Chapter 8

Australian Privacy Principle 5 – notification of the collection of personal information

Introduction

8.1        Australian Privacy Principle 5 (APP 5) stipulates that entities are obliged to notify an individual of certain matters at the time that the individual's personal information is being collected. In particular, an entity is required to ensure that the individual is aware of how and why the information will be collected and how the entity will manage the personal information.[1]

Background

8.2        The Privacy Act 1988 does not contain an express obligation regarding notification. Rather, the relevant privacy principles relating to the collection of personal information provide that agencies and organisations are required, in particular circumstances, 'to ensure that an individual whose personal information has been, or is to be, collected, is aware of a number of specific matters'. Provisions along these lines are contained in both the Information Privacy Principles (IPPs) in relation to entities and the National Privacy Principles (NPPs) in relation to organisations.[2]

8.3        Where information is collected directly from the individual, IPP 2 and NPP 1.3 both list the matters of which an individual should be made aware before, or as soon as practicable after, their personal information is collected or, in the case of organisations under NPP 1.3, at the time of collection. NPP 1.5 also provides that, where information about an individual is collected from a third party, the individual must be made aware of the matters listed in NPP 1.3, 'except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual'.

8.4        The ALRC's consideration of notification included:

8.5        The ALRC noted that there were examples in other jurisdictions of both a separate notification principle and notification requirements within the privacy principle regarding collection. The ALRC came to the view that requirements relating to notification of individuals should be provided in a discrete principle, as it plays an important role in the information cycle, promotes transparency and 'is essential in informing individuals about the treatment of their personal information, and their rights in this regard'.[4]

Obligation to notify

8.6        In respect of the obligation to notify, the ALRC noted that 'notification is one way of ensuring awareness.' The ALRC commented that while agencies and organisations should be required to notify or ensure that an individual is aware of specific matters regarding the handling of their personal information, it would be prescriptive to insist on notification in all cases. Indeed, insisting on notification could increase the compliance cost and burden for agencies and organisations, as well as possibly overloading individuals with information. Consequently, the ALRC formed the view that agencies and organisations could ensure that an individual is aware of required matters by drawing the individual's attention to specific parts of the privacy policy or other relevant documents. The ALRC suggested that guidance on the circumstances under which this would be acceptable should be issued by the Office of the Privacy Commissioner (OPC).[5]

8.7        The ALRC noted that, ideally, obligations to notify should be complied with before, or at the time of, collection of personal information, allowing the individual adequate opportunity to make an informed choice about disclosing their personal information. However, the ALRC recognised that it would be unreasonable to insist on compliance with this obligation in all circumstances and stated that the principle needs to be flexible enough to adapt to those circumstances. At the same time, the ALRC noted that the agency or organisation 'will need to demonstrate the basis upon which impracticability is asserted, if the issue arises'.[6]

8.8        Agencies and organisations currently need to ensure individuals are aware of certain matters when information is collected directly from the individual; in addition, organisations are required to notify individuals if the information is collected from a third party. The ALRC considered that all agencies and organisations should be required to notify individuals of particular matters pertaining to the collection of their personal information, regardless of whether the information is collected directly from the individual or from a third party.[7]

Reasonable steps

8.9        Under the current provisions, organisations must take 'reasonable steps', and agencies are required to 'take such steps (if any) as are, in the circumstances, reasonable' to ensure that an individual from whom personal information is being collected, is aware of certain matters.[8] The ALRC considered both terms and formed the view that there may be circumstances in which it is reasonable for an agency or organisation to take no steps to notify or otherwise ensure an individual is aware of particular matters. The ALRC considered that this should be expressly provided for in the legislation, and that the OPC should issue guidelines addressing the circumstances in which it would be reasonable not to take any steps to notify individuals about the collection of their personal information.[9]

8.10      The ALRC further noted that providing the qualification that an agency or organisation only needs to take such steps, if any, as are reasonable in the circumstances ensures that the principles remain sufficiently high-level, so that they can be widely applied without having to incorporate any specific exceptions into the legislation itself.[10]

