Chapter 6
Australian Privacy Principle 3–collection of solicited personal information
Introduction
6.1
Australian Privacy Principle 3 (APP 3) deals with the collection of
solicited personal information including sensitive information. The Companion
Guide notes that personal information should only be collected where it is
necessary for, or directly related to, one or more of the entity's functions or
activities (the functions test). It also provides that an entity must collect
information directly from an individual unless it is unreasonable, or
impracticable, to do so. If the personal information is sensitive information,
the individual must also consent to the collection.[1]
6.2
However, APP 3 provides for a number of exemptions on public interest
grounds. These exemptions include exemptions based on National Privacy
Principle 10.1 and a number of new provisions. The new provisions reflect
the application of this principle to both agencies and organisations.
Background
6.3
Information Privacy Principles (IPPs) 1–3 cover the collection of
personal information by agencies. Personal information is not to be collected
by agencies unless the purpose is lawful and directly related to the functions
or activities of the collector and the collection is necessary. Agencies are to
take reasonable steps to ensure that the individual is aware of, among other
things, the purpose for which the information is collected and that the
information collected is relevant, up-to-date and complete and the collection
does not intrude unreasonably on the individual's personal affairs.[2]
The IPPs do not regulate the collection of sensitive information separately
from other forms of personal information.
6.4
National Privacy Principles (NPPs) provide that an organisation may only
collect personal information that is necessary for its functions or activities;
and by lawful and fair means. Organisations are to take reasonable steps to
ensure that the individual is aware of certain matters including that he or she
can access the information. In addition, the collection may be from the
individual, if it is reasonable and practicable to do so, or from someone else
if reasonable steps are taken to ensure that the individual is aware of certain
matters except in the case where making the individual aware would pose a
serious threat to anyone's life or health.[3]
In relation to sensitive information, the NPPs prohibit the collection of
sensitive information except in certain circumstances including that the
individual has consented and the collection is required by law. In addition,
non-profit organisations are permitted to collect sensitive personal
information in certain circumstances.[4]
6.5
The ALRC noted that neither the IPPs nor NPPs require that an individual
give his or her consent before an agency or organisation is permitted to
collect the individual's personal information.
6.6
The ALRC's review canvassed the issue of collection of personal
information directly from an individual, where reasonable and practicable to do
so. The ALRC concluded that both agencies and organisations should only collect
information from the individual to whom the information relates, where it is
reasonable and practicable to do so, and noted that 'such a requirement will
increase the likelihood that personal information collected will be accurate,
relevant, complete and up-to-date. It also gives individuals an opportunity to
participate in the collection process'.[5]
The ALRC was of the view that the 'reasonable and practicable' requirement
would not limit the coercive information gathering powers of agencies or the
exercise of their intelligence, investigative and compliance functions.
However, the ALRC recommended that the Office of the Privacy Commissioner (OPC)
develop and publish guidance to clarify when it would not be reasonable or
practicable to collect personal information only from the individual concerned.[6]
6.7
The ALRC's consideration of the collection of sensitive personal
information focused on whether agencies should also be subject to restrictions
in collecting sensitive information. The ALRC concluded that there were strong
policy reasons to extend restrictions on collection of sensitive information to
agencies and noted:
The risks associated with sensitive information being
subsequently misused are sufficiently serious to justify imposing an obligation
on agencies to abide by restrictions on the collection of sensitive
information. Such restrictions however, should allow for the collection of
sensitive information by agencies for legitimate reasons.[7]
6.8
In addition, the ALRC saw no reason for a separate privacy principle to
deal with the collection of sensitive information. Rather, it recommended a
single principle dealing with the collection of all personal information.[8]
6.9
There are a range of exceptions to the prohibition against the
collection of sensitive personal information. The ALRC commented as follows:
- required or authorised by or under law: the ALRC concluded
that an exception where the collection of sensitive information is required by
law is too narrow; rather, the legitimate collection of sensitive information
authorised by law should be included in the principle. Concerns that 'specific'
authorisation to collect sensitive information is rarely provided for in
legislation were acknowledged in the review and it was noted that a review of
current legislation may be required to ensure that, where needed, the
collection of sensitive information is specifically authorised;[9]
and
- emergency situations: in emergency situations, where an
individual is unable to give consent, the ALRC noted that the Privacy Act
contains a separate regime for the collection, use and disclosure of personal
information in situations where the Prime Minister or a minister has declared
an emergency or disaster. In addition, NPP 10 generally allows for the
collection of sensitive information by organisations where it is necessary to
prevent or lessen a serious and imminent threat to the life or health of any
individual and the individual is incapable of giving consent. The ALRC considered
the application of NPP 10 to both agencies and organisations and concluded
that it should apply to agencies. However, the ALRC did not support the current
requirement of NPP 10 that the threat must be both serious and imminent as
it saw this as too difficult to satisfy. The ALRC was of the view that the
wording should be relaxed so that it is triggered where the threat is serious,
but not necessarily imminent.[10]
6.10
The ALRC also considered other circumstances where exceptions may be
warranted; for example, collecting sensitive personal information where
essential services are to be provided to individuals incapable of giving
consent. The ALRC did not consider that the benefits would outweigh the
difficulties of the creation and implementation of such an exception.[11]
6.11
In relation to the other exceptions currently contained in
NPP 10.1, the ALRC commented:
- consent exception: NPP 10 allows for sensitive
personal information to be collected where the individual has given consent.
