Home page
> Management Advisory Committee > Note for file > How recordkeeping interacts with information collection, use and disclosure obligations > Next: Assessing the current and future recordkeeping environment
‹ Previous page

Last updated: : 31 August 2007

Note for file: A report on recordkeeping in the Australian Public Service

Chapter 5. How recordkeeping interacts with information collection, use and disclosure obligations

Key messages in this chapter

The Commonwealth owns the real and intellectual property in all Commonwealth records and they can only be used and disclosed for the Commonwealth purposes.
Commonwealth records can only be disposed of in accordance with the Archives Act using a records disposal authority or a general disposal authority such as the Administrative Functions Disposal Authority, or for low-value or ephemeral records under normal administrative practice provisions.
An APS employee who misapplies, improperly disposes of, or improperly uses Commonwealth records may be in breach of the Financial Management and Accountability Act.
Most Commonwealth records are subject to the Freedom of Information Act. The real possibility that documents may be released under this Act reinforces the responsibility on APS employees to maintain a high degree of professionalism in their work.
Records that contain ‘personal information’ require special treatment under the Privacy Act.

Commonwealth records are the property of the Commonwealth

Archives Act

As explained in Chapter 1, if an APS employee makes a record or creates a document in the course of their employment then it is a ‘Commonwealth record’ as defined by the Archives Act 1983.

The Commonwealth owns Commonwealth records—not just the physical records/documents but also their inherent intellectual property, typically the copyright (which essentially is the right to make copies of all or part of the record/document).

This means a Commonwealth record can be used only as authorised by the Commonwealth or by the law and an APS employee can only use or copy Commonwealth records for the purposes of the Commonwealth. To do otherwise is against the law.²⁰

In addition, information contained in Commonwealth records is only to be disclosed with authorisation or in accordance with the law.²¹

The Archives Act sets out the legal framework for managing Commonwealth records.

The main provisions of the Archives Act are discussed in the previous chapters.

As noted in Chapter 2, Commonwealth records may only be disposed of in accordance with the Archives Act. Section 24 of the Archives Act explains how this can be done. For practical purposes, generally records can be disposed of either:

under normal administrative practice
under a record disposal authority.

Many low-value records can be disposed of under a normal administrative practice. However, disposal under a normal administrative practice is not available for records which are covered by a record disposal authority.

Disposal authorities essentially prohibit the disposal of classes of Commonwealth records before a certain time or, occasionally, at all, for those records classified as ‘retained as national archives’ (RNA).

Guidance on which, if any, records can be disposed of under normal administrative practice needs to be provided to employees by their agency.

There are two types of disposal authorities:

general disposal authorities (GDA) that cover common functions across government. The most important GDA that every government agency can use is the Administrative Functions Disposal Authority (ADFA) which covers 17 common functions, carried out by every Commonwealth agency including Community Relations, Financial Management, Government Relations and Personnel and Property Management.
records disposal authorities (RDA) that cover agency specific records (see Chapter 4).

The National Archives is currently updating the Administrative Functions Disposal Authority (AFDA), including expanding its coverage and taking into account changes to legislation and user feedback.

The National Archives is also developing practical guidance for agencies on when and how to use each of these different disposal methods and how they can be better coordinated and integrated.

Staff should take care not to unintentionally dispose of a Commonwealth record outside of the provisions of the Archives Act. Inappropriate and unlawful disposal is an offence under the Archives Act, and a breach of the APS Code of Conduct.

FInancial Management and Accountability Act

Commonwealth records also fall within the meaning of ‘public property’ as defined in the Financial Management and Accountability Act 1997.

An APS employee who misapplies, improperly disposes of, or improperly uses Commonwealth records may be in breach of the Financial Management and Accountability Act.²²

Freedom of InformatIon Act

APS employees should be familiar with the basic operation of the Freedom of Information Act 1982 (FOI Act).²³ A brief description of the Act follows, however employees should make further inquiries and seek advice where necessary. The Attorney-General’s Department provides guidance on the operation and effect of the FOI Act.²⁴

Most documents of most agencies are subject to the FOI Act.²⁵ For practical purposes, a document includes any, or any part of, a Commonwealth record.

The FOI Act generally requires agencies, if presented with a valid FOI request, to provide access to ‘documents’ in their possession within certain timeframes. Where access is granted it is unconditional. Agencies cannot grant access subject to conditions such as confidentiality, or impose any other limitation on the applicant, although agencies have some control over the form of access granted.²⁶

The real possibility that documents may be released under the FOI Act reinforces the responsibility on APS employees to maintain a high degree of professionalism in their work.

