Privacy Commissioner releases draft guidelines on Australian Privacy Principles 1 – 5 and on general matters relating to APPs.
August 25, 2013
The Privacy Commissioner has released draft chapters of the guidelines as part of the consultation process. Comments close on 20 September 2013. They can be found here.
The Guidelines (absent index) provide:
Chapter A — Introductory matters
Purpose
A.1 The Australian Information Commissioner issues these Australian Privacy Principles Guidelines (APP guidelines) under s 28(1) of the Privacy Act 1988. These guidelines are not a legislative instrument (s 28(4)).
A.2 The APP guidelines outline how the Information Commissioner interprets and applies the APPs when exercising functions and powers under the Privacy Act relating to the APPs.
Australian Privacy Principles (APPs)
A.3 The APPs are the cornerstone of the privacy protection framework in the Privacy Act. The APPs set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. They apply to most Australian and Norfolk Island Government agencies and some private sector organisations – collectively referred to as APP entities (see paragraphs A.7 – A.9).
A.4 The APPs are principles-based law. This provides APP entities with the flexibility to tailor their personal information handling practices to their diverse needs and business models, and to the diverse needs of individuals. They are also technology neutral, applying equally to paper based and digital environments. This is intended to preserve their relevance and applicability, in a context of continually changing and emerging technology.
A.5 The APPs are structured to reflect the personal information lifecycle. They are grouped into five parts:
• Part 1 – Consideration of personal information privacy (APPs 1 and 2).
• Part 2 – Collection of personal information (APPs 3, 4 and 5).
• Part 3 – Dealing with personal information (APPs 6, 7, 8 and 9).
• Part 4 – Integrity of personal information (APP 10, APP 11).
• Part 5 – Access to, and correction of, personal information (APP 12, APP 13).
A.6 In developing the APP guidelines, the Information Commissioner has had regard to the objects in s 2A of the Privacy Act, which are:
• promoting the protection of the privacy of individuals
• recognising that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities
• providing the basis for nationally consistent regulation of privacy and the handling of personal information
• promoting responsible and transparent handling of personal information by entities
• facilitating an efficient credit reporting system while ensuring that the privacy of individuals is respected
• facilitating the free flow of information across national borders while ensuring that the privacy of individuals is respected
• providing a means for individuals to complain about an alleged interference with their privacy, and
• implementing Australia’s international obligation in relation to privacy.
Who is covered by the APPs?
A.7 The APPs apply to APP entities (s 15). The term ‘APP entity’ means an agency or organisation (s 6(1)) and is discussed in more detail in Chapter B (Key concepts).
A.8 The APPs extend to an act or practice of an APP entity occurring outside Australia and the external Territories (s 5B). However, if the APP entity is an organisation, the organisation must also have an Australian link (s 5B(1A)). The term ‘Australian link’ is discussed in Chapter B (Key concepts).
A.9 In some circumstances an act or practice of an APP entity is exempt from the Privacy Act, including the APPs. For example, an act done, or a practice engaged in by a federal court is exempt, except for acts or practices in respect of a matter of an administrative nature (s 7(1)(a)(ii) and (b)). The ‘employee records’ exemption (s 7B(3)) is an example of an exemption that applies to an act or practice of an organisation.
Do the APPs apply to a contracted service provider under a Commonwealth contract?
A.10 Special provisions apply to a contracted service provider (including a subcontractor) handling personal information under a Commonwealth contract. The terms ‘contracted service provider’ and ‘Commonwealth contract’ are defined in s 6(1).
A.11 An agency entering a Commonwealth contract must take contractual measures to ensure that the contracted service provider does not do an act, or engage in a practice, that would breach an APP if done or engaged in by the agency (s 95B). The contract is the primary source of the contractor’s privacy obligations in relation to its activities under the contract. The contracted service provider must also comply with the APPs, unless the act or practice is authorised by a provision in the contract (s 6A(2)).
Do the APPs apply to a credit reporting participant?
A.12 Part IIIA of the Privacy Act contains requirements for the handling of credit-related personal information by credit reporting participants, including credit reporting bodies, credit providers and some other third party recipients of that information. The provisions in Pt IIIA make clear whether the obligations in Pt IIIA replace relevant APPs or apply in addition to relevant APPs.
A.13 The APPs will apply to any credit reporting participant that is an APP entity in relation to the handling of personal information not regulated by Pt IIIA.
Do the APPs apply to an APP entity bound by a registered APP Code?
A.14 A ‘registered APP code’ is defined as an APP code that is included on the Codes Register and that is in force (s 26B(1)). A registered APP code does not replace the APPs for the entities which it binds, but operates in addition to the requirements of the APPs. Therefore, an APP entity that is bound by an APP code must comply with both the APPs and the APP code.
A.15 Registered APP codes are discussed in more detail in Chapter B (Key concepts).
What happens if an APP entity breaches an APP?
A.16 Where an act or practice of an APP entity occurs on or after 12 March 2014 and breaches an APP in relation to personal information about an individual, this is an interference with the privacy of the individual (s 13(1)).
A.17 The Information Commissioner has powers to investigate possible interferences with privacy, either following a complaint by the individual concerned or on the Commissioner’s own initiative (Part V of the Privacy Act). Where an individual makes a complaint, the Commissioner will generally attempt to conciliate the complaint (s 40A). The Information Commissioner also has a range of enforcement powers and other remedies available.
References in the guidelines
A.18 In these Guidelines, a reference to:
• a paragraph is to a paragraph of text in the same Part of these guidelines
• a section of the law is to a section of the Privacy Act or other Act as specified.
Where do I get more information?
A.19 The OAIC has developed a range of materials to assist entities to comply with the Privacy Act. These include guides, agency and business resources, fact sheets and Frequently Asked Questions. The resources are available on the OAIC website, see <www.oaic.gov.au>.
Chapter B — Key concepts
B.1 This Chapter outlines some key words and phrases that are used in the Privacy Act 1988 and the Australian Privacy Principles (APPs).
APP entity
B.2 An ‘APP entity’ is defined to be an agency or organisation (see ‘APP entity’, s 6(1)).
B.3 An ‘organisation’ is defined to be:
• an individual
• a body corporate
• a partnership
• any other unincorporated association, or
• a trust
unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State (s 6C).
B.4 The following terms are also defined in the Privacy Act: ‘small business operator’ (s 6D), ‘registered political party’ (s 6(1)) and ‘State or Territory authority’ (s 6C).
B.5 In general, a small business operator is a business with an annual turnover of $3,000,000 or less for a financial year, unless an exception applies (s 6C). The exceptions include businesses that provide a health service and hold health information other than in an employee record and businesses that disclose personal information for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information (s 6D).
B.6 An APP entity may be treated as an organisation in certain circumstances, for example a small business operator that chooses to be treated as an organisation (s 6EA).
B.7 An ‘agency’ is defined to be:
• a Minister
• a Department
• a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment, not being:
  ◦ an incorporated company, society or association; or
  ◦ an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation
• a body established or appointed by the Governor-General, or by a Minister, other than by or under a Commonwealth enactment
• a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department
• a person holding or performing the duties of an appointment, being an appointment made by the Governor-General, or by a Minister, other than under a Commonwealth enactment
• a federal court
• the Australian Federal Police
• a Norfolk Island agency
• the nominated AGHS company
• an eligible hearing service provider, or
• the service operator under the Healthcare Identifiers Act 2010 (s 6(1)).
Australian Link
B.8 The Privacy Act extends to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link (s 5B(1A)).
B.9 An organisation or small business operator has an Australian link where it is:
• an Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation
• a partnership formed, or a trust created in Australia or an external Territory
• a body corporate incorporated in Australia or an external Territory, or
• an unincorporated association that has its central management and control in Australia or an external Territory (s 5B(2)).
B.10 Where an organisation or small business operator does not fall within one of these categories, it will still have an Australian link where:
• it carries on business in Australia or an external Territory (s 5B(3)(b)), and
• the personal information was collected or held by the organisation or small business operator in Australia or an external Territory, either before or at the time of the act or practice (s 5B(3)(c)).
‘Carries on business in Australia’
B.11 An APP entity that has an online presence (but no physical presence) in Australia, and that collects personal information from individuals who are physically in Australia, ‘carries on business in Australia or an external Territory’ under s 5B(3)(b).
Personal information collected ‘in Australia’
B.12 Personal information is collected ‘in Australia’ under s 5B(3)(c), if it is collected from an individual who is physically within the borders of Australia or an external Territory. For example, personal information is collected ‘in Australia’ where it is collected from an individual that is physically located in Australia or an external Territory via a website that is hosted outside of Australia. It does not matter if the website is owned by a company that is located outside of Australia or if the company is not incorporated in Australia.
Agency – no ‘Australian link’ requirement
B.13 The Privacy Act extends to the acts and practices of an agency, occurring outside Australia and the external Territories (s 5B(1)) (‘agency’ is defined in s 6(1) and discussed in paragraph B.7).
Collection
B.14 An APP entity collects personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’ (s 6(1)). The terms ‘record’ and ‘generally available publication’ are also defined in s 6(1) of the Privacy Act.
B.15 An APP entity does not collect personal information where information is acquired but is not included in a record or a generally available publication. For example, reading newspaper articles containing personal information without recording it will not be considered a collection. However, if an entity records this personal information, this will be considered a collection.
B.16 This concept applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means, including from:
• individuals
• other entities
• generally available publications
• surveillance cameras
• information associated with web browsing, such as information collected from cookies
• biometric technology, such as voice or facial recognition.
