Chapter 7

Australian Privacy Principle 4 – receiving unsolicited personal information

Introduction

7.1        Australian Privacy Principle 4 (APP 4) ensures that personal information that is received by an entity is still afforded privacy protection, even where the entity has done nothing to solicit the information. When unsolicited personal information is received, an entity must, as a first step, decide whether it could have collected the information in accordance with APP 3. If this is the case, then the other Australian Privacy Principles apply to that personal information in the same way as if it had been solicited. If the entity would not have been permitted to collect the personal information under APP 3, then it must take steps to destroy the information or ensure that it is no longer personal information; for example, de-identify the information.[1]

Background

7.2        The ALRC noted that the Information Privacy Principles (IPPs), to some extent, make a distinction between the obligations imposed on an agency that solicits personal information and one that receives unsolicited personal information. IPP 1 does not specifically refer to unsolicited information; however, it has been said to apply to unsolicited information. NPP 1 does not distinguish between the obligations imposed on organisations in respect of solicited or unsolicited information although it does address separately personal information obtained directly from the individual and from a third party.[2]

7.3        The ALRC also noted that many agencies and organisations receive large amounts of unsolicited personal information and commented that 'the fact that an agency or organisation has done nothing to cause personal information to be sent to it should not mean, however, that such information falls outside the protection of the privacy principles'. The ALRC saw a risk to a person's privacy arising when entities retain unsolicited information and was of the view that if this occurred, then the entity should comply with the privacy principles in respect of that information.[3]

7.4        When considering the implications of the requirement to comply with the privacy principles in respect of unsolicited information, the ALRC noted that some stakeholders had expressed concern that they would not always be able to comply with the obligations imposed by the privacy principles in respect of certain information; for example, the 'Notification' principle. However, the ALRC commented that in some circumstances it will be reasonable for entities to take no steps to notify an individual about collection.

7.5        The ALRC also considered the destruction of unsolicited personal information and came to the conclusion that an obligation to immediately destroy such information was impractical. Rather, an entity requires time to consider whether it can lawfully collect the unsolicited information and whether it wishes to retain the information. If there is an affirmative outcome to both of these matters, then the obligations that apply to the 'active' collection of personal information should apply. If this is not the case, then the entity should destroy the information as soon as practicable without using or disclosing it, if it is lawful and reasonable to do so.

7.6        The ALRC concluded that this approach:

...ensures that the spectrum of personal information that an agency or organisation may lawfully retain, use and disclose is not expanded merely because the entity has taken no steps to collect the information. The threshold requirement that an agency or organisation is only permitted to collect personal information that is "necessary for one or more of its functions or activities" also should apply to the retention of unsolicited personal information.[4]

7.7        The ALRC also recommended that the Office of the Privacy Commissioner (OPC) should develop and publish guidance about the meaning of 'unsolicited' in the context of the 'Collection' principle.

Government response

7.8        The Government accepted the ALRC's recommendations in relation to unsolicited personal information and noted that such information should be afforded privacy protections. Unsolicited personal information that is not necessary for an entity's functions or activities should be destroyed or de-identified, where lawful and practicable to do so, and this should apply if the information is received either from the individual themselves or from any other third party. The Government also accepted the ALRC's recommendation in relation to guidance from the OPC and noted that:

...it would be important for such guidance to explain how this principle may apply to unsolicited personal information that is necessary for compliance, enforcement and regulatory functions, including where confidential "tip-offs" are received.[5]

Issues

Structure

7.9        Some submitters supported APP 4 as it was seen to clarify how an entity should address the management of unsolicited personal information.[6] However, a number of submitters argued that the inclusion of a separate privacy principle dealing with unsolicited personal information was unnecessary and added complexity to the legislation.[7] Qantas, for example, stated that the distinction between 'solicited' and 'unsolicited' personal information has resulted in a much more verbose principle than NPP 1 and 'the proposed new principles [APP 3 and APP 4] are difficult to interpret and the distinction appears to be unnecessary and artificial'.[8] The OPC also suggested that the receipt of unsolicited personal information should be addressed within APP 3, rather than as a separate dedicated principle, as the general collection principle is the logical location for the provision relating to unsolicited information.[9]

