Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s):

Public Interest Determination Procedure Guidelines

document icon pdf (50.07 KB)

Office of the Federal Privacy Commissioner

Summary

Division 1 of Part VI of the Privacy Act 1988 gives the Privacy Commissioner the power to determine that an act or practice shall be disregarded for the purposes of the Act where the act or practice might otherwise constitute a breach of:

1) an Information Privacy Principle (IPP) in the case of a Commonwealth public sector agency; or

2) a National Privacy Principle (NPP), or an approved privacy code, in the case of a private sector organisation.

The Privacy Commissioner shall make such a determination (known as a Public Interest Determination, or PID) only when satisfied that the public interest in the agency or organisation doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that IPP, NPP or approved privacy code.

Division 2 of Part VI gives the Privacy Commissioner the power to issue a Temporary Public Interest Determination (TPID) under certain circumstances. A TPID provides a means by which the Privacy Commissioner can respond to a request for a PID that raises urgent issues.

The Privacy Commissioner has formulated the following guidelines for the assistance of applicants, and others, in relation to the application procedures for PIDs and TPIDs. Accordingly, agencies or organisations that are engaging in, or considering engaging in, an act or practice that may breach the IPPs (in the case of an agency), or the NPPs or an approved code (in the case of an organisation), may need to apply to the Privacy Commissioner for a PID in accordance with these guidelines.

Agencies and organisations are encouraged to approach the Office of the Federal Privacy Commissioner (OFPC) for advice on their application, and the application procedures, before an application is submitted.

Outline of procedures

The following steps should be considered when preparing an application for a PID. They describe the process through which the Privacy Commissioner determines an application for a PID. The steps are discussed in more detail later in this document:

1. Applicant prepares the application after consulting with the OFPC and these guidelines;

1A. If the application raises issues of an urgent nature, the Privacy Commissioner may consider issuing a TPID (following the steps set out on p.6);

2. The Privacy Commissioner publishes a notice of receipt of the application in a form he or she considers appropriate, and calls for expressions of interest and/or submissions on the issue;

3. In light of the information and views presented, the Privacy Commissioner prepares a draft determination. The applicant and other interested parties will be invited to notify the Privacy Commissioner whether they wish a conference to be held to discuss the draft determination;

4. The Privacy Commissioner convenes a conference, if any interested person so requests;

5. In light of all the information before the Privacy Commissioner, including that which is presented throughout the consultation and conference processes, the Privacy Commissioner may make a final determination.

Preliminary matters

Meaning of key terms

Applicant – the agency or organisation that has lodged the application for a PID, for which the determination in question is being considered.

Approved Privacy Code – a code approved by the Privacy Commissioner under s.18BB of the Privacy Act. Organisations in the private sector may elect to be bound by an approved code instead of the National Privacy Principles – see also section 6.

Interested person – section 71 of the Act states that a person maybe considered to be interested in an application ‘if, and only if, the Commissioner is of the opinion that the person has a real and substantial interest in the application’.

Other terms such as ‘agency’ and ‘organisation’ are defined in the Privacy Act, mostly at section 6.

Procedures

Prior to making an application, agencies and organisations are encouraged to approach the OFPC to discuss the application procedures.

Contents of Application

1. Only an agency or organisation may make an application^[1].

1.1 An application for a PID may be made only by the agency or organisation doing, or proposing to do the act or engaging in, or proposing to engage in the practice that may otherwise breach an IPP, NPP or an approved privacy code.

1.2 Applicants are encouraged to contact the OFPC to discuss any issues that might arise in the course of preparing an application for a PID. An applicant should identify if there is, in their view, any urgency about the application.

1.3 In order for a PID to be granted, the Privacy Act requires that the Privacy Commissioner be satisfied that the act or practice outweighs to a substantial degree the public interest in adhering to the IPP, NPP or the approved privacy code. Agencies and organisations considering submitting an application for a PID should carefully explain the public interest aspects of the act or practice in question.

