6. The privacy principles
Updates and background for this project (Digest)
INTRODUCTION
6.1 This and the following chapter identify specific problems with the application of particular provisions of the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”) and the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”). There is, however, overlap between this and the following chapter and Chapter 5. The three chapters should, therefore, be read together. For example, problems have arisen with a number of provisions that exempt certain information from the definition of “personal information” because they have been found to be too broad and/or imprecise. While these provisions are discussed in Chapter 5 in the context of the potential extension of the scope of PPIPA and HRIPA, they could also have appropriately been dealt with in this or the following chapter. Chapter 7 includes discussion of two exemptions arising from s 24 and 25 of PPIPA. The reason the exemptions have been evaluated in that chapter, and not included in the discussion of other exemptions in Chapter 5, is that the issues arising do not relate to extending the scope of PPIPA, the focus of Chapter 5. The issues relate to the functioning of the legislation. We raise concerns that there is a dichotomy in the way s 24 of PPIPA applies and an ambiguity in the application of s 25. If anything, resolution of the problems with these sections may result in a narrowing, rather than a widening, of PPIPA’s application to personal information.
6.2 Many of the difficulties that agencies and the public experience in relation to the operation of privacy legislation arise out of the Privacy Principles. This chapter is, therefore, devoted to analysing these difficulties. Chapter 7 continues the examination of operational issues, focusing on issues relating to: s 37 and 38 of PPIPA; privacy codes of practice; public interest directions; complaints about, and review of, agency/organisation conduct; and s 24 and 25 of PPIPA, mentioned above.
6.3 PPIPA contains 12 Information Protection Principles (“IPPs”) set out in Part 2, s 819 and HRIPA contains 15 Health Privacy Principles (“HPPs”) set out in Schedule 1 to the Act. These are set out in detail in Chapter 3. The focus in submissions to the Commission has been on the IPPs and, obviously, submissions to the Attorney General’s review of PPIPA focused on the IPPs. Accordingly, this consultation paper does not raise as many issues in relation to the HPPs as it does for the IPPs. The Commission intends to consult further with the Department of Health and other relevant bodies, following release of this paper, to inquire more extensively into how the HPPs are working in practice. We also welcome submissions on this subject.
COLLECTION FOR LAWFUL PURPOSES – IPP 1; HPP 1
6.4 IPP 1 (PPIPA s 8) and HPP 1 regulate the collection of personal information “for a lawful purpose” by reasonable means (PPIPA) or as reasonably necessary (HRIPA). Privacy NSW has recommended that IPP 1 be amended to include a specific limitation on the collection of sensitive classes of personal information.1
6.5 While there is no specific definition of “sensitive information” in PPIPA, s 19 refers to categories of information that can be taken to be sensitive information. That section (IPP 12) applies restrictions to the disclosure of “personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities”. HRIPA does not refer to “sensitive information” at all.
6.6 Privacy NSW has submitted that the collection of particularly sensitive information should be more strictly regulated. It argues that, although IPP 12 regulates disclosure of such information, the best means of preventing misuse is to restrict its collection in the first place to that which is strictly necessary.2
6.7 The Department of Health disagrees with this view and is not persuaded that change is needed.3
6.8 The Unified Privacy Principles (“UPPs”) proposed by the Australian Law Reform Commission (“ALRC”)4 bring together in one UPP, namely UPP 2, the collection privacy principles. The ALRC proposes, in UPP 2.6 that, “in addition to the other requirements in UPP 2, an agency or organisation must not collect sensitive information about an individual” unless certain conditions are met.5 Generally speaking, consent to the collection from the individual is required, unless there are certain prevailing circumstances, including a serious threat to life or health.6 There is no restriction on the collection of sensitive information to that which is strictly necessary.
ISSUE 30
Should IPP 1 be amended to include a provision that a public sector agency must not collect personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, sexual activities or criminal record (defined as “sensitive information”) unless the collection is strictly necessary?
ISSUE 31
Should collection of sensitive information be allowed if necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person?
COLLECTION DIRECTLY FROM THE INDIVIDUAL – IPP 2; HPP 3
6.9 IPP 2 (PPIPA s 9) provides that personal information must be collected directly from the individual to whom it relates unless that individual authorises indirect collection, or the information is about a child under the age of 16 and provided by a parent or guardian.
6.10 The Crown Solicitor has suggested that IPP 2 is one of the most difficult of the IPPs for agencies to comply with. Examples of situations that cause difficulties include where an individual is incapable of authorising collection from another person due to the individual’s illness or mental disability or because the individual is deceased or missing. While s 26(1) exempts the agency from complying with s 9 if this “would, in the circumstances, prejudice the interest of the individual to whom the information relates”, in many cases, it is difficult for agencies to know whether, or to assume that, compliance would result in such prejudice.7
6.11 Another example is where an agency seeks professional legal or financial advice and needs to disclose personal information to the professional in order for the advice to be prepared, and, in turn, to collect personal information contained in the advice. The Crown Solicitor has submitted that an agency could effectively be precluded from seeking professional advice, even where the advice merely repeats information that has been derived from the agency, because “[i]n many contexts, it is impracticable and often impossible to obtain the individual’s authorisation for collection” from someone else.8
6.12 The Crown Solicitor has suggested that many of the problems associated with s 9 could be overcome by introducing an “unless unreasonable or impracticable” rider to the s 9 requirement.9 In addition, or alternatively, a provision could be introduced into PPIPA equivalent to s 7 of HRIPA. Section 7 of HRIPA provides that an individual is incapable of doing an act authorised, permitted or required by HRIPA if that individual is incapable, by reason of age, injury, illness or physical or mental impairment, of understanding the nature of the act or communicating his or her intentions with respect to the act.
