|Executive summary | Chapter 1 | Chapter 2 |Chapter 3 |Chapter 4 |Chapter 5 |Chapter 6 |Chapter 7 |Chapter 8 |Chapter 9 |Chapter 10 |Chapter 11 |Chapter 12 |Chapter 13|
1. The privacy of vulnerable members of the community is of considerable interest and concern to the Office and the Australian public. This response discusses two groups that are particularly at risk. Each presents comparable but different challenges for privacy regulation, which must balance community, representative and individual expectations across a range of circumstances. In the Office's view, the protection of individual's interests should be a primary consideration.
2. The Privacy Act is based around providing rights to individuals and does not distinguish individuals by age. Children are therefore provided with equal rights to adults, with the flexibility to determine, on a case by case basis, who should be responsible for exercising those rights. Other mechanisms supplement the Privacy Act's protections, such as legislation specific to child protection, and particular sectoral procedures. The Office believes the Privacy Act is generally functioning effectively in relation to children and young people, although in some areas, protections may be improved by amendments to the small business exemption. The Office welcomes consideration of further mechanisms beyond the Privacy Act which may be necessary to safeguard child privacy, for example, in the areas of online protections and photographic images.
3. In relation to individuals with a decision-making disability, the Office believes that certain problems can be addressed without legislative amendment. In its Private Sector Review, the Office undertook to provide additional guidance on when personal information can currently be disclosed to representatives under the Privacy Act, in order to help minimise any misunderstanding of these provisions. The Office also believes consideration could be given to whether the disclosure of non-health information to responsible persons should be permitted under NPP 2.4. Other areas for consideration include the ability of formal representatives to seek access on an individual's behalf, how best to protect individuals' privacy from their own representatives, and whether the Privacy Act operates effectively in cases of sudden or unexpected incapacity.
4. The Office believes that the personal information of children and young people needs to be protected through a combination of the Privacy Act and other legislation as appropriate.451 The Office does not consider that there are widespread problems with the current privacy protections for children and young people. However, greater guidance on the application of current legislation will assist organisations to interact with children and young people appropriately. In addition, there may be limited circumstances where information of children and young people may not be protected sufficiently, due to the operation of the small business exemption under the Privacy Act452 (for example, in relation to some child care centres and dispute resolution services).
5. Further comments on each area identified in question 9-1 of IP31 are set out below.
6. The Privacy Act does not currently make special reference to children and young people. Rather, the Act operates on the basis that children and young people have the same rights to privacy as adults. The application of the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) will therefore regulate the interactions of children with agencies and organisations, respectively. In practice, the responsibility for exercising a child or young person's rights under the Privacy Act falls to another person (usually a parent), until the child reaches a level of maturity where they are able to make decisions independently.
7. The Office uses a common law approach to assess capacity. In practice, this means that wherever possible, capacity should be assessed on an individual basis, rather than upon attaining a prescribed age. This ensures that mature young people are entitled to make decisions about their personal information as soon as they are able, rather than being constrained by an arbitrarily imposed age of capacity. The Office considers that this approach to the privacy of young people is appropriate, as it accommodates different rates of development.
8. The Office understands that in some circumstances, privacy rights will necessarily give way where there is a compelling reason to do so. In these instances, the Office seeks to ensure that the least privacy intrusive solution is implemented.
9. For example, the Privacy Act permits disclosure of information by agencies and organisations where it is required or authorised by law, such as mandatory reporting of suspected child abuse. The Office recognises that there are significant benefits to such mandatory reporting, and that allowing this disclosure of personal information accords with community expectations surrounding the welfare of children.
10. The Privacy Act expressly permits these types of disclosures by organisations and agencies where it is required or authorised by law (NPP 2.1(g) and IPP 11.1 (c)), or where there is a serious and imminent threat to an individual's life or health (NPP 2.1(e) or IPP 11.1(d)).
11. The Office does not consider that the Privacy Act inhibits the appropriate disclosure of information in child welfare circumstances, and as such, does not consider there is a need to amend the Act.
12. Juvenile justice generally lies within the ambit of the state and territory courts and correctional facilities, and as such falls outside the jurisdiction of the Privacy Act.
13. As IP31 indicates, there are generally restrictions in state and territory law regarding information, particularly identifying information, relating to children in the juvenile justice system.453
14. The Office does not consider that the Privacy Act is interfering with the operation of juvenile justice, and is not aware of particular privacy issues for children and young people in the juvenile justice system that need to be addressed through the amendment of the Act.
15. Confidentiality provisions in the Family Law Act 1975 (Cth) establish restrictions on the disclosure of information obtained in family counselling and dispute resolution, respectively.454 However, the Office believes other protections to information under the NPPs (such as accuracy, security, destruction of information and access) should also apply to information handled by family counsellors and dispute resolution centres.
