review of australian privacy law - alrc · contents 5 18. collection 599 introduction 599...

VOLUME 1 DISCUSSION PAPER 72SEPTEMBER 2007

Review of Australian Privacy LawDISCUSSION PAPER

You are invited to provide a submission or comment on this Discussion Paper

This Discussion Paper reflects the law as at 31 July 2007

Commonwealth of Australia 2007

This work is copyright. You may download, display, print and reproduce this material in whole or part, subject to acknowledgement of the source, for your personal, non-commercial use or use within your organisation. Apart from any use as permitted under the Copyright Act 1968 (Cth), all other rights are reserved. Requests for further authorisation should be directed by letter to the Commonwealth Copyright Administration, Copyright Law Branch, Attorney-Generals Department, Robert Garran Offices, National Circuit, Barton ACT 2600 or electronically via www.ag.gov.au/cca.

ISBN- 978-0-9758213-9-8

Commission Reference: DP 72

The Australian Law Reform Commission was established on 1 January 1975 by the Law Reform Commission Act 1973 (Cth) and reconstituted by the Australian Law Reform Commission Act 1996 (Cth). The office of the ALRC is at Level 25, 135 King Street, Sydney, NSW, 2000, Australia.

All ALRC publications can be made available in a range of accessible formats for people with disabilities. If you require assistance, please contact the ALRC.

Telephone: within Australia (02) 8238 6333

International +61 2 8238 6333

TTY: (02) 8238 6379

Facsimile: within Australia (02) 8238 6363

International +61 2 8238 6363

E-mail: [email protected]

ALRC homepage: www.alrc.gov.au

Printed by Ligare Pty Ltd

Making a submission

Any public contribution to an inquiry is called a submission and these are actively sought by the ALRC from a broad cross-section of the community, as well as those with a special interest in the inquiry.

Submissions are usually written, but there is no set format and they need not be formal documents. Where possible, submissions in electronic format are preferred.

It would be helpful if comments addressed specific proposals and questions or numbered paragraphs in this paper.

Open inquiry policy In the interests of informed public debate, the ALRC is committed to open access to information. As submissions provide important evidence to each inquiry, it is common for the ALRC to draw upon the contents of submissions and quote from them or refer to them in publications. As part of ALRC policy, non-confidential submissions are made available to any person or organisation upon request after completion of an inquiry, and also may be published on the ALRC website. For the purposes of this policy, an inquiry is considered to have been completed when the final report has been tabled in Parliament.

However, the ALRC also accepts submissions made in confidence. Confidential submissions may include personal experiences where there is a wish to retain privacy, or other sensitive information (such as commercial-in-confidence material). Any request for access to a confidential submission is determined in accordance with the federal Freedom of Information Act 1982, which has provisions designed to protect sensitive information given in confidence.

In the absence of a clear indication that a submission is intended to be confidential, the ALRC will treat the submission as non-confidential.

Submissions should be sent to: The Executive Director Australian Law Reform Commission GPO Box 3708 SYDNEY NSW 2001 Email: [email protected] Submissions may also be made using the online form on the ALRCs homepage:

The closing date for submissions in response to DP 72 is Friday 7 December 2007.

Contents

Terms of Reference 15 List of Participants 17 List of Proposals and Questions 21 List of Proposed Unified Privacy Principles 89

Volume 1

Part A Introduction 101 1. Introduction to the Inquiry 103

Introduction 103 Key proposals for reform 105 Background 107 Privacy Act 110 The scope of the Inquiry 111 Related privacy references 112 Defining privacy 114 Privacy beyond the individual 122 Organisation of this paper 136 Process of reform 140

2. OverviewPrivacy Regulation in Australia 145 Introduction 145 The Australian Constitution and privacy 145 Federal regulation of privacy 146 State and territory regulation of privacy 148 Legislative rules, codes and guidelines 167 Non-legislative rules, codes and guidelines 168

3. The Privacy Act 169 Introduction 169 Overview of the Privacy Act 171 The structure of the Act 182 The name of the Act 184 The objects of the Act 187 Some important definitions 194 Deceased individuals 219

2 Review of Australian Privacy Law

4. Achieving National Consistency 235 Introduction 235 The federal system 237 Is national consistency important? 238 National legislation 241 Commonwealth-state cooperative scheme 247 A model for national consistency 253 A permanent standing body 262 A single privacy regulator? 267 Other methods to achieve national consistency 270

5. Protection of a Right to Personal Privacy 277 Introduction 277 Background 278 Right to personal privacydevelopments in Australia and elsewhere 280 NSWLRC Consultation Paper on invasion of privacy 290 Recognising an action for breach of privacy in Australia 291 ALRCs view 294

Part B Developing Technology 309

6. OverviewImpact of Developing Technology on Privacy 311 Introduction 311 Privacy enhancing technologies 312 The internet 315 Radio frequency identification 321 Other wireless technologies 325 Data-matching and data-mining 325 Smart cards 327 Biometric technologies 330 DNA-based technologies 333 Voice over internet protocol 334 Location detection technologies 335 Surveillance technologies 337 Other developing technologies 339

7. Accommodating Developing Technology in a Regulatory Framework 341 Introduction 341 Should the Privacy Act be technologically neutral? 342 Designing a technologically aware framework 346 Statutory protection 350 Standards 354 The role of the regulator 358

Contents 3

Proactive regulation 358 Oversight functions of the OPC 359 Guidance on particular technologies 361 Co-regulation 372 Other regulatory mechanisms 374

8. Individuals, the Internet and Generally Available Publications 375 Introduction 375 Individuals acting in a personal capacity 376 Generally available publications 383

9. Identity Theft 393 Introduction 393 What is identity theft? 394 How prevalent is it? 395 Criminalising identity theft 396 Other responses to identity theft 398 Identity theft and privacy laws 399

Part C Interaction, Inconsistency and Fragmentation 404

10. OverviewInteraction, Inconsistency and Fragmentation 405 Introduction 405 The costs of inconsistency and fragmentation 406 Federal information laws 408 Required or authorised by or under law 412 Interaction with state and territory laws 415

11. The Costs of Inconsistency and Fragmentation 419 Introduction 419 Sharing information 420 Compliance burden and cost 428 Multiple regulators 435 Government contractors 438

12. Federal Information Laws 447 Introduction 447 Terms and definitions 447 Freedom of Information Act 1982 (Cth) 449 Archives Act 1983 (Cth) 468


A single information Act? 472 A single regulator? 474 Secrecy provisions 476 Obligations of confidence 482

13. Required or Authorised by or Under Law 487 Introduction 487 Required or authorised by or under law 487 Census and Statistics Act 1905 (Cth) 498 Corporations Act 2001 (Cth) 502 Commonwealth Electoral Act 1918 (Cth) 506 Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) 510

14. Interaction with State and Territory Laws 519 Introduction 519 Interaction of federal, state and territory regimes 519 Privacy rules, codes and guidelines 526 Residential tenancy databases 528

Volume 2

Part D The Privacy Principles 541

15. Structural Reform of the Privacy Principles 543 Introduction to Part D 543 Development of current Australian privacy principles 544 Principles-based regulation of privacy 548 Level of detail, guidance and protection 554 Towards a single set of privacy principles 560 Scope and structure of Unified Privacy Principles 567

16. Consent 571 Introduction 571 Consent and bundled consent in the Privacy Act 572 A separate privacy principle dealing with consent? 583

17. Anonymity and Pseudonomity 587 Introduction 587 Expansion of anonymity principle 588 The option to transact anonymously or pseudonymously 593 Summary of proposed Anonymity and Pseudonymity principle 597

Contents 5

18. Collection 599 Introduction 599 Collection from the individual 601 Unsolicited personal information 605 Other aspects of the Collection principle 608 Summary of proposed Collection principle 610

19. Sensitive Information 613 Introduction 613 Expansion of sensitive information principle to agencies? 615 Regulation of other aspects of sensitive information handling 618 Emergency situations 622 Research 625

20. Specific Notification 627 Introduction 627 Location of notification requirements: separate principle? 628 Notification of collectors identity and individuals rights 630 Notification of the fact and circumstances of collection 633 Standardising requirements of agencies and organisations 635 Notification where information collected from a third party 640 Meaning of reasonable steps 645 Summary of proposed Specific Notification principle 648

