1. The Office agrees with the proposal that a longitudinal study representative of the Australian population, using both qualitative and quantitative methods and including participants under the age of eighteen, would add significant value to the body of evidence underpinning privacy policy and regulation.
2. Such research would also enhance the Office's existing role in:
3. It is unclear why the ALRC's Discussion Paper (DP 72) suggests the Office is not an appropriate body to conduct or commission such a study[584]. There are various prescribed functions of the Privacy Commissioner under section 27 of the Privacy Act that would support the Office undertaking research of this type and providing the Minister with advice on its findings. Research of this type may help to ensure that the Government, and other stakeholders, are kept informed about significant societal changes that may impact on Australians' understanding of their rights and responsibilities under the Privacy Act. Such changes may in turn require an informed response based on sound evidence gained through various forms of enquiry, including formal research (For further information on the role and functions of the Privacy Commissioner refer to Section 27 of the Privacy Act[585] or visit the Office's website).[586]
4. Accordingly, the Office should play a central part in the overall management of such a large scale study of the attitudes and behaviours of Australians with respect to privacy. As this is to be a longitudinal study, strategic input by the Office at the planning stages will be of particular importance.
5. The Office agrees with proposal 59-2 that it should develop and publish educational material aimed at informing children and young people about privacy issues. The ALRC notes that children and young people need a sound foundation from which to make informed decisions about protecting their own privacy and about how their information should be handled.
6. Available evidence suggests that more effort needs to be directed to ensuring young people gain the skills needed to make sensible decisions around privacy and to understand their rights and obligations under privacy legislation. Results from the Office's 2007 Community Attitudes Survey suggested that while awareness of privacy issues has increased overall in comparison to 2004, younger respondents (in this case, aged 18-24) continue to be less aware of their privacy rights than older respondents.[587] This may correspond with levels of awareness of legal rights more generally.
7. Further, in the case of online social networking, the ALRC cites anecdotal evidence that young people's main source of privacy information is their peers, who ‘do not always know or pass on the important safety and privacy awareness tips that need to be learned'.[588]
8. The popularity of online social networking sites has been accompanied by a growing public discourse on the potential privacy risks of these social networking activities, as well as steps that individuals and organisations might take to minimise the risks.
9. For example, the issue of identity and information theft was recently the subject of an online experiment by an IT security company in which a fictional character sent out 200 ‘friend' requests (invitations to strangers to become friends for online social networking purposes). The experiment found that 41 percent of the 200 Facebook users who were approached revealed personal information, such as email address, date of birth and phone number, to the fictional character.[589]
10. The proliferation of online social networking activities and associated privacy risks, coupled with the fact that young users are less aware of the risks, suggests it is important for the Office to increase its activities aimed at raising privacy awareness among children and young people.[590]
11. The Office agrees in principle with the proposal that NetAlert, in consultation with stakeholders, include specific guidance on the use of social networking sites.
12. In its earlier submission to Issues Paper (IP) 31, the Office suggested that the protection of children's privacy in an online environment be addressed through measures such as industry-targeted legislation, a binding code of conduct or an industry standard.[591] At the same time, the Office recognises the importance of targeted consumer education to increase awareness.
13. As discussed in section 59-2, the Office believes it should play a central role in the development of educational material on internet privacy. As such, the Office would work collaboratively with NetAlert to ensure development of appropriate guidance for young internet users on privacy issues in a social networking context.
14. The Office agrees in principle with the proposal that privacy training resources should be incorporated into state and territory school curricula. Taken in parallel with proposal 59-2, this could entail development of online learning and teaching resources that can be readily accessed by boards of study, teachers and students.
15. The Office notes that the 2007 round of Australian Research Council (ARC) Linkage Projects scheme includes a three year Queensland University of Technology study titled: Cyber bullying: An evidence-based approach to the application and reform of law, policy and practice in schools.[592]
16. The Office welcomes and encourages initiatives which bring the research community together with other key education stakeholders to deepen understanding of key and emerging issues and educational needs facing young people.
17. In collaboration with equivalent agencies in the states and territories, the Office could assist education departments to develop resources aimed at promoting awareness and understanding of the interaction between open sources of information, such as the internet, and the responsibility of all Australians to respect the privacy of others. This is consistent with the Office's statutory function under section 27(1)(m), and with the Office's strategic plan.