16. At present, dispute resolution services offered in conjunction with family law services may not fall within the jurisdiction of the Privacy Act due to the small business exemption, even though they often handle information that individuals consider to be particularly private. The Office has been able to investigate complaints about family counselling services, for example, where those services deal with an individual's psychological wellbeing (and therefore fall within the scope of providing a 'health service'455 under the Privacy Act). However, many dispute resolution services are arguably distinct from health services.
17. The potential impact of the small business exemption is of concern in these circumstances. For example, the Office is aware of a recent complaint which was declined on the basis that the dispute resolution service (operating out of a community legal centre) was a small business organisation, not a health service provider. The Office believes that individuals should have recourse to complain to the Privacy Commissioner where they feel that their information has been handled inappropriately by a dispute resolution centre, without having to rely on that service being considered a health service provider under the Privacy Act.
18. The Office supports the common law approach of establishing the capacity of young people to make decisions about their health information, based on the professional opinion of a medical practitioner determined on a case by case basis. This approach ensures that there is adequate flexibility available to health professionals to consider the relative maturity and intelligence of young people.
19. The Office accepts that the test of individual capacity is to some degree subjective. In addition, as decisions on the issue of capacity are not generally reviewable by any particular body, this can weigh against a young person's sense of control over their personal information. However, it should be noted that there have not been significant complaints regarding the operation of the Privacy Act in this respect. The Office also recognises the special training of health professionals in matters of confidentiality and capacity.
20. As IP31 indicates, there are clear benefits in ensuring that young people feel confident about the handling of their person information. This includes the increased likelihood that young people will seek treatment or advice from a health service provider.
21. Considering the nature of a parent's representative role before a child is mature enough to make decisions about their own information, there is a possibility that, when the child attains capacity, they will not agree with the decisions that have been made on their behalf. The move towards shared electronic health records (SEHR) systems presents a significant example of where, once participation has been initiated, information is likely to be stored in the system, even if a participant (including a young person) later chooses to opt out.
22. The Office considers it appropriate that consent provided by a parent (or other representative) on behalf of a child who lacks capacity, is taken to be provided by the child themselves. Generally speaking, once valid consent has been provided, an individual (or appropriate representative) may make decisions with regard to ongoing interactions with the organisation. However, under the NPPs, the individual does not have the right to have information deleted if it is still needed for the purpose for which it was collected, or for a secondary purpose as set out in NPP 2.456
23. The NPP access provision (NPP6) does not specifically address access to a child's personal information by a parent or guardian.457 Guidance provided by the Office indicates that a person acting on behalf of an individual may exercise the individual's right of access, where they have a legal authority to do so (such as a guardianship order).458 However, this guidance also indicates that where parents are seeking health information about their children from a health service provider, they should utilise the provisions relating to disclosure of information to a responsible person in NPP 2.4-2.6.459 The Office notes that obtaining information by way of a disclosure under NPP 2 remains at the organisation's discretion. That is, disclosures under NPP 2 are permitted, but are not required.
24. In order to provide a 'positive' right for parents or guardians to access information about children, it is likely that there would need to be an amendment to NPP 6. It is relevant to consider the community expectations that a parent ought to be able to access information, particularly health information, about their child. This should be weighed against the expectation that, once a child attains the capacity to make their own decisions regarding the handling of their information, the parent's right to access may no longer be appropriate. Similarly, the Office understands this may also be a pertinent issue in relation to financial affairs, such as where a parent is a signatory to a young person's account.
25. The issue of whether a responsible person should have a right to access information about the individual for whom they are making decisions, rather than relying upon a discretionary disclosure, is discussed further in relation to adults with decision-making disabilities in response to question 9-3.460 Careful consideration will be necessary regarding whether a child's representative should expressly be given a right to access the child's information. The benefits and risks may be different, though no less significant, when considering an access right in relation to all individuals who lack the capacity to make decisions about their own information.
26. Schools collect a significant amount of information about children and young people regarding their scholastic activities or performance. Most private schools will be within the jurisdiction of the Privacy Act, except where their turnover is $3 million or less.461 As such, use and disclosure of a private school student's personal information will ordinarily be restricted to the primary purpose for which it was collected, a related (or directly related) secondary purpose that is within the individual's reasonable expectations, or where the individual consents.462
27. The Privacy Act requires a case by case assessment of a young person's capacity to make decisions about their personal information independently from their parents.
28. The Office considers that, unless there are special circumstances, providing scholastic information to parents (for example, in the form of scholastic reports) is likely to be a related secondary purpose to the purpose of collection, and within the reasonable expectations of the child or young person.
29. The Office notes that a use or disclosure of information by a school, such as providing reports to a child or young person's parent, may be within the child or young person's expectations even if they would prefer the use or disclosure not to take place. In this way, the issue of whether a use or disclosure falls within an individual's reasonable expectations may be separated from whether the individual would agree or consent to the use or disclosure.
30. However, where a school offers a health service or counselling, the disclosure of that information to their parents may not fall within the reasonable expectations of a child or young person. It is not clear to the Office that law reform is necessary to address this. However, if there is considered to be a need for further clarification, the Office could provide additional guidance on this issue to schools.
