Home | Databases | WorldLII | Search | Feedback Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Identity-Matching Services Bill 2018 - Commentary on Ministerial Responses [2018] AUSStaCSBSD 138 (9 May 2018)

Identity-matching Services Bill 2018

2.57 The committee dealt with this bill in Scrutiny Digest No. 2 of 2018. The minister responded to the committee's comments in a letter dated 4 April 2018. Set out below are extracts from the committee's initial scrutiny of the bill and the minister's response followed by the committee's comments on the response. A copy of the letter is available on the committee's website.^[25]

Privacy^[26]

Initial scrutiny – extract

2.58 The bill seeks to facilitate the exchange of identity information between the Commonwealth and state and territory governments and certain other agencies in accordance with an intergovernmental agreement entered into in October 2017. The type of identity information that may be shared includes a person's name (current and former); address (current and former); place and date of birth; current or former sex, gender identity or intersex status; any information contained in a driver's licence, passport or visa and a facial image of the person.^[27]

2.59 The bill seeks to provide that the secretary of the Home Affairs department may develop, operate and maintain an interoperability hub.^[28] The explanatory memorandum explains that this hub will facilitate data-sharing between agencies on a query and response basis without storing any personal information (with passport, visa and citizenship images continuing to be held by the Commonwealth agencies that issue the documents).^[29] The bill also seeks to provide that the Home Affairs secretary may develop, operate and maintain a National Driver Licence Facial Recognition Solution (NDLFRS), which the explanatory memorandum states will consist of 'a federated database of identification information contained in government identification documents (initially driver licences) issued by state and territory authorities' and a facial recognition system for biometric comparison of facial images against those held in the database.^[30] This would appear to authorise the creation of a database that does store personal information. In addition, the bill provides that the Home Affairs department may collect, use or disclose identification information about an individual if that collection occurs via the interoperability hub or the NDLFRS and is for a specified purpose.^[31] Identification information may be collected or disclosed for the following purposes:^[32]

• providing or developing an identity-matching service for identity and community protection activities, being an activity for:

• preventing and detecting identity fraud;

• preventing, detecting, investigating or prosecuting a federal, state or territory offence or starting or conducting proceedings for proceeds of crime;

• investigating or gathering intelligence relevant to national security;

• checking the background of a person with access to an asset, facility or person associated with government or protecting a person with a legally assumed identity or under witness protection;

• promoting community safety, including identifying a person suffering or at risk of suffering physical harm (including missing or deceased persons or those affected by disaster) and a person reasonably believed to be involved in a significant risk to public health or safety;

• promoting road safety, including the integrity of driver licensing systems; and

• verifying the identity of an individual;^[33]

• developing, operating or maintaining the NDLFRS; or

• protecting the identities of persons who have legally assumed identities or are under witness protection.

2.60 An identity-matching service is defined as including a number of listed services, including:

• the Face Identification Service (FIS): for use by law enforcement, national security and corruption agencies to identify unknown individuals from a facial image, or detect persons using multiple identities;^[34]

• the Facial Recognition Analysis Utility Service (FRAUS): for use by state and territory agencies (including local government authorities and non-government entities that meet certain conditions) to compare facial images to test the accuracy and quality of their data;^[35]

• the Face Verification Service (FVS): for use by state and territory agencies (including local government authorities and non-government entities that meet certain conditions) to verify a person's claimed or suspected identity;^[36]

• the Identity Data Sharing Service (IDSS): for use by Commonwealth, state and territory agencies to share identification information from one entity to another through the interoperability hub;^[37]

• the One Person One Licence Service (OPOLS); for use by state and territory authorities to compare facial images and other biographical information held in the NDLFRS;^[38] and

• a service prescribed by the rules that involves the collection, use and disclosure of identification information and involves the interoperability hub or the NDLFRS. Rules can only be made to authorise a request from a local government authority or non-government entity if it is reasonably necessary to verify the individual's identity and the individual has given consent for this.^[39]

2.61 These provisions would give a broad power for the Home Affairs department to collect, use and disclose personal information for a wide range of purposes to a wide range of government agencies (and some local government authorities and private entities). The committee notes its terms of reference include considering whether provisions of a bill would unduly trespass on personal rights and liberties.^[40] This bill has clear implications for the privacy of the millions of individuals whose facial images and other biographical information will be available for collection, use and disclosure. The committee's view is that when provisions of a bill trespass on privacy the explanatory materials accompanying the bill should contain a clear explanation justifying this interference. In this instance, the statement of compatibility has provided a detailed analysis of the privacy implications of the bill.

