This document has been archived and is no longer in use by the Office.

A list of the Office's current publications is available on the publications page @ http://www.privacy.gov.au/publications/index.html


DRAFT NATIONAL PRIVACY PRINCIPLE GUIDELINES

A consultation document issued by the Office of the Federal Privacy Commissioner, 7 MAY 2001

Table of contents

INTRODUCTION - BACKGROUND TO THE DRAFT GUIDELINES AND CONSULTATION PROCESS

Introduction

This paper

CHAPTER 1 - INTRODUCTION TO GUIDELINES

CHAPTER 2 - EXPLANATION OF TERMS
Access, Act (the Act), Authorised by law, Collection, Commissioner (the Commissioner), Cookie, Directly related purpose, Direct marketing, Disclosure, Enforcement bodies, Health information, Health service, Individual, Law, Lawful, List renter, Necessary, Organisation, Personal information, Practicable and impracticable, Primary purpose, Reasonable, Record, Related corporation, Related purpose, Required by law, Secondary purpose, Sensitive information, Serious and imminent threat, Serious threat to public health or public safety, Use, Web bug.

CHAPTER 3 - CONSENT AND PRIVACY

CHAPTER 4 - COLLECTING PERSONAL INFORMATION

CHAPTER 5 - USING AND DISCLOSING PERSONAL INFORMATION

CHAPTER 6 - KEEPING INFORMATION ACCURATE COMPLETE AND UP TO DATE - NPP 3

CHAPTER 7 - MAINTAINING DATA SECURITY

CHAPTER 8 - NPP 5 OPENNESS ABOUT INFORMATION HANDLING PRACTICES

CHAPTER 9 - ACCESS AND CORRECTION (NPP 6)

CHAPTER 10 - IDENTIFIERS

CHAPTER 11 - ANONYMITY

CHAPTER 12 - TRANSBORDER DATA FLOWS

CHAPTER 13 - HEALTH RESEARCH, HEALTH MANAGEMENT AND THE NPPS

APPENDIX I - NATIONAL PRIVACY PRINCIPLES

APPENDIX II - INFORMATION SHEET 3 (CODES)

APPENDIX III - INFORMATION SHEET 4 (PRIVACY COMMISSIONER'S POWERS)

APPENDIX IV - INFORMATION SHEET 6 (DOES THE PRIVACY ACT APPLY TO MY ORGANISATION?)

APPENDIX V - INFORMATION SHEET 9 (WHICH NPPS APPLY WHEN)


INTRODUCTION - BACKGROUND TO THE DRAFT GUIDELINES AND CONSULTATION PROCESS

Introduction

New private sector provisions in the Privacy Act 1988

On December 21 2001, new privacy laws will come into effect that regulate the way private sector organisations handle personal information. The new laws, which will be part of the Privacy Act 1988 (Cth) (the Privacy Act), include ten National Privacy Principles (NPPs) that set standards for the way organisations handle personal information.

The new privacy laws will give individuals new privacy rights including the right to get access to the personal information an organisation holds. Individuals will also have the right to complain if they think an organisation has breached their privacy rights and to get redress if the breach is proven.

The Federal Privacy Commissioner (the Commissioner) has the power to make guidelines about the NPPs and this document is a draft of those guidelines. The guidelines do not cover a number of other aspects of the new privacy laws that organisations will need to know about, although information about which organisations the new provisions cover is included in an appendix to the guidelines.

For more information about the new laws see the Office of the Privacy Commissioner (the Office) website at www.privacy.gov.au or ring its hotline on 1300 363 992.

NPPs one of three sets of guidelines

The NPP guidelines are one of three sets the Commissioner is developing this year on the operation of the new legislation. These are:

Importance of consultation

The Commissioner places great importance on consulting the Australian community about these guidelines. For each set of guidelines, the Office has developed a consultation process including a two-month period of wide public consultation. In each case, the Office has developed a consultation document that includes draft guidelines and identifies issues on which it would like community and stakeholder views.


This paper

A consultation document

This paper is a consultation document for the NPP guidelines. The first chapter is an introduction to the guidelines. The following chapters set out draft guidelines and in some places ask specific questions for consultation. The appendices include the NPPs so that people can refer to them as they read the draft guidelines and some information sheets about the new private sector scheme.

Policy on NPPs is settled

The NPPs are the starting point for developing the guidelines. The policy underlying the NPPs is now settled and part of the law. The NPPs set out Federal Parliament's decision about the balance to be struck between the protection of privacy and the protection of other important human rights and social interests that complement those relating to privacy,

"including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way." (Section 29 Privacy Act)

The role of this paper is to seek views within the framework of the balance Federal Parliament has settled on.

Review of private sector provisions

The Government has also announced that there will be a review of the Privacy Act two years after it commences. During this period the Commissioner expects to examine closely a number of areas of the new legislation to assess whether the right balance of interests has been struck. These areas include the various exemptions in the Act and the provision in the NPPs for direct marketing.

Role of consultations

However, there are a number of areas where Parliament has deliberately chosen to leave flexibility in the NPPs. Examples of this are where the NPPs use such words as "reasonably expect" and "practicable". In the draft guidelines outlined in this paper, the Commissioner has reached a preliminary view on what factors organisations should consider when applying these kinds of words to a particular business practice.

Format of submissions

The Commissioner seeks the views of all stakeholders including members of the public, businesses, non-profit associations, peak industry bodies, organisations in a range of sectors, consumer bodies and relevant State and federal government agencies about:

It will help the Office collate and analyse views if submissions follow the structure of the guidelines in making comments.

Draft guidelines available in a range of formats

This paper is available in a range of formats. It is available in hard copy and on the Commissioner's website at www.privacy.gov.au. We can also make it available on disk on request.

We will also be shortly releasing a summary document that sets out some key issues from the guidelines on which we would like responses.

We propose to issue the final guidelines in a range of formats including html with hotlinks as well as an easily accessible hard copy and through various legal and other publications.

How you can make a submission

You can make a written submission either in electronic form by email, or in hard copy. You can also ring us on TTY 1800 620 241.

