Privacy Law and Policy Reporter
(These Notes accompany the Principles issued by the Federal Privacy Commissioner in February 1998 — General Editor)
These notes do not form part of the principles themselves. They are intended as an initial guide to the Privacy Commissioner’s preferred interpretation of the principles, based both on her experience in interpreting the Information Privacy Principles in the federal Privacy Act and on discussions she had with key stakeholders when these principles were being developed.
Of course, how the principles are interpreted in practice depends on which organisations adopt them; whether the principles are given legislative backing (for example, through a code under the Telecommunications Act 1997); whether they are applied to personal information about employees; whether they are applied, in part or in whole, to information previously collected; and what mechanisms are put in place for dealing with complaints, compliance and disputes. Furthermore, it is likely that new issues will arise as a result of changes in individuals’ expectations and advances in information technology and these may require further consideration.
The principles apply to personal information collected, held, used or disclosed by an organisation. Many organisations employ contractors or agents to handle personal information on their behalf. Organisations that adopt these principles would be encouraged to do everything they reasonably can to make sure that their contractors and agents also comply with the principles.
‘Necessary’ would be interpreted in a practical, not a theoretical or in-principle, sense. If an organisation cannot in practice effectively pursue a legitimate function or activity without collecting personal information, then that personal information would be regarded as necessary for that function or activity.
In general, fair would mean without intimidation or deception. This would usually require organisations not to collect personal information covertly but there will be some circumstances — for example, investigations of possible fraud or other unlawful activity — where covert collection of information by surveillance or other means would be fair.
Where information is being collected on a form, an organisation’s obligations under 1.3 can be satisfied by a statement on the form. This could be introduced, if it does not already appear, when the organisation next reprints its forms. It would not be necessary to destroy existing stocks of forms.
Where information is being collected over the counter, a brief notice could be prominently displayed and more detailed information provided in a leaflet available on request.
Where information is collected over the phone, it may not be practicable to cover all the 1.3 matters at the time of collection. People should be informed of them as soon as possible, for example, in any confirmatory documentation.
Where the circumstances of collection make any of the matters listed in 1.3(a) to (f) obvious, a ‘reasonable step’ would be to do nothing and let the circumstances speak for themselves. For example, in the large majority of cases the identity of the organisation collecting the information is obvious from the circumstances (but this will not always be so, for example, on the Internet).
Where the person has recently been informed of the matters in 1.3(a) to (f) it would not usually be necessary to inform them of the same information a few days later. The main point is that the individual needs to be made aware of these matters; the principles would not require an individual to be repeatedly and specifically told the same things every time they have contact with an organisation.
The description of the purposes can be kept reasonably general, and if the collection is made for only one purpose, it would often be apparent simply from the title of a form, for example, ‘Application for Membership’. Internal purposes that form part of normal business practice — auditing, business planning and so on — need not be mentioned.
‘Reasonable steps’, in this context, would mean giving generic descriptions of sets of individuals and organisations (eg, ‘debt collectors’ or ‘State government licensing authorities’ or ‘health insurers’) where it is not practicable to list each member of the set. Disclosures which may happen but in practice happen only rarely — like disclosures under warrant or to intelligence agencies — would not usually need to be mentioned.
This would cover telling the person about any legal obligation to provide the information or any legal obligation on the organisation to collect it. In describing such an obligation, it would not be necessary to specify the exact piece of legislation that imposes the obligation (though it would be desirable to do this where feasible). A statement like ‘Taxation law requires us to collect this; if you don’t provide it, we can’t process your application’ would often suffice.
An organisation would not be required to try to describe all possible consequences of not providing information. For example, an airline asking for a holiday address would not have to make statements like ‘if you don’t tell us, and your return flight is cancelled we won’t be able to contact you and you may then be inconvenienced.’ The requirement would only apply to significant (and non-obvious) consequences, like ‘if you don’t tell us this, we won’t be able to process your application’. Often this would mean no more than the organisation making clear which items are essential to fulfill the primary purpose of collection and which are not.
Situations in which it would not be ‘reasonable and practicable’ to collect directly would include:
This would often not require the organisation to do any notifying itself. Provided the third party has complied with 1.3, the organisation would not have to do anything more than obtain an assurance that the third party has complied.
Determining the primary purpose of collection will not always be easy, but should always be possible. Where the information is collected directly from the individual, it is possible to refer to the context: when an individual provides and an organisation collects personal information, the individual and the organisation almost always do so for a particular purpose — to buy/sell a particular product or to enter/conduct a competition or make/receive a donation or get/give a discount. This is the primary purpose of collection, even if the organisation has some additional purposes in mind. Where the information is not collected from the individual, the organisation usually uses the information soon after it collects it and this is a guide to the primary purpose of collection. For example, if an insurance company consults an insurance reference service in the course of considering an applicant, it seems clear that the primary purpose of collection is to decide whether or not to insure the individual.
The ‘reasonable expectations’ test would be applied from the point of view of the person in the street, that is, an organisation should be able to use or disclose personal information in ways in which a person with no special knowledge of the industry or activity involved, would expect. For example, if a person has several different types of contact with one bank, he or she could expect the information about themselves to be shared within that bank. If the banking group also ran a health insurance business, the individual would not expect their health claims record to be matched with banking information.