2.62 While the committee considers there are a number of safeguards in the bill to help to protect privacy, the committee remains concerned that the bill may unduly trespass on personal rights and liberties in that it seeks to enable the sharing of an extensive amount of personal information for a broad range of purposes to a broad range of agencies (including private sector agencies), in particular that:

• information can be shared for preventing, detecting, investigating or prosecuting any federal, state or territory offence, for road safety or for identity verification more broadly. This could allow state and territory agencies to share and seek to match facial images and other biographical information for persons suspected of involvement in very minor offences, such as jaywalking, or for verifying the identity of an individual for any purpose; and

• one-to-many face matching, which involves comparing a facial image against multiple facial images, can involve the collection, use and disclosure of information about individuals who may not be the subject of the request (but who may look similar to the subject of the request), meaning such persons may become caught up in an investigation despite having no link to the investigation.^[41]

2.63 The committee is also concerned that while the explanatory materials state that a number of privacy safeguards will apply in relation to the sharing of personal identification information, many of these stated safeguards are not contained in the bill:

• the statement of compatibility notes that under the intergovernmental agreement there are a range of steps that the entities seeking access to the services will need to comply with.^[42] However, these requirements are not set out in the bill. There is also no information in the bill as to what the agency which receives the personal information does with that information following receipt. The statement of compatibility notes that the bill has been developed on the basis that 'other agencies or organisations participating in the identity-matching services must have their own legal authority to do so, and must comply with legislated privacy protections that apply to them';^[43]

• the statement of compatibility states that the design of the FIS will limit the amount of identification information released about an individual, stating:

It will do this by first returning a limited gallery of possible facial matches against the facial image submitted in the request, without providing any other identification information about the individuals. The user will then need to nominate a smaller shortlist of the particular facial matches for further investigation, and will only then have access to any biographic information about those individuals.^[44]

However, the statement of capability notes that these requirements are contained in the intergovernmental agreement, but not in the bill;

• while the explanatory memorandum states that 'any private sector usage of the FVS will only return a "match or no match" response, without returning images or biographic information about the person'^[45] this will be achieved under 'access policies and data sharing agreements supporting the implementation of the Bill'^[46] rather than any legislative criteria; and

• the explanatory materials provide that there will be policy and administrative safeguards in place in addition to the obligations in the bill, noting that 'requirements for privacy impact assessments before agencies access the services and compliance audits will also help to ensure the use of the FVS remains proportionate to the need, and prevent any misuse of identification information'.^[47] However, these will not be legislative requirements.

2.64 The committee seeks the minister's advice as to whether all or any of the intended policy and administrative safeguards identified in the explanatory materials can be included as legal requirements in the bill or, at a minimum, that there be a requirement in the bill that such safeguards be implemented by agencies seeking to access identification information.

