Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography
20. The Office believes that the Privacy Act has generally worked well in protecting individual privacy while allowing appropriate information-flows to occur. To further enhance the comprehensibility, consistency and accessibly of privacy regulation, the Office has, in chapter 3, supported the ALRC's proposals that the Privacy Act contain:
21. The Office emphasises that substantive privacy rights and obligations should be set out in the Privacy Act itself, and that unless there is a clear and compelling case to the contrary, privacy regulation should maintain the levels of protections under the Act. Accordingly, while the Office recognises that it is appropriate for some specific matters to be subject to a regulation making power, the Office does not support ALRC proposal 3-1, which would create a general power to make regulations on any matter that lessen privacy protections.
22. The Office believes that the legislation should be renamed the 'Australian Privacy Act' to distinguish from other statutes of similar effect in the state and territories. The Office points to precedent for this approach to nomenclature.
Deceased persons' information23. Except in regard to health information, the Office does not see a strong need for introducing a broader regime of privacy protections regarding deceased individuals' personal information.
24. However, the Office believes that there is scope for privacy regulation to facilitate the appropriate flows of deceased individuals' health information, such as by permitting organisations to disclose health information about deceased individuals to a 'responsible person.' In chapter 3, the Office has proposed that this intent be given effect by extending NPPs 1, 2 and 4 to deceased persons' health information, together with a small number of consequential amendments.
'Cover the field' to reduce uncertainty and complexity25. In order to reduce the potential confusion arising from overlapping legislation, the Office has supported a number of proposals in chapter 4, including that the Privacy Act be amended to clarify that it covers information handling by private sector organisations to the exclusion of state and territory privacy legislation. This would resolve existing regulatory uncertainty regarding whether state, territory or Commonwealth law applies to the private sector in various jurisdictions and would be a significant step forward in promoting simplicity and uniformity in privacy regulation, particularly in regard to health information.
Support for a cause of action26. In chapter 5, the Office generally supports the ALRC's proposal to introduce into the Privacy Act a statutory cause of action for an invasion of privacy. This proposed cause of action would extend beyond information privacy - the current focus of the Unified Privacy Principles - to encompass areas including:
27. In addition to these areas, the Office suggests that consideration be given to whether the cause of action should cover bodily privacy. The Office also suggests some modifications as to how the cause of action could be implemented. For example, a provision could be introduced allowing applications by the Office to assist the court during proceedings. This role, similar to the common law doctrine of amicus curae could allow the Office to offer its experience on disputed areas of law, and advise on broader privacy implications of the proceedings.
28. In its response to Part B of DP 72, the Office affirms that the Privacy Act should remain technologically-neutral and principles-based to ensure it remains technology neutral.
29. The Office submits that this approach, coupled with provision for the Privacy Commissioner to make binding codes where a clearly defined privacy risk emerges, is the best way to accommodate developing technology in a regulatory framework (see chapter 7).
30. In addition, where technology issues of substantial public interest arise (such as the regulation of online content), the Office suggests that separate and widespread public consultation should be undertaken concerning the possible need for regulatory intervention. Further, the analysis underlying any such change should take account of whether the proposed reforms are in keeping with the spirit and intent of the Privacy Act (chapter 8).
31. As technology continues to evolve, the Office believes that having appropriate strategies in place to manage the development of new technologies, as well as a range of regulatory mechanisms, will ensure the Privacy Act can be flexible as well as responsive.
32. In Part C, the Office responds to the privacy issues raised in relation to interaction, inconsistency and fragmentation and their impact on personal information handling. Issues considered include information sharing, multiple regulation, freedom of information, terms and definitions and issues related to the 'required or authorised' exception.
Overcoming 'BOTPAs'33. In chapter 10, the Office discusses 'BOTPAs', an abbreviated form of the expression 'because of the Privacy Act', and the various circumstances where the Privacy Act may be inappropriately attributed with preventing an information handling practice. The Office has suggested that continuing to provide education and guidance to agencies, organisations and individuals will assist in clarifying the scope and application of the Privacy Act.