31. The Office notes that there may be different expectations where a student is at a high school compared to a student at a higher educational facility (such as a TAFE), even where the students are of similar age. These expectations may extend to the provision of assessment results.
32. Where parents are separated or divorced and there are legal orders in place, there may be some uncertainty as to whether a school is able to provide information about a child or young person to both parents. The Office has issued advice that in some circumstances it will not be reasonable to disclose a student's personal information to a parent. This may include where there is demonstrable risk to the child (for example, where a court protection order is in place to prevent a parent's contact with a child, or limiting the parent's access to information about the child), or where the information reveals contact details of the custodial parent.463 The Office advises schools to carefully consider the particular circumstances when deciding whether disclosure is appropriate.
33. In some cases, it may be argued that information provided to parents by a school is provided under NPP 6, as a right to access information that is exercised on behalf of the child. Alternatively, it may be considered that the information is provided under NPP 2 as an authorised, but not required, disclosure of the child's information to a third party (the parent). Depending on which NPP applies in the circumstances, the provision of the child or young person's information to a parent may or may not be at the discretion of the school. However, access may be withheld for certain reasons set out in NPP 6, including where information would unreasonably impact upon the privacy of a third party (such as the custodial parent).
34. The Office notes that the small business exemption may result in some child care centres falling outside the jurisdiction of the Privacy Act. Child care centres may hold, and in some cases are required to hold, detailed information about children, such as their care arrangements, their health information and dietary requirements.
35. The Office believes that there is a community expectation that those responsible for the care and supervision of children behave in a manner that protects the best interests of the child. In the Office's view, this includes an expectation that children's information should be protected, and that individuals who feel that their child's information has been mishandled should have the right to complain to this Office.
36. The Office believes there would be merit in the ALRC consulting further with consumer and business representatives on the operation of the small business exemption in relation to child care centres. This could include an assessment of the likely regulatory costs for child care centre operators if the exemption did not apply.
37. Protecting children's privacy in an online environment is particularly challenging given the difficulty for agencies and organisations to assess an individual's capacity to consent. However, in general, the Office considers that the particular nature of the electronic environment may be better addressed outside the Privacy Act.
38. The Privacy Act provides principle-based regulation, which applies to all industries, including organisations interacting with individuals online. In order to comply with their Privacy Act obligations, it is important that an organisation ensures that the individual they are dealing with has the necessary capacity to make decisions. If greater specificity in regulation is warranted to address particular concerns about online privacy, then further consideration should be given to industry-targeted legislation, a binding code of conduct or an industry standard.
39. The United States has introduced legislation, the Children's Online Privacy Protection Act 1998 (COPPA legislation), to deal with online privacy for children.464 There have been some successful outcomes under this legislation, including a recent settlement with the weblog company, Xanga.com, which involved specific performance orders regarding corporate practices and a $1 million penalty.465 However, IP31 also sets out some of the challenges to the effectiveness of the COPPA legislation.466 The main challenges appear to centre on the difficulty of an organisation authenticating individuals (both in relation to parents, and children who claim to be older than they are). This is likely to be an ongoing issue until online verification becomes more reliable.
40. In Australia, the Internet Industry Association (IIA) has proposed a privacy code, which the Privacy Commissioner has accepted for assessment under s 18BB of the Privacy Act. This code proposed to confer capacity to all children at the age of 13, which is consistent with the age adopted under the COPPA legislation. However, the COPPA legislation does not address the issue of the varying levels of maturity among children and young people of the same age. Nor does it resolve the problems of verifying an individual's age in an online environment. These issues are still being considered in relation to the IIA's proposed code.
41. In taking reasonable steps to determine the capacity of individuals operating in an online environment, an organisation may use the services of a third party verification system (subject to NPP requirements, where applicable). Such a system could assign a digital signature or other verifiable electronic token, which represents that the individual has satisfied an assessment of their capacity to provide consent. While this may be one way of addressing capacity issues, the Office does not advocate legislative change to require such specific action.
42. Nevertheless, it is important that organisations are aware of the need to take such reasonable steps as are available and appropriate to meet their Privacy Act obligations, including determining individual capacity at the outset. The steps that will be reasonable will depend on the circumstances, including the sensitivity of the information, the intended uses of the information, the available technological measures, and the size and resources of the organisation.
43. A key practical question appears to be an organisation's capability to provide restitution if an improper collection of information has occurred, particularly in the online environment. The Office considers that, where personal information has been collected from a child (or another individual) who lacks capacity, the most important issue for parents is to re-establish control over their child's information. This may include requesting that the information be deleted, or that subsequent use and disclosure is curtailed.
44. The question of whether the Privacy Act will protect the handling of a photograph taken of a child or young person depends on the nature of the entity involved.
