1. This chapter makes suggestions for possible amendments to definitions in the Privacy Act. These suggestions are made in line with the Office's belief that terms should be defined in a way that balances flexibility with regulatory stability. The Office submits that, if approached in this way, definitions in the Privacy Act will reflect the intentions of principle-based law.
2. As noted in IP31, much of the complexity within the Privacy Act stems from its development and amendment over many years. As such, many of the recommendations made below are aimed at updating or clarifying definitions contained within the Privacy Act and better articulating the Act's object and scope.
3. The Office supports a redrafting of the Privacy Act to facilitate a greater degree of understanding and ease of navigation for the reader.
4. The Office agrees with comments made at paragraph 3.8 of IP31 that the location of the IPPs in s 14 and the NPPs in Schedule 3 may be confusing to some stakeholders. The Office submits that the most effective solution to this complexity would be to develop a single set of privacy principles which covers both Australian Government agencies and the private sector (development of a single set of principles is discussed in Chapter 2 and in the response to question 4-34).
5. In the event that the proposal for a single set of principles was not taken up, the Privacy Act should be re-ordered to place the IPPs and NPPs in adjoining sections. A form of restructure along these lines would recognise the similar intentions and equal importance of the IPPs and NPPs.
6. At paragraph 3.9, IP31 notes the complexity surrounding exemptions to the Privacy Act. The Office submits that information relating to coverage of and exemptions to the Privacy Act could be better grouped together, more logically ordered and more clearly titled in the legislation. The Office further discusses exemptions to the Privacy Act in Chapter 5 - Exemptions.
7. As noted in Chapter 1, 'privacy' is a somewhat nebulous term. It can be interpreted in a number of ways depending on context; for instance, information privacy as opposed to physical or territorial privacy. While the Privacy Act is concerned primarily with information privacy, it provides for a broader role for the Privacy Commissioner than data protection alone.33
8. The functions of the Privacy Commissioner, outlined under s 27 of the Privacy Act, allow for actions in the interests of privacy rather than exclusively information privacy. For example, s 27(1)(r) states that the Privacy Commissioner may make reports and recommendations to the Minister in relation to any matter that concerns the need for or the desirability of legislative or administrative action in the interests of the privacy of individuals. Subsections (b), (c), (e) and (m) in s 27(1) similarly allow for a broader interpretation of privacy beyond the limits of information privacy.
9. Moreover, the Office observes that information privacy can intersect with other categories of privacy. For example, location detection technologies, which collect information about an individual's whereabouts, might be considered to cut across both information and physical privacy. In the view of the Office, the Privacy Act should therefore continue to be an instrument that can effectively respond to these broader privacy issues.
10. For these reasons, the Office believes that the name of the Privacy Act should continue to contain the broader term of 'privacy' in order to reflect the wider scope of the Commissioner's functions.
11. Since the Privacy Act commenced operation in 1989, privacy laws have been enacted in some states and territories. Multiple privacy laws can create confusion as to the coverage and jurisdiction of the different pieces of legislation.
12. To differentiate the Privacy Act from other jurisdictions that have similar legislation, the Office recommends that the Privacy Act be retitled the 'Australian Privacy Act'34. This would be consistent with the many other Commonwealth Acts which contain the word 'Australian' in their titles. In the view of the Office, this name better reflects the national application of the Privacy Act through its regulation of Commonwealth agencies and private sector organisations regardless of the state or territory in which they operate.
13. Such a change would complement Recommendation 6 of the Office's Private Sector Review in which the Office proposed that the name of the Office be changed to the 'Australian Privacy Commission'35. It is also consistent with the proposal made in Chapter 4 for the development of one set of privacy principles across Australia (see response to questions 4-34 and 4-35).
14. The Office of the Privacy Commissioner supports the inclusion in the Privacy Act of an objects clause that clearly defines the purposes of the Privacy Act and the role of the Office.
15. The Office believes an objects clause should address items such as:
16. The Office notes, however, that the content of an objects clause will be contingent on any amendments to the Privacy Act subsequent to the review process.
17. The Office supports amendment to current definitions in the Privacy Act or the inclusion of additional definitions that would aid in the clarification, understanding and interpretation of the Privacy Act.
18. The definition of personal information is contingent on context for its application. In the view of the Office, this is one of the strengths of the definition, allowing it to respond to change and technological advance. In order to alleviate any confusion generated by the flexibility of the term, the Office intends to issue further guidance material.
