Chapter 7
Australian Privacy Principle 4 – receiving unsolicited personal information
Introduction
7.1
Australian Privacy Principle 4 (APP 4) ensures that personal
information that is received by an entity is still afforded privacy protection,
even where the entity has done nothing to solicit the information. When
unsolicited personal information is received, an entity must, as a first step,
decide whether it could have collected the information in accordance with
APP 3. If this is the case, then the other Australian Privacy Principles
apply to that personal information in the same way as if it had been solicited.
If the entity would not have been permitted to collect the personal information
under APP 3, then it must take steps to destroy the information or ensure
that it is no longer personal information; for example, de-identify the
information.[1]
Background
7.2
The ALRC noted that the Information Privacy Principles (IPPs), to some
extent, make a distinction between the obligations imposed on an agency that
solicits personal information and one that receives unsolicited personal
information. IPP 1 does not specifically refer to unsolicited information;
however, it has been said to apply to unsolicited information. NPP 1 does
not distinguish between the obligations imposed on organisations in respect of
solicited or unsolicited information although it does address separately
personal information obtained directly from the individual and from a third
party.[2]
7.3
The ALRC also noted that many agencies and organisations receive large
amounts of unsolicited personal information and commented that 'the fact that
an agency or organisation has done nothing to cause personal information to be
sent to it should not mean, however, that such information falls outside the
protection of the privacy principles'. The ALRC saw a risk to a person's
privacy arising when entities retain unsolicited information and was of the
view that if this occurred, then the entity should comply with the privacy
principles in respect of that information.[3]
7.4
When considering the implications of the requirement to comply with the
privacy principles in respect of unsolicited information, the ALRC noted that some
stakeholders had expressed concern that they would not always be able to comply
with the obligations imposed by the privacy principles in respect of certain
information; for example, the 'Notification' principle. However, the ALRC
commented that in some circumstances it will be reasonable for entities to take
no steps to notify an individual about collection.
7.5
The ALRC also considered the destruction of unsolicited personal
information and came to the conclusion that an obligation to immediately
destroy such information was impractical. Rather, an entity requires time to
consider whether it can lawfully collect the unsolicited information and
whether it wishes to retain the information. If there is an affirmative outcome
to both these matters, then the obligations that apply to the 'active'
collection of personal information should apply. If it is not the case, then
the entity should destroy the information as soon as practicable without using
or disclosing it—if it is lawful and reasonable to do so.
7.6
The ALRC concluded that this approach:
...ensures that the spectrum of personal information that an
agency or organisation may lawfully retain, use and disclose is not expanded
merely because the entity has taken no steps to collect the information. The
threshold requirement that an agency or organisation is only permitted to
collect personal information that is "necessary for one or more of its
functions or activities" also should apply to the retention of unsolicited
personal information.[4]
7.7
The ALRC also recommended that the Office of the Privacy Commissioner
(OPC) should develop and publish guidance about the meaning of 'unsolicited' in
the context of the 'Collection' principle.
Government response
7.8
The Government accepted the ALRC's recommendations in relation to
unsolicited personal information and noted that such information should be
afforded privacy protections. Unsolicited personal information that is not
necessary for an entity's functions or activities should be destroyed or
de-identified, where lawful and practicable to do so, and this should apply if
the information is received either from the individual themselves or from any
other third party. The Government also accepted the ALRC's recommendation in
relation to guidance from the OPC and noted that:
...it would be important for such guidance to explain how this
principle may apply to unsolicited personal information that is necessary for
compliance, enforcement and regulatory functions, including where confidential
"tip-offs" are received.[5]
Issues
Structure
7.9
Some submitters supported APP 4 as it was seen to clarify how an
entity should address the management of unsolicited personal information.[6]
However, a number of submitters argued that the inclusion of a separate privacy
principle dealing with unsolicited personal information was unnecessary and
added complexity to the legislation.[7]
Qantas, for example, stated that the distinction between 'solicited' and
'unsolicited' personal information has resulted in a much more verbose
principle than NPP 1 and 'the proposed new principles [APP 3 and
APP 4] are difficult to interpret and the distinction appears to be
unnecessary and artificial'.[8]
The OPC also suggested that the receipt of unsolicited personal information
should be addressed within APP 3, rather than as a separate dedicated
principle, as the general collection principle is the logical location for the provision
relating to unsolicited information.[9]
7.10
Other submitters, for example, the National Australia Bank, noted that
APP 3 already protects against the inappropriate collection of any
personal information by the overriding obligation not to collect personal
information unless it is reasonably necessary for, or directly related to, one
or more of the entity's functions or activities.[10]
Similarly, Telstra argued that APP 4 did not afford any additional
