The ‘Review of Privacy’ (Report) recently published by the Australian Law Reform Commission (ALRC) recommends a number of significant changes to the Federal privacy regime in Australia. Some of the key changes include the introduction of a statutory cause of action for invasion of privacy, the removal of some exemptions, and the introduction of ‘Unified Privacy Principles’ (to govern the handling of personal information by both the public and private sectors).
The Report also proposes several changes to the provisions of the Privacy Act 1988 (Cth), such as the removal of the small business and employee records exemptions, the introduction of a ‘data breach notification’ requirement, and the amendment of the direct marketing and credit reporting provisions. These and other key proposals are discussed below.
Statutory Cause Of Action For Invasion Of Privacy
There is currently no ‘tort of privacy’ in Australia. However, the tide seems to be turning, both here and overseas. Increasingly, public and judicial sentiment favour the protection of individuals from unwanted intrusions into their private lives and affairs.
The ALRC considers that there is a need for a tort of privacy, but believes there are inherent problems in allowing one to develop incrementally at common law. It takes the view that, absent legislation, the courts will be forced either to fit the circumstances that may give rise to an invasion of privacy into a pre-existing cause of action, or to formulate a previously unrecognised cause of action or tort of privacy.
The ALRC has also recognised the need for national uniformity in this area and has recommended the insertion of a statutory cause of action for invasion of privacy into the Commonwealth Privacy Act.
The ALRC has proposed that the following elements exist to establish liability for an invasion of privacy:
- the plaintiff had, in all the circumstances, a reasonable expectation of privacy in relation to the relevant conduct or information; and
- the defendant's invasion of that privacy in relation to that conduct or information is, in all the circumstances, sufficiently serious to cause substantial offence to a person of ordinary sensibilities.
It has also proposed a non-exhaustive list of the types of conduct that will fall within the cause of action, such as:
- there has been an interference with an individual's home or family life;
- an individual has been subjected to unauthorised surveillance;
- an individual's correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed; or
- sensitive facts relating to an individual's private life have been disclosed.
The following defences to the cause of action have been proposed:
- the act or conduct was incidental to the exercise of a lawful right of defence of person or property;
- the act or conduct was authorised or required by law;
- disclosure of the information was in the public interest or was fair comment on a matter of public interest; or
- disclosure of information was, under defamation law, privileged.
Currently, the Privacy Act includes a ‘journalism’ exception, meaning that media organisations are not subject to the provisions of the Act when engaging in ‘journalism’. However, no journalism exception appears among the proposed defences. The introduction of this new cause of action could therefore have a significant chilling effect on free speech, because when reporting ‘private’ information media organisations would have to rely solely on a public interest defence to justify publication.
The Unified Privacy Principles
The Privacy Act currently provides for two sets of privacy principles in relation to the handling of personal information – the Information Privacy Principles (IPPs), which apply to federal government agencies, and the National Privacy Principles (NPPs), which apply to private sector organisations.
The requirements for both sets of principles are similar but not identical. The NPPs contain additional, and in some respects, more comprehensive obligations.
To achieve national consistency, the ALRC has proposed bringing the NPPs and IPPs in line to form a single, unified set of privacy principles (the Unified Privacy Principles (UPPs)). These would apply to both the public and private sectors. As a result, agencies would be subject to a number of requirements including:
- allowing individuals to deal with the agency on an anonymous basis where this would be lawful and practicable;
- rules about sending information offshore (transborder data flows, see below); and
- specific obligations in relation to the handling of health and other sensitive information.
Unlike the NPPs, the IPPs do not currently treat health and other sensitive information as a special subset of 'personal information'. The ALRC has proposed that specific requirements should apply to the handling of health information by both agencies and organisations, which would be separately set out under the proposed Privacy (Health Information) Regulations.
Relevance And Quality Of Information
Currently, the Privacy Act requires that personal information held by organisations be ‘accurate, complete and up-to-date’. It has been suggested that these criteria are ambiguous because they do not say against what standard accuracy or completeness is to be judged, and that it would be clearer to tie them to the purpose for which the personal information was collected, or to another purpose permitted under the privacy principles.
