Home | Databases | WorldLII | Search | Feedback Australian Parliamentary Joint Committee on Human Rights

Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 and Related Bills [2020] AUPJCHR 13 (5 February 2020)

Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 and related bills^[1]

Collection and disclosure of personal information

1.187 The Commonwealth Registers Bill 2019, Treasury Laws Amendment (Modernisation and Other Measures) Bill 2019, Business Names Registration (Fees) Amendment (Registries Modernisation) Bill, Corporations (Fees) Amendment (Registries Modernisation) Bill 2019 and the National Consumer Credit Protection (Fees) Amendment (Registries Modernisation) Bill 2019 constitute a legislative package designed to establish a new business registry regime.^[2]

1.188 The package seeks to consolidate the business registers administered by the Australian Securities and Investments Commission (ASIC) and Australian Business Registry, and provides for the appointment and functions of a registrar who would be responsible for administering the new registers regime.^[3]

1.189 The bills would establish a legal framework by which all directors of bodies corporate registered under the Corporations Act 2001 (Corporations Act) or Corporations (Aboriginal and Torres Strait Islander) Act 2006 would be required to apply for, and hold, a permanent unique director identification number (DIN). The new registrar would be required to issue a director with a DIN, where they are satisfied the director's identity has been established, and keep a record of the DINs issued to directors.^[4] This process would involve the disclosure of personal information to the registrar.

1.190 The bills would enable the registrar to make, by legislative instrument, data standards on matters relating to the performance of their functions and exercise of their powers.^[5] These may address a range of issues relating to the collection and disclosure of information, including:

• the type of information which may be collected by the registrar to perform their functions and exercise their powers;

• how such information may be collected;

• the manner and form in which such information is given to the registrar;

• what information is given to the registrar;

• how information held by the registrar is to be stored; and

• the integration or linking of information held by the registrar.^[6]

1.191 The Commonwealth Registers Bill would regulate the disclosure of 'protected information' by the registrar,^[7] which could include personal information. 'Protected information' is defined broadly to mean information which is obtained by a person in the course of the person's official employment; and disclosed to the person or another person, or obtained by the person or another person under, or in relation to, this bill, or under another law of the Commonwealth in connection with particular functions or powers of the Registrar.^[8]

1.192 The Commonwealth Registers Bill would empower the registrar to make a disclosure framework relating to disclosing protected information.^[9] The framework may set out the circumstances in which: protected information must not be disclosed without the consent of the person to whom the information relates; de-identified personal information may be disclosed; protected information may be disclosed to the general public; and confidentiality agreements are required for disclosure of protected information.^[10] The framework may also impose conditions on the disclosure of protected information.^[11] The framework must not permit the disclosure of protected information unless the registrar is satisfied that the benefits of disclosure outweigh the risks of disclosure, taking into account any mitigation of those risks in accordance with the disclosure framework.^[12]

1.193 The Commonwealth Registers Bill would create an offence for a person who is, or has been, in official employment to make a record of information or disclose information to another person, where they obtained that information in the course of their official employment.^[13]

Preliminary international human rights legal advice

Right to privacy

1.194 As these bills seek to confer a range of powers and functions on the new registrar, including the collection and disclosure of personal information, the measures engage and may limit the right to privacy. This is acknowledged in the statement of compatibility accompanying the suite of bills.^[14] The right to privacy encompasses respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information; and the right to control the dissemination of information.^[15] The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, the measure must pursue a legitimate objective and be rationally connected and proportionate to achieving that objective.^[16]

Legitimate objective and rational connection

1.195 The statement of compatibility explains that the collection of personal information by the registrar in accordance with data standards 'is required for the effective operation of the registry regime'.^[17] In relation to the disclosure of information, the statement of compatibility explains that there are a number of circumstances in which disclosure is authorised, including:

• where it is for the purposes of the new regime, or in the course of the person's official employment, or to be used by another official in the course of their employment;

• where the person to whom the information relates consents to the disclosure; or

• in accordance with the disclosure framework.^[18]