The use of intemperate, ill-considered or careless language is unprofessional and is potentially a breach of the APS Values and Code of Conduct, and may expose the author, their agency, and perhaps innocent third parties, to unnecessary embarrassment.

The FOI Act allows individuals to seek amendment or annotation of their personal information held by an agency if the information is incomplete, incorrect, misleading or out-of-date. This right to amend personal information is also legally enforceable. This means it is essential that agencies maintain their capability to amend or annotate records containing personal information.

Agencies can refuse to provide access to a document where an exemption provision applies. Exemptions are based on what is ‘necessary for the protection of essential public interests and the private and business affairs of persons in respect of whom information is collected and held’.²⁷ The exemptions are designed to provide a balance between the rights of applicants to access documents and the need to protect the legitimate interests of the government and third parties who deal with government.

Exemptions exist to protect classes of documents, such as Cabinet documents and documents subject to legal professional privilege, irrespective of their content. Exemptions also exist to protect documents based on their content, where release would impact on an identified public or private interest. These would include documents concerning the deliberative processes of agencies, and documents containing personal or commercially valuable information. For most of these ‘contents exemptions’ to apply, agencies must be satisfied that real harm to the relevant public or private interest would result from release of a document.

Agencies can also refuse to process FOI requests where to do so ‘would substantially and unreasonably divert the resources of the agency from its other operations’.²⁸ Therefore, overly broad FOI requests can be declined after giving the applicant reasonable assistance and opportunity to narrow their request.

Exemptions in the FOI Act should not be considered lightly or assumed to apply. The objective of the FOI Act is ‘to extend as far as possible the right of the Australian community to access to information in the possession of the Government of the Commonwealth’, and the Administrative Appeals Tribunal (AAT) and courts have interpreted exemptions in light of this objective.

The FOI Act provides for a Minister and certain principal officers to issue certificates which state conclusively that the documents specified in them are exempt documents. Such conclusive certificates can be issued only in relation to particular kinds of documents, for example, documents affecting national security, relations with other countries or the states, or documents created for the deliberative processes of an agency.

Applicants who are dissatisfied with an agency’s decisions under the FOI Act can seek a review of those decisions.²⁹ In most cases, an agency is required to undertake an internal review of its original decision before an applicant has a right to seek review by the AAT. The AAT can review most decisions of agencies under the FOI Act, including the decision to issue a conclusive certificate.

Privacy Act

The Privacy Act 1988³⁰ contains the Information Privacy Principles (IPPs) which apply generally to Commonwealth agencies. The IPPs regulate the handling of ‘personal information’, from collection and storage to use and disclosure.

Personal information is any information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. It is a very wide definition, and might, for example, include information about an individual whose identity might be ascertainable only when the information is combined with other information that is available to the agency.

Collecting personal information

Consistent with the IPPs, personal information should only be collected for a lawful purpose directly related to a function or activity of the agency collecting the information. Where an agency collects personal information, the agency must take steps to ensure the person providing the information is generally aware of the purpose for which the information is sought, any law requiring the collection of the information, and any other person, agency or organisation which will usually receive the information from the agency.

Agencies collecting personal information are required to ensure, as far as possible, that the personal information they collect is relevant to the purpose for which it is collected, up-to-date and complete, and that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the person providing the information.

Storing personal information

Agencies storing personal information must take reasonable steps to ensure the information is protected against unauthorised access, use, modification or disclosure (i.e. the information must be stored securely).

Agencies are required to maintain records of holdings of personal information for inspection by members of the public.

Individuals are entitled to access their personal information held by agencies. Access provided in accordance with the provisions of the FOI Act (discussed above) is also considered to be compliant with the Privacy Act.

As is the case under the FOI Act, agencies have an obligation under the Privacy Act to make corrections to personal information to ensure that their records are accurate, and, having regard to the purpose for which the information was collected, up-to-date, complete and not misleading. It follows that agencies must include this capability in any recordkeeping system that contains personal information.

Agencies should not use personal information in their records, without first taking reasonable steps to ensure that the information is accurate, up-to-date, and complete. The more important the purpose (e.g. the greater the consequences of getting the information wrong), the more effort is needed to ensure the information is correct—and, of course, agencies should only use personal information in records for relevant purposes.

More information on the IPPs under the Privacy Act is available from the Office of the Privacy Commissioner.

Disclosing personal information

‘Disclosure’ means letting the information go outside the control of the agency, whether intentionally or not.