1.4 In determining the public interest aspect of an application the Privacy Commissioner may consider matters such as:

the potential for the proposed act or practice to harm the interests of individuals;
the extent to which the proposed act or practice is inconsistent with an individual’s reasonable expectation of privacy;
the nature of the public interest objectives served by the proposed interference with privacy;
the need to balance the competing interests contained in section 29 of the Privacy Act; and
the impact on the public interest if the proposed act or practice is not permitted.

Note: section 29 of the Privacy Act states that the Privacy Commissioner shall ‘have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way.’

The Commissioner must (s.29 (b)) also have regard for ‘international obligations accepted by Australia, including those concerning the international technology of communications’ and ‘developing general international guidelines relevant to the better protection of individual privacy.’

In developing its application, an agency or organisation should consider and set out those factors that it believes make the case for the public interest in permitting the act or practice, such as the benefits to business and the Australian economy more generally, to government and hence to the broader Australian community.

1.5 Applications should, as far as is practicable, cover the following:

Identification of the IPPs, NPPs or approved privacy code provisions with which, in the opinion of the applicant, non-compliance is necessary and the reasons for this;
A detailed and precise description of the personal information involved, as well as a detailed and precise description of the relevant act or practice and the context in which that act or practice takes place;
Where applicable, identification of the class of individuals to whom the act or practice relates, include the approximate number of individuals whose information may be involved in the relevant act or practice;
Details of any other agencies, organisations or bodies involved and their role in relation to the act or practice;
Arguments demonstrating where the balance of the public interest lies, including specific examples;
Alternative courses of action that have been considered that would not lead to a breach of an IPP, NPP or an approved privacy code, with explanations as to why such alternatives are not feasible;
Anticipated nature, extent and frequency of the act or practice in question.

1.6 Where applications relate to the disclosure of personal information (for example, applications concerning acts or practices that may breach IPP 11, NPPs 2, 7.2 and 9 or equivalent provisions under an approved privacy code) additional information is required. Such applications must also cover the following:

Names of agencies, organisations or bodies that will receive the information. (The distinction should be made between recipients covered by the Act and recipients not covered by the Act);
Safeguards preventing further use and disclosure of the information by the recipient, specifically:
- assurances/agreements between the parties;
- sanctions in case of a breach of the agreement; and
- security/access arrangements on the part of the recipient;
Details about any conditions placed upon, or agreements made with, the recipient on the use and storage/security of the information;
If the information is to be transferred outside Australia, the safeguards that will ensure the protection of the information, including the limitation of the information’s further use and disclosure to the purposes provided for by the determination (if made). Consideration should be given to the provisions set out under National Privacy Principle 9 (‘Transborder Data Flows);
The scope of the proposed disclosure;
Whether the application follows an external request for disclosure of the information, and if so, by whom?;
Details about current procedures in relation to notifying affected individuals and/or obtaining their consent;
Whether the recipient has been alerted to their privacy obligations;
Whether the disclosure is considered necessary in light of the recipient’s functions;
Any methods employed to determine whether the agency, organisation or other body is an appropriate recipient of the information in terms of their functions and interests; and
Any additional information that might be relevant regarding the applicant’s information handling practices, including whether internal procedures exist to assess if information should be disclosed.

1.7 An agency must indicate whether it considers any of the information or documents contained in its application to be exempt documents within the meaning of Part IV of the Freedom of Information Act 1982;

The Privacy Commissioner will not make such information or such documents available to interested parties (under Procedures 2 and 3) without the consent of the agency – subsection 74(2).

1.8 In drafting an application for a PID, an agency or organisation should attempt to indicate the conditions, if any, under which it would operate should the application be granted. Conditions might consist of, for example, proposed safeguards under which the act or practice would take place.

1.9 As the Privacy Commissioner must be satisfied that the applicant is an agency or an organisation (as defined in sections 6 and 6C of the Privacy Act), the application should include a statement to this effect.

