Let’s talk about discretion and trust. And perhaps also the public interest.
These are not the usual words I would use when introducing a discussion of the Disclosure principles in privacy law, but right now they seem apt. Because right now I am hopping mad about the disclosure by our government of one woman’s personal information to the media.
The matter I am talking about involves a single mother, but at a deeper level it involves all of us. We are all citizens, we are all ‘clients’ of government agencies at various times throughout our lives, and we all entrust our personal information to those government agencies. We expect that our privacy will be respected in return. This is the story of what happens when it isn’t. This is the story of Andie Fox, but it could just as easily be the story of you or me.
So the story is this: About a month ago, single mum Andie Fox wrote an opinion piece about her experiences dealing with Centrelink, which was published in Fairfax newspapers. A few weeks later, a journalist with the Canberra Times, Paul Malone, wrote an article about Centrelink, also published in Fairfax newspapers. That article included details about Ms Fox’s criticisms of Centrelink, but then also says “there are at least two sides to every story”, and in particular that “Centrelink has a different story”. Mr Malone’s article went on to reveal details about Ms Fox’s financial affairs and personal affairs, as well as quotes from Centrelink general manager Hank Jorgen about Centrelink’s dealings with Ms Fox.
(Just who gave Ms Fox’s information to the journalist is unclear. The article attributes comments to Mr Jorgen, but officials claimed the information was collated by DHS officials and approved for release by the Minister’s office. Later it was revealed that two responses were given to the journalist, one from the department and the other from the Minister’s office.)
The personal information about Ms Fox disclosed to the journalist, and revealed by the journalist to the world, included:
“The agency says Ms Fox’s debt is a Family Tax Benefit (FTB) debt for the 2011-12 financial year which arose after she received more FTB than she was entitled to because she under-estimated her family income for that year.
The original debt was raised because she and her ex-partner did not lodge a tax return or confirm their income information for 2011-12.
Centrelink says that after Ms Fox notified the department that she had separated from her partner, the debt due to her partner’s non-lodgement was cancelled.”
and
“Centrelink made numerous attempts to get in touch with Ms Fox via phone and letter but many of these attempts were left unanswered. Between November 16 and January 17 Centrelink made four phone calls and sent six letters to Ms Fox.
Centrelink says it was not until 2015 that she informed them that she had separated from her partner in 2013.
Mr Jongen said the experience described by Ms Fox could have been avoided if she had informed the department she had separated from her partner in a timely way, and if she had lodged her tax returns in a timely way.”
Wow. So much for privacy.
How exactly does a government agency get away with disclosing this kind of deeply intimate information about a person’s relationship history, tax affairs and social security benefits?
Let’s break it down.
Australian Privacy Principle (APP) 6 governs the disclosure of personal information by federal government agencies like Centrelink and the Tax Office. There are various grounds under which personal information can be disclosed, but let’s skip straight to the grounds that might possibly be relevant in this case. (BTW we have ‘untangled’ the Disclosure rules for you under NSW privacy legislation, but haven’t yet tackled the APPs.)
- Consent (APP 6.1(a))
Clearly not. Ms Fox wrote a follow-up blog detailing the “disturbing experience” of having her personal information distributed to the media, and asked “Is this what happens when you criticise government?” I think we can safely say that Ms Fox did not authorise the release herself.
- Individual should reasonably expect the disclosure for a secondary purpose which is related to the primary purpose for which it was collected (APP 6.2(a))
OK, this one is trickier. Let’s say that the primary purpose for which Ms Fox’s personal information was collected was to administer her social security payments. Is providing that information to a journalist a purpose that is somehow related to the administration of her payments? Debatable. Even if it is related, is the disclosure to the journalist something Ms Fox should have reasonably expected?
The guidelines from the OAIC on APP 6.2(a) actually have this to say on the topic:
“Examples of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose include where …
the individual makes adverse comments in the media about the way an APP entity has treated them. In these circumstances, it may be reasonable to expect that the entity may respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised”.
And in 2010 the OAIC handled a privacy complaint from someone in a similar position to Ms Fox, and found that the agency had met this test (albeit under an earlier version of the privacy principles). The Privacy Commissioner in that case noted that:
“The information provided by the agency was confined to responding to the issues raised publicly by the complainant. The Commissioner considered that the complainant was reasonably likely to have been aware that the agency may respond, in the way it did, to the issues raised.”
First, I would query whether in this case, the information provided to the journalist was “confined to responding to the issues raised publicly by the complainant”. Most of Ms Fox’s original piece was about the bureaucratic nightmare of dealing with Centrelink processes: queues, being on hold on the phone, being pushed to use an online system which didn’t cater for her circumstances. These experiences were not refuted by Centrelink.
