CHAPTER 4
EXAMINATION OF THE PRIVACY PRINCIPLES

Introduction

1. The Office believes that principle-based law remains the best way to regulate information handling and, in general, that the existing privacy principles in the Privacy Act are operating well.

2. In responding to the questions posed in this chapter, the Office explores the IPPs and NPPs in detail and makes suggestions for their improvement based on its experience as regulator of the Privacy Act.

3. A key theme of this chapter is the proposal for a single set of principles to replace the IPPs and NPPs. In the Office's view, a single set of privacy principles would provide greater regulatory consistency and simplicity. The Office suggests that a single set of principles include principles relating to: anonymity; notice and openness; collection; collection of sensitive information; use and disclosure; quality; security; access and correction; transborder data flows; and identifiers.

Chapter 4 - Introduction
Office position:

  1. The Office recommends the development of a single set of principles for both Australian government agencies and private sector organisations relating to:
    • Anonymity
    • Notice and openness
    • Collection
    • Collection of sensitive information
    • Use and disclosure
    • Quality
    • Security
    • Access and correction
    • Transborder data flows
    • Identifiers

4-1 Are the obligations imposed on organisations at the time of collection of personal information adequate and appropriate? For example, should an organisation also be required to make an individual aware of (a) the types of people, bodies or agencies to whom the organisation usually discloses information of that kind; (b) the various avenues of complaint available; and (c) the source of the information, where it has not been collected directly from the individual?

Are the obligations imposed on organisations at the time of collection of personal information adequate and appropriate?

4. Currently notice and collection are addressed together in the NPPs (NPP 1) and separately in the IPPs (in IPPs 2 and 1 respectively). The Office believes that this may encourage an impression that the responsibilities related to the handling of personal information begin with the collection of that information. To address this concern, the Office suggests that provisions for the notice and collection of personal information should be addressed separately in the Privacy Act, specifically by separate principles.

5. The Office has provided an approach for a principle addressing notice and openness for both agencies and organisations as part of the single set of privacy principles recommended in responding to question 4-35 below.

Provision of notice

6. Agencies and organisations should be required to provide notice in a format that is easily accessible, understandable and appropriate. The use of short-form privacy notices, as referred to in Recommendation 19 of the Office's Private Sector Review,46 addresses this issue and acknowledges that notice enhances the notion of openness. The Government agreed with this Recommendation in principle.47

7. In the proposal for a single set of principles discussed in the response to question 4-35, the Office suggests a model that separates notice and collection and positions the requirement to provide notice before collection activities are undertaken where practicable.

8. The Office believes that developing a principle for notice and openness (separate to collection) is an important step in ensuring individuals are notified about the purposes for which their personal information is collected and how their personal information will be handled by the agency or organisation collecting it.

Choice and control

9. Positioning the notice and openness principle before the collection principle may also assist agencies and organisations in considering what their stated reasons for collection are and how they may use, disclose and handle the personal information they intend to collect before it is collected.

10. The Office believes that appropriate notification allows individuals to make an informed choice. This approach promotes the idea of informing the individual and may also assist an individual to make informed decisions regarding the extent to which they provide their personal information to an agency or organisation.

11. The Office acknowledges that in certain circumstances an individual will effectively have no choice but to provide their personal information to an agency or organisation, for example, when applying for essential services or dealing with a monopolistic provider. However, the need to inform the individual regarding the purpose of the collection, proposed uses, disclosures and how their information will be handled before collection remains fundamental.48

International perspective

12. The Office notes the following international standards and approaches in relation to the principle of notice:

13. Notwithstanding the Office's opinion that notice be addressed as a single, separate principle for both agencies and organisations, the Office provides the following responses to the specific issues raised in question 4-1.

The types of people, bodies or agencies to whom the organisation usually discloses information

14. As discussed in the Office's Private Sector Review, the Office believes that an organisation collecting personal information from an individual must take reasonable steps to notify that individual of likely disclosures, including to Australian government agencies, state or local governments, other bodies and private individuals.52 This approach is consistent with the policy intent of NPP 1.3(d) that individuals should be informed about the types of organisations to which their information is usually disclosed,53 and is contrary to a narrow interpretation that would require organisations collecting personal information to tell an individual only about likely disclosures to private sector organisations. The information provided by an organisation to make people aware of likely disclosures should be required to be as specific as possible or necessary to make it meaningful and helpful to an individual.54 Additionally, this provision should also incorporate the intention of IPP 2(e) which is to advise an individual of any fourth party that may be in receipt of their personal information.55 If the current IPPs and NPPs remain in place, rather than an alternative single set of principles being adopted as suggested in the response to question 4-35, then NPP 1.3(d) should be amended to reflect this requirement.56

15. Further, the Office believes that organisations should be required to provide notice in a format that is easily accessible and understandable. Additionally, the Office believes that this requirement should be extended to agencies. The use of short-form privacy notices57 addresses this issue and acknowledges that notice enhances the concept of openness. The Australian Government has agreed in principle with this Recommendation.58

The various avenues of complaint available

16. The Office believes that consideration should be given to introducing a requirement that organisations take reasonable steps, on request, to advise an individual where and how they can make a complaint about the handling of their personal information or interferences with their privacy. This could also include notification that if a complaint is not resolved, the individual may also complain to the Privacy Commissioner.59 In a similar sense, agencies could also be required to advise individuals about the avenues of complaint open to them.

The source of the information

17. The Office believes that consideration should be given to amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.60 Under the provisions of NPP 1.5, when personal information is collected from a third-party the individual should be notified whenever possible and in circumstances where a reasonable person would expect to be notified. Similarly, this obligation should apply to agencies. However, in relation to applying any requirement to advise the source of information, the Office acknowledges that it is important that this advice does not impact adversely on the privacy of a third-party individual.

Question 4-1
Office position:

  1. The Office recommends that provisions for notice and collection should be addressed separately in the Privacy Act, specifically by separate principles.
  2. The Office reiterates recommendation 74 from the Private Sector Review that consideration be given to amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.
  3. The Office recommends that notice obligations regarding the likely disclosures of an individual's personal information should also advise of any fourth party that personal information may be disclosed to.
  4. The Office reiterates recommendation 19 from the Private Sector Review that consideration be given to amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and to clarify the links between NPP 1.3 and NPP 5.1.
  5. The Office reiterates recommendation 41 from the Private Sector Review that consideration be given to amending NPP 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator. This would also apply to agencies under one set of principles.
  6. The Office reiterates recommendation 76 from the Private Sector Review that consideration be given to amending NPP 1.5 to remove the term 'someone', and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source. This would also apply to agencies under one set of principles.

4-2 Should NPP 1 be amended to clarify that there may be circumstances in which it is reasonable for organisations to take no steps to ensure that an individual is aware of specified matters relating to the collection of personal information?

18. The Office believes that an amendment to NPP 1 should be considered to clarify that there may be circumstances in which it is reasonable for organisations to take no steps to ensure that an individual is aware of specified matters relating to the collection of their personal information.61 For example, such circumstances may include when an organisation receives information from a related body corporate, especially if the individual could reasonably expect that the information would be handed on.62

19. This issue is also discussed in the Office's response to question 4-35 as part of a proposed single set of privacy principles under the heading 'Notice and Openness'. As part of this discussion the Office recommends that a 'reasonable person test' be included in this provision, rather than leaving completely to the discretion of organisations the decision of what 'reasonable steps' may constitute. This suggestion would see organisations taking steps that a reasonable person would expect in the circumstances to ensure that an individual is aware of certain matters relating to collection.

Question 4-2
Office position:

  1. The Office reiterates recommendation 75 from the Private Sector Review that consideration be given to amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.
  2. The Office recommends that a 'reasonable person test' be included to determine what steps should be taken to make individuals aware of matters relating to the collection of their personal information. This would relate to agencies and organisations.

4-3 Are the obligations imposed on agencies at the time of collection of personal information adequate and appropriate? In particular, should agencies be subject to a general requirement that where reasonable and practicable, they should collect information about an individual only from the individual concerned? Should agencies also be required to notify an individual of his or her rights of access to the information, the consequences of not providing the information, the various avenues of complaint available, and the source of the information, where it has not been directly collected from the individual?

