Response to Consultation Paper on Common Statement for Information Sharing

Response to Consultation Paper on Common Statement for Information Sharing

P a g e 1 | 16

2

Contents Introduction ............................................................................................................................................................. 5 Recommendations ................................................................................................................................................. 6 Background to the Consultation Paper ............................................................................................................ 7 Legislative and policy framework ...................................................................................................................... 9 Relevant rights and their protection ........................................................................................................ 9 Key legal obligations on government and non-government organisations ............................ 10 Privacy and confidentiality obligations ............................................................................................ 10 Right to be heard ....................................................................................................................................... 11 Other current legal and policy considerations ................................................................................... 13 Other information sharing approaches ......................................................................................................... 14 The proposed principles and ‘brief guide’ in the Appendix ..................................................................... 15

P a g e 3 | 16

P a g e 4 | 16

Introduction Thank you for the opportunity to respond to the Consultation Paper on the Common Statement for Information Sharing (the Consultation Paper).1 Established in 1961, the mission of the Tasmanian Council of Social Services (TasCOSS) is twofold:  

to act as the peak body for the community sector in Tasmania, and to challenge and change the systems, behaviours and attitudes that create poverty, inequality and exclusion.

We work with integrity and compassion to amplify the voices of Tasmanians and we name up bold, brave leadership when we see it. TasCOSS is contributing to this consultation for two reasons. Firstly, TasCOSS has a key role to play because of its impact on member organisations that may be ‘asked to “sign on” to the Common Statement once it has been finalised’.2 Second, TasCOSS has a key role to play because of its work to promote the interests and needs of those members of the Tasmanian community who face poverty, inequality and exclusion, including children and others who have interactions with the Child Safety System. TasCOSS supports a Child Safety System that is able to respond appropriately and in a timely way to the needs of children facing risks to their safety. However, the proposed approach in the Consultation Paper does not, in the view of TasCOSS, sufficiently recognise the significant risks to safety that may arise from breaches of privacy and inappropriate disclosure of personal information. Nor does it provide sufficient clarity in its proposed guidance or appropriately reflect the existing legal frameworks. It places too much onus on individuals to understand the detail underpinning many of the principles and, as such, is insufficient as an effective and appropriate guidance tool or legal framework for information sharing.

1

Department of Health and Human Services (Tas), Common Statement on Information Sharing: Consultation Paper

(2017). 2

Ibid, 2.

P a g e 5 | 16

Recommendations 1. That any further work on guidance for information sharing, particularly as it relates to the sharing of information relevant to the wellbeing and safety of children and young people, be undertaken by a specialist working group convened by the Tasmanian Government that includes representatives of all key stakeholders as well as relevant experts on privacy and legislative obligations. It should take place as part of an integrated and co-ordinated approach to Child Protection and Out-of-Home Care redesign implementation. 2. That the working group ensure advice is received from the Federal Privacy Commissioner, the Commissioner for Children and Young People, and the Solicitor General before any further draft is made available for consultation. 3. That the guidance for information sharing developed for Tasmania: a. clearly recognise the right of young people to be involved in decisions affecting them and ensure the guidance assists decisions makers to support this involvement; b. have clear legal effect that is explained in the document; c. specifically indicate that all entities seeking to rely on the guidance must develop clear and binding protocols in relation to who has authority to make decisions about information sharing; d. indicate the need for and scope of record keeping in relation to information sharing (both decisions to share and decisions not to share information); e. give priority to seeking informed consent and a presumption against sharing where such consent is not obtained; f. provide guidance on how to ensure consent is informed and how to deal with consent where the information to be shared relates to a person under 18 years of age; g. provide clear guidance on personal information concepts including, but not limited to sensitive personal information, factual information, commentary and opinions, solicited information and unsolicited information, collection retention and disposal, and notification.