Access to personal information held by agencies34. The Office considers that access to one's own personal information is one of the cornerstones of privacy protection and where possible individuals should not be subject to prescriptive Freedom of Information ('FOI') processes to access their personal information. Accordingly, in chapter 12, the Office supports the introduction of a new part in the Privacy Act to deal with access to and correction of personal information held by agencies.
Issues relating to the 'required or authorised by law' exceptions35. In chapter 13, the Office notes that it maybe useful toclarify the meaning of'law'for the purposesofthe 'required or [specifically] authorised by law' exceptions under the Privacy Act. However, as different laws will apply to different entities, agencies and organisations need to determine whether a law applies to them beforerelying on it. In some cases, this may be complex, particularly where there is uncertainty as to whether state laws apply to Australian Government agencies.
36. The Office also notes itsstrong supportfor theterm 'specifically authorised' by law, in the interests of clarity, stabilityand robust privacy protections (question 13-1).
37. The Office also explores the relationship between privacy andother specific laws,including under the Census and Statistics Act 1905 (Cth), the Corporations Act 1901 (Cth), the Commonwealth Electoral Act 1918 (Cth) and the Anti-Money Laundering and Counterterrorism Financing Act 2006 (Cth). In some cases, thisincludes the need to clarify or review privacy and information-handling practices under such legislation (see proposals 13-1 to 13-4). For example, the Office supports the regulation, under the Privacy Act, of personal information that state and territory entities receive from AUSTRAC,unless those entitiesare bound by equivalent state or territory legislation (proposal 13-4).
38. The ALRC proposes that the Information Privacy Principles ('IPPs') and National Privacy Principles ('NPPs') be brought together into a single set of principles that would generally apply to both agencies and organisations. The Office supports this consolidation and simplification of privacy regulation.
39. In considering the proposed UPPs, the Office has taken the existing level of protections under the IPPs and NPPs as an appropriate benchmark. The Office has discussed in detail each of the proposed UPPs in chapters 16-28. The Office has generally supported proposals regarding the single set of principles, with some exceptions.
Maintaining the co-tests of 'serious' and 'imminent'40. One proposal that the Office does not agree with concerns how the UPPs allow organisations and agencies to respond to perceived threats to individuals' life or health. At present, a number of IPPs and NPPs provide exceptions to the relevant principle in order to lessen or prevent a threat that is both serious and imminent. The ALRC proposes removing the requirement of 'imminence' from this test in the areas of collecting sensitive information, use and disclosure of personal information, and access to personal information. The Office does not support these changes.
41. In the Office's view, the case for removing imminence has not been clearly demonstrated - many of the scenarios raised by the ALRC could be adequately addressed through existing provisions, or by seeking consent. The Office discusses this issue in greater detail in response to proposal 22-3.
Enhancing the proposed collection principle42. In chapter 18, the Office has supported several aspects of the proposed Collection principle. In particular, it welcomes new provisions on how agencies and organisations should handle unsolicited information. This proposal would be enhanced by requiring that collection be necessary for a purpose that would be deemed a 'reasonable' purpose for that organisation or agency (see question 18-3).
Taking reasonable steps, if any, to provide notice at the time of collection43. The ALRC has proposed that notification be addressed in a separate principle. In chapter 20, the Office has supported elements of the ALRC's approach, though has suggested that the specific notification principle should require that organisations and agencies take 'reasonable steps, if any' to provide notice when personal information is collected.
44. The Office believes that the insertion of the expression 'if any' clarifies that there may be circumstances where it is reasonable not to provide notice. This approach is consistent with the principle based approach to regulation intended for the Privacy Act. This is discussed in detail in response to proposal 20-2.
