16.08.2010
23.95 Many individuals find general privacy notices confusing, too long and difficult to relate to their particular situation.[116] Professor Fred Cate has criticised modern privacy notices, stating:
Notices are frequently meaningless because individuals do not see them or choose to ignore them, they are written in either vague or overly technical language, or they present no meaningful opportunity for individual choice.[117]
23.96 The ALRC examined the matters in respect of which a person should be notified or otherwise made aware of, at or about the time that his or her personal information is collected.
23.97 As noted above, the IPPs and NPPs currently set out a number of matters of which agencies and organisations are required to ensure that individuals are aware at or about the time that their personal information is collected. The specified matters share some common ground but are not consistent. Both agencies and organisations are required to ensure that an individual is aware:
of the purposes for which the information is collected;
where applicable, that the collection of the personal information is required by law; and
of the entities to whom personal information of that kind is usually disclosed.
23.98 The last two obligations, however, differ somewhat in scope. Agencies are required to ensure that an individual is aware of the fact that the collection of personal information is required or authorised by or under law, while organisations are required to ensure that an individual is aware of any law that requires the particular information to be collected.
23.99 Agencies are required to ensure that an individual is aware of any entity to which it is the agency’s usual practice to disclose personal information of the kind collected.[118] Agencies also are required to ensure that an individual is aware of the usual disclosure practices of the entities to which they disclose, if it is known to them. Organisations, on the other hand, are required only to ensure that an individual is aware of the organisations (or the types of organisations) to which information of that kind is usually disclosed.
23.100 Further, only organisations are obliged to ensure that an individual is aware of the: collector’s identity and contact details; fact that the individual is able to gain access to the information; and main consequences of not providing the information.
23.101 In other jurisdictions, such as New Zealand, agencies are required to make an individual aware of the: collector’s identity and contact details; fact that the individual can access and correct the information; and consequences for the individual if the information is not provided.[119]
23.102 The discussion below addresses specific categories of matters that potentially could be the subject of a notification requirement.
The fact and circumstances of collection
23.103 Neither the IPPs nor the NPPs require an agency or organisation to notify an individual that it has collected, or is about to collect, personal information about that individual. It is arguably implicit in the existing notification provisions that the agency or organisation needs to provide the individual with notice that his or her personal information has been collected.
23.104 An individual may not always be aware that his or her personal information has been collected. This is so particularly in light of existing and developing technology that allows or facilitates the collection of personal information about an individual without the individual knowing that this has occurred.[120] In response to IP 31, the Victorian Society for Computers and the Law (VSCL) noted that certain types of biometric information, such as iris scanning collected for the purposes of inclusion in a biometrics template, are likely to require the active cooperation of the individual in the process of collection. In comparison, biometrics such as facial and voice recognition may be collected without the knowledge or cooperation of the individual.[121]
23.105 The VSCL also noted that rapid developments in technology—including in the field of biometrics systems—may result in the widespread availability of technologies that are capable of collecting personal information without the knowledge of the individual.[122] Other technologies, such as invisible information collecting devices on web pages or hidden radio frequency identification (RFID) tags, already may be collecting personal information without the knowledge of the individuals concerned.
Submissions and consultations
23.106 In DP 72, the ALRC proposed that, where an agency or organisation collects personal information about an individual either directly from the individual or from someone other than the individual, it should be required to take reasonable steps to ensure that the individual is aware of the fact and circumstances of collection (for example, how, when and from where the information was collected).[123]
23.107 Some stakeholders expressed support for the ALRC’s approach.[124] Other stakeholders noted that this requirement would be new to both agencies and organisations,[125] and expressed strong concerns about its application. These concerns included that:
the drafting did not appear to reflect the intention that the obligation should arise only where an individual might not be aware of the collection of his or her personal information;[126]
because an individual would generally know if, how, and to whom he or she was providing personal information, the wording should make it clear that this requirement only arises in specific circumstances;[127]
the obligation, together with others proposed, would be impractical, costly and inconsistent with environmental and economic objectives; would inconvenience customers;[128] and would impose a resource-intensive burden on agencies;[129]
the potential additional compliance burden that this obligation would impose is questionable on a costs and benefits analysis;[130]
the obligation is inconsistent with certain requirements and practices in law enforcement;[131] and
its application to circumstances where law enforcement agencies obtain personal information about an individual from someone other than the individual, including from anonymous or confidential sources, is problematic.[132]
ALRC’s view
23.108 Agencies and organisations should be required to notify or otherwise ensure that an individual is aware of the fact and circumstances of the collection of his or her personal information where the individual may not be aware of such collection. Circumstances of collection may include how and when the information was collected.