Accordingly, the ALRC has proposed that the current criteria be amended to require an organisation to take reasonable steps to ensure the personal information that it handles (with reference to a purpose of collection permitted by the proposed UPPs), is accurate, complete, up-to-date and now, in addition, relevant.
The purpose behind the relevance requirement appears to be to prevent organisations from disclosing irrelevant personal information to third parties. For example, a financial planner may collect personal information about a client’s finances and marital status. It would not be necessary for the financial planner to disclose all of this information to a third party organisation for the purpose of buying shares on behalf of the client. By inserting an additional criterion of relevance, the ALRC hopes to restrict the use and disclosure of personal information to only that information which is relevant in the circumstances, although arguably this is already implicit in the privacy principles, which require that an organisation only collect personal information that is necessary for the performance of its functions.
The proposed amendment also means that, where personal information held by an organisation is no longer relevant to the purpose for which the information was collected (or another purpose under the Privacy Act), it should be removed from the organisation’s record or de-identified. This could potentially place an onerous burden on organisations to constantly revise and update their data records.
Expansion Of The Definition Of Personal Information – IP Addresses
Given the advances in technology that have taken place since the Privacy Act was enacted, the ALRC has reviewed the adequacy of the definition of ‘personal information’. Currently, the definition requires that the information enable a person’s identity to be ‘reasonably ascertained’. This potentially excludes IP addresses, mobile telephone numbers, email addresses and biometric information from the scope of the Act because, arguably, on their own they do not enable a person’s identity to be reasonably ascertained.
However, the development of new technology means that this type of information may enable individuals to be contacted, tracked or profiled, in turn enabling indirect identification. In order to ensure that such information is captured by the ambit of the Privacy Act, the ALRC has proposed the expansion of the current definition of personal information. It would include information ‘about an identified or reasonably identifiable individual’. Once information can be linked to an individual, making them ‘reasonably identifiable’, that information would become personal information for the purposes of the Privacy Act.
Consent
Agencies and organisations can use and disclose personal information under the Privacy Act where they obtain the consent of the individual concerned. ‘Consent’ is defined under the Privacy Act as express or implied consent, but no further guidance is provided on what is required to obtain it or when consent can be said to have been given. Generally, consent should be given voluntarily, and only after the individual has been informed of the nature of, and reasons for, the use or disclosure.
Further issues arise in the context of ‘bundled consent’, where individuals are asked to consent to a range of uses and disclosures of personal information, often in the context of the supply of goods and services. There is a risk that consent provided in these circumstances is not true consent because it is not given willingly, particularly where an individual has not been given the option of choosing which uses and disclosures they agree to.
There may, however, be practical reasons for obtaining bundled consent. For example, where an agency or organisation has multiple interactions with an individual (say in the context of an ongoing business relationship, or managing a claim for ongoing government benefits), it may not be practical to obtain consent on each occasion that the personal information is used or disclosed.
Rather than provide a statutory definition of consent which could be interpreted too narrowly, the ALRC has recommended that the Privacy Commissioner provide further guidance on what is required to obtain consent in various contexts, including advice on the appropriate use of ‘bundled consent’.
The ALRC has also made a number of proposals regarding consent in the context of health information. These include:
- allowing a health service provider to collect health information about a third party from a person (e.g. patient or other health consumer), without the third party's consent where it relates to the person's social, family and medical history and is necessary in the context of providing a health service to the person;
- where an individual is incapable of giving consent, allowing an 'authorised representative' to give consent on their behalf;
- allowing a health service provider to disclose health information about an individual who is incapable of giving consent to a person who is responsible for the individual, subject to a number of circumstances being met; and
- permitting the collection of health and other sensitive information where it is necessary to prevent a serious threat to the life of an individual, and where the individual whom the information concerns is incapable of giving consent.
