PRIVACY IMPACT ASSESSMENT
FOR
NATIONAL CODE OF PRACTICE FOR CHEMICALS OF
SECURITY CONCERN
For: Attorney-General’s Department
MAY 2013
TABLE OF CONTENTS
1 EXECUTIVE SUMMARY
1.1 BACKGROUND
1.2 SCOPE OF THE PIA AND METHODOLOGY
1.3 FINDINGS AND RECOMMENDATIONS
1.3.1 Overall Finding
1.3.2 Recommendations
2 INTRODUCTION
2.1 BACKGROUND
2.2 PURPOSE AND SCOPE OF PIA
2.3 ASSUMPTIONS AND QUALIFICATIONS APPLIED TO THE PIA
2.4 METHODOLOGY
2.5 GLOSSARY
3 DESCRIPTION OF THE DRAFT CODE
3.1 BACKGROUND TO THE DRAFT CODE
3.2 DECISION REGULATION IMPACT STATEMENT
3.2.1 Policy context
3.2.2 International developments
3.2.3 Cost-benefit analysis
3.2.4 Evaluation of the Draft Code
3.3 CONTENT OF THE DRAFT CODE
3.4 PRIVACY IMPLICATIONS OF THE DRAFT CODE
3.4.1 Key issues
3.4.2 Scope
4 ISSUES RAISED IN STAKEHOLDERS CONSULTATIONS UNDERTAKEN FOR THE PIA
5 POSSIBLE PRIVACY RISKS IDENTIFIED
6 FINDINGS ON KEY PRIVACY RISKS AND RECOMMENDATIONS
6.1 OVERALL FINDING
6.2 COLLECTION OF PERSONAL INFORMATION
6.2.1 At point of sale – Authority for collection
6.2.2 Collection of copies of photo ID
6.2.3 Avoid excessive collection of personal information – company CD
6.2.4 Targeting collection of CD to higher risk circumstances
6.2.5 Fair collection – Voluntary nature of code and basis for CD collection
6.2.6 Employee and contractor checking
6.3 NOTICE AND TRANSPARENCY
6.4 USE OF PERSONAL INFORMATION FOR FURTHER UNRELATED PURPOSES
6.5 DISCLOSURE TO LENSAS
6.6 SECURITY OF FORMS STORED BY BUSINESSES
6.7 SAFETY MECHANISMS
6.8 EXPANSION OF DRAFT CODE TO FURTHER CHEMICALS AND MONITORING AND REVIEW
7 APPENDIX ONE
7.1 MATERIALS REVIEWED
7.2 ORGANISATIONS CONSULTED IN THE COURSE OF THE PIA
1 EXECUTIVE SUMMARY
1.1 BACKGROUND
The Attorney‐General’s Department (AGD) engaged Information Integrity Solutions Pty Ltd (IIS) to
carry out a Privacy Impact Assessment (PIA) of the privacy issues that could arise in the context of
the draft National Code of Practice for Chemicals of Security Concern (the Draft Code).
The objectives of the Draft Code are to promote effective chemical security management practices
throughout the chemical supply and use chain, and in particular to:
 Protect against the diversion of chemicals for terrorist or criminal purposes
 Encourage cooperation between businesses and organisations that handle chemicals and law enforcement agencies on chemical security matters and
 Educate and train staff to be alert to warning signs and report suspicious behaviours.
The Draft Code encourages businesses to self‐assess their individual level of risk and suggests action
that can be taken to reduce risk. The suggested actions include employee and contractor checking,
reporting suspicious behaviour to the National Security Hotline and seeking identity information
from purchasers in some circumstances.
These actions will necessarily involve the collection and possibly storage of personal information and
therefore raise issues of compliance with privacy law as well as other privacy issues.
1.2 SCOPE OF THE PIA AND METHODOLOGY
The scope of work for the PIA required the exploration of privacy issues including the areas of
potential concern highlighted in the AGD’s consultations, taking account of the Privacy Act 1988 and
recent privacy reforms, and the development of recommendations about ways to address identified
privacy issues, including through changes to the Draft Code or development of specific guidance
materials.
In conducting the PIA IIS:
 Consulted with AGD and finalised the work plan
 Gathered information
 Analysed the information and prepared a draft report with AGD
 Held consultation based on the draft PIA report with some stakeholders including privacy and civil liberties advocates, industry representative bodies and government agencies
 Finalised the report, including amending draft recommendations where needed, taking account of feedback received from AGD and other stakeholders.
1.3 FINDINGS AND RECOMMENDATIONS
1.3.1 OVERALL FINDING
This PIA was undertaken on an initiative to protect community safety where there is a low likelihood
of an event but where the impact could be high.
IIS recognises how difficult it is to make a judgement about proportionality of a measure in such
circumstances. In this instance the Draft Code is a result of considerable government process over a
number of years. In the course of that process the rationale for the Draft Code has been debated
extensively. Although to date there has been limited consideration of privacy issues, debate has
been detailed, relatively transparent and has balanced the interests of a range of stakeholders.
Given this background, IIS has focussed its analysis on where privacy impacts might fall rather than
whether the code should proceed.
IIS recognises that there are legitimate law enforcement and national security interests in collecting
personal information for the purposes of the Draft Code.
At the same time, IIS considers that there are some real concerns in relation to privacy risks that
need to be addressed. These include:
 The range of circumstances in which a customer might be asked to complete a customer declaration
 The collection of the photocopy of photo ID that could, amongst other things, add to risks of identity theft or fraud
 The potential harm to individuals including harm to reputation, discrimination, or the potentially significant impacts of being included on a national security database without due cause
 The potential for personal information obtained via a customer declaration and held by a participating business to be lost, subject to unauthorised access or other misuse
 The fact that a sizeable proportion of the approximately 5,000 businesses that could be offering chemical precursors for sale would be considered ‘small businesses’ that are exempt from application of the Privacy Act.
IIS recognises that at this point there is no clear indication of the impact of the Draft Code in terms
of the number of customer declarations that might be collected; if businesses tend to focus on
suspicious transactions the numbers could be quite low. Nevertheless, it is vital that the personal
information of individuals is protected no matter the extent of collection or which business they
frequent.
While the AGD may be able to provide guidance on matters such as the proper collection and
storage of personal information, IIS considers that the most pressing issue that needs to be
addressed, if the Draft Code proceeds, is providing mechanism(s) for individuals to receive help and
redress if something goes wrong.
1.3.2 RECOMMENDATIONS
Recommendation 1 – Authority to collect personal information
IIS recommends that AGD consider obtaining legal advice on the application of NPP 1 to the
requirement to obtain customer declarations. IIS also recommends that the proposed evaluation of
the Code after 3 years of operation consider if there is a need for it to be backed by a legislative
provision authorising the collection and storage of specified personal information. The evaluation
should assess the extent to which the Code provisions for customer declarations have been taken up
and also customer, as well as business, experience of the collection process and of the handling of
personal information once collected.
Recommendation 2 – Remove the requirement to collect a copy of photographic identification
IIS recommends that the AGD remove the advice in the Draft Code, including on the customer
declaration form, to attach a photocopy of the customer’s photo ID.
Recommendation 3 – Remove the requirement to obtain a customer declaration for company
purchases for known account customers
IIS recommends that the AGD remove the advice in the Draft Code, including on the customer
declarations, to collect a customer declaration for an employee who is making a purchase on behalf
of a known company account customer.
Recommendation 4 – Customer Declaration only for non-traceable transactions at the business’
discretion
IIS recommends that the AGD amend the Draft Code so that its focus is on customer transactions
where the customer is not otherwise traceable. A qualification should be provided that in the
interests of flexibility, participating businesses do not have to seek customer declarations for every
such transaction, for example with repeat customers or customers that the sales person knows well.
IIS notes this recommendation is limited to ‘bricks and mortar’ sales. There is insufficient
information at this point to extend it to mail order or online sales.
Recommendation 5 – Change the compulsory wording of the customer declarations
IIS recommends that the current wording of the customer declaration, which provides that the
declaration ‘must’ be completed, be amended to remove any impression that collection of personal
information is legally mandated.
Recommendation 6 – Code Title to accurately reflect its ‘voluntary’ status
IIS recommends that the AGD rename the Draft Code as ‘Guidance’, or if this is not accepted that it
amend the Draft Code’s name to the ‘National Voluntary Code of Practice for Chemicals of Security
Concern’ or take other measures to dispel ambiguity as to its legal binding status. If this
recommendation is not adopted, IIS recommends that the voluntary nature be fully explained in all
other engagement material including documents, forms, signage and education material.
Recommendation 7 – Draft Code to advise on appropriate targeting and management of employee
background and criminal checking
IIS recommends that the AGD amend the Draft Code so that the responsibility is assigned for
developing the organisation’s policy on background and criminal history checks and so that the
current security measure for ‘Employee and Contractor checking’ is limited to circumstances where
there is a clear risk related to the inherent requirements of the position.
Recommendation 8 – Transparency about information handling in relation to the customer
declarations
IIS recommends that the privacy statement AGD has undertaken to develop for the customer
declaration form for the Code provides information about:
 The purpose of collection, for example that the personal information provided will be kept by the participating business to facilitate the effective provision of information for law enforcement and national security purposes
 The period for which the information will be retained, for example that the customer declaration will be kept securely for two years and then securely disposed of
 The consequences of not providing the information, for example, that if the individual does not provide the information, the participating business may refuse to sell him or her the product
 How to contact the participating business including its name and a contact number within the organisation for complaints and/or queries in relation to the operation of the Code.
Recommendation 9 – Develop guidance on assessing and responding to a LENSA request
IIS recommends that the AGD provide guidance on how participating businesses should assess a
LENSA’s request for information and respond to it in an appropriate and privacy-respecting manner.
Recommendation 10 – Code to specifically address protection and security of personal
information
IIS recommends that AGD amend the Draft Code to include a requirement for businesses to ‘Assign
responsibility’ for ensuring that personal information gathered on customer declarations is
protected from loss and unauthorised access, use and disclosure and that it is disposed of securely
within the specified period, which should be the minimum necessary to achieve the objectives of the
Code.
Recommendation 11 – Monitor security practices
IIS recommends that AGD, or another appropriate body, should monitor the handling of personal
information collected in the context of the Code, keep a record of incidents and take further action
as needed to ensure appropriate privacy and security practices are maintained.
Recommendation 12 – Draft Code should not be implemented without effective redress
mechanism(s) for individuals
IIS recommends that the Draft Code should not proceed without effective redress mechanisms in
the event of interferences with individuals’ privacy.
Recommendation 13 – Options for redress in the event of an interference with privacy
IIS recommends that the AGD identify and implement effective mechanisms for individual redress in
the event of interferences with privacy by participating businesses that are not subject to the Privacy
Act. Mechanisms might involve:
 Establishing a single point of contact for individuals if they have a complaint or query. The number would need to be prominently displayed in the Code, the CD and on AGD websites. Outcomes of calls can also serve as an important record for monitoring and review or
 Engaging with the Privacy Commissioner to explore options for the Commissioner to take on an advocacy/brokering role to assist individuals including in relation to dealings with organisations not otherwise covered by the Privacy Act or
 Engaging with industry to explore options for establishment/appointment of an industry body to take on an advocacy/brokering role to assist individuals or
 Using regulation to bring exempted participating businesses under the coverage of the Privacy Act when handling personal information in the context of the Code; this option should be pursued in the absence of other workable solutions.
Recommendation 14 – Apply the Code to other chemicals of security concern only after any
privacy issues in the review have been addressed
IIS recommends that neither the Code nor AGD’s Chemicals of Security Concern website encourage
organisations to apply the Code to chemicals other than the 11 chemical precursors of homemade
explosives until a RIS process, which considers privacy risks to community members in its cost-
benefit analysis, has been completed. IIS recommends that the RIS consider evidence on the
handling of personal information in the context of the Code and the impact of an increase in the
span of chemicals on the extent of collection of personal information under the Code.
Recommendation 15 – Conduct review of the Code, including privacy impacts, within three years
of operation
IIS recommends that following implementation, the AGD or an appropriate body continue to
monitor the Code and provide a formal, written report on its operation within three years. This
report would be a significant input to the three-year review. Privacy benchmarks to monitor
include:
 Number of complaints made to the Privacy Commissioner relating to the Code
 Number of complaints made to the special contact number and other relevant bodies
 Number of customer declarations collected by participating businesses
 Number of reported data breaches/incidents concerning customer declarations
 Comments and feedback from participating businesses regarding use of customer declarations and their security measures
 Comments and feedback from relevant industry groups
 Comments and feedback from privacy, civil liberties and community interest groups.
2 INTRODUCTION
2.1 BACKGROUND
The Attorney‐General’s Department (AGD) has asked Information Integrity Solutions Pty Ltd (IIS) to
carry out a Privacy Impact Assessment (PIA) that explores the potential privacy issues that could
arise through businesses implementing any aspect of the draft National Code of Practice for
