Chapter 8
Australian Privacy Principle 5 – notification of the collection of personal information
Introduction
8.1
Australian Privacy Principle 5 (APP 5) stipulates that entities are
obliged to notify an individual of certain matters at the time that the
individual's personal information is being collected. In particular, an entity
is required to ensure that the individual is aware of how and why the
information will be collected and how the entity will manage the personal
information.[1]
Background
8.2
The Privacy Act 1988 does not contain an express obligation
regarding notification. Rather, the relevant privacy principles which relate to
the collection of personal information provide that agencies and organisations
are required, in particular circumstances, 'to ensure that an individual whose
personal information has been, or is to be, collected, is aware of a number of
specific matters'. Provisions along these lines are contained in both the
Information Privacy Principles (IPPs) in relation to entities and the National
Privacy Principles (NPPs) in relation to organisations.[2]
8.3
Where information is collected directly from the individual, IPP 2
and NPP 1.3 both list the matters which an individual should be made aware
of before, or as soon as practicable after, their personal information is
collected, or in the case of organisations under NPP 1.3, at the time of
collection. NPP 1.5 also provides that in cases where information about an
individual is collected from a third party, the individual must be made aware
of the matters listed in NPP 1.3, 'except to the extent that making the
individual aware of the matters would pose a serious threat to the life or
health of any individual'.
8.4
The ALRC's consideration of notification included:
- whether requirements relating to notification should be set out in a separate principle;
- the nature and timing of the obligation to notify;
- the circumstances in which an obligation to notify might arise; and
- which matters an individual should be notified of when personal information is collected.[3]
8.5
The ALRC noted that there were examples in other jurisdictions of both a
separate notification principle and notification requirements within the
privacy principle regarding collection. The ALRC came to the view that
requirements relating to notification of individuals should be provided in a
discrete principle, as it plays an important role in the information cycle,
promotes transparency and 'is essential in informing individuals about the
treatment of their personal information, and their rights in this regard'.[4]
Obligation to notify
8.6
In respect of the obligation to notify, the ALRC noted that 'notification
is one way of ensuring awareness.' The ALRC commented that while agencies and organisations
should be required to notify or ensure that an individual is aware of specific
matters regarding the handling of their personal information, it would be
prescriptive to insist on notification in all cases. Indeed, insisting on
notification could increase the compliance cost and burden for agencies and
organisations, as well as possibly overloading individuals with information.
Consequently, the ALRC formed the view that agencies and organisations could
ensure that an individual is aware of required matters by drawing the
individual's attention to specific parts of the privacy policy or other
relevant documents. The ALRC suggested that guidance on the circumstances under
which this would be acceptable should be issued by the Office of the Privacy
Commissioner (OPC).[5]
8.7
The ALRC noted that ideally, obligations to notify should be complied
with before, or at the time of collection of personal information, allowing the
individual adequate opportunity to make an informed choice about disclosing
their personal information. However, the ALRC recognised that it would be
unreasonable to insist on compliance with this obligation in all circumstances
and stated that the principle needs to be flexible enough to adapt to these
circumstances. However, the ALRC noted that the agency or organisation 'will
need to demonstrate the basis upon which impracticability is asserted, if the
issue arises'.[6]
8.8
Agencies and organisations currently need to ensure individuals are
aware of certain matters when information is collected directly from the
individual; in addition, organisations are required to notify individuals if the
information is collected from a third party. The ALRC considered that all
agencies and organisations should be required to notify individuals of
particular matters pertaining to the collection of their personal information,
regardless of whether the information is collected directly from the individual
or from a third party.[7]
Reasonable steps
8.9
Under the current provisions, organisations must take 'reasonable
steps', and agencies are required to 'take such steps (if any) as are, in the
circumstances, reasonable' to ensure that an individual from whom personal
information is being collected, is aware of certain matters.[8]
The ALRC considered both terms and formed the view that there may be
circumstances in which it is reasonable for an agency or organisation to take
no steps to notify or otherwise ensure an individual is aware of particular
matters. The ALRC considered that this should be expressly provided for in the
legislation, and that the OPC should issue guidelines addressing the
circumstances in which it would be reasonable not to take any steps to notify
individuals about the collection of their personal information.[9]
8.10
The ALRC further noted that providing the qualification that an agency
