Submission to the Australian Law Reform Commission
on the Review of Privacy Issues Paper
Graham Greenleaf, Nigel Waters & Lee Bygrave[*]
Graham Greenleaf
Professor of Law
University of New South Wales
Nigel Waters
Principal Researcher, Interpreting Privacy Principles Project
Cyberspace Law & Policy Centre, UNSW Faculty of Law
Lee Bygrave
Associate Professor, Department of Private Law
University of Oslo
Visiting Fellow, Faculty of Law, University of New South Wales
31 January 2007
Research for this submission is part of the Interpreting Privacy Principles Project, an Australian Research Council Discovery Project.
This submission follows the order of chapters in the Issues Paper. Where we do not wish to make a submission at this stage on a question, or a Chapter, or have been unable to do so in time for the completion of this submission, we have deleted the question or Chapter. Otherwise, to increase the utility of this submission to the ALRC and others, the order of questions asked in the Issues Paper has been followed for the most part. However, it was difficult to do this in relation to Chapter 4 on privacy principles, because more detail was required, so those submissions are not strictly in the order of questions asked. However, there is a consolidated list of submissions made at the end of the submission. Where we wish to raise issues that do not seem to be covered by any of the questions asked, we have listed them following the most relevant question and using its numbering.
We have not made submissions on quite a few of the Chapters of the Issues Paper, not because of their lack of importance but because we have limited ourselves to those Chapters where we were able to provide support and argument for the submissions made. We are otherwise in general agreement with the submissions made by the Australian Privacy Foundation, to which we contributed, and by Lee Bygrave in his earlier submission on a number of issues.
Research for this submission has been undertaken as part of a Discovery project funded by the Australian Research Council, ‘Interpreting Privacy Principles’. The home page for the project, and other publications relating to the project, are at <http://www.cyberlawcentre.org/ipp/>. The iPP Project is based at the Cyberspace Law & Policy Centre at UNSW Law Faculty. The principal objective of this research is to conduct over the course of the project (2006-09) a comprehensive Australian study of (i) the interpretation of information privacy principles (IPPs) and ‘core concepts’ in Australia’s various privacy laws, particularly by Courts, Tribunals and privacy regulators; (ii) the extent of current statutory uniformity between jurisdictions and types of laws, and (iii) proposals for reforms to obtain better uniformity, certainty, and protection of privacy.
Concerning the first element, a small but rapidly growing body of cases has developed in Australia over the last few years. Around a hundred Tribunal decisions, a similar quantity of mediated complaint summaries, and a relatively small number of relevant Court decisions have become available. There has been little systematic analysis of this material. The relative scarcity of Australian interpretative materials means that the objective necessitates consideration of the interpretation of similar IPPs and core concepts in the privacy laws of other Asia-Pacific countries (particularly New Zealand, which has the largest quantity of reported cases) and European jurisdictions. The iPP Project, as it develops this analysis, will aim to make further inputs into the ALRC’s review and similar privacy reform projects at State level.
In developing this submission, we have been influenced by a number of general considerations. First, while the Privacy Act can be improved considerably, more effective enforcement of the Act’s provisions is needed as much as reforms to the Act itself – hence the title of this submission. Any reforms to the Act must improve its enforceability and responsiveness as regulation, or they will be a waste of time.
Second, consistency with international standards for privacy protection is a desirable goal for Australia’s privacy laws, as with other areas of regulation of activities which cross national borders, provided this is also consistent with Australian interests. For this reason we have examined wherever appropriate the extent to which the Privacy Act and its enforcement seem consistent with these international standards. These standards, and the approach that Australia should take to them, are discussed at the start of Chapter 4, and again in Chapter 13.
In this submission we have not yet taken into account in any detail the recently revised Guidelines by Privacy Victoria to the IPPs made under their legislation in 2006[1]. We would like to draw this very valuable source to the ALRC’s attention.
The ALRC Review is still at an early stage, as is the iPP Project. Some of our submissions are recommendations that the forthcoming Discussion Paper canvasses particular issues, rather than stating any concluded view of our own on those issues.
In this submission, we have used the following terms:
These two terms are used in European privacy or ‘data protection’ laws. By using them as shorthand in this submission, we do not mean to suggest that they be adopted in Australian legislation – they carry an undesirable implication of limitation to computerised information, and the broader concept of ‘personal information’ is preferable to ‘personal data’. The ALRC may wish to canvass views about whether a hybrid term such as ‘information user’ might be desirable in the context of a single set of principles (see below).
Where this submission draws on previous publications and submissions by any of us, we have referred to those earlier publications by notes in the text. We request that the earlier publications or submissions as well as the current submission be cited where appropriate, to make it clear that much of the argument about the deficiencies of the Privacy Act has been known for many years.
1–2 Should a cause of action for breach of privacy be recognised by the courts or the legislature in Australia? If so, and if legislation is preferred, what should be the recognised elements of the cause of action, and the defences?
Whether a cause of action for breach of privacy should be recognised by the Courts is something about which it is irrelevant to speculate and pointless to wait for resolution, which could take another 50 years. Consideration of the justification for a statutory privacy tort is independent of this question.
A statutory privacy tort is desirable because of the inadequacy of other tortious and equitable remedies. The elements of such a tort are to be addressed by the NSW Law Reform Commission, and we will not discuss them here. A useful guide to the potential elements of such a tort is provided by the provisions recommended by the Hong Kong Law Reform Commission.
Submission 1-2: A statutory privacy tort is desirable because of the inadequacy of other tortious and equitable remedies. A useful guide to the potential elements of such a tort is provided by the provisions recommended by the Hong Kong Law Reform Commission.
Where should the cause of action be located? For example, should the cause of action be located in state and territory legislation or federal legislation? If it should be located in federal legislation, should it be in the Privacy Act or elsewhere?
Given that the Commonwealth has asserted constitutional power in relation to the protection of privacy in the private sector, it may be consistent with this for the Commonwealth to also legislate, in the Privacy Act, for a statutory tort or torts to protect other aspects of privacy in relation to the private sector. It will be necessary to carefully align the elements of a statutory privacy tort with what is already protected by privacy principles. If this approach is adopted, it would start to resemble a comprehensive privacy code such as is attempted in the Asia-Pacific Privacy Charter.
The danger of this approach is that, since it will also overlap the regulation of surveillance activities, it could easily be used to diminish the ability of States and Territories to apply higher standards of protection against surveillance activities in the private sector than the Commonwealth is willing to provide. National consistency is preferred here, but not by Commonwealth fiat prohibiting higher standards at State level.
Submission 1.2.1: The preferable location for such statutory privacy torts, insofar as they apply to the private sector, is the Privacy Act. Such legislation should preserve the right of States or Territories to enact higher standards of privacy protection. At the same time, national consistency by agreement should be sought.
2–1 Is national consistency in the regulation of personal information important? If so, what are the most effective methods of achieving nationally consistent and comprehensive laws for the regulation of personal information in Australia?
Consistency is a valuable objective, but should not be pursued to the detriment of the level of protection. Levelling down to the lowest common denominator of State or Territory willingness to protect privacy is undesirable. It would also not be desirable to have a referral of powers, leaving only a federal law. At least where there are separate fields of activity being regulated, such as the activities of the various public sectors, to have several privacy regulators is a healthy way to ensure that different standards of performance of regulators can be compared, and to observe the effects of different regulatory arrangements and learn from them.
Submission 2-1: National consistency is a valuable objective, but should not be pursued to the detriment of the level of protection. Agreement on model or uniform laws to be implemented in all jurisdictions would be the best way forward, at least in regard to the various public sectors.
Important aims in reform of privacy laws in addition to national consistency are discussed at the start of Chapter 4 concerning privacy principles. They include the desirability of international consistency, and reasons why privacy principles may have fallen below community expectations.
3–1 Is the structure of the Privacy Act logical? Does the Privacy Act need to be redrafted to achieve a greater degree of simplicity and clarity?
It should be possible to simplify the Act. Some of the definitions and their interaction with the application provisions and exemptions are particularly opaque. Only one set of principles should apply to both private and public sectors. Although there is justification for some specific sectoral rules (eg for credit reporting and TFNs), it is preferable if there is only one ‘core’ set of privacy principles, plus a set of specific legislative variations of those principles to the extent needed for special sectors.
Submission 3-1: The Act should be simplified by providing one ‘core’ set of principles applying to both the private sector and the (Commonwealth) public sector. To the extent that there need to be special sub-sectoral rules, they should be legislative exceptions to the ‘core’ set of principles.
3–2 Insofar as the Privacy Act is primarily concerned with data protection, is the name of the Privacy Act accurate and appropriate?
‘Data protection’, though used in Europe and elsewhere, is not familiar to the public in Australia and runs the risk of misleading. The law is not and should not be just about computerised information, and ‘data protection’ also reinforces the unfortunate perception that it is just about security.
Submission 3-2: ‘Information Privacy Act’ (as in Victoria) would be a better name, given the current scope of the Act. However, if the scope of the Act is broadened to make it more comprehensive (eg include privacy torts), then ‘Privacy Act’ is appropriate.
We acknowledge that the ALRC has chosen to focus primarily on information privacy, and to a lesser extent on communications privacy (paragraph 1.89). However, we note that the terms of reference are not so restricted, being as broad as ‘an effective framework for the protection of privacy in Australia’. We submit that the ALRC should either separately review wider aspects of privacy such as bodily and territorial privacy and surveillance, or recommend to the government that this wider review be conducted as a subsequent exercise. Such a review should address the desirability of a general presumption in Australian law against unreasonable search and seizure, as embodied in the Fourth Amendment to the US Constitution. The Asia-Pacific Privacy Charter is one attempt to develop such a comprehensive code (see Greenleaf and Waters, 2003).