E-mail address for submissions is: privacy@privacy.gov.au

Postal address for submissions is:

Office of the Federal Privacy Commissioner (consultation on NPP Guidelines)
GPO Box 5218,
Sydney, NSW 1042

Closing date for submissions is Friday, 6 July 2001. This Office will accept submissions after this date. However, because of the tight deadline for publishing the final guidelines, the Office will have an increasingly limited ability to take them into account.

The Office will publish the final guidelines in early October 2001.

Collection statement - what we will do with your submission

This Office will use the submissions it receives for the purpose of preparing the NPP guidelines. It may publish a list of those who made submissions and it may make submissions public. If you wish your submission to be treated as confidential you should either say so on your submission or tell us at the time you make your submission.



CHAPTER 1 - INTRODUCTION TO GUIDELINES

Why these guidelines are important

New privacy provisions covering the private sector

New privacy provisions in the Privacy Act 1988 (Cth) (the Privacy Act) affecting private sector organisations came into effect on 21 December 2001. Organisations covered by the legislation will need to consider how they are to implement the provisions, and in particular, the National Privacy Principles (NPPs). Organisations that hold significant amounts of personal information are likely to have to make a number of changes to the way they collect, use, disclose, keep secure and give people access to that personal information.

Federal government agencies are covered by other parts of the Privacy Act. They must comply with the Information Privacy Principles. Credit providers are bound by Part IIIA of the Act as well as these new provisions.

Guidelines to help organisations implement the NPPs

These guidelines will help organisations to implement the NPPs. They will also be of interest and use to consumers and consumer advocates who wish to understand in detail what the NPPs mean and how they can be applied.

Other information to be available

These guidelines are not the only way this Office is proposing to provide information about the NPPs to the community. In addition to these and other guidelines, the Office is developing other material and other strategies specifically aimed at ensuring consumers and other key stakeholders are aware of organisations' obligations, consumer rights and how to enforce them.


Why have guidelines on the NPPs?

The NPPs are high-level principles that are spelt out in the Privacy Act. They do not spell out in detail exactly what an organisation must do to comply with them. There are a number of places where very general words such as "reasonable", "practicable", and "impracticable" appear. This approach to the NPPs enables them to be technology neutral and to be applicable in a wide range of organisations and industries. It also recognises that people's view of privacy is contextual and may change depending on such things as the kind of information involved, the level of trust in the holder of the information, cultural background and the nature of business practice.

Another benefit of having a high-level, rather than a highly prescriptive approach, is that it is less likely that the NPPs will have to be changed as technology develops, new industries develop or public attitudes about privacy change.

On the other hand the high level approach means that for organisations and consumers that are unfamiliar with how privacy works, it may not be clear how to apply the principles to a particular business or circumstance. Having guidelines that spell out the principles in more detail is a way of providing greater clarity.


Purpose of NPP guidelines

The Commissioner has developed these NPP guidelines to give organisations practical help on how to apply the NPPs to their operations and to explain:


Status of NPP guidelines

These guidelines are made under section 27(1)(e) of the Privacy Act which gives the Commissioner a general power to make guidelines to help organisations avoid breaching the Privacy Act. Guidelines made under this power are advisory and so are not directly legally binding. (Other provisions in the Privacy Act give the Commissioner power to make guidelines covering more specific circumstances. In some cases these are binding.) These NPP guidelines cannot cover every situation. An organisation that does not follow the guidelines may not necessarily be in breach of the Privacy Act. However, they are an indication of how the Commissioner would interpret and, where appropriate, apply the principles when exercising relevant powers and functions under the Privacy Act. In other words, the guidelines are directly relevant to the way the Commissioner will apply the law, for example, when handling complaints.


What is privacy?

Privacy is about protecting our sense of self - that is, who we are; what we know; what we think; what we have done; and what we want to do. One important aspect of this is the extent of control we have over personal information about us. Exercising choice about our own information can also be an important aspect of retaining personal dignity and humanity in a relationship with another party.

Privacy is not about protecting wrongdoing or encouraging secrecy. There is no absolute right to privacy. Society accepts that there are public interest reasons for particular limitations on individuals' right to privacy. These include law enforcement, fraud control and public safety.

A certain amount of information sharing occurs in most relationships that individuals have with other people or organisations. As a consequence there may be a reduction in control over that information because someone else holds it. The individual's right to privacy sometimes must be balanced against a particular benefit that the individual receives from such relationships.


About the new private sector provisions

Changes to the Privacy Act 1988

On December 21 2000 the Privacy Amendment (Private Sector) Act 2000 (Cth) received Royal Assent. It amended the Privacy Act (which currently covers federal public sector agencies and private sector credit providers) to include provisions that regulate the way private sector organisations handle personal information. The new law came into force on 21 December 2001 although for small businesses that are not exempt from the new law, other than health services, it comes into force on 21 December 2002. (More information on when the NPPs come into effect is available in Information Sheet 9 "Which NPPs apply when" included at Appendix V.)

The Act does not apply to small businesses provided that they do not handle personal information for a benefit, service or advantage or handle health information. For more information on who the Act applies to, see the Commissioner's Information Sheet 6 "Does the Privacy Act apply to my organisation?" (included at Appendix IV).

Protection for personal information

The Privacy Act gives basic protection to personal information and gives extra protection to sensitive information including health information. It requires organisations to which it applies to implement the NPPs or a code that the Commissioner has approved. More information on codes and the code approval process is available from the Commissioner's Information Sheet 3 - "Codes" (included at Appendix II) and from the Draft Code Development Guidelines, on which the public is currently being consulted (available on the internet at http://www.privacy.gov.au/ or on request to the Commissioner's Office).

The most common way in which the law will be enforced is likely to be through the Commissioner resolving individual complaints against an organisation that has not complied with the principles. The Commissioner can make a formal determination to resolve a complaint and, if necessary, seek to have the Federal Court or Federal Magistracy enforce the determination. If an organisation is operating under an approved code, complaints would be investigated by the "code adjudicator" for that code, if the code includes its own complaints handling process. (More information about complaints under a code is included in the Draft Code Development Guidelines referred to above. More information about complaints generally is in Information Sheet 4 - "Powers", included at Appendix III.)