7.10      Other submitters, for example, the National Australia Bank, noted that APP 3 already protects against the inappropriate collection of any personal information by the overriding obligation not to collect personal information unless it is reasonably necessary for, or directly related to, one or more of the entity's functions or activities.[10] Similarly, Telstra argued that APP 4 did not afford any additional protections and was unnecessary as APP 11 requires that an entity should destroy any personal information that is no longer required for the purposes permitted by the APPs.[11]

7.11      The Australian Finance Conference (AFC) was of the view that APP 4 'is not necessary and potentially devalues the Government's reform objective'. The AFC noted that APP 4 appears to reflect the intent of the ALRC recommendation that personal information received by an entity, even if not solicited, should still be afforded privacy protections, and that the entity should be encouraged to collect that information directly from the individual where reasonable. However, the AFC argued that draft APP 4 'requires a sophisticated compliance approach that is, in our view, unwarranted' and that the ALRC's Unified Privacy Principle 2.4 would achieve the same result 'with minimal compliance process and consequently cost'.[12]

7.12      The Office of the Information Commissioner, Queensland (OIC) recommended that if it is determined that the unsolicited information could have been collected under APP 3, words should be added to APP 4 that clearly require personal information which is not destroyed or de-identified under APP 4(4) to be managed in accordance with APPs 6 through 13.[13]

7.13      The Department of the Prime Minister and Cabinet (the department) responded to these comments and stated that the insertion of a separate APP covering the collection of unsolicited information is aimed at clarifying the application of the principles explicitly in relation to unsolicited information, rather than implicitly as currently occurs with the NPPs. It also confirms that, where an entity could have collected the unsolicited information, it should be treated in accordance with all the privacy principles that apply to the collection of solicited information. As to the OPC's comments about the location of the requirement, the department stated that 'it is an important standalone principle of collection that should be included in a separate principle'.[14]

Compliance burden

7.14      Submitters also raised concerns that entities would face an increased compliance burden. The Australian Bankers' Association (ABA) commented that additional training of staff would be required 'to recognise that the receipt of certain information may require the determination to be made as required under APP 4', and this will be a very significant practical exercise. The ABA concluded that there would be no clear benefit to privacy principles arising from that additional burden.[15] Telstra also commented on the compliance burden and stated that entities would have to take steps to identify and distinguish between solicited and unsolicited information. This, Telstra suggested, would shift the emphasis away from whether the information in the entity's possession, however collected, is necessary and relevant for its purposes.[16]

7.15      Westpac and Abacus Australian Mutuals provided an example of the practical difficulties with this APP: if both solicited and unsolicited information are provided during a phone call, it may be extremely difficult to extract only the solicited information. Abacus Australian Mutuals suggested that the record of the whole phone call may need to be destroyed if the entity is unable to separate the non-required information from the required information. Westpac commented that in such circumstances the entity would have to rely on the separation activity being not 'reasonable' (APP 4(4)). Given the 'risk' of this approach, Westpac recommended that the principle be amended to focus on the subsequent 'use' of such information.[17]

7.16      Abacus Australian Mutuals suggested another option: that APP 4 be re-worded so that, if information cannot reasonably be disposed of, steps must be taken to ensure it is not used, thereby achieving the same result for the customer.[18]

7.17      Yahoo!7 also pointed to a practical difficulty arising from APP 4 in the case where personal information is provided to another entity and that entity 'cannot secure the same consents as were provided to the original collector but has nevertheless obtained the information in a lawful and privacy abiding manner'.[19] Telstra also commented on such instances and stated that an alternative function for APP 4 would be to:

...focus on personal information that is 'passed along' from an individual or entity to a different entity. It could ensure the pass along entity has the authority to do so and provides the receiving entity with the purpose for which the personal information may be used or disclosed. This would ensure that an entity receiving information being "passed along" has been given proper assurances by the first entity that the individual consented to that information transfer and the purposes for which that information may be used.[20]

7.18      The department responded that, to address compliance concerns, APP 4 includes a 'reasonable period' element within which to determine whether or not the entity could have collected the information under APP 3 if the entity had solicited the information, and a 'soon as practicable' test (rather than a requirement to do it immediately) relating to destruction or de-identification.[21]

7.19      The department also responded specifically to the concerns raised by Abacus and Westpac. It noted that under the process to determine whether the information could have been collected under APP 3, the entity would be able to determine which information was unsolicited (for example, a recorded phone call may involve standard questions being asked). The department went on to comment that the solicited information obtained in these instances would, in practice, be recorded in another medium, such as a form, a document or a computer system. Therefore, if the entity decided to destroy the electronic recording of the phone discussion, it would still have the solicited information.[22]

7.20      The department also noted that, as pointed out by Westpac, if it is not reasonable to do so, the entity is not required to destroy or de-identify the information (APP 4(4)).