The ALRC concluded that it is undesirable to amend the consent exception to
require express consent for the collection of sensitive information;
- exception relating to non-profit organisations: non-profit
organisations may collect information in the course of their activities where
certain specified conditions are met. The ALRC commented that concerns about
the drafting of this exception are best addressed by the Office of the
Parliamentary Counsel;
- exception relating to legal and equitable claims:
collection is permitted where it is necessary for the establishment of,
exercise or defence of, a legal or equitable claim. The ALRC was not convinced
that there was a need to broaden this exception but did not receive sufficient
feedback from stakeholders to make a proper assessment of the merits of broadening
the exception. The ALRC did not recommend an amendment to this exception; and
- exception relating to alternative dispute resolution: the
ALRC was of the view that collecting sensitive information should be permitted
where it is necessary for the purpose of confidential alternative dispute
resolution.[12]
Government response
6.12
The Government accepted in full all but one of the ALRC's
recommendations in relation to collection of sensitive information. The
Government accepted in part the ALRC's recommendation that the sensitive
information provisions should contain an exception permitting the collection of
sensitive information by an entity where it is necessary to lessen or prevent a
serious threat to life or health or the individual is legally or physically
incapable of giving or communicating consent. The Government response noted
that for consistency, a 'serious threat' should refer to 'life, health or
safety'.[13]
Issues
6.13
Some submitters expressed their support for APP 3.[14]
However, Professor Graham Greenleaf and Mr Nigel Waters argued that APP 3
is 'significantly weaker than the equivalent NPP(1)' and pointed to a number of
concerns including the use of the term 'reasonably necessary' rather than
'necessary'.[15]
The matters raised by Professor Greenleaf and Mr Waters and other submitters
are addressed below.
Structure
6.14
The committee received a range of comments relating to the structure of
APP 3. While welcoming the concept of distinguishing between the
collection of solicited and collection of unsolicited information, the
Australian Institute of Credit Management (AICM) was of the view that the
collection of sensitive information should also be placed in a separate
principle. The AICM commented that entities did not always recognise
information that is necessary to the entity's functions as being 'sensitive
information' and that it should be managed with considerable care.[16]
6.15
The OPC also commented on a number of matters related to the structure
of APP 3. First, the OPC was of the view that the principle should be
titled 'Collection of personal information' and secondly, that the collection
of unsolicited information be incorporated into the principle. This latter
matter is considered by the committee in chapter 7.
6.16
Secondly, the OPC suggested that APP 3 could be simplified by
removing matters which it considered to be repetitious and redundant
(APP 3(2)(a)(i)) and consolidating the exceptions as a simpler list under
APP 3(2). This would reflect the structure of NPP 10 and the ALRC's
model Unified Privacy Principles.[17]
Similarly, Professor Greenleaf and Mr Waters suggested consolidation of APP 3(2)
and APP 3(3) to simplify the principle.[18]
6.17
Privacy NSW commented that the complex wording of APP 3 'defeats
the purpose in choosing principle-based rules rather than legislation' and
argued for a more simply expressed principle.[19]
Qantas also argued that APP 3 contained 'unnecessary verbiage' with
APP 3(2)(a)(i) merely repeating the provisions contained in APP 3(1)
while APP 3(5) (third person collection), which replicates NPP 1.4,
does so in a less clear and more verbose way.[20]
Conclusion
6.18
In chapter 3, the committee has commented on the need to refine the
APPs. The committee considers that APP 3 is another example of where
simplifying the approach taken would improve the readability of the principle.