The Commissioner can enforce the Privacy Act in other ways, including through investigations the Commissioner can initiate (without first receiving a complaint) and through injunction powers, all of which are spelt out in the Act.

Where to get more information

If you have any questions about the NPPs or the way the new private sector amendments work you can look at the Commissioner's website at http://www.privacy.gov.au/ or phone the Office toll-free on 1300 363 992; TTY 1800 620 241.

National Privacy Principles

There are ten NPPs that set standards for the way organisations handle personal information. They cover:

Collection of personal information - NPP 1
Use and disclosure of personal information - NPP 2
Quality of personal information - NPP 3
Security of personal information - NPP 4
Openness - NPP 5
Access of individuals to personal information - NPP 6
Identifiers - NPP 7
Anonymity - NPP 8
Transborder data flows - NPP 9
Collection of sensitive information - NPP 10

You can find a copy of the NPPs at Appendix I of these guidelines.

Application of guidelines to information collected before the new provisions commence

Some of the NPPs only apply to information collected after the new private sector provisions commence. Details about which NPPs apply when can be found in an information sheet the Commissioner has issued and included in Appendix V to these guidelines.


About these guidelines

Commissioner's power to make guidelines

The private sector amendments give the Commissioner a number of additional powers to make guidelines about particular matters to do with the new private sector law. In addition to these NPP guidelines, the Commissioner has developed:

Relationship of NPP guidelines with other guidelines on the new private sector legislation

NPP and health guidelines

These guidelines give guidance on the privacy of personal information generally. Health Privacy Guidelines cover how the NPPs apply to the specific circumstances of health service providers. The Commissioner will use the NPP guidelines and the Health Privacy Guidelines, in combination with the NPPs, as the benchmark to assess whether a code has obligations that are at least equivalent to those in the NPPs and so can be approved.

Section 95A guidelines

The National Health and Medical Research Council (NHMRC) is developing guidelines made under section 95A of the Privacy Act (section 95A guidelines) on the collection, use and disclosure of health information for research purposes. Some of the principles refer to these guidelines and organisations wishing to collect, use or disclose health information for research purposes must comply with them.

Relationship of NPPs with other standards

The Commissioner strongly encourages organisations with significant holdings of personal information to meet appropriate Australian Standards, get auditors to give certificates of compliance, or seek other ways to get independent assurance that they are meeting the provisions of the Privacy Act. Measures of this kind will reassure customers that they are dealing with a privacy friendly organisation. Also, the Commissioner will take actions such as this into consideration as privacy positive steps when investigating a complaint.


Structure of guidelines

Chapter 1 is an introduction

Chapter 2 explains terms

At the front of the guidelines is a chapter that explains terms that appear in a number of places in the guidelines. It includes explanations of key terms in the Privacy Act such as "personal information", "sensitive information" and "health information" as well as some general information about terms that appear frequently in the principles such as what is "reasonable" and "practicable".

Chapter 3 explains consent

"Consent" is a key concept that appears in a number of places in the NPPs. It is the key to best practice in implementing privacy. Rather than discuss it in a number of different places, the guidelines deal with this in a separate chapter. It includes a general discussion about what is consent and how organisations should go about getting it.

Chapter 4 explains collection of information

This chapter covers the NPPs that deal with how organisations should go about collecting information including NPP 1 and NPP 10 (which deals with collecting sensitive information).

Chapter 5 explains use and disclosure of information

This chapter covers when and for what purposes an organisation can use and disclose personal information as set out in NPP 2.

Chapter 6 explains keeping information accurate, complete and up-to-date

This chapter covers NPP 3 which deals with how organisations should go about keeping information accurate, complete and up-to-date.

Chapter 7 explains keeping information secure

This chapter covers NPP 4 and how organisations should go about keeping their information secure.

Chapter 8 explains privacy statements and openness about information handling

This chapter deals with NPP 5 and how organisations should go about meeting their obligation to be open about the way they handle personal information.

Chapter 9 explains giving individuals access to their personal information

This chapter deals with NPP 6 and explains how organisations should go about meeting their obligation to give individuals access to their personal information.

Chapter 10 explains identifiers

This chapter covers NPP 7 and the obligation not to adopt, use or disclose Commonwealth Government identifiers.

Chapter 11 explains anonymity

This chapter deals with NPP 8 and explains when an organisation should allow an individual to deal with it anonymously.

Chapter 12 explains information sent overseas

This chapter deals with NPP 9 and explains when an organisation can send personal information overseas.

Chapter 13 explains collection, use and disclosure of health information for research and other purposes

This chapter deals with the aspects of NPP 10 and NPP 2 that deal with collection, use and disclosure of health information for research, statistical analysis and management purposes.


Structure of each chapter

Link to each NPP
The text is closely linked to and cross-referenced to the relevant NPP. The Office does not intend that the guidelines are stand-alone. It proposes that the guidelines should be used in close partnership with the NPPs which set the underlying standard.

Background followed by further explanations
To help you find information, we have written the guidelines in a consistent format under the following headings.

Background to the NPPs
In each chapter of the guidelines dealing with the NPPs the first part discusses such matters as:

In many cases this part may be enough to give a general idea of how the NPP works.

More detailed information
The second part of each chapter has more detail about the relevant NPP or NPPs.


NPPs in appendix

We have included the NPPs in full in Appendix I of the guidelines so that the guideline reader can refer to them when reading the guidelines.

Questions for consultation

1.1 Do you have any comments to make about this introduction?

1.2 Do you have any comments about the structure we have adopted for the guidelines?



CHAPTER 2 - EXPLANATION OF TERMS

Access

In NPP 6 "access" refers to an individual's right to see or know about his or her own information that an organisation holds.

Act (the Act)

The Privacy Act 1988 (Cth)

Authorised by law

"Authorised by law" refers to circumstances where the law permits, but does not require, an organisation to use, disclose, or deny access to, personal information. The word "authorised" suggests that an organisation has some discretion as to whether or not to use or disclose or deny access to information (see NPP 2.1(g) and NPP 6.1(j)).