Consent would be interpreted in a practical way. Implied consent would be acceptable in some circumstances. However, if the consequences for the individual of the use or disclosure were serious, the organisation would have to be able to demonstrate clearly that the individual could have been expected to understand what was going to happen to his or her information; in such circumstances it would generally be more appropriate to seek express consent. Implied consent could legitimately be inferred from the individual’s failure to object to a proposed use or disclosure (that is, a failure to opt out), provided that the option to opt out was clearly and prominently presented and easy to take up.
This allows personal information to be used in order to establish contact with an individual, even if they have not consented and would not reasonably expect the information to be used for this purpose, provided that the individual is given the chance to opt out of any further approaches.
The provision is aimed at emergency situations. A threat to life or health would be interpreted to include threats to safety — bushfires, industrial accidents etc. Health would include mental as well as physical health, although appeals to the threat of stress or anxiety would not generally be sufficient. The principle requires that the threat is serious and imminent.
This explicitly acknowledges that organisations have as a legitimate function the investigation and, where appropriate, reporting of suspected unlawful activity relating to their operations.
This covers situations where the law unambiguously requires or authorises the use or disclosure of personal information. There could be situations where the law requires some actions which, of necessity, involve particular uses or disclosures but this sort of implied requirement would be conservatively interpreted.
This exception deals with circumstances under which law enforcement agencies or other government bodies can seek to obtain information without the exercise of formal powers. Organisations are not obliged to release information without the exercise of a formal power. This formulation adopts the existing exception (e) from Information Privacy Principle 11 in the Privacy Act. The scope of this exception, and 2.1(h) below, are particularly contentious: the law enforcement community, civil liberty and privacy groups and business have concerns. These exceptions will need to be reviewed.
This acknowledges that organisations may legitimately use or disclose personal information where that is necessary for national security reasons. Prejudice to national security would include endangering the defence of Australia or Australia’s international relations or information entrusted on a basis of confidence to an Australian government by the government of another country or an international organisation.
The requirement to make a note would not apply where there is a specific statutory provision prohibiting such a record.
This would not require an organisation to maintain the quality of personal information throughout the period it holds the information. There would be no obligation to check the accuracy, completeness or currency of personal information when it is not in use. But the clear risks posed by sloppy collection practices or by the use or disclosure of old and unchecked personal information suggest that an organisation should take reasonable care to ensure the quality of personal information when it collects it and when it uses or discloses that information.
Of course, in practice, an organisation usually has strong incentives to collect good quality personal information and to take reasonable steps to check that information if it has been held for a long period of time before it is used or disclosed: good decisions cannot be made on the basis of poor information. Well run and responsible businesses would be unlikely to need to change their existing procedures.
This would not prevent an organisation from keeping personal information that may be needed in future for a particular purpose, for example, for taxation or other legal purposes. In addition, ‘reasonable steps’ would be interpreted so as not to require detailed and expensive culling of existing personal information. However, if an organisation does not have in place systems for destroying or de-identifying personal information that is no longer needed for any purpose, this principle would require it progressively to develop such systems. Storing personal information costs money so this provision can result in longer term cost savings and better records management.
This would not necessarily mean a written policy. It is clearly unnecessary for a small business like a fruiterer or smash repairer to have any written policy about its management of personal information. For large organisations or organisations that handle sensitive personal information or handle personal information in complex ways a written policy would probably be a sensible step, though this principle does not require it as such.
This principle would apply to general information about the sort of personal information an organisation holds and how it handles that information. (The obligation to provide a particular individual with access to the information an organisation holds about him or her is covered under Principle 6.) A similar, but much more detailed and formal principle, appears in the federal Privacy Act (Information Privacy Principle 5). If someone asks an organisation what sort of information it holds, this principle could often be satisfied by a statement along these lines: ‘We keep your application form and financial records of our dealings with you. Sometimes we also get credit reports from the Credit Reference Association of Australia and reports from our contractors that have provided services to you on our behalf’.
An individual should usually be able to gain access to personal information about him or herself but not to personal information about others, at least not where that would unreasonably prejudice other people’s privacy or interests. It would not generally be appropriate to deny access to information about the organisation’s employees acting in their business capacity.
This would include situations where the information sought is held by the organisation but could be provided much more easily by some other organisation that also holds it or where the effort needed to find the information is out of all proportion to its significance. To prevent abuse, an organisation would be obliged to take reasonable steps to provide access; it could not simply appeal to this principle in relation to every request for access. A request to provide ‘all information you have collected about me since I became a customer in 1974’ might be too onerous and it would be reasonable to ask the individual to be more specific about the information they are really interested in.
An organisation should not be obliged to provide access to personal information where the individual makes trivial requests for amusement’s sake, or uses access requests as a means of pursuing some unrelated grievance against the organisation, or makes repeated requests for access to the same information. But as with 6.1(c), in order to prevent abuse, ‘frivolous’ and ‘vexatious’ would be narrowly interpreted; a request for access may be legitimate even if it is irritating to the organisation.