protections and was unnecessary as APP 11 requires that an entity should
destroy any personal information that is no longer required for the purposes
permitted by the APPs.[11]
7.11
The Australian Finance Conference (AFC) was of the view that APP 4
'is not necessary and potentially devalues the Government's reform objective'. The
AFC noted that APP 4 appears to reflect the intent of the ALRC
recommendation that personal information received by an entity, even if not
solicited, should still be afforded privacy protections and encourage the
entity to collect that information directly from the individual where
reasonable. However, the AFC argued that draft APP 4 'requires a
sophisticated compliance approach that is, in our view, unwarranted' and that the
ALRC's Unified Privacy Principle 2.4 would achieve the same result 'with
minimal compliance process and consequently cost'.[12]
7.12
The Office of the Information Commissioner, Queensland (OIC) recommended
that if it is determined that the unsolicited information could have been
collected under APP 3, words should be added to APP 4 that clearly require
personal information which is not destroyed or de-identified under APP 4(4)
to be managed in accordance with APPs 6 through 13.[13]
7.13
The Department of the Prime Minister and Cabinet (the department) responded
to these comments and stated that the insertion of a separate APP covering the
collection of unsolicited information is aimed at clarifying the application of
the principles explicitly in relation to unsolicited information, rather than
implicitly as currently occurs with the NPPs. It also confirms that, where an
entity could have collected the unsolicited information, it should be treated
in accordance with all the privacy principles that apply to the collection of
solicited information. As to the OPC's comments about the location of the
requirement, the department stated that 'it is an important standalone
principle of collection that should be included in a separate principle'.[14]
Compliance burden
7.14
Submitters also raised concerns that entities would face an increased compliance
burden. The Australian Bankers' Association (ABA) commented that additional
training of staff would be required 'to recognise that the receipt of certain
information may require the determination to be made as required under
APP 4', and this will be a very significant practical exercise. The ABA
concluded that there would be no clear benefit to privacy principles arising
from that additional burden.[15]
Telstra also commented on the compliance burden and stated that entities would
have to take steps to identify and distinguish between solicited and
unsolicited information. This, Telstra suggested, would shift the emphasis away
from whether the information in the entity's possession, however collected, is
necessary and relevant for its purposes.[16]
7.15
Westpac and Abacus Australian Mutuals provided an example of the practical
difficulties with this APP: if both solicited and unsolicited information are
provided during a phone call, it may be extremely difficult to extract only the
solicited information. Abacus Australian Mutuals suggested that the record of
the whole phone call may need to be destroyed if the entity is unable to
separate the non-required information from the required information. Westpac
commented that in such circumstances the entity would have to rely on the
separation activity being not 'reasonable' (APP 4(4)). Given the 'risk' of
this approach, Westpac recommended that the principle be amended to focus on
the subsequent 'use' of such information.[17]
7.16
Abacus Australian Mutuals suggested another option: that APP 4 be
re-worded so that if information can't reasonably be disposed of, steps must be
taken to ensure it is not used, thereby achieving the same result for the
customer.[18]
7.17
Yahoo!7 also pointed to a practical difficulty arising from APP 4 in
the case where personal information is provided to another entity and that
entity 'cannot secure the same consents as were provided to the original
collector but has nevertheless obtained the information in a lawful and privacy
abiding manner'.[19]
Telstra also commented on such instances and stated that an alternative
function for APP 4 would be to:
...focus on personal information that is 'passed along' from an
individual or entity to a different entity. It could ensure the pass along
entity has the authority to do so and provides the receiving entity with the
purpose for which the personal information may be used or disclosed. This would
ensure that an entity receiving information being "passed along" has
been given proper assurances by the first entity that the individual consented
to that information transfer and the purposes for which that information may be
used.[20]
7.18
The department responded to concerns about compliance and stated that to
address compliance concerns, APP 4 includes a 'reasonable period' element
within which to determine whether or not the entity could have collected the
information under APP 3 if the entity had solicited the information, and a
'soon as practicable' test (rather than a requirement to do it immediately)
relating to destruction or de-identification.[21]
7.19
The department also responded specifically to the concerns raised by
Abacus and Westpac. It noted that under the process to determine whether the
information could have been collected under APP 3, the entity would be
able to determine which information was unsolicited (for example, a recorded
phone call may involve standard questions being asked). The department went on
to comment that the solicited information obtained in these instances would, in
practice, be converted into other means such as another form, a document or on
a computer. Therefore, if the entity decided to destroy the electronic
recording of the phone discussion, it would still have the solicited
information.[22]
7.20
The department also noted that, as pointed out by Westpac, if it is not
reasonable to do so, the entity is not required to destroy or de-identify the
information (APP 4(4)).