Use of the term 'reasonably necessary for, or directly related to'
6.19
The committee received a range of comments in relation to the use of the
term 'reasonably necessary for, or directly related to' in APP 3. The AFC
supported the inclusion of the term 'reasonably' necessary as reflecting a
'compliance framework that appropriately balances privacy and public interest
rights'. However, the AFC did not support the addition of 'directly' to the
'related to' element as it was argued that this did not appear to be in line
with the recommendations of the ALRC. Such wording, it was argued, adds an
'unnecessarily prescriptive aspect to this component of the principle and is at
odds with the Government's high-level, non-prescriptive approach and an
appropriate balance between the interests of the individual and the public'.[21]
6.20
Other submitters, including Professor Greenleaf and Mr Waters, commented
that the proposed wording of APP 3 would result in weaker privacy
protections as it was argued that the 'reasonably necessary' test broadened the
principle.[22]
The Victorian Privacy Commissioner voiced concern about the use of both the
terms 'reasonably necessary' and 'directly related to' and commented on the
need to ensure that protections were not lowered:
The APPs should represent the highest standard of privacy
protection currently enjoyed in Australia, not the lowest common denominator.
Agencies or organisations should only collect personal information that is necessary
for their functions or activities (as provided by the current VIPP 1.1 in the
Information Privacy Act), not information that an agency or organisation
reasonably believes may be necessary for their functions or activities, or which
is directly related to them.[23]
6.21
One of the weaknesses, it was argued, arises as APP 3(1) 'allows
multi-function entities to request personal information that is not directly
related to the goods or services actually requested by the individual' as the
information may be reasonably necessary for any one of the entity's functions.[24]
Dr Colin Bennett was of the same view that the use of 'reasonably necessary'
allowed entities to state a very broad set of goals and purposes and thereby
allows for any collection of personal information to be 'reasonably necessary'
or 'directly related to' their functions and activities.[25]
6.22
Both the LIV and Dr Bennett noted that the Companion Guide indicates
that 'reasonably necessary' means that 'from the perspective of a reasonable
person the function or activity is legitimate for that type of entity', and is
intended to be interpreted objectively and in a practical way. However, Dr
Bennett argued that the proposed drafting of APP 3 does not make this
clear.[26]
The LIV stated APP 3 focuses only on the entity's functions and not on the
individual's reasons for disclosing personal information or dealing with the
entity.[27]
Professor Greenleaf and Mr Waters also commented that the test should be 'the
reasonableness of the purpose' rather than merely the reasonableness of
information collection in the context of the entity's functions or activities.[28]
6.23
The LIV recommended that the wording be amended to include 'reasonably
necessary for the function or activity in which the person is engaging'.[29]
Professor Greenleaf and Mr Waters suggested that 'necessary' alone or
preferably 'necessary and directly related to' the entity's functions or
activities would strengthen APP 3.[30]
6.24
The OPC noted that the Government had accepted the ALRC's recommendation
on 'collection' and it had stated that 'necessary' should be interpreted
objectively and in a practical sense.[31]
The OPC considered that, in line with the Government response, and the ALRC's
recommendation, the phrase 'necessary for one or more of the entity's functions
or activities' was sufficient for all entities under a single set of
principles. However, APP 3 includes the 'directly related to' alternative.
The OPC argued that this is unnecessary for agencies as often agency functions
and activities are tied to enabling legislation, object clauses or related
instruments and are thus more easily defined. The OPC concluded that it was not
aware of examples where the 'necessary' requirement would prevent an agency
from collecting personal information to pursue legitimate functions or
activities.
6.25
In relation to organisations, the OPC was of the view that the wording
of APP 3 appears to lower the existing NPP standard for organisations, including
when collecting sensitive information. The OPC was concerned that uncertainty
had been introduced and that this would allow a broader range of personal
information to be collected, including sensitive personal information. The OPC
concluded that this 'could be inconsistent with the intent of enhanced, not
diminished, privacy protections' and recommended that, to maintain the current
level of protection in NPP 1, the words 'or directly related to' be
removed from APP 3(1) and corresponding provisions.[32]
6.26
Privacy Law Consulting provided a further view in relation to the
interpretation of APP 3 contained in the Companion Guide.[33]
Privacy Law Consulting suggested that the interpretation provided does not
appear to be consistent with the literal reading of APP 3 and continued:
The interpretation referred to in the Companion Guide would
result in the Privacy Act effectively regulating, and limiting, the types of
functions and activities an entity could perform or engage in (based on a test
relating to whether they were reasonably legitimate for that type of entity).
