16.08.2010
Background
44.3 ADR has been described as dispute resolution processes, other than judicial determination, in which an impartial person helps those involved in a dispute to resolve their issues.[2] ADR occurs in a broad range of settings, including services provided by
a sole practitioner, a partnership, a for profit organisation, a not for profit organisation, as an ancillary role in an organisation whose main business is something else (including government agencies, private companies, courts and tribunals) or by an organisation established for that specific purpose under an industry scheme.[3]
44.4 The Privacy Act does not include an exemption or exception for ADR bodies or processes. ADR providers that fall within the definition of agency or organisation in the Privacy Act must operate in accordance with the Information Privacy Principles (IPPs) or National Privacy Principles (NPPs), respectively. Agencies and organisations that take part in ADR also must comply with privacy laws during the dispute resolution process.[4]
44.5 In DP 72 the ALRC asked whether the Privacy Act or other relevant legislation should be amended to provide exemptions or exceptions applicable to the operation of ADR schemes. Specifically, the ALRC sought views on whether the proposed:
‘Specific Notification’ principle should exempt or except ADR bodies from the requirement to inform an individual about the fact of collection of personal information, including unsolicited personal information, where to do so would prejudice an obligation of privacy owed to a party to the dispute, or could cause safety concerns for another individual;
‘Use and Disclosure’ principle should authorise the disclosure of personal and sensitive information to ADR bodies for the purpose of dispute resolution; and
‘Sensitive Information’ principle should authorise the collection of sensitive information without consent by an ADR body where necessary for the purpose of dispute resolution.[5]
Submissions and consultations
44.6 Stakeholders that commented on this question almost universally supported an amendment to the Privacy Act to provide exemptions or exceptions for ADR schemes.[6] The National Alternative Dispute Resolution Advisory Council (NADRAC), for example, commented that:
ADR processes largely rely on the good faith of the parties to the dispute and the truthfulness of their statements … ADR processes are aimed at getting each party to outline the full context of the dispute from their perspectives with a view to identifying the underlying interests of each party … In the course of ‘telling their story’ many parties will include information that seems to them to be important and which may help to indicate how they came to their position but which would be deemed irrelevant in legal proceedings. The accounts will often include personal information including sensitive information about themselves and others whom the person considers to be directly or indirectly involved.[7]
44.7 The Australian Privacy Foundation supported a ‘review of the application of privacy principles in the context of dispute resolution (both internal and external) with a view to justifying selective exemptions’.[8] The Department of Broadband, Communications and the Digital Economy suggested that the ALRC consult more widely before coming to a view.[9]
44.8 The Office of the Privacy Commissioner (OPC) recognised the difficulties that some NPP obligations place on the dispute resolution process and supported exceptions from the ‘Use and Disclosure’ principle and the ‘Sensitive Information’ principle. It submitted, however, that it would not be appropriate for ADR bodies to be granted an exemption from the requirement to inform an individual about the fact of collection of personal information. It submitted that the situations where applying the principle would be problematic—where informing an individual about the fact of collection of personal information would breach an obligation of privacy owed to a party to the dispute or would cause safety concerns for another individual—were accommodated adequately in the relevant privacy principle. That is, an agency or organisation is only required to take ‘reasonable steps’, which may include ‘no steps’, to make an individual aware of personal information that has been collected about them from a third party.[10] The Cyberspace Law and Policy Centre also considered safety concerns to be addressed adequately by the exception to the ‘Specific Notification’ principle that is already available.[11]
44.9 The Mortgage and Finance Association of Australia suggested that ‘an ADR (like a court) should be able to collect and use personal information without having to comply with the NPPs (except in relation to members of the ADR)’. [12]
44.10 A number of stakeholders addressed the potential scope of an exemption or exception for ADR. The Cyberspace Law and Policy Centre suggested that the exemption should apply to the function of dispute resolution, rather than being limited to ADR bodies.[13] It noted, however, that it will ‘be necessary to impose some conditions on such a wide exemption to prevent abuses under the guise of internal dispute resolution’.[14] National Legal Aid also commented that the definition of an ADR scheme needed to be developed further, given the wide variety of schemes that potentially fall within this class.[15]