Use and disclosure of personal information without consent45. In regard to the regulation of how personal information may be used or disclosed, the Office supports the core of the ALRC's proposed UPP 5, which regulates uses and disclosures for secondary purposes in a similar manner to the current NPP 2.1(a). This submission also provides comments on the remaining exceptions considered by the ALRC. In particular, the Office supports:
46. As indicated above, the Office supports the retention of the 'imminence' test for uses and disclosures to respond to perceived threats. However, in the event that arguments in support of this test are rejected, the Office suggests an alternative: that in such circumstances, organisations or agencies be required to obtain the individual's consent for the use or disclosure where reasonable and practicable.
Regulation of direct marketing under the proposed UPPs47. The ALRC has proposed that direct marketing should be addressed by a separate principle that would apply to both primary and secondary purposes, and has framed the proposal so as to apply only to organisations. In response to question 23-1, in recognition of the particular functions of agencies, the Office has submitted that the direct marketing principle should be limited to organisations.
48. Also in chapter 23, the Office has proposed that requests to be removed from direct marketing lists should be actioned within a specified number of days, such as within 30 days.
Access and correction under the proposed UPPs49. In general, the Office supports the access and correction principle as proposed by the ALRC. This principle would only cover access and correction rights relating to organisations, with agencies being addressed in a separate Part to the Privacy Act. However, the Office is concerned at the proposal that an individual requesting correction of their personal information, would have to 'seek to establish' their case. This appears to place an unreasonably onerous burden on individuals, and is unclear as to how, or to whose satisfaction the correctness of the information should be demonstrated. This is discussed in greater detail in chapter 26.
Handling of unique identifiers under the proposed UPPs50. In chapter 27, the Office supports the ALRC's proposal that the identifier principle be extended to apply to both agencies and organisations. The Office also welcomes the ALRC's proposal that the principle regulate handling of state and territory-issued identifiers (such as drivers licence numbers) by organisations and Commonwealth agencies.
51. The Office has reiterated its view that the principle regulating identifiers should not include a mechanism allowing individuals to consent to any unspecified handling. While the Office generally supports individuals being afforded as much choice as possible over the handling of their personal information, the special characteristics and risks of unique identifiers require that this choice be limited.
52. In response to Part E of DP 72, the Office expresses the view that to achieve uniformity and consistency of application of the privacy legislation, exemptions should be minimised and only established where there are clear and compelling policy reasons for doing so.
53. The Office generally supports the ALRC proposals to remove exemptions, except where there appears to be a reasonable public interest supporting their retention, such as for small businesses, acts or practices of journalism and some matters of national security (these are discussed in chapters 35, 38 and 31, respectively).
54. The Office, on balance, supports the removal of the employee records exemption (chapter 36), as well as affording additional protections to how political parties handle personal information.
55. Where exemptions do exist, the Office takes the view that organisations and agencies should still be encouraged to implement good information handling practices. The Office also submits entities with similar functions should be treated consistently under the exemption provisions of the Privacy Act.
56. In achieving simplification of privacy principles and privacy legislation, the Office supports the ALRC proposals to structure the Privacy Act in a manner that enhances clarity, by grouping exemptions together in one part of the Act, and setting out in a schedule to the Act, exemptions for specific, named entities.
57. Finally, the Office considers additional guidance material may be required as a result of any changes to the exemptions.
58. In Part F, the Office responds to a number of proposals and questions relating to the powers of the Office and its enabling legislation.
Approach to compliance and regulation59. The Office takes a facilitative approach to its regulatory role, whereby emphasis is placed on working with agencies and organisations to promote compliance with the Privacy Act, including through the provision of high quality guidance and advice. The Office believes that this approach is consistent with the expectation Parliament held when the Privacy Act was enacted.
60. The Office supports the general approach to compliance and regulation taken in DP 72, as well as many of the specific proposals, particularly those aimed at encouraging voluntary compliance with the Privacy Act. The Office agrees that an appropriate enforcement regime should be available where voluntary compliance is not met.
61. The ALRC has described this as an "enforcement pyramid" approach to compliance, central to which is the concept that an escalation of sanctions can occur. DP 72 has discussed a range of measures to give effect to this compliance model.