21. Openness 651

Introduction 651 Separate Openness principle? 652 Regulatory structure: Privacy Policies 654 Matters to be included in a Privacy Policy 656 Availability of Privacy Policy 660 Short form privacy notices 662 Summary of proposed Openness principle 664

22. Use and Disclosure 667 Introduction 667 Towards a single Use and Disclosure principle 670 Use and disclosure of personal information for a related secondary purpose 674 Emergencies, disasters and threats to life or health 679 Missing persons 685 Disclosure of incidents by insured professionals to insurers 688 Use and disclosure in other contexts 690 Logging disclosures 694


Summary of proposed Use and Disclosure principle 697

23. Direct Marketing 699 Introduction 699 Direct marketing generally 701 Scope of direct marketing privacy principle 703 Relationship between privacy principles and other legislation 706 Opt-in or opt-out requirement? 708 Other possible requirements 713 Summary of proposed Direct Marketing principle 716

24. Data Quality 719 Introduction 719 Application of data quality principle to agencies 720 Scope of data quality principle 721 Clarification of data quality principle 726 Summary of proposed Data Quality principle 727

25. Data Security 729 Introduction 729 Towards a single data security principle 731 Protection of personal information 733 Destruction versus retention of personal information 739 Extension of destruction and de-identification requirements to agencies 741 When is destruction or deletion appropriate? 745 General right to destruction of personal information? 748 Meaning of destroy or permanently de-identify 750 Summary of proposed Data Security principle 753

26. Access and Correction 755 Introduction 755 Scope of proposed Access and Correction principle 757 Access by intermediaries 759 Barriers to access: fees and timeframe 761 Right to correction of personal information 763 Incorrect information: notification of third parties 765 Consequential amendments 769 Notification of access rights 770 Summary of proposed Access and Correction principle 771

27. Identifiers 775 Introduction 776 Separate principle to regulate identifiers? 778

Contents 7

Application of Identifiers principle to agencies? 779 Definition of identifier 783 Content of privacy principle dealing with identifiers 787 Unique multi-purpose identifiers 794 Regulation of Tax File Numbers 805 Summary of proposed Identifiers principle 811

28 Transborder Data Flows 815 Introduction 815 Extra-territorial operation of the Privacy Act 817 National Privacy Principle 9 821 Related bodies corporate 836 The role of the Privacy Commissioner 838 Requirement of notice that personal information is being sent overseas 844 International privacy protection 848 Summary of proposed Transborder Data Flows principle 862

29. Additional Privacy Principles 865 Introduction 865 Accountability principle 866 Prevention of harm principle 869 No disadvantage principle 872

Part E Exemptions 875

30. OverviewExemptions from the Privacy Act 877 Introduction 877 Exemptions under the Privacy Act 878 Exemptions under international instruments 881 Should there be any exemptions from the Privacy Act? 883 The number and scope of exemptions 887 Complexity of the exemption provisions 892 Location of the exemption provisions 894

31. Defence and Intelligence Agencies 899 Introduction 899 The exempt agencies 900 Rationale for the exemption of the AIC agencies 903 Issues concerning the exemption of the IGIS 916 Submissions and consultations 918 ALRCs view 922


32. Federal Courts and Tribunals 927 Introduction 927 Federal courts 927 Federal tribunals 942

33. Exempt Agencies under the Freedom of Information Act 1982 (Cth) 955 Introduction 955 Australian Fair Pay Commission 956 Schedule 2 Part I Division 1 of the Freedom of Information Act 959 Schedule 2 Part II Division 1 of the Freedom of Information Act 963 ALRCs view 971

34. Other Public Sector Exemptions 975 Introduction 976 Royal commissions 976 Australian Crime Commission 978 Integrity Commissioner 987 Other agencies with law enforcement functions 991 Parliamentary departments 994 State and territory authorities and prescribed instrumentalities 996

35. Small Business Exemption 1007 Introduction 1007 Current law 1007 Retention of the exemption 1010 Removal of the exemption 1019 Voluntary compliance and opting in 1035 ALRCs view 1036

36. Employee Records Exemption 1039 Introduction 1039 Current law 1039 Adequacy of privacy protection for employee records 1043 Evaluative material 1056 Location of privacy provisions concerning employee records 1061

37. Political Exemption 1065 Introduction 1065 Current law 1065 Government inquiries 1069 International instruments 1070 Electoral databases 1071 Implied freedom of political communication 1072

Contents 9

Submissions and consultations 1073 ALRCs view 1077

38. Media Exemption 1081 Introduction 1081 Scope of the exemption 1090 Criteria for media privacy standards 1100 Adequacy of the self-regulatory and co-regulatory models 1106 Enforcement mechanisms 1110

39. Other Private Sector Exemptions 1113 Introduction 1113 Personal or non-business use 1113 Related bodies corporate 1115 Change in partnership 1121

40. New Exemptions 1123 Introduction 1123 New exemptions and partial exemptions 1123 Declared emergencies 1137

Part F Office of the Privacy Commissioner 1141

41. OverviewOffice of the Privacy Commissioner 1143 Introduction 1143 Facilitating compliance with the Privacy Act 1144 Structure of the OPC 1145 Powers of the OPC 1146 Investigation and resolution of privacy complaints 1147 Enforcing the Privacy Act 1148 Data breach notification 1148 Summary of proposals to address systemic issues 1149

42. Facilitating compliance with the Privacy Act 1151 Introduction 1151 Compliance-oriented approach to privacy regulation 1152

43. Structure of the Office of the Privacy Commissioner 1159 Introduction 1160 Structure, functions and powers 1160 Manner of exercise of powers 1166


Accountability mechanisms 1169 Criminal liability 1172 Immunity 1172 Privacy Advisory Committee 1175

44. Powers of the Office of the Privacy Commissioner 1185 Introduction 1186 Oversight powers 1186 Guidelines 1193 Personal Information Digest 1196 Privacy impact assessments 1199 Compliance powers 1210 Audit functions 1211 Self-auditing 1218 Functions under other Acts 1221 Public interest determinations 1223 Privacy codes 1226

45. Investigation and Resolution of Privacy Complaints 1239 Introduction 1239 Investigating privacy complaints 1240 Transferring complaints to other bodies 1244 Resolution of privacy complaints 1248 Accountability and transparency 1259 Other issues in the complaint-handling process 1264

46. Enforcing the Privacy Act 1275 Introduction 1275 Enforcing own motion investigations 1276 Enforcing a determination 1279 Reports by the Commissioner 1281 Injunctions 1281 Other enforcement mechanisms following non-compliance 1283

47. Data Breach Notification 1293 Overview 1293 Rationale for data breach notification 1294 Models of data breach notification laws 1297 Submissions and consultations 1306 ALRCs view 1309

Contents 11

Volume 3

Part G Credit Reporting Provisions 1321

48. OverviewCredit Reporting 1323 Introduction 1323 What is credit reporting? 1325 Credit reporting agencies 1327 Background to national regulation 1328 Legislative history 1331

49. The Credit Reporting Provisions 1337 Introduction 1337 Application of the credit reporting provisions 1339 Content of credit information files 1342 Accuracy and security of personal information 1345 Disclosure of personal information 1346 Use of personal information 1350 Rights of access, correction and notification 1352 Responsibilities and powers of the OPC 1353 Remedies and penalties 1358

50. The Approach to Reform 1359 Introduction 1359 Part IIIA and the NPPs 1360 Options for reform 1362 Repeal and new regulation under the Act 1363 Approaches to the new credit reporting regulations 1372 Application of the regulations 1377 Credit reporting industry code 1398

51. More Comprehensive Credit Reporting 1401

Introduction 1401 Positive or more comprehensive credit reporting? 1402 Australias approach to more comprehensive credit reporting 1404 The argument for more comprehensive credit reporting 1408 Benefits of more comprehensive credit reporting 1409 Problems with more comprehensive credit reporting 1418 Empirical studies 1421 Regulation in other jurisdictions 1426 Models of more comprehensive credit reporting 1429


Privacy safeguards 1436 Should more comprehensive reporting be permitted? 1437 ALRCs view 1440