6.13 UPP 2.3 of the UPPs proposed by the ALRC incorporates this test but as a leading phrase, rather than as a rider. UPP 2.3 states that: “If it is reasonable and practical to do so, an agency or organisation must collect personal information about an individual only from that individual.”
6.14 However, further amendment of s 9 may still be needed to ensure that agencies can obtain external professional advice. Section 12(d) of PPIPA provides that, if it is necessary for an agency to give information that it holds to a person in connection with the provision of a service to the agency (such as providing financial or legal advice), it will do everything reasonably within its power to prevent unauthorised use or disclosure of that information. The Crown Solicitor has argued that “it is difficult to see how, as a matter of statutory construction, this impliedly authorises the disclosure and subsequent collection of personal information to and from the service provider”.10
6.15 Privacy NSW is of the view that IPP 2 is too inflexible in the context of human services.11 It has submitted that IPP 2 should be amended to allow indirect collection of personal information without the individual’s authorisation where this is reasonably necessary in order to provide a service to a client. However, this should only be where indirect collection is solely for the purpose of, and necessary for, the provision of services, diagnosis, treatment or care to the client. Subsequent use and disclosure of the information should therefore be extremely limited.12
6.16 HPP 3: Unlike IPP 2, HPP 3 does not allow exceptions to the injunction to collect information directly from the individual. Even if an individual consents to third party collection, HPP 3 neither expressly nor impliedly permits this. The only exception to direct collection of information from the individual concerned is if “it is unreasonable or impracticable to do so”.
6.17 The Crown Solicitor is of the view that “the existence of consent” to collection of information would be a significant factor “to be taken into account in determining whether collection from an individual would be ‘unreasonable’”.13 It is unclear what the Crown Solicitor means by “existence of consent”. Whether or not there is consent can only be relevant where an individual refuses to provide, or withholds consent to collection of, personal information from him or herself, in which case the organisation may be able to rely on the “unreasonable or impracticable” exception to collect from a third party. An individual’s consent to collection from a third party is irrelevant. The Commission is of the view that the approach of IPP 2 is to be preferred over that of HPP 3. We propose that, if there is to be one Act covering information privacy, IPP 2 be adopted, but if two separate Acts continue to operate, HPP should be amended to allow an individual to authorise collection by an organisation from a third party. We welcome submissions on our proposal.
PROPOSAL 8
If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are merged, the provision governing collection of personal information directly from an individual should contain the two exceptions currently provided for in IPP 2 together with a third exception currently provided for in HPP 3, namely that information must be collected from the individual unless it is “unreasonable or impractical to do so”.
PROPOSAL 9
If two separate Acts continue to operate:
HPP 3 should be amended to allow an individual to authorise collection of his or her personal information by an organisation from someone else and to allow collection of information about an individual under 16 years from a parent or guardian; and
IPP 2 should be amended by introducing a further exemption, namely, that information must be collected from the individual unless it is “unreasonable or impractical to do so”.
ISSUE 32
Should the Privacy and Personal Information Protection Act 1998 (NSW) be amended by introducing a provision equivalent to s 7 of the Health Records and Information Privacy Act 2002 (NSW) that an individual is incapable of doing an act authorised, permitted or required by the Health Records and Information Privacy Act 2002 (NSW) if that individual is incapable, by reason of age, injury, illness or physical or mental impairment, of understanding the nature of the act or communicating his or her intentions with respect to the act?
FURTHER COLLECTION REQUIREMENTS – IPP 3 AND IPP 4; HPP 4
6.18 IPP 3 (PPIPA s 10) provides that before information is collected from an individual, or as soon after as is practicable, the agency must make the individual to whom the information relates aware of a number of things. These include: the fact and the purpose of the collection; the intended recipients of the information; whether collection is required by law; rights to access and correct the information; and contact details of the collecting and holding agency (or agencies).
6.19 IPP 4 (PPIPA s 11) imposes further requirements on an agency for collection of information. It requires that the information be relevant to the purpose for which it is collected, not excessive, up to date and complete and that the collection does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
6.20 Privacy NSW has argued that s 10 is ambiguous in relation to whether the agency must notify the individual of the matters referred to in s 10, if the information was collected indirectly.14 If, for example, the information was collected from a third party agency, Privacy NSW queries whether, in that case, the collecting agency must make the individual aware of these s 10 matters. Likewise, Privacy NSW has argued that s 11 does not make clear whether the requirements are equally applicable when information is collected from a third party as when it is collected directly from the individual.15
6.21 Around the time Privacy NSW issued its submission to the Attorney General’s review of PPIPA, the ADT handed down a decision on the interpretation of s 10 and 11. In HW v The Director of Public Prosecutions (No 2), the ADT held that s 10 and 11 only apply where an agency “collects personal information from an individual” to whom the information relates, not in relation to personal information from any individual.16 The ADT stated that:
[o]ne of the purposes of section 10 is to enable an individual to be fully informed of the relevant factors before deciding whether to provide the information to the agency. This would not be a relevant consideration if the information is collected from a third party, and the individual to whom the information relates is separately informed of the collection.17
6.22 The Crown Solicitor has commented that it is unclear whether Parliament intended this distinction.18 However, the Crown Solicitor argues that an expanded distinction would lead to practical difficulties (particularly where the information is collected in breach of s 9), such as where an agency was permitted under an exemption to s 9 to collect personal information from someone other than the individual. It has submitted that the status quo should be maintained.19
6.23 The Commission is not convinced that an individual should not have the opportunity of knowing: the fact that personal information about him or her has been collected from a third party; the purpose of the collection; the intended recipients of the information; whether collection is required by law; his or her rights to access and correct the information; and contact details of the collecting and holding agency (or agencies). We also question why an individual should not be protected by the requirements in s 11 just because the information has been collected from someone other than him or herself. This position is strengthened by the fact that the obligations imposed are not onerous. Each section carries the proviso that the agency need only “take such steps as are reasonable in the circumstances” to comply.
