Federal Register of Legislation - Australian Government

Primary content

Privacy Regulation 2013

Authoritative Version
  • - F2013L02126
  • In force - Superseded Version
  • View Series
SLI 2013 No. 262 Regulations as made
This regulation updates and consolidates certain provisions that were contained in the principal regulations. It also gives effect to the Privacy Amendment (Enhancing Protection) Act 2012.
Administered by: Attorney-General's
Made 12 Dec 2013
Registered 17 Dec 2013
Tabled HR 11 Feb 2014
Tabled Senate 11 Feb 2014

EXPLANATORY STATEMENT

 

Select Legislative Instrument No. 262, 2013

 

Issued by the authority of the Attorney-General

 

Privacy Act 1988

 

Privacy Regulation 2013

 

The Privacy Amendment (Enhancing Protection) Act 2012 (Privacy Amendment Act) will come into force on 12 March 2014 and will introduce significant amendments to the Privacy Act 1988 (Privacy Act). Subsection 100(1) of the Privacy Act as amended provides that the Governor-General may make regulations, not inconsistent with the Privacy Act, prescribing matters required or permitted by the Privacy Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the Privacy Act.

 

Section 4 of the Acts Interpretation Act 1901 allows for the making of regulations under the Privacy Amendment Act before that Act commences, as long as the new Regulation does not commence before the Privacy Amendment Act.  Section 6F of the amended Privacy Act provides that the Governor-General may make regulations prescribing a State or Territory authority or instrumentality of a State or Territory as if the authority or instrumentality were an organisation for the purposes of the Privacy Amendment Act.  New Part IIIA of the amended Privacy Act will repeal and substitute Part IIIA in the Privacy Act. The relevant regulation-making powers related to credit reporting under the amended Privacy Act are set out in
Attachment A.

 

The Regulation repeals the Privacy (Private Sector) Regulations 2001 and the Privacy Regulations 2006 and updates and consolidates certain provisions that were contained in these regulations.  The primary purpose of the Regulation is to give effect to the Privacy Amendment Act.  The Privacy Amendment Act amends the Privacy Act to, among other things, create a single set of privacy principles—the Australian Privacy Principles (APPs)— replacing the existing Information Privacy Principles and the National Privacy Principles and applying this to both Commonwealth agencies and private sector organisations; introduces a more comprehensive credit reporting system with improved privacy protections; strengthens the functions and powers of the Commissioner; and creates new provisions on privacy codes and the credit reporting code.

 

The Regulation makes certain regulations necessary for the implementation of the provisions in Part IIIA of the amended Privacy Act that are intended to regulate the handling and maintenance of certain kinds of personal information concerning consumer credit to be used for domestic, family or household purposes. This includes:

·         identifying the terms and conditions of consumer credit that may be included in an individual’s credit information;

·         setting the frequency with which an individual’s repayment history information can be listed by credit providers;

·         exempting certain businesses and undertakings that provide personal information solely for the purpose of verifying or validating information from the definition of credit reporting business; and

·         inserting a transitional provision to allow for information requests made for credit reporting purposes to be processed under the existing Part IIIA of the Privacy Act up to, and including 31 March 2014.

 

The Regulation prescribes Indigenous Business Australia (IBA) as a credit provider.  This is consistent with Credit Provider Determination 2011–12 (Class of Credit Providers), in which the Privacy Commissioner identified IBA as a credit provider. The Regulation also exempts IBA from the obligation to be a member of an external dispute resolution scheme and exempts IBA from the obligation to be a licensee for the purposes of the amended Privacy Act.  These exemptions are consistent with the current exemptions for IBA from external dispute resolution and licensee obligations under the National Consumer Credit Protection Act 2009

 

The Regulation also prescribes certain State authorities following requests from the New South Wales Minister for Resources and Energy and the South Australian Minister for Housing and Urban Development, respectively, to ensure that they are treated as organisations and can therefore participate in the credit reporting system under the amended Privacy Act.  It updates the list of organisations that may use or disclose Centrelink identifiers to access Centrelink Confirmation eServices in order to determine whether an individual is entitled to access concessions and other services.  It also updates the list of agencies that may disclose to superannuation organisations Commonwealth employee payroll numbers for superannuation purposes.  This is for the benefit of the individuals concerned and the
Attorney-General has consulted the Privacy Commissioner about the amendments pursuant to subsection 100(3) of the amended Privacy Act. The Regulation also removes references to certain corporations that have been abolished and repeals certain prescribed standards for making complaints under privacy codes to the Privacy Commissioner where the enabling provision is abolished by the Privacy Amendment Act. 