52. Collection of Credit Reporting Information 1445 Introduction 1445 Collection and notification 1446

53. Use and Disclosure of Credit Reporting Information 1475 Introduction 1475 Use and disclosure 1475 Consent and credit reporting 1497

54. Data Quality and Security 1503 Introduction 1503 Data quality 1504 Improving data quality 1513 Regulating data quality 1520 Deletion of credit reporting information 1523 Data security 1526

55. Rights of Access, Complaint Handling and Penalties 1529 Introduction 1529 Access and correction 1529 Complaint handling 1540 Penalties 1554

Part H Health Services and Research 1557

56. Regulatory Framework for Health Information 1559 Introduction 1559 National consistency 1561 A separate set of Health Privacy Principles? 1570 Electronic health information systems 1581

57. The Privacy Act and Health Information 1595 Introduction 1595 Privacy Act 1988 (Cth) 1595 Privacy (Health Information) Regulations 1614

Contents 13

58. Research 1653 Introduction 1653 The current arrangements 1654 Research other than health and medical research 1663 Definition of research 1667 The public interest balance 1670 Impracticable to seek consent 1676 Human Research Ethics Committees 1681 An exception to the proposed Unified Privacy Principles 1689 Identifiable personal information 1692 Databases and data linkage 1699

Part I Children, Young People and Adults Requiring Assistance 1713

59. Children, Young People and Privacy 1715 Introduction 1715 Generational difference 1716 Attitudes of young people 1719 ALRC consultations with young people 1723 Online social networking 1728 Photographs and other images 1735 ALRCs view 1744

60. Decision Making by Individuals Under the Age of 18 1751 Introduction 1751 Privacy rights of children and young people at international law 1753 Existing Australian laws relating to privacy of individuals under the age of 18 1756 Assessing the decision-making capacity of children and young people 1759 Specific privacy issues affecting children and young people 1787

61. Adults with a Temporary or Permanent Incapacity 1815 Introduction 1815 Equality and the presumption of capacity 1816 Problems with the Privacy Act 1819 Suggestions for reform 1822 ALRCs view 1829

62. Other Third Party Assistance 1839 Introduction 1839


Problems with the Privacy Act in practice 1839 Existing third party arrangements 1841 ALRCs view 1844

Part J Telecommunications 1847

63. Telecommunications Act 1849 Introduction 1849 Telecommunications Act 1997 (Cth) 1851 Are two privacy regimes necessary? 1853 Does the Telecommunications Act provide adequate privacy protection? 1858 Interaction between the Privacy Act and the Telecommunications Act 1859 Exceptions to the use and disclosure offences 1860 Integrated public number database 1878 Small business exemption 1889 Criminal or civil penalties 1891 New technologies 1893 Telecommunications regulators 1896 A redraft of the Part 1899

64. Other Telecommunications Privacy Issues 1901 Introduction 1901 Interception and access 1901 Spam and telemarketing 1916 Telecommunications regulators 1930

Appendix 1. List of Submissions 1939 Appendix 2. List of Agencies, Organisations and Individuals Consulted 1955 Appendix 3. List of Abbreviations 1965

Terms of Reference

REVIEW OF THE PRIVACY ACT 1988

I, Philip Ruddock, Attorney-General of Australia, having regard to:

the rapid advances in information, communication, storage, surveillance and other relevant technologies

possible changing community perceptions of privacy and the extent to which it should be protected by legislation

the expansion of State and Territory legislative activity in relevant areas, and

emerging areas that may require privacy protection,

refer to the Australian Law Reform Commission for inquiry and report pursuant to subsection 20(1) of the Australian Law Reform Commission Act 1996, matters relating to the extent to which the Privacy Act 1988 and related laws continue to provide an effective framework for the protection of privacy in Australia.

1. In performing its functions in relation to this reference, the Commission will consider:

(a) relevant existing and proposed Commonwealth, State and Territory laws and practices

(b) other recent reviews of the Privacy Act 1988

(c) current and emerging international law and obligations in this area

(d) privacy regimes, developments and trends in other jurisdictions

(e) any relevant constitutional issue

(f) the need of individuals for privacy protection in an evolving technological environment

(g) the desirability of minimising the regulatory burden on business in this area, and


(h) any other related matter.

2. The Commission will identify and consult with relevant stakeholders, including the

Office of the Federal Privacy Commissioner, relevant State and Territory bodies and the Australian business community, and ensure widespread public consultation.

3. The Commission is to report no later than 31 March 2008.

Dated 30th January 2006

[signed]

Philip Ruddock

Attorney-General

List of Participants

Australian Law Reform Commission

Division The Division of the ALRC constituted under the Australian Law Reform Commission Act 1996 (Cth) for the purposes of this Inquiry comprises the following:

Professor David Weisbrot (President) Professor Les McCrimmon (Commissioner in-charge) Professor Rosalind Croucher (Commissioner) Justice Robert French (part-time Commissioner) Justice Susan Kenny (part-time Commissioner) Justice Susan Kiefel (part-time Commissioner) (until August 2007)

Senior Legal Officers Carolyn Adams Bruce Alston Jonathan Dobinson

Legal Officers Lisa Eckstein (from August 2007) Althea Gibson (until March 2007) Lauren Jamieson Huette Lam Erin Mackay (from March 2007) Edward Santow Peter Turner (until August 2006)

Research Manager Lani Blackman

Librarian Carolyn Kearney

Project Assistant Tina OBrien


Legal Interns Megan Caristo Justin Carter Elizabeth Crook Joash Dache Maggie Fung Dawnie Lam Robert Mullins Danni Nicholas-Sexon Elnaz Nikibin Michael Ostroff Christina Raymond Fiona Roughley Keelyann Thomson Christina Trahanas Teneille Steptoe Michelle Tse Jocelyn Williams SooJin Yoon Advisory Committee Members Dr Bridget Bainbridge, National E-Health Transition Authority Ms Robin Banks, Public Interest Advocacy Centre Mr Paul Chadwick, Consultant (formerly Victorian Privacy Commissioner) (until

January 2007) Ms Karen Curtis, Privacy Commissioner (Cth) Mr Peter Ford, Privacy, Security and Telecommunications Consultant Mr Ian Gilbert, Australian Bankers Association Mr Duncan Giles, Freehills Solicitors Professor Margaret Jackson, School of Accounting & Law, RMIT University Ms Helen Lewin, Telstra Corporation Associate Professor Roger Magnusson, Faculty of Law, University of Sydney Associate Professor Moira Paterson, Faculty of Law, Monash University Ms Joan Sheedy, Australian Government Attorney-Generals Department Mr Peter Shoyer, Executive Director of Court Support & Independant Offices NT Professor Colin Thomson, National Health and Medical Research Council Mr Nigel Waters, Pacific Privacy Consulting Ms Beth Wilson, Health Services Commissioner (Vic) Ms Sue Vardon, Department for Families & Communities (SA) Credit Reporting Advisory SubCommittee Ms Carolyn Bond, Consumer Action Law Centre Ms Christine Christian, Dun and Bradstreet Pty Ltd

List of Participants 19

Ms Karen Cox, Consumer Credit Legal Centre (NSW) Mr Ian Gilbert, Australian Bankers Association Ms Helen Gordon, Australian Finance Conference Mr David Grafton, Commonwealth Bank of Australia Ms Loretta Kreet, Legal Aid Queensland Mr Andrew Want, Veda Advantage Mr Nigel Waters, Pacific Privacy Consulting Ms Kerstin Wijeyewardene, Treasury (Cth) Developing Technology Advisory SubCommittee Mr Paul Budde, Managing Director, BuddeComm Professor William Caelli, Director Information Assurance, International Information

Security Consultants Pty Ltd and Faculty of Information Technology, QUT Mr Chris Cheah, Australian Communications and Media Authority Professor Peter Croll, Professor of Software Engineering, Faculty of Information

Technology, QUT Mr Malcolm Crompton, Information Integrity Solutions Pty Ltd Professor Graham Greenleaf, Faculty of Law, University of New South Wales Professor Margaret Jackson, School of Accounting and Law, RMIT University David Jonas, Convergence e-Business Solutions Pty Ltd Mr Greg Stone, National Technology Officer, Microsoft Pty Ltd Mr Martin Stewart Weeks, Internet Business Solutions Group, Cisco Systems Australia

Pty Ltd Professor Michael Wagner, National Centre for Biometric Studies, University of

Canberra Mr Stephen Wilson, Lockstep Consulting Health Advisory SubCommittee Ms Amanda Adrian, Australian Nursing Federation Ms Melanie Cantwell, Consumers Health Forum of Australia Inc Professor David Hill, The Cancer Council (Vic) Ms Anna Johnston, Australian Privacy Foundation Dr Graeme Miller, Family Medicine Research Centre Ms Julia Nesbitt, Australian Medical Association Professor Margaret Otlowski, Faculty of Law, University of Tasmania Ms Dianne Scott, Department of Human Services (Vic) Dr Heather Wellington, Peter MacCallum Cancer Centre

List of Proposals and Questions

Part AIntroduction 1. Introduction to the Inquiry

Proposal 11 The Office of the Privacy Commissioner should, either on its own motion or where approached in appropriate cases, encourage and assist agencies and organisations, in conjunction with Indigenous and other ethnic groups in Australia, to create publicly available protocols that adequately respond to the particular privacy needs of those groups.