6.24 UPP 3.2 of the ALRC’s proposed UPPs states that where collection is indirect, the agency or organisation must take reasonable steps to ensure that the individual is, or has been made aware of, the same matters as would have been conveyed if collection had been direct, as well as the source of the information, if requested by the individual.
6.25 HPP 4 takes a different, and clear, approach to making an individual aware of matters equivalent to the s 10 matters. It uses unequivocal wording in cl 4(1) that the subclause applies where an organisation “collects health information about an individual from the individual”. Then, cl 4(2) applies to situations where “an organisation collects health information about an individual from someone else”. It provides that the organisation must make the individual generally aware of the matters listed in subclause (1), except to the extent that this would pose a serious threat to the life or health of any individual; or the collection is exempted from compliance with subclause (2) by guidelines issued by the Privacy Commissioner.
PROPOSAL 10
IPPs 3 and 4 should be amended to stipulate that the requirements imposed by those sections apply whether the information is collected directly from the individual to whom the information relates or indirectly from someone else.
ISSUE 33
Should IPP 3 be amended to adopt the wording of HPP 4 or UPP 3.2, or some combination of the two?
APPLICATION OF IPPs TO RECORDS OF OBSERVATIONS OR CONVERSATIONS
6.26 A further issue with IPPs 3 and 4 raised by the Crown Solicitor relates to their application to records of observations or conversations. The Crown Solicitor has also pointed out a difficulty with IPP 9 (PPIPA s 16) in cases where the personal information has come from observations of, or conversations with, an individual and conclusions are drawn or opinions expressed based on those observations or conversations.20
6.27 Vice-Chancellor, Macquarie University v FM has established that personal information in the minds of employees is not “personal information held by” the agency.21 Based on this authority, the Crown Solicitor has argued that the point at which information derived from observations or conversations is collected can only be the point at which it is recorded (such as in a file note). The Crown Solicitor is of the view that “[t]his arguably requires agencies to then comply with the notification requirements in s 10 and 11”, but that “[t]his issue warrants clarification”.22
6.28 With respect to IPP 9, there have been cases in the ADT where applicants have expected agencies to verify the accuracy of opinions or conclusions with them, which, the Crown Solicitor has argued, “effectively makes the external review provisions of PPIPA a quasi-defamation proceeding”.23 The Crown Solicitor has commented that the proviso in s 16 (also present in HPP 9) that the agency need only take “such steps as are reasonable in the circumstances” may act as a sufficient safeguard. Nonetheless, the Crown Solicitor has submitted that, as with s 10 and 11, the application of s 16 to personal information that has come from observations of, or conversations with, an individual would benefit from clarification.24
PROPOSAL 11
IPPs 3 and 4 should be amended to clarify that the word “collects” means, in relation to information derived from observations of, or conversations with, an individual, the point at which information is recorded.
ISSUE 34
Should IPP 9 and HPP 9 apply to personal information that consists of conclusions drawn, or opinions expressed, based on observations of, or conversations with, an individual, providing a record is made of those conclusions or opinions? If so, do these provisions require amendment to clarify this?
RETENTION AND SECURITY OF INFORMATION – IPP 5; HPP 5
6.29 IPP 5 (PPIPA s 12) and HPP 5 require an agency/organisation to ensure that information is: held for no longer than necessary; disposed of securely; and protected against loss and unauthorised access, use, modification or disclosure. In addition, if it is necessary to give the information to a service provider, the agency/organisation must do everything reasonably within its power to prevent unauthorised use or disclosure.
6.30 Privacy NSW has made the point that missing from the requirements imposed by IPP 5 and HPP 5 is the requirement for secure collection of information.25 This is particularly relevant in the electronic age when information is frequently collected by email and from the internet. There are no obligations imposed by IPP 5 and HPP 5 for an agency to provide a secure website or email address and to limit access to these collection points by others. While the question of secure disposal of hard drives (on which material is retained even if the user deletes the file) and access to back-up tapes is relevant to storage of information, it is also relevant to providing secure collection.
ACCESS TO, AND ALTERATION OF, INFORMATION – IPP 7 AND IPP 8; HPP 8
6.31 IPP 7 (PPIPA s 14) gives an individual a right to access his or her personal information, and IPP 8 (PPIPA s 15) and HPP 9 give the individual a right to request amendments to ensure that the information is accurate, relevant to the purpose of collection, up to date, complete and not misleading.
6.32 Privacy NSW has submitted, in relation to PPIPA, that the usefulness of s 14 and 15 is diminished by s 20(5) due to a “lack of clarity about the breadth of [their] application”.26 The lack of clarity lies with s 20(5) of PPIPA rather than with s 14 and 15 themselves. Section 20(5) of PPIPA and s 22(3) of HRIPA are equivalent provisions. To make for easier reading, the following discussion focuses on s 20(5) of PPIPA but the comments apply equally to s 22(3) of HRIPA, as does Privacy NSW’s criticism of the interaction between s 20(5) and s 14 and 15. Section 22(3) of HRIPA applies to HPPs 6, 7 and 8, which correspond to IPPs 6, 7 and 8 (s 13, 14 and 15 of PPIPA).
