Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography

PART A

INTRODUCTION

CHAPTER 1

Proposal 1 -1 The Office of the Privacy Commissioner should, either on its own motion or where approached in appropriate cases, encourage and assist agencies and organisations, in conjunction with Indigenous and other ethnic groups in Australia, to create publicly available protocols that adequately respond to the particular privacy needs of those groups.

1. The Office agrees that it should encourage and assist agencies and organisations, in collaboration with Indigenous and other culturally diverse groups in Australia, to create publicly available protocols in response to the privacy needs of those groups.

2. As previously discussed in its submission to the ALRC's Issues Paper 31 (IP 31) at question 1-1, the Office agrees that the Privacy Act 1988 (Cth) (‘Privacy Act') itself should not be amended to provide differing standards of protection to specific groups such as Indigenous or other cultural groups or commercial entities.[14] This position is based on the fact that privacy regulations have evolved to operate at an individual (rather than collective) level, both in Australia and internationally. In the Office's view this should continue to be the case. Uniform protections under the Privacy Act are likely to promote equality under the law and consistency of obligations, which is beneficial to individuals, agencies and organisations.

3. Notwithstanding the argument against amending the Privacy Act itself to recognise collective privacy interests, the Office acknowledges there are circumstances in which identified groups in the community may have privacy needs or preferences that relate to their membership of a particular group. As such, guidance may in some cases assist interaction between agencies or organisations and identified community groups.

4. An existing example of such guidance is the Office's publication: Minding our own business: Privacy protocol for Commonwealth agencies in the Northern Territory handling personal information of Aboriginal and Torres Strait Islander people (1998).[15] The Office therefore welcomes the opportunity to assist agencies and organisations to improve upon and facilitate the creation of further guidance material on privacy (within the framework of the Privacy Act) for specific cultural or community groups, where appropriate, in consultation with the affected groups themselves.

CHAPTER 2

OVERVIEW - PRIVACY REGULATION IN AUSTRALIA

1. The Office notes the Australian Law Reform Commission's (ALRC's) overview of the regulation of personal information in Australia.

2. In describing the legislative and non-legislative rules, codes and guidelines operating across jurisdictions, the chapter highlights a need for greater consistency and uniformity in the way that privacy is interpreted and regulated across Australia.

3. In its previous submission to the ALRC's Issues Paper 31 (IP 31), the Office noted the importance of ensuring that privacy regulations are interoperable, consistent and comprehensive, with national consistency being the ultimate goal of such a privacy framework. Suggestions for ways in which the current privacy regulations could be harmonised across sectors and jurisdictions included adopting a single set of privacy principles to replace the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and to be uniformly adopted across jurisdictions.[16]

4.The Office views this approach to privacy reform as mutually beneficial to governments, businesses and individuals. Harmonising privacy regulations will reduce compliance difficulties for those with obligations, and empower individuals to better understand and exercise their privacy rights.

5.Chapter 4 of the ALRC's Discussion Paper (DP 72) outlines specific measures to promote national consistency. In its response to chapter 4, the Office supports many of the ALRC's proposals for reform.

CHAPTER 3

THE PRIVACY ACT

Proposal 3-1 The Privacy Act should provide for the making of regulations that modify the operation of the proposed Unified Privacy Principles (UPPs) to impose different or more specific requirements in particular contexts, including imposing more or less stringent requirements on agencies and organisations than are provided for in the UPPs.

1. The Office does not agree with the proposal to establish a general regulation making power that permits any regulation to derogate from the protections afforded by the Privacy Act 1988 (Cth) (Privacy Act).

2. The Office recognises that a provision creating a general regulation making power is not unusual in legislation. Section 100(1) of the Privacy Act currently provides such a general regulation making power. This section states:

• (1) The Governor General may make regulations, not inconsistent with this Act, prescribing matters:
• (a) required or permitted by this Act to be prescribed; or
• (b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.

3. In the Office's view, the significant element of section 100(1) is that any regulation must not be ‘inconsistent with this Act'. Proposal 3-1 would seem to envisage regulations being made that could be inconsistent with the Privacy Act in that they would be able to derogate from established statutory protections.

4. The Office notes that the existing general regulation making power in section 100(1) is consistent with other legislation relating to similar oversight and accountability agencies. For example, the legislation applying to the Commonwealth Ombudsman, the Human Rights and Equal Opportunity Commission and the Australian Competition and Consumer Commission each establish a general regulation making power that may only be exercised in a manner not ‘inconsistent with this Act'.[17]

5. Notably, each of the Acts cited above create rights and protections for individuals. The Australian Government Legislation Handbook, published by the Department of Prime Minister and Cabinet, states in regard to determining when primary or delegated legislation should be pursued, that ‘rules which have a significant impact on individual rights...' should ‘...be implemented only through Acts of Parliament'.[18] Accordingly, establishing a general regulation making power that could be used to significantly impact on individual rights would seem inconsistent with existing legislative practice and policy.

6. If the ALRC envisages that the regulation making power might be used to derogate from the protections offered in the Privacy Act in specific areas only, such as credit reporting, then this should be a facilitated by a specific regulation making power (though it should be noted that the Office does not support proposals for either health information or credit information to be subject to regulations).[19] The Office would expect that a specific regulation making power would be accompanied by measures aimed at assuring the community that compensatory measures are provided.

7. Such measures can be seen in the regulation making powers established under sections 100(2) and (3) of the Privacy Act. These sections, applying to regulations made in regard to National Privacy Principle (NPP) 7, include such requirements as mandatory consultation with the Privacy Commissioner and that any such regulations be to the overall benefit of individuals. In chapter 50 of this submission, the Office has suggested that a public interest test should also be applied to any specific regulation making power.

8. In addition to the issue raised above, the Office also notes that such a general regulation making power could:

• contribute to a proliferation of instruments, leading to complexity and fragmentation in privacy regulation;
• create the risk of inconsistent regulation applying to organisations and agencies; and
• lead to the creation of instruments that have not been subject to appropriate consultation.

9. The Office suggests that this proposal be amended such that the existing general regulation making function of the Privacy Act be retained in its current form.

Proposal 3-2 The Privacy Act should be amended to achieve greater logical consistency, simplicity and clarity. For example, the Information Privacy Principles and the National Privacy Principles should be consolidated into a set of UPPs; the exemptions should be clarified and grouped together in a separate part of the Act; and the Act should be restructured and renumbered.

10. The Office agrees with proposal 3-2.

11. The proposal is consistent with the Office's position in its submission to IP 31.[20]

Proposal 3-3 If the Privacy Act is amended to incorporate a cause of action for invasion of privacy, the name of the Act should remain the same. If the Act is not amended in this way, however, the Privacy Act should be renamed the Privacy and Personal Information Act.

12. The Office submits that the Privacy Act should be renamed the ‘Australian Privacy Act' regardless of whether or not a cause of action is introduced. If this position is not adopted, the Office's view is that the legislation should retain its existing title.

13. In its submission to ALRC IP 31,[21] the Office proposed the name ‘Australian Privacy Act' on the basis that it differentiates Commonwealth legislation from the various State and Territory enactments.[22] The ALRC did not support the name ‘Australian Privacy Act' because, in its view, ‘Australian' is generally only used for an Act's name when that Act creates a body that shares a name with its title (for example, the Australian Law Reform Commission Act).[23]

14. While the Office understands the ALRC's position, it submits that ‘Australian Privacy Act' would be the most appropriate nomenclature for this legislation. The Office notes that there are currently around 70 pieces of legislation that begin with ‘Australia' or ‘Australian'. Of these, approximately 13 do not create a body that shares the same name. These include the Australian Passports Act 2005, Australian Citizenship Act 2007, AustralianLandTransport Development Act 1988 and the Australian Energy Market Act 2004. The Office notes that the last example establishes the Australian Energy Market Commission; the Office proposes that the Australian Privacy Act similarly establish an Australian Privacy Commission.

15. Accordingly, the Office submits that there is clear precedent for establishing legislation titled the ‘Australian Privacy Act'. Such a title would clearly distinguish the scope and jurisdiction of this legislation. The Office also notes that the traditional convention of indicating a Commonwealth statute with the abbreviation ‘Cth' would not be widely understood by the general community; ‘Australian' would much more clearly indicate the source and coverage of the legislation.

