JANE LYE and TARA MCNEILLY
AUSTRALIAN INSTITUTE OF ADMINISTRATIVE LAW
2006 NATIONAL ADMINISTRATIVE LAW FORUM
Administrative Law: Protection of Individual and Community Interests
Surfers Paradise Marriott Resort
22-23 June 2006
JANE LYE
Senior Lawyer, Australian Government Solicitor, Brisbane
T 07 3360 5736 | F 07 3360 5669
TARA MCNEILLY
Counsel, Australian Government Solicitor, Canberra
T 02 6253 7421 | F 02 6253 7304
To win this fight against terrorism, it appears that the good guys have
to build a better information and knowledge sharing network than the bad guys.[1]
Introduction
The theme for this year’s forum is the role of administrative law in protecting individual and community interests. Post September 11, 2001 national security is an issue of great priority for government. The evidence of this fact in Australia has been the implementation of various policies and the introduction (or non-introduction, as the case may be) of legislation aimed at increasing national security.
These changes have been accompanied by vigorous and lengthy debate, mostly centred around the apparent conflict between the national interest in combating terrorism and the privacy rights of individuals.
The paper has been prepared as a basis for further discussion on these legal and policy developments connected to national security. That discussion surrounds whether they properly strike a balance between the protecting of personal information held by government, the national interest in preserving national security and improving the ability of law enforcement agencies to function.
The potential breadth of this topic is staggering. However, bearing in mind the theme of the forum and the other papers being presented on related issues (such as security and anti-terrorism legislation), we have chosen to focus on the following:
— issues relating to the exchange of personal information between Commonwealth, State and Territory government transport agencies for national security purposes,[2] and
— current methods for intelligence gathering and the application of the Privacy Act 1988 (Cth) (the Privacy Act) to these proposals.
It is not possible to consider these matters in isolation, linked as they are to issues relating to a person’s ability to have access to, and seek the amendment or correction of, their own information even where such information has been collected, or is proposed to be used or disclosed, for national security or disaster control purposes. While it has not been possible to discuss the FOI implications for these issues in detail here, the final part of the paper provides a short overview of them.
Part 1 – Exchange of
personal information between government agencies for national security purposes
(transport security)
The exchange of personal information between Commonwealth, State and Territory government agencies for national security is, in most instances, regulated by privacy legislation or administrative schemes.[3] Employees of these agencies are also subject to various secrecy obligations, which prohibit the disclosure of official information without authorisation.[4] These obligations may prevent the disclosure of personal information in various instances and are discussed in further detail below in the context of using or disclosing personal information when required or authorised to do so by or under law.
Due to legislative or other privacy obligations, Government agencies across Australia are generally required to adhere to privacy principles in relation to their handling of personal information. To do otherwise results in an interference with privacy. Essentially, ‘personal information’ is any information about an identifiable individual, i.e. a natural person rather than a legal person such as a company or a trust.* For example, section 13 of the Privacy Act relevantly provides that an act or practice engaged in by an agency is an interference with the privacy of an individual if the act or practice breaches an Information Privacy Principle (IPP) in relation to personal information about an individual (paragraph 13(a)).
The Australian Law Reform Commission[5] (ALRC) (in its report on Privacy in 1983) recognised the need to balance individual privacy rights against law enforcement activities. In recommending that law enforcement activities be the subject of exceptions under the proposed Commonwealth Privacy Act, the Commission conceded that traditional policing activities such as the surveillance of suspects, the investigation of crimes and the management of informants should not be unfairly compromised by privacy.
Consistent with this view, the Privacy Act permits the collection of personal information in connection with law enforcement where that process is necessary for and directly supported by an agency’s functions. It also creates permitted exceptions to support the secondary use of personal information and also the disclosure of information beyond the agency.
The eleven IPPs are set out in section 14 of the Privacy Act and broadly relate to:
— collection of personal information for inclusion in an agency’s records (IPPs 1–3);
— storage and security of agency records containing personal information and access to those records (IPPS 4–7); and
— using and disclosing agency records containing personal information (IPPs 8–11).[6]
Where the best advice available to an agency is that compliance with the IPPs is not possible in relation to a particular process, there are other options. The first is to enact legislation to authorise the proposed handling process. The second is to apply to the Privacy Commissioner under section 72 of the Privacy Act for a public interest determination to permit the process to occur in breach of the IPPs.