or organisation only needs to take such steps, if any, as are reasonable in the
circumstances ensures that the principles remain sufficiently high-level, so
that they can be widely applied without having to incorporate any specific
exceptions into the legislation itself.[10]
Matters for notification
8.11
The ALRC considered a series of matters which agencies and organisations
might notify an individual of. The NPPs and IPPs both list various matters
about which individuals must be made aware. However, while some of the matters
share common ground, they are not consistent.[11]
8.12
The ALRC noted that notification is particularly important in light of
existing and developing technology, as an individual may not always be aware
that their personal information has been collected. The ALRC clarified that
this obligation should not be imposed on agencies and organisations in
circumstances in which it is clear that the individual is aware that their
information has been collected – particularly in circumstances in which the
individual provided the information themselves. The ALRC further noted that
this requirement would be subject to the 'reasonable steps' test.[12]
8.13
The ALRC formed the view that both agencies and organisations should be
obliged to notify individuals from whom they are collecting information of the
following details:
- the collecting entity's identity;
- functional contact details for the collecting entity;
- the purpose for which the information is collected;
- the individual's right of access to, and correction of, the personal information that they provide; and
- the main consequences of not providing the requested personal information.[13]
8.14
In addition, the ALRC noted that NPP 1.3 currently only requires
organisations to ensure an individual is aware of other organisations that it
usually discloses such information to; however, the OPC guidelines indicate
that this should be interpreted broadly. Given the current obligations and the
OPC guidelines, the ALRC formed the view that:
Agencies and organisations should be required to notify, or
otherwise ensure that individuals are aware of the actual or types of agencies,
organisations, or entities to which, or other persons to whom, agencies and
organisations usually disclose personal information of the kind collected.[14]
8.15
The ALRC also stated that the level of specificity provided to comply
with this requirement would depend on the circumstances and should be the
subject of guidance from the OPC.[15]
8.16
While it is not currently required to inform individuals of available
avenues of complaint, the ALRC noted that the OPC had called for such a
provision in its 2005 review, Getting in on the Act: The Review of the
Private Sector Provisions of the Privacy Act 1988. However, the ALRC did not
support such an approach as this information should already be provided in the privacy
policy. Drawing the individual's attention to the fact that such avenues exist,
and are set out in the privacy policy, should suffice.[16]
8.17
The ALRC considered that the obligations currently in place under the
NPPs and IPPs regarding notification that collection of information is
authorised or required under law are similar but not identical, as are the
guidelines issued on each by the OPC. It was noted that IPP 2 appears less onerous
than the obligation under the NPPs as it only requires an individual to be made
aware of 'the fact' that the collection of information is authorised or
required by or under law. However, the guidance provided on IPP 2 by the
OPC takes a stricter approach, requiring an 'IPP 2 notice' to contain
reference to the particular provisions of legislation which require or
authorise the collection of information, whereas the guidance provided on the
NPPs is more lenient.[17]
8.18
Noting that such an obligation is particularly important with regard to
the agencies which have coercive information-gathering powers, the ALRC
suggested that the current IPP obligation provided the most appropriate form of
words for this requirement, and should be extended to apply to organisations as
well. Consequently, the ALRC concluded that agencies and organisations 'should
be required, where applicable, to notify, or otherwise ensure that an
individual is aware of, the fact that the collection is required or authorised
by or under law.' This of course was to be complemented by guidance developed
by the OPC.[18]
8.19
The ALRC also recommended that, to facilitate compliance, the OPC should develop
and publish guidance on matters including when it would be reasonable to take
no steps and the appropriate level of specificity when notifying individuals about
anticipated disclosures.
Government response
8.20
In its response, the Government agreed that requirements relating to
notification should be set out in a separate privacy principle. The Government
further agreed that provision should be made in the principle for circumstances
in which it would be reasonable for an entity not to take any steps to notify
an individual about certain matters pertaining to the collection of their
personal information, and that the OPC would be encouraged to provide guidance
on such circumstances.[19]
8.21
The Government response indicated that it would make amendments to the
ALRC's recommendation on the matters to be notified. It was noted that
information on the fact and circumstances of the collection of an individual's
personal information would only need to be provided in circumstances in which
an individual was not aware that their personal information had been collected.