16. The ALRC's alternative name, the Privacy and Personal Information Act, is markedly similar to NSW's legislation, the Privacy and Personal Information Protection Act 1998. This may exacerbate the confusion surrounding overlapping state, territory and Commonwealth legislation, as well as promote confusion among complainants and respondents as to which piece of legislation they are subject to at a given time. As the Office noted in its submission to IP 31, the ‘Privacy Act' provides simple and effective branding that helps to distinguish it from the various state and territory information privacy laws.

17. DP 72 discusses the role played by legislative nomenclature in providing ‘a snapshot of the content of the legislation' and ensuring that the public is not mislead as to what the legislation covers. The Office submits that ‘Privacy and Personal Information Act' would offer little in terms of advancing understanding of the content of the legislation. Privacy is a complex and multifaceted concept, and it seems unlikely that any title would be able to articulate distinctions between differing notions of privacy. The Office submits that the proposed title would promote more confusion than clarity (such as why ‘privacy' and ‘personal information' are treated as semantically different concepts).

18. The Office reiterates its view that ‘Privacy Act' provides a clear and simple form of nomenclature, which helps to distinguish the federal legislation from the laws in the state and territories, which are generally more esoterically named. ‘Privacy Act' also succinctly describes the functions of the Privacy Commissioner in broad terms, including the functions to provide advice on matters that may extend beyond information privacy. Markedly changing the title would offer little, if any, benefit, and would risk undermining 20 years of promoting awareness of the Privacy Act.

Proposal 3-4 The Privacy Act should be amended to include an objects clause.  The objects of the Act should be to:

(a) implement Australia's obligations at international law in relation to privacy;

(b) promote the protection of individual privacy;

(c) recognise that the right to privacy is not absolute and to provide a framework within which to balance the public interest in protecting the privacy of individuals with other public interests;

(d) establish a cause of action to protect the interests that individuals have in the personal sphere free from interference from others;

(e) promote the responsible and transparent handling of personal information by agencies and organisations;

(f) facilitate the growth and development of electronic commerce, nationally and internationally, while ensuring respect for the right to privacy; and

(g) provide the basis for nationally consistent regulation of privacy.

19. The Office supports an objects clause being included in the Privacy Act. This aspect of the proposal is consistent with the Office's submission to ALRC IP 31.[24] Comments on specific clauses proposed by the ALRC are below.

20. The Office supports the inclusion of the following objects proposed by the ALRC:

• (a) implement Australia's obligations at international law in relation to privacy;
• (b) promote the protection of individual privacy;
• ...
• (d) establish a cause of action to protect the interests that individuals have in the personal sphere free from interference from others'
• (e) promote the responsible and transparent handling of personal information by agencies and organisation; and
• (f) facilitate the growth and development of electronic commerce, nationally and internationally, while ensuring respect for the right to privacy; and
• (g) provide the basis for nationally consistent regulation of privacy.

21. Paragraphs (a), (b), (e) and (g) are consistent with the Office's response to ALRC IP 31.[25] Paragraph (d) is consistent with the Office's response to question 1-2.[26]

22. In addition, the Office recognises that paragraph (f) is consistent with a key policy driver underpinning the introduction of the NPPs in 2000.[27]

23. The ALRC may wish to consider if paragraph (b) should also include reference to promoting individuals' rights to privacy. Such a right is referred to in paragraphs (c) and (f), though the current objects do not include reference to the legislation codifying such a right.

24. The Office does not support the following provision being included:

• (c) recognise that the right to privacy is not absolute and to provide a framework within which to balance the public interest in protecting the privacy of individuals with other public interests...

‘Recognise that the right to privacy is not absolute...'

25. The Office recognises the intent of this proposed form of words, but is concerned that the proposal may be perceived as suggesting that privacy is implicitly a barrier to agency and organisation effectiveness. As an alternative, the Office proposes the following words, drawn largely from its submission to ALRC IP 31, question 3-3:

• ‘...recognise that the right to privacy is not absolute and to provide a framework within which agencies and organisations may conduct their legitimate functions and activities in a manner that respects individuals' right to privacy'.

26. The Privacy Act includes mechanisms intended to provide that, in certain cases, a clearly identified public interest may require that privacy protections be qualified. This may be seen in the structure of the Information Privacy Principles (IPPs) and NPPs themselves, which create principle-based obligations subject to specified exceptions, and the public interest test contained in the Privacy Act's mechanisms for Public Interest Determination and Temporary Public Interest Determinations under Part VI of the Privacy Act.

27. However, the Office holds a number of concerns about the form of words used by the ALRC in its proposed objects clause.

28. Firstly, the ALRC's form of words does not reflect article 17 and 50 of the International Covenant on Civil and Political Rights, and therefore contradicts clause (a) regarding implementing international obligations. Article 17 states:

• i. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
• ii. Everyone has the right to the protection of the law against such interference or attacks

29. Individuals should be absolutely protected from unlawful or arbitrary interferences with their privacy.

30. Secondly, the notion of balancing interests in this context overlooks the situations in which good privacy practice actually supports agencies and organisation's objectives. For example, the Office's submission to ALRC IP 31 addressed the importance of privacy protections for effective health service delivery. In response to question 8-1, the Office noted that:

• ‘...if individuals do not believe that their personal health information will be treated privately, they may avoid treatment or withhold information that may be crucial to their clinical care.'[28]

31. It may not be accurate, therefore, to frame privacy as inevitably in competition with other public interests; in many instances, privacy advances other public interests by promoting trust, participation and engagement.

32. The notion of balancing interests is often a useful short-hand phrase for explaining how privacy intersects with other interests. However, for the reasons outlined above, it may not accurately describe all cases, and therefore does not merit inclusion in the objects clause.

33. Lastly, the Office is concerned that the ALRC's form of words may not assist in effectively promoting the protection of individual privacy, as per proposed objects clause (b). In particular, the Office is concerned that the objects clause is phrased in negative terms - ‘the right to privacy is not absolute.' This may not encourage agencies and organisations to take their privacy responsibilities seriously.

34. As an alternative, the Office suggests that this concept be expressed in positive terms emphasising how the Privacy Act provides a framework for managing intersecting interests. To this end, the Office suggests that the ALRC further consider the Office's form of words set out above.

35. The Office suggests that the objects clause reflect the Office's compliance function. This clause would supplement the reference in proposed clause (c) to promoting the protection of individual privacy which particularly reflects the Office's education and policy-advice functions. Accordingly, the Office proposes the following provision:

• (h) to provide a means for addressing complaints about an alleged interference with an individuals' information privacy.

36. Lastly, the Office notes that the ALRC's proposed objects clause does not refer to any entity to carry out functions under the Privacy Act. Accordingly, consideration may be given to including the following provisions:

• 2) To assist in achieving these objects, this Act establishes:
• a) the position of Privacy Commissioner; and
• b) the Australian Privacy Commission.

37. The Office has drawn this model from section 3(2) of the Law Enforcement Integrity Commissioner Act 2006 (Cth). By comparison, section 19(1) of the current Act states that:

• (1)  The Office of the Privacy Commissioner is established by this section.
• (2)  The Office of the Privacy Commissioner consists of the Privacy   Commissioner and the staff as mentioned in section 26A.

38. In the Office's view, the benefits of the Law Enforcement Integrity Commissioner Act model are that it refers to both the statutory office being created, and the body created to assist the office-holder.

Proposal 3-5 (a) The Privacy Act should define ‘personal information' as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual'.

39. The Office supports proposal 3-5(a). The Office views this definition as retaining the significant elements from the current definition of ‘personal information.'

40. The Office notes the proposed change from the Privacy Act's current reference to ‘about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion' to the ALRC's proposed words: ‘about an identified or reasonably identifiable individual.' The ALRC's proposal appears to express essentially the same principle, but with greater clarity.

(b) The Explanatory Memorandum of the amending legislation should make clear that an individual is ‘reasonably identifiable' when the individual can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation has the capacity to access or is likely to access.

41. The Office supports proposal 3-5(b), and notes that explanatory memoranda of this kind may provide useful aids in interpreting the relevant provision.