20. As stated in the response to question 4-1 above, the Office believes that the notice and collection provisions of the Privacy Act should reside in separate principles and that a consistent approach be taken for both agencies and private sector organisations.

21. As such, the Office believes that agencies should be required to comply with the same provisions as private sector organisations and where reasonable and practicable they should collect information about an individual only from the individual concerned.

22. A single principle for notice and openness, as proposed in the Office's response to question 4-35, could also include that agencies and organisations be required to notify an individual of his or her rights of access to the information, the consequences of not providing the information, the various avenues of complaint available, and the source of the information where it has not been directly collected from the individual.

Question 4-3
Office position:

  1. The Office believes that agencies should be required to comply with the same collection provisions as private sector organisations and where reasonable and practicable they should collect information about an individual only from the individual concerned.
  2. The Office believes that a single principle for notice and openness could include that agencies and organisations be required to notify an individual of their rights to access their personal information, the consequences of not providing their information, the various avenues of complaint available, and the source of the information where it has not been directly collected from the individual.

4-4 Should any obligations attach to an agency or organisation which receives unsolicited personal information that it intends to include in a record or generally available publication? If so, what obligations should be imposed?

23. The Office believes it is likely that some agencies and organisations will receive unsolicited personal information about individuals from time to time. It may not, however, be necessary for an agency or organisation to 'collect' such information after it has been received. In these circumstances, collection would occur when an agency or organisation keeps personal information that it has received, but that it did not ask for, in a record.63

24. The Office believes that notice about collection of unsolicited personal information should be given to the subject as soon as possible after the collection.64 When personal information is collected from a third-party, including the collection of unsolicited personal information, the organisation must take reasonable steps to notify the individual whenever possible and in circumstances where a reasonable person would expect to be notified.

25. Further to this, as outlined in the suggested collection principle at question 4-35, the Office is of the opinion that agencies and organisations should not collect information unless it is for a specific reason for which the individual has been previously notified. Accordingly, unsolicited information that is received but would not be considered by a reasonable person as legitimate or necessary for the organisation or agency to collect (with reference to stated reasons for collection) should be destroyed or returned to the source.

26. The Office is aware that information collected from some third-parties and unsolicited sources may not be completely accurate. The accuracy of such information should be checked as soon as possible with the subject, where possible, unless the source is a publicly available source such as a public telephone directory. This is particularly important in instances where individuals could be denied access to essential services based on inaccurate information. Agencies and organisations could be required to check the accuracy of information received from an unsolicited source if they intend to include that information in a record. This issue is discussed further in 4-35 under the heading 'Principle 6-Quality'.

Question 4-4
Office position:

  1. The Office recommends that the collection principle include that an agency or organisation should be required to check the accuracy of information received from an unsolicited source if it intends to include that information in a record.

4-5 Should the obligations imposed on an organisation or agency at or soon after collection apply irrespective of the source of personal information?

27. As the Office has previously recommended65 and has stated in guidance material,66 an agency or organisation should be under an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, irrespective of the source of the personal information. Such a requirement, however, should not adversely affect the privacy of another individual.

4-6 Is it desirable for the IPPs to deal separately with the principles relating to the use and disclosure of personal information or should use and disclosure be provided for in one principle?

28. The Office considers that use and disclosure should be included in the same principle as in the NPPs. This will assist in providing a consistent approach for the handling of personal information and may go some way to alleviating the confusion that surrounds the identification of whether certain activities and information handling practices are considered a 'use' or a 'disclosure' and which provisions and principles should apply.

29. In response to question 4-35, the Office has proposed a single principle for use and disclosure to cover both agencies and organisations. The issues of use and disclosure are addressed further in the recommendations for this principle.

Question 4-6
Office position:

  1. The Office considers that use and disclosure should be addressed in one principle as in the NPPs.

4-7 Are the circumstances in which agencies and organisations are permitted to use and disclose personal information under IPPs 10 and 11, and NPP 2, adequate and appropriate? In particular, should agencies and organisations be permitted expressly to disclose personal information: (a) to assist in the investigation of missing persons; (b) where there is a reasonable belief that disclosure is necessary to prevent a serious and/or imminent threat to an individual's safety or welfare, or a serious threat to public health, public safety or public welfare; and (c) in times of emergency? What mechanism should be adopted to establish the existence of an emergency?

Are the circumstances in which agencies and organisations are permitted to use and disclose personal information under IPPs 10 and 11, and NPP 2, adequate and appropriate?

30. In responding to question 4-35 of IP31, the Office proposes a single set of privacy principles to apply to both agencies and organisations, including a principle to cover the use and disclosure of personal information. In addition to this recommendation, the Office also wishes to provide the following comments to address the specific issues raised in question 4-7.

Missing Persons

31. The Office believes that the current exceptions in NPP 2 and IPPs 10 and 11 of the Privacy Act are adequate, achieve the right balance and are appropriate for the circumstances of a missing person. The Office acknowledges that there may be circumstances where an individual may choose not to remain in contact with the people they know and believes that allowing the disclosure of personal information generally for use in locating missing persons would adversely impact upon the privacy rights of those individuals. Further, the Office notes that the Commissioner's power to make Public Interest Determinations (PIDs) provides a mechanism to deal with possible circumstances in which the provisions are not adequate. Use of PIDs in times of emergency is discussed below.

Serious and imminent threat

32. In question 4-7 the ALRC asks if agencies and organisations should be permitted to disclose personal information where it is necessary to prevent a 'serious and/or imminent' threat to an individual's safety or welfare, or a serious threat to public health, public safety or public welfare. The Office believes that it is important for both the serious and imminent requirements to be retained in the Privacy Act.

33. The threshold of protection afforded by this exception to non-disclosure in IPPs 10 and 11 and NPP 2 is important in the maintenance of privacy protections for individuals. The requirement of both a 'serious and imminent threat'67 indicates that a situation in which an exception to non-disclosure may be permitted is one of urgency. Should this be the case, then due to the immediate nature of that threat, disclosure may be justified. However, should the gravity of the threat not involve a measure of imminence, then the individual should retain the usual level of privacy protection as other mechanisms may be available to provide for the disclosure of the information. For example, an agency or organisation could seek the individual's consent before disclosure of personal information occurs (should none of the other exceptions apply).

34. The ALRC makes reference to 'life, health, safety or welfare' rather than 'life or health'68 or 'life, health or safety.'69 The Office believes that the reference to 'life and health' of an individual provides an appropriately higher test for allowing an exception to non-disclosure and thus better privacy protection for individuals. The use of the term 'safety' could be problematic in this context as it is not clear if this term enhances the usefulness of the exception without lowering protections for individuals. The Office suggests that the ALRC examines this issue further.

In times of emergency

35. It should be noted that NPP 2, and IPPs 10 and 11, currently allow use and disclosures in some emergency situations. For Australian Government-declared emergencies, under the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006,70 disclosure would be allowed in an emergency situation. In addition to this, the Commissioner's Temporary Public Interest Determination (TPID) power may be invoked where an activity would otherwise conflict with the Privacy Act. For example, the effect of Public Interest Determinations 7 and 7A is to allow the Department of Foreign Affairs and Trade to disclose personal information about Australians travelling overseas in certain limited circumstances such as when there are reasonable grounds to believe there is a threat to the life or health of an individual. The Office considers that these measures address issues such as those raised by the Department of Foreign Affairs and Trade regarding its ability to meet its consular obligations in times of disaster or emergency.71

36. The Office also believes that the disclosure provisions should be extended to allow disclosures of personal information to a 'responsible person' in times of national emergency.72 It is also the Office's view that the meaning of a 'responsible person' should be extended beyond that already provided for in NPP 2.5 to include a person nominated by the family to act on behalf of the family. The mechanism to establish the existence of an emergency for the purpose of an exception to non-disclosure of information has been addressed by the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006.

