This document has been archived and is no longer in use by the Office.

A list of the Office's current publications is available on the publications page @ http://www.privacy.gov.au/publications/index.html

The Australian Privacy Commissioner's Website


DRAFT NATIONAL PRIVACY PRINCIPLE GUIDELINES

A consultation document issued by the Office of the Federal Privacy Commissioner, 7 MAY 2001

Table of contents

INTRODUCTION - BACKGROUND TO THE DRAFT GUIDELINES AND CONSULTATION PROCESS

Introduction

This paper

CHAPTER 1 - INTRODUCTION TO GUIDELINES

CHAPTER 2 - EXPLANATION OF TERMS
Access, Act (the Act), Authorised by law, Collection, Commissioner (the Commissioner), Cookie, Directly related purpose, Direct marketing, Disclosure, Enforcement bodies, Health information, Health service, Individual, Law, Lawful, List renter, Necessary, Organisation, Personal information, Practicable and impracticable, Primary purpose, Reasonable, Record, Related corporation, Related purpose, Required by law, Secondary purpose, Sensitive information, Serious and imminent threat, Serious threat to public health or public safety, Use, Web bug.

CHAPTER 3 - CONSENT AND PRIVACY

CHAPTER 4 - COLLECTING PERSONAL INFORMATION

CHAPTER 5 - USING AND DISCLOSING PERSONAL INFORMATION

CHAPTER 6 - KEEPING INFORMATION ACCURATE COMPLETE AND UP TO DATE - NPP 3

CHAPTER 7 - MAINTAINING DATA SECURITY

CHAPTER 8 - NPP 5 OPENNESS ABOUT INFORMATION HANDLING PRACTICES

CHAPTER 9 - ACCESS AND CORRECTION (NPP 6)

CHAPTER 10 - IDENTIFIERS

CHAPTER 11 - ANONYMITY

CHAPTER 12 - TRANSBORDER DATA FLOWS

CHAPTER 13 - HEALTH RESEARCH, HEALTH MANAGEMENT AND THE NPPS

APPENDIX I - NATIONAL PRIVACY PRINCIPLES

APPENDIX II - INFORMATION SHEET 3 (CODES)

APPENDIX III - INFORMATION SHEET 4 (PRIVACY COMMISSIONER'S POWERS)

APPENDIX IV - INFORMATION SHEET 6 (DOES THE PRIVACY ACT APPLY TO MY ORGANISATION?)

APPENDIX V - INFORMATION SHEET 9 (WHICH NPPS APPLY WHEN)


INTRODUCTION - BACKGROUND TO THE DRAFT GUIDELINES AND CONSULTATION PROCESS

Introduction

New private sector provisions in the Privacy Act 1988

On December 21 2001, new privacy laws will come into effect that regulate the way private sector organisations handle personal information. The new laws, which will be part of the Privacy Act 1988 (Cth) (the Privacy Act), include ten National Privacy Principles (NPPs) that set standards for the way organisations handle personal information.

The new privacy laws will give individuals new privacy rights including the right to get access to the personal information an organisation holds. Individuals will also have the right to complain if they think an organisation has breached their privacy rights and to get redress if the breach is proven.

The Federal Privacy Commissioner (the Commissioner) has the power to make guidelines about the NPPs and this document is a draft of those guidelines. The guidelines do not cover a number of other aspects of the new privacy laws that organisations will need to know about, although information about which organisations the new provisions cover is included in an appendix to the guidelines.

For more information about the new laws see the Office of the Privacy Commissioner (the Office) website at www.privacy.gov.au or ring its hotline on 1300 363 992.

NPPs one of three sets of guidelines

The NPP guidelines are one of three sets the Commissioner is developing this year on the operation of the new legislation. These are:

Importance of consultation

The Commissioner places great importance on consulting the Australian community about these guidelines. For each set of guidelines, the Office has developed a consultation process including a two-month period of wide public consultation. In each case, the Office has developed a consultation document that includes draft guidelines and identifies issues on which it would like community and stakeholder views.


This paper

A consultation document

This paper is a consultation document for the NPP guidelines. The first chapter is an introduction to the guidelines. The following chapters set out draft guidelines and in some places ask specific questions for consultation. The appendices include the NPPs so that people can refer to them as they read the draft guidelines and some information sheets about the new private sector scheme.

Policy on NPPs is settled

The NPPs are the starting point for developing the guidelines. The policy underlying the NPPs is now settled and part of the law. The NPPs set out Federal Parliament's decision about the balance to be struck between the protection of privacy and the protection of other important human rights and social interests that complement those relating to privacy,

"including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way." (Section 29 Privacy Act)

The role of this paper is to seek views within the framework of the balance Federal Parliament has settled on.

Review of private sector provisions

The Government has also announced that there will be a review of the Privacy Act two years after it commences. During this period the Commissioner expects to examine closely a number of areas of the new legislation to assess whether the right balance of interests has been struck. These areas include the various exemptions in the Act and the provision in the NPPs for direct marketing.

Role of consultations

However, there are a number of areas where Parliament has deliberately chosen to leave flexibility in the NPPs. Examples of this are where the NPPs use such words as "reasonably expect" and "practicable". In the draft guidelines outlined in this paper, the Commissioner has reached a preliminary view on what factors organisations should consider when applying these kinds of words to a particular business practice.

Format of submissions

The Commissioner seeks the views of all stakeholders including members of the public, businesses, non-profit associations, peak industry bodies, organisations in a range of sectors, consumer bodies and relevant State and federal government agencies about:

It will help the Office collate and analyse views if submissions follow the structure of the guidelines in making comments.

Draft guidelines available in a range of formats

This paper is available in a range of formats. It is available in hard copy and on the Commissioner's website at www.privacy.gov.au. We can also make it available on disk on request.

We will also be shortly releasing a summary document that sets out some key issues from the guidelines on which we would like responses.

We propose to issue the final guidelines in a range of formats including html with hotlinks as well as an easily accessible hard copy and through various legal and other publications.

How you can make a submission

You can make a written submission either in electronic form by email, or in hard copy. You can also ring us on TTY 1800 620 241.

E-mail address for submissions is: privacy@privacy.gov.au

Postal address for submissions is:

Office of the Federal Privacy Commissioner (consultation on NPP Guidelines)
GPO Box 5218,
Sydney, NSW 1042

Closing date for submissions is Friday, 6 July 2001. This Office will accept submissions after this date. However, because of the tight deadline for publishing the final guidelines, the Office will have an increasingly limited ability to take them into account.

The Office will publish the final guidelines in early October 2001.

Collection statement - what we will do with your submission

This Office will use the submissions it receives for the purpose of preparing the NPP guidelines. It may publish a list of those who made submissions and it may make submissions public. If you wish your submission to be treated as confidential, you should either state this on your submission or tell us at the time you make your submission.



CHAPTER 1 - INTRODUCTION TO GUIDELINES

Why these guidelines are important

New privacy provisions covering the private sector

New privacy provisions in the Privacy Act 1988 (Cth) (the Privacy Act) affecting private sector organisations came into effect on 21 December 2001. Organisations covered by the legislation will need to consider how they are to implement the provisions, and in particular the National Privacy Principles (NPPs). Organisations that hold significant amounts of personal information are likely to have to make a number of changes to the way they collect, use, disclose, keep secure and give people access to that personal information.

Federal government agencies are covered by other parts of the Privacy Act. They must comply with the Information Privacy Principles. Credit providers are bound by Part IIIA of the Act as well as these new provisions.

Guidelines to help organisations implement the NPPs

These guidelines will help organisations to implement the NPPs. They will also be of interest and use to consumers and consumer advocates who wish to understand in detail what the NPPs mean and how they can be applied.

Other information to be available

These guidelines are not the only way this Office is proposing to provide information about the NPPs to the community. In addition to these and other guidelines, the Office is developing other material and other strategies specifically aimed at ensuring consumers and other key stakeholders are aware of organisations' obligations, consumer rights and how to enforce them.


Why have guidelines on the NPPs?

The NPPs are high-level principles that are spelt out in the Privacy Act. They do not spell out in detail exactly what an organisation must do to comply with them. There are a number of places where very general words such as "reasonable", "practicable", and "impracticable" appear. This approach to the NPPs enables them to be technology neutral and to be applicable in a wide range of organisations and industries. It also recognises that people's view of privacy is contextual and may change depending on such things as the kind of information involved, the level of trust in the holder of the information, cultural background and the nature of business practice.

Another benefit of having a high-level, rather than a highly prescriptive approach, is that it is less likely that the NPPs will have to be changed as technology develops, new industries develop or public attitudes about privacy change.

On the other hand, the high-level approach means that for organisations and consumers that are unfamiliar with how privacy works, it may not be clear how to apply the principles to a particular business or circumstance. Having guidelines that spell out the principles in more detail is a way of providing greater clarity.


Purpose of NPP guidelines

The Commissioner has developed these NPP guidelines to give organisations practical help on how to apply the NPPs to their operations and to explain:


Status of NPP guidelines

These guidelines are made under section 27(1)(e) of the Privacy Act which gives the Commissioner a general power to make guidelines to help organisations avoid breaching the Privacy Act. Guidelines made under this power are advisory and so are not directly legally binding. (Other provisions in the Privacy Act give the Commissioner power to make guidelines covering more specific circumstances. In some cases these are binding.) These NPP guidelines cannot cover every situation. An organisation that does not follow the guidelines may not necessarily be in breach of the Privacy Act. However, they are an indication of how the Commissioner would interpret and, where appropriate, apply the principles when exercising relevant powers and functions under the Privacy Act. In other words, the guidelines are directly relevant to the way the Commissioner will apply the law, for example, when handling complaints.


What is privacy?

Privacy is about protecting our sense of self - that is, who we are; what we know; what we think; what we have done; and what we want to do. One important aspect of this is the extent of control we have over personal information about us. Exercising choice about our own information can also be an important aspect of retaining personal dignity and humanity in a relationship with another party.

Privacy is not about protecting wrongdoing or encouraging secrecy. There is no absolute right to privacy. Society accepts that there are public interest reasons for particular limitations on individuals' right to privacy. These include law enforcement, fraud control and public safety.

A certain amount of information sharing occurs in most relationships that individuals have with other people or organisations. As a consequence there may be a reduction in control over that information because someone else holds it. The individual's right to privacy sometimes must be balanced against a particular benefit that the individual receives from such relationships.


About the new private sector provisions

Changes to the Privacy Act 1988

On December 21 2000 the Privacy Amendment (Private Sector) Act 2000 (Cth) received Royal Assent. It amended the Privacy Act (which currently covers federal public sector agencies and private sector credit providers) to include provisions that regulate the way private sector organisations handle personal information. The new law came into force on 21 December 2001 although for small businesses that are not exempt from the new law, other than health services, it comes into force on 21 December 2002. (More information on when the NPPs come into effect is available in Information Sheet 9 "Which NPPs apply when" included at Appendix V.)

The Act does not apply to small businesses provided that they do not handle personal information for a benefit, service or advantage or handle health information. For more information on who the Act applies to, see the Commissioner's Information Sheet 6 "Does the Privacy Act apply to my organisation?" (included at Appendix IV).

Protection for personal information

The Privacy Act gives basic protection to personal information and gives extra protection to sensitive information including health information. It requires organisations to which it applies to implement the NPPs or a code that the Commissioner has approved. More information on codes and the code approval process is available from the Commissioner's Information Sheet 3 - "Codes" (included at Appendix II) and from the Draft Code Development Guidelines, on which the public is currently being consulted (and which are available on the internet at http://www.privacy.gov.au/ or on request to the Commissioner's Office).

The most common way in which the law will be enforced is likely to be through the Commissioner resolving individual complaints against an organisation that has not complied with the principles. The Commissioner can make a formal determination to resolve a complaint and, if necessary, seek to have the Federal Court or Federal Magistracy enforce the determination. If an organisation is operating under an approved code, complaints would be investigated by the "code adjudicator" for that code, if the code includes its own complaints handling process. (More information about complaints under a code is included in the Draft Code Development Guidelines referred to above. More information about complaints generally is in Information Sheet 4 - "Powers", included at Appendix III.)

The Commissioner can enforce the Privacy Act in other ways, including through investigations the Commissioner can initiate (without first receiving a complaint) and through injunction powers, all of which are spelt out in the Act.

Where to get more information

If you have any questions about the NPPs or the way the new private sector amendments work you can look at the Commissioner's website at http://www.privacy.gov.au/ or phone the Office toll-free on 1300 363 992; TTY 1800 620 241.

National Privacy Principles

There are ten NPPs that set standards for the way organisations handle personal information. They cover

Collection of personal information - NPP 1
Use and disclosure of personal information - NPP 2
Quality of personal information - NPP 3
Security of personal information - NPP 4
Openness - NPP 5
Access of individuals to personal information - NPP 6
Identifiers - NPP 7
Anonymity - NPP 8
Transborder data flows - NPP 9
Collection of sensitive information - NPP 10

You can find a copy of the NPPs at Appendix I of these guidelines.

Application of guidelines to information collected before the new provisions commence

Some of the NPPs only apply to information collected after the new private sector provisions commence. Details about which NPPs apply when can be found in an information sheet the Commissioner has issued and included in Appendix V to these guidelines.


About these guidelines

Commissioner's power to make guidelines

The private sector amendments give the Commissioner a number of additional powers to make guidelines about particular matters to do with the new private sector law. In addition to these NPP guidelines, the Commissioner has developed:

Relationship of NPP guidelines with other guidelines on the new private sector legislation

NPP and health guidelines

These guidelines give guidance on the privacy of personal information generally. Health Privacy Guidelines cover how the NPPs apply to the specific circumstances of health service providers. The Commissioner will use the NPP guidelines and the Health Privacy Guidelines, in combination with the NPPs, as the benchmark to assess whether a code has obligations that are at least equivalent to those in the NPPs and so can be approved.

Section 95A guidelines

The National Health and Medical Research Council (NHMRC) is developing guidelines made under section 95A of the Privacy Act (section 95A guidelines) on the collection, use and disclosure of health information for research purposes. Some of the principles refer to these guidelines and organisations wishing to collect, use or disclose health information for research purposes must comply with them.

Relationship of NPPs with other standards

The Commissioner strongly encourages organisations with significant holdings of personal information to meet appropriate Australian Standards, get auditors to give certificates of compliance, or seek other ways to get independent assurance that they are meeting the provisions of the Privacy Act. Measures of this kind will reassure customers that they are dealing with a privacy friendly organisation. Also, the Commissioner will take actions such as this into consideration as privacy positive steps when investigating a complaint.


Structure of guidelines

Chapter 1 is an introduction

Chapter 2 explains terms

At the front of the guidelines is a chapter that explains terms that appear in a number of places in the guidelines. It includes explanations of key terms in the Privacy Act such as "personal information", "sensitive information" and "health information", as well as some general information about terms that appear frequently in the principles, such as what is "reasonable" and "practicable".

Chapter 3 explains consent

"Consent" is a key concept that appears in a number of places in the NPPs. It is the key to best practice in implementing privacy. Rather than discuss it in a number of different places, the guidelines deal with it in a separate chapter. That chapter includes a general discussion of what consent is and how organisations should go about getting it.

Chapter 4 explains collection of information

This chapter covers the NPPs that deal with how organisations should go about collecting information including NPP 1 and NPP 10 (which deals with collecting sensitive information).

Chapter 5 explains use and disclosure of information

This chapter covers when and for what purposes an organisation can use and disclose personal information as set out in NPP 2.

Chapter 6 explains keeping information accurate complete and up-to-date

This chapter covers NPP 3 which deals with how organisations should go about keeping information accurate complete and up-to-date.

Chapter 7 explains keeping information secure

This chapter covers NPP 4 and how organisations should go about keeping their information secure.

Chapter 8 explains privacy statements and openness about information handling

This chapter deals with NPP 5 and how organisations should go about meeting their obligation to be open about the way they handle personal information.

Chapter 9 explains giving individuals access to their personal information

This chapter deals with NPP 6 and explains how organisations should go about meeting their obligation to give individuals access to their personal information.

Chapter 10 explains identifiers

This chapter covers NPP 7 and the obligation not to adopt, use or disclose Commonwealth Government identifiers.

Chapter 11 explains anonymity

This chapter deals with NPP 8 and explains when an organisation should allow an individual to deal with it anonymously.

Chapter 12 explains information sent overseas

This chapter deals with NPP 9 and explains when an organisation can send personal information overseas.

Chapter 13 explains collection, use and disclosure of health information for research and other purposes

This chapter deals with the aspects of NPP 10 and NPP 2 that deal with collection, use and disclosure of health information for research, statistical analysis and management purposes.


Structure of each chapter

Link to each NPP
The text is closely linked to and cross-referenced to the relevant NPP. The Office does not intend that the guidelines are stand-alone. It proposes that the guidelines should be used in close partnership with the NPPs which set the underlying standard.

Background followed by further explanations
To help you find information, we have written the guidelines in a consistent format under the following headings.

Background to the NPPs
In each chapter of the guidelines dealing with the NPPs the first part discusses such matters as:

In many cases this part may be enough to give a general idea of how the NPP works.

More detailed information
The second part of each chapter has more detail about the relevant NPP or NPPs.


NPPs in appendix

We have included the NPPs in full in Appendix I of the guidelines so that the guideline reader can refer to them when reading the guidelines.

Questions for consultation

1.1 Do you have any comments to make about this introduction?

1.2 Do you have any comments about the structure we have adopted for the guidelines?



CHAPTER 2 - EXPLANATION OF TERMS

Access

In NPP 6 "access" refers to an individual's right to see, or know about, his or her own information that an organisation holds.

Act (the Act)

The Privacy Act 1988 (Cth)

Authorised by law

"Authorised by law" refers to circumstances where the law permits, but does not require, an organisation to use, disclose, or deny access to, personal information. The word "authorised" suggests that an organisation has some discretion as to whether or not to use or disclose or deny access to information (see NPP 2.1(g) and NPP 6.1(j)).

Collection

An organisation collects personal information if it gathers, acquires or obtains information from any source, by any means, in circumstances where the individual is identified or is identifiable. It includes information that:

Commissioner (the Commissioner)

The Federal Privacy Commissioner.

Cookie

A cookie is a piece of information that an Internet web site sends to your browser when you access information at that site. Most of the popular browsers support the use of cookies. Cookies indicate to a web site that you have been there before and they can be used to record what parts of a web site your computer is visiting. While cookies in themselves may not identify you in the way a name or address does, a cookie could potentially be linked with other identifying information. Cookies can also be used to build up a profile of your buying habits and what you are interested in, for example, if you provide extra information about yourself to the web site by buying something online or by subscribing to a free service.

Directly related purpose

A directly related purpose is one that has a strong connection with the primary purpose of collection. It is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. Uses or disclosures for a directly related purpose would include uses or disclosures for:

See NPP 2.1(a) also Primary Purpose, Related Purpose and Secondary Purpose.

Direct marketing

The Privacy Act does not define direct marketing. However, the Commissioner considers that direct marketing includes activities that promote the sale or purchase of products or services, or promote charitable fundraising, where the individual is approached directly. It includes in-person approaches to people's houses and approaches by mail, e-mail, telex, facsimile and phone. It includes individually targeted approaches by these means where people are encouraged to buy services at a distance (for example, to buy by phone, mail or website), to visit retail and service outlets, or to donate to a cause by one of these means. It also includes automated processes such as spam e-mail and computer-generated voice calls over the phone.

Disclosure

An organisation discloses information when it releases information outside the organisation. Examples of disclosures include:

Enforcement bodies

The enforcement bodies referred to in NPP 2.1(h) are specified in section 6(1) of the Privacy Act as:

Health information

Health information means information or an opinion about the:

Health information can include details such as an individual's name, address, billing information and Medicare number, for example, if it is part of the information about an individual's health.

Health service

Health service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it to:

Health service providers can range from hospitals and general practitioners to organisations that may not traditionally have been considered health service providers such as gyms and weight loss clinics.

Individual

The word "individual" is used in the NPP Guidelines in relation to the person whose personal information an organisation holds. The words "person" or "people" are used when referring to anyone other than the individual.

Law

The reference to law in the NPPs means Commonwealth, State and Territory legislation as well as the common law.

Lawful

Lawful means something that is not prohibited by law. This is a wider concept than "authorised by law" or "required by law".

List renter

A list renter is an organisation that rents or buys lists containing personal information from organisations and then rents or sells the lists on to other organisations.

Necessary

The Commissioner interprets "necessary" in a practical sense but will tend to a narrow interpretation in any particular circumstance. If an organisation cannot, in practice, effectively pursue a function or activity without collecting personal information, then that personal information would be regarded as "necessary" for that function or activity. Necessary should not be interpreted as a reason for collecting information on the off chance that it may be useful for a function or activity in the future.

Organisation

The private sector provisions in the Privacy Act apply to "organisations". In summary, an organisation under the Privacy Act means an individual or a body corporate or a partnership or any other unincorporated association or a trust that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory authority (section 6C of the Privacy Act). For more information about which private sector entities are organisations covered by the Privacy Act, see Appendix IV.

Personal information

Personal information means information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (section 6 Privacy Act)

Personal information must relate to a natural person. A natural person is a human being rather than, for example, a company, which may in some circumstances be recognised as a legal "person" under the law.

Personal information can range from the very sensitive (for example, political beliefs, medical history, sexual preference or medical records) to the everyday (for example, hair colour, address, phone number). The information need not be accurate: it may include opinion and speculation, and it may simply be false information. It doesn't matter whether the information is held in a computer database, in paper records, or in any other medium. If the information itself makes it clear which individual it is about, then the person is identifiable. Whether a person's identity is reasonably ascertainable will depend on the context and on who holds the information.

Practicable and impracticable

What is practicable or impracticable involves assessing the facts of the particular situation. It is not determined by an individual's or organisation's view of what is practicable or impracticable. The Commissioner would not accept that doing something is impractical just because it involves expense, inconvenience or effort on the part of an organisation. The guidelines set out factors the Commissioner will take into account in deciding what is practicable or impracticable for the particular NPP concerned (for example, see NPPs 1.3, 1.4, 2.1(c) and (d), 8 and 9).

Primary purpose

The primary purpose is the dominant or fundamental reason for information being collected in a particular transaction.

There can only be one primary purpose of collection for a particular transaction. When an individual gives (and an organisation collects) personal information, the individual and the organisation almost always do so for a particular purpose, for example, to buy or sell a particular product or to receive a service. This is the primary purpose of collection, even if the organisation has some additional purposes in mind. These additional purposes will always be secondary purposes for that transaction, even if the organisation tells the person about them, and even if the organisation gets the individual's consent to use or disclose the information for those additional purposes. For more information about primary purpose see Chapter 4 - Collecting personal information.

See also directly related purpose, related purpose and secondary purpose.

Reasonable

The terms "reasonable" and "unreasonable" appear frequently throughout the NPPs. Generally speaking, they relate to decisions or steps to be taken by organisations in particular circumstances (for example, when collecting, correcting or using and disclosing information) or to expectations of individuals in those circumstances.

Determining what is reasonable involves considering the factual circumstances in which a person or organisation is acting rather than the individual's or organisation's view of what is reasonable or unreasonable.

The guidelines set out factors the Commissioner will take into account in deciding what is reasonable or unreasonable for the particular NPP concerned (for example, see NPPs 1.2, 1.3, 1.4, 1.5, 2.1(d)(3), 2.1(h), 3, 4, 5.2, 6.1(c), 6.3, 6.5 and 9(f)).

Record

A record is a document, a database, a photograph or picture of an individual or individuals.

Related corporation

Under the Privacy Act, the question of whether one corporation is related to another corporation is determined in the same way as it is determined under the Corporations Law. This means that where a body corporate is:

the first mentioned body and the other body are related to each other (Corporations Law, section 50).

Related purpose

A related purpose includes all the purposes that are directly related purposes as well as some additional ones. Related purposes must have some connection to, and arise in the context of, the primary purpose. Uses or disclosures for a related purpose would include uses or disclosures:

See also directly related purpose, primary purpose and secondary purpose.

Required by law

Required by law refers to circumstances where a law (other than the Privacy Act) requires an organisation to collect, use, disclose or deny access to personal information. In certain instances, failing to comply with such a legal requirement may be an offence. Such a law may specifically require an organisation to collect, use, disclose or deny access. It may also be a law that gives another body, such as a government agency, a general information gathering power that includes the power to require an organisation to disclose information to it (see NPPs 2.1(g), 6.1(h) and 10.1(b)).

Secondary purpose

Secondary purposes are purposes other than the primary purpose that an organisation has in mind for the information it collects. Related and directly related purposes are secondary purposes.

Organisations must not use or disclose information for secondary purposes except in limited circumstances, such as where the organisation has the consent of the individual, or where the secondary purpose is related or directly related and within reasonable expectations. NPP 2 allows very limited unrelated secondary use for the purpose of direct marketing where it is impracticable to get consent.

See also directly related purpose, primary purpose and related purpose.

Sensitive information

Sensitive information is information or an opinion about an individual's:

that is also personal information or health information about an individual (section 6, Privacy Act). (See NPP 2.1(c), NPP 10.)

Serious and imminent threat

A number of the NPPs provide for circumstances where an organisation might need to consider whether there is a "serious and imminent" threat to an individual's life, health or safety. For there to be a serious and imminent threat to an individual's life, health or safety:

Imminent means that the threatened harm must be about to happen.

The threat must be serious, for example, murder or assault or threat of spreading an infectious disease. A specific threat of physical harm to a particular person in an organisation usually counts as a serious threat. Threats to finances or reputation are not threats to life or health. Abuse, without a threat, directed to staff in general does not usually count as a serious threat (see NPP 1.5, NPP 2, NPP 6.1(a), NPP 10.1(c)).

Serious threat to public health or public safety

Public health and public safety are not defined in the Privacy Act. Various Public Health Acts, while not necessarily defining public health, give some indication of the range of conditions and threats that have been considered significant enough to warrant legislating about them in the interest of public health. Examples of conditions mentioned in public health acts are management of:

Use

Use of personal information relates to the handling of the personal information within the organisation. Examples of uses of information are:

Web bug

A web bug is often used with cookies on the internet. Web bugs are tools designed to monitor who is reading the web page or e-mail. They have no other use or purpose. They are often used for online profiling, advertising, marketing and to measure website statistics. For many users of the internet the main practical difference between a cookie and a web bug is that web bugs are much more difficult to detect or neutralise.


CHAPTER 3 - CONSENT AND PRIVACY

General background

Importance of consent in privacy

One of the most effective ways an organisation can protect privacy is to get an individual's consent for the collection, use and disclosure of their personal information. Breaches of privacy usually occur in circumstances where personal information is collected, used or disclosed without an individual's knowledge or permission. To respect privacy an organisation must keep individuals informed about its information handling practices and give individuals as much choice as possible about how their personal information is handled.

Consent in the NPPs

The NPPs require an organisation to seek the consent of an individual in a range of circumstances. The collection of sensitive personal information generally requires an individual's consent under NPP 10. Gaining consent for use and disclosure of personal information will operate to ensure that the privacy of individuals is protected more effectively. Consent is also mentioned in NPP 2 - use and disclosure (2.1(b), 2.1(c)(i), 2.1(d)(i), 2.4(a)(i) and (ii), 2.4(c)(i)) and NPP 9 - transborder data flow (9(b), 9(e)(ii)).

Elements of consent

Consent generally means agreement, approval or permission to some act, practice or purpose. In the Commissioner's view, valid consent must be informed, voluntary and given by a competent person.

More information about the elements of consent

Consent should be informed and specific

In seeking consent an organisation must give enough information to enable an individual to make an informed decision. Informed consent depends on full and adequate disclosure of relevant matters. Consent may be invalid if an organisation has given insufficient or incorrect information about its likely use or purpose.

When it must seek consent for the purposes of the NPPs, an organisation should clearly state:

An organisation should not seek a broader consent than is necessary for its purposes. Consent forms need to be specific about the matter, act or purpose that is intended with regard to the personal information. Broad and vaguely worded consent clauses such as "may disclose to other businesses, as appropriate" will not be enough to satisfy the requirement for consent because they do not inform an individual about what they are consenting to. Consent will be ineffective if the act an organisation performs is of a significantly different nature to the act the individual consented to.

To ensure that an individual's consent is genuine, an organisation must give an individual enough time to absorb the relevant information and to ask any questions so that he or she can make an informed decision. Organisations should also provide materials in languages other than English and/or make interpreters and translators available if this is applicable.

Consent should be voluntary

For consent to be voluntary, a person must be free to make a choice. Consent will not be valid if there is evidence of fraud (for example, evidence that an organisation has misrepresented the kind of activity or procedure involved or the need for such activity or procedure). It is also invalid if there is too much pressure or coercion. An individual's consent may not be voluntary and valid if the individual is denied some benefit or is disadvantaged in some way because they refused consent.

Competence to consent

The individual consenting must be competent to do so. In other words, they must be able to understand the issues and how they will affect them, to form a view based on a reasoned judgment, and to communicate their decision. This need not be a judgment that anyone else may consider reasonable, provided that the individual has been able to weigh up the costs and benefits to their own satisfaction.

The individual abilities of the person, the requirements of the task at hand, and the consequences likely to flow from the decision may influence the steps that an organisation should take to ensure that consent is informed and voluntary. The capacity of young people to give consent and the principles that apply when people are not competent are discussed below.

Types of consent

Consent usually involves positive acceptance and can be expressed in words or implied from conduct. Organisations should get express consent where consent is required by the NPPs. Implied consent is only acceptable where it is clear from the circumstances that the individual has made an informed and voluntary decision. An individual's failure to respond to an organisation's request for consent does not constitute consent. Neither does failure to object to a proposal except in the extremely limited circumstances outlined below.

Express consent

Express consent refers to consent that is clearly and unmistakably stated in writing or orally. As a general rule, an organisation should gain a person's express consent wherever the NPPs require consent, such as for the collection of sensitive information or for secondary use and disclosure of personal information.

Consent is most clearly expressed in writing. However, an individual's signature on a form may not indicate genuine consent if the person has not been informed or does not understand what they are consenting to. When an individual gives oral consent an organisation should make a written record of the time of consent and exactly what was consented to. This will help to avoid any disputes in the future about whether an individual had consented.

Implied consent

Implied consent is consent that may be inferred from a person's conduct rather than from what they say or write down. Genuine consent can only be implied in circumstances where it is clear that a person knows and understands what they are consenting to and clearly indicates from their behaviour that they have agreed.

For example, consent can be implied when a person uses a telephone service for banking services and proceeds after hearing a recorded message that the call may be monitored or recorded for staff training purposes. In these circumstances, the primary purpose is the collection and use of personal information for the provision of banking services and the secondary purpose is staff training. Consent for the secondary purpose is implied by the person's action of continuing with the call.

Opt-out procedures and implied consent

Except in the most limited circumstances, it is questionable whether implied consent can be inferred from a failure to opt out, or from an individual's failure to object to a proposal.

An example of an opt-out procedure is where a form states that the organisation will disclose personal information to a third party unless the individual contacts the organisation to object.

Failure to object does not imply consent in these circumstances because it will not be clear that the individual exercised an informed choice (for example, the individual may have thrown the form in the bin without reading it). It will also often not be clear that the individual's failure to respond was a positive decision. In many cases it will be likely that the individual did not respond because doing so involved cost or too much effort.

The Commissioner is likely to regard consent as having been inferred from an individual's failure to opt out only if all of the following conditions are met (and even then, not in all circumstances):

An example of such an arrangement might be a power company seeking to include direct marketing material with later invoices and including a suitable opt-out box on the invoice. However, whether this is acceptable as a way of getting consent may depend on how individuals pay their bills.

Questions for consultation

3.1 Do you think that the opt-out approach can constitute valid consent? If so, why? If not, why not?

3.2 What are the implications for consumers and organisations of allowing opt-out consent in the circumstances outlined?

Withdrawing consent

Consent can be withdrawn at any time. Once an individual has withdrawn consent, the organisation cannot rely on past consent for any future uses or disclosures. When organisations are asking individuals to consent to secondary use or disclosure of personal information, it is good practice to tell them that they are free to change their mind and what they should do if they want to withdraw consent.

Consent and incapacity

It is not possible to gain consent from a person who does not have the capacity to make a decision. The general law about competence and incapacity will apply to the issue of consent.

Consent on behalf of another person

Sometimes decisions about the collection, use or disclosure of personal information relate to an individual who lacks legal decision-making capacity. A lack of capacity may be temporary or permanent, depending on the underlying medical cause or the individual's disability.

The NPPs allow, in certain circumstances, for the disclosure of an individual's health information to a person who is "responsible for" them. Such disclosure occurs chiefly to ensure that the individual receives appropriate treatment and care, or for compassionate reasons.

However, there are situations where the NPPs require that an organisation seek consent before certain uses or disclosures of an individual's personal information. The organisation will need to consider who is appropriately authorised to give substitute consent in these circumstances. Where a person has a guardian with appropriate decision-making functions, the organisation should discuss the proposed action with the guardian.

It is the Commissioner's view that people with a disability who lack decision-making capacity should not miss out on necessary health care, support and other services because of privacy-related consent issues. However, neither should an individual's privacy rights be undermined by virtue of their inability to give consent.

Therefore, if the NPPs require that an organisation seek consent to use or disclose information about an individual who lacks capacity, it may be necessary for that organisation to contact its local Guardianship Tribunal or Board to determine how to proceed according to State guardianship laws.

Where an individual lacks decision-making capacity, every effort should still be made to include them in the decision-making process to the degree possible, even if another person may be the final provider of consent.

Organisations must be wary of assuming that a person with a disability is necessarily incapable of giving consent to the handling of their personal information. Most people with disabilities are able to make their own privacy decisions and have the legal right to do so.

Questions for consultation

3.3 Does there need to be an explicit mechanism for identifying who can consent on behalf of another person (where that person lacks legal capacity) in relation to privacy issues?

3.4 Alternately, should organisations be able to proceed in collecting, using or disclosing information (regarding a person with a disability who lacks decision-making capacity) without consent, if this is undertaken in the person's best interests?

Young people

As a general principle, a young person is able to give consent when he or she has sufficient understanding and intelligence to understand what is being proposed.

A parent or guardian may provide consent in relation to a person under the age of 18 years only if the child is very young or the young person is unable to do so for themselves. A parent or guardian may only make decisions on behalf of a young person that are in the best interests of the child or young person.

Whether or not a young person is capable of making a choice about the collection, use and disclosure of personal information will depend on the circumstances. Due weight should be given to any views expressed by a young person, taking into account their age, intelligence and understanding. When dealing with a young person or child, an organisation should also take into account:

Information policy

Organisations that target young people should set out in their information policy (see NPP 5) who may consent and who has a right of access to information concerning a person who is under the age of 18 years. Such a policy should have general guidelines about how the organisation will make decisions relating to young people and the factors it will take into account. The policy should also deal with parental involvement, particularly factors that would indicate that a parent should be involved in the decision-making process.

The Federal Attorney-General has announced that there will be an inquiry into children and privacy.

Questions for consultation

3.5 What is the appropriate approach to take when getting consent where a young person is involved? For example, are these the right considerations or are there other considerations to take into account?

3.6 Does this chapter strike the right balance between parents and children? If not, what is a better approach?

3.7 Are there reasons why there should be a different approach in relation to privacy than in other areas of the law?

Cultural issues and consent

The sensitivity of some personal information may vary between ethnic communities. Personal information that is regarded as culturally sensitive within a community requires increased protection. Culturally sensitive information should only be asked for on a voluntary basis, or by getting informed consent. If there is no choice but to require culturally sensitive information, the request should be made carefully, and with all possible steps to minimise the intrusion. The methods of collecting information should also be culturally sensitive. Organisations should be sensitive to, and ensure that staff are properly trained in, cross-cultural issues regarding personal information.

Concepts of what is consent and how it is communicated or gained may vary from culture to culture or from group to group. In some cultures or groups, collective consent may be the norm.

In 1998 the then Commissioner released a privacy protocol (called "Minding Our Own Business") for Commonwealth agencies in the Northern Territory handling personal information of Aboriginal and Torres Strait Islander people. The protocol is available from the Office website at www.privacy.gov.au.

Questions for consultation

3.8 Are there any cultural issues concerning consent that the guidelines should take into account? If so what are they?

3.9 How should the guidelines accommodate them?


CHAPTER 4 - COLLECTING PERSONAL INFORMATION

General background

Principles that apply to collection of personal information

When an organisation collects personal information it will need to consider a number of the NPPs.

An organisation will also have to consider NPP 2 (which deals with use and disclosure for secondary purposes) because what the organisation tells an individual at the time it collects information and whether it has the individual's consent or not may affect whether it can use or disclose the information for secondary purposes later on (see Chapter 5).

The organisation will also have to consider whether the information it is collecting is sensitive personal information and whether any of that sensitive information is health information (see Chapter 2) because this affects whether or not an organisation can collect the information without consent.

Role the collection principles play in protecting privacy

Collection is the gateway to protecting privacy

If an organisation takes the collection principles seriously and implements them well, it will be in a very good position to ensure it complies with the Privacy Act. The collection principles are also the key to ensuring that individuals are in control of their information. They ensure that individuals are informed about proposed uses and disclosures, and informed about their right to access their information and to correct it if it is wrong. In the case of sensitive information, they ensure that consent to collect includes consent to the proposed use and disclosure.

Limits to collection

NPP 1.1 requires an organisation to limit the information it collects to information it really needs for its functions and activities. NPP 1 aims to prevent organisations from collecting information just because it would be nice to have it, or because the organisation might need it sometime in the future. The Commissioner views this as a very important principle and expects organisations to take a narrow interpretation of the range of information that is "necessary". The Commissioner considers that any other interpretation will only add to community fears that private sector collection of personal information is out of control.

Requires collection to be lawful and fair

NPP 1.2 aims to protect unwary individuals by requiring organisations to use only fair and lawful ways to collect information. Organisations should at all times bear in mind that the obligations under the Privacy Act are in addition to obligations they may have under fair trading laws or the Trade Practices Act 1974 (Cth) (for example the misleading and deceptive conduct provisions).

Gives individuals control over their personal information

The NPPs do not aim to stop organisations from collecting personal information. Their main role is to require organisations to be disciplined in collecting information and to give individuals control over what happens to it. NPP 1.3 gives individuals control over their information by requiring an organisation to tell them:

These requirements help ensure that individuals will be able to make a fully informed decision about whether or not they want to give the information. NPP 1.3 also requires an organisation to tell individuals they have a right of access to their information and how to contact the organisation to get access.

Consent to collect

Getting consent to collect is the ideal way to collect personal information and the simplest way to ensure compliance with the NPPs. However, the NPPs do not require an organisation to get consent to collect information unless the information collected is sensitive information.

Collecting sensitive information usually needs consent

The NPPs recognise that individuals are concerned to have more control over some kinds of information. The Privacy Act has called this "sensitive information" (see Chapter 2 - Explanation of terms) and has added some stronger protections. NPP 10 requires organisations collecting sensitive information, with few exceptions, to get the individual's consent before they collect it. There are some exceptions that apply to all sensitive information including health information, and there are some additional ones that apply just to health information. Unless these circumstances apply, an organisation must get the individual's consent to collect sensitive information.

Best to collect information directly from the person - NPP 1.4

Individuals are best able to control what happens to their personal information if organisations collect it directly from them. So as a general rule, and if it is reasonable and practicable to do so, NPP 1.4 requires organisations to collect information about an individual only from that individual. As spelt out more fully in the next section, the Commissioner clearly expects organisations to collect personal information directly from the individual.

Collection from other sources - NPP 1.5

Where an organisation collects information about an individual from someone else, NPP 1.5 requires the organisation to take reasonable steps to make sure that the individual is aware of the information outlined in NPP 1.3. It aims to ensure that individuals have control over their information even where an organisation collects information indirectly. An organisation does not have to take reasonable steps to make an individual aware of this information if doing so would pose a serious threat to the life or health of any individual.

More information about collection

Meaning of collection

An organisation collects personal information if it gathers, acquires, or obtains information from any source, including third parties, by any means in circumstances where the individual is identified or is identifiable. It includes information that an organisation comes across by accident or has not asked for but nevertheless keeps. It also includes information the organisation receives directly from the individual as well as information about an individual an organisation receives from somebody else.

Examples of collection

Examples of collection include where an organisation:

Limits on collection - NPP 1.1

What NPP 1.1 says

NPP 1.1 says that an organisation must not collect personal information unless it is necessary for one or more of its functions or activities.

Meaning of necessary for one or more functions or activities

Practical interpretation

The Commissioner interprets "necessary" in a practical but narrow sense. If an organisation cannot, in practice, effectively pursue a function or activity without collecting personal information, then that personal information would be regarded as necessary for that function or activity. An organisation should not collect information on the off chance that it may become necessary for one of its functions or activities in the future. If an organisation receives information that is not necessary for one of its functions or activities, it should not keep that information.

Functions and activities

Functions and activities include:

Examples of when an organisation may breach NPP 1.1

An organisation may breach NPP 1.1 if it:

Hints to avoid collecting unnecessary information

If an individual gives an organisation a full copy of a document and the organisation only needs some of the information, the organisation should think about:

It should also consider whether collecting de-identified information will serve the purpose for which it is collecting information.

Necessary collection and related corporations

Sensitive information

Where information is sensitive it is especially important that an organisation consider whether there are other ways of achieving the purpose than collecting that information. For example, an organisation providing a service to a person with a disability might consider outlining the range of options it can make available and leaving the individual to choose an option on the basis of their own knowledge of their needs. This would save the organisation from having to collect a whole range of sensitive information in order to be able to decide what services it needs to provide.

If an organisation provides services to Aboriginal or Torres Strait Islander peoples, it may need to be aware of information that may be highly culturally sensitive, for example, the name of a person who has passed away. An organisation should avoid collecting such information unless it is absolutely essential and done in a way that meets any concerns that members of the particular community may have. See also "Minding our own business" published in 1998 by the Office.

Lawful, fair and unintrusive collection - NPP 1.2

What NPP 1.2 says

NPP 1.2 says that an organisation must collect information only by lawful and fair means and not in an unreasonably intrusive way.

Lawful means of collecting information

See Chapter 2 - Explanation of terms.

Illegal collection

When collection could be illegal

Collecting personal information could be illegal if an organisation:

Examples of illegal collection

If the law does not specifically allow it, the following collections might be against the law:

Fair means of collecting information

Meaning of fair collection

Fair collection means collecting without tricks, deception or too much pressure. An organisation is likely to breach NPP 1.2 if, because of its collection practice, it gets information that the individual would not otherwise give it. But there will be some circumstances - for example, investigations of possible fraud or other unlawful activity - where collecting information by surveillance or other ways would be fair. Organisations should also be aware of their obligations under the Trade Practices Act 1974 (Cth).

Examples of unfair collection

Examples of unfair collection may include:

Unfair collection and Spam

An organisation that collects personal information without telling an individual (for example, via a banner on a website or using software that trawls the net for email addresses) for the purpose of sending Spam will be engaging in unfair collection in breach of NPP 1.2 unless it gives individuals proper notice.

Unreasonably intrusive way of collecting personal information

Depending on the circumstances, examples of unreasonably intrusive ways of collecting information may include:

Reasonable steps to ensure an individual is aware of certain matters - NPP 1.3

What NPP 1.3 says

NPP 1.3 says that at or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects personal information about an individual from that individual, it should take reasonable steps to ensure the individual is aware of:

The guidelines refer to these as "NPP 1.3 information".

When to give NPP 1.3 information

An organisation should give NPP 1.3 information to an individual as early as possible each time it collects information. NPP 1.3 expresses a general expectation that organisations make an individual aware of these details no later than the time of collection. Mostly organisations communicate with an individual to collect the information so this is also the suitable time for it to give the individual these details.

Ways of making an individual aware of NPP 1.3 information

Where an individual has a visual or other relevant impairment the organisation will need to take the necessary steps to make the individual aware of NPP 1.3 matters. Organisations will need to be aware of other anti-discrimination legislation that applies in these circumstances.

Awareness when regular collection of same kind of information

If an organisation regularly collects the same kind of information from an individual it may not need to give NPP 1.3 details each time. For example, an energy company may not need to give NPP 1.3 details each time it checks the meter as long as the individual has agreed to this approach. An organisation would need to send out new notices if it changes the way it collects, uses or discloses personal information.

When it might be appropriate to put off giving NPP 1.3 information

Must be impracticable

An organisation could only put off giving NPP 1.3 information at or before the time of collection if there are practical problems in doing so that the organisation cannot overcome by any reasonable means. The Commissioner would not accept that making an individual aware of NPP 1.3 information at the time of collection was not practicable merely because it was inconvenient or commercially unprofitable.

Factors in deciding practicability

In deciding whether it is not practicable for the organisation to give NPP 1.3 details at or before the time of collection the Commissioner would look at all the circumstances in a common sense way. Factors the Commissioner would take into account include:

Examples of when impracticable

Examples of when it might not be practicable to give NPP 1.3 information at or before the time of collection include the following.

Deciding what are reasonable steps to make an individual aware of NPP 1.3 matters

The Commissioner's test

Informing individuals is the key to ensuring that they can exercise choice about whether to hand over their personal information. In deciding what are reasonable steps to ensure the individual is adequately informed the Commissioner would consider the circumstances in which the organisation collected the personal information taking into account:

No step reasonable where information obvious

Taking no steps might be reasonable where the NPP 1.3 information is obvious and the circumstances speak for themselves. An example of this might be where the identity of the organisation collecting the information is obvious from the circumstances.

Making an individual aware of the purposes of collection - NPP 1.3(c)

Purposes means primary and secondary purposes

An organisation must give information about the primary purpose for collection and any secondary purposes that would not be within the reasonable expectations of the individual.

Description of purpose must not mislead

An organisation may keep the description of a secondary purpose reasonably general as long as this is not misleading and does not lose the link to the primary purpose of collection. For example, loose wording that hides the fact that personal information may be used for marketing purposes or for passing on to other organisations is not acceptable. If the organisation is likely to use or disclose information in these ways it must explicitly say so and if necessary get the individual's consent.

The purposes outlined should be relevant to the particular circumstances in which the organisation is collecting the information. A one size fits all transactions approach will not be appropriate in many cases.

Making an individual aware of disclosures to other organisations - NPP 1.3(d)

The Commissioner's test

The test the Privacy Commissioner expects to use in each case is whether the individual concerned is properly informed.

Level of detail about usual disclosures

Listing each organisation is one approach

Where it is practicable and informative it would be reasonable for an organisation to list each organisation to which it usually discloses information of the kind being collected.

Listing types of organisations may be better in some cases

However if listing each organisation is not practicable or informative, listing the types of organisations might be a better way to inform the individual about the circumstances in which an organisation might disclose their information. Examples of descriptions of types of organisations would be "debt collectors", "State Government Licensing authorities", "health insurers" and "list renters".

Listing disclosure to contractors

If an organisation usually discloses information to a contractor to carry out a function or activity in relation to the information collected the NPP 1.3 information should include this. To ensure that the contractor meets its requirements under NPP 1.5, it would also be appropriate for the organisation disclosing the information to the contractor to include relevant NPP 1.3 information about the contractor.

Third party disclosures should be listed if known

If an organisation is passing information to another organisation and it knows that the other organisation usually discloses the information to someone else, it should say so.

Do not need to mention rare disclosures

An organisation does not need to mention disclosures that may happen, but in practice happen only rarely. For example, disclosures under a warrant or to intelligence agencies need not be mentioned; nor would disclosures made in an emergency of the kind set out in NPP 2.1(e).

Disclosures to related bodies corporate

If an organisation is a member of a group of related companies, the organisation must take reasonable steps to tell the individual that the organisation may give his or her personal information to companies that are related to that organisation.

Making an individual aware of a legal obligation to provide or collect information - NPP 1.3(e)

NPP 1.3(e) is intended to ensure that an organisation makes an individual aware of any legal obligation that requires an individual to provide, or an organisation to collect, personal information in a particular situation. If possible the organisation should name the exact piece of legislation that imposes that obligation.

Making an individual aware of the consequences of not giving information - NPP 1.3(f)

An organisation need not describe all possible consequences of not providing information. It should make it clear which items are essential to fulfil the purpose of collection and which are not. The organisation should also describe other significant non-obvious consequences.

Examples of descriptions of possible consequences might be:

"if you don't tell us this, we won't be able to process your application"; "if you don't tell us this, we won't be able to identify you if you want to use telephone transactions"; "we won't enter you in the competition if you don't give this information".

Obligation to collect directly from the individual - NPP 1.4

Organisations should generally collect directly from individuals

As a general rule, if it is reasonable and practicable to do so, an organisation must collect personal information about an individual directly from that individual. The Commissioner expects that organisations will follow the spirit of the law by placing a strong emphasis on finding ways of collecting information from individuals directly even where it is currently not the practice. Collecting directly from the individual is not impracticable merely because it is inconvenient or commercially unprofitable.

Deciding when it is reasonable and practicable to collect directly

Factors the Commissioner would take into account in deciding whether collection directly from the individual is reasonable include whether:

Awareness and indirect collection - NPP 1.5

Someone else can make the individual aware

NPP 1.5 gives an organisation a number of options to make an individual aware. An organisation does not necessarily have to notify the individual itself. It can organise for another party to give the notice, for example, an insurance agent or a financial advisor or a telecommunications reseller could do it instead. A list rental company could organise for the organisations from which it buys lists to notify the individual when they collect the information from the individual directly. Other options might be to advertise in local media or adopt other strategies that achieve the relevant level of awareness.

Deciding what are reasonable steps for NPP 1.5

Factors the Commissioner would take into account in deciding whether steps were reasonable include:

Where an organisation running a website collects information about an individual indirectly including from public sources it must make the individual aware of that collection and give the individual a right of access and correction and preferably deletion. However, if an individual makes a complaint in these circumstances and the information relates solely to an official, business or professional capacity, the Commissioner is likely to take into account matters listed in section 29 of the Privacy Act (including other social interests) to decide not to proceed. The Commissioner is less likely to use this discretion if the information is sensitive information such as criminal record information.

Threat to life or health exception

NPP 1.5 specifically says organisations do not have to make an individual aware of 1.3 matters where doing so would pose a serious threat to the life or health of any individual.

Additional requirements when collecting sensitive information - NPP 10.1

Organisation collecting sensitive information must generally get consent

If an organisation is collecting sensitive information NPP 10.1 requires it to comply with additional requirements as well as those in NPP 1.

The general rule for collecting sensitive information is that the organisation must not collect it unless the individual has consented (NPP 10.1(a)). This means that in most cases an organisation will have to collect sensitive information directly from the individual or get the individual's consent before collecting it from someone else.

Getting express consent from the individual to collect sensitive information about them would also allow the organisation to get the individual's consent for all legitimate uses or disclosures of that information. For information about getting an individual's consent see Chapter 3.

Sensitive information

For information on what is sensitive information see Chapter 2 of the guidelines.

When an organisation can collect sensitive information without consent

For sensitive information generally (including health information), there are four main circumstances in which an organisation does not need to get consent to collect it.

For further information about what is a serious or imminent threat to life and health see Chapter 2 of these guidelines.

An individual may be legally incapable of consenting to the collection of sensitive information about themselves for the purposes of NPP 10.1(c)(i) because of a mental or psychological state, or their age. An individual may be legally incapable of giving consent regardless of whether a court or competent tribunal has made a formal determination about their incapacity. In the case of a young person, the ability of the individual to give consent is to be determined on a case by case basis. For further information about legal incapacity to give consent see Chapter 3 of these guidelines.

Questions for consultation

4.1 What are some more examples of circumstances when 10.1 would apply?

4.2 Are there any other matters you think the Commissioner should be aware of about the interpretation or application of NPP 10.1?

Where an organisation can collect health information without consent

Collection necessary to provide a health service in some circumstances - NPP 10.2

NPP 10.2 says an organisation can collect personal health information without consent if it needs the information to provide a health service to the individual and the collection is:

For more information about the meaning of "required by law" and "rules of confidentiality issued by competent health or medical bodies which are binding on the organisation" see Chapter 13 in relation to NPP 10.3(d)(i) and 10.3(d)(ii).

Questions for consultation

4.3 What are some examples of where 10.2 applies?

4.4 What are some examples where an organisation that does not provide health services might need to use this provision?

4.5 What information might organisations need to have to apply this provision?

Collection for research, statistical and management purposes - NPP 10.3

All organisations undertaking research, or compiling or analysing statistics involving personal information must abide by the NPPs. Organisations collecting personal information for a primary purpose will be required by NPP 10.1 to get the individual's consent to collect the information.

However, NPP 10 provides some flexibility where an organisation collects health information:

In these circumstances, if it is impracticable to get consent and de-identified information will not serve the purpose, and certain procedures and guidelines are followed, NPP 10.3 allows an organisation to collect health information without consent.

For more information about how the NPPs apply to organisations seeking to collect use or disclose health information for these purposes see Chapter 13.

CHAPTER 5 - USING AND DISCLOSING PERSONAL INFORMATION

General background

Principles that apply to use and disclosure

An organisation using or disclosing personal information needs to consider NPPs 2 and 3. If it is sending information overseas, it will also need to consider NPP 9.

How NPP 2 works

No restrictions on use or disclosure for the primary purpose of collection

NPP 2 allows organisations to use and disclose personal information for the primary purpose of collection. The primary purpose is the main reason an individual gives an organisation information (but see below for more information on how to work out what this is).

Use and disclosure for other purposes not allowed except in limited circumstances

NPP 2 does not allow an organisation to use and disclose information for other (secondary) purposes except in the following limited circumstances.

Consent

An organisation can use or disclose information for a secondary purpose where the individual has consented (see NPP 2.1(b)).

Related and directly related purposes within reasonable expectations

An organisation can use or disclose personal information for a secondary purpose if it is related or (in the case of sensitive information) directly related to the primary purpose of collection and is within the individual's reasonable expectations (NPP 2.1(a)). The Commissioner suggests that a sensible approach to NPP 2.1(a) is to think of it as setting out the circumstances in which it is reasonable for an organisation to expect that if asked, a reasonable individual would have agreed to the use or disclosure.

Very limited circumstances where consent not required to direct market

NPP 2.1(c) allows for a very limited circumstance where an organisation can use (but not disclose) personal information for the secondary purpose of direct marketing without getting the individual's consent. This exception does not apply to sensitive information. Also, an organisation cannot use this exception if it is practicable to seek the individual's consent to receive direct marketing. Other requirements also apply. There is more information about direct marketing later in this Chapter.

Other health and public interest circumstances where consent to secondary use or disclosure not needed

NPP 2.1 and NPP 2.4 also allow an organisation to use or disclose information for a secondary purpose without consent in some circumstances relating to health and the public interest. There is more information about these later in this Chapter.

Meaning of use and disclosure

Use

Use of personal information refers to handling personal information within the organisation. Examples of uses of information are:

Disclosure

An organisation discloses personal information when it releases information outside the organisation.

Examples of disclosures are:

How the NPP 2 use and disclosure principles protect privacy

Individuals usually give their personal information to an organisation for a particular reason (the primary purpose). They expect it to be used for that reason. However if the information is used or disclosed for another reason (secondary purpose) without their consent they may not like or expect it. Individuals might not want their information used for other purposes or they may have wanted to give additional or less information for the other purpose. NPP 2.1 gives individuals control over their information by restricting the uses and disclosures an organisation can make of personal information to the primary purpose of collection and only allowing other secondary uses and disclosures in very limited circumstances.

Purpose to be considered from the individual's perspective

When considering questions of use and disclosure the NPPs are written from the perspective of the individual and not that of the using or disclosing organisation. Whether or not a purpose is primary or secondary and whether use is within "reasonable expectations" and similar questions must all be considered from the point of view of the individual involved.

Consent for use and disclosure for secondary purpose

An organisation does not need consent to use or disclose personal information for a secondary purpose if the use or disclosure is related (or, in the case of sensitive information, directly related) to the primary purpose and within reasonable expectations.

However, an organisation proposing to use or disclose personal information for an unrelated secondary purpose must get the individual's consent unless the very limited circumstances outlined in NPP 2.1(c)-(j) apply. In the case of use for direct marketing for unrelated purposes (2.1(c)), it must be impracticable to get the individual's consent. The other circumstances outlined in NPP 2.1(d)-(j) where consent is not needed are included to provide for various aspects of the public interest.

The NPPs do not compel disclosure

NPP 2 never compels an organisation to disclose personal information, although other laws might. Although NPP 2 might allow an organisation to disclose personal information for a secondary purpose, the organisation can choose not to unless some other law requires it to. An organisation must comply with any law that says either that they must or must not disclose certain information.

Other laws and duties of confidentiality may apply

NPP 2 does not override ethical or professional standards that impose obligations on an organisation not to use or disclose personal information it holds. Even if NPP 2.1 would allow a use or disclosure an organisation will need to consider whether a professional code of ethics or an industry standard (such as those applying to general practitioners or financial services providers) applies to the situation.

Some professional codes of ethics will only allow disclosure if it is required by law. Common law duties of confidence (such as the duty owed by doctors to their patients or lawyers or banks to their clients) will also limit an organisation's ability to disclose personal information. If in doubt, professionals should check with their professional body.

If an organisation is able to disclose information under the NPPs but not under its code of ethics, the common law or for another reason, it should refer to those reasons, not the Privacy Act, when refusing to disclose personal information.

Only use or disclose the part of the personal information that is needed

An organisation should use or disclose only the personal information necessary for the secondary purpose permitted under NPP 2. It might not be necessary to use or disclose all the information it holds.

Consider de-identification as an option

An organisation should also consider if de-identified information would satisfy the proposed purpose and use de-identified information where practicable. This is consistent with NPPs 1.1 and 8 which limit organisations to collecting personal information only when necessary and require organisations to allow individuals to interact anonymously where practicable.

Use and disclosure for primary purpose

What is a primary purpose of collection?

The primary purpose is the dominant or fundamental reason for information being collected in a particular transaction.

The primary purpose is determined mainly by looking at it from the point of view of the individual whose information it is. Although it is a little more difficult, an organisation should take this perspective even if it collects information from someone other than the individual.

If the Commissioner receives a complaint about the way an organisation has used or disclosed personal information the Commissioner will determine the question of the primary purpose of collection by asking questions that include the following.

Why primary purpose is important

Working out the primary purpose of collecting information is important because it determines what the organisation can use or disclose the information for. If a use or disclosure is for the primary purpose of collection an organisation may use or disclose that information without needing the individual's consent.

For example, an organisation can contract out a function or activity in relation to personal information it holds without getting the individual's consent as long as the function or activity is for the primary purpose of collection. On the other hand, if a proposed use or disclosure is for a secondary purpose, for example, direct marketing, then NPP 2 prohibits the organisation from making use of or disclosing the personal information for that purpose unless it falls within one of the exceptions outlined in NPP 2.1 or 2.4.

Although an organisation does not need consent to a use or disclosure for the primary purpose, the organisation must take reasonable steps to ensure that the individual is aware of the primary purpose under NPP 1.3 or NPP 1.5. In the case of sensitive information, where the individual must, in general, consent to collection, the organisation will need to ensure that awareness of the purpose is adequate to ensure that the individual's consent to collection is fully informed.

Only one primary purpose per transaction

There can only be one primary purpose of collection for a particular transaction. When an individual gives (and an organisation collects) personal information, the individual and the organisation almost always do so for a particular purpose, for example, to buy or sell a particular product or to receive a service. This is the primary purpose of collection even if the organisation has some additional purposes in mind. These additional purposes will always be secondary purposes for that transaction, even if the organisation tells the individual about them, and even if the organisation gets the individual's consent to use or disclose the information for those additional purposes.

Primary purpose when entering into more than one transaction at once

An individual may enter into more than one transaction with an organisation on a particular occasion. For example, the individual may go into a bank and open a savings account and a credit card account. These are two separate transactions and each will have its own primary purpose for collection. In entering into these transactions the bank may use the same form to collect information that is common to each transaction (for example, name and contact details) and some that is not common. However because there are two separate transactions involved, the bank will need to make clear (to comply with NPP 1.3) which of the non-common personal information relates to which transaction and which primary purpose.

Primary purpose must be reasonably specific

An organisation should identify the primary purpose for collection in a reasonably specific and limited way. The Commissioner considers that this is the intention in the NPPs because they do not limit an organisation's use or disclosure of information for the primary purpose of collection. Also, since the NPPs indicate that a directly related purpose is a secondary purpose (see NPP 2.1(a)), the primary purpose must be narrower than a directly related purpose.

The organisation should ask itself such questions as what particular service is the individual seeking and what particular services does the organisation provide to the individual? If the organisation provides more than one product or service to the individual, it cannot necessarily identify the primary purpose as being to provide all those products or services.

For example where a person provides information as a condition of buying home contents insurance from a company and also provides information when buying income insurance from the same company there are two distinct transactions and two distinct primary purposes - to provide home contents insurance and to provide income insurance. The primary purpose should not be combined and generalised in the NPP 1.3 notice into "providing insurance products".

Use and disclosure for secondary purposes

What is a secondary purpose for collection?

All purposes other than the primary purpose of collection are secondary purposes. For example, related and directly related purposes are secondary purposes.

An organisation that collects information for a primary purpose cannot use or disclose it for a secondary purpose unless the circumstances outlined in NPP 2 apply. This section discusses these further.

Consent for use or disclosure for secondary purposes - NPP 2.1(b)

NPP 2.1(b) allows an organisation to use or disclose information for a secondary purpose if it has the individual's consent to do so. In many cases getting the individual's consent for a proposed secondary use or disclosure can be simpler than relying on some of the other exceptions outlined in NPP 2. To work out how an organisation should get consent for the purposes of NPP 1.2(b) see Chapter 3.

Related or directly related and within reasonable expectation - NPP 2.1(a)

What NPP 2.1(a) says

NPP 2.1(a) allows an organisation to use or disclose information for a secondary purpose if:

In applying NPP 2.1(a) the Commissioner suggests that it may help an organisation if it considers whether a reasonable individual in the circumstances, if asked, would have agreed to the proposed use or disclosure. In the case of sensitive information, an organisation should expect that, in general, individuals are less likely to agree to secondary uses or disclosures of health information.

What an individual would reasonably expect

Organisations should note that for an organisation to rely on 2.1(a) to use or disclose information the purpose must be within reasonable expectations.

Expectation is more than awareness. Telling an individual in NPP 1.3 information or by some other method about the proposed secondary use or disclosure is not necessarily enough to create a reasonable expectation although it may help.

To determine that a proposed use or disclosure is what the individual would reasonably expect the organisation would need to conclude that the ordinary person in the street who has no special knowledge of the organisation or the industry would expect the information to be used or disclosed for the other purpose. The organisation does not necessarily have to conclude that the particular individual actually expects the information to be used or disclosed for the other purpose.

People's expectations about how an organisation may use information (within the organisation) could differ from their expectations about why information may be disclosed (that is released outside the organisation). Generally speaking, individuals are probably less likely to expect related disclosures than related uses.

Examples relating to reasonable expectations

Considerations in deciding reasonable expectations

In deciding what an individual would reasonably expect, an organisation could consider the following.

If the Commissioner receives a complaint about the secondary use or disclosure of information and an organisation argues that the use or disclosure was within the reasonable expectations of the individual the Commissioner will ask the organisation to demonstrate how it reached that conclusion. The Commissioner would consider the outcome of consultations the organisation has had with its client groups (including minority groups) as strong evidence about what is or is not a reasonable expectation.

Directly related purpose and sensitive information

When a directly related purpose is relevant

An organisation must consider whether a purpose is a directly related purpose if it holds sensitive personal information and proposes to use or disclose it for a secondary purpose. (For information about sensitive information see Chapter 2 of the guidelines.)

What is a directly related purpose?

A directly related purpose is one that has a strong connection with the primary purpose of collection. It is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. Uses or disclosures for a directly related purpose may include uses or disclosures:

Related purpose and NPP 2.1(a)

A related purpose includes all the purposes that are directly related purposes as well as some additional ones. Related purposes must have some connection to, and arise in the context of, the primary purpose. Uses or disclosures for a related purpose would include uses or disclosures for:

They would not include the use of information collected about the individual's visits to other web sites.

How NPP 2 works for direct marketing

What is direct marketing?

The Privacy Act does not define direct marketing. However, the Commissioner considers that direct marketing includes the following circumstances where an organisation contacts an individual directly:

Use for primary and related purposes

An organisation can carry out direct marketing activities using NPP 2 in a number of ways. In some cases direct marketing may be the primary purpose for collection. In other cases direct marketing activities could be related, or directly related and within an individual's reasonable expectations. In other cases, the organisation may have the individual's consent to receive direct marketing material. The question of what is direct marketing only becomes relevant if an organisation has to rely on NPP 2.1(c) to carry out direct marketing activities.

An organisation should be aware that although NPP 2 might allow an organisation to use information for direct marketing without the individual's consent when it has collected the information for the primary purpose of direct marketing, it might be in breach of NPP 1 if it has not taken reasonable steps to make the individual aware that the organisation has collected the information for this purpose (see Chapter 3 on NPP 1.5). It might also be in breach of NPP 1 if it has collected information from someone other than the individual when it would have been reasonable and practicable to collect the information directly from the individual (see Chapter 3 on NPP 1.4).

Direct marketing for secondary unrelated purpose without consent - NPP 2.1(c)

Summary of what NPP 2.1(c) says

This exception to the general rule (that information can only be used or disclosed for the primary purpose for which it is collected) permits personal information that is not "sensitive" to be used in certain circumstances for direct marketing. Personal information can only be used for a secondary purpose of direct marketing:

NPP 2.1(c) does not apply to disclosure for direct marketing

This exception only allows an organisation to use information for direct marketing in certain circumstances. It does not allow organisations to disclose personal information for direct marketing. For example, an organisation can use information it has collected for its own direct marketing, but NPP 2.1(c) does not apply to allow an organisation to sell a list of individuals to a list rental company.

Example:

Bloggs Pty Ltd has a list of customers who have bought lawnmowers from them. Cutter Pty Ltd sells edge cutters and wants to buy Bloggs Pty Ltd's customer list to promote its products. While Bloggs Pty Ltd might be able to use its own list for direct marketing (if it met all the other requirements of this exception) NPP 2.1(c) does not allow Bloggs Pty Ltd to disclose the list to Cutter Pty Ltd.

Must be impracticable to seek the individual's consent

Impracticable in only limited circumstances

Organisations can only rely on this exception if seeking the individual's consent is impracticable. The Commissioner views this as a limitation on the circumstances when organisations can use 2.1(c) especially where they are using automated direct marketing processes such as e-mail, or other online options such as mobile network, SMS messaging, or interactive digital television.

Factors the Commissioner will use to decide if impracticable

Factors the Commissioner would take into account in deciding when it is impracticable to get consent for the purposes of NPP 2.1(c) include:

Not impracticable if the organisation could have got consent at the time of collection

The Commissioner takes the view that if an organisation has in mind, at the time it collects information, to use the information for a secondary purpose of direct marketing then it should tell the individual at the time of collection and get their consent. If the Commissioner receives a complaint about inappropriate use of information for direct marketing and the Commissioner concludes that the organisation could have gained the individual's consent at the time of collection, it will not allow an organisation to succeed in an argument that it was impracticable to get consent. The Commissioner expects that an organisation will keep a record of who has and has not consented to receive direct marketing information.

Never impracticable to get consent for Spam and other online direct marketing

The Commissioner takes the view that it will never be impracticable to seek the individual's consent where an organisation engages in direct marketing online, so organisations using techniques such as Spam cannot rely on NPP 2.1(c) to direct market. This means the organisation will need to seek the individual's consent and, in most cases, the Commissioner will require that consent to be explicit consent.

Direct marketers who want to collect personal information for the primary purpose of direct marketing by Spam will need to abide very carefully by their notice obligations under NPP 1 and their obligations under the other NPPs.

Only one use without consent before opt-out must be given

Organisations generally

It is most important for organisations to remember that if an organisation is relying on NPP 2.1(c) to direct market it only allows an organisation one unrelated use of personal information for direct marketing without consent and in that communication it must give the person the chance to opt-out. It must also offer the individual who does not opt out the chance to opt out every other time it communicates with that individual for that direct marketing purpose.

Related corporations

If a group of related corporations use section 13B to transfer information between them, then as spelt out in the Privacy Act the original purpose of collection does not change with the transfer (see NPP 2.3). In effect, section 13B allows related corporations to deal with information as if they are simply one bigger organisation. However, when organisations take this approach, it applies to all circumstances. In particular, the direct marketing exemption also applies as if the related organisations were one big organisation. In other words if the related organisations are using section 13B to exchange information between them, the related corporations are only allowed one unrelated use for direct marketing under 2.1(c) without prior consent. If the individual has exercised the opt-out right it must be respected by all the related organisations.

Cannot use sensitive information for direct marketing under NPP 2.1(c)

This exception does not allow an organisation to use sensitive information for direct marketing in the circumstances outlined in 2.1(c). Sensitive information is defined in the Privacy Act and includes health information (see Chapter 2 for the definition).

Example:

A private hospital wants to write to former patients seeking donations for new equipment for the hospital. The hospital cannot use names and addresses of former patients without the patients' consent as information about using a hospital is health information which is one of the categories of "sensitive information" in the Privacy Act. Sensitive information cannot be used for direct marketing purposes without consent. If a hospital wants to seek donations from former patients it must seek the person's consent to this, for example when the patient is admitted to or leaving the hospital. NPP 2.1(a) is not available because while such an approach might be within the reasonable expectation of some former patients, it is not a directly related purpose.

Not charging individuals for deleting them from a direct marketing list - NPP 2.1(ii)

An organisation cannot charge individuals a fee for giving effect to their request not to receive direct marketing. However an organisation can offer incentives for people to receive direct marketing communications, for example, bonus loyalty scheme points or a chance to win a prize. They can also charge different prices, for example, offer a discount on a product for agreeing to receive direct marketing material.

Requests not to receive direct marketing communications - NPP 2.1(c)(iii)

What is a request?

If individuals tick a box on a form indicating they do not want to receive further direct marketing or contact the organisation (by phone, fax, e-mail, letter, in person) saying they do not want to receive direct marketing communications then this is clearly a request organisations must act on. Organisations will need to have an effective system in place to record these requests and take account of them in direct marketing activities.

Hanging up on a marketer

If contact is by phone and the person hangs up, the specific circumstances should be assessed, but this should usually be taken as a request not to receive further direct marketing communications.

Organisations in regular communication with an individual who has said no

It is not acceptable to write to individuals who have said they do not want to receive direct marketing communications to ask if they want to change their mind and receive direct marketing. However when an organisation sends out statements or invoices or genuine business communications it would be acceptable for the statement to include a notice saying "our records show you have asked not to receive direct marketing communications. Please contact us if you wish to change your mind."

Comply with requests not to receive direct marketing

Organisations wishing to use NPP 2.1(c) must comply with requests from individuals not to receive direct marketing.

Telling individuals that they may ask not to receive any more direct marketing NPP 2.1(c)(iv)

An organisation relying on NPP 2.1(c) to direct market must, each time it communicates with the individual, draw to the individual's attention, or prominently display a notice, that individuals may ask not to receive further direct marketing communication. This must happen with each contact. The Commissioner takes the view that such a notice should be in at least the same size writing as the rest of the letter, facsimile or e-mail, and placed so that individuals will easily see the notice. If contact is by phone or in person, the caller will need to tell the individual that they can choose to receive no further direct marketing from the organisation and how they can do this.

Organisations could consider designing systems so that the individual can tell the caller if they do not want to receive any more direct marketing and this is recorded without the individual having to make separate contact with the organisation.

Giving contact details in the direct marketing material

When communicating electronically the organisation must include the business address and telephone number as well as an electronic address. A business address should include a street address as well as any postal address. The purpose of this requirement is to ensure that individuals can easily contact the organisation and tell them they do not want to receive direct marketing communications. Organisations must also include their phone number in all written direct marketing communications. If the direct marketing communication is electronic (e-mail, fax) the corresponding contact (eg e-mail if e-mail contact; fax number if the direct marketing communication was by fax) must also be included.


Use and disclosure of information for the secondary unrelated purpose of health - research and statistics - NPP 2.1(d)

All organisations undertaking research, or compiling or analysing statistics involving personal information must abide by the NPPs. Organisations collecting personal information for a primary purpose and then wanting to use it or disclose it for the secondary purpose of research or analysis of statistics would in most cases be required by NPP 2.1 to get the consent of the individuals involved.

However, NPP 2.1(d) provides some flexibility where a use or disclosure is for the secondary purpose of research involving personal health information or for the secondary purpose of compiling or analysing statistics involving health information, where that research or compilation or analysis of statistics is relevant to public health and safety. When de-identified information is not suitable for the research or statistical compilation or analysis and it is impracticable to seek the consent of the individual, then so long as certain procedures and guidelines are followed, NPP 2.1(d) allows an organisation to use or disclose identifiable health information for these purposes without consent.

For more information about how the NPPs apply to organisations seeking to use or disclose health information for the secondary purpose of research or the compilation or analysis of statistics see Chapter 13.


Use and disclosure to lessen threats to health and safety - NPP 2.1(e)

NPP 2.1(e) allows an organisation to use or disclose personal information without the individual's consent where the organisation believes it is necessary to prevent or lessen:

This exception is aimed at emergency situations where there are serious threats to health and safety and using or disclosing personal information will help reduce that threat. The Commissioner expects that organisations would need to use this exception infrequently.

This kind of exception appears in the NPPs in a number of places. For information about the meaning of this exception see Chapter 2.


Use and disclosure for secondary purposes between related corporations - NPP 2.3

NPP 2.3 controls the use of personal information within a conglomerate. NPP 2.3 applies where an organisation has collected information from another organisation to which it is related.

Related bodies corporate are permitted to collect and disclose personal information (unless the information is "sensitive information") from and to each other without breaching the Privacy Act (see section 13B and "related corporations" above). NPP 2.3 says that when information is transferred between related bodies corporate, the primary purpose of collection remains the same as it was when it was collected by the body corporate in that group which originally collected the information. This means that the primary purpose of collection does not change when the information is passed between related bodies corporate, and that each member of that group can only use or disclose the information for the original primary purpose of collection unless the use or disclosure falls within one of the circumstances outlined in NPP 2.


Use and disclosure to investigate or report unlawful activity - NPP 2.1(f)

What NPP 2.1(f) says

NPP 2.1(f) allows an organisation to use or disclose personal information for investigating or reporting suspected unlawful activity. This exception to the general rule against secondary use and disclosure without consent recognises that organisations have a legitimate function in the investigation and reporting of unlawful activity relating to their operations. This exception applies in circumstances other than when a use or disclosure is required by law under NPP 2.1(f).

How NPP 2.1(f) works

When an organisation reasonably suspects an individual of committing a crime, NPP 2.1(f) permits the organisation to disclose information about that person to an investigating agency. Relying on this exception involves a two-part test. Firstly, an organisation must have reason to suspect that unlawful activity has been, is being or may be engaged in. Secondly, the use or disclosure must be a necessary part of either:

Unlawful activity?

Unlawful activity refers to acts or omissions that are expressly prohibited by Commonwealth, State and Territory law. It includes conduct that is in breach of statutory or common law for which civil or criminal penalties are imposed.

The types of unlawful activity that an organisation investigates or reports should be related to the activities or functions of that organisation. It is more likely that an organisation would be in a position to be aware of activity that is in breach of statutory requirements.

Grounds for suspecting unlawful activity

NPP 2.1(f) provides that the organisation must have "reason to suspect that unlawful activity has been or is being or may be engaged in" before using or disclosing personal information. For an organisation to rely on NPP 2.1(f) to use or disclose personal information, there must be an objective, factual basis for suspecting unlawful activity. A reasonable suspicion of unlawful activity is less certain than a reasonable belief.

An organisation should ensure that there are reasonable grounds for its suspecting unlawful activity before it uses or discloses personal information in investigating or reporting a matter. What is reasonable depends on the circumstances, particularly whether the suspected unlawful activity is directly related to the operations of the organisation, the seriousness of the offence, the impact on an individual's privacy and the potential consequences of reporting or investigating, particularly if the suspicion is not substantiated.

When use or disclosure is a necessary part of investigating or reporting

Necessary part of investigation

NPP 2.1(f) provides that the use or disclosure must be a necessary part of investigating or reporting suspected unlawful activity. There are several issues the Commissioner would consider in determining whether it is necessary to use or disclose personal information in an investigation or report including whether:

Relevant persons

In reporting suspected unlawful activity to "relevant persons" the Commissioner could consider a relevant person to be officers of the Police force, or people whose legal, financial or other interests are affected by the suspected unlawful activity, such as employers, parents or guardians of young people.

Relevant authorities

In reporting suspected unlawful activity, the authorities the Commissioner could consider relevant are law enforcement bodies (see Chapter 2 for the list), government regulatory authorities at Commonwealth, State and Territory levels such as ASIC, Departments of Fair Trading and licensing boards, and self-regulatory authorities such as the Telecommunications Industry Ombudsman and the Banking Industry Ombudsman.

Organisational guidelines

If an organisation regularly investigates or reports unlawful activity, it should set up guidelines for staff to help them:

The guidelines should also include authorisation and accountability measures. These guidelines would be tailored to the particular circumstances in which the organisation is operating and ensure that there is consistency and accountability in the use and disclosure for investigating or reporting suspected unlawful activity.


National Privacy Principle 2.1(g) - authorised or required by law

Background

NPP 2.1(g) exempts an organisation from the general rule that use or disclosure must be for the primary purpose of collection in circumstances where a law requires or authorises the use or disclosure of personal information for a secondary purpose. The NPPs are not intended to interfere with any legal obligations to use or disclose personal information for a purpose unrelated to the primary purpose of collection. Due to the operation of NPP 2.1(g), an organisation cannot refuse to comply with a legal requirement to provide information, records or documents to a government agency or public authority on the basis that it may contain personal information. For the purpose of the NPPs, law means Commonwealth, State and Territory legislation, as well as the common law.

Authorised by law

Authorised by law refers to circumstances where the law permits but does not require use or disclosure that is unrelated to the primary purpose of collection. The word "authorised" suggests that an organisation has some discretion as to whether or not to use or disclose information.

Required by law

Under NPP 2.1(g) "required by law" refers to circumstances where an organisation must use or disclose personal information. In certain instances, a failure to comply with such a legal requirement may be an offence.

Express and implicit requirements

An express or explicit requirement or authority refers to laws that specifically require or authorise use or disclosure of information about a particular individual. Examples of legal obligations in which an organisation is required or authorised by law to use or disclose information about an individual include reporting:

A use or disclosure may fall within NPP 2.1(g) if the law requires or authorises a function or activity that clearly and directly involves the use or disclosure. Laws that require the disclosure of personal information may be framed in terms of general information gathering powers in relation to the organisation itself or the individual and corporate clients of the organisation. An implicit or indirect requirement to use or disclose personal information arises where an organisation must comply with a request from a regulatory authority that is conferred with general information gathering powers. In these circumstances, the collection of personal information is necessary to the purpose underlying that power, although the legal requirement does not specify personal information.

It may be permissible for an organisation under NPP 2.1, to disclose information to an authority where that authority has powers to require the:

An organisation is responsible for taking steps to ensure that a use or disclosure is required or authorised by law. This may involve asking a requesting authority to specify the statutory provision that requires or authorises the use or disclosure or in some situations may require an organisation to seek independent legal advice.

Notice of disclosure

An organisation should give individuals notice of uses and disclosures that are regularly made pursuant to a legal requirement or authority. NPP 1.3(e) provides that an organisation must inform an individual of any laws that require particular information to be collected. The notice should specify the particular law under which a use or disclosure is made as well as the regulatory authority to whom disclosures are usually made.

Practices to ensure compliance

If an organisation is regularly requested to disclose personal information under a legal requirement or authority, it should develop guidelines to deal with these requests in a consistent and accountable manner.

Matters that these guidelines should cover include:

An organisation could minimise the risk of breaching NPP 2.1 by putting in place procedures to monitor disclosure practices according to NPP 2.1(g). A senior officer within an organisation could be given responsibility for ensuring that disclosure practices follow organisational guidelines.


Use and disclosure for law enforcement purposes - NPP 2.1(h)

What NPP 2.1(h) says

Allows disclosure necessary for law enforcement functions

The Privacy Act seeks to balance the right to privacy with other public interests such as the government law enforcement objective. NPP 2.1(h) allows an organisation to use or disclose personal information without the individual's consent where the organisation reasonably believes that the use or disclosure is reasonably necessary to enable an enforcement body to perform its functions.

Note 1 to NPP 2.1(h) makes it clear that the operation of the Privacy Act is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions.

Does not require disclosure

However, note 2 to NPP 2.1(h) says that NPP 2.1 does not override any existing legal obligations on an organisation not to disclose personal information. It also says that nothing in NPP 2.1 requires an organisation to disclose personal information and that an organisation is always entitled not to disclose personal information if there is no legal obligation to disclose it.

Law enforcement functions

The law enforcement exception is broader in scope than the traditional policing of the criminal law. NPP 2.1 allows an organisation to use personal information, or disclose it to an enforcement body, where this is reasonably necessary for the purpose of law enforcement carried out by or on behalf of that enforcement body. The permissible law enforcement functions are listed in NPP 2.1(h) as:

  1. the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
  2. the enforcement of laws relating to the confiscation of the proceeds of crime;
  3. the protection of the public revenue;
  4. the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
  5. the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

These guidelines discuss each of these law enforcement functions in greater detail. Generally, the use or disclosure may involve an organisation using or disclosing personal information about a particular person, reasonably believing that it will safeguard

Law enforcement bodies

The enforcement bodies referred to in NPP 2.1(h) are specified in section 6(1) of the Privacy Act. See Chapter 2 for what they are.

Use and disclosure for specific investigations and intelligence gathering

NPP 2.1(h) permits an organisation to use or disclose personal information about an individual or a group of individuals for the investigation of a specific crime or offence. It also allows, but does not compel, an organisation to use or disclose information about people as part of general intelligence gathering, even though none of the individuals have been directly linked to a specific crime or offence.

In the Commissioner's view, NPP 2.1(h) does not permit an organisation to use or disclose information for data matching to identify people of interest. This may involve the disclosure of personal information about a large group of people for further action or investigation. Data matching of this nature poses particular risks to the privacy of people's personal information because it usually involves disclosing personal information about large numbers of people, most of whom are of no interest to the agency conducting the matching.

Reasonable belief that reasonably necessary for law enforcement function

In order to rely upon NPP 2.1(h) an organisation must reasonably believe that it is reasonably necessary to use or disclose personal information for a law enforcement body to carry out its functions. The expression "reasonably believe" means a belief that might reasonably arise in the circumstances based on the facts of the situation, rather than on what the person or organisation actually believes.

There are several factors that an organisation should generally consider in deciding whether a use or disclosure is reasonably necessary in the circumstances, including:

What is reasonably necessary for enforcement of criminal law and laws imposing a penalty or sanction - NPP 2.1(h)(i)

Enforcement of criminal law

NPP 2.1(h)(i) provides that information can be used or disclosed for the enforcement of criminal law. Law enforcement in this sub-principle refers to the prevention, detection, investigation, prosecution or punishment of criminal offences under Commonwealth, State and Territory law. It may involve gathering intelligence about crime to support the other activities of enforcement bodies related to investigating and prosecuting specific crimes.

A criminal offence is an act or practice that is prohibited by criminal law and punishable by fine or imprisonment. The Mutual Assistance in Criminal Matters Act 1987 enables the Commonwealth to provide international assistance in criminal matters upon the request of a foreign country. In these circumstances, NPP 2.1(h)(i) may permit use or disclosure for the investigation or prosecution of criminal offences under non-Australian law.

NPP 2.1(h)(i) permits an organisation to disclose personal information to an enforcement body that has statutory responsibility for investigating or prosecuting criminal offences. It also allows an organisation to make disclosures to a person or agency that is assisting in the investigation or prosecution.

Law imposing a penalty or a sanction

NPP 2.1(h)(i) extends to the enforcement of a law imposing a penalty or a sanction. An organisation may use or disclose personal information where reasonably necessary for the enforcement of a law imposing a penalty or a sanction.

Penalty and sanction and prescribed law

The term "penalty" refers to a punishment imposed for a breach of the law. Penalties are generally pecuniary in nature, such as fines or monetary payments. Pecuniary penalties may be imposed as a civil liability rather than a criminal law remedy. The conduct or circumstances in which a penalty should be incurred may be set out in the relevant legislation. Pecuniary penalties are recoverable by the enforcement body as civil debts and are distinguishable from fines under the criminal law. The law can be a Commonwealth, State or Territory law and includes regulations, directions and other delegated legislation.

"Sanction" generally refers to a punishment imposed by either criminal law or civil law. A sanction is often provided as a means of enforcing obedience to the law and may be provided at common law for breach of a common law right, or in a statute for breach of its provisions.

A "law imposing a penalty or sanction" includes a law allowing the Government to refuse a benefit or impose other non-criminal consequences for failure to comply with a legal obligation such as a refusal to grant a visa or licence, revocation of a visa or licence, or imposing civil penalties.

A prescribed law is a law specified in regulations made under the Privacy Act.

Laws relating to the confiscation of the proceeds of crime

NPP 2.1(h)(ii) refers to Commonwealth, State and Territory laws relating to the confiscation of the proceeds of crime. Examples of legislation of this kind are the Proceeds of Crimes Act 1987 (Cth), the Confiscation of Proceeds of Crime Act 1989 (NSW) and the Proceeds of Crimes Act 1991 (ACT). The object of these statutes is to deprive persons of the proceeds of and benefits derived from criminal activity and to provide for the forfeiture of property used in or in connection with the commission of criminal offences. The legislation enables enforcement bodies to trace the proceeds, benefits and property of such offences. It provides for the enforcement of forfeiture orders, pecuniary penalty orders and restraining orders made in respect of offences against the laws of other jurisdictions.

The Commonwealth Proceeds of Crimes Act 1987 facilitates the enforcement in Australia of pecuniary penalty orders and restraining orders made in respect of foreign serious offences pursuant to the Mutual Assistance in Criminal Matters Act 1987. The Proceeds of Crimes Act enables the Commonwealth to assist foreign countries to trace the proceeds of, benefits derived from and property used in or in connection with the commission of foreign serious offences.

The protection of public revenue

NPP 2.1(h)(iii) permits use or disclosure of information where an organisation reasonably believes that it is necessary for the protection of public revenue. Public revenue refers to taxes, levies and charges collected by Commonwealth, State, Territory and local Governments.

Protecting public revenue refers to those activities directed to ensuring that organisations or persons comply with their legal obligations under taxation and other forms of public revenue law.

Enforcement bodies are those authorities responsible for administering a law relating to the protection of public revenue, such as the Australian Taxation Office and the Offices of State Revenue.

Seriously improper conduct

NPP 2.1(h)(iv) provides that the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct can be grounds for secondary use or disclosure of personal information.

Seriously improper conduct refers to behaviour that is a breach of standards of conduct associated with a person's duties, powers, authority and responsibilities. For example, law enforcement officers are subject to specific codes of conduct and to monitoring by independent authorities in relation to the discharge of their powers and responsibilities. This may include professional misconduct or unprofessional conduct based upon a breach of ethical standards that arise from a fiduciary relationship with clients or patients. Professions such as medical practitioners, solicitors, architects and accountants may have their own codes of conduct and disciplinary tribunals.

Organisations may be called upon to provide personal information in relation to individuals who are the subject of disciplinary proceedings for serious misconduct by a statutory authority, professional body or registration board.

Proceedings in a court or tribunal

The effect of NPP 2.1(h)(v) is to permit an organisation to use or disclose personal information where this is reasonably necessary for the preparation for, or conduct of, proceedings before any court or tribunal.

It also enables an organisation to use or disclose information where this is reasonably necessary for the implementation of the orders of a court or tribunal. For example, an organisation may be served with a notice to produce documents that has been issued by a court. The organisation will not be able to refuse to comply with that notice on the basis of the general exception against disclosure for purposes other than the primary purpose of collection.


Written note of use or disclosure - NPP 2.2

NPP 2.2 requires an organisation that uses or discloses personal information to enable an enforcement body to carry out one of its functions mentioned in paragraphs (i) to (v) of NPP 2.1(h) to note that use or disclosure on the record containing that information. In other words, each time it uses or discloses personal information for any of the purposes in NPP 2.1(h)(i)-(v), the organisation must make a note in the record containing the information.


Disclosure of health information to responsible persons - NPP 2.4

What NPP 2.4 says

NPP 2.4 is intended to allow an organisation to disclose an individual's health information in a number of circumstances where disclosure would not be permitted under NPP 2.1(e). NPP 2.1(e) allows an organisation to use or disclose information where it is necessary to lessen or prevent a serious or imminent threat to an individual's life, health or safety, or a serious threat to public health or safety.

Role of NPP 2.4

The principle aims to ensure that close relatives or others with a close relationship to an individual, i.e. "responsible persons", can get the information they need to provide appropriate care or treatment in circumstances where the individual cannot give consent to allow that to happen. It also allows disclosure in such circumstances for compassionate reasons.

When NPP 2.4 applies

NPP 2.4 only applies to an organisation that provides a health service and such an organisation can only use it where the individual is unable to give or communicate consent for such a disclosure. It cannot be used if the individual has said he or she did not want such disclosure at a time before he or she became unable to give or communicate consent and the relevant person at the health service is aware of that wish.

NPP 2.4 does not affect who can make decisions about care

NPP 2.4 is not intended to interfere with any existing law governing who may make decisions about the health care or medical treatment of a legally incompetent or incapacitated individual. The fact that an organisation that provides a health service has disclosed health information under 2.4 to a person who is responsible for an individual does not entitle that person to make decisions about the health care or medical treatment of the individual.

Meaning of responsible person - NPP 2.5 and 2.6

A responsible person can be:

  1. a parent of the individual (includes a step-parent, adoptive parent and foster-parent of the individual); or
  2. a child or sibling of the individual who is at least 18 years old (child includes an adopted child, a step-child and a foster-child of the individual; sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister of the individual); or
  3. a spouse or de facto partner of the individual; or
  4. a relative of the individual who is at least 18 years old and a member of the individual's household (relative means a grandparent, grandchild, uncle, aunt, nephew or niece of the individual); or
  5. a guardian of the individual; or
  6. a person exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or
  7. a person who has an intimate personal relationship with the individual (for example a girlfriend, boyfriend or a partner in a same-sex relationship); or
  8. a person nominated by the individual to be contacted in case of emergency.

See also "Consent on behalf of another person" in Chapter 3 - Consent.

More information in special guidelines for health services

How NPP 2.4 applies to organisations that provide a health service is spelled out in more detail in the Health Privacy Guidelines available from the Office's website at www.privacy.gov.au.


CHAPTER 6 - KEEPING INFORMATION ACCURATE COMPLETE AND UP TO DATE - NPP 3

General background

Role in privacy protection

There are risks for both organisations and individuals if organisations use or disclose information that is not accurate, complete and up-to-date as a basis for making decisions that affect individuals. Inaccurate, incomplete or out of date information can create a false picture and lead to incorrect, possibly damaging conclusions. Organisations must take "reasonable steps" to ensure information is complete, accurate and up-to-date. They do not usually have to take extreme measures. What is reasonable will depend on the circumstances and potential risks.

NPP 3 does not require organisations to expend resources ensuring an address is up to date if the privacy consequences for the individual of such an action outweigh the consequences of not doing so. For example, the privacy consequences of an inaccurate address are often minimal and may even be desirable if the individual wants to be removed from a mailing list. However, the consequences of inaccurate, incomplete or out of date health information in relation to an insurance policy could have far more serious implications and risks.

When does NPP 3 apply?

Organisations will only need to consider whether the information is accurate, complete and up to date at the time of collecting, using or disclosing personal information, keeping in mind the primary purpose of the collection. Organisations will not have to continually check information held in their records.

Organisations collecting directly from the individual and using the information shortly after would not usually need to take any specific steps to ensure information is accurate and up to date. However, organisations need to think about the completeness of information collected, taking account of the primary purpose for which the information is being collected.

Completeness and collection

The completeness of information needs to be balanced against the requirement in NPP 1.1 that organisations only collect personal information that is necessary for the organisation's functions or activities.

NPP 3 is not saying organisations should collect information because it may be useful later, or there is some slim chance of it being relevant to the purpose. It is saying that organisations should collect all the information needed for that purpose because incomplete information can be just as misleading as inaccurate information. For example, an organisation may record information on a tenancy database that an individual has left a house in a damaged condition. Subsequently, the organisation maintaining the database discovers that the damage occurred after the individual left the house but does not record this information. The information on the database is incomplete and inaccurate and may have consequences for the individual when he or she tries to rent another property.

Use and disclosure

Before using or disclosing information an organisation should consider if it needs to take active steps to check the accuracy of the information. The steps that are appropriate will vary with the purpose for which information is being used or the reason it is being disclosed, the probability that the information is not accurate, complete and up to date, and the risks or consequences of using or disclosing inaccurate, incomplete or out of date information.

Reasonable steps to check accuracy

What steps are reasonable will depend on the circumstances. Factors to consider include:

Other considerations

If the consequences of information being incorrect or incomplete are serious, organisations should take active steps to check information when it is collected, used or disclosed.

The steps that are reasonable before an organisation discloses personal information will vary with the likelihood that the information is accurate, complete and up to date and the foreseeable consequences of disclosing the information. For example, if an organisation is disclosing and not using information, it may be sufficient to tell the recipient that information was collected x years ago and may be out of date, or the information was not collected directly from the individual and its accuracy should be checked. An organisation could consider making it a condition of disclosure that the recipient checks the information with the individual before using it.

Questions for consultation

6.1 Do you agree that these are the factors that should be taken into account in deciding what are reasonable steps for the purposes of NPP 3? If not, why?

6.2 What other factors should be taken into account?

6.3 What are the implications for organisations and consumers of this approach?

Checking data accuracy

The types of steps that organisations could take if they think that information should be checked for accuracy, relevance or completeness include:


CHAPTER 7 - MAINTAINING DATA SECURITY

Background

National Privacy Principle 4 requires an organisation to take reasonable steps to protect personal information it holds from misuse and loss and from unauthorised access, modification and disclosure. NPP 4 also requires an organisation to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose.

Role of NPP 4 in protecting personal information

About NPP 4

Data security is essential to ensuring that personal information is only used and disclosed for purposes that are permissible. Information security consists of confidentiality, integrity and availability.

Confidentiality

Confidentiality involves limiting the availability of information to authorised users for approved purposes in order to prevent unauthorised use and disclosure.

Integrity

Integrity is the assurance that information has been recorded, amended or deleted only by the intended authorised means. Integrity is a primary concern when information is susceptible to unauthorised or unwanted change and when the change will have undesirable consequences.

Availability

Availability refers to the system of access that allows authorised users access to defined information for authorised purposes at the time they need to do so, and prevents unauthorised access to information. Protecting the integrity and availability of personal information is intended to give adequate and appropriate assurance against the risk that information will be subject to unauthorised modification.

How information is stored

Information is stored in a range of forms, including

Protecting the security of personal information will consist of taking reasonable steps to maintain: physical security, computer and network security, the security of communications and the appropriate training of staff.

Destroying or de-identifying information

Information should either be destroyed or de-identified when it is no longer needed for the purpose of collection, any permissible secondary purposes or for the purpose of meeting a legal requirement to retain the information. Destruction or de-identification will permanently prevent misuse and unauthorised access, modification or disclosure. Secure methods of destruction should be used, such as shredding or other certified methods. De-identification requires the removal of any information by which an individual may be identified.

Expert help

Organisations can get expert help about security from a range of sources. A draft code of practice for information security management is available from Standards Australia and provides organisations with a useful guide to better manage information security.

Issue for comment:

7.1 What other Australian standards or International standards or other recognised standards should this chapter identify?

Ways of keeping information secure

Culture of the organisation

The key to ensuring compliance with NPP 4 is whether an organisation has a culture that respects privacy. Organisations need to ensure that management and staff have a high level of integrity and understanding of their responsibilities for protecting the personal information held by the organisation from misuse, loss, corruption or disclosure, whether deliberate or accidental. Adequate training of management and staff may be necessary to ensure that security procedures are incorporated into the day-to-day practices of an organisation. An organisation can have state-of-the-art information security systems and procedures, but if the staff are not well trained, or do not appreciate the need to keep personal information secure, then they are unlikely to use them effectively.

Physical security

Physical security is important to an organisation's information systems, whether paper-based systems or information technology and telecommunications systems are used for the processing, storage and transmission of personal information. Physical security refers to the degree to which an organisation's physical accommodation makes it difficult for an external intruder, or an employee with no need to know, to gain unauthorised access to information an organisation holds.

A range of physical, procedural and training measures can be used to complement and support the other security mechanisms. An organisation should ensure that it uses a combination of measures to ensure that it provides adequate physical security.

Physical measures could include:

These are complemented by procedural and personnel measures such as:

Computer and network security

With the emergence of information and communications technology systems and networks, the risk of unauthorised disclosure is compounded by the risk to the integrity of information held on an IT system or to the availability of the system itself. Information held on an IT system can become unavailable or altered in ways that are unparalleled in paper-based systems. Organisations must assess the security measures required to protect the integrity, availability and confidentiality of their information systems and networks in the storing, processing and transmitting of personal information.

A range of protective measures can be implemented and their suitability will vary according to the local circumstances and an assessment of the risks of an organisation's information resources. The following examples provide only a general outline of protective measures with respect to computer security:

It will be appropriate for many organisations to ensure the accountability of people who use their information technology and telecommunication systems for the way they use them and the documents they generate. A number of tools are available for ensuring accountability, including:

This could include storage in desktop computers, databases, and network systems.

Secure communications

Organisations will need to take reasonable steps to avoid transmitting personal information across public networks, by fax, e-mail or other unsecured media, especially if the transmission is in plain text or includes sensitive information. Again, where it is reasonable to do so:

Explaining more about NPP 4.1

Reasonable steps to keep information secure

NPP 4.1 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

However, the Commissioner recognises that the term "reasonable steps" is a relative one and that local variables will have to be factored in to any assessment. The following is a list of factors that the Commissioner may consider when deciding if reasonable steps have been taken to secure personal information. The list is not complete and each organisation should assess its risks as determined by its circumstances.

The sensitivity of the information and the potential harm from its misuse

The perceived risks and the cost of upgrading systems

When considering a complaint, the Commissioner will assess the risks faced by an organisation that holds personal information when judging if reasonable steps have been taken.

For example, if an organisation holds non-sensitive personal information and improper use or disclosure of that information is unlikely to result in serious consequences to the individual, then a state-of-the-art information security system is unlikely to be a required mechanism. Alternatively, if an organisation is large, holds vast amounts of personal information and the potential detriment from improper access, use or disclosure of that information is great then a state-of-the-art security system may be required to meet the "reasonable steps" requirement.

When judging "reasonable steps" when considering a complaint, the Commissioner will also consider the potential costs of upgrading an organisation's security system. These costs will be calculated in relation to the types of risks mentioned above. Again, some organisations may not need to invest in a costly information security system if the risk associated with improper use or disclosure is minimal.

The priority given to privacy and the frequency of systems reviews

If an organisation has a sound information security system but routinely allows staff to breach these systems, then the Commissioner will not consider the reasonable steps requirement to have been met. The Commissioner will be looking for evidence of a culture that respects privacy within an organisation before making a decision on whether NPP 4 has been breached. Mistakes will happen in any organisation but the likelihood and severity of a breach will be minimised, as will the potential for penalties to be awarded, if there are good security systems in place that are adhered to by all staff.

The expectations of individuals

Question for consultation

7.2 Are there any other factors the Commissioner should consider when judging if reasonable steps have been taken?

7.3 What prominence or significance should the Commissioner attach to organisations complying with particular security standards especially where compliance is certified by external bodies?

A security policy

Having a security policy is a good way for an organisation to avoid breaches of NPP 4. This would establish strict systems to control the way the personal information it holds is used and disclosed.

Organisations may wish to consider producing a documented policy on the security of personal information that explains what security measures need to be taken, and specifies in each case what needs to be done, when and by whom. The policy should be accessible to all staff.

Each organisation will have to assess its risks before developing a security policy that can manage these risks effectively. A security policy is likely to need to cover physical security, computer system security and communications security, as well as set requirements for outsourcing arrangements that involve the transfer of personal information.

The policy will need to be more than just a statement of principle, and will need to give practical advice on situations that regularly arise in particular areas of the organisation. Each organisation should also put in place systems to ensure that only authorised staff have access to personal information. Computer operating systems should provide for appropriate access controls, using industry standard software. Each security system will also need to account for the sensitivity of the personal information in question.

Where possible, each organisation should have a contact officer available to discuss cases where the appropriate security measures are not clear. The organisation's security adviser would be a logical choice, but other officers may be appropriate depending on the size of the organisation, its range of functions or the type of personal information that is held.

An organisation should establish systematic channels for scrutinising requests or classes of requests for information from outside the organisation (refer to NPP 6). In some cases the best way of doing this may be to pass requests through a central area. Non-routine disclosures should be authorised by one of a small number of staff at an appropriately senior level.

Organisations should conduct regular audits of physical and computer security and follow up the results.

Staff should be trained in good security practices, including the organisation's security policy. Security and other Privacy Act requirements should form a standard part of an organisation's operation, with training options and information available in induction packages and other internal training courses where appropriate.

Maintaining security in contracting out activities or functions

The Commissioner takes the general view that in any risk assessment of the personal information an organisation holds, contracting out carries high potential risks of compromising the privacy of the personal information involved. The Commissioner therefore expects organisations that outsource handling of personal information they hold to identify, assess and manage that risk particularly carefully.

Organisations that contract out services in ways that require another organisation to have access to personal information stores (including management of databases or IT services) will need to take reasonable steps to ensure personal information remains secure. It is important that in any agreement about a contract for services, the rights of the individual under the Privacy Act are preserved and that the organisation meets its security obligations under NPP 4. It also has obligations under other NPPs (see especially the collection chapter and the use and disclosure chapter).

While the Privacy Act does not specifically set rules for the outsourcing of services, the Commissioner considers organisations to be ultimately accountable for the way in which personal information given to contractors is handled and emphasises that organisations should undertake contracting out in such a way that does not compromise the privacy of the personal information in any way.

Provisions in contracts

NPP 4 requires organisations to protect personal information against misuse by reasonable security safeguards, including doing everything within their power to ensure that service providers handling the information do not misuse it or disclose it without authority. A key means of achieving compliance with NPP 4 is by the inclusion of appropriate provisions in outsourcing contracts. This could include clauses requiring:

The Commissioner would regard including clauses that address these issues in contracts that involve giving the contractor personal information as a reasonable step.

Compliance with contracts

The Commissioner would also expect organisations to ensure no breach of NPP 4 occurs by monitoring the contractor's compliance with the contractual arrangements and, where appropriate, being prepared to prosecute for breach of contract.

Question for consultation

7.4 Does this provide adequate guidance as to what is required of organisations that contract for the provision of services that result in other organisations handling personal information in their care?

More information about destroying or de-identifying information when no longer needed - NPP 4.2

As stated above, individuals that provide organisations with their personal information can reasonably expect that information to be protected from unauthorised use, access or disclosure. This expectation continues after the information ceases to be of use to an organisation. NPP 4.2 requires an organisation to destroy or permanently de-identify information it no longer needs in a manner that upholds the individual's privacy rights.

Where personal information that is no longer needed remains in a storage system, there is a greater potential for unauthorised access, use or disclosure of this information.

NPP 4.2 provides that an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. The reference to "needed for any purpose" includes needed for the purpose of meeting a legal requirement to retain the personal information.

Permanently de-identifying information requires the removal of any information by which an individual may be identified from the record. It also means that an organisation is not able to match the de-identified information with other records to re-establish the identity of individuals.
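The distinction drawn here, and in "Destroying or de-identifying information" earlier in this chapter, is between information that merely has the obvious identifiers removed and information that can no longer be matched back to a person. The following is an added example, not the Office's own material and not part of the guidelines: it contrasts a keyed pseudonym (the organisation keeps the key, so the record stays re-identifiable, and it still carries date of birth and postcode that can be joined to another dataset) with permanent de-identification that drops direct identifiers, coarsens the remaining fields and keeps no key. All records, the HMAC key, the age-band and postcode generalisation rules and the reference date (taken as the date of this paper) are constructed assumptions for illustration.

```python
"""Added example: reversible pseudonymisation versus permanent de-identification.
All records below are constructed; they describe no real person."""
import hashlib
import hmac
from datetime import date

# Constructed health-service records: direct identifiers, quasi-identifiers, health data.
RECORDS = [
    {"name": "A. Example", "client_id": "C-0001", "dob": "1961-03-14",
     "postcode": "2600", "diagnosis": "asthma"},
    {"name": "B. Example", "client_id": "C-0002", "dob": "1988-11-02",
     "postcode": "3000", "diagnosis": "fracture"},
]
# A second constructed dataset the organisation or a recipient might also hold
# (a mailing list, say). Joining on dob + postcode would re-establish identity.
OTHER_RECORDS = [
    {"name": "A. Example", "dob": "1961-03-14", "postcode": "2600"},
    {"name": "C. Example", "dob": "1975-06-30", "postcode": "2601"},
]
DIRECT_IDENTIFIERS = ("name", "client_id")
QUASI_IDENTIFIERS = ("dob", "postcode")
REFERENCE_DATE = date(2001, 5, 7)  # assumed: date of this consultation paper


def pseudonymise(record, key):
    """Replace the direct identifiers with a keyed token (HMAC-SHA256 over the
    client id). Whoever holds `key` can recompute the token for any known client,
    so this is reversible in practice and is NOT permanent de-identification."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["token"] = hmac.new(key, record["client_id"].encode(), hashlib.sha256).hexdigest()
    return out


def token_matches(pseudo_record, candidate_client_id, key):
    """Show how a key holder re-identifies a pseudonymised record: recompute the
    token for a candidate client and compare it (constant-time)."""
    expected = hmac.new(key, candidate_client_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(pseudo_record["token"], expected)


def age_band(dob_iso, on=REFERENCE_DATE):
    """Generalise a date of birth to a ten-year age band as at `on`."""
    y, m, d = (int(x) for x in dob_iso.split("-"))
    age = on.year - y - ((on.month, on.day) < (m, d))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record):
    """Permanent de-identification: drop direct identifiers, coarsen the
    quasi-identifiers, and keep no token, key or lookup table that could
    link the result back to the source record."""
    return {
        "age_band": age_band(record["dob"]),
        "region": record["postcode"][:2] + "xx",  # assumed generalisation rule
        "diagnosis": record["diagnosis"],
    }


def linkable(record, other_records):
    """True if `record` joins to exactly one row of `other_records` on whichever
    quasi-identifiers it still carries: a unique match re-identifies the person."""
    keys = [k for k in QUASI_IDENTIFIERS if k in record]
    if not keys:
        return False
    matches = [o for o in other_records if all(o.get(k) == record[k] for k in keys)]
    return len(matches) == 1


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pseudo = pseudonymise(RECORDS[0], key)
    print("pseudonymised, key holder re-identifies:", token_matches(pseudo, "C-0001", key))
    print("pseudonymised, linkable to other dataset:", linkable(pseudo, OTHER_RECORDS))
    deid = deidentify(RECORDS[0])
    print("de-identified:", deid, "linkable:", linkable(deid, OTHER_RECORDS))
```

The point the run makes is that "removing the name" is not the test: the pseudonymised record still answers to the key holder and still joins uniquely to the second dataset on date of birth and postcode, so an organisation holding both the key and the other records has not met the "cannot be matched with other records" standard described above. The de-identified record fails both linkage checks because the coarsened fields no longer exist in the other dataset and nothing retained can be used to reverse the transformation.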

As a minimum, reasonable steps to destroy or permanently de-identify personal information will require:

CHAPTER 8 - NPP 5 OPENNESS ABOUT INFORMATION HANDLING PRACTICES

General Background

NPP 5 requires organisations to be open about the way they handle personal information. An organisation must be prepared to give information about its personal information handling practices to anyone who asks for it. The Principle aims to give individuals a window into the organisation before it collects information from them or during the time it holds information about them. NPP 5 provides general information that complements the more specific information organisations must provide under NPP 1.3 or 1.5.

The openness requirement will be best met by providing clear and timely information rather than extremely detailed and complicated responses. In practice, most large organisations will already have information handling policies and manuals that can be readily drawn upon to develop NPP 5 statements. Smaller organisations are likely to find that they can satisfy the requirements of the principle with relatively short statements.

How to comply with NPP 5

Openness about an organisation's personal information handling practices is divided into two steps, namely:

The Commissioner takes the view that the organisation will have explained how it manages personal information if it addresses the matters contained in NPP 5.2. In other words, the document referred to in NPP 5.1 is essentially a summary of the more general information that the organisation will need to provide individuals under NPP 5.2. To comply with NPP 5, organisations should first work out what they would say in relation to a request under 5.2. This information does not have to be written down, but many organisations will find it useful to do so. Summarising this information is then one way of complying with 5.1.

Clearly expressed policies in a document (5.1)

What NPP 5.1 says

Firstly, an organisation must have prepared, in a document, a short, clearly expressed statement about how it manages personal information. This statement must be made available to anyone who asks for it.

Making it available

An organisation could meet this requirement in a variety of ways, for example including the information from the document:

Information to be in the document

As noted above, the information in the document is essentially a summary of the way an organisation handles personal information. An important aspect of this is the way the Privacy Act applies to the organisation. Other aspects to cover include the sorts of personal information held and how it is used.

The document does not have to be long but should clearly address the following:

Providing more general information on request - NPP 5.2

What NPP 5.2 says

If an individual asks for more general information about an organisation's personal information handling practices, an organisation must take reasonable steps to provide that information. The amount of information an organisation has to provide will depend on the circumstances of the organisation and what the individual has asked for. Information may be requested about the following matters.

The sort of personal information held by the organisation

This means the kinds of personal information the organisation collects and holds.

The purposes for holding the information

An organisation should say what the information is actually used for. If there is more than one purpose they should all be listed. For example, information could be held for direct marketing purposes or to send out information to customers via a newsletter.

Collecting the information

The organisation should tell the individual how it collects personal information, for example, whether it collects the information directly from the individual or from list purchases, competitions, recommendations by other individuals, other organisations or other company areas of the parent organisation.

Holding the information

Organisations should give a general description of the way their security systems operate. The description should provide enough information to satisfy the individual that personal information is handled securely by the organisation, archived securely and disposed of securely. For example:

Using and disclosing the information

An organisation that usually gives or sells information to other organisations should name them and indicate specifically what kinds of organisations they are.

Reasonable steps and NPP 5.2

Depends on type of organisation

What is reasonable may depend on the type of organisation. It may also depend on the relationship the individual has with the organisation. In a small, local organisation it may be appropriate for the individual to be given the information verbally. In a large organisation written material might be a better option.

How much information an organisation should provide

How much information an organisation should provide depends on how much information the individual wants, for example the request may only be about the type of personal information held. An organisation that provides a lot of information, or has complex general handling practices needs to think about presenting this information in an accessible, user-friendly way. This is particularly important if the information is provided online.

Understanding the information requested

Whether the information is presented verbally or in writing it should be made as easy as possible for the individual to understand and avoid the use of in-house terms or jargon.

Organisations will have to determine from their client base whether they need to make the information available to individuals with disabilities, who may require the information to be provided in an alternative format. Consideration should also be given to providing information in a range of languages for those individuals from a non-English speaking background and consideration given to literacy difficulties that may be experienced by individuals making requests.

Do organisations have to provide the information immediately?

Good management practices would suggest that an organisation would already have this information readily available as part of good corporate governance procedures. Therefore, in most cases it would be reasonable for organisations to provide the information at the time an individual asks for it.

Difference between a collection statement under NPP 1.3, a document under NPP 5.1 and general information under NPP 5.2

Differences

The document and the general information required under NPP 5 are not the same as a collection statement required by NPP 1.3. However, the information an organisation has to provide under NPP 1.3 might overlap with the requirements of NPP 5.1 or 5.2.

A Collection Statement (NPP 1.3)

NPP 1.3 requires an organisation to:

Example:

If an organisation collects information using a web site, it would have to make sure that the information it must provide under NPP 1.3 is clear and relevant to the specific circumstances of the collection. The collection statement should be located on the website in such a way that the individual easily becomes aware of it. Requiring the individual to find that information by clicking through a number of pages would not be acceptable. Depending on the circumstances, this statement may also meet the requirements of NPP 5.1.

Information in a document (NPP 5.1)

NPP 5.1 requires an organisation to:

An organisation is not required to provide this document when it is collecting personal information. However, if it has prepared a comprehensive document, it may find it a convenient way to tell individuals about matters such as how to make a complaint or get access to personal information.

General Information (NPP 5.2)

NPP 5.2 requires an organisation to:

CHAPTER 9 - ACCESS AND CORRECTION (NPP 6)

General Background

Obligation to give access and to correct

NPP 6 requires an organisation to give an individual access (with some exceptions) to any information it holds about him or her (NPP 6.1). It also requires an organisation to take reasonable steps to correct that information if the individual shows that the information is not accurate, complete or up-to-date (NPP 6.5).

Exceptions in a narrow range of circumstances

NPP 6 sets out a narrow range of circumstances where an organisation does not have to give an individual access to some or all of their information (NPP 6.1(a)-(k), 6.2). If an organisation does not have to give an individual access because of one of these circumstances (apart from the circumstance in 6.2) and chooses not to do so it must, if reasonable, consider whether using an intermediary would provide access in a way that met the needs of both parties (NPP 6.3). If an organisation refuses access because one of the exceptions applies, or refuses to correct information it must, in most circumstances, tell the individual the reasons why. The organisation should tell the individual which exception under 6.1 it is relying on to refuse access unless doing so would prejudice an investigation of fraud or other unlawful activity.

An organisation cannot refuse access just because it is costly, inconvenient, irritating or difficult. In the Commissioner's view organisations must give as much access as possible even where an exception applies. This may involve giving access to only a part of a record or blacking out part of a record.

An organisation can charge for giving access but the charge cannot be excessive. It cannot charge a person for lodging a request for access (NPP 6.4).

Meaning of access

In NPP 6 "access" refers to an individual's right to see and have a copy of personal information about him or her that is held by an organisation. It does not refer to the situation where an organisation releases personal information to someone other than the individual the information is about (that is, a third party). The NPPs refer to this activity as "disclosure".

Applies to all personal information

An organisation must give an individual access to all information it holds about the individual that falls within the definition of personal information. This includes information it has collected from third parties, information it has received unsolicited and included in a record and opinions about an individual it has recorded. It also includes health information.

How does giving access and a right of correction protect privacy?

Access

The right of individuals to access their own personal information is a fundamental part of the protection of personal information. Access gives an individual control over the personal information an organisation holds, particularly where the information is collected by third parties, by enabling individuals to find out what information is held about themselves. Access also enables an individual to check whether it is accurate, complete and up-to-date. For this reason, the Commissioner, when handling complaints or undertaking an investigation, will interpret the exceptions to the obligation to give access provided for in NPP 6 very narrowly.

Correction

The individual's right to challenge the accuracy of personal information that an organisation holds and to have it corrected helps to ensure that the organisation does not base its decisions on, or disclose to others, poor quality personal information. The right to correction also gives individuals confidence in the quality and integrity of the personal information organisations hold.

Giving an individual access helps an organisation to meet its obligations under NPP 3 to ensure that the information it holds is accurate, complete and up-to-date.

In circumstances where the individual and the organisation disagree about whether or not the information is accurate, complete or up-to-date, and the individual asks the organisation to attach a statement claiming the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to attach such a statement to the record of personal information (NPP 6.6).

Explaining more about giving access under NPP 6

Meaning of giving access

Giving access means that on request, and if none of the exceptions apply, an organisation should allow an individual to:

Where possible, an organisation should give an individual a choice about how to receive the information. It should let an individual know that receiving information in an electronic form may not be secure.

Individuals to be given appropriate area to inspect information

Organisations may also need to consider providing an appropriate area where individuals can inspect their personal information or have personal information explained to them with some measure of privacy and convenience. It is not appropriate to explain the contents of personal information to an individual in a busy, open public space such as a reception counter. Nor is it reasonable to expect individuals to inspect large quantities of information, which may take a long time to go through, while standing at a counter.

Individuals do not have to give a reason for wanting access

Individuals do not have to give a reason when asking an organisation for access to their personal information. They can simply ask for access to the information. However, an organisation could ask an individual whether they want access to all their information or just some and if the latter, which particular information they want.

Informing individuals about their right of access

NPP 1.3 (b) requires an organisation to tell individuals that they can gain access to personal information. An organisation must make individuals aware of this when they collect information from them or as soon as practicable afterwards. An organisation must also take reasonable steps to do this if it collects information about an individual indirectly. As part of this process an organisation should tell individuals how to go about asking for access, for example, by providing a contact number or giving them a pamphlet outlining the organisation's procedures on access and correction.

Right of access where information contracted out

An organisation that has contracted out the provision of services it requires (for example, payroll or mail list or other database management) may have set up arrangements in which the contracted service provider is managing holdings of personal information. The NPPs do not allow such arrangements to diminish the individual rights of access established by NPP 6. Regardless of whether personal information is held by a contractor, individuals must be able to access it.

If an organisation that is party to such an arrangement arranges for the access to be provided through a contractor, then it will have to ensure that the level of access and transparency is not diminished.

Form of request for access

Organisations should treat requests for access on their merits and with commonsense according to the context. For example, where information held by a contractor is accessible by computer terminal at the organisation's premises through a network, the individual could simply be shown what is on the screen with no formal procedure involved at all.

Written request may be appropriate in some circumstances

An organisation should not necessarily ask an individual to make a request for access in writing. However, in other circumstances, for example, in a large institution that has complex personal information handling systems and functions, it may be appropriate and even preferable to ask individuals to make the request for access in writing. The Commissioner considers that requiring a written request is more likely to be appropriate where:

Establishing the identity of the individual or other person requesting access

In some cases, a person may try to use NPP 6 to get access to someone else's personal information. To deal with this risk an organisation should have procedures to establish that the person asking for the information is who they say they are.

Also, in the case of a person seeking access on behalf of an individual whose information it is, the organisation will also need to establish the identity of that person and ensure that he or she has the appropriate authority from the individual to allow this access.

The process the organisation uses to establish an individual's identity or a person's authority to get access on an individual's behalf should be appropriate for the circumstance but should not discourage access.

Having identity checks in place is particularly important if an organisation intends to accept requests for access, or grant access, over the telephone, the Internet or via other online services.

Response times for meeting a request for access

An organisation should respond to a request for access as soon as possible. However, what is an appropriate response time will depend on the organisation, the method of communication, the type or amount of information requested, how the information is held and how complex an organisation's functions and activities are.

In the case of a large organisation where giving access may be a reasonably complex matter and access is not given over the phone or in an electronic environment the Commissioner would generally expect the following kinds of response times.

In the case of organisations largely operating online, it could be reasonable to expect much shorter response times. In some cases the best practice may be an immediate response.

Charges and access to information - NPP 6.4

Organisations should consider not charging at all

The Commissioner believes that in most situations an individual should not be charged for accessing their personal information. Organisations do not have to charge for access. Organisations may consider the benefit to the organisation in goodwill of not charging for access. The cost of providing access should not be onerous for the organisation given the likely number of requests for access being made.

No charge for lodging request

Organisations must not charge an individual simply for lodging a request for access to information. This means that an organisation will not be able to charge people money just for asking for access to information but may charge them when they provide access to the personal information.

Telling the individual about charges

The Commissioner considers that it would generally be appropriate for an organisation to tell an individual when he or she lodges a request for access how much (if anything) access might cost the individual. Once it has agreed to give the individual access, the organisation should tell the individual how much it will actually charge.

Excessive charges

NPP 6.4 says that the cost to the individual should not be excessive. The Commissioner's view of what is excessive will depend on the situation. However the following points are a guide to the Commissioner's views on charges for access.

In determining if a charge for access is excessive the Commissioner will consider what steps an organisation has taken to ensure that giving access to individuals is as easy and cost free as possible. Improvements in information and communication technologies are reducing the costs and difficulty of providing individuals with access to their personal information.

The Commissioner expects organisations which have had difficulty in meeting requests for access to rectify such difficulties as soon as possible. The Commissioner will not accept circumstances where systems redesigns after 21 December 2001 do not actively seek to remedy any such difficulties.

Personal information that cannot be found

If the Commissioner receives a complaint that an organisation has not given access because it could not find the information the Commissioner will want to see evidence of the effort the organisation has put in to finding the information and an explanation of why the information is unavailable. This includes systems redevelopment as discussed above.

The Commissioner recommends that in this situation an organisation should advise the individual that it cannot find the information or that it does not hold it and explain what it thinks may have happened to the information.

If an organisation says that it has destroyed the information the Commissioner may ask the organisation to give evidence of how and when it was destroyed. The Commissioner is likely to consider personal information destroyed after an access request has been made as a refusal to grant access if there is no other reasonable and credible explanation.

Where an organisation claims to have lost information the Commissioner is also likely to ask questions about whether the organisation's processes for keeping personal information secure are adequate. (See Chapter 7 on NPP 4 - security.)

Procedure when an organisation denies access - NPP 6.7

Organisation should explain reasons in writing

NPP 6.7 requires an organisation to give an individual reasons for denying access to their personal information. It should tell the individual which exception under 6.1 it is relying on to refuse access. It would be reasonable to expect an organisation to tell the individual at this time if using an intermediary would provide an alternative means of access. As application of the exceptions in particular circumstances might be quite complex, the Commissioner considers that an organisation should give a clear written explanation of why it has denied access. It should also tell the individual:

Give partial access where possible

It would be unusual for an organisation to have grounds for denying access to all the information it holds about an individual. Access should only be denied to the parts of the record that are exempt from access under the exceptions to NPP 6. For example, if one paragraph of the personal information requested would present a serious and imminent threat to someone's health or life (see NPP 6.1(a)), then the organisation should not deny access to the whole record but may delete, block or black out that paragraph when a copy is given to the individual.

Correcting information - NPP 6.5

Obligation to correct information

NPP 6.5 requires that if an organisation holds information about an individual and the individual can establish that the information is not accurate, complete or up-to-date then the organisation must take reasonable steps to correct the information.

Most organisations already as a matter of course (if identity is established) update or correct a telephone number or an address when an individual lets them know that it has changed. The right of correction in NPP 6.5 broadens this to require organisations to take "reasonable steps" to correct a wider range of personal information.

"Reasonable steps" to correct personal information

Mostly reasonable to correct if inaccuracy established

If an individual establishes that personal information an organisation holds is not accurate, complete or up-to-date it would usually be reasonable for the organisation to correct it. Allowing poor quality personal information to remain on record may have adverse consequences for the individual. The Commissioner will interpret the question of what are "reasonable steps" broadly where the issue arises in a complaint.

Correction not necessary if information inaccessible and not used

However, where the individual establishes that the personal information is of poor quality but the organisation can demonstrate that it is inaccessible and that the organisation will never use it, the Commissioner would not require the organisation to spend time and resources to no purpose. However, organisations should generally destroy or de-identify information they no longer need for any purpose (see Chapter 7 Security - NPP 4.2).

In some situations, changing a record may not be appropriate

In some (but not many) situations, it might be necessary for an organisation to keep a record of what the organisation knew or understood at a particular time. It might be reasonable for an organisation to correct information in a way that does not suggest that the organisation knew or understood different information at a certain time. One such situation is that of medical records.

Where it is inappropriate to amend a record by overwriting or deleting the inaccurate information, organisations should consider alternatives. One possible alternative is to replace the inaccurate information with correct information in the record that is currently in use and store the record with the inaccurate information in an archive. Another option is to note on the relevant section of the record that this information was later found to be inaccurate and where in the record the accurate information can be found. In an electronic record-keeping system, hyperlinks to the accurate information might be appropriate. The Commissioner encourages organisations to discuss with the individual concerned the reasons that they think it is inappropriate to delete or write over the original information and the alternative ways of correcting the information that satisfy the needs of both parties.

The Commissioner expects organisations to co-operate with the intention of this principle and do all that they reasonably can to correct the information.

Attaching a statement when disagreement about correction - NPP 6.6

What NPP 6.6 says

When an individual and an organisation disagree about whether the individual's information is accurate, complete or up-to-date and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, NPP 6.6 requires the organisation to take reasonable steps to do so.

Telling individuals about the right to attach a statement

The Commissioner strongly encourages organisations to tell all individuals that they have a right to ask to have a statement attached to his or her personal information if the individual and the organisation cannot agree on whether the information is accurate, complete or up to date. The Commissioner expects organisations to tell individuals about this right either when they ask for access or when the organisation gives individuals access.

Associated statement should be easy to see

An organisation should associate the individual's statement about the disputed information in such a way that whenever that information is handled in the future it is easy to see both that the individual was not satisfied that this particular part of the personal information was accurate, complete or up-to-date, and the statement by the individual.

Reasonable steps to associate a statement with disputed information

In most cases, refusing to attach a statement is not reasonable

In most cases associating a statement with disputed information in an existing record will not require much extra effort on the part of an organisation. The Commissioner considers that in most cases it would not be reasonable for an organisation to refuse to associate a short statement with information or to refuse to mark the information in some way.

Long statements should be noted

If an individual provides an excessively long statement which an organisation cannot easily attach to the personal information the organisation should mark the information or add a note to indicate that a statement exists and where the statement can be found.
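The correction alternatives described above for NPP 6.5 (replacing the inaccurate value in the record in use while archiving the superseded one so that what the organisation understood at the time is not lost), the NPP 6.6 steps (associating the individual's statement with the disputed part of the record, or a note pointing to a long statement held separately) and the partial-access approach of withholding only the exempt parts, worked through as an added Python example. This is not code from the Office of the Federal Privacy Commissioner; the field names, the sample values and the MAX_INLINE_STATEMENT threshold are assumptions made for the illustration.

```python
"""Toy access-and-correction record. Added example; not code from the Office
of the Federal Privacy Commissioner. Field names, sample values and the
MAX_INLINE_STATEMENT threshold are assumptions made for the illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption: a statement longer than this is held separately and the field
# carries only a note saying that a statement exists and where to find it.
MAX_INLINE_STATEMENT = 200
WITHHELD = "[withheld]"


@dataclass
class Amendment:
    """Superseded value kept in the archive, so the record still shows what
    the organisation understood at the time instead of overwriting it."""
    field_name: str
    old_value: str
    new_value: str
    corrected_at: str  # ISO 8601 timestamp, UTC


@dataclass
class DisputeStatement:
    """Statement the individual asked to associate with disputed information."""
    field_name: str
    text: str


@dataclass
class PersonalRecord:
    fields: Dict[str, str]
    archive: List[Amendment] = field(default_factory=list)
    statements: List[DisputeStatement] = field(default_factory=list)

    def correct(self, field_name: str, new_value: str) -> Amendment:
        """Replace the value in the record in use and archive the old one."""
        if field_name not in self.fields:
            raise KeyError(f"no such field: {field_name}")
        entry = Amendment(field_name, self.fields[field_name], new_value,
                          datetime.now(timezone.utc).isoformat())
        self.fields[field_name] = new_value
        self.archive.append(entry)
        return entry

    def attach_statement(self, field_name: str, text: str) -> int:
        """Associate the individual's statement; returns its 1-based number."""
        if field_name not in self.fields:
            raise KeyError(f"no such field: {field_name}")
        self.statements.append(DisputeStatement(field_name, text))
        return len(self.statements)

    def access_view(self, withheld: Optional[Dict[str, Optional[str]]] = None) -> Dict[str, dict]:
        """Build what the individual receives on an access request.

        withheld maps a field name to the exception relied on (e.g. "NPP 6.1(c)"),
        or None when the reason itself is not given. Only those fields are
        blanked; everything else is released, with dispute flags kept visible.
        """
        withheld = withheld or {}
        view: Dict[str, dict] = {}
        for name, value in self.fields.items():
            entry = {"value": value, "withheld_under": None,
                     "disputed": False, "statements": []}
            if name in withheld:
                entry["value"] = WITHHELD
                entry["withheld_under"] = withheld[name] or "reason not given"
            for number, stmt in enumerate(self.statements, start=1):
                if stmt.field_name != name:
                    continue
                entry["disputed"] = True
                if len(stmt.text) <= MAX_INLINE_STATEMENT:
                    entry["statements"].append(stmt.text)
                else:
                    entry["statements"].append(
                        f"statement #{number} attached; held separately")
            view[name] = entry
        return view


def build_sample_record() -> PersonalRecord:
    """Constructed sample data for a loan applicant; not real data."""
    return PersonalRecord(fields={
        "name": "A. Sample",
        "postal_address": "1 Old St, Sampletown",
        "employment_history": "Left Example Co in 1999",
        "referee_comments": "Comments supplied by a named referee",
    })


if __name__ == "__main__":
    rec = build_sample_record()
    rec.correct("postal_address", "12 New St, Sampletown")
    rec.attach_statement("employment_history", "I left Example Co in 2000, not 1999.")
    for name, entry in rec.access_view({"referee_comments": "NPP 6.1(c)"}).items():
        print(name, entry)
```

The archive keeps the superseded value and when it was corrected, so the record in use carries only current information while an earlier understanding can still be shown if a complaint or dispute later turns on it. Withholding is per field and names the exception relied on, which is the partial-access behaviour the guidelines expect; passing None for the reason covers the case where naming the exception itself would be inappropriate.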

Charging to attach a statement is not reasonable

The Commissioner considers that it is not reasonable for an organisation to charge an individual for asking to associate a statement or for having the statement associated with their information.

Basic information about when an organisation can choose to refuse access - NPP 6.1 (a)-(k)

When an organisation can refuse some or all access

Generally speaking an organisation must give an individual access to their personal information. However NPP 6.1 allows, but does not require, an organisation to refuse access to that personal information to the extent that (in summary):

Exceptions should be used infrequently

Organisations can choose whether to deny access where exception applies

NPP 6.1 allows an organisation to choose whether or not to give access in the circumstances specified in 6.1(a)-(k). However if another law prohibits the organisation from giving an individual access then the organisation must comply with that law.

The Commissioner's approach

The Commissioner's approach to these exceptions is that an organisation should only choose to deny access when there is a strong case for doing so using a narrow interpretation of the listed exceptions. Deciding whether an exception applies to a particular circumstance will often not be straightforward. Where an organisation has little experience in the circumstances when an exception might apply it would be prudent for it to seek legal advice, or advice from a relevant professional body before it chooses to deny access.

In most cases an organisation will need to give some information

Also, in the Commissioner's view, these exceptions would only rarely allow an organisation to refuse access to all the information it holds about an individual. In most cases where an organisation chooses to deny access on the basis of an exception it will still have to take steps to give the individual access to some of their information.

Following details not needed in most cases

Unless an organisation operates in the kind of business where it is likely to have to consider whether an exemption applies it will not need to refer to the following more detailed guidelines about the exceptions.

More detailed guidelines about how NPP 6 exceptions apply

Serious threat or a serious and imminent threat to life or health - NPP 6.1(a) and (b)

For information about when this exception might apply see Chapter 2 of the guidelines.

Unreasonable impact upon the privacy of other individuals - NPP 6.1(c)

Sometimes an individual may ask for access to personal information that also contains information about another person. In many cases, releasing this information to the individual would be a breach of NPP 2.

In these circumstances an organisation should, as far as possible, not deny access to all the information. The organisation should consider what options it might have to provide access without impacting on the privacy of others by, for example:

Frivolous and vexatious request - NPP 6.1(d)

An organisation is not obliged to provide access to personal information where, for example, an individual uses requests for access as a way of pursuing an unrelated grievance against an organisation, or makes repeated requests for access to the same information.

Requests for access to personal information may sometimes be irritating, inconvenient or time consuming for an organisation but this does not make them frivolous or vexatious. The Commissioner will take a very narrow view of the circumstances under which organisations can use this exception to deny access.

"Anticipated legal proceedings" - NPP 6.1(e)

This exception is not intended to interfere with existing procedures for discovery in legal proceedings. Where legal proceedings are under way or anticipated and discovery would not grant access to the information, the organisation does not have to grant an individual access to the information.

When investigating a complaint, the Commissioner will expect concrete proof that a claim of "anticipated" legal proceedings is genuine. This might include a copy of internal correspondence or notes in the organisation that predate the application for access. However the off chance that legal proceedings might occur will be insufficient.

Providing access would reveal the organisation's intentions and prejudice negotiations - NPP 6.1(f)

An organisation is not required to provide access to an individual's personal information if it would show the organisation's intentions and would prejudice or interfere in some negative way in the organisation's negotiations with the individual.

When investigating a complaint where an organisation has used this exception, the Commissioner will expect concrete evidence that negotiations were underway before the request for access was lodged, for example correspondence between the parties or a record of discussion. The Commissioner would also be seeking evidence that any claimed prejudice to the negotiations was material.

Providing access would be unlawful. National Privacy Principle 6.1(g)

This exception is intended to cover circumstances where providing access to personal information would ground an action for breach of confidence. This would cover, for example, legal professional privilege.

This exception would also include situations where access is expressly prohibited by Commonwealth, State and Territory law and situations where providing access is in breach of statutory or common law. There is some overlap between this exception and National Privacy Principle 6.1(h).

Denying access is required or authorised by or under law. National Privacy Principle 6.1 (h)

In applying this exception, organisations should remember that the law in question might be State, Territory or Commonwealth law. There is a difference between required by law and authorised by law.

Access is likely to prejudice an investigation of unlawful activity

Organisations have a right and a responsibility to protect themselves against fraud or theft or other unlawful activity. Organisations are not required to provide access to personal information where unlawful activity is reasonably suspected and access would prejudice the investigations into that activity. For example, if an organisation is investigating a fraud within the organisation it does not have to provide access to that information to the individual under investigation if the access would prejudice the investigation.

Access is likely to prejudice certain law enforcement activities by enforcement bodies - 6.1(j) and (k).

While it is usually preferable that an individual be informed of any use or disclosure of their personal information, there will be occasions when that information will itself prejudice an investigation or a security function, for example an enforcement body may ask an organisation not to provide access because to do so would be likely to cause damage to the security of Australia. The purpose of NPP 6.1(j) and (k) is to ensure that where such information will prejudice an investigation or a security function, then that information will not be passed on.

What is a sanction?

A sanction generally refers to a penalty, punishment or coercive measure that is imposed for a breach of the law or a failure to comply with a law, rule or order.

What is a penalty?

A penalty is a punishment, particularly a fine or money payment resulting from a failure to comply with a law.

Explanation instead of access to evaluative information - NPP 6.2

Occasionally the personal information included in an individual's access request will include personal information that will reveal commercially sensitive information about how the organisation evaluates or assesses applications or business propositions. NPP 6.2 provides a narrow avenue to keep confidential the commercially sensitive decision making process. Organisations applying this principle should note that the Commissioner's view of this provision is:

Principle designed to be narrow

The Commissioner expects that NPP 6.2 will rarely be used as its application is designed to be narrow. It does not apply to raw opinions about or assessments of clients, competitors etc. It is not a blanket exception allowing organisations to refuse access to information that indicates the organisation's opinion of an individual. It allows an organisation the latitude not to release information that would reveal the formulae, or the fine details of the evaluative process the organisation uses in its commercially sensitive business decisions.

In most cases, access in these circumstances is sought to try and find out why an adverse decision has been made by an organisation. This concern can usually be met by explaining (so far as possible) the reasons for the actual decision.

Caution needed in exercising NPP 6.2

An organisation should proceed cautiously when using this principle. An organisation would be in breach if it refused to allow direct access to personal information on the grounds that commercially sensitive information was involved and it was later found that this was not the case. (See Note in Privacy Act to NPP 6.2.)

Example - Information and formula in processing application for bank loan

An individual has applied to a bank for a personal loan. The bank collects information from the individual about income, assets, other loans and employment history. With the individual's consent it might collect some information, for example credit worthiness information from other sources.

The bank makes its decision by giving different weights to each factor. If the bank has a formula, based on its experience, for weighing up the various factors, it is the information that would reveal that internally derived formula or weightings given to various factors that could be withheld under this principle. The individual would continue to have a right to access the raw facts and opinions that were inputs to the evaluative process. Instead of providing access to information that would reveal how much weight is given to the different factors, NPP 6.2 provides a path by which the bank can keep that commercially sensitive information about its processes to itself, and instead provide the individual with the reasons for its decision. The reason for the decision might be as broad as "you did not pass our risk assessment process" or "the combination of your liabilities and employment history meant that you failed our risk assessment process." Individuals would also be entitled to access the raw information that went into the decision making process.

Using an intermediary NPP 6.3

Introduction

An organisation is required to provide access to an individual's personal information it holds when the individual asks to see that information. However the previous sections illustrate that if one of the exceptions to NPP 6.1 applies, organisations may not have to provide an individual with access to their personal information. In such circumstances the organisation is still able to give access but if it decides not to, NPP 6.3 requires the organisation to consider using an intermediary, if reasonable.

Use of an Intermediary as an alternative to direct access

An intermediary should not be used by an organisation as a way to reduce access to information but as an alternative to denial of access to the individual.

This principle provides room for the organisation and the individual to negotiate alternatives to direct access where the organisation is able to deny access under one of the exceptions to NPP 6.1. The Commissioner suggests that organisations approach the possible use of intermediaries in a facilitative manner - in the spirit of providing the individual with as much access to their information as is reasonable in the circumstances, taking into account the reasons for access being denied in the first instance.

Use of intermediary where there is a serious threat to health and safety

It is anticipated that the use of intermediaries will play an important role where access is denied on the grounds of serious threats to health and safety, particularly where access is expected to be seriously detrimental to the health of the individual concerned. In this situation access via a trusted and appropriately qualified third party may be able to avert the threat.

What is an intermediary?

An intermediary is a person or persons acceptable to both the organisation and the individual. The role of the intermediary is to have access (authorised by the individual) to the personal information requested by the individual and to explain the contents of the individual's personal information as an alternative to denying access to the information altogether. The intermediary must not reveal any explicit information or details of information covered by an exception unless the organisation later decides this is appropriate.

When is it reasonable to use an intermediary?

When access is refused to some personal information, an organisation must consider whether access via an intermediary would meet the needs of both the organisation and the individual.

Matters to consider in using an intermediary

When considering whether to use an intermediary as an avenue to provide an individual with access to information where it would otherwise be denied, the Commissioner suggests organisations consider the following and any other issues relevant to the particular situation.

Steps an organisation should take when it is appropriate to use an intermediary

Written authorisation required

The Commissioner strongly recommends that an organisation obtain the individual's written authority before the intermediary can have access to the individual's personal information. Unless otherwise stated, this authorisation should only apply to this request.

Costs related to the use of an intermediary?

The Commissioner suggests that the organisation should bear the costs of using an intermediary.

Access and Correction and Transitional Application of NPP 6

The access and correction principle does not apply to all personal information held by an organisation.

If personal information about an individual already held by an organisation at 21 December 2001 is not used or disclosed by the organisation, then access and correction rights only apply to information collected about an individual by the organisation after 21 December 2001.

However, if the personal information already held (at 21 December 2001) is used or disclosed by the organisation after 21 December 2001, then rights of access and correction apply unless to allow access or correction rights would:

(These provisions are in section 16C of the Privacy Act.)



CHAPTER 10 - IDENTIFIERS

General background

Principle that applies to identifiers

An organisation that is considering adopting, using or disclosing a number or other identifier that a Commonwealth government agency has assigned to uniquely identify an individual will need to consider NPP 7.

NPP 7.1 prevents adoption of an identifier

NPP 7.1 says that an organisation must not adopt as its own identifier of an individual an identifier that a Commonwealth agency or contracted service provider of a Commonwealth agency has assigned to an individual. However, NPP 7.1A provides some flexibility by allowing regulations to be made that would allow certain organisations to adopt certain identifiers in certain circumstances.

NPP 7.2 prevents use or disclosure of an identifier

NPP 7.2 places limitations on when an organisation may use or disclose a Commonwealth government identifier. It says an organisation must not use or disclose an identifier assigned by an agency or a contracted service provider unless such use or disclosure:

Role NPP 7 plays in protecting privacy

Organisations and agencies use identifiers to keep track of information they hold about individuals. They help to prevent the organisation or the agency from using or disclosing information about the wrong person. However, an identifier, if widely used, can also have the potential to enable an agency or organisation to link together very accurately many different kinds of information about an individual collected from many different sources in ways that the individual may not agree with or expect. NPP 7 aims to ensure that an identifier a Commonwealth government agency uses for a particular function or activity does not become more generally adopted and used as an identifier for organisations for a whole range of other unrelated functions and activities and by stealth become a kind of universal identifier.


More information about NPP 7 and identifiers

What is an identifier?

NPP 7.3 says that an identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of its operations. An identifier can be numbers, letters or both, but is not limited to letters or numbers. However, NPP 7.3 says that an individual's name or Australian Business Number (ABN) is not an identifier.

Examples of identifiers include Medicare numbers and pension numbers.

NPP 7 does not apply to State Government identifiers

NPP 7 only applies to identifiers that an "agency" or a contracted service provider of an agency has assigned. In the Privacy Act an agency means a Commonwealth Department, Minister, or other Commonwealth body (see s 6).

It does not apply to identifiers, such as a driving licence number, that a State government department has assigned to individuals.

Organisations can collect an identifier

NPP 7 does not stop an organisation from collecting an identifier in some circumstances. For example, an organisation might ask an individual to put his or her pension number on a form to indicate that the person is entitled to a concession. However, the organisation could not link this number to a person's name and address as a way of finding the individual on the organisation's database or to link other information about the individual together.



CHAPTER 11 - ANONYMITY

Background

What NPP 8 says

NPP 8 provides that individuals must have the option of not identifying themselves when entering transactions with an organisation wherever this is lawful and practicable.

Role NPP 8 plays in protecting privacy

Anonymity is an important aspect of privacy. Having the option of entering transactions anonymously enables an individual to exercise greater control over the flow of information about themselves and their activities. People desire anonymity for a variety of reasons. An individual may wish to keep personal information from businesses to avoid being targeted for direct marketing. Anonymity may be necessary to prevent public knowledge of one's whereabouts in order to avoid physical danger, for example from a former abusive partner. One of the rationales of NPP 8 is to enable people to maintain the level of privacy with which they feel comfortable, without being disadvantaged or denied benefits for not providing information about themselves.

Organisations should keep their practices under review and seek anonymous alternatives to the use of identifiers. Improvements in technology may well provide new options in this area.


NPP 8 will affect design of new technology

NPP 8 has substantial implications for the design of information technology systems. Computerised and online databases, electronic processing of information, the use of electronic transactions as a means of doing business and Internet data collection devices such as cookies and web bugs make it possible for detailed monitoring and recording of a person's activities to take place, often without their knowledge or consent.

Technological developments combined with commercial and administrative imperatives have led to organisational practices in which more information than is necessary is collected. Increasingly, the default option is for transactions between organisations and individuals to be identified and for as much personal information as possible to be collected for future use.

NPP 8 along with NPP 1.1 seeks to reverse through law the trend in new and existing information systems to collect more personal information than is necessary for a transaction. NPP 8 provides that as a general rule, individuals should be given the option of dealing with organisations in the real and e-world without identifying themselves.


Anonymous and identified transactions

An anonymous or non-identified transaction is one in which the identities of the parties to the transaction cannot be ascertained. In other words, no personal information is collected during the transaction. Cash payments for goods and services are usually anonymous transactions.

A transaction is identified if a party to the transaction is described with sufficient detail that the transaction can be linked to a specific individual. Some examples of identified transactions include credit card transactions, applications for loans, and websites that require the provision of personal details as a condition of use.

The Privacy Act defines personal information as any information "about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion". Data recording a transaction that does not explicitly identify a person may be personal information in circumstances where an organisation can "reasonably ascertain" the person's identity from other sources of information to which it has access.


Lawful and practicable

As a general rule, an organisation must allow an individual to enter a transaction without requiring identifying information. NPP 8 applies wherever it is lawful and practicable, which means that an organisation does not have to provide the option of anonymity when it is either unlawful or impracticable.

When is anonymity unlawful?

NPP 8 recognises that there are some circumstances in which the law requires the parties to a transaction to be identified. It is unlawful to provide the option of transacting anonymously when there is a legal requirement, under Commonwealth, State or Territory legislation or common law, stating that the identity of each party to the transaction must be recorded. Transactions in which identifying information must be collected include transfers of interests in land or property, the opening and operation of bank accounts, significant cash transactions, and income payment and taxation deduction returns by employers to a taxation authority.

When is anonymity impracticable?

An organisation does not have to provide the option of anonymity under NPP 8, where it is impracticable to do so. It may be impracticable where a transaction cannot be carried out without providing identifying information, such as in credit card transactions or payments by cheque. However, additional cost, inconvenience or administrative inefficiency will not be sufficient grounds for refusing an anonymous transaction.

Some of the factors that affect whether it is practicable for an individual to enter a transaction without identifying information are:

Anonymity in information systems

In establishing or updating information systems, organisations need to examine whether an individual's identity is necessary for the operation of various processes within the system. Anonymous access to information systems should be the default unless it is either unlawful or impracticable. The onus is on an organisation to justify why collecting personal information is necessary. If anonymity is either unlawful or impracticable, the collection and retention of personal identifying information should be kept to a minimum.

Automatic electronic systems should look for ways of not collecting or recording information. For example, transport payment systems can be operated anonymously through the use of stored value cards that are designed to pay for passage through toll roads or to pay for journeys on trams. Because electronic road toll systems now identify where you are going, anonymous ways of paying should be examined, such as pre-payment by cash instead of by credit card. Electronic payment systems, such as digital cash (in the sense of an anonymous digital payment system), can facilitate anonymous transactions on the Internet.


Websites and privacy enhancing technologies

The information economy is borderless. While Australian organisations operating online must comply with NPP 8, companies operating outside the jurisdiction of the Privacy Act are not subject to the NPPs. Furthermore, the small business and journalism exemption will exempt many organisations operating online from the application of the NPPs.

In these circumstances, the use of privacy enhancing technologies may enable individuals to enhance or maintain their online privacy. These technologies include disabling and circumventing mechanisms, encryption, secure payment mechanisms and Platform for Privacy Preferences (P3P). For example, it is possible to set web browsers so that they will not automatically accept cookies. The browser will inform the user that a web site requires that cookies be accepted as a condition of access or of undertaking certain activities online, and the user will be able to choose whether or not to accept that cookie.

It is important to note that the existence of privacy enhancing technologies does not derogate from the obligation of an organisation operating a website to permit users to access services without identifying themselves.



CHAPTER 12 - TRANSBORDER DATA FLOWS


Introduction

This chapter is designed to inform organisations of their obligations under NPP 9 - transborder data flows. It will advise on the circumstances in which organisations can transfer personal information overseas to foreign recipients (other than to the individual that the information is about). This principle is based on Article 25 of the Directive 95/46 of the European Union (EU Directive).


General Background

International transfer of information is increasing

There has been a tremendous increase in data flows across national borders in recent years, made possible by advancements in technology. Today, personal information can readily be transferred to a location outside Australia's legal jurisdiction, which has the potential to undermine the rights and obligations provided by domestic law. This means that privacy rights cannot be assured by developing safeguards that apply exclusively at the national level unless the flow of information across jurisdictions remains protected at its destination.

Allowing an unregulated flow of personal information will necessarily be detrimental to the rights of the individual. However, as with the free movement of goods and services there can also be many benefits associated with allowing personal information to be traded across borders. For example, it may be cheaper for organisations to contract certain services in foreign countries where provision of the service necessitates access to the personal information of an organisation's customers.

Role of NPP 9

Taking these factors into account, the aim of NPP 9 is not to halt the transfer of personal information outside Australia. It is to provide a suitable balance by allowing personal information to be moved across jurisdictions in a way that ensures the privacy rights of the individual.

The role NPP 9 plays in protecting privacy is that it gives individuals control over what happens to their personal information. Limiting the flow of personal information overseas to countries or circumstances that can guarantee individuals the same privacy rights as they have in Australia is essential to ensuring control.

Summary of NPP 9

In the simplest terms, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme (except with the individual's consent).

NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned. Where an organisation transfers personal information out of Australia to another part of the same organisation, section 5B of the Privacy Act will apply. Section 5B provides for the Act to operate extra-territorially in some circumstances.


Obligations when transferring data overseas

When an organisation can transfer personal information overseas

The limited circumstances in which personal information may be transferred to a recipient in a foreign country other than the organisation or the individual are listed in NPP 9(a)-(f). These guidelines discuss them in turn below.

A reasonable belief that there are substantially similar obligations - NPP 9(a)

What NPP 9(a) says

NPP 9 allows an organisation to transfer personal information overseas if it reasonably believes that the recipient of information in a foreign country is subject to a law, binding scheme or contract that places substantially similar obligations on the recipient as would be the case if they were bound by the NPPs.

Forming a reasonable belief

An organisation must take responsibility for judging the adequacy of these obligations, as it is the organisation that is ultimately responsible for ensuring the personal information it has collected is safe from unauthorised access and misuse.

What constitutes grounds for "reasonable belief" is likely to vary with the situation. It will not be sufficient, for example, to claim that the data was sent to an organisation in a member state of the EU. Not all EU member states have implemented the EU Directive. In most cases the Commissioner will be looking for evidence that the organisation has sought legal advice from an expert suitably qualified in data privacy matters that the receiving organisation meets the requirements of NPP 9(a). The legal advice must also predate any complaint received and be relevant to the timing of the data transaction.

What is substantially similar

For a law, binding scheme or contract to be considered "substantially similar" to the NPPs, the foreign recipient must be required by that law, binding scheme or contract to effectively uphold a set of principles that offers as much protection to an individual's personal information as would be required of the organisation under the NPPs.

Assessing substantial similarity

When assessing whether the obligations faced by the recipient are substantially similar, the organisation must take into consideration all the circumstances surrounding a data transfer. It should give particular consideration to:

Nature of data

An organisation will need to take into account the fact that the NPPs give greater protection to sensitive information and that what is adequate protection will vary in line with what the Commissioner would regard as reasonable in the various relevant circumstances in relation to the NPPs. For example, an organisation will need to ensure greater protection for personal information where the consequences of inappropriate use or disclosure are greater or the data is sensitive.

Complaints and enforcement mechanisms

Part of ensuring that a recipient is bound by substantially similar obligations is ensuring that there is an effective complaints handling process that is accessible to individuals. If an individual cannot gain access to a foreign country's legal system, or relevant alternative dispute resolution system, then the Commissioner is most unlikely to deem the recipient to be bound by substantially similar obligations.


The use of contracts and binding schemes

Where the law of the country in which the recipient is based does not bind the recipient to substantially similar data protection obligations, contracts are a likely way to secure the privacy rights of individuals.

If the laws of the foreign country to which the recipient of the data is subject impose requirements that oblige the recipient to handle personal information in a way that undermines a contractual agreement, then the recipient cannot be deemed to be subject to substantially similar obligations as would be the case if they were bound by the NPPs.

Web seals and similar types of assurances (including industry based codes of conduct) are not in themselves enough to constitute good grounds for an organisation to claim a "reasonable belief". This is because the standards imposed on organisations by the owners of seals or other assurances will vary greatly although some may require appropriate standards. Exporting organisations will still be required to test that substantially similar obligations are in place even if the recipient claims to abide by certain standards. As mentioned above, testing may involve seeking legal advice.

Gaining consent - NPP 9(b)

The Act provides for several exemptions to the above rule regarding substantially similar requirements for the handling of personal information. The first and most important is when the individual gives consent for the information to be transferred overseas. When obtaining consent for the information transfer it is important that the individual in question is aware that the obligations on a foreign recipient are not substantially similar to the obligations of an organisation bound by the NPPs.

If consent has not been gained - NPP 9(e)

NPP 9(e) provides for a transfer to occur even though consent has not been obtained. Chapter 3 sets out details of gaining consent. However, in this situation the transfer must be for the benefit of the individual and the organisation will have to show grounds for a belief that, if it were practicable to obtain consent, the individual would be likely to give it.

Performance of a contract - NPP 9(d)

Data can also be transferred to someone in a foreign country if the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.

When handling a complaint that relies on this principle the Commissioner will be looking to see whether the contractual provisions that protect "the interests of the individual" include the privacy rights attributed to individuals under the NPPs.

Reasonable steps - NPP 9(f)

The Privacy Act also allows personal information to be transferred overseas if the exporting organisation has taken all reasonable steps to ensure that the recipient will not hold, use or disclose the information in a manner inconsistent with the NPPs.

When investigating a complaint based on use of NPP 9(f), the Commissioner will be using NPP 9(a) as the benchmark; in other words, the reasonable belief must have grounds as strong as those behind NPP 9(a). The Commissioner will also be looking for strong evidence behind the formation of the reasonable belief, which in most cases will need to be evidence that the organisation has sought legal advice from an expert suitably qualified in data privacy matters and that the legal advice pre-dated the complaint and was relevant to the timing of the data transmission.



CHAPTER 13 - HEALTH RESEARCH, HEALTH MANAGEMENT AND THE NPPS


General background

The NPPs provide some flexibility for the collection, use and disclosure of personal health information for research that is relevant to public health and safety and when health information is to be used for managing a health service.

When de-identified information is not suitable for the research or management purpose, and it is impracticable to seek the individual's consent, then so long as certain procedures and guidelines are followed, identifiable health information may be collected, used and disclosed for research, and collected for management purposes.


Get consent where possible for collection of health information for research, statistics and management activities involving identifiable health information

As is always the case under the NPPs, it is best to get consent to the collection of health information for these purposes. The Commissioner strongly advises organisations to consider all possible (non-coercive) ways of asking for consent, before proceeding with collecting health information without consent for research or statistical purposes relevant to public health or safety or collecting information to manage, fund or monitor a health service.

The NPPs recognise, however, that there may be some limited cases where it is appropriate to conduct research that requires the collection, use or disclosure of health information without the consent of the individuals concerned. Similarly, the NPPs recognise that there may be some limited management procedures where it is appropriate to collect health information without consent.


Collection without consent for the purposes of research, statistics or the management, funding or monitoring of a health service - NPP 1, NPP 10.3

What NPP 10.3 says

NPP 10.3 allows an organisation to collect health information without the consent of the individual where it is collecting the information for:

This exception only applies if all of the following requirements are met.

NPP 1 collection requirements still apply

The usual provisions of NPP 1 still apply when information is collected according to NPP 10.3 so that:

Considerations if proposing to collect health information under NPP 10.3

What NPP 10.3 says

NPP 10.3 allows for collection of health information without consent for research, statistics and various management purposes in three circumstances:

This part of the Guidelines deals first with collection of health information in accordance with section 95A guidelines and then with collection required by law and in accord with the binding rules of professional medical bodies as the latter two may be used infrequently.

Collection of health information under the proposed guidelines (approved under section 95A of the Privacy Act)

An organisation will need to consider the following questions before going ahead with research, statistical work or management and funding activities that require personal health information to be collected without consent and where the collection is not required by law.

Can de-identified data achieve the purpose?

The organisation first needs to consider whether the purposes of research, statistics relevant to public health or safety or the management (etc) purposes could be achieved with de-identified data. For more information about what de-identified data is, see the section at the end of this chapter.

Using de-identified data can overcome the problem faced in some research projects, where the researcher considers that the process of seeking consent to collection of health information would lead to a biased research population and then distorted research results.

In the event of a complaint about collection of personal health data without consent for research, the Commissioner would require the organisation to demonstrate that it had considered in detail and with care whether de-identified data could be used, for example by providing written reasons for concluding that identified data needed to be collected.

An example of a circumstance in which de-identified health information might not achieve the purposes is where a project involves linking information about individuals from two or more sources and identified information might be needed to correctly link records from each data source.

However, even when identifying information is required, it may not be necessary to store the identified information. In the example above, once the linkage has been achieved, the organisation could consider whether identifying information (e.g. name, date of birth, demographic information) could be deleted from the linked file.

The Commissioner is unlikely to accept that the questions of whether it is impracticable to obtain consent, or whether de-identified information could be used, have been properly answered unless they have been considered and sanctioned by a properly constituted Ethics Committee in accordance with guidelines approved by the Commissioner under section 95A.

For more on de-identification of data, see below.

Is it impracticable to seek the individual's consent to the collection of their health data?

If the organisation or other relevant body has concluded that its purposes cannot be achieved without identifying the individuals involved, then it should generally seek the consent of the individual or individuals concerned. To be valid, consent must be freely given and individuals accurately informed about what they are consenting to. Consent is discussed in more detail in Chapter 3.

In deciding whether it was impracticable for the organisation to seek an individual's consent for the purposes of NPP 10.3 the Commissioner would look at all the circumstances.

The Commissioner would not accept an organisation's argument that seeking consent was impracticable merely because it was inconvenient or would be commercially unprofitable. An example of where it might be impracticable to obtain consent is where there is no current address and insufficient details about identity to find an up to date address. This is most likely to occur where the research involves the use of old records and it is reasonable to assume that a high proportion of people would have changed addresses.

Questions for consultation

13.1 Do you agree with the example of a situation where it may be impracticable to obtain consent?

13.2 Can you suggest other examples of where it is impracticable to obtain consent?

13.3 Can you suggest other factors that you think should be taken into account when considering whether it is impracticable to obtain consent?

In the case of research and statistics - is the research or statistics "relevant to public health or public safety"?

NPP 10.3 applies to research and the compilation or analysis of statistics "relevant to public health or public safety" (as well as the management, funding or monitoring of a health service - addressed in the following part of this chapter).

The Privacy Act does not define "public health or public safety". These terms are discussed in Chapter 2 - Explanation of Terms.

To be "relevant" the outcome of the research or the statistics must have an impact on or provide information about public health and safety.

Examples of research relevant to public health or public safety might be:

Examples of compilation or analysis of statistics relevant to public health or public safety might be:

What is meant by the "management, funding or monitoring of a health service"?

Examples of collection for the management, funding or monitoring of a health service might be:

  • Organisations are reminded that the identified information can only be collected for these purposes if de-identified information will not achieve the purpose and where consent is impracticable.
  • Question for consultation

    13.4 Are these examples of collecting information for management, funding or monitoring of a health service reasonable?

    13.5 Do you have other examples of acts that might fall into these categories?

    Collection of health information for research, statistical or management, funding or monitoring of a health service where it is required by law

    NPP10.3 d(i) permits the collection of health information where it is required by law.

    A law requires collection of information if the individual or the organisation that has the information is compelled to provide it to someone. This is a more stringent threshold than where a law authorises or permits collection of information. (In the latter case, the collector of the information has discretion about whether or not to ask for the information and the holder of the information has discretion over whether to provide the information.)

    An example of when health information might need to be collected for statistical purposes as required by law is where collection is required under State or Territory Health Acts as in the case of notifiable diseases.

    Collection of health information in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation

    NPP 10.3 (d)(ii) permits collection of health information without consent where it is collected in accordance with binding rules dealing with obligations of professional confidentiality of a competent health or medical body.

    Two key elements of this requirement are that the rules dealing with obligations of professional confidentiality are binding and that they are issued by competent health and medical bodies

    What is a competent health and medical body?

    The Commissioner considers that a competent health or medical body would be one that is referred to in Federal, State or Territory health law as a decision making body on registration and regulation of health professionals. The Commissioner is unlikely to accept other bodies as "competent" in terms of NPP10.3(d).

    Question for consultation

    13.6 Are there other or additional criteria that should be used for determining what is a competent health or medical body?

    What are binding rules dealing with obligations of professional confidentiality? In considering whether rules are binding, the Commissioner would in the first instance be looking to see if there are any sanctions or penalties for organisations that do not comply with the rules. Sanctions or penalties would include powers to de-register a professional or prevent the person from practicing in the professional capacity.

    The Commissioner considers that a contract binding an organisation to rules of professional confidentiality (issued by a competent health or medical body) is probably insufficient to satisfy the requirement under NPP 10.3(d)(ii) that the rules are binding. Difficulties with contractual obligations are the lack of transparency about what the nature of the obligations and difficulty in enforcing the provisions.

    An example of rules established dealing with obligations of professional confidentiality might be rules like those in the RACGP "Code of Practice for the Management of Health Information in General Practice." However the Commissioner understands that these rules are not binding on General Practitioners and consequently they would not satisfy all the requirements in NPP 10.3(d)(ii).

    The Commissioner is unaware of any existing rules that would satisfy all the requirements of NPP 10.3(d)(ii).

    The Commissioner expects that, most commonly, researchers and others making use of the exemption under NPP 10.3 will be relying on the guidelines to be approved under section 95A of the Privacy Act. These are discussed in further detail below.

    Question for consultation

    13.7 Are there any existing "rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation"?

    13.8 Should contractual obligations to comply with rules of professional confidentiality be considered sufficiently binding for the purpose of National Privacy Principle 10.3(d)(ii)?

    Collection by one organisation from another organisation

    Organisations collecting health information from another organisation will need to be aware that the other organisation can only disclose personal health information in accordance with NPP 2.

    In effect this means that the disclosing organisation can only disclose (identified) personal health information to a researcher:

    De-identifying health information collected for research, statistics or monitoring before disclosing it - NPP 10.4

    If an organisation collects data under NPP 10.3, it must take reasonable steps to permanently de-identify it before disclosing it. This means that where an organisation collects information for research and statistical purposes relevant to public health or public safety without the individual's consent, the organisation must not disclose the information without first taking reasonable steps to permanently de-identify it.

    Example:

    A researcher collects information from a private hospital about patients who were treated 15 years ago. It was not possible to use de-identified information for this project and it was impracticable to seek the consent of the individuals concerned. The project was considered under and conducted in accordance with section 95A guidelines (once they are developed). The research organisation cannot disclose this information without taking reasonable steps to permanently de-identify this information. One effect of this is that the research organisation must ensure any results of the research that are published or disclosed do not reveal the identities of the data subjects. It also means the research organisation cannot pass on identified data to another research organisation for a different research project.

    For more information about de-identified data see below.

    Using or disclosing health information for research and statistical purposes without consent - NPP 2.1(d)

    If an organisation has collected health information for a specific research or statistical purpose, and this is the primary purpose for collecting information, it is permitted to use or disclose the information for that purpose. (See Chapter 5 for more discussion on use and disclosure of personal information for the primary purpose for which it was collected.)

    Where the information being used for research or statistical work was not collected for that purpose, and where such research or statistical work is not a directly related secondary purpose for which the individual would expect the information to be used, generally speaking consent is required for that use unless the data is used in de-identified form.

    However, NPP 2.1(d) allows an organisation to use health information without consent for:

    Organisations wishing to use or disclose health information for research and statistical purposes relevant to public health and public safety should first consider whether there is any practicable way of obtaining consent from individuals to use the information for this purpose. If obtaining consent is impracticable then organisations could consider whether they could comply with NPP 2.1(d) that requires that:

    For discussion of the section 95A guidelines see below. The Commissioner anticipates that the section 95A guidelines will address the question of whether NPP 2.1(d) use or disclosure should only proceed when the purpose cannot be served by information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained.

    How collection, use and disclosure principles work for management, funding or monitoring of a health service

    If an organisation has collected information for the primary purpose of management, funding or monitoring of a health service, then the NPPs allow the organisation to use and disclose the information for that purpose. (See chapter 5 for more discussion on the primary purpose of collection.)

    While NPP 10 specifically addresses the collection of health information for the management, funding and monitoring of a health service, NPP 2 does not specifically address the use and disclosure of personal information for these purposes.

    Where the information being used or disclosed for managing, funding or monitoring was not collected for that primary purpose, and where this use is not a directly related secondary purpose for which the individual would expect the information to be used, then generally speaking consent is required for that use or disclosure.

    Some management, funding and monitoring purposes would be "directly related" uses or disclosures of health information collected by a health service when treating an individual.

    It is the Commissioner's view that some kinds of management are "directly related" secondary purposes. (See discussion of "directly related" in Chapter 5.) Uses for a directly related purpose would include uses for:

    Examples of disclosures for a directly related purpose would include:

    Must also be within reasonable expectations

    Note that for an organisation to rely on NPP 2.1(a) to use or disclose sensitive information the use or disclosure must be within the reasonable expectations of the individual as well as directly related. See Chapter 5 for more discussion of NPP 2.1(a).

    Question for consultation:

    13.9 Are there other examples of management, training or monitoring purposes for which de-identified information would not be suitable?

    Section 95A guidelines

    The Privacy Act (section 95A) gives the Commissioner power to approve guidelines issued by the National Health and Medical Research Council (NHMRC) or a "prescribed authority" for the collection, use and disclosure of personal health information for research, statistics and management, funding or monitoring of a health service where there is a substantial public interest in doing so.

    Decisions on whether any other organisations will be prescribed rest with the Federal Attorney-General.

    National Principles 10.3 (d)(iii) and 2.1(d) refer to the guidelines to be issued under section 95A of the Privacy Act. Both these principles require organisations to comply with the guidelines in certain circumstances. NPP 2.1(d) (which permits use and disclosure of personal health information for research and statistical purposes relevant to public health) will not operate unless the Commissioner has approved guidelines under section 95A.

    The Commissioner understands that the NHMRC will be developing guidelines during 2001, which it will be asking the Commissioner to approve under section 95A of the Privacy Act.

    The NHMRC has issued guidelines for the protection of privacy in the conduct of medical research that are approved by the Commissioner and issued under section 95 of the Privacy Act. These guidelines set out the requirements for researchers wishing to use personal information held by Commonwealth agencies for medical research in ways that are not otherwise permitted under the Privacy Act.

    The Commissioner expects that the guidelines to be developed under section 95A of the Privacy Act will put in place similar ethical committee structures and cover many of the same issues as the existing NHMRC "Guidelines under section 95 of the Privacy Act" (March 2000) and the NHMRC's "National Statement on Ethical Conduct in Research Involving Humans" (1999).

    However, there will be differences due to the different construction in the Privacy Act of the NPPs and the principles applying to Commonwealth agencies (the Information Privacy Principles).

    The section 95A guidelines could set a high barrier for deciding when consent for the collection, use and disclosure of health information is not required, as the NPPs require that obtaining consent be "impracticable". The Commissioner understands that under the existing NHMRC guidelines an Ethics Committee may exempt a researcher from seeking consent in epidemiological research if the Committee is satisfied that seeking consent may cause "unnecessary anxiety for those whose consent would be sought … and there will be no disadvantage to the participants or their relatives or to any collectivity involved" (paragraph 14.4 of the National Statement on Ethical Conduct in Research involving Humans, June 1999).

    While responsibility for the content of the guidelines put to the Commissioner for approval rests with the NHMRC, to assist in the understanding of how the guidelines might operate, some of the Commissioner's expectations of the guidelines are outlined below. The Commissioner anticipates that section 95A guidelines:

    Question for consultation:

    13.10 Should more be said about section 95A guidelines for the "management, funding or monitoring of a health service"?

    What is de-identified information?

    NPP 10.4

    Permanent De-identification

    NPP 10.4 requires organisations collecting information in accordance with NPP 10.3 to take reasonable steps to permanently de-identify the information before disclosing it. De-identified information is information that cannot be re-identified.

    The test for whether information is identifiable is whether the identity of the individual is apparent, or may reasonably be ascertained, from the information. (From the definition of "personal information" in the Privacy Act.)

    A de-identification procedure therefore fails if, from the resulting information, the identity of an individual may be reasonably ascertained.

    Reasonable steps to de-identify information generally include:

    Strict standards for health information

    Due to the sensitivity of health information, the Commissioner will interpret the "reasonably ascertained" standard very strictly. In particular, given the availability of sophisticated "data mining" and other data processing techniques, particular care must be taken to ensure that personal health information has been permanently de-identified including in the hands of any recipient of the data.

    Consider re-identification capabilities of the organisation to whom you are disclosing

    Organisations planning to disclose de-identified health information must take account of the context into which they are releasing the information. Whether or not an individual's identity may be ascertained from a given set of data depends on what other information is available to the receiving organisation. It is the Commissioner's view that unless the disclosure is strictly constrained to individuals or organisations with limited access to re-identification techniques, the de-identification procedure must be robust enough to defeat significant attempts at re-identification.

    Simple de-identification techniques may not be adequate

    De-identification does not mean simply stripping the information of names and addresses. Organisations undertaking de-identification of health information should carefully consider the extent to which any individual's identity may be reasonably ascertained by the collecting organisation.

    Techniques which de-identify most of the information in a large data set may not de-identify all the information in the data set. For example, replacing address information with postcodes may be a sufficient form of de-identification in areas where there are large populations in a given postcode. If, however, the information includes details about unusual conditions or diseases or combinations of characteristics shared by only one or two people in the postcode, then it may be possible to identify the subjects of that information. For this reason, personal health information identified by postcode would not usually be considered de-identified.
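    The check below is an added worked example and is not part of the guidelines or of any Office tool. It shows, on constructed sample records (not real patients), why stripping names and addresses and keeping the postcode is not enough: a record whose combination of postcode, sex, birth year and condition is shared by fewer than k other records can be singled out by anyone who already knows those facts about a person. The function names, the k threshold of 2, and the generalisation and suppression steps are assumptions chosen for illustration; the rule of thumb they implement is the one the paragraph states.

```python
"""Re-identification risk check for a naively de-identified health data set.

Added example, not from the draft guidelines. All records below are
constructed sample data; postcodes, birth years and conditions are invented.
"""
from collections import Counter

# Constructed records after a naive de-identification step:
# name and street address removed, postcode kept.
RECORDS = [
    {"postcode": "2000", "sex": "F", "birth_year": 1961, "condition": "influenza"},
    {"postcode": "2000", "sex": "F", "birth_year": 1961, "condition": "influenza"},
    {"postcode": "2000", "sex": "M", "birth_year": 1975, "condition": "influenza"},
    {"postcode": "2000", "sex": "M", "birth_year": 1975, "condition": "influenza"},
    # rare condition: only one such person in the postcode
    {"postcode": "2000", "sex": "F", "birth_year": 1948, "condition": "haemophilia"},
    # sparsely populated postcode: only one record from it
    {"postcode": "2880", "sex": "M", "birth_year": 1978, "condition": "influenza"},
]

# Attributes that, in combination, can be matched against outside knowledge.
QUASI_IDENTIFIERS = ("postcode", "sex", "birth_year", "condition")


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[key] for key in keys) for r in records)


def re_identifiable(records, keys=QUASI_IDENTIFIERS, k=2):
    """Return the records whose quasi-identifier combination is shared by
    fewer than k records.  Those records fail the "reasonably ascertained"
    test: a recipient who knows, say, that a particular person with a rare
    condition lives in that postcode can single the record out."""
    sizes = group_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[key] for key in keys)] < k]


def is_k_anonymous(records, keys=QUASI_IDENTIFIERS, k=2):
    """True when every quasi-identifier combination occurs at least k times."""
    return not re_identifiable(records, keys, k)


def generalise(records, postcode_digits=1, year_bucket=10):
    """One reasonable further step: coarsen the postcode to a region prefix
    and the birth year to a decade.  Returns new records; input is untouched."""
    out = []
    for r in records:
        g = dict(r)
        pc = r["postcode"]
        g["postcode"] = pc[:postcode_digits] + "*" * (len(pc) - postcode_digits)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out


def suppress(records, keys=QUASI_IDENTIFIERS, k=2):
    """Drop records that generalisation alone could not hide (here the rare
    condition).  Suppression loses data, so it is the last resort."""
    risky = re_identifiable(records, keys, k)
    return [r for r in records if r not in risky]


if __name__ == "__main__":
    print("risky after stripping names/addresses:", len(re_identifiable(RECORDS)))
    coarse = generalise(RECORDS)
    print("risky after generalising postcode and birth year:", len(re_identifiable(coarse)))
    released = suppress(coarse)
    print("records released:", len(released), "k-anonymous:", is_k_anonymous(released))
```

    Run as written, the first pass flags two records: the haemophilia case and the single record from postcode 2880. Generalising the postcode to a region and the birth year to a decade hides the second but not the first, because the rarity lies in the condition itself; only suppressing (or further generalising) that record leaves a data set in which every combination occurs at least twice. The k value to insist on, and which attributes count as quasi-identifiers, depend on what other information the recipient could hold, which is the point made under "Consider re-identification capabilities" below.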

    Safeguards for disclosing de-identified information

    Under certain circumstances, NPP 10.4 requires an organisation to take "reasonable steps to permanently de-identify" information before disclosing it. It is the Commissioner's view that "reasonable steps" include ensuring that the de-identified information cannot be re-identified in the hands of the recipient of the data. This may involve seeking assurances from the collecting organisation regarding the security and future uses and disclosures of the information.

    In particular, to ensure that de-identified information does not pose any future privacy risk, the Commissioner recommends that the collecting organisation and the disclosing organisation establish an agreement to the effect that the collecting organisation will not attempt to re-identify de-identified information, and that the collecting organisation will enter into a similar agreement with any other organisations to which it may disclose the de-identified information in the future.

    Question for consultation:

    13.11 Can you suggest other ways to ensure that information is permanently de-identified?


    APPENDIX I - NATIONAL PRIVACY PRINCIPLES

    Extracted from the Privacy Act 1988

    The following NPPs are extracted from the compilation of the Privacy Act 1988 (Act No. 119 of 1988, as amended) prepared on 10 January 2001, incorporating amendments up to Act No. 155 of 2000.

    [Note: The amendments made by the Privacy Amendment (Private Sector) Act 2000 (Act No. 155 of 2000) have been incorporated in this compilation for the convenience of users.

    As at 10 January 2001, the amendments and provisions made by Schedule 1 are un-commenced. Schedule 1 of the Privacy Amendment (Private Sector) Act 2000 will commence on 21 December 2001.]

    Prepared by the Office of Legislative Drafting, Attorney-General's Department, Canberra

    Schedule 3-National Privacy Principles

    1. Collection

    1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

    1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

    1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

    (a) the identity of the organisation and how to contact it; and

    (b) the fact that he or she is able to gain access to the information; and

    (c) the purposes for which the information is collected; and

    (d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

    (e) any law that requires the particular information to be collected; and

    (f) the main consequences (if any) for the individual if all or part of the information is not provided.

    1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

    1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

    2. Use and disclosure

    2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

    (a) both of the following apply:

    (i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

    (ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

    (b) the individual has consented to the use or disclosure; or

    (c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

    (i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and

    (ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

    (iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

    (iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

    (v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

    (d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

    (i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

    (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

    (iii) in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

    (e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

    (i) a serious and imminent threat to an individual’s life, health or safety; or

    (ii) a serious threat to public health or public safety; or

    (f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

    (g) the use or disclosure is required or authorised by or under law; or

    (h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

    (i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

    (ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

    (iii) the protection of the public revenue;

    (iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

    (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

    Note 1: It is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.

    Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

    Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

    2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

    2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

    2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

    (a) the individual:

    (i) is physically or legally incapable of giving consent to the disclosure; or

    (ii) physically cannot communicate consent to the disclosure; and

    (b) a natural person (the carer) providing the health service for the organisation is satisfied that either:

    (i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

    (ii) the disclosure is made for compassionate reasons; and

    (c) the disclosure is not contrary to any wish:

    (i) expressed by the individual before the individual became unable to give or communicate consent; and

    (ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

    (d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

    2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

    (a) a parent of the individual; or

    (b) a child or sibling of the individual and at least 18 years old; or

    (c) a spouse or de facto spouse of the individual; or

    (d) a relative of the individual, at least 18 years old and a member of the individual’s household; or

    (e) a guardian of the individual; or

    (f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

    (g) a person who has an intimate personal relationship with the individual; or

    (h) a person nominated by the individual to be contacted in case of emergency.

    2.6 In subclause 2.5:

    child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

    parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

    relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

    sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

    3. Data quality

    An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

    4. Data security

    4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

    4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

    5. Openness

    5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

    5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

    6. Access and correction

    6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

    (a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

    (b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

    (c) providing access would have an unreasonable impact upon the privacy of other individuals; or

    (d) the request for access is frivolous or vexatious; or

    (e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

    (f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

    (g) providing access would be unlawful; or

    (h) denying access is required or authorised by or under law; or

    (i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

    (j) providing access would be likely to prejudice:

    (i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

    (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

    (iii) the protection of the public revenue; or

    (iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

    (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

    by or on behalf of an enforcement body; or

    (k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

    6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

    Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

    6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

    6.4 If an organisation charges for providing access to personal information, those charges:

    (a) must not be excessive; and

    (b) must not apply to lodging a request for access.

    6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

    6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

    6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

    7. Identifiers

    7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

    (a) an agency; or

    (b) an agent of an agency acting in its capacity as agent; or

    (c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

    7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

    Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

    7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

    (a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

    (b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

    (c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

    Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsection 100(2).

    7.3 In this clause:

    identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

    8. Anonymity

    Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

    9. Transborder data flows

    An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

    (a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

    (b) the individual consents to the transfer; or

    (c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or

    (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

    (e) all of the following apply:

    (i) the transfer is for the benefit of the individual;

    (ii) it is impracticable to obtain the consent of the individual to that transfer;

    (iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

    (f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

    10. Sensitive information

    10.1 An organisation must not collect sensitive information about an individual unless:

    (a) the individual has consented; or

    (b) the collection is required by law; or

    (c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

    (i) is physically or legally incapable of giving consent to the collection; or

    (ii) physically cannot communicate consent to the collection; or

    (d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:

    (i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

    (ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

    (e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

    10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:

    (a) the information is necessary to provide a health service to the individual; and

    (b) the information is collected:

    (i) as required by law (other than this Act); or

    (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

    10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:

    (a) the collection is necessary for any of the following purposes:

    (i) research relevant to public health or public safety;

    (ii) the compilation or analysis of statistics relevant to public health or public safety;

    (iii) the management, funding or monitoring of a health service; and

    (b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

    (c) it is impracticable for the organisation to seek the individual’s consent to the collection; and

    (d) the information is collected:

    (i) as required by law (other than this Act); or

    (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

    (iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

    10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

    10.5 In this clause:

    non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.


    APPENDIX II

    Organisations or industries can develop a code

    The National Privacy Principles set the baseline standards for privacy protection. However, organisations or industries may have and enforce their own codes. The Privacy Commissioner must approve the code first. Once the Privacy Commissioner has approved the code, it replaces the NPPs for those organisations bound by the code. The Commissioner can revoke a code.

    A code can have its own complaints handling mechanism

    A code can also include its own complaint handling mechanism. If it does, it must provide for the appointment of an independent code adjudicator.

    If a code does not have a complaints mechanism, the Office of the Federal Privacy Commissioner will handle complaints and the Privacy Commissioner will be the code adjudicator.

    What happens if an organisation is not bound by a code?

    Organisations not bound by a code must comply with the National Privacy Principles set out in the Privacy Amendment Act. The Privacy Commissioner handles complaints in these circumstances.

    Code approval

    Before the Privacy Commissioner can approve a code he must be satisfied that

    If the code has a complaints mechanism

    Guidelines for code development

    The Privacy Commissioner will be developing guidelines on code development, code approval and code complaints mechanisms.


    APPENDIX III

    What powers does the Privacy Commissioner have in the private sector?

    The Privacy Commissioner has the power to

    How are decisions of the Privacy Commissioner about NPP complaints enforced?

    If an organisation does not comply with a Privacy Commissioner’s determination the Privacy Commissioner can ask the Federal Court or the Federal Magistrates Court to order the organisation to comply. An organisation that fails to comply with a court order commits an offence. The person who made the complaint could also ask the Court to enforce the determination.

    How are decisions of a code adjudicator enforced?

    As with a determination of the Privacy Commissioner, if an organisation does not comply with a code adjudicator’s determination the adjudicator can ask the Federal Court or the Federal Magistrates Court to order the organisation to comply. An organisation that fails to comply with a court order commits an offence. A code complainant could also ask the Court to enforce the determination.

      a.  Reporting about codes

      Code adjudicators will have to report each year to the Privacy Commissioner on the operation of the code. The report will have to include the number and nature of complaints made to the adjudicator under the code during the year. It will also have to include a summary of each complaint finalised, identifying, regardless of how it was resolved: the nature of the complaint; the relevant provisions of the code; and the outcome arrived at.

      b.  Review of Codes

      The Act also gives the Commissioner the power to review the operation of a code. The Privacy Commissioner might decide to do this if he has concerns after receiving a report on the operation of a code. In reviewing the code the Commissioner can consider the complaints process, inspect the adjudicator’s records, consider the outcome of complaints and interview the adjudicator.

      c. Review of code adjudicator decisions

      A person who disagrees with the determination of a code adjudicator can ask the Privacy Commissioner to review the determination.


      APPENDIX IV

      Does the Privacy Act apply to my organisation?

      The Privacy (Private Sector) Amendment Act 2000 (the Act) applies to 'organisations'. Section 6C of the Act defines what an organisation is.

      1. Are you an organisation?

      The Act defines an Organisation as:

      Some organisations are exempt from having to comply with the legislation by being excluded from the definition of Organisation. These include:

      Some acts and practices of organisations are exempt from the legislation. These are:

      See Information Sheet 5 (Exemptions) for further information on exempt acts and practices, or call 1300 363 992.

      2. What is a Small Business Operator?

      Small Business Operators are exempt from the application of the Act. Under Section 6D, an organisation will be deemed to be a Small Business Operator if:

      BUT the organisation will not be deemed to be a Small Business Operator for the purposes of the Act if it:

      3. What does it mean to opt in to the legislation?

      Despite the exclusion of Small Business Operators from the Act, a Small Business Operator may want to take advantage of the benefits that can flow from complying with the legislation, such as increased consumer confidence and trust in its operations. In acknowledgement of this, the Government has included a mechanism in the legislation to allow an otherwise exempt Small Business Operator to opt in to be covered by the Act and to be subject to the jurisdiction of either the Privacy Commissioner or an approved code adjudicator. If a Small Business Operator has opted in to be covered by the Act, it cannot claim the Small Business Operator exemption again unless it specifically opts out. The Privacy Commissioner will establish the procedures for the opt-in mechanism.

      4. Individuals

      The collection, use and disclosure of personal information by an individual is not covered by this Act unless it is done in the course of running a business. If you operate a business in your own name, then any activity undertaken in relation to your business is subject to the Act. The Act does not apply to personal information that you collect, hold, use or disclose for the purposes of your personal, family or household affairs. If you do operate a business in your own name, you may also be covered by the Small Business Operator exemption. See point 2 for further information.

      5. Bodies Corporate.

      Bodies Corporate are deemed to be organisations for the purposes of the Act. A body corporate is any entity that has a legal personality under Australian law or the law of another country. For example, in Australia this would include entities registered as a company under the Corporations Law and incorporated associations, and can include not-for-profit entities. Bodies Corporate may also be covered by the Small Business Operator exemption. See point 2 for further information.

      6. Partnerships

      Partnerships are deemed to be organisations for the purposes of the Act. It is important to note that any act done or practice engaged in by one of the partners is deemed to be an act or practice of the organisation. Obligations under the Act are imposed on each partner but may be discharged by any of the partners. A partnership may also be covered by the Small Business Operator exemption. See point 2 for further information.

      7. Unincorporated Associations

      Unincorporated associations, such as cooperatives, are deemed to be organisations for the purposes of the Act. The Act also covers acts or practices engaged in by an individual when undertaken in the capacity of a member of the committee of management. Obligations under the Act are imposed on each member of the committee of management but may be discharged by any of the members of that committee. Unincorporated Associations may also be covered by the Small Business Operator exemption. See point 2 for further information.

      8. Trusts

      Trusts are deemed to be organisations for the purposes of the Act. For the purposes of the Act, an act done or practice engaged in by a trustee is taken to have been done or engaged in by the trust. Obligations under the Act are imposed on each trustee but may be discharged by any of the trustees. A trust may also be covered by the Small Business Operator exemption. See point 2 for further information.

      9. State/Territory Governments

      Most state/territory government bodies, such as government departments, agencies, authorities and local government, are not covered by the Act. However, state/territory bodies that are incorporated companies, societies or associations are deemed to be organisations for the purposes of the Act and will be subject to the legislation. There is a provision in the legislation for these bodies to be prescribed out of the coverage of the Act, but only on request from the State or Territory and only after the Minister has considered a number of issues outlined in the legislation. These bodies may be covered by the Small Business Operator exemption. See point 2 for further information.


      APPENDIX V

      Introduction

      When the new private sector amendments to the Privacy Act 1988 come into force on 21 December 2001 not all the National Privacy Principles (NPPs) will apply to information that organisations have already collected. Section 16C of the Privacy Act sets out which NPPs will apply regardless of when the information was collected, and which NPPs will only apply to information collected after the private sector amendments commence.

      Commencement date of private sector amendments

      For organisations with a turnover of $3 million or more, and for health services, the amendments will commence on 21 December 2001. The amendments apply to some (but not most) small businesses. If they do apply, then the amendments commence for those small businesses on 21 December 2002. Small businesses not covered by the amendments do not need to read this information sheet. The table below sets out which NPPs apply when.

      NPP 1 (collection)

      NPP 2 (use and disclosure)

      NPP 3 (collection and data quality)

      NPP 3 (data quality on use and disclosure)

      NPP 4 (data security)

      NPP 5 (privacy policy and openness)

      NPP 6 (access and correction)

      NPP 7 (govt identifiers)

      NPP 8 (anonymity)

      NPP 9 (transborder data)

      NPP 10 (collection of sensitive info)

      Brief summary of which NPPs apply when

      See Information Sheet 1 for information about which businesses the new private sector provisions will apply to.