Matters for notification

8.11      The ALRC considered a series of matters which agencies and organisations might notify an individual of. The NPPs and IPPs both list various matters about which individuals must be made aware. However, while some of the matters share common ground, they are not consistent.[11]

8.12      The ALRC noted that notification is particularly important in light of existing and developing technology, as an individual may not always be aware that their personal information has been collected. The ALRC clarified that this obligation should not be imposed on agencies and organisations in circumstances in which it is clear that the individual is aware that their information has been collected – particularly in circumstances in which the individual provided the information themselves. The ALRC further noted that this requirement would be subject to the 'reasonable steps' test.[12]

8.13      The ALRC formed the view that both agencies and organisations should be obliged to notify individuals from whom they are collecting information of the following details:

8.14      In addition, the ALRC noted that NPP 1.3 currently only requires organisations to ensure an individual is aware of other organisations to which they usually disclose such information; however, the OPC guidelines indicate that this should be interpreted broadly. Given the current obligations and the OPC guidelines, the ALRC formed the view that:

Agencies and organisations should be required to notify, or otherwise ensure that individuals are aware of the actual or types of agencies, organisations, or entities to which, or other persons to whom, agencies and organisations usually disclose personal information of the kind collected.[14]

8.15      The ALRC also stated that the level of specificity provided to comply with this requirement would depend on the circumstances and should be the subject of guidance from the OPC.[15]

8.16      While it is not currently required to inform individuals of available avenues of complaint, the ALRC noted that the OPC had called for such a provision in its 2005 review, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. However, the ALRC did not support such an approach as this information should already be provided in the privacy policy. Drawing the individual's attention to the fact that such avenues exist, and are set out in the privacy policy, should suffice.[16]

8.17      The ALRC considered that the obligations currently in place under the NPPs and IPPs regarding notification that collection of information is authorised or required under law, are similar but differ, as do the guidelines issued on each by the OPC. It was noted that IPP 2 appears less onerous than the obligation under the NPPs as it only requires an individual to be made aware of 'the fact' that the collection of information is authorised or required by or under law. However, the guidance provided on IPP 2 by the OPC takes a stricter approach, requiring an 'IPP 2 notice' to contain reference to the particular provisions of legislation which require or authorise the collection of information, whereas the guidance provided on the NPPs is more lenient.[17]

8.18      Noting that such an obligation is particularly important with regard to the agencies which have coercive information-gathering powers, the ALRC suggested that the current IPP obligation provided the most appropriate form of words for this requirement, and should be extended to apply to organisations as well. Consequently, the ALRC concluded that agencies and organisations 'should be required, where applicable, to notify, or otherwise ensure that an individual is aware of, the fact that the collection is required or authorised by or under law.' This of course was to be complemented by guidance developed by the OPC.[18]

8.19      The ALRC also recommended that, to facilitate compliance, the OPC should develop and publish guidance on matters including when it would be reasonable to take no steps and the appropriate level of specificity when notifying individuals about anticipated disclosures.

Government response

8.20      In its response, the Government agreed that requirements relating to notification should be set out in a separate privacy principle. The Government further agreed that provision should be made in the principle for circumstances in which it would be reasonable for an entity not to take any steps to notify an individual about certain matters pertaining to the collection of their personal information, and that the OPC would be encouraged to provide guidance on such circumstances.[19]

8.21      The Government response indicated that it would make amendments to the ALRC's recommendation on the matters to be notified. It was noted that information on the fact and circumstances of the collection of an individual's personal information would only need to be provided in circumstances in which an individual was not aware that their personal information had been collected. Consequently, the Government suggested that the intent of this requirement might be better expressed in a different form.[20]

8.22      In addition, the Government indicated that agencies and organisations should identify the particular law under which the collection of the personal information is authorised, rather than simply the fact that the information is required by law. However, the response explained that it was expected that the particular provision under which the collection of information is required or authorised would not need to be identified.[21]

8.23      Community concern regarding the flow of personal information overseas was noted and, in light of this, the Government stated that agencies and organisations should also be required to notify individuals whether their personal information is likely to be transferred overseas, and where it might be transferred to. However, the response recognised that an agency or organisation may not know at the time of collection whether the information would be transferred overseas, or the particular jurisdiction to which the information might be transferred; therefore, this requirement would be subject to the 'reasonable steps' test.[22]

Issues

8.24      The matters raised in relation to APP 5 went principally to the need for clarity, the interpretation of the reasonableness test and matters to be notified.