23.109 Such an obligation is necessary to address, for example, circumstances where an individual’s personal information is collected by technology—such as RFID tags, software such as ‘cookies’, and biometrics—without the individual’s knowledge. It also will be of particular significance where an individual’s personal information is collected from a third party, without the individual’s knowledge. It is essential that an individual is equipped with knowledge of the fact and circumstances of collection to enable the exercise of any available rights relating to that information, such as those relating to access and correction. Such an approach also promotes transparency in the collection practices of agencies and organisations.
23.110 The obligation, however, should not be imposed on agencies and organisations where it is clear that an individual is aware that his or her personal information has been collected. This would cover many circumstances where individuals provide the information themselves and, therefore, are directly involved in the collection process. The ALRC agrees that providing notification in such circumstances cannot be justified on a cost-benefit basis. Notifying individuals directly involved in the collection process about the fact and circumstances of collection is a process of limited, if any, utility. It delivers little by way of additional privacy protection. Further, the provision of such information could divert the individual's attention from other important information relating to the collection, required to be provided by the agency or organisation, of which he or she is not aware. Imposing an arguably unnecessary requirement on agencies and organisations also would be onerous and costly, adding significantly to their compliance burden.
23.111 Professor Cate has made a similar point:
If the collection from data subjects is not reasonably obvious, then there should be prominent notice of the fact. If data collection is reasonably obvious, additional notice requirements are superfluous.[133]
23.112 As noted above, an agency or organisation should be required only to take reasonable steps, if any, to notify or otherwise ensure that an individual is aware of the matters the subject of the ‘Notification’ principle. Where notification of the fact and circumstances of collection would prejudice the purpose of collection, for example, then it may be reasonable for no steps to be taken.
Collector’s identity and an individual’s rights
23.113 As noted above, only the NPPs contain obligations relating to notification of: a collector’s identity; an individual’s rights relating to access; and the main consequences of not providing the information.
Submissions and consultations
23.114 In IP 31, the ALRC asked whether these notification obligations should be extended to agencies.[134] In response to IP 31, a majority of stakeholders supported such an amendment to bring the notification requirements of agencies in line with those that currently apply to organisations.[135]
23.115 One stakeholder suggested that such a provision has become necessary because it is now more difficult for individuals to know which government agency they are dealing with, given the ‘increasing use of campaign names and brands by the public sector and with ever-changing administrative arrangements and “portfolios”’.[136]
23.116 A small number of stakeholders, however, opposed this approach.[137] One stakeholder argued that it would place an unreasonable impediment on law enforcement agencies.[138]
23.117 In DP 72, the ALRC proposed that where an agency or organisation collects personal information about an individual either directly from the individual or from someone other than the individual, it should be required to take reasonable steps to ensure that the individual is aware of: the identity and contact details of the agency or organisation; the fact that the individual is able to gain access to the information; and the main consequences of not providing the information.[139]
23.118 The Cyberspace Law and Policy Centre supported the inclusion of all of these matters. It also suggested that the ‘Notification’ principle should require that the contact details provided are to be ‘functional’.[140]
23.119 A number of stakeholders expressed the view that the notification requirement relating to access also should refer specifically to the ability of an individual to seek correction of his or her personal information.[141]
ALRC’s view
23.120 Agencies should be subject to the same notification requirements that apply to organisations. There are compelling policy reasons, essentially based on fairness, to justify the imposition of an obligation on agencies and organisations to notify the individuals from whom they collect personal information of their identity and contact details. It is implicit that the contact details to be provided should be functional. In other words, individuals should know whom to contact in order to exercise any rights that they may have relating to their personal information, and the means by which contact can be made.
23.121 It is important and fair for individuals also to be informed of their rights of access to, and correction of, personal information, as provided for in the UPPs.[142] The provision of such information promotes accountability and transparency. Informing individuals of their rights relating to access and correction arguably increases the likelihood that individuals will exercise those rights in order to check the accuracy of their personal information. Such notification, therefore, may assist agencies and organisations in complying with their obligations to ensure that the personal information they collect is accurate, complete, up-to-date and relevant under the ‘Data Quality’ principle.[143]
23.122 Individuals also should be informed of the main consequences of not providing personal information, regardless of whether the entity seeking the information is an agency or organisation. For example, it would be important for an individual to be informed that the failure to provide an agency with personal information will result in the withholding of a service or benefit.
Purposes for which information is collected
23.123 As noted above, both the IPPs and NPPs require agencies and organisations to ensure that an individual generally is aware of the purposes for which the information is collected.