(c) The Office of the Privacy Commissioner should provide guidance on the meaning of ‘identified or reasonably identifiable'.

42. The Office supports this proposal. In its submission to IP 31, question 8-28, the Office noted that:

• ‘Whether an individual's identity is apparent or readily ascertainable will depend on context and circumstance, including the resources available to the recordkeeper.[29]

43. In the review conducted by the Office, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005) (‘Private Sector Review'), the Office has committed to produce guidance on this issue.[30]

Proposal 3-6  The definition of ‘sensitive information' in the Privacy Act should be amended to include: (a) biometric information collected for the purpose of automated biometric authentication or identification; and (b) biometric template information.

44. The Office agrees with proposal 3-6.

45. In its submission to IP 31, question 3-4,[31] the Office supported expanding the definition of sensitive information to include biometric information. Privacy issues associated with biometric information are discussed further in chapter 11.

Proposal 3-7 The definition of ‘sensitive information' in the Privacy Act should be amended to refer to ‘sexual orientation and practices' rather than ‘sexual preferences and practices'.

46. The Office supports proposal 3-7, noting that the ALRC has identified a need for the Privacy Act's terms to be consistent with contemporary usage.[32]

Proposal 3-8 The definition of ‘record' in the Privacy Act should be amended in part to include: (a) a document; and (b) information stored in electronic or other forms.

47. The following comments address parts (a), (b) and (c) of the current definition of ‘Record.'

48. The Office agrees with aspects of proposal 3-8, but suggests that it be reconsidered as described below. In the Office's view, the amended definition of ‘record' should include:

• (a) a document,
• (b) information stored in electronic form; or
• (c) a photograph or other pictorial representation.

49. The Privacy Act currently defines ‘record' , in part, as:

• (a) a document; or
• (b) a database (however kept)
• (c) a photograph or other pictorial representation of a person.

50. Proposal 3-8 suggests removing the current clauses b) and c) and inserting a new clause b) to refer to information stored in electronic or other forms.

51. The Office agrees that the definition of ‘record' should continue to refer to ‘a document.'

52. The Office also agrees with the ALRC's view that the explicit reference to databases is no longer necessary, and could be subsumed within a reference to electronically stored information.

Making the definition accessible

53. The Office wishes to revisit the question of how best to ensure that the Privacy Act's definition of ‘record' is both accessible and consistent with the provisions of other legislation. The ALRC asserts that it is appropriate to rely on the definition of ‘record' found in the Acts Interpretation Act 1901(Cth), as this ‘promotes consistency and brevity in federal legislation.'[33]

54. The Office suggests that given the definition of ‘record' is pivotal to the application of many of the Privacy Act's provisions, it appears appropriate that the meaning of the term be clearly set out within the Privacy Act itself.

55. In the Office's view, the Privacy Act should be drafted with reference to a user's perspective, that is, from the point of view of a person working within an agency or organisation seeking to understand how the Privacy Act applies to them. From the perspective of accessibility the Office suggests that, wherever possible, a person should be able to locate provisions relevant to them without having to navigate across inter-related statues. The Office also suggests that consideration be given to whether users of the legislation would necessarily be cognisant of the Acts Interpretation Act and its effect.

56. Accordingly, the Office suggests that the definition of record should be self-contained.

57. In the Office's view, it is possible to achieve this objective and retain consistency. The Office's submission to IP 31 noted the inconsistencies in the definition of ‘record' and ‘document' across the Privacy Act, the Freedom of Information Act and the Archives Act. The Office suggested in response to question 3-4 that these definitions be harmonised.[34] The Office reiterates this position.

Photographs

58. The Office does not support removing the current reference to photographs and pictorial representation (‘pictures').

59. In its response to question 3-4 of IP 31, the Office supported the reference to photographs and pictures being retained, subject to one amendment.

60. The ALRC asserts that, since section 25 of the Acts Interpretation Act 1901 defines ‘document' to include photographs, it is not necessary for the Privacy Act to make any such reference.[35] Section 25 reads:

• In any Act, unless the contrary intention appears, ‘document' includes:
• (a)  any paper or other material on which there is writing;
• (b)  any paper or other material on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them; and
• (c)  any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device.

61. The ALRC asserts that item (c) implicitly includes photographs or pictures.

62. However, the Office suggests that, on an ordinary reading of the Privacy Act, it may not be clear that ‘document' is defined elsewhere to include photographs and pictures. In this instance, the interpretation of the term could be left to the reader's own understanding of the term.

63. The Office also notes that the definition of ‘record' in the Archives Act 1983 and ‘document' in the Freedom of Information Act 1982 both explicitly refer to photographs or pictures.

64. Accordingly, in the Office's view, the current reference to photographs and pictorial representations plays an important role in clarifying the extent of the definition. In the absence of any clear indication that it creates difficulties, the Office submits that it should be retained.

65. In addition, the Office reiterates the view expressed in its submission to IP 31, question 3-4 that the reference to photographs and pictorial representations should not include the phrase ‘of a person', since this restricts the scope of the clause.[36]

Proposal 3-9 The definition of ‘generally available publication' in the Privacy Act should be amended to clarify that a publication is ‘generally available' whether or not a fee is charged for access to the publication.

66. The Office supports proposal 3-9.

67. The proposal is consistent with the Office's position responding to question 3-4 of its submission to IP 31.[37]

Chapter 3 - Other terms to be defined

68. The Office's submission to IP 31 raised a number of other terms used in the Privacy Act which raise definitional issues.

69. At present, the Privacy Act's jurisdiction over collaborations between the Commonwealth and State Governments through the Council of Australian Governments is unclear. As noted in the Office's submission to IP 31, question 3-4, public authorities created under these collaborations could be better provided for under the current definition of ‘agency.'[38]

70. The Office also noted in that submission that the status of public-private partnerships is unclear. The Office raised this issue in relation to the definition of ‘state or territory authority' in section 6C(3), which refers to bodies established or appointed for a public purpose.

71. The Office suggests that the definition of ‘agency' be amended to make it clear that bodies created for the purposes of such collaborations are covered by Commonwealth privacy regulation.

72. In addition, the Office's submission to IP 31, question 5-4 discussed the ambiguities surrounding which acts or practices of a Minister are covered by the Privacy Act.[39] The Office suggested that to help reduce this complexity, the definition of ‘agency' which currently includes a Minister, should add words that describe the specific acts and practices of the Minister that are covered, or that are not excluded.

73. The Office reiterates this suggestion.

Definition of ‘related bodies corporate'

74. The term ‘related bodies corporate' is not currently defined by the Privacy Act. The term draws its meaning from section 50 of the Corporations Act 2001. The Office suggests that consideration be given to amending the Privacy Act to make this connection clear. For example, the following definition could be included:

• related body corporate means a related body corporate within the meaning of section 50 of the Corporations Act 2001.

Chapter 3 - Office of the Privacy Commissioner's Structure

75. In DP 72, the ALRC describes the structure of the Office of the Privacy Commissioner as consisting of the Hotline Section, the Compliance Section, the Policy Section and Corporate and Public Affairs.[40]

76. However, the ‘Hotline Section' is located in the Compliance Section, and is now referred to as the ‘Enquiries Line.' In addition, the Office includes an Executive unit, incorporating the Commissioner, Deputy Commissioner, Assistant Commissioner and staff.

77. The Office requests that the ALRC's final report contain this information.

Proposal 3-10  The personal information of deceased individuals held by agencies should continue to be regulated by the Freedom of Information Act 1982 (Cth) and the Archives Act 1983 (Cth).

78. The Office supports proposal 3-10.

79. The Office notes that the current mechanisms set out under the under the Freedom of Information Act 1982 (Cth) (FOI Act) and the Archives Act 1983 (Cth) are established and familiar to agencies.

80. The Office also notes that in September 2007, the then Attorney-General, the Hon. Phillip Ruddock, asked the Australian Law Reform Commission (ALRC) to ‘ ...examine Freedom of Information (FOI) laws and practice across Australia including existing Commonwealth, State and Territory access laws and practices, with a view to better harmonising ...'[41] these laws and practices. The ALRC may like to further consider this issue under that review.