Such an outcome appears to be beyond the intended scope and purpose of the Act.
Further, this would be inconsistent with the general demise of the doctrine of
ultra vires in respect of corporations (which placed limitations on activities
a corporation could engage in based on its objects clause in its memorandum of
association) – see, for example, s 124(1) of the Corporations Act 2001
(Cth) which generally provides that companies have the legal capacity and
powers of an individual, effectively abolishing the application of the doctrine
in relation to corporations established under that Act.
It is important that any uncertainty in this regard be
eliminated, otherwise entities operate under the spectre that functions or
activities they perform or engage in could be challenged on privacy grounds.[34]
6.27
At the committee's hearing on the exposure draft, Professor Rosalind
Croucher, President, ALRC was asked to respond to concerns about the possible
weakening of the collection principle under proposed APP 3.[35]
In a written response, Professor Croucher stated that the UPP recommended by
the ALRC followed NPP 1.1 rather than IPP 1.1 as the ALRC was of the
view that the NPPs should form the general template for the drafting and
structuring of the new unified principles.
6.28
Professor Croucher went on to state that 'it is not entirely clear
whether the formulation in APP 3(1) provides more or less privacy
protection than that in NPP 1.1' and commented:
Arguably, allowing the collection of information where it is
"directly related" to a function or activity, as well as where it is
"necessary", broadens the scope for collection. However, as discussed
in ALRC Report 108, the Office of the Privacy Commissioner's 2001 guidelines on
collection of information by organisations provide that:
The Commissioner interprets "necessary" in
a practical sense. If an organisation cannot in practice effectively pursue a
legitimate function or activity without collecting personal information, then
the Commissioner would ordinarily consider it necessary for that function or
activity. (p 27)
Further, the High Court of Australia has noted that there is
a long history of judicial and legislative use of the term 'necessary', not as
meaning 'essential or indispensable', but as meaning 'reasonably appropriate
and adapted' (see Mulholland v Australian Electoral Commission (2004)
220 CLR 181, [39]).
It should also be observed that, arguably, APP 3 is more
privacy protective than NPP 1 in that it requires that collection is
'reasonably' necessary. The addition of this objective element was an option
considered, but rejected as unnecessary, in ALRC Report 108, [21.77].[36]
6.29
The Department of the Prime Minister and Cabinet (the department) also
provided answers to questions on notice in relation to APP 3. The
department commented that the wording in APP 3(1) is intended to strike the
appropriate balance between the need to protect against the unnecessary
collection of personal information and the need for organisations and agencies
to collect personal information reasonably necessary for, or directly related
to, one or more of their functions or activities.
6.30
The department explained the basis of APP 3 as follows. There are
two key elements to APP 3(1): first, a 'reasonably necessary' test is
included in relation to the collection of 'personal information other than
sensitive information'. This is consistent with the views of the ALRC that an
objective test should continue to apply as is currently the case for
organisations under NPP 1 (although the ALRC believed that an objective
test was implied even with the use of only 'necessary'). The department argued
that the requirement on entities to collect only personal information that is
reasonably necessary to their functions, requires the collection of personal
information to be justifiable on objective grounds, rather than on the
subjective views of the entity itself. The department concluded that this will
limit inappropriate collection by entities.
6.31
Secondly, the term 'directly related to' one or more of the entity's
functions or activities ensures that there must be a clear connection between
the collection and the entity's functions or activities. The department
commented that that aspect of the test appears in the existing IPPs, which bind
agencies. The department also noted that IPP 1 has operated under the
existing regime in circumstances where it may not be possible to meet the
'reasonably necessary' test. This element is being retained because there may be
agencies (less so for organisations) that need to collect personal information
to effectively carry out defined functions or activities but who may not meet
an objective 'reasonably necessary' test.[37]
Conclusion
6.32
The committee agrees that an objective test is a necessary element in
the collection principle. However, given the comments in relation to the addition
of the word 'reasonably' in the 'necessary' test, the committee remains to be
persuaded that this provides a higher, or even the same, level of privacy
protection as the wording of NPP 1.