Consequently, the Government suggested that the intent of this requirement
might be better expressed in a different form.[20]
8.22
In addition, the Government indicated that agencies and organisations
should identify the particular law under which the collection of the personal
information is authorised, rather than simply the fact that the information is
required by law. However, the response explained that it was expected that the
particular provision under which the collection of information is required or
authorised would not need to be identified.[21]
8.23
Community concern regarding the flow of personal information overseas
was noted, and, in light of this, the Government stated that agencies and
organisations should also be required to notify individuals whether their
personal information is likely to be transferred overseas, and where it might
be transferred to. However, the response recognised that an agency or
organisation may not know at the time of collection whether the information
would be transferred overseas, or the particular jurisdiction to which the
information might be transferred, therefore, this requirement would be subject
to the 'reasonable steps' test.[22]
Issues
8.24
The matters raised in relation to APP 5 went principally to the
need for clarity, the interpretation of the reasonableness test and matters to
be notified.
Structure and terminology
8.25
Submitters commented on the structure and complexity of the principle.
APP 5 was supported by Privacy NSW, but it was suggested that the
principle be simplified as follows:
When an entity collects personal information it must notify
the individual about the following matters, unless it is reasonably unable to
do so [suggest that there be a reference to guidance by the Privacy Commissioner
on these matters]:...[23]
8.26
The OPC also suggested that APP 5 be simplified and shortened, with
APP 5(1) becoming a single provision, the removal of repeated phrases, and
incorporating APP 5(2) into APP 5(1). The OPC noted that this type of
simplified structure would more closely reflect the structure of the existing NPP 1.3
and IPP 2.[24]
8.27
Professor Greenleaf and Mr Waters noted that there was some
inconsistency in the terminology used in the exposure draft, as APPs 1, 5, and
8 use the term 'overseas', while elsewhere the phrase 'outside Australia' is
used.[25]
Professor Greenleaf and Mr Waters also commented on the definition of the term
'collects', arguing that there is currently a risk that collection
methods which do not involve a third party may be excluded from the
requirements under APP 5. Consequently, Professor Greenleaf and Mr Waters
suggested that:
...the definition of 'collects', should expressly include
collection by observation, surveillance or internal generation in the course of
transactions, to ensure that the notification principle is not read as applying
only to collection resulting from 'requests'.[26]
8.28
In response to this matter, the Department of the Prime Minister and
Cabinet (the department) commented that the ALRC found that it was unnecessary
to amend the Privacy Act to refer to specific methods of collection because it
was clear that personal information could be collected through lawful and fair
means (as required by NPP 1) by surveillance, and from publicly available
sources, such as books. In addition, the department stated the ALRC noted that
OPC guidance on the requirement for 'fair and lawful' collection recognised
that there will be some circumstances, for example, investigation of fraud or
other unlawful activity, where covert collection of personal information by
surveillance or other means would be fair. The department concluded:
As the new draft does not alter the existing position that
the means of collection of personal information must be 'lawful and fair' (see
APP 3(4)), APP 3 or APP 5 do not expressly refer to 'observation,
surveillance or internal generation'.
8.29
The Law Institute of Victoria (LIV) suggested that, in order to maintain
consistency with earlier provisions in the legislation, the term 'collects' in
APP 5(1) be replaced with 'receives', thereby also ensuring that both
solicited and unsolicited information are covered by APP 5.[27]
8.30
The department commented on the LIV's suggestion and noted that the use
of the term 'collects' is necessary in APP 5 to ensure consistency with
the operation of, and terminology used in, APP 3 (collecting solicited
information) and APP 4 (receiving unsolicited information). Pursuant to
the provisions of APP 4, an entity upon receiving unsolicited personal
information is to determine whether the entity could have collected the
information under APP 3 if the entity had solicited the information. If
the answer to that is yes, APP 5 immediately applies as if the information
had been 'collected' as solicited information and the notification requirements
under APP 5 must be complied with. If the entity could not have collected
the personal information, the entity must destroy or de-identify the
information, as soon as practicable but only if it is lawful and reasonable to
do so (APP 4(4)). There is no notification requirement in this instance because
the personal information is not being retained for any purpose relating to the
identification of the individual.[28]
8.31
The Law Council of Australia (LCA) expressed concern that as currently
drafted the requirements relating to collection in APPs 4, 5 and 6 'do not,
expressly permit the sale of a medical business as a going concern.' The LCA
suggested that the legislation should:
...specifically allow the collection of sensitive information
in circumstances where an entity is buying a medical business as a going
concern. Principle 10 in the Health Records Act 2001 (Vic) and
Principle 11 of the Health Records (Privacy and Access) Act 1997 (ACT)
provide useful examples of how this issue might be addressed.[29]
Conclusion
8.32
In chapter 3, the committee made general comments on the structure of
the APPs. The committee considers that further consideration should be given to
the structure of APP 5 in light of those comments.