Minister's response

2.65 The minister advised:

Privacy safeguards in policy and administrative arrangements
The Committee has sought my advice as to whether all or any of the intended policy and administrative safeguards identified in the explanatory materials can be included as legal requirements in the Bill or, at a minimum, that there be a requirement in the Bill that such safeguards be implemented by agencies seeking to access identification information.
The identity-matching services referred to in the Bill are supported by a broad system of controls and arrangements that govern the provision and use of the services. This includes the Intergovernmental Agreement on Identity Matching Services (the IGA) signed by the Prime Minister and first ministers of each of the states and territories in October 2017, and the formal data-sharing agreements between the Department of Home Affairs (the Department) and each of the participating agencies.
The Bill is just one aspect of these arrangements, and forms part of a broader network of legislation, both Commonwealth and state/territory, that will govern the sharing of identification information through the services. The Bill is primarily intended to provide the Department with the legal authority to operate the interoperability hub through which the majority of the services are transmitted, and to host of the National Driver Licence Facial Recognition Solution (NDLFRS), which will make state and territory driver licences available through the services.
The Committee has noted that the Bill does not set out what an agency which receives information through the services does with the information following its receipt. The Bill does not seek to, nor does it, authorise other agencies to share information through the services. Each agency's use of information it receives through the services will be governed by its own legal authority to collect, use and disclose the information for particular purposes, including any legislated protections that apply to the agency under Commonwealth, state or territory privacy legislation.
By taking this approach, the Bill avoids providing a blanket authorisation for all information-sharing that occurs through the services. Where an agency seeks to obtain information from another agency through the services, both the requesting agency and data-holding agency will need to have a legal basis to share information with the other. This is no different to current data-sharing arrangements. Much of the information-sharing that will occur through the services is already taking place based on existing legal authorities and using existing systems. The Bill will simply enable the Department to develop and operate the technical systems needed to offer agencies the tools to conduct their information-sharing in a more secure, accountable and auditable way.

The Government considers that the protections already contained in the Bill, and the obligations imposed by the IGA, provide a strong degree of protection for the information transmitted through the identity-matching services. The Bill is appropriately focused on providing authorisations that are required by the Department in order to operate the systems supporting the services, and place appropriate safeguards around the operation of those systems by the Department. Any expansion of this scope to regulate users of the services, or otherwise impose obligations on other entities will add significant complexity to the Bill and may be inconsistent with, or unnecessarily duplicate, other Commonwealth, state and territory legislation that already regulates the handling of information by the various users of the services.

Committee comment

2.66 The committee thanks the minister for this response. The committee notes the minister's advice that the identity-matching services in the bill are supported by a broad system of controls and arrangements, including the Intergovernmental Agreement on Identity Matching Services (IGA) and formal data-sharing agreements between the Department of Home Affairs and participating agencies. The committee also notes the minister's advice that the bill forms part of a broader network of both Commonwealth and state and territory legislation that will govern the sharing of information and is primarily intended to provide the legal authority for the Department to operate the interoperability hub and host the NDLFRS. The committee also notes the advice that the bill does not authorise other agencies to share information through the services and each agency's use of information it receives 'will be governed by its own legal authority to collect, use and disclose the information for particular purposes'. The committee also notes the advice that the government considers that the protections in the bill and the obligations in the IGA provide a strong degree of protection for the information transmitted through the identity-matching services, and any expansion of the scope to regulate or impose obligations on users or entities will add significant complexity to the bill and may be inconsistent or duplicative of existing information handling laws.

2.67 The committee reiterates that this bill has clear implications for the privacy of the millions of individuals whose facial images and other biographical information will be available for collection, use and disclosure. The committee reiterates its concern that the bill may unduly trespass on personal rights and liberties in that it seeks to enable the sharing of an extensive amount of personal information for a broad range of purposes to a broad range of agencies (including private sector agencies). The committee remains concerned that while the explanatory materials and the minister's response states that a number of privacy safeguards will apply in relation to the sharing of personal identification information, many of these stated safeguards are not contained in the bill, and rely on assurances that there are appropriate safeguards in processes that are outside the Commonwealth Parliament's control. The committee considers that the bill should provide, at a minimum, that agencies seeking to access identification information are bound by and satisfy certain minimum privacy safeguards.

2.68 The committee considers that the bill may unduly trespass on personal rights and liberties and draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of establishing a scheme to allow for the collection, use and disclosure of an extensive amount of personal information for a broad range of purposes to a broad range of agencies and entities, without adequate safeguards being contained in the bill.

Consultation prior to making delegated legislation^[48]

2.69 The bill seeks to facilitate the exchange of identity information between the Commonwealth and state and territory governments. Clause 5 sets out a definition of 'identification information' which includes any information that is prescribed by the rules and relates to the individual (subject to subclause 5(2) which sets out the type of information which is not identification information). Subclause 5(4) provides that before making rules prescribing such information the minister must, in addition to being satisfied that the information is reasonably necessary to identify the person and assist in the activities set out in the bill, consult the Human Rights Commissioner and the Information Commissioner. In addition, clause 7 sets out the definition of an 'identity-matching service', which includes certain services prescribed by the rules. Subclause 7(5) also provides that before making such rules the minister must consult the Human Rights Commissioner and the Information Commissioner.