1. The Office supports the general intention of this proposal. However, the Office considers that the current wording of the proposal is unclear and needs further consideration. In particular, it is not clear that an individual assessment must be conducted, wherever practicable, for young people aged 15 or over.
Need for greater clarity on the requirement for individual assessment of young people over the age of 15
2. As the Office understands it, it is intended that the age of presumption would be a supplementary measure only applying in circumstances where it is not practicable to conduct an individual assessment. This accords with the ALRC's statement ‘...[i]n all circumstances where an individual assessment is possible, any individual under the age of 18 should be assessed to determine if he or she has the capacity to give consent, make a request or exercise a right of access under the Act.'[593]
3. However, the ALRC has proposed in paragraph (a), that ‘an individual aged 15 or over is assumed to be capable of giving consent, making a request or exercising a right of access unless found to be incapable ...'. This wording does not make it clear that an agency or organisation must, wherever practicable, conduct an individual assessment to determine the capacity of young people aged 15 or over (that is, aged 15 to 17 years).
4. The Office suggests that, in its final report, the ALRC reconsider the wording of (a) to make it clear that an individual assessment of capacity must be undertaken, wherever practicable, for young people aged 15 or over.
The Office's approach
5. The Office maintains the view that, wherever practicable, capacity of young people should be assessed on an individual basis, rather than upon attaining a prescribed age. As discussed in the Office's response to IP 31, this ensures that mature and capable young people are permitted to make decisions about the handling of their personal information, rather than being constrained by an arbitrarily imposed age of capacity.[594] The Office considers that this approach to the privacy of young people is appropriate and has worked effectively in most contexts.
6. The Office recognises, however, that decisions relating to personal information arise in a wide variety of contexts, some of which do not allow for individual assessment by the relevant agency or organisation. In particular, individual assessment of capacity is difficult in an on-line environment. The Office agrees that setting a minimum age, to be used only where individual assessment is not practicable, would have the benefit of protecting those under that age by requiring an authorised representative to make decisions on their behalf.
7. As the ALRC acknowledges, however, there is a risk that setting an age of presumption in the legislation may have an adverse effect on the system of individual assessment. In particular, agencies and organisations might apply the age as the default determinant of whether a young person has capacity, with individual assessment only undertaken in exceptional circumstances.
8. The ALRC notes that there is a need for guidance material that encourages individual assessment to be undertaken properly. However, the Office suggests that the wording in paragraph (b) be altered to clarify that the provision would create an obligation that an assessment of an individual's capacity aged under 14 ‘must' be taken, ‘where reasonable and practicable'.
9. Whether it is ‘reasonable and practicable' to assess an individual's capacity, aged under 14, might be influenced by such factors as the personal information in question, the proposed handling of that information, the degree to which appropriately skilled staff are able to conduct the assessment, and how much younger than 14 the child is. For example, in absence of evidence that they may have decision making capacity, it is unlikely to seem reasonable to conduct an assessment of a 7 year old child.
Age and capacity authentication in an online environment
10. The Office notes that there remain particular challenges raised when trying to authenticate attributes, such as age or capacity, in online environments. As the Office understands it, effective mechanisms for authenticating the age of children and young people online remain formative and relatively unproven. The online verification of capacity would likely add further complexity.
11. The Australian Communications and Media Authority (ACMA) is currently preparing a draft Restricted Access System Declaration (RAS Declaration) that will require hosting service providers to verify that individuals seeking access to internet and mobile content that is or would be classified MA15+ and R18+ are at least 18 years old.[595] The draft RAS Declaration requires that a hosting service provider must have an age verification plan, comprising a risk analysis, age verification measures and quality assurance measures. The draft RAS Declaration does not prescribe how age verification should be achieved.