Possible impact of notification of collection
8.33
While Microsoft welcomed the flexibility introduced into APP 5(1)
with the inclusion of the test of reasonableness, other submitters voiced
concern about the lack of flexibility in relation to the consideration of the
impact on individuals.[30]
8.34
Various submitters raised concerns about the possible implications of
notifying individuals of the collection of information, noting that this
may result in the disclosure of information which may impact on the health,
safety or privacy of other individuals. The Australian Bankers' Association
(ABA) suggested that APP 5(2)(b) should make provision to ensure that
notification does not have an unreasonable impact on other individuals. The
Office of the Guardian for Children and Young People (GCYP) requested guidance
on the term 'reasonable in the circumstances', arguing that notifying
individuals of the collection or disclosure of information may pose a risk to
health and safety in some circumstances. Consequently, the GCYP noted 'a risk
assessment is required to determine if notification or the seeking of consent
is safe, reasonable and appropriate'.[31]
8.35
In its submission, the GCYP suggested a series of considerations to be
taken into account before seeking consent or notifying individuals of the
collection or disclosure of personal information, designed to ascertain whether
notification of, or seeking of consent for, the collection or disclosure of
information is likely to cause harm to the individual, the public, or others.[32]
8.36
Abacus Australian Mutuals raised similar concerns, and noted that
APP 5 does not contain the exceptions provided under NPP 1.5, which
provides that individuals must be notified of collection of personal information,
except where notification would pose a serious risk to the life or health of an
individual. Abacus Australian Mutuals explained that its members have used
these exemptions in the past, and argued that the exemptions should continue
under future legislation.[33]
8.37
Abacus Australian Mutuals also expressed concerns that APP 5 could
be inconsistent with the Anti-Money Laundering and Counter Terrorism
Financing Act 2006 (AML/CTF Act) tipping off obligations. Abacus Australian
Mutuals explained that 'section 123 of the AML/CTF Act requires that an institution
must not disclose to any non-AUSTRAC person that a suspect matter report
(SUSMR) has been lodged (or that a suspicion has been formed that a SUSMR needs
to be lodged).' To ensure clarity, it recommended that APP 5 be amended to
explicitly state that any requirements to notify individuals of collection of
personal information will be overridden if a tipping off issue exists.[34]
8.38
The Office of the Information Commissioner, Queensland (OIC), noted that
the obligation to notify individuals of information provided by a third party
under APP 5 raises practical issues. In terms of privacy, the OIC argued
that it is not always practical or desirable to disclose information received
from a third party; for example, in a confidential complaints process, the person
being complained about would have to be notified, thereby compromising the
confidentiality of the process. In addition, information is often quite
routinely and legitimately passed between entities in the performance of their
functions; for example, the Queensland Police Service will access the data held
by the Queensland Department of Transport when dealing with traffic
infringements. The OIC explained that in order to avoid these practical difficulties,
Queensland's privacy legislation only obliges an entity to notify individuals
of collection of information if the information is collected directly from the
individual.[35]
8.39
Despite its concerns, the GCYP agreed that seeking informed consent for
the collection or disclosure of personal information, and providing advice
about the purpose of the collection of personal information, and to whom the
information may be disclosed, at the time of the collection, is preferred and
recommended where it is safe to do so.[36]
Conclusion
8.40
The committee notes that the ALRC review concluded that there are
certain circumstances in which it would be reasonable for an agency or
organisation not to notify an individual of particular matters pertaining to
the collection of their personal information. The Government response agreed
with this conclusion. Consequently, the exposure draft of APP 5 provides
that any obligation to notify is subject to the 'reasonable steps' test, which
provides that 'the entity must take such steps (if any) as are reasonable in
the circumstances'.[37]
This recognises that there may be circumstances in which it would not be
reasonable to take any steps to notify an individual of particular matters
regarding the collection of their personal information.[38]
8.41
The Government further supported the ALRC's recommendation that the OPC
should issue guidelines on the circumstances in which it would be reasonable to
not take any steps to notify an individual. In its report, the ALRC provided a
list of circumstances which the guidance should address, as circumstances in
which it may be reasonable to take no steps to notify.[39]
The committee notes that the list includes provision for circumstances in
which:
- notification would pose a serious threat to the life or health of an individual;
- notification would prejudice the enforcement of laws, or the prevention, detection, investigation and prosecution of offences, breaches of a law imposing penalty or seriously improper conduct; and
- non-compliance with the principle is required or authorised under law.[40]
8.42
The committee therefore considers that the 'such steps (if any) as are
reasonable in the circumstances' provisions of APP 5, in conjunction with
guidance from the Australian Information Commissioner, provide appropriate
flexibility to the notification principle to address the concerns raised by
submitters.