23.124 The OPC’s guidance on the relevant obligation in the IPPs provides that:
The Privacy Commissioner usually interprets the purpose of collection narrowly. For example, the Privacy Commissioner normally does not accept the view that an agency collects personal information just to administer an agency or a set of laws. The purpose of collection should be more specific than this and it should relate to the current reason for collecting the information … [144]
Normally the purpose of collection depends on the reason the agency is collecting the personal information at the time it collects the information. However, sometimes the agency knows the information will be used for other purposes. If so, the agency should normally tell the person about the other uses when it collects the information.[145]
23.125 The OPC’s guidance on the equivalent obligation in the NPPs states that:
An organisation could keep the description of the purposes reasonably general as long as the description is adequate to ensure that the individual is aware of what the organisation is going to do with information about them. The organisation does not have to describe internal purposes that form part of normal business practices, such as auditing, business planning or billing.[146]
Submissions and consultations
23.126 In DP 72, the ALRC proposed the retention of a requirement relating to notification of the purposes of collection of personal information by agencies and organisations, whether the collection is directly from the individual concerned, or from someone other than the individual.[147]
23.127 Two agencies submitted that the proposal concerning the specification of purpose was problematic.[148] Medicare Australia stated:
There is a challenge with expressing ‘purposes’ of collection in privacy notes for agencies like Medicare Australia. The information is often collected to administer one particular program, but that same information is also relevant to other programs which the individual is participating in (either at that time or as new government programs or incentives are added). To reduce the burden on both the individual and the agency, the notification requirement needs to encompass that the information may be used for related purposes, which would remove the necessity of repeatedly having to collect the same information or seek new consent for use, especially where we believe the individual would expect us to use their information to update the relevant parts of programs they are participating in.[149]
23.128 The ATO stated:
In some circumstances the [ATO] collects information initially for the purpose of making an assessment or amended assessment but after analysis of the information the purpose changes and prosecution or other civil action is initiated … Proposal 20–2 does not appear to address this situation of subsequent change of purpose.[150]
ALRC’s view
23.129 Agencies and organisations should continue to be obliged to notify or otherwise ensure that the individuals from whom they collect personal information are aware of the purposes for which the information is collected. There is no policy reason to amend or remove this requirement.
23.130 The concerns expressed by agencies about complying with this requirement appear to be addressed by OPC guidance. To the extent that agencies and organisations know at the time of collection that they intend to use the personal information for purposes related to the purpose of collection, those related purposes also should be the subject of notification. This would not extend, however, to a situation, such as that described by the ATO, where an agency collects personal information for a purpose unrelated to law enforcement but subsequently forms the intent to use the information for a purpose related to law enforcement. Such use would, however, be authorised under the ‘Use and Disclosure’ principle in the model UPPs.[151]
Entities to which information usually disclosed
23.131 As noted above, the obligations imposed on agencies and organisations respectively to ensure individuals are aware of the entities to which they usually disclose personal information of the kind collected, are different in scope.
23.132 Specifically, NPP 1.3 requires an organisation to ensure that an individual is aware only of the ‘organisations’ to which it usually discloses information of that kind. ‘Organisation’, however, has a restricted meaning for the purposes of the Privacy Act, excluding, for example, political parties and state or territory agencies. The OPC recommended in 2005 that the Australian Government consider amending NPP 1.3(d) to extend its coverage to disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.[152] The OPC stated that a narrow interpretation of this requirement seems inconsistent with the policy intent of the legislation, given that the Explanatory Memorandum envisaged disclosure to state government licensing authorities, which do not fall within the definition of ‘organisation’.[153]
23.133 The OPC’s guidance on the relevant obligation in the NPPs provides that:
‘Reasonable steps’ to inform an individual about the disclosures an organisation usually makes would ordinarily mean either giving general descriptions of sets of people and organisations (for example, ‘State Government licensing authorities’, ‘health insurers’ and ‘list renters’) or to list each member of the set.
An organisation does not need to mention disclosures that the NPPs permit, but in practice happen only rarely. For example, it does not need to mention disclosures under warrant or to intelligence agencies.[154]
23.134 The OPC’s guidance on the equivalent obligation in the IPPs provides that:
Information is usually given to another party by an agency if the agency has a regular arrangement to give information to that party … [155]
If possible, an agency should name each individual person or body to which it usually gives personal information. But if an agency can give information to a large number of third parties, naming all of them could make the notice given to a person too long or unclear to be of help …
Suggestions
Agencies should generally name all federal organisations which they usually give personal information to.