Question 4-7
Office position:

  1. The Office submits that the existing exceptions under NPP 2, as well as IPPs 10 and 11 provide an appropriate range of mechanisms for allowing individuals' personal information to be disclosed in times of emergency or when there is a serious and imminent threat to the life or health of an individual. The Office does not support additional exceptions permitting uses or disclosures without the consent of the individual.
  2. The Office believes that the disclosure provisions should be extended to allow disclosures of personal information to a 'responsible person' in times of national emergency and the definition of 'responsible person' should be extended beyond that already provided for in NPP 2.5 to include a person nominated by the family to act on behalf of the family.

4-8 Are the criteria in NPP 2.1(a) for using personal sensitive and non-sensitive information for a secondary purpose adequate and appropriate? For example, is it necessary or desirable that there also be a 'direct' relationship between the secondary and primary purpose of collection before non-sensitive personal information can be used or disclosed for a secondary purpose?

37. The Office has included a principle addressing use and disclosure for agencies and organisations as part of the single set of privacy principles suggested in the response to question 4-35. The approach proposed suggests that a direct relationship should be required between the primary and secondary use and that the secondary use should be one which an individual would reasonably expect. Notwithstanding this recommendation, the Office has provided the following responses to the separate parts of question 4-9.

38. See also the Office's response to question 8-17 for a more detailed response to use and disclosure of sensitive information in the health context.

Are the criteria in NPP 2.1(a) for using personal sensitive and non-sensitive information for a secondary purpose adequate and appropriate?

'Primary' and 'secondary' purposes for use and disclosure

39. NPP 2.1 allows organisations to use and disclose personal information for the primary purpose of collection without consent, provided they have complied with the collection/notice obligations under NPP 1 (and also NPP 10 for sensitive information).

40. The policy intent of NPP 2.1 is to maintain the individual's knowledge and control over when personal information may be used and disclosed. If 'primary purpose' is interpreted too broadly, use and disclosure are harder to regulate, and the original policy intent is more difficult to achieve.

41. When an organisation collects personal information, the collection should be for a particular purpose, such as to sell a particular product or provide a service. This is the primary purpose of collection.73 Determining the primary purpose of collection should always be possible. Where an organisation collects personal information directly from the individual, the context in which the information is collected will help identify the primary purpose of collection. When personal information is collected indirectly, the organisation's use of the information soon after collection is a good indication of the primary purpose of collection.

42. NPP 2.1(a) requires the secondary use or disclosure to be related to the primary purpose of collection and be reasonably expected by the individual. To be related in this way, the secondary purpose must be something that arises in the context of the primary purpose. If the personal information is sensitive information, there must be a stronger connection to the primary purpose for collection.

Reasonable Expectations

43. Reasonable expectations are the expectations that a reasonable individual with no specialist knowledge of the purpose or function of the organisation would have in regard to how the organisation would handle their personal information in the circumstances.

44. If an organisation is unsure of what an individual would reasonably expect in relation to the use and disclosure of their personal information, the organisation could seek the individual's consent for the use or disclosure as provided for by NPP 2.1(b).

45. For example, is it necessary or desirable that there also be a 'direct' relationship between the secondary and primary purpose of collection before non-sensitive personal information can be used or disclosed for a secondary purpose?

46. The Office believes that thorough compliance with NPP 1.3 notice requirements provides an organisation with the ability to rely on an individual's reasonable expectations regarding likely use and disclosure of their personal information. In this way, the requirement for the secondary purpose to be directly related to the primary purpose and reasonably expected by the individual may not be onerous.

47. This issue is addressed also by previous Office recommendations74 to improve the operation of NPP 1.3 and also the recommendations for a separate notice and openness principle provided in question 4-35.

Question 4-8
Office position:

  1. The Office believes there should be a direct relationship between the primary and secondary use of personal information and that the secondary use should be one which an individual would reasonably expect. This is included in the use and disclosure principle proposed at Question 4-35.

4-9 Is the scope of IPP 10(e) (which allows agencies to use personal information for a purpose other than the primary purpose of collection, if the purpose for which the information is used is directly related to the purpose of collection) adequate and appropriate? For example, should there be an additional requirement that the individual concerned would reasonably expect an agency to use the information for that other purpose?

48. As stated in the response to question 4-8, the Office recommends that there be a single set of privacy principles relating to both organisations and agencies, which include recommendations for a use and disclosure principle. In addition, the Office has provided the following comments to address the specific issues raised by question 4-9.

49. IPP 10.1(e) allows an agency to use personal information for any purpose that is directly related to the purpose for which it originally collected the information. This principle applies only to uses of personal information. The concept of 'directly related' in this context means that there is a close relationship between the purpose of the use and the purpose for which the personal information was collected in the first place.75 For example, an agency might use information collected for the purpose of investigating complaints to conduct follow-up surveys.

50. When an agency collects personal information, it must have a specific, well defined purpose for doing so, regardless of whether the information is collected directly from the individual or another source. As the Office has stated previously, the purpose for which information is obtained should be interpreted narrowly.76 This approach is also consistent with the rules for collecting personal information in IPPs 1 to 3.

51. The general policy concept behind IPP 10.1 is that people usually give personal information to an agency with a specific purpose in mind, such as receiving a benefit payment or a tax refund and they should be able to expect the information to be used for that purpose only. In other words, the Office believes that IPP 10.1 already includes the concept of reasonable expectation and the addition of such provisions for agencies through the adoption of a single set of privacy principles would not represent an extra burden for agencies.77

4-10 In what circumstances should agencies or organisations be required to record their use or disclosure of personal information when it is used or disclosed for a purpose other than the primary purpose?

52. The Office would like to address the following issues in relation to recording the use and disclosure of personal information for a purpose other than the primary purpose.

Issues

Community view

53. The Office believes that individuals are interested in the handling of their personal information by agencies and organisations to the same extent that they are interested in the actual collection of that information. For example, in a community survey, the Office found that the practice of using information for a purpose other than that which was originally intended was of concern for 68% of those surveyed. Additionally, 41% of those who reported being concerned said that this was of great concern to them. In the same survey 95% of people said that they were prepared to act if they believed a company they were dealing with was misusing their information.78

54. If an agency or organisation gains consent from an individual for the use or disclosure of their personal information for a purpose other than the primary purpose, it would seem unnecessary for the organisation to also make a note of this subsequent use or disclosure.

Interfering with the privacy of another individual

55. Another possible issue for an agency or organisation in relation to keeping records of use and disclosure of personal information for a purpose other than the primary purpose is that this could interfere with the privacy of an individual to whom the information is disclosed. It would be necessary to ensure that any additional provisions or amendments to the Privacy Act to record the secondary use and disclosure do not adversely impact on the privacy of another individual through the collection of their personal information.

56. It may also be the case that the accumulated logging of secondary use and disclosure in a record containing an individual's personal information may change the nature of that information and, in some cases, could be contrary to the initial primary reason for the collection of the personal information.

Options for amending IPPs 10 and 11 and NPP 2.2

57. One approach for addressing this issue for organisations may be to expand the current provisions of NPP 2.2 to include not only the exception at 2.1(h) but all exceptions from 2.1(c) - (h).

58. In relation to agencies, IPP 10.2 could be expanded to also explicitly include the exceptions at IPP 10.1(b) - (e) and IPP 11.2 could be expanded to explicitly include disclosures under IPP 11.1(c) - (e).

4-11 Are there particular issues or concerns arising from the practice of organisations seeking bundled consent to a number of uses and disclosures of personal information? If so, how are these concerns best addressed?

59. The Office believes that consent is a cornerstone of privacy, and gaining consent should be taken seriously, especially where it offers individuals real choice about their transactions with organisations. Consent has two key components:

60. In responding to question 4-35, the Office has made recommendations about separate principles for notice and collection. These recommendations include that agencies and organisations should only collect information from an individual that is required for the purposes identified in its notification. The effect of such a principle would be that where an agency or organisation wants to use information for a purpose other than for which it was collected, then the individual's consent should be sought for the extended use of that information but it should not be made a condition of the original service.