Compliance and notification via privacy policy
8.43
A number of submitters noted strong support for the provision for the
notification of collection or disclosure of personal information, as an
enhancement of the current requirements.[41]
The Office of the Victorian Privacy Commissioner (Privacy Victoria) noted that
the provision of information through a notice to an individual ensures that
'individuals are aware of their rights and obligations in respect to giving up
(and later accessing) their information', and differs from the provision of
information through a privacy policy which is not as comprehensive and often
provides more general information.[42]
8.44
However, other submitters sought clarification of how they might ensure
they comply with APP 5. Submitters also discussed whether notification
obligations could be sufficiently discharged by referring individuals to a
privacy policy.
8.45
A series of submitters noted that the notification requirements under
APP 5 would create an additional compliance burden for entities,
particularly as entities often receive large amounts of unsolicited
information.[43]
The Australian Institute of Credit Management suggested that this principle
should be phased in to ameliorate the possible compliance burden and associated
costs.[44]
8.46
The Australian Hotels Association requested guidance as to whether
providing signage containing the required privacy information stipulated under
APP 5 at the entry of a venue using ID scanning technology would provide
sufficient compliance with the Act.[45]
8.47
Telstra Corporation Limited (Telstra) queried whether APP 5 would
require an entity to provide a notification every time a collection activity is
undertaken. As Telstra confirms customer details at every transaction, if new
details are provided, APP 5 could require Telstra to provide a
notification at each transaction, which would be administratively burdensome,
and could result in the customer being overwhelmed with notices. Telstra argued
that it would be more effective to provide customers with a comprehensive
privacy policy at the start of their relationship with the entity, to avoid
multiple notices. Telstra submitted that APP 5 should be amended to
clearly indicate that an entity can adequately discharge its obligations
regarding notification by taking reasonable steps to bring its privacy policy
to an individual's attention.[46]
8.48
A similar concern was raised by the Financial Services Council (FSC),
which requested clarification as to what constitutes 'reasonable steps' to
enable the entity to determine whether continuous disclosure notifications are
necessary for existing relationships once the initial disclosure is made at the
first meeting. FSC also suggested that these requirements might be sufficiently
met by referring an individual to information on the entity's website.[47]
8.49
Microsoft expressed concern that increasing requirements for entities to
provide notices to individuals does not necessarily provide a real benefit to
individuals, who:
...can be overwhelmed but not enlightened by long privacy
policies or disclosure statements, even where intended to allow informed
consent. This emphasis does not take into account the realities of the way high
volumes of personal information are collected used and disclosed in the current
and rapidly evolving IT environment let alone the continued aggregation and
sharing by third parties. It leaves individual users bearing the risk in
circumstances where they are not equipped, and as research is showing, not
willing, to bear it.[48]
8.50
Microsoft suggested an alternative approach in providing 'layered'
privacy notices, which present short bullet-point summaries of an entity's
practices, with links to the full privacy statement for those who require more
detailed information. Microsoft suggested this would reduce the compliance
obligations on entities, and the information load on individuals, while still
making more detailed information available for those who are interested.[49]
8.51
However, Privacy NSW suggested that notification of the matters under
APP 5 provided an opportunity to allow individuals to exercise express
consent for the intended use and disclosure of their personal information via
an 'opt-in' box.[50]
Conclusion
8.52
The committee notes that the ALRC recognised the issues of compliance
burden and cost for entities, and information overload of individuals. The ALRC
explained that in order to reduce compliance costs and burden, and avoid
unnecessary duplication, in some circumstances:
...it may be legitimate for an agency or organisation to
ensure that an individual is aware of specified matters by alerting the
individual to specific sections of its Privacy Policy or other general
documents containing relevant information.[51]
8.53
The ALRC recommended that the OPC issue guidance on the circumstances in
which it would be appropriate for an agency or organisation to refer an
individual to particular sections of its privacy policy or other documents to
comply with notification obligations. The Government also encouraged the
development of appropriate guidance by the OPC, but noted that the decision to
provide guidance is a matter for the Privacy Commissioner.[52]
8.54
The committee further notes that in the ALRC's list of circumstances in
which it may be reasonable to not take any steps to notify an individual, the
ALRC includes circumstances in which an entity collects personal information
from an individual 'on repeated occasions'.[53]
Notification of matters – APP 5(2)
8.55
APP 5(2) provides for the matters that an individual is to be made
aware of when personal information is collected.