2.70 Where the Parliament delegates its legislative power in relation to significant regulatory schemes the committee considers that it is appropriate that specific consultation obligations (beyond those in section 17 of the Legislation Act 2003) are included in the bill, and so welcomes the inclusion of this specific requirement to consult. However, the committee also considers that it would be appropriate for the bill to provide that compliance with these obligations is a condition of the validity of the legislative instrument. The committee also notes that, given the significant privacy implications of defining what constitutes 'identification information', it may be appropriate that the minister provide reasons if rules are made that are inconsistent with any advice provided by the Human Rights Commissioner or Information Commissioner, to ensure the expertise of such commissioners has been given appropriate weight in the decision making process.

2.71 The committee also notes that these significant matters are to be included in 'rules' rather than in 'regulations'. The issue of the appropriateness of providing for significant matters in legislative rules (as distinct from regulations) is discussed in the committee's First Report of 2015.^[49] In relation to this matter, the committee has noted that regulations are subject to a higher level of executive scrutiny than other instruments as regulations must be approved by the Federal Executive Council and must also be drafted by the Office of Parliamentary Counsel (OPC). Therefore, if significant matters are to be provided for in delegated legislation (rather than primary legislation) the committee considers they should at least be provided for in regulations, rather than other forms of delegated legislation which are subject to a lower level of executive scrutiny.^[50]

2.72 The committee seeks the minister's advice as to the appropriateness of amending the bill to provide:

• that the minister must, after consulting the Human Rights Commissioner and the Information Commissioner, have regard to any submissions made by those commissioners prior to making any rules; and

• if the minister makes rules that are inconsistent with the advice provided by the commissioners, that the minister provide reasons explaining why the rules depart from that advice.

2.73 The committee also requests the minister's advice as to why it is appropriate to include these matters in rules rather than regulations.

Minister's response

2.74 The minister advised:

Consideration of submissions by Human Rights Commissioner and Information Commissioner when making rules
The Committee has also sought my advice as to the appropriateness of amending the Bill to provide that the Minister must, after consulting the Human Rights Commissioner and the Information Commissioner, have regard to any submissions made by those commissioners prior to making any rules; and, if the Minister makes rules that are inconsistent with the advice provided by the commissioners, that the Minister provide reasons explaining why the rules depart from that advice.
The requirements already contained in the Bill to consult with the Human Rights Commissioner and the Information Commissioner when making rules are important accountability measures that will ensure that human rights and privacy issues are appropriately considered. The additional requirements recommended by the Committee would be an appropriate addition to these measures that will further enhance their efficacy. I accept the Committee's proposal in this regard, and will propose government amendments to this effect.
The appropriateness of rules rather than regulations
The Committee has also sought my advice as to why it is appropriate to include additional types of identification information or new identity-matching services in rules rather than regulations.
I am advised that the use of rules rather than regulations is consistent with the Office of Parliamentary Counsel's Drafting Direction No. 3.8 - Subordinate Legislation. Paragraph 2 of that Drafting Direction states that:
"OPC's starting point is that subordinate instruments should be made in the form of legislative instruments (as distinct from regulations) unless there is good reason not to do so".
Consistent with paragraph 16 of the Drafting Direction, the approach of including new identification information or identity-matching services in rules rather than regulations has a number of advantages including:

• it facilitates the use of a single type of legislative instrument when needed for the Act, thereby reducing the complexity that would otherwise exist if different matters were to be prescribed across more than one type of instrument,

• it enables the number and content of legislative instruments made under the Act to be rationalised,

• it simplifies the language and structure of the provisions in the Bill that provide the authority for the legislative instruments, and

• it shortens the Bill.