6.33 Section 20(5) provides that the provisions of the Freedom of Information Act 1989 (NSW) (“FOI Act”) that impose conditions or limitations on any matter referred to in IPPs 6, 7 or 8 are not affected by PPIPA and the FOI Act provisions continue to apply as if part of PPIPA. The difficulty with s 20(5) is the uncertainty, and lack of guidance, as to what are “conditions” or “limitations” in the FOI Act.27
6.34 Privacy NSW has argued that it is uncertain exactly how “the access and correction provisions of the FOI Act relate to or are imported into” PPIPA.28 It queries, as examples of this uncertainty, whether s 20(5) has the effect of importing into PPIPA from the FOI Act: the requirement to lodge a request in writing, or to pay prescribed fees; the Schedule 1 list of exempt documents; the Schedule 2 list of exempt bodies; or the consultation requirements in Part 3.29 Privacy NSW concludes that the benefits of the less formal approach to request access to, or amendment of, one’s own personal information in IPPs 7 and 8 are lost “if the request must in effect become an FOI application”.30
6.35 Privacy NSW has further pointed out that the FOI Act only applies to “documents” and it is unclear how this affects, by reason of s 20(5), the much broader definition of “information” under PPIPA.31 The operation of IPP 8 in particular is made unclear by the application of s 20(5) because the FOI Act does not provide for the deletion of “information”. How does this affect the requirement in IPP 8 to delete personal information where appropriate?
PROPOSAL 13
The meaning and effect of s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 22(3) of the Health Records and Information Privacy Act 2002 (NSW), and their application to the IPPs and HPPs respectively, should be clarified.
6.36 A further issue arises specifically in relation to s 15 of PPIPA because of an apparent inconsistency between sub-sections (1) and (2).32 Section 15(1) provides that an agency must amend personal information if requested, whereas s 15(2) provides that, if the agency is not prepared to make the amendments as requested then certain steps follow. The ADT has been reluctant to read down s 15(1) so as to hold that the only amendments that can be made under that sub-section are notations made in accordance with s 15(2).33
6.37 Both the Crown Solicitor and the Ombudsman make the point that although s 15(1) provides that an agency “must” make appropriate amendments, s 15(2) suggests that the agency may choose not to make the requested amendments.34 Possibly, the use of the word “ensure” in s 15(1) (the agency must amend information “to ensure” its accuracy etc) means that an agency is only under an obligation to make amendments if it can “ensure” the matters set out in s 15(1)(a) and (b). However, if this is the correct interpretation, PPIPA provides no guidance on the level of proof required to meet the “ensure” requirement.
6.38 The Ombudsman has suggested that the effect of the section is that it requires a threshold test: first, the agency must determine whether or not the personal information is accurate, relevant, up-to-date, complete and not misleading; if not, the information must be amended. Section 15(2) should then only relate to the situation where the information is accurate, relevant, up-to-date, complete and not misleading but the individual still asks for an amendment.
6.39 Two ways of clarifying the operation of s 15 have been suggested. First, “must” in s 15(1) can be construed as “may”. The Commission does not favour this approach as the statutory construction is clear. Further, it is proper that an individual have the right to correct his or her personal information. Why should inaccurate, irrelevant, out-of-date, incomplete or misleading information be allowed to remain in the agency’s possession and control? Alternatively, s 15(2) could be amended to provide: “if a public sector agency is not required to amend personal information under s 15(1)(a) and believes on reasonable grounds that it has complied with s 15(1)(b), the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such manner as is capable of being read with the information, any statement provided by that individual of the amendment sought”.
THE DICHOTOMY BETWEEN “USE” AND “DISCLOSURE” – IPPs 9, 10, 11 AND 12; HPPs 9, 10, 11 AND 12
6.40 IPP 9 (PPIPA s 16) and HPP 9 require an agency/organisation to take reasonable steps to check that information is relevant, accurate, up to date, complete and not misleading before it uses the information. IPP 10 (PPIPA s 17) and HPP 10 limit an agency’s use of personal information, but not disclosure. Limits on disclosure are separately dealt with in IPPs 11 and 12 (PPIPA s 18 and 19), the latter focusing on disclosure of sensitive information, and in HPP 11.
6.41 Although HRIPA separates “use “ and “disclosure” in HPP 10 and HPP 11, the grounds in HPP 10 for allowing “use” are repeated in HPP for allowing “disclosure”. The only difference between the two provisions is that HPP 11 adds a further exception in HPP 11(g) of “compassionate reasons”.
6.42 Privacy NSW points out that this dichotomy between “use” and “disclosure” is largely a peculiarity of Australasian privacy legislation and that in other jurisdictions use and disclosure are dealt with together, often under a generic expression like “processing”.35 It is interesting to note that the original OECD Guidelines covered both concepts within the one “Use Limitation” principle, which applied to information “disclosed, made available or otherwise used”.36 Privacy NSW also explains that separating the concepts of “use” and “disclosure” has its historical roots in the original privacy principles in the Commonwealth Privacy Act. However, history has overtaken this legislative approach. The distinction has been removed in more recently drafted privacy laws such as the National Privacy Principles for the private sector inserted into the Privacy Act 1988 (Cth) in 2000.37 The UPPs proposed by the ALRC, although not adopting a single word to encompass use and disclosure, deal with “use and disclosure” together in one UPP, namely UPP 5.