Structure and terminology

8.25      Submitters commented on the structure and complexity of the principle. APP 5 was supported by Privacy NSW, but it was suggested that the principle be simplified as follows:

When an entity collects personal information it must notify the individual about the following matters, unless it is reasonably unable to do so [suggest that there be a reference to guidance by the Privacy Commissioner on these matters]:...[23]

8.26      The OPC also suggested that APP 5 be simplified and shortened, with APP 5(1) becoming a single provision, the removal of repeated phrases, and incorporating APP 5(2) into APP 5(1). The OPC noted that this type of simplified structure would more closely reflect the structure of the existing NPP 1.3 and IPP 2.[24]

8.27      Professor Greenleaf and Mr Waters noted that there was some inconsistency in the terminology used in the exposure draft, as APPs 1, 5, and 8 use the term 'overseas', while elsewhere the phrase 'outside Australia' is used.[25] Professor Greenleaf and Mr Waters also commented on the definition of the term 'collects', arguing that there is currently a risk that collection methods which do not involve a third party may be excluded from the requirements under APP 5. Consequently, Professor Greenleaf and Mr Waters suggested that:

...the definition of 'collects', should expressly include collection by observation, surveillance or internal generation in the course of transactions, to ensure that the notification principle is not read as applying only to collection resulting from 'requests'.[26]

8.28      In response to this matter, the Department of the Prime Minister and Cabinet (the department) commented that the ALRC found that it was unnecessary to amend the Privacy Act to refer to specific methods of collection because it was clear that personal information could be collected through lawful and fair means (as required by NPP 1) by surveillance, and from publicly available sources, such as books. In addition, the department stated that the ALRC had noted that OPC guidance on the requirement for 'fair and lawful' collection recognised that there will be some circumstances, for example, investigation of fraud or other unlawful activity, where covert collection of personal information by surveillance or other means would be fair. The department concluded:

As the new draft does not alter the existing position that the means of collection of personal information must be 'lawful and fair' (see APP 3(4)), APP 3 or APP 5 do not expressly refer to 'observation, surveillance or internal generation'.

8.29      The Law Institute of Victoria (LIV) suggested that, in order to maintain consistency with earlier provisions in the legislation, the term 'collects' in APP 5(1) be replaced with 'receives', thereby also ensuring that both solicited and unsolicited information are covered by APP 5.[27]

8.30      The department commented on the LIV's suggestion and noted that the use of the term 'collects' is necessary in APP 5 to ensure consistency with the operation of, and terminology used in, APP 3 (collecting solicited information) and APP 4 (receiving unsolicited information). Pursuant to the provisions of APP 4, an entity upon receiving unsolicited personal information is to determine whether the entity could have collected the information under APP 3 if the entity had solicited the information. If the answer to that is yes, APP 5 immediately applies as if the information had been 'collected' as solicited information and the notification requirements under APP 5 must be complied with. If the entity could not have collected the personal information, the entity must destroy or de-identify the information, as soon as practicable but only if it is lawful and reasonable to do so (APP 4(4)). There is no notification requirement in this instance because the personal information is not being retained for any purpose relating to the identification of the individual.[28]

8.31      The Law Council of Australia (LCA) expressed concern that as currently drafted the requirements relating to collection in APPs 4, 5 and 6 'do not, expressly permit the sale of a medical business as a going concern.' The LCA suggested that the legislation should:

...specifically allow the collection of sensitive information in circumstances where an entity is buying a medical business as a going concern. Principle 10 in the Health Records Act 2001 (Vic) and Principle 11 of the Health Records (Privacy and Access) Act 1997 (ACT) provide useful examples of how this issue might be addressed.[29]

Conclusion

8.32      In chapter 3, the committee made general comments on the structure of the APPs. The committee considers that further consideration should be given to the structure of APP 5 in light of those comments.