Commonwealth record
B.17 A ‘Commonwealth record’ is defined to have the same meaning as in the Archives Act 1983 (Archives Act) (s 6(1)).
B.18 The Archives Act states that a ‘Commonwealth record means:
• a record that is the property of the Commonwealth or a Commonwealth institution, or
• a record that is to be deemed to be a Commonwealth record by virtue of a regulation under subsection (6) or by virtue of section 22,
but does not include a record that is exempt material or is a register or guide maintained in accordance with Part VIII’ (s 3, Archives Act).
B.19 A ‘Commonwealth record’ is likely to include, in almost all cases, all personal information collected or received by agencies. Where an organisation is a contracted service provider under a Commonwealth contract, the records created, managed or held by that organisation under the contract may also be Commonwealth records.
B.20 APP 4.3 and APP 11.2 provide for the destruction or de-identification of personal information in certain circumstances (see Chapters 4 (APP 4) and 11 (APP 11)). These requirements do not apply to information ‘contained in a Commonwealth record’. This ensures that the requirements in the Archives Act relating to the retention of Commonwealth records will continue to apply and will override these destruction or de-identification requirements.
Consent
B.21 Consent means ‘express consent or implied consent’ (s 6(1)). The four key elements of consent are that:
• it must be provided voluntarily
• the individual must be adequately informed of what they are consenting to
• it must be current and specific, and
• the individual must have the capacity to understand and communicate their consent.
Express or implied consent
B.22 Express consent is given explicitly, either orally or in writing. This could include a handwritten signature or an oral statement to signify agreement.
B.23 Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity.
B.24 An APP entity should not assume that an individual has consented to a collection, use or disclosure just because the collection, use or disclosure appears to be advantageous to that person. Similarly, an entity does not establish implied consent by showing that, if the individual knew about the benefits of the collection, use or disclosure, they would probably consent to it.
B.25 Generally, it should also not be assumed that an individual has given consent on the basis that they have not objected to a proposal to handle personal information in a particular way. It is likely to be difficult for an entity to demonstrate that an individual’s silence was intended to mean consent.
B.26 In particular, consent may not be implied if the individual’s intent is ambiguous, such as where there is reasonable doubt about the individual’s intention.
B.27 For example, an individual’s intention may be ambiguous where an APP entity implies an individual’s consent from their failure to opt out. Use of an opt-out mechanism to infer an individual’s consent will only be appropriate in limited circumstances. An entity will be in a better position to establish the individual’s implied consent the more that the following factors, where relevant, are met:
• the option to opt out was clearly and prominently presented
• it is likely that the individual received and read the information about the proposed collection, use or disclosure, and about the offer to opt out
• the individual was aware of the implications of not opting out
• the option to opt out is freely available and not bundled with other purposes
• receiving and exercising the option to opt out is easy to take up. That is, it involves little or no financial cost to, or effort from, the individual
• the consequences of failing to opt out are not serious
• if the individual opts out later, they are fully restored to the circumstances that they would have been in if they had opted out earlier.
B.28 An APP entity should generally seek the express consent of an individual where it proposes to handle the individual’s sensitive information, given the greater impact that the collection, use or disclosure of sensitive information may have on the privacy of the individual.
B.29 An APP entity should implement procedures and systems to obtain and record consent, which leave no doubt that consent has been given, either on the basis of the express consent of an individual, or clearly implied consent from the conduct of the individual.
Voluntary
B.30 Consent is voluntary if an individual has a genuine opportunity to provide or withhold their consent. Consent is not voluntary where there is duress, coercion or extreme pressure that would equate to an overpowering of will.
B.31 Factors relevant to deciding whether consent is voluntary include:
• the alternatives open to the individual, if they choose not to consent
• the seriousness of any consequences if an individual refuses to consent
• any adverse consequences for family members or associates of the individual if the individual refuses to consent.
Bundled consent
B.32 Bundled consent refers to the practice of an APP entity ‘bundling’ together multiple requests for an individual’s consent to a wide range of collections, uses and disclosures of personal information, without giving the individual the opportunity to choose which collections, uses and disclosures they agree to and which they do not.
B.33 This practice has the potential to undermine the voluntary nature of the consent.
Informed
B.34 An individual must be aware of the implications of providing or withholding consent, for example, whether the individual is able to access a service if they do not consent to an APP entity collecting a specific piece of personal information. An APP entity should give information directly to the individual about how their personal information is to be handled, in a way that the individual understands. Particularly, the information should be written in plain English, without legal or industry jargon.
Current and specific
B.35 An APP entity should generally seek consent from an individual at the time that it proposes to collect, use or disclose that individual’s personal information. An entity should not seek a broader consent than is necessary for its purposes, for example, consent for undefined future uses, or consent to ‘all legitimate uses or disclosures’ (see also, discussion of ‘bundled consent’ above).
B.36 An individual may withdraw their consent at any time. If they do, an APP entity would no longer be able to rely on consent having been given when dealing with the individual’s personal information.
Capacity
B.37 An individual must have the capacity to consent. This means that the individual is capable of understanding the issues relating to the decision to consent, including the effect of giving or withholding consent, forming a view based on reasoned judgement and communicating their decision. If an APP entity is uncertain as to whether an individual has capacity to consent, it should not rely on any statement of consent given by the individual.
B.38 Issues that could affect an individual’s ability to consent include:
• age
• physical or mental disability
• temporary incapacity, for example during a psychotic episode, a temporary psychiatric illness, or because they are unconscious or in severe distress, or
• limited understanding of English.
B.39 An APP entity should consider whether these issues could be addressed by providing the individual with appropriate support to enable them to exercise their capacity. If an individual does not have capacity to consent and consent is required, an entity should consider who can act on the individual’s behalf. Options include:
• a guardian
• someone with an enduring power of attorney
• a person recognised by other relevant laws, for example in NSW, a ‘person responsible’ under the Guardianship Act 1987 (NSW) (this may be an individual’s spouse, partner, carer, family member or close friend), or
• a person who has been nominated in writing by the individual while they were capable of giving consent.
B.40 Where an individual lacks the capacity to consent, they should be involved, as far as is practical, in any decision-making process. To the extent possible in the circumstances, an APP entity should ensure that privacy issues are discussed with individuals who have impaired decision making capacity in a way that is understandable and comprehensible.
Children and young people
B.41 The Privacy Act does not specify an age after which individuals can make their own privacy decisions. An APP entity will need to determine whether a young person has the capacity to consent on a case-by-case basis.
B.42 As a general principle, a young person has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example if the child is very young or lacks the maturity or understanding to do so themselves.
De-identification
B.43 Personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’ (s 6(1)). De-identified information is not ‘personal information’ (see paragraph B.69).
B.44 De-identification is a process by which data or information (for example, information in a record) is altered to remove or obscure personal information or government related identifiers so that the individual is no longer identifiable or reasonably identifiable.
B.45 Where de-identification is administered to a high standard, together with appropriate risk management strategies, the risk of re-identification can be minimised. The risk of re-identification will depend on the context and circumstances of the APP entity and the nature of the information. Relevant factors to consider when determining whether information has been effectively de-identified could include the cost, difficulty, practicality and likelihood of re-identification.
B.46 For more information on when and how to de-identify information, including examples of de-identification techniques, see Business Resource – De-identification of Data and Information.
Disclosure
B.47 Disclosure is not defined in the Privacy Act.
B.48 However, an APP entity will generally disclose personal information when it releases information from its effective control.
B.49 A release from effective control is generally a disclosure irrespective of the entity’s reason for releasing the information. It includes proactive releases, releases in response to a specific request and accidental releases.
B.50 The following are given as examples of disclosures:
• an APP entity shares a copy of personal information with another entity or individual
• an APP entity publishes personal information on the internet and the information is accessible to other entities (even if not actually collected by another entity)
• an APP entity intends to send a document containing an individual’s personal information to the individual, but accidentally sends their information to another individual
• an APP entity does not take reasonable steps to ensure the security of personal information as required by APP 11 (see Chapter 11) resulting in accessibility of that information to others outside the entity.
B.51 ‘Disclosure’ is a separate concept from access under the APPs. An individual’s right to access their personal information is addressed in APP 12 (see Chapter 12). It is also a separate concept from ‘use’ (see paragraphs B.107 to B.109). For more information about unauthorised access and reasonable steps to ensure security, see Chapter 11 (APP 11).
Enforcement body
B.52 ‘Enforcement body’ is defined to mean:
• the Australian Federal Police
• the Integrity Commissioner
• the ACC
• the CrimTrac Agency
• Customs
• the Immigration Department
• the Australian Prudential Regulation Authority
• the Australian Securities and Investments Commission
• the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory
• another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law
• another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue
• a police force or service of a State or a Territory
• the New South Wales Crime Commission
• the Independent Commission Against Corruption of New South Wales
• the Police Integrity Commission of New South Wales
• the Office of Police Integrity of Victoria
• the Crime and Misconduct Commission of Queensland
• the Corruption and Crime Commission of Western Australia
• another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries
• a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law, or
• a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue (s 6(1)).
Enforcement-related activities
B.53 ‘Enforcement related activity’ is defined to mean:
• the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction
• the conduct of surveillance activities, intelligence gathering activities or monitoring activities
• the conduct of protective or custodial activities
• the enforcement of laws relating to the confiscation of the proceeds of crime
• the protection of the public revenue
• the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations
• the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of court/tribunal orders (s 6(1)).
B.54 This definition recognises that ‘enforcement related activities’ can include surveillance, intelligence gathering or monitoring activities where there may not be an existing investigation. These terms are distinct activities, but may overlap in some circumstances.