6.43 Any argument that rules of statutory interpretation would suggest that the references to “use” and “disclosure” should be construed as having the same meaning, has been rejected by the ADT. In NZ v Director General, New South Wales Department of Housing, the ADT held that “use” refers to “the handling of personal information within the collecting agency” and “disclosure” to “the giving of the information by the collecting agency to a person or body outside the agency”.38 Similarly, in JD v Department of Health, the Appeal Panel held that “‘use’ normally bears the connotation of employing information for a purpose” and if an agency “merely retrieves information in its possession and discloses that to an external person or body, there is no ‘use’ involved”.39
6.44 However, the Crown Solicitor has suggested that the distinction between “use” and “disclosure” is not as clear-cut as the ADT has assumed.40 The issue is complicated by s 28(3) because it implies that s 17 deals with “disclosure”.41 In addition, the distinction between “use” and “disclosure” has been blurred in relation to s 16 by the conclusion in Director General, Department of Education and Training v MT that s 16 “applies a data quality standard to all uses of personal information by an agency including conduct involving disclosure of personal information by the agency”.42
6.45 Privacy NSW argues that having different IPPs apply to use and disclosure is untenable for two reasons. First, it gives rise to technical arguments as to when processing of information involves use or disclosure. Secondly, it involves an unjustifiable application of different standards.43 For example, IPP 12 gives sensitive information a higher degree of protection with respect to disclosure than it receives with respect to use. Specifically in relation to s 16, the Commission is of the view that logically, and in fairness to the individual to whom the information relates, the provision should place an agency/organisation under the same obligation to check information before disclosing it as applies to use of the information.
6.46 Privacy NSW has recommended either collapsing the concepts of “use” and “disclosure” into one concept or matching exactly the privacy standards, and exemptions from those standards, for “use” and “disclosure” contained in the HPPs.44
ISSUE 36
(a) Should “use” and “disclosure” be treated as one concept such as “processing”, or as a combined phrase such as in the proposed UPP 5, with the one set of privacy standards and exemptions applying?
(b) Alternatively, should the same privacy standards, and exemptions from those standards, contained in the HPPs apply equally to “use” and “disclosure” of information?
IDENTIFICATION OF THE PURPOSE FOR COLLECTION – IPPs 10 AND 11; HPPs 10 AND 11
6.47 Although IPPs 10 and 11 (PPIPA s 17 and 18) and HPPs 10 and 11 regulate separate matters (“use” in 10; “disclosure” in 11), these privacy principles all limit the agency’s/organisation’s use or disclosure of the information to a purpose “for which it was collected”.45 Note that the wording is not “for which the agency/organisation collected it” or similar.
6.48 The Crown Solicitor has argued that these provisions fail to recognise that there may be multiple lawful acts of collection, such as where an agency is entitled to collect information from someone other than the individual pursuant to the exemptions in s 9 of PPIPA.46 The purpose for which the individual gave his or her personal information to a third party may be quite different from the purpose for which an agency collects that information from the third party.
APPLICATION OF IPPs 10 AND 11 AND HPPs 10 AND 11 TO UNSOLICITED INFORMATION
6.49 Section 4(5) of PPIPA and s 10 of HRIPA provide that personal information is not “collected” if receipt of the information by the agency/organisation is unsolicited. Accordingly, the collection IPPs 1-4 (PPIPA s 8-11) and HPPs 1-4 do not apply to unsolicited information. The question that arises is, if IPPs 10 and 11 and HPPs 10 and 11 depend on identification of the purpose for which information was “collected”, how can these provisions be applied where there is no “collection”?
6.50 In KD v Registrar, New South Wales Medical Board, the ADT held that s 17 and 18(1) of PPIPA can have no application where the information is unsolicited.47 However, in OA v New South Wales Department of Housing, the ADT held that “the principles in the Act that have to do with ‘holding’ of information come into play; as do the principles in relation to ‘use’ and ‘disclosure’ [where an agency] decides to ‘hold’ information that was originally received as an unsolicited communication”.48 The ADT considered that “collection” occurred “when the Department decided to retain the unsolicited information and keep it essentially as intelligence information”.49 The deemed purpose of collection is, in effect, the purpose for which it was retained. The Crown Solicitor questions whether this approach is correct.50 It argues that, taken to its logical conclusion, if a “collection” occurs when the agency decides to keep the information, then all the collection IPPs (and, by extension, HPPs), including s 9, should apply.
6.51 In AW v Vice Chancellor, University of Newcastle, the ADT held that IPP 10 and HPP 10 applied to unsolicited information.51 Health and other information was provided by the applicant to the University to support his complaint to the University that he was suffering harassment and discrimination at the hands of students and lecturers. The applicant applied to the ADT for review of conduct whereby his information was, he alleged, disclosed by the University to others in breach of the IPPs and HPPs. The ADT found that the information was unsolicited and that the “collection” IPPs and HPPs did not therefore apply.52 However, the ADT then went on to hold that the information was “held” by the University and that the “use” privacy principles (IPP 10; HPP 10) accordingly applied.53 While the ADT found that the information was unsolicited and hence not “collected” by virtue of s 4(5) of PPIPA and s 10 of HRIPA, it found that the meaning of “collected” in the context of IPP 10 and HPP 10 was wider. That is, IPP 10 and HPP 10 state that an agency/organisation must not use information for a purpose other than that for which it was collected but in this context, “collected” could mean “obtained”.54
6.52 The approach taken by the ALRC in its proposed UPP 2.5 is to provide that, if an agency or organisation receives unsolicited personal information, it must either: destroy it without using or disclosing it; or comply with all relevant UPPs as if the agency/organisation had actively collected the information.
ISSUE 38
Do IPPs 10 and 11 and HPPs 10 and 11 apply to unsolicited information? If not, should they apply?
ISSUE 39
Should the privacy principles include a principle in terms identical, or equivalent, to the proposed UPP 2.5?
DISCLOSURE TO THIRD PARTIES – IPP 11
6.53 IPP 11, specifically s 18(1)(b) of PPIPA, exempts from the requirement not to disclose information to a third party the situation where the individual to whom the information relates “is reasonably likely to have been aware, or has been made aware in accordance with s 10, that information of that kind is usually disclosed” to that third party.