Submission 3-2.1: The Discussion Paper should consider whether a more comprehensive legislative code is desirable to cover all aspects of privacy, including bodily and territorial privacy and surveillance as well as information privacy.
The ALRC’s questions 4-34 to 4-36 should be answered before those on the individual principles.
Q4–36 asks ‘Should federal privacy principles be prescriptive or should they provide high-level guidance only? Should they aim for a minimum or maximum level of protection of personal information or aim to adopt a best practice approach?’
Submission 4-36: The starting point is that it is desirable to adopt principles (i) which are consistent, at least within Australia, and (ii) which represent best practice in terms of promoting internationally accepted privacy standards.
Comparative study of the different formulations of the principles, and of the way in which they have been interpreted, should be used to ‘level up’ or raise standards, where doing so can be demonstrated to strengthen the effectiveness of the principles. Weakening or ‘levelling down’ should only be accepted if there is clear evidence of a particular standard being unworkable in practice or demonstrably inefficient (e.g. by imposing significant compliance costs for little benefit).
Q4–34 asks ‘Should the Privacy Act provide a uniform set of privacy principles that are to apply to both the public (currently covered by the IPPs) and private (currently covered by the NPPs) sectors? If so, what model should be used? Are there any particular principles or exceptions to principles that should apply only to either the public or private sector?’
Submission 4-34: There should be a single set of principles to apply to both Commonwealth agencies and private sector businesses (and ideally to all State and Territory public sector agencies and to all other organisations including those currently exempt from any of the existing laws). We submit that there are no particular principles that should apply only to either the public or private sector, but that there are exceptions which will be more or less relevant to different sectors. As argued above, there is no single existing model which should be preferred as all have been shown to have weaknesses – a new set of common principles should be derived from analysis of the various precedents. In some cases the resulting principles will be very close to the existing NPPs or IPPs, thereby minimising any adjustment of compliance requirements.
The question of additional principles (Q.4-35) is addressed separately below.
Australia’s interests in the better protection of human rights, and in the facilitation of the free flow of personal information between countries consistent with privacy protection, will be advanced if it is possible for Australia’s privacy laws to be consistent with the privacy laws of as many other countries as possible. This can be achieved to some extent by consistency with the main international privacy agreements.
Three such agreements are of particular significance to Australia, and we will set out briefly our views concerning them:
Submission 4-34.1: Wherever possible and consistent with Australian interests, Australian privacy principles should be consistent with the main international privacy standards, of which the three most important instances for Australian interests are the European Union’s privacy Directive, the OECD’s privacy Guidelines and the APEC Privacy Framework.
In addition to these agreements, the Issues Paper notes at [13.86]-[13.90] that the Asia-Pacific Privacy Charter provides another standard to which Australia’s privacy laws may be compared, a ‘high water mark’ synthesis of privacy principles emerging primarily from the strongest aspects of existing privacy laws in the Asia-Pacific region. We refer to the Privacy Charter where appropriate, as we consider it is more useful, for Australia’s purposes, than the ‘low water mark’ of the APEC Privacy Framework, which is a standard that Australian privacy protection already exceeds.
There are additional general reasons why there is a need for reform of information privacy principles.
Submission 4–34.2: There are three reasons, apart from the important objective of consistency, why the information privacy principles in Australian Privacy Laws may need to be revised: (i) where a principle as currently legislated clearly falls short ‘on its face’ of meeting community expectations; (ii) where the practice of government agencies or businesses in complying with the principle has exposed shortcomings; and (iii) where courts or tribunals have ‘read down’ the meaning of a principle (often in conjunction with interpretation of core concepts) so that it does not in law have the anticipated effect.
The first is where a principle as currently legislated clearly falls short ‘on its face’ of meeting community expectations. This may in turn be either because it was never adequate – most often because of compromises to meet government or business efficiency objectives – or because community expectations have become clearer.
The second reason for reform is where the practice of government agencies or businesses in complying with the principle has exposed shortcomings – i.e. where the principle has not operated as anticipated. To some extent this category of failure could in theory be addressed by the exercise of discretion by the regulator, but the history of privacy law in Australia is mostly of timidity on the part of Privacy Commissioners both in interpreting principles and in enforcing their interpretations. While more effective privacy protection could be achieved by more assertive regulation, this is an unreliable solution and some reform of the principles themselves will in some cases be a more satisfactory approach.
The third reason is where courts or tribunals have ‘read down’ the meaning of a principle (often in conjunction with interpretation of core concepts) so that it does not in law have the anticipated effect. The role of the judiciary is properly to decide what the law actually says and requires – informed to some extent by the legislative intent as expressed in Explanatory Memoranda and second reading speeches. It is not the role of the courts to decide whether the statutory principles as enacted strike the right balance in terms of community expectations – that is ultimately the prerogative of legislatures. But we submit that it is an important objective of the ALRC review to make recommendations directed to meeting community expectations in light of experience.
We acknowledge that all three of these reasons are based on a perception that information privacy principles have not delivered expected outcomes. Other stakeholders, in business and government, may have different perceptions.
The collection principles raise a number of important issues, only some of which are explored in the Issues Paper.
It seems clear that in most privacy jurisdictions, collection of personal information can be in the form of photographs, video or sound recordings.[2] The position in relation to bodily samples, and to information received by the use of tracking devices or thermal imaging[3], has yet to be tested in Australia, but there is no ‘in-principle’ reason why these would not all involve ‘collection’, as well as, in some cases, being subject to specific surveillance laws. This hinges more on the definitions of personal information than of collection itself (see our responses to Chapter 3).
At least the following methods of receiving information about a person require separate consideration as to whether they are ‘collection’ for IPP purposes, and if so what obligations should apply:
The first two categories are clearly within the meaning of ‘collected’, whether solicited from the individual to whom the information relates (data subject) or from a third party. It is implicit from the distinctions between IPPs 2 and 3 in s.14 of the PA, between NPPs 1.4 and 1.5 in Schedule 3, and between s.9 and ss. 10-11 of PPIPA, that there can be collection from both the data subject and from third parties.
However, the distinction between solicitation from the data subject and from third parties can be important in two respects:
The Commonwealth Privacy Act 1988 imposes requirements on private sector organisations concerning collection from third parties but imposes no such requirement on Commonwealth agencies. National Privacy Principle 1.4 provides: ‘If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.’ This requirement contributes to the fairness and transparency of processing personal data by helping to ensure that the data subjects participate in that processing. The requirement may also promote accuracy, relevance etc of personal data.
Under the NSW PPIPA, IPP 2 (s9) requires that personal information must be collected ‘directly from the individual to whom the information relates’ unless, inter alia, ‘the individual has authorised collection of the information from someone else’ (s.9(a)). In DO v University of New South Wales [2002] NSWADT 211 the Tribunal held that a declaration the complainant had signed authorising the respondent to obtain information ‘from any tertiary institutions previously attended by me’ was not qualified in any way and therefore did authorise the collection that took place. It is not clear if, having obtained personal information directly from an individual, it is then permissible under PPIPA to ‘check’ the information with a third party source. The preferable view is that the individual must give express authority for verification (unless another exception applies).
Unlike the obligation on NSW agencies under PPIPA, there is no obligation under NPP 1.4 to obtain the individual’s authorisation to collect from third parties. The NSW agency provisions impose a higher standard than the Commonwealth private sector provisions while the Commonwealth agency provisions impose none.
Q 4–3 (first part) asks ‘… In particular, should agencies also be subject to a general requirement that where reasonable and practicable, they should collect information about an individual only from the individual concerned?’
Submission 4-3.1: Commonwealth agencies should have an obligation to collect wherever possible directly from the data subject, as is currently the case with NSW, Victorian and NT government agencies, and private sector organisations.
However, the NPP 1.4 wording is to be preferred as it allows for collection from third parties where it is unreasonable or impracticable to collect directly. The NSW principle is too ‘absolute’ and the many circumstances where it is not reasonable or practicable have had to be addressed through very broad and sweeping exemptions – an unsatisfactory solution (see separate section of this submission on Chapter 5 – Exemptions).
Submission 4-3.2: The wording of a ‘direct collection’ principle should be based on NPP 1.4 but should omit ‘only’ which does not readily accommodate situations where some information can be obtained directly with supplementary information justifiably obtained from a third party.
Drawing a clear line between solicited and unsolicited information can be very difficult. When is unsolicited information ‘collected’ (if at all)?
Australian commentators suggest that under the Privacy Act 1988 unsolicited information, whether obtained from the data subject or from third parties, can be ‘collected’.[4] The Australian Privacy Commissioner took a similar view in the IPP 1-3 Guidelines. The leading commentators on the HK Ordinance also accept that unsolicited information can be ‘collected’, but not ‘until the data user takes active steps to incorporate them into the official working material of the organisation’ (Berthold & Wacks, 1997, p. 97). This ‘trigger’ has its equivalent in the Privacy Act 1988 concept of ‘collection for inclusion in a record or generally available publication’ (IPP 2(a), and s16B for the NPPs).
In contrast, the NSW PPIPA expressly excludes unsolicited information from ‘collection’ (s4(5)). And in NZ a majority of the Court of Appeal has held unsolicited information is not ‘collected’ under their Privacy Act 1993.[5]
In light of the NZ decision, and in the absence of court or tribunal decisions on the Privacy Act 1988, the question of whether unsolicited information is ‘collected’ must also be considered open in Australia.