6.33
In relation to the 'directly related to' test, the committee notes the
department's comments that this test appears in the IPPs as there are
circumstances where an agency may not meet the 'reasonably necessary' test. The
department goes on to comment that this is less of an occurrence for
organisations. The committee has taken note of the comments in relation to the
potential for organisations to use this test to establish a very broad set of
activities and functions on which to base the collection of personal
information and at the same time comply with APP 3.
6.34
The committee considers that APP 3 is a less than elegant solution
to the drafting of a unified collection principle, and may, in effect, lower
privacy protections by allowing organisations to take advantage of a provision
which is more appropriately applied to agencies. The committee considers that
the 'reasonably necessary' test provides organisations with sufficient
flexibility, and is, in fact, substantially similar to what is now provided in
NPP 1. The committee therefore does not support the extension of the
'directly related to' test to organisations and recommends that APP 3
should be reconsidered.
Recommendation 8
6.35
The committee recommends that in relation to the collection of solicited
information principle (APP 3), further consideration be given to:
- whether the addition of the word 'reasonably' in the 'necessary'
test weakens the principle; and
- excluding organisations from the application of the 'directly
related to' test to ensure that privacy protections are not compromised.
Consent
6.36
The committee received comments regarding the consent requirements of
APP 3 in relation to sensitive information. APP 3(2) requires that an
entity must not collect sensitive information unless the individual consents or
the collection falls within an exception listed in APP 3(3). The general
issue of consent has been discussed in chapter 3.
Sensitive information
6.37
Generally, the collection of sensitive information should not occur
unless the collection meets the functions test and the individual has consented
(APP 3(2)). However, there are a number of specific exemptions which allow
collection of sensitive information without consent (APP 3(3)).
6.38
The OPC's comments in relation to the collection of sensitive
information went to the use of the 'directly related to' test. The OPC was of
the opinion that collecting sensitive information should be 'necessary' not
'directly related to' the functions or activities of an agency or organisation.
The OPC commented that the drafting of APP 3(2) 'appears to mean that if
an exception in APP 3(3) applies, sensitive information may be collected
even if it is not 'reasonably necessary for' or 'directly related to' the
entity's functions or activities'. As a consequence, APP 3 provides for a
lower threshold for the collection of sensitive personal information than does
the existing NPP 1. The OPC concluded:
If the collection of sensitive information is not subject to
the same basic test of "necessity" as other personal information in
APP 3(1), this is inconsistent with the accepted view that sensitive
information should be accorded higher protection.[38]
6.39
The department agreed with the OPC's interpretation that 'sensitive
information' could be acquired using an exception in APP 3(3) without the information
first needing to be 'reasonably necessary' or 'directly related to' an activity
or function of the entity. However, the department pointed out that these
exceptions are based on circumstances where there is an overriding public
interest in collecting the information and that safeguards have been built into
most of the exceptions. The department stated that the safeguards will ensure
that, even where there are specific special circumstances, there is still a
requirement that collection be based on an objective element (either relating
to reasonable necessity or reasonable belief of necessity).[39]
6.40
Submitters also provided a range of views on the individual exceptions
provided for in APP 3(3). Professor Greenleaf and Mr Waters, for example, argued
that the exceptions had been 'dramatically expanded' citing in particular the 'required
by law' and 'emergencies' exceptions.[40]
Other submitters provided comment on specific exceptions.
Required or authorised by or under Australian law
6.41
APP 3(3)(a) provides an exception in the case of the collection of
sensitive personal information that 'is required or authorised by or under an
Australian law, or an order of a court or tribunal'. The Victorian Privacy
Commissioner voiced concern about this exception, noting that it is similar to,
but not as stringent as, that contained in the Victorian privacy legislation.
The Commissioner stated that the APPs should represent the highest level of
current privacy protection in Australia. The Commissioner supported a narrower
drafting of the requirement so that an exception is only permissible when the
requirement to collect sensitive information is mandatory, and not simply
permissive or discretionary.[41]
6.42
Professor Greenleaf and Mr Waters commented that no justification had been
provided as to why the 'deliberately more protective wording' of NPP 10 has
been abandoned. While accepting that "specifically authorised" may be
an appropriate change to this requirement, they did not support 'the wholesale invocation
of the very vague and subjective "authorised"'.[42]
Emergencies
6.43
An exception is provided for when an entity believes the collection is
necessary to 'lessen or prevent a serious threat to the life, health or safety of
any individual or to public health or safety' and it is unreasonable or
impracticable to obtain the consent of the affected person (APP 3(3)(b)).