Collection

An organisation collects personal information if it gathers, acquires or obtains information from any source, by any means, in circumstances where the individual is identified or is identifiable. It includes information that:

Commissioner (the Commissioner)

The Federal Privacy Commissioner.

Cookie

A cookie is a piece of information that an Internet web site sends to your browser when you access information at that site. Most of the popular browsers support the use of cookies. Cookies indicate to a web site that you have been there before and they can be used to record what parts of a web site your computer is visiting. While cookies in themselves may not identify you in the way a name or address does, a cookie could potentially be linked with other identifying information. Cookies can also be used to build up a profile of your buying habits and what you are interested in, for example, if you provide extra information about yourself to the web site by buying something online or by subscribing to a free service.

Directly related purpose

A directly related purpose is one that has a strong connection with the primary purpose of collection. It is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. Uses or disclosures for a directly related purpose would include uses or disclosures for:

See NPP 2.1(a) also Primary Purpose, Related Purpose and Secondary Purpose.

Direct marketing

The Privacy Act does not define direct marketing. However, the Commissioner considers that direct marketing includes activities that promote the sale or purchase of products or services or promote charitable fundraising where the individual is approached directly. It includes in-person approaches to people's houses and approaches by mail, e-mail, telex, facsimile and phone. It includes individually targeted approaches by these means where people are encouraged to buy services at a distance (for example to buy by phone, mail or website), to visit retail and service outlets, or to donate to a cause by one of these means. It also includes automated processes such as spam e-mail and computer-generated voice calls over the phone.

Disclosure

An organisation discloses information when it releases information outside the organisation. Examples of disclosures include:

Enforcement bodies

The enforcement bodies referred to in NPP 2.1(h) are specified in section 6(1) of the Privacy Act as:

Health information

Health information means information or an opinion about the:

Health information can include details such as an individual's name, address, billing information and Medicare number, for example, if it is part of the information about an individual's health.

Health service

Health service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it to:

Health service providers can range from hospitals and general practitioners to organisations that may not traditionally have been considered health service providers such as gyms and weight loss clinics.

Individual

The word "individual" is used in the NPP Guidelines in relation to the person whose personal information an organisation holds. The words "person" or "people" are used when referring to anyone other than the individual.

Law

The reference to law in the NPPs means Commonwealth, State and Territory legislation as well as the common law.

Lawful

Lawful means something that is not prohibited by law. This is a wider concept than "authorised by law" or "required by law".

List renter

A list renter is an organisation that rents or buys lists containing personal information from organisations and then rents or sells the lists on to other organisations.

Necessary

The Commissioner interprets "necessary" in a practical sense but will tend to a narrow interpretation in any particular circumstance. If an organisation cannot, in practice, effectively pursue a function or activity without collecting personal information, then that personal information would be regarded as "necessary" for that function or activity. Necessary should not be interpreted as a reason for collecting information on the off chance that it may be useful for a function or activity in the future.

Organisation

The private sector provisions in the Privacy Act apply to "organisations". In summary, an organisation under the Privacy Act means an individual or a body corporate or a partnership or any other unincorporated association or a trust that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory authority (section 6C of the Privacy Act). For more information about which private sector entities are organisations covered by the Privacy Act, see Appendix IV.

Personal information

Personal information means information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (section 6 Privacy Act)

Personal information must relate to a natural person. A natural person is a human being rather than, for example, a company, which may in some circumstances be recognised as a legal "person" under the law.

Personal information can range from the very sensitive (for example, political beliefs, medical history, sexual preference or medical records) to the everyday (for example, hair colour, address, phone number). The information need not be accurate; it may include opinion and speculation and it may simply be false information. It doesn't matter whether the information is held in a computer database, or in paper records, or in any other medium. If the information itself makes it clear which individual it is about then the person is identifiable. Whether a person's identity is reasonably ascertainable will depend on the context and on who holds the information.

Practicable and impracticable

What is practicable or impracticable involves assessing the facts of the particular situation. It is not determined by an individual's or organisation's view of what is practicable or impracticable. The Commissioner would not accept that doing something is impracticable just because it involves expense, inconvenience or effort on the part of an organisation. The guidelines set out factors the Commissioner will take into account in deciding what is practicable or impracticable for the particular NPP concerned (for example, see NPPs 1.3, 1.4, 2.1(c) and (d), 8 and 9).

Primary purpose

The primary purpose is the dominant or fundamental reason for information being collected in a particular transaction.

There can only be one primary purpose of collection for a particular transaction. When an individual gives (and an organisation collects) personal information, the individual and the organisation almost always do so for a particular purpose, for example, to buy or sell a particular product or to receive a service. This is the primary purpose of collection, even if the organisation has some additional purposes in mind. These additional purposes will always be secondary purposes for that transaction, even if the organisation tells the person about them, and even if the organisation gets the individual's consent to use or disclose the information for those additional purposes. For more information about primary purpose see Chapter 4 - Collecting personal information.

See also directly related purpose, related purpose and secondary purpose.

Reasonable

The terms "reasonable" and "unreasonable" appear frequently throughout the NPPs. Generally speaking, they relate to decisions or steps to be taken by organisations in particular circumstances (for example, when collecting, correcting or using and disclosing information) or to expectations of individuals in those circumstances.

Determining what is reasonable involves considering the factual circumstances in which a person or organisation is acting rather than the individual's or organisation's view of what is reasonable or unreasonable.

The guidelines set out factors the Commissioner will take into account in deciding what is reasonable or unreasonable for the particular NPP concerned (for example, see NPPs 1.2, 1.3, 1.4, 1.5, 2.1(d)(3), 2.1(h), 3, 4, 5.2, 6.1(c), 6.3, 6.5 and 9(f)).

Record

A record is a document, a database, a photograph or picture of an individual or individuals.

Related corporation

Under the Privacy Act, the question of whether one corporation is related to another corporation is determined in the same way as it is determined under the Corporations Law. This means that where a body corporate is:

the first mentioned body and the other body are related to each other. (From Corporations Law- Section 50)

Related purpose

A related purpose includes all the purposes that are directly related purposes as well as some additional ones. Related purposes must have some connection to, and arise in the context of, the primary purpose. Uses or disclosures for a related purpose would include uses or disclosures:

See also directly related purpose, primary purpose and secondary purpose.