1A. Temporary Public Interest Determinations

1A.1 Under subsection 80A(1)(a), a TPID must relate to an application for a PID. That is, the agency or organisation must make an application for a PID; thereafter, the Privacy Commissioner may determine from this application that a TPID is warranted, whether or not one has not been requested. Under subsection 80A(2)(a), an application for a PID may include a request that the application be dealt with, in the first instance, by way of a TPID.

1A.2 Where it is practicable and appropriate to do so, the OFPC will publish a notice of receipt of the application for a PID that requires urgent attention (see procedures stated below) prior to the issuing of a TPID.

1A.3 As is the case with a PID, the Privacy Commissioner must be satisfied that the public interest in the agency or organisation doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to the IPP, NPP or approved privacy code.

1A.4 In determining the public interest aspect of an application the Privacy Commissioner may consider matters such as::

the potential for the proposed act or practice to harm the interests of individuals;
the extent to which the proposed act or practice is inconsistent with an individual’s reasonable expectation of privacy;
the nature of the public interest objectives served by the proposed interference with privacy;
the need to balance the competing interests contained in section 29^{^[2]} of the Privacy Act; and
the impact on the public interest if the proposed act or practice is not permitted.

Note: in considering whether to make a TPID, the Privacy Commissioner will take into account, amongst other things, the public interest in not appearing to subvert the will of the Parliament. For example, the Commissioner may agree to make a PID, but not a TPID permitting an act or practice that would be completed and irrevocable prior to the determination completing its passage of 15 sitting days for disallowance before both Houses of the Parliament.

1A.5 The Privacy Commissioner must be satisfied that the application raises issues that require an urgent decision.

1A.6 The Act allows the Privacy Commissioner to make a TPID of up to 12 months duration. The duration must be specified in the TPID. Regardless of the duration, the TPID ceases to have effect when the application is resolved either through the making of a PID (subsection 80D(2)(a)) or through the dismissal of the application (subsection 80D(2)(b)).

1A.7 The TPID must include a statement of reasons for the determination.

Note: explanation of how these procedures apply to TPIDs:

Procedure 1 (Contents of Application) – will assist agencies or organisations that are applying for a determination, which may require attention via a TPID;
Procedure 2 (Notice of Receipt of Application) – OFPC will follow this procedure where practicable and appropriate to do so – see 1A;
Procedures 3 (Draft Determination ) and 4 (Conference) – do not apply;
Procedure 5 (Determination) – these procedures apply, except that a TPID comes into effect once it is published in the Commonwealth Government Gazette and does not require the passage of 15 sitting days in the Parliament.

Notice of Receipt of Application

2. The Commissioner shall publish notice of receipt of an application for a PID – subsection 74(1).

2.1 Publication of a notice of receipt of an application for a PID will normally occur in a national newspaper (such as The Australian), in the Commonwealth Government Gazette, and on the OFPC website at www.privacy.gov.au. The notice will invite expressions of interest and/or submissions.

2.2 In its notice of receipt of an application, the OFPC will indicate that persons making a submission should advise whether their submission is a ‘public’ submission or a ‘confidential’ submission;

‘Public’ submissions may be viewed by, or released to, interested parties during the process leading to the making of a determination (or the dismissal of an application) by the Privacy Commissioner, used and referred to in the course of a conference (if one occurs) or published, such as on the OFPC website.

2.3 The OFPC will issue the notice of receipt to its Privacy Connections network and its Privacy Contact Officers network via its email list serves.

2.4 The OFPC will provide information about an application for a PID to persons expressing an interest. Information provided may include:

a copy of the application (or a summary if the application is extensive);
a copy of these guidelines; and
copy of the advertisement notifying receipt of the application for a PID.

Where primary documents are extensive, a summary of the application for a PID may be provided.

Arrangements will be made for inspection of the additional information at the OFPC, or where reasonable a copy of the additional information will be supplied.