Collection Of Personal Information From Third Parties
Another matter which gives rise to issues of consent is the collection of personal information about an individual from a third party. The provisions of the Privacy Act cover personal information obtained about an individual from a third party, where that information is solicited by agencies and organisations. However the requirements for handling unsolicited information are less clear.
Different obligations apply to public and private sector bodies in relation to unsolicited information. The IPPs are silent on the collection of personal information from a source other than the individual concerned. NPP 1.5, by contrast, requires that where an organisation collects personal information about an individual from someone else, it take reasonable steps to make the individual aware of the matters that apply to direct collection (i.e. the purpose for which the information is collected, to whom the organisation normally discloses that kind of information, etc).
However, the risk of improper interference with an individual’s privacy does not generally arise from the unsolicited receipt of the information, but rather from its retention by the agency or organisation.
The ALRC has therefore recommended the need for clearer rules about the handling of unsolicited personal information received from third parties. In particular, where an agency or organisation receives personal information about an individual from another person, it should be required to either:
- destroy the information, without using or disclosing it; or
- if the information is retained, take reasonable steps to bring to the individual's attention specified matters similar to those that apply to direct collection, and advise the individual of the source of the information on request.
Therefore, unless certain exceptions apply, the agency or organisation would need to seek the consent of the person in order to use or disclose the information. It is interesting to note that there is no proposed requirement to seek consent from the source of the information to reveal their identity to the individual, nor advise them if this occurs.
The ALRC has also proposed that the requirements in relation to information received from third parties would only apply:
- in circumstances where a reasonable person would expect to be notified;
- to the extent that it would not pose a serious threat to the life or health of any individual; and
- in the case of an agency, except to the extent that it is required or specifically authorised by or under a law not to make the individual aware of one or more of these matters.
Data Breach Notification
Following the recent introduction by Senator Stott Despoja of the Privacy (Data Security Protection Breach Notification) Amendment Bill in the Senate, the ALRC now proposes to amend the Privacy Act to impose a new data breach notification obligation on agencies and organisations.
Currently, the privacy principles in the Privacy Act only require agencies and organisations to take reasonable steps to maintain the security of the personal information they hold. The ALRC is concerned, amongst other things, about identity theft and identity fraud, particularly given the large amounts of identifiable information that are stored electronically. Also, because identity theft normally occurs where a person’s information is accessed in a place they do not control and of which they are often unaware, the person would not have an opportunity to take steps to mitigate the effects of identity theft.
The ALRC noted that many stakeholders, including the Office of the Privacy Commissioner, were generally supportive of the new notification requirement, mainly to improve accountability, openness and transparency in the handling of personal information. This would encourage compliance and vigilance against identity theft and provide a strong market incentive for organisations to secure their databases and avoid the reputational damage that could arise from a breach.
Those against the change argue that the current requirements are adequate and further obligations would be unnecessary. Interestingly, the Australian Federal Police is not in favour of the requirement, and expressed some concern that it would contribute to the already excessive caution exercised by agencies, organisations and individuals in relation to privacy. The ALRC also recognised that many organisations currently report data breaches if they believe it could result in harmful disclosure of confidential information.
The ALRC has concluded that a legal requirement to notify the individual is necessary to avoid the risk of under-notification, noting that organisations would otherwise not be motivated to inform every affected individual because of the potential for reputational damage, lost customers, loss of future profits and exposure to litigation or penalties. It also considers that individuals should be notified so that they can take steps to minimise the damage, and emphasises the importance of early notification. The new law would also provide an incentive to improve data security, which is already a requirement under the Privacy Act.
Key features of the proposed law are:
- An agency or organisation is required to notify the Privacy Commissioner and affected individuals when:
- 'specified personal information' has been, or is reasonably believed to have been, acquired;
- by an unauthorised person; and
- the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.