7.21      In concluding its response to this concern, the department noted that the ALRC recognised that there was a need to clarify the meaning of 'unsolicited' personal information. In accepting this recommendation, the Government stated that it encouraged the development and publication of appropriate guidance by the OPC, noting that the decision to provide guidance is a matter for the OPC. While it is ultimately a matter for the Australian Information Commissioner, the department anticipates that the guidelines will address matters such as those raised by Abacus Australian Mutuals and Westpac.[23]

Determining if information could have been collected under APP 3

7.22      Under APP 4(1), if an entity receives unsolicited personal information, it is required, within a reasonable period, to determine whether it could have collected the information under APP 3 if it had solicited the information. The committee received a range of comments in relation to this provision.

7.23      The Health Services Commissioner, Victoria, commented that APP 4 may be difficult to implement in health settings and gave the example of a relative or other person providing unsolicited information about a client. The Commissioner noted that it would not be easy to determine if the information could have been collected under APP 3. The Commissioner recommended that consideration be given to how APP 4 would apply in the health care area and pointed to Victorian Health Privacy Principle 1.7(d) which deals with information provided in confidence.[24]

7.24      The ABA also commented on the need to ensure that the 'reasonable period requirement' allows entities sufficient time to meet the requirements of APP 4(1). Organisations such as banks have large volumes of information being provided by a wide range of sources. The ABA argued that what is determined to be 'within a reasonable period' must take account of the dimensions of this obligation to make the requisite determination. The ABA suggested that clarification of the term be provided by either a legislative note or by guidance from the OPC.[25]

7.25      The Insurance Council of Australia also noted that large amounts of personal information, often unsolicited, are received by insurers and this would require time to evaluate under the proposed 'lawful and reasonable test'.[26]

7.26      The Law Council of Australia (LCA) raised the concern that APPs 4 to 6 do not 'expressly permit the sale of a medical business as a going concern'. The LCA noted that the relevant legislation in Victoria and the Australian Capital Territory provide useful examples of how this might be addressed.[27]

Destruction/de-identification of unsolicited personal information – APP 4(4)

7.27      APP 4(4) provides that where an entity determines that it could not have collected the unsolicited information under APP 3, it must, as soon as practicable and if lawful and reasonable to do so, either destroy the information or ensure that the information is no longer personal information. Comments received in relation to this provision of APP 4 went to the need for greater clarity of meaning of the terms used, the application of the provision in certain cases and the destruction requirement.

7.28      The Office of the Guardian for Children and Young People commented that the benefit of ensuring that the information is no longer personal information is unclear and creates confusion about what constitutes 'personal information'.[28] Abacus Australian Mutuals suggested that the words '(for example, by taking steps to remove any reference to the individual to whom the information relates)' should be added to the words 'no longer personal information' to provide greater clarity.[29]

7.29      The ABA recommended clarification of the term 'could not have collected' in APP 4(4) so that it means the collection is prohibited by law, rather than simply that it is information the individual could not provide; for example, an opinion given by a third party, or information obtained in connection with an insurance claim where the insurer's duty of disclosure is in issue.[30]

7.30      The OIC and Privacy Law Consulting raised concerns about the effect of APP 4(4) in instances where personal information is provided in error to an agency which, as a standard practice, forwards it to the correct agency. Privacy Law Consulting argued that APP 4 may prohibit this practice on the basis that, as soon as an agency receives any unsolicited personal information in this way, it is in effect generally obliged to destroy the information. The OIC suggested that, to ensure that in such cases information could be passed on to the relevant agency, a form of wording such as the following could be added:

If the entity determines that the entity could not have collected the personal information but is able to determine that another entity could have collected the personal information, the first entity can, as soon as practicable and only if it is lawful and reasonable to do so:

(a)          pass the information onto the appropriate entity; and

(b)          inform the individual about the passage.[31]

7.31      The department responded to these concerns and stated that correspondence received by Ministers, members of parliament and government departments and agencies would, in normal circumstances, be unsolicited. It is clear that the unsolicited information could have been collected under APP 3 because considering and responding to concerns of members of the public, and referring them to appropriate recipients, are functions of these entities. Once an entity has determined that the personal information could have been collected under APP 3, it would be possible for the entity to use or disclose the information under APP 6. Under that APP, disclosure to another Minister or government department would be permitted where the individual has consented to the use and disclosure. As the individual has written with queries, views or representations on particular issues, it is within their legitimate expectation that their correspondence will be referred to the appropriate entity within parliament or government.