When considering issues relating to agencies exchanging information for national security purposes, the privacy principles relating to the use and disclosure of personal information are most relevant. These principles broadly operate as follows: personal information can only be used within an agency for the purpose(s) for which it was collected unless a stated exception applies and personal information can only be disclosed outside of an agency, other than to the person concerned, unless a stated exception applies.
The IPPs in the Privacy Act do not apply to the acts and practices of intelligence agencies (the Australian Security and Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS) and the Office of National Assessments). In addition, various provisions in Australian privacy legislation exempt agencies from the operation of privacy principles in relation to their disclosure of information in response to requests received from ASIO or ASIS and in relation to their use and disclosure of information that originated with or has been received from ASIO or ASIS.[7]
However, outside of these specific provisions which apply only in the described circumstances, the privacy principles do not operate to provide exceptions which automatically allow for personal information to be used and disclosed for broad purposes relating to national security. Instead, it is necessary for agencies to fall back to the general exceptions set out in the principles and determine their application (or otherwise), taking the following types of matters into account - any relevant legislative provisions, the circumstances of the request, the functions of the agency from which the request has been received and the specific type of information that has been requested.
The common exceptions in privacy principles that may have particular application in the context of using or disclosing information for national security purposes are as follows:
— where use or disclosure of personal information is required or authorised by or under law;
— where use or disclosure is reasonably necessary for the enforcement of the criminal law; and
— where there is a reasonable belief that use or disclosure is necessary to prevent or lessen a serious and imminent threat to life or health.
However, as discussed in further detail below, such exceptions do not apply to allow use or disclosure in every instance, the result being that agencies may be prevented by their privacy obligations from releasing personal information on request.
The operation of such an exception depends on the proposed use or disclosure for national security being ‘required or authorised by or under law’. It can be relied upon in circumstances such as:
— the proposed use or disclosure is consistent with the operation of legislative secrecy provisions applying generally to public sector employees or to employees of particular agencies;
— there is a specific legislative regime which enables agencies to exchange personal information in specific instances for stated purposes relating to national security or law enforcement; or
— a warrant, subpoena, summons or discovery order is issued in related proceedings.
Privacy obligations will not be breached in circumstances where employees of one agency are able to disclose personal information to employees of other agencies either generally or in specified circumstances. Where personal information is exchanged between agencies consistently with relevant secrecy provisions, the disclosure will be ‘required or authorised by or under law’ for the purposes of this exception. However, the exception can only apply where there is a positive requirement or authorisation to disclose information. It cannot operate where the legislation is silent on the point. The absence of prohibition does not amount to authorisation.
Secrecy provisions sometimes provide that information can be disclosed where express permission to do so is given by the most senior officer in the agency. Where such permission is lawfully given, this will be an authorised disclosure for the purposes of this exception.
Secrecy provisions also routinely provide that information may be disclosed ‘in the course of [an officer’s] duties’. Generally, this not sufficient to overcome the prohibition, which requires an express permission. In any event, acting in the course of duties would include adherence to privacy obligations. In general terms, disclosure in the 'performance of duties' exceptions within statutory secrecy provisions have been interpreted broadly by the courts. The classic statement of what falls within the course of an officer or employee's duties or functions is found in Canadian Pacific Tobacco Co Ltd v Stapleton:[8]
The word 'duty' there is not, I think, used in a sense that is confined to a legal obligation, but really would be better represented by the word 'function'. The exception governs all that is incidental to the carrying out of what is commonly called 'the duties of an officer's employment'; that is to say, the functions and proper actions which [his or her] employment authorizes.
General provisions such as these require satisfaction of the following: that the disclosure of the particular information was reasonably capable of being considered appropriate and adapted to particular duties of an officer under the relevant legislation. The disclosure must be relevantly related to the duties or functions of the person disclosing the information and not the duties or functions of the person receiving the information. For this reason, disclosure of information to another agency merely because it will be beneficial for its purposes in upholding national security principles will not be sufficient reason for a disclosure to be authorised under a ‘required or authorised by or under law’ provision. Similarly, wanting information to check whether certain regulatory systems are appropriate and operating effectively is unlikely to be sufficient. In each case, consideration must be given to what makes disclosure of the particular information appropriate and adapted to achieving a particular duty or function. The fact that a disclosure might be permitted in the sense that it would be consistent with an officer's general responsibilities is not sufficient to establish that it is authorised for the purposes of the exception.