6.54 The Crown Solicitor has pointed out that missing from this sub-section is the wording in s 18(1)(a) “and the agency … has no reason to believe that the individual concerned would object to the disclosure”.55 Hence, under s 18(1)(b), even if the individual objects, an agency could still lawfully disclose information if the other prerequisites are met. This may be acceptable if the individual is aware, or made aware, before providing the information that it may be disclosed to a third party. However, if the individual is in fact not aware, and given that s 10 allows the agency to inform the individual “as soon as practicable after collection” and that s 18 contains no mechanism to retract the information, it is arguable that the provision operates unfairly.
6.55 Proposed UPP 3.1(f) does not remedy the problem as it too allows an agency or organisation to inform an individual of the “types of people, organisations, agencies or other entities to whom the agency or organisation usually discloses personal information” after collection (albeit as soon as practicable after collection).56
ISSUE 40
(a) Should s 18(1)(b) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to include the phrase “and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure”?
(b) Alternatively, should s 18(1)(b) be amended to delete the reference to s 10 and to provide instead that the individual must be made aware at the time the information is collected that information of that kind is usually disclosed to a third party?
SPECIAL RESTRICTIONS ON DISCLOSURE – IPP 12
Section 19(1) of PPIPA – disclosure of sensitive information
6.56 As noted above, s 19(1) applies restrictions to the disclosure of “personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities”, which can be loosely termed “sensitive information”. A higher standard must be met before sensitive information can be disclosed.
6.57 Privacy NSW has submitted that a person’s criminal history or record should be included in the types of sensitive information covered by s 19(1).57 This is the approach taken in the Privacy Act 1988 (Cth),58 the Information Privacy Act 2000 (Vic)59 and the Information Act (NT).60 Privacy NSW reports that about six per cent of the complaints and enquiries it receives relate to misuse of a person’s criminal history or record and that “[i]nappropriate disclosure of spent convictions is of particular concern, especially in the employment context”.61
6.58 The statutory review of PPIPA observed that “the legislation in NSW governing criminal records deals only with spent convictions” and that “[i]t is appropriate for privacy legislation to protect personal information concerning a person’s criminal record if it is not otherwise protected”.62 The review recommended that “the definition of sensitive personal information in the Act … include a person’s criminal record”.63
6.59 Privacy NSW has also submitted that the words “sexual activities” in s 19(1) need clarification, as it is unclear whether the reference is to sexual orientation or sexual conduct (for example, adultery, sexual assault, sexual harassment), or both.
6.60 Privacy NSW has further submitted that the structure of s 18 and 19 could be improved. It suggests that the separation of s 19(1) from s 18 has caused confusion and that there have been instances where the stricter requirements for disclosure of sensitive information have been overlooked. Given that the remainder of s 19 deals with trans-border information disclosure, Privacy NSW has suggested that s 19(1) would more logically fit into s 18.
ISSUE 41
Should disclosure of an individual’s criminal history and record be restricted under s 19 of the Privacy and Personal Information Protection Act 1998 (NSW)?
ISSUE 42
Should the meaning of the words “sexual activities” in s 19(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be clarified?
ISSUE 43
Should s 19(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be taken out of s 19 and placed within s 18?
Section 19(2) of PPIPA – disclosure outside NSW
6.61 Section 19(2) of PPIPA prohibits the disclosure of information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency, unless a relevant privacy law applying to that information is in force in that jurisdiction, or applies to that Commonwealth agency; or the disclosure is permitted under a privacy code of practice. Section 19(4) provides that the Privacy Commissioner “is to prepare a code relating to disclosure of personal information” to external jurisdictions or Commonwealth agencies.
6.62 If, as seems likely, s 19(2) is the sole provision relating to disclosure of information outside New South Wales, and s 18(1) is not also applicable, then both the Crown Solicitor and the Privacy Commissioner have said that s 19(2) will not apply until a code referred to in s 19(4) has been made.64 If this interpretation is correct there are presently no limitations on the disclosure of personal information to interstate bodies and Commonwealth agencies as no such code has been made to date.
6.63 HPP 14 regulates the “transfer” of “transborder data flows and “data flow to Commonwealth agencies”. Transfer of health information to external jurisdictions or Commonwealth agencies is not permitted unless one of eight criteria is satisfied. Either:
(a) the organisation reasonably believes that the recipient of the information is subject to principles for fair handling of the information that are substantially similar to the HPPs;
(b) the individual consents;
(c) and (d) the transfer is necessary to perform a contract either between the individual and the organisation, or between the organisation and a third party in the individual’s interest, or to implement pre-contractual measures at the individual’s request;
(e) the transfer is for the individual’s benefit, it is impracticable to obtain his or her consent and he or she would be likely to consent anyway;
(f) the organisation reasonably believes the transfer to be necessary to lessen or prevent a serious and imminent threat to life, health or safety, or serious threat to public health or safety;
(g) the organisation has taken reasonable steps to ensure the information will be treated consistently with the HPPs; or
(h) the transfer is permitted or required by law.
The operation of the provision is not dependent on a health privacy code of practice being made.
6.64 Proposed UPP 11 similarly regulates transborder data flows to jurisdictions outside Australia by making the transfer conditional upon (at least) one of four circumstances prevailing. Two of these are similar to criteria (a) and (b) of HPP 14 and two differ: (a) the agency or organisation reasonably believes that the recipient of the information is subject to principles for fair handling of the information that are substantially similar to the UPPs; or (b) the individual consents; or (c) the transfer is necessary for an enforcement body to carry out certain enforcement roles; or (d) the agency or organisation continues to be liable for breaches of the UPPs and certain other conditions are met.
