Cross-border data flows: meeting privacy obligations in the realm of multi-jurisdiction law enforcement within Australia
By Kate Oliver • 17 March 2015 • 4 min read
Guidance to government agencies receiving requests for personal information from interstate or inter-territory agencies
Effective law enforcement often involves intelligence gathering and the sharing of personal information across state, territory and national borders.
Increasingly, government agencies are requested to provide personal information to law enforcement agencies. Agencies are then faced with the sometimes difficult task of determining whether providing the personal information requested will breach the agency's privacy obligations. This question becomes more complex when the request is made by a law enforcement agency in another jurisdiction.
The exchange of personal information for law enforcement purposes is regulated by Commonwealth, state and territory privacy legislation. In particular, the Australian Privacy Principles (Commonwealth) (APPs), Information Privacy Principles (Victoria) (IPPs) and the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) all permit the disclosure of personal information by an agency where this disclosure is:
- required or authorised 'by or under law'
- otherwise reasonably necessary for law enforcement purposes by, or on behalf of, a law enforcement agency.
The question is – how does this operate when the request for information is made by an agency in another jurisdiction?
Required or authorised by or under law
With respect to the first point, upon receiving a request from an agency (law enforcement or otherwise) in another state or territory, the agency should first consider whether it is bound to comply with the request. This requires the agency to determine whether the requesting agency has a statutory power to compel others to provide information and, if so, whether that statutory power operates extraterritorially so as to apply in the agency's jurisdiction.
Whether an agency can be compelled to provide personal information to an agency in another jurisdiction is largely a matter of fact, to be determined on a case-by-case basis. It will turn very much on a consideration of the applicable provisions of the relevant legislation, including whether there is a nexus between the operation of the relevant statutory provision and the jurisdiction in which it usually operates and whether the application of the legislation was intended to operate beyond that jurisdiction.
If the agency is compelled to disclose the information sought by the requesting agency, complying with the request to provide personal information (even to an agency in another state or territory) will not offend Commonwealth, New South Wales or Victorian privacy legislation.
Reasonably necessary for law enforcement purposes
In the event that the requesting interstate agency cannot compel disclosure of the personal information requested, privacy legislation may still permit the disclosure where it is necessary for law enforcement purposes (or for any other permitted purposes under the applicable privacy principles).
In Victoria, for example, IPP 2.1(g) permits the disclosure of personal information where it is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction, as well as other specific law enforcement purposes. A similar position exists under the APPs and PPIP Act.
The disclosure of personal information within these jurisdictions will, therefore, generally be permitted if the elements of the relevant privacy principle regarding law enforcement purposes have been met.
The position is less straightforward for disclosures to law enforcement agencies operating in other states or territories. Whether disclosure to an interstate or inter-territory law enforcement agency is permitted depends largely on whether the relevant local privacy legislation (and relevant privacy principle) operates extraterritorially to permit disclosure of information to law enforcement agencies outside of the agency's jurisdiction.
Where requests from Commonwealth law enforcement agencies are concerned, issues of jurisdiction are less likely to arise, given that the Commonwealth legislation will generally prevail over any applicable local legislation.
Where requests are received from interstate or inter-territory law enforcement agencies (as opposed to Commonwealth), it is necessary to determine whether the local privacy legislation, such as IPP 2.1(g) and equivalent provisions in other state and territory privacy principles, operates extraterritorially to permit the disclosure. It is likely that, in most instances, they will operate beyond their jurisdiction and enable disclosures to and between other Australian states or territories.
The approach outlined above provides general guidance to agencies receiving requests for personal information from interstate or inter-territory agencies, and broadly accords with the position established by the authorities considering extraterritorial operation of legislation.