7.21
In concluding its response to this concern, the department noted that the
ALRC recognised that there was a need to clarify the meaning of 'unsolicited'
personal information. In accepting this recommendation, the Government stated
that it encouraged the development and publication of appropriate guidance by
the OPC, noting that the decision to provide guidance is a matter for the OPC.
While it is ultimately a matter for the Australian Information Commissioner,
the department anticipates that the guidelines will address matters such as
those raised by the Abacus Australian Mutuals and Westpac.[23]
Determining if information could have been collected under APP 3
7.22
Under APP 4(1), if an entity receives unsolicited personal
information, it is required, within a reasonable period, to determine if it
could have collected the information under APP 3 if it had solicited the
information. The committee received a range of comments in relation to this
provision.
7.23
The Health Services Commissioner, Victoria, commented that APP 4
may be difficult to implement in health settings and gave the example of a
relative or other person providing unsolicited information about a client. The
Commissioner noted that it would not be easy to determine if the information
could have been collected under APP 3. The Commissioner recommended that
consideration be given to how APP 4 would apply in the health care area
and pointed to Victorian Health Privacy Principle 1.7(d) which deals with
information provided in confidence.[24]
7.24
The ABA also commented on the need to ensure that the 'reasonable period
requirement' allows entities sufficient time to meet the requirements of
APP 4(1). Organisations such as banks have large volumes of information
being provided by a wide range of sources. The ABA argued that what is
determined to be 'within a reasonable period' must take account of the dimensions
of this obligation to make the requisite determination. The ABA suggested that
clarification of the term be provided by either a legislative note or by
guidance from the OPC.[25]
7.25
The Insurance Council of Australia also noted that large amounts of personal
information, often unsolicited, are received by insurers and this would require
time to evaluate under the proposed 'lawful and reasonable test'.[26]
7.26
The Law Council of Australia (LCA) raised the concern that APPs 4
to 6 do not 'expressly permit the sale of a medical business as a going
concern'. The LCA noted that the relevant legislation in Victoria and the Australian
Capital Territory provide useful examples of how this might be addressed.[27]
Destruction/de-identification of unsolicited personal information – APP 4(4)
7.27
APP 4(4) provides that where an entity determines that it could not
have collected the unsolicited information under APP 3, it must, as soon
as practicable and if lawful and reasonable to do so, either destroy the
information or ensure that the information is no longer personal information. Comments
received in relation to this provision of APP 4 went to the need for
greater clarity of meaning of the terms used, the application of the provision
in certain cases and the destruction requirement.
7.28
The Office of the Guardian for Children and Young People commented that
the benefit of ensuring that the information is no longer personal information
is unclear and creates confusion about what constitutes 'personal information'.[28]
Abacus Australian Mutuals suggested that the words '(for example, by taking
steps to remove any reference to the individual to whom the information
relates)' should be added to the words 'no longer personal information' to
provide greater clarity.[29]
7.29
The ABA recommended clarification of the term 'could not have collected'
in APP 4(4) so that it means the collection is prohibited by law rather
than simply because it is information that the individual could not provide;
for example, the opinion given by a third party, or information that is obtained in
connection with an insurance claim where the insurer's duty of disclosure is in
issue.[30]
7.30
The OIC and Privacy Law Consulting raised concerns about the effect of
APP 4(4) in instances where personal information is provided in error to
an agency and which, as a standard practice, the receiving agency forwards to
the correct agency. It was argued by Privacy Law Consulting that APP 4 may
prohibit this practice on the basis that, as soon as an agency receives any
unsolicited personal information in this way, it is in effect generally obliged
to destroy the information. The Office of the Information Commissioner,
Queensland, suggested that to ensure that in such cases information could be
passed on to the relevant agency, a form of wording such as the following could
be added:
If the entity determines that the entity could not have
collected the personal information but is able to determine that another entity
could have collected the personal information, the first entity can, as soon as
practicable and only if it is lawful and reasonable to do so:
(a) pass the information onto the appropriate entity; and
(b) inform the individual about the passage.[31]
7.31
The department responded to these concerns and stated that correspondence
received by Ministers, members of parliament and government departments and
agencies would, in normal circumstances, be unsolicited. It is clear that the
unsolicited information could have been collected under APP 3 because
considering and responding to concerns of members of the public, and referring
them to appropriate recipients, are functions of these entities. Once an entity
has determined that the personal information could have been collected under
APP 3, it would be possible for the entity to use or disclose the information
under APP 6. Under that APP, disclosure to another Minister or government
department would be permitted where the individual has consented to the use and
disclosure. As the individual has written with queries, views or
representations on particular issues, it is within their legitimate expectation
that their correspondence will be referred to the appropriate entity within
parliament or government.