Under the NSW PPIPA, and under the Commonwealth PA if the Harder approach is adopted, any contact with an organisation initiated by the data subject will result in any information so provided not being regarded as ‘collected’, limiting the application of collection principles. (However, it is still personal information, and other principles may still apply).
Q4–4 asks ‘Should any obligations attach to an agency or organisation which receives unsolicited personal information that it intends to include in a record or generally available publication? If so, what obligations should be imposed?’
Submission 4-4: The law should make it clear that collection principles apply, to the maximum practicable extent, to unsolicited information.
Personal information is obtained and recorded in many situations from observations of the data subject:
The observation may take place in the presence of and/or with the knowledge of the data subject, but may also be ‘remote’ and without their knowledge.[7] In many cases, observation will be by audio or video/CCTV. Given that most laws define personal information and/or records to include different storage media, it seems that the collection of personal information may also be in any medium, such as sound[8], photo[9] or video, and not only text.
Most privacy laws are silent as to whether such observation constitutes ‘collection’, leaving the question to the ordinary meaning of collection. If the obtaining of these types of observed personal information did not constitute ‘collection’, then data protection laws would be drastically limited in scope and would be ineffective in a wide range of practical situations. The requirements of minimum collection and fair collection methods should apply to collection by observation as much as to other forms of collection. The remedial nature of privacy laws suggests that observation should be included as collection. The practice of Privacy Commissioners seems to assume that such observation constitutes collection, and case law to the contrary is not known.
Submission 4-4.1: The law should make it clear that the collection principles apply to the maximum practical extent to information obtained from observation or surveillance.
The more difficult question is whether the obligations to give notice on collection do apply in relation to collection by observation, or should apply. The IPP notice requirements only apply if data is ‘solicited… from the individual’, so it is unlikely that collection by observation requires notice. Similarly, the Hong Kong DPP 1(3) requires collection ‘from’ the data subject before notice is required, and DPP 1(3)(a)(I) also refers to ‘supply’ of the data by the data subject. The NPP 1(3) notice requirement is that there be collection ‘from the individual’. NSW IPP 3 (s10) is similar. Whether observation is collecting ‘from’ a person seems uncertain.
Whatever the position is under the current privacy principles, there is also uncertainty about under what circumstances notice should be required when information is collected by observation. One of the main functions of surveillance regulation laws is to specify under what circumstances notice of surveillance must be given, and under what circumstances covert surveillance is permitted. Should information privacy laws leave this question to separate surveillance laws? Some surveillance laws make a distinction between covert and overt surveillance, with lesser controls applying to ‘overt’ surveillance – defined as surveillance about which the individuals concerned have been made generally aware.[10] Whatever position is taken on this question, the collection principle needs to clarify whether it requires notice to be given on collection by observation.
Submission 4-4.2: Further consideration needs to be given to the policy issues concerning a requirement of notice when information is collected by observation, and the law needs to be clarified on this point.
Much personal information is extracted from documentary or other sources. If information is not solicited from, or observed in relation to, any person, but extracted from a book or a database, is it ‘collected’? This is a similar question to the one above concerning information collected by observation or surveillance. In relation to Australian Federal legislation, commentators have differed as to whether ‘extracted’ information is collected (Greenleaf 2001). The preferable view is that extraction is collection under current law, but the law would benefit from clarification on this point.
From a policy perspective, it is desirable that collection includes extraction, so that the principles concerning minimum collection and fair collection will apply.
Submission 4-4.3: The law should make it clear that the collection principles apply to the maximum practical extent to information extracted from other records.
As with collection by observation, it may however be appropriate to modify the notification requirements where information is obtained by extraction. Current privacy principles do not seem to require notice when information is collected by extraction, though this is not free from doubt. NPP 1.5 only applies to collection ‘from someone else’, and collection from a book or (less clearly) a database is unlikely to be considered to be collection from another person. IPP 2 only applies to collection from the data subject, and NSW IPP 3 (s10) requires collection ‘from an individual’. In Hong Kong, it is not ‘from’ the data subject, and not ‘supply’.
The question remains whether there are situations where collection by extraction should give rise to an obligation to give notice. It could be argued that while the default position should be ‘no’, the actions of some types of large scale data aggregators should give rise to an obligation to give notice.
Submission 4-4.4: Further consideration needs to be given to the policy issues concerning a requirement of notice when information is collected by observation, and the law needs to be clarified on this point.
A possible further category of information held about individuals is information generated by the data user in the course of transactions – eg records of enquiries, service provision, purchases etc. In some instances this could be described as collection by observation, but in others that does not seem apt. Our provisional view is that it is appropriate for all forms of collection of personal information to comply with the collection requirements that the collection be lawful, necessary and not unduly intrusive. However, whether it is practical to apply the notification aspects of collection principles to generated information is a more difficult question, as it is in relation to information collected by observation or extraction.
Q 4–5 asks ‘Should the obligations imposed on an organisation or agency at or soon after collection apply irrespective of the source of personal information?’
Submission 4-5: All collection obligations should apply to all forms of collection, irrespective of the source from or means by which the data is collected. However, different requirements of notice may apply depending on how the data is collected, with the default position being that notice is required unless an exemption is provided.
This approach avoids the need to exhaustively address all of the possible modalities of collection, except that certain types of collection will be defined where the requirement of notice is reduced or removed.
Most privacy laws share a common requirement that collection of personal information be lawful, necessary, relevant and ‘minimal’[11], but there are significant differences in the precise wording, and consequently the meaning, of each of these component requirements. The Issues Paper does not enquire into this aspect of collection principles[12] and yet it is fundamental to the concepts of purpose specification (an express element of the OECD Guidelines) and proportionality (an implicit element underlying all sets of privacy principles).
NPP 1.1 only requires collection by a private sector organisation to be ‘necessary for one or more of its purposes’. The reference to ‘purposes’ could imply ‘lawful purposes’. IPP1, PPIPA s.8 and HKDPO DPP 1(1) include the specific additional requirement that the collection must be for ‘a lawful purpose directly related to a function or activity of the collector’. The law should make it clear that collection can only be for a lawful purpose.
This does not of course mean that there would need to be express legal authority for the collection. In common law jurisdictions any action that is not unlawful is, by default, lawful. It will generally only operate as a negative condition preventing collection of personal information to further an unlawful purpose.
Data users also need to consider express prohibitions on the collection of certain information. In Australia, for example, Federal and State legislation aimed at rehabilitation of offenders prohibits the collection of some information about old criminal convictions. Telecommunications and Surveillance legislation also prohibits collection of certain information by specified means (see below under fair and lawful means of collection).
Submission 4-5.1: The law should make it clear that collection can only be for a lawful purpose.
‘Purpose justification’ essentially means that there should be some test of public interest which is satisfied before a personal information system is established at all. A key weakness of the collection principles in most laws is shown by the question: ‘how do you define the function or activity of the collector?’ In the absence of a ‘purpose justification principle’, it is largely self-defined. While the negative requirement of a ‘lawful purpose’ is in most privacy principles, positive tests of justifiable purposes of collection can be found in the EU Directive and Canadian laws.
The European privacy Directive has a form of ‘purpose justification’ principle in Article 7 which requires that, where legitimate processing has to be justified by the interests of the data collector or a third party, it must be ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...’.[13] A ‘purpose justification’ principle seems also to be expressed in Article 6(1)(b), which stipulates, inter alia, that the purpose(s) of data collection shall be ‘legitimate’.[14]
A clearer recognition of such a principle is found in the Canadian private sector law, which requires that: ‘An organisation may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.’[15] This effectively limits the purposes for which information systems may be developed with a form of public interest test. This has no counterpart in other Asia-Pacific legislation.
There is no purpose justification requirement[16] in the Privacy Act 1988 either in IPP1 or in NPP 1. Data users are not required to have ‘legitimate’ purposes for establishing a system (beyond the requirement of a lawful purpose in relation to the IPPs), but instead they measure privacy protection against how well it adheres to the original purpose for which the system operator declared that it collected the information, which Europeans often call the ‘finality’ test (see also discussion under Use & Disclosure below).
Submission 4-5.1: Consideration should be given to whether Australian law should adopt any form of ‘purpose justification’ test, along Canadian, European or other appropriate lines.
IPP 1 requires that collection be ‘necessary for or directly related to [the purpose]’. HK DPP1 uses the IPP wording but adds a requirement that ‘the data are adequate but not excessive in relation to [that purpose]’. PPIPA s.8(1) requires collection to be reasonably necessary for [that purpose] ((1(b)). NPP1 says ‘necessary for one or more of its functions’, without any express linkage to the purpose of collection.
Limiting the amount of personal information collected about a person is one of the cornerstones of data protection. The most effective limitation is the purpose of collection, because that limits it to what is relevant to the transaction at hand and prevents stockpiling of personal information. Limitation to what is ‘necessary’ for the transaction is a strong and appropriate measure of relevance.
In one of the Determinations on the TICA tenancy database operation[17], the Privacy Commissioner concluded that assessing whether a collection by TICA was ‘necessary’ “requires consideration of whether or not it is clearly appropriate and relevant to the functions or activities of the organisation’ - can they be done without it? - how sensitive is the information?” The Commissioner concluded that the TICA Enquiries Database was necessary on this basis (without considering the overall privacy detriment that its operation might cause).