61. In addressing this issue in the Office's Private Sector Review, the Office undertook to provide further guidance material to business in relation to bundled consent and providing clearer privacy notices to consumers.79

4-12 Is it appropriate that NPP 2 allows for personal non-sensitive information to be used for the secondary purpose of direct marketing? If so, are the criteria that an organisation needs to satisfy in order to use personal information for direct marketing purposes adequate and appropriate?

62. The Office recommends that the current conditions under which direct-marketing occurs should be changed through an amendment of the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. This recommendation is consistent with the Office's previous recommendation made in the Office's Private Sector Review.80

63. Further, the Office recommends amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information. This recommendation is consistent with the recommendation made in the Office's Private Sector Review.81

Question 4-12
Office position:

  1. The Office reiterates recommendation 23 from the Private Sector Review that consideration be given to amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.
  2. The Office reiterates recommendation 24 from the Private Sector Review that consideration be given to amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.

4-13 Should use and disclosure of personal information be allowed for research that does not involve health information - for example, social science research? If so, in what circumstances or upon what conditions might this be appropriate?

64. NPP 2 provides a number of mechanisms by which personal information may be used and disclosed for social research, including where:

65. Additionally, personal information could be used or disclosed for social research where it is de-identified and thus not covered by the Privacy Act.

66. A similar range of provisions exist in the Information Privacy Principles.

67. The Office submits that these provisions provide broad scope for personal information to be handled for the purpose of non-health research. The Office does not believe that additional provisions are necessary without strong evidence to the contrary. In particular, the Office would not support an additional exception permitting uses or disclosures without the consent of the individual, such as that available under the s 95 and 95A guidelines.

Community expectations

68. The Office has noted in its response to Chapter 8, that many individuals express concern about the handling of their personal information for research purposes without their consent. Submissions to the Office's Private Sector Review called for the scope of the Privacy Act to be broadened to include research on humans, not just medical research.82 One submission argued that the Privacy Act was limiting research needed for forming effective and responsive government policy.83 The precise nature and extent of this problem, however, was not articulated in the submissions.

69. Community attitude research indicates that individuals' desire to retain control over the use of their personal information extends to non-health areas. For example, a US survey found that 77% of respondents wanted opt-in 'all the time' before information about browsing habits or shopping patterns could be collected. In addition, 86% of those polled wanted opt-in consent arrangements for all collection of personally identifiable information such as name, address, and phone number.84

70. A New Zealand survey found that 22% of individuals surveyed did not want their general information (name, address, occupation etc) shared with researchers.

Public interest in social research

71. While the s 95 and 95A mechanisms provide for personal information to be used without consent for medical research (subject to consent being impracticable and oversight by institutional ethics committees), the Office submits that the public interest in such research is likely to outweigh the public interest in non-health social research. While social research will often offer benefits to the community, those benefits, on balance, are likely to be less than is the case with health and medical research.

72. In some limited circumstances, the public interest in conducting social research by using personal information without the consent of the individuals involved may substantially outweigh the public interest in maintaining privacy. Where such circumstances arise, and the use or disclosure cannot otherwise be accommodated within the relevant privacy principles, the Public Interest Determination mechanism provided in the Privacy Act could be drawn upon to facilitate the research.

73. Therefore, the Office submits that the existing exceptions under NPP 2, as well as IPPs 10 and 11, provide an appropriate range of mechanisms for allowing individuals' personal information to be used for non-health research.

Question 4-13
Office position:

  1. The Office submits that the existing exceptions under NPP 2, as well as IPPs 10 and 11 provide an appropriate range of mechanisms for allowing individuals' personal information to be used for non-health research and does not support an additional exception permitting uses or disclosures without the consent of the individual.

4-14 Is the scope of the data quality principle in NPP 3 (which requires an organisation to take reasonable steps to make sure that the personal information that it collects, uses or discloses is accurate, complete and up-to-date) adequate and appropriate? For example, should the principle expressly apply to information that an organisation controls?

74. In relation to data quality, the Office believes that the quality of personal information is fundamental in any information handling context, especially in the context of information gathering which may lead to individuals being denied access to services. The principle of good information quality goes hand in hand with the notion of, where possible, obtaining personal information directly from the individual to ensure it is of the highest quality and also minimises the risk of mistaking identities or identity fraud.

75. Obligations under NPP 3 are not absolute and it may at times be reasonable to take no steps under NPP 3 to ensure data accuracy, especially if there are no privacy benefits for the individual.85

76. It may also be onerous to require organisations to be subject to NPP 3 obligations if they are not collecting, using or disclosing personal information, but only controlling it. Organisations that have copies of personal information for legitimate reasons but not for the purpose of a use or disclosure should not have to continually take steps to comply with NPP 3. For example, organisations that provide services under contract, such as data back-up and disaster recovery services may control copies of personal information collected by another organisation but should not be responsible for the accuracy of the information. Notwithstanding this view, it is also the case that under the current requirements of NPP 4, organisations are obliged to destroy or de-identify personal information once the purposes of collection have passed.

77. In response to question 4-35, the Office takes the position that agencies and organisations should only collect information that is relevant to the stated purpose and is reasonable to collect.

78. In general, the Office believes that the scope of NPP 3 should be to oblige organisations to keep personal information accurate and complete for the stated purpose of collection and not to import an obligation onto organisations to constantly contact individuals to ensure information is accurate.

Question 4-14
Office position:

  1. The Office believes that NPP 3 should oblige organisations to keep personal information accurate and complete for the stated purpose of collection but should not import an obligation onto organisations to constantly contact individuals to ensure information is accurate.

4-15 Is there a need to amend NPP 3 to clarify the extent of an organisation's obligations under the data quality principle or is this best dealt with by way of guidance issued by the Office of the Privacy Commissioner?

79. In the Office's Private Sector Review the Office recommended that it provide further guidance to organisations about their obligations under NPP 3, particularly to ensure they take a proportional approach to complying with the principle. In that review the Office suggested that this guidance include advice to help organisations understand whether or not there are good privacy reasons for seeking to update an individual's personal information.86

80. In addition to this, the Office suggests in the response to question 4-35 that a single set of principles, applying to both agencies and organisations, include a data quality principle.

4-16 Should agencies also be subject to a stand-alone data quality principle that extends to collection, use and disclosure of personal information?

81. The obligations on agencies should be clear and unambiguous, as this would promote better compliance, as well as greater public confidence in the agencies. The Office believes that agencies should be subject to the same quality principle that organisations must comply with.

82. In response to question 4-35, the Office has provided recommendations for one set of privacy principles for agencies and organisations, including a principle for quality.

Question 4-16
Office position:

  1. The Office believes that agencies should be subject to the same quality principle that applies to organisations.

4-17 Is the scope of NPP 4 relating to the obligations of an organisation to secure data adequate and appropriate? For example, should NPP 4 be amended to impose an obligation on organisations to take reasonable steps to ensure that personal information they disclose to contractors is protected?

83. As stated in the Office's Private Sector Review,87 the Office recommends that the Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure that personal information it discloses to a contractor is protected. One way an organisation can ensure that a contractor protects personal information is through the inclusion of specific clauses within the contract relating to the protection of the personal information.

Contracting between Private Sector organisations

84. The Office takes the view that in the case of outsourcing arrangements between private sector organisations, as opposed to those between federal or state agencies and private sector organisations, each organisation is separately responsible for meeting its obligations, if any, under the Privacy Act.88 This works well in many respects. For example it is appropriate for each organisation to take some steps to look after the personal information it is holding and for each organisation to consider the accuracy of personal information in the context in which it is using or disclosing it.

85. However, there are some circumstances where the approach may cause confusion, or possibly unnecessary compliance requirements and some where it may be more appropriate for the 'lead' 89 organisation to carry the full obligation and responsibility. For example:

86. The Office has provided some guidance on the application of the current provisions of the Privacy Act to contracting arrangements in Information Sheet 8 Contractors. However, the Office believes there may be benefit in giving further consideration to the transfer of personal information to another organisation where the first organisation wants to retain control of the personal information. The Privacy Act currently has specific provisions in relation to Commonwealth service providers (s 95B) and also provides for agency-to-agency arrangements where one agency has possession but not control of a record (s 12). The Office recommends that a similar provision be developed for contracting between private sector organisations.

