28.07.2010
28.20 Concern was expressed in some submissions about the quality of consent required to meet the standards set out in the NPPs. Consent may be required under the NPPs in a range of circumstances such as the collection of sensitive information (including most genetic information); use for any purpose other than the primary purpose of collection; and transfer of personal information out of Australia. The OFPC’s Guidelines to the National Privacy Principles set out the requirements for valid consent under the Privacy Act:
Consent means voluntary agreement to some act, practice or purpose. It has two elements: knowledge of the matter agreed to, and voluntary agreement. Consent can be express or implied. Express consent is given explicitly, either orally or in writing. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. Consent is invalid if there is extreme pressure or coercion.[16]
28.21 The two elements for valid consent identified in the Guidelines—the informed nature of the consent and its voluntariness—are discussed separately below. This section also considers the related issue of ‘bundled consents’, which goes to the voluntariness of consent.
Informed consent
Submissions and consultations
28.22 A number of submissions raised concerns about whether applicants for insurance are sufficiently well informed about the collection and use of genetic information by insurers to give valid consent. UnitingCare NSW & ACT stated in its submission:
One problem with privacy legislation is that a wide range of things can be done with information provided that the individual gives their consent to a company to disclose the information. This assumes that individuals are aware of the implications, for themselves and others, of information being disclosed. This is likely to be untrue in many situations. People lack the information necessary to give informed consent. This makes legislative requirements hollow.[17]
28.23 The Centre for Law and Genetics was of the view that, in relation to genetic information in particular, there were grounds for ensuring that particular care is taken in collecting and using the information:
There are good grounds for suggesting that a heightened level of protection of this form of information is appropriate in some particular areas—not necessarily because genetic information should be regarded as ‘unique’, but because there are a number of factors associated with it, the combined effect of which justifies taking particular care in the collection and use of this information. We would accordingly support an enhanced level of consent being required from the applicant in relation to genetic information to ensure that it is only collected when necessary, as one measure which would assist in the better protection of genetic information.[18]
28.24 Privacy NSW expressed a similar point in relation to medical authority forms used by insurers:
In the case of insurance contracts, it seems that no ‘standard’ medical authority is in use. If insurance companies are to collect genetic testing information, the consent form should be standardised and include a separate section on genetic testing with precise information as to the exact and specific nature of the test requested, why it is requested, and how it will be used and/or disclosed.[19]
28.25 In response to DP 66, IFSA submitted:
IFSA believes that the current consent and medical authority forms fully satisfy National Privacy Principle (NPP) 1 Collection and NPP 10 Sensitive Information with respect to the collection of human genetic test information. However, in the interests of establishing public confidence, IFSA would support a review by insurers of their consent forms and medical authority forms. Such a review would examine what additional information might be provided (e.g. the definition of a ‘Genetic Test’ based on the IFSA Genetic Testing Policy) so that applicants for insurance are better informed about this issue and its relevance to the assessment of their insurance proposal.[20]
28.26 A number of submissions suggested that such a review be conducted in consultation with the Human Genetics Commission of Australia (HGCA).[21]
Inquiry’s views
28.27 In the Inquiry’s view, the collection and use of genetic information by insurers does give rise to the need to ensure that applicants are adequately informed. Genetic information has some special characteristics, such as its predictive and familial nature, which need to be raised with and considered by applicants at the time of collection. While applicants have a duty to disclose relevant information to insurers, that duty only arises if the applicant decides to proceed with the insurance application. An applicant should be given sufficient information to enable the applicant to make an informed decision about whether to proceed.
28.28 The Inquiry recommends, therefore, that insurers review their consent and medical authority forms to ensure that they contain sufficient information about the collection, use and disclosure of genetic information to allow applicants to make an informed decision about whether to proceed with the application and consent to the collection of the information. The review would also provide an opportunity to ensure that consent and medical authority forms are consistent with the NPPs, any approved privacy codes and IFSA’s Genetic Testing Policy, where applicable. The Inquiry considers that the review should be conducted in consultation with the HGCA and the OFPC, and might usefully be streamlined by engaging IFSA and the ICA in the process.