3. The Privacy Act

Proposal 31 The Privacy Act should provide for the making of regulations that modify the operation of the proposed Unified Privacy Principles (UPPs) to impose different or more specific requirements in particular contexts, including imposing more or less stringent requirements on agencies and organisations than are provided for in the UPPs.

Proposal 32 The Privacy Act should be amended to achieve greater logical consistency, simplicity and clarity. For example, the Information Privacy Principles and the National Privacy Principles should be consolidated into a set of UPPs; the exemptions should be clarified and grouped together in a separate part of the Act; and the Act should be restructured and renumbered.

Proposal 33 If the Privacy Act is amended to incorporate a cause of action for invasion of privacy, the name of the Act should remain the same. If the Act is not amended in this way, however, the Privacy Act should be renamed the Privacy and Personal Information Act.

Proposal 34 The Privacy Act should be amended to include an objects clause. The objects of the Act should be to:

(a) implement Australias obligations at international law in relation to privacy;

(b) promote the protection of individual privacy;

(c) recognise that the right to privacy is not absolute and to provide a framework within which to balance the public interest in protecting the privacy of individuals with other public interests;


(d) establish a cause of action to protect the interests that individuals have in the personal sphere free from interference from others;

(e) promote the responsible and transparent handling of personal information by agencies and organisations;

(f) facilitate the growth and development of electronic commerce, nationally and internationally, while ensuring respect for the right to privacy; and

(g) provide the basis for nationally consistent regulation of privacy.

Proposal 35 (a) The Privacy Act should define personal information as information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual.

(b) The Explanatory Memorandum of the amending legislation should make clear that an individual is reasonably identifiable when the individual can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation has the capacity to access or is likely to access.

(c) The Office of the Privacy Commissioner should provide guidance on the meaning of identified or reasonably identifiable.

Proposal 36 The definition of sensitive information in the Privacy Act should be amended to include: (a) biometric information collected for the purpose of automated biometric authentication or identification; and (b) biometric template information.

Proposal 37 The definition of sensitive information in the Privacy Act should be amended to refer to sexual orientation and practices rather than sexual preferences and practices.

Proposal 38 The definition of record in the Privacy Act should be amended in part to include: (a) a document; and (b) information stored in electronic or other forms.

Proposal 39 The definition of generally available publication in the Privacy Act should be amended to clarify that a publication is generally available whether or not a fee is charged for access to the publication.

Proposal 310 The personal information of deceased individuals held by agencies should continue to be regulated by the Freedom of Information Act 1982 (Cth) and the Archives Act 1983 (Cth).

Proposal 311 The Privacy Act should be amended to include a new Part dealing with the personal information of individuals who have been dead for 30 years or less

List of Proposals and Questions 23

where the information is held by an organisation. The new Part should provide as follows:

(a) Use and disclosure

Organisations should be required to use or disclose the personal information of deceased individuals in accordance with the proposed Use and Disclosure principle in the UPPs. Where the principle requires consent, the organisation should be required to consider whether the proposed use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person.

(b) Access

Organisations should be required to consider providing third parties with access to the personal information of deceased individuals in accordance with the access elements of the proposed Access and Correction principle in the UPPs. Organisations should be required to consider in each case whether providing access to the information would have an unreasonable impact on the privacy of other individuals, including the deceased individual.

(c) Data quality

Organisations should be required to ensure that the personal information of deceased individuals is, with reference to a use or disclosure permitted under the UPPs, accurate, complete, up-to-date and relevant before they use or disclose the information.

(d) Data security

Organisations should be required to take reasonable steps to protect the personal information of deceased individuals from misuse and loss and from unauthorised access, modification or disclosure.

Organisations should be required to take reasonable steps to destroy or render personal information of deceased individuals non-identifiable if it is no longer needed for any purpose permitted under the proposed UPPs.

Organisations should be required to take reasonable steps to ensure that personal information of deceased individuals they disclose to a person pursuant to contract, or otherwise in connection with the provision of a service, is protected from being used or disclosed by that person otherwise than in accordance with the Privacy Act.

Proposal 312 The proposed provisions dealing with the use or disclosure of personal information of deceased individuals should make clear that it is reasonable for an organisation to use or disclose genetic information to a genetic relative of a


deceased individual where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative. Any use or disclosure of genetic information of deceased individuals should be in accordance with rules issued by the Privacy Commissioner.

Proposal 313 Breach of the proposed provisions relating to the personal information of a deceased individual should be considered an interference with privacy under the Privacy Act. The following individuals should have standing to lodge a complaint with the Privacy Commissioner alleging an interference with the privacy of a deceased individual:

(a) in relation to an alleged breach of the use and disclosure, data quality or data security provisions, the deceased individuals parent, child or sibling who is at least 18 years old, spouse, de facto partner or legal personal representative; and

(b) in relation to an alleged breach of the access provision, any person who has made a request for access to the personal information of a deceased individual.

4. Achieving National Consistency

Proposal 41 The Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by organisations. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations:

(a) Health Records and Information Privacy Act 2002 (NSW);

(b) Health Records Act 2001 (Vic);

(c) Health Records (Privacy and Access) Act 1997 (ACT); and

(d) any other laws prescribed in the regulations.

Proposal 42 States and territories with information privacy legislation that purports to apply to private sector organisations should amend that legislation so that it is no longer expressed to apply to private sector organisations.

Proposal 43 The Privacy Act should not apply to the exclusion of a law of a state or territory so far as the law deals with any non-excluded matters set out in the legislation. The Australian Government, in consultation with state and territory governments, should develop a list of non-excluded matters, for example matters such as:

(a) reporting for child protection purposes;


(b) reporting for public health purposes; and

(c) the handling of personal information by state and territory government contractors.

Proposal 44 The states and territories should enact legislation that regulates the handling of personal information in that state or territorys public sector that:

(a) applies the proposed Unified Privacy Principles (UPPs) and the proposed Privacy (Health Information) Regulations as in force under the Privacy Act from time to time; and

(b) includes at a minimum:

(i) relevant definitions used in the Privacy Act (including personal information, sensitive information and health information);

(ii) provisions allowing public interest determinations and temporary public interest determinations;

(iii) provisions relating to state and territory incorporated bodies (including statutory corporations);

(iv) provisions relating to state and territory government contracts; and

(v) provisions relating to data breach notification.

The legislation also should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territorys public sector.

Proposal 45 The Australian Government should initiate a review in five years to consider whether the proposed Commonwealth-state cooperative scheme has been effective in achieving national consistency. This review should consider whether it would be more effective for the Australian Parliament to exercise its legislative power in relation to information privacy in the state and territory public sectors.

Proposal 46 To promote and maintain uniformity, the Standing Committee of Attorneys-General (SCAG) should adopt an intergovernmental agreement which provides that any proposed changes to the proposed:

(a) UPPs must be approved by SCAG; and


(b) Privacy (Health Information) Regulations must be approved by SCAG, in consultation with the Australian Health Ministers Advisory Council (AHMAC).