19. In its review of the private sector provisions of the Privacy Act, the Office received a number of submissions which supported technology-motivated changes to the definition of personal information.36 This issue was also dealt with in the Senate Committee inquiry into the Privacy Act.37
20. Currently the definition notes that information is personal information when the individual's identity is apparent or can be reasonably ascertained from the information.38 However, with the advent of new technologies it is increasingly difficult to conclude that the identity of an individual can never be ascertained from information that superficially appears to be de-identified, or not identified.
21. In the Office's review of the private sector provisions of the Privacy Act, the Office recommended that it issue further guidance, consistent with current law, on what personal information is, taking into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.39 The Office will issue guidance material to this effect.
22. The Office notes the concern that some technologically-specific identifiers may fall outside the scope of the definition of personal information. For example, the current definition potentially does not cover IP addresses, email addresses, mobile phone numbers and biometric information (as noted in IP31, paragraph 11.117).
23. However, the Office observes that information such as IP addresses and email addresses may 'fall in and out of' the definition of personal information depending on the context of the information. It may be necessary to clarify that information may become personal information after collection (due, for example, to data aggregation) and that once the information is identifiable, collection principles including notice and so on apply. It might be useful for the Office to provide further guidance materials to clarify how and when the collection principle might apply when data is aggregated.
24. The Office would caution against any amendment that sought to broaden the definition of personal information to take in an indiscriminate amount of information simply for the purpose of extending the definition to cover specific new technologies. Such an amendment may impose an unreasonable regulatory burden without necessarily offering significantly greater privacy protection. An example of this might occur where the definition of personal information was extended in a way that allowed it to cover information collected by Radio Frequency Identification (RFID) chips and in the process took in a vast amount of information that has very little bearing on individual privacy. The Privacy Act as it stands will cover information collected by RFID technology where this identifies an individual. It is the view of the Office that further privacy implications raised by RFID technologies might best be dealt with by technology-specific binding codes (see Chapter 11, question 11-4 and Chapter 6, question 6-20).
25. Further discussion of identifiable, re-identifiable and non-identifiable personal information takes place under question 8-27 and 8-28.
26. The Office believes that the definition of sensitive information should be amended to include biometric information. The justification for additional protections for biometric information is outlined in Chapter 11 at question 11-1.
27. Where sensitive information provisions in the Privacy Act are extended to cover biometric information, it will be important to clarify what form of biometric information is classified as sensitive information. The Office makes recommendations as to how biometric information might be best captured under sensitive information provisions in Chapter 11 under question 11-3(c).
28. Community attitudes research undertaken by the Office in 2001 and 2004 has indicated that individuals consider financial information to be very sensitive. In both community attitudes surveys, financial information was the top response for individuals when rating what types of information they were most reluctant to provide to organisations.40
29. The Office believes that this issue warrants further exploration to determine whether financial information should be afforded the status of sensitive information. Where a decision is made to include financial information under the definition of sensitive information, financial information will need to be adequately defined under the Privacy Act. In general terms 'financial information' may mean account numbers or account details, PIN numbers, income and asset information, bank statement information and so on. It would be important to clarify the limits of the definition of financial information in order to ensure that the definition of sensitive information would, in turn, be clear and straightforward.
30. The definition of record is critical to the operation of the Privacy Act because both the IPPs and NPPs specifically apply to personal information held, or collected for inclusion, in a record.41
31. Generally the Office finds that, used in conjunction with definitions in the Acts Interpretation Act 1901, the definition for record is adequately broad to take in new or evolving information storage media.42 However the Office submits that it may be useful to strengthen the technological relevance of the definition of record within the Privacy Act in order to clarify its scope and allow it to 'stand alone' in the legislation.
32. In particular it will be important to clarify in the definition the coverage of media which can hold or record biometric information.
33. Having said that, the Office would not be in favour of replacing the existing definition of record with a definitive list of specific information storage media. A definitive list may quickly become overtaken by new technology, thereby limiting the application of the definition. Accordingly, the Office would caution against including references along these lines in any amended definition without a broader, overarching definition that provided for technological change.
34. Currently, the definition for record in the Privacy Act includes 'a photograph or other pictorial representation of a person.' The Explanatory Memorandum to the 1988 Privacy Bill observes that 'pictorial representation' is intended to be broadly read and may take in 'a film, videotape, painting, drawing &c., of a person'.43
35. However, the specification that the photograph or pictorial representation must be of a person needlessly restricts this clause. For example, a photograph of a person's house might equally be considered personal information, particularly in the instance that the house address was apparent or the photograph was stored with other documentation from which one could surmise the identity of the resident. The Office believes that the definition of record should only describe the medium of the information rather than the information itself. For this reason, the Office would recommend the removal of 'of a person' from subsection (c) of the definition of a record.