45. Where an organisation takes or publishes photographs of children or young people, the NPPs do, and in the Office's view should, apply to the collection and handling of the information. However, there may be circumstances where the handling of photographs will not be subject to the protections in the Privacy Act. This includes where the photographs are taken or published by a small business operator, and where an individual takes or publishes the photographs in a private capacity.
46. In November 2005, the Office made a submission to a Standing Committee of Attorneys General (SCAG) discussion paper on privacy issues surrounding unauthorised photographs. The Office argued that criminal sanctions for individuals who inappropriately take, use or disclose photographs of children or young people may be more appropriate than dealing with this issue through the Privacy Act.467
47. There are two main privacy issues identified in this section. The first relates to the taking of photographs (in particular, without adequate consent). As a photograph is a 'record' for the purposes of the Privacy Act, this is a collection of information.468 The second issue is the publishing of those photographs. Depending on the distribution of the publication, this could be a use or a disclosure of information.
48. It is important to ensure that the Privacy Act accords with community expectations. If requirements for compliance with the Privacy Act are disproportionate to its benefits, then there is a risk that privacy regulation will be seen as an obstacle to individuals, rather than a protection of their rights. Accordingly, the reasonable taking and publishing of photographs by an organisation, such as a private school which publishes photos in the school newsletter, should not be unnecessarily complicated. On the other hand, the Office acknowledges the considerable public interest in safeguarding children's privacy.
49. Currently, NPP 1 requires that the collection of information by an organisation be necessary for a legitimate function or activity of the organisation, and that it be collected in a way that is lawful, fair and not unreasonably intrusive. Individuals must also be informed about the collection and the likely uses and disclosures of the photographs, and other matters of 'notice' set out in NPP 1.3.469 In the context of providing notice, the Office has previously advised the following:
Organisations are strongly encouraged to use particular care in the handling the images and other personal information of children. Depending on the age and ability of the child to understand your explanation about what is going to happen with their picture and to make a truly informed choice, you should discuss these things with their parent or guardian first. You should also be aware of and meet the requirements of any other legislation that protects children.470
50. Organisations may also need to consider whether photographs contain information that is sensitive, such as whether the photographs reveal information about an individual's health, racial or ethnic origin, political opinions or membership of a political organisation or trade union. In these circumstances, extra protections (such as obtaining consent for collection) will apply to the collection of the information.471 However, the Office does not consider that this is an onerous burden. For example, in some cases it may be adequate for consent to be implied. Where an organisation intends to rely upon implied consent, they will need to ensure that the photographer is clearly apparent and identified, and that the opportunity exists for a young person, or a responsible adult, to indicate if they do not want their photograph taken.
51. Conversely, in the Office's view, the unreasonable, inappropriate and potentially criminal taking of photos of children and young people should be addressed.472 These circumstances will generally involve the actions of an individual, rather than an organisation or an agency. As such, a legislative response is likely to be most effective if it is implemented in legislation with broader coverage than the Privacy Act, such as criminal sanctions. The 2005 SCAG Discussion Paper, referred to above, examined the option of criminal offences to deal with the publication of photographs. The Office's submission to that Discussion Paper noted that the problem may be best addressed through a combination of mechanisms, including education campaigns as well as legislative options.473
52. Where there has been an unauthorised publication of photographs, one appropriate form of redress could be to reinstate the individual or representative's control over the photograph, and provide information and choices over whether and how the photograph continues to be used. It may also be beneficial to establish systems whereby an affected individual can request the removal of unauthorised images from a publication, such as a website.
53. Regulation of broadcasting generally falls under the jurisdiction of the Australian Communications and Media Authority (ACMA). ACMA's most recent guidance on privacy was released in August 2005. This guidance material seeks to protect the privacy of all individuals but notes the particular care and diligence required where children are involved.474
54. Recommendation 59 of the Office's Private Sector Review indicated that the Office would provide additional guidance to media organisations on the appropriate levels of privacy protection, especially in relation to health information, and to make organisations aware that the media exemption is not a blanket exemption. In December 2006, the Privacy Commissioner gave a speech to an ACMA conference which discussed this issue. The Commissioner reinforced that the exemption only applies to those activities done in the course of journalism, and where the organisation has subscribed to a relevant industry code.475
55. The regulation of court records generally falls outside the realm of the Privacy Act. Federal Court records are expressly excluded under s7(1)(a)(ii) of the Act,476 while the practices of state and territory courts are generally covered by legislation under those specific jurisdictions.
56. The Office acknowledges there are two competing interests at play regarding court records. On the one hand, that justice is served by a transparent and public process, and on the other, that individuals' rights to privacy are protected. It is the court's role to determine what information is appropriately included on the public record, and the Office believes this should involve considerations of the child's or young person's privacy.