B.55 Examples of surveillance activities include optical surveillance of an individual or property where information obtained from that surveillance may lead to an investigation of a criminal offence. Examples of intelligence gathering include the collection of information about an individual to detect whether an offence has occurred, or to determine whether to initiate an investigation into that offence; the collection of information about whether an individual is planning to commit an offence and whether there are fellow criminal associates. Examples of monitoring activities include the monitoring by an enforcement body of a person who has presented themself to that body in compliance with a court order.
Health information
B.56 ‘Health information’ is defined to be:
• information or an opinion, that is also personal information, about:
  ◦ the health or a disability (at any time) of an individual, or
  ◦ an individual’s expressed wishes about the future provision of health services to him or her, or
  ◦ a health service provided, or to be provided, to an individual, or
• other personal information collected to provide, or in providing, a health service, or
• other personal information about an individual collected in connection with the donation, or intended donation, by the individual of their body parts, organs or body substances, or
• genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual (see ‘health information’, s 6(1)).
B.57 Examples of health information include:
• notes of an individual’s symptoms or diagnosis and the treatment given
• specialist reports and test results
• appointment and billing details
• prescriptions and other pharmaceutical purchases
• dental records
• an individual’s healthcare identifier when it is collected to provide a health service
• any other personal information (such as information about an individual’s race, sexuality, religion, date of birth, gender), collected to provide a health service.
B.58 The definition of ‘sensitive information’ in s 6(1) of the Privacy Act includes health information. As a type of sensitive information, health information attracts additional privacy protections compared to other types of personal information (see for example, APP 3 in Chapter 3). There are also a number of provisions and APPs that deal specifically with health information, including the ‘permitted health situation’ exceptions set out in s 16B (for discussion of ‘permitted health situations’, see Chapter D).
Health Service
B.59 ‘Health service’ is defined to mean:
• an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
  ◦ to assess, record, maintain or improve the individual’s health, or
  ◦ to diagnose the individual’s illness or disability, or
  ◦ to treat the individual’s illness or disability or suspected illness or disability, or
• the dispensing or prescription of a drug or medicinal preparation by a pharmacist (see ‘health service’, s 6(1)).
B.60 The Privacy Act generally applies to all organisations that provide a health service, including an organisation that is a small business. Examples of organisations that provide a health service include:
• traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
• complementary therapists, such as naturopaths and chiropractors
• gyms and weight loss clinics.
Holds
B.61 An APP entity ‘holds’ personal information if ‘the entity has possession or control of a record that contains the personal information’ (s 6(1)). Whether an APP entity holds a particular item of personal information will depend on its particular information collection, management and storage arrangements.
B.62 For example, an APP entity ‘holds’ personal information where:
• it physically possesses a record containing the personal information, or
• it has the right or power to deal with the information, even if it does not physically possess or own the medium on which the information is stored. For example, where the personal information is stored on servers owned by a third party, but the APP entity has the right to deal with that information, such as by accessing and amending the information, the entity will hold the personal information.
Immigration Department
B.63 ‘Immigration Department’ means ‘the Department administered by the Minister administering the Migration Act 1958’ (s 6(1)). Information about the particular Minister and Department that administer the Migration Act 1958 can be found on ComLaw.
B.64 The definition of ‘enforcement body’ includes the ‘Immigration Department’ (see paragraphs XX above). This means that the exceptions in APPs 3.4(d)(i), 6.2(e) and 8.2(f) extend to the ‘enforcement related activities’ of the Immigration Department (see Chapters 3, 6 and 8).
Necessary and reasonably necessary
B.65 Certain APPs require a collection, use or disclosure to be ‘necessary’ or ‘reasonably necessary’ for a particular purpose – for example APPs 3, 6, 7 and 8. For a discussion of ‘reasonable’ see paragraphs B.82 to B.86.
B.66 ‘Necessary’ is not defined in the Privacy Act. The High Court of Australia has noted that ‘there is, in Australia, a long history of judicial and legislative use of the term “necessary”, not as meaning essential or indispensable, but as meaning reasonably appropriate and adapted.’
B.67 Necessary is interpreted in a practical sense. For example, under APP 3 if an entity cannot in practice effectively pursue a function or activity without collecting personal information, the collection would usually be considered reasonably necessary for that function or activity. However, a collection, use or disclosure usually will not be considered necessary if there are reasonable alternatives available to handling information in this way, for example, where handling de-identified information would be sufficient for the purpose.
B.68 The terms ‘necessary’ and ‘reasonably necessary’ are discussed further in these guidelines, as they arise in the context of each of the relevant APPs.
Personal information
B.69 ‘Personal information’ is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’:
• whether the information or opinion is true or not, and
• whether the information or opinion is recorded in a material form or not (s 6(1)).
B.70 What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances.
Meaning of ‘reasonably identifiable’
B.71 Whether an individual is ‘reasonably identifiable’ from particular information about that individual will depend on considerations including:
• the nature and extent of the information
• the circumstances of its receipt
• whether it is possible for the person or entity that holds or has access to the information to identify the individual using available resources (including other information available to that person or entity). Where it may be possible to identify an individual using available resources, the cost, difficulty, practicality and likelihood of a person or entity doing so will be relevant to deciding whether an individual is ‘reasonably identifiable’.
B.72 For example, most individuals would not be able to use a licence plate number to identify the owner of a car because they would not have access to the resources to do so. In this situation, a licence plate number is not ‘personal information.’
B.73 However an agency responsible for car registration may be able to use its resources to identify the car owners from a licence plate number. In this situation, the licence plate number is ‘personal information’, because the individual is ‘reasonably identifiable’ by the responsible agency. The government department could use its resources and capabilities to link this information with other information that would identify the individual that owns the car.
B.74 In another example, information that an unnamed person with a certain medical condition lives in a specific postcode would generally not enable the individual to be identified. In this situation, the information about the individual is not ‘personal information’.
B.75 However, if the same information was provided to an individual with specific knowledge of those with the medical condition and the suburbs where they live, this individual could use the additional information available to them to identify the individual. In this situation, the information about the individual is ‘personal information’.
B.76 Where it is technically possible to identify an individual from information, but doing so is not practically possible, that individual will not generally be regarded as ‘reasonably identifiable’. For example, the individual may not be reasonably identifiable where steps required to do so are overly expensive or resource intensive.
Deceased persons
B.77 The definition of ‘personal information’ in s 6(1) refers to information or an opinion about an ‘individual.’ An ‘individual’ means ‘a natural person’ (s 6(1)). The ordinary meaning of ‘natural person’ does not include deceased persons.
B.78 Where information about a deceased person includes information about a living individual, that information may still be ‘personal information’ for the purposes of the Privacy Act. For example, the information that a deceased person had an inheritable medical condition could be personal information about the deceased person’s descendants. The sensitivities of family members, including their privacy, should be considered and respected when handling information about deceased persons.
Purpose
B.79 The purpose of an action is the reason why it is done.
B.80 How broadly a purpose can be described will depend on the circumstances and should be determined on a case-by-case basis. In general, an APP entity’s purpose for collecting, holding, using or disclosing personal information should be construed narrowly. This will assist individuals to understand and retain some control over how their personal information is collected, used and disclosed.
B.81 For example, describing the primary purpose of the collection of an individual’s personal information as being ‘for the functions of the entity’ would generally be considered too broad, as it would not allow the individual to understand how their information will be used or disclosed. Rather, the specific activity for which particular personal information is collected should be identified as the primary purpose. For example, a primary purpose of collection could be to:
• process a payment
• assess an applicant’s suitability for a job
• assess an applicant’s eligibility for a loan
• resolve a complaint
• provide further information about a service
• allow an agency to give someone a particular benefit or service.
Reasonable, Reasonably
B.82 A ‘reasonable’ test is included in the definition of ‘personal information’ and in several of the APPs. For example, APP 3 provides that an entity must not collect personal information unless the information is ‘reasonably necessary’ for one or more of its functions or activities.
B.83 ‘Reasonable’ and ‘reasonably’ are not defined in the Privacy Act.
B.84 The High Court of Australia has considered that what is reasonable is a judgement of fact and deciding what is reasonable will depend on each particular case and may be influenced by current standards. A reasonableness test implies the application of reasoned and objective judgement to the circumstances.
B.85 The terms ‘reasonable’ and ‘reasonably’ are discussed further in these guidelines, as they arise in the context of each of the relevant APPs.
Reasonably believes
B.86 A number of the exceptions to the APPs require an APP entity to have a ‘reasonable belief’ about a particular matter (see for example, APP 3.4 (Chapter 3), APP 6.2(e) (Chapter 6), APP 8.2 (Chapter 8), Permitted general situations, Chapter C). To form a reasonable belief, the entity must apply a reasoned judgement to the circumstances at the time of making the relevant assessment.
Recognised external dispute resolution scheme
B.87 ‘Recognised external dispute resolution scheme’ is defined as ‘an external dispute resolution scheme recognised under section 35A’ (see ‘recognised external dispute resolution scheme,’ s 6(1)).
B.88 Subsection 35A(1) of the Privacy Act gives the Information Commissioner the power to recognise an external dispute resolution scheme for an entity or a class of entities, or for a specified purpose.
B.89 Where an individual considers that an APP entity has interfered with their privacy, they may make a complaint to a recognised EDR scheme of which the APP entity is a member. For further discussion of recognised EDR schemes, and their role in handling privacy-related complaints, see Guidelines for Recognising External Dispute Resolution Schemes under s 35A of the Privacy Act.