Chemicals of Security Concern (the Draft Code).
The objectives of the Draft Code are to promote effective chemical security management practices
throughout the chemical supply and use chain, and in particular to:
 Protect against the diversion of chemicals for terrorist or criminal purposes
 Encourage cooperation between businesses and organisations that handle chemicals and law enforcement agencies on chemical security matters and
 Educate and train staff to be alert to warning signs and report suspicious behaviours.
The Draft Code encourages businesses to self‐assess their individual level of risk and suggests action
that can be taken to reduce risk. The suggested actions include employee and contractor checking,
reporting suspicious behaviour to the National Security Hotline and seeking identity information
from purchasers in some circumstances.
These actions will necessarily involve the collection and possibly storage of personal information and
therefore raise issues of compliance with privacy law as well as other privacy issues.
2.2 PURPOSE AND SCOPE OF PIA
In accordance with the AGD’s requirements, the scope of work for the PIA included:
 Exploring privacy issues arising from the Draft Code including the areas of potential concern highlighted in the AGD’s consultations
 Considering issues in light of the current Privacy Act 1988 (the Privacy Act) and recent privacy reforms in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Amendment Act)
 Undertaking some consultation with privacy, community and civil liberties representatives and other stakeholders and
 Making recommendations to the AGD about ways to address any potential privacy issues (including through changes to the Draft Code or release of specific guidance materials).
2.3 ASSUMPTIONS AND QUALIFICATIONS APPLIED TO THE PIA
IIS applied the following assumptions and qualifications to the PIA:
 That all systems and policies were up-to-date at the point when IIS examined them
 Those reading the PIA are familiar with the project
 The PIA provides general policy advice – it is not intended to be and should not be relied upon as legal advice.
2.4 METHODOLOGY
In conducting this PIA IIS worked closely with the relevant AGD staff. The approach applied is based
on the OAIC’s Privacy Impact Assessment Guide.1 IIS also drew on other current PIA best practice in
Australia and internationally, as well as its own framework for analysis and solution identification.
In undertaking this PIA, IIS took the following steps:
 Gathered information about the Draft Code – a list of the material reviewed is at Appendix 1
 Read and analysed the data, considering the issues from the perspective of the various participants – the PIA used the National Privacy Principles (NPPs) in the Privacy Act as the analytical framework because the organisations applying the Draft Code will be private sector organisations. The analysis also drew on the Australian Privacy Principles (APPs) in the Amendment Act, and also wider privacy challenges including the fair allocation of risks between organisations and individuals
 Prepared a draft report and recommendations that were provided to AGD
 Held consultations with some stakeholders including privacy and civil liberties advocates, industry representative bodies and government agencies as listed at Appendix 1. The consultation process involved:
  o Contacting stakeholders in April 2013 alerting them to the consultation on the PIA and canvassing interest
  o Circulating the draft PIA and inviting written or oral submissions
  o Conducting a series of meetings in the period 14 May to 22 May 2013
 Finalised the report, including amending draft recommendations where needed, taking account of feedback received from AGD and other stakeholders.
2.5 GLOSSARY
Term – Description
APPs – Australian Privacy Principles
CD – Customer declaration
Chemical precursor – Any of the 11 chemicals that are precursors to homemade explosives to which the Draft Code applies
Decision RIS – Decision Regulation Impact Statement
Draft Code – Draft National Code of Practice for Chemicals of Security Concern
LENSA – Law enforcement or national security agency
NPPs – National Privacy Principles
Participating business – A business that is voluntarily adhering to the Draft Code
The Privacy Act – The Privacy Act 1988
1 Office of the Australian Information Commissioner, Privacy Impact Assessment Guide, May 2010. Available at <http://www.oaic.gov.au/publications/guidelines/Privacy_Impact_Assessment_Guide.html>.
3 DESCRIPTION OF THE DRAFT CODE
3.1 BACKGROUND TO THE DRAFT CODE
In December 2002, the Council of Australian Governments (COAG) agreed to a national review of the
regulation, reporting and security surrounding the storage, sale and handling of hazardous materials.
The review was primarily a response to the Bali bombings of 12 October 2002. The aim of the
review was to assist counter-terrorism efforts by limiting opportunities for, and enhancing the
detection of, the illegal or unauthorised use of hazardous materials.
As part of the review, there was a Report on the Control of Chemicals of Security Concern. On
26 March 2008, COAG agreed to its recommendations, which included:
 A set of six overarching principles to guide the development of strategies to manage chemicals of security concern
 The establishment of a Chemical Security Management Framework (‘the Framework’)
 The development of a methodology to assess the risks of chemicals of security concern
 The prioritised application of this risk assessment methodology to chemicals of concern that are precursors to homemade explosives (‘chemical precursors’)
 The identification of 96 chemicals of security concern that should be prioritised for assessment, with an initial focus on 11 key chemical precursors.
In October 2008, the Commonwealth and State and Territory governments signed the
Intergovernmental Agreement on Australia’s National Arrangements for the Management of
Security Risks Associated with Chemicals (‘the IGA’). The objective of the IGA was to establish an
effective, coordinated and collaborative national approach to the management of chemical security.
The key governance and coordination arrangements established under the IGA include:
 A Chemical Security Coordination Unit (CSCU) – set up within the AGD to coordinate the national implementation of the Framework
 A Chemical Security Risk Assessment Unit (CSRAU) – set up within the AGD to develop the risk assessment methodology and conduct risk assessments
 A National Government Advisory Group on Chemical Security (NGAG) – the main decision-making body comprising officials from the Commonwealth, State and Territory governments, including appropriate representation from jurisdictional police
 A National Industry Reference Group on Chemical Security (NIRG) – an advisory body comprising representatives from relevant industry sectors.
The CSRAU applied a specially developed risk assessment to all of the chemical precursors.
Following completion of the risk assessments, the CSCU, in consultation with industry and
government representatives, drafted a range of risk treatment measures to address the identified
vulnerabilities that were agreed in mid-2011. Four broad approaches that governments could use to
encourage industry to adopt the risk treatment measures were canvassed, in ascending order of
prescription:
 Targeted awareness campaign – treatment measures form the basis of an educational campaign directed at businesses about what constitutes ‘best practice’ security management
 Series of industry-developed codes of practice – seven industry led/developed codes of practice that cover the representative groupings of businesses, informing them about ‘best practice’ security management. The codes would be voluntary and non-binding
 Single government code of practice – similar to the above, except the AGD would develop a single code of practice in collaboration with governments and industry groups
 Regulation – the AGD would develop a model amendment for each jurisdiction’s criminal code that would create a new criminal offence relating to the negligent possession or supply of chemical precursors. Furthermore, the proposed treatment measures would comprise an enforceable code of practice.
Following stakeholder consultations and detailed analysis, the Decision Regulation Impact Statement
(‘the Decision RIS’) identified Option 3 – government code of practice – as the preferred option.
Based on this determination, the AGD has drafted the Draft Code that forms the basis of this PIA.
3.2 DECISION REGULATION IMPACT STATEMENT
The AGD commissioned PricewaterhouseCoopers to undertake the Decision RIS, which was
delivered in August 2012.
3.2.1 POLICY CONTEXT
The chemical industry in Australia is extensive, with an estimated 40,000 chemicals approved for use
in Australia which are formulated into over 400,000 trademarked products.2 There are
approximately 25,000 businesses that use, handle or sell at least one of the chemical precursors in
Australia. While these chemicals have a wide range of legitimate and productive uses, they can also
be misused in ways that threaten the health and safety of the public.
Australia has a system of occupational health and safety, public health and transport safety
regulation designed in part to prevent and mitigate the consequences of accidental and negligent
misuse of chemicals. In the wake of the 2002 Bali bombings, there has been increasing government
concern about the intentional misuse of chemicals.
2 COAG, Report on the Control of Chemicals of Security Concern, 2008.
The available evidence suggests that individuals and groups have an ongoing interest in using
homemade explosives for criminal purposes, in particular terrorism and organised crime. High
profile international terrorist attacks involving the use of homemade explosives include:
 The 2005 London bombings
 The attempted Christmas Day bombing in 2009 involving Northwest Airlines Flight 253
 The Oslo car bomb in the 2011 Norway attacks.
Several people have been convicted over the past decade in Australia for known or alleged
involvement in terrorism through the use of homemade explosives made from chemical precursors.3
There has also been a broader interest in using homemade explosives driven by financial gain (such
as bombing automatic teller machines), retaliation and other psychological factors.4
The material reviewed for the PIA indicates that the majority of international and domestic
perpetrators have acquired, or sought to acquire, chemical precursors legitimately through the
supply chain, particularly by retail purchase. The Decision RIS has identified two primary gaps in the
current capacity of businesses to manage the security risks associated with chemical precursors that
should be addressed by government intervention:
 Ability of businesses to deter, prevent and detect the theft and diversion of chemical precursors
 Ability of businesses to facilitate law enforcement through effective information provision.
3.2.2 INTERNATIONAL DEVELOPMENTS
Many overseas jurisdictions similar to Australia have adopted security measures in order to address
the potential use of chemicals for criminal purposes, albeit with different regulatory approaches.
On one end of the spectrum, the United Kingdom has adopted a non-regulatory approach. The aim
is to improve how legitimate users and handlers of chemicals manage security risks through public
awareness campaigns.
The United States employs a set of federal security regulations known as the Chemical Facility Anti-Terrorism Standards that focus on high-risk chemical facilities. The Department of Homeland
Security requires all chemical facilities that possess ‘chemicals of interest’ (approximately 300) at
prescribed threshold levels to prepare a Security Vulnerability Assessment, and those deemed to be
high risk to develop and implement a Site Security Plan.
3 See, eg, Gary Hughes, ‘Lies, bombs and jihad’, The Australian (online), 18 September 2008
<http://www.theaustralian.com.au/news/features/lies-bombs-and-jihad/story-e6frg6z6-1111117491538>;
Lisa Davies, ‘What home raids found’, The Daily Telegraph, 15 November 2005, p 2.
4 See, eg, David Braithwate, ‘Big dreams but alleged bomb gang nervous about explosives’, The Sydney
Morning Herald (online), 30 August 2007 <http://www.smh.com.au/news/national/alleged-bomb-gangnervous-about-explosives/2007/08/29/1188067191570.html>; Michael Vincent, ‘Homemade bomb found
outside top bikie’s house’, ABC Online, 31 March 2009 <http://www.abc.net.au/news/2009-03-31/homemadebomb-found-outside-top-bikies-house/1636908>; Anthony Dowsley, ‘Alleged bomb-maker’s home still unsafe
as bail application adjourned’, Herald Sun (online), 26 July 2011 <http://www.heraldsun.com.au/news/morenews/heavily-armed-police-arrest-accused-would-be-bomb-maker-in-castlemaine/story-fn7x8me21226101958518>.
Under the Restricted Components Regulations 2008 (made under the Explosives Act 1985), Canada
has made a number of regulatory requirements pertaining to the security of ‘restricted components’
(that is, chemicals that can be components of an explosive). These requirements include:
registration of sellers; restricted physical and personnel access; ongoing stock management;
restricted sales; adequate record-keeping; and the provision of information about suspicious activity
to relevant authorities.
Since 2008, the member states of the European Union have been implementing a number of cross-collaboration, prevention, detection and response measures contained in the EU Action Plan on Enhancing the Security of Explosives.
In January 2013 – after publication of the Decision RIS – a new EU Regulation concerning the
marketing and use of explosives precursors (No 98/2013) came into force.5 The Regulation requires
member states to establish a licensing regime for members of the public with a legitimate interest to
acquire, introduce, possess or use 15 restricted explosives precursors. Member states may establish
a register to collect an individual’s name, address, identity document number and details of the
transaction. Any processing of personal data that is carried out must be in accordance with the Data
Protection Directive (95/46/EC).
1.10.3 COST-BENEFIT ANALYSIS
As noted above, the Decision RIS considered four options for businesses to adopt the risk treatment
measures, ranging from least to most prescriptive:
 Option 1 – Targeted awareness campaign
 Option 2 – Series of industry-developed codes of practice
 Option 3 – Single government code of practice
 Option 4 – Regulation.
The Decision RIS based its cost-benefit analysis on the increased likelihood of uptake and the cost of
implementation (for both government and businesses). Due to the lack of publicly available data
about the current risk posed by individuals and groups using homemade explosives, the Decision RIS
was unable to reliably quantify or qualify the difference in reduction of risk between the options.
Instead, it used a break-even analysis to estimate the number of terrorist attacks each option would
need to prevent over the decade between 2012 and 2021 to cover the costs associated with the
measures.
Option                     | Total costs (Net Present Value over 10 years, $ millions) | No. of terrorist attacks that would need to be prevented | % of annual gross household income