This notification threshold test is higher than other overseas models considered by the ALRC, allowing organisations to investigate the data breach and assess whether it would give rise to a 'real potential to serious harm'. Serious harm would include more than just identity theft or fraud (e.g. discrimination, if sensitive medical information was released). The reason for the high threshold proposed is to avoid 'notification fatigue' for individuals and reduce compliance burdens on agencies and organisations;
- Breach of the requirements, including failure to notify the Privacy Commissioner, would attract a civil penalty.
- The definition of 'specified personal information' would not be limited to financial information. It would also cover sensitive information and prescribed combinations of information which, if disclosed without authorisation, would give rise to a real risk of serious harm: for example drivers licences, proof of age cards, Medicare numbers, account numbers, credit or debit card numbers, security codes, passwords or access codes, and sensitive information, in combinations that would allow a person's account or true identity to be taken over.
- Consistent with the ALRC's proposal that the Privacy Act be technologically neutral, the requirement to notify would not be restricted to computerised information.
- Adequately encrypted personal information, and information acquired in good faith by an employee or agent otherwise acting for a purpose permitted by the relevant privacy principles, would be exempt from the new requirements.
- The Privacy Commissioner would also have a broad discretion to waive the notification requirement if they consider it would not be in the public interest.
- The form of notification would be a stand-alone communication with prescribed content. The method of notification would be left to the relevant organisation or agency. Notification of affected individuals should occur as soon as reasonably practicable after notification to the Privacy Commissioner.
Removal Of Employee Records Exemption
Currently, the NPPs do not apply to ‘employee records’, which are records that contain personal information relating to the employment of a current or former employee (although employers have common law obligations to keep employment records private and confidential).
The ALRC has proposed that the employee records exemption be removed from the Privacy Act. It acknowledges that the removal of the exemption may affect the ability of prospective employers to engage in full and frank discussion with a job applicant’s previous employer. To address that concern, an exception is proposed that allows an agency or organisation to deny a request for access to ‘evaluative material’ (material compiled solely for the purpose of determining the suitability, eligibility, or qualifications of an individual for an offer of employment, a contract, scholarship or similar benefits).
Employers will face a number of other difficulties if the employee record exemption is removed. The most immediate risk will be employees having full access to their personnel files. In the new regime employers will be required to provide an employee, upon request, with his or her entire personnel file and other sensitive records integral to the effective operation of the employer’s organisation and human resources department. Employers will be required to take reasonable steps to allow the employee to correct employee records that the employee believes are not accurate. In addition, if there is a workplace investigation into suspected misconduct by an employee, the removal of the exemption will create significant hurdles for employers both in avoiding any subsequent litigation by an aggrieved employee (or ex-employee) and in protecting witnesses to an investigation.
The removal of the exemption will also affect business sales and purchase processes. Business sales are often market sensitive, and as such, are kept confidential until a deal is reached. In these circumstances, it is not practical to gain the consent of employees before providing their employment information to prospective purchasers as part of the due diligence process. The Privacy Commissioner has already issued an Information Sheet on best privacy practice when buying and selling a business, which recommends that only aggregate information regarding employees is provided to prospective purchasers. However, this information may not be sufficient for the purchaser to properly assess any risks in buying the business, especially in relation to senior employees. If the employee record exemption is removed, careful consideration of how this information is provided to a prospective purchaser will be required.
Further, employers that use an off-shore company to administer payroll functions, or who have an overseas parent company that requires access to Australian employees’ personal details, will also have to take additional steps to ensure that these overseas organisations comply with the proposed new UPPs.
Removal Of The Small Business Exemption
Currently, ‘small businesses’ with an annual turnover of less than $3 million are exempt from the operation of the Privacy Act. ‘Small businesses’ include businesses, non-profit bodies and unincorporated associations. It is suggested that up to 94% of businesses are covered by this exemption. The original reasons for the exemption were that the regulatory burden and compliance cost of abiding by the privacy requirements was considered too onerous for small businesses, and that many small businesses were considered low-risk when it comes to violations of individual privacy.