1.196 The statement of compatibility sets out the objectives of these measures:

These disclosures achieve a number of legitimate objectives, and ensure that the new registry regime can be effectively administered.
In relation to disclosure within Government, registry information that is required for the administration of other Australian laws is made available for that purpose. Disclosure with consent achieves the benefit of allowing data to be used for other purposes with a public benefit so long as each person to whom the data relates consents to the disclosure.
Disclosure in accordance with the disclosure framework is intended to provide the registrar with flexibility that will provide broader public benefits in the future. It is envisaged that the ability to make a disclosure framework will provide the registrar with flexibility regarding the release of registry information. For example, the framework could allow a trusted user (for instance a university whose IT systems, processes and staff have been vetted) to access information that may not be appropriate for wider dissemination where a social benefit exists and appropriate undertakings are made.^[19]

1.197 In relation to disclosure within government, ensuring the effective operation of the registry regime and facilitating the administration of other laws may be capable of constituting legitimate objectives under international human rights law. Further, these measures would appear to be rationally connected to those objectives. However, in relation to disclosure in accordance with the disclosure framework, it is unclear what is meant by the term 'public benefit' in the statement of compatibility. Further information as to the nature of this 'public benefit' is required to determine whether the disclosure of personal information under the disclosure framework pursues a legitimate objective for the purposes of international human rights law, bearing in mind that to be capable of justifying a proposed limitation on human rights, a legitimate objective must address a pressing or substantial concern, and not simply seek an outcome regarded as desirable or convenient.^[20]

Proportionality

1.198 It is also necessary to consider whether the power to collect information pursuant to data standards, or to disclose information pursuant to a disclosure framework, is a proportionate limit on the right to privacy. In relation to the scope of information which may potentially be collected and disclosed, the statement of compatibility explains that:

While the making of the data standards is a matter for the registrar, it is likely that personal information about company officers, financial service licensees and other persons on the current business registers will be collected. This is because such information is required for the effective operation of the registry regime.^[21]

1.199 It is not clear what personal details of such officers and licensees is likely to be collected, although it would appear to be restricted to the relevant business context. However, the type of information which may be disclosed under the proposed disclosure framework appears to be quite broad, extending to any information obtained and disclosed by a person in the course of their official employment under the relevant Act, or under another Commonwealth law in connection with the functions or powers of the registrar.^[22] This raises concerns as to whether the measures are sufficiently circumscribed. Further information about the nature and scope of the personal information which is likely to be collected and disclosed under the new regime is therefore necessary to determine whether these measures constitute a proportionate limitation on the right to privacy.

1.200 The availability of adequate safeguards to protect the right to privacy is relevant to assessing the proportionality of a measure that engages and limits that right. In this regard, it is noted that there are penalties in place for persons who engage in unauthorised recording, disclosure or use of protected information.^[23] In addition, the disclosure framework enabled by section 16 of the Commonwealth Registers Bill could potentially contain additional safeguards on the disclosure of protected information. Subsection 16(2) of the Commonwealth Registers Bill 2019 provides that the disclosure framework may require that protected information only be disclosed in circumstances where the person to whom the information relates has consented to the disclosure,^[24] and the intended recipient is subject to the Australian Privacy Principles and has entered into a confidentiality agreement.^[25] However, whether the disclosure framework contains sufficient safeguards to protect the right to privacy will ultimately depend on how the framework is drafted.

1.201 In this regard, it is noted that subsection 16(5) of the Commonwealth Registers Bill states that the disclosure framework must not permit the disclosure of protected information unless the registrar is satisfied that the benefits of disclosure outweigh the risks of disclosure, taking into account any mitigation of those risks in accordance with the disclosure framework. This may serve as a safeguard on the right to privacy, however there is no mandatory requirement that the registrar expressly consider the right to privacy in making such an assessment. Consequently, whether this would be effective safeguard would depend on the content of the disclosure framework and how the measure operates in practice.

1.202 In order to assess the implications of these measures with regards to the right to privacy, further information is required as to:

• what is meant by the term 'public benefit' in relation to the disclosure of information by the registrar in accordance with disclosure framework, and whether it would constitute a legitimate objective for the purposes of international human rights law;

• the nature and scope of the personal information which is likely to be collected and disclosed under the new regime;

• whether the disclosure framework set out in section 16 of the Commonwealth Registers Bill 2019 is sufficiently circumscribed and accompanied by adequate safeguards (having regard to, but not limited to, the matters set out at subsection 16(2));

• whether there exists a detailed outline of the proposed disclosure framework insofar as it relates to the right to privacy; and

• any other matters relevant to the adequacy of safeguards in relation to the collection, use, disclosure and detention of personal information pursuant to this suite of bills.