6.44
This exception was criticised by Professor Greenleaf and Mr Waters as it
was argued that it had been broadened by the removal of the 'imminent' threat
criteria. They submitted that it is 'essential to retain a test of
"urgency" to justify why another basis for [collection] cannot be
established'. In addition, they stated that the exception has also been
broadened by the addition of threats to an individual's 'safety' and to 'public
health or safety' and by the replacement of the condition that consent be
physically or legally impracticable with a much weaker 'unreasonable or
impracticable to obtain consent'. Professor Greenleaf and Mr Waters commented
that the last change 'is a major weakening of the principle and will be
interpreted by entities to routinely justify collection of sensitive
information without consent'.[43]
6.45
The Public Interest Advocacy Centre (PIAC) also commented on the absence
of the requirement that the threat be 'imminent'. PIAC argued that there must
be some degree of urgency and, as a result of that urgency, limited access to
other mechanisms available to prevent the threat eventuating. PIAC was of the
view that the requirement of imminence acted as an important safeguard,
particularly when information was being sought about persons with mental
illness. In this case, there may be a potential for serious threat to health,
but no imminence, because at the relevant time the illness is well controlled by
medication or is episodic and the person is currently not unwell. PIAC
concluded that where the threat is serious, but not imminent, other mechanisms
should be used to avoid the threat eventuating without recourse to
non-consensual collection of sensitive information.[44]
6.46
Qantas, however, argued that the reference to 'serious' should be
removed as the question of seriousness is subjective and it 'believed that
employees should not be placed in the position of having to make such a
judgment if they reasonably believe that a serious threat exists and it will be
unreasonable and impractical to obtain consent'.[45]
6.47
The department provided the following information in relation to the emergencies
exception. The ALRC Report stated that the current requirement that a threat
must be both serious and imminent in these provisions is too difficult to
satisfy, sets a 'disproportionately high bar' and can lead to personal
information not being used or disclosed in circumstances where there are
compelling reasons justifying its use or disclosure. The removal of 'imminent' would
also allow an agency or organisation to take preventative action to stop a
threat from developing into a crisis.
6.48
The ALRC's view was accepted by the Government. The department noted
that, to address concerns of a number of stakeholders that the removal of this
element would inappropriately broaden the exception, a requirement was included
that use and disclosure could occur only after consent has first been sought,
where to do so is reasonable and practicable. Thus, the additional elements to
the exception where 'it is unreasonable or impracticable to obtain the affected
individual's consent' to either the collection of sensitive information, or the
use or disclosure of personal information.[46]
Unlawful activity
6.49
It was noted that the exception relating to the investigation of
unlawful activity was not included in the ALRC's recommendations. Professor
Greenleaf and Mr Waters commented that there needs to be some justification for
this exception and that it should be qualified on the condition that the entity
must take some appropriate action within a reasonable period of time. It was argued
that 'without such a condition, the exception invites the compilation and
indefinite maintenance of "blacklists" based on suspicion of
wrongdoing but without any requirement for individuals on such lists to be
afforded natural justice'.[47]
Missing persons
6.50
An exception (APP 3(3)(g)) is available to assist in the location
of missing persons. Collection of the information must comply with the
Australian Privacy Rules. Professor Greenleaf and Mr Waters argued that, if
there is a case for a separate exception for missing persons, the provisions
should be contained in the APP and not in the, as yet unknown, Australian
Privacy Rule.[48]
6.51
The ALRC did not support the creation of an express exception for
disclosing information to assist in missing persons investigations as other
exceptions would assist in broadening the scope of situations in which
disclosure of personal information in missing persons investigations would be
authorised, such as the serious threat exception. The department noted that the
Government agreed with the ALRC's view that using or disclosing personal
information to locate missing persons may often be permitted by other
exceptions. However, the Government considered that 'an express exception
should also apply for those instances where the application of other exceptions
is unclear'. For example, some agencies were concerned that the 'serious threat
to life' etc exception would not allow them to collect information relating to
a missing person who may have gone missing because of health issues. The
department went on to state that, in order to provide safeguards against
improper use of such information, the Government decided that such collection,
uses or disclosures should be in accordance with binding rules issued by the Australian
Information Commissioner. These are to be in the form of a legislative
instrument and therefore subject to the scrutiny of Parliament.[49]
6.52
The department provided further information about the rules and
commented that they will consist of detailed matters relating to the procedures
and protocols used by agencies that are more appropriately dealt with in
subordinate legislation. The department noted that using rules, rather than the
Act, will allow a more flexible response to the wide variety of circumstances
in which this issue may arise (e.g. natural disasters, child abductions).