Identity and contact details – APP 5(2)(a)
8.56
Professor Greenleaf and Mr Waters suggested that in order to prevent
entities from providing individuals with contact details which are no longer
current, this paragraph should specifically require the provision of the 'functional
contact details' of the entity.[54]
Collection from third parties or if individual unaware – APP 5(2)(b)
8.57
APP 5(2)(b) provides that an individual must be notified that the
entity collected, or so collects, personal information from a third party, or if
the individual is unaware that the entity has collected the personal
information. The National Australia Bank (NAB) expressed concern that as
currently drafted, APP 5(2)(b) constitutes an absolute obligation. NAB
noted that in some circumstances it may 'be unlawful, or interfere with the
lawful functions of an entity (particularly enforcement bodies)' to inform
individuals that an entity has collected their personal information, and
consequently, such notification should only be required when it is 'reasonable
and practical to do so'.[55]
8.58
The Australian Finance Conference (AFC) suggested that the two alternatives
suggested under APP 5(2)(b) should be 'cumulative rather than
alternative', and recommended that the word 'or' at the end of subparagraph (i)
should be changed to 'and'. In effect this would only require an entity to
notify the individual when information is collected from a third party without
the individual's knowledge.[56]
Required or authorised by or under Australian law – APP 5(2)(c)
8.59
A series of submitters argued that the requirement to provide the name
of the law or order of a court or tribunal which authorises or requires the
collection of the personal information is onerous, and would be costly to
comply with. Submitters noted that compliance with this requirement by the
financial services sector would be particularly impractical, as the sector is
regulated by a number of laws which either directly or indirectly require
financial institutions to collect personal information from customers. In order
to ensure that all relevant laws and court orders are appropriately identified,
entities operating in similarly complex regulatory environments may need to
obtain legal advice, incurring further costs.[57]
The ABA suggested that it should be sufficient to provide a generic statement
about the laws which authorise or require the collection of personal
information, rather than identifying each individual law.[58]
8.60
The AFC also expressed concern that regulation requiring detailed
disclosure from industry appears to be at odds with the Government's moves to
encourage industry to adopt a 'simple but comprehensive approach' to reduce the
volume of documentation which is provided to individuals to comply with disclosure
obligations.[59]
The AFC noted that APP 5(2)(c) would be tempered by the test of
reasonableness included in APP 5(1), and consequently it may not be deemed
reasonable in the circumstances to name the particular law or order which
requires or authorises collection. However, to ensure clarity the AFC
recommended the removal of the prescriptive requirement to name the relevant
law or order from APP 5(2)(c).[60]
8.61
The NAB put another view and argued that as APP 3 protects
individuals from the 'unnecessary' collection of personal information,
APP 5(2)(c) is unlikely to provide a real benefit to individuals.[61]
Further, NAB noted that the requirement under APP 5(2)(c) was not included
in the ALRC's recommendations, and suggested that the legislation should
reflect the ALRC's original recommendation, ensuring that individuals be
notified of the 'fact, where applicable, that the collection is required or
authorised by or under law'.[62]
8.62
However, Professor Greenleaf and Mr Waters presented a different view
noting their support for the requirement to specify the relevant Australian law
or court or tribunal order in the notice to an individual. They explained that
this would ensure that individuals receive the adequate level of detail in
notifications, as currently entities can get away with providing unhelpful and
generalised information to individuals.[63]
Consequences to the individual–APP 5(2)(e)
8.63
The LIV commented that while this provision requires an entity to advise
an individual of the consequences of not providing information, it is not
evident that there is any regulation of whether the said consequences of not
providing information are fair and reasonable. Further, there is no provision
requiring the entity to inform the individual of their right not to provide
identity information. The LIV recommends that such a provision be incorporated
into APP 5(2).[64]
Disclosure to third parties–APP 5(2)(f)
8.64
Professor Greenleaf and Mr Waters noted some inconsistency in
terminology in this paragraph, with the introduction of the term 'body'. They