Possible impact of notification of collection

8.33      While Microsoft welcomed the flexibility introduced into APP 5(1) with the inclusion of the test of reasonableness, other submitters voiced concern about the lack of flexibility in relation to the consideration of the impact on individuals.[30]

8.34      Various submitters raised concerns about the possible implications of notifying individuals of the collection of information, noting that this may result in the disclosure of information which may impact on the health, safety or privacy of other individuals. The Australian Bankers' Association (ABA) suggested that APP 5(2)(b) should make provision to ensure that notification does not have an unreasonable impact on other individuals. The Office of the Guardian for Children and Young People (GCYP) requested guidance on the term 'reasonable in the circumstances', arguing that notifying individuals of the collection or disclosure of information may pose a risk to health and safety in some circumstances. Consequently, the GCYP noted 'a risk assessment is required to determine if notification or the seeking of consent is safe, reasonable and appropriate'.[31]

8.35      In its submission, the GCYP suggested a series of considerations to be taken into account before seeking consent or notifying individuals of the collection or disclosure of personal information, designed to ascertain whether notification of, or seeking of consent for, the collection or disclosure of information is likely to cause harm to the individual, the public, or others.[32]

8.36      Abacus Australian Mutuals raised similar concerns, and noted that APP 5 does not contain the exceptions provided under NPP 1.5, which provides that individuals must be notified of collection of personal information, except where notification would pose a serious risk to the life or health of an individual. Abacus Australian Mutuals explained that its members have used these exemptions in the past, and argued that the exemptions should continue under future legislation.[33]

8.37      Abacus Australian Mutuals also expressed concerns that APP 5 could be inconsistent with the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (AML/CTF Act) tipping off obligations. Abacus Australian Mutuals explained that 'section 123 of the AML/CTF Act requires that an institution must not disclose to any non-AUSTRAC person that a suspect matter report (SUSMR) has been lodged (or that a suspicion has been formed that a SUSMR needs to be lodged).' To ensure clarity, it recommended that APP 5 be amended to explicitly state that any requirements to notify individuals of collection of personal information will be overridden if a tipping off issue exists.[34]

8.38      The Office of the Information Commissioner, Queensland (OIC), noted that the obligation to notify individuals of information provided by a third party under APP 5 raises practical issues. In terms of privacy, the OIC argued that it is not always practical or desirable to disclose information received from a third party; for example, in a confidential complaints process, the person being complained about would have to be notified, thereby compromising the confidentiality of the process. In addition, information is often quite routinely and legitimately passed between entities in the performance of their functions; for example, the Queensland Police Service will access the data held by the Queensland Department of Transport when dealing with traffic infringements. The OIC explained that, in order to avoid these practical difficulties, Queensland's privacy legislation only obliges an entity to notify individuals of the collection of information if the information is collected directly from the individual.[35]

8.39      Despite its concerns, the GCYP agreed that seeking informed consent for the collection or disclosure of personal information, and providing advice about the purpose of the collection of personal information, and to whom the information may be disclosed, at the time of the collection, is preferred and recommended where it is safe to do so.[36]

Conclusion

8.40      The committee notes that the ALRC review concluded that there are certain circumstances in which it would be reasonable for an agency or organisation not to notify an individual of particular matters pertaining to the collection of their personal information. The Government response agreed with this conclusion. Consequently, the exposure draft of APP 5 provides that any obligation to notify is subject to the 'reasonable steps' test, which provides that 'the entity must take such steps (if any) as are reasonable in the circumstances'.[37] This recognises that there may be circumstances in which it would not be reasonable to take any steps to notify an individual of particular matters regarding the collection of their personal information.[38]

8.41      The Government further supported the ALRC's recommendation that the OPC should issue guidelines on the circumstances in which it would be reasonable to not take any steps to notify an individual. In its report, the ALRC provided a list of circumstances which the guidance should address, as circumstances in which it may be reasonable to take no steps to notify.[39] The committee notes that the list includes provision for circumstances in which:

8.42      The committee therefore considers that the 'such steps (if any) as are reasonable in the circumstances' provisions of APP 5, in conjunction with guidance from the Australian Information Commissioner, provide appropriate flexibility to the notification principle to address the concerns raised by submitters.