Privacy impact assessments to manage privacy risks62. Privacy Impact Assessment (PIAs) are potentially highly valuable for their ability to pre-empt and address privacy risks.
63. In responding to proposals 44-4 and 44-5, the Office has submitted that the Privacy Act should require agencies to conduct PIAs for new projects, legislation or initiatives that might have significant impact on the handling of personal information. Organisations should be encouraged to conduct such assessments, which the Office will help promote through the production of PIA guidance material specific for the private sector.
Privacy codes64. The Office welcomes the proposed approach to privacy codes, which build in to the Privacy Act mechanisms that can provide both flexibility and specificity in privacy regulation (see proposals 44-9 and 44-10). While the Office's experience is that there has been only modest demand for codes, they are likely to be valuable in certain circumstances. The provision for a more active role for the Privacy Commissioner in identifying where codes may be useful is welcome (proposal 44-10).
Audits65. The Office recommends the introduction of a qualified audit power to allow the Office to conduct privacy performance assessments of private sector organisations for compliance in certain circumstances.
Streamlining complaint handling66. Maintaining and, wherever possible, improving the efficiency and effectiveness of the Office's complaint handling is fundamental to how well the Office meets its compliance functions. The Office generally welcomes the proposals set out in chapter 45, including to enliven the role of alternate dispute resolution mechanisms (proposal 45-2). The formal statutory recognition of the important role of conciliation in resolving privacy disputes at any time, is in the Office's view, consistent with the underlying intent of the Privacy Act and reflective of the Office's approach to its application (proposal 45-5).
67. At the same time, where conciliation cannot be achieved, the Office believes that it is important and appropriate for the Privacy Commissioner to have powers to make determinations to resolve matters (proposal 45-6).
Enforcement and civil penalties68. While the Office believes that satisfactory outcomes to many privacy disputes can be facilitated through conciliatory processes, it is recognised that there may be occasion where clear and accessible enforcement powers are required.
69. The Office agrees with the proposals made in chapter 46 concerning enforcement, noting that they provide a balanced and reasonable range of measures, including the ability to issue enforceable notices to comply with own motion investigations (proposal 46-1). The Office supports the proposal for the introduction of civil penalties for serious and repeated interferences with privacy (proposal 46-2).
Data breach notifications70. In response to proposal 47-1, the Office has agreed in principle that a data breach notification requirement should be imposed on agencies and organisations. The Office believes that such a requirement has been heightened by the apparent increase in the occurrence of identity theft, and that there is now broadbased community and stakeholder support for such a measure.
71. In the Office's view, the detail of how such a requirement is established will be crucial, so as to ensure that it neither imposes an unreasonable burden for agencies and organisations, nor results in unnecessary or alarmist notifications to individuals.
72. Part G of DP72 discusses in detail the credit reporting provisions of the Privacy Act and proposals for the reform of these provisions. Containing 56 reform proposals and questions, consideration about reform of the credit reporting provisions comprises a significant part of the ALRC's review of the Privacy Act.
73. The Office submits that any approach to reform should continue to reflect what the Office views as the fundamental function of the credit reporting provisions in privacy legislation, that is, to protect the privacy of personal information collected, used, stored, accessed or disclosed for credit reporting purposes while at the same time allowing credit providers and credit reporting agencies to conduct their business in an orderly way.
Simplification and comprehensive structural reform74. There have been relatively few changes to the credit reporting provisions since their commencement in September 1991. Combined with the fact that credit reporting provisions were created before the introduction of the private sector reforms of the Privacy Act and National Privacy Principles (NPPs), the Office agrees that significant structural reform of credit reporting regulation is necessary.
75. The Office therefore supports the repeal of Part IIIA of the Privacy Act to bring the regulation of credit reporting under the general privacy principles (proposal 50-1). Additional specific credit reporting obligations should also be imposed, although the Office's preferred position is that credit reporting should be regulated via a combination of the privacy principles and a binding Credit Reporting Code issued by the Privacy Commissioner, rather than the ALRC's proposed Privacy (Credit Reporting Information) Regulations (proposal 50-2).