6.65 The Commission considers that HPP 14 and UPP 11 are far better provisions to regulate transborder data flow and transfer of information to Commonwealth agencies than s 19(2) of PPIPA, but we are interested to receive responses to our provisional view.
PROPOSAL 14
Section 19(2) of the Privacy and Personal Information Protection Act 1998 (NSW) should be redrafted in line with HPP 9 and the proposed UPP 11. Alternatively, if the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are to become one Act, HPP 9, redrafted to incorporate elements of the proposed UPP 11, is to be preferred over s 19(2) to regulate transborder data flows and transfer of information to Commonwealth agencies.
REGULATING UNIQUE IDENTIFIERS
6.66 An “identifier” is usually, but not necessarily, a number (although, it cannot simply be the individual’s name) assigned to an individual by an agency for the purpose of uniquely identifying that individual.65
6.67 Legislation that regulates identifiers generally does so by providing that an agency/organisation may only assign an identifier to an individual if this is reasonably necessary to carry out its functions efficiently. Also, generally speaking, “identifier” provisions ensure “single purpose use” of identifiers. That is, a private sector person can only adopt as its own identifier of an individual, or use or disclose, an identifier that a public sector agency has assigned to that individual in specific situations. These include where: the individual consents; adopting the identifier is required or authorised by law; or the use or disclosure is required for the purpose the identifier was assigned.66 There are also exceptions to the rule that a private sector person cannot adopt, use or disclose an identifier assigned by a public sector agency in situations where this is necessary for the private sector person to fulfil its obligations to, or the requirements of, the public sector agency.67
6.68 Of all privacy statutes in Australian jurisdictions, including the Commonwealth, PPIPA is the only one that does not include a provision regulating the use of unique identifiers.68 In the Commission’s view, this is an omission that needs to be rectified.
6.69 The danger of an agency disclosing its unique identifier for an individual to other bodies or organisations, other than in restricted circumstances, is that the third party may be able to access information about the individual connected with the unique identifier for unauthorised purposes. There is a belief that threats to privacy are inherent in any unique identifier for individuals. Use of the same identifier by different organisations “increases the threat to privacy by facilitating unauthorized linkages of information about an individual within and across those organizations”,69 particularly in an electronic environment. If a social security number, for example, were to be used as a unique identifier, this could allow access to a large amount of very private information, such as medical, credit and financial data, consumer behaviour information and employment information.
6.70 Individuals whose personal information comes within the jurisdiction of PPIPA are in a vulnerable position in the absence of a provision regulating use and disclosure of identifiers. Furthermore, PPIPA is out of step with other jurisdictions. PPIPA should be amended to include, or a remodelled PPIPA/HRIPA Act should contain, a provision regulating identifiers. Whether the provisions of HPP 12 or the proposed UPP 10, or some combination of the two, should be adopted is a matter for consultation.
6.71 The proposed UPP 10 and HPP 12 are quite different. UPP 10 omits the provision contained in HPP 12(1) permitting an agency to assign an identifier if this is reasonably necessary to carry out its functions efficiently. UPP 10 is focused solely on ensuring “single use” of identifiers by stating that an organisation or an agency must not adopt as its own an identifier that has been assigned by another agency (including a State or Territory agency), an agent or a contractor. HPP 12(2), however, allows a private sector person to adopt as its own an identifier assigned by a public sector agency (or agent or contractor) if: the individual consents to the adoption of the same identifier; or the use or disclosure of the identifier is required or authorised by or under law. Pursuant to UPP 10.4, an agency or organisation identifier must not be disclosed by an agency or organisation unless the use or disclosure: (a) is necessary for the agency or organisation to fulfil its obligations to the agency that assigned the identifier; or (b) is subject to one or more of the use and disclosure UPPs (UPP 5.1(c) to (f)); or (c) would be permitted by the proposed Privacy (Health Information) Regulations where the identifier is genetic information; or (d) is of a prescribed identifier in prescribed circumstances. HPP 12(3), on the other hand, allows use or disclosure by a private sector person of an identifier assigned by a public sector agency (or agent or contractor) if the use or disclosure: (a) is required for the purpose for which it was assigned, or a described secondary purpose; or (b) is consented to by the individual; or (c) is disclosure back to the assigning agency to enable the agency to identify the individual for its own purposes.
PROPOSAL 15
If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are to become one Act, a privacy principle regulating the use and disclosure of identifiers should be contained in the new Act. If the two Acts are to remain separate, the Privacy and Personal Information Protection Act 1998 (NSW) should be amended by the addition of a further IPP regulating the use and disclosure of identifiers.
ISSUE 44
Should the privacy principle regulating the use and disclosure of identifiers be in the same terms as HPP 12 or the proposed UPP 10, or some combination of the two?
FOOTNOTES
1. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), 44.
2. Crown Solicitor’s Office, New South Wales, Advice, 43. See National Privacy Principle 10 in the Privacy Act 1988 (Cth); IPP 10 in the Information Privacy Act 2000 (Vic); and IPP 10 in the Information Act (NT).
3. NSW Department of Health, Consultation (3 December 2007).
4. See Australian Law Reform Commission, Review of Privacy (Discussion Paper 72, 2007), 89-100.
5. ALRC DP 72, 100.
6. Compare s 19 of the Privacy and Personal Information Protection Act 1998 (NSW), which requires a serious and imminent threat to life or health before sensitive information can be disclosed.
7. Crown Solicitor’s Office, New South Wales, Advice, [3.14].
8. Crown Solicitor’s Office, New South Wales, Advice, [3.14]. Although s 23(2) may permit collection in connection with court proceedings.