7.32      The department went on to state that the recipient entity would also be receiving unsolicited personal information. However, it is also clear that it could have been collected under APP 3 because considering and responding to concerns of members of the public on the particular issues within its responsibilities are directly related to the functions or activities of the entity. The entity may then use the information for the purpose of responding to the correspondence.

7.33      The department therefore concluded that the practice of agencies forwarding incorrectly addressed correspondence will not be prohibited under the new APPs.[32]

7.34      In relation to the destruction provision, the NSW Department of Justice and Attorney General pointed out that the ALRC recommendation would have allowed an agency, if it did not wish to retain unsolicited information, to destroy it without having to decide whether it could have collected the information under APP 3. In addition, the recommendation would have allowed the agency to destroy the information if it decided that it could have lawfully collected it, without the need to then comply with other privacy principles. The NSW Department of Justice and Attorney General commented that 'it may be preferable to give agencies the option of destroying unsolicited information as the ALRC proposed'.[33]

7.35      The ABA submitted that a proportionate and workable approach to the application of this principle would be to require that the obligation to destroy or de-identify personal information applies only to solicited information received from third parties.[34] Privacy NSW suggested that sometimes it is appropriate to return unsolicited personal information to the sender rather than destroying it.[35]

7.36      The OIC also recommended including an example after APP 4(4) which demonstrates when it would be unlawful to destroy the personal information, and which includes a reference to the recordkeeping obligations of agencies.

7.37      Privacy Law Consulting raised two matters. First, it is not clear if the entity is permitted to use or disclose the information for any purpose prior to destroying or de-identifying it. Secondly, while the intention appears to be that unsolicited information contained in a 'Commonwealth record' can be destroyed under APP 4(4) provided destruction is in accordance with the Archives Act, the interrelationship of APP 4 with section 24 of the Archives Act 1983 should be clarified.[36]

Clarifying the relationship between collection and receiving

7.38      The OPC also suggested that a note or explanatory guidance should be provided to clarify that, in the context of APP 4(4), a technical 'collection' will not be a breach of APP 3 (such as unnecessary collection), if the 'collected' information was:

Conclusion

7.39      The committee has considered submitters' comments in relation to the structure of APP 4. While it would appear that it may be beneficial to include the collection of unsolicited information in the 'collection' principle, APP 3, the committee is persuaded by the department's argument that a separate principle clarifies the Government's policy intent that unsolicited information should be provided with the same privacy protections as solicited information.

7.40      In relation to the compliance burden imposed by APP 4, the committee considers that there may be instances where entities experience an increased compliance burden. However, the committee is mindful of the advice provided by the department that the 'reasonable period' aspect of the principle (in relation to determining if the information could have been collected under APP 3) and the 'soon as practicable' requirement (for destruction or de-identification) will address compliance concerns. The committee also believes that these elements will provide sufficient flexibility to allow entities to meet the obligations under this principle.

7.41      The committee notes the NSW Department of Justice and Attorney General's comments in relation to the ALRC's recommendation that would allow an agency, if it did not wish to retain unsolicited information, to destroy it without having to decide whether it could have been collected under APP 3. In addition, the recommendation would have allowed the agency to destroy the information if it decided that it could have lawfully collected it, without the need to then comply with other privacy principles. The committee considers that such a provision may address compliance burden concerns; however, Commonwealth agencies, for example, must comply with the requirements of the Archives Act 1983 in relation to the destruction of records. The committee considers that there may be merit in including such a provision, but the interaction with other legislation would need to be considered.

7.42      The committee notes, with regard to the interrelationship of APP 4 with the Archives Act, that the Government response to the ALRC's recommendations stated that guidance from the OPC 'would also clarify that the proposed principle does not affect the operation of the Archives Act 1983 in relation to agencies'.[38]

7.43      There were a number of concerns raised in submissions about the term 'no longer personal information' and the committee considers that this term requires further clarification to ensure the aims of the principle are achieved.

Recommendation 9

7.44      The committee recommends that the term 'no longer personal information' contained in APP 4(4)(b) be clarified.
