Thank you for your question, and it's really a big question.
To deal with any privacy legislation, how do you strike the right balance between the rights of the individual and the legitimate service needs of government agencies?
The Privacy Act is based on a theory. It's based on a principle that when individuals give information to an organization, they do so for a specified, transparent, and confined purpose. That principle is under threat by the data processing activities of government and the private sector in the belief that in this era of big data analytics, you can take information from a variety of different silos, correlate it, and find correlations that are going to be of interest to government in the implementation of public policy.
The Privacy Act is based, as I said, on this dated assumption that information can be categorized and put in silos, put in data banks. I think that is under severe challenge. The Info Source tool is dated and reflects a reality that is 30 years out of date.
Finally, government can do an awful lot in making public policy and delivering services without personally identifiable information. In answer to your question, you should identify the information and anonymize the information in an appropriate way, so that you can have both worlds. This comes under the title of privacy by design, whereby you build privacy in at the beginning. Those are the kinds of tools that the Privacy Commissioner should have, and that should be made more explicit in the Privacy Act.