Recommendation 28–1 Insurers should review their consent forms, including medical authority forms, to ensure that they contain sufficient information about the collection, use and disclosure of genetic information to allow applicants to make an informed decision about whether to proceed with their application and consent to the collection of the information. In undertaking this review, insurers should consult with the Human Genetics Commission of Australia and the Office of the Federal Privacy Commissioner.
Voluntary consent
28.29 As noted above, legislation requires an applicant to disclose to the insurer all information that is relevant to underwriting the risk. A number of submissions expressed concern that this obligation may have implications for the voluntariness of an applicant’s consent, which is the second element identified by the OFPC as necessary for valid consent under the Privacy Act.
Submissions and consultations
28.30 Privacy NSW expressed the concern that, in the insurance context, the voluntariness of consent may be compromised:
In any event, even the full provision of accessible information will not support fully free consent in the insurance and employment context where penalties may apply if an applicant declines to provide information. Applicants may feel unable to refuse where there is a possibility of their application for employment or insurance being rejected if they do not agree to the disclosure of genetic testing information.
It is questionable as to whether this situation of coerced consent is adequately addressed in the existing privacy legislation. For instance, the guidelines to the Privacy Act, cite ‘extreme pressure’ as vitiating voluntary consent. This does not equate to the ‘take it or leave it’ option that is likely to arise when genetic testing information is solicited for insurance and employment purposes.[22]
28.31 UnitingCare NSW & ACT was also of the view that:
Reliance on individual consent also ignores the difference in power in the relationship of individuals with organizations. Employers and insurance companies have considerable power compared to individuals, based on their economic power, knowledge power, and coercive power. Individuals can feel powerless to say ‘no’ to insurance companies or employers. They need the law to protect them from unnecessary invasion of their privacy and erosion of their interests.[23]
28.32 Margaret Otlowski described the interaction between the disclosure obligations in the Insurance Contracts Act 1984 (Cth) (Insurance Contracts Act) and the obligations in the Privacy Act in the following terms:
Information disclosed to the insurer pursuant to these disclosure obligations would be regarded as information provided with the consent of the individual even though individuals may feel they have no real choice about this and in that sense one might question the ‘voluntary’ nature of this disclosure.[24]
28.33 Kathy Liddell also emphasised that privacy laws are directed towards how information is handled rather than what information is required in particular contexts:
Usually, privacy laws allow information to be used consistent with an individual’s consent. The fundamental tenet of these statutory schemes is that an individual ought to have control over their personal information. The response by insurers is simply to refuse to enter into an insurance contract if the individual does not consent to the use of their information. In these circumstances there is no breach of information privacy law.[25]
Inquiry’s views
28.34 The Inquiry is of the view that in a properly regulated environment the duty of ‘utmost good faith’ of contracting parties is necessary and appropriate in relation to mutually rated insurance products in the private sector. While there may be a tension between an applicant’s legal obligation to disclose all relevant information to the insurer and the voluntariness of consent to disclosure for the purposes of the Privacy Act, the tension is created by the applicant’s desire to enter into a contractual arrangement in which there is an established duty of disclosure.
28.35 Some submissions identified the problem of coerced consent as arising in the contexts of both employment and insurance. The Inquiry considers that a relevant distinction can be drawn between these situations. The right to work has been recognised as a fundamental human right by many countries within the international community.[26] A person’s ability to work is important to his or her financial security, self-esteem and community involvement. If access to employment were made conditional on the provision of genetic information to an employer, there may be a real sense in which consent to provide that information is coerced—the alternative to the offered employment may be unemployment.
