Privacy Law and Policy Reporter (PLPR)

Greenleaf, Graham --- "Plain English Guidelines to collecting personal information" [1995] PrivLawPRpr 48; (1995) 2(4) Privacy Law & Policy Reporter 74

Plain English Guidelines to collecting personal information

Australian Privacy Commissioner - Plain English Guidelines to Information Privacy Principles 1-3 (October 1994)

These guidelines are the first in a series of the Privacy Commissioner's view of how the Information Privacy Principles (IPP) affect government agencies, covering IPPs 1 to 3 concerning the collection of information. Further 'plain English' guidelines to the other IPPs are planned, and a more technical version of the guidelines is also to be published in the Federal Privacy Handbook. The guidelines are presumably issued under s 27(1)(e) of the Privacy Act 1988 (Cth).

The guidelines give the first public indication, other than limited and sporadic indications which can be gleaned from the few public interest determinations or published complaints, of how the Commissioner interprets these IPPs. Some agencies know the Commissioner's views, because they seek his advice, are subject to his complaint investigations, or are privy to bureaucratic gossip, but the public rarely finds out except by systematic publications such as this. They are therefore to be welcomed, despite arriving six years after the Act, particularly as such effort has been made to make them understandable.

There is little point trying to summarise plain English guidelines, but some of their more significant or controversial content deserves mention.

Scope of IPPs 1-3

The guidelines identify three ways in which an agency's collection of information about a person can come within IPPs 1 to 3:

  1. Someone gives information to an agency about a person without the agency asking for it.
  2. The agency asks someone else (for example, another agency) for information about a person.
  3. The agency directly asks a person for information about himself or herself (for example, it asks a person to fill in a form).

IPP 1 applies in all three cases, IPP 3 in situations 2 and 3, and IPP 2 only in situation 3.

'Asking for' information is considered to include encouraging people to provide it, for example, by setting up a 'hotline'.

These IPPs do apply to information collected for inclusion in a 'generally available publication', though other IPPs do not. Although it makes no difference here, it is surprising to see the guidelines stating that a 'generally available publication' includes 'public databases like the electoral roll'. If this is intended to cover all forms of the electoral roll, it seems at odds with the Commissioner's previous views in Public Interest Determination No 5 concerning the telephone 'white pages'.

Another definition of interest is that the guidelines say that 'personal information' is 'information or opinions that can identify a living person'. The definitions in the Privacy Act are not explicitly limited to 'living' persons, and it would be valuable to know the basis of the Commissioner's interpretation.

IPP 1 guidelines

IPP 1 is summarised as - (1.1) agencies can only collect information that is: for a lawful purpose related to their functions; and necessary for or directly related to that purpose, and (1.2) an agency must not collect personal information in a way that is unlawful or unfair.

Some important points in the guidelines to IPP 1 are:

  1. To protect people, the Privacy Commissioner usually interprets the 'purpose of collection' narrowly. Purposes should be more specific than just to administer an agency or a set of laws.
  2. Agencies should have a clear purpose for collecting each piece of personal information. 'Collecting information just because it may be useful in future is generally not acceptable.'
  3. Collecting information about a whole group of people (for example, security checks) when it is only needed about some people in the group may breach IPP 1.
  4. Very few agencies (for example, Australian Federal Police, AUSTRAC) have the job of collecting general intelligence.
  5. Agencies should only record information in a way that identifies people if they need to.
  6. If an agency inadvertently collects irrelevant information (for example, because it is volunteered to them), 'the agency should not keep it in its records'.
  7. If an agency often receives information it does not need (for example, doctor's reports containing more information than is needed) it should try to stop this happening.
  8. Tricking a person into giving information, or using too much pressure, is unfair collection of information. An agency representative should not pretend to be someone else. A misleading statement about the benefits a person could obtain by providing information (for example, that people who answer an ad 'will learn something to their advantage') will be unfair.
  9. It is also unfair to tell people that information will be kept confidential if it is sometimes given to others.
  10. It is unfair for an agency to collect personal information as if it was compulsory when it really is voluntary. Agencies should not conduct voluntary surveys as if they were compulsory. Nor should their forms fail to make clear which information must be provided and which is voluntary.
  11. Visual surveillance can be an unfair collection practice, and agencies should consult the Commissioner's guidelines 'The Conduct of Covert Optical Surveillance in Commonwealth Administration'.