Compliance and notification via privacy policy

8.43      A number of submitters noted strong support for the provision for the notification of collection or disclosure of personal information, as an enhancement of the current requirements.[41] The Office of the Victorian Privacy Commissioner (Privacy Victoria) noted that the provision of information through a notice to an individual ensures that 'individuals are aware of their rights and obligations in respect to giving up (and later accessing) their information', and differs from the provision of information through a privacy policy which is not as comprehensive and often provides more general information.[42]

8.44      However, other submitters sought clarification of how they might ensure they comply with APP 5. Submitters also discussed whether notification obligations could be sufficiently discharged by referring individuals to a privacy policy.

8.45      A series of submitters noted that the notification requirements under APP 5 would create an additional compliance burden for entities, particularly as entities often receive large amounts of unsolicited information.[43] The Australian Institute of Credit Management suggested that this principle should be phased in to ameliorate the possible compliance burden and associated costs.[44]

8.46      The Australian Hotels Association requested guidance as to whether providing signage containing the required privacy information stipulated under APP 5 at the entry of a venue using ID scanning technology would provide sufficient compliance with the Act.[45]

8.47      Telstra Corporation Limited (Telstra) queried whether APP 5 would require an entity to provide a notification every time a collection activity is undertaken. As Telstra confirms customer details at every transaction, if new details are provided, APP 5 could require Telstra to provide a notification at each transaction, which would be administratively burdensome, and could result in the customer being overwhelmed with notices. Telstra argued that it would be more effective to provide customers with a comprehensive privacy policy at the start of their relationship with the entity, to avoid multiple notices. Telstra submitted that APP 5 should be amended to clearly indicate that an entity can adequately discharge its obligations regarding notification by taking reasonable steps to bring its privacy policy to an individual's attention.[46]

8.48      A similar concern was raised by the Financial Services Council (FSC), which requested clarification as to what constitutes 'reasonable steps' to enable the entity to determine whether continuous disclosure notifications are necessary for existing relationships once the initial disclosure is made at the first meeting. The FSC also suggested that these requirements might be sufficiently met by referring an individual to information on the entity's website.[47]

8.49      Microsoft expressed concern that increasing requirements for entities to provide notices to individuals does not necessarily provide a real benefit to individuals, who:

...can be overwhelmed but not enlightened by long privacy policies or disclosure statements, even where intended to allow informed consent. This emphasis does not take into account the realities of the way high volumes of personal information are collected, used and disclosed in the current and rapidly evolving IT environment, let alone the continued aggregation and sharing by third parties. It leaves individual users bearing the risk in circumstances where they are not equipped, and as research is showing, not willing, to bear it.[48]

8.50      Microsoft suggested an alternative approach in providing 'layered' privacy notices, which present short bullet-point summaries of an entity's practices, with links to the full privacy statement for those who require more detailed information. Microsoft suggested this would reduce the compliance obligations on entities, and the information load on individuals, while still making more detailed information available for those who are interested.[49]

8.51      However, Privacy NSW suggested that notification of the matters under APP 5 provided an opportunity to allow individuals to exercise express consent for the intended use and disclosure of their personal information via an 'opt-in' box.[50]

Conclusion

8.52      The committee notes that the ALRC recognised the issues of compliance burden and cost for entities, and information overload of individuals. The ALRC explained that in order to reduce compliance costs and burden, and avoid unnecessary duplication, in some circumstances:

