One of the most frequent Code of Conduct breaches occurs when an APS employee inappropriately accesses information held by their agency. The collection, use and disclosure of personal information is subject to the protections and obligations of the Privacy Act 1988.
5.1 Information privacy
5.1.1 Privacy Act—Australian Privacy Principles
The Privacy Act 1988 establishes 13 Australian Privacy Principles (APPs) which generally apply to Commonwealth agencies. APP 6 provides that agencies should only use or disclose personal information about an individual for the purpose for which that information was collected (the 'primary purpose') or for a secondary purpose if an exemption applies.
According to the APP Guidelines issued by the Office of the Australian Information Commissioner, the exceptions in APP 6 include:
- where the individual has consented to a secondary use or disclosure, or
- where the individual concerned would 'reasonably expect' their personal information would be used or disclosed for the secondary purpose, and the secondary purpose is related to the primary purpose of collection.
5.1.2 Public Service Regulation 9.2
APP 6 also permits a use or disclosure of personal information where it is authorised by or under an Australian law. Public Service Regulation 9.2 provides that authority where the use or disclosure is relevant or necessary to the exercise of an agency head's employer powers.
Tools and resources
5.1.3 Public Service Regulation 2.1
Public Service Regulation 2.1 details the duty of an APS employee not to disclose certain information they have as a consequence of their employment, and sets out the allowable exceptions to this principle. A breach of Regulation 2.1 may lead to a criminal prosecution under the Crimes Act 1914 and is liable to a penalty of imprisonment for up to two years.
See Section 4.2 of APS Values and Code of Conduct in Practice for more information on disclosure of information.
5.1.4 Other legislation
The management and protection of information may also be regulated by specific legislation such as the Social Security Act 1991.
5.2 Sharing risk information within agencies
Many agencies will have different business areas with overlapping responsibilities in relation to integrity. Managing integrity risks can be improved through increased information sharing between relevant areas, such as human resources, security, information technology and fraud control. While agencies need to be mindful of their obligations relating to personal information under the Privacy Act 1988, these areas should be encouraged to share relevant employee information to obtain a broader perspective on an individual's behaviours and risk profiles.
5.3 Sharing risk information between agencies
In some circumstances, agencies may be required to report allegations or incidents to other agencies, such as the Australian Government Security Vetting Agency or law enforcement bodies. See information sheet three Managing risks in the workplace section 3.4.