Commonwealth Numbered Acts
[Index]
[Table]
[Search]
[Search this Act]
[Notes]
[Noteup]
[Previous]
[Download]
[Help]
DATA-MATCHING PROGRAM (ASSISTANCE AND TAX) ACT 1990 No. 20 of 1991 - SCHEDULE
SCHEDULE Section 12
DATA-MATCHING PROGRAM (ASSISTANCE AND TAX) GUIDELINES Scope of Operation 1.
These Guidelines apply to, and only to, the matching program referred to in
the Data-matching Program (Assistance and Tax) Act 1990 ("the Act").
Definitions 2.1 Any term used in these Guidelines has:
(i) where it is defined in the Act, that meaning; or
(ii) where it is not defined in the Act but is defined in the
Privacy Act 1988, that meaning. 2.2 In addition the following terms
used in these Guidelines have the following meanings:
(a) "Program" refers to the data-matching program as defined in the Act;
(b) "Discrepancy" refers to a result of the program which warrants further
action by any relevant data agency for the purposes of giving effect
to the program;
(c) "action" refers to the actions set out in section 10 of the Act. Basis
of Program 3.1 A program protocol must be prepared by the
matching agency in consultation with the source agencies before 1
April 1991 and must -
(i) identify the matching agency and the source agencies;
(ii) in the case of each data agency, set out the legal basis for any
collection, use or disclosure of personal information involved in the
program;
(iii) outline the objectives of the program, the procedures to be employed,
the nature and frequency of the matching covered by the program, and
the justifications for the program;
(iv) explain what methods other than data-matching were available and why
they were rejected;
(v) detail any cost/benefit analysis or other measures of effectiveness
which were taken into account in deciding to initiate the program;
(vi) outline the technical controls proposed to ensure data quality,
integrity and security in the conduct of the program;
(vii) provide an explanation for any use of identification numbers and, in
particular, the tax file numbers;
(viii) outline the nature of the action proposed to be taken in relation to
the results of the program including the pro formas of any letters to
be used by source agencies when providing notice under section 11 of
the Act;
(ix) indicate what form of notice, if any, of the proposed activities in
relation to their personal information has been given or is intended
to be given to affected individuals; and
(x) specify any time-limits on the conduct of the program.
The Program Protocol must be filed with the Privacy Commissioner and available
for public inspection unless the Privacy Commissioner is satisfied that to do
so would be or would be likely to be contrary to the public interest (e.g. by
prejudicing the integrity of legitimate investigative methods). 3.2 Agencies
must comply with the Program Protocol. 3.3 Source agencies must take all
reasonable steps to ensure that their clients are informed that a Program
Protocol which outlines the nature and purposes of the data-matching program
is available from the Privacy Commissioner. Technical Standards in relation to
data quality, integrity and security 4.1 Technical Standards Report: Detailed
technical standards must be established by the matching agency to govern the
conduct of the program. They should deal with the following matters:
(i) integrity of data supplied by source agencies, referring in particular
to: key terms and their definition, relevance, timeliness and
completeness;
(ii) matching techniques, referring in particular to: the matching
algorithm, any use of identification numbers especially tax
file numbers, the nature of the matters being sought to be identified
by the matching process, the relevant data definitions and the
procedure for recognising matches;
(iii) controls being employed to ensure the continued integrity of the
program including the procedures that have been established to confirm
the validity of matching results;
(iv) security features included within the program to minimise and audit
access to personal information. 4.2 These matters should be dealt with
in a Technical Standards Report to be held by the matching agency and
copies held by the source agencies. A draft Report must be finalised
before 1 April 1991 and the final report before 1 July 1991, taking
account of initial experience of the operation of the program. Any
subsequent variations to the technical standards should be the subject
of a Variation Report appended to the original Report. 4.3 The Privacy
Commissioner has the power to require that the content of the draft
and final Technical Standards Reports be varied. Non-compliance with
the variations will be taken as a breach of the Guidelines and be
subject to investigation in accordance with section 13 of the Act. 4.4
Agencies must comply with the Technical Standards Report. Safeguards
for individuals affected by the results of programs Fairness 5.1 The
source agencies must establish reasonable procedures for confirming
the validity of results before relying on them as a basis for
administrative action against an individual, unless there are
reasonable grounds to believe that such results are not likely to be
in error. In forming that view, regard is to be had to the consistency
in content and context of data being matched. 5.2 Where such
confirmation procedures do not take the form of checking the results
against the source data but instead involve direct communication with
the affected individual, the source agency shall notify the affected
individual that no check has been made against the records which
formed the basis for the data supplied for the program. The
notification must include (either in the letter or by way of an
attachment) an explanation of the procedures that are involved in the
examination of a discrepancy as well as the rights of complaint under
the Privacy Act 1988. 5.3 If there is a dispute as to the accuracy of
the data or the proposed action which the source agency does not
concede, it must inform the individual of the rights of complaint
conferred by the Privacy Act 1988. Any further action taken by the
agency must, unless otherwise provided by law, not interfere with an
individual's opportunity to exercise any rights of appeal or review.