suggested that the other two terms used in the paragraph, 'entity' and
'person', are employed elsewhere in the legislation and would appear to
adequately convey the meaning required.[65]
8.65
In comparing this provision with the NPPs and IPPs, the OPC raised
concern about the lack of specificity in this provision, noting that as
currently drafted, it could be interpreted as requiring that notice be provided
about information that the entity collects 'more generally'. Notice
which relates to the general sort of information collected by an entity would
be lengthier and not as relevant or useful to an individual, and could probably
be covered by a general privacy policy, rather than a specific notification.
Consequently, the OPC suggested that this provision should specifically refer
to the kind of information actually collected, in a similar manner to the NPPs
and IPPs.[66]
Entity's privacy policy–APP 5(2)(g) and APP 5(2)(h)
8.66
The Health Services Commissioner, Victoria, noted its support for the
requirement to notify an individual of the complaint mechanisms an entity has
in place. However, Professor Greenleaf and Mr Waters expressed concern that
these paragraphs provide 'indirect notice of actual mechanisms' by pointing
individuals to the entity's privacy policy rather than providing them with
direct information about the access, correction and complaint mechanisms in
place. They suggested that in both APP 5(2)(g) and APP 5(2)(h), all
words prior to 'how the individual may' be omitted, to ensure individuals are
provided with express and direct information about the mechanisms in place.[67]
Disclosure to overseas recipients–APP 5(2)(i) and APP 5(2)(j)
8.67
Professor Greenleaf and Mr Waters, and the Health Services Commissioner,
indicated their support for the inclusion of a specific obligation to provide
individuals with details regarding the transfer of information to overseas
recipients. However, some concern was expressed about the inclusion of the
qualification 'if it is practicable'. Professor Greenleaf and Mr Waters argued
that this qualification is subjective, and as a result, many companies may use
this as justification for not providing the information required under
APP 5(2)(j).[68]
8.68
Other submitters raised concerns with this as it was seen as onerous,
administratively burdensome and costly to comply with.[69]
Coles Supermarkets Australia Pty Ltd (Coles) explained that as it outsources a
number of services to contractors, the possibility of personal details being
disclosed overseas, and the location of the overseas recipients, can change
according to the operations and infrastructure arrangements of the service
provider engaged. The ABA further noted that, because the entity does not control
the location of the overseas recipient, the entity will be in breach of the APPs
if the overseas recipient relocates without the entity's knowledge.[70]
8.69
In addition, Privacy Law Consulting Australia and Coles argued that this
obligation could potentially force the disclosure of information about entities'
resources and operational arrangements which may be considered commercial in
confidence information.[71]
8.70
The ABA expressed some uncertainty as to whether the requirement to name
the country in which any overseas recipient may be located in APP 5 has
the same meaning as APP 1. The ABA noted concern that the requirement
under APP 5 could be read as requiring more specific information about the
disclosure of personal details which are to be, or have been collected,
significantly increasing the compliance burden on entities.[72]
8.71
While generally supportive of APP 5, Yahoo!7 expressed some
concerns about the practicality of these particular provisions given the
evolution of technology and the advent of cloud computing:[73]
We consider international data transfer and back up to be
ubiquitous in the online services industry especially when you consider cloud
computing phenomena. We are concerned that it may not be practical to require
companies to specify which countries they transfer data to in their privacy
policies and favour a simple disclosure obligation which refers to
international data transfer and back up more generally.[74]
8.72
A series of submitters commented that it is not clear how the
requirement to notify an individual of which countries an entity is likely to
disclose personal information to, will deliver any real benefit to individuals,
as it simply notifies individuals where the information is going, not how it
will be managed, or what level of privacy protection exists in that
jurisdiction. Privacy Law Consulting Australia supported this view, stating
that the provisions do not:
...require an organisation to state the name of the recipient,
the purpose for which the information is disclosed or the nature of the
activities of, or goods or services provided by, the recipient. Accordingly,
the provisions do not result in consumers being provided with a level of