Registered APP code
B.90 A ‘registered APP code’ is defined as an APP code that is included on the Codes Register and that is in force (s 26B(1)). A registered APP code is a legislative instrument (s 26B(2)). The requirements in relation to registered APP codes are set out in Division 2 of Part IIIB of the Privacy Act.
B.91 An ‘APP code’ is defined as a written code of practice about information privacy (s 26C). It can be developed by an APP entity, on its own initiative or on request from the Information Commissioner, or by the Information Commissioner directly (s 26E and 26G). Generally, it may be expressed to apply to an APP entity, industry or type of personal information (s 26C(4)).
B.92 The Information Commissioner has the power to approve and register an APP code (provided certain conditions are met) by including it on the Codes Register (s 26H).
B.93 Once an APP code is registered, an APP entity bound by the code must not do an act, or engage in a practice, that breaches that code. A breach of a registered APP code will be an interference with privacy by the entity under s 13(1)(b) of the Privacy Act.
B.94 A registered APP code does not replace the APPs for the entities which it binds, but operates in addition to the requirements of the APPs. For further discussion about the development of APP codes, and the requirements and process for recognition, see the [Code Development Guidelines].
Related body corporate
B.95 Section 6(8) provides that ‘the question whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001.’
B.96 Section 13B(1) permits related bodies corporate to share personal information (unless an exception applies).
B.97 When a body corporate uses or holds personal information collected from a related body corporate it must comply with the APPs and any binding, registered APP code (see Note to s 13B(1)). For example, an entity that collects personal information from a related body corporate is taken to have the same primary purpose of collection as the related body corporate. The entity interferes with the privacy of an individual if it uses that information for another purpose, and an exception to APP 6 does not apply.
Required or authorised by or under an Australian law or a court/tribunal order
Meaning of ‘required’
B.98 An APP entity that is ‘required’ by an Australian law or a court/tribunal to handle information in a particular way has a legal obligation to do so, and no choice in the matter.
B.99 Words such as ‘must’ or ‘shall’ could indicate such a requirement, and may be accompanied by the presence of a sanction for non-compliance. The term ‘required’ is intended to cover situations where a law unambiguously requires a certain act or practice.
Meaning of ‘authorised’
B.100 An APP entity that is ‘authorised’ under an Australian law or a court/tribunal order has discretion as to whether it will handle information in a particular way. Where a law or court/tribunal order authorises an act or practice, an entity is permitted to take the action, but it is not compelled to do so. Words such as ‘may’ could indicate an authorisation.
B.101 An act or practice is not ‘authorised’ solely because there is no law or court/tribunal order prohibiting it. Instead, the law or court/tribunal order must provide a specific discretion. For example, a general provision stating that the head of an agency may do anything necessary or convenient to be done for, or in connection with, a function does not ‘authorise’ conduct. On the other hand, legislation governing an agency that clearly and specifically gives it a discretion to use personal information for a particular purpose, would authorise that use.
Meaning of ‘Australian law’
B.102 ‘Australian law’ is defined as:
• an Act of the Commonwealth, or of a State or Territory
• regulations or any other legislative instrument made under such an Act
• a Norfolk Island enactment, or
• a rule of common law or equity (see ‘Australian law’, s 6(1)).
B.103 This definition is intended to exclude ‘contracts.’
Meaning of ‘court/tribunal order’
B.104 ‘Court/tribunal order’ is defined as an order, direction or other instrument made by a court, a tribunal, a judge (including a judge acting in a personal capacity), a person acting as a judge, a magistrate (including a magistrate acting in a personal capacity), a person acting as a magistrate, or a member or an officer of a tribunal (see ‘Court/tribunal order’, s 6(1)). The definition includes an order, direction or other instrument that is of an interim or interlocutory nature.
Sensitive information
B.105 ‘Sensitive information’ is a subset of personal information and is defined as:
• information or opinion (that is also personal information) about an individual’s:
o racial or ethnic origin
o political opinions
o membership of a political association
o religious beliefs or affiliations
o philosophical beliefs
o membership of a professional or trade association
o membership of a trade union
o sexual preferences or practices, or
o criminal record.
• health information about an individual
• genetic information (that is not otherwise health information)
• biometric information that is to be used for the purpose of automated biometric verification or biometric identification, and
• biometric templates (see ‘sensitive information’, s 6(1)).
B.106 Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information (for example APPs 3, 6 and 7). This recognises that inappropriate handling of sensitive information can have particular ramifications for the individual concerned or those associated with the individual. For example, some kinds of sensitive information, such as information relating to race or ethnic origin, may provide the basis for discrimination or other forms of mistreatment. Mishandling of this information may also lead to humiliation or embarrassment or may undermine an individual’s dignity.
Use
B.107 ‘Use’ is not defined in the Privacy Act.
B.108 Generally, an APP entity uses personal information when it handles and manages that information within the entity. Examples of a ‘use’ may include accessing information in the entity’s control to:
• search records containing personal information
• make a decision
• pass personal information from one part of an entity to another part.
B.109 A use may also include an entity providing personal information to a contractor (for example, under a contract for information technology services, or mailing house services), if the contractor only uses the information to perform a function of the contract, and under the terms of a contract, the entity maintains control over the information.
Chapter C – Permitted general situations
What are permitted general situations?
C.1 The APPs include exceptions where a permitted general situation exists in relation to the collection of sensitive information (APP 3), the use or disclosure of personal information (APPs 6 and 8) and the use or disclosure of a government related identifier (APP 9).
C.2 If an exception applies, an APP entity is permitted to collect, use or disclose personal information and government related identifiers in certain circumstances, however the entity is not compelled to do so.
C.3 The permitted general situations in s 16A relate to:
• serious threats to life, health or safety of any individual, or to public health or safety (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d))
• suspected unlawful activity or serious misconduct (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d))
• missing persons (see APPs 3.4(c), 6.2(c) and 8.2(d))
• legal or equitable claims (see APPs 3.4(c) and 6.2(c))
• alternative dispute resolution processes (see APPs 3.4(b) and 6.2(c))
• diplomatic or consular functions – this only applies to agencies (see APPs 3.4(b), 6.2(c) and 8.2(d))
• specified armed forces activities – this only applies to the Defence Force (see APPs 3.4(b), 6.2(c) and 8.2(d))
C.4 These exceptions are discussed generally below. For specific examples relevant to APPs 3, 6, 8 and 9, see Chapters 3, 6, 8 and 9.
Serious threats to life, health or safety or to public health or safety
C.5 This permitted general situation applies to an APP entity that collects, uses or discloses personal information or a government related identifier where:
• it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure, and
• the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety (s 16A, item 1).
Unreasonable or impracticable consent
C.6 Consent is defined as ‘express consent or implied consent’ (s 6(1)) and it is discussed in Chapter B (Key concepts). The main criteria for establishing consent are:
• the individual is adequately informed before giving consent
• the individual gives their consent voluntarily
• the consent is current and specific, and
• the individual has the capacity to understand and communicate their consent.
C.7 Whether it is unreasonable or impracticable for an APP entity to obtain an individual’s consent will depend upon circumstances that include:
• the nature of, and potential consequences associated with, the serious threat. For example, the urgency of the situation and level of threatened harm may require collection, use or disclosure before it is possible to seek consent
• the privacy implications for an individual if their consent is not obtained before the collection, use or disclosure. For example, where the collection, use or disclosure of sensitive information may result in an individual being stigmatised, humiliated or losing their dignity, it may be more difficult for an entity to establish that it was unreasonable or impracticable to obtain the individual’s consent
• the source of the threat. For example, it may be unreasonable to seek consent from the individual posing the threat where that individual could reasonably be anticipated to withhold consent, or where the act of seeking that individual’s consent could increase the threat
• the ability to contact the individual to obtain consent. For example, it may be impracticable to obtain consent if the individual’s location is unknown or if they cannot be contacted for another reason
• the number of individuals whose personal information is to be collected, used or disclosed. For example, if the collection, use or disclosure involves personal information of a very large number of individuals, it may be impracticable to obtain consent
• the capacity of the individual to give consent. For example, it may be unreasonable or impracticable to obtain consent where an individual is incapable of communicating consent because of their physical state, their psychological state, or their age. Capacity is discussed as part of ‘consent’ in Chapter B (Key concepts).
Reasonably believes collection, use or disclosure is necessary
C.8 Where it is unreasonable or impracticable to obtain consent, an APP entity must make a judgement about whether the collection, use or disclosure is necessary to lessen or prevent a serious threat. The entity must have a reasonable basis for that judgement at the time of the assessment.
C.9 A collection, use or disclosure would be considered necessary where it is essential to lessen or prevent a serious threat, but not where it is merely helpful, desirable or convenient. An APP entity should consider whether there are alternative reasonable ways to reduce or prevent the serious threat that do not involve the handling of personal information.
C.10 For example, where a serious threat cannot be lessened or prevented without collecting, using or disclosing personal information, the collection, use or disclosure would be considered necessary. On the other hand, if there are reasonable alternatives available at the time of making the assessment, the collection, use or disclosure may not be considered necessary.
C.11 For a more detailed discussion of ‘reasonably believes’ and ‘necessary’, see Chapter B (Key concepts).
Serious threat
C.12 An assessment of the seriousness of a threat involves assessing the consequences and likelihood of the risk being realised.
C.13 A ‘serious’ threat to life, health or safety must reflect significant danger to an individual or individuals. It could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness. A threat to an individual’s finances or reputation would not ordinarily be considered to be a serious threat to life, health or safety.
C.14 A serious threat could include a threat to the physical or mental health and safety of an individual.