12. Many existing forms of age verification are unreliable in an online environment. For example, the provision of credit card details only verifies that an individual has sourced a valid credit card number (whether legitimately or not) - it does not verify that the individual entering the data is a given age (nor even the cardholder). The provision of valid birth certificate details is prone to the same weakness that it does not actually verify who is providing the details. Systems which request individuals to enter their age or dates of birth are inherently unreliable as individuals can simply misrepresent their true details. While DP 72 offers some support for the US approach enacted in the Children's Online Privacy Act 1998 (COPPA),[596] the Office is less convinced that this offers opportunity to progress solutions to age (or capacity) authentication (indeed, COPPA prescribes that an individual younger than 13 can not have capacity).[597]
13. The Office is aware of various developments in online authentication, stemming largely from the need to authenticate identity in an online context, including for the purpose of so-called ‘federated' models of identity management.[598] At least some of these systems are premised on a single trusted third-party providing authentication to individuals, who are then issued with digital certificates for use in an online environment. This current inquiry could usefully contribute to promoting work aimed at developing models for online authentication of age or capacity (or, indeed, any given characteristic that may need to be authenticated online).
14. In the Office's view, while it may be beyond the terms of this current inquiry to develop a model of online age and capacity authentication, the final report could usefully offer options as to how solutions could be progressed.
15. The Office agrees with proposal 60-2.
16. The Privacy Act is currently expressed only in terms of the individual. In the Office's view, legal representatives, such as parents of young children are implicitly recognised as able to exercise rights on behalf of the individual as they are ‘standing in the individual's shoes'. It is likely to promote certainty by expressly recognising this in the Privacy Act.
17. Issues relating to the definition of ‘authorised representative' are discussed in this submission in response to proposal 61-2 and question 61-2.
18. The Office considers that the meaning and scope of the term ‘any other circumstance' is potentially very broad and there is a risk therefore that the term could be interpreted in a way that was not intended by the ALRC. The Office suggests that, in its final report, the ALRC clearly indicate the scope of this term, which could also be usefully described in any explanatory material that might accompany legislation giving effect to this proposal.
19. The Office agrees with proposal 60-3.
20. The proposal is in line with the Office's position in its submission to IP 31.[599]
21. The Office agrees in principle with proposal 60-4.
22. However, the Office notes that the phrase ‘from the information available' is imprecise, and could be interpreted to cover situations where information about an individual's age has not been sought. As the ALRC notes in IP 31, in the US, operators of general websites do not have to comply with COPPA without ‘actual knowledge' of the age of the child, and so can evade the rule simply by not asking the age of the person submitting personal information.[600] The ALRC may therefore wish to consider wording which makes clear that the onus is on the agency or organisation to exercise due diligence in determining if an individual is aged 14 or under.
23. The ALRC comments that the proposed limitation on the liability of an agency is intended to cover situations where the individual deliberately avoided or misled the agency or organisation. The Office is concerned that given the lack of effective online age verification mechanisms this could lead to significant instances where limited liability is invoked. As discussed in response to proposal 60-1, one of the main problems with the operation of COPPA is that it is easy for children to circumvent the law by lying about their age or opening email accounts in their parent's name.
24. This reinforces the need for a robust age verification mechanism system that limits the potential for young persons to deliberately mislead an agency or organisation about their age.
25. The Office agrees with proposal 60-5.
26. The proposal is consistent with the requirements of National Privacy Principle (NPP) 5 and good privacy practice.
27. The Office agrees with proposal 60-6.
28. The proposal is consistent with good privacy practice.
29. The Office agrees with proposal 60-7 to the extent that it applies to those private schools that fall within the coverage of the NPPs.
30. The proposal is consistent with NPP 5.1 and good privacy practice.
31. The Office agrees in principle with proposal 60-8, if proposal 38-2 (relating to establishment of criteria for assessing the adequacy of media privacy standards for the purpose of the media exemption) proceeds.
32. In view of the particular vulnerabilities of children and young people, the Office considers that the privacy of children and young people should be addressed in media privacy standards. Issues relating to the media exemption are discussed more generally in chapter 38 of this submission.
1. The Office considers that there is merit in having an express statement in the Privacy Act 1988 (Cth) (Privacy Act) that clarifies that every individual aged 18 and over is capable of making a decision under the Act unless found to be incapable.
2. This accords with the Office's view that an individual has capacity unless found not to have capacity for a particular decision, as discussed in its response to question 9-2 of the Australian Law Reform Commission's (ALRC) IP 31.[601]
3. The ALRC refers in Discussion Paper (DP) 72 to a submission from Legal Aid Queensland which conveyed its experience of individuals who, once it is disclosed they have some form of intellectual disability, are required by certain organisations to produce a signed power of attorney or guardianship order and have all decisions made by the authorised third party, regardless of their actual degree of decision making capacity.[602] This suggests that there may be benefit in having an express statement in the Privacy Act as outlined above.