The agreement should provide for a procedure whereby the party proposing a change requiring approval must give notice in writing to the other parties to the agreement, and the proposed amendment must be considered and approved by SCAG before being implemented.

Proposal 47 The Standing Committee of Attorneys-General should be assisted by an expert advisory committee to:

(a) provide advice in relation to the amendment of the proposed UPPs and Privacy (Health Information) Regulations;

(b) address issues related to national consistency such as the scrutiny of federal, state and territory bills that may adversely impact on national consistency in the regulation of personal information; and

(c) address issues related to the enforcement of privacy laws, including information sharing between privacy regulators and cooperative arrangements for enforcement.

Appointments to the expert advisory committee should ensure a balanced and broad-based range of expertise, experience and perspectives relevant to the regulation of personal information. The appointments process should involve consultation with state and territory governments, business, privacy and consumer advocates and other stakeholders.

5. Protection of a Right to Personal Privacy

Proposal 51 The Privacy Act should be amended to provide for a statutory cause of action for invasion of privacy. The Act should contain a non-exhaustive list of the types of invasion that fall within the cause of action. For example, an invasion of privacy may occur where:

(a) there has been an interference with an individuals home or family life;

(b) an individual has been subjected to unauthorised surveillance;

(c) an individuals correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed; or

(d) sensitive facts relating to an individuals private life have been disclosed.


Proposal 52 The Privacy Act should provide that, in determining what is considered private for the purpose of establishing liability under the proposed statutory cause of action, a plaintiff must show that in all the circumstances:

(a) there is a reasonable expectation of privacy; and

(b) the act complained of is sufficiently serious to cause substantial offence to a person of ordinary sensibilities.

Proposal 53 The Privacy Act should provide that:

(a) only natural persons should be allowed to bring an action under the Privacy Act for invasion of privacy;

(b) the action is actionable without proof of damage; and

(c) the action is restricted to intentional or reckless acts on the part of the defendant.

Proposal 54 The Office of the Privacy Commissioner should provide information to the public concerning the proposed statutory cause of action for invasion of privacy.

Proposal 55 The range of defences to the proposed statutory cause of action for invasion of privacy provided for in the Privacy Act should be listed exhaustively. The defences should include that the:

(a) act or conduct was incidental to the exercise of a lawful right of defence of person or property;

(b) act or conduct was required or specifically authorised by or under law;

(c) information disclosed was a matter of public interest or was a fair comment on a matter of public interest; or

(d) disclosure of the information was, under the law of defamation, privileged.

Question 51 In addition to the defences listed in Proposal 55, are there any other defences that should apply to the proposed statutory cause of action for invasion of privacy?

Proposal 56 To address an invasion of privacy, the court should be empowered by the Privacy Act to choose the remedy that is most appropriate in all the circumstances, free from the jurisdictional constraints that may apply to that remedy in


the general law. For example, the court should be empowered to grant any one or more of the following:

(a) damages, including aggravated damages, but not exemplary damages;

(b) an account of profits;

(c) an injunction;

(d) an order requiring the defendant to apologise to the plaintiff;

(e) a correction order;

(f) an order for the delivery up and destruction of material;

(g) a declaration; and

(h) other remedies or orders that the court thinks appropriate in the circumstances.

Proposal 57 Until such time as the states and territories enact uniform legislation, the state and territory public sectors should be subject to the proposed statutory cause of action for invasion of privacy in the Privacy Act.

Part BDeveloping Technology 7. Accommodating Developing Technology in a Regulatory

Framework

Proposal 71 The Privacy Act should be technologically neutral.

Proposal 72 The Privacy Act should be amended to empower the Minister responsible for the Privacy Act, in consultation with the Office of the Privacy Commissioner, to determine which privacy and security standards for relevant technologies should be mandated by legislative instrument.

Proposal 73 In exercising its research and monitoring functions, the Office of the Privacy Commissioner should consider technologies that can be deployed in a privacy enhancing way by individuals, agencies and organisations.

Proposal 74 The Office of the Privacy Commissioner should educate individuals, agencies and organisations about specific privacy enhancing technologies and the privacy enhancing ways in which technologies can be deployed.

Proposal 75 The Office of the Privacy Commissioner should provide guidance in relation to technologies that impact on privacy (including, for example, guidance for


use of RFID or data collecting software such as cookies). Where appropriate, this guidance should incorporate relevant local and international standards. The guidance should address:

(a) when the use of a certain technology to collect personal information is not done by fair means and is done in an unreasonably intrusive way;

(b) when the use of a certain technology will require, under the proposed Specific Notification principle, agencies and organisations to notify individuals at or before the time of collection of personal information;

(c) when agencies and organisations should notify individuals of certain features of a technology used to collect information (for example, how to remove an RFID tag contained in clothing; or error rates of biometrics systems);

(d) the type of information that an agency or organisation should make available to an individual when it is not practicable to provide access to information held in an intelligible form (for example, what biometric information is held about an individual when the information is held as an algorithm); and

(e) when it may be appropriate for an agency or organisation to provide human review of a decision made by automated means.

Proposal 76 The Office of the Privacy Commissioner should provide guidance to organisations on the privacy implications of data-matching.

8. Individuals, the Internet and Generally Available Publications

Question 81 Should the online content regulation scheme set out in the Broadcasting Services Act 1992 (Cth), and in particular the ability to issue take down notices, be expanded beyond the National Classification Code and decisions of the Classification Board to cover a wider range of content that may constitute an invasion of an individuals privacy? If so, what criteria should be used to determine when a take down notice should be issued? What is the appropriate body to deal with a complaint and issue the take down notice?

Proposal 81 The Office of the Privacy Commissioner should provide guidance that relates to generally available publications in an electronic form. This guidance should:

(a) apply whether or not the agency or organisation is required by law to make the personal information publicly available;


(b) set out certain factors that agencies and organisations should consider before publishing personal information in an electronic form (for example, whether it is in the public interest to publish on a publicly accessible website personal information about an identified or reasonably identifiable individual); and

(c) set out the requirements in the proposed Unified Privacy Principles with which agencies and organisations need to comply when collecting personal information from generally available publications for inclusion in a record or another generally available publication (for example, when a reasonable person would expect to be notified of the fact and circumstances of collection).

Part CInteraction, Inconsistency and Fragmentation 11. The Costs of Inconsistency and Fragmentation

Proposal 111 The Office of the Privacy Commissioner should provide further guidance to agencies and organisations on privacy requirements affecting information sharing.

Proposal 112 Agencies that are required or authorised by legislation or a public interest determination to share personal information should develop and publish documentation that addresses the sharing of personal information; and where appropriate, publish other documents (including memoranda of understanding and ministerial agreements) relating to the sharing of personal information.

Proposal 113 The Australian Government should convene an inter-agency working group of senior officers to identify circumstances where it would be appropriate to share or streamline the sharing of personal information among Australian Government agencies.

Proposal 114 The Australian Government, in consultation with: state and territory governments, intelligence agencies, law enforcement agencies, and accountability bodies (including the Office of the Privacy Commissioner; the Inspector-General of Intelligence and Security; the Australian Commission for Law Enforcement Integrity; state and territory privacy commissioners and agencies with responsibility for privacy regulation; and federal, state and territory ombudsmen), should:

(a) develop and publish a framework relating to interjurisdictional sharing of personal information within Australia by intelligence and law enforcement agencies; and

(b) develop memoranda of understanding to ensure that accountability bodies can oversee interjurisdictional information sharing within Australia by law enforcement and intelligence agencies.


Question 111 Are the definitions of contracted service provider and State contract under the Privacy Act adequate? For example, do they cover all the types of activities that organisations might perform on behalf of agencies?

12. Federal Information Laws

Proposal 121 The Australian Government and state and territory governments should ensure the consistency of definitions and key terms (for example, personal information, sensitive information and health information) in federal, state and territory legislation that regulates the handling of personal information.

Proposal 122 Section 41(1) of the Freedom of Information Act 1982 (Cth) should be amended to provide that a document is exempt if it:

(a) contains personal information, and the disclosure of that information would constitute a breach of the proposed Use and Disclosure principle and disclosure would not, on balance, be in the public interest; or

(b) contains personal information of a deceased individual, and the disclosure of that information would constitute a breach of the proposed Use and Disclosure principle (but where the principle would require consent the agency must consider whether the proposed disclosure would involve the unreasonable disclosure of personal information about any individual including the deceased individual) and disclosure would not, on balance, be in the public interest.