Outside general secrecy provisions, there
are many instances where legislation requires or authorises the disclosure of
specific information between agencies for purposes related to national security
or law enforcement. It is not possible for this paper to refer to each of these
in any detail.[9]
There are, however, a number of common points about the operation of such
provisions that are worth noting here:
— their operation is limited to certain agencies;
— they are expressed to operate only in limited circumstances and their operation is triggered by the existence of those circumstances; and
— the authorised use or disclosure is for specified purposes relating to national security or disaster control – these provisions do not authorise use or disclosure for broader, unrelated purposes despite the fact that the information may be (or appear to be) relevant to these purposes.
Where such a provision operates, the use or disclosure of personal information will be ‘required or authorised by or under law’ and will be consistent with the privacy obligations of the agencies concerned.
The operation of such an exception depends on the use or disclosure of personal information for purposes relating to national security being ‘reasonably necessary’ for the enforcement of the criminal law.
For the purpose of this exception, the phrase ‘criminal law’ generally includes the criminal law of the Commonwealth, States and Territories, but does not include the criminal law of foreign jurisdictions in all instances.[10]
However, such an exception does not mandate disclosure in relation to every activity which involves in some way the enforcement of the criminal law. For an agency to be satisfied that the exception applies, the proposed use or disclosure must be 'reasonably necessary' to enforce the criminal law. Whether this is in fact the case needs to be determined by an examination of all the relevant circumstances, which will include:
— the value that the disclosure of the information would have in enforcing the criminal law;
— any alternative sources of the information (a lack of alternative sources for the particular information in question may help to make disclosure 'reasonably necessary');
— the veracity of the information which is available from alternative sources as compared to the information in question; and
— the relative cost, both in monetary and other terms, of obtaining the information from an alternative source.
A disclosure is 'reasonably necessary' for the stated purpose where the disclosure would reveal personal information which would be of some demonstrable benefit or assistance in enforcing the criminal law and without which there would be an increased likelihood that such enforcement or protection could not occur.
The operation of such an exception requires satisfaction of the following: a serious and imminent threat to life or health (which does not include threat to finances or reputation). In practice, while the subject matter of this exception appears to be closely linked to national security, its application is likely to be fairly limited. It would however operate to allow for use or disclosure in circumstances where there is a specific, significant and immediate threat to public safety and the proposed use or disclosure of information would operate to remove, reduce or minimise this threat.
In line with the general increase in awareness of national security issues in particular, it seems clear that the level and complexity of privacy issues relating to the use and disclosure of personal information for national security and law enforcement generally are similarly increasing.
This has led to recommendations for legislative reform to address specific problems that have been identified as resulting from agencies not being able to exchange personal information due to privacy and secrecy obligations. Examples of such recommendations can be found in the report handed down in September 2005 following the Airport Security and Policing Review.[11]
Part 2 – Collection of intelligence information
This second part of the paper discusses the growing emphasis on the collection of pre-emptive intelligence information by law enforcement and regulatory agencies and considers whether these new methods of law enforcement could comply with the Privacy Act.
It is not unusual to hear the following complaint ‘the Privacy Act never lets us do anything’. This is of course untrue. The Act rather than preventing the handling of personal information, usually operates to restrict the manner in which that process will occur and rewards (in the form of compliance with the IPPs) those collectors who have taken the time to properly plan their information handling process and have a framework in place which regulates the collection, storage, use and any disclosures of the personal information collected.
But would the Act accommodate the latest trends in large-scale collection of intelligence by law enforcement agencies? Recent history suggests it will not and that in the absence of specific legislation, these information collection proposals would breach the Privacy Act.
IPP1 in the Privacy Act regulates the collection of personal information by Commonwealth agencies. IPP 1.1 states that personal information may only be collected by an agency for a lawful (i.e. ‘not unlawful’) purpose and it should not be collected unnecessarily. The Privacy Commissioner’s Guidelines on the IPPs make it clear that the purpose of any collection is to be interpreted narrowly in regard to in the legislation and the agency’s functions. The guidelines also require that the purpose of the collection should be specific and relate to the current reason for collecting the information. The personal information to be collected is only necessary for the purpose of collection if the information directly helps to achieve that stated purpose. The guidelines provide that collecting information just because it may be useful in the future is generally not acceptable.
