The push for public sector efficiencies has resulted increased information sharing across government agencies. While this has streamlined processes, in some instances agencies have cut corners, as highlighted by a series of reports from the Office of the Privacy Commissioner.
The reports, which cover several public bodies, centre on information-sharing and -matching agreements. These agreements are governed by the Privacy Act, and facilitate the sharing of information between government agencies for a defined purpose. Of the 54 agreements assessed, 22 were found to be non-compliant, and several bodies were found to have "substantial issues".
Most breaches relate to information-matching agreements, which provide for the passing of information relating to an individual from one agency to another, for the purpose of verifying that information. The duty that was breached most often was the duty to destroy information within 60 days. As the reports reiterate, destruction must be complete, and it is insufficient that it be removed from view but retained. Many receiving agencies have simply retained the information. This approach has become the default, unsurprisingly in one sense given that it is the normal practice of agencies to retain information, and that the providing agency still has a right to retain it. However, the policy behind the duty is clear: the information has been provided for one purpose (matching), and any further use must be strictly controlled.
The Government has not responded to these reports. Privacy Commissioner John Edwards has stated public faith in government agencies needs be rebuilt, and that these agencies must be seen to be complying with existing rules. He expressed his confidence in privacy being top of mind in Government, public and private organisations and health organisations. In terms of reform to the Privacy Act, he said including a power for the Commissioner to fine bodies would not be effective, and that naming and shaming still remains the most effective response. The Minister of Justice's office has stated a Bill is expected to be introduced later this year.
The Electronic Data Safety Bill, which is a Member's Bill, is currently before the House. It aims to establish an Electronic Data Safety Commission, which would inquire into government agencies' breaches of privacy, and advise on how to improve the law and best practice in this area.