81. The Office suggests that the arrangements for the personal information of deceased individuals under the FOI Act and Archives Act should be consistent with the arrangement for this information under the Privacy Act. The Office has provided its view on what protections should be afforded to deceased records held by organisations in responses to the proposals below.

82. Further discussion of FOI matters can be found in chapters 12 and 33.

Proposal 3-11 The Privacy Act should be amended to include a new Part dealing with the personal information of individuals who have been dead for 30 years or less where the information is held by an organisation.

83. The Office supports the general principle underlying proposal 3-11 that some protections should be afforded to deceased persons' information when it is held by organisations. The Office submits that the model outlined in its previous submission remains preferable to that detailed in proposal 3-11. Each element of this proposal is discussed in turn below.

84. A key benefit of the Office's model is that it requires minimal amendment to the existing structure of the Privacy Act. It would not, for example, require a Part inserted into the legislation, merely a new provision in section 16C and relatively minor amendment to the principles.

85. The Office reiterates the views expressed in its submission to ALRC's IP 31 at question 3-5, that the protections afforded to deceased persons' information should be limited to health information.[42]

86. Currently, FOI legislation protects the personal information of deceased persons held by government agencies. The Office is not convinced that a clear rationale for privacy protection of deceased persons' personal information, held in the private sector, beyond the health context, has been made.

87. In its Private Sector Review, the Office made recommendations related to deceased individuals' personal information.[43]

88. The Office expanded on these recommendations in its submission to IP 31 in responding to question 3-5,[44] and recommended that the Privacy Act be amended to extend some privacy protections to the health information of people after their death. These included that:

• Health information of deceased persons should be covered by NPP 1 (collection) as appropriate (that is, notice would not apply), 2 (use and disclosure) and 4 (security) or their equivalents if a single set of principles were to be developed.
• In recognition that living individuals may have legitimate grounds for seeking to obtain the health records of deceased individuals, the NPPs should include a mechanism for providing such access in defined circumstances.
• Consideration should be given to adding a provision under NPP 2.4 to provide organisations with a discretion to disclose health information about deceased people to ‘a responsible person' (based on terms of NPP 2.5) in the same way in which health information about an individual who lacks capacity may currently be disclosed.
• The Office does not believe that a right of access to a deceased persons' health information should be available to a third-party (unless that third party is, as a matter of law, has legal authority to act on the deceased person's behalf).

89. In its consideration of deceased persons' information, the Office did not discuss the addition of a separate part to the Privacy Act dealing with the handling of personal information of deceased individuals. There did not, in the view of the Office, appear to be a strong need for a broader, more encompassing regime of privacy protection of deceased persons' information beyond the health context.

90. The Office suggested in its submission to IP 31, at question 3-5, that many individuals engage openly with their health care provider on the understanding that information about their health will continue to be handled in a dignified and respectful way after they are deceased, including by limiting who the information might be used or disclosed and for what purposes.

91. This accords with professional practice. For examples, the Office notes that the Declaration of Geneva (2006), adopted by the Australian Medical Association into its code of ethics,[45] provides that health service providers ‘... will respect the secrets that are confided in me, even after the patient has died'.

92. In a recent finding, the United Kingdom Information Tribunal has ruled that medical records of a dead woman should not be released, because there is still a duty of confidentiality in its contents following death.[46]

93. In its submission to IP 31, question 3-5, the Office also noted that health information about deceased individuals may cause embarrassment or distress to living individuals (such as where the deceased individuals may have had a stigmatising condition) and is therefore likely to warrant some protections.

94. The Office submits that the application of the discrete privacy principles related to the handling of deceased persons' health information can be prescribed by inserting a provision into the Privacy Act at section16C (which deals with the application of the NPPs). This provision could set out the circumstances in which the privacy principles dealing with the collection, use and disclosure and security of this information would apply.

95. The Office reiterates its support of an amendment to the Privacy Act to extend certain privacy protections to the health information of deceased individuals, including collection, use and disclosure and data security, IP 31, Chapter 3-5.

96. Further discussion of proposal 3-11 parts (a), (b), (c) and (d) follow.

The new Part should provide as follows:

(a) Use and disclosure

Organisations should be required to use or disclose the personal information of deceased individuals in accordance with the proposed ‘Use and Disclosure' principle in the UPPs. Where the principle requires consent, the organisation should be required to consider whether the proposed use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person.

97. In relation to proposal 3-11(a) on use and disclosure in the UPPs, the Office reiterates its support[47] for use and disclosure protections for deceased individual's health information.

98. The Office also notes that proposal 3-11(a) creates a requirement to ‘consider' whether an act would involve unreasonable use or disclosure. This requirement would operate as a substitute for those instances where consent would otherwise be sought from the individual. The Office does not support this model. Instead, ‘consent' could remain a valid exception under a use or disclosure principle, to be exercised by a legal representative of the deceased (such as an executor). This model would require no amendment to the principles.

99. In addition to suggesting that this ‘unreasonable use or disclosure' test is unnecessary, the Office submits that its construction is problematic. The Office submits that it is unclear whether organisations would also be required to act according to this consideration. In the absence of such a requirement, proposals 3-11(a) may be problematical for organisations in a way that is comparable to existing National Privacy Principle (NPP) 6.3.[48] As discussed in the Office's submission to IP 31, NPP 6.3 has been criticised for its lack of obligatory language - organisations are only required to ‘consider' whether an intermediary would be appropriate. This current proposal would appear to be open to the same risk.

100. In addition, the test in proposal 3-11(a) of an ‘unreasonable use or disclosure' appears unclear in its intent. Such a test would not seem to promote certainty or predictability in privacy regulation. This uncertainty would likely be exacerbated if the principle applied to all personal information. Personal information is innumerable in type, and may be handled in an equally wide range of circumstances. It is difficult to envisage how consistent interpretation and application could be applied to this test and how it could determine what is an ‘unreasonable' use or disclosure. While the Office supports principle- based law, this test would appear to be extremely difficult to assess in practice.

(b) Access

Organisations should be required to consider providing third parties with access to the personal information of deceased individuals in accordance with the access elements of the proposed ‘Access and Correction' principle in the UPPs.

Organisations should be required to consider in each case whether providing access to the information would have an unreasonable impact on the privacy of other individuals, including the deceased individual.

Creating a discretion to disclose rather than the provision of ‘access'

101. The Office has concerns with paragraph (b), including because it appears to misconstrue the notion of ‘access' under the Privacy Act. In the view of the Office, framing proposal 3-11(b) in terms of ‘access' to information by third parties is not appropriate. Under the current privacy principle regimes, ‘access' is a concept widely understood and familiar to agencies and organisations as an action specific to the person who is the subject of the personal information.

102. Further, ‘access' is constructed under the Privacy Act to create a positive right for individuals to know what information is held about them by organisations and agencies. Organisations and agencies may only deny it where such denial is specifically permitted by prescribed exceptions. This can be contrasted, for example, with the ‘use and disclosure' principle which creates discretions for parties to use or disclose the information.

103. Accordingly, the provision of a deceased person's information to a third party appears to sit more comfortably as an example of a ‘disclosure', rather than the provision of ‘access'. Further, the Office submits that the mechanism should be discretionary and, therefore, fit neatly as an exception to the ‘disclosure' principle.

Limiting to whom information may be disclosed

104. The Office notes that proposal 3-11(b) is significantly broader in scope than that envisaged by the Office in its submission to IP31. The issue of who would have standing to seek access under this provision is challenging from a privacy perspective in that it would appear that organisations ‘...should be required to consider providing third parties with access to personal information ...'.

105. This ‘access' provision proposed may unintentionally, in the view of the Office, enliven the Privacy Act beyond the intent of protecting individual privacy, to facilitate disclosure of deceased people's information in ways that individuals may not expect.

106. Although this may not be the intent, the proposal would appear to permit any organisation or person to ask for ‘access' to deceased individuals' personal information (including, for example, businesses and others, for commercial purposes). This would, in turn, appear to impose an onerous burden on organisations in that they must consider each and every request for access to a deceased person's personal information whatever its origin or basis in need.

107. In its submission to IP 31,[49] the Office suggested that, in the absence of express ‘access' provisions, a provision similar to NPP 2.4 could be enacted. This provision would permit the discretionary disclosure of a deceased individual's health information to a limited range of persons, such as relatives or persons ‘responsible' for the individual (defined in NPPs 2.5 and 2.6).