44.11 Some stakeholders linked exceptions to the Privacy Act with other legal and ethical requirements that attach to the ADR process.[16] The Recruitment and Consulting Services Association (RCSA), for example, submitted that mediators should be exempt in all circumstances where they are operating in accordance with mediation principles established under a scheme such as the LEADR Association of Dispute Resolvers (LEADR), the Institute of Arbitrators and Mediators Australia (IAMA), or schemes established by the state bar associations and law societies and institutes. The RCSA argued that the confidentiality that attaches to these schemes provided adequate protection for third parties.[17] The Office of the Victorian Privacy Commissioner submitted that:
rules concerning collection, use and disclosure of personal and/or sensitive information … would ordinarily be dealt with by the ADR practitioner’s duties of confidentiality, the consent to conciliate or mediate obtained from parties to the dispute and the confidentiality agreements entered into by parties as a condition of the ADR process.[18]
44.12 The OPC suggested that, in order to provide certainty regarding the exception, those bodies that are deemed ADR bodies for the purposes of the Privacy Act should be set out in regulations.[19]
44.13 The Australian Bankers’ Association (ABA) noted that authorising the disclosure of personal information by a bank to an ADR scheme for the purpose of dispute resolution may not overcome the bank’s duty of confidentiality. It recommended, therefore, that an entity should be protected from proceedings for contravening a duty of confidence where it has disclosed personal information in accordance with an ADR exception. It was suggested that this could be modelled on the Privacy Legislation Amendment (Emergencies and Disaster) Act 2006 (Cth).[20]
Options for reform
44.14 If adopted, the scope of an ADR exception could be clarified in a number of ways, including:
defining ADR for the purposes of the Privacy Act;
limiting the exception to specified ADR schemes or bodies; or
limiting the exception to ADR processes that meet specified standards, for example, confidentiality requirements.
Definition of ADR
44.15 The scope of an exception to the Privacy Act for ADR could be qualified by including a definition of ADR processes for the purposes of the Act. An example of federal legislation that has defined ADR processes is the Administrative Appeals Tribunal Act 1975 (Cth), which sets out a non-exhaustive list of processes that might be included within ADR:
‘alternative dispute resolution processes’ means procedures and services for the resolution of disputes, and includes
(a) conferencing;
(b) mediation;
(c) neutral evaluation;
(d) case appraisal;
(e) conciliation;
(f) procedures or services specified in the regulations;
but does not include:
(g) arbitration; or
(h) court procedures or services.
Paragraphs (b) to (f) of this definition do not limit paragraph (a) of this definition.[21]
44.16 Due to the diverse settings in which ADR operates, however, one commentator has stated that it is ‘impossible to construct a concise definition of ADR processes that is accurate in respect of the range of processes available and the context in which they operate’.[22] NADRAC has advised that it is not generally helpful to provide definitions of ADR in legislation, except where it is proposed to: list the types of ADR that are permitted in a particular context; limit the categories or qualifications of persons authorised to carry out ADR; or provide defined circumstances for certain outcomes, such as non-admissibility on court actions.[23]
Accreditation of ADR providers
44.17 Another way of qualifying an ADR exception is by restricting its application to ‘authorised’ ADR providers. For example, for a corporation to be licensed to provide financial services it must have dispute resolution systems in place, including an internal dispute resolution process and membership of an external dispute resolution scheme approved by the Australian Securities and Investments Commission (ASIC).[24] Before approving dispute resolution schemes, ASIC takes into account a number of factors, including, for example, whether the scheme: reports any systemic, persistent or deliberate misconduct to ASIC; is independent from the parties to the complaint; and has appropriate published procedures.[25]
44.18 Under recent amendments to the Family Law Act 1975 (Cth), all family dispute resolution practitioners must be accredited under the Accreditation Rules or be authorised by an organisation designated by the Attorney-General or a designated court.[26] All individuals applying for accreditation also must have access to a complaints process. Accredited practitioners are publicly listed on the Family Dispute Resolution Register.[27]
44.19 On 1 January 2008, the National Mediator Accreditation System—a voluntary accreditation system for mediators—commenced. Under the system, Recognised Mediator Accreditation Bodies accredit mediators, where they meet set training and education standards in addition to ongoing practice and competency requirements.[28] ADR providers also may be accredited through professional associations, such as the LEADR and IAMA.