Awareness campaign         | $67.59                                                    | 0.03-0.09                                                | 0.01%
Industry-developed codes   | $68.86                                                    | 0.03-0.09                                                | 0.01%
Government code of practice| $78.04                                                    | 0.03-0.10                                                | 0.01%
Regulation                 | $5,126.65                                                 | 2.20-6.77                                                | 0.70%
Summary of total benefits, Options 1-4 (Decision Regulation Impact Assessment, Table 3, p 13)
5 Regulation (EU) No 98/2013 of the European Parliament and of the Council of 15 January 2013 on the marketing and use of explosives precursors.
Overall, the Decision RIS identified Option 3 – government code of practice – as the preferred option
based on five factors:
 Under Option 1, it is questionable how sustainable the impacts of the targeted awareness campaign will be in the medium-to-long term compared to the other options
 Option 3 is more practical and manageable than Option 2 because only one body would be responsible for developing and promulgating a code of practice, and is also likely to have higher uptake due to the difficulty in Option 2 of encouraging non-member businesses to adopt the measures of a different industry body
 It would be easier under Option 3 for law enforcement and intelligence agencies to ensure the code of practice is adaptive to emerging risks
 It is more appropriate for governments to develop a code of practice, given its role in relation to national security and its capacity to coordinate across stakeholder groups
 Option 3 received support from the greatest number of submissions during stakeholder consultations.
1.10.4 EVALUATION OF THE DRAFT CODE
The Decision RIS foresees that the effects of the proposal will be monitored and evaluated within
three years after the end of the implementation period.
Core indicators relating to impact include:
 Enhanced business capacity to prevent, detect and deter illegitimate and legitimate access to chemical precursors by individuals and groups wanting to formulate homemade explosives for criminal purposes
 Increased business and community contribution to intelligence and law enforcement efforts to prevent the use of homemade explosives for criminal purposes
 Increased harmonisation and uniformity of outcomes across the Commonwealth, states and territories.
Core indicators relating to outcomes include:
 Increased number of suspicious transactions identified and reported
 Increased number of incidents involving homemade explosives detected and prevented
 Increased number of terrorists and other criminals apprehended.
1.11 CONTENT OF THE DRAFT CODE
The stated objectives of the Draft Code are to promote effective chemical security management
practices throughout the chemical supply and use chain, and in particular to:
 Protect against the diversion of chemicals for terrorist or criminal purposes
 Encourage cooperation between businesses and organisations that handle chemicals and law enforcement agencies on chemical security matters
 Educate and train staff to be alert to warning signs and report suspicious behaviours.
The Draft Code identifies 96 chemicals of security concern but the initial focus of actions is on 11
chemical precursors to homemade explosives that have been assessed to be of primary concern.
The Draft Code will be voluntary; it will be up to each business to decide if and how it will be
implemented. Businesses are also encouraged to adopt the Draft Code in relation to any of the
other 85 chemicals they may handle.
The Draft Code encourages businesses to adopt security risk management as part of its business
culture. It makes recommendations in three areas:
 Assess and treat the security risk
 Assign responsibility
 Investigate and report security breaches and suspicious behaviour.
Next, the Draft Code features a table with suggested actions in relation to security measures. The
contents of the table reflect the proposed risk treatment measures that were developed by the
CSCU. The measures cover 10 areas of concern within the chemical precursor business lifecycle:
 Employee and contractor checking – limit terrorist access to chemicals of security concern by acquisition through a trusted insider
 Personnel security awareness – reinforce efficacy of other proposed measures by ensuring that personnel are appropriately aware of the security risk profile of the business in relation to chemicals of security concern
 Inventory control measures – determine whether chemicals of security concern have been stolen, misplaced or otherwise diverted
 Receipt of chemical – detect if chemicals of security concern have been stolen or otherwise diverted prior to receiving the product, and, if so, report to a relevant authority as soon as possible
 Theft and diversion procedures – consider the individual risk of chemicals of security concern being stolen or otherwise diverted and plan steps to reduce the likelihood of these events occurring
 Physical access – restrict physical access to chemicals of security concern commensurate with the risk profile of the business
 Personnel access – limit access to chemicals of security concern only to persons who have a legitimate need to access the chemicals
 Point of sale procedures – adopt responsible practices designed to limit the capacity of terrorists or their associates to acquire chemicals of security concern through direct purchase from the business
 Sales and distribution procedures – ensure that delivery of orders will be made to persons who have legitimately purchased the chemical in order to reduce the likelihood of the chemical being diverted to terrorists or their associates
 Transporting chemicals of security concern procedure – institute effective physical security and inventory control processes to reduce the likelihood of chemicals of security concern being accidentally or deliberately delivered to or stolen by terrorists or their associates during transport.
Appendix C of the Draft Code contains sample customer declarations (CDs) to assist businesses in
keeping records of transactions involving chemicals of security concern. There are two CDs, one for
companies and one for individuals. The completion of CDs is a suggested action for the point of sale
risk treatment measure. The Draft Code states that CDs are not intended to be used for all
transactions, but they could be used:
 On a per-transaction basis
 On a per-customer basis (particularly for new and cash customers)
 When the sales person feels that suspicious indicators are present.
Appendices E, F and G of the Draft Code contain respective guides for detecting suspicious behaviour
for retailers, wholesalers and transporters.
1.12 PRIVACY IMPLICATIONS OF THE DRAFT CODE
1.12.1 KEY ISSUES
The Privacy Act protects personal information, which includes information about an individual
whose identity is apparent, or can reasonably be ascertained, from the information. The Draft Code
has privacy implications because it entails the potential collection and storage of personal
information about individuals.
The collection of personal information is a suggested action at the point of sale. The example CD for
companies instructs the company representative and the end-user distributor/supplier to provide
their full name and photographic identification (‘photo ID’) number. A photocopy of the photo ID
must also be collected. The example CD for individuals has similar requirements, with the addition
of collecting the person’s residential address.
For employee and contractor checking, suggested actions include basic background checking prior to
and during employment, and conducting a criminal history check. In both cases, businesses may
collect and use personal information in ways that may have adverse impacts on individuals.
During the consultation process for the Draft Code, stakeholders raised the following privacy
concerns:
 Completed CDs may not always be securely stored
 The CDs should not have to require collection of a photocopy of photo ID
 The CD for companies should not contain an individual’s personal information; the signature of a senior representative and the stamp of the company seal should be enough
 Customers may resist and/or ask why personal details need to be provided for the purchase of a non-regulated chemical
 A privacy notice should be included on the CD to notify individuals about prescribed matters in the Privacy Act
 Background checks undertaken during employment may create industrial relations and consent issues.
1.12.2 SCOPE
One important consideration in the discussion of privacy is the size and composition of the overall
market of businesses that use or handle chemical precursors. The Decision RIS contains an estimate
of the total number of businesses in the Australian market for the different nodes in the chemical
precursor supply chain:
 Introducer – first point in the supply chain; either imports or manufactures the chemical
 Processor – reformulates or packages the chemical and on-sells to wholesalers, retailers or end users
 Wholesaler – sells primarily to businesses and institutions and does not repackage or reformulate
 Retailer – sells primarily to individuals and does not repackage or reformulate the chemical
 End-user (business) – consumes the chemical in their business/institutional processes
 Transport/logistics – multiple points in the supply chain, including transport and storage of chemicals.
Node                 | NSW   | VIC   | QLD   | WA    | SA    | TAS | ACT | NT  | TOTAL
Introducer           | 22    | 19    | 14    | 8     | 4     | 1   | 0   | 0   | 68
Processor            | 126   | 112   | 81    | 47    | 24    | 5   | 1   | 2   | 398
Wholesaler           | 6     | 14    | 3     | 5     | 6     | 0   | 0   | 0   | 33
Retailer             | 1,635 | 1,198 | 928   | 496   | 436   | 123 | 58  | 31  | 4,906
End-user (business)  | 4,206 | 5,452 | 2,896 | 1,682 | 2,065 | 632 | 235 | 100 | 17,268
Transport / Logistics| 646   | 505   | 405   | 342   | 165   | 33  | 23  | 16  | 2,135
TOTAL                | 6,641 | 7,301 | 4,326 | 2,580 | 2,700 | 794 | 317 | 150 | 24,809
Total population of businesses that use or handle chemical precursors, by State and Territory (Decision Regulation Impact Assessment, Table 61, p 182)
Privacy issues relating to background/criminal history checks will be relevant to all businesses in the
supply chain. Privacy issues relating to the use of CDs will only apply to wholesalers and retailers.
According to the Decision RIS, wholesalers and retailers of chemical precursors encompass a diverse
range of businesses:
 Supermarkets – most sell personal and household products containing hydrogen peroxide, such as bleach and cleaning agents
 Pharmacies – most sell health and beauty products containing hydrogen peroxide
 Pool and spa shops – an estimated 70 per cent sell cleaning products containing hydrogen peroxide
 Hairdressers/salons – an estimated 3 per cent sell bleaching products containing hydrogen peroxide at the prescribed concentrations
 Hobby stores – most sell nitromethane, a fuel component used in radio-controlled models
 Cleaning suppliers – an estimated 5 per cent sell cleaning products containing nitric acid
 Industrial and agricultural suppliers – an estimated 33 per cent sell potassium nitrate, most commonly used as a fertiliser.6
Gaining an overall picture of the market is important because the Privacy Act exempts from its
application small businesses with an annual turnover of $3 million or less.7 Based on the above
estimates, a considerable number of businesses that choose to adopt the voluntary Draft Code
(‘participating businesses’) may not be subject to the Privacy Act. As IIS outlines below, the AGD
may need to take further steps to ensure that in such cases individuals will receive adequate privacy
protection.
6 Decision Regulation Impact Assessment, Table 60, pp 174-175, Retailer node, notes columns.
7 Privacy Act 1988 (Cth) ss 6C(1) and 6D.
ISSUES RAISED IN STAKEHOLDER CONSULTATIONS UNDERTAKEN FOR THE PIA
The issues raised by stakeholders in the consultation conducted as part of this PIA are noted here
and have also been taken into account in the PIA Findings and Recommendations at section 6 below.
Some issues raised might not have a direct impact on privacy, for example, the regulatory approach
for the Draft Code and concern about Code changes at this point. However, they could affect the
way the Draft Code is implemented and so are relevant considerations.
The stakeholders who provided comments in the PIA consultation process raised issues similar to
those raised in earlier consultations or submissions as summarised at section 3.4.1 above.
Some additional issues emerged, in particular:
 The fact that the early stages of the development of the Draft Code did not include specific attempts to obtain privacy input, meaning that privacy issues were not necessarily considered in the risk assessments and RIS processes
 The difficulty in assessing proportionality given the lack of detailed evidence on the nature and extent of terrorism or criminal activity
 The possible efficacy of the Draft Code measures and, in the absence of confidence here, further questioning of the proportionality of the Draft Code measures
 The range and nature of organisations that may be involved in handling or sale of the chemicals of security concern adds to the possible privacy risks in the handling of personal information, including because many of these could be small businesses and therefore not subject to the Privacy Act
 The lack of any specific requirements in the Draft Code with respect to privacy, for example in relation to limits on use, security measures, retention and disclosures for law enforcement purposes
 Possibility of the Draft Code being backed by law
 The fact that complying organisations are likely to apply all Code provisions as ‘best practice’, emphasising the need for provisions to be as clear and specific as possible
 Similarly, the fact that organisations are asked to ‘self assess’ their risk profile may lead to more, or indeed fewer, measures than may be needed
 Potential for significant changes to the Draft Code at this late stage to affect its effective implementation
 The fact that the chemicals industry is already highly regulated and the approach in the Draft Code varies from, for example, the regime for chemicals classified as drug precursors that is backed by State/Territory law.
POSSIBLE PRIVACY RISKS IDENTIFIED
This table identifies possible privacy risks that might arise in the context of the measures proposed in the Draft Code. It uses the NPPs in the Privacy Act as
the framework for analysis and also takes account of broader privacy issues, including those identified in the consultation process.
PRIVACY PRINCIPLE: Overall proportionality and efficacy of the measure
POSSIBLE RISK: The Draft Code proposes measures that are not proportionate in their impact on privacy compared to their effectiveness in protecting against possible terrorist or criminal activity.
COMMENTS: This is a difficult issue to assess; recommendations therefore focus on specific privacy risks.