P a g e 6 | 16

Background to the Consultation Paper The Consultation Paper references the report of the Reference Group chaired by Professor Maria Harries, Redesign of Child Protection Services: ‘Strong Families – Safe Kids’.3 The following appear to be the relevant recommendations from Strong Families – Safe Kids: Recommendation 2 That the Tasmanian Government and non-government services work together to implement and embed the Common Approach framework across the service system to increase the capacity of practitioners in first contact with children and families to identify both their strengths and needs, build on these strengths within families, and link families with the supports they need before problems escalate into crises.4 Recommendation 5 That the Tasmanian Government works with the non-government sector to identify an appropriate mechanism, such as a cross sectoral consultative committee, for ongoing collaboration and planning.5 Recommendation 10 That, in developing the Child Protection Advice and Referral Service, the Tasmanian Government consider how best it can build on the Safe Families Tasmania initiative (Safe Families Coordination Unit and Safe Choices) and Safe at Home to provide cross Agency and cross sectoral support for children at risk and their families.6 Recommendation 25 That the Child Protection workforce is supported through increased investment in fit-for-purpose information systems and hardware, as well as process support that allows workers to spend more time with children, families and support services.7 Recommendation 26 That the Tasmanian Government includes as a core design principle, that the sharing of information across Government is a priority in redesigning or replacing case management systems.8 Recommendation 27 That the State Government ensures that the system for protecting children and promoting the well-being of children and their families is supported by a commitment of system partners to collect, share and analyse data and report on outcomes for children and their families.9 Recommendation 28 The Tasmanian Government publishes a register of reforms that are seeking to build increased strength in children and families for the purposes of ensuring that reforms are progressed collaboratively and with a shared vision and purpose.10

3

Child Protection System Redesign Reference Group, Department of Health and Human Services (Tas), Redesign of Child Protection Services: ‘Strong Families – Safe Kids’ (2016) <http://www.dhhs.tas.gov.au/children/strongfamilies-safekids> at 26 April 2017. 4 Ibid, 8. 5 Ibid. 6 Ibid. 7 Ibid, 9. 8 Ibid (emphasis added). 9 Ibid. 10 Ibid.

P a g e 7 | 16

Recommendations 11 and 12 deal specifically with partnerships between Child Protection Services and Tasmania Police, and Child Protection Services and the Department of Education, which would be likely to contemplate information sharing. The report indicated that one of the aspects of the current system that participants in those consultations indicated was not currently working well is: ‘Disconnect and barriers to information sharing with NGO service providers’.11 It also noted that participants expected that the redesigned system would need to demonstrate it is: Supported by a user-friendly integrated case management data system that enables the sharing of information seamlessly across services, both internal and external including nongovernment organisations and other Government Agencies.12

It appears that the Consultation Paper is a stand-alone development aimed at responding to some aspects of these recommendations and the report more broadly. The Consultation Paper indicates, however, that it was not developed in collaboration with key stakeholders. Rather, it states it is ‘[b]ased on initial consultation with internal government stakeholders and research on the approaches other jurisdictions have taken’.13 This apparent lack of engagement with external stakeholders and their representatives is reflected in the proposed approach, which fails to acknowledge the scope of legislative obligations on stakeholders in relation to privacy and confidentiality, and the rights of key stakeholders in the form of children and their families.

11 12 13

Ibid, 22. Ibid, 23. Department of Health and Human Services (Tas), above n1, 3 (emphasis added).

