Australian Senate Standing Committee for the Scrutiny of Delegated Legislation - Monitor
Privacy (Australian Government Agencies – Governance) APP Code 2017 [F2017L01396]
Purpose | Sets out how Australian Privacy Principle 1.2 (contained in Schedule 1 to the Privacy Act 1988) is to be complied with by Australian government agencies
Authorising legislation |
Portfolio | Attorney-General's
Disallowance | 15 sitting days after tabling (tabled Senate 13 November 2017). Notice of motion to disallow currently must be given by 8 February 2018[1]
Scrutiny principle | Standing Order 23(3)(a)
Legislative authority: power to make instrument
Scrutiny principle 23(3)(a) of the committee's terms of reference requires the committee to ensure that an instrument is made in accordance with statute. This principle requires that instruments are made in accordance with their authorising legislation. This may include any limitations or conditions on the power to make the instrument set out in the authorising legislation.
The instrument was made under section 26G of the Privacy Act 1988 (Privacy Act). Section 26G provides for the development of Australian Privacy Principle (APP) codes by the Information Commissioner (Commissioner). Subsection 26G(1) of the Privacy Act provides that section 26G applies (that is, the Commissioner may develop an APP code) if the Commissioner has made a request under section 26E for an APP code developer[2] to develop an APP code, and either:
• the request has not been complied with; or
• the request has been complied with but the Commissioner has decided not to register the APP code that was developed as requested.
It appears to the committee that subsection 26G(1) is a precondition to the exercise of the Commissioner's power to make an APP code under subsection 26G(2). This view is supported by the explanatory memorandum to the bill that inserted section 26G into the Privacy Act, which stated:
The Commissioner can only develop an APP code in circumstances where a code developer has failed to comply with a request to develop a code, or where a code developer has produced a code as requested by the Commissioner, and the Commissioner has decided not to register the code.[3]
In relation to compliance with subsection 26G(1) of the Privacy Act, the explanatory statement (ES) to the instrument only states that 'the Commissioner has developed this APP code in compliance with section 26G of the Privacy Act'.
Neither the instrument nor the ES clarifies whether the Commissioner made a request, under subsection 26E of the Privacy Act, for an APP code developer to develop an APP code prior to making the instrument under subsection 26G(2).
It is therefore unclear to the committee whether the precondition in subsection 26G(1) to the exercise of the Commissioner's power to develop a Code under subsection 26G(2) was satisfied.
The committee requests the minister's advice as to:
• whether the Commissioner made a request under section 26E of the Privacy Act 1988 for an APP code developer to develop an APP code prior to making the instrument under section 26G; and
• if the Commissioner did not make such a request, the legislative authority relied on to make the instrument.
Drafting: unclear meaning of 'senior official'
Subsection 11(1) of the instrument provides that an agency must, at all times, have a designated Privacy Champion. Subsection 11(3) provides that the Privacy Champion must be a senior official within the agency.
The committee notes that neither the instrument nor the accompanying ES provides any definition of 'senior official', nor any guidance in relation to the level of official that the agency may designate as Privacy Champion under section 11 of the instrument. The committee also notes that 'senior official' is not defined within the Privacy Act.
The committee is concerned that agencies may have different understandings of the term 'senior official'. For example, some agencies may consider that officers at the APS 5 and APS 6 levels (or equivalent) are sufficiently senior to be designated as Privacy Champion,[4] while others may view the term 'senior official' as restricting the role of Privacy Champion to SES officers.[5]
It is unclear to the committee whether the instrument envisages that an officer at or above a particular APS level (or equivalent) would be designated as Privacy Champion. The committee is concerned that the lack of clarity regarding the meaning of 'senior official' may make it difficult for agencies to ensure they comply with their obligations under section 11 of the instrument.
The committee requests the minister's advice as to the intended meaning of 'senior official' in section 11 of the instrument, and whether guidance in that regard could be included in the explanatory statement.
[2] Under section 6 of the Privacy Act, 'APP code developer' means an APP entity, a group of APP entities, or a body or organisation representing one or more APP entities; and 'APP entity' means an agency or organisation.
[3] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p. 205.
[4] The Australian Public Service Commission (APSC) indicates that APS 5 and 6 officers hold 'senior administrative, technical, project and service positions, which may have supervisory roles'. See APSC, Fact sheet 3: Understanding APS jobs (May 2012), www.apsc.gov.au/publications-and-media/current-publications/cracking-the-code/factsheet-3.
[5] Under subsection 11(4) of the instrument, the functions of the Privacy Champion include promoting a culture of privacy within the agency, providing strategic leadership on privacy issues, reviewing and/or approving the agency's privacy management plan. These functions appear broadly consistent with those of SES officers. See e.g. APSC, Senior Executive Service (SES) (July 2017), www.apsc.gov.au/managing-in-the-aps/ses.
URL: http://www.austlii.edu.au/au/other/cth/AUSStaCSDLM/2017/425.html