PRIVACY PRINCIPLE: Collection limitation, including anonymity (NPPs 1.1 & 8; APP 2 & 3)
POSSIBLE RISK: Risk that participating businesses’ collection of personal information in the context of the Draft Code is not (reasonably) necessary for their functions or activities.
COMMENTS: Risk arises particularly as the Draft Code is voluntary and is not backed by law or regulation requiring the collection.
POSSIBLE RISK: Risk that more information than necessary is collected at the point of sale for law enforcement purposes.
COMMENTS: Submissions to AGD raise the question of the collection of a photocopy of photo ID and whether the CD for companies should require additional information about the employee making the purchase. IIS also considers that the Draft Code advice that businesses might seek a CD on a per-transaction, per-customer or ‘suspicious indicators’ basis is very broad and could lead to unnecessary collection.
POSSIBLE RISK: Risk that participating businesses collect more information than necessary in the context of expansive background and/or criminal history checks and in a way that is not targeted to the inherent requirements of the position.
COMMENTS: The likelihood of the risk is small but the consequences are large, including embarrassment, discrimination and unfair dismissal. This risk is exacerbated by the employee records exemption in the Privacy Act, which exempts records of pre-employment checks from the Act’s protection once an employment relationship exists.

PRIVACY PRINCIPLE: Fair, lawful and not unreasonably intrusive means of collection (NPP 1.2; APP 3.5)
POSSIBLE RISK: Risk that the collection is carried out by unfair means or in an unreasonably intrusive way. For example, the manner of the request or the inferences drawn by sales staff or other customers may lead to embarrassment, abuse or discrimination.
COMMENTS: Collection that is known to target ‘suspicious’ transactions raises privacy issues as well as potentially leading to awkward real-life scenarios and/or confrontations.
POSSIBLE RISK: Risk that individuals are given the misleading impression that collection of their personal information at point of sale is legally required.
COMMENTS: This risk arises from the wording of the CDs and the name of the Draft Code.

