Privacy Protocol 7 – use or disclosure of personal information for the purposes of revenue protection
Privacy principles prohibit disclosure of personal information outside the University (Information Privacy Principle 11). One exception to this general principle is where the use or disclosure is “reasonably necessary for the …protection of revenue”. When any staff member receives a request from revenue protection agencies the following protocol for liaison with the external agency must be used. General advice on the operation of this protocol may be obtained from the Privacy Contact Officer.
Agencies making such enquiries may include the Australian Taxation Office, Office of State Revenue or other government agencies which provide benefits or allowances. This protocol does not apply to the standard reporting arrangements by areas such as Payroll (Australian Taxation Office) or Student Business Services (Centrelink, DEST, DIMIA), where disclosure generally occurs under express legislative authority. Any other staff member who receives an ad hoc request for personal information apparently relating to revenue protection, should refer the matter to either the Director, Student Business Services (in the case of student personal information), or the Director, Human Resources Department (in the case of staff personal information). Any other request should be referred to the Registrar’s Executive Officer.
When dealing with ad hoc requests, these officers should ascertain whether the agency concerned may use other means to obtain the information, for instance, by relying on legal compulsion (for instance, a legislative provision which compels the production of information). The following process should be followed by the officer managing the enquiry if this proves necessary:
- establish the bona fides of the officer making the enquiry;
- discuss the nature of the enquiry with the revenue officer involved with a view to obtaining confirmation that the disclosure of personal information is reasonably necessary for the protection of the public revenue;
- liaise with the relevant sections of the University who hold the information (if required);
- keep a record of the enquiry in order to satisfy the requirements of Information Privacy Principle 11.2 (see below).
Scope of the request
Privacy guidelines issued by the Commonwealth Privacy Commissioner indicate that it is inappropriate to rely on the law enforcement/revenue protection exceptions to justify disclosure of large amounts of personal data for data-matching purposes. Consequently, it is expected that this protocol will apply only to limited requests for information concerning a named individual. Disclosure of large numbers or groupings of personal records should only occur with express legislative authority.
Records of the enquiry
Information Privacy Principle 11 specifies that, where the personal information has been used or disclosed for law enforcement or revenue protection purposes, the University must “include in the record containing that information a note of the disclosure”. With paper records, this is straightforward, and IPP 11 can be satisfied by adding a note or attachment to the document holding the information (the content of the note should be consistent with the requirements for the log which are described below).
It is assumed, however, that most of the personal information which is sought will be recorded in computerised systems rather than paper records. A separate log of these disclosures must therefore be kept, since it will generally be impracticable to keep a note with the electronic record and a computer audit trail recording who accessed particular computer records is insufficient to satisfy the IPP 11 requirements.
The log must contain sufficient detail of the enquiry to record:
- what type of personal information has been used and/or disclosed in accordance with this protocol;
- when the use or disclosure occurred, who did so (ie the name of the University officer who did so), to whom the information was disclosed and for what purpose.
The following information must be included in the log:
- Date of enquiry and date of use or disclosure;
- Name of organisation requesting the personal information;
- Name and contact details of person requesting the personal information;
- Nature of information requested;
- Source of the personal information requested;
- Purpose of and justification for disclosure.
Any records, such as faxes, emails, file notes, which were generated in dealing with the enquiry must be retained. The records and a log of the enquiry (summarising the above information) must be forwarded to Records Management Services on Gardens Point campus.
The information in the log (or in a note attached to paper records) may be made available for audits or FOI applications, but should not be available to staff who routinely access the records for normal administrative purposes only.