28.36 The inability to access insurance products creates problems of a different order. While some insurance products provide financial support for the insured, or his or her family, on the occurrence of the insurance event, the consequences of being unable to purchase an insurance product are different in degree from the consequences of being unable to sell one’s labour to earn a livelihood. In a practical sense, the voluntariness of consent may depend on the nature of the insurance and the circumstances of the insured. To a self-employed individual whose access to a mortgage depends on having income protection insurance, the disclosure of information may not seem entirely free. Yet, in general, consumers do voluntarily choose whether to apply for insurance, and thus enter into a commercial relationship with the insurer. One aspect of that commercial relationship is that the consumer gives up the right to decide what information should be disclosed and what may be withheld.
28.37 In the Inquiry’s view, the essence of the problem does not appear to be that consent to providing the information is vitiated by coercion in purchasing the insurance product. The real problems appear to be whether genetic information is scientifically reliable and actuarially relevant to the application for insurance and the extent to which insurers’ use of the information is fair and reasonable. The Inquiry considers that these problems are better addressed by examining industry practice and the operation of anti-discrimination laws (see Chapters 26 and 27), than by amending privacy laws.
Bundled consents
28.38 A related issue, which also goes to the voluntariness of consent, is the question of ‘bundled consents’. The OFPC set out the problem as follows:
The OFPC’s concerns around ‘bundled consents’ are directed against the practice of financial institutions making it a condition of an individual’s access to their services that the individuals agree to a wide range of further uses and disclosures of their information. In other words, the individual’s consent to those further uses and disclosures in some circumstances may lack the requisite voluntariness and range of options. In other circumstances, the consents sought from the individual are unduly broad or loosely worded, allowing an organisation to interpret the consents in a manner which is ultimately intrusive or harmful to the individual. While the practice of bundled consents may not be in breach of the Act, it must be regarded as contrary to the spirit of the legislation.[27]
28.39 The OFPC has received a small number of complaints in relation to bundled consents in insurance claims forms[28] and, in a May 2002 Media Release, the Federal Privacy Commissioner made the following comment:
Bundled consents are not good privacy or business practices and are totally contrary to the spirit of the Privacy Act …
Where the exchange of personal information for a service is necessary, the information collected should be required to undertake that particular service—this is the whole thrust of National Privacy Principle One. If the organisation wants to use that information for a purpose other than that for which it was collected, then the individual’s consent should be sought for the extended use of that information but it should not be made a condition of the original service.[29]
28.40 DP 66 asked whether the practice of ‘bundling consents’ undermines the ability of an applicant for insurance to validly consent to the collection of genetic information and, if so, what measures should be taken to address the problem.
Submissions and consultations
28.41 In response to DP 66, a number of submissions expressed the view that provisions seeking consent to the collection of genetic information should be specific to genetic information.[30] The Queensland Government commented that
including consent provisions about the use and release of genetic information into bundled consent packages may not be appropriate. There is a need to ensure this difficult subject receives sufficient attention from the applicant to enable informed consent to be given.[31]
28.42 The Androgen Insensitivity Syndrome Support Group expressed the view that:
The practice of blanket or bundled consents should not be applied to genetic information. It should be clear where a person consents to their genetic information being used for any purpose, the purposes for which the information can be used and any other person to whom the information can be disclosed. A person who gives consent for access to their genetic information should also have the option of specifying the purpose or purposes for which the consent is given, not the all or nothing approach offered by blanket consents. They should also be told that they could withdraw their consent at a later date.[32]
28.43 In its submission to the Inquiry IFSA stated:
When insurers seek consent from an individual to the provision of health information (including medical, genetic test or family history information) in order to underwrite the relevant life insurance policy, the consent is used for that purpose and that purpose alone.[33]
28.44 The submission went on to make clear that:
IFSA does not support the bundling of consents not related to the primary purpose of collection as a practice. The issue of bundling consents is irrelevant to the collection of genetic test information, which is for the sole purpose of providing life insurance services in accordance with the Insurance Contracts Act.[34]
28.45 The OFPC noted in its submission that it is continuing to monitor the use of bundled consents and to encourage best practice through consultation with industry members. If this issue continues to be of concern, the OFPC intends to consider bundling of consents in its review of the private sector provisions of the Privacy Act to be conducted once the legislation has been in operation for two years.[35]
Inquiry’s views
28.46 The Inquiry recognises that, while the bundling of consents may not be in breach of the Privacy Act, the practice has the potential to undermine the voluntariness of the consent of an applicant for insurance. The Inquiry agrees with the OFPC that this is contrary to the spirit of the NPPs and is not good business practice.