C.15 The threat may be to the individual the entity is dealing with or to another person. It may also be a threat of serious harm to an unspecified individual, such as a threat to be randomly inflicted.
C.16 A ‘serious threat to public health or safety’ relates to broader safety concerns affecting a number of people. This could include:
• the potential spread of communicable disease
• harm, or threatened harm, to a group of people due to a terrorist incident
• harm caused by an environmental disaster.
C.17 When assessing the likelihood of a threat being realised, a potentially harmful outcome that is highly unlikely to occur may not constitute a serious threat. On the other hand, a potentially harmful threat that is likely to occur, but at an uncertain time, may represent a serious threat. This allows an APP entity to take preventative action to stop a serious threat from escalating before it materialises. For example, a serious threat may involve a threatened outbreak of an infectious disease that will do serious harm to public health or safety, even if it is unclear precisely when that harm will occur.
Suspected unlawful activity or serious misconduct
C.18 This permitted general situation applies to an APP entity that collects, uses or discloses personal information or a government related identifier where the entity:
• has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being, or may be engaged in, and
• reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter (s 16A, item 2).
C.19 This exception is intended to apply to an APP entity’s internal investigations about activities within or related to the entity.
C.20 Unlawful activity is not defined in the Privacy Act so it is appropriate to refer to the ordinary meaning of these words. These are interpreted to apply to acts or omissions that are expressly prohibited under Australian law (‘Australian law’ is defined in s 6(1) of the Privacy Act). The unlawful activity must relate to the entity’s functions or activities. For example, harassment or discrimination within an entity would be an unlawful activity.
C.21 Misconduct is defined in s 6(1) of the Privacy Act to include ‘fraud, negligence, default, breach of trust, breach of duty, breach of discipline or any other misconduct in the course of duty.’ Serious misconduct would not cover minor breaches or transgressions. The serious misconduct must relate to the entity’s functions or activities. For example it may include a serious breach of the Australian Public Service Code of Conduct or fraudulent conduct by a professional adviser or a client, where it relates to the entity’s functions or activities.
C.22 Where an APP entity suspects unlawful activity or serious misconduct relating to its functions and activities, it must make a judgement about whether the collection, use or disclosure is needed to take appropriate action. There should be a factual basis for the judgement.
C.23 An APP entity must reasonably believe that the collection, use or disclosure is necessary. ‘Reasonable belief’ and ‘necessary’ are discussed further in Chapter B (Key concepts).
C.24 Whether action is appropriate will depend on the circumstances and the nature of the action. Appropriate action may include investigating an unlawful activity or serious misconduct and reporting these matters to the police or another relevant person or authority. For example, if an entity has reasonable grounds for believing that it cannot effectively investigate serious misconduct without collecting, using or disclosing personal information, then this exception may apply.
Missing persons
C.25 This permitted general situation applies to an APP entity that collects, uses or discloses personal information where:
• the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing, and
• the collection, use or disclosure complies with rules made by the Information Commissioner under s 16A(2) of the Privacy Act (s 16A, item 3).
C.26 For this exception to apply, an APP entity must make a judgement about whether the collection, use or disclosure is reasonably necessary to locate a missing person. It should have a factual basis for that judgement. For further discussion of ‘reasonably believes’ and ‘necessary’ see Chapter B (Key concepts).
Legal or equitable claims
C.27 This permitted general situation applies to an APP entity that collects, uses or discloses personal information where the collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim (s 16A, item 4).
C.28 For this exception to apply, the collection, use or disclosure must be ‘reasonably necessary’. Reasonably necessary is interpreted objectively. That is, whether a collection, use or disclosure is reasonably necessary is assessed from the perspective of a reasonable person. The perspective of the APP entity involved is a consideration, but it is not determinative. For example, when an entity receives a request from an individual to disclose another person’s information to establish a legal or equitable claim, it may be difficult for the entity to be satisfied that the disclosure is reasonably necessary, unless the disclosure is required under a court order.
C.29 This exception applies in relation to existing or potential legal proceedings in a court or tribunal. Where legal proceedings have not yet commenced, an entity should only rely on this exception where there is a real possibility that the personal information will be needed to establish, exercise or defend its legal or equitable rights at a future date. For further discussion of ‘necessary’, see Chapter B (Key concepts).
C.30 Where this exception applies, it does not compel an APP entity to disclose personal information in response to a request from a third party. For example, if the collection, use or disclosure is prohibited under another Australian law, an entity should not rely on this exception to collect, use or disclose the information (for example, where disclosure would be a breach of legal professional privilege).
Alternative dispute resolution processes
C.31 This permitted general situation applies to an APP entity that collects, uses or discloses personal information, where the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution (ADR) process (s 16A, item 5).
C.32 For this exception to apply, the collection, use or disclosure must be ‘reasonably necessary’ for a confidential ADR process and not some other function or activity. This may extend to the collection, use or disclosure of personal information in circumstances where professional misconduct by an ADR practitioner is alleged.
C.33 Whether the collection, use or disclosure is reasonably necessary is interpreted objectively. That is, whether a collection, use or disclosure is reasonably necessary is assessed from the perspective of a reasonable person. The perspective of the entity involved is a consideration, but it is not determinative. ‘Necessary’ is discussed further in Chapter B (Key concepts).
C.34 ADR covers processes, other than judicial determinations, in which an impartial person assists those in a dispute to resolve the issues between them. An entity providing ADR may, but is not required to, have any particular form of accreditation. Examples of ADR processes include mediation, conciliation, facilitation, expert assessment, determination, or neutral evaluation.
C.35 For the exception to apply, the parties to the dispute and the ADR provider must be bound by confidentiality obligations such that any personal information collected, used or disclosed for the purpose of that ADR process will not be used or disclosed for any purpose outside the ADR process, including use or disclosure in subsequent proceedings. The confidentiality obligations may be imposed through contractual agreements or legislative provisions.
Diplomatic or consular functions (agencies only)
C.36 This permitted general situation applies to an agency that collects, uses or discloses personal information, where the agency reasonably believes that the collection, use or disclosure is necessary for the agency’s diplomatic or consular functions or activities (s 16A, item 6).
C.37 The terms ‘diplomatic’ and ‘consular’ are not defined in the Privacy Act. These terms are interpreted narrowly when assessing the nature of an agency’s functions or activities.
C.38 The following are given as examples of when this exception might apply:
• Diplomatic functions or activities: where an agency collects, uses or discloses personal information to grant a diplomatic visa to a foreign national accredited as a member of the diplomatic staff of a mission to Australia.
• Consular functions or activities: where an agency collects, uses or discloses personal information to:
o assist Australian citizens who are in distress overseas, including where an Australian individual is detained or is the victim of crime, or where assistance is required with repatriation in the case of death or serious illness
o provide information to the next of kin of an Australian individual who is overseas where, for example, the individual is seriously injured and the agency considers that there are likely to be significant, serious or undesirable consequences for the individual or their next of kin if it does not disclose the information.
C.39 For a discussion of ‘reasonably believes’ and ‘necessary’, see Chapter B (Key concepts).
Specified armed forces activities (Defence Force only)
C.40 This permitted general situation applies to the collection, use or disclosure of personal information by the Defence Force, where it reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories:
• war or warlike operations
• peacekeeping or peace enforcement
• civil aid, humanitarian assistance, medical or civil emergency or disaster relief (s 16A, item 7).
C.41 For a discussion of ‘reasonably believes’ and ‘necessary’, see Chapter B (Key concepts).
C.42 The following are given as examples of when this exception might apply:
• War or warlike operations/peacekeeping or peace enforcement: where the Defence Force collects sensitive information, such as biometric information, about an enemy or other hostile adversary and uses and discloses this and other personal information in order to support Defence Force military operations.
• Civil aid, humanitarian assistance, medical or civil emergency or disaster relief: where the Defence Force collects sensitive information about an individual in the immediate aftermath of a natural or man-made disaster outside Australia and the external Territories, and uses or discloses this and other personal information in order to trace the individual or relatives of the individual, or assist in the provision of proper medical care.
Chapter D — Permitted health situations
What are permitted health situations?
D.1 APP 3 and APP 6 contain exceptions where a permitted health situation exists in relation to the collection, use or disclosure of health information or genetic information by an organisation.
D.2 The permitted health situations in s 16B relate to:
• the collection of health information to provide a health service (s 16B(1)) (see APP 3.4(c))
• the collection of health information for certain research and other purposes (s 16B(2)) (see APP 3.4(c))
• the use or disclosure of health information for certain research and other purposes (s 16B(3)) (see APP 6.2(d))
• the use or disclosure of genetic information (s 16B(4)) (see APP 6.2(d))
• the disclosure of health information for a secondary purpose to a responsible person for an individual (s 16B(5)) (see APP 6.2(d)).
D.3 ‘Health information’ is defined in s 6(1). It is a type of sensitive information and is discussed in more detail in Chapter B (Key concepts). Genetic information is not defined in the Privacy Act. In some instances it will be health information. Genetic information is discussed in paragraphs D.24 – D.25.
D.4 The permitted health situations are discussed generally below. For specific examples that are relevant to APPs 3 and 6, see Chapters 3 and 6.
Collection – provision of a health service
D.5 This permitted health situation applies to an organisation that collects health information about an individual, where the information is necessary to provide a health service to the individual, and either:
• the collection is required or authorised by or under an Australian law (other than the Privacy Act), or
• the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation (s 16B(1)).
D.6 When deciding whether the collection of health information is ‘necessary’ to provide a health service, an organisation should consider whether there are reasonable alternatives to such collection. An organisation should only handle the minimum amount of health information needed to provide a health service. For further discussion of ‘necessary’ and ‘health service’, see Chapter B (Key concepts).