Generally, agencies should name other parties which they usually give personal information to. However, if an agency usually gives personal information to a group of organisations that do similar jobs (for example, State police forces), the agency can name the group rather than listing its individual members …
If it is impractical to put the names of all the third parties that the agency gives information to on the form, the agency could give a leaflet with the form containing the IPP 2 notice.[156]
Submissions and consultations
23.135 In response to IP 31, one stakeholder supported expanding the obligation on organisations to ensure that individuals are aware of the disclosures made by organisations generally.[157] Another stakeholder suggested that, while agencies and organisations should be permitted to give generic descriptions of the entities to which they usually disclose personal information, they also should be required ‘to answer any specific inquiries about whether a particular named agency or organisation is a recipient’.[158]
23.136 In DP 72, the ALRC proposed that, where agencies and organisations collect personal information from an individual either directly or from someone other than the individual, they should take reasonable steps to ensure that the individual is aware of the ‘types of people, organisations, agencies or other entities to whom the agency or organisation usually discloses personal information’.[159]
23.137 Some stakeholders expressed concern that the obligation did not go ‘far enough’ because it required notification only of ‘types’ of entities to which the information is ‘usually’ disclosed.[160] For example, one stakeholder stated:
This appears to readily allow various components of ‘personal information’ to be disclosed to another entity without notification because it is not ‘usual’ to disclose everyone’s personal information to that particular entity.[161]
23.138 PIAC stated:
While PIAC accepts that it would be impossible to identify every specific agency or entity to whom information may be released, a notification that it will be released to generic categories such as ‘solicitors’ or ‘accountants’ is likely to be of very limited use to an individual who is trying to decide whether or not to provide his or her personal information in the first place. In PIAC’s view … data collectors should have to answer specific questions from the individual about the identity of actual recipients.[162]
23.139 Medicare Australia questioned the distinction between the current requirement on agencies to provide details of bodies or agencies in respect of which it is their usual practice to disclose personal information of the kind collected, and the proposed requirement which requires details of ‘types’ of bodies.[163]
23.140 Another stakeholder noted that the organisations to which personal information is usually disclosed are stated in a Privacy Policy. It expressed the view that to require a description of disclosures, specifically tailored to each collection of personal information, would be onerous and expensive.[164]
23.141 The ALRC also proposed that the OPC ‘should provide guidance to assist agencies and organisations in ensuring that individuals are properly informed of the persons to whom their personal information is likely to be disclosed’.[165] This proposal was generally supported.[166] PIAC, while agreeing that guidance in this area is needed, expressed a preference for that guidance to be included in the Privacy Act, regulations or binding codes.[167] Another stakeholder expressed concern that guidance may require organisations to be more specific in the descriptions that they are to give.[168]
ALRC’s view
23.142 Agencies and organisations should be required to notify, or otherwise ensure that individuals are aware of, the actual agencies, organisations, entities or other persons (or the types of them) to which agencies and organisations usually disclose personal information of the kind collected.
23.143 Agencies and organisations are currently subject to requirements to inform individuals of the actual entities to which they disclose personal information. The OPC’s interpretation of this obligation as it applies to agencies and organisations, however, allows expressly for generic descriptions to be given in certain circumstances. NPP 1.3(d) also allows generic descriptions to be given. Framing the obligation in the manner recommended by the ALRC below more closely resembles the current position than that proposed in DP 72, and is therefore less likely to cause confusion in its application.
23.144 There are sound policy reasons for clarifying that the obligations of an organisation concerning notification of usual disclosures extend beyond disclosures to organisations. The obligations also encompass disclosures to agencies, state and territory bodies, individuals and other entities. First, this appears to reflect better the original intention of the provision. Secondly, it is unhelpful and unfair to individuals whose personal information is collected by organisations to be informed only of usual disclosures to other organisations. Presenting individuals with a complete picture of usual disclosures, as they are currently entitled to receive in relation to the collection of their personal information by agencies, allows them to make more informed decisions about withholding, or otherwise taking steps to protect, their personal information.
23.145 The specificity of the information required to comply with this requirement will depend on the circumstances. There is a need to strike a balance between providing useful and digestible information to an individual and ensuring that the costs and compliance burden in meeting the obligation are not unduly onerous.
23.146 The OPC should develop and publish guidance to assist agencies and organisations in complying with the ‘Notification’ principle. In particular, this guidance should address the appropriate level of specificity when notifying individuals about the entities to which personal information of the kind is usually disclosed.
Notification of avenues of complaint
23.147 Neither the IPPs nor NPPs require an agency or organisation to notify an individual, at the time of collection of personal information, of the avenues of complaint available to the individual if he or she has a privacy complaint. The OPC Review recommended that the Australian Government consider amending the relevant obligation in the NPPs, in order to impose such an obligation on organisations.[169]
Submissions and consultations
23.148 In response to IP 31, stakeholders expressed strong support for requiring agencies and organisations to make individuals aware of the avenues of complaint available when personal information is collected.[170] In supporting such reform, the Australian Privacy Foundation stated that the principle should require notification of ‘both internal and external dispute resolution options’.[171]
23.149 In DP 72, the ALRC proposed that, where agencies and organisations collect personal information from an individual, either directly or from someone other than the individual, they should take reasonable steps to ensure that the individual is aware of avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information.[172]
23.150 The Office of the Victorian Privacy Commissioner expressed strong support for this proposal.[173] A number of stakeholders, however, expressed concerns about the level of detail in the ‘Notification’ principle and, in particular, the duplication of requirements in the proposed ‘Notification’ and ‘Openness’ principles.[174] They suggested that complaint management was relevant to general processes, and should be dealt with only in the ‘Openness’ principle.[175]
23.151 The ABA opposed such an approach, on the basis that banks already provide complaint handling and dispute resolution information under the Corporations Act, the Code of Banking Practice,[176] and the Electronic Funds Transfer Code of Conduct.[177] It stated that:
If the proposed specific notification principle proceeds, then the compliance note at the end of the proposed principle should make reference to existing notification requirements under another law or code that reflect best practice and should be treated as capable of meeting the proposed requirement.
This approach would also facilitate layered short form privacy information statements that supplement other information statements that banks are required to make under other laws.[178]
ALRC’s view
23.152 There should not be unnecessary overlap between the requirements in the ‘Notification’ and ‘Openness’ principles. Duplicating requirements wastes resources and is likely to increase compliance costs—for example, increasing costs associated with publishing material in privacy notices and Privacy Policies. To the extent that information to be provided to individuals relates to an agency’s or organisation’s general processes for the handling of personal information, that information should be located in a Privacy Policy, pursuant to the requirements of the ‘Openness’ principle. This also will reduce any unnecessary detail in privacy notices, making such notices more meaningful for individuals whose personal information is collected.
23.153 It is important that, at or about the time that personal information is collected, persons are notified, or otherwise made aware, of the fact that there are avenues of complaint available to them, in the event that they have a privacy complaint. The provision of such information promotes accountability and transparency. It also assists in creating a regulatory environment in which individuals are aware that they may take steps to protect their personal information. The benefits attached to the provision of such information are therefore analogous to those relating to informing individuals about their rights of access to, and correction of, personal information.
23.154 It is unnecessary, however, for an individual to be provided with notification at the time of the collection of his or her personal information about the actual avenues of complaint available. This type of information is situated more appropriately in the Privacy Policy of an agency or organisation. The ALRC recommends, therefore, that at or about the time of collecting personal information, an agency or organisation should notify, or otherwise ensure that individuals are aware of, the fact that the avenues of complaint available to the individual are set out in the agency’s or organisation’s Privacy Policy.[179]
Information required or authorised by or under law
23.155 Agencies are currently required, where applicable, to ensure that individuals are aware of the fact that a collection of information is authorised or required by or under law.[180] The OPC’s guidance on this obligation provides that:
An IPP 2 notice should refer to each provision of legislation which:
requires an agency to collect the personal information; or
specifically authorises an agency to collect the information.
If legislation does not refer to a specific power, but only gives the agency a general function which includes collecting personal information, the IPP 2 notice should still refer to the legislation.[181]
23.156 Organisations are currently required to ensure that individuals are aware of ‘any law that requires the particular information to be collected’.[182] The OPC’s guidance on this obligation provides that:
In describing the law the organisation need not specify the exact piece of legislation (although it would be desirable to do so where possible). A statement like ‘taxation law requires us to collect this’ would ordinarily be adequate.[183]
23.157 Stakeholders did not express concerns about the application of these requirements to agencies or organisations.
ALRC’s view
23.158 An obligation relating to notification of personal information required or authorised by or under law should be retained and standardised for agencies and organisations. Standardising the obligation is consistent with creating a single set of privacy principles.[184]
23.159 The obligation imposed on agencies in the IPPs, on its face, is less onerous than the equivalent obligation imposed on organisations by the NPPs. The OPC’s guidance, however, takes a stricter approach in the interpretation of the obligation as it applies to agencies.
23.160 The obligation is of particular relevance to the many agencies that have coercive information-gathering powers.[185] In recognition of this fact, from a practical perspective, it is appropriate to use the current IPP as the template for drafting this particular obligation.[186] Agencies and organisations, therefore, should be required, where applicable, to notify, or otherwise ensure that an individual is aware of, the fact that the collection is required or authorised by or under law.
23.161 The OPC should develop and publish guidance to assist agencies and organisations in complying with the ‘Notification’ principle. This guidance should address, in particular, what is required of organisations in light of the recommended rewording of the obligation as it applies to them.
Source of information
23.162 Neither the NPPs nor the IPPs impose a requirement that an individual be notified of the source of personal information, where that information was provided by a third party.
23.163 There is some precedent for this requirement in other jurisdictions. For example, German law provides that a data subject should be provided with information about stored data concerning him or her, including any reference to the origin of the data.[187]
Submissions and consultations
23.164 In IP 31, the ALRC sought views about whether agencies and organisations should be obliged to inform individuals of the source of their personal information, where it is not collected directly from the individual.[188]
23.165 In response to IP 31, some stakeholders supported the imposition of such a requirement.[189] Others expressed reservations about such an approach. Stakeholders stated that, in some circumstances, it is necessary to protect the identity of the source.[190] They noted that revealing the source could place an individual at risk of domestic violence,[191] or otherwise present a serious threat to life or health.[192]
23.166 UNITED Medical Protection Ltd submitted that such a notification requirement is unnecessary because it ‘will either occur as a matter of necessity or be obvious on its face’.[193]
23.167 In DP 72, the ALRC proposed that, where agencies and organisations collect personal information from someone other than the individual, they should take reasonable steps, on the request of the individual, to ensure that the individual is aware of the source of the information.[194]
23.168 Some stakeholders expressed strong opposition to the proposal. Organisations expressed the view that such a requirement would be unreasonable, impractical, highly onerous, unnecessary for data integrity purposes, and, in some circumstances, likely to interfere with the privacy of other individuals. They also said that it would impose excessive compliance costs while rendering marginal privacy protection to individuals.[195] Telstra, for example, noted that, in many cases, organisations would be unable to identify the source of the information but would have to ‘expend significant time, cost and effort to endeavour to do so’.[196]
23.169 The ABA stated that such a requirement would duplicate disclosure to individuals made by the third parties that collected the personal information in the first place. Those third parties have obligations to ensure that an individual is aware of the entities to which the personal information is usually disclosed. The ABA stated:
It seems an unnecessary compliance burden and cost to organisations that collect information from such third parties to in effect repeat the exercise upon request of the individual.[197]
23.170 The ABA also noted that systems would need to be put in place, regardless of whether the information about source was requested by an individual.
The organisation must record the source of the information in all cases and secondly provide a telephone or other communication facility for the individual to make the request for the source of the information and for the organisation to comply with that request.
This procedure would become even more complicated if the recipient organisation were required to provide details of the source of the information on request indefinitely.[198]
23.171 Agencies expressed concern about requiring such an obligation in the context of intelligence gathering, investigations and law enforcement. In particular, it was stated that such a requirement could: alert individuals that they are under investigation;[199] place witnesses at risk;[200] and breach the confidence between an agency and a source who provided a confidential ‘tip-off’.[201] Similar concerns were expressed about the application of such a requirement in the context of insurance fraud investigations.[202]
23.172 Others stated that, in some circumstances, disclosing the source of personal information would not be appropriate.[203] This would include circumstances where the requirement would interfere with the privacy of the individual who provided the information;[204] adversely affect the privacy of any other individual;[205] or pose a serious threat to the life or health of any individual.[206]
23.173 IFSA, for example, agreed with the proposal in principle, but stated that further consideration needs to be given to situations where information is collected on relatives, which is relevant to the assessment of insurance cover or the payment of superannuation death benefits to beneficiaries from insurance applicants and superannuation account holders. IFSA stated that:
Life insurance and superannuation customers may not want family members or dependants to know that they are applying for insurance cover or nominating them as a beneficiary.
Any requirement on companies to notify individuals that details have been supplied would impede the customer’s right to their own privacy, particularly where the collection of information was incidental to the product or service offered.[207]
23.174 Agencies also expressed general concerns about the administrative burden and ‘prohibitive’ cost that would be imposed by all the requirements relating to notification in circumstances where an agency collects personal information from someone other than the individual, including the requirement relating to source.[208]
23.175 Some concern also was expressed about the scope of the requirement. The Law Council of Australia submitted that it should be made clear that ‘source’ in this context referred to the entity from which the agency or organisation collected the information, rather than the ultimate source of the information.[209]
23.176 Some stakeholders supported this proposal unconditionally.[210] Privacy advocates supported the proposal but submitted that it should be made clear that the identity of the source of the information should be provided on request.[211]
ALRC’s view
23.177 Imposing a general requirement on agencies and organisations to inform individuals, on request, of the source of personal information is potentially unworkable, costly and impractical. Such a requirement cannot be justified on a cost and benefit basis. Even if the requirement were limited to providing information on request, the reality is that agencies and organisations would have to set up systems to record the source of information in each case of indirect collection in order to comply with any such request. The sheer volume of transactions that agencies and organisations enter into every year, involving the indirect collection of personal information, would render the imposition of such a requirement excessive and burdensome.
23.178 Increasing the compliance burden could be justified, however, if it were likely to be outweighed by the benefits to be conferred on individuals by way of increased privacy protection. Arguably, informing individuals about the source of their personal information increases the control that they have over their personal information, and the likelihood that they will seek access to, and correct, it if necessary. This would promote the quality of personal information kept by agencies and organisations.
23.179 Other protections recommended by the ALRC, however, address the issue of data quality. In particular, under the ‘Notification’ principle, agencies and organisations have an obligation to notify or otherwise ensure that individuals are aware of: the fact of collection; and rights of access to, and correction of, personal information. Provision of this information, in itself, is likely to be sufficient to enable an individual to take steps to ensure the quality of personal information that has been collected from another source. Further, agencies and organisations are under an obligation to take reasonable steps to ensure that the personal information they collect—including from persons other than the individual concerned—is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant.[212] Knowledge of the source of the information is therefore not essential to protect data quality.
23.180 Other recommendations made by the ALRC also would increase the level of control that an individual has over his or her personal information. As noted above, the ALRC has recommended that agencies and organisations should be required to notify individuals about usual disclosures to entities of personal information of the kind collected. Because one agency’s or organisation’s disclosure of personal information equates to another entity’s collection of personal information, this requirement increases the likelihood that individuals also will be alerted to the potential sources of collection of their personal information.
23.181 While imposing a general requirement on agencies and organisations to notify individuals about the source of the information on request is, on balance, untenable, there is merit in imposing such a requirement in the direct marketing context. As discussed in Chapter 26, individuals who received unsolicited direct marketing communications were concerned about how the organisations in question obtained their details. The ALRC recommends that an organisation that direct markets to non-existing customers or to persons under the age of 15 must, if requested by the individual, and it is reasonable and practicable to do so, advise the individual of the source from which it acquired the individual’s personal information.[213]
23.182 In light of the above-mentioned recommendations, in the ALRC’s view, the imposition of a general requirement to notify individuals of the source of personal information, upon request, is unlikely to deliver any meaningful additional privacy protection to individuals.
Recommendation 23-2 The ‘Notification’ principle should provide that, at or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify or otherwise ensure that the individual is aware of the:
(a) fact and circumstances of collection where the individual may not be aware that his or her personal information has been collected;
(b) identity and contact details of the agency or organisation;
(c) rights of access to, and correction of, personal information provided by these principles;
(d) purposes for which the information has been collected;
(e) main consequences of not providing the information;
(f) actual, or types of, agencies, organisations, entities or persons to whom the agency or organisation usually discloses personal information of the kind collected;
(g) fact that the avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information are set out in the agency’s or organisation’s Privacy Policy; and
(h) fact, where applicable, that the collection is required or authorised by or under law.
Recommendation 23-3 The Office of the Privacy Commissioner should develop and publish guidance to assist agencies and organisations in complying with the ‘Notification’ principle. In particular, the guidance should address:
(a) the circumstances when it would and would not be reasonable for an agency or organisation to take no steps to notify individuals about the matters specified in the ‘Notification’ principle. In this regard, the guidance should address the circumstances when:
(i) notification would prejudice the purpose of collection, for example, where it would prejudice:
– the prevention, detection, investigation, and prosecution of offences, breaches of law imposing a penalty or seriously improper conduct;
– the enforcement of laws; or
– the protection of the public revenue;
(ii) the collection of personal information is required or authorised by or under law for statistical or research purposes;
(iii) the personal information is collected from an individual on repeated occasions;
(iv) an individual has been made aware of the relevant matters by the agency or organisation which disclosed the information to the collecting agency or organisation;
(v) non-compliance with the principle is authorised by the individual concerned;
(vi) the taking of no steps is required or authorised by or under law;
(vii) notification would pose a serious threat to the life or health of any individual; and
(viii) health services collect family, social or medical histories;
(b) the appropriate level of specificity when notifying individuals about anticipated disclosures to agencies, organisations, entities and persons; and
(c) the circumstances in which an agency or organisation can comply with specific limbs of the ‘Notification’ principle by alerting an individual to specific sections of its Privacy Policy or to other general documents.
[116] See, eg, Roy Morgan Research, Community Attitudes Towards Privacy 2004 [prepared for Office of the Privacy Commissioner] (2004), 39.
[117] F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341, 341.
[118] See Privacy Act 1988 (Cth) s 14, IPP 2 which refers to ‘any person to whom, or any body or agency to which’ it is the agency’s usual practice to disclose personal information.
[119] See Privacy Act 1993 (NZ) s 6, Principle 3(1)(d), (f), (g).
[120] The impact of developing technology on privacy is discussed in Part B.
[121] Victorian Society for Computers and the Law Inc, Submission PR 137, 22 January 2007.
[122] Ibid.
[123] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(a), 20–5(a)(i).
[124] See, eg, Optus, Submission PR 532, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Carers Australia, Submission PR 423, 7 December 2007.
[125] Confidential, Submission PR 536, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.
[126] Medicare Australia, Submission PR 534, 21 December 2007. Another stakeholder expressed the view that the notification requirements should apply only where ‘personal information is clearly sourced via unsolicited means and the person is unaware of the collection of their information’ as opposed to circumstances involving ‘a relationship formed through solicited means’: Australian Unity Group, Submission PR 381, 6 December 2007.
[127] Australian Government Centrelink, Submission PR 555, 21 December 2007. Another stakeholder expressed the view that in the direct collection context there should be no requirement to state that the information was collected from the individual: Law Council of Australia, Submission PR 527, 21 December 2007.
[128] Confidential, Submission PR 536, 21 December 2007.
[129] Australian Taxation Office, Submission PR 515, 21 December 2007.