Question 4-17
Office position:

  1. The Office reiterates recommendation 54 from the Private Sector Review that consideration be given to amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.
  2. The Office suggests that further consideration be given to the handling of personal information in instances where contracting between private sector organisations occurs. The Office believes there may be benefit in developing provisions similar to those which exist under s 12 and s 95B. These provisions together ensure that a lead agency has obligations in relation to personal information over which it wishes to retain control regardless of where it is held, and both parties continue to have obligations when handling the information.

4-18 Are there any circumstances in which agencies should be under an obligation to destroy or permanently de-identify personal information when it is no longer needed?

87. The Office holds the view that agencies should be under an obligation to destroy or permanently de-identify personal information in instances where it is no longer needed and where they are under no legal obligation to continue to retain the information.

88. Where the personal information is no longer needed and/or the agency's statutory obligation of retention is complete, agencies must have an appropriate disposal regime in place to ensure that the information is destroyed or de-identified in a secure manner.90 Undertaking the destruction or de-identification of personal information to prevent misuse and/or unauthorised access, use, modification or disclosure can be considered a key element of good information handling practices.

89. Furthermore, as stated in IP 31, such a requirement has been included in State legislation and there appears to be no solid policy reason why this cannot be extended to Commonwealth agencies.

90. See question 4-35 for further discussion of the security principle.

Question 4-18
Office position:

  1. The Office believes that agencies should be obliged by the Privacy Act to destroy or permanently de-identify personal information when it is no longer needed and where they are under no legal obligation to retain the information.
  2. The Office believes that agencies and organisations should have an appropriate disposal regime in place to ensure that personal information is destroyed or de-identified in a secure manner.

4-19 Should the IPPs and the NPPs regulate the deletion of personal information by organisations and agencies? In what circumstances might this be appropriate? Should an individual have the right to request that an agency or organisation destroy personal information that it holds or controls concerning the individual? If so, in what circumstances or upon what conditions should this be permitted?

91. The Office continues to support the obligation prescribed in the current NPP 4.2 that, where information is no longer needed for the purpose for which it was collected, agencies and organisations should be under an obligation to 'take reasonable steps to destroy or permanently de-identify personal information'.

Question 4-19
Office position:

  1. The Office supports the obligation prescribed in the current NPP 4.2 that, where information is no longer needed for the purpose for which it was collected, agencies and organisations should be under an obligation to take reasonable steps to destroy or permanently de-identify personal information.

4-20 Is the scope of NPP 5 relating to openness adequate and appropriate? For example, is it necessary or desirable for organisations to be given greater legislative guidance about their obligations under the principle? Does the more prescriptive approach to the openness principle in IPP 5 provide a suitable model?

92. The Office holds the view that the obligations imposed by NPP 5 require more specificity to remain relevant and effective. The Office believes that the amendments proposed in the notice and openness principle outlined in the response to question 4-35 will ensure the openness provisions continue to remain adequate and appropriate for both agencies and organisations.

93. More specifically, the Office contends that the provisions of NPP 5.1 could be amended to provide more guidance on the content of the document. In Recommendation 19 of its Private Sector Review the Office suggested that the Government '... should consider amending NPP 5.1 to provide for short form privacy notices.'91 The Office continues to support the introduction of short form privacy notices.92 However, as discussed previously, the requirement for short form privacy notices may sit more comfortably with an enhanced requirement to provide notification, whenever possible, before or at the time of collection as proposed by the single set of principles suggested at question 4-35. This is consistent with the notion that individuals must be provided with fundamental information in order to make an informed decision and provide meaningful consent at the time of collection.

94. The appropriate place for more detailed information regarding the personal information management policies of an organisation or agency should lie in a separate document that should be made available to individuals as required. As stated in the Office's Private Sector Review, '[a] consumer who is satisfied with the information provided in the short form notice need not read the longer notice, yet all the information is available to the consumer who wants it.'93

95. Consequently, the Office acknowledges that further guidance and clarification should be provided around this openness principle.94 In particular, agencies and organisations should be under an obligation to provide generally for the requirements currently outlined in NPP 5.2, that is, the 'sort of personal information [an organisation or agency] holds, for what purposes, and how it collects, holds, uses and discloses that information'. The Office believes that these general types of information should be provided to the public and such provision of information only serves to enhance the notions of corporate and government openness and transparency.

96. Similarly, the Office contends that the principle pertaining to an agency's or organisation's personal information management policies should also provide information on the steps an individual should take if they wish to gain access to their personal information.

97. However, beyond the inclusion of the abovementioned, the Office is not convinced that more prescriptive obligations are required. The introduction of more prescriptive obligations is contrary to the principle-based form of the Privacy Act. Instead, greater guidance could be provided for in the form of guidelines.

98. Additionally, the Office holds the view that the openness principle should impose a requirement to provide a more specific response to a request for the types or 'sort' of information held about an individual. Specifically, the current wording of NPP 5.2 is not completely clear and potentially results in the information that is provided by the organisation being too broad for it to be informative or of assistance to an individual.

99. As such, the Office believes that this issue could be dealt with by requiring agencies or organisations, upon a request from an individual, to provide the individual with a confirmation as to whether they have collected or handle personal information about that individual. If so, the entity should be under an obligation to advise the individual what 'type' or 'sort' of personal information it is - subject to any legal obligations to the contrary. For example, an individual calling an insurance company should be able to ascertain that the company holds 'current income' and 'past and current employment' information about that individual.

100. The Office believes that this will permit a degree of transparency in the relationship between the agency or organisation and the individual. This in turn will serve to promote consumer confidence and organisational accountability. Furthermore, if these general types or categories of information are available to individuals upon their request, this may result in individuals only requesting access to information as needed or required, rather than requesting access in an effort to determine what the agency or organisation holds.

101. The Office believes that such an amendment would be applicable and appropriate to agencies as well as organisations.

102. A detailed discussion about the obligations for agencies in IPP 5.3 and 5.4 (resulting in the formulation of Personal Information Digests) is provided by the Office in its response to question 6-8.

Question 4-20
Office position:

  1. The Office believes that the provisions of NPP 5.1 could be amended to provide more guidance on the content of notice documents.
  2. The Office reiterates recommendation 19 from the Private Sector Review that consideration be given to amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and clarify the links between NPP 1.3 and NPP 5.1. (See also Office position at Question 4-1)
  3. The Office believes that agencies and organisations should be required to, upon a request from an individual, inform the individual as to whether they have collected or hold personal information about that individual and to advise the individual what 'type' or 'sort' of personal information it is.

4-21 Is it appropriate that certain obligations under the NPPs relating to openness are triggered only upon an individual's request?

103. The Office believes that, should the notification requirements on agencies and organisations be enhanced as outlined by the principles proposed at question 4-35, then it remains appropriate for certain obligations under openness to only come into effect upon an individual's request.

104. As discussed in question 4-20, the Office believes that the provision of the specific 'sort' or 'types' of information held about an individual should be triggered by that individual's request. This trigger mechanism seems to be the most practicable method of providing this information to an individual.

105. It is not anticipated that such an obligation will cause an undue administrative burden on either agencies or organisations as it is envisaged that a request under openness would be the precursor to an individual making a request for access and, in some instances, may satisfy an individual's enquiries and therefore alleviate the need to request access.

Question 4-21
Office position:

  1. The Office believes that the provision of the specific 'sort' of information held about an individual should continue to be triggered by that individual's request under an openness principle.

4-22 Is there a need to clarify the relationship between the obligation of an organisation under NPP 1.3 (which imposes an obligation on organisations to take reasonable steps to ensure that an individual is aware of specified matters at or before the time of collection) and NPP 5.1 (which imposes an obligation on organisations to set out in a document clearly expressed policies on its management of personal information)? If so, how is this best achieved?

106. As discussed generally in question 4-20, Recommendation 19 of the Office's Private Sector Review stated that short form privacy notices may provide a useful way of clarifying the links between NPP 1.3 and NPP 5.1 in their current format. The Office continues to support the recommendation that short form privacy notices are an important aspect of assisting the individual to be meaningfully informed.