In a NZ case, a trade union’s complaints that a company’s introduction of finger-scanning of employees was unnecessary and ‘overkill’ were dismissed by the Privacy Commissioner. In a useful discussion of the same issue, the HK Commissioner discourages the use of fingerprints in an employment context.[18]
Minimality and purpose limitation are key aspects of the EU’s notion of ‘adequacy’. APEC Privacy Principle III is weak on this point, limiting collection only to what is ‘relevant to’ the purpose of collection, not what is necessary for it, and should not be followed.
These requirements all relate to the quantity and relevance of collection, not the means (which are addressed separately – see below for discussion of fair collection). Quantity and relevance are important aspects of proportionality.
Submission 4-5.2: The collection obligations should expressly link the amount of personal data that may be collected to the purpose of collection, and limit it to what is necessary for that purpose.
A strong, albeit under-utilised, aspect of the Australian law concerning minimality and purpose limitation is NPP 8 which provides:
‘Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organization’.
It is appropriate to locate an anonymity principle within ‘collection’, as it is a form of collection limitation. Only the NPPs and the Victorian IPPs currently include an anonymity principle, which was codified for the first time in the Australian Privacy Charter in 1993, then adopted in the Privacy Commissioner’s voluntary privacy principles of 1997. While an anonymity requirement arguably may be implied by certain provisions of the EU Directive (particularly the combination of Articles 6(1)(c), 6(1)(e), 7 and 8) (see further Bygrave, 2002a, p. 346), NPP 8 provides a much stronger statement.
An anonymity principle can be seen as conflicting with a perceived ‘right’ of a business (or government agency) to ‘know its customers’. Leaving aside the increasing range of circumstances where there is a statutory ‘know your customer’ requirement (e.g. financial services, telecommunications), a plain meaning interpretation of NPP 8 suggests that it denies the existence of such a ‘right’. Unless an organisation can show that it needs identifying information to perform a transaction, it must offer an anonymous option.
However, experience shows that it would be better to include the concept of ‘pseudonymity’ in this principle. There is only a limited range of transactions where true anonymity is both lawful and practicable (e.g. making simple enquiries). There is a much wider range of circumstances where it would be possible to ‘protect’ individuals’ identity through the use of ‘known as’ pseudonyms or codes. Such devices would allow transactions to proceed, without the identity being obvious to most parties, and yet retain the ability to identify an individual (customer or client) only when and if necessary (e.g. for processing payments, making official returns or in the event of justified investigations).
Anonymous or pseudonymous options need to be ‘designed’ in to information systems (see further, eg, Bygrave, 2002a, p. 371). It will be all too easy for data users to argue that it is impracticable to offer these options once design decisions have been made that preclude them. An obvious example is cashless toll roads, where the opportunity for anonymous travel has been removed by the removal of cash booths and the choice of tolling systems and business models that require vehicles (and their registered owners) to be identified. Had sufficient attention been paid to an anonymity/pseudonymity principle at the outset, it should have been possible to design automated toll roads that either respected the right of anonymous travel (through the use of pre-paid debit tags) or at least offered ‘pseudonymous’ accounts where identification of the actual user would only be triggered by exceptional events (such as non-payment, accidents or crime).
The need for this principle to be incorporated in systems design also exposes one of the weaknesses of the complaints based model of enforcement – complaints that toll roads in Australia do not comply with NPP 8 are wasted because the operators can legitimately argue that it is ‘too late’ and now impracticable. The principle can only effectively be enforced by a pro-active regulator anticipating the compliance issue and intervening at the design stage of information systems.
4–29 Should NPP 8, the anonymity principle, be redrafted to impose expressly an obligation on organisations to give an individual the option of remaining anonymous when entering into transactions with those organisations?
Submission 4-29: The anonymity principle should be retained but redrafted to include the concept of pseudonymity as an alternative where appropriate. The principle should also clarify that it applies at the stage when an information system is being designed, not only ‘after the event’ when a person wishes to enter a transaction with a data user.
Submission 4-29.1: The anonymity principle should impose an obligation on organisations to give an individual the option of remaining anonymous or pseudonymous (as appropriate) when entering into transactions. The touchstone remains ‘minimum collection necessary for the purpose of the transaction’.
Another enhancement of the anonymity principle would be to make it clear that the obligation extends to facilitating anonymous transactions with third parties. As an example, a representative complaint about charging for ‘silent’ telephone lines (unlisted numbers) failed because a telco itself needs to identify its subscribers (both for billing and as a statutory requirement). If NPP 8 required telcos to facilitate the ability for subscribers to remain anonymous in their interaction with third parties then it would be possible to argue that charging for silent lines breached the principle.
Submission 4-29.2: The anonymity principle should impose an obligation on organisations to facilitate, where practicable and lawful, anonymous or pseudonymous transactions between individuals and third parties.
4–30 Is it appropriate or desirable for agencies to be subject to an anonymity principle? In what circumstances, if any, might this be appropriate?
There is currently no equivalent provision in the IPPs. The obligations of governments to expressly limit their collection of personal information to the minimum necessary should be recognized by this explicit principle.
Submission 4-30: The anonymity/pseudonymity principle should also apply to the public sector.
How is the purpose of collection of personal information to be determined, so that it can be ‘used’ in the operation of the various principles that refer to purpose? In some circumstances, such as where collection requires and can accommodate notification, the purpose will need to be specified by the data user. However there are other circumstances, such as where information is obtained by observation or generated by transactions (see above) where there may not be an opportunity for notice. In such cases, the purpose of collection will have to be inferred from the circumstances and context, including any related prior notification (e.g. when individuals initially enter a relationship, such as becoming a welfare beneficiary, taxpayer, insurance policy holder or other customer). An important example is where information is disclosed from one organisation to another.
Where personal information is obtained from a third party which is also subject to privacy principles, what is the relationship between the purpose for which the information was held by the discloser, their intended purpose for disclosing, and the recipient’s purpose of collection? Which purpose governs the recipient's subsequent obligations, including under the collection principles? The obligations of those who receive personal information are complex, and derive from a number of sources.
Privacy principles do not simply say ‘those who receive personal information are bound by the same obligations as the organisation from which they received it’. In fact, privacy principles rarely say anything direct about the obligations of the recipient of personal information (some exceptions are discussed below). Nor do privacy principles require a disclosing organisation to even state the purposes for which information is being disclosed, although they would, if challenged, need to be able to justify the disclosure under the relevant principle (see Use & Disclosure below).
Where a data user receives information legitimately disclosed under a privacy principle, and the recipient is aware of the basis of the disclosure, then that should condition and limit the purposes of their collection. It may be that purposes which would be lawful if the information was obtained elsewhere would not be acceptable under collection principles if they were not compatible with the disclosure authority of the source. But it is not clear if this would be based on the purpose being unlawful, or on the means of collection being unlawful or unfair.
Where a data user knowingly receives information disclosed in breach of a disclosure principle (i.e. the source has no legal basis for the disclosure, and the recipient is aware of that fact) then it would seem clear that the collection is also in breach, in that the collector would be complicit in the unlawful disclosure (or in some cases may even have expressly solicited the unlawful act), and this would constitute unfair collection.
If the recipient data user is unaware of the basis of disclosure, then it cannot be expected to make this judgment, but the question arises ‘is it under any obligation to enquire?’ This would almost certainly depend on the circumstances. It might be reasonable, when collecting from established data users such as government agencies and large corporations, to rely on an assumption that they have a lawful basis for disclosure. In contrast, if there was any good reason to doubt that a disclosure is lawful (perhaps because it is inconsistent with previous experience, or where it was from a questionable source), then there might be an onus on the recipient to enquire or this would make the method of collection unfair. However, this is uncertain.
If a recipient’s intended purpose(s) of collection are narrower than the purposes for which the source could disclose, the narrower purposes will be the relevant ones for privacy compliance purposes. Similarly, if the source only agrees to release information for a narrow purpose, even if they could themselves use the information for other purposes (e.g. where a finance company discloses data to a debt collector), it is the narrower purposes that will constrain the recipient.
The above propositions would make the law workable, but there is no authority for them. This is a key area where the meaning of privacy principles is uncertain.
Submission 4-5.3: Australian law should clarify the relationships between collection and disclosure of personal information, and in particular the limitations that the purposes of collection of a first organisation play in limiting the uses of a second organisation to which the information is disclosed.
The law of breach of confidence can play a role in determining the purpose of collection and subsequent use and disclosure options (assuming circumstances of confidence apply and the information is confidential). The relationships to which confidentiality attaches are (surprisingly) still uncertain for many modern commercial and professional relationships beyond the well known relationships such as banker/customer and doctor/patient. We will not go further into this issue here as it is more relevant to the parallel Inquiry by the NSW Law Reform Commission, but the ALRC should ensure that its Discussion Paper takes account of developments in relation to statutory powers and duties of confidence.
There is less uncertainty about the role of obligations of confidence in relation to government. Statutory obligations of confidence may also constrain uses and disclosures. The High Court’s decision in Johns v Australian Securities Commission (1993) 178 CLR 408 that, in effect, information obtained through the use of compulsory powers by a statutory body could not be used for purposes inconsistent with those powers has considerable but largely unexplored potential for interaction with privacy principles. Recently, the government has flagged its intention to seek legislative amendments to remove this constraint, but it would be appropriate for the ALRC to canvass views about the desirability of such a change, which would represent a significant undermining of the purpose specification and limitation foundations of privacy law.
Submission 4-5.4: The Discussion Paper should consider the role that the law of breach of confidence plays in determining the circumstances under which the use or disclosure of personal information is limited, and in particular whether the principles in Johns v ASC and similar cases need to be supported by statutory provisions.