 

Consistent with the Privacy Amendment Act, the Regulation makes a number of consequential amendments that remove references to the National Privacy Principles and replace them with references to the new APPs where appropriate.  Updates to certain definitions are also made.

 

Details of the Regulation are set out in Attachment B.

 

A Statement of Compatibility with Human Rights is set out in Attachment C prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny Act) 2011.

 

The Office of Best Practice Regulation was consulted on this Regulation and advised that no Regulation Impact Statement was required.

 

The Regulation is a legislative instrument for the purposes of the Legislative Instruments Act 2003.

 

The Regulation commences on 12 March 2014, the same day as the commencement of the Privacy Amendment Act.


ATTACHMENT A

 

AUTHORISING PROVISIONS

 

The relevant regulation-making powers related to credit reporting under the amended Privacy Act are:

 

·         paragraph 6(1)(e), which provides that regulations may prescribe the terms and conditions of the consumer credit for the purposes of the definition of consumer credit liability information set out in subsection 6(1) of the amended Privacy Act;

 

·         subparagraph 6G(1)(d)(ii), which provides that the term ‘credit provider’ may mean an agency, organisation or small business operation that carries on a business or undertaking that involves providing credit and that is prescribed by the regulations;

 

·         subsection 6G(6), which provides that the regulations may prescribe classes of organisations or small business operators that are not credit providers;

 

·         subsection 6P(4), which provides that the regulations may prescribe a class of businesses or undertakings that are not credit reporting businesses;

 

·         subsection 6V(2), which provides that the regulations may make provision in relation to whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit;

 

·         subparagraph 21D(2)(a)(i), which provides that the regulations may prescribe credit providers who are exempt from the requirement to be a member of an external dispute resolution scheme; and

 

·         subparagraph 21D(3)(c)(i), which provides that the regulations may prescribe credit providers who are exempt from the requirement to be a licensee.

 

 

 


ATTACHMENT B

 

Privacy Regulation 2013

 

Part 1—Preliminary

 

Section 1 – Name of Regulation

 

This section describes how the Regulation is to be cited.

 

Section 2 – Commencement

 

This section provides that the Regulation commences on 12 March 2014.

 

Section 3 – Authority

 

This section provides that the Regulation is made under the Privacy Act 1988.

 

Section 4 – Schedule(s)

 

This section provides that amendments or repeals have effect according to the terms set out in the Schedule(s).

 

Section 5 – Definitions

 

This section defines a number of terms used in the Regulation.  Some of the definitions have been updated to reflect changes resulting from machinery of government or as a result of structural amendments to certain entities, such as their privatisation or dissolution.  

 

‘Act’ is defined as meaning the Privacy Act 1988.

 

‘Agency’ is defined for the purposes of Part 2 of the Regulation.  The definition of ‘agency’ includes those agencies referred to in the specified provisions of the Financial Management and Accountability Regulations 1997 and the Commonwealth Authorities and Companies Regulations 1997.  The definition of ‘agency’ is discussed further below in relation to Part 2 of the Regulation.

 

This section continues to define ‘AustralianSuper’ (however, following the merger between AGEST and AustralianSuper on 27 February 2013, the Regulation now only defines AustralianSuper),  ‘AvSuper’, ‘Centrelink program’, ‘Customer Reference Number’, ‘DVA File Number’, ‘payroll contractor’ and ‘payroll number’ for Part 2 of the Regulation. 

 

This section defines ‘Ausgrid’, ‘Endeavour Energy’, ‘Essential Energy’, and ‘HomeStart Finance’ for the purposes of sections 8 and 9.

 

‘Residential tenancy database’ continues to be defined for the purposes of section 7.


Section 6 – Consumer credit liability information

This section prescribes the terms or conditions of the consumer credit (as defined in subsection 6(1) of the amended Privacy Act) for the purposes of paragraph 6(1)(e) of the Act.  These are:

 

(a)    how the principal and interest on the consumer credit are to be paid (with the regulation specifying that payments be classified as either principal and interest, principal plus interest with a residual balloon, or interest only);

(b)   whether the term of the consumer credit is fixed or revolving;

(c)    if the term of the consumer credit is fixed – the length of the term;

(d)   whether the individual is a guarantor to another individual is in relation to that particular line of credit of the other individual;

(e)    whether the consumer credit is secured or unsecured; and

(f)    any variation that may be made to items contained in the above paragraphs (a) to (e).