107. Providing greater detail at the point of collection may, in fact, be counterproductive as research shows that many people do not read or do not understand lengthy privacy notices or policies.95 As such, it may be concluded that in many instances, too much information at this stage may reduce the meaningfulness of the notification.

108. Whilst information of greater detail regarding the personal information management policies of an agency or organisation should be made available to an individual, this greater detail should be made available to those individuals who seek it.

109. The Office believes that introducing the notion of openness about the general types of personal information held and requiring agencies and organisations to include that in their personal information management policies may not be overly burdensome and may in fact assist agencies and organisations in promoting consumer confidence.

4-23 Are the circumstances in which organisations can deny an individual access to his or her personal information under NPP 6 of the Privacy Act adequate and appropriate? If the circumstances are inadequate, should this be addressed by legislative amendment to the principle or by guidance issued by the Office of the Privacy Commissioner?

110. The Office believes that several provisions of NPP 6 require amendment or further clarification. While a number of these provisions could benefit from legislative amendment in the form of re-drafting, there are several provisions that, in the view of the Office, may only require further guidance.

111. As discussed in the Private Sector Review,96 the Office proposes that guidance should be developed around NPP 6.1(b) to explain that a serious threat to a therapeutic relationship could be a serious threat to a person's health. Whether this takes the form of greater legislative guidance or guidelines produced by the Office, the issue is that some practitioners have interpreted the provision too narrowly and clarification is required. Further discussion of this issue is provided in the Office's response to question 8-20.

112. Similarly, NPP 6.3 could be amended to provide the individual the right to use an intermediary if access is denied under an exception contained in NPP 6.1. The current position permitting organisations to 'consider' the use of an intermediary could be seen as being in contrast to the overall intent of principle 6.1 which is to provide an individual with a right to access their personal information.

113. The Office also suggests that NPP 6.4 could be amended to provide for guidance on the timeframe and form in which the information is provided to the individual. Specifically, the agency or organisation should be under an obligation to provide the requested information in the form requested by the individual and within a 'reasonable time' of receiving the request.

114. The Office acknowledges it may be difficult to provide statutorily based guidelines on charges for providing access and has undertaken to develop guidance material in relation to this issue as suggested in Recommendation 31 of the Office's Private Sector Review.

115. Some submissions made to the Office's Private Sector Review expressed the view that the current drafting of NPP 6.5 results in an excessively onerous obligation on individuals to 'establish that the information is not accurate, complete and up-to-date...'.97 The Office suggests that the provision could be amended to require the individual to raise reasonable grounds for the organisation to believe that the information is in need of correction.

116. The Office holds the view that should an individual be denied access, the entity is under an obligation to advise the individual that under NPP 6.3 they may be able to gain access through the use of an intermediary. A detailed discussion of the obligations on organisations in relation to the use of intermediaries in relation to the health sector is provided in the response to question 8-21.

117. An individual may currently make a complaint to the Office if they believe an organisation has breached their obligations under NPP 6, and subsequently has the right of administrative review of a decision made by the Commissioner if the Commissioner was to support an organisation's decision not to grant access. However, it is difficult to envisage a further mechanism for appeal that would cover the private sector more extensively, or alternatively, both agencies and organisations alike.

118. The Office acknowledges the current discrepancy between the IPPs and the NPPs raised in paragraph 4.139 of IP 31. However, the notice and openness provisions recommended by the Office in response to question 4-35 address the issue of providing information to individuals about obtaining access, as this will be required to be included in the personal information management policies of agencies and organisations.

Question 4-23
Office position:

  1. The Office proposes that guidance should be developed in relation to NPP 6.1(b) to explain that a serious threat to a therapeutic relationship could be a serious threat to a person's health. (See also Office position at Question 8-20).
  2. The Office suggests that NPP 6.3 could be amended to provide the individual the right to use an intermediary if access is denied under an exception contained in NPP 6.1.
  3. The Office suggests that NPP 6.4 could be amended to provide for guidance on the timeframe and form in which access to a record of their personal information is provided to an individual.
  4. The Office suggests that NPP 6.5 could be amended so that an individual could raise reasonable grounds for the organisation to believe that information held about them is in need of correction, rather than having to establish that information is not accurate and up-to-date.

4-24 Should IPP 6 more clearly set out the circumstances in which agencies can deny an individual access to his or her personal information? If so, what circumstances should be included?

119. The Office supports the notion that agencies should be required to clearly set out the circumstances in which they can deny access to an individual.

120. This may be achieved by adopting the current NPP 6 and making it applicable to agencies. However, agencies should also make accessible (possibly in their personal information management policy document) information on the legislative obligations they function under which require them to deny access. A discussion of the interaction between the Privacy Act and Freedom of Information Act 1982 is provided in the Office's response to question 7-6.

Question 4-24
Office position:

  1. The Office supports the notion that agencies should be required to clearly set out the circumstances in which they can deny an individual access to a record containing their personal information as required of organisations by NPP 6.

4-25 Should the Privacy Act be amended to impose an obligation on both agencies and organisations to notify third parties, where practicable, that they have received inaccurate information and to pass on any corrected information? Should an obligation to notify third parties apply where agencies or organisations have refused to make a correction?

121. As discussed in the Private Sector Review,98 the current obligations in NPP 6 and IPP 7 do not extend to address the situation where personal information has been provided to third-parties and a subsequent correction has occurred in response to an individual's request.

122. As such, the Office supports the introduction of an obligation on agencies and organisations that where correction has occurred, the organisation or agency should, where reasonable and/or practicable, notify any third-party who has been supplied with the incorrect information.99 A discussion of the requirement for agencies and organisations to notify third-parties about corrections to personal information in relation to the health sector is provided in the Office's response to question 8-21.

123. IP31 comments at paragraph 4.142 that the Office's recommendation 'does not go so far as to require an organisation to pass on corrected information'. However, requiring agencies and organisations to pass this information on as a matter of course may result in unintended consequences. For example, if the personal information had been collected and used by a third-party organisation for a single purpose and is no longer needed by that organisation (and therefore had been destroyed or de-identified), requiring a mandatory disclosure of the new, corrected information may result in the third-party organisation unnecessarily collecting information it had no purpose to collect or no longer needed to collect.

124. Therefore, if the obligation imposed upon agencies and organisations is to notify the third-party that they had cause to correct personal information held, rather than provide it, then the third-party could determine whether they needed to have that correction passed on to them to ensure data quality, or whether they no longer needed to collect, use or disclose that information and therefore did not need to be made aware of the correction.

125. Similarly, the Office holds the view that an agency or organisation should also be under the obligation to notify third-parties in the circumstances where the agency or organisation has identified an error and has had cause to correct it in order to comply with data accuracy provisions.

Question 4-25
Office position:

  1. The Office supports the introduction of an obligation on agencies and organisations that where correction has occurred, the organisation or agency should, where reasonable and/or practicable, notify any third party which has been supplied with the incorrect information.

4-26 Is there a need for a separate privacy principle regulating the adoption, collection, use and disclosure of identifiers by organisations? Should the principle regulating identifiers be redrafted to deal more generally with the issue of data-matching?

126. The Office believes that NPP 7 serves an important function in protecting information privacy. As discussed further in Chapters 7, 11 and 12, the sharing of unique multi-purpose identifiers between different organisations or agencies can raise significant privacy risks. A unique identifier can make it significantly easier to match or link personal information that has been collected in different contexts and for different purposes. Such linkages can facilitate a range of functions, such as more targeted (and potentially intrusive) direct marketing, through to data surveillance of how individuals go about their day to day lives.