4. The Office sees merit in proposal 61-1, but notes a significant practical issue in implementing the proposal. Specifically, it may be difficult for organisations, other than health service providers, to adequately make an assessment of an individual's capacity to make a decision under the Privacy Act.
5. The proposal is consistent with the Office's previously expressed view that decisions about capacity should be assessed with regard to the particular decision required to be made.[603]
6. Currently, legal representatives are implicitly recognised under the Privacy Act. For example, the Office would generally consider that someone with an enduring power of attorney could lawfully consent on the individual's behalf (that is ‘stand in their shoes'). However, there is no express reference to such arrangements. The closest express provision is the ‘responsible person' mechanism, which is limited in application to National Privacy Principle (NPP) 2.4, and creates a discretion for health service providers to disclose health information in specific circumstances.
7. The Office sees merit in having an express statement in the Privacy Act that clarifies the right of an authorised representative to act on behalf of an individual who lacks capacity. Without this right, people with a temporary or permanent incapacity may be disadvantaged in their access to or use of services and in relation to their privacy.
8. However, the Office considers that where the incapacity is short-term or intermittent, and it is considered reasonably likely that the individual will regain capacity, there is a need for some limits on the right of an authorised representative to act on behalf of an individual. This is discussed further in response to proposal 61-2.
9. The Office suggests that the ALRC reconsider the inclusion of the words ‘any other circumstance'. This proposal has been designed specifically to address circumstances where a person does not have capacity to make a decision under the Privacy Act due to cognitive or mental impairment. The term ‘any other circumstance' could be interpreted as applying in situations that the ALRC did not intend. If the term is retained, then the Office suggests that it would be important that the ALRC, in its final report, clearly describe the narrow parameters of what these circumstances might include.
Assessment of capacity
10. The Office draws attention to a significant practical difficulty with this proposal. At present, where health information is disclosed by a health service provider under NPP 2.4, the health professional is qualified to assess the individual's capacity, and decide whether the information should be shared with a ‘responsible person'. In contrast, it may be difficult for other organisations without comparable training or experience to adequately make the same assessment (despite the provision of written guidance). Front-line staff may not have experience in communicating with people with a disability, and this may lead them to make incorrect assumptions concerning the capacity of the individual to consent.
11. This will be even more problematic if the nature of the incapacity is episodic. People with mental illness, for example, typically have an episodic impairment of capacity for decision-making; even during periods when they are unwell, they will often have capacity for some types of decision-making and not others. Similarly, people in the early stages of dementia will retain capacity for some types of decisions and not others.
12. The Office agrees with the general intention of proposal 61-2 to amend the Privacy Act to introduce the concept of ‘authorised representative'. However, the Office suggests that several aspects of the proposal would benefit from further consideration. The ALRC has proposed that an ‘authorised' representative ‘...should only be able to make a decision on behalf of an individual where the individual has been assessed as incapable of making the particular decision.'[604]
13. In particular, the Office considers that the legal meaning and scope of paragraph (e) is unclear and potentially too broad. The Office also suggests that where the incapacity is short-term or intermittent, and it is considered reasonably likely that the individual will regain capacity to handle their own affairs, the representative's right of access should be limited to the information necessary to make the required decision.
Definition of authorised representative
14. The Office considers that in the proposed definition of authorised representative, the legal meaning and scope of paragraph (e) is unclear and potentially too broad. The term currently proposed is:
otherwise empowered under law to perform any functions or duties as agent or in the best interests of the individual
15. It is not easy to ascertain the potential scope of the term as there is no one source that can be used to identify all the people or categories of persons who would potentially fall within the definition. It may therefore be very difficult for an agency or organisation to determine whether or not a person is an ‘authorised representative' under the Privacy Act.
16. The Office is also concerned that the proposed limits on the powers of an authorised representative (as expressed in the final paragraph of proposal 61-2, beginning ‘The Privacy Act should state...') may not always ensure that an authorised representative only exercises a right under the Privacy Act in connection with the functions or duties they otherwise perform.