IPP 1.2 provides that information shall not be collected by an agency by unlawful or unfair means. Examples of collection by unlawful means would include illegal covert surveillance or trespass to the person. ‘Unfair means’ would include methods of collection involving deceit or trickery.
Covert surveillance involves the collection of personal information about an individual/s without their knowledge and consent.
In 1983, the ALRC Report ‘Privacy’ referred to covert surveillance technology such as miniature tape records hidden inside cigarette packets and microphones concealed in watches, buttonholes, pens and ties as posing a significant threat to the privacy of Australian citizens.[12] 22 years on, the technology and techniques used for surveillance have advanced considerably, enabling the tracking of electronic messaging by phone or email, the profiling of a person from their banking transactions, credit card usage and purchasing history, television viewing habits and even online dating preferences. It seems that while the nature of the technology has changed the original concerns voiced in the ALRC report in relation to covert surveillance remain relevant.
While the Privacy Act does not prohibit the conduct of covert surveillance activities, the effect of the IPPs and in particular IPP 1 has always been to restrict the circumstances in which an agency can participate in covert surveillance without specific legislation which authorises such a process.
The Privacy
Commissioner issued Guidelines, Covert Surveillance in Commonwealth
Administration in 1992. These can be found at <http://www.privacy.gov.au/publications
/covertsurveillance.pdf>. These guidelines remain in force and should be
applied by Commonwealth agencies considering collecting personal information by
means of covert surveillance.
The Guidelines emphasise the need for agencies to closely scrutinise any proposed covert collection of personal information to ensure compliance with IPPs and in particular IPPs 1.1 and 1.2 and IPP 3 (Solicitation of Personal Information Generally).
a) that there be reasonable suspicion to believe that an offence or an unlawful activity is about to be committed, is being committed or has been committed;
b) that other forms of investigation have been considered by the agency and have been assessed to be unsuitable, or have been tried and have been found to be inconclusive or unsuitable; and
c) the benefits arising from obtaining relevant information by covert surveillance are considered to outweigh to a substantial degree the intrusion on the privacy of the surveillance subject/s.
Use of covert surveillance post September 11, 2001
In June 2001 the then Privacy Commissioner Malcolm Crompton addressed an Australian Institute of Criminology Symposium and acknowledged that ‘the landscape for law enforcement as well as the community is in a state of flux’.[13] However at that time the Commissioner stressed that it would be dangerous to assume that the Australian community was now willing to completely give up its privacy in the interests of law enforcement.
The Commissioner acknowledged that there would be pressure on government agencies to identify and implement new strategies to combat crime. Nonetheless he posed a list of questions to be asked by agencies when considering new options for the prevention and detection of criminal activity,[14] namely:
— whether the proposal has a large impact on the privacy of individuals (e.g. the large-scale collection of personal information);
— whether the proposal will unfairly and intrusively target/profile a particular group/sector of the community;
— what impact the proposed activity would have on the community; and
— proportionality (is the approach commensurate with the identified risk?).
The Office of the Privacy Commissioner has continued to view these questions as a relevant guide to determine whether any proposed system for the collection of personal information for law enforcement purposes will comply with the IPPs.[15]
The questions create a presumption that large-scale or routine collection activities which are not linked with a particular investigation are less likely to comply with the IPPs in the Privacy Act and in particular IPPs 1 and 3. They also continue to discriminate against the covert collection of personal information generally.
Post September 11, 2001, government agencies across the world have been searching for new ways to prevent and solve crime, particularly when associated with terrorism or terrorist activity.
Information collection processes associated with traditional methods of investigation (i.e. focusing on individuals (suspects)) are increasingly being viewed as inadequate to identify and prevent the establishment and activity by terrorist networks. This view was reinforced by the discovery in 2001 that the CIA had intelligence on individuals linked to all 19 al-Quida terrorists responsible for the events of September 11 but had failed to link this information with the 19 suspects prior to the event.
Social network analysis (SNA) has gained popularity as an intelligence gathering mechanism better suited to combat and prevent terrorism. Experts argue that SNA has long been applied as a method for the successful prosecution of crime. However the adaptation of SNA for use in connection with the prevention of terrorist activity is a very recent and largely untested development.[16]
SNA is a technique for the analysis of relationships between people and groups. It was recently described by Alexander Dryer, a journalist with the New Yorker in Washington DC, as the formal use of the social parlour game ‘Six Degrees of Separation’.[17] The process involves the collection and analysis of large-scale information about groups of individuals to assess the links between individuals with other ‘groups’ of individuals, to create network connections between them and then to rank them for use in further targeted surveillance.