108. Further, the Office notes that proposal 3-11 does not provide for the regulation of ‘collection' of that information such as ensuring the information is necessary for a particular function or activity, or ensuring it is collected by fair means as suggested by the Office to IP31.[50] Protecting against unnecessary collection of personal information acts to pre-empt any possibility of later misuse.

109. The Office reiterates its argument in regard to providing particular protection to a deceased person's health information and its disclosure. That is, the disclosure of the deceased person's health information should only be made to a ‘responsible person' (based on the terms of NPP 2.5). In the Office's view, consideration should be given to amending NPP 2.4,[51] to allow for the disclosure of health information of a deceased person to take place in the same way in which health information about an individual who lacks capacity may currently be disclosed. By setting the parameters discussed in its submission to IP 31[52] the Office's proposed amended provisions would:

• limit the range of sectors and individuals that organisations would have to consider disclosing to and the information that organisations would have to consider disclosing;
• limit the type of information to be disclosed;
• limit the range of persons to whom health information might be disclosed to those ‘responsible' for the individual; and
• allow for a clearer focus by the organisation as to whether to then act on their consideration to disclose (i.e. what information to disclose and to whom).

110. As previously noted, it is unclear if the requirement to ‘consider' also confers an obligations on the organisation to then act on the consideration or whether action remains discretionary. In the view of the Office, the latter would be the ‘best privacy' choice. This would enable the organisation to consider each disclosure of health information on its merits, and then decide whether to disclose and what information should be disclosed.

111. It is also unclear in proposal 3-11(b) if an organisation would be in breach when it does not ‘consider' giving access, or when they do not provide access.

(c) Data quality

Organisations should be required to ensure that the personal information of deceased individuals is, with reference to a use or disclosure permitted under the UPPs, accurate, complete, up-to-date and relevant before they use or disclose the information.

112. The Office supports the intent of proposal 3-11(c).

113. However, in the view of the Office, this proposal may prove difficult to implement and impose unrealistic compliance expectations and costs on organisations. Organisations may not have the means of reliably and readily verifying, with the degree of certainty that proposal 3-11(c) appears to require, that the personal information they are about to use or disclose is about a deceased individual or whether the information is accurate, complete and up-to-date (because they cannot verify this, for example, with the individual the information is about).

114. The Office notes that the current NPP 3[53] on data quality requires that an organisation take ‘reasonable steps' to make sure that information it is about to use is accurate, complete and up-to-date. The Office suggests that consideration should be given to the inclusion of this term in proposal 3-11(c).

(d) Data security

Organisations should be required to take reasonable steps to protect the personal information of deceased individuals from misuse and loss and from unauthorised access, modification or disclosure.

Organisations should be required to take reasonable steps to destroy or render personal information of deceased individuals non-identifiable if it is no longer needed for any purpose permitted under the proposed UPPs.

115. The Office supports proposal 11-3(d) as it applies to a deceased individual's health information (as previously discussed in this section).

116. The proposal accords with the Office's response to IP31,[54] which supported data security provisions for a deceased individual's health information.

Organisations should be required to take reasonable steps to ensure that personal information of deceased individuals they disclose to a person pursuant to contract, or otherwise in connection with the provision of a service, is protected from being used or disclosed by that person otherwise than in accordance with the Privacy Act.

117. The Office supports proposal 11-3(c) in so far as it applies to the health information of a deceased person.

118. This proposal broadly reflects the Office's position in its submission to IP31, question 4-35, paragraph 187.[55]

Proposal 3-12 The proposed provisions dealing with the use or disclosure of personal information of deceased individuals should make clear that it is reasonable for an organisation to use or disclose genetic information to a genetic relative of a deceased individual where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative. Any use or disclosure of genetic information of deceased individuals should be in accordance with rules issued by the Privacy Commissioner.

119. The Office supports the intent of proposal 3-12. The Office submits that any rules made for the purpose of this proposal should be approved by the Privacy Commissioner, though issued by another appropriate body.

120. If the Privacy Act is amended to cover deceased individuals' personal information, the Office agrees that the Privacy Act should permit disclosures of deceased persons' genetic information in order to lessen or prevent serious threats to a genetic relative's life or health. However, it is not clear to the Office what circumstances would necessitate the inclusion of the term ‘safety' in this context.

121. In its submission to IP 31, the Office explained its view that it believes that the reference to 'life and health' of an individual provides an appropriately higher test for allowing an exception to non-disclosure and thus better privacy protection for individuals. The use of the term 'safety' could be problematic in this context as it is not clear if this term enhances the usefulness of the exception without lowering protections for individuals.'[56]

122. While rules or binding guidelines for such disclosures of genetic information would be appropriate it is also not clear to the Office that such rules should necessarily be issued by the Privacy Commissioner. The Office notes that the NHMRC is currently developing binding guidelines on genetic information to be approved by the Privacy Commissioner under section 95AA of the Privacy Act.[57]

123. Whether the Privacy Act should be extended to cover deceased individuals' personal information is discussed above at proposal 3-11. In its submission to IP 31, question 3-5[58] the Office submitted that certain privacy protections should be extended to deceased persons' health information given its sensitive nature and its potential impact on living individuals. These included protections on collection, use, disclosure and data security of this information.

124. The issue of discretionary disclosure of genetic information issue was the subject of amendments to the Privacy Act in 2006.[59] Those amendments enacted a new provision, NPP 2.1(ea), which states:

• if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:
• (i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and
• (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and
• (iii) in the case of disclosure-the recipient of the genetic information is a genetic relative of the individual; or

125. As noted above, in the Office's view, the existing arrangements under NPP 2.1(ea), involving binding guidelines issued by the National Health and Medical Research Council (NHMRC) and approved by the Privacy Commissioner, seem an appropriate means of regulating disclosures of genetic information to lessen or prevent serious threats to life or health.

126. The Office suggests that it would be relatively straightforward to extend the application of NPP 2.1(ea) to deceased persons' information, if the Privacy Act were extended to cover such information. In the Office's view, compelling arguments have not been raised to move away from the existing arrangement whereby the NHMRC develop guidelines and the Privacy Commissioner approves such guidelines. The Office discusses further the issue of the appropriate body to make these rules in chapters 56 and 57.

127. It should be noted that adopting the Office's approach of applying NPPs 1, 2 and 4 to deceased records would achieve the result of permitting disclosures under NPP 2.1(ea).

Proposal 3-13 Breach of the proposed provisions relating to the personal information of a deceased individual should be considered an interference with privacy under the Privacy Act. The following individuals should have standing to lodge a complaint with the Privacy Commissioner alleging an interference with the privacy of a deceased individual:

(a) in relation to an alleged breach of the use and disclosure, data quality or data security provisions, the deceased individual's parent, child or sibling who is at least 18 years old, spouse, de facto partner or legal personal representative; and

(b) in relation to an alleged breach of the access provision, any person who has made a request for access to the personal information of a deceased individual.

128. The Office agrees with paragraph (a) of proposal 3-13. The Office does not agree with paragraph (b) of proposal 3-13.

129. The Office agrees that a breach of the proposed provisions relating to a deceased individual's personal information should be considered an ‘interference with privacy' under the Privacy Act. In relation to the categories of standing to lodge a complaint with the Privacy Commissioner, the Office prefers the terms outlined in proposal 3-13(a), rather than the broad standing for ‘access' conferred in proposal 3-13(b).

130. In its submission to IP 31,[60] the Office submitted that standing for a privacy complaint about the handling of deceased people's health information should be limited to authorised persons and other individuals where standing is recognised at the discretion of the Privacy Commissioner. The Office also noted that discretionary disclosure provisions (similar to NPP 2.4) could be considered as an alternative to express ‘access' provisions for deceased people's information[61].

131. In relation to proposal 3-13(b), the Office submits that, in many cases, it may be inappropriate to consider a denial of ‘access' to a deceased individual's information as an interference with the privacy of the deceased. This is particularly the case, for example, if the interests of the requesting party are commercial rather than personal. Such a construction may not align with a general understanding of what an interference with privacy may entail.