17. In particular, it appears that the term ‘in contravention of the terms of appointment of law' may only prohibit an authorised representative from acting in direct breach of a provision in an instrument of appointment (and not prohibit an authorised representative from acting outside the scope of the power conferred by an instrument of appointment). Thus, it could unintentionally result in persons being empowered to exercise rights under the Privacy Act that are unconnected to the functions or duties they perform in relation to the individual.
18. It is notable that the term ‘otherwise empowered under law to perform any functions or duties as agent or in the best interests of the individual' is similar to provisions in the Health Records Act 2001 (Vic) (‘the Victorian Act') and the Health Records and Information Privacy Act 2002 (NSW) (‘the NSW Act'). However, as the ambit of these Acts is limited to health information, there is less scope for an authorised representative to act outside the terms of their appointment. Moreover, the term ‘in contravention of' is not used in the Victorian Act or the NSW Act.
19. The following examples illustrate the potential for uncertainty in interpreting paragraph (e) in the proposed definition of authorised representative. They also highlight the potential breadth of the definition in terms of authorising information that is unrelated to the functions or duties they perform in relation to an individual.
20. It would appear that a person who is a trustee (that is, who holds property on trust for another) would be an authorised representative (by virtue of paragraph (e)) and may, if the individual lacks capacity, be able to access personal information unrelated to their powers and obligations as trustee. As the Office understands, the restrictions might not preclude a trustee from accessing unrelated information because:
21. The Guardianship Act 1987 (NSW) (‘Guardianship Act') provides a further example of the problematic nature of the term ‘in contravention of the terms of appointment of law'. Section 36(1)(a) of the Guardianship Act provides that a person responsible may consent to minor or major medical treatment of patients who are unable to consent to their own treatment. Section 33A of the Guardianship Act sets out a hierarchy of persons who are ‘a person responsible', and included in that hierarchy are spouses, a person who has the care of a person, and a close friend or relative.
22. A ‘person responsible' would appear to fall within paragraph (e) of the definition of authorised representative because they are given the power under law (the Guardianship Act) to act on behalf of an individual by consenting to medical or dental treatment of the individual. As such a ‘person responsible' could potentially access personal information about the individual for whom they are a ‘responsible person', even though accessing the information may bear no connection to the authority they have (as it would not be in direct breach of the instrument of appointment). For example, even though the empowerment of a person responsible relates to consenting to medical and dental treatment, the person responsible may be able to access an individual's financial information.
23. The Office suggests that the ALRC reconsider the drafting of paragraph (e) in the definition of ‘authorised representative' with a view to specifying the categories of persons that are intended to be captured in the definition.
24. The Office also suggests that the ALRC review the wording of the restriction on the powers of an authorised representative (and in particular the use of the term ‘in contravention of the terms of appointment of law').
Appropriate limits to the rights of an authorised representative where the incapacity is short-term or intermittent
25. Under proposal 61-2, the rights of an authorised representative to act on behalf of an individual would be limited only in relation to the terms of appointment of the representative.
26. The Office maintains the view that where the incapacity is short-term or intermittent, and it is considered reasonably likely that the individual will regain capacity to handle their own affairs, the representative's right of access should be limited to the information necessary to make the decision required at that time. This issue was discussed in the Office's submission to IP 31 at question 9-3.[605]
27. Limiting the information that a temporary representative is able to access would allow an individual to maintain privacy from their representative, where the matter is not relevant to decisions that the representative must make. Such a limitation accords with the objectives of ensuring that the individual is not disadvantaged in their access to or use of services, whilst also respecting the individual's right to autonomy and privacy to the extent possible (both at the time of the decision and in the future).
28. It is notable that NPP 2.4 provides some equivalent protection of health information. NPP 2.4(c) requires that discretionary disclosures are not contrary to any wish expressed by the individual when they had capacity, of which the ‘carer' (in this sense referring to the provider) is aware, or could reasonably be expected to be aware.
29. The Office is aware of situations where providing access to an authorised representative may have an adverse impact on the individual's privacy. In one such situation, a parent carer sought to obtain the medical records of their comatose adult son. The treating doctor was concerned that providing access to all of the son's health information would have inappropriately revealed information about the son's personal life. The clinical judgement was that the individual was likely to recover from their condition and regain full capacity. In the doctor's view, the provision of care for that particular episode did not require the carer to have unfettered access to all of the individual's health information.