The ALRC proposes removing the small business exemption providing five key justifications:
- comparable jurisdictions (e.g. the United Kingdom, Canada and New Zealand) do not exempt small businesses from privacy law requirements;
- the removal of the exemption will make Australia more compliant with the European Union directive and could promote trade with the European Union;
- modification of the small business threshold, either by increasing the turnover threshold or changing the measuring unit to employee numbers, will not be an appropriate solution;
- some small businesses, such as debt collectors, ISPs, private detectives and tenancy operators, are involved in some of the most intrusive invasions of privacy, regardless of the size of the business (i.e. the focus should be on the types of activities undertaken by the business rather than its size); and
- up to 20% of complaints from December 2001 to January 2005 received by the Privacy Commissioner were deemed to fall within the small business exemption and therefore could not be investigated.
The ALRC acknowledges that removal of the exemption would mean additional costs for small businesses to comply with privacy laws, such as obtaining legal advice, training staff on privacy requirements, maintaining security in respect of the personal information held and dealing with customer requests for access and correction of their personal information.
The ALRC proposes that the Privacy Commissioner provide businesses with assistance and support to minimise compliance costs, before removing the exemption. This support would include free templates, educational materials and a national hotline.
Changes To The Media Exemption – Defining ‘Journalism’
Acts and practices of a ‘media organisation’ undertaken ‘in the course of journalism’ are exempt from the operation of the Privacy Act provided that the organisation is publicly committed to observe privacy standards that have been published in writing, either by the organisation, or by a person or body representing a class of media organisations. Under s 6(1) of the Privacy Act, a ‘media organisation’ is defined as an organisation (which includes an individual) that collects, prepares or disseminates to the public, news, current affairs, information or documentaries, or commentaries and opinions on, or analyses of, such material.
The central justification for the exemption has been the public interest, ensuring that the free flow of information to the public through the media is maintained. The phrase ‘in the course of journalism’ is not defined in the Privacy Act. A proposed definition of ‘journalism’ was abandoned in 2000 so that the ordinary meaning of the word would apply instead.
The ALRC has now recommended that a definition of ‘journalism’ similar to that proposed in 2000 be inserted into the Privacy Act. This is based on concerns that the lack of statutory definition allows the media exemption to apply too broadly, covering content such as infotainment, entertainment and advertising. ‘Journalism’ would be defined as ‘the collection, preparation for dissemination or dissemination of the following material for the purpose of making it public:
- material having the character of news, current affairs or a documentary; or
- material consisting of commentary or opinion on, or analysis of, news, current affairs or a documentary.’
The ordinary meaning of the terms ‘news’, ‘current affairs’ and ‘documentary’ would continue to apply, as the ALRC considered that defining them would be impracticable. However, the insertion of a definition of journalism into the Act has the potential to significantly curtail the activities that fall within the current media exemption, and thereby to limit the ability of media organisations to publish content that includes personal information in certain contexts.
Direct Marketing
Use and disclosure of personal information for direct marketing purposes is currently addressed in NPP 2.1. The ALRC proposes introducing a discrete direct marketing principle. The effect of the proposal is minimal and is unlikely to significantly alter the practices of organisations currently conducting direct marketing.
Under NPP 2.1, if personal information is collected for the primary purpose of direct marketing, then provided that adequate consent has been given, the information can be used or disclosed for direct marketing with no further obligations on the organisation, or as one submission stated, ‘almost without restraint’.
If, however, the personal information was collected for another purpose, then it may only be used for the secondary purpose of direct marketing if a number of factors are satisfied:
- it is impracticable for the organisation to seek consent before use;
- the organisation will not charge the individual to action an opt-out request;
- the individual has not previously requested not to receive direct marketing; and
- each piece of direct marketing contains an opt-out notice and the contact details of the organisation.
The proposed direct marketing principle would require all organisations conducting direct marketing to obtain consent from the individual or meet the above requirements, regardless of the purpose for which the information was collected.
The ALRC appears to have accepted the view of the Law Council which submitted that: ‘There appears to be no valid policy reason why an organisation which collects information for the primary purpose of direct marketing should be free to use that information in a way which organisations which collect it in the context of a relationship with the individual are not free to use it’.