Required by law

Required by law refers to circumstances where a law (other than the Privacy Act) requires an organisation to collect, use or disclose or deny access to, personal information. In certain instances, failing to comply with such a legal requirement may be an offence. Such a law may specifically require an organisation to collect, use, disclose or deny access. It may also be a law that gives another body, such as a government agency, a general information gathering power that includes the power to require an organisation to disclose information to it (see 2.1(g), 6.1(h), 10.1(b)).

Secondary purpose

Secondary purposes are purposes other than the primary purpose that an organisation has in mind for the information it collects. Related and directly related purposes are secondary purposes.

Organisations must not use or disclose information for secondary purposes except in limited circumstances, such as where the organisation has the consent of the individual, or where the secondary purpose is related or directly related and within reasonable expectations. NPP 2 allows very limited unrelated secondary use for the purpose of direct marketing where it is impracticable to get consent.

See also directly related purpose, primary purpose and related purpose.

Sensitive information

Sensitive information is information or an opinion about an individual's:

that is also personal information or health information about an individual (section 6, Privacy Act). (See NPP 2.1(c), NPP 10.)

Serious and imminent threat

A number of the NPPs provide for circumstances where an organisation might need to consider whether there is a "serious and imminent" threat to an individual's life, health or safety. For there to be a serious and imminent threat to an individual's life, health or safety:

Imminent means that the threatened harm must be about to happen.

The threat must be serious, for example, murder or assault or threat of spreading an infectious disease. A specific threat of physical harm to a particular person in an organisation usually counts as a serious threat. Threats to finances or reputation are not threats to life or health. Abuse, without a threat, directed to staff in general does not usually count as a serious threat (see NPP 1.5, NPP 2, NPP 6.1(a), NPP 10.1(c)).

Serious threat to public health or public safety

Public health and public safety are not defined in the Privacy Act. Various Public Health Acts, while not necessarily defining public health, give some indication of the range of conditions and threats that have been considered significant enough to warrant legislating about them in the interest of public health. Examples of conditions mentioned in public health acts are management of:

Use

Use of personal information relates to the handling of the personal information within the organisation. Examples of uses of information are:

Web bug

A web bug is often used with cookies on the internet. Web bugs are tools designed to monitor who is reading the web page or e-mail. They have no other use or purpose. They are often used for online profiling, advertising, marketing and to measure website statistics. For many users of the internet the main practical difference between a cookie and a web bug is that web bugs are much more difficult to detect or neutralise.



CHAPTER 3 - CONSENT AND PRIVACY

General background

Importance of consent in privacy

One of the most effective ways an organisation can protect privacy is to get an individual's consent for the collection, use and disclosure of their personal information. Breaches of privacy usually occur in circumstances where personal information is collected, used or disclosed without an individual's knowledge or permission. To respect privacy an organisation must keep individuals informed about its information handling practices and give individuals as much choice as possible about how their personal information is handled.

Consent in the NPPs

The NPPs require an organisation to seek the consent of an individual in a range of circumstances. The collection of sensitive personal information generally requires an individual's consent under NPP 10. Gaining consent for use and disclosure of personal information will operate to ensure that the privacy of individuals is protected more effectively. Consent is also mentioned in NPP 2 - use and disclosure (2.1(b), 2.1(c)(i), 2.1(d)(i), 2.4(a)(i) and (ii), 2.4(c)(i)) and NPP 9 - transborder data flow (9(b), 9(e)(ii)).

Elements of consent

Consent generally means agreement, approval or permission to some act, practice or purpose. In the Commissioner's view, valid consent must be informed, voluntary and given by a competent person.


More information about the elements of consent

Consent should be informed and specific

In seeking consent an organisation must give enough information to enable an individual to make an informed decision. Informed consent depends on full and adequate disclosure of relevant matters. Consent may be invalid if an organisation has given insufficient or incorrect information about its likely use or purpose.

When it must seek consent for the purposes of the NPPs, an organisation should clearly state:

An organisation should not seek a broader consent than is necessary for its purposes. Consent forms need to be specific about the matter, act or purpose that is intended with regards to the personal information. Broad and vaguely worded consent clauses such as "may disclose to other businesses, as appropriate" will not be enough to satisfy the requirement for consent because they do not inform an individual about what they are consenting to. Consent will be ineffective if the act an organisation performs is of a significantly different nature to the act the individual consented to.

To ensure that an individual's consent is genuine, an organisation must give an individual enough time to absorb the relevant information and to ask any questions so that he or she can make an informed decision. Organisations should also provide materials in languages other than English and/or make interpreters and translators available if this is applicable.

Consent should be voluntary

For consent to be voluntary, a person must be free to make a choice. Consent will not be valid if there is evidence of fraud (for example, evidence that an organisation has misrepresented the kind of activity or procedure involved or the need for such activity or procedure). It is also invalid if there is too much pressure or coercion. An individual's consent may not be voluntary and valid if the individual is denied some benefit or is disadvantaged in some way because they refused consent.

Competence to consent

The individual consenting must be competent to do so. In other words, they must be able to understand the issues and how they will affect them, to form a view based on a reasoned judgment, and to communicate their decision. This need not be a judgment that anyone else would consider reasonable, provided that the individual has been able to weigh up the costs and benefits to their own satisfaction.

The individual abilities of the person, the requirements of the task at hand, and the consequences likely to flow from the decision may influence the steps that an organisation should take to ensure that consent is informed and voluntary. The capacity of young people to give consent and the principles that apply when people are not competent are discussed below.

Types of consent

Consent usually involves positive acceptance and can be expressed in words or implied from conduct. Organisations should get express consent where consent is required by the NPPs. Implied consent is only acceptable where it is clear from the circumstances that the individual has made an informed and voluntary decision. An individual's failure to respond to an organisation's request for consent does not constitute consent. Neither does failure to object to a proposal except in the extremely limited circumstances outlined below.

Express consent

Express consent refers to consent that is clearly and unmistakably stated in writing or orally. As a general rule, an organisation should gain a person's express consent wherever the NPPs require consent, such as for the collection of sensitive information or for secondary use and disclosure of personal information.