30. The Office considers that if the definition of ‘authorised representative' is extended as set out in question 61-2, there must be adequate safeguards to ensure that the person had capacity at the time they made the nomination, and that they were not subject to coercion to sign the nomination.
31. In the Office's view, the Privacy Act needs to facilitate appropriate care arrangements for people with incapacity while ensuring that there are appropriate safeguards in place to protect individual rights.
32. State and territory legislation provides for the appointment of an enduring power of attorney or an enduring guardian. As DP 72 notes, such legislation already fulfils the purpose of nominating a person prior to the loss of capacity.[606] The state and territory legislation establishes proper processes for making such an appointment (such as being witnessed by a legal practitioner) and imposes appropriate obligations on the appointed attorney or guardian.
33. The Office understands that there is limited awareness among the general public of the existence of legal mechanisms such as enduring power of attorney. Currently, there are some government initiatives to increase public awareness of such mechanisms. For example, the NSW Department of Ageing, Disability and Home Care has produced the Planning Ahead Kit, which aims to encourage people to plan ahead in case they lose the capacity to make decisions at a later stage. The Office could complement such resources by including information on legal mechanisms such as enduring power of attorney in relevant guidance material.
34. Even with community education, however, some people may be reluctant to use existing legal mechanisms. They may, for example, consider that the process is too time consuming or ‘bureaucratic'. In some situations, such as prior to unexpected or emergency surgery, there may be a lack of time to make a formal appointment.
35. However, if the definition of authorised representative is extended as outlined in question 61-2 (that is, to recognise some form of informal nomination process), it is essential that there be safeguards to ensure that the individual had capacity at the time they made the nomination.
36. The agency or organisation would therefore need to have evidence that the individual had adequate capacity to make the nomination at the time. For example, one way that this might occur is that the individual would make a nomination at the time they visit their doctor, and a clear notation would be made on the doctor's file. The doctor may then be called on to provide a letter verifying the nomination to other service providers at such time when the individual does not have the capacity to make a decision under the Privacy Act.
37. The Office agrees in principle that the Privacy Act should be amended as outlined in proposal 61-3.
38. The proposal is consistent with NPP 4.1, which requires that an organisation take ‘reasonable steps’ to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
39. However, the Office draws attention to a significant practical difficulty that could arise from the ALRC's proposed definition of ‘authorised representative’. As discussed above in response to proposal 61-2, the Office considers that the legal meaning and scope of the term ‘otherwise empowered under law to perform any functions or duties as agent or in the best interests of the individual’ is unclear. Therefore, in instances where the expression is invoked, it would be difficult for an agency or organisation to determine whether or not a person is an authorised representative. Further, it would be difficult for the Office to determine what constitutes ‘reasonable steps’ to validate the authority of an authorised representative.
40. The Office agrees in principle with proposal 61-4.
41. The proposal is consistent with the Office's position in its submission to IP 31.[607]
42. As discussed above in response to proposals 61-2 and 61-3, the apparent ambiguity regarding the expression proposed in paragraph (e) of proposal 61-2 could make it difficult for the Office to issue clear guidance on what constitutes ‘reasonable steps’ to validate the authority of an authorised representative. The Office has proposed that this expression be revisited by the ALRC.
43. The Office agrees in principle with proposal 61-5.
44. The proposal is consistent with the requirements of NPP 5 and good privacy practice.
45. The Office notes, however, that adults with a disability, mental health issue, or dementia, use (and are entitled to use) the same range of services and facilities as the general community. The majority of agencies and organisations are therefore likely, periodically, to handle personal information about people incapable of making a decision.
46. The ALRC may wish to consider whether the proposal, as currently worded, could place a high compliance burden on small operators, particularly if the small business exemption is removed. One way of addressing this might be to adopt the wording ‘should, where practicable, address in their privacy policies...’
47. The Office agrees with proposal 61-6.
48. The proposal is consistent with good privacy practice.
1. The Office agrees with proposal 62-1.
2. The stakeholder feedback cited in the ALRC's Discussion Paper 72 (DP 72) indicates that there is a need for particular guidance relating to the involvement of third parties where the individual consents.[608]
3. The Office considers that there is merit in having an express statement in the Privacy Act 1988 (Cth) (‘Privacy Act’) which allows a third party nominated by the individual to give consent, make a request or exercise a right of access on behalf of the individual.