57. The Office notes that children and young people are particularly vulnerable to stigmatisation, psychological damage and embarrassment which may result from identifying information about them being included in a court record. As indicated in IP31, this vulnerability is recognised by particular court procedures which allow the suppression of information that may identify children.477 In assessing the adequacy of these provisions, it should be noted that in some instances, an individual's identity can be apparent from cumulative information other than the individual's name (particularly where the individual is from a small community). Although such provisions lie outside the Privacy Act, the Office would welcome further consideration of their effectiveness in protecting children's privacy.478
58. Notably, the move to electronic record keeping has increased the potential privacy risk to all individuals identified in court records, including those incidentally involved in a court case. Electronic records are more easily accessed, searched, distributed, manipulated and compiled in various ways. The particular privacy issues raised by electronic storage of, and access to, court records is addressed in the Office's response to question 11-5.
59. There are no further issues that the Office wishes to raise concerning the privacy protections of children and young people outside the scope of the Privacy Act. However, the Office would welcome the opportunity to examine other relevant matters that may be raised with the ALRC in submissions to this review.
60. The Office submits that there may be a need to make some amendments to the Privacy Act in order to better protect the privacy of adults with a decision-making disability. There are also some situations where the better option appears to be non-legislative, such as the provision of further and more detailed guidance material.
61. This section discusses key issues in relation to adults with decision-making disabilities. These include difficulties experienced in the handling of personal information other than health information, difficulties experienced when individuals have an urgent or unexpected need for a representative, and at times, the desirability of privacy from representatives.
62. The Office recognises that individuals with a decision-making disability are particularly vulnerable to abuse or inadvertent invasions of their privacy.
63. The Privacy Act must ensure adequate protection for individual rights while allowing for a reasonable flow of information for the individual's benefit. It is important that the Privacy Act works to prevent information-handling practices, including disclosures to representatives, that do not align with individual and community expectations, or which result in inappropriate risks to individual privacy.
64. A decision-making disability may be a permanent or a temporary condition. In some cases, it may only affect an individual's decision-making ability some of the time, such as where an individual has a particular mental illness which may be episodic in nature. Further, it may be that the individual can make decisions about the handling of their information if they are provided with the necessary support. The Privacy Act should ensure that privacy protections are able to be tailored to these sorts of scenarios, while not unreasonably restricting the appropriate flow of information.
65. Generally, the Office does not support amendments to the Privacy Act unless there is evidence that the difficulty encountered is as a result of a deficiency in the current legislation. Where non-legislative measures, such as improved guidance, can adequately address problematic interpretation of otherwise appropriate legislative measures, this should be favoured over changes which jeopardise certainty and continuity of interpretation, and risk unintended and unforeseen consequences.
66. The Office considers that wherever possible, it is important to frame this discussion in terms of the rights and difficulties experienced by the individuals who have a decision-making disability. That is, the protection of the interests of the individual should be the primary consideration. Nevertheless, the Office recognises the important work of representatives of those with decision-making disabilities, and seeks to ensure that regulations do not go beyond what is necessary to protect this vulnerable section of our community.
67. NPP 2 provides a range of exceptions allowing the appropriate use and disclosure of an individual's personal information. This includes where consent has been given, or where it would lessen or prevent a serious threat to life, health or safety.479
68. In addition, NPP 2.4 states that a health service provider may (though notably not 'must') disclose an individual's health information to a 'responsible person'480 where the individual is incapable of giving consent, and certain other conditions are satisfied. These conditions include that the disclosure:
69. The Australian Guardianship and Administration Committee, in its submission to the Office's Private Sector Review, stated that it did not believe there were deficiencies in the Privacy Act or associated regulations, '[h]owever there would appear to be significant room for improvement in how a range of service providers interpret and apply the legislation...'.481
70. The Office is aware that there may be a lack of understanding of the existence and operation of NPP 2.4, both in the health sector and amongst consumers. This may indicate that health service providers have been approaching the disclosure of health information to representatives in a particularly risk-averse manner, rather than being evidence of a need for legislative amendment.
71. The Office has undertaken to provide further and more practical guidance regarding the operation of NPP 2 in its Private Sector Review.482 In the Office's view, this would be a more effective means of addressing the relevant difficulties with NPP 2.4, rather than pursuing a legislative solution. Possible amendments to NPP 2.4 for other purposes are discussed in the section below, and in the Office's response to question 3-5 in Chapter 3.483
72. The Office is aware that in some circumstances, agencies and organisations have been reluctant to disclose the personal information (other than health information) of adults with a decision-making disability to representatives. This may include information held by agencies such as Centrelink, financial institutions and utility companies.
73. As discussed below, the nature of the representative relationship may be a formal legal arrangement, such as a guardianship order or an enduring power of attorney, or it may be an informal assistance arrangement. Whether a disclosure to a representative is permitted will depend on whether a formal legal arrangement exists, or whether the individual has communicated to the agency or organisation that information may be provided to a representative.
74. Under the IPPs, there are currently no express provisions which relate to agencies dealing with representatives. This means that agencies must determine whether disclosing information about a person to a representative is permitted under IPP 11, which governs disclosure of information.