IPP 2 guidelines

The guidelines summarise IPP 2 as:

When an agency asks for personal information directly from the person who that information is about, it has to take whatever steps are reasonable to make sure the person is aware of these details: why the agency is collecting the information; the agency's legal authority (if any) to collect the information; and to whom the agency usually gives that kind of information.

Some interesting aspects of the IPP 2 guidelines are:

  1. Practical difficulties, or cost, are unlikely to mean that it is reasonable for an agency not to give any IPP 2 notice at all. However, giving notice might be unreasonable if it would defeat the purpose of collecting the information.
  2. [A]s a general rule, all forms which are used to collect personal information should contain an IPP 2 notice.
  3. It is usually not suitable for an agency to use the same IPP 2 notice for all collections of information directly from a person. The notice should vary depending on what is collected, why, and to whom it is disclosed.
  4. A notice should normally tell a person about all uses made of information, not just the main use.
  5. 'An IPP 2 notice should refer to each provision of legislation' requiring or authorising information collection.
  6. Information is 'usually' given to another party where there is some regular arrangement to do so, but is not 'usually' given if only done in exceptional cases or cases that could not be reasonably predicted (for example, search warrants or subpoenas).
  7. Where information is usually given to other parties, each should normally be named in the IPP 2 notice, unless this would make it too long or unclear. In such cases, classes of recipients may be named (for example, State police forces), but it is recommended that the reason for disclosure should also be stated.

A suggested wording is given for simple IPP 2 notices:

[Name of agency] is collecting the information on this form to [statement of purpose]. This is [authorised / required] by [provision / name of Act].

[Name of agency] usually gives some or all of this information to [names of recipients].

IPP 3 guidelines

The guidelines state that:

IPP 3 says that an agency asking for personal information must: take reasonable steps to make sure that the information it collects is relevant, up to date and complete (see IPP 3(c)); and take reasonable steps to make sure that it does not collect information in an unreasonably intrusive way (see IPP 3(d)).

The guidelines do not have a lot to say about the IPP 3(c) requirements. They note that the requirement of 'relevance' is similar in practice to the IPP 1 requirement that agencies only collect information that is 'necessary for or directly related to' the purpose of collection, and some of the guidelines here are equally relevant to IPP 1. However, the guidelines stress that one way for agencies to ensure that information is up-to-date and complete is to check it with the person concerned, and also to consider that or other checks if there is any reason to think the source of the information is unreliable.

Collection of information can be intrusive if it involves asking questions about 'sensitive personal affairs', which are listed as including information about medical history, relationships, sexual preferences, personal finances, political loyalty, or religious or philosophical beliefs.

Methods of collecting information may also be intrusive (and this overlaps with unfair collection practices under IPP 1). Intrusive practices are likely to occur if collection involves 'physically touching people, observing their bodily functions, or [invading] their private property'.

Whether a practice is unreasonably intrusive is to be measured by balancing the importance of the information to the agency's purpose, and the public interest in that purpose, against the intrusiveness of the collection practice, and taking into account any specific legal authority and whether there is any choice in the provision of the information.

Where law enforcement agency information collection practices are concerned the Privacy Commissioner 'chooses to follow the decisions of courts'.

Comment

Unlike the Commissioner's advice concerning credit reporting (see (1994) 1 PLPR 74, 94, 112), the IPP guidelines are not explicitly linked to specific complaints or advice requests to which the Commissioner has responded. It would be very valuable if these guidelines (and the proposed technical guidelines) could be supplemented by summaries of actual situations (suitably anonymised where necessary) and responses drawn from the Commissioner's dealings with agencies.

Graham Greenleaf


URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1995/48.html