Other changes that the proposed direct marketing principle would make include:
- where an individual requests not to receive further direct marketing communications, the organisation must comply with that request within a reasonable period; and
- where an individual requests it, the organisation must take reasonable steps to inform them of the source from which their personal information was obtained.
Consistent with its recommendations that public and private sector privacy principles be made uniform, the ALRC is considering whether the direct marketing principle should apply to agencies as well as organisations. No conclusion has been reached on this issue and the ALRC has called for further input from stakeholders.
Information Sent Overseas
The primary focus of the Privacy Act is to regulate the handling of personal information within Australia. However, due to the regular transfer of information across national borders, the provisions of the Privacy Act also regulate the overseas transfer of personal information by an organisation.
Section 5B of the Privacy Act extends the Act to acts done, or practices engaged in, outside Australia by an organisation, where the information relates to an Australian citizen or permanent resident. The transborder data flow rules currently apply only to private sector organisations. The ALRC argues that they should also apply to public sector agencies, since agencies can compel the collection of personal information; agencies should therefore remain accountable for the handling of that information and be prevented from transferring it to entities operating in countries with lower privacy protection standards.
There are broadly six circumstances in which the transfer of information overseas is currently permitted:
1. the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that upholds the requirements of the Privacy Act;
2. the individual has consented to the overseas transfer of the information;
3. the transfer is necessary to fulfil a pre-contract request by the individual or a contract between the organisation and the individual;
4. the transfer to a third party is necessary to perform or conclude a contract that is in the interests of the individual;
5. the transfer is for the benefit of the individual and it is impracticable to obtain the individual’s consent, but consent would likely be given if it were sought; or
6. the organisation has taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient inconsistently with the Privacy Act.
The ALRC’s proposal seeks to clarify grounds (1) and (6), which require a ‘reasonable belief’ or ‘reasonable steps’ to ensure that a similar level of privacy protection exists in the destination country. It is suggested that seeking legal advice would help an organisation establish the reasonable belief and take the reasonable steps required.
To assist an organisation in determining when the regulations are similar, and therefore a transfer overseas would be acceptable, the ALRC proposes that the Australian Government publish a list of laws or schemes that provide similar protection to that offered by Australian privacy laws.
In addition, when an organisation relies on grounds (3) to (6) above, the ALRC proposes that organisations be accountable for the way the information is dealt with, which means that, in some circumstances where personal information is sent overseas, the organisations would remain liable for the handling of that information.
Credit Reporting
The Report contains an extensive review of the credit reporting rules set out in Part IIIA of the Privacy Act. These rules are more technical and prescriptive in nature than the NPPs.
The most significant recommendation in the Report relates to broadening the types of information that can be included in a ‘credit information file’. The current regime strictly limits the types of information that can be included in a credit information file about an individual, and the information it permits is largely ‘negative’ in nature, such as details of a customer’s defaults in meeting their obligations under a credit contract.
The ALRC has stopped short of recommending that the limitations on what can be included in a credit information file be scrapped, and instead has recommended expanding the categories of information that may be included in a credit information file to the following:
- type of each current credit account opened (e.g. mortgage, personal loan or credit card);
- date on which each current credit account was opened;
- limit of each current credit account (e.g. initial advance, amount of credit approved, approved limit); and
- date on which each credit account was closed.
The ALRC has acknowledged that there is little support for the proposition that a more comprehensive credit reporting regime will improve the risk assessment process for lenders. However, it recognises that there was a divergence of views about how this additional information would be used. One view is that a more comprehensive credit reporting regime will reduce the level of defaults. Alternatively, the level of defaults could remain relatively unchanged but the additional information may reduce the number of applications that are rejected, because credit providers would have access to more information and accordingly it may become easier for some applicants to obtain access to credit.
