Legal challenges to sharing information
On April 24, 2004, Dr Peter Shergold launched the Management Advisory Committee’s Report No. 4 Connecting Government: Whole of Government Responses to Australia’s Priority Challenges.
Launching the report, Dr Shergold said that most pressing problems of public policy do not respect organizational boundaries and that it was now clear that the economic, social and security challenges that confront Australia as a representative democracy are best addressed in a whole-of-government manner.
The report defines “whole-of-government” in the Australian Public Service as “public service agencies working across portfolio boundaries to achieve a shared goal and an integrated government response to particular issues . . .”
One of the challenges identified by the report to successful whole-of-government activity is effective sharing of information between agencies, and with other entities.
Collecting, analyzing and using information is a key government function. Information is essential to enable agencies to produce the government’s expected outcomes and to meet community expectations. Information sharing will increasingly play a critical role in generating better and cheaper decision-making and program delivery.
It is generally recognized that technical barriers to information sharing have been reduced through advances in information and communications technology, and that this trend will continue. Much, of course, still needs to be done to be “integration-ready”.
But while the report alludes to “the rules governing information sharing”, and suggests that these need to be understood and interpreted appropriately by agencies, the report does not examine the extremely complex legal and administrative regime that governs the collection, storage, use and disclosure of information by Australian government agencies, or how this regime will impact on sharing information they currently hold.
Agencies collect, receive and develop vast amounts of information to carry out their functions. The information collected includes information that is publicly available, information supplied to government by third parties about their private, personal or business affairs, and information about government that has been generated by government. This information varies significantly in character and sensitivity.
Whether and in what circumstances an agency can share information it is holding with another entity will depend on what the particular information is, and the legal and/or administrative framework applicable to it. Any proposals to share information need to take account of this. The legal and administrative regime consists of requirements that are generally applicable (though maybe only to a particular category of information), and requirements that only apply in specific circumstances or to a particular activity or program.
Generally the ability of agencies to share public information does not present legal difficulties. The ability of agencies to share third-party information and government information may.
Information created by government is not subject to many of the restrictions that third-party information in the hands of government is subject to, but it is subject to a range of specific and generally applicable legislation. Administratively, it must be handled in accordance with the Commonwealth Protective Security Manual (PSM).
Under the general law, the courts have held that there is a “public interest” in government information being made available to the public. The leading case in this area is the Commonwealth of Australia v. John Fairfax and Sons Ltd, where the High Court held that unless disclosure is likely to “injure the public interest”, the courts will not act to protect government information from disclosure.
In general therefore, government information should, subject to any specific legal restraints, be available for an agency to share with other entities. However, the PSM effectively operates to reduce, rather than enhance, the amount of government information that is shared by the custodian agency.
Third-party information held by government is very often personal or business information.
Personal information is an extremely significant category of third-party information, and this is recognized by the report. The Privacy Act 1988 lays down strict requirements, focused on the Information Privacy Principles, that agencies must observe when handling such information. It is likely that much of the personal information currently held by agencies will not be able to be shared widely for whole-of-government activities unless measures are taken to prevent identification of the subject.
When an agency is provided with genuinely sensitive third-party information (e.g. personal, business) it is likely that the agency will be under an obligation, either pursuant to a contract or through the creation of an equitable obligation, to protect this information as confidential information. Prior to the current Australian government policy of minimizing the amount of third-party information that agencies agree to protect as confidential information, agencies had agreed to protect vast amounts of such information as confidential information. The extent to which this information can consequently be shared is therefore not clear.
Broad protection against disclosure of information by agencies is provided for in the Crimes Act 1914, the Public Service Act 1999 and in hundreds of specific secrecy provisions in Commonwealth legislation. While each statutory secrecy provision operates within its own terms, the general thrust of these provisions is that the information protected by these provisions should not be disclosed by the custodian of the relevant information. Any proposed information sharing activity would need to assess the impact of these provisions on such a proposal.
In addition, there will in many cases be specific legislation that will apply to the collection, use and disclosure of particular information. For example, the Health Insurance Act 1973 and the National Health Act 1953 also apply to protect personal information collected by the Health Insurance Commission. As well, any proposed information sharing by agencies would also need to consider the applicability of the Archives Act 1983, the Freedom of Information Act 1982 and copyright law.
Great benefits should flow from effectively managed whole-of-government activities: a more citizen-centric approach, and better and cheaper policy development, programs and service delivery. But before agencies embark on any information-sharing activity they need to understand the different categories of information that they are dealing with and the applicable legal regime. As part of a comprehensive risk management approach, a legal risk analysis should be done with the aim of ensuring that the rights of citizens are protected, and that agencies do not subject themselves to unnecessary legal risk.
Anne Caine is a partner with legal firm Corrs Chambers Westgarth. This column should not be relied on in place of legal advice
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.