The IPPs require that agencies shall not collect personal information ‘by unlawful or unfair’ means (IPP1.2), and, where the information is solicited, that the collection ‘does not intrude to an unreasonable extent upon the personal affairs of the individual concerned’ (IPP 3(d)). For the private sector, NPP 1.2 requires that organisations collect ‘only by lawful and fair means and not in an unreasonably intrusive way’. HK DPP 1(2) requires that ‘Personal data shall be collected by means which are - (a) lawful; and (b) fair in the circumstances of the case.’ Intrusiveness is not mentioned specifically.
Lawfulness of means of collection - Means of collection can be unlawful because of a breach either of criminal law or of civil law requirements (such as by trespass, inducing breach of contract etc). A government agency acting ultra vires in collecting information beyond the scope of express collection powers would be another basis for unlawful collection. As noted above, data users also need to be aware of telecommunications and surveillance legislation which prohibits or regulates the obtaining of particular types of information and/or by specified means.
Fairness of covert data collection - Some means of data collection might not be illegal, but they may still be a breach because they are unfair. This is particularly likely to be the case where the means of collection are covert (i.e. the subject is unaware of them). In several complaint cases under the HKDPO, the Commissioner has found examples of unfair collection practices.[19] But the NZ Court of Appeal has taken a much more restrictive view, stressing in Harder v Proceedings Commissioner [2000] 3 NZLR 80 that the purpose of the fairness requirement ‘is to prevent people from being induced by unfair means into supplying information which they would otherwise not have supplied’.[20] There have been no Australian privacy law cases to date on unfair means of collection. The Australian Privacy Commissioner has issued Guidelines on covert surveillance.[21]
Submission 4-5.7: The Discussion Paper should give more attention to issues concerning fair collection, which are of considerable practical importance.
Q 4–1(generic part) asks: ‘Are the obligations imposed on organisations at the time of collection of personal information adequate and appropriate?’
NPP 1.5 states that ‘If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual’.
All the Australian privacy principles require the collector of personal information to take reasonable steps to ensure that the subject of the information is aware of certain matters. While the principles do not expressly require the data user to give notice, that is the most common way of complying (see below for exceptions), and these principles are often referred to as requiring ‘notification’.
The requirement to ensure that the data subject is aware of certain matters when collecting personal information is one of the most significant practical aspects of privacy principles. It is a significant element of privacy protection because the data subject is put on notice that he/she may need to protect his/her interests.
It is also, however, a principle that in many cases imposes significant costs on data users, not only for the initial analysis and design of awareness measures, but also their ongoing delivery. In order to comply with the awareness requirements, data users must put in place a system for reviewing every means by which they collect personal information – such as application forms, web sites and call centres, as well as arrangements with third parties – and ensuring that, where appropriate, adequate notice is given.
There is a close relationship between awareness/notification requirements as part of collection principles and the more general separate openness or transparency principle found in most privacy laws. There is a strong argument for dealing with these two overlapping sets of requirements together. This would allow for a more pragmatic discussion of the desirable levels of awareness, and how and when these can be created. This would also sit more comfortably with the concept of layered notices, discussed further below.
Submission 4–1: The Discussion Paper should canvass the possibility of a combined ‘awareness’ principle, covering both notification requirements at the time of collection and more general information provision.
The application of the awareness/notification requirement varies. IPP 2 only applies if ‘the information is solicited from the individual concerned’, and a similar condition applies under the HK DPO (DPP 1.3). In NSW, the Tribunal decided that notice requirements of PPIPA did not apply to information collected from third parties (HW v DPP (No 2) [2004] NSWADT 73).[22] NPP 1.3 applies where information is collected ‘from the individual’ (potentially even when it is unsolicited – see discussion above), but in addition, where information is collected ‘from someone else’ (potentially including from documentary sources, public registers and by observation – see discussion above), NPP 1.5 requires the organisation to take reasonable steps to ensure the individual is or has been made aware of the matters listed in 1.3.
In Determination 2004/4, the Privacy Commissioner found that the tenancy database operator TICA had failed to comply with NPP 1.5, by, amongst other things, giving misleading and incomplete information.[23]
Q 4–2 asks ‘Should NPP 1 be amended to clarify that there may be circumstances in which it is reasonable for organisations to take no steps to ensure that an individual is aware of specified matters relating to the collection of personal information?’
The aim of the principle is to ensure that individuals are aware of certain matters. If a data user can be satisfied that individuals about whom it is collecting personal information are aware of these matters there need be no specific notification. This might be because they have been made aware in some other way or by some other party (e.g. generic advertising campaigns), or where they have previously been informed by the same data user.
The HK DPO contains a specific exemption for ‘repeated’ collections (s.35) within 12 months – notice does not have to be given again if all the matters are unchanged. Whilst this may seem like a sensible relief, such a provision can easily be abused if data users deliberately omit privacy notices from routine communications where there is minimal marginal cost in repeating it. It is asking too much of individuals to expect them to remember the details of a privacy notice several months after they have received it, and in most contexts there is no good reason why notice should not be repeated.
A better way of ensuring that the objective of this principle is met consistently would, perhaps paradoxically, be to change this principle from one of ‘ensuring awareness’ to ‘specifically notifying’, with a conditional exception where the data user could establish that at least the typical data subject had been made aware by other means.
Submission 4-2: Consideration should be given to changing the ‘notice’ principle from one of ‘ensuring awareness’ to ‘specifically notifying’, with a conditional exception where the data user could establish that at least the typical data subject had been made aware by other means.
IPP3, PPIPA s.10 and NPP 1.3 all require the reasonable steps (to ensure awareness) to be taken before[24] collection or, if that is not practicable, as soon as practicable after.[25] In contrast, there is no timing condition on NPP 1.5, where information is collected from a third party. Clearly the objective of awareness – to put the individual in a position of knowledge before they decide whether to give up their personal information – is severely compromised if the information is not provided beforehand. On the other hand there clearly are some circumstances where it is simply not practicable to convey all, or in some cases any, of the information in advance. The risk of providing an ‘if impracticable then later’ exception is that it can be abused, with data users who could provide the information prior to collection, perhaps with some cost or creativity, spuriously claiming ‘impracticability’.
Submission 4-2.1: Strong justification should be necessary where notice is not provided before or at the time of collection.
Technology constraints on notification
There may be particular difficulties in communicating detailed privacy messages with certain modes of communication such as telephone calls, SMS and television advertising. If communications by these modes invite direct response – for instance by the customer calling or texting, then in theory they should include information about the matters listed in the applicable notification principle.
This is impracticable in many increasingly common scenarios, and the common approach to compliance in relation to the various forms of direct response advertising is to rely on the ‘if impracticable then later’ exception – providing the relevant information either in later contact with the individuals concerned (e.g. when finalising a purchase, or sending a contract) or by reference to a website. Neither of these is satisfactory – both because, as explained above, they deny individuals relevant information at the point of decision, and because there is even less chance than usual of the individuals locating and reading the relevant details.
Privacy laws face a major challenge in addressing ‘non-traditional’ means of communication. An extreme conclusion is that data users cannot comply and should not therefore use such channels to collect personal information, but this is unlikely to be acceptable either to consumers or business/government data users.
Submission 4-2.2: The Discussion Paper needs to canvass a more radical re-appraisal of the awareness and notification requirements in the context of new communications technologies.
One approach to this problem is to accept that there will be an increasing incidence of personal information being collected without the preferred level of awareness, but strictly limiting the use that can be made of that information until such time as further information has been given. This approach is explored further under Use and Disclosure.
Content of notice
Q 4–3(second part), asks: ‘Should agencies also be required to notify an individual of his or her rights of access to the information, the consequences of not providing the information, the various avenues of complaint available, and the source of the information, where it has not been collected directly from the individual?’
The Australian and other privacy principles vary in the precise information that needs to be communicated. It includes the following:
(i) The identity of the data user and contact details (NPP 1.3 (a), PPIPA s.10(f)[26], HK DPP 1.3). - While IPP 1 does not include this requirement, this is presumably because the identity of the data user was assumed, in 1988, to be ‘already’ communicated in the context of transactions with government agencies. If this was ever a safe assumption it is now clearly unreliable – understanding which government agency you are dealing with can be very difficult, particularly with the increasing use of campaign names and brands by the public sector and with ever-changing administrative arrangements and ‘portfolios’. The same difficulty has always applied in the private sector, where the true identity of businesses is often deliberately obscured, for marketing or other reasons.
Submission 4-3: The law should require all data users to identify the party or parties to the transaction, and to expressly require operative contact details to be given.
(ii) The purpose(s) for which the information is collected (IPP 2 (c), NPP 1.3(c), PPIPA s.10(b)) - Specification of purpose is critical in relation to limiting subsequent use and disclosure (determining ‘finality’ – see discussion under Use and Disclosure). The issues involved in identifying purpose have already been explored above.
(iii) Details of any third parties to whom the collector 'usually' discloses this information (IPP 2(e)[27]; NPP 1.3(d), PPIPA s.10(c)[28])
Q 4-1 in part asks: ‘For example, should an organisation also be required to make an individual aware of (a) the types of people, bodies or agencies to whom the organisation usually discloses information of that kind?’
