Privacy Law and Policy Reporter
1-3 (October 1994)
These guidelines are the first in a series of the Privacy Commissioner's view of how the Information Privacy Principles (IPP) affect government agencies, covering IPPs 1 to 3 concerning the collection of information. Further 'plain English' guidelines to the other IPPs are planned, and a more technical version of the guidelines is also to be published in the Federal Privacy Handbook. The guidelines are presumably issued under s 27(1)(e) of the Privacy Act 1988 (Cth).
The guidelines give the first public indication, other than limited and sporadic indications which can be gleaned from the few public interest determinations or published complaints, of how the Commissioner interprets these IPPs. Some agencies know the Commissioner's views, because they seek his advice, are subject to his complaint investigations, or are privy to bureaucratic gossip, but the public rarely finds out except by systematic publications such as this. They are therefore to be welcomed, despite arriving six years after the Act, particularly as such effort has been made to make them understandable.
There is little point trying to summarise plain English guidelines, but some of their more significant or controversial content deserves mention.
The guidelines identify three ways in which an agency's collection of information about a person can come within IPPs 1 to 3:
IPP 1 applies in all three cases, IPP 3 in situations 2 and 3, and IPP 2 only in situation 3.
'Asking for' information is considered to include encouraging people to provide it, for example, by setting up a 'hotline'.
These IPPs do apply to information collected for inclusion in a 'generally available publication', though other IPPs do not. Although it makes no difference here, it is surprising to see the guidelines stating that a 'generally available publication' includes 'public databases like the electoral roll'. If this is intended to cover all forms of the electoral roll, it seems at odds with the Commissioner's previous views in Public Interest Determination No 5 concerning the telephone 'white pages'.
Another definition of interest is that the guidelines say that 'personal information' is 'information or opinions that can identify a living person'. The definitions in the Privacy Act are not explicitly limited to 'living' persons, and it would be valuable to know the basis of the Commissioner's interpretation.
IPP 1 is summarised as - (1.1) agencies can only collect information that is: for a lawful purpose related to their functions; and necessary for or directly related to that purpose, and (1.2) an agency must not collect personal information in a way that is unlawful or unfair.
Some important points in the guidelines to IPP 1 are:
The guidelines summarise IPP 2 as:
When an agency asks for personal information directly from the person who that information is about, it has to take whatever steps are reasonable to make sure the person is aware of these details: why the agency is collecting the information; the agency's legal authority (if any ) to collect the information; and to whom the agency usually gives that kind of information.
Some interesting aspects of the IPP 2 guidelines are:
A suggested wording is given for simple IPP 2 notices:
[Name of agency] is collecting the information on this form to [statement of purpose]. This is [authorised / required] by [provision / name of Act].
[Name of agency] usually gives some or all of this information to [names of recipients].
The guidelines state that
IPP 3 says that an agency asking for personal information must: take reasonable steps to make sure that the information it collects is relevant, up to date and complete (see IPP 3(c)); and take reasonable steps to make sure that it does not collect information in an unreasonably intrusive way (see IPP 3 (d)).
The guidelines do not have a lot to say about the IPP 3(c) requirements. They note that the requirement of 'relevance' is similar in practice to the IPP 1 requirement that agencies only collect information that is 'necessary for or directly related to' the purpose of collection, and some of the guidelines here are equally relevant to IPP 1. However, the guidelines stress that one way for agencies to ensure that information is up-to-date and complete is to check it with the person concerned, and also to consider that or other checks if there is any reason to think the source of the information is unreliable.
Collection of information can be intrusive if it involves asking questions about 'sensitive personal affairs', which are listed as including information about medical history, relationships, sexual preferences, personal finances, political loyalty, or religious or philosophical beliefs.
Methods of collecting information may also be intrusive (and this overlaps with unfair collection practices under IPP 1). Intrusive practices are likely to occur if collection involves 'physically touching people, observing their bodily functions, or [invading] their private property'.
Whether a practice is unreasonably intrusive is to be measured by balancing the importance of the information to the agency's purpose, and the public interest in that purpose, against the intrusiveness of the collection practice, and taking into account any specific legal authority and whether there is any choice in the provision of the information.
Where law enforcement agency information collection practices are concerned the Privacy Commissioner 'chooses to follow the decisions of courts'.
Unlike the Commissioner's advice concerning credit reporting (see (1994) 1 PLPR 74, 94, 112), the IPP guidelines are not explicitly linked to specific complaints or advice requests to which the Commissioner has responded. It would be very valuable if these guidelines (and the proposed technical guidelines) could be supplemented by summaries of actual situations (suitably anonymised where necessary) and responses drawn from the Commissioner's dealings with agencies.