Due to these advantages, paragraph 17 of the Drafting Direction states that drafters should adopt this approach where appropriate with new Acts.
The Drafting Direction states that matters such as offence or civil penalty provisions, powers of arrest, detention, entry, search or seizure, the imposition of a tax, appropriations, and amendments to the text of an Act should be included in regulations unless there is a strong justification for prescribing those provisions in another type of legislative instrument. The Bill does not enable rules to include any of these types of provisions, and subclause 30(2) of the Bill specifically prohibits this for the avoidance of doubt. As rules made under the Bill will not be able to provide for these matters, it is appropriate that the matters that are able to be prescribed under the Bill are prescribed in rules rather than regulations.
In addition, clause 30 clarifies that rules made under the Bill will be legislative instruments for the purpose of the Legislation Act 2003. Under sections 38 and 39 of that Act, all legislative instruments and their explanatory statements must be tabled in both Houses of the Parliament within 6 sitting days of the date of registration of the instrument on the Federal Register of Legislation. Once tabled, the rules will be subject to the same level of Parliamentary scrutiny as regulations, including consideration by the Senate Standing Committee on Regulations and Ordinances. Subclauses 30(3) and (4) further clarify that rules made under the Bill will be subject to disallowance and sunsetting, even though they would otherwise be exempt from these requirements because the Bill facilitates the operation of a scheme involving the Commonwealth and one or more States.
These measures will ensure that appropriate oversight mechanisms are in place for any rules made under the Bill.

Committee comment

2.75 The committee thanks the minister for this response. The committee notes the minister's advice that requirements in the bill to consult with the Human Rights Commissioner and the Information Commissioner when making rules are important accountability measures. The committee welcomes the minister's advice that he accepts the committee's recommendations and will propose government amendments to the bill to provide that the minister must, after consulting the Human Rights Commissioner and the Information Commissioner, have regard to any submissions made by those commissioners prior to making any rules and if the minister makes rules that are inconsistent with the advice provided by the commissioners, that the minister provide reasons explaining why the rules depart from that advice.

2.76 The committee also notes the minister's advice as to why it is considered appropriate to include the relevant information in rules rather than regulations, including that the bill provides that the rules are not to include matters such as offence or civil penalty provisions, powers of arrest, detention, entry, search or seizure, the imposition of a tax, appropriations, or amendments to the text of an Act.

2.77 The committee draws this matter to the attention of the Senate Standing Committee on Regulations and Ordinances for information.

2.78 In light of the minister's commitment to amend the bill in line with the committee's proposals, the committee makes no further comment on this matter.

Reversal of evidential burden of proof^[51]

2.79 Subclause 21(1) seeks to make it an offence for an entrusted person who has obtained protected information in his or her capacity as an entrusted person to make a record of the information or to disclose the information to another person. Subclause 21(2) provides an exception (offence-specific defence) to this offence, stating that the offence does not apply if the conduct is authorised by, or is in compliance with a requirement under, a Commonwealth, State or Territory law. The offence carries a maximum penalty of two years imprisonment.

2.80 Subsection 13.3(3) of the Criminal Code Act 1995 provides that a defendant who wishes to rely on any exception, exemption, excuse, qualification or justification bears an evidential burden in relation to that matter.

2.81 At common law, it is ordinarily the duty of the prosecution to prove all elements of an offence. This is an important aspect of the right to be presumed innocent until proven guilty. Provisions that reverse the burden of proof and require a defendant to disprove, or raise evidence to disprove, one or more elements of an offence, interferes with this common law right.

2.82 While in this instance the defendant bears an evidential burden (requiring the defendant to raise evidence about the matter), rather than a legal burden (requiring the defendant to positively prove the matter), the committee expects any such reversal of the evidential burden of proof to be justified. The reversal of the evidential burden of proof in clause 21 has not been addressed in the explanatory materials.