28.47 The Inquiry is of the view that, where an insurer seeks consent from an applicant to collect genetic information, the original consent should be limited to collection for the primary purpose of assessing the application for insurance. Consent to collection of genetic information for the purpose of assessing the application should not be bundled together with consents to other, unrelated or secondary uses of the genetic information. Where the insurer wishes to seek consent for other uses, consent should be sought separately and the application for insurance should not be made dependent on the provision of consent to those other uses. This approach is consistent with the ethical principle of respect for persons and their autonomy, discussed in Chapter 6 in relation to the use of genetic information in health care and research. The Inquiry recommends that, in conducting the review of consent forms in accordance with Recommendation 28–1, insurers should ensure that consent provisions in relation to the collection of genetic information are limited in this way.
28.48 In addition, some submissions suggested that provisions seeking consent to the collection of genetic information in insurance applications should be separate to provisions seeking consent to the collection of other health information. While the Inquiry has not formed a view on this matter, insurers should consider this issue in conducting the review of consent forms.
Recommendation 28–2 In reviewing consent and medical authority forms in accordance with Recommendation 28–1, insurers should ensure that consent to collect genetic information for the purpose of assessing an application for insurance is not bundled together with consent for other purposes. The provision of insurance should not be made conditional on the giving of consent to other, unrelated or secondary uses of the genetic information.
[16] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), OFPC, Sydney.
[17] UnitingCare NSW & ACT, Submission G052, 14 January 2002.
[18] Centre for Law and Genetics, Submission G048, 14 January 2002.
[19] Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002.
[20] Investment and Financial Services Association, Submission G244, 19 December 2002.
[21] Human Genetics Society of Australasia, Submission G267, 20 December 2002; Centre for Genetics Education, Submission G232, 18 December 2002.
[22] Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002.
[23] UnitingCare NSW & ACT, Submission G052, 14 January 2002.
[24] M Otlowski, Submission G159, 24 April 2002. The Centre for Law and Genetics also addressed the tension between the need for voluntary consent under the Privacy Act and the requirement to disclose all relevant information to insurers. See Centre for Law and Genetics, Submission G048, 14 January 2002.
[25] K Liddell, Submission G147, 10 April 2002.
[26]International Covenant on Economic, Social and Cultural Rights, opened for signature 19 December 1966, 993 UNTS 3, (entered into force on 10 March 1976), art 6(1).
[27] Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003.
[28] Ibid. See A v Insurer (2002) PrivCmrA 1: see Office of the Federal Privacy Commissioner, <www.privacy.gov.au/publications/casenotes/ccn1_02.doc>, 18 March 2003.
[29] Office of the Federal Privacy Commissioner, Announcement: Bundled Consents and the Privacy Act, The Office of the Federal Privacy Commissioner, <www.privacy.gov.au/news/media/02_8.html>, 20 February 2003.
[30] Cancer Council Victoria Cancer Genetics Advisory Committee, Submission G195, 27 November 2002; Centre for Genetics Education, Submission G232, 18 December 2002; Genetic Support Council WA, Submission G243, 19 December 2002; Human Genetics Society of Australasia, Submission G267, 20 December 2002.
[31] Queensland Government, Submission G274, 18 December 2002.
[32] Androgen Insensitivity Syndrome Support Group Australia, Submission G290, 5 January 2003.
[33] Investment and Financial Services Association, Submission G244, 19 December 2002.
[34] Ibid.
[35] Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003.