4. The establishment of such third party arrangements, with the consent of the individual, is consistent with the present operation of the Privacy Act. However, the Office is aware that some agencies and organisations adopt risk-averse behaviour (to ensure that their obligations under the Privacy Act are met) and may not recognise such arrangements. The Office therefore considers that there is merit in making explicit what is already implicit in the Privacy Act.
5. However, in offering this view, the Office has assumed that the type of informal nomination envisaged in question 62-1 would take effect only in circumstances where the individual retains capacity to make a decision under the Privacy Act, and accordingly, an assessment of capacity is not required. Otherwise, an agency or organisation could face logistical difficulties in determining whether an individual had capacity at the time consent was given. This would be a particular concern in the case of persons who have declining or intermittent capacity.
6. Therefore, where an individual has previously established an informal nominee when they have capacity, if they subsequently lose capacity, then it would be necessary for a formal arrangement to be made (such as an enduring power of attorney or guardianship order). Alternatively, before the individual lost capacity, a more robustly verifiable arrangement, as envisaged in the Office's response to question 61-2, would need to have been made (such as where a doctor certifies the nomination of an ‘authorised representative’).
7. As well as meeting all other NPP obligations, an agency or organisation would need to ensure that it met the obligations under, respectively, IPP 4 or NPP 4 (or UPP equivalent) regarding data security to ensure that personal information was not misused or subject to unauthorised access, modification or disclosure.
8. Some circumstances require a more rigorous process for nomination and verification than others due to the potential consequences of the disclosure of personal information. In general, the Office considers that it is good practice to obtain consent in writing. There may be circumstances, however, where it is appropriate for an agency or organisation to accept verbal consent provided that robust identification and security procedures have been followed.
[584] ALRC Review of Australian Privacy Law, paragraph 59.107, p.1745.
[585] See http://www.privacy.gov.au/act/privacyact/
[586] See http://www.privacy.gov.au/about/index.html
[587] See http://www.privacy.gov.au/publications/rcommunity07.pdf
[588] ALRC Review of Australian Privacy Law, paragraph 59.122, p.1748.
[589] See http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html
[590] See also http://www.smh.com.au/news/technology/facebook-security-loophole-warning/2007/10/28/1192941408684.html and http://www.abc.net.au/news/stories/2007/09/29/2046948.htm
[591] The Office's Submission on IP 31, Question 9-1, Office Position (v)
[592] See http://www.arc.gov.au/pdf/LP08Rd1/QldTU.pdf
[593] ALRC DP 72, chapter 60, paragraph 60.87.
[594] See chapter 9-1, paragraph 7, p371, available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#L23007
[595] Information on the RASD is available at http://www.acma.gov.au/WEB/STANDARD/pc=PC_310813.
[596] See http://www.ftc.gov/coppa/ for more information.
[597] See http://www.ftc.gov/privacy/privacyinitiatives/childrens.html.
[598] See, for example, AGIMO Discussion Paper No. 12, ‘Managing Privacy in Identity Management - The Way Forward - Distributed and Federated Identity’, available at http://www.agimo.gov.au/publications/2004/05/egovt_challenges/privacy/identity/distributed
[599] See Chapter 9-1 paragraph 4, p.370. This is available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#L23007
[600] ALRC IP 31, chapter 9, paragraph 9.73.
[601] See chapter 9-3, paragraph 86, p.387, available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#Office189
[602] ALRC Discussion Paper 72 Australian Privacy Law, chapter 61, paragraph 61.9, p.1817.
[603] See question 9-3, paragraph 86, p.387. Available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#Office189
[604] DP 72, paragraph 61.55.
[605] See chapter 9-3, paragraphs 97-100, pp. 389-390. This is available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#Access3
[606] ALRC DP 72, chapter 61-9, paragraph 61.65, p1834.
[607] See question 9-3, paragraph 93, p.388, available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#Additional1
[608] ALRC Discussion Paper 72 Review of Australian Privacy Law, chapter 62, paragraph 62-17.