The Privacy Act prohibits the disclosure of personal information, subject to a number of exceptions.

Disclosures are permitted, for example, where:

the individual has consented to the disclosure (impliedly or explicitly)
disclosure is necessary to save life or limb
disclosure is required or authorised by or under law
disclosure is reasonably necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty, or for the protection of the public revenue
the individual is reasonably likely to have been aware, or made aware by the agency, of such disclosures.

The APS takes compliance with the Privacy Act very seriously. Breaches of the Act, in the course of APS employment may mean that an APS employee has breached the APS Code of Conduct.

Contracting out/outsourcing activities

The Privacy Act imposes obligations on agencies that outsource their functions.

Where the information is given to another person so they can provide a service to an agency, the agency must do everything it reasonably can to prevent unauthorised use or disclosure of the information while the information is in the possession of the other person (e.g. through the use of ‘confidentiality provisions’ in applicable contracts).

Agencies that are outsourcing must include privacy clauses in contracts where the performance of the contract will involve collecting or handling personal information on behalf of the agency.

APS employees involved in preparing contracts need to be aware of these provisions and their implications. This requirement, in effect, imposes the public sector privacy principles on contractors.

Other legal obligatIons to disclose Commonwealth records/documents

While the FOI Act represents the most common way Commonwealth records are ‘released’ under law, APS employees also need to understand there are other times when an agency or an APS employee will be under a legal compulsion to provide Commonwealth records. The most common are:

when required to do so under a valid subpoena or other court ordered discovery process
when required to do so under a valid statutory notice such as under the Auditor-General’s Act or the Ombudsman’s Act. While the vast majority of requests from the Australian National Audit Office or the Ombudsman’s Office will be complied with on a voluntary basis, occasionally these offices may issue formal notices to assist in meeting their statutory responsibilities.

All Commonwealth agencies in receipt of such requests or demands are required to make all reasonable searches of any recordkeeping system, electronic or paper- based, where there is a reasonable belief that such may contain relevant documents.

FOI and discovery processes will be much easier and cheaper for the agency if sound recordkeeping policies and systems are in place, such as those discussed in Chapter 2 (e.g. minimising an agency’s ‘low-value’ record stockpile through disposal under normal administrative practice, and ensuring all useful or important records are corporately managed).

Fraud control

The Commonwealth Fraud Control Guidelines are issued under the authority of the Financial Management and Accountability Act, and fraud control must be a consideration when developing new computer systems.

APS agencies need to consider the possibility of records being used in criminal or civil proceedings. Most state evidence laws contain the following basic requirements relating to the admission of computer-generated evidence:

evidence showing the production of the records by the computer in question
proving the accuracy and reliability of the computer
proving its proper operation.

Authentication of records, in the first instance, is usually possible through the tender of an affidavit or written statement made by the person responsible for the computer systems or processes. The affidavit or statement is generally accompanied by a certificate that:

identifies the document containing the information, and describes how it was produced
gives the particulars of any device used in producing the statement
deals with any matters that relate to the conditions above
is signed by a person who holds a responsible position in relation to either the operation or the management of the relevant computer/activities.

If the evidence is challenged, this person may be called as a witness.

In the development and operation of a computer system, consideration should be given to how the above points will be established before a court if required.

20 Public Service Regulations 1999, Regulation 2.1, <http://scaleplus.law.gov.au/html/pastereg/3/1557/top.htm>

21 Australian Public Service Commission, APS Code of Conduct, <http://www.apsc.gov.au/conduct/> and Crimes Act 1914, s. 70, <http://www.comlaw.gov.au/>

22 Financial Management and Accountability Act 1997, s. 41, <http://www.comlaw.gov.au/>

23 Sourced from FOI advice provided by the Attorney-General’s Department.

24 See <http://www.ag.gov.au/www/agd/agd.nsf/page/Freedom_of_Information>

25 Some agencies are excluded from the operation of the FOI Act completely (e.g. ASIO) and some agencies are excluded from the operation of the FOI Act in relation to certain classes of documents (e.g. CSIRO in relation to documents in respect of its commercial activities).

26 Freedom of Information Act 1982, s. 22.

27 Freedom of Information Act 1982, s. 3(1)(b).

28 Freedom of Information Act 1982, s. 24.

29 Freedom of Information Act 1982, Part VI.

30 Attorney-General’s Department 2007 (2001), An Outline of AGD Obligations under the Privacy Act 1988, <http://www.ag.gov.au/>

Downloads

Contents

On our website:

Site help

Site menu