Proposal 123 Personal information should be defined in the Freedom of Information Act 1982 (Cth) as information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual.

Proposal 124 The Freedom of Information Act 1982 (Cth) should be amended to require that the body that is primarily responsible for administration of the Act is to:

(a) develop and publish guidelines on the interpretation and application of s 41;

(b) consult with the Office of the Privacy Commissioner before issuing guidelines on the interpretation and application of s 41.

Proposal 125 The Freedom of Information Act 1982 (Cth) should be amended to provide that disclosure of personal information in accordance with the Freedom of Information Act 1982 (Cth) is a disclosure that is required or authorised for the purposes of the proposed Use and Disclosure principle under the Privacy Act.


Proposal 126 The Privacy Act should be amended to provide a new Part dealing with access to, and correction of, personal information held by an agency.

Proposal 127 The Freedom of Information Act 1982 (Cth) should be amended to:

(a) provide that an individuals right to access or correct his or her own personal information is dealt with under the Privacy Act; and

(b) repeal Part V of the Act.

Proposal 128 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide that:

(a) if an agency holds personal information about an individual the agency must, if requested by the individual, provide the individual with access to the information, subject to a number of exceptions under the Part;

(b) where an individual is given access to personal information, the individual must be advised that he or she may request the correction of that information;

(c) where an agency is not required to provide the individual with access to personal information because of an exception, the agency must take reasonable steps to reach an appropriate compromise, involving the use of a mutually agreed intermediary, provided that the compromise would allow for sufficient access to meet the needs of both parties; and

(d) nothing in the Part is intended to prevent or discourage agencies from publishing or giving access to personal information, otherwise than as required by the Part, where they can do so properly or are required to do so by law.

Question 121 What exceptions should apply to the general provision granting an individual the right to access his or her own personal information held by an agency? For example, should the exceptions mirror the provisions in Part IV of the Freedom of Information Act 1982 (Cth) or should another set of exceptions apply?

Proposal 129 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide that, if an agency holds personal information about an individual, the agency must:

(a) if requested by the individual, take such steps to correct (by way of making appropriate corrections, deletions or additions) the information as are, in the circumstances, reasonable to ensure that the information is, with reference to a purpose of collection permitted by the proposed Unified Privacy Principles, accurate, complete, up-to-date, relevant and not misleading;


(b) where the agency has taken the steps outlined in (a) above, if requested to do so by the individual, and provided such notification would be practicable in the circumstances, notify any other entities to whom the personal information has already been disclosed.

Proposal 1210 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide that where an agency decides not to correct the personal information of an individual, and the individual requests the agency to annotate the personal information with a statement by the individual claiming that the information is not accurate, complete, up-to-date, relevant, or is misleading, the agency must take reasonable steps to do so.

Proposal 1211 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should set out a process for dealing with a request to access or correct personal information that addresses:

(a) the requirements for making an application for correction or annotation of personal information;

(b) time periods for processing a request to access or correct personal information;

(c) the transfer of a request to access or correct personal information to another agency in certain circumstances (for example, when a document is not in the possession of an agency but is, to the knowledge of that agency, in the possession of another agency);

(d) how personal information is to be made available to the individual (including by giving the individual a reasonable opportunity to inspect the records, or by providing a copy of the record, by giving a summary of the contents of the record, or by providing oral information about the contents of the record);

(e) how corrections are to be made (including by additions and deletions);

(f) the deletion of excepted matter or irrelevant material;

(g) the persons authorised to make a decision on behalf of an agency in relation to a request to access or correct personal information;

(h) when a request for access to personal information may be refused by an agency (for example, when it would substantially and unreasonably divert the resources of the agency from its other operations, or in the case of a minister, would substantially and unreasonably interfere with the performance of the ministers functions); and


(i) the provision of reasons for a decision to deny a request to access or correct personal information.

Proposal 1212 The proposed Part of the Privacy Act dealing with access to, and correction of, personal information held by an agency should provide for:

(a) internal review by an agency of a decision made under the Part;

(b) review by the Administrative Appeals Tribunal of a decision made under the Part (including the power to make an order for compensation); and

(c) complaints to the Commonwealth Ombudsman.

Proposal 1213 The Office of the Privacy Commissioner should issue guidelines on access to, and correction of, records containing personal information held by an agency.

Question 122 Should the Office of the Privacy Commissioners complaint-handling, investigative and reporting functions be exempt under the Freedom of Information Act 1982 (Cth)?

Proposal 1214 Part VIII of the Privacy Act (Obligations of confidence) should be repealed.

13. Required or Authorised by or under Law

Question 131 Should the definition of a law for the purposes of determining when an act or practice is required or specifically authorised by or under a law include:

(a) a common law or equitable duty;

(b) an order of a court or tribunal;

(c) documents that are given the force of law by an Act of Parliament, such as industrial awards; and

(d) statutory instruments such as a Local Environmental Plan made under a planning law?

Question 132 Should a list be compiled of laws that require or authorise acts or practices in relation to personal information that would otherwise be regulated by the Privacy Act? If so, should the list have the force of law? Should it be comprehensive or indicative? What body should be responsible for compiling and updating the list?


Proposal 131 If the exemption that applies to registered political parties and political acts and practices is not removed, the Commonwealth Electoral Act 1918 (Cth) should be amended to provide that prescribed individuals, authorities and organisations to whom the Australian Electoral Commission must give information in relation to the electoral roll and certified lists of voters must take reasonable steps to:

(a) protect the information from misuse and loss and from unauthorised access, modification or disclosure; and

(b) destroy or render the information non-identifiable if it is no longer needed for a permitted purpose.

Proposal 132 The Australian Electoral Commission and state and territory electoral commissions, in consultation with the Office of the Privacy Commissioner, should develop and publish protocols that address the collection, use, storage and destruction of personal information shared for the purposes of the continuous update of the electoral roll.

Proposal 133 The review of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the regulations and the Anti-Money Laundering and Counter-Terrorism Financing Rules under s 251 of the Act should consider, in particular, whether:

(a) reporting entities and designated agencies are appropriately handling personal information under the legislation;

(b) the number and range of transactions for which identification is required should be more limited than currently provided for under the legislation;

(c) it remains appropriate that reporting entities are required to retain information for seven years; and

(d) it is appropriate that reporting entities are able to use the electoral roll for the purpose of identification verification.

Proposal 134 The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) should be amended to provide that state and territory agencies that access personal information provided to the Australian Transaction Reports and Analysis Centre under the Act be regulated under the Privacy Act in relation to the handling of that personal information, except where they are covered by obligations under a state or territory law that are, overall, at least the equivalent of all the relevant obligations in the Privacy Act.


14. Interaction with State and Territory Laws

Proposal 141 The Privacy Act should be amended to provide that when an Australian Government agency is participating in an intergovernmental body or other arrangement involving state and territory agencies, the Australian Government agency should ensure that a memorandum of understanding is in place so that the intergovernmental body and its members do not act, or engage in a practice, that would breach the Act.

Part DThe Privacy Principles 15. Structural Reform of the Privacy Principles

Proposal 151 The privacy principles in the Privacy Act should be drafted to pursue, as much as practicable, the following objectives:

(a) the obligations in the privacy principles generally should be expressed as high level principles;

(b) the privacy principles should be simple, clear and easy to understand and apply; and

(c) the privacy principles should impose reasonable obligations on agencies and organisations.

Proposal 152 The Privacy Act should be amended to consolidate the current Information Privacy Principles and National Privacy Principles into a single set of privacy principlesthe Unified Privacy Principles (UPPs)that would be generally applicable to agencies and organisations, subject to such exceptions as required.

Proposal 153 The proposed UPPs should apply to information privacy except to the extent that:

(a) the Privacy Act or another piece of Commonwealth primary legislation imposes different or more specific requirements in a particular context; or

(b) subordinate legislation under the Privacy Act imposes different or more specific requirements in a particular context.