...it may be legitimate for an agency or organisation to ensure that an individual is aware of specified matters by alerting the individual to specific sections of its Privacy Policy or other general documents containing relevant information.[51]

8.53      The ALRC recommended that the OPC issue guidance on the circumstances in which it would be appropriate for an agency or organisation to refer an individual to particular sections of its privacy policy or other documents to comply with notification obligations. The Government also encouraged the development of appropriate guidance by the OPC, but noted that the decision to provide guidance is a matter for the Privacy Commissioner.[52]

8.54      The committee further notes that in the ALRC's list of circumstances in which it may be reasonable to not take any steps to notify an individual, the ALRC includes circumstances in which an entity collects personal information from an individual 'on repeated occasions'.[53]

Notification of matters – APP 5(2)

8.55      APP 5(2) provides for the matters that an individual is to be made aware of when personal information is collected.

Identity and contact details – APP 5(2)(a)

8.56      Professor Greenleaf and Mr Waters suggested that in order to prevent entities from providing individuals with contact details which are no longer current, this paragraph should specifically require the provision of the 'functional contact details' of the entity.[54]

Collection from third parties or if individual unaware – APP 5(2)(b)

8.57      APP 5(2)(b) provides that an individual must be notified that the entity collects, or has collected, personal information where the information is collected from a third party, or where the individual is unaware that the entity has collected the personal information. The National Australia Bank (NAB) expressed concern that, as currently drafted, APP 5(2)(b) constitutes an absolute obligation. NAB noted that in some circumstances it may 'be unlawful, or interfere with the lawful functions of an entity (particularly enforcement bodies)' to inform individuals that an entity has collected their personal information and, consequently, such notification should only be required when it is 'reasonable and practical to do so'.[55]

8.58      The Australian Finance Conference (AFC) suggested that the two alternatives suggested under APP 5(2)(b) should be 'cumulative rather than alternative', and recommended that the word 'or' at the end of subparagraph (i) should be changed to 'and'. In effect this would only require an entity to notify the individual when information is collected from a third party without the individual's knowledge.[56]

Required or authorised by or under Australian law – APP 5(2)(c)

8.59      A series of submitters argued that the requirement to provide the name of the law or order of a court or tribunal which authorises or requires the collection of the personal information is onerous, and would be costly to comply with. Submitters noted that compliance with this requirement by the financial services sector would be particularly impractical, as the sector is regulated by a number of laws which either directly or indirectly require financial institutions to collect personal information from customers. In order to ensure that all relevant laws and court orders are appropriately identified, entities operating in similarly complex regulatory environments may need to obtain legal advice, incurring further costs.[57] The ABA suggested that it should be sufficient to provide a generic statement about the laws which authorise or require the collection of personal information, rather than identifying each individual law.[58]

8.60      The AFC also expressed concern that regulation requiring detailed disclosure from industry appears to be at odds with the Government's moves to encourage industry to adopt a 'simple but comprehensive approach' to reduce the volume of documentation which is provided to individuals to comply with disclosure obligations.[59] The AFC noted that APP 5(2)(c) would be tempered by the test of reasonableness included in APP 5(1), and consequently it may not be deemed reasonable in the circumstances to name the particular law or order which requires or authorises collection. However, to ensure clarity the AFC recommended the removal of the prescriptive requirement to name the relevant law or order from APP 5(2)(c).[60]

8.61      The NAB put another view and argued that as APP 3 protects individuals from the 'unnecessary' collection of personal information, APP 5(2)(c) is unlikely to provide a real benefit to individuals.[61] Further, NAB noted that the requirement under APP 5(2)(c) was not included in the ALRC's recommendations, and suggested that the legislation should reflect the ALRC's original recommendation, ensuring that individuals be notified of the 'fact, where applicable, that the collection is required or authorised by or under law'.[62]

8.62      However, Professor Greenleaf and Mr Waters presented a different view noting their support for the requirement to specify the relevant Australian law or court or tribunal order in the notice to an individual. They explained that this would ensure that individuals receive the adequate level of detail in notifications, as currently entities can get away with providing unhelpful and generalised information to individuals.[63]