P a g e 8 | 16

Legislative and policy framework Relevant rights and their protection As a party to the international Convention on the Rights of the Child14, Australia (and its constituent states and territories) are obligated to protect, promote and fulfil the rights and freedoms set out in that Convention. The Convention contains the following relevant rights: Article 3 1. In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration. 2. States Parties undertake to ensure the child such protection and care as is necessary for his or her well-being, taking into account the rights and duties of his or her parents, legal guardians, or other individuals legally responsible for him or her, and, to this end, shall take all appropriate legislative and administrative measures. States Parties shall ensure that the institutions, services and facilities responsible for the care or protection of children shall conform with the standards established by competent authorities, particularly in the areas of safety, health, in the number and suitability of their staff, as well as competent supervision. Article 12 1. States Parties shall assure to the child who is capable of forming his or her own views the right to express those views freely in all matters affecting the child, the views of the child being given due weight in accordance with the age and maturity of the child. 2. For this purpose, the child shall in particular be provided the opportunity to be heard in any judicial and administrative proceedings affecting the child, either directly, or through a representative or an appropriate body, in a manner consistent with the procedural rules of national law. Article 16 1. No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and reputation. 2. The child has the right to the protection of the law against such interference or attacks. Article 19 1. States Parties shall take all appropriate legislative, administrative, social and educational measures to protect the child from all forms of physical or mental violence, injury or abuse,

14

Convention on the Rights of the Child, opened for signature 20 November 1989, 1577 UNTS 3, 1991 ATS 4 (entered into force 2 September 1990, entered into force for Australia 16 January 1991).

P a g e 9 | 16

neglect or negligent treatment, maltreatment or exploitation, including sexual abuse, while in the care of parent(s), legal guardian(s) or any other person who has the care of the child. 2. Such protective measures should, as appropriate, include effective procedures for the establishment of social programmes to provide necessary support for the child and for those who have the care of the child, as well as for other forms of prevention and for identification, reporting, referral, investigation, treatment and follow-up of instances of child maltreatment described heretofore, and, as appropriate, for judicial involvement.

Article 17 of the International Covenant on Civil and Political Rights15 provides privacy rights to all people, including for example parents and guardians, in virtually identical terms as Article 16 of the CRC.

Key legal obligations on government and non-government organisations Privacy and confidentiality obligations

The right to privacy is recognised and protected in Australia in respect of personal information through the Privacy Act 1988 (Cth). The Privacy Act applies to both the Commonwealth Government and its entities, and to many non-government entities. State and territory parliaments have also enacted laws to require their government authorities to ensure privacy protection for personal information. In Tasmania, the Personal Information Protection Act 2004 (Tas) (PIPA) applies Personal Information Protection Principles to any person or entity that is a ‘personal information custodian’. This concept is defined in section 3 of the PIPA as meaning any of the following: (a)

a public authority;

(b)

any body, organisation or person who has entered into a personal information contract relating to personal information;

(c)

a prescribed body;

It does not generally apply to non-government entities. Section 4 of PIPA specifically states that if a provision of that Act is ‘inconsistent with a provision made by or under any other Act’, that other provision prevails. This means, in effect, the provisions of the PIPA defer to any other inconsistent provisions. It is likely that both the Privacy Act and the PIPA apply to the proposed information sharing activities. It is vital that all stakeholders, including those who will be ‘asked to sign on’, understand the scope of their obligations under both these laws. It is not sufficient to suggest the PIPA is the relevant privacy law to consider. It is also not sufficient to have a principle that states that information sharing ‘does not violate reasonable expectations of privacy’16, as this suggests the absence of clear legal rights. Similarly, it is not sufficient to have a principle dealing with transfer, storage, updating, 15

International Covenant on Civil and Political Rights, 999 UNTS 171, 1980 ATS 23, UN Doc A/6316 (1966) (entered into force 23 March 1976, entered into force for Australia 13 November 1980, except Article 41 which entered into force on 28 January 1993). 16 Department of Health and Human Services (Tas), above n1, 8 (Principle 4.2).

P a g e 10 | 16

maintaining and disposing of data without clear reference to and guidance on existing legal obligations.17 The absence of a clear principle dealing with legal obligations is particularly concerning. In addition, specific laws often provide targeted privacy and confidentiality protections in respect of personal information and also specify circumstances in which such protections may be overridden. For example, Part 5A of the Children, Young Persons and Their Families Act 1997 (Tas) specifically deals with information sharing. That Act also specifies confidentiality in relation to certain aspects of the Child Protection System.18 Again, it is vital that stakeholders understand the scope of their obligations under this and all other relevant laws. Failing to do so could expose such stakeholders (both individuals and organisations) to liability for breaches of legislative obligations. It is not enough to simply reference a list of potentially relevant Acts. Right to be heard