Proposal 154 The National Privacy Principles should provide the general template in drafting and structuring the proposed UPPs.


16. Consent

Proposal 161 The Office of the Privacy Commissioner should provide further guidance about what is required of agencies and organisations to obtain an individuals consent for the purposes of the Privacy Act. This guidance should: (a) cover consent as it applies in various contexts; and (b) include advice on when it is and is not appropriate to use the mechanism of bundled consent.

17. Anonymity and Pseudonymity Proposal 171 The proposed Unified Privacy Principles should contain a principle called Anonymity and Pseudonymity that sets out the requirements on agencies and organisations in respect of anonymous and pseudonymous transactions with individuals.

Proposal 172 The proposed Anonymity and Pseudonymity principle should include a pseudonymity requirement that when an individual is transacting with an agency or organisation, the agency or organisation must give the individual the option of identifying himself or herself by a pseudonym. This requirement is limited to circumstances where providing this option is lawful, practicable and not misleading.

Proposal 173 The proposed Anonymity and Pseudonymity principle should provide that, subject to the relevant qualifications in the principle, an agency or organisation is required to give individuals the clear option to transact anonymously or pseudonymously.

Proposal 174 The Office of the Privacy Commissioner should provide guidance to agencies and organisations on: (a) when it is and is not lawful and practicable to give individuals the option to transact anonymously or pseudonymously; (b) when it would be misleading for an individual to transact pseudonymously with an agency or organisation; and (c) what is involved in providing a clear option to transact anonymously or pseudonymously.

18. Collection

Proposal 181 (a) The proposed Unified Privacy Principles (UPPs) should contain a principle called Collection that requires agencies and organisations, where reasonable and practicable, to collect personal information about an individual only from the individual concerned.

(b) The Office of the Privacy Commissioner should provide guidance to clarify when it would not be reasonable and practicable to collect such information from the individual concerned.


Proposal 182 The Collection principle in the proposed UPPs should provide that, where an agency or organisation receives unsolicited personal information, it must either: (a) destroy the information immediately without using or disclosing it; or (b) comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had taken active steps to collect the information.

Proposal 183 The Collection principle in the proposed UPPs should provide that an agency or organisation must not collect personal information unless it reasonably believes the information is necessary for one or more of its functions or activities.

19. Sensitive Information

Proposal 191 The proposed Unified Privacy Principles should set out the requirements on agencies and organisations in relation to the collection of personal information that is defined as sensitive information for the purposes of the Privacy Act. These requirements should be located in the proposed Collection principle.

Proposal 192 The proposed sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is required or specifically authorised by or under law.

Proposal 193 The proposed sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is necessary to lessen or prevent a serious threat to the life or health of any individual, where the individual whom the information concerns is incapable of giving consent.

Question 191 Should the proposed sensitive information provisions provide that sensitive information can be collected where all of the following conditions apply:

(a) the individual is incapable of giving consent;

(b) the collection is necessary to provide an essential service for the benefit of the individual; and

(c) the collection would be reasonable in all the circumstances?

20. Specific Notification

Proposal 201 The proposed Unified Privacy Principles should contain a principle called Specific Notification that sets out the requirements on agencies and organisations to provide specific notification to an individual of particular matters relating to the collection and handling of personal information about the individual.


Proposal 202 The proposed Specific Notification principle should provide that, at or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual, it must take reasonable steps to ensure that the individual is aware of the:

(a) fact and circumstances of collection (for example, how, when and from where the information was collected);

(b) identity and contact details of the agency or organisation;

(c) fact that the individual is able to gain access to the information;

(d) purposes for which the information is collected;

(e) main consequences of not providing the information;

(f) types of people, organisations, agencies or other entities to whom the agency or organisation usually discloses personal information; and

(g) avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information.

This requirement should only apply: (1) in circumstances where a reasonable person would expect to be notified; (2) except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual; and (3) subject to any other relevant exceptions.

Proposal 203 The Office of the Privacy Commissioner should provide guidance to assist agencies and organisations in ensuring that individuals are properly informed of the persons to whom their personal information is likely to be disclosed.

Proposal 204 An agency should be required to notify an individual of the matters listed in the proposed Specific Notification principle, except to the extent that the agency is required or specifically authorised by or under law not to make the individual aware of such matters.

Proposal 205 (a) The proposed Specific Notification principle should provide that where an agency or organisation collects personal information from someone other than the individual concerned, it must take reasonable steps to ensure that the individual is or has been made aware of:

(i) the matters listed in Proposal 202; and

(ii) on request by the individual, the source of the information.


(b) This requirement should only apply:

(i) in circumstances where a reasonable person would expect to be notified;

(ii) except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual; and

(iii) in the case of an agency, except to the extent that it is required or specifically authorised by or under law not to make the individual aware of one or more of these matters.

Proposal 206 The Office of the Privacy Commissioner should provide guidance on the circumstances in which it is necessary for an agency or organisation to notify an individual when it has received personal information about the individual from a source other than the individual concerned.

Proposal 207 The Office of the Privacy Commissioner should provide guidance on the meaning of the term reasonable steps in the context of an agencys or organisations obligations to fulfil its notification requirements under the proposed Specific Notification principle.

21. Openness

Proposal 211 The proposed Unified Privacy Principles should contain a principle called Openness that sets out the requirements on an agency or organisation to operate openly and transparently by providing general notification in a Privacy Policy of how it manages personal information and how personal information is collected, held, used and disclosed by it.

Proposal 212 The Privacy Policy in the proposed Openness principle should set out an agencys or organisations policies on the management of personal information, including how the personal information is collected, held, used and disclosed. This document should also include:

(a) what sort of personal information the agency or organisation holds;

(b) the purposes for which personal information is held;

(c) the avenues of complaint available to individuals in the event that they have a privacy complaint;

(d) the steps individuals may take to gain access to personal information about them held by the agency or organisation;

(e) the types of individuals about whom records are kept;


(f) the period for which each type of record is kept; and

(g) the persons, other than the individual, who can access personal information and the conditions under which they can access it.

Proposal 213 The Office of the Privacy Commissioner should issue guidance on how agencies and organisations can comply with their obligations in the proposed Openness principle to produce and make available a Privacy Policy.

Proposal 214 An agency or organisation should take reasonable steps to make its Privacy Policy, as referred to in the proposed Openness principle, available without charge to an individual: (a) electronically (for example, on its website, if it possesses one); and (b) in hard copy, on request.

Proposal 215 The Office of the Privacy Commissioner should continue to encourage and assist agencies and organisations to make available short form privacy notices summarising their personal information handling practices. Short form privacy notices should be seen as supplementing the more detailed information that is required to be made available to individuals under the Privacy Act.

22. Use and Disclosure

Proposal 221 The proposed Unified Privacy Principles should contain a principle called Use and Disclosure that sets out the requirements on agencies and organisations in respect of the use or disclosure of personal information for a purpose other than the primary purpose of collecting the information.

Proposal 222 The proposed Use and Disclosure principle should contain an exception permitting an agency or organisation to use or disclose an individuals personal information for a purpose (the secondary purpose) other than the primary purpose of collection if the:

(a) secondary purpose is related to the primary purpose and, if the personal information is sensitive information, directly related to the primary purpose of collection; and

(b) individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose.

Proposal 223 The proposed Use and Disclosure principle should contain an exception permitting an agency or organisation to use or disclose an individuals personal information for a purpose (the secondary purpose) other than the primary purpose of collection if the agency or organisation reasonably believes that the use or


disclosure for the secondary purpose is necessary to lessen or prevent a serious threat to: (a) an individuals life, health or safety; or (b) public health or public safety.

Question 221 Should the proposed Use and Disclosure principle contain an exception allowing an agency or organisation to use or disclose personal information for a purpose other than the primary purpose of collection where this is required or specifically authorised by or under law instead of simply required or authorised by or under law?

23. Direct Marketing

Proposal 231 The proposed Unified Privacy Principles should regulate direct marketing by organisations in a discrete privacy principle, separate from the Use and Disclosure privacy principle. This principle should be called Direct Marketing and it should apply irrespective of whether the organisation has collected the individuals personal information for the primary purpose or a secondary purpose of direct marketing.