2.5 Where an agency or organisation makes an application for a PID, but before the OFPC has published a notice of receipt of the application (in the manner set out above), the agency or organisation withdraws the application through a statement in writing to the Privacy Commissioner, then it will be taken that there is no application before the Commissioner. In these circumstances, no notice of application will be published.

Discretion to Postpone Procedure 2: Notice of Receipt of Application

The Privacy Commissioner may postpone Procedure 2 – this may occur in limited circumstances when handling an application for a PID and the effects of the act or practice in question are clearly ‘minor’ and ‘non-controversial’.

Factors to be considered in deciding to proceed in this manner include:

Whether the act or practice is a continuation of an existing act or practice, or whether the act or practice is newly proposed (this will not be decisive in itself, but it may be considered relevant); and
Whether, following from the act or practice, there is any possibility of adverse consequences for individuals concerned, or whether there is any basis upon which third parties may criticise or object to the act or practice.

Where ‘minor’ or ‘non-controversial’ status is accorded to an application, the ‘Notice of Receipt of Application’ may be postponed, and the pre-draft determination consultation set aside.

The Privacy Commissioner may proceed immediately to issue a draft determination on the basis of the information provided in the application only.

Thereafter, the process outlined in Procedure 2 will occur, as the publication of a notice of receipt of the application by the Privacy Commissioner is statutorily required for all applications.

In effect, in such cases, the Privacy Commissioner may issue a draft determination simultaneously with publishing notification of receipt of the application for a PID.

Draft Determination

3. The Privacy Commissioner shall prepare a draft determination – subsection 75(1).

3.1 The Privacy Commissioner may take into consideration any matters of which he or she is aware in making the draft determination, including the content of submissions and expressions of interest received and the matters set out in procedures (e.g. 1.3 and 1.A3);

The Privacy Commissioner may also make a draft determination generalising the effect of the (substantive) draft determination – subsection 72(4) (or subsection 80B(3) for a TPID), where this relates to organisations in the private sector. A generalising determination has the effect of permitting other organisations (not just the applicant or those organisations specifically named in the substantive determination) to undertake the act or practice that is the subject of the (substantive) draft determination, and for this not to be considered a breach of the Privacy Act. Where this is proposed, either by the applicant (or in dealing with the application, by the Privacy Commissioner), a draft of the generalising determination will be issued with the (substantive) draft determination.

Note: where these guidelines refer to a draft determination, and a generalising determination is also proposed, the consultation and explanatory steps to be undertaken for the former, will be taken to apply also to the latter.

3.2 The draft determination will be accompanied by a discussion of such things as the basis (so far as it is apparent at this stage) upon which the application may be said to be justified, and the reason/s, if any, why the determination may be necessary.

3.3 A copy of the draft determination will be provided to interested parties, including all parties who expressed an interest through the consultation/submissions phase arising from Procedure 2.

3.4 In limited circumstances, the draft determination may be summarised to assist interested parties in understanding the issues raised. While, ordinarily, determinations should be as brief and easy to understand as possible, this step may be taken where a given determination is especially long and complex. Parties may still request a copy of the full determination.

3.5 Persons/bodies that the Privacy Commissioner considers have a ‘real and substantial’ interest in the application (‘interested persons’ – section 71) will be invited to request a conference.

Note: this may be a smaller class of persons than those who expressed an interest in response to the notice of receipt of the application – see guideline 2.1.

3.6 The invitation will specify a period in which the offer to request a conference will remain open – subsection 75(3). This period will start on the day on which the invitation is sent. A minimum period of 15 (calendar) days will be allowed.

Conference

4. An applicant or any invited interested person may request a conference, and if such a request is made, the Commissioner will hold a conference – subsection 76(1).

4.1 If a request is made (in accordance with guideline 4, above); the Privacy Commissioner will convene a conference.

4.2 An applicant agency or organisation is entitled to appear at the conference, they can be represented by an officer or an employee – subsection 77(1).