Consent is most clearly expressed in writing. However, an individual's signature on a form may not indicate genuine consent if the person has not been informed or does not understand what they are consenting to. When an individual gives oral consent an organisation should make a written record of the time of consent and exactly what was consented to. This will help to avoid any disputes in the future about whether an individual had consented.

Implied consent

Implied consent is consent that may be inferred from a person's conduct rather than from what they say or write down. Genuine consent can only be implied in circumstances where it is clear that a person knows and understands what they are consenting to and clearly indicates from their behaviour that they have agreed.

For example, consent can be implied when a person uses a telephone service for banking services and proceeds after hearing a recorded message that the call may be monitored or recorded for staff training purposes. In these circumstances, the primary purpose is the collection and use of personal information for the provision of banking services and the secondary purpose is staff training. Consent for the secondary purpose is implied by the person's action of continuing with the call.


Opt-out procedures and implied consent

Except in the most limited circumstances, it is questionable whether implied consent can be inferred from a failure to opt out, or from an individual's failure to object to a proposal.

An example of an opt-out procedure is where a form states that the organisation will disclose personal information to a third party unless the individual contacts the organisation to object.

Failure to object does not imply consent in these circumstances because it will not be clear that the individual exercised an informed choice (for example, the individual may have thrown the form in the bin without reading it). It will also often not be clear that the individual's failure to respond was a positive decision. In many cases it will be likely that the individual did not respond because doing so involved cost or too much effort.

The Commissioner is likely to regard consent as having been inferred from an individual's failure to opt out only if all of the following conditions are met (and even then, not in all circumstances):

An example of such an arrangement might be a power company seeking to include direct marketing material with later invoices and including a suitable opt-out box on the invoice. However, whether this is acceptable as a way of getting consent may depend on how individuals pay their bills.

Questions for consultation

3.1 Do you think that the opt-out approach can constitute valid consent? If so, why? If not, why not?

3.2 What are the implications for consumers and organisations of allowing opt-out consent in the circumstances outlined?


Withdrawing consent

Consent can be withdrawn at any time. Once an individual has withdrawn consent, the organisation cannot rely on past consent for any future uses or disclosures. When organisations are asking individuals to consent to secondary use or disclosure of personal information, it is good practice to tell them that they are free to change their mind and what they should do if they want to withdraw consent.


Consent and incapacity

It is not possible to gain consent from a person who does not have the capacity to make a decision. The general law about competence and incapacity will apply to the issue of consent.


Consent on behalf of another person

Sometimes decisions about the collection, use or disclosure of personal information relate to an individual who lacks legal decision-making capacity. A lack of capacity may be temporary or permanent, depending on the underlying medical cause or the individual's disability.

The NPPs allow, in certain circumstances, for the disclosure of an individual's health information to a person who is "responsible for" them. Such disclosure occurs chiefly to ensure that the individual receives appropriate treatment and care, or for compassionate reasons.

However, there are situations where the NPPs require that an organisation seek consent before certain uses or disclosures of an individual's personal information. The organisation will need to consider who is appropriately authorised to give substitute consent in these circumstances. Where a person has a guardian with appropriate decision-making functions, the organisation should discuss the proposed action with the guardian.

It is the Commissioner's view that people with a disability who lack decision-making capacity should not miss out on necessary health care, support and other services because of privacy-related consent issues. However, neither should an individual's privacy rights be undermined by virtue of their inability to give consent.

Therefore, if the NPPs require that an organisation seek consent to use or disclose information about an individual who lacks capacity, it may be necessary for that organisation to contact its local Guardianship Tribunal or Board to determine how to proceed according to State guardianship laws.

Where an individual lacks decision-making capacity, every effort should still be made to include them in the decision-making process to the degree possible, even if another person may be the final provider of consent.

Organisations must be wary of assuming that a person with a disability is necessarily incapable of giving consent to the handling of their personal information. Most people with disabilities are able to make their own privacy decisions and have the legal right to do so.

Questions for consultation

3.3 Does there need to be an explicit mechanism for identifying who can consent on behalf of another person (where that person lacks legal capacity) in relation to privacy issues?

3.4 Alternately, should organisations be able to proceed in collecting, using or disclosing information (regarding a person with a disability who lacks decision-making capacity) without consent, if this is undertaken in the person's best interests?


Young people

As a general principle, a young person is able to give consent when he or she has sufficient understanding and intelligence to understand what is being proposed.

A parent or guardian may provide consent in relation to a person under the age of 18 years only if the child is very young, or the young person is unable to do so for themselves. A parent or guardian may only make decisions on behalf of a young person that are in the best interests of the child or young person.

Whether or not a young person is capable of making a choice about the collection, use and disclosure of personal information will depend on the circumstances. Due weight should be given to any views expressed by a young person, taking into account their age, intelligence and understanding. When dealing with a young person or child, an organisation should also take into account:

Information policy

Organisations that target young people should set out in their information policy (see NPP 5) who may consent and who has a right of access to information concerning a person who is under the age of 18 years. Such a policy should have general guidelines about how the organisation will make decisions relating to young people and the factors it will take into account. The policy should also deal with parental involvement, particularly factors that would indicate that a parent should be involved in the decision-making process.

The Federal Attorney-General has announced that there will be an inquiry into children and privacy.

Questions for consultation

3.5 What is the appropriate approach to take when getting consent where a young person is involved? For example, are these the right considerations or are there other considerations to take into account?

3.6 Does this chapter strike the right balance between parents and children? If not, what is a better approach?

3.7 Are there reasons why there should be a different approach in relation to privacy than in other areas of the law?


Cultural issues and consent

The sensitivity of some personal information may vary between ethnic communities. Personal information that is regarded as culturally sensitive within a community requires increased protection. Culturally sensitive information should only be asked for on a voluntary basis, or by getting informed consent. If there is no choice but to require culturally sensitive information, the request should be made carefully, and with all possible steps to minimise the intrusion. The methods of collecting information should also be culturally sensitive. Organisations should be sensitive to, and ensure that staff are properly trained in, cross-cultural issues regarding personal information.