127. In responding to question 12-2, the Office has provided findings of community attitudes research which suggests that many in the community are concerned about how datalinking could come to be employed for malevolent purposes. For example, research from Canada reported that:

'...concern that this kind of information sharing would open a door that would not be easily closed... Others in the group quickly picked up on the theme, saying that they feared a future where there might be a less benevolent government that could use the information to control them, rather than serve them.'100

128. UK research concluded, in regard to the perceived risks of datalinking, that:

'The range of risks perceived by the focus groups is, when aggregated, impressive and thoughtful. For people who had in almost every case not really thought much, if at all, about data sharing across government, to have produced such a list in just two hours each, and with rather little prompting, and then to have had intelligent things to say about just which risks are more and which less serious, deserves the reader's respect. ...Moreover, by far the more frequent unprompted factors and the stronger affect were exhibited in respect of risks than were in respect of benefits...'101

129. These concerns highlight the need for tight regulation of unique identifiers, as currently provided by NPP 7.

130. In regard to a possible data-matching principle, the Office has suggested in response to questions 7-6(g) and 11-1 that the current voluntary data-matching guidelines that apply for agencies be given statutory binding effect. The Office has also submitted that consideration be given to giving the Office powers to make guidelines of this type for use by the private sector.

4-27 Is the definition of identifier adequate and appropriate? Are the exceptions to the use and disclosure of identifiers referred to in NPP 7 adequate and appropriate? Should an individual be permitted to consent to the use of his or her unique identifier? If so, in what circumstances and by what means should this exception be given effect?

131. The Office is broadly satisfied with the definition of identifiers, though highlights below that further consideration could be valuable in regard to biometric identifiers and state and territory government identifiers.

132. As the Office notes in Chapters 7 and 11, the increasing capacity of technology to link and manipulate previously disparate data sources, including to re-identify formerly de-identified information, underscores the ongoing need for effective regulation of how unique identifiers are handled.

Biometric identifiers

133. As noted in Chapter 11, the Office believes that there is a need to better clarify the parameters of identifiers and make it clear that biometric identifiers fall within the definition of identifier.

Handling by organisations of state and territory identifiers

134. The Office has noted in Chapter 12 that there may be value in considering whether the definition of government identifier should be extended beyond Australian Government identifiers.

135. In making its submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs inquiry into the Privacy Amendment (Private Sector) Bill 2000, the Office noted in this regard that extending the definition of government identifier would only be intended to regulate how private sector organisations could use government identifiers. It would not be envisaged that it would impose on the rights of State or Territory governments. The Office further submitted that limiting the meaning of identifier to only Australian Government identifiers could limit the protection offered by NPP 7.

Consent to handling unique government identifiers

136. The Office is opposed to individuals being afforded the choice to consent to the handling of their own unique identifier for any unspecified purposes. In the Office's view, such handling should only occur within clearly prescribed statutory limits.

137. While the Office generally welcomes measures to enhance consumer control over their personal information, a consent mechanism is unlikely to be appropriate for a government issued unique identifier that will be held by most of the adult population. By way of contrast with other government-issued identifiers, a consent mechanism is not available for the handling of Tax File Numbers.

138. The Office's concerns about providing this consent mechanism are due to the fact that the privacy risks of sharing unique identifiers are not always immediate. The risks accumulate as more organisations or agencies adopt the number for their own purposes, and as greater amounts of otherwise unrelated personal information become associated with that number.

139. Such long term risks are suggested in the explanatory memorandum to the Privacy Amendment (Private Sector) Bill 2000, which notes that the policy intent of NPP 7 was 'to prevent the gradual adoption of government identity numbers as de facto universal identity numbers'.102

140. Accordingly, individuals may not always be aware of the potentially significant long term privacy risks when asked to consent to such handling, especially where they may be offered an immediate and tangible benefit or convenience.

Existing scope for the handling of unique identifiers

141. If there are specific circumstances where there is a strong public interest in organisations being able to collect, use or disclose unique identifiers then NPP 7 provides a regulation making power to provide the necessary authority. In its Private Sector Review the Office noted, for example, that the regulation making mechanisms could be considered in circumstances where organisations may need to be able to verify concessional details of an individual.

142. In addition, other exceptions are available to NPP 7 which provide a degree of flexibility in defining the limits of how government identifiers may be handled. In particular, NPP 7.2(b), through importing the exceptions contained in NPPs 2.1(e) to 2.1(h), permits organisations to use and disclose identifiers where required or authorised by law.

143. Therefore, if a government of any Australian jurisdiction sought to permit private sector organisations to use or disclose government identifiers for a specific and well-defined purpose not already provided for under NPP 7, they would be able to legislate to that effect. The Office submits that this process of Parliamentary scrutiny and express statement of intent for specific uses and disclosures is a more appropriate regulatory mechanism than permitting consent for any purpose.

4-28 Should the Privacy Act be amended to regulate the assignment, adoption, collection, use and disclosure of identifiers by agencies?

144. If one set of principles is created to regulate both the public and private sectors, the Office believes that to provide regulatory consistency, NPP 7 should apply to all entities, including agencies. This would promote regulatory consistency between agencies and organisations, as well as affording important protections against the privacy risks of unique identifiers discussed above in questions 4-26 and 4-27.

145. However, if there remain separate principles regulating the public and private sectors, the Office believes that there would be merit in limiting the handling of identifiers by agencies in a manner that is consistent with the policy intent of NPP 7.

146. Aligning the existing IPPs with the protections afforded by NPP 7 (and its exceptions) would likely require that agencies not be able to rely on IPPs 10.1(a) (consent) or 10.1(e) (directly related purpose) to use identifiers. Additionally, when disclosing unique identifiers, agencies should not be able to rely on IPP 11.1(a) (individual is reasonably likely to be aware) and 11.1(b) (consent).

4-29 Should the anonymity principle be redrafted to impose expressly an obligation on organisations to give an individual the option of remaining anonymous when entering into transactions with those organisations?

147. The Office is of the view that wherever possible personal information should only be collected if necessary and that individuals should be given the opportunity not to provide personal information if it is not required in the course of their interaction with an agency or organisation. Where the collection of personal information is not required, individuals should be given the choice of dealing with an agency or organisation anonymously.

148. As such, it is important that an organisation or agency considers whether they need to identify the individual (and thus collect their personal information) for each and every transaction. For example, an anonymous phone call to an agency or organisation to make an enquiry about a product or service should be possible.

149. The Office believes that the anonymity principle should require organisations and agencies to provide the individual, where possible, with the option of interacting with them anonymously.

150. For further comment, see the anonymity principle outlined in the Office's response to question 4-35 and see also the response to question 11-3 in Chapter 11.

Question 4-29
Office position:

  1. The Office believes that the anonymity principle should be redrafted to require organisations and agencies to provide the individual, where possible, with the option of interacting with them anonymously.

4-30 Is it appropriate or desirable for agencies to be subject to an anonymity principle? In what circumstances, if any, might this be appropriate?

151. The Office holds the view that, wherever possible or practicable, agencies should provide individuals with the opportunity to remain anonymous. In particular, as the principle of anonymity can only apply where practicable, there appears to be no compelling argument or policy reason for not extending the anonymity principle to agencies. Such an obligation would not appear to impose a regulatory or unreasonable administrative impediment to an agency. The ALRC cites that German privacy law, along with Victorian, Tasmanian and Northern Territory privacy legislation all contain an anonymity principle applying to public sector bodies.103

152. The Office acknowledges that there will be many instances in which agencies must collect personal information. For example, the provision of services provided by agencies will be reliant upon the collection of personal information (for example, the payment of social welfare benefits by Centrelink). However, similar to private sector obligations, agencies should have a positive obligation to provide individuals with the choice of dealing with an agency anonymously wherever possible.

153. Consistent with this view, as recently as March 2006, the Office provided comment on the Australian Government e-Authentication Framework for Individuals (a framework which provides guidance to agencies whose electronically delivered services require e-authentication of an individual's identity, amongst other things) and stated that 'an individual's identity should only be authenticated by an agency where it is necessary for the transaction between the individual and the agency'.104 The submission went on to state that 'requiring individuals to be identifiable when it is not necessary can serve to limit the choice and control individuals have over their personal information.'105

4-31 Should the transfer of personal information offshore by agencies also be regulated by privacy principles?