Organisations have a right and a responsibility to protect themselves against fraud or other unlawful activity. The access principle would not require the organisation to provide access to records which could prejudice the investigation.
This would be interpreted as covering circumstances where providing access to personal information would ground an action for breach of confidence. This would cover professional privilege.
These principles do not seek to interfere with the existing procedures for discovery in legal proceedings.
This exception to the access principle would cover commercially sensitive decision making processes but would not permit an organisation to deny access to the factual personal information on which those decisions have been based or other personal information it holds. In most cases access is sought in an effort to obtain an explanation for an adverse decision by an organisation and this concern could usually be met by explaining (so far as possible) the reasons for the actual decision.
This is meant to be ‘process neutral’, since the Privacy Commissioner’s consultation process so far has not yet addressed issues of implementation. But the principle does assume that there will be some independent dispute resolution mechanism available. The review envisaged is not a review of the decision not to provide an individual direct access — that is a matter for the commercial judgement of the organisation — but a review of whether the organisation has given an adequate explanation of its decision as an alternative to direct access to the commercially sensitive personal information on which the decision was based.
In many situations where complete, direct access to the personal information held by the organisation would not be appropriate, some measure of access can be given by way of a neutral party acceptable to both the organisation and the individual. The intermediary might be able to negotiate partial direct access or might be able to give the individual some indication of the content of withheld information. This principle would not require the organisation and the individual to agree on intermediaries. There will be some cases — investigations of fraud or theft would be an example — where no form of access is appropriate. But in other cases it should be considered as an alternative to complete denial of access.
It is reasonable that organisations should be able to charge for providing access to personal information where that imposes substantial costs on the organisation. But experience with access regimes in the public sector suggests that charges can sometimes artificially be used to discourage requests for access. This provision aims to prevent that sort of abuse but it is recognised that what constitutes excessive charging will need to be worked out in the light of experience.
The idea is that an organisation should not be able to charge people money just for asking for access to information about them, that is, an organisation should not be able to say ‘If you want access to the personal information we hold about you, fill in this form, pay us $10 and we’ll think about it.’
One of the functions of an access principle is to ensure that the individual is able to challenge personal information about him or her that the organisation holds. This helps to ensure that the organisation does not base its decisions on, or disclose to others, poor quality personal information. ‘Reasonable steps’ has been included so that, if information is shown to be of poor quality but is inaccessible and will never be used, the organisation would not be obliged to expend resources to no purpose. However, allowing poor quality personal information to remain is most undesirable and ‘reasonable steps’ would be broadly interpreted.
‘Reasonable steps’ here would not require an organisation to associate with the disputed information excessively long statements. Still it is important that disputed information should be marked as such. In practice, disputes about the quality of personal information are usually associated with another dispute about a decision or some other aspect of the individual’s relationship with the organisation, so that in most cases records associated with that dispute would already be kept and this principle would require little extra effort on the part of organisations.
The organisation should endeavour to tell the individual which exception under 6.1 it is appealing to. However, this would not be required where such a disclosure would prejudice an investigation against fraud or other unlawful activity.
This principle would not stop organisations collecting and recording government identity numbers for the purpose of establishing the identity of the individuals they are dealing with. And it would not prevent an organisation from requiring identification required by law like the 100 point identity requirements for opening bank accounts. But it would prevent an organisation from requiring a particular government assigned identifier from all the individuals with which it deals and using that identifier to organise personal information it holds and match it with other personal information organised by reference to the same identifier.
This would allow an organisation to keep a record of government identifiers for identification purposes and use the identifiers for the purpose of identification, but will not allow wholesale use and disclosure. This aims to prevent the gradual adoption of government identity numbers as de facto universal identity numbers.
Anonymity is an important dimension of privacy and has become more so as technology makes possible the greater recording and electronic monitoring of individuals’ activities. Individuals have the reasonable expectation that they can choose to conduct their lawful day to day activities without necessarily having to identify themselves. This principle is not intended to facilitate illegal activity.
In some circumstances, it will not be practicable to do business anonymously; in others, there will be legal obligations that require identification of the individual; but unless there is a good practical or legal reason to require identification, organisations should give people the option to operate anonymously.
In a situation where the principles were adopted by only some organisations, this principle, as currently worded would prevent an organisation from disclosing personal information to a recipient overseas that is not subject to comparable principles but would not prevent it from disclosing personal information to such a recipient in Australia. Consequently, the appropriate wording for this principle depends on the implementation of the principles within Australia and this is an issue yet to be addressed.
This would cover organisations that are subject to a scheme of information privacy protection which is enforceable once entered into but in which participation is not compulsory.
Consent from the individual, either express or implied, would cover practically all legitimate uses or disclosures of these categories of sensitive personal information. For example:
The fact that a person has a particular surname would not usually be regarded as personal information revealing his or her ethnic background.
Throughout the principles, references to ‘reasonable steps’ should not be read as implying that there are any reasonable steps. In most cases there would be, but sometimes there would not. A wordier equivalent, which appears in several places in the federal Privacy Act, and in the principles’ definitions is ‘such steps (if any) as are, in the circumstances, reasonable’.