Requirements of confidentiality
44.20 Confidentiality obligations are another way of limiting the scope of an ADR exception under the Privacy Act. Requirements for confidentiality often are contained in a contractual agreement entered into by the parties and the provider. For example, the LEADR Model Mediation Agreement provides:
The Parties and the Mediator will not unless required by law to do so, disclose to any person not present at the Mediation, nor use, any confidential information furnished during the Mediation unless such disclosure is to obtain professional advice or is to a person within that Party’s legitimate field of intimacy, and the person to whom the disclosure is made is advised that the confidential information is confidential.[29]
44.21 Confidentiality conditions also may be set out in legislation. The Family Law Act, for example, provides that ‘a family dispute resolution practitioner must not disclose a communication made to the practitioner while the practitioner is conducting family dispute resolution, unless the disclosure is required or authorised under [the Act]’.[30] The Evidence Act 1995 (Cth) prevents evidence from being adduced where it is connected to a settlement negotiation between persons in dispute and a third party.[31]
44.22 Confidentiality of ADR processes also may be inferred at common law.[32] This inference, however, is not self-evident. In Esso Australia Resources Ltd v Plowman (Minister for Energy and Minerals), for example, the High Court held that there was no implied term in an agreement to arbitrate preventing parties from disclosing information provided in and for the purposes of arbitration. Confidentiality only applied to documents produced compulsorily.[33] The scope of confidentiality protections also varies—for example, although the ADR provider generally will be bound by obligations of confidentiality, this often will not extend to the parties to the dispute. NADRAC has noted that
in the absence of any overarching legislative or common law requirement [for confidentiality] … it is impossible for NADRAC to say either that confidentiality is always maintained or that information revealed in the dispute resolution process is never used for other purposes.[34]
ALRC’s view
44.23 Australian society is increasingly recognising the integral role that ADR plays in the effective, efficient and fair resolution of disputes. This is reflected by its integration both into the formal justice system—by making referral of disputes to ADR mandatory and access to legal aid and advice contingent on a requirement to try ADR—and more broadly across the community and commercial sectors. In this Inquiry, the ALRC recommends a greater role for industry-based ADR schemes in the resolution of complaints about credit reporting.[35]
44.24 The resolution of disputes through ADR is facilitated by the disclosure of all relevant information by the parties to dispute resolution bodies, including personal information about third parties. As NADRAC has noted,
in a web of social interaction, the affairs of one person will be inextricably linked to the affairs of others. Disputes between some members of a community will frequently be linked to the conduct of others, and resolution of those disputes will often rely on the sharing of information that relates to others.[36]
44.25 The Privacy Act has the potential to present significant barriers to this information exchange. Under the ‘Collection’ principle, agencies and organisations providing ADR services may be prevented from collecting sensitive personal information about third parties where it does not have that person’s consent. Similarly, under the ‘Use and Disclosure’ principle, an agency or organisation that is participating in the dispute resolution process may be prevented from disclosing personal information relating to third parties. It also may be prevented from disclosing sensitive personal information that relates to a party to the dispute if that person withholds consent. This may occur, for example, where the information could undermine that party’s position.
44.26 The ALRC recommends, therefore, that agencies and organisations be permitted to use and disclose personal information under the ‘Use and Disclosure’ principle; and to collect sensitive information under the ‘Collection’ principle, where the collection, use or disclosure is necessary for the purpose of an ADR process.
44.27 Another concern is the need to make individuals aware of certain information upon collection of personal information about them. In some situations, it may be impracticable for an agency or organisation that is providing ADR services to notify third parties that personal information about them has been collected during a dispute resolution process. This may be the case, for example, where it would breach an obligation of confidentiality owed to a party to the dispute or would cause safety concerns for another individual. The ALRC is recommending a broader change to the ‘Notification’ principle to make clear that ‘reasonable steps’ to make an individual aware that personal information about him or her has been collected from a third party may include taking no steps.[37] This change will accommodate sufficiently the concerns of agencies and organisations providing ADR services.