154. The Office supports the regulation of agencies regarding the transfer of personal information internationally.

155. As national governments increasingly interact and cooperate in a vast array of areas such as health, immigration, law enforcement, and business, increasing amounts of personal information may be exchanged as part of these processes. To ensure that appropriate and consistent practices are in place for the transfer of personal information in these circumstances, the Office believes that agencies could be regulated by a transborder data flow principle similar to NPP 9.

156. The Office suggested such an approach in its 2006 submission to the Attorney-General's Department on its review of Australia's extradition arrangements.106 In this submission, the Office said that personal information should not be disclosed to overseas bodies which are not subject to privacy regulation without legislative, contractual or other administrative arrangements in place to prevent unauthorised uses or disclosures by the recipient. Such arrangements should be publicly available and include easily accessible complaint handling mechanisms and accountability measures.

157. The Office went on to note that this same policy approach underpins NPP 9 which regulates transborder data flows by private sector organisations.107 Effectively, personal information should not be transferred to a foreign jurisdiction unless the foreign jurisdiction offers privacy protections substantially similar to Australian privacy standards. This approach is consistent with international best privacy practice108 and should be provided for in privacy regulation applying to agencies.

158. For further comment regarding this issue, please refer to question 13-1.

Question 4-31
Office position:

  1. The Office believes that Australian government agencies should not disclose personal information to overseas bodies which are not subject to privacy regulation without legislative, contractual or other administrative arrangements in place to prevent unauthorised uses or disclosures by the recipient.

4-32 Should federal privacy principles allow agencies and organisations to collect non-health related sensitive information for purposes, including research and statistical purposes? If so, in what circumstances should it be permitted?

159. In considering this question, the Office focuses on the role of NPP 10, which essentially requires that, for the purpose of non-health research, sensitive information must not be collected unless the individual consents (NPP 10.1(a)) or the collection is required by law (NPP 10.1(b)). While other exceptions are available, NPPs 10.1(a) and (b) are the most relevant to the question of research.

160. The Office has noted in response to question 4-13 that the public interest in non-health research is, on the whole, likely to be less compelling than the public interest in health and medical research. Accordingly, the Office submits that the current policy settings for the collection of sensitive information for non-health research remain appropriate.

161. However, in responding to question 8-32, the Office has noted that health and medical research may sometimes be advanced by the linking of health information with other forms of personal information (whether sensitive or not). The Office has noted that this would require amendment to NPP 2.1(d) (which currently only provides for health information to be disclosed for medical research purposes), and NPP 10.3 (which similarly only permits health information to be collected) to provide that any type of personal information may be collected for health and medical research.

162. In regard to collection of non-health sensitive personal information by agencies, the Office has noted in responding to question 8-32 that the current s 95 mechanism is not limited to any particular type of personal information. The Office has submitted that ss 95 and 95A be aligned so that any type of personal information may be collected, used or disclosed (without consent, where it is impracticable) for medical research.

4-33 Should federal privacy principles establish a separate regime for the public and private sectors regulating sensitive information aspects of the information cycle, including collection, use, disclosure, access, retention and disposal? If so, what should that regime include?

163. Consistent with the second reading speech for the Privacy Amendment (Private Sector) Bill 2000, the community expects that sensitive information will be afforded special privacy protections above and beyond ordinary, non-sensitive personal information.

164. In that speech, the then Attorney-General, the Hon Daryl Williams QC, said:

The national privacy principles also provide strict guidelines for the collection of information that the community considers to be particularly sensitive, such as health information, criminal records, political opinions or religious beliefs.109

165. The Office believes, in accordance with the proposal for a set of unified principles, that sensitive information should be afforded consistent protections, regardless of the stage of the process in which, or by whom, it is handled.

166. As detailed in the response to question 4-35, the Office proposes that a single sensitive information principle be created, which details what particular approach is required when handling sensitive information at the different stages of the information cycle.

167. Complementing this principle, it is proposed that in each principle, attention is drawn to the special nature of sensitive information and then direction to the stand-alone sensitive information principle is provided, for example:

Question 4-33
Office position:

  1. The Office believes that sensitive information should be afforded consistent protections, regardless of the stage of the process in which, or by whom, it is handled.

4-34 Should the Privacy Act provide a uniform set of privacy principles that are to apply to both the public (currently covered by the IPPs) and private (currently covered by the NPPs) sectors? If so, what model should be used? Are there any particular principles or exceptions to principles that should apply only to either the public or private sector?

168. The Office recommends that the NPPs and IPPs be merged into a single set of privacy principles which apply to both the public sector and private sector organisations. This recommendation is consistent with the Office's previous recommendation made in the Private Sector Review.110

169. The Office is of the view that a single set of privacy principles would be an important step in lessening the complexity of privacy regulation in Australia. Specifically, the uniform principles would reduce the complexity that some businesses face regarding their privacy obligations, particularly those that function as Australian Government contractors. Similarly, a single set of principles would also assist individuals in determining what privacy protections are in place.

170. As evidenced through the consultation undertaken for the Office's Private Sector Review, the lack of a single set of principles can have the effect of increasing the administrative and cost burden of compliance for organisations.111 In particular, submissions to the Office indicated that a lack of consistency often caused compliance difficulties for public sector organisations that undertake commercial activities, and similarly, for private sector organisations that are funded by Australian government agencies or contracted to agencies.112

171. As discussed in the Office's Private Sector Review, there appears to be no clear policy reason why a single set of privacy principles cannot apply to both the public and private sector. Additionally, there appears to be no clear rationale for applying similar, but slightly different, privacy principles to public sector agencies and private sector organisations as is the current situation.113 The Office notes that in other jurisdictions including the UK, Hong Kong and New Zealand, one set of privacy principles applies to the information handling practices of the public and private sectors. As such, if the development of a single set of principles is based relatively closely on the areas of information handling that are currently contained in the NPPs and/or IPPs, the Office could see no underlying policy reason as to why exceptions from particular principles would need to be extended to either public or private sector organisations.

4-35 Apart from the principles contained in the IPPs and NPPs, are there any other principles to which agencies and organisations should be subject? For example, should the IPPs and NPPs include expressly an 'accountability' principle, a 'prevention of harm' principle, a 'consent' principle, or a requirement that agencies and organisations notify persons whose personal information has been, or is reasonably believed to have been, accessed without authorisation? If so, what should be the content of these principles?

172. In responding to this question, the Office has considered the application of the current privacy principles and whether they achieve the desired level of protection for individuals whilst continuing to be functional for agencies and organisations.

173. The Office has proposed a single set of principles which would be applicable to both private sector organisations and public sector agencies. This is consistent with Recommendation 5 of the Private Sector Review. The Office has based the principles on the current NPPs because of the concise and more user friendly nature of the NPPs when compared to the IPPs. This is due in part to the fact that the NPPs were developed with the consideration that they must cater to a wider range of organisations, from individual health providers to large corporations and therefore were required to be easier to apply in a variety of situations. Similarly, the drafting language of the NPPs utilises plain English in comparison to the earlier drafted IPPs.

174. The Office has taken the decision not to attempt to draft the proposed principles, but rather to recommend and comment on the issues to be considered or addressed by each principle. Moreover, in discussing the issues to be considered or addressed, the Office does not intend to indicate that the entirety of the discussion should be included in the content of each principle. In particular, it is acknowledged that should a high level framework be adopted, as recommended by the Office, much of the content discussed for each of the principles would properly reside in another format rather than in the principle itself.


Privacy Principles

Principle 1 - Anonymity
Principle 2 - Notice and Openness
Principle 3 - Collection
Principle 4 - Collection of Sensitive Information
Principle 5 - Use and Disclosure
Principle 6 - Quality
Principle 7 - Security
Principle 8 - Access and Correction
Principle 9 - Transborder Data Flows
Principle 10 - Identifiers

Principle 1-Anonymity

175. Anonymity could be the first principle because, wherever possible, individuals should be given the choice of dealing with an agency or organisation anonymously. In IP31 the ALRC notes that the principle of anonymity complements the collection principle by limiting organisations from collecting personal information unless it is necessary - bringing the anonymity principle to the foreground serves to highlight that consideration.

176. Principle 1-Anonymity could include: