16.08.2010
23.17 The current obligations in the IPPs and NPPs do not refer specifically to an obligation to notify individuals. The obligation is to take steps to ensure that an individual is aware of specified matters.
23.18 An agency is currently obliged to take such steps before it collects personal information or, if that is not practicable, as soon as practicable after the information is collected.[22] An organisation is currently obliged to take such steps at or before the time of collection or, if that is not practicable, as soon as practicable after collection.[23]
23.19 Guidance issued by the Office of the Privacy Commissioner (OPC) on the obligation in the NPPs states, in part, that:
An organisation could put off giving NPP 1.3 information until after the time of collection if there are practical problems in doing so that the organisation cannot overcome by any reasonable means.[24]
23.20 The OPC’s guidance sets out a number of factors to be considered in assessing whether it is impracticable to notify individuals of relevant matters at or before the time of collection. These include, for example, the sensitivity of the information; the privacy implications for the individual of not receiving the information at or before collection; what is accepted as industry practice by consumers and industry; and the cost of providing the information at or before collection.[25]
Submissions and consultations
23.21 In DP 72, the ALRC proposed that agencies and organisations should take reasonable steps to ensure that an individual is aware of a number of specified matters relating to the collection of his or her personal information. The ALRC proposed that such an obligation should arise at or before the time an agency collects personal information or, if that is not practicable, as soon as practicable after collection.[26]
Nature of obligation
23.22 A number of stakeholders expressed the view that the principle should refer expressly to a requirement to notify individuals of the specified matters.[27] The Public Interest Advocacy Centre (PIAC), for example, submitted that:
The focus on the individual’s awareness is potentially problematic. ‘Awareness’ is a difficult concept to prove as it involves making assumptions about what was in the individual’s consciousness at a particular time. This will inevitably involve some degree of subjectivity. A better test would be to look at whether the individual had, in fact, been notified. This will be easier to prove from an enforcement point of view.[28]
23.23 The Australian Privacy Foundation came to a similar conclusion, but for different reasons. It stated that:
We are concerned that leaving the obligation as ‘ensuring awareness’ (as in NPP 1.3) is too open to abuse. For instance … data users could deliberately omit privacy notices from routine communications even where there is minimal marginal cost in repeating it, relying instead on an initial communication constituting ‘reasonable steps’…
We agree that the objective of this principle is to ensure awareness, but a better way of consistently achieving this objective would be, in our view, to change this principle from one of reasonable steps to ‘ensure awareness’ to reasonable steps to specifically ‘notify’, with a conditional exception where the data user could establish that at least the typical data subject had been made aware by other means.[29]
23.24 The Australian Bankers’ Association (ABA), on the other hand, emphasised that an individual could be made aware of matters, other than by way of notification. For example, it stated that the requirement to ensure awareness could be met if an individual was aware of information in a bank’s Privacy Policy.[30]
Timing of obligation
23.25 PIAC expressed concern that, under the proposed approach, an individual may sometimes not be made aware of the specified matters until after his or her personal information has been collected. It stated:
The circumstances in which notification after the time of collection will be acceptable should be very limited. Strong justification should be necessary where notice is not provided before or at the time of collection.[31]
23.26 The Cyberspace Law and Policy Centre supported the proposal relating to the time at which the obligation is to arise. It submitted, however, that the OPC should be required to issue guidance about the ‘limited circumstances in which “after the event” notification is acceptable’.[32] It stated:
Clearly, the objective of awareness—to put the individual in a position of knowledge before they decide whether to give up their personal information—is severely compromised if the information is not provided beforehand. On the other hand, there clearly are some circumstances where it is simply not practicable to convey all or, in some cases, any of the information in advance. The risk of providing an ‘if impracticable then later’ exception is that it can be abused, with data users who could provide the information prior to collection, perhaps with some cost or creativity, spuriously claiming ‘impracticability’.[33]
ALRC’s view
Nature of obligation
23.27 An agency or organisation should be required to notify or otherwise ensure that an individual is aware of specified matters relating to the collection of his or her personal information. Notification is one way of ensuring awareness. It is clearly appropriate to refer expressly to notification in the context of the ‘Notification’ principle.
23.28 Agencies and organisations, however, should be able to rely on other means of ensuring that an individual is aware of specified matters. To insist on notification in every case would be prescriptive. It could increase unnecessarily the compliance burden and costs, as well as overloading individuals with information of which they are already aware.
23.29 For example, a collecting agency or organisation could make inquiries or otherwise satisfy itself that an individual has been made aware of the specified matters by the agency or organisation which disclosed the information to it. This is consistent with the approach in the Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000, which stated:
If organisation A collected information from an individual, and organisation A usually discloses that type of information to organisation B, then at the very minimum, organisation A would be required to tell the individual that it usually discloses the information to organisation B … Before organisation B could collect the information it would need to be satisfied that the individual was aware of the other [specified] matters as they pertain to organisation B. If organisation A has given these details to the individual, then organisation B does not have to do any notifying itself … The aim of [the requirement] in NPP 1.5 is to ensure that the individual knows what happens to his or her personal information.[34]
23.30 In other circumstances, it may be legitimate for an agency or organisation to ensure that an individual is aware of specified matters by alerting the individual to specific sections of its Privacy Policy or other general documents containing relevant information. As discussed below, avoiding duplication of material in privacy notices and Privacy Policies reduces compliance costs, and may also have the benefit of reducing unnecessary detail in privacy notices.
23.31 The OPC should develop and publish guidance to assist agencies and organisations in complying with the ‘Notification’ principle. This guidance should address the circumstances in which an agency or organisation can comply with specific requirements under the ‘Notification’ principle by alerting an individual to specific sections of its Privacy Policy or other general documents containing the requisite information.
Timing of obligation
23.32 The obligations under the ‘Notification’ principle should be complied with before or at the time an agency or organisation collects personal information or, if that is not practicable, as soon as practicable thereafter.
23.33 Ideally, agencies and organisations should endeavour to comply with the principle before, or at, the time of collecting personal information. This maximises the potential for an individual to make an informed choice before relinquishing his or her personal information.
23.34 It would be prescriptive and unreasonable, however, to insist that, in all circumstances, the requirement be met before or at the time of collection. The ‘Notification’ principle needs to be flexible enough—as are the current obligations in the IPPs and NPPs—to adapt to circumstances in which compliance before, or at, the time of collection, is impracticable. Agencies and organisations will need to demonstrate the basis upon which impracticability is asserted, if the issue arises.
[22] Privacy Act 1988 (Cth) s 14, IPP 2.
[23] Ibid sch 3, NPP 1.3.
[24] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 28.
[25] Ibid, 28.
[26] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2, 20–5.
[27] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[28] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[29] Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[30] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
[31] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[32] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[33] Ibid.
[34] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [338] (emphasis added).