44.28 One objection that could be raised about the ALRC’s recommendation that the ‘Collection’ principle and the ‘Use and Disclosure’ principle should include specific exceptions for the purpose of ADR is the potential for similar issues to arise in other contexts. For example, an agency or organisation that provides a counselling service or is involved in complaint handling also may need to collect sensitive personal information about third parties. The ALRC did not receive any submissions raising these concerns, however, and has not had an opportunity to consult on the potential ramifications of any such additional exceptions. While this may be an issue that can be explored further when the recommendations are considered, the ALRC has not made a recommendation to expand the ADR exceptions to other contexts.
Limiting the scope of the principle
44.29 As noted above, without further qualification, ADR potentially could include an extremely broad range of situations. Depending on the other information-handling practices associated with the ADR process, this has the potential to result in misuse of the information used or disclosed in accordance with the exceptions. This is a particular concern where the individual or body providing the ADR service falls outside the definition of ‘organisation’ or ‘agency’, and therefore is not required to comply with the Act.[38] Individual participants also are outside the requirements of the Privacy Act.
44.30 The ALRC considers confidentiality requirements to be the most appropriate way of containing personal information shared through the recommended ADR exceptions. That is, provided that the parties to the dispute and the ADR provider are bound by relevant confidentiality obligations—whether these be through contractual agreements or legislative provisions—any personal information that is collected, used or disclosed for the purpose of dispute resolution will remain limited to that domain unless there is express consent of the parties or another relevant exception applies. For example, an agency or organisation that has provided ADR services may be required to disclose personal information where it is connected to suspected child abuse. It also may be appropriate to extend confidentiality obligations to prevent the disclosure of personal information about a third party without the consent of that person.
44.31 The ALRC recommends that the exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle extend only to ‘confidential’ dispute resolution processes. What constitutes confidentiality requirements in particular ADR settings should be articulated in the OPC’s guidance on information handling in the context of ADR. The OPC should consult with NADRAC when formulating this guidance.
44.32 Agencies and organisations that engage in dispute resolution processes also may be required to comply with the other components of the Privacy Act. This will provide additional protection for personal information collected, used and disclosed in an ADR process. For example, where personal information—either relating to a party to the dispute or to a third party—is disclosed for the purpose of the dispute resolution process, the ‘Use and Disclosure’ principle prevents this information from being used or disclosed for any other purpose. When the information is no longer relevant for the purpose of dispute resolution, the ‘Data Security’ principle requires that it must be destroyed or rendered non-identifiable.[39]
44.33 Provided the confidentiality safeguards are in place, it is unnecessary to stipulate an additional requirement that agencies or organisations providing ADR must be ‘authorised’. The practical application of such a requirement would give rise to a number of problems. Those accreditation systems that are presently operating only cover a specific ADR process (such as mediation) or a particular context (such as financial services disputes). Limiting the exceptions to those agencies or organisations that fall within one of these schemes would artificially fragment the application of the exceptions. The alternative accreditation option—that is, introducing a new accreditation system for the purpose of the Privacy Act—would involve a heavy administrative burden. It is also unclear what the criteria should be for such accreditation, and who should be responsible for the administration of the accreditation system.
44.34 Finally, by its very nature, ADR is dynamic and diverse. Provided the confidentiality safeguards outlined above are in place, this diversity should be accommodated. This is best managed by applying the exception to the broad ambit of ADR processes.
Recommendation 44-1 The Privacy Act should be amended to provide an exception to the:
(a) ‘Collection’ principle to authorise the collection of sensitive information, and
(b) ‘Use and Disclosure’ principle to authorise the use and disclosure of personal information,
where the collection, use or disclosure by an agency or organisation is necessary for the purpose of a confidential alternative dispute resolution process.