Ms Fox had also written about the phenomenon known as sexually transmitted debt in the context of our tax and social security system, in which a legitimate payment of the Family Tax Benefit to one parent can later be described as an over-payment and thus a ‘debt’ because the other parent simply has not yet lodged their own tax return for the relevant financial year – something over which you might have little control at the best of times, but which can become impossible if the relationship has since broken down. Her original piece was about the traumatic experience of having to prove to the government that her relationship with the other parent had ended, before she could demonstrate that the ‘debt’ should be cancelled. Again, Ms Fox’s description of the way in which our tax and social security system operates (in particular, to the detriment of newly-single parents) was not refuted.
Instead, we got finger-wagging editorialising about how Ms Fox should have updated her records in a more timely way, and how often Centrelink had tried to contact her. The inferences to be drawn from those comments – perhaps, that Ms Fox is disorganised or disengaged and thus has herself to blame for the ‘debt’ being raised – are in turn disputed by Ms Fox in her follow-up blog. And in any case, they are hardly examples of correcting ‘false statements’, as the Minister later suggested had been made by Ms Fox.
But even if the information provided to the journalist had been a more direct correcting-an-error-of-fact, should Ms Fox have ‘reasonably expected’ Centrelink to brief a journalist in response to her opinion piece? Judging from the outcry on social media and across politics, it would seem that plenty of people did not expect a Centrelink customer’s personal information to be splashed about in the way experienced by Ms Fox. (Apart from anything else: don’t they have anything better to do?)
Despite the OAIC’s guidelines on interpreting this exemption, I think Centrelink would be drawing an extremely long bow to argue that their disclosure was either a related purpose or within reasonable expectations, let alone both.
- Authorised by another law (APP 6.2(b))
Now here is where it gets interesting – this is what Centrelink and the Minister are publicly using to justify the disclosure. Though which law has been harder to pin down.
On 28 February, Minister Alan Tudge told Parliament that “We are able under the Social Services Act (sic) to release information about the person for the purposes of, as I quote, ‘correcting a mistake of fact, a misleading perception or impression or a misleading statement in relation to a welfare recipient’.” However the Minister was quoting not from the Act itself, but from cl.11 of statutory guidelines which constrain the power of the Secretary of the Department of Human Services, of which Centrelink is a part, to disclose personal information under section 208 of the Social Security (Administration) Act 1999. In such a case, a public interest certificate must first be issued by the Secretary. The Department later confirmed that no such public interest certificate had been issued in relation to Ms Fox’s personal information.
Instead, the Department claimed that the disclosure was actually made under section 202 of the same Act, which governs the routine collection, use and disclosure of personal information. Because it is about routine matters necessary “for the purposes of the social security law”, disclosures made under s.202 do not require the Secretary’s authorisation. This is a standard, operational provision, about the normal functioning of Centrelink, and what the 35,000 staff employed by the Department can and can’t do with our personal information as they go about their work.
So the Department has effectively claimed that its disclosure of Ms Fox’s details to a journalist was lawful on the basis that the disclosure was made “for the purposes of the social security law”. What purpose of social security law was being served by the disclosure to the journalist? A Departmental spokesman is quoted as saying: “Unfounded allegations unnecessarily undermine confidence and takes staff effort away from dealing with other claims”.
The Department doubled-down on this rationale a few days later, with the Secretary of the Department Kathryn Campbell telling an Estimates committee in Parliament that the disclosure of personal information about clients to the media does not even need a public interest certificate from the Secretary under s.208, if it is released under s.202 “for the purposes of maintaining the integrity of the system”.
Ms Campbell is also quoted as saying: “That’s why we felt that it was appropriate to release the information, so that people knew it was important to file their tax returns and tell us about changes in their circumstances.”
Just let that sink in for a moment…. so the Secretary of the Department is saying that Ms Fox was made an example of, to remind the rest of us to lodge our tax returns on time?
One journalist summarised the problem thus: “Campbell … described an interpretation of social security law so broad that it effectively adds up to a license for the Department to disclose information against any citizen criticising government policy”.
In fact, if you interpret s.202 that broadly, there is very little limit to what federal public servants could start doing with your or my personal information, regardless of whether we have publicly criticised Centrelink.
Next time it might not be the PR unit releasing the personal information; it might be a limelight-seeking junior Centrelink staffer who decides to tweet about named ‘welfare cheats’ – for the purposes of maintaining the integrity of the system, of course. Or a staffer might decide to tell the media about a celebrity who was late filing their tax returns – as a way of reminding the public about the importance of filing their tax returns on time, clearly. Or perhaps a staffer could get away with telling a mate who pays child support that his ex-wife has a higher income than his mate suspects – for the purposes of maintaining the integrity of the system, obviously.