132. Under the broad terms of 3-11(c) and 3-13(b), the Office notes that any person would appear to have standing to make a request for ‘access' - and make a complaint where the provision is breached - regardless of their interests or relationship (if any) to the individual themselves. In contrast, rights of ‘access' under the Privacy Act at present (and generally under the proposed UPPs) are exercisable only by the individual themselves, or their authorised representative as discussed under 3-11 above.

133. The Office has discussed above its concerns about the proposal for an ‘access' mechanism made in DP 72, specifically at proposal 3-11(b).

CHAPTER 4

ACHIEVING NATIONAL CONSISTENCY

Proposal 4-1 The Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by organisations. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations:

(a) Health Records and Information Privacy Act 2002 (NSW);

(b) Health Records Act 2001 (Vic);

(c) Health Records (Privacy and Access) Act 1997 (ACT); and

(d) any other laws prescribed in the regulations.

1. The Office supports the importance of achieving national uniformity in privacy regulation in the private sector and recognises that proposal 4-1 provides one means of achieving such uniformity.

2. As stated in its submission on ALRC IP 31, the Office believes that section 3 of the Privacy Act 1988 (Cth) (Privacy Act) should be amended to clarify that it ‘covers the field' in regard to personal information privacy in the private sector.[62]

3. The Office notes that DP 72 has proposed an alternate model based on section 16(1) of the Workplace Relations Act 1996 (Cth), which states that the Act is intended to apply to the exclusion of a number of listed laws of a state and territory so far as they would otherwise apply in relation to an ‘employee' or ‘employer'.

4. The Office notes the ALRC's view that the Commonwealth could legislate to cover state and territory public sector agencies, with some exceptions.[63]

Proposal 4-2 States and territories with information privacy legislation that purports to apply to private sector organisations should amend that legislation so that it is no longer expressed to apply to private sector organisations.

5. The Office agrees with this proposal.

Proposal 4-3 The Privacy Act should not apply to the exclusion of a law of a state or territory so far as the law deals with any ‘non-excluded matters' set out in the legislation. The Australian Government, in consultation with state and territory governments, should develop a list of ‘non-excluded matters', for example matters such as:

(a) reporting for child protection purposes;

(b) reporting for public health purposes; and

(c) the handling of personal information by state and territory government contractors.

6. While the Office recognises the importance of ensuring that organisations satisfy state and territory laws of this type, the Office is unsure of the merits of this proposal.

7. Laws of the type described are generally mandatory, and will therefore fall clearly under the various ‘required by law' exceptions. Prescribing a list of non-excluded matters may promote confusion as to the status of those state and territory laws that may otherwise satisfy a ‘required or authorised' (or specifically authorised) exception in the privacy principles, but which are not include on the prescribed list.

8. Accordingly, the Office suggests that the non-excluded matters list may have the opposite effect to that intended by creating unnecessary uncertainty.

Implications of introducing a ‘specifically authorised by law' test

9. The Office recognises that if the various ‘required or authorised by law' exceptions are amended to include the expression ‘specifically authorised' then this will alter whether some state and territory laws may be relied upon to satisfy such exceptions. As discussed in chapters 13 and 22 of this submission, the Office believes that such a narrowing in the scope of the exceptions is appropriate and consistent with the intention of Parliament in enacting the National Privacy Principles (NPPs).

10. If this test were amended to ‘required or specifically authorised', then non-excluded matters might not always fall within these exceptions if the relevant legislation was neither mandatory (and thus met the ‘required by law' element) or specific.

11. However, in the Office's view, the type of laws envisaged in this proposal will generally have such clear public interest that they will either be mandatory (and therefore meet the ‘required by law' test) or will specifically authorise information handling practices. Accordingly, the Office does not believe that it is necessary to prescribe non-excluded matters to ensure that such matters are not inadvertently excluded from an amended ‘required or specifically authorised by law' test.

Proposal 4-4 The states and territories should enact legislation that regulates the handling of personal information in that state or territory's public sector that:

(a) applies the proposed Unified Privacy Principles (UPPs) and the proposed Privacy (Health Information) Regulations as in force under the Privacy Act from time to time; and

(b) includes at a minimum:

(i) relevant definitions used in the Privacy Act (including ‘personal information', ‘sensitive information' and ‘health information');

(ii) provisions allowing public interest determinations and temporary public interest determinations;

(iii) provisions relating to state and territory incorporated bodies (including statutory corporations);

(iv) provisions relating to state and territory government contracts; and

(v) provisions relating to data breach notification.

The legislation also should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territory's public sector.

12. The Office agrees with the policy intent and most elements of this proposal. In regard to paragraph (a), as discussed in response to proposal 56-2, the Office believes it would be preferable for health privacy amendments to be incorporated into the privacy principles themselves, rather than sit beside them in a separate instrument.

13. The Office is very supportive of national consistency but submits that it will be vital to adopt a mechanism that is likely to achieve consistency in practice. There are two elements to this in particular. Firstly, all states and territories adopting the proposed UPPs and the same definitions is fundamental to consistency, but the other elements, while desirable, are not crucial to consistency. Achieving agreement on those elements should not hold up agreement on the UPPs and definitions. Secondly, the cooperative scheme procedures may, in practice, introduce complexities that may work against achieving national consistency.

Proposal 4-5 The Australian Government should initiate a review in five years to consider whether the proposed Commonwealth-state cooperative scheme has been effective in achieving national consistency. This review should consider whether it would be more effective for the Australian Parliament to exercise its legislative power in relation to information privacy in the state and territory public sectors.

14. The Office agrees with this proposal.

15. As the Office has argued previously, national consistency in privacy regulation is an important objective. The Office supports the ALRC's suggestion that national consistency initially be pursued through a cooperative scheme. However, if this approach is unsuccessful, it should be left open for the Australian Government to consider whether it would be more effective for national consistency to be progressed through the powers of the Australian Parliament.

Proposal 4-6 To promote and maintain uniformity, the Standing Committee of Attorneys-General (SCAG) should adopt an intergovernmental agreement which provides that any proposed changes to the proposed:

(a) UPPs must be approved by SCAG; and

(b) Privacy (Health Information) Regulations must be approved by SCAG, in consultation with the Australian Health Ministers' Advisory Council (AHMAC).

The agreement should provide for a procedure whereby the party proposing a change requiring approval must give notice in writing to the other parties to the agreement, and the proposed amendment must be considered and approved by SCAG before being implemented.

16. The Office supports this approach to the extent that states and territories agree to progress the other proposals that would have a more substantive effect on promoting national consistency in privacy regulation, particularly proposal 4-4. It would seem redundant for the Attorneys-General of the states and territories to be consulted on proposed UPP amendments if such amendments would have little material bearing on their jurisdictions. This consultative mechanism only seems relevant to the extent that the state and territories had undertaken to enact the privacy principles for their own public services.

17. In regard to paragraph (b), as discussed in response to question 56-2, the Office would prefer that specific health privacy regulation sit within the privacy principles, rather than in a separate instrument. Regardless of where these health specific matters are located, the Office would suggest that any consultative mechanism with the Australian Health Ministers' Advisory Council (AHMAC) should also be dependent on jurisdictions agreeing to pursue consistent principles.

18. The Office notes that paragraph (a) envisages that deliberation be conducted by a Ministerial council in the form of the Standing Committee of Attorneys-General. The consultative body proposed in paragraph (b), where health privacy is involved, is not a Ministerial council. The ALRC might usefully consider whether this consultative body should be the Australian Health Ministers' Conference, comprising the health minsters of all Australian jurisdictions.[64]

19. The agreement could also usefully establish a consultative process where states and territories propose to amend their own privacy regulation.

Proposal 4-7 The Standing Committee of Attorneys-General should be assisted by an expert advisory committee to:

(a) provide advice in relation to the amendment of the proposed UPPs and Privacy (Health Information) Regulations;

(b) address issues related to national consistency such as the scrutiny of federal, state and territory bills that may adversely impact on national consistency in the regulation of personal information; and

(c) address issues related to the enforcement of privacy laws, including information sharing between privacy regulators and cooperative arrangements for enforcement.

Appointments to the expert advisory committee should ensure a balanced and broad-based range of expertise, experience and perspectives relevant to the regulation of personal information. The appointments process should involve consultation with state and territory governments, business, privacy and consumer advocates and other stakeholders.