75. Under the NPPs, organisations must ensure (among other obligations) that any disclosure of information to a representative is permitted under NPP 2. NPP 2.4, which allows a health service provider to disclose health information to a representative, is discussed in the section above.
76. Where a formal legal arrangement establishes the representative's role, such as a power of attorney or legal guardianship, an organisation may rely on NPP 2.1(g), which allows disclosure of personal information where the disclosure is required or authorised by law. However, where there is an informal representation arrangement, it is likely that the organisation will need to be satisfied that the individual consents to the disclosure of the information to that representative (NPP 2.1(b)), or that the disclosure is related to the primary purpose for which the information was collected and is within the individual's reasonable expectations (NPP 2.1(a)).
77. The Office is aware that some representatives currently experience difficulties in obtaining information about individuals for whom they provide assistance. As one possible way of addressing this, the Office's Private Sector Review recommended that the Government consider amending the Privacy Act to extend NPP 2.4.484 These amendments could permit the disclosure of personal information other than health information to a responsible person. The Government notes this recommendation in its response to the Office's Private Sector Review, and refers the issue to the ALRC for consideration.485
78. The Office considers that there would be merit in the ALRC undertaking further consultation on this issue. Some of the factors that may need to be considered further are whether:
79. The Government may also wish to consider whether the IPPs adequately provide for disclosures to a responsible person where the individual either lacks capacity, or is unable to communicate their consent to particular information-handling practices.
80. While the proposed extension of NPP 2.4 to allow the disclosure of non-health information may be of assistance, it is unlikely to resolve all the difficulties experienced by representatives and individuals with a decision-making disability (particularly where no formal legal arrangement exists). For instance, the disclosure is still at the organisation's discretion. In addition, allowing an organisation to disclose information to a representative will not in itself enable that representative to take further action on behalf of the individual, such as paying a bill.
81. The Office notes that allowing an informal representative to take action on an individual's behalf raises significantly more risks than an organisation merely providing information. Where such action is necessary, for the certainty and convenience of all parties, it will often be appropriate to establish a formal legal arrangement for a representative (such as a guardianship order). However, if the problem is obtaining information in the first place, then for example, a permitted disclosure about whether a bill has been paid, or an address has been changed, may allow the representative to remind the individual that certain actions may need to be taken.
82. It is important to recognise that there are significant practical challenges in the construction of a relevant amendment to NPP 2.4. At present, where health information is provided by a health service provider, the health professional is qualified to assess the individual's capacity, and decide whether the information should be shared with a responsible person. In contrast, it may be difficult for other organisations, without comparable training or experience, to adequately make the same assessment. This will be even more difficult if the nature of the incapacity is episodic. As such, careful consideration must be given to the practical decisions that an organisation would need to make, in order to appropriately disclose non-health information under an extended NPP 2.4.
83. A formal legal arrangement, such as a guardianship order or an enduring power of attorney, establishes the legal authority for a representative to act on behalf of an individual with a decision-making disability. Depending on the arrangement, this may include exercising rights under the Privacy Act, such as consenting to a particular use or disclosure of personal information, or making a request for access.
84. However, the Office understands that most adults with a decision-making disability do not have such formal arrangements in place. In many cases, a family member or trusted friend will act as an informal carer, and deal with agencies and organisations on behalf of the individual.
85. Where a guardianship order is not considered to be necessary, it may be possible for the individual to make some decisions with additional explanation. The individual should be presumed to have capacity to make decisions unless there is evidence of a lack of capacity.
86. Generally, an individual's decision-making ability, or capacity to consent, should be assessed with regard to the particular decision required to be made. This allows maximum opportunity for autonomy and self-determination, by acknowledging that an individual may have capacity in some circumstances, and not in others. Such a model is used in Queensland when determining guardianship matters:
Capacity for a person for a matter, means the person is capable of -
- understanding the nature and effects of decisions about the matter; and
- freely and voluntarily making decisions about the matter; and
- communicating the decision in some way.486
87. This has also been the approach in Ontario, Canada:
Ontario has deliberately chosen a decisional test to protect the rights of capable individuals who could otherwise be deemed in need of guardians simply because they have certain physical conditions; have received a certain medical or psychiatric diagnosis; or have made decisions considered foolish or which lead to a socially 'deviant' lifestyle.487
88. In order to facilitate the efficient flow of information, an individual who has capacity to make decisions, but finds the process difficult or requires additional explanation to assist them, may choose to authorise a person to act on their behalf on a day-to-day basis. This may take the form of a written notice provided to the organisation or agency allowing a representative to access their information, make particular decisions about their dealings with that body, or act generally on their behalf.
89. The Office is aware that some causes of decision-making disabilities (such as a mental illness or a gradual degenerative condition), may affect an individual's ability or willingness to decide that someone should act on their behalf, and decide whom that representative should be. Accordingly, there must be an appropriate balance between the individual's right to make autonomous decisions, and addressing the particular needs of individuals with impaired decision-making capacity. It is important to ensure that an individual whose capacity is in question retains the right to make decisions where they are able, even if others disagree with those decisions. This may minimise the possibility that a representative could take advantage of an individual, or the possibility of conflicting decisions made by a number of representatives.