PRIVACY PRINCIPLE: Consent to collect sensitive information (NPP 10; APP 3.3)
POSSIBLE RISK: Risk that individuals will be asked to consent to a criminal history check that is more expansive than needed and which could lead to employment difficulties if it is revealed, for example, past drug offences and previous run-ins with the legal system as a result of mental illness.
COMMENTS: The likelihood of the risk is small but the consequences are large, including embarrassment, discrimination and unfair dismissal. This risk is exacerbated by the employee records exemption in the Privacy Act, which exempts records of pre-employment checks from the Act’s protection once an employment relationship exists. AGD is preparing guidance to assist organisations to apply the Draft Code; it will include information to assist with background and criminal history checking.

PRIVACY PRINCIPLE: Notice and transparency (NPPs 1.3 & 5; APPs 1.3, 1.4 & 5.2)
POSSIBLE RISK: Risk that individuals are not fully informed or are misled about why their personal information is being collected.
COMMENTS: IIS understands that the CD will include a privacy statement but has not been provided a draft at this point.

PRIVACY PRINCIPLE: Use and disclosure (NPP 2; APP 6 & 7)
POSSIBLE RISK: Risk that as a result of the Draft Code businesses make more and/or unjustified reports to the National Security Hotline.
COMMENTS: IIS recognises that the National Security Hotline is intended to cast a wide net but there are privacy and civil liberty risks for individuals reported. IIS also recognises that the Draft Code does not introduce new circumstances in which reports are encouraged and that the guides to suspicious indicators contained in Appendices E, F and G of the Draft Code provide reasonable advice and information.
POSSIBLE RISK: Risk that participating businesses use or disclose the personal information collected by the CD for a purpose other than what is stated on the form (for example, for private security or for marketing).
COMMENTS: This seems likely to be a low risk but, as noted by privacy and civil liberties advocates, the risk might be exacerbated by the fact that many businesses may not be aware of the obligation. This risk can be mitigated by a change to the Draft Code as well as proper monitoring and review to ensure that participating businesses are not taking advantage of the personal information in any way.
POSSIBLE RISK: Risk that participating businesses disclose information to a law enforcement or national security agency (LENSA) inconsistently with the Privacy Act.
COMMENTS: Risk arises because employees of participating businesses may not know how to assess and/or respond to a LENSA’s request for information.

PRIVACY PRINCIPLE: Data quality (NPP 3; APP 10)
POSSIBLE RISK: Risk that the personal information participating businesses collect and store is not accurate, complete or up-to-date.
COMMENTS: This is a low risk as individuals are providing the information themselves and it should only be used for the very specific purpose for which it was collected.

PRIVACY PRINCIPLE: Data security (NPP 4.1; APP 11.1)
POSSIBLE RISK: Risk that CDs are not securely kept on the premises. Consequences of a security breach include embarrassment, reputation loss and potential for identity theft or fraud.
COMMENTS: The Draft Code calls for the collection of paper-based records. Such systems are inefficient and are currently a problem in relation to other legislatively mandated collections by businesses. The risk is exacerbated by the fact that individuals will have no avenues of redress in the event of mishandling or misuse if the participating business is not subject to the Privacy Act.8

PRIVACY PRINCIPLE: Destruction or de-identification of data when no longer needed (NPP 4.2; APP 11.2)
POSSIBLE RISK: Risk that CDs are not destroyed after the suggested storage period.
COMMENTS: The longer the period that the CDs are held by a participating business, the greater the likelihood that something will go wrong. This is an area that requires appropriate monitoring and review.

PRIVACY PRINCIPLE: Access and correction (NPP 6; APPs 12 & 13)
POSSIBLE RISK: Risk that individuals are not able to see what information is held about them by the business, or correct the information if it is wrong.
COMMENTS: This is a low risk as individuals are providing the information themselves, so they know what information is held about them and the context in which it is held. Furthermore, under NPPs 6.1(i)-(j) and APPs 12.3(h)-(i), an organisation is not required to provide access to personal information if doing so would be likely to prejudice any action relating to suspected unlawful activity or prejudice a law enforcement related activity.

PRIVACY PRINCIPLE: Restriction on use of government identifiers (NPP 7; APP 9)
POSSIBLE RISK: Risk that Commonwealth identifiers are inappropriately collected, used or disclosed.
COMMENTS: This is not a risk as the CD does not involve collection of Commonwealth identifiers.

PRIVACY PRINCIPLE: Transborder data flows / cross-border disclosures (NPP 9; APP 8)
POSSIBLE RISK: Risk that individuals will lose control of their information if it travels outside Australia or is stored offshore.
COMMENTS: This is not a risk as the CD does not involve transferring or disclosing information outside of Australia.

OTHER PRIVACY RISKS

PRIVACY PRINCIPLE: Safety-net for individuals
POSSIBLE RISK: Risk that individuals will not receive timely and adequate redress if something goes wrong.
COMMENTS: This risk is especially acute in relation to participating businesses that are not subject to the Privacy Act because of the small business exemption. In such cases the individual will have no avenues of redress if they suffer harm, including from loss or misuse of their personal information, unless additional mechanisms are introduced to protect them.

PRIVACY PRINCIPLE: Monitoring and review
POSSIBLE RISK: Risk that systemic privacy issues associated with adhering to the Draft Code are not discovered and addressed in an appropriate fashion.
COMMENTS: The AGD has committed to monitoring and reviewing implementation of the Draft Code and whether it is meeting certain targets.
POSSIBLE RISK: Risk that organisations will apply the Draft Code to all 96 chemicals without information to assist them to ‘self assess’ risks, and further RIS processes find this is not necessary or appropriate.
COMMENTS: The Draft Code and the Chemicals of Security Concern website (http://www.chemicalsecurity.gov.au/Pages/default.aspx) encourage organisations to apply the measures to all 96 chemicals without reference to coming risk assessment or RIS processes.

8 The Privacy Act provides an exception for small businesses with an annual turnover of $3M or less unless they are subject to the Privacy Act because another provision, for example relating to the handling of health information, applies. See http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6d.html.
FINDINGS ON KEY PRIVACY RISKS AND RECOMMENDATIONS
This section of the report sets out IIS’s findings and recommendations in relation to the privacy
impact of the Draft Code. It discusses the key privacy risks identified in the table at section 5 and
makes a series of recommendations to address the issues raised.
The findings and recommendations are based on the proposals as set out in the Draft Code as well as
other briefing material provided and input from privacy and civil liberty advocates and industry and
other stakeholders.
1.13 OVERALL FINDING
A privacy impact assessment needs to take account of the circumstances of a proposal, including
alternatives considered, and in the case of privacy intrusive measures whether these are
‘proportionate’ to the potential harm that a proposal is seeking to address.
As noted by some consultees, it is difficult to assess the proportionality of the measures in the Draft
Code. The supporting material mentions some anecdotal evidence but detailed analysis of the
likelihood of a terrorist incident involving the 11 chemical precursors or the other 84 chemicals of
security concern is not available. IIS recognises how difficult it is to make a judgement about
proportionality where there is a low likelihood of an event but where the impact could be high. In
this instance the Draft Code, as described in section 3, is the result of considerable government process
over a number of years. In the course of that process the rationale for the Draft Code has been
debated extensively. Although to date there has been limited consideration of privacy issues, the
debate has been detailed, relatively transparent and has balanced the interests of a range of
stakeholders. Given this background, IIS has focussed its analysis on where privacy impacts might
fall rather than on whether the code should proceed.
IIS recognises that there are legitimate law enforcement and national security interests in collecting
personal information for the purposes of the Draft Code. At the same time, IIS considers that there
are some real concerns in relation to privacy risks that need to be addressed. These include:
 The range of circumstances in which a customer might be asked to complete a CD
 The collection of the photocopy of photo ID that could, amongst other things, add to risks of identity theft or fraud
 The potential harm to individuals including harm to reputation, discrimination, or the potentially significant impacts of being included on a national security database without due cause
 The potential for personal information obtained via a CD and held by a participating business to be lost, subject to unauthorised access or other misuse.
Assessment of privacy risks is complicated by the fact that a sizeable proportion of the
approximately 5,000 businesses that could be offering chemical precursors for sale would be
considered ‘small businesses’ that are exempt from application of the Privacy Act.
IIS recognises that at this point there is no indication of the impact of the Draft Code in terms of the
number of CDs that might be collected; if businesses tend to focus on suspicious transactions the
numbers could be quite low. Nevertheless, it is vital that the personal information of individuals is
protected no matter the extent of collection or which business they frequent.
While the AGD may be able to provide guidance on matters such as the proper collection and
storage of personal information, IIS considers that the most pressing issue that needs to be
addressed if the Draft Code proceeds, is providing mechanism(s) for individuals to receive help and
redress if and when something goes wrong.
1.14 COLLECTION OF PERSONAL INFORMATION
The threshold requirement for collection of personal information is where it is ‘necessary’ (NPP 1.1)
or ‘reasonably necessary’ (APP 3.2) for an organisation’s functions or activities. IIS considers that the
current advice in the Draft Code might lead to collection that is excessive or possibly not authorised
and therefore might not meet the necessary (or reasonably necessary) test. The issues identified are
as follows:
1.14.1 AT POINT OF SALE – AUTHORITY FOR COLLECTION
The purpose of the collection in the context of the Draft Code is to facilitate the effective provision
of information for law enforcement and national security purposes by keeping records of
transactions involving chemical precursors. This is a purpose not intrinsically linked to the
businesses functions or activities. Complying with a legal requirement to collect information would
clearly be ‘necessary’. The key question from a privacy perspective is whether, in the absence of a
legal authority, the collection can be considered ‘necessary’.
While the Draft Code is not mandatory, it is meeting a community interest, established via a formal
and thought-out process, in the context of intergovernmental and industry concurrence. On one
view, these factors might be sufficient for the collection to be considered ‘necessary’. In addition,
compulsory law may not be the perfect vehicle for defining the scope of collection. Sometimes a
‘softer’ approach will be more flexible and responsive and possibly less likely to lead to excessive
collection. The advantage of a non-binding Draft Code is that it can address and adapt to a problem
without imposing excessive requirements.
On the other hand, from a general privacy perspective, as well as the question of compliance with
NPP 1.1, where a collection is required for an external purpose such as law enforcement or national
security it is often considered preferable that the collection is authorised by law. This allows the
process to be open, understandable and subject to Parliamentary scrutiny.
Both perspectives were reflected in the comments from privacy and civil liberties advocates.
Industry comments on the whole tended to be wary about the prospect of a legal framework for the
Code being introduced at this late point in the Code development process. It was considered likely to
affect the efficacy of the Draft Code, making it more onerous and less likely that industry bodies
would recommend it to their members and in turn that their members would be less willing to
comply. A voluntary code that represents good practice was considered more likely to garner
support. Both industry and government stakeholders raised questions about the appropriate
legislative vehicle; no immediate State/Territory/Federal legislation was identified. The timeframe
for legislation was also raised as an issue.
On balance IIS considers that a case could be made for the collection of personal information by the
CDs to be considered ‘necessary’ in terms of NPP 1.1. However, IIS also considers that AGD may
wish to seek legal advice on this issue and in any event it should be reconsidered in the context of
the proposed evaluation of the Code after 3 years’ operation.
Recommendation 1 – Authority to collect personal information
IIS recommends that AGD consider obtaining legal advice on the application of NPP 1 to the
requirement to obtain customer declarations. IIS also recommends that the proposed evaluation of
the Code after 3 years of operation consider if there is a need for it to be backed by a legislative
provision authorising the collection and storage of specified personal information. The evaluation
should assess the extent to which the Code provisions for customer declarations have been taken up
and also customer, as well as business, experience of the collection process and of the handling of
personal information once collected.
1.14.2 COLLECTION OF COPIES OF PHOTO ID
The challenge for the Draft Code from a privacy perspective is to collect only the information
necessary to keep an adequate record of transactions involving chemical precursors while intruding
to a minimum extent on the privacy of individuals.
In its comments on the Draft Code, the Office of the Australian Information Commissioner (OAIC)
questioned whether it is necessary for a photocopy of a customer’s photo ID to be collected. The
OAIC suggested that it might be sufficient for the businesses to view the photo ID at the point of sale
and to store only the CD, which includes a record of the photo ID number.9
The utility of collecting the photocopy is that it may be helpful to LENSAs to have a photo of
potential suspects, especially if he or she is using a fake photo ID and the ID number does not match
the suspect in the ID database. However, this must be counterbalanced against the inherent
intrusiveness of collecting and storing an individual’s formal ID document, combined with the risk
that it may contain unnecessary information such as medical conditions and that it may be
improperly accessed or used. There is also no guarantee that the myriad small businesses involved
in the sale of chemical precursors will have sound security measures in place.
IIS notes that in the context of prepaid mobile services – in which identity verification is required by
law – there is no requirement for wholesalers and retailers to store a photocopy of the customer’s
photo ID. Rather, it understands that the requirement is that no details of any identity documents
used to verify identity will be recorded – only the type of identity information used and transaction
information – for example, Medicare card, birth certificate.
IIS understands that prepaid mobiles pose at least comparable risks in terms of their use in criminal
or national security contexts. It suggests that it would be worth investigating the prepaid mobile
regime to gain insights for the Draft Code approach. In any event, in light of the potentially risky
collection and storage environment and in the absence of clear evidence that a photocopy of the
photo ID is especially beneficial for LENSA investigations, IIS agrees with the OAIC that participating
businesses should not collect the photocopy of photo ID.
9 Office of the Australian Information Commissioner, Submission to Attorney-General’s Department, Draft
National Code of Practice for Chemicals of Security Concern, 1 March 2013, p 2.
Privacy and civil liberties advocates supported this view. Industry stakeholders were also generally
in favour of removing the requirement; amongst other points it was noted that not all outlets would
have a photocopier or the capacity to store the material securely.
Recommendation 2 – Remove the requirement to collect a copy of photographic identification
IIS recommends that the AGD remove the advice in the Draft Code, including on the customer
declaration form, to attach a photocopy of the customer’s photo ID.
1.14.3 AVOID EXCESSIVE COLLECTION OF PERSONAL INFORMATION – COMPANY CD
As noted earlier, submissions to AGD on the earlier consultation draft of the code argued that the CD
for companies should not contain an individual’s personal information. It was suggested that the
signature of a senior representative and stamp of the company seal should be enough.
In the absence of clear evidence that a CD in these circumstances is especially beneficial for LENSA
investigations, IIS tended to agree with this advice. However, the industry/government consultation
discussions suggested a more nuanced approach would be preferable. Issues included that a blanket
approach might not address the risk for new customers with unknown reputation or where a bogus
company has been established simply for the purpose of obtaining chemicals.
Recommendation 3 – Remove the requirement to obtain a customer declaration for company
purchases for known account customers
IIS recommends that the AGD remove the advice in the Draft Code, including on the customer
declarations, to collect a customer declaration for an employee who is making a purchase on behalf
of a known company account customer.
1.14.4 TARGETING COLLECTION OF CD TO HIGHER RISK CIRCUMSTANCES
The Draft Code starts with a table that summarises the suggested security measures. The Point of
Sale advice is as follows:
Point of sale procedures
Adopt practices that limit opportunities for the acquisition of chemicals for terrorist or criminal use
through direct purchase from the business.
• Only sell to customers with known identity and verified legitimate use
• Only sell by credit card or on account
• Record a form of customer identification (e.g. via end-user declaration or similar system – see
template declarations at Appendix C) and retain for 2 years
• Report suspicious transactions (including unusual or different sales to account customers). See
Appendices E, F and G for guides to detecting suspicious behaviour
Applies to: Manufacturer, Importer, Processor, Wholesaler, Retailer
In addition, in its discussion of measures the current Draft Code states that ‘end user declarations
are not intended to be used for all transactions, and they could be used:
• On a per-transaction basis
• On a per customer basis (particularly for new and cash customers) or
• When the sales person feels that suspicious indicators are present’10
IIS considers that, taken together, this advice suggests the possibility of requiring a CD for all or most
transactions, which could lead to excessive and therefore ‘unnecessary’ collection of personal information.
On the other hand IIS also notes the privacy risks arising from sales people requiring customers to fill
out the CD only based on their subjective determination of suspicion. There is clear potential for
certain individuals to be unfairly targeted due to stereotypes and profiling. Also, if the Code is
clearly targeted to suspicious transactions such a request may cause awkwardness and lead to
confrontations if a customer is made to fill out the CD but others around him or her are not.
A factor worth considering is that in the prepaid mobile regime it is sufficient for customers to verify
their identity through the successful use of credit card or EFTPOS to purchase a prepaid mobile.
Lawmakers seem to consider the record of the credit card transaction to be sufficient, even in light
of the potential for criminal activity through the use of prepaid mobiles. Arguably the same basis
should apply for wholesalers and retailers of chemical precursors.
The criterion for collecting information about the transaction could then be more targeted and more
objective. One option is to use traceability as the criterion – that is, only collect information from
customers who pay with cash, whose identity would not otherwise be apparent. For customers
using credit card, direct bank deposit or cheque, there is already a transaction record that shows
what they have bought and that allows them to be tracked down.
A qualification should be provided that participating businesses do not have to seek CDs for every
cash transaction. This is to provide flexibility, for example with repeat customers or customers that
the sales person knows well.
IIS notes that the above discussion does not preclude the consideration of suspicious indicators for
making calls to the National Security Hotline. Such cases do not require the knowledge or
involvement of the suspected individual, and so while privacy risks are present, they do not raise the
same issues associated with collection from individuals via a CD.
IIS also notes that while most industry stakeholders, including some privacy and civil liberties
advocates, supported this approach, there were some views that it limited individuals’ choices,
possibly forcing them into a credit purchase; in this case the preferred approach was to have the
collection specified and authorised by law.
A number of stakeholders raised the issue of Internet transactions, querying whether the draft
recommendation limiting CDs to untraceable transactions addressed the risks in an online
environment. AGD advised that the draft Code is intended to apply to Internet sales but also that
CDs would be less relevant here. It was noted that overall the measures in the Draft Code are
relevant in that they focus on ‘know your customer’ and in any event that many businesses will not
sell in these circumstances without setting up an account. However, the discussion concluded more
information was needed before extending the recommendation to mail order or Internet sales.
10 Attorney-General’s Department, Draft National Code of Practice for Chemicals of Security Concern, v 2, 15
March 2013 (‘Draft Code’), p 16 [Emphasis added].
Recommendation 4 – Customer Declaration only for non-traceable transactions at the business’
discretion
IIS recommends that the AGD amend the Draft Code so that its focus is on customer transactions
where the customer is not otherwise traceable. A qualification should be provided that in the
interests of flexibility, participating businesses do not have to seek customer declarations for every
such transaction, for example with repeat customers or customers that the sales person knows well.
IIS notes this recommendation is limited to ‘bricks and mortar’ sales. There is insufficient
information at this point to extend it to mail order or online sales.
1.14.5 FAIR COLLECTION – VOLUNTARY NATURE OF CODE AND BASIS FOR CD COLLECTION
The Privacy Commissioner interprets the ‘fair’ collection of information to mean without
intimidation or deception.11 IIS considers there is a risk that the current wording of the CDs may
result in participating businesses unintentionally misleading customers. There are two potential
problems.
Firstly, the name of the Draft Code – the National Code of Practice for Chemicals of Security Concern
– carries with it a sense of legal or at least quasi-legal status. This may mislead businesses and
customers into thinking they have no choice but to comply with the Draft Code. IIS acknowledges
that the body of the Draft Code does make it clear that its adoption is voluntary. However, as the
advice in the Draft Code is intended to be advisory, IIS considers that it will be vitally important that
the Code is correctly positioned in the minds of the public not just industry. As we understand, the
intention is that companies adopt the Code as best practice and it will be important that this status
is conveyed in signage, documents, forms etc. IIS considers this should start with accurate naming –
by including ‘voluntary’ in the title, or re-titling the Code as guidance or advice – however if this part of
the recommendation is not adopted, other engagement pieces including education and
documentation, will have to work harder. The need for greater reliance on such mechanisms to
accurately convey the Code’s status may be challenging.
Secondly, the CDs as currently worded are misleading. They state that a ‘signed end-user
declaration must be provided.’12 This gives the impression of legal imprimatur where none exists,
since the use of the CD is an action suggested by a voluntary code of practice. Customers who
provide their personal information may be mistakenly submitting to this apparent authority. Where
a participating business adopts CDs for the sale of chemical precursors, the CD should make clear
that the collection is to meet the suggested action of the Draft Code to which the business
subscribes, as opposed to being a legal requirement. For example, the wording could be changed
from ‘must be provided’ to ‘in accordance with the National Code that this company has adopted as
best practice, it is company policy that the form is provided’.
11 Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles, September 2001, p
27.
12 Attorney-General’s Department, Draft Code, p 17 (for companies) & p 18 (for private individuals) [Emphasis
added].
Privacy and Civil Liberties advocates supported this view. Industry stakeholders did not object to the
issue but both industry and government stakeholders were wary about a name change. This was on
the grounds that it is late in the piece, that the voluntary nature of the Code is very clear in the
content, and that the term ‘Code’ was considered to have some status and therefore ‘encourage’ its
adoption.
Recommendation 5 – Change the compulsory wording of the customer declarations
IIS recommends that the current wording of the customer declaration, which provides that the
declaration ‘must’ be completed, be amended to remove any impression that collection of personal
information is legally mandated.
Recommendation 6 – Code Title to accurately reflect its ‘voluntary’ status
IIS recommends that the AGD rename the Draft Code as ‘Guidance’, or if this is not accepted that it
amend the Draft Code’s name to the ‘National Voluntary Code of Practice for Chemicals of Security
Concern’ or take other measures to dispel ambiguity as to its legal binding status. If this
recommendation is not adopted, IIS recommends that the voluntary nature be fully explained in all
other engagement material including documents, forms, signage and education material.
1.14.6 EMPLOYEE AND CONTRACTOR CHECKING
The Draft Code suggests that basic background checking should occur prior to and during
employment as part of the risk treatment measure of limiting terrorist access to chemical precursors
through a trusted insider.
In the Draft Proposed Risk Treatment Measures (Draft Options), the security objective of employee
and contractor checking is for the responsible person in the participating business to satisfy him or
herself that the employee who has access to chemical precursors:
• Has provided their true and correct identity
• Is trustworthy to employ in the business or organisation.
IIS considers there is a risk that, absent guidance, employers may conduct background checks
where it is not necessary to do so or conduct checking in a way that goes beyond what is required.
The results of such checks may cause embarrassment and distress to the applicant or employee. The
results may also impact on job prospects/tenure by generating an unfavourable opinion on the part of
the responsible person.
The Draft Options have useful commentary that could be incorporated into the guidance material.
For example, in determining whether a person is trustworthy to employ in the business, the
employer is not required to determine that the prospective employee has a predisposition towards
violence or extremist views.
IIS acknowledges that AGD is proposing to develop guidance material. However, it also notes that
the issue of background and criminal history checks was a matter of concern for both industry
representatives and privacy and civil liberties advocates. Both were concerned that the provisions in
the Draft Code would lead to excessive checking or to inappropriate or discriminatory decision-
making. IIS considers that, in addition to the proposed guidance, the Draft Code should flag that
such checking should only be undertaken where there is a clear risk and where it is related to an
inherent requirement of the employee’s position. It also considers that an organisation should have
a clear policy, setting out how and when background and criminal history checks will be made and
how the results will be managed, before undertaking such checks.
Recommendation 7 – Draft Code to advise on appropriate targeting and management of employee
background and criminal checking
IIS recommends that the AGD amend the Draft Code so that the responsibility is assigned for
developing the organisation’s policy on background and criminal history checks and so that the
current security measure for ‘Employee and Contractor checking’ is limited to circumstances where
there is a clear risk related to the inherent requirements of the position.
1.15 NOTICE AND TRANSPARENCY
Where practicable, an organisation should provide information about certain prescribed matters
before or at the time of collection of personal information (NPP 1.3 and APP 5). The current draft of
the code indicates a privacy statement will be included but at this point the CDs lack such a
statement.
The makeup of wholesalers and retailers is likely to include a sizeable proportion of small businesses
that are not subject to the Privacy Act. In Recommendations 12 and 13 below, IIS identifies the issue
of effective redress for individuals and suggests that in the absence of other measures, this can
be achieved by regulation specifying that businesses that adopt the Code, unless otherwise covered,
are subject to the Privacy Act. Even if this recommendation is not adopted, IIS considers that it is
good privacy practice for the CDs to carry the minimum privacy notice requirements under the
Privacy Act.
IIS understands that AGD will proceed to develop a privacy notice, and that it will consider the points
raised in the draft recommendation (and in the final recommendation below which reflects some
small clarifications suggested by stakeholders).
Recommendation 8 – Transparency about information handling in relation to the customer
declarations
IIS recommends that the privacy statement AGD has undertaken to develop for the customer
declaration form for the Code provides information about:
• The purpose of collection, for example that the personal information provided will be kept
by the participating business to facilitate the effective provision of information for law
enforcement and national security purposes
• The period for which the information will be retained, for example that the customer
declaration will be kept securely for two years and then securely disposed of
• The consequences of not providing the information, for example, that if the individual does
not provide the information, the participating business may refuse to sell him or her the
product
• How to contact the participating business including its name and a contact number within
the organisation for complaints and/or queries in relation to the operation of the Code.13
1.16 USE OF PERSONAL INFORMATION FOR FURTHER UNRELATED PURPOSES
A key element of the privacy protections in the Privacy Act is limiting the use of personal information
to the purposes for which it was collected unless a specified exception applies (NPP 2, APPs 6 and 7).
IIS identified a risk that participating businesses might use or disclose the personal information
collected on CDs for purposes other than to achieve the objectives of the Draft Code (for example,
for private security purposes or for marketing). This risk was also raised as a concern in the
consultation process by privacy and civil liberties advocates. The lack of any requirements in the
Draft Code on any further use of personal information, or otherwise protecting it, as well as the fact
that smaller businesses might not be aware of such requirements, was considered likely to
exacerbate the risk. IIS considers that it would be preferable for the Code to include requirements
to protect personal information – Recommendation 10 below addresses this issue. The monitoring
and review proposed in Recommendation 11 would also mitigate this risk.
1.17 DISCLOSURE TO LENSAS
There are two types of LENSA disclosures that are envisaged by the Draft Code. Firstly, a member of
a participating business is encouraged to call the National Security Hotline if they witness any
unusual behaviour regarding the sale and/or use of chemicals of security concern. Secondly – and
this is the primary reason for suggesting use of CDs at point of sale – the CDs may be disclosed to
LENSAs to assist with their investigations.
IIS considers that the disclosure to a LENSA would be consistent with the purpose for which the
information was collected under the Code and, where the Privacy Act applies, would also be
consistent with one of the provisions of NPP 2 (or APP 6). Good privacy practice would require the
business concerned to be satisfied that the LENSA request is required by law, authorised by law or is
reasonably necessary; for example the request might involve a warrant or be in writing from a
suitably senior officer. NPP 2.2 also suggests that where an organisation discloses personal
information under the law enforcement exception in NPP 2.1(h), it should make a note of the
disclosure.
The risk is that employees at participating businesses may be overawed and disclose personal
information too readily in circumstances where it did not have to be disclosed.
No additional issues were raised in the consultation process on the draft recommendation for LENSA
disclosures.
Recommendation 9 – Develop guidance on assessing and responding to a LENSA request
IIS recommends that the AGD provide guidance on how participating businesses should assess a
LENSA’s request for information and respond to it in an appropriate and privacy-respecting manner.
13 See below ‘5.5 Processes for handling failure and complaints’.
1.18 SECURITY OF FORMS STORED BY BUSINESSES
The privacy principles require that organisations take reasonable steps to protect personal
information from loss and unauthorised access, use and disclosure (NPP 4.1 and APP 11.1).
During the consultations for the Draft Code prior to this PIA and its associated consultation, several
stakeholders raised concerns over the security of paper-based forms. The Australian Self-Medication
Industry – the peak body representing companies in the manufacture and distribution of
consumer healthcare products – noted that members’ experience with the use of CDs for illicit drugs
was that the completed CDs are not routinely filed in a secure fashion, with some being stored in
unlocked filing cabinets in general office areas. IIS is aware of anecdotal evidence about the
practices of retailers who are required to collect personal information about purchasers of prepaid
mobiles or SIMs; it seems similarly lax security arrangements occur.
The risks that could arise from participating businesses’ storage of CDs include loss or misuse of
personal information leading to embarrassment, reputation loss and potentially identity theft or
fraud. These risks can be managed to some extent by guidance and training on proper security
procedures; AGD indicated that it is preparing such guidance referencing OAIC guidelines on
appropriate security measures. However, it must be recognised that many participating businesses
might be unaware of the need for, or be unwilling to implement, appropriate measures, and that
unless Recommendations 11 and 12 below are adopted individuals might have no recourse in the
event of problems.
Privacy and civil liberties advocates as well as industry representatives reaffirmed security practices
as a strong concern in the course of the PIA consultation process. Again, the lack of any
requirements in the Draft Code for participating businesses to store CDs securely and to dispose of
them securely after a specified period was considered likely to exacerbate the risk.
IIS suggested in its draft recommendation that in all the circumstances it would be important for
AGD to monitor the overall environment, keep a record of incidents and to take further action as
needed to ensure appropriate security is maintained. AGD advised that it would need to refer this
issue to the NGAG, as it was not currently part of its work program under the IGA.
Recommendation 10 – Code to specifically address protection and security of personal information
IIS recommends that AGD amend the Draft Code to include a requirement for businesses to ‘Assign
responsibility’ for ensuring that personal information gathered on customer declarations is
protected from loss and unauthorised access, use and disclosure and that it is disposed of securely
within the specified period, which should be the minimum necessary to achieve the objectives of the
Code.
Recommendation 11 – Monitor security practices
IIS recommends that AGD, or another appropriate body, should monitor the handling of personal
information collected in the context of the Code, keep a record of incidents and take further action
as needed to ensure appropriate privacy and security practices are maintained.
1.19 SAFETY MECHANISMS
While the above discussion has focused on what the AGD and participating businesses should do to
address key privacy risks, attention must also be paid to what happens when something goes wrong.
Given the number and size of participating businesses, the likelihood of this happening is potentially
high. The Draft Code features a number of risk treatment measures that may assist in the
prevention and investigation of criminal and terrorist attacks involving chemical precursors. At the
same time, some of the suggested actions – in particular the collection of CDs at the point of sale –
introduce privacy risks that are likely to occur, some with potentially large consequences for
individuals.
In some cases, the consequence of loss or misuse of the CDs may be minor, such as embarrassment.
In other cases, the personal information contained on the CDs may be misused for identity theft or
fraud, causing significant financial damage.
Strong mechanisms need to be in place to protect individuals when something goes wrong. This is
particularly the case because a sizeable proportion of participating businesses are not subject to the
Privacy Act, meaning that if no action were taken, some individuals would not have access to any
redress at all.
There could be a range of ways to provide redress; examples are listed in the recommendation
below including the option of using regulation to bring exempted participating businesses back into
the Privacy Act. There are precedents for this; for example small businesses are subject to the
Privacy Act for acts or practices relating to the collection, maintenance and disclosure of personal
information on a residential tenancy database.14
Privacy and civil liberties advocates supported IIS’s draft recommendations addressing this issue.
However, for industry representatives the question at this point became whether together the PIA
recommendations were making the process too complicated and bigger than necessary. This led to
a discussion about whether the requirement for CDs should be removed from the Draft Code. Points
raised included that:
• Many businesses already take customer details upfront as standard practice; CDs are
perhaps only needed as a back-up when customer behaviour is suspicious, and the Draft Code
would give a bit of strength when customers are reluctant to provide information
• Many retailers only sell to account customers and therefore will only use CDs as a back-up,
perhaps not often at all.
AGD indicated it would pursue the question of the value of CDs as well as possible avenues for redress.
Recommendation 12 – Draft Code should not be implemented without effective redress
mechanism(s) for individuals
IIS recommends that the Draft Code should not proceed without effective redress mechanisms in the
event of interferences with individuals’ privacy.
Recommendation 13 – Options for redress in the event of an interference with privacy
IIS recommends that the AGD identify and implement effective mechanisms for individual redress in
the event of interferences with privacy by participating businesses that are not subject to the Privacy
Act. Mechanisms might involve:
• Establishing a single point of contact for individuals if they have a complaint or query. The
number would need to be prominently displayed in the Code, the CD and on AGD websites.
Outcomes of calls can also serve as an important record for monitoring and review or
• Engaging with the Privacy Commissioner to explore options for the Commissioner to take on
an advocacy/brokering role to assist individuals including in relation to dealings with
organisations not otherwise covered by the Privacy Act or
• Engaging with industry to explore options for establishment/appointment of an industry
body to take on an advocacy/brokering role to assist individuals or
• Using regulation to bring exempted participating businesses under the coverage of the
Privacy Act when handling personal information in the context of the Code; this option
should be pursued in the absence of other workable solutions.
14 Privacy (Private Sector) Amendment Regulations 2007 (No. 3).
1.20 EXPANSION OF DRAFT CODE TO FURTHER CHEMICALS AND MONITORING AND REVIEW
While the Draft Code applies specifically to 11 chemical precursors to homemade explosives that
have been identified as top priority it also encourages businesses to adopt the Draft Code in relation
to any of the remaining 84 listed chemicals of security concern. The recently launched AGD
website for chemicals of security concern also encourages organisations to apply the Code to all the
listed chemicals.
IIS considers there are significant privacy risks in this approach without further assessment of the
risks associated with the additional chemicals. Some of the privacy and civil liberties advocates
participating in the consultation process also raised this as a particular concern, querying the ability
of organisations to ‘self assess’ the risks of particular chemicals without further guidance.
IIS understands that there will be an ongoing risk assessment and RIS process considering the
remaining 84 chemicals. It points out that in considering risk in a RIS, the impact on privacy is one of
the risks that needs to be assessed. The issues raised in this PIA, and how they play out as the
Code is implemented, will be one consideration. IIS also considers that the most likely impact on
privacy as the number of chemicals to which the Code is specifically applied increases is that a CD is
likely to be required from a greater number of people, or a greater number of times from any one
person. In other words, expansion of the number of chemicals may not introduce new risks but
could increase the likelihood of existing risks. A moderate increase, say a doubling in numbers, might not call for
specific action, but any significant increase, say a tenfold increase, would be cause for concern and
require deeper consideration.
More broadly, because the benefits of implementing the Draft Code are difficult to quantify, it
is imperative that the tangible effects of the Draft Code are measured and assessed, including in
regard to the privacy impact. The Decision RIS foresees that the impacts and outcomes of the Draft
Code will be evaluated within three years after implementation of the Code. AGD has indicated that
an evaluation framework is to be developed over the next 6 months.
Before the AGD amends the Draft Code to apply to other chemicals of security concern (in particular
the use of CDs at point of sale), IIS considers that the AGD should first review the Draft Code’s
operation in relation to the 11 current chemical precursors and be satisfied that:
• There have in fact been benefits from its application to the initial 11 chemical precursors
• All privacy issues arising from implementation of suggested actions have been or will be addressed
• No additional privacy risks will arise.
For example, if it is found that there are significant problems with the security and storage of CDs,
then the AGD should be slow to introduce a regime that would expand the number of chemical
precursors for which a CD should be sought at point of sale.
Recommendation 14 – Apply the Code to other chemicals of security concern only after any
privacy issues in the review have been addressed
IIS recommends that neither the Code nor AGD’s Chemicals of Security Concern website encourage
organisations to apply the Code to chemicals other than the 11 chemical precursors of homemade
explosives until a RIS process, which considers privacy risks to community members in its cost-benefit
analysis, has been completed. IIS recommends that the RIS consider evidence on the
handling of personal information in the context of the Code and the impact of an increase in the
span of chemicals on the extent of collection of personal information under the Code.
Recommendation 15 – Conduct review of the Code, including privacy impacts, within three years
of operation
IIS recommends that following implementation, the AGD or an appropriate body continue to
monitor the Code and provide a formal, written report on its operation within three years. This
report would be a significant input to the three-year review. Privacy benchmarks to monitor include:
• Number of complaints made to the Privacy Commissioner relating to the Code
• Number of complaints made to the special contact number and other relevant bodies
• Number of customer declarations collected by participating businesses
• Number of reported data breaches/incidents concerning customer declarations
• Comments and feedback from participating businesses regarding use of customer declarations and their security measures
• Comments and feedback from relevant industry groups
• Comments and feedback from privacy, civil liberties and community interest groups.
APPENDIX ONE
1.21 MATERIALS REVIEWED
Attorney-General’s Department, Draft Proposed Risk Treatment Measures for Precursor Chemicals
to Homemade Explosives, v 2.0
Attorney-General’s Department, Chemicals of Security Concern website at
http://www.chemicalsecurity.gov.au/Pages/default.aspx
Attorney-General’s Department, Decision Regulation Impact Statement, Chemical Security:
Precursors to homemade explosives, August 2012.
Attorney-General’s Department, Draft National Code of Practice for Chemicals of Security Concern, v
2, 15 March 2013.
Australian Self-Medication Industry Inc, Submission to Attorney-General’s Department, Draft
National Code of Practice for Chemicals of Security Concern, 4 March 2013.
COAG, Intergovernmental Agreement on Australia’s National Arrangements for the Management of
Security Risks Associated with Chemicals, 2 October 2008.
Graincorp, Submission to Attorney-General’s Department, Draft National Code of Practice for
Chemicals of Security Concern, 2013.
Office of the Australian Information Commissioner, Submission to Attorney-General’s Department,
Draft National Code of Practice for Chemicals of Security Concern, 1 March 2013.
Plastics and Chemicals Industries Association, Submission to Attorney-General’s Department, Draft
National Code of Practice for Chemicals of Security Concern, 6 March 2013.
1.22 ORGANISATIONS CONSULTED IN THE COURSE OF THE PIA
Privacy and Civil Liberties groups
The Australian Privacy Foundation
Liberty Victoria
NSW Council of Civil Liberties
Industry Bodies
ACCORD Australasia Ltd
Australian Chamber Of Commerce And Industry
Australian Retailers Association
Department of Mines and Petroleum
National Farmers Federation
National Retail Association
Pharmacy Guild
Plastics and Chemical Industry Association (PACIA)
Pool & Spa Poppits
Science Industry Australia & Australasian Laboratory Managers Association (ALMA)
Swimming Pool and Spa Alliance (SPASA)
Universities Aust.
Government Bodies
Department of Environment and Primary Industry
Fair & Safe Work QLD
Innovation
NSW Ministry for Police and Emergency Services
NSW Police