4.3 Any invitee, or interested person that the Privacy Commissioner considers it appropriate to attend the conference, can attend in person – subsection 77(2). In the case of a body corporate, it may be represented by a director, officer or employee – subsection 77(2).

4.4 The Privacy Commissioner has the power to exclude a person from attendance at a conference in certain circumstances – subsection 77(3).

4.5 Interested persons are requested to notify the Privacy Commissioner about the numbers attending the conference and the reasons for their attendance.

4.6 It is expected that representatives of the applicant will have a direct operational knowledge of the act or practice in question and the authority to speak on policy issues. Any interested person seeking to bring an expert witness, or a person with direct operational experience, should advise the Privacy Commissioner in advance.

4.7 Generally, legal representation at a conference is not necessary. If an interested person wishes to have legal representation, the Privacy Commissioner’s agreement must be obtained prior to the conference.

4.8 Attendees are to provide a brief outline of their arguments to be put at the conference. These will be made available, on request, to the other interested parties, together with a summary of the submissions received, but not to be presented, in person, at the conference.

4.9 The conduct of the conference will be at the discretion of the Privacy Commissioner. The Privacy Commissioner may vary the conduct of conferences according to the circumstances of the case and the nature of the application. In most cases, an informal tribunal approach will be adopted allowing the opportunity for all parties to put their case, and for discussion and questioning.

4.10 The conference will normally be divided into three stages:

Introduction and Statements of Case

The Privacy Commissioner (or delegate), who will chair the conference, opens proceedings and tables the draft determination.
The Privacy Commissioner makes preliminary points in relation to either the application and/or the conduct of the conference.
The applicant comments on the adequacy of the draft determination.
The interested parties, in turn, comment on the adequacy of the draft determination.

Discussion

The Privacy Commissioner (or delegate) comments on proceedings to this point.
The applicant responds to comments from interested parties.
Discussion and questions to and from the applicant, through the Chair.

Review

The Privacy Commissioner (or delegate) reviews points of agreement and disagreement.
Adjournment.

(Recesses will be held at appropriate points during the meeting at the Chair’s discretion)

4.12 The conference may, at the discretion of the Privacy Commissioner, be adjourned and reconvened at a later date.

Determination

5. The Privacy Commissioner shall either make a determination in writing (pursuant to section 72) or dismiss the application by a determination in writing (pursuant to section 78).

Note: The Privacy Commissioner may make a determination, or dismiss an application, after considering all the available information, including submissions and arguments presented at the conference, as well as those submissions and materials submitted prior to the conference (i.e. during the consultation phase).

5.1 The determination will clearly set out the circumstances in which the act or practice is to occur.

Note: Public Interest Determination No.8 provides a helpful example of how the circumstances of the act or practice are set out. A copy is available on the OFPC website at: http://gov.au/act/public_interest/index.html

5.2 The determination will include ‘a statement of reasons’ – subsection 79(3). The determination will include the Privacy Commissioner’s findings on material questions of fact, and will refer to the evidence or other material on which the Commissioner’s determination is based.

The material accompanying the determination will also normally include:
- The relevant factual information;
- The substantive matters raised at the conference; and
- A list of the submissions received.

5.3 The determination will be submitted to the Parliament for tabling.

5.4 A copy of the determination and the accompanying material will be sent to all parties who attended the conference and to other parties on request.

5.5 The determination shall take effect from the first day on which the determination is no longer liable to be disallowed by the Parliament – subsection 80(2).

5.6 The period for disallowance is 15 sitting days in each of the Houses of Parliament.

Note: the period required to pass before a determination takes effect may be considerably longer than 15 calendar days if tabling occurs on a day when either of the Houses has fewer than 15 sitting days remaining before the end of the sitting period.

This is particularly the case where the period for disallowance includes sitting days across two sessions of the Parliament.

[1] The National Health and Medical Research Council (NHMRC) may act as an agent on behalf of other agencies concerned with medical research or the provision of health services – subsections 73(1) and 73(2).

[2] See also guideline 1.4