 

Section 7 – Small business operator treated as organisations

 

This section continues to provide that small businesses operating a residential tenancy database and undertaking certain acts and practices are organisations for the purposes of the amended Privacy Act.

 

Section 8 – State authorities treated as organisations

 

This section prescribes the New South Wales (NSW) electricity distribution businesses Essential Energy, Ausgrid and Endeavour Energy as organisations for the purposes of the Privacy Act.

 

This section updates the list of state authorities prescribed as organisations for the purpose of section 6F of the amended Privacy Act.  This update reflects changes made to certain NSW electricity distribution businesses and follows a request from the NSW Minister for Resources and Energy.  This section refers to Essential Energy, Endeavour Energy and Ausgrid.  The NSW Minister advises that these entities are required to access, retain and share the personal information of their customers in order to undertake their functions.  The effect of the Regulation is to ensure that these State-owned entities are treated as organisations under the amended Privacy Act.

 

Section 9 – State instrumentality treated as an organisation

 

This section prescribes the South Australian authority called HomeStart Finance as an organisation for the purposes of the amended Privacy Act. This follows a request from the South Australian Minister for Housing and Urban Development.  HomeStart Finance is a statutory authority established by the
South Australian Government and is a licensed credit provider for the purposes of the National Consumer Credit Protection Act 2009.  The purpose of prescribing HomeStart Finance is to ensure that it is treated as a credit provider under the amended Privacy Act.  Subsection 9(2) exempts HomeStart Finance from Australian Privacy Principle 11.2.  The South Australian Minister advises that HomeStart Finance, as an agency of the South Australian Government has
record-keeping obligations pursuant to the South Australian State Records Act 1997. The purpose of this exemption is to ensure that HomeStart Finance can continue to meet its record-keeping obligations under the South Australian State Records Act 1997.

 

Section 10 – Meaning of credit provider

 

The Explanatory Memorandum to the Privacy Amendment Act foreshadowed that regulations would be made to prescribe Indigenous Business Australia (IBA) as a credit provider. 

 

Subsection 10(1) prescribes IBA as a credit provider for the purposes of the Privacy Act.

 

Subsection 10(2) excludes from the definition of credit provider under subsection 6G(6) of the amended Privacy Act any organisation or small business operators acting in the capacity of a current or prospective landlord in relation to the individual with whom an organisation or small business may be transacting.  It is possible that any landlord which receives rent in arrears may be brought within the definition of a credit provider.  Excluding any such landlords from the definition of a credit provider is consistent with the existing exclusion of real estate agents in paragraph 6G(5)(a).

 

Section 11 – Meaning of credit reporting business

 

This section excludes from the definition of credit reporting business under subsection 6P(4) of the amended Privacy Act those businesses or undertakings which provide personal information to a credit provider for the purposes of verifying an individual’s identity or validating other information relating to the individual’s financial position (such as real property assets).  It was not the policy intention of the new definition of ‘credit reporting business’ in subsection 6P(1) of the amended Privacy Act to bring within its scope any business or undertaking that provides personal information solely for the purposes of verifying or validating information that has been provided by an individual to a credit provider.

 

Further, as the Explanatory Memorandum of the Privacy Amendment Act foreshadowed, a credit provider is permitted to disclose certain information to another credit provider in certain circumstances. It is recognised that this sharing of information is necessary to support the credit reporting system and sharing information in these circumstances does not make the credit provider subject to the obligations of a credit reporting body.

 

Section 12 – Meaning of repayment history information

 

This section specifies the circumstances in which an individual has not met an obligation to make a monthly payment that is due and payable, pursuant to subsection 6V(2) of the amended Privacy Act.  The Regulation provides that where an individual misses any or all repayments due in a month, irrespective of the actual payment cycle for that obligation, then the individual is taken to have missed a payment.  The intention of this section is to ensure that there is only one report each month per credit account of an individual’s repayment history information.

 

Section 13 – agencies to be treated as organisations

 

This section continues to prescribe the Australian Government Solicitor as an organisation for the purposes of the amended Privacy Act. 