Privacy Commissioners have taken the view that these principles should not be interpreted literally to mean that each specific agency or organisation to which personal information may be released has to be individually named. In recognition of this, the more recent NPP 1.3(d) expressly allows for this information to refer to ‘types of organisation’. This of course means that individuals are not necessarily notified of particular recipients – knowledge of whom may affect their decision to proceed with a transaction. Most privacy notices use generic descriptors such as contractors, business partners, or government agencies, which are of limited value to the individual. For example, in A v Insurer [2002] PrivCmrA 1, the Commissioner found an insurer’s travel insurance claim form was deficient in not identifying ‘other consultants’ to whom information was disclosed, and in N v Private Insurer [2004] PrivCmrA 1 that ‘any other person necessary for claims determination purposes’ was too broad a description. A possible approach to addressing this dilemma would be for the principle to expressly allow generic descriptors (as NPP 1.3(d) does now) but to add an obligation to answer specific enquiries about whether a particular named agency or organisation is a recipient. In some laws, this is arguably the intention of separate transparency/openness principles (e.g. NPP 5.2) – see later discussion of those principles.
Submission 4-1: The Discussion Paper should consider whether, if notices use generic descriptors of recipients, there should be an additional obligation to answer specific enquiries about the identity of actual recipients.
As already suggested, the Discussion Paper should expressly address the relationship between notification and openness principles in terms of the best way of achieving the objective of awareness, with specific attention to the respective roles of proactive notice vs obligations to respond to enquiries.
(iv) Whether the supply by the individual is required by law or voluntary (IPP 2(d)[29], NPP 1.3(e)[30], PPIPA s.10(d), HK DPP 1.3) - If interpreted strictly, this could require an explanation about each ‘field’ of information requested, which is unreasonable if not impracticable. The commonly accepted approach to this principle is to indicate clearly which fields are mandatory – usually by means of an asterisk. Best practice is to ensure that the explanation of the asterisk precedes the first field in which it is used, rather than having it ‘hidden’ in ‘fine print’ elsewhere. There should also be an explanation of the basis of any ‘mandatory’ requirement – this is typically given as part of a privacy notice also covering the other matters. While it is clear that there is widespread non-compliance, this is an issue of guidance and enforcement. We do not see it as appropriate to suggest a more prescriptive requirement.
(v) Any consequences for the individual if the information (or any part of it) is not provided (NPP 1.3(f), PPIPA s.10(e), HK DPP 1.3) - This is typically covered in a privacy notice – generally associated with the information about mandatory and voluntary information. It does not need to be too detailed but at the least should clearly indicate to individuals that if they don’t give some information then they may not, for example, receive the services in question. As with the mandatory/voluntary information, there is widespread non-compliance, but again this is an issue of guidance and enforcement. We do not see it as appropriate to suggest a more prescriptive requirement.
(vi) The existence of any right of access and correction (NPP 1.3 (b), PPIPA s.10(e), HK DPP 1.3) - This is very important information in relation to the overall scheme of statutory privacy protection. Gaining access is often the key to subsequent challenges about collection, quality, use and disclosure, and correction rights make an important contribution to data quality as well as being of critical importance to the individual. Unless individuals are aware of access and correction rights, they are not in a position to exercise their other rights. Raising awareness is beyond the resources of Privacy Commissioners, and having data users inform individuals of these rights when collecting personal information is by far the most efficient way of meeting this objective.
Q. 4-1 asks specifically if organisations should be required to ensure individuals are aware of (b) the various avenues of complaint available; and (c) the source of the information, where it has not been collected directly from the individual?
Awareness of avenues of complaint is clearly desirable, and a specific requirement to notify individuals of these would be consistent with developments in general consumer protection law and practice – this is now a common requirement in the financial services, telecommunications and utilities sectors.
Submission 4-1.1: The law should require all data users to notify individuals of both internal and external dispute resolution options. Used appropriately, this can be assisted by layered privacy notices.
Notification of sources is a more complex issue. Where collection is only from third parties, any direct contact with the data subjects will typically be after collection, and any such requirement would need to be built into a version of NPP 1.5, which is currently the only principle to apply to third party collection. Where there is some direct collection from the individual and some from third parties, it would be easier to include notice of the third party collection in the obligations at the time of direct collection.
Privacy Commissioners around the world have increasingly been accepting, and even promoting, the concept of layered or staged provision of information. In August 2006, the Australian Privacy Commissioner launched a new presentation of her own office’s privacy policy as an example of a ‘layered notice’ approach. The objective of such approaches is to avoid overloading individuals with too much information initially, but to retain easy options for them to find out more detail if interested.
Many consumer representative organisations, while acknowledging an ‘information overload’ problem, view trends towards layered and short form privacy notices with suspicion, as they can too easily omit information which should be relevant to an individual’s decision whether to proceed with a transaction. Discussion of this issue inevitably involves wider ‘political’ judgments about the extent to which legislators and regulators should ‘force’ information on consumers which they may well not generally welcome or make use of (e.g., because it is perceived as paternalistic and patronising).
Submission 4-1.2: Concerning layered privacy notices, the Discussion Paper should canvass views about the minimum set of information which needs to be provided at or before the time of collection to achieve the objective of the awareness principle, and the minimum standard of transparency of links to more detailed information.
These points are also relevant to the openness or transparency principle – see below.
Q 4–6 asks: ‘Is it desirable for the IPPs to deal separately with the principles relating to the use and disclosure of personal information or should use and disclosure be provided for in one principle?’
There are competing arguments. A single principle avoids arguments about whether an action is a use or a disclosure and therefore which principle applies. On the other hand, separate principles allow each to deal with issues that arise specifically in the context of internal use or disclosure to third parties. But the concept of a third party is slippery, particularly with large multi-function data users. Corporate entities can have many different ‘business lines’ and government agency boundaries are constantly changing with new administrative arrangements and portfolios. The NSW ADT has ruled that under PPIPA, in relation to agencies with disparate functions, some internal uses can be disclosures[31]. Even with a single principle, it is still necessary to understand the meaning of the two concepts.
Submission 4-6: There are competing arguments. This question deserves to remain open in the Discussion Paper.
The UK case of R v Brown [1996] 1 AC 543, a case on UK privacy legislation, held that merely reading personal information is not 'use' of that information. In contrast, the Federal Privacy Commissioner's Plain English Guidelines to Information Privacy Principles 8-11 (1996) states that ‘As a general rule, any accessing by an agency of personal information in its control is a “use”’, and this includes ‘searching records for any reason’. Even if it is not a breach of an IPP or NPP to merely access (or read) a person’s file, it can easily be a criminal offence under the ‘computer crime’ laws of most jurisdictions.[32] The result in Brown was unfortunate, because evidence was lacking that the information had then been disclosed, though the circumstances raised this suspicion. However, if mere access does constitute use, organisations may be faced with unnecessary requirements to prevent innocuous and/or inadvertent access to files by their staff. It may be better for serious instances where this should be prevented to be regulated by the criminal law, or the regulations of particular institutions (e.g., Police, tax or Centrelink files) as is often currently the case.
Submission 4-6.1: The use principle should clarify whether accessing personal information, without further action being taken as a result of that access, is ‘use’ of personal information.
As noted in paragraph 4.33, the Privacy Act 1988 s.6 provides that ‘use, in relation to information, does not include mere disclosure of the information, but does include the inclusion of the information in a publication.’ The meaning of this has always been unclear. In relation to Commonwealth agencies, the Federal Privacy Commissioner has considered many situations where an agency passes personal information to an outside organisation or agency to be a ‘use’ not a ‘disclosure’, applying a test of ‘whether or not the agency maintains control over that personal information’. It seems that outsourcing of processing of personal information has been dealt with in this way. See Federal Privacy Commissioner, ‘When is passing personal information outside an agency a use?’ in Plain English Guidelines to Information Privacy Principles 8-11 (1996). It is questionable whether this interpretation would be upheld by a Court if challenged, and it would be unwise to simply apply it in the private sector context without further consideration.
The IPPs refer to information being disclosed, not records. Disclosures can be verbal, or by actions (e.g., allowing another person to read a file). The Victorian Privacy Commissioner has noted that disclosure does not necessarily mean physical transfer: ‘To disclose is to reveal. Personal information can be disclosed even though it remains in the possession or control of its original collector. The act of sending the original or a copy to another person is not a necessary element of a disclosure, although it will be a common feature’ (IPP Guidelines Part 1). In Hong Kong ‘disclosing’ ‘includes disclosing information inferred from the data’ (s2). It also of course includes information explicit in the data. No issues seem to have arisen where the form of disclosure has been unnecessarily limited.
Australian commentators are divided on whether ‘disclosure’ includes information already known to the recipient,[33] but in our view it should be so regarded. It is of considerable practical importance. Information received from an earlier non-authoritative source means less than the ‘same’ information confirmed by a later more authoritative source[34]. Organisations could abuse this by simply asking whether other organisations could ‘confirm’ some item of information they purported to know, and the ‘confirmations’ would not be disclosures. Where a recipient of information really does learn nothing from information received, any compensation resulting from that breach by disclosure is likely to be reduced, as the disclosure has had no effect on the data subject. On balance, therefore, it is better for ‘disclosure’ to include previously known information.
Submission 4-6.2: Privacy laws should make it clear that even information already known to the recipient can still be ‘disclosed’.
Q 4–7 starts by asking ‘Are the circumstances in which agencies and organisations are permitted to use and disclose personal information under IPPs 10 and 11, and NPP 2, adequate and appropriate?’