2.83 The committee notes that the Guide to Framing Commonwealth Offences^[52] provides that a matter should only be included in an offence-specific defence (as opposed to being specified as an element of the offence), where:

• it is peculiarly within the knowledge of the defendant; and

• it would be significantly more difficult and costly for the prosecution to disprove than for the defendant to establish the matter.^[53]

2.84 In this case, it is not apparent that whether the conduct is authorised by, or is in compliance with, a requirement under a Commonwealth, State or Territory law are matters peculiarly within the defendant's knowledge, and that it would be difficult or costly for the prosecution to establish the matters. These matters appear to be matters more appropriate to be included as an element of the offence.

2.85 As the explanatory materials do not address this issue, the committee requests the minister's advice as to why it is proposed to use an offence-specific defence (which reverses the evidential burden of proof) in this instance. The committee's consideration of the appropriateness of a provision which reverses the burden of proof is assisted if it explicitly addresses relevant principles as set out in the Guide to Framing Commonwealth Offences.^[54]

2.86 The committee considers it may be appropriate if proposed subclause 21(1) were amended to provide that a person commits the offence if the conduct is not authorised by, or in compliance with a requirement under, a law of the Commonwealth or of a State or Territory. The committee requests the minister's advice in relation to this matter.

Minister's response

2.87 The minister advised:

The use of an offence-specific defence
The Committee has sought my advice on why it is proposed to reverse the evidential burden of proof in relation to an offence contained in the Bill. Specifically, the Bill contains an offence for the unauthorised disclosure or recording of protected information by entrusted persons (i.e. staff or other persons working for the Department of Home Affairs). The Bill contains an exception to this offence where the conduct is authorised by, or is in compliance with a requirement under, a Commonwealth, State or Territory law. By including this as an exception to the offence, the Bill places the evidential burden of proof on a defendant to establish that their disclosure or recording of protected information was authorised under law, rather than placing the onus on the prosecution to establish that the conduct was not authorised under law. This is contrary to the standard approach that the prosecution must establish all elements of a criminal offence.
The Committee notes that the explanatory material to the Bill does not address this issue, and that the Committee's consideration of the appropriateness of the provision would be assisted if this material explicitly addressed relevant principles set out in the Guide to Framing Commonwealth Offences (the Guide).
The offence in clause 21 of the Bill has been designed to provide the greatest possible protection to the protected information contained in, transmitted through, or related to, the systems that support the identity-matching services. In developing the offence, consideration was given to the best-practice guidance in the Guide. The Guide specifically states that offence-specific defences should only be included in very limited circumstances, namely where the relevant facts are peculiarly within the knowledge of the defendant and would be significantly more difficult and costly for the prosecution to disprove than for the defendant to establish. The provision in the Bill meets these requirements.
For the offence contained in the Bill to be effective, it must be able to be prosecuted. If the defence in subclause 21(2) was included as an element of the offence itself, it would be extremely difficult for the prosecution to establish that the conduct was not authorised under any law of the Commonwealth, or a State or Territory. This could require the prosecution to examine a very large array of legislation in order to establish that there was no authorising law in the particular circumstance to the requisite burden of proof.
By contrast, it would be expected that an entrusted person with access to information in, or about, the systems, would be aware of the authorisation upon which they are relying when disclosing that information. This authorisation should be clearly documented for the particular disclosure, or would be contained in policy, procedural or legal arrangements governing business-as-usual disclosures. Any decision taken by an entrusted person to disclose protected information should be based on one or more legislative authorisations, and the particular authorisation relied on in a particular case will be known to the entrusted person.
As such, it would be considerably less onerous for the defendant to positively establish the specific legislative authorisation for their disclosure in each particular case, than for the prosecution to prove that they had no authorisation for the disclosure under any law.
The Bill has been developed to ensure that disclosure of protected information is appropriately restricted to protect the privacy of individuals whose personal and sensitive information is contained within, or transmitted via, the systems operated by the Department. In placing the burden of proof in relation to the defence on the defendant, subclause 21(2) places the onus on each entrusted person to ensure, in all circumstances, that their level of care when handling the information (including their regard to the legislative authorisations they have to disclose the information) is commensurate with the sensitivity of the information concerned. I also note that the drafting of this defence is consistent with secrecy provisions designed to protect other types of particularly sensitive information in other Commonwealth legislation, such as the Australian Border Force Act 2015.