36. The Privacy Act is commonly grouped with the Freedom of Information Act 1982 (the Freedom of Information Act) and the Archives Act 1983 (the Archives Act), in recognition of the common goal of each to regulate information handling, management and accessibility. As discussed in later chapters, these laws tend to interact with one another.
37. In the interests of facilitating smooth interaction, the Office submits that it may be useful to develop consistent definitions for 'record' and 'document' across the Privacy Act, the Freedom of Information Act and the Archives Act. Currently, the Archives Act and the Privacy Act contain different definitions for 'record' while containing no definition for document. The Freedom of Information Act, on the other hand, while containing no definition for record, does contain a definition for document. The Office believes that consistent terminology would enhance the interoperability of these pieces of legislation.
38. IP31 points out that the existing definition for identifier does not describe what an identifier is; only what it includes. The Office submits that the definition could be clarified to be more explicit as to the meaning of the term.
39. In Chapter 11, the Office argues for the provision of biometric identifiers under the definition of identifier; see the response to question 11-3.
40. Further discussion of identifiers also takes place in the response to question 4-27 and in Chapter 12.
41. Collectors are defined under s 9 of the Privacy Act. The Office notes that in relation to agencies that are 'collectors', s 95B of the Privacy Act ensures that an agency cannot use a contract to avoid its own obligations under the IPPs by authorising a contractor to do something that the agency itself is not permitted to do. For example, if it is not part of an agency's function to collect particular information such as health information, it cannot authorise a contractor to do this for the agency.
42. It may be useful to note in the definition of collector that where services are provided by other entities on behalf of an agency, they must relate to the agency's functions for the Commonwealth contracting provisions to apply.
43. The Office believes that the definition for small business - defined under s 6D of the Privacy Act - would benefit generally from clarification as it is needlessly confusing and complex for organisations attempting to determine their coverage under the Privacy Act.
44. Furthermore, the Office reiterates its recommendation made in the private sector review that the definition of small business be expressed in terms of number of staff rather than annual turnover.44 The Privacy Act could use the Australian Bureau of Statistics definition which currently defines a small business as a business with 20 employees or fewer.
45. Discussion of the small business exemption takes place in Chapter 5 under question 5-6.
46. A 'generally available publication' is defined under s 6(1) of the Privacy Act.
47. The Office notes that the phrase 'generally available publication' may appear to apply only to publications that do not involve fees for access. However, access to generally available publications is not necessarily free. For example, the National Insolvency Index is accessible only by subscribers who pay to view the Index.
48. For this reason, the Office believes that the definition would benefit from the clarification that a generally available publication is generally available even where payment of a fee is necessary to access the information.
49. Possible amendments to the definition of 'health service' are suggested in Chapter 8 in the response to question 8-7.
50. The existing definition for 'agency' in the Privacy Act may benefit from additional clauses to clarify currently ambiguous areas of coverage. In particular, coverage of some public authorities created as collaborations between the Commonwealth and the States and Territories by the Council of Australian Governments (COAG) and other Ministerial Councils could be better provided for under the definition of agency in the Privacy Act.
51. It is also not clear under the current definition whether s 6C(3)(c) captures under 'public purpose' general outsourcing of functions and the myriad of public and private partnerships.
State or Territory authority
52. The definition of 'State or Territory authority' as defined under s 6C(3) of the Privacy Act is discussed in the response to questions 5-4 and 5-5 under the heading 'Other forms of state and territory bodies.'
53. The explanatory memorandum to the Privacy Amendment (Private Sector) Bill 2000 stated: 'the question of whether one body corporate is related to another body corporate is to be determined in the same way as the question is determined under the Corporations Law'45. The Corporations Law has since been repealed and replaced by the Corporations Act 2001.
54. The term 'related bodies corporate' is not defined under the Privacy Act. The Office suggests that it would be useful to define the term within the Privacy Act as having the same meaning as in the Corporations Act 2001. This would clarify the original policy intention.
55. In addition, a number of definitions are discussed elsewhere in this submission, reflecting the structure of IP31. In summary these are:
Privacy protection for health information of deceased persons
56. The Office would support an amendment to the Privacy Act to extend some privacy protections to the health information of people after their death. The Office suggests that many individuals engage openly with their health care provider on the understanding that information about their health will continue to be handled in a dignified and respectful way after they are deceased, including by limiting who may access it and for what purposes it may be used or disclosed.
57. In addition, the Office notes that health information about deceased individuals may cause embarrassment or distress to living individuals (such as where an individual may have had a stigmatising condition), and is therefore likely to warrant some protections. In addition, in some cases, the health information of deceased individuals may have bearing on the health information of living individuals (though the nexus may not be sufficiently strong to establish that deceased persons' information would meet the definition of 'personal information' for the living individual under section 6 of the Privacy Act).