 

Section 14 – Permitted disclosure of credit information to a credit reporting body

 

This section exempts IBA from the obligations to be:

·         a member of an external dispute resolution scheme, as otherwise required by subsection 21D(2) of the amended Privacy Act; and

·         a licensee for the purposes of subsection 21D(3) of the amended Privacy Act.

 

Part 2—Australian Privacy Principles

 

Part 2 of the Regulation contains provisions that relate to the Australian Privacy Principles (APPs).  Currently, all of the sections in Part 2 relate to APP 9.  A number of definitions contained in section 5 are also relevant to the sections in Part 2 and are discussed below.

 

APP 9 deals with the adoption, use or disclosure of government related identifiers by organisations.  APP 9.1 provides that an organisation must not adopt a government identifier in relation to an individual; APP 9.2 provides that an organisation must not use or disclose a government related identifier of an individual; and APP 9.3 provides that regulations may be made to permit the use of government identifiers by organisations.  Sections 15 and 16 provide exceptions to permit specified agencies to disclose certain identifiers to superannuation organisations for staff superannuation purposes, while sections 17, 18 and 19 provide exceptions to APP 9 for specified organisations in relation to their access to the Centrelink Confirmation eServices system.

 

The Regulation updates and simplifies the list of agencies currently prescribed in the Privacy (Private Sector) Regulations 2001 that may disclose Government identifiers for superannuation purposes pursuant to sections 15 and 16.  The definition of ‘agency’ set out in section 5 has been updated to incorporate those agencies listed under the specified provisions of the Financial Management and Accountability Regulations 1997 and the Commonwealth Authorities and Companies Regulations 1997.  This means that the definition of ‘agency’ incorporates the lists of agencies set out in these regulations.  The intention of referring to these sections is to ensure that the Regulation is consistent with those sections and the agencies they prescribe.  However, the lists of agencies in these other regulations are not comprehensive. It is necessary to continue to specifically list those agencies not otherwise identified.  Subparagraph 5(b)(i) refers to Schedule 1 containing a list of agencies for the purposes of this definition.  When read together, the definition of ‘agency’ will include all Commonwealth agencies.

 

Sections 15 and 16 permits prescribed agencies to disclose government payroll numbers to the prescribed superannuation organisations in order for those superannuation organisations to provide superannuation services to individuals employed by the agencies.  Section 15 applies to Airservices Australia and the Civil Aviation Safety Authority, which use a different payroll number system to other agencies.  Section 16 applies to all other agencies and the use of payroll numbers by the prescribed superannuation organisations. 

 

Sections 17, 18 and 19 updates the list of organisations currently permitted under the Privacy (Private Sector) Regulations 2001 to access the Centrelink Confirmation eServices system in order to determine whether an individual is entitled to concessions or to access other services, such as subsidised housing, provided by the organisations.  The sections relate to the use by organisations of an individual’s Customer Reference Number (CRN) issued by the Department of Human Services (DHS), or an individual’s File Number issued by the Department of Veterans’ Affairs (DVA).  The sections continue to allow prescribed organisations to use or disclose an individual’s CRN or DVA File Number for the purpose of using DHS’s Centrelink Confirmation eServices.

 

Subsection 17(1) provides that prescribed organisations may use or disclose an individual’s CRN for the purposes of Customer Confirmation; subsection 17(2) provides that prescribed organisations may use or disclose an individual’s DVA File Number for the purposes of Customer Confirmation; section 18 provides that prescribed organisations may use or disclose an individual’s CRN for the purposes of Income Confirmation; and section 19 provides that prescribed organisations may use or disclose an individual’s CRN for the purposes of Superannuation Confirmation.

 

The DHS has confirmed that the adoption, use or disclosure by a number of additional organisations listed in the schedules of CRNs or DVA File Numbers in the circumstances prescribed by the Regulation are for the benefit of the individual concerned.  In addition, DHS has consulted the Privacy Commissioner about the amendments. 

 

Sections 15 – 19 are as follows:

 

Section 15 – Exceptions to Australian Privacy Principle 9.1

 

This section continues to prescribe AvSuper as an organisation for the purposes of APP 9.1 of the amended Privacy Act, and prescribes payroll numbers assigned by Airservices Australia or the Civil Aviation Safety Authority as prescribed identifiers and allow for the payroll number to be adopted by AvSuper in order to provide superannuation services.