SNA programs have the capacity to operate both as a method for the collection of publicly available personal information and as a format for covert surveillance. In late 2001, a United States network analyst Valdis Krebs created the network from publicly available information which demonstrated that all 19 hijackers were connected to al-Quida members known to the CIA in 2001.[18]
There is evidence that the Pentagon’s National Security Agency (NSA) is funding research into SNA programs designed to collect profiling information which is publicly available on the internet (for example social networking sites).[19] However it appears that the preferred end use for such information by the CIA would be to combine it with other personal information which has been covertly collected from non-public sources (for example financial transaction histories).
Experts argue that on one level the collection of information for the purpose of SNA has positive implications in the context of privacy protection. This is because on average less personal information can be collected about an individual under SNA processes than under traditional methods of police investigation (for example phone-tapping and other forms of covert surveillance of suspects).[20] However the downside is that SNA programs are less targeted than traditional forms of surveillance and therefore tend to require the collection of information about a very large sector of the community. For example, recent history in the United States has revealed that the use of SNA by the National Security Agency (NSA) to collect metadata on targeted phone calls and email traffic across the country resulted in the collection without legislative oversight of personal information about many hundreds of thousands of American citizens with no links to terrorism.[21]
Any proposed large-scale collection of personal information without specific link to an agency’s function will reduce the likelihood of compliance with IPP 1.1 of the Privacy Act. There is also a risk that the collection would be viewed as unreasonably intrusive and therefore offend IPP 3.
There is also a legitimate concern about how information collected under SNA programs will be stored and kept up to date. This has implications for agency compliance with other IPPs (for example IPP 4). There is also a concern about whether SN information once collected could be used by government agencies for secondary purposes (for example employment assessment purposes).[22] Whether these concerns are proven to be justified will be a matter for future assessment and it is important to bear in mind that there is no privacy legislation to restrict the operation of SNA programs in the United States.
Risk analysis is a related process which can arguably be employed to reduce the breadth and focus of the collection of pre-emptive intelligence information and particularly SNA information. Experts such as Professor Malcolm Sparrow argue that by understanding and properly analysing risk, government agencies can reduce the resources which need to be devoted to law enforcement. He also argues regulatory activity can avoid/ minimise wasting scarce resources on traditional methods of law enforcement which focus upon the surveillance and interrogation of individual suspects. [23]
In their paper Catastrophic Terrorism: Tackling the New Danger, Ashton Carter, John Deutch and Philip Zelikow identify the following as a systematic approach to risk analysis by law enforcement agencies in response to a threat of terrorist attack: area surveillance, specific threat identification, targeted surveillance and warning, interdiction and covert surveillance, post attack consequence management, forensic analysis and punitive action and learning lessons.[24]
Used properly these stages of risk analysis will define the risks associated with a potential threat, prioritise those risks and then allow the agency to target particular areas/issues/targets based upon its own resource capabilities. However experts such as Professor Sparrow readily admit that in order to properly use risk analysis, an agency may be required to collect large amounts of additional information and then be prepared to use it either on its own or in combination with other information in new ways to derive appropriate analysis.[25]
The experts justify these additional collections and uses on the basis that significant percentages of the information collected will be general namely about patterns, problems and trends rather than about targeted individuals.[26] However it is reasonable to assume that risk analysis must still involve the collection and or use of large amounts of personal information in order to support the consequent analysis of trends and risk. The process also increases the chance of ‘rainy day’ collection of information about individuals by agencies; a fact which gives rise to potential conflict with privacy and in particular IPP 1 of the Privacy Act.
There seems to be little doubt that an SNA program such as that employed by the NSA in the United States would have breached the IPPs in the Privacy Act and in particular IPPs 1.1, 1.2 and 3. However unlike Australia, the United States has not enacted Privacy legislation and government agencies in that country are not burdened by the privacy constraints which are imposed on Australian government agencies.
It is arguable that techniques such as SNA and risk analysis could reduce the overall handling of personal information by Australian government agencies by helping to ensure that any eventual surveillance of individuals is well targeted and more likely to be accurate. However this theory has not been borne out in practice in the United States where the bases for the initial collections of personal information have been extremely broad.