information that will enable them to properly consider privacy issues
associated with the overseas disclosure.[75]
Further, both ABA and NAB noted that in their consideration APP 8
provides adequate protections in this respect.[76]
Conclusion
8.73
In relation to the matters to be notified (APP 5(2)), much of the
evidence argued that there was a lack of flexibility available to entities in
the matters to be notified. For example, the NAB commented that there is an
'absolute obligation', even when it may 'be unlawful, or interfere with the lawful
functions of an entity (particularly enforcement bodies)', to inform
individuals that an entity has collected their personal information. Other
submitters pointed to the compliance burden imposed by the requirement to
provide the name of the law which requires the collection of personal
information and the list of countries where an overseas recipient is located.
8.74
The committee notes the ALRC's view that:
Agencies and organisations should be subject to an obligation
to notify or otherwise ensure an individual's awareness of specified matters
relating to the collection of his or her personal information, regardless of
whether that information is collected directly from the individual or from
someone other than the individual.[77]
8.75
As noted previously, the ALRC listed various circumstances in which it
may be reasonable for an agency or organisation to not take any steps to notify
an individual of certain matters regarding the collection of personal
information (see paragraph 8.41). The Government accepted the ALRC's
recommendation and also noted that there may be circumstances where it may be
reasonable to take no steps to notify an individual about the collection of
personal information. In addition, the Government response specifically commented
that the 'reasonable steps' test applies to the requirements to notify
individuals if their information is likely to be transferred overseas and to
where it might be transferred:
...an agency or organisation would not need to include this
information in a collection notice if it did not reasonably know at the time of
collection whether information will be transferred overseas.
Further, it would not be reasonable to provide specific
information if the organisation or agency does not reasonably know to which
specific jurisdiction personal information may be transferred.[78]
8.76
The exposure draft of the notification principle reflects the Government
view that there should be a reasonableness test for each of the matters to be
notified. This is provided for because all of APP 5(2) is subject to the
'reasonableness' test of APP 5(1): the linkage is given by the term
'matters' in APP 5(2), which links back to APP 5(1)(a). The additional
test in APP 5(2)(j) is one of practicality concerning the notification of
the range of recipient countries.
8.77
The committee concludes that the inclusion of the reasonableness test
and that in some circumstances no steps need be taken, provides entities with
the appropriate level of flexibility in relation to the notification of
matters.
8.78
In relation to the need to notify an individual about the law under
which information was collected, the ALRC report took the less stringent view
that agencies and organisations should be required 'to notify, or otherwise
ensure that an individual is aware of, the fact that the collection is required
or authorised by or under law.' The ALRC also considered that the OPC should
develop guidelines to assist agencies and organisations to comply with the
provision.[79]
However, the Government response indicated that the Government preferred that
the principle clearly convey the expectation that the name of the relevant law
be provided as a minimum. The Government response stated that:
...agencies or organisations should identify the specific law
that requires or authorises the collection of information, though it would not
be necessary to identify a specific provision.[80]
8.79
While this provision provides a higher level of specificity, the
application of the reasonableness test will provide entities with flexibility.
8.80
In relation to the obligation to notify a person that certain matters
are contained in the entity's privacy policy, the committee notes the ALRC's
conclusion that agencies and organisations could fulfil their notification
obligations by drawing an individual's attention to specific parts of the
privacy policy or other relevant documents to ensure that an individual is
aware of required matters. The committee also observes the ALRC's suggestion
that the OPC should issue guidance on the circumstances under which this would
be acceptable.[81]
8.81
Finally, the committee notes that the Government response supports the
provision of guidance by the Australian Information Commissioner to assist
entities in complying with the notification principle.