The starting point in considering what should be the allowed uses (and/or disclosures) of personal information is the ‘original purpose of collection’, referred to variously as ‘obtained for a particular purpose’, ‘the primary purpose of collection’, or the purpose ‘for which it was collected’. Common to all these formulations is the key principle (‘finality’ in European nomenclature) that uses and disclosures should prima facie be limited by the purposes of collection. If applied strictly, this is not an ‘efficiency’ measure (in James Rule’s terms) from the point of view of data users – it is not in a data user’s objective interests to have to re-collect information from data subjects when they could re-use what they have or use their ‘information capital’ for exchanges with other data users. In Rule’s analysis, ‘finality’ principles do place objective limits on the surveillance capacity of organisations, but their significance depends on the exceptions to and exemptions from them.
Can there be more than one distinct original purpose of collection? NPP 1.3(c) refers to notice of ‘the purposes for which the information is collected’, but the Commissioner has taken the view that there will only ever be one primary purpose, with all other purposes being secondary (Guidelines to the NPPs - NPP 2.1(a)). The problem with this view is that it invites data users to define their purpose broadly so as to avoid the constraints on secondary purposes. The EU Directive, by contrast, stipulates that the purposes for which data are collected shall be ‘specified’ and ‘explicit’ (Article 6(1)(b)). This is generally taken to mean that the purposes must be delineated in a relatively concrete, precise way (see further Bygrave, 2002a, p. 338).
Submission 4-7: The law should be clarified to expressly allow for the declaration of multiple specific purposes, where collection is necessary for each of these purposes (but see discussion of bundled consent).
How broad an original purpose is allowed is discussed in relation to permitted purposes and purpose justification under Collection above. Disclosure to third parties can be a purpose of collection in itself, i.e. a data user may well have as one of its purposes, or even a sole purpose, the disclosure of personal information.[35] Media organisations are the obvious candidates for this. Other issues relating to purpose specification that have been identified (Berthold & Wacks, 1997, pp. 123–124) include:
A number of specific questions in the Issues Paper about use and disclosure are part of the wider issue of what secondary purposes should be permitted. We choose to deal with this wider issue by discussing each of the main exceptions in turn.
IPP 10 allows only ‘directly related’ secondary uses, but IPP 11 does not include any similar provision for directly related disclosures, and may therefore provide more protection than the Directive. NPP 2 requires that the secondary use or disclosure be ‘related’ to the purpose of collection (or ‘directly related’ in the case of sensitive information), but also requires that ‘the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose’. The meaning of these terms has not yet been clarified by case law in Australia, or by reported interpretations by the Privacy Commissioner.
Q 4-8 asks ‘Are the criteria in NPP 2.1(a) for using personal sensitive and non-sensitive information for a secondary purpose adequate and appropriate? For example, is it necessary or desirable that there also be a ‘direct’ relationship between the secondary and primary purpose of collection before non-sensitive personal information can be used or disclosed for a secondary purpose?’
Most privacy principles include some use and disclosure for purposes ‘related’ or ‘directly related’ to the purpose of collection.
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or …’
NPP 2.1(a) makes a distinction between ‘related’ and ‘directly related’ meaning that for non-sensitive information, a secondary purpose need only be indirectly related to the primary purpose, although the Federal Commissioner says that the secondary purpose must be something that arises in the context of the primary purpose (emphasis added) (Guidelines to the NPPs - NPP 2.1(a)). The Victorian Commissioner says of the identical IPA principle that it must be ‘connected or associated with the primary purpose’. ‘Directly related’ is therefore the test most commonly applied in Australian legislation and that of other Asia-Pacific legislation. Commissioners and Tribunals are not known to have had difficulties in applying a ‘directly related’ test.
International standards have little impact here. The EU Directive allows secondary uses and disclosures (further processing) of personal information in ways which are ‘not incompatible’ with the purpose(s) of collection (Art. 6(1)(b)). The NPP’s additional ‘reasonable expectations’ test seems to impose a standard at least as high as the Directive.[37] There is room for disagreement about the precise meanings of ‘incompatible’, ‘related’ and ‘directly related’, but it is fairly certain that the Directive does not set a clearly higher standard here than the Australian provisions. The APEC Framework principle IV uses the less precise test of ‘other compatible or related purposes’. Neither the APEC test nor the EU ‘not incompatible’ test should be adopted, as they will be more difficult to apply consistently.
Submission 4-8: The general adoption of ‘directly related’ in the related purposes test is appropriate.
Q 4–9 asks ‘Is the scope of IPP 10(e) (which allows agencies to use personal information for a purpose other than the particular purpose of collection, if the purpose for which the information is used is directly related to the purpose of collection) adequate and appropriate? For example, should there be an additional requirement that the individual concerned would reasonably expect an agency to use the information for that other purpose?’
The NPPs and Victorian IPPs contain an additional ‘reasonable expectations’ test for secondary use and disclosure in addition to the ‘related/directly related’ test. It is the ‘individual concerned’ who must have the ‘reasonable expectations’. This might suggest that the level of knowledge of industry practices by the individual may be relevant although the Federal Commissioner says the test will be applied ‘from the point of view of .. an individual with no special knowledge of the industry or activity’, and the Victorian Commissioner agrees: ‘What would a reasonable person, without special knowledge, reasonably expect’. The Commissioners’ views accord with the traditional administrative law concept of reasonableness set out in the Wednesbury case.[38] The Victorian Commissioner states that it is an objective test, and that ‘the expectations of the actual individual involved are a consideration, but they are not determinative’.
Even for those principles which do not expressly include them as an additional test, the ‘reasonable expectations’ of the data subject may affect interpretation of what is ‘directly related’ (or, for that matter, on what is objectively determined to be the ‘purpose ... of the collection’). Hong Kong commentators consider that, where the data subject has not been given notice of the purpose of collection, these reasonable expectations will affect the objective determination of purpose (Berthold & Wacks, 1997, p. 147).
Submission 4-9: The ‘reasonable expectations’ test is desirable as part of a test of related purposes.
In considering the direct marketing exceptions, it is now appropriate to take account of the two specific laws applying to particular forms of direct marketing – the Spam Act 2003 and the Do Not Call Register Act 2006. Both of these, in response to particular public concerns, impose much more rigorous and prescriptive requirements on direct marketing using email, SMS or voice calls. While the Spam Act is ostensibly an ‘opt-in’ regime, the exceptions and definitions combine to make it in effect an ‘opt-out’ scheme, which is what the Do Not Call Register Act is by express design. Given the wide exceptions and exemptions in both these Acts – particularly for political and charity marketing but also for ‘established business relationships’ – it is doubtful if they will fully meet community expectations. Many ‘unwelcome’ marketing approaches will continue to be lawful even where individuals have registered their preference not to receive approaches.
As the ALRC found from its national phone-in, direct marketing is the single most ‘visible’ manifestation of privacy concerns in the community and there is no reason to doubt that individuals would like the same control over traditional postal direct mail as they have now been given over some sources of electronic and telephone marketing.
The specific provision in NPP 2.1(c) for direct marketing is the source of much confusion. Ford seems to be incorrect in asserting that under the Privacy Act ‘Australian consumers are given an unqualified right to ‘opt out’ of receiving direct marketing’ (Ford, 2003, p. 147). As the Commissioner points out in the NPP Guidelines, it is open to organisations to avoid the specific constraints of exception (c) by relying instead on exception (b) - consent - but warns that in most cases express consent will be required (see below). Some businesses, particularly the direct marketing specialists, maintain that much of their activity can be carried out without either express consent or even an opt-out opportunity by relying on the related purpose exception (a), arguing that most consumers have a ‘reasonable expectation’ that organisations they have dealt with before will try to sell them other goods or services. It remains to be seen if litigation in due course pushes most direct marketing into exceptions (b) and (c), with their conditions, or allows it to operate relatively unconstrained under exception (a).
In terms of international standards, the adequacy criteria adopted by the EU’s Article 29 Working Party single out the need for a right to opt-out of direct marketing when personal data are used for direct marketing, in accordance with Art. 14(b) of the Directive, as one of the additional principles needed for adequacy of certain types of processing. In its Opinion 3/2001, the Working Party observes that it has previously stated that ‘allowing personal data to be used for direct marketing without an opt-out being offered cannot in any circumstance be considered adequate’, so this is clearly a significant issue. Hong Kong has a direct marketing provision that is closer to requiring a universal ‘opt-out’.[39]
The Privacy Commissioner’s 2005 private sector review report recommended:
‘23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.’ (OPC, 2005, p. 103)
The OPC notes that a general right to opt-out of direct marketing is supported by both consumer and business groups (including the Australian Direct Marketing Association) in Australia (OPC, 2005, p. 100), and in fact appears to be the current practice of most businesses (OPC, 2005, p. 102). The Senate Committee went somewhat further than the OPC and recommended in 2005 that the review it proposed ‘should consider the possibility of an ‘opt in’ regime for direct marketing in line with the Spam Act 2003’ (Bolkus Report, 2005, recommendation 15, p. 158). As noted above, it is arguably misleading to describe the overall effect of the Spam Act regime as ‘opt-in’.
Another recommendation by the Commissioner for a national ‘Do Not Contact’ Register[40] has now been partially implemented in the form of the Do Not Call Register Act 2006 (Cth). This is limited to telephone voice calls, and the breadth of exemptions from the scheme means that it will not address many of the concerns about direct marketing uses. It is therefore still appropriate for a direct marketing ‘opt out’ to be dealt with in a general use and disclosure principle.
Q 4–12 asks: ‘Is it appropriate that NPP 2 allows for personal non-sensitive information to be used for the secondary purpose of direct marketing? If so, are the criteria that an organisation needs to satisfy in order to use personal information for direct marketing purposes adequate and appropriate?’