76. Moving specific credit reporting provisions from the Privacy Act to a legislative instrument will facilitate comprehensive restructuring of the provisions while providing a greater degree of flexibility for the regulatory regime to respond to changes in industry practice or privacy risks arising from developing technologies.
77. Structural reform of the credit reporting provisions should focus on improved consistency and ease of application and regulation. To this end, the Office's recommendations seek to achieve greater consistency in the regulation of different categories of personal information handled as part of credit reporting. For example, the Office has submitted that:
78. The Office believes that any reforms to Australia's regulatory regime for credit reporting should not weaken existing privacy protections. Consistent with this, the Office does not support the proposed expansion of the permitted uses and disclosures of credit reporting information from a specified list of circumstances to allowing use and disclosure for a related secondary purpose (proposal 53-2). However, the Office does support the simplification and clarification of the existing use and disclosure provisions (proposal 53-1).
79. The proposed regulations or binding Credit Reporting Code should also make clear that the use or disclosure of credit reporting information for the purposes of direct marketing (proposal 53-3) and 'pre-screening' of credit offers is prohibited (question 53-2).
80. The Office recommends that broadening access to the credit reporting system for purposes unrelated to its original intent (being the assessment of individual's credit worthiness) should not be permitted unless there is a significant public interest.
81. In this regard, the Office supports the inclusion in regulations or a binding Credit Reporting Code of a definition of 'credit provider' that largely reflects the existing range of businesses that have access under PartIIIA of the Privacy Act (proposal 50-7), and submits that there should be no expansion to access through the introduction of a wider definition of 'credit' (question 50-2).
Increased consumer awareness and understanding of credit reporting82. The Office supports a range of reform proposals directed towards increasing consumer awareness of credit reporting and making sufficient information available to individuals to enable them to understand their rights. Apart from a general reform objective to improve the drafting and presentation of the credit reporting provisions so that consumers and credit reporting industry can better understand their rights and obligations, the Office recommends that:
83. With the increasing risk of identity theft and resulting credit fraud, the Office also supports individuals being able to record on their credit information file a note that they have been the subject of identity theft (proposal 52-1).
Greater emphasis on data quality84. The accuracy of information recorded in the credit reporting system is of particular importance given the significant impact that adverse listings and the inability to access credit can have on individuals' lives. Several reform proposals in DP72 are intended to improve the quality of data, in particular by placing greater responsibility on credit reporting agencies in respect of monitoring the accuracy of credit reporting information being supplied by credit providers.
85. The Office supports requiring credit reporting agencies to take proactive steps to ensure data quality, through entering into agreements with credit providers and establishing internal monitoring mechanisms (proposal 54-3) and establishing industry wide procedures in a credit reporting industry code that promote data quality (proposal 54-5).
86. An important part of promoting data quality is facilitating the removal of data that is identified as being inaccurate. To this end the Office supports specific rights for disputed credit reporting information to be removed if a credit provider or credit reporting agency cannot substantiate the information within 30 days.
More comprehensive credit reporting87. The issue of introducing more comprehensive credit reporting in Australia is significant, with the potential to change the underlying character of Australia's credit reporting system from a 'negative' focus-listing of payment defaults and serious credit infringements-to the inclusion of 'positive' information such as an individual's current credit account details, current account balances and repayment history.
88. The Office does not at this stage support the introduction of more comprehensive credit reporting, and submits that further independent research is required to determine what if any model of more comprehensive credit reporting would be appropriate for the Australian context (proposal 51-1). The 'modest' expansion of the permitted categories of credit reporting information proposed by the ALRC appears reasonable to the Office, but it is suggested that this proposed model could be compared with other options as part of the recommended research.