D.7 For a discussion of ‘required or authorised by or under Australian law’, see Chapter B (Key concepts).
D.8 The rules established by competent health or medical bodies must be binding. Binding rules are rules that must be followed, and will generally give rise to some sort of adverse consequence if breached. Competent bodies might include medical boards and other rule-making bodies recognised in an applicable Australian law.
Collection – research
D.9 This permitted health situation applies to an organisation that collects health information about an individual, where the collection is necessary for research relevant to public health or public safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service, and:
• those purposes cannot be served by collecting de-identified information
• it is impracticable to obtain the individual’s consent, and
• the collection is either:
o required by or under an Australian law (other than the Privacy Act)
o in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
o in accordance with guidelines approved under s 95A (s 16B(2)).
Public health or public safety
D.10 ‘Relevant to public health or public safety’ means that the research or the compilation or analysis of statistics should have an impact on, or provide information about, public health or public safety. For example, research and statistics on communicable diseases, cancer, heart disease, mental health, injury control and prevention, diabetes and the prevention of childhood diseases.
Management, funding or monitoring of a health service
D.11 Whether an activity falls within the ‘management, funding or monitoring of a health service’ will depend on the circumstances. For example, an organisation may collect health information for this purpose where:
• a quality assurance body collects data about the quality of a health service provided by a nursing home or hostel
• an oversight body collects information from a private hospital about an incident in which an individual’s operation went wrong
• a health insurer collects health information to investigate the possibility of fraud or incorrect payments.
De-identified information
D.12 Personal information is de-identified, and no longer personal information, if the information ‘is no longer about an identifiable individual or an individual who is reasonably identifiable’ (s 6(1)). ‘De-identified’ is discussed in more detail in Chapter B (Key concepts). An organisation should consider whether the purposes listed in s 16B(2)(a) can be achieved by collecting de-identified information, rather than personal information. If they can, this permitted health situation will not apply.
Impracticable consent
D.13 Consent is defined in s 6(1) of the Privacy Act as ‘express consent or implied consent’ and is discussed generally in Chapter B (Key concepts). The main criteria for establishing consent are:
• the individual is adequately informed before giving consent
• the individual gives their consent voluntarily
• the consent is current and specific, and
• the individual has the capacity to understand and communicate their consent.
D.14 Whether it is impracticable for an organisation to obtain the individual’s consent will depend on the particular circumstances. The following are given as examples of circumstances where it may be impracticable for an organisation to obtain an individual’s consent:
• where obtaining the individual’s consent would adversely impact an investigation or monitoring activity, or could have an unacceptable adverse impact on the integrity and validity of research. For example, in participant observation studies analysing behaviour patterns of ethnic groups or participant observation of self help groups, obtaining consent may affect participants’ behaviour and research results. Before deciding that consent may have this effect, an organisation should consider whether a reasonable person, independent of the research project, would take this view, for example, by taking account of any relevant views of a Human Research Ethics Committee.
• where there are no current contact details for the individual and the organisation has insufficient information to obtain up-to-date contact details.
D.15 Simply incurring some expense, or having to exercise some effort to obtain consent, would not ordinarily make this ‘impracticable’.
Required by or under an Australian law
D.16 An organisation will be ‘required’ by or under law to collect health information where it has a legal obligation to do so. For further discussion, see ‘required or authorised by or under an Australian law or a court/tribunal order’ in Chapter B (Key concepts).
Binding rules
D.17 The rules established by competent health or medical bodies must be binding. For a discussion of this requirement, see paragraph D.8.
Guidelines approved under s 95A
D.18 The ‘guidelines approved under s 95A’ are issued by the National Health and Medical Research Council (NHMRC) or a ‘prescribed authority’, and approved by the Information Commissioner.
Use or disclosure – research
D.19 This permitted health situation applies to an organisation that uses or discloses health information about an individual, if the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:
• it is impracticable to obtain the individual’s consent to the use or disclosure
• the use or disclosure is conducted in accordance with guidelines approved under s 95A, and
• in the case of disclosure – the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information (s 16B(3)).
D.20 When considering whether a use or disclosure is ‘necessary’ for a purpose listed in s 16B(3), an organisation should consider whether the relevant purpose could be achieved by using or disclosing de-identified information. If so, the use or disclosure of personal information would not be considered necessary. For further discussion of ‘necessary’, see Chapter B (Key concepts). ‘De-identified’ is discussed in paragraph D.12 and in Chapter B (Key concepts).
D.21 Before disclosing health information, an organisation must make a judgement about whether the recipient will not disclose the information, or personal information derived from that information. The organisation must have a reasonable basis for that judgement at the time of the assessment. For further discussion of ‘reasonably believes’, see Chapter B (Key concepts).
D.22 ‘Relevant to public health or public safety’ is discussed in paragraph D.10, ‘impracticable to obtain an individual’s consent’ is discussed in paragraphs D.13 – D.15, and ‘guidelines approved under s 95A’ is discussed in paragraph D.18.
Use or disclosure – genetic information
D.23 This permitted health situation applies to an organisation that uses or discloses genetic information about an individual if:
• the organisation has obtained the information in the course of providing a health service to the individual
• the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the individual
• the use or disclosure is conducted in accordance with guidelines approved under s 95AA, and
• in the case of disclosure – the recipient of the information is a genetic relative of the individual (s 16B(4)).
D.24 ‘Genetic information’ is not defined in the Privacy Act. Genetic information about an individual is, however, included in the definition of ‘sensitive information’ (s 6(1)). Genetic information that is ‘about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual’ is also covered by the definition of ‘health information’ (s 6(1)). This permitted health situation applies to genetic information whether it is sensitive information or health information.
D.25 An organisation may obtain genetic information from a range of sources in the course of providing a health service to an individual. These sources may include the results of a parentage test, or information that confirms a condition that is clinically apparent, or which may be predictive of the likelihood of an individual developing a condition.
D.26 A ‘genetic relative’ is defined in s 6(1) to mean an individual who is related by blood, including but not limited to a sibling, a parent or a descendant. The terms ‘health service’, ‘necessary’ and ‘reasonably believes’ are discussed in Chapter B (Key concepts).
D.27 A serious threat to life, health or safety could include a threat to the physical or mental health of the genetic relative of the individual. Whether a threat to life, health or safety is serious will depend on both the likelihood of the threat eventuating, and the severity of the resulting harm. For further discussion of ‘a serious threat to life, health or safety’, see paragraphs C.12 – C.17 in Chapter C (Permitted general situations).
D.28 The ‘guidelines approved under s 95AA’ are issued by the NHMRC and approved by the Information Commissioner.
D.29 Where an APP entity is permitted to use or disclose genetic information under this exception, the APP entity must handle the personal information of the individual’s genetic relatives in compliance with the APPs.
Disclosure – responsible person for an individual
D.30 This permitted health situation applies to an organisation that discloses health information about an individual if:
• the organisation provides a health service to the individual
• the recipient of the information is a responsible person for the individual
• the individual is either physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure
• another individual providing the health service (the ‘carer’) is satisfied that either the disclosure is necessary to provide appropriate care or treatment of the individual, or the disclosure is made for compassionate reasons
• the disclosure is not contrary to any wish expressed by the individual before the individual became unable to give or communicate consent of which the carer is aware or of which the carer could reasonably be expected to be aware, and
• the disclosure is limited to the extent reasonable and necessary for providing appropriate care or fulfilling compassionate reasons (s 16B(5)).
D.31 The term ‘health service’ is discussed in Chapter B (Key concepts).
D.32 A ‘responsible person’ is defined in s 6AA of the Privacy Act and includes, for example, a parent, spouse or guardian of an individual.
Capacity to give consent
D.33 Consent is defined as ‘express consent or implied consent’ (s 6(1)). Consent and capacity are discussed generally in Chapter B (Key concepts). An individual may be ‘physically or legally incapable of giving consent’ if they cannot understand the issues relating to the decision to give consent, form a view based on reasoned judgement or communicate their decision.
D.34 Issues that could affect an individual’s capacity to give consent include:
• age
• physical or mental disability
• temporary or incremental incapacity, for example during a psychotic episode, a temporary psychiatric illness, because they are unconscious or in severe distress, or with some forms of dementia
• limited understanding of English.
D.35 An organisation should consider whether these issues could be addressed by providing the individual with appropriate support to enable them to exercise their capacity.
Cannot communicate consent
D.36 Where an individual physically cannot communicate consent to the disclosure, an organisation may disclose the individual’s personal information to a responsible person, without having to form a view as to the individual’s capacity (provided the other criteria in this exception are satisfied).
Carers
D.37 In this permitted health situation, ‘carer’ means the individual providing the health service for the organisation, for example, a doctor, nurse or pharmacist. This should not be confused with the common use of the term ‘carer’, meaning a family member, close friend or other person who cares for the individual but does not provide a health service. In this permitted health situation, a carer could be an employee of the organisation that provides a health service or, for example, a locum or visiting medical officer.
Necessary to provide appropriate care, or compassionate reasons
D.38 An organisation should assess whether the disclosure is necessary to provide appropriate care or treatment in a practical sense. The disclosure does not need to be critically essential, but it must be more than just useful or convenient. For example, if the individual’s ongoing care cannot be guaranteed without the organisation disclosing their personal information, then the disclosure would generally be considered necessary for that purpose.
D.39 Compassionate reasons may include providing an update about the condition or progress of an unconscious patient to family members or an emergency contact.