[130] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
[131] See, eg, Confidential, Submission PR 488, 19 December 2007.
[132] See, eg, Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.
[133] F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341, 370.
[134] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–3.
[135] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007.
[136] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.
[137] Australian Federal Police, Submission PR 186, 9 February 2007; Confidential, Submission PR 165, 1 February 2007; Australian Government Department of Families, Community Services and Indigenous Affairs, Submission PR 162, 31 January 2007.
[138] Confidential, Submission PR 165, 1 February 2007.
[139] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(b), (c), (e); 20–5(a)(i).
[140] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[141] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[142] The mechanics of exercising rights of access to, and correction of, personal information, however, should be addressed in an agency’s or organisation’s Privacy Policy: see Ch 24.
[143] The ‘Data Quality’ principle is discussed in Ch 27.
[144] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 6.
[145] Ibid, 16.
[146] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 30.
[147] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(d); 20–5(a)(i).
[148] Medicare Australia, Submission PR 534, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.
[149] Medicare Australia, Submission PR 534, 21 December 2007.
[150] Australian Taxation Office, Submission PR 515, 21 December 2007.
[151] See Ch 25.
[152] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 74. Note, however, that the definition of ‘organisation’ extends to individuals.
[153] See ibid, 259; Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [3.34].
[154] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 30.
[155] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 18.
[156] Ibid, 19.
[157] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.
[158] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.
[159] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(f), 20–5(a)(i).
[160] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; I Graham, Submission PR 427, 9 December 2007.
[161] I Graham, Submission PR 427, 9 December 2007.
[162] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. Another stakeholder expressed a similar view about answering specific inquiries: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[163] Medicare Australia, Submission PR 534, 21 December 2007.
[164] Confidential, Submission PR 536, 21 December 2007.
[165] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 20–3.
[166] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Federal Police, Submission PR 545, 24 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[167] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[168] Confidential, Submission PR 536, 21 December 2007.
[169] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 41.
[170] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; NSW Disability Discrimination Legal Centre (Inc), Submission PR 105, 16 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007.
[171] Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[172] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 20–2(g), 20–5(a)(i).
[173] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. It was also expressly supported by privacy advocates: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[174] Confidential, Submission PR 570, 13 February 2008; Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007.
[175] Confidential, Submission PR 570, 13 February 2008; Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007. Another stakeholder expressed the similar view that some of the detail in the proposed ‘Notification’ principle could be covered by the ‘Openness’ principle: Australian Government Centrelink, Submission PR 555, 21 December 2007.
[176] Australian Bankers’ Association, Code of Banking Practice (1993).
[177] Australian Securities and Investments Commission, Electronic Funds Transfer Code of Conduct [amended March 2002] (2001).
[178] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008. These concerns are addressed in Ch 24.
[179] This is discussed further in Ch 24.
[180] Privacy Act 1988 (Cth) s 14, IPP 2(d).
[181] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 17.
[182] Privacy Act 1988 (Cth) sch 3, NPP 1.3(e).
[183] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 31.
[184] See Ch 18.
[185] See Australian Law Reform Commission, Privilege in Perspective, ALRC 107 (2008), ch 4 for an overview of federal bodies with coercive information-gathering powers.
[186] As discussed in Ch 18, as a general proposition, the NPPs are to be preferred as a template for the drafting of the UPPs.
[187] See Federal Data Protection Act 1990 (Germany) ss 19(1), 34(1).
[188] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [4.59].
[189] See Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; NSW Disability Discrimination Legal Centre (Inc), Submission PR 105, 16 January 2007; W Caelli, Submission PR 99, 15 January 2007.
[190] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[191] Institute of Mercantile Agents, Submission PR 101, 15 January 2007.
[192] National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[193] UNITED Medical Protection, Submission PR 118, 15 January 2007.
[194] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 20–5(a)(ii).
[195] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Confidential, Submission PR 536, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[196] Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[197] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
[198] Ibid.
[199] Confidential, Submission PR 448, 11 December 2007.
[200] Confidential, Submission PR 488, 19 December 2007.
[201] Australian Government Centrelink, Submission PR 555, 21 December 2007.
[202] Investment and Financial Services Association, Submission PR 538, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.
[203] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.
[204] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[205] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.
[206] One stakeholder submitted that such situations should be the subject of an exception to the requirement: National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.
[207] Investment and Financial Services Association, Submission PR 538, 21 December 2007.
[208] See, eg, Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Department of Families, Housing, Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007.
[209] Law Council of Australia, Submission PR 527, 21 December 2007.
[210] Optus, Submission PR 532, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Carers Australia, Submission PR 423, 7 December 2007. The Australian Direct Marketing Association stated that it ‘did not disagree’ with the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.
[211] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[212] The ‘Data Quality’ principle is discussed in Ch 27.
[213] See Ch 26.