As noted above, Article 12 of the CRC provides that children and young people have a right to be involved in decisions that affect them and to be heard in any processes that affect their rights: 1. States Parties shall assure to the child who is capable of forming his or her own views the right to express those views freely in all matters affecting the child, the views of the child being given due weight in accordance with the age and maturity of the child. 2. For this purpose, the child shall in particular be provided the opportunity to be heard in any judicial and administrative proceedings affecting the child, either directly, or through a representative or an appropriate body, in a manner consistent with the procedural rules of national law.

The United Nations Committee on the Rights of the Child has issued guidance on interpreting Article 1219, and this should be considered and reflected in any guidance on information sharing. This international law obligation is reflected in Tasmanian legislation, with section 10D of the Children, Young People and Their Families Act 1997 (Tas) stating: 10D. Treating child with respect (1)

A child is a valued member of society and is entitled to be treated in a manner that respects the child's dignity and privacy.

(2)

All children are entitled to have their rights respected and ensured without discrimination.

(3)

Any decision under this Act relating to a child should be made –

17

Ibid (Principle 4.7). See, for example, Children, Young Persons and Their Families Act 1997 (Tas) s 16 and 103. 19 Committee on the Rights of the Child, General Comment No 12: The right of the child to be heard, 51st sess, UN DOC CRC/C/GC/12 (1 July 2009) <http://www2.ohchr.org/english/bodies/crc/docs/AdvanceVersions/CRC-C-GC-12.pdf>. 18

P a g e 11 | 16

(a)

promptly having regard to the child's circumstances; and

(b)

in a manner that is consistent with the cultural, ethnic and religious values and traditions relevant to the child; and

(c)

with, as far as practicable, the informed participation of the child, the child's family and other persons who are significant in the child's life.

This means people making decisions to share information (or not share information) under the guidelines need to be provided with relevant information on how to assess the capacity of a child to given informed consent and to ensure the effective participation of the child, and what is meant in law by the term: ‘as far as practicable’. As stated by the Australian Law Reform Commission in its report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108): 68.18 The Privacy Act sets no minimum age at which an individual can make decisions regarding his or her personal information. The Guidelines to the National Privacy Principles suggest that each case must be considered individually, and give guidance as to when a young person may have the capacity to make a decision on his or her own behalf. As a general principle, a young person is able to give consent when he or she has sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person; for example if the child is very young or lacks the maturity of understanding to do so themselves. 68.19 The Guidelines on Privacy in the Public Health Sector stress that where a young person is capable of making his or her own decisions regarding personal information, he or she should be allowed to do so. The Guidelines further suggest that, even if the young person is not competent to make a decision, his or her views should still be considered.

The current Australian Privacy Principles guidelines relevantly state20: Children and young people B.56 The Privacy Act does not specify an age after which individuals can make their own privacy decisions. An APP entity will need to determine on a case-by-case basis whether an individual under the age of 18 has the capacity to consent. B.57 As a general principle, an individual under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves. B.58 If it is not practicable or reasonable for an APP entity to assess the capacity of individuals under the age of 18 on a case-by-case basis, the entity may presume that

20

Office of the Australian Information Commissioner, Australian Privacy Principles guidelines (2015) [12–13] <https://www.oaic.gov.au/resources/agencies-and-organisations/appguidelines/APP_guidelines_complete_version_1_April_2015.pdf> at 28 April 2017.

P a g e 12 | 16

individual aged 15 or over has capacity to consent, unless there is something to suggest otherwise. An individual aged under 15 is presumed not to have capacity to consent.

Also relevant is the Tasmanian Government’s Capacity Toolkit, which provides guidance on assessing capacity (but not specific to young people).21

Other current legal and policy considerations This work should also be informed by the report of the Royal Commission into Institutional Responses to Child Sexual Abuse. This Royal Commission has considered in detail the existing legislative and related frameworks for information sharing and its final conclusions on such frameworks should be a key input to the development of a framework for Tasmania.