Committee view

1.203 The committee notes the package of bills would establish a new Commonwealth business registry regime and sets out when personal information relating to the registry regime may be collected and disclosed. The committee notes the legal advice on these bills. In order to assess whether these measures constitute a proportionate limitation on the right to privacy, the committee seeks the Treasurer's advice as to the matters set out at paragraph [1.202].

[1] Commonwealth Registers Bill 2019; Business Names Registration (Fees) Amendment (Registries Modernisation) Bill 2019; Corporations (Fees) Amendment (Registries Modernisation) Bill 2019; and National Consumer Credit Protection (Fees) Amendment (Registries Modernisation) Bill 2019. The committee commented on these bills as they were previously introduced into the Parliament in Report 2 of 2019, seeking further information. This entry can be cited as: Parliamentary Joint Committee on Human Rights, Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 and related bills, Report 1 of 2020; [2020] AUPJCHR 13.

[2] Statement of compatibility, p. 63.

[3] Explanatory memorandum, p. 6.

[4] See Corporations (Aboriginal and Torres Strait Islander) Act 2006, proposed section 308-5; Corporations Act 2001 (Corporations Act), proposed section 1272.

[5] Commonwealth Registers Bill, proposed subsection 13(1).

[6] The Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 inserts equivalent provisions into the National Consumer Credit Protection Act 2009 (NCCP Act) (proposed section 212H), the Business Names Registration Act 2011 (Business Names Registration Act) (proposed section 62H), and the Corporations Act (proposed section 1270G).

[7] Commonwealth Registers Bill, Part 4.

[8] Commonwealth Registers Bill, section 5. The Treasury Laws Amendment (Registries Modernisation and Other Measures) Bill 2019 seeks to insert the same definition of 'protected information' into the Corporations Act, section 9; Business Names Registration Act, section 3; and the NCCP Act, section 5(1).

[9] Proposed section 16.

[10] Commonwealth Registers Bill, proposed subsection 16(2).

[11] Commonwealth Registers Bill, proposed subsection 16(2).

[12] Commonwealth Registers Bill, proposed subsection 16(5).

[13] Commonwealth Registers Bill, proposed section 17. Subsection 17(2) would create an exemption to this offence where the disclosed information is authorised by subsection 17(3), namely where: the recording or disclosure is for the purposes of the Act; the recording or disclosure happens in the course of the performance of the duties of the person's official employment; the disclosure is to another person to use in the course of their official employment and performance or exercise of the functions or powers of a government entity; each person to whom the information relates consents to the disclosure; or the disclosure is in accordance with the disclosure framework.

[14] Statement of compatibility, pp. 69-72.

[15] International Covenant on Civil and Political Rights, article 17.

[16] See, for example, Leyla Sahin v Turkey, European Court of Human Rights (Grand Chamber) Application No. 44774/98 (2005); Al-Adsani v United Kingdom, European Court of Human Rights (Grand Chamber) Application No. 35763/97 (2001) [53] - [55]; Manoussakis and Others v Greece, European Court of Human Rights, Application No. 18748/91 (1996) [36] - [53]. See also the reasoning applied by the High Court of Australia with respect to the proportionality test in Lange v Australian Broadcasting Corporation [1997] HCA 25.

[17] Statement of compatibility, p. 70.

[18] Statement of compatibility, p. 71.

[19] Statement of compatibility, pp. 71-72.

[20] See, Parliamentary Joint Committee on Human Rights, Guidance Note 1 – Drafting Statements of Compatibility.

[21] Statement of compatibility, p. 70.

[22] Commonwealth Registers Bill 2019, section 5.

[23] Commonwealth Registers Bill, subsection 17(1).

[24] Commonwealth Registers Bill, subsection 16(2)(a).

[25] Commonwealth Registers Bill, subsections 16(2)(e)-(f).