5.4 Wherever data supplied by a person prior to 1 January 1991, is to
be used, or is likely to be used, in a data-matching program, the
person who has supplied the data shall be notified in writing either
before the data is first used or as soon as practicable thereafter
that the data is likely to be used for this purpose. Record Controls
6.1 No Discrepancy: Personal information used in a matching cycle that
does not lead to a discrepancy must be destroyed by the
matching agency as soon as is practicable after the beginning of Step
5 in the cycle. In any case, destruction of the information must not
occur later than 24 hours after the beginning of Step 5 of the cycle
unless additional time is required because of a computer malfunction
or industrial action. 6.2 Discrepancy: In cases where a discrepancy
occurs as a result of Steps 1, 4 and 5 in a data-matching cycle, the
results must be supplied to the relevant source agency within 7 days
of completion of the relevant step. Source agencies must deal with the
results in accordance with section 10 of the Act. If, during the
period referred to in that section or at any later time, a decision
not to take further action is made, wherever practicable the
information must be destroyed within 14 days. 6.3 On final completion
of the action commenced in accordance with section 10 (1) of the Act,
all information which gave rise to such action is to be destroyed. For
the purposes of this guideline "final completion of the action" means:
(i) in the situation where, at the expiration of twelve months from
the commencement of action in accordance with section 10 (1),
the case is under the control of the Australian Federal Police
and is proceeding to the satisfaction of the source agency -
when all investigation action, legal proceedings and repayment
of debts due to the Commonwealth is finalised;
(ii) in the situation where, at the expiration of twelve months from
the commencement of action in accordance with section 10 (1),
the case is under the control of the Director of Public
Prosecutions and is proceeding to the satisfaction of the
source agency - when all legal proceedings and repayment of
debts due to the Commonwealth are finalised;
(iii) in the situation where, at the expiration of twelve months from
commencement of action in accordance with section 10 (1), a
debt due to the Commonwealth remains outstanding and action is
being taken to recover it - when the debt is fully recovered,
waived or written off; and
(iv) in all other situations, within twelve months from the date of
commencement of action in accordance with section 10 (1). No
New Databank 7.1 Subject to paragraph 7.2 below, source
agencies must not permit the information used in the program to
be linked or merged in such a way that a new separate permanent
register (or databank) of information is created about any, or
all of the individuals whose information has been subject to
the program. 7.2 Paragraph 7.1 does not prevent a source agency
from maintaining a register of individuals in respect of whom
further inquiries are warranted following the decision required
by section 10 of the Act. 7.3 After the completion of action in
relation to an individual that is taken in accordance with
clause 10, the source agency must delete any information that
relates to that action from any register of the type described
in paragraph 7.2. Reports and Monitoring by the Privacy
Commissioner 8. The Privacy Commissioner is to be responsible
for monitoring the compliance with these Guidelines and giving
advice to the relevant matching and source agencies as to their
responsibilities under the Guidelines. 9. The matching and
source agencies must report to the Privacy Commissioner on a
periodic basis as agreed with the Privacy Commissioner. The
Commissioner may require an agency to report on any relevant
matter, including any of the following matters:
(i) actual costs and benefits flowing from the program;
(ii) any non-financial factors that are considered relevant;
(iii) difficulties in the operation of the program and how these have been
overcome;
(iv) the extent to which internal audits or other forms of assessment have
been undertaken by agencies and their outcome;
(v) examples of circumstances in which the giving of notice under
section 11 would prejudice the effectiveness of an investigation into
the possible Commission of an offence; and
(vi) such other matters as: the total number of matches undertaken, the
proportion of matches that result in discrepancies, the number of
discrepancies, proportion of discrepancies which resulted in action
being taken, the number of instances of subsequent action being taken,
the number of cases in which action proceeded despite a challenge as
to the accuracy of the data, the proportion of discrepancies which did
not proceed to action after the individual was contacted; and the
number of cases where successful recovery action occurred. 10.1 The
Privacy Commissioner must include in his annual report an assessment
of the extent of the program's compliance with the Act, these
Guidelines and the Privacy Act 1988; and to that end, may exercise any
of the powers as to investigation and audit contained in the
Privacy Act 1988. 10.2 Agencies must report their data-matching
activities under this Act in their annual entry for the Personal
Information Digest of the Privacy Commissioner. 11. These Guidelines
are additional to provisions of the Privacy Act 1988 including the
Information Privacy Principles. 12. The matching agency and each
source agency must table a comprehensive report in both Houses of
Parliament six months after the commencement of the first
data-matching cycle. These reports are to include all of the following
details:
(i) actual cost and benefits flowing from the program;
(ii) any non-financial factors that are considered relevant;
(iii) difficulties in the operation of the program and how these have
been overcome;
(iv) the extent to which internal audits or other forms of
assessment have been undertaken by agencies and their outcome; and (v)
such other matters as: the total number of matches undertaken, the proportion
of matches that result in discrepancies, the number of discrepancies, the
proportion of discrepancies which resulted in action being taken, the number
of instances of subsequent action being taken, the number of cases in which
action proceeded despite a challenge as to the accuracy of the data, the
proportion of discrepancies which did not proceed to action after the
individual was contacted; and the number of cases where successful recovery
action occurred.
AustLII: Copyright Policy
| Disclaimers
| Privacy Policy
| Feedback