Cross-border data flows: meeting privacy obligations in the realm of multi-jurisdiction law enforcement within Australia
By Kate Oliver• 17 March 2015 • 4 min read
Guidance to government agencies receiving requests for personal information from interstate or inter-territory agencies
Effective law enforcement often involves intelligence gathering and the sharing of personal information across state, territory and national borders.
Increasingly, government agencies are requested to provide personal information to law enforcement agencies. Agencies are then faced with the sometimes difficult task of determining whether providing the personal information requested will breach the agency's privacy obligations. This question becomes more complex when the request is made by a law enforcement agency in another jurisdiction.
The exchange of personal information for law enforcement purposes is regulated by Commonwealth, state and territory privacy legislation. In particular, the Australian Privacy Principles (Commonwealth) (APPs), Information Privacy Principles (Victoria) (IPPs) and the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) all permit the disclosure of personal information by an agency where this disclosure is:
- required or authorised 'by or under law'
- otherwise reasonably necessary for law enforcement purposes by, or on behalf of, a law enforcement agency.
The question is – how does this operate when the request for information is made by an agency in another jurisdiction?
Required or authorised by or under law
With respect to the first point, upon receiving a request from an agency (law enforcement or otherwise) in another state or territory, the agency should first consider whether it is bound to comply with the request. This requires the agency to determine whether the requesting agency has a statutory power to compel others to provide information and, if so, whether that statutory power operates extraterritorially so as to apply in the agency's jurisdiction.
Whether an agency can be compelled to provide personal information to an agency in another jurisdiction is largely a matter of fact, to be determined on a case-by-case basis. It will turn very much on a consideration of the applicable provisions of the relevant legislation, including whether there is a nexus between the operation of the relevant statutory provision and the jurisdiction in which it usually operates and whether the application of the legislation was intended to operate beyond that jurisdiction.
If the agency is compelled to disclose the information sought by the requesting agency, complying with the request to provide personal information (even to an agency in another state or territory), will not offend Commonwealth, New South Wales or Victorian privacy legislation.
Reasonably necessary for law enforcement purposes
In the event that the requesting interstate agency cannot compel disclosure of the personal information requested, privacy legislation may still permit the disclosure where it is necessary for law enforcement purposes (or for any other permitted purposes under the applicable privacy principles).
In Victoria, for example, IPP 2.1(g) permits the disclosure of personal information where it is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction, as well as other specific law enforcement purposes. A similar position exists under the APPs and PPIP Act.
The disclosure of personal information within these jurisdictions will, therefore, generally be permitted if the elements of the relevant privacy principle regarding law enforcement purposes have been met.
The position is less straightforward for disclosures to law enforcement agencies operating in other states or territories. Whether disclosure to an interstate or inter-territory law enforcement agency is permitted depends largely on whether the relevant local privacy legislation (and relevant privacy principle) operates extraterritorially to permit disclosure of information to law enforcement agencies outside of the agency's jurisdiction.
Where requests from Commonwealth law enforcement agencies are concerned, issues of jurisdiction are less likely to arise, given that the Commonwealth legislation will generally prevail over any applicable local legislation.
Where requests are received from interstate or inter-territory law enforcement agencies (as opposed to Commonwealth), it is necessary to determine whether the local privacy legislation, such as IPP 2.1(g) and equivalent provisions in other state and territory privacy principles, operate extraterritorially to permit the disclosure. It is likely that, in most instances, they will operate beyond their jurisdiction and enable disclosures to and between other Australian states or territories.
The approach outlined above provides general guidance to agencies receiving requests for personal information from interstate or inter-territory agencies, and broadly accords with the position established by the authorities considering extraterritorial operation of legislation.
MICTA/ICTA contracting framework mandated for use by NSW Government from 1 September
MICTA/ICTA framework must be used in place of the previous ProcureIT v3.2 framework
‘Contracting out' of limitation periods – a guide for Government entities
The relevance of Price v Spoor for Government clients.
New case on clause 4.6 requests – is it a development standard?
By Joshua Same & Georgia Appleby
Recent judgment in Elimatta Pty ltd v Read and Anor  NSWLEC 75, implicating the drafting of clause 4.6 requests