Submission 4-12: NPP 2 should be amended to contain a sub-principle dealing expressly with direct marketing, broadly defined, unequivocally giving individuals a right to opt-out of receipt of further communications. No alternatives should be allowed. Such a principle needs to be designed to be consistent with other more specific legislation, which may however continue to apply a higher standard in relation to particular types or modes of communication.
The IPPs governing the federal public sector do not include any opt-out right, which is a gap of increasing significance as government agencies adopt commercial direct marketing techniques to promote government policies and programmes. Given that there are other means by which governments routinely communicate the availability of services (such as general advertising), it is difficult to see why government agencies should not have to respect a clearly expressed preference of individuals not to be contacted. It would greatly assist the exercise of privacy rights if the Do Not Call Register (and any extension to other means of contact) gave individuals choices as to what sources of direct marketing they agreed to (e.g. commercial, fundraising, government information).
Submission 4-12.1: Consideration should be given to providing a right to opt-out of direct marketing from government agencies – subject perhaps to limited exemptions for public health and safety campaigns or where government agencies had specific knowledge of individuals’ eligibility.
A related issue is the ability of individuals to find out from where the contact details used by direct marketers have been obtained. The Privacy Commissioner recommended in 2005 that:
‘24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual’s personal information.’
This would be a significant reinforcement of individuals’ privacy rights, without being too onerous for data users. Such a requirement could already be read into NPP 5.2, but there is no evidence that it is being interpreted in this way, and there would be merit in making it express.
Submission 4-12.2: Privacy law should require that data users take reasonable steps, on request, to advise an individual from where they acquired the individual’s personal information.
Privacy principles always allow data to be used for purposes other than the purpose of collection with some form of consent of the data subject, but what form of consent suffices differs widely. Australian privacy laws all have exceptions for use and disclosure where ‘the individual concerned has consented’ (PA IPP 10(a), IPP 11(b) and NPP 2.1(b), Vic IPA IPP 2.1(b) and PPIPA s.17(a) and s.26(2)). The HK PDPO DPP 3 requires ‘prescribed consent’ for data to be used for a different purpose. PDPO s2(3) provides that ‘prescribed consent’ ‘(a) means the express consent of the person given voluntarily’; and (b) may be withdrawn in writing.
Implied consent - The PA and Vic IPA define ‘consent’ as including express consent or implied consent (PA s.6, Vic IPA s.3).
In relation to international standards, the EU Directive requires that ‘the data subject has unambiguously given his consent’ (Art. 7(a)) as one of the bases for any processing of personal data. Insofar as any implied consent is also unambiguous, IPPs 10–11 and NPP 2 are compatible with the standard adopted in the EU Directive, provided they are interpreted as requiring free and informed consent.
Consent vs acknowledgement of conditions - Many data users seek ‘consent’ for uses and disclosures in circumstances where individuals are required to consent in order to proceed with the transaction or receive the service. This is from one perspective not ‘free’ consent, but from another the individual is free not to go ahead with the transaction. Privacy Commissioners have issued advice that in these circumstances data users should not pretend that they are seeking consent, but should instead ask the individual to simply acknowledge that the uses and disclosures specified will take place and are a condition of the transaction.[41] Whilst more ‘honest’, acknowledgement alone might not then be a sufficient basis for the use or disclosure (other than under the IPPs – which have a ‘prior notice’ exception discussed below). One of the other exceptions to the use and disclosure principle would have to apply. The credit reporting provisions of the Privacy Act (Part IIIA) refer expressly to consent in relation to transactions where individuals do not have any choice, other than not to proceed with their application for credit.
Submission 4–12.3: The Discussion Paper should consider the implications of the confusion caused by the lack of any distinction in the Privacy Act between uses or disclosures justified by consent and those justified by acknowledgment of notification.
Bundled consent - Bundled consent means the practice of seeking consent for multiple uses and/or disclosures at the same time (OPC, 2005, p. 85) – typically when collecting personal information. Individuals are given no choice as to the particular uses or disclosures to which they are consenting, or not consenting – it is in effect ‘all or nothing’. The issue of bundled consent has been well canvassed by the Privacy Commissioner. Bundled consent exposes a major flaw in the practical efficacy of the principles in meeting the objective of participation by individuals.
Organisations employ this practice for reasons of efficiency and cost reduction. However, the practice undermines the interests served by the consent requirements of the Privacy Act. Yet the Act gives some leeway for the practice due to the reference in NPP 1.3(c) to a plurality of purposes and the omission of guidance as to the meaning of ‘primary purpose’ in NPP 2.1 (see above). Where secondary uses or disclosures are necessarily incidental to the primary purpose, e.g. disclosure to a mailing contractor for delivery, or to another agency for verification of details provided, then it may be appropriate to make this a condition of a transaction. But too often, data users seek consent for secondary uses which are neither necessary for nor even necessarily related to the primary purpose – most commonly for marketing other goods or services, but also for more significant and potentially even more unwelcome purposes.
In its 2005 private sector review report, the OPC notes that there is a need to clarify the limits for bundling consent under the Act. The OPC states that it will ‘develop guidance’ on the issue (OPC, 2005, recommendation 22, p. 93), but this has yet to appear. What needs to be made more clear is the extent to which data users are allowed to rely on consent obtained in this way and conversely, the extent to which individuals must be given separate opportunities to consent to different uses/disclosures.
4–11 Are there particular issues or concerns arising from the practice of organisations seeking bundled consent to a number of uses and disclosures of personal information? If so, how are these concerns best addressed?
Submission 4-11: The law needs to be clarified concerning ‘bundled consent’ in order to prevent abuse of the practice.
In relation to international standards, the ability to bundle consent is arguably reduced (though not extinguished) under the EU Directive, given that the purposes for collecting personal data must be delineated in a relatively concrete, precise way (viz. the reference to ‘specified’ in Art. 6(1)(b))[42] and consent must be ‘specific’ (Art. 2(h)). Canadian legislation, by contrast, places more direct restrictions on the practice.[43]
Information Privacy Principle 11(1)(a) includes an additional exception allowing disclosure where ‘the individual concerned is reasonably likely to have been aware, or made aware under Principle 2 [notice at the time of collection], that information of that kind is usually passed to that person, body or agency’. In this situation, notice is considered sufficient even if it does not amount to implied consent.[44] This exception seems to be an extremely broad ‘bootstrap’ clause by which government agencies can, in effect, write their own exemptions from the disclosure limitation principle, simply by notifying individuals about the disclosures at the time of collection. It has the same effect as the ability to self-define purpose of collection (see above) and means that there is no need for agencies to justify the purpose of disclosure, beyond showing that they are not acting ultra-vires. IPP 11(a) assumes some disclosure practices can be so notorious as to not require specific notice, and may be based on an assumption of implied consent. But this is already provided for in the exceptions for consent (defined as express or implied), and for related secondary uses within reasonable expectations (see above).
It is an anomalous exception. There is no equivalent exception in the NPPs, the EU Directive, or even the APEC Privacy Framework. A separate prior notice exception is at best a historical anachronism and cannot be defended. It should be possible to identify any and all countervailing private or public interests in advance and write a specific exception where this can be justified. There should be no place for a broad discretion to disclose solely on the basis that individuals are notified.
Submission 4-11.1: The exception for mere awareness of disclosure practices without consent to them or acknowledgment of them should be removed.
The following exceptions are intended to cover exceptional situations, and appear to have operated largely satisfactorily, in the case of the Privacy Act 1988 for nearly 20 years:
Q 4–7 goes on to ask specifically ‘In particular, should agencies and organisations be permitted expressly to disclose personal information: (a) to assist in the investigation of missing persons; (b) where there is a reasonable belief that disclosure is necessary to prevent a serious and/or imminent threat to an individual’s safety or welfare, or a serious threat to public health, public safety or public welfare; and (c) in times of emergency? What mechanism should be adopted to establish the existence of an emergency?’
This question appears to relate to concerns expressed by some data users in previous reviews and enquiries, based partly on experience of emergencies such as the Bali bombings and the East Asian Tsunami of early 2006. These concerns have subsequently been addressed by amendments to the Privacy Act in late 2006.[45]
In relation to these questions, it is necessary to clearly distinguish situations where the use and disclosure principles form a genuine barrier to a sensible outcome, and spurious claims to that effect. Most of the examples of what has become known as ‘BOTPA’ (Because of the Privacy Act…) involve a misinterpretation of the constraints – sometimes out of ignorance but too often from laziness, unwillingness to explore the statutory exceptions and discretions, or a wilful desire to blame the law for something that the data user does not wish to do for some other reason.
The recent amendments to the Privacy Act 1988 to address this perceived ‘problem’ were arguably unnecessary. The Minister in his Second Reading speech admitted that:
“…, the bill serves to clarify and enhance what is largely already permissible under the Privacy Act.”
In the rare circumstances where a collection, use or disclosure may technically not be permitted by the Act, it is unlikely that the individuals concerned would complain, and in any case, both the Privacy Commissioner and the Courts would have the discretion to treat any such complaint as trivial.
The amendments were drafted so broadly that they could have the unintended consequence of allowing ‘emergency’ declarations to be used as a loophole for other purposes.
Submission 4-7: The ALRC should canvass the justification for the recent amendments concerning emergencies, which were given relatively little scrutiny in Parliament.
The Australian principles allow secondary uses where ‘required or authorised by or under law’ (IPPs 10 and 11, and NPP 2.1(g)). However, the meaning of ‘law’ in the exception under the IPPs appears to differ from that in NPP 2.1(g). The reference to ‘law’ in NPP 2.1(g) may include