Consequences to the individual–APP 5(2)(e)

8.63      The LIV commented that while this provision requires an entity to advise an individual of the consequences of not providing information, it is not evident that there is any regulation of whether the said consequences of not providing information are fair and reasonable. Further, there is no provision requiring the entity to inform the individual of their right not to provide identity information. The LIV recommends that such a provision be incorporated into APP 5(2).[64]

Disclosure to third parties–APP 5(2)(f)

8.64      Professor Greenleaf and Mr Waters noted some inconsistency in terminology in this paragraph, with the introduction of the term 'body'. They suggested that the other two terms used in the paragraph, 'entity' and 'person', are employed elsewhere in the legislation and would appear to adequately convey the meaning required.[65]

8.65      In comparing this provision with the NPPs and IPPs, the OPC raised concern about the lack of specificity in this provision, noting that as currently drafted, it could be interpreted as requiring that notice be provided about information that the entity collects 'more generally'. Notice which relates to the general sort of information collected by an entity would be lengthier and not as relevant or useful to an individual, and could probably be covered by a general privacy policy, rather than a specific notification. Consequently, the OPC suggested that this provision should specifically refer to the kind of information actually collected, in a similar manner to the NPPs and IPPs.[66]

Entity's privacy policy–APP 5(2)(g) and APP 5(2)(h)

8.66      The Health Services Commissioner, Victoria, noted its support for the requirement to notify an individual of the complaint mechanisms an entity has in place. However, Professor Greenleaf and Mr Waters expressed concern that these paragraphs provide 'indirect notice of actual mechanisms' by pointing individuals to the entity's privacy policy rather than providing them with direct information about the access, correction and complaint mechanisms in place. They suggested that in both APP 5(2)(g) and APP 5(2)(h), all words prior to 'how the individual may' be omitted, to ensure individuals are provided with express and direct information about the mechanisms in place.[67]

Disclosure to overseas recipients–APP 5(2)(i) and APP 5(2)(j)

8.67      Professor Greenleaf and Mr Waters, and the Health Services Commissioner, indicated their support for the inclusion of a specific obligation to provide individuals with details regarding the transfer of information to overseas recipients. However, some concern was expressed about the inclusion of the qualification 'if it is practicable'. Professor Greenleaf and Mr Waters argued that this qualification is subjective, and as a result, many companies may use this as justification for not providing the information required under APP 5(2)(j).[68]

8.68      Other submitters raised concerns with this requirement, which they saw as onerous, administratively burdensome and costly to comply with.[69] Coles Supermarkets Australia Pty Ltd (Coles) explained that, as it outsources a number of services to contractors, both the possibility of personal details being disclosed overseas and the location of the overseas recipients can change according to the operations and infrastructure arrangements of the service provider engaged. The ABA further noted that, where the entity does not control the location of the overseas recipient, the entity will be in breach of the APPs if the overseas recipient relocates without the entity's knowledge.[70]

8.69      In addition, Privacy Law Consulting Australia and Coles argued that this obligation could potentially force the disclosure of information about entities' resources and operational arrangements which may be considered commercial in confidence information.[71]

8.70      The ABA expressed some uncertainty as to whether the requirement to name the country in which any overseas recipient may be located in APP 5 has the same meaning as APP 1. The ABA noted concern that the requirement under APP 5 could be read as requiring more specific information about the disclosure of personal details which are to be, or have been collected, significantly increasing the compliance burden on entities.[72]

8.71      While generally supportive of APP 5, Yahoo!7 expressed some concerns about the practicality of these particular provisions given the evolution of technology and the advent of cloud computing:[73]

We consider international data transfer and back up to be ubiquitous in the online services industry especially when you consider cloud computing phenomena. We are concerned that it may not be practical to require companies to specify which countries they transfer data to in their privacy policies and favour a simple disclosure obligation which refers to international data transfer and back up more generally.[74]