A simple Google search reveals a growing emphasis being placed upon pre-emptive intelligence and analysis by Commonwealth government agencies with responsibilities for law enforcement and regulation. While the Privacy Commissioner has not published any determinations on the lawfulness of such programs, her submission to the Senate Legal and Constitutional Committee on the information collecting powers in the Anti-Terrorism Bill (No.2) 2005 (Cth) suggest that such collection programs in Australia would be unlikely to comply with the IPPs without the authority of legislation.
This suggests that proposed strategies by agencies for the collection of preventive intelligence are likely to meet with objection from the Privacy Commissioner. However for agencies considering implementing these measures, there is some guidance from the Privacy Commissioner on what the Office considers to be essential criteria for systems for the covert collection of information by ‘invasive powers’, namely:
— that the power be conferred expressly by an Act
— the grounds for the intrusion be stated expressly and in objective terms
— the authority to obtain documents or obtain evidence compulsorily should be subject to the approval of an appropriately senior officer.*
Additionally, the Commissioner has recommended accountability and review mechanisms be established in relation to any intrusive collection processes to ensure the proper application of legislation by the relevant agency.
It seems inevitable that Commonwealth agencies with law enforcement or regulatory functions will be drawn to these new methods of intelligence gathering in the short to medium term. Given this fact, the challenge will be to ensure that any processes adopted by agencies are transparent where this is possible, are accountable and comply with the IPPs in the Privacy Act. The Privacy Commissioner has offered the following advice:
Each law enforcement response needs to be thought about in a framework. The aim of a framework would be to have law enforcement responses that are considered, consistent, measured and accountable. Law enforcement activities- whether they involve traditional or new techniques- carried out in this way are likely to build and keep trust with the community.[27]
It remains to be seen whether agencies decide to follow it.
Part 3 – Amendment and annotation of personal information
Any discussion of privacy issues relating to the use and disclosure of personal information for national security is incomplete without some attention being given to the obligations imposed on government agencies by privacy principles to allow individuals to have access to records containing their own personal information, and to seek to ensure that the personal information held by agencies is accurate, relevant, up to date, complete and not misleading. These obligations are particularly significant in the present context given the ramifications for an individual and the adverse consequences that may result in circumstances where incorrect personal information is held by an agency, which is subsequently used or disclosed by that or another agency for national security or disaster control purposes.
Given these potential consequences, it is incumbent on agencies to ensure that individuals are made aware of their entitlement to have access to records containing their information, and to seek to correct information where needed. However, at the same time, these access and alteration rights may need to be balanced against identified law enforcement objectives. This balance is not always an easy one to strike.
Importantly, an individual’s entitlement to have access to their own personal information as set out in relevant privacy principles is expressed to be subject to other law. For example, IPP 6 in the Privacy Act provides that ‘the individual concerned shall be entitled to have access to [that record], except to the extent that the [agency concerned] is required or authorised to refuse to provide the individual with access to records under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents’.
The effect of this and similar provisions is that a person may be refused access to their own information in circumstances where doing so is required or authorised by or under specific secrecy provisions or in FOI legislation. In the present context, there is a very broad range of legislative provisions that will be potentially relevant here. In the FOI context alone, the various exemptions directed towards national security and international relations, Commonwealth / State / Territory relations, law enforcement, confidentiality and third party personal information may singularly or in combination operate to limit a person’s entitlement to access their own information.
[1] Valdis E Krebs Uncloaking Terrorist Networks, First Monday, Volume 7 Number 4, April 2002 at p14 with reference to David Ronfeld and John Arquilla, Networks, Netwars and the Fight for the Future, First Monday, Vol 6, Number 10 March 2002.
[2] Where the operation of specific legislative privacy provisions is discussed, we have referred to the relevant provisions in the Commonwealth Privacy Act 1988 (Privacy Act) – where possible, the equivalent provisions in State and Territory legislation or administrative schemes are footnoted.
[3] ACT: Privacy Act; NSW: Privacy and Personal Information Protection Act 1998; Vic: Information Privacy Act 2000; Qld: No privacy legislation but note Information Standard No 42 – Information Privacy (IS42) and Information Standard 42 – Information Privacy Guidelines; SA: No privacy legislation but note Cabinet Administrative Instruction No. 1 of 1989: PCO12 – Information Privacy Principles Instruction; Tas: Personal Information Protection Act 2004; NT: Information Act 2002; WA: No privacy legislation.