 

Section 16 – Exceptions to Australian Privacy Principle 9.2

 

Subparagraph 16(a) continues to prescribe AustralianSuper and AvSuper as organisations for the purposes of APP 9.1 of the amended Privacy Act.  Subparagraph 16(b) continues to prescribe the payroll numbers assigned by each of those agencies as prescribed identifiers, and subparagraph 16(c) allows the payroll number to be used or disclosed by AustralianSuper or AvSuper to provide superannuation services.

 

Section 17 – Exceptions to Australian Privacy Principle 9.2—Centrelink Confirmation eServices (customer confirmation)

 

Subsection 17(1) continues to authorise the use and disclosure of a Centrelink Customer Reference Number by certain prescribed organisations so that they can access the Centrelink Confirmation eService for the purpose of determining whether certain individuals are entitled to receive a concession.  The result is to allow the use and disclosure of a Centrelink Customer Reference Number by private sector organisations listed in Part 1 of Schedule 2 so that those organisations can access Centrelink Confirmation eServices for the purpose of making a Customer Confirmation enquiry to determine whether an individual is entitled to receive a concession.

 

Subsection 17(2) continues to authorise the use or disclosure of a DVA File Number by certain prescribed organisations so that they can access the Centrelink Confirmation eService for the purpose of determining whether certain individuals are entitled to receive a concession.  The result is to allow the use and disclosure of a DVA File Number by private sector organisations listed in Part 2 of Schedule 2 so that those organisations can access Centrelink Confirmation eServices for the purpose of making a Customer Confirmation enquiry to determine whether an individual is entitled to receive a concession.

 

Section 18 – Exceptions to Australian Privacy Principle 9.2—Centrelink Confirmation eServices (income confirmation)

 

This section continues to authorise the use and disclosure of the Centrelink Customer Reference Number by certain prescribed organisations so that they can access the Centrelink Confirmation eService for the purpose of determining whether certain individuals are entitled to receive a concession.  The result is to allow the use and disclosure of the Centrelink Customer Reference Number by private sector organisations listed in Schedule 3 so that those organisations can access Centrelink Confirmation eServices for the purpose of making an income confirmation enquiry to determine whether the individual is entitled to receive a service or assistance.

 

Section 19 – Exceptions to Australian Privacy Principle 9.2—Centrelink Confirmation eServices (superannuation confirmation)

 

This section continues to authorise the use and disclosure of the Centrelink Customer Reference Number by certain prescribed organisations so that they can access Centrelink Confirmation eService for the purpose of determining whether certain individuals are entitled to receive a concession.  The result is to allow the use and disclosure of the Centrelink Customer Reference Number by private sector organisations listed in Schedule 4 so that those organisations can access Centrelink Confirmation eServices for the purpose of making a superannuation enquiry to determine whether the individual is entitled to the early release of superannuation on the ground of financial hardship.

 

Part 3—Privacy Advisory Committee

 

Section 20 – Travelling allowance—within Australia

 

This section continues to prescribe travel allowance entitlements for appointed members of the Privacy Advisory Committee.

 

Part 4—Secrecy

 

Section 21 – Designated secrecy provisions

 

This section continues to prescribe the secrecy provisions of the Australian Bureau of Statistics (ABS) as designated secrecy provisions for the purposes of paragraph 80P(7)(d) of the amended Privacy Act.  The prescribed secrecy provisions are sections 19 and 19A of the Census and Statistics Act 1905. The effect of the Regulation is to continue to confirm that data collected by the ABS for statistical purposes is used only for statistical purposes.

 

Part 5—Transitional

 

Section 22 – Transitional

 

This section provides a transitional provision to permit the fulfilment of information requests made for credit reporting purposes that may be processed on the date of commencement of the Privacy Amendment Act, which is when the new credit reporting provisions enter into force.  The Regulation provides that information requests that are being processed on or before the commencement date of the Privacy Amendment Act may be processed under the existing Part IIIA of the Privacy Act up to, and including, 31 March 2014.

 

Schedules

 

Schedule 1 – Agencies

 

This item inserts a new Schedule 1 into the Regulation.  This Schedule lists 90 agencies to whom the adoption, use and disclosure of employee payroll numbers by two private sector superannuation bodies is permitted for the purposes of providing superannuation services.  This Schedule amends, updates and renumbers the current list of organisations provided in Schedule 2 to the Privacy (Private Sector) Regulations 2001.