20. While the Office supports the intent of this proposal, it does support the establishment of an expert committee. Such a committee would seem unnecessary and may add to bureaucratic complexity. Instead, the Office suggests that existing bodies, such as the administering agencies for Australian, state and territory information privacy laws, would be well placed to provide advice on the issues listed. Where SCAG has a particular issue drawn to its attention, its deliberations should be informed by broadbased consultation with all stakeholders. An expert committee may raise the risk that it is relied upon as a substitute for such consultation.

CHAPTER 5

PROTECTION OF A RIGHT TO PERSONAL PRIVACY

Proposal 5-1 The Privacy Act should be amended to provide for a statutory cause of action for invasion of privacy.  The Act should contain a non-exhaustive list of the types of invasion that fall within the cause of action.  For example, an invasion of privacy may occur where:

(a)  there has been an interference with an individual's home or family life;

(b)  an individual has been subjected to unauthorised surveillance;

(c)  an individual's correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed; or

(d)  sensitive facts relating to an individual's private life have been disclosed.

The statutory cause of action

1. The Office generally supports the proposal that a statutory cause of action be included in the Privacy Act 1988 (Cth) (Privacy Act). This proposal accords with the Office's submission to the ALRC's Issues Paper 31 (IP 31).[65]

2. In chapter 12,[66] the ALRC proposes that rather than extending the confidentiality provisions of Part VI of the Privacy Act, it is more appropriate to enact a new statutory cause of action for the invasion of privacy of individuals (statutory cause of action). The Office agrees with this view.

3. The Office believes that such a development would clearly establish that privacy is an important human right that warrants specific recognition and protection within the Australian community, and in a way that accords with the community's expectations and understanding of the meaning of ‘privacy'. The Office reiterates its view that a dedicated privacy based cause of action could serve to complement the already existing legislative based protections afforded to individuals and address some gaps that currently exist both in the common law and legislation.

4. The ALRC proposes that the statutory cause of action should be in federal legislation and cover Australian Government agencies, organisations and individuals. Moreover, state and territory public sector agencies should be covered, according to the ALRC, until such time as uniform state and territory legislation is enacted. This proposal is generally consistent with the Office's submission to IP 31, that it would be preferable to introduce a statutory cause of action in a uniform manner across Australia to avoid fragmentation, inconsistencies and ‘forum shopping' (see also proposal 5-7 below).

5. In the Office's response to IP 31, it noted that the location of the statutory cause of action should depend on the role (if any) played by the Privacy Commissioner. The ALRC has proposed in DP 72 that the statutory cause of action be located in the Privacy Act, which it says is the preferred outcome of a majority of those who supported the proposal and will more accurately reflect the title of the Act. The ALRC suggests that guidance relating to the privacy principles issued by the Office may be a relevant factor in determining not only whether the privacy principles have been breached but also if the statutory cause of action has been made. Moreover, the ALRC states that the Office should play a role in educating the public about the existence of the statutory cause of action. Locating the statutory cause of action in the Privacy Act also promotes Australia's obligations under article 17 of the International Covenant on Civil and Political Rights, according to the ALRC. In light of these reasons, the Office submits that the Privacy Act is the appropriate location for the statutory cause of action.

6. The Office agrees with the ALRC[67] that an individual should be able to choose whether to lodge a complaint or initiate the statutory cause of action depending on which approach is most suitable for the particular circumstances. The statutory cause of action, however, will be broader than information privacy protection in an institutional setting. The choice of forum empowers individual choice and has parallels with the current structure of the Privacy Act which permits the same facts to give rise to an interference of privacy of an individual by businesses under the NPPs, TFN Guidelines or the credit reporting provisions in Part IIIA.

7. The ALRC notes that if pursuing both the statutory cause of action and complaint simultaneouslyis unfair to the respondent, the proceedings in one forum may be stayed pending the outcome in the other forum.[68] The Office notes that it is unclear how the test of unfairness to stay proceedings will be formulated and whether the court or some other body will determine whether a proceeding is unfair.

8. The Office suggests that the proposal would benefit from greater clarity and that careful consideration be given as to how this aspect of the statutory cause of action will work.The Office suggests that if the test of unfairness only relates to a stay of proceedings in terms of a statutory course of action, this option may be costly and complex for respondents, particularly if it means that a respondent is required to apply to a court to invoke the stay of proceedings.It could alsoadd to the complexity ofthe compliance functions in the Privacy Act.

9. In relation to the staying of a complaint where there is a simultaneous proceeding on foot for a statutory cause of action, the ALRC may wish to consider whether to model the proposal along the lines of that existing in section 41(e) of the Privacy Act subject to appropriate modifications. Under those provisions, the Privacy Commissioner (or delegate) may decline to investigate (or cease investigating) a complaint if the act or practice is the subject of an application under another Commonwealth law (in this case the statutory cause of action) and the subject matter of the complaint is being, or has been, dealt with adequately under that law.

10. The Office agrees that the Privacy Act should contain a non-exhaustive list of the types of invasion of privacy that fall within the cause of action. This aspect of the proposal is consistent with the Office's submission to the NSW Law Reform Commission's (NSWLRC) inquiry into the invasion of privacy.[69] The Office submits that this allows scope for flexibility in the development of the law and its application to different contexts, while at the same time providing some guidance as to the scope that such a cause of action would cover.

11. The Office notes that issues of bodily or territorial privacy have not been specifically included in the list of examples (see proposal 5-1 (a) to (d) above) except perhaps indirectly by reference to an interference with a person's home or family life or unauthorised surveillance. The Office notes that it may be useful for the ALRC to consider whether the inclusion of other aspects of personal privacy may result in a more comprehensive list of circumstances in which an individual can bring an action.

12. The Office supports the ALRC's view[70] not to include three possible types of invasion of privacy suggested by the NSWLRC, which appear to fall within doctrines other than privacy.[71] Those suggestions are:

• an unlawful attack on a person's honour and reputation;
• placing a person in a false light; or
• using a person's identity, likeness or voice without authority or consent.

Proposal 5-2  The Privacy Act should provide that, in determining what is considered ‘private' for the purpose of establishing liability under the proposed statutory cause of action, a plaintiff must show that in all the circumstances:

(a) there is a reasonable expectation of privacy; and

(b)  the act complained of is sufficiently serious to cause substantial offence to a person of ordinary sensibilities.

13. The Office supports aspects of the elements of the cause of action. It supports a requirement for a plaintiff to show that in all the circumstances there is a reasonable expectation of privacy. In relation to the second element that the alleged wrong doing is sufficiently serious to cause ‘substantial offence' to a person of ordinary sensibilities, the Office submits the following remarks.

14. The Office supports the requirement that the test of ‘substantial offence' should be measured by an objective standard as proposed.

15. The Office has previously commented in its submission to the NSWLRC's Inquiry into the invasion of privacy that a test of ‘highly offensive' to a reasonable person of ordinary sensibilities' as unattainable in many cases and may excessively limit individuals from bringing an action.[72]

16. The Office observes similarly that the requirement of ‘substantial offence' could be interpreted in a way as to make the cause of action inaccessible in what could be a meritorious case. The Office submits that if this aspect of the test is retained, the ALRC in its final report should give examples illustrating how the test may apply in practice.

Proposal 5-3 the Privacy Act should provide that: 

(a)  only natural persons should be allowed to bring an action under the Privacy Act for invasion of privacy;

(b)  the action is actionable without proof of damage;  and

(c)  the action is restricted to intentional or reckless acts on the part of the defendant.

17. The Office agrees that only natural persons should be entitled to bring an action for invasion of privacy. This view is consistent with the Office's submission to IP 31 that privacy rights should not be provided to commercial or other entities.[73] Such an outcome would be inconsistent with privacy's status as a human right.

18. The Office agrees that the cause of action should be actionable without proof of damage. The Office accepts the ALRC's view[74] that as privacy is a human right that a breach of such a right should not be dependant on proof of damage flowing from the breach.