Recommendation 44-2 The Office of the Privacy Commissioner, in consultation with the National Alternative Dispute Resolution Advisory Council, should develop and publish guidance on what constitutes a confidential alternative dispute resolution process for the purposes of the Privacy Act.
[2]See, National Alternative Dispute Resolution Council, What is ADR? (2007) <www.nadrac.gov.au
agd/www/Disputeresolutionhome.nsf> at 15 May 2008. The ALRC also uses the term ‘external dispute resolution’ (EDR) to refer to the resolution of complaints or disputes by an entity (other than a court, tribunal or government regulator) that is external to the organisation subject to the complaint or dispute, including by EDR schemes approved by the Australian Securities and Investments Commission: see Chs 54, 59.
[3]National Alternative Dispute Resolution Advisory Council, Submission PR 564, 23 January 2008.
[4] One minor exception to these requirements is ADR conducted by a person or persons employed by a court, which will fall within the exemption for federal courts and tribunals. This exemption is discussed in Ch 35.
[5]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 40–2.
[6]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; National Alternative Dispute Resolution Advisory Council, Submission PR 564, 23 January 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Banking and Financial Services Ombudsman Ltd, Submission PR 370, 4 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.
[7]National Alternative Dispute Resolution Advisory Council, Submission PR 564, 23 January 2008.
[8]Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[9]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.
[10]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[11]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[12]Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.
[13]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[14]Ibid.
[15]National Legal Aid, Submission PR 521, 21 December 2007.
[16]National Alternative Dispute Resolution Advisory Council, Submission PR 564, 23 January 2008; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[17]Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.
[18]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[19]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[20]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008. See Privacy Act 1988 (Cth) s 80P(3).
[21]Administrative Appeals Tribunal Act 1975 (Cth) s 3(1). This definition was inserted by the Administrative Appeals Tribunal Amendment Act 2005 (Cth), following consultation with NADRAC. A similar approach has been adopted in the Workplace Relations Act 1996 (Cth) s 698.
[22]T Sourdin, Alternative Dispute Resolution (2nd ed, 2005), 2.
[23]National Alternative Dispute Resolution Advisory Council, Legislating for Alternative Dispute Resolution: A Guide for Government Policy-Makers and Legal Drafters (2006), 29.
[24]Corporations Act 2001 (Cth) s 912A.
[25]Australian Securities and Investments Commission Act 2001 (Cth) s 21FA. ASIC has published guidelines that set out in more detail how these requirements should be met. See Australian Securities and Investments Commission, Approval of External Complaints Resolution Schemes: ASIC Policy Statement 139, 8 July 1999.
[26]Family Law Act 1975 (Cth) s 10G. Interim Accreditation Rules were implemented in the Family Law Amendment Regulations 2007 (No. 1) (Cth).
[27] Australian Government Attorney-General’s Department, Registration Process for Family Dispute Resolution Providers <www.ag.gov.au> at 14 February 2008.
[28]T Sourdin, Australian National Mediator Accreditation System: Report on Project (2007).
[29]LEADR Association of Dispute Resolvers, Mediation Agreement <www.leadr.com.au> at 11 February 2008, cl 19.
[30]Family Law Act 1975 (Cth) s 10(H). Disclosure is permitted in some circumstances, such as with consent, in order to prevent or lessen a risk of harm, or to report the commission of certain offences.
[31]Evidence Act 1995 (Cth), s 131.
[32] See, eg, AWA Ltd v George Richard Daniels (1992) 7 ACSR 463 (Comm Div).
[33]Esso Australia Resources Ltd v Plowman (Minister for Energy and Minerals) (1995) 183 CLR 10.
[34]National Alternative Dispute Resolution Advisory Council, Submission PR 564, 23 January 2008.
[35] See Ch 59.
[36]National Alternative Dispute Resolution Advisory Council, Submission PR 564, 23 January 2008.
[37] The ‘Notification’ principle is discussed in Ch 23.
[38] Many ADR providers presently fall within the small business exemption. This exemption, including a recommendation that it be removed, is discussed in Ch 39.
[39] The ‘Data Security’ principle is discussed in Ch 28.