 

Schedule 2 – Centrelink Confirmation eServices (customer confirmation): prescribed organisations

 

This item inserts a new Schedule 2 into the Regulation.  It replaces Parts 1 and 2 of Schedule 3 of the Privacy (Private Sector) Regulations 2001.  Part 1 of this Schedule lists 69 prescribed organisations that may use or disclose the Centrelink Customer Reference Number. Part 2 of this Schedule lists 20 prescribed organisations that may use or disclose the DVA File Number.

 

Schedule 3 – Centrelink Confirmation eServices (income confirmation): prescribed organisations

 

This item inserts a new Schedule 3 into the Regulation.  It replaces Schedule 4 of the Privacy (Private Sector) Regulations 2001.  This Schedule lists 239 prescribed organisations that may use or disclose the Centrelink Customer Reference Number.

 

Schedule 4 – Centrelink Confirmation eServices (superannuation confirmation): prescribed organisations

 

This item inserts a new Schedule 4 into the Regulation.  It replaces Schedule 5 to the Privacy (Private Sector) Regulations 2001.  This Schedule lists 33 prescribed organisations that may use or disclose a Centrelink Customer Reference Number.

 

Schedule 5 – Repeals

 

This section repeals the whole of the Privacy (Private Sector) Regulations 2001 and the Privacy Regulations 2006.

 

 

 


ATTACHMENT C

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Regulation 2013

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The Privacy Regulation 2013 repeals the Privacy (Private Sector) Regulations 2001 and the Privacy Regulations 2006.  The Regulation’s purpose is to give effect to the Privacy Amendment (Enhancing Protection) Act 2012 (Amendment Act) which introduces significant amendments to the Privacy Act 1988 (Privacy Act).  The effect of the Regulation is to support the new credit reporting scheme introduced by the Amendment Act.  The Regulation defines certain credit reporting items and prescribes certain credit providers, credit reporting businesses and provides for specified exemptions.

The Regulation prescribes certain instrumentalities of New South Wales, and an authority of South Australia, as organisations for the purposes of the amended Privacy Act.  It consolidates, updates and simplifies existing privacy regulations into a single instrument.  It updates the list of organisations that may disclose Centrelink identifiers in order to determine whether an individual is entitled to access concessions and other services.  It also updates the list of agencies that may disclose the Commonwealth payroll number for superannuation purposes.  Additionally, the Regulation removes references to the National Privacy Principles, replacing them with references to the Australian Privacy Principles as a consequence of the Amendment Act.

Human rights implications

This Legislative Instrument engages the right to the protection against arbitrary interference with privacy, protected in Article 17 of the International Covenant on Civil and Political Rights (ICCPR).  The right to privacy in Article 17 of the ICCPR prohibits unlawful or arbitrary interferences with a person’s privacy, family, home and correspondence.   In order for an interference with a right not to be ‘arbitrary’, the interference must be for a reason consistent with the relevant Convention and reasonable in the particular circumstances.  By prescribing the terms and conditions of consumer credit that may be included in an individual’s credit information, and defining the meaning of monthly cycle in repayment history information, the Regulation positively affects individuals’ privacy rights.  It clearly stipulates what personal information comprised in an individual’s credit information, may be included in a data set within the credit reporting system.  The effect is to protect against arbitrary interferences with privacy that concern such personal information.

The Regulation limits the prohibition against arbitrary interference with privacy in a clearly and narrowly defined way for a purpose that is proportional, appropriate and legitimate.  The Regulation permits specified agencies to disclose certain government identifiers (such as employee payroll numbers) to superannuation organisations for staff superannuation purposes.  The Regulation also prescribes the circumstances in which personal information held in Commonwealth identifiers (such as the Centrelink Customer Reference Number or Department of Veterans’ Affairs File Number) may be used or disclosed, and prescribes those organisations permitted to use or disclose such information.  Such use or disclosure is necessary in order to determine whether an individual is entitled to concessions or to access other services, such as subsided housing, provided by the organisation, for the benefit of the individual.

Conclusion

This Legislative Instrument engages with the right to privacy and does so in a reasonable and proportionate way.

 

 

George Brandis QC

Attorney-General