89. The Office's response to chapter 56 deals with the overall regulatory framework for health information under the Privacy Act. Chapter 57 addresses more specific privacy-related issues that arise in the regulation of health information. The response to chapter 58 deals with the handling of health information and other personal information for research purposes, most significantly where individuals' consent is not obtained.
Health privacy regulation through the proposed UPPs90. In chapter 56, the Office explains that while it supports the detail of many of the proposals regarding health services, it believes that health privacy regulation could be comfortably accommodated within the proposed single set of principles, rather than by the creation of an additional instrument. An additional instrument would fragment privacy regulation and may lead to regulatory uncertainty and complexity. This is discussed in detail in the Office's response to proposal 56-2, and is referred to throughout chapter 57.
91. The Office has welcomed the ALRC's recognition of the proposed National Health Privacy Code as a prescriptive and complex instrument, which would have the overall effect of lowering protections currently afforded to health information. The Office agrees that it should not be pursued.
Additional protections regarding transfer of medical records, access when a practice closes and rights to an intermediary92. In chapter 57 of this submission, the Office expresses support for the intent and effect of many of the proposals.
93. In particular, the Office supports the proposals to include procedures for the transfer of medical records between health service providers (proposal 57-8), andto clarify privacyobligations when a health service provider retires, dies or sells their business (proposal 57-7).
94. The Office agrees thatprovisions should be improvedaround the use of intermediaries where access to health informationis denied, and provides suggestions on how the ALRC's current proposal could be enhanced (proposal 57-6).
95. The Office supports amendmentsto the Privacy Actto permanently permit the collection of third party health information without consent where necessary to provide a health service, and relevant to an individual's family, social and medical histories (proposal 57-3). This collection is currently permitted by Public Interest Determinations (PIDs) issued by the Privacy Commissioner.
96. To better align the privacy principles on disclosure and collection, the Office also supports an amendment to permit collection of health information where this is necessary to provide a health service and within the individual's reasonable expectations (question 57-1).
97. The Office welcomes many of the proposals in chapter 57. However, the Office submits that these amendments should be included in the UPPs or equivalent principles, rather than in separate regulations.
Reducing complexity through harmonising non-consensual research mechanisms98. In chapter 58 of DP 72, the ALRC has proposed significant changes to the handling of personal information without consent for research purposes under the Privacy Act.
99. The Office agrees that the existing regulatory framework should be harmonised so that researchers in the private sector and Australian public sector can comply with a single set of rules for health and medical research. The Office has proposed that this should include relevant research into public health and public safety. The Office believes that such a step would significantly reduce complexity in how non-consensual health related research is regulated and would represent an appropriate balance of interests between health research and privacy.
100. The Office submits that the existing framework affords sufficient options for researchers, while giving individuals an appropriate degree of protection for the non-consensual handling of personal information for the purposes of health and medical research.
Inappropriate broadening of non-consensual research mechanism101. However, the Office is concerned about a number of the ALRC's proposals in chapter 58. Taken collectively, these proposals would unnecessarily broaden the scope for the use of personal information for research without individuals' consent, while at the same time lowering the public interest threshold required to use personal information for research purposes.
102. For example, the Office does not support the proposal that personal information should be made available without consent for all forms of research involving human subjects, beyond health and medical research (proposal 58-2).
103. The Office does not support the lowering of the public interest test for the non-consensual handling of personal information, from the current threshold (in which the benefit of the research must 'substantially outweigh' the interest in maintaining privacy protections) to one where it must only 'outweigh' privacy interests (proposal 58-4). Without a clearer standard for the public interest, the Office believes the lower threshold may make decision making more difficult, and create a greater margin for error.
104. Chapter 58 also addresses privacy issues relating to the establishment, use and maintenance of health information databases or registers for research purposes. In order to maintain public confidence, the Office believes such initiatives are best established under legislation setting out their purposes, and appropriate uses of personal information held within them. Reference is also made to theways in which the NPPs and HREC approvalprocesses already support research practices such as sample acquisition.