However this interpretation of s.202 is being questioned. Legal academic Darren O’Donovan has questioned whether the Department has read its ‘discretion’ too broadly, as has Legal Aid Victoria. In particular, since s.208 creates a specific mechanism for disclosures of personal information to ‘correct the record’, but which requires a public interest certificate to be issued by the Secretary in compliance with statutory guidelines, can s.202 really be read as also allowing an alternative pathway to disclosure, one which is predicated on broader, vague purposes and which does not require the Secretary’s authorisation at all?
(And even if you believe s.202 is that broad, surely it cannot authorise the disclosure of personal information that was released by the Minister’s office in error?)
So if the Department’s interpretation of the breadth of s.202 is wrong, what then? Well then, a disclosure of information that was not authorised or required by or under the social security law is a crime, punishable by up to two years’ imprisonment for the individual who made the disclosure.
Also, Centrelink would not be able to claim the ‘any other law’ exemption under APP 6.2(b), and therefore could be looking at a possible breach of the APPs. Labor has asked federal police to investigate, and the OAIC is looking into the matter. The OAIC can apply to court for a civil penalty order up to $1.7M, and Ms Fox could seek a remedy for herself, if it is found that there has been a breach of APP 6.
Of course, it is not just legal concerns which have been raised about the department’s decision to publicly respond to Ms Fox’s opinion piece by releasing her personal information. There are plenty who have questioned the ethics of the decision, even if it is found to be lawful. Some have raised the potential chilling effect on free speech and political discourse, while others have noted the power imbalance between a single parent blogger and the might of the government. Where was the concern for Ms Fox’s well-being? Where was the discretion? Did no-one think this might be a bad idea, to go pick a fight with a single mum? Did no-one say: just because we (think we) can disclose, doesn’t mean we should.
I spoke with ABC Radio’s Jon Faine about this case, and described Centrelink’s actions as legally arguable, but morally reprehensible. Paul Shetler, former head of Australia’s Digital Transformation Office, described Centrelink’s actions as “pretty shocking”.
And that was before it was revealed that the Minister had asked for extra information about Ms Fox … or that the Minister’s office had sent ‘For Official Use Only’ material to the Canberra Times journalist … or that that the Minister’s office is regularly receiving updates on Centrelink clients who have made public complaints on social media.
This case just compounds the effect of #censusfail and #notmydebt on a cynical and weary public. We are so often compelled, either by law or by financial need, to hand over details about our private life to government. In return, we expect government agencies to actually mean it when they say “we take your privacy seriously”. Otherwise, that phrase becomes a joke, up there with “your cheque is in the mail”, and “your call is important to us”.
The way the bureaucracy has dealt with Ms Fox has shown to be hollow the privacy promises made by Centrelink. Worse, it also undermines the privacy promises made by other agencies which share personal information with Centrelink, such as the Tax Office. The ATO has confirmed that once tax information about an individual is provided to Centrelink, that data becomes subject to Centrelink’s secrecy laws, rather than the rules found under the taxation legislation. And it is Centrelink’s interpretation of its own ‘secrecy’ provisions which has led us here today.
This case is a stupid and petty own-goal for the government. If Centrelink or the Minister’s office were trying to disprove the accusations of “unprofessionalism and callousness in the way it has tried to crack down on welfare overpayments”, they have spectacularly failed. Maybe they wanted to challenge Ms Fox’s description of feeling ‘terrorised’ by her dealings with the bureaucracy, but instead they simply proved her point. If the purpose of the disclosure was to maintain confidence in the welfare system, they instead caused confidence to plummet. If the idea was to paint Ms Fox as a ‘welfare cheat’, they instead earned her the sympathy of every other working parent who has ever tried to navigate their way through Centrelink to claim FTB or the child-care rebate.
I believe this will rebound not just on Centrelink, but throughout the federal public sector. The long-term impact will be to set back the government’s bigger picture digital transformation agenda, including e-health, digital identity and electronic voting projects, because public trust in how federal government institutions treat citizens’ personal information will simply continue to sink, unless trust is restored.
The repercussions have already included Labor re-thinking its support for veterans’ affairs legislation before Parliament, that would insert a similar provision to s.208, to allow for the disclosure of a veteran’s records, including medical records, at the discretion of the Secretary. The Veterans Affairs Minister has since had to order a new, independent Privacy Impact Assessment be conducted before the Bill proceeds to debate in the Senate. Meanwhile, evidence before a Senate Inquiry has heard that the Tax Office has raised concerns about the impact on the integrity of the ATO, when tax data is used by Centrelink. Just imagine the fight in Parliament next time privacy-invasive laws are proposed.
The UK Information Commissioner’s office has noted that citizen and customer trust is essential for the efficacy of public policy and services: “trust and public engagement is a prerequisite for government systems to work”. The Harvard Business Review has described customer trust as “the key that will unlock” access to data, so critical in the type of forward-thinking information economy our Prime Minister likes to promote.
So when government says “trust us with your personal information”, they have to mean it. Because we are all Andie Fox.
Photograph (c) Shutterstock