The ALRC recommendations follow years of debate about perceived limitations in the credit reporting regime in Part IIIA. The recommendations can be contrasted with the views of the Victorian Government in the Victorian Consumer of Credit Review of 2006, to the effect that there was insufficient evidence to support a more comprehensive credit reporting regime.
The Report also contains a number of other recommendations relating to credit reporting. These include:
- a requirement for credit reporting agencies to monitor data quality and establish controls to ensure that information used or disclosed is accurate, complete, up-to-date and relevant;
- that any credit provider wishing to provide information on defaults to a credit reporting agency be required to be a member of an external dispute resolution scheme;
- that collection of credit information about persons under the age of 18 be prohibited; and
- that individuals be permitted to make a notation on their credit information file where they have been the victim of identity theft.
A further recommendation with potentially broad implications is the removal of the distinction between the different rules that apply, depending on whether credit is being obtained for commercial purposes on the one hand or personal, domestic or household purposes on the other. The latter category is currently subject to more onerous controls.
The Privacy Act regulates the collection, use and disclosure of the personal information of individuals. ‘Individual’ is generally defined as a natural (i.e. living) person. The exception to this is in Part VIA (declared emergencies and disasters), where personal information of an individual includes an individual who is not living. This means that the Privacy Act currently offers very little privacy protection for deceased individuals.
Particular problems arise in relation to the access and correction of personal information concerning deceased persons. Access to personal information of deceased persons held by Australian Government agencies is governed by the Freedom of Information Act 1982 (Cth) and the Archives Act 1983 (Cth), with similar state and territory legislation applying to personal information held by state and territory agencies. However, access to personal information in the private sector is inconsistent both across jurisdictions and industries.
The ALRC has proposed that access to personal information of deceased persons held by agencies continue to be governed by the FOI Act and the Archives Act. In relation to private sector organisations, the ALRC has proposed that the Privacy Act be amended to include a new Part which specifically deals with the handling of personal information of deceased individuals who have been dead for 30 years or less. This new Part would reflect the proposed Unified Privacy Principles in relation to use and disclosure, access by third parties, data quality and data security.
In relation to use and disclosure, the ALRC has proposed that where consent is required, the organisation should consider whether there would be an unreasonable use or disclosure in relation to any person, including a deceased person. The ALRC has not proposed that organisations be required to consult with the individual’s family or legal personal representative in determining whether the use or disclosure would be unreasonable, but in the absence of further guidance on what would be considered unreasonable, it would probably be preferable to do so as far as is reasonably practicable.
Further proposals by the ALRC in relation to the personal information of deceased persons include:
- permitting organisations to use or disclose genetic information to a genetic relative of a deceased person where it is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative; and
- allowing certain persons to lodge a complaint with the Privacy Commissioner in relation to alleged interference with the privacy of a deceased individual.
Young People And Decision Making
At present, Federal legislation does not specifically address the privacy rights of children and young people.
The ALRC proposes requiring organisations to assess the capacity of all individuals between the ages of 15 and 18 to make privacy decisions, by applying a set of assessment criteria. In relation to children aged 14 and under, privacy decisions would be made by the individual’s ‘authorised representative’. Specifically, the ALRC proposes that an individual would be found incapable of making privacy-related decisions if, despite the provision of reasonable assistance by another person, he or she is incapable, by reason of maturity, injury, disease, illness, cognitive or physical impairment, mental disorder or any other circumstance, of understanding the general nature or effect of those decisions or of communicating them.
This proposal is likely to impose a significant burden on organisations that market to and communicate with children and young people, particularly in an online environment where personal information is regularly collected.
There are a number of other proposals in the Report relating to privacy and young people, including Privacy Commissioner guidelines and other educational tools, which have significant implications for schools and other organisations that regularly deal with young people.
The proposed changes will have a considerable impact on agencies and organisations across Australia. Accordingly, the ALRC is accepting submissions from the public on all aspects of the Report until 7 December 2007. Please contact us if you would like assistance in preparing a submission to the ALRC regarding any of the Report’s proposals.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.