Further, there is already an example of a non-legislative determination (Public
Interest Determination 7) where the Privacy Commissioner has granted a waiver
from compliance with IPP 11.1 which permits the Department of Foreign Affairs
and Trade to disclose personal information of Australians overseas to their
next of kin in certain limited circumstances. The rules will also be subject to
extensive consultation and to parliamentary scrutiny.
6.53
The department noted that the Government response provides a non-exhaustive
list of matters which may be included in the rules.[50]
Exceptions related to Commonwealth agencies
6.54
There are a number of exceptions (APP 3(3)(e) and (f)) which apply
only to Commonwealth agencies; for example, the Defence Force. The Victorian
Privacy Commissioner commented that this was problematic when expressly
included in the APP itself, as this reduces the simplicity, lucidity and
'high-level' nature of the APPs. In addition, the Commissioner stated that it
would reduce the ability of states and territories to readily adopt them with minimal
amendment.[51]
6.55
Professor Greenleaf and Mr Waters saw these special exceptions as
allowing the Defence Forces and diplomatic service 'to avoid the principle [on]
the basis of their own "reasonable belief".' They argued that this
reflected 'a lazy approach to compliance' and that these entities should have
to comply with APP 3 and take advantage of the generic exceptions where
appropriate.[52]
6.56
The OPC's comments on the inclusion of agency specific exceptions in the
APPs are provided in chapter 3.
Implied consent
6.57
Qantas submitted that it often collected sensitive personal information
provided by a third party where it is impracticable to obtain consent from the
individual about whom it is given; for example, in the case of a carer
providing health information while making a booking for the person in their
care. Qantas submitted that in these circumstances the consent exception should
be expanded to include the situation where consent can reasonably be
inferred from the circumstances of the collection.[53]
Health information
6.58
The NSW Department of Justice and Attorney General raised the concern
that APP 3 did not allow for the collection of sensitive health
information such as where, in providing care for a patient, a family history is
taken. It was argued that a health practitioner will not have the patient's
family member's consent and in most circumstances, the information collected
about the patient's family members will not be necessary to lessen or prevent a
serious threat to life, health or safety. The NSW Department of Justice and
Attorney General concluded:
It is imperative that health practitioners can continue to
take a patient's family history without having to seek the consent of each
family member to collect health information about that family member. APP3
should be amended to allow this to occur.[54]
Conclusion
6.59
The committee notes that the exceptions provided for in APP 3 are
'based on circumstances where there is an overriding public interest in
collecting information'. To ensure that these provisions are not abused,
safeguards have been incorporated into the exceptions. In particular the
committee notes that, in relation to the missing persons exception, Australian
Privacy Rules will provide for detailed matters relating to procedures and
protocols. The committee considers that this is an appropriate exception to
deal with the sometimes very difficult circumstances of missing persons. The
use of rules, rather than a non-legislative determination by the Privacy
Commissioner, provides for consultation and the scrutiny of Parliament. The
committee welcomes this approach.
6.60
In relation to the inclusion of agency specific exceptions, the
committee has commented on this matter in chapter 3.
Means of collection
6.61
APP 3(5) provides that entities must collect information only by lawful
and fair means and the entity must collect the information from the individual
concerned. Two exceptions are provided for. The first, APP 3(5)(a), allows
agencies to collect information about a person from a third party if required
or authorised by or under an Australian law, or by a court or tribunal. The
second, APP 3(5)(b), applies where it is 'unreasonable or impracticable'
for an entity to collect the information from the individual.