21

Department of Health and Human Services (Tas), Capacity Toolkit: Information for government and community workers, professionals, families and carers (undated) <http://www.dhhs.tas.gov.au/__data/assets/pdf_file/0008/98513/Web_Capacity_Toolkit_Tasmania.pdf>. It is noted that this document is largely targeted at dealing with issues of capacity in relation to people with disability and older people. It provides no specific guidance in relation to young people.

P a g e 13 | 16

Other information sharing approaches The Consultation Paper references work done in South Australia, the Northern Territory, Western Australia and New Zealand. Of these:  





there is limited current information available about Western Australia (the only document able to be readily located through the internet dates from 2003); the South Australia document, Information Sharing Guidelines for promoting safety and wellbeing is issued by the South Australian Ombudsman with approval from the South Australian Cabinet, has extensive guidance within the document and a broad range of supporting resources provided by the Ombudsman22; the NT Government’s Information Sharing Guidelines provide much more extensive guidance than the Consultation Paper, including on key concepts and obligations and are issued under a specific and mandatory provision within Part 5.1A (‘Sharing information for safety and wellbeing of children) of the Care and Protection of Children Act 2007 (NT)23; and the New Zealand framework is a formal approved information sharing agreement made under the Privacy Act 1993 (NZ) specifically overseen by the Privacy Commissioner of New Zealand, with obligations for reporting to the Minister on specified matters.

These frameworks generally have much clearer information about legal obligations, set out specific requirements of any entity proposing to be able to use the frameworks as the basis of their information sharing, and give much greater emphasis to the right to privacy and confidentiality, and the importance of informed consent.

22 23

Ombudsman SA, Information Sharing Guidelines (2017) <http://www.ombudsman.sa.gov.au/isg/> at 26 April 2017. Care and Protection of Children Act 2007 (NT) s 293H.

P a g e 14 | 16

The proposed principles and ‘brief guide’ in the Appendix The document fails to indicate the existence of Personal Information Protection Principles or Privacy Principles under state and federal laws. Instead, it proposes a set of principles that do not readily link to those existing principles and then sets out in the Appendix a ‘brief guide to the information sharing process’.24 This brief guide is likely to be treated as the key framework documents for those seeking to share information and, as such, needs to be accurate, clear and robust. The current seven-step process does not meet this requirement. The order of the steps does not reflect legal obligations in relation to privacy and confidentiality, and supporting information provides little more guidance. For a person dealing with a request or seeking to share information:       

 

24

there is reference to legislation without giving the person any useful indication of how that legislation is relevant and what the key aspects of it are in respect of the framework; there is virtually no effective guidance for the person on the types of information that are considered sensitive under privacy law and what that means in terms of information sharing; there is nothing to indicate who the person should go to in order to have a decision made on whether or not information should or can be shared in the circumstances; there is no detail of that person’s obligations around documentation of the request or decision to share; there is no effective guidance for the person in relation to seeking consent where the information relates to a child and what the existing law is on the capacity of children to consent; there is little guidance for the person on how to determine whether consent from the affected person can properly be considered to be informed consent; there is no indication about the types of information that are subject to the guidelines and the differences between personal information that identifies the person, personal information that is de-identified, and aggregate information that is not able to be used to identify a person; there is no distinction between situations where there is an immediate risk of harm and those where there is an ongoing need for entities to work together to prevent a risk developing; and there is no guidance on the distinction between sharing in response to a request and sharing pro-actively;

Department of Health and Human Services (Tas), above n1, 10–14.

P a g e 15 | 16

All are significant problems with the Consultation Paper. One aspect of the South Australian approach that is completely absent is the provision of worked examples. These provide extensive guidance for people who may have little experience in dealing with information handling obligations. They would also have been useful as a means of testing the effectiveness of the guidelines in their development.

P a g e 16 | 16