Concepts of what is consent and how it is communicated or gained may vary from culture to culture or from group to group. In some cultures or groups, collective consent may be the norm.

In 1998 the then Commissioner released a privacy protocol (called "Minding Our Own Business") for Commonwealth agencies in the Northern Territory handling personal information of Aboriginal and Torres Strait Islander people. The protocol is available from the Office website at www.privacy.gov.au.

Questions for consultation

3.8 Are there any cultural issues concerning consent that the guidelines should take into account? If so what are they?

3.9 How should the guidelines accommodate them?



CHAPTER 4 - COLLECTING PERSONAL INFORMATION

General background

Principles that apply to collection of personal information

When an organisation collects personal information it will need to consider a number of the NPPs.

An organisation will also have to consider NPP 2 (which deals with use and disclosure for secondary purposes) because what the organisation tells an individual at the time it collects information and whether it has the individual's consent or not may affect whether it can use or disclose the information for secondary purposes later on (see Chapter 5).

The organisation will also have to consider whether the information it is collecting is sensitive personal information and whether any of that sensitive information is health information (see Chapter 2) because this affects whether or not an organisation can collect the information without consent.

Role the collection principles play in protecting privacy

Collection is the gateway to protecting privacy

If an organisation takes the collection principles seriously and implements them well, it will be in a very good position to ensure it complies with the Privacy Act. The collection principles are also the key to ensuring that individuals are in control of their information. They ensure that individuals are informed about proposed uses and disclosures and about their right to access their information and to correct it if it is wrong. In the case of sensitive information, they ensure that consent to collect includes consent to the proposed use and disclosure.

Limits to collection

NPP 1.1 requires an organisation to limit the information it collects to information it really needs for its functions and activities. NPP 1 aims to prevent organisations from collecting information just because it would be nice to have it, or because the organisation might need it sometime in the future. The Commissioner views this as a very important principle and expects organisations to take a narrow interpretation of the range of information that is "necessary". The Commissioner considers that any other interpretation will only add to community fears that private sector collection of personal information is out of control.

Requires collection to be lawful and fair

NPP 1.2 aims to protect unwary individuals by requiring organisations to use only fair and lawful ways to collect information. Organisations should at all times bear in mind that the obligations under the Privacy Act are in addition to obligations they may have under fair trading laws or the Trade Practices Act 1974 (Cth) (for example the misleading and deceptive conduct provisions).

Gives individuals control over their personal information

The NPPs do not aim to stop organisations from collecting personal information. Their main role is to require organisations to be disciplined in collecting information and to give individuals control over what happens to it. NPP 1.3 gives individuals control over their information by requiring an organisation to tell them:

These requirements help ensure that individuals will be able to make a fully informed decision about whether or not they want to give the information. NPP 1.3 also requires an organisation to tell individuals they have a right of access to their information and how to contact the organisation to get access.

Consent to collect

Getting consent to collect is the ideal way to collect personal information and the simplest way to ensure compliance with the NPPs. However, the NPPs do not require an organisation to get consent to collect information unless the information collected is sensitive information.

Collecting sensitive information usually needs consent

The NPPs recognise that individuals are concerned to have more control over some kinds of information. The Privacy Act calls this "sensitive information" (see Chapter 2 - Explanation of terms) and adds some stronger protections. NPP 10 requires organisations collecting sensitive information, with few exceptions, to get the individual's consent before they collect it. There are some exceptions that apply to all sensitive information including health information, and there are some additional ones that apply just to health information. Unless these circumstances apply, an organisation must get the individual's consent to collect sensitive information.

Best to collect information directly from the person - NPP 1.4

Individuals are best able to control what happens to their personal information if organisations collect it directly from them. So as a general rule, and if it is reasonable and practicable to do so, NPP 1.4 requires organisations to collect information about an individual only from that individual. As spelt out more fully in the next section, the Commissioner clearly expects organisations to collect personal information directly from the individual.

Collection from other sources - NPP 1.5

Where an organisation collects information about an individual from someone else, NPP 1.5 requires the organisation to take reasonable steps to make sure that the individual is aware of the information outlined in NPP 1.3. It aims to ensure that individuals have control over their information even where an organisation collects information indirectly. An organisation does not have to take reasonable steps to make an individual aware of this information if doing so would pose a serious threat to the life or health of any individual.


More information about collection

Meaning of collection

An organisation collects personal information if it gathers, acquires, or obtains information from any source, including third parties, by any means in circumstances where the individual is identified or is identifiable. It includes information that an organisation comes across by accident or has not asked for but nevertheless keeps. It also includes information the organisation receives directly from the individual as well as information about an individual an organisation receives from somebody else.

Examples of collection

Examples of collection include where an organisation:


Limits on collection - NPP 1.1

What NPP 1.1 says

NPP 1.1 says that an organisation must not collect personal information unless it is necessary for one or more of its functions or activities.

Meaning of necessary for one or more functions or activities

Practical interpretation

The Commissioner interprets "necessary" in a practical but narrow sense. If an organisation cannot, in practice, effectively pursue a function or activity without collecting personal information, then that personal information would be regarded as necessary for that function or activity. An organisation should not collect information on the off chance that it may become necessary for one of its functions or activities in the future. If an organisation receives information that is not necessary for one of its functions or activities, it should not keep that information.

Functions and activities

Functions and activities include:

Examples of when an organisation may breach NPP 1.1

An organisation may breach NPP 1.1 if it:

Hints to avoid collecting unnecessary information

If an individual gives an organisation a full copy of a document and the organisation only needs some of the information, the organisation should think about:

It should also consider whether collecting de-identified information will serve the purpose for which it is collecting information.

Necessary collection and related corporations

Sensitive information

Where information is sensitive it is especially important that an organisation consider whether there are other ways of achieving the purpose than collecting that information. For example, an organisation providing a service to a person with a disability might consider outlining the range of options it can make available and leaving the individual to choose an option on the basis of their own knowledge of their needs. This would save the organisation from having to collect a whole range of sensitive information in order to be able to decide what services it needs to provide.