105. Chapter 59 focuses on the privacy-related issues that children and young people increasingly face in the rapidly changing online environment. The Office proposes that it continue to play a central part in promoting privacy awareness among children and young people directly, through advice and guidance to relevant agencies and schools, and through participation in a proposed longitudinal study of attitudes to privacy (proposal 59-2).
106. The Office has expressed some disagreement with the proposal that it is not an appropriate body to conduct proposed longitudinal research into the attitudes of Australians, including young people, to privacy. In responding to proposal 59-1, the Office suggests that such an activity would comfortably fall within its role and functions.
Determination of capacity in young people107. Chapter 60 examines issues of privacy-related decision making under the Privacy Act by individuals under the age of 18. While the Office favours the continuation of an individual assessment based approach to capacity, the Office sees some merit in combining this with a minimum age test (proposal 60-1). The Office has suggested that the wording of the proposal should make it clear that individual assessment must be conducted for young people aged 15 and over, wherever practicable. The Office also notes logistical issues relating to verification of age and capacity in an online environment.
Adults requiring decision making assistance108. Chapter 61 focuses on issues relating to adults who have temporary or permanent incapacity. The Office supports the intent of many of the proposals in this chapter. In particular, the Office agrees that assessments of capacity should be done with regard to the particular decision required to be made.
109. The Office also agrees in principle with the proposal to introduce the defined concept of an 'authorised representative'. However, the Office suggests that several aspects of the proposal would benefit from further consideration. In particular, the Office submits, in response to proposal 61-1, that where the incapacity is short-term or intermittent, and it is considered reasonably likely that the individual will regain capacity to handle their own affairs, the representative's right of access should be limited to the information necessary to make the required decision.
110. The Office also raises concerns about certain terminology used in the proposed definition of 'authorised representative' (proposal 61-2). The Office considers that the meaning of part (e) in the proposed definition is unclear and potentially too broad. The Office is concerned that this and other aspects of the proposed definition could lead to inappropriate use, disclosure and handling of vulnerable individuals' personal information.
111. The Office considers that if the definition of 'authorised representative' is extended to include informal representatives nominated before the individual lost capacity (as well as legally nominated or appointed representatives), there must be adequate safeguards to ensure that the person had capacity at the time they made the nomination (question 61-2).
112. In chapter 62 of DP 72, the ALRC has sought feedback on whether it is desirable to establish a legislative provision in relation to nominated third parties making decisions on behalf of capable individuals. The Office considers that there is merit in having an express statement in the Privacy Act which allows a third party nominated by the individual to act on that individual's behalf. This view assumes that the type of nomination envisaged in question 62-1 would take effect only where the individual retains capacity to make a decision under the Privacy Act, and accordingly an assessment of capacity is not required.
113. The Office believes that additional guidance material may be required relating to the involvement of third parties in privacy-related decision making where the individual consents.
114. The Office's response to chapters 63 and 64 addresses privacy-related issues pertaining to the Telecommunications Act 1997 (Cth), the Telecommunications (Interception and Access) Act 1979 (Cth), the Do Not Call Register Act 2006 (Cth) and the Spam Act 2003 (Cth). In responding to the ALRC's proposals and questions in these areas, the Office's response seeks to balance the protection of individual privacy in the light of rapid technological change and the use and disclosure of personal information.
115. The discussion identifies parts of both the Telecommunications Act and the Telecommunications (Interception and Access) Acts where exceptions to the prohibitions against use and disclosure may be considered to be too broad and should be confined and, where practicable, aligned with the exceptions in NPP 2 or its equivalent under the proposed UPPs. The Office supports the ALRC's general approach in this area.
116. Part J also highlights that technological convergence brings with it an increasing need for cooperation between the Office and other regulatory bodies dealing with significant current and emerging privacy matters. The Office supports working cooperatively with other regulators such as the Telecommunications Industry Ombudsman, the Australian Communications and Media Authority and the Inspector General of Intelligence and Security to provide guidance on privacy issues in the telecommunications industry.