19. The Office agrees that the cause of action should be fault based and restricted to intentional and reckless acts (but not negligent or accidental) acts of the defendant. It accepts the NSWLRC's view that this limitation will assist to define the scope of the cause of action, and will assist to negate some of the uncertainty inherent in the concept of a general right to privacy.[75]

Power to seek leave to appear or the amicus curiae role

20. The ALRC may wish to consider whether the Privacy Commissioner in the role of amicus curiae should have the power in the Privacy Act to intervene in court proceedings in appropriate cases relating to the statutory cause of action.[76] An amicus does not play an adversarial role in the proceedings but appears to assist the court in a way that the court would not have otherwise been assisted.[77] Such a provision would be similar to that currently provided in section 46PV of the Human Rights and Equal Opportunity Commission Act (1986). Leave to appear would be at the discretion of the court.

21. The circumstances in which the Privacy Commissioner may seek leave to appear in an appropriate case could include where:

• the proceedings have significant implications for the administration of the Privacy Act;
• the Privacy Commissioner is of the opinion that an order of the court may affect to a significant extent the privacy of individuals who are not party to the proceedings;
• the proceedings involve special circumstances such that the Privacy Commissioner is of the opinion that it is in the public interest for the Commissioner to assist the court as amicus; or
• the Privacy Commissioner is of the view that intervention in the proceedings would clarify a disputed interpretation of the law.

Proposal 5-4 The Office of the Privacy Commissioner should provide information to the public concerning the proposed statutory cause of action for invasion of privacy.

22. The Office agrees with this proposal.

Proposal 5-5   The range of defences to the proposed statutory cause of action for invasion of privacy provided for in the Privacy Act should be listed exhaustively.  The defences should include that the:

(a)  act or conduct was incidental to the exercise of a lawful right of defence of person or property;

(b)  act or conduct was required or specifically authorised by or under law;

(c)  information disclosed was a matter of public interest or was a fair comment on a matter of public interest; or

(d)  disclosure of the information was, under the law of defamation, privileged.

23. The Office agrees with the list of defences to the proposed statutory cause of action.

24. The Office agrees with the proposal that the list of proposed defences should be listed exhaustively. This will assist in reducing uncertainty and complexity in interpreting the provisions relating to the availability of defences.

25. The Office considers that the proposed defence of public interest or fair comment, which includes freedom of expression, is an important one. In the Office's view, the defence reflects the fact that privacy is not an absolute right and should be balanced with other human rights and social interests that compete with privacy. The Office notes that when the defence is raised the court will be required to determine, in all the circumstances, whether the public interest being asserted outweighs the individual's right to privacy.

26. The Office agrees with the ALRC's view that the Privacy Act should not fetter a government's discretion to require or authorise that personal information be handled in a particular way. The Office discusses the scope of this exception in relation to the proposed Unified Privacy Principles (UPPs) in the answer to question 13-1.

27. The Office notes the ALRC's view that consent, whether expressly or impliedly given by the plaintiff or person entitled to consent on the individual's behalf, is dealt with under each of the elements of the cause of action rather than as a defence to the cause of action. Specifically, the role of consent will be a factor in considering whether there has been a reasonable expectation of privacy or when determining whether the act complained of is sufficiently serious to cause substantial offence to a person of ordinary sensibilities.

Question 5-1 In addition to the defences listed in Proposal 5-5, are there any other defences that should apply to the proposed statutory cause of action for invasion of privacy?

28. The Office is not aware of a compelling case for any other defences to be applied to the proposed statutory cause of action.

Proposal 5-6 To address an invasion of privacy, the court should be empowered by the Privacy Act to choose the remedy that is most appropriate in all the circumstances, free from the jurisdictional constraints that may apply to that remedy in the general law.  For example, the court should be empowered to grant any one or more of the following:

(a)  damages, including aggravated damages, but not exemplary damages;

(b) an account of profits;

(c) an injunction;

(d) an order requiring the defendant to apologise to the plaintiff;

(e) a correction order;

(f) an order for the delivery up and destruction of material;

(g) a declaration; and

(h) other remedies or orders that the court thinks appropriate in the circumstances.

29. The Office agrees with the list of remedies proposed. In addition, apart from listed statutory remedies that a court should be able to award to a plaintiff under the statutory cause of action, it should be permitted to make ancillary orders, such as property preservation orders and search orders.

30. The Office supports the views of the ALRC and the NSWLRC that the court should be able to apply a remedy that is most appropriate to the circumstances of the case without being limited by the jurisdictional restraints that may apply under the general law.[78] As the NSWLRC observes, these limitations have developed because of the historical origins of the remedies in the separate courts of equity and the courts of common law rather than due to inadequacy of the particular remedy.[79]

31. It has been held that the principles which are relevant to an award of compensation in section 52 of the Privacy Act include the following:[80]

• the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute.
• that there is no conflict between the principles in tort law and the provisions of section52 of the Privacy Act in measuring damages.
• in an appropriate case, aggravated damages[81] may be awarded.

32. The proposal for the Court to have the power in the Privacy Act to award damages including aggravated damages (but not exemplary damages) to address an invasion of privacy under the statutory cause of action is consistent with the assessment of damages under the Commissioner's existing determination making power in section 52 of the Act.

Proposal 5-7 Until such time as the states and territories enact uniform legislation, the state and territory public sectors should be subject to the proposed statutory cause of action for invasion of privacy in the Privacy Act.

33. The Office agrees with the proposal. This proposal is generally consistent with the Office's submission to IP 31, that it would be preferable to introduce a statutory cause of action in a uniform manner across Australia to avoid fragmentation, inconsistencies and ‘forum shopping'.

[14] Office of the Privacy Commissioner, Submission to Issues Paper 31 (February 2007), question 1-1(iii), available at http://www.privacy.gov.au/publications/alrc280207.html.

[15] Available on the Office's website at http://www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_79.49.pdf.

[16] See the Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31, February 2007, Chapters 2, 4 and 7, available at http://www.privacy.gov.au/publications/alrc280207.html.

[17] Ombudsman Act 1976 (section 38), the Human Rights And Equal Opportunity Commission Act 1986 (section 50) and the Trade Practices Act 1972 (section 172). 

[18] Paragraph 1.12.

[19] The Office's views on regulation making powers for credit reporting are discussed in Part G of this submission, and for health information in chapters 4, 56 and 57.

[20] Question 3-1, paragraph 3 at p 79, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L15471.

[21] Question 3-2 available at http://www.privacy.gov.au/publications/submissions/alrc/c3.html#L15502.

[22] Chapter 3, paragraph 12 at p 80, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Australian.

[23] Australian Law Reform Commission, Review of the Australian Privacy Act: Discussion Paper 72, paragraph 3.68 at p 186.

[24] Question 3-3, paragraph 14 at p 81, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L15560.

[25] Question 3-3, paragraph 15 at p 82, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L15560.

[26] Chapter 1, paragraph 22 at p 68, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L15220.

[27] The Bills Digest for the Privacy (Private Sector) Amendment Bill 2000 explains that ‘...technological developments have also given rise to more pragmatic economic and trade pressures, which make privacy protection a matter of concern to businesses as well as consumers.' In the second reading speech for the same bill, the then Attorney-General explained that the bill:

‘...will provide comprehensive privacy benchmarks for the handling of personal information by the private sector and will ensure that Australia is well placed to take full advantage of the opportunities presented by electronic commerce.'

(The Hon Daryl Williams, Privacy Amendment (Private Sector) Bill 2000: Second Reading, 8 November 2000, available at http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDR&Criteria=DOC_DATE:2000-11-08%3BSEQ_NUM:8%3B.)

[28] Chapter 8, paragraph 10 at  p 279, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Importance.

[29] Chapter 8, paragraph 368 at p 348, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L22420.

[30] Office of the Privacy Commissioner, Private Sector Review, p 257, available at http://www.privacy.gov.au/act/review/review2005.htm#8_5.

[31] Chapter 3, paragraph 26 at p 84, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L15597.

[32] Australian Law Reform Commission, Review of Australian Privacy Law: Discussion Paper 72, paragraph 3.172 at p 214.

[33] Australian Law Reform Commission, Review of the Australian Privacy Act: Discussion Paper 72, paragraph 3.182 at 217.

[34] Chapter 3, paragraphs 36-37 at p 86.  Available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Consistenc.

[35] Australian Law Reform Commission, Review o