If an organisation provides services to Aboriginal or Torres Strait Islander peoples, it may need to be aware of information that may be highly culturally sensitive, for example, the name of a person who has passed away. An organisation should avoid collecting such information unless it is absolutely essential and done in a way that meets any concerns that members of the particular community may have. See also "Minding our own business" published in 1998 by the Office.


Lawful, fair and unintrusive collection - NPP 1.2

What NPP 1.2 says

NPP 1.2 says that an organisation must collect information only by lawful and fair means and not in an unreasonably intrusive way.

Lawful means of collecting information

See Chapter 2 - Explanation of terms.

Illegal collection

When collection could be illegal

Collecting personal information could be illegal if an organisation:

Examples of illegal collection

If the law does not specifically allow it, the following collections might be against the law:

Fair means of collecting information

Meaning of fair collection

Fair collection means collecting without tricks, deception or too much pressure. An organisation is likely to breach NPP 1.2 if, because of its collection practice, it gets information that the individual would not otherwise give it. But there will be some circumstances - for example, investigations of possible fraud or other unlawful activity - where collecting information by surveillance or other ways would be fair. Organisations should also be aware of their obligations under the Trade Practices Act 1974 (Cth).

Examples of unfair collection

Examples of unfair collection may include:

Unfair collection and Spam

An organisation that collects personal information without telling the individual (for example, via a banner on a website or using software that trawls the net for email addresses) for the purpose of sending spam will be engaging in unfair collection in breach of NPP 1.2 unless it gives individuals proper notice.

Unreasonably intrusive way of collecting personal information

Depending on the circumstances, examples of unreasonably intrusive ways of collecting information may include:


Reasonable steps to ensure an individual is aware of certain matters - NPP 1.3

What NPP 1.3 says

NPP 1.3 says that at or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects personal information about an individual from that individual, it should take reasonable steps to ensure the individual is aware of:

The guidelines refer to these as "NPP 1.3 information".

When to give NPP 1.3 information

An organisation should give NPP 1.3 information to an individual as early as possible each time it collects information. NPP 1.3 expresses a general expectation that organisations make an individual aware of these details no later than the time of collection. Mostly, organisations communicate with an individual in order to collect the information, so this is also the suitable time to give the individual these details.

Ways of making an individual aware of NPP 1.3 information

Where an individual has a visual or other relevant impairment the organisation will need to take the necessary steps to make the individual aware of NPP 1.3 matters. Organisations will need to be aware of other anti-discrimination legislation that applies in these circumstances.

Awareness when regular collection of same kind of information

If an organisation regularly collects the same kind of information from an individual it may not need to give NPP 1.3 details each time. For example, an energy company may not need to give NPP 1.3 details each time it checks the meter as long as the individual has agreed to this approach. An organisation would need to send out new notices if it changes the way it collects, uses or discloses personal information.

When it might be appropriate to put off giving NPP 1.3 information

Must be impracticable

An organisation could only put off giving NPP 1.3 information at or before the time of collection if there are practical problems in doing so that the organisation cannot overcome by any reasonable means. The Commissioner would not accept that making an individual aware of NPP 1.3 information at the time of collection was not practicable merely because it was inconvenient or commercially unprofitable.

Factors in deciding practicability

In deciding whether it is not practicable for the organisation to give NPP 1.3 details at or before the time of collection, the Commissioner would look at all the circumstances in a common-sense way. Factors the Commissioner would take into account include:

Examples of when impracticable

Examples of when it might not be practicable to give NPP 1.3 information at or before the time of collection include the following.

Deciding what are reasonable steps to make an individual aware of NPP 1.3 matters

The Commissioner's test

Informing individuals is the key to ensuring that they can exercise choice about whether to hand over their personal information. In deciding what are reasonable steps to ensure the individual is adequately informed, the Commissioner would consider the circumstances in which the organisation collected the personal information, taking into account:

No step reasonable where information obvious

Taking no steps might be reasonable where the NPP 1.3 information is obvious and the circumstances speak for themselves. An example of this might be where the identity of the organisation collecting the information is obvious from the circumstances.

Making an individual aware of the purposes of collection - NPP 1.3(c)

Purposes means primary and secondary purposes

An organisation must give information about the primary purpose for collection and any secondary purposes that would not be within the reasonable expectations of the individual.

Description of purpose must not mislead

An organisation may keep the description of a secondary purpose reasonably general as long as this is not misleading and does not lose the link to the primary purpose of collection. For example, loose wording that hides the fact that personal information may be used for marketing purposes or for passing on to other organisations is not acceptable. If the organisation is likely to use or disclose information in these ways it must explicitly say so and if necessary get the individual's consent.

The purposes outlined should be relevant to the particular circumstances in which the organisation is collecting the information. A "one size fits all" approach to transactions will not be appropriate in many cases.

Making an individual aware of disclosures to other organisations - NPP 1.3(d)

The Commissioner's test

The test the Privacy Commissioner expects to use in each case is whether the individual concerned is properly informed.

Level of detail about usual disclosures

Listing each organisation is one approach

Where it is practicable and informative it would be reasonable for an organisation to list each organisation to which it usually discloses information of the kind being collected.

Listing types of organisations may be better in some cases

However if listing each organisation is not practicable or informative, listing the types of organisations might be a better way to inform the individual about the circumstances in which an organisation might disclose their information. Examples of descriptions of types of organisations would be "debt collectors", "State Government Licensing authorities", "health insurers" and "list renters".

Listing disclosure to contractors

If an organisation usually discloses information to a contractor to carry out a function or activity in relation to the information collected the NPP 1.3 information should include this. To ensure that the contractor meets its requirements under NPP 1.5, it would also be appropriate for the organisation disclosing the information to the contractor to include relevant NPP 1.3 information about the contractor.

Third party disclosures should be listed if known

If an organisation is passing information to another organisation and it knows that the other organisation usually discloses the information to someone else, it should say so.

Do not need to mention rare disclosures

An organisation does not need to mention disclosures that may happen, but in practice happen only rarely. For example, disclosures under a warrant or to intelligence agencies need not be mentioned; nor would disclosures made in an emergency of the kind set out in NPP 2.1(e).

Disclosures to related bodies corporate