90. Further consideration may need to be given to how adequately the Privacy Act and related laws deals with sudden and unexpected cases of incapacity (such as a sudden medical emergency), in allowing a person to act on the individual's behalf in relation to financial affairs.488 For example, the ALRC may wish to consider whether it would be appropriate to allow a representative to act on a person's behalf where:
91. Some important considerations for such a proposal may include:
92. However, the Office notes the significant risks that arise in allowing an individual to act on another's behalf, particularly in relation to financial affairs. It is therefore crucial to evaluate whether the benefits of such additional measures outweigh the risk that individuals in a particularly vulnerable situation could be taken advantage of, unless adequate safeguards are put in place. Any options for amending the Privacy Act should also be examined against the effectiveness (and timeliness) of existing legal mechanisms, and other possible options for managing an incapacitated individual's financial affairs.
93. In Recommendation 64 of the Office's Private Sector Review, the Office committed to providing additional guidance material, to advise organisations and agencies about the use and disclosure of health information where it is permitted by NPP 2.4. As noted earlier, there appears to be a lack of awareness of these provisions, or a reluctance to deal with the representatives of individuals with decision-making disabilities.489
94. NSW Privacy has developed a best practice guide for NSW agencies when dealing with people with decision-making disabilities.490 This provides useful information on the factors that should be taken into account when NSW agencies assess capacity. The Office could prepare similarly-structured guidance for Commonwealth and ACT agencies and private sector organisations, on how the Privacy Act operates in relation to individuals with decision-making disabilities, and their representatives.
95. At present, formal legal representatives may believe they need to rely on agency and organisation discretion to provide an individual's personal information, as a permitted, but not required, disclosure under IPP 11 or NPP 2. That is, the Privacy Act does not explicitly give access rights to representatives.
96. The ALRC may wish to consider whether IPP 6 and NPP 6 should be amended to clarify that legal representatives have a right to access personal information held by agencies and organisations, on behalf of the individual they represent. The Office notes that additional risks may arise if the representative relationship is of an informal nature. There may also be merit in qualifying such a right of access, to respect an incapacitated individual's right to privacy from their own representative, as discussed below.
97. Where the incapacity is short-term, or the individual is considered likely to regain capacity to handle their own affairs, it may be appropriate to limit a carer's right to access information about the individual. These limits could encompass information which is relevant to the individual's care, or is otherwise related to the carer's responsibilities.491
98. There will often be a considerable amount of information contained in an individual's record which is unrelated to the current care, and that the individual may wish to keep private even from carers (particularly in a health context). For example, such information could relate to sexual orientation; or a previous, but unrelated, health service, such as a termination of pregnancy, treatment for a sexually transmitted disease or a history of drug dependency. At present under the Privacy Act, if a legal representative makes a request for access to all information held about an individual, the health service provider will need to provide access to the information unless a particular exception applies.492
99. Limiting the information that a temporary representative is able to access would allow an individual to maintain privacy from their representative, where the matter is not relevant to decisions that the representative must make. Such a limitation accords with the objective of a carer providing assistance, and respects the individual's right to autonomy and privacy to the extent possible (both at the time of the decision, and in the future).
100. What will constitute relevant information may be best determined with reference to the particular circumstances of the representative arrangement. For example, whether a representative is a guardian who can make health decisions, an administrator for financial decisions, or has another particular area of responsibility.
101. Finally, there is a risk that such considerations could increase the administrative burden for agencies and organisations when complying with requests for access from representatives. However, given that such entities are currently required to consider several exceptions, such as whether access to information would have a serious threat to the life or health of any individual,493 it is arguable that agencies and organisations would be able to assume this responsibility.
451 The terms 'children and young people' are used throughout this response to refer to individuals under 18 years of age.
452 Privacy Act 1988 (Cth), ss 6C-6D. Generally, a private sector organisation will be exempt if its annual turnover is $3 million or less. However, if the organisation falls into a category listed in s 6D(4) (such as health service providers), it will not be exempt from the Act.
453 ALRC, Issues Paper 31 (IP31), paragraph 9.31.
454 Family Law Act 1975 (Cth), ss 10D and 10H.
455 As defined in the Privacy Act 1988 (Cth), s 6.
456 Privacy Act 1988 (Cth) See NPP 4.2 on the destruction of personal information when it is no longer needed.
457 Privacy Act 1988 (Cth) The terms of NPP 6 provide a right to 'the individual'.
458 Office of the Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), paragraph 6.3, available at http://www.privacy.gov.au/publications/hg_01.pdf.