6.62
The Victorian Privacy Commissioner strongly supported the provisions in
relation to the direct collection of information from an individual and noted
that it enables individuals to have some measure of control over what is
collected, by whom and for what purposes as well as allowing individuals to
refuse to participate in the collection.[55]
The inclusion of the 'reasonable and practicable' requirement was also
supported by the Victorian Privacy Commissioner as it allows for circumstances
where it may not be practically possible to collect information directly from
an individual. However, the Commissioner and the LIV saw the need for guidance
as to the circumstances where it would not be reasonable or practicable to
collect information directly from an individual. This should be jointly
prepared by all Privacy (or Information) Commissioners across jurisdictions.[56]
6.63
The LIV also noted that APP 3(5)(b) does not expressly restrict an
entity from on-selling to a third party entity personal information obtained
from an individual if it is 'unreasonable or impracticable' for the third party
to collect the information from an individual. For example, the third party
entity may mount an argument that it was 'unreasonable or impracticable' to
collect the information from the individual because of lack of time. The LIV
expressed concern that individuals may not have control over where information
about them goes, or is used, and recommended guidance on the circumstances in
which collection from an individual is deemed to be 'unreasonable or
impracticable'.[57]
Collection from third parties
6.64
The restriction to agencies of the collection of information from a
third party, if required or authorised by or under an Australian law, was
questioned by the ACF. It commented that it 'was not aware of any policy
justification for confining the permitted means to collection to include third
parties to the public sector' and that this could equally be relevant to the
private sector.[58]
The Australian Bankers' Association also supported this recommendation as there
is increased use of third party verification methods to satisfy legislative requirements,
such as anti-money laundering and counter terrorism legislation as well as
instances where a third party is required to translate for non-English speaking
customers. The ABA recommended that the APP be amended to allow for sensitive
information to be collected from a third party where consent has been given.[59]
6.65
The NSW Department of Justice and Attorney General also commented on the
collection of information from third persons. It pointed to the NSW Law Reform
Commission's recommendation that an entity should be able to collect personal
information about an individual from a third person if the individual consents.
The basis of this recommendation was that it gives autonomy to the individual
about how their personal information may be collected; for example, the person
may find it more convenient to allow the information to be collected from a
third party. In addition, the NSW Department of Justice and Attorney General
pointed to the circumstances facing some agencies. For example, the NSW Department
of Housing may need to collect information from a medical practitioner about
the mental health of an applicant for priority housing. It is possible that in
such a case, it might not be unreasonable or impracticable to obtain the
information from the individual in question. Thus, as presently drafted, APP 3
might not authorise the Department to obtain such information from the medical
practitioner.
6.66
The NSW Department of Justice and Attorney General noted the comments of
the ALRC in relation to this matter: that if personal information is collected
from a third person with their consent, individuals will not have the
opportunity to refuse to provide information and there is a risk that third
parties will not be able to provide up-to-date, complete or accurate
information. However, the NSW Department of Justice and Attorney General
commented that if a 'consent' exception was considered, it may be appropriate that
it relied on 'express' consent. It was concluded that:
While there are some risks in relation to the nature of the
consent and the accuracy and completeness of the information, individuals
should be free to choose to have their information collected from third parties
where they do not wish to provide the information themselves.[60]
6.67
The department responded to issues raised in relation to 'means of
collection', in particular, collection from third parties. The department
commented that the exception in APP 3(5)(a) was included to address agency
concerns that they may be in breach of the Privacy Act where another law allows
or requires them to collect from a number of sources other than the individual,
but in the circumstances it would still be practicable and reasonable to go to
the individual. For example, the Australian Electoral Commission obtains information
from Commonwealth agencies and updates the electoral roll using that
information.[61]
6.68
The department went on to explain that currently, NPP 1 allows organisations,
where reasonable and practicable, to collect personal information about an
individual only from that individual. The ALRC did not recommend any
change to this. In relation to the concerns raised by the ABA, the department
commented that when an entity collects information from a third party for
identity verification purposes in accordance with legislative requirements
under anti-money laundering and counter terrorism legislation, because it had a
suspicion that the person is not who they claim to be, it is likely to be
'unreasonable or impracticable' to collect it from the individual
concerned. The department concluded that the alternative second element of the
exception would apply to allow the collection.[62]
Conclusion
6.69
The committee is of the view that the inclusion of the 'unreasonable and
impractical' provision in APP 3(5)(b) provides appropriate flexibility to
organisations and therefore there is no need to extend APP 3(5)(a) to
organisations.
6.70
The committee has noted the comments of the NSW Department of Justice
and Attorney General in relation to the collection of personal information
about an individual from a third party when that individual consents to that
process. The committee considers that, at the present time, it appears that the
risks to privacy outweigh potential benefits.