7.32
The department went on to state that the recipient entity would also be
receiving unsolicited personal information. However, it is also clear that it
could have been collected under APP 3 because considering and responding
to concerns of members of the public on the particular issues within its
responsibilities are directly related to the functions or activities of the
entity. The entity may then use the information for the purpose of responding
to the correspondence.
7.33
The department therefore concluded that the practice of agencies
forwarding incorrectly addressed correspondence will not be prohibited under
the new APPs.[32]
7.34
In relation to the destruction provision, the NSW Department of Justice
and Attorney General pointed out that the ALRC recommendation would have
allowed an agency, if it did not wish to retain unsolicited information, to
destroy it without having to decide whether it could have collected the
information under APP 3. In addition, the recommendation would have
allowed the agency to destroy the information if it decided that it could have
lawfully collected it, without the need to then comply with other privacy
principles. The NSW Department of Justice and Attorney General commented that
'it may be preferable to give agencies the option of destroying unsolicited
information as the ALRC proposed'.[33]
7.35
The ABA submitted that a proportionate and workable approach to the
application of this principle would be to require that the obligation to
destroy or de-identify personal information applies only to solicited
information received from third parties.[34]
Privacy NSW suggested that sometimes it is appropriate to return unsolicited
personal information to the sender rather than destroying it.[35]
7.36
The OIC also recommended including an example after APP 4(4) which
demonstrates when it would be unlawful to destroy the personal information, and
which includes a reference to the recordkeeping obligations of agencies.
7.37
Privacy Law Consulting raised two matters. First, it is not clear if the
entity is permitted to use or disclose the information for any purpose prior to
destroying or de-identifying it. Secondly, while the intention appears to be
that unsolicited information contained in a 'Commonwealth record' can be
destroyed under APP 4(4) provided destruction is in accordance with the
Archives Act, the interrelationship of APP 4 with section 24 of the Archives
Act 1983 should be clarified.[36]
Clarifying the relationship between collection and receiving
7.38
The OPC also suggested that a note or explanatory guidance should be
provided to clarify that, in the context of APP 4(4), a technical
'collection' will not be a breach of APP 3 (such as unnecessary
collection), if the 'collected' information was:
- unsolicited, but then
- dealt with appropriately in line with APP 4.[37]
Conclusion
7.39
The committee has considered submitters' comments in relation to the
structure of APP 4. While it would appear that it may be beneficial to
include the collection of unsolicited information in the 'collection'
principle, APP 3, the committee is persuaded by the department's argument
that a separate principle clarifies the Government's policy intent that
unsolicited information should be provided with the same privacy protections as
solicited information.
7.40
In relation to the compliance burden imposed by APP 4, the committee
considers that there may be instances where entities experience an increased compliance
burden. However, the committee is mindful of the advice provided by the
department that the 'reasonable period' aspect of the principle (in relation to
determining if the information could have been collected under APP 3) and
the 'soon as practicable' requirement (for destruction or de-identification)
will address compliance concerns. The committee also believes that these
elements will provide sufficient flexibility to allow entities to meet the
obligations under this principle.
7.41
The committee notes the NSW Department of Justice and Attorney General's
comments in relation to the ALRC's recommendation that would allow an agency,
if it did not wish to retain unsolicited information, to destroy it without
having to decide whether it could have been collected under APP 3. In
addition, the recommendation would have allowed the agency to destroy the
information if it decided that it could have lawfully collected it, without the
need to then comply with other privacy principles. The committee considers such
a provision may address compliance burden concerns; however, Commonwealth
agencies, for example, must comply with the requirements of the Archives Act
1983 in relation to the destruction of records. The committee
considers that there may be merits for including such a provision but the
interaction with other legislation would need to be considered.
7.42
The committee notes with regard to the interrelationship of APP 4
with the Archives Act, that the Government response to the ALRC's
recommendations stated that guidance from the OPC 'would also clarify that the
proposed principle does not affect the operation of the Archives Act 1983
in relation to agencies'.[38]
7.43
There were a number of concerns raised in submissions about the term 'no
longer personal information' and the committee considers that this term
requires further clarification to ensure the aims of the principle are
achieved.
Recommendation 9
7.44
The committee recommends that the term 'no longer personal information'
contained in APP 4(4)(b) be clarified.