58. The Office believes that health information of deceased persons should be covered by NPPs 1 (collection), 2 (use and disclosure) and 4 (security) or their equivalents under a single set of principles (the proposal for a single set of principles is discussed in Chapter 4). In the Office's view, such protections balance the interests of both the deceased and living individuals, as well as other interests such as the use of the information for medical research.
59. The Office submits that the protections under NPP 1 that are most likely to be relevant are those that ensure that personal information is collected for a purpose that is necessary for an organisation's functions, and that the collection is lawful and fair. The Office submits that the notice obligations could be exercised in regard to authorised representatives of the individual.
60. Affording the protections of NPP 2 to the health information of deceased individuals is likely to promote the policy objective of ensuring that such information is handled for appropriately limited reasons. Under such a model, a deceased person's health information could be used or disclosed for the purpose for which it was collected, or where an exception to NPP 2 applies. For example, state or Commonwealth laws may require or authorise health information about deceased individuals to be provided to health registers, which in turn may serve important research and health policy functions.
61. The Office has also proposed an additional exception to NPP 2 to apply to deceased persons' health information. This is discussed in further detail below.
62. In regard to NPP 4, the Office submits that health information about deceased individuals should be afforded appropriate security protections to prevent its misuse or loss. This is likely to be consistent with general community expectations that such information is handled with care.
63. The Office's views on the importance of health privacy more generally are discussed in Chapter 8.
64. Since the introduction of the NPPs, the Office has taken a number of enquiries from individuals seeking access to the records of deceased friends and family members. In many cases, individuals have been denied such access purportedly because of the Privacy Act. This is an inaccurate application of the NPPs. As the Privacy Act does not currently apply to the records of deceased individuals, it neither restricts nor authorises how such information may be handled.
65. However, the Office recognises that living individuals may have legitimate grounds for seeking access to the health records of a deceased individual, such as compassionate reasons or to seek emotional closure. Accordingly, the Office submits, in line with its general view that health information should be afforded some protections under the NPPs, a mechanism could be inserted into the NPPs to provide such access.
66. At the same time though, in the view of the Office, permitting a broad right of access under NPP 6 (exercisable by some defined class of individual, such as a family member or authorised representative of the deceased) to that health information under the Privacy Act may be problematical. For example:
67. For these reasons, the Office suggests that a provision could usefully be added under NPP 2.4 to provide organisations with a discretion to disclose health information about deceased people to 'a responsible person' (based on the terms of NPP 2.5) in the same way in which health information about an individual who lacks capacity may currently be disclosed.
68. While the Office recognises that some individuals may feel aggrieved by being denied an absolute right to access to a deceased person's records, the protection of the information contained in such records is of sufficient importance and sensitivity to warrant third-party access being restricted and not made a general right under the Privacy Act.
69. The Office submits that a model along the lines proposed would afford organisations a clear discretion to exercise professional judgement and knowledge of specific circumstances in determining whether the health information of a deceased person should be made available to an authorised person.
70. A right to complain should also be extended to authorised persons (and other individuals where standing is recognised at the discretion of the Commissioner).
33 The Privacy Commissioner's functions are set out in sections 27, 28 and 28A of the Privacy Act 1988.
34 For example: Australian Communications and Media Authority Act 2005; Australian Film Commission Act 1975; Australian Bureau of Statistics Act 1975; Australian Law Reform Commission Act 1996; Australian Passports Act 2005 and so on.
35 Office of the Privacy Commissioner Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (Office's Private Sector Review), 2005, pp47-48.
36 Office's Private Sector Review pp 246-248.
37 Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988, June 2005, pp19-21.
38 See s 6(1) definition of personal information.
39 Office's Private Sector Review p257.
40 Office of the Privacy Commissioner, Community Attitudes Research 2001, 2004, available at http://www.privacy.gov.au/business/research/index.html
41 Privacy Act 1988, s 16B. Section 16B(1) also states that the IPPs and NPPs apply to personal information collected for inclusion in a generally available publication.
42 For example, the definition of 'record' in the Privacy Act includes 'a document'. Under the Acts Interpretation Act, a 'document' is: (a) any paper or other material on which there is writing; (b) any paper or other material on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them; and (c) any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device.
43 Explanatory Memorandum, Privacy Bill 1988, p12.
44 Office's Private Sector Review, pp184-185.
45 Privacy Amendment (Private Sector) Bill 2000 Explanatory Memorandum, Circulated by authority of the Attorney-General, the Honourable Daryl Williams AM QC MP, Notes on Clauses paragraph 60.