Committee comment

2.88 The committee thanks the minister for this response. The committee notes the minister's advice that if the defence in subclause 21(2), which provides a defence for an entrusted person to record or disclose information if it was done in accordance with a Commonwealth, State or Territory law, was included as an element of the offence, it would be extremely difficult for the prosecution as it would be required to examine a large array of legislation in order to establish there was no authorising law. The committee also notes the minister's advice that it would be expected that an entrusted person would be aware of the authorisation on which they were relying and the particular authorisation 'will be known to' the entrusted person, and as such it would be 'considerably less onerous' for the defendant to establish the relevant matters.

2.89 While the committee acknowledges that it may be difficult for the prosecution to establish that a person did not have lawful authority to engage in the conduct set out in the offence, the committee emphasises that it generally considers a matter is appropriate for inclusion in an offence-specific defence when:

• it is peculiarly within the knowledge of the defendant; and

• it would be significantly more difficult and costly for the prosecution to disprove than for the defendant to establish the matter.^[55]

2.90 As the minister's advice does not explain how knowledge of relevant Commonwealth, State or Territory law is peculiarly within the knowledge of the defendant, the committee remains of the view that it may not be appropriate to reverse the evidential burden of proof in relation to this matter.

2.91 The committee requests that the key information provided by the minister be included in the explanatory memorandum, noting the importance of this document as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation (see section 15AB of the Acts Interpretation Act 1901).

2.92 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of reversing the evidential burden of proof in relation to a matter that does not appear to be peculiarly within the knowledge of the defendant.

Adequacy of parliamentary oversight
Privacy^[56]

2.93 As noted above, clause 21 seeks to make it an offence for an entrusted person who has obtained protected information in his or her capacity as an entrusted person to make a record of the information or to disclose the information to another person. Clauses 22 to 25 provide exceptions as to when information can be disclosed, which include to lessen or prevent a serious and imminent threat to human life or health,^[57] or to the [Integrity] Commissioner if it relates to corruption.^[58] The committee notes that these provisions impact on privacy as it allows for further disclosure of personal information. This does not appear to have been addressed in the explanatory materials.

2.94 The committee notes that clause 28 seeks to require the secretary of the Home Affairs department to provide the minister with an annual report, which is to be tabled in Parliament, on the operation of the identity-matching services, including statistics relating to requests made under the scheme. However, the committee notes that there is no requirement to record instances of when information was disclosed pursuant to clauses 23 and 24.

2.95 The committee seeks the minister's advice as to the appropriateness of amending clause 28 (which sets out the matters to be included in an annual report on the operation of the scheme) to include a requirement to report on the number of instances in which an entrusted person discloses protected information pursuant to clauses 23 and 24.

Minister's response

2.96 The minister advised:

Annual reporting
The Committee has sought my advice as to the appropriateness of amending clause 28 of the Bill (which sets out the matters to be included in an annual report on the operation of the scheme) to include a requirement to report on the number of instances in which an entrusted person discloses protected information pursuant to clauses 23 (disclosure to lessen or prevent threat to life or health) and 24 (disclosure relating to corruption issue).
The annual reporting requirements in the Bill will ensure that the public has appropriate visibility of the provision of identity-matching services by the Department. Although reporting on disclosures made under clause 23 does not go to the use of the services themselves, I accept the Committee's comments that such disclosures have privacy implications and should be transparent. As such I will propose an amendment to the Bill to accommodate this proposal.
In relation to reporting on the number of disclosures relating to corruption issues, the Department has consulted with the Attorney-General's Department, which administers the Law Enforcement Integrity Commissioner Act 2006 (the LEIC Act). Consistent with their advice, which was informed by consultation with the Australian Commission for Law Enforcement Integrity (ACLEI).
A reporting requirement of this nature has the potential to jeopardise the confidentiality of disclosures made to the Integrity Commissioner under clause 24 of the Bill. Under the Bill, an entrusted person may make a disclosure to the Integrity Commissioner without the Secretary's knowledge. It would be inappropriate to amend the Bill to require an entrusted person to notify the Secretary of any disclosure made by them under clause 24 in order for the Secretary to accurately report on these disclosures. This would remove entrusted persons' ability to make confidential disclosures to the Integrity Commissioner, and may have the effect of deterring them from making corruption-related disclosures altogether. This may have a negative impact on the effective operation of the LEIC Act, which is essential to the detection, prevention and prosecution of corruption-related issues.
I also note that any disclosure made under clause 24 would already be captured by the extensive reporting requirements already imposed upon the Integrity Commissioner under the LEIC Act. This is a more appropriate reporting mechanism for this type of information, which does not compromise the confidentiality of disclosures made to the Integrity Commissioner. Therefore, I do not consider it appropriate to add this to the reporting provisions in the Bill.