[4] See for example: Commonwealth: s 70 of the Crimes Act 1914; r 2.1 of the Public Service Regulations 1999; ACT: s 9 of the Public Sector Management Act 1994; s 153 of the Crimes Act 1900; NSW: s 8 of the Independent Commission Against Corruption Act 1988; Vic: ss 7 and 63 of the Public Administration Act 2004; s 98 of the Constitution Act 1975; Qld: s 18 of the Public Sector Ethics Act 1994; s 85 of the Criminal Code Act 1899; SA: s 6 of the Public Sector Management Act 1995; ss 238 and 251 of the Criminal Law Consolidation Act 1935; Tas: s 9 of the State Service Act 2000; s 110 of the Criminal Code Act 1924; NT: ss 76 and 77 of the Criminal Code Act; r 4 of the Public Sector Employment And Management Regulations; WA: s 9 of the Public Sector Management Act 1994; s 81 of the Criminal Code.
[5] Australian Law Reform Commission Report: Privacy 1983 at p115.
* Section 6, Privacy Act.
[6] See also: ACT – Cth IPPs; NSW: Information Protection Principles set out in Part 2 ; Vic: IPPs set out in Schedule 1; Qld: IS42 reflects Cth IPPs; SA: PCO12 reflects Cth IPPs; Tas: Personal Information Protection Principles set out in Schedule 1; NT: IPPs set out in Schedule.
[7] See for example s 7 of the Privacy Act; para 2(1)(h) in the Tasmanian Personal Information Protection Principles.
[8] (1952) 86 CLR 1 at 6 per Dixon CJ.
[9] An example in the security context: the provisions in the Cth Aviation Transport Security Regulations 2005 authorising certain disclosures of personal information between relevant agencies for the purposes of issuing Aviation Security Identification Cards (regs 6.42C and 6.56A). An example in the disaster control context: the provisions in the Cth Crimes Act authorising use and disclosure of information stored on a DNA database system (ss 23YUG and 23YUI).
[10] In the Cth context, see further the Federal Privacy Commissioner’s Plain English Guidelines to IPP 11 which provide that: ‘“Criminal law”’ may include the law of non-Australian jurisdictions if the Commonwealth agrees to it under the Mutual Assistance in Criminal Matters Act [1987].’
[11] The report, by Sir John Wheeler, is titled An Independent Review of Airport Security and Policing for the Government of Australia – a copy of the report is available on the Review’s website at: http://www.aspr.gov.au.
[12] Australian Law Reform Commission Report No 22: Privacy (1983) at p 40.
[13] Malcolm Crompton Federal Privacy Commissioner Preserving Privacy in a Rapidly Changing Environment; Future Directions, Crime Prevention, Legal Responses and Policy, 22 June 2001 at p 2.
[14] Ibid at p 9.
[15] An amended form of this list was submitted to the Senate Legal and Constitutional Legislation Committee Inquiry into Terrorism Bills in 2002.
[16] Valdis E Krebs Uncloaking Terrorist Networks, First Monday, Volume 7 Number 4, April 2002.
[17] Alexander Dryer, ‘How the NSA Does ‘“Social Network Analysis’” Washington Post: Slate.com 15 May 2006.
[18] Ibid.
[19] Paul Marks Pentagon Sets Its Sights on Social Networking Websites New Scientist.com news service 9 June 2006.
[20] Patrick Radden Keefe Can Network Theory Thwart Terrorists? New York Times, 12 March 2006.
[21] The White House has urged Congress not to investigate the NSA program. Paul Marks Pentagon Sets Its Sights on Social Networking Websites New Scientist.com news service 9 June 2006.
[22] Paul Marks Pentagon Sets Its Sights on Social Networking Websites New Scientist.com news service, 9 June 2006.
[23] Malcolm Sparrow The Regulatory Craft; Controlling Risks, Solving Problems and Managing Compliance, Brookings 2000.
[24] Ibid at p 4.
[25] Malcolm Sparrow The Regulatory Craft; Controlling Risks, Solving Problems and Managing Compliance, Brookings 2000 at p 260.
[26] Ibid at 263.
[27] Preserving Privacy in a Rapidly Changing Environment; Future Directions, Crime Prevention, Legal Responses and Policy, Malcolm Crompton Federal Privacy Commissioner, 22 June 2001 at p 6.
* Ibid.