Wishes of the individual
D.40 An individual’s wishes or preferences do not need to be in writing. An individual may express a wish before they became unable to give or communicate consent, in anticipation of no longer being able to make decisions about their health information, for example, where an individual has a degenerative condition which will lead to a lack of capacity. This allows the individual to have some control over how their information will be handled in the future.
D.41 An example of where a carer (as defined in paragraph D.37, above) could be aware or could reasonably be expected to be aware of an individual’s wishes may be where the wishes are noted on the individual’s medical record. An individual’s wishes may also have been expressed verbally during clinician-patient consultations, prior to the individual losing their capacity to consent.
D.42 An individual’s wishes would be unlikely to override a guardianship order or other relevant legal authority, unless that guardianship order or other legal authority is limited or makes reference to the patient’s wishes. In these circumstances, an organisation should consider whether it can disclose the information under APP 6.2(b).
Australian Privacy Principle 1 – Open and transparent management of personal information
Key points
• APP 1 outlines the steps an APP entity must take to manage personal information in an open and transparent way.
• An APP entity must take reasonable steps to implement practices, procedures and systems that will ensure it complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints.
• An APP entity must have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information.
• An APP entity must take reasonable steps to make its APP Privacy Policy available free of charge and in an appropriate form (usually on its website).
• An APP entity must, upon request, take reasonable steps to provide a person or body with a copy of its APP Privacy Policy in the particular form requested.
What does APP 1 say?
1.1 The declared object of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way.’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.
1.2 APP 1 imposes three separate obligations upon APP entities to:
• take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints (APP 1.2)
• have a clearly expressed and up-to-date APP Privacy Policy about how the entity manages personal information (APP 1.3 and 1.4)
• take reasonable steps to make its APP Privacy Policy available free of charge in an appropriate form (APP 1.5) and, where requested, in a particular form (APP 1.6).
1.3 APP 1 lays down the first step in the information lifecycle – planning and explaining how personal information will be handled before it is collected. In effect, APP 1 reflects a principle of ‘privacy by design’. Entities will be better placed to meet their privacy obligations under the Privacy Act if they embed privacy protections in the design of their information handling practices.
Implementing practices, procedures and systems to ensure APP compliance
1.4 APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities that will:
• ensure the entity complies with the APPs and any binding registered APP code (see Part IIIB of the Privacy Act), and
• enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs or such a code.
1.5 APP 1.2 imposes a distinct and separate obligation upon APP entities, in addition to being a general statement of their obligation to comply with other APPs. The purpose of APP 1.2 is to require entities to take proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. The obligation is a constant one. Entities are advised to keep a record of the steps taken to comply with APP 1.2 to ensure that personal information is managed in an open and transparent way.
1.6 The obligation to implement practices, procedures and systems is qualified by a ‘reasonable steps’ test. The reasonable steps for an entity will depend upon circumstances that include:
• the nature of the entity holding the personal information. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity
• the nature of the personal information held. Generally, as the quantity, extent and sensitivity of personal information handled by an APP entity increases, further steps may be required to protect the privacy of that information
• the adverse consequences for an individual if their personal information is not handled as required by the APPs. Generally, more rigorous steps may be required as the risk of adversity increases
• the practicability of implementing particular practices, procedures and systems to ensure compliance with the APPs. A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to an APP entity. On the other hand, an entity is not automatically excused from adopting appropriate information management practices, procedures and systems by relying on the inconvenience or cost of doing so.
1.7 The following are given as examples of practices, procedures and systems that each entity should consider implementing:
• procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction and de-identification
• security systems for protecting information from misuse, interference and loss and from unauthorised access, modification or disclosure (such as IT systems, internal access controls and audit trails)
• a commitment to conducting a Privacy Impact Assessment for any new project in which personal information will be handled, or when a change is proposed to information handling practices
• procedures for identifying and reporting privacy breaches and for receiving and responding to complaints and inquiries
• procedures that give individuals the option of not identifying themselves, or using a pseudonym, when dealing with the APP entity in particular circumstances
• governance mechanisms to ensure compliance with the APPs (such as designated privacy officers and regular reporting to the entity’s governance body)
• regular staff training and information bulletins on how the APPs apply to the entity, and its practices, procedures and systems developed under APP 1.2
• a program of periodic review of the adequacy and currency of the entity’s APP Privacy Policy and of the practices, procedures and systems implemented under APP 1.2.
Developing an APP Privacy Policy
1.8 APP 1.3 requires an APP entity to have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information. A Note to APP 1.5 advises that the policy will usually be available on the entity’s website. Accordingly, the policy should be written in a style and length that makes it easy to understand and suitable for web publication.
1.9 An APP Privacy Policy should explain how the entity manages the personal information it collects, and the information flows associated with that information. The policy is not expected to contain the level of detail that may be recorded under APP 1.2 about the practices, procedures and systems adopted to ensure APP compliance. The policy is also not required to contain the same level of detail as a collection notice provided to an individual under APP 5.1, which will provide more specific information relevant to a particular collection of personal information from the individual.
1.10 It is open to an APP entity to choose the style and format for its APP Privacy Policy, so long as the policy is clearly expressed, up-to-date and otherwise complies with the requirements of APP 1.
1.11 Where a privacy policy is made available online, using a layered approach to the provision of the information may assist an individual’s understanding of the information in the policy. A layered approach means providing a condensed version of the full policy outlining key information from the full policy with direct links to the more detailed information in the full policy.
1.12 An APP Privacy Policy should be tailored to the specific information handling practices of an entity. For example, the policy may explain how different categories of personal information are handled within the entity or by separate business or service units in the entity, and the different stages of the information lifecycle in the entity.
1.13 The policy should be directed to the different audiences who may consult it. Primarily this will be individuals whose personal information is or is likely to be collected or held by the entity. If personal information relevant to particular classes of people or segments of the community is handled differently within the entity, this should be explained. For example, different practices may be adopted in the entity for handling personal information relating to young people or people with a disability.
1.14 These differences should be clearly signposted by headings or a separate discussion of issues. An APP Privacy Policy should be easy to navigate, clearly expressed, readable by a diverse community, and avoid jargon, in-house terms and legalistic expressions. The policy should reflect the central object of APP 1, which is ensuring that entities manage personal information in an open and transparent manner.
Information that must be included in an APP Privacy Policy
1.15 APP 1.4 contains a non-exhaustive list of information that an entity must include in its APP Privacy Policy:
• the kinds of personal information collected and held by the entity (APP 1.4(a))
• how personal information is collected and held (APP 1.4(b))
• the purposes for which personal information is collected, held, used and disclosed (APP 1.4(c))
• how an individual may access their personal information and seek its correction (APP 1.4(d))
• how an individual may complain if the entity breaches the APPs or any registered binding APP code, and how the complaint will be handled (APP 1.4(e))
• whether the entity is likely to disclose personal information to overseas recipients (APP 1.4(f)), and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (APP 1.4(g)).
Further guidance on each of these items is set out below.
Kinds of personal information collected and held (APP 1.4(a))
1.16 An APP Privacy Policy must describe in general terms the kinds of personal information an entity usually collects and holds. For example, the policy may list personal information holdings as ‘contact details’, ‘employment history’, ‘educational qualifications’, ‘complaint details’.
1.17 ‘Sensitive information’ collected or held by the entity should be separately listed (‘sensitive information’ is defined in s 6(1) and explained in Chapter B (Key concepts)). For example, a policy may list sensitive information relating to ‘mental health’, ‘disability’, ‘racial or ethnic origin’, ‘criminal convictions’, ‘religious affiliation’, ‘political affiliation’, and ‘tax file numbers’.
How personal information is collected and held (APP 1.4(b))
1.18 An APP Privacy Policy must explain an entity’s usual approach to collecting personal information. For example, the policy may explain whether personal information is collected directly from individuals or from list purchases, competitions, or referrals from individuals or other entities.
1.19 The policy must describe an entity’s usual approach to holding personal information, including storing and securing information. For example, the policy may explain that personal information is stored by a third party data storage provider; or is combined or linked to other information held about an individual. The description of security measures should not provide details that jeopardise the effectiveness of those measures.
Purposes for which the entity collects, holds, uses and discloses personal information (APP 1.4(c))
1.20 An APP Privacy Policy must describe the purposes for which personal information is usually collected, held, used and disclosed. This description will usually indicate the range of people or entities that may access that personal information. (Discussion of ‘purpose’, ‘collects’, ‘holds’, ‘uses’ and ‘discloses’ is in Chapter B (Key concepts).)
Accessing and seeking correction of personal information (APP 1.4(d))
1.21 An APP Privacy Policy must explain the procedure an individual can follow to gain access to or seek correction of personal information the APP entity holds. At a minimum, the policy should state:
• that individuals have a right to request access to their personal information and to request its correction, under APPs 12 and 13 (see Chapters 12 (APP 12) and 13 (APP 13)), and
• the position title, telephone number and email address of a contact person for requests to access and correct personal information. Consideration should be given to establishing a generic telephone number and email address that will not change with staff movements (for example privacy@agency.gov.au).
1.22 An agency’s APP Privacy Policy could also explain whether requests for access to or correction of personal information should be made under the Privacy Act, the FOI Act or an administrative access arrangement the entity has established. (These alternative avenues for access and correction are discussed in Chapters 12 (APP 12) and 13 (APP 13).)