Committee comment

2.97 The committee thanks the minister for this response. The committee notes the minister's advice that when information is disclosed pursuant to clause 23 (to lessen or prevent a serious and imminent threat to human life or health), he accepts the committee's comments that such disclosures have privacy implications and should be transparent. The committee welcomes the minister's advice that government amendments will be proposed to ensure disclosures of such information will be reported on under clause 28.

2.98 The committee also notes the minister's advice in relation to the disclosure of information pursuant to clause 24 (disclosure to the Integrity Commissioner if it relates to corruption) that reporting on such disclosures would have the potential to jeopardise the confidentiality of disclosures made to the Integrity Commissioner. As an entrusted person is intended to be able to make a disclosure to the Commissioner without the secretary's knowledge, the committee notes the minister's advice that it would be inappropriate to require that the secretary be notified of the disclosure, as this would remove confidentiality and may deter an entrusted person from making corruption-related disclosures. The committee also notes the advice that any disclosure under clause 24 would already be captured by the Integrity Commissioner's existing reporting requirements under the Law Enforcement Integrity Commissioner Act 2006.

2.99 The committee requests that the key information provided by the minister be included in the explanatory memorandum, noting the importance of this document as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation (see section 15AB of the Acts Interpretation Act 1901).

2.19 In light of the detailed information provided and the minister's commitment to amend the bill in relation to reporting on disclosures pursuant to clause 23, the committee makes no further comment on this matter.

[25] See correspondence relating to Scrutiny Digest No. 5 of 2018 available at: www.aph.gov.au/senate_scrutiny_digest

[26] Various. The committee draws senators' attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[27] Clause 5.

[28] Clause 14.

[29] Explanatory memorandum, p. 2.

[30] Explanatory memorandum, p. 2.

[31] Clauses 17 and 18.

[32] Subclause 17(2).

[33] See definition of 'identity or community protection activity' at clause 6.

[34] Clause 8. See the statement of compatibility, p. 49.

[35] Clause 9 and statement of compatibility, p. 52.

[36] Clause 10 and statement of compatibility, p. 45.

[37] Clause 11 and explanatory memorandum, p. 26.

[38] Clause 12 and explanatory memorandum, p. 27.

[39] Clause 7 (in particular paragraph (1)(f) and subclauses (2) and (3)).

[40] Senate Standing Order 24(1)(a)(i).

[41] See statement of compatibility, p. 49.

[42] Statement of compatibility, p. 43.

[43] Statement of compatibility, p. 44.

[44] Statement of compatibility, p. 52.

[45] Explanatory memorandum, p. 25.

[46] Explanatory memorandum, p. 25.

[47] Statement of compatibility, p. 48.

[48] Subclauses 5(4) and 7(5) and clause 30. The committee draws senators' attention to these provisions pursuant to Senate Standing Order 24(1)(a)(iv).

[49] Senate Standing Committee for the Scrutiny of Bills, First Report of 2015, 11 February 2015, pp. 21–35.

[50] See also Senate Standing Committee on Regulations and Ordinances, Delegated Legislation Monitor No. 17 of 2014, 3 December 2014, pp. 6–24.

[51] Clause 21. The committee draws senators' attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).

[52] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, pp. 50-52.

[53] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 50.

[54] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, pp. 50-52.

[55] See Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 50.

[56] Clauses 23, 24 and 28. The committee draws senators' attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).

[57] Clause 23.

[58] Clause 24.