9. See, for example, Health Privacy Principle 3(1): Health Records and Information Privacy Act 2002 (NSW).
10. Crown Solicitor’s Office, New South Wales, Advice, [3.16].
11. Crown Solicitor’s Office, New South Wales, Advice, 44.
12. Crown Solicitor’s Office, New South Wales, Advice, 44.
13. Crown Solicitor’s Office, New South Wales, Advice, [4.4].
14. Crown Solicitor’s Office, New South Wales, Advice, 45-46.
15. Crown Solicitor’s Office, New South Wales, Advice, 47.
16. HW v The Director of Public Prosecutions (No 2) [2004] NSWADT 73.
17. HW v The Director of Public Prosecutions (No 2) [2004] NSWADT 73, [23].
18. Crown Solicitor’s Office, New South Wales, Advice, [3.17].
19. Crown Solicitor’s Office, New South Wales, Advice, [3.18].
20. Crown Solicitor’s Office, New South Wales, Advice, [3.23].
21. Vice-Chancellor, Macquarie University v FM [2005] NSWCA 192.
22. Crown Solicitor’s Office, New South Wales, Advice, [3.19].
23. Crown Solicitor’s Office, New South Wales, Advice, [3.23].
24. Crown Solicitor’s Office, New South Wales, Advice, [3.23].
25. Crown Solicitor’s Office, New South Wales, Advice, 48.
26. Crown Solicitor’s Office, New South Wales, Advice, 50.
27. Crown Solicitor’s Office, New South Wales, Advice, 82. The Crown Solicitor, commenting that s 20(5) is “not an easy provision to construe”, has observed that “[t]he difficulty lies in identifying the provisions of the FOI Act that impose ‘conditions or limitations (however expressed)’ with respect to any ‘matter’ referred to in ss 13, 14 or 15": Crown Solicitor’s Office, New South Wales, Advice, [7.1].
28. Crown Solicitor’s Office, New South Wales, Advice, 82.
29. Crown Solicitor’s Office, New South Wales, Advice, 82.
30. Crown Solicitor’s Office, New South Wales, Advice, 83.
31. Crown Solicitor’s Office, New South Wales, Advice, 83.
32. The Crown Solicitor has stated that the effect of s 15(1) and (2) is unclear: Crown Solicitor’s Office, New South Wales, Advice, [3.20].
33. See GR v Department of Housing [2003] NSWADT 268, [41].
34. Crown Solicitor’s Office, New South Wales, Advice, [3.20].
35. Crown Solicitor’s Office, New South Wales, Advice, 52. See, for example, the Personal Information Protection and Electronic Documents Act 2000 (Canada), sch 1, Principle 5; the Data Protection Act 1998 (UK) sch 1, Data Protection Principle 6.
36. Pointed out by Crown Solicitor ’s Office, New South Wales, Advice, 52.
37. See also the Information Privacy Act 2002 (Vic).
38. NZ v Director General, New South Wales Department of Housing [2005] NSWADT 58, [69].
39. JD v Department of Health [2005] NSWADTAP 44, [93], [42].
40. Crown Solicitor’s Office, New South Wales, Advice, [3.41].
41. Crown Solicitor’s Office, New South Wales, Advice, [3.41]. Section 28(3) of Privacy and Personal Information Protection Act 1998 (NSW) provides that “nothing in section 17, 18 or 19 prevents or restricts the disclosure of information …”
42. Director General, Department of Education and Training v MT [2005] NSWADTAP 77, [39].
43. Crown Solicitor’s Office, New South Wales, Advice, 53.
44. Crown Solicitor’s Office, New South Wales, Advice, Recommendation, 53.
45. The phrase used in s 11 of Privacy and Personal Information Protection Act 1998 (NSW) is “for which the information was collected”.
46. Crown Solicitor’s Office, New South Wales, Advice, [3.24-3.32].
47. KD v Registrar, New South Wales Medical Board [2004] NSWADT 5.
48. OA v New South Wales Department of Housing [2005] NSWADT 233, [45].
49. OA v New South Wales Department of Housing [2005] NSWADT 233, [50].
50. Crown Solicitor’s Office, New South Wales, Advice, [3.28].
51. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86.
52. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86, [27].
53. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86, [28]. The ADT ultimately found that the evidence did not disclose any breach of the “use” privacy principles: [30].
54. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86, [28], relying on MT v Department of Education and Training [2004] NSWADT 194.
55. Crown Solicitor’s Office, New South Wales, Advice, [3.29].
56. UPP 3.2 applies the provisions of UPP 3.1 to information collected from someone other than the individual.
57. Crown Solicitor’s Office, New South Wales, Advice, 57.
58. See National Privacy Principles 2 and 10.
59. See IPP 10.
60. See IPP 10.
61. Crown Solicitor’s Office, New South Wales, Advice, 57.
62. New South Wales Attorney General’s Department, Review of Privacy and Personal Information Protection Act 1998 (NSW) (tabled 25 September 2007, Legislative Assembly), [9.44].
63. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998 (NSW), Recommendation 17.
64. Crown Solicitor’s Office, New South Wales, Advice, [3.36]; NSW Privacy, Consultation (29 June 2007).
65. See, for example, the definition of “identifiers” in s 4 of the Health Records and Information Privacy Act 2002 (NSW).
66. See, for example, Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 12(2) and (3).
67. See, for example, Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 12(4).
68. See the Privacy Act 1988 (Cth), sch 3 cl 7 (National Privacy Principle 7); Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 12 (HPP 12); Personal Information Protection Act 2004 (Tas) s
24; Information Act (NT), sch 2; Information Privacy Act 2002 (Vic) s 7.
69. U.S. Department of Health and Human Services, Unique Health Identifier for Individuals: A White Paper (1998) http://www.epic.org/privacy/medical/hhs-id-798.html (27 November 2007).