459 Ibid, paragraph 2.9.
460 Under the subheading 'Access rights and privacy from representatives'.
461 Public schools fall outside the Privacy Act's jurisdiction, as they are state and territory entities.
462 Privacy Act 1988 (Cth), NPP 2.
463 See the Office of the Privacy Commissioner website, Frequently Asked Questions - Your Privacy Rights, 'Can non-custodial parents whose children attend a private school/college get access to their children's school reports?' available at http://www.privacy.gov.au/faqs/ypr/q23.html.
464 Available at the US Federal Trade Commission website, http://www.ftc.gov/ogc/coppa1.htm.
465 US Federal Trade Commission media release, 'Xanga.com to Pay $1 Million for Violating Children's Online Privacy Protection Rule', September 7, 2006, available at http://www.ftc.gov/opa/2006/09/xanga.htm.
466 ALRC, IP31, paragraph 9.73.
467 Office of the Privacy Commissioner, 'Submission to the Standing Committee of Attorneys-General on the Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper', November 2005, available at http://www.privacy.gov.au/publications/photosub.pdf.
468 The meaning of 'record' is defined in the Privacy Act 1988 (Cth), s 6.
469 Privacy Act 1988 (Cth), NPP 1.
470 Office of the Privacy Commissioner website, Frequently Asked Questions for Businesses, 'What do I need to think about if I want to put photos on the web?', available at http://www.privacy.gov.au/faqs/bf/q9.html.
471 Privacy Act 1988 (Cth), NPP 10.
472 For example, the Office notes an incident reported by the media in November 2006, where an individual was charged with possession of child pornography and behaving in an offensive manner in or near a public place or school.
473 Office of the Privacy Commissioner, 'Submission to the Standing Committee of Attorneys-General on the Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper', November 2005, pp 6-7, available at http://www.privacy.gov.au/publications/photosub.pdf.
474 ACMA, Privacy Guidelines for Broadcasters, August 2005, available at http://www.acma.gov.au/acmainterwr/_assets/main/lib100084/privacy_guidelines.pdf. See, for example, Appendix 3, 'Advisory note: Privacy', pp 17-18.
475 Privacy Commissioner, 'Presentation to the Australian Communications and Media Authority's Information Communications Entertainment Conference', 23 November 2006, pp 8-12, available at http://www.privacy.gov.au/news/speeches/sp07_06.pdf.
476 However, the administrative practices of the Federal Court are covered by the Privacy Act 1988 (Cth), s 7(1)(b).
477 ALRC, IP31, paragraphs 9.90-91.
478 The Office also notes that the issue of individuals being identifiable in records, even when their name has been removed, can also be problematic in relation to adults with a decision-making disability (for example, in guardianship tribunal records).
479 Privacy Act 1988 (Cth), NPPs 2.1(b) and NPP 2.1(e), respectively.
480 The meaning of 'responsible person' is clarified in NPP 2.5.
481 'Submission by the Australian Guardianship and Administration Committee (AGAC) to the Review by the Privacy Commissioner of the Private Sector Provisions of the Commonwealth Privacy Act 1988', December 2004, p 1, available at http://www.privacy.gov.au/act/review/revsub114.pdf.
482 Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005 (Office's Private Sector Review), Recommendation 64, p 219, available at http://www.privacy.gov.au/act/review/revreport.pdf.
483 The Office's response to question 3-5 considers whether NPP 2.4 could be amended to cover the information of deceased individuals, if the Privacy Act were amended to protect those persons' information.
484 Office's Private Sector Review, Recommendation 63, p 219.
485 Government response to the Privacy Commissioner's Report, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (Government response to the Office's Private Sector Review), 30 November 2006, available at http://www.ag.gov.au/www/agd/agd.nsf/Page/Privacy_GovernmentresponsestoPrivacyActreports .
486 Guardianship & Administration Act 2000 (Qld), Dictionary, Schedule 4 (emphasis added), available at http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/G/GuardAdminA00.pdf.
487 Capacity Assessment Office, Ontario Ministry of the Attorney General, Guidelines for Conducting Assessments of Capacity, May 2005, p II.2, available at http://www.attorneygeneral.jus.gov.on.ca/english/family/pgt/capacity/2005-05/guide-0505.pdf.
488 While an enduring power of attorney may assist here, such agreements may not be in place.
489 See 'Disclosure of health information to representatives' above.
490 Office of the NSW Privacy Commissioner (Privacy NSW), Best practice guide - Privacy and people with decision-making disabilities, February 2004, available at http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_08_bpg01.
491 See, for example, the language used in the requirements under NPP 2.4, in relation to discretionary disclosures.
492 NPP 6.1(c) allows denial of access which would unreasonably impact on other individuals' privacy. However, this is unlikely to allow denial of access to a representative, where this would interfere with the privacy of the individual whose information is being accessed.
493 See NPP 6.1(b) for organisations. Similarly, agencies must consider exceptions under the Freedom of Information Act 1982 (Cth), including whether disclosure of a document is reasonably likely to endanger the life or physical safety of any person (s 37(1)(c)).