8.72      A series of submitters commented that it is not clear how the requirement to notify an individual of which countries an entity is likely to disclose personal information to, will deliver any real benefit to individuals, as it simply notifies individuals where the information is going, not how it will be managed, or what level of privacy protection exists in that jurisdiction. Privacy Law Consulting Australia supported this view, stating that the provisions do not:

...require an organisation to state the name of the recipient, the purpose for which the information is disclosed or the nature of the activities of, or goods or services provided by, the recipient. Accordingly, the provisions do not result in consumers being provided with a level of information that will enable them to properly consider privacy issues associated with the overseas disclosure.[75]

Further, both the ABA and the NAB noted that, in their view, APP 8 provides adequate protections in this respect.[76]

Conclusion

8.73      In relation to the matters to be notified (APP 5(2)), much of the evidence argued that there was a lack of flexibility available to entities in the matters to be notified. For example, the NAB commented that there is an 'absolute obligation', even when it may 'be unlawful, or interfere with the lawful functions of an entity (particularly enforcement bodies)', to inform individuals that an entity has collected their personal information. Other submitters pointed to the compliance burden imposed by the requirement to provide the name of the law which requires the collection of personal information and the list of countries where an overseas recipient is located.

8.74      The committee notes the ALRC's view that:

Agencies and organisations should be subject to an obligation to notify or otherwise ensure an individual's awareness of specified matters relating to the collection of his or her personal information, regardless of whether that information is collected directly from the individual or from someone other than the individual.[77]

8.75      As noted previously, the ALRC listed various circumstances in which it may be reasonable for an agency or organisation to not take any steps to notify an individual of certain matters regarding the collection of personal information (see paragraph 8.41). The Government accepted the ALRC's recommendation and also noted that there may be circumstances where it may be reasonable to take no steps to notify an individual about the collection of personal information. In addition, the Government response specifically commented that the 'reasonable steps' test applies to the requirements to notify individuals if their information is likely to be transferred overseas and to where it might be transferred:

...an agency or organisation would not need to include this information in a collection notice if it did not reasonably know at the time of collection whether information will be transferred overseas.

Further, it would not be reasonable to provide specific information if the organisation or agency does not reasonably know to which specific jurisdiction personal information may be transferred.[78]

8.76      The exposure draft of the notification principle reflects the Government's view that there should be a reasonableness test for each of the matters to be notified. This is achieved because all of APP 5(2) is subject to the 'reasonableness' test in APP 5(1): the term 'matters' in APP 5(2) links back to APP 5(1)(a). The additional test in APP 5(2)(j) is one of practicability, concerning the notification of the range of recipient countries.

8.77      The committee concludes that the inclusion of the reasonableness test, together with the recognition that in some circumstances no steps need be taken, provides entities with the appropriate level of flexibility in relation to the notification of matters.

8.78      In relation to the need to notify an individual about the law under which information was collected, the ALRC report took the less stringent view that agencies and organisations should be required 'to notify, or otherwise ensure that an individual is aware of, the fact that the collection is required or authorised by or under law.' The ALRC also considered that the OPC should develop guidelines to assist agencies and organisations to comply with the provision.[79] However, the Government response indicated that the Government preferred that the principle clearly convey the expectation that the name of the relevant law be provided as a minimum. The Government response stated that:

...agencies or organisations should identify the specific law that requires or authorises the collection of information, though it would not be necessary to identify a specific provision.[80]

8.79      While this provision provides a higher level of specificity, the application of the reasonableness test will provide entities with flexibility.

8.80      In relation to the obligation to notify a person that certain matters are contained in the entity's privacy policy, the committee notes the ALRC's conclusion that agencies and organisations could fulfil their notification obligations by drawing an individual's attention to specific parts of the privacy policy or other relevant documents to ensure that an individual is aware of required matters. The committee also observes the ALRC's suggestion that the OPC should issue guidance on the circumstances under which this would be acceptable.[81]

8.81      Finally, the committee notes that the Government response supports the provision of guidance by the Australian Information Commissioner to assist entities in complying with the notification principle.
