(5) of those Acts respectively).

4.25.In effect, this means that to the extent personal information is disclosed to the CSC by the MRCC, the CSC can only use that information, or further disclose that information, for a purpose related to the performance or exercise of its statutory functions or powers.

4.26.This limitation is consistent with the existing limitation on the use and further disclosure of information received by other persons or entities to whom the MRCC may disclose information under those provisions.

4.27.This limitation is also more restrictive than that which applies under APP 6. As noted above, an APP entity can use or disclose personal information it holds for a secondary purpose, if a relevant exception applies. By contrast, under the relevant provisions as amended, the CSC will not be able to use or further disclose personal information received by the MRCC in circumstances other than for the performance or exercise of its statutory functions and powers. This is a privacy positive and provides a balance between the policy objectives to be achieved by the authorised disclosure and the interests in protecting the privacy of personal information.

Amended provisions will not otherwise displace the ordinary operation of the Privacy Act

4.28.The amended provisions will not operate to displace the ordinary operation of the Privacy Act, other than to the limited extent discussed above. A range of ordinary Privacy Act protections will continue to apply under the proposed legislative arrangements.

4.29.Sections409 of the MRC Act and s 151A of the DRC Act are concerned with the disclosure of information by the MRCC and place certain restrictions on what can be done with that information by the recipient. These provisions do not concern the collection of the relevant information either initially or by the recipient person or entity. Accordingly, the provisions will not operate to displace the ordinary operation of the Privacy Act with respect to the collection of information either initially by the MRCC, or in turn by the CSC. Relevant requirements in APPs 3 and 5concerning the collection of information are noted briefly in turn below.

4.30.First, APP 3 specifies when an APP entity may collect solicited personal information. Personal information is solicited by an APP entity if it explicitly requests another entity to provide personal information, or it takes active steps to collect personal information.

4.31.For an APP entity that is an agency for the purposes of the Privacy Act, APP 3 relevantly requires:

• the agency:

–must not collect personal information (other than sensitive information)unless the information is reasonably necessary for, or directly related to, the agency’s functions or activities