Question 231 Should agencies be subject to the proposed Direct Marketing principle? If so, should any exceptions or exemptions apply specifically to agencies?

Proposal 232 The proposed Direct Marketing principle should set out the generally applicable requirements for organisations engaged in the practice of direct marketing. These requirements should be displaced, however, to the extent that more specific sectoral legislation regulates a particular aspect or type of direct marketing.

Proposal 233 The proposed Direct Marketing principle should require organisations to present individuals with a simple means to opt out of receiving direct marketing communications.

Proposal 234 The proposed Direct Marketing principle should provide that an organisation involved in direct marketing must comply, within a reasonable time, with an individuals request not to receive direct marketing communications.

Proposal 235 The proposed Direct Marketing principle should provide that an organisation involved in direct marketing must, when requested by an individual to whom it has sent direct marketing communications, take reasonable steps to advise the individual from where it acquired the individuals personal information.

Proposal 236 The Office of the Privacy Commissioner should issue guidance to organisations involved in direct marketing, which should:

(a) highlight their obligation to maintain the quality of any database they hold containing personal information and assists them in achieving this requirement; and


(b) clarify their obligations under the Privacy Act in dealing with particularly vulnerable people, such as elderly individuals and individuals aged 14 and under.

24. Data Quality

Proposal 241 The proposed Unified Privacy Principles (UPPs) should contain a principle called Data Quality that applies to agencies and organisations.

Proposal 242 The proposed Data Quality principle should require an agency or organisation to take reasonable steps to make sure that the personal information it collects, uses or discloses is, with reference to a purpose of collection permitted by the proposed UPPs, accurate, complete, up-to-date and relevant.

25. Data Security

Proposal 251 The proposed Unified Privacy Principles (UPPs) should contain a principle called Data Security that applies to agencies and organisations.

Proposal 252 The proposed Data Security principle should require an agency or organisation to take reasonable steps to ensure that personal information it discloses to a person pursuant to a contract, or otherwise in connection with the provision of a service to the agency or organisation, is protected from being used or disclosed by that person otherwise than in accordance with the UPPs.

Proposal 253 The Office of the Privacy Commissioner should provide guidance about the meaning of the term reasonable steps in the context of the proposed Data Security principle. Matters that could be dealt with in this guidance include:

(a) the inclusion of contractual provisions binding a contracted service provider of an agency or organisation to handle personal information consistently with the UPPs;

(b) technological developments in this area and particularly in relation to relevant encryption standards; and

(c) the importance of training staff adequately as to the steps they should take to protect personal information.

Proposal 254 The proposed Data Security principle should require an agency or organisation to take reasonable steps to destroy or render non-identifiable personal information if it is no longer needed for any purpose permitted by the UPPs.


Proposal 255 The Office of the Privacy Commissioner should provide guidance about when it is appropriate for an agency or organisation to destroy or render non-identifiable personal information that is no longer needed for a purpose permitted under the UPPs. This guidance should cover, among other things:

(a) personal information that forms part of a historical record;

(b) personal information, or a record of personal information, that may need to be preserved, in some form, for the purpose of future dispute resolution; and

(c) the interaction between the UPPs and legislative records retention requirements.

Proposal 256 The Office of the Privacy Commissioner should provide guidance about what is required of an agency or organisation to destroy or render non-identifiable personal information, particularly when that information is held or stored in an electronic form.

26. Access and Correction

Proposal 261 The proposed Unified Privacy Principles (UPPs) should contain a principle called Access and Correction that:

(a) sets out the requirements that apply to organisations in respect of personal information that is held by organisations; and

(b) contains a note stating that the provisions dealing with access to, and correction of, personal information held by agencies are located in a separate Part of the Privacy Act.

Proposal 262 (a) The proposed Access and Correction principle should provide that, where an organisation is not required to provide an individual with access to his or her personal information because of an exception to the general provision granting a right of access, the organisation must take reasonable steps to reach an appropriate compromise, involving the use of a mutually agreed intermediary, that would allow for sufficient access to meet the needs of both parties.

(b) The Office of the Privacy Commissioner should provide guidance about the meaning of reasonable steps in this context, making clear, for instance, that an organisation need not take any steps where this would undermine a lawful reason for denying a request for access in the first place.

Proposal 263 The proposed Access and Correction principle should provide that an organisation must respond within a reasonable time to a request from an individual for access to personal information held by the organisation. The Office of


the Privacy Commissioner should provide guidance about the meaning of reasonable time in this context.

Proposal 264 The proposed Access and Correction principle should provide that where, in accordance with this principle, an organisation has corrected personal information it holds about an individual, and the individual requests that the organisation notify any other entities to whom the personal information has already been disclosed prior to correction, the organisation must take reasonable steps to do so, provided such notification would be practicable in the circumstances.

Proposal 265 The proposed Access and Correction principle should provide that, where an organisation holds personal information about an individual that the individual wishes to have corrected or annotated, the individual should seek to establish that the personal information held by the organisation is, with reference to a purpose of collection permitted by the UPPs, not accurate, complete, up-to-date and relevant.

Proposal 266 The proposed Access and Correction principle should provide that, where an organisation holds personal information about an individual, it is not required to provide access to that information to the individual to the extent that providing access would be reasonably likely to pose a serious threat to the life or health of any individual.

27. Identifiers

Proposal 271 The proposed Unified Privacy Principles (UPPs) should contain a principle called Identifiers that applies to agencies and organisations. As a consequence, s 100(2) and (3) of the Privacy Act should be amended to apply also to agencies.

Proposal 272 The proposed Identifiers principle should define identifier inclusively to mean a number, symbol or any other particular that:

(a) uniquely identifies an individual for the purpose of an agencys or organisations operations; or

(b) is determined to be an identifier by the Office of the Privacy Commissioner.

However, an individuals name or ABN, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth), is not an identifier.

Proposal 273 The proposed Identifiers principle should contain a note stating that a determination referred to in the Identifiers principle is a legislative instrument for the purposes of s 5 of the Legislative Instruments Act 2003 (Cth).


Proposal 274 The proposed Identifiers principle should regulate the use by agencies and organisations of identifiers that are assigned by state and territory agencies.

Question 271 Should the Privacy Act regulate the assignment of identifiers by agencies, organisations or both? If so, what requirements should apply and should these requirements be located in the proposed UPPs or elsewhere?

Proposal 275 Before the introduction by agencies of any unique multi-purpose identifier, the Australian Government, in consultation with the Privacy Commissioner, should consider the need for a privacy impact assessment.

Proposal 276 The Office of the Privacy Commissioner, in consultation with the Australian Taxation Office and other relevant stakeholders, should review the Tax File Number Guidelines issued under s 17 of the Privacy Act.

28. Transborder Data Flows

Proposal 281 The Privacy Act should be amended to clarify that it applies to acts done, or practices engaged in, outside Australia by an agency.

Proposal 282 The proposed Unified Privacy Principles (UPPs) should contain a principle called Transborder Data Flows that applies to agencies and organisations.

Proposal 283 The proposed Transborder Data Flows principle should provide that an agency or organisation in Australia or an external territory may transfer personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia if the transfer is necessary for one or more of the following by or on behalf of an enforcement body:

(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(b) the enforcement of laws relating to the confiscation of the proceeds of crime;

(c) the protection of the public revenue;

(d) the prevention, detection, investigation or remedying of seriously improper conduct or proscribed conduct;

(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or

(f) extradition and mutual assistance.


Question 281 Should the Privacy Act provide that for the purposes of the proposed Transborder Data Flows principle, a transfer:

(a) includes where personal information is stored in Australia in such a way that allows it to be accessed or viewed outside Australia; and

(b) excludes the temporary transfer of personal information, such as when information is emailed from one person located in Australia to another person also located in Australia, but, because of internet routing, the email travels (without being viewed) outside Australia on the way to its recipient in Australia?

Proposal 284 Subject to Proposal 283, the proposed Transborder Data Flows principle should provide that an agency or organisation in Australia or an external territory may transfer personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia only if at least one of the following conditions is met:

(a) the agency or organisation reasonably believes that the recipient of the information is subje

review of australian privacy law - alrc · contents 5 18. collection 599 introduction 599...

Documents