Complaints about a breach of the APPs or a binding registered APP code (APP 1.4(e))
1.23 An APP Privacy Policy must explain how an individual can complain about an entity’s breach of the APPs or a binding registered APP code. Details that should be included are the procedure and contact details for complaining directly to the entity (see, for example, the generic contact details in paragraph 1.20); and the procedure for complaining to an external complaint body (such as an external dispute resolution scheme of which the entity is a member and that is recognised by the Information Commissioner or the OAIC). The policy can inform people of the different stages in complaint handling: that a complaint should first be made in writing to the APP entity, as required by the Privacy Act s 40(1A), and that the entity should be given a reasonable time (usually 30 days) to respond; the complaint may then be taken to a recognised external dispute resolution scheme of which the entity is a member; and lastly that the complaint may be taken to the OAIC.
1.24 The policy may refer to other complaint avenues that operate alongside the Privacy Act. For example, banks are required to provide information to customers about complaint handling and dispute resolution in relation to the bank’s obligations under the Corporations Act 2001, the Code of Banking Practice, and the Electronic Funds Transfer Code of Conduct. In these circumstances, the APP Privacy Policy may note the different procedures for privacy and non-privacy complaints (or link to other explanatory material the entity has published).
Likely overseas disclosures (APP 1.4(f) and 1.4(g))
1.25 An APP Privacy Policy must set out whether personal information is likely to be disclosed to overseas recipients and the countries in which such recipients are likely to be located ‘if it is practicable to specify those countries in the policy.’ This includes a likely disclosure to a related body corporate located overseas, and the country in which that body is located. The policy should note the kinds of personal information that are likely to be sent to particular countries.
1.26 The Privacy Act does not provide guidance on when it may be impracticable to specify the countries in which overseas recipients of personal information are likely to be located. A possible example is where personal information is likely to be disclosed to numerous overseas recipients and determining where those recipients are likely to be located is unduly costly. However, in that as in other examples, the onus will rest on the entity to explain why it is impracticable to list the countries.
1.27 If personal information is disclosed to numerous overseas locations, the more practical option may be to list those countries in an appendix to the APP Privacy Policy rather than in the body of the policy.
1.28 This requirement to describe overseas disclosure practices in an APP Privacy Policy complements the obligation on an APP entity under APP 5.2(j) and (i) to notify an individual when personal information is being collected if the information is likely to be disclosed to overseas recipients and the location of those recipients. (Notification requirements are discussed in Chapter 5 (APP 5).)
Other matters for inclusion in an APP Privacy Policy
1.29 The list of matters that must be included in an APP Privacy Policy, as discussed above, is not exhaustive. Consideration should be given to including other details that more fully describe how an APP entity manages personal information.
1.30 Following are examples of other information that could be included:
• whether the APP entity retains a record of personal information about all individuals (or categories of persons) with whom it deals
• who, other than the individual, can access personal information, and the conditions for access
• the period for which personal information records are kept – and, for agencies, the arrangements for transferring personal information records to the National Archives of Australia under a Records Disposal Authority
• the entity’s process or schedule for updating its APP Privacy Policy, and how changes will be publicised
• if the APP entity interacts with and collects personal information about a vulnerable segment of the community (such as children), the criteria that will be applied and the procedure that will be followed in collecting and holding that information
• the situations in which a person can deal with the APP entity by not identifying themselves or using a pseudonym (see Chapter 2 (APP 2))
• information retention or destruction practices or obligations that are specific to the entity.
Making an APP Privacy Policy publicly available
Making an APP Privacy Policy available in an appropriate form
1.31 APP 1.5 requires an APP entity to take reasonable steps to make its APP Privacy Policy available free of charge, and in an appropriate form. This furthers the objective of APP 1 of ensuring that personal information is managed in an open and transparent way.
1.32 An APP entity is generally expected to make its policy available by publishing it on its website (see Note to APP 1.5). The information in the policy may be provided using a layered approach (see paragraph 1.11). The policy should be prominently displayed and be easy to access and download. If it is foreseeable that the policy may be accessed by individuals with special needs (such as individuals with a vision impairment, or individuals from a non-English speaking background), appropriate accessibility measures should be put in place. Agencies are also required to comply with any applicable government accessibility requirements.
1.33 Different publication options may need to be considered where the APP entity does not have an online presence, or where individuals who regularly interact with the entity may not have internet access. Options may include:
• displaying the policy on a stand at the entity’s premises, so that it can be seen by members of the public
• distributing a printout of the policy on request
• including details about how to access the policy at the bottom of all correspondence to individuals
• where the entity interacts with individuals by telephone, informing them during the telephone call of how the policy may be accessed in a particular form.
1.34 The expectation is that an entity’s APP Privacy Policy should be available free of charge, in whatever form it is made available. However, in special circumstances a charge can be imposed consistently with the requirement of APP 1.5 that ‘reasonable steps’ be taken to make the policy freely accessible. If a charge is imposed, the reason for the charge and the basis of calculation should be clearly explained, and the charge should be calculated at the lowest reasonable cost. Making an APP Privacy Policy publicly available in an appropriate form should be treated as part of an APP entity’s normal operating costs.
Making an APP Privacy Policy available in a requested form
1.35 APP 1.6 requires an APP entity, upon request, to take reasonable steps to provide a person or body with a copy of its APP Privacy Policy in the form requested. This should be done as soon as reasonably practicable after the request is received.
1.36 The reference to a ‘body’ requesting a copy of a policy makes it clear that a request may be made other than by an individual or entity that is subject to the Privacy Act.
1.37 An APP entity can decline to provide a copy of its APP Privacy Policy in a particular form if it would not be reasonable in the circumstances to meet the request. For example, doing so may be unduly costly or unnecessary in light of other steps taken by the entity to make its policy publicly available and accessible. Before refusing a particular request, an entity should consider any reasons given by the body or person for requesting the policy in a particular form, any special need the requester may have to be given access in a particular form, whether the entity has unique or unusual information handling practices, and whether the nature, volume or sensitivity of the personal information held by the entity makes it appropriate that its policy is made available in additional forms.
1.38 Inherent in the obligation to take ‘reasonable steps’ is an expectation that a policy will usually be made available free of charge. The cost of doing so should be treated as part of an APP entity’s normal operating costs.
1.39 If a request for access in a particular form is declined, or an access charge is imposed, the APP entity should explain this decision to the person or body making the request. The entity should be prepared to undertake reasonable consultation with the requester about the request. Any charge should be clearly communicated and explained before the policy is made available.
Chapter 2 – Australian Privacy Principle 2 – Anonymity and pseudonymity
Key points
• APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym with an APP entity.
• Anonymity means that an individual dealing with an APP entity cannot be identified and the APP entity does not collect personal information or identifiers.
• A pseudonym is a name, term or descriptor that is different to an individual’s actual name.
• An APP entity is not required to provide those options where:
o the entity is required or authorised by law or a court or tribunal order to deal with identified individuals, or
o it is impracticable for the entity to deal with individuals who have not identified themselves.
• An APP entity must ensure that individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity.
What does APP 2 say?
2.1 APP 2 provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.
2.2 That principle does not apply in relation to a particular matter if:
• the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves (APP 2.2(a)), or
• it is impracticable for the APP entity to deal with individuals who have not identified themselves or used a pseudonym (APP 2.2(b)).
2.3 ‘Anonymity’ and ‘pseudonymity’ are different concepts. APP 2 requires that both options be made available to individuals dealing with an APP entity unless one of the two exceptions applies. Both options must also be made available each time an individual interacts with the APP entity – that is, when a person is ‘dealing with an APP entity in relation to a particular matter’ (APP 2.1). Similarly, the exceptions (‘required or authorised by law’ and ‘impracticability’) apply to the particular dealing between an individual and the APP entity.
The difference between anonymity and pseudonymity
Anonymity
2.4 Anonymity requires that an individual may deal with an APP entity without providing any personal information or identifiers. The APP entity should not be able to identify the individual at the time of the dealing or subsequently.
2.5 Examples of anonymous dealings include an unidentified individual telephoning an entity to inquire generally about its goods or services, and an individual completing a retail transaction and paying for goods in cash.
Pseudonymity
2.6 Pseudonymity requires that an individual may deal with an APP entity by using a name, term or descriptor that is different to the person’s actual name. Examples include an email address that does not contain the person’s actual name, and a user name that a person uses when participating in an online forum.
2.7 The use of a pseudonym does not necessarily mean that an individual cannot be identified. The individual may choose to divulge their identity, or to volunteer personal information necessary to implement a particular transaction – such as credit information or an address at which goods can be delivered. Similarly, an entity may have in place a registration system that enables a person to participate by pseudonym in a moderated online discussion forum, on condition that the person is identifiable to the forum moderator or the entity.
2.8 APP entities should bear in mind that the object of APP 2 is to provide individuals with the opportunity to deal with APP entities without revealing their identity. Personal information should only be linked to a pseudonym if this is required or authorised by law, it is impracticable for the entity to act differently, or the individual has consented to providing or linking the additional personal information. An entity should also consider restricting access to personal information that is linked to a pseudonym to authorised personnel (for a discussion of the APP 11 security requirements for personal information, see Chapter 11).
Why anonymity and pseudonymity are important
2.9 Anonymity and pseudonymity are important privacy concepts. They enable individuals to exercise greater control over their personal information and decide how much personal information will be shared or revealed to others.
2.10 An individual may prefer to deal anonymously or pseudonymously with an APP entity for various reasons:
• a preference not to be identified or to be ‘left alone’
• to avoid direct marketing from that entity or other entities
• to keep their whereabouts secret from a former partner or family member
• to access services (such as counselling or health services) without this becoming known to others
• to express views in the public arena without being personally identified.
2.11 There can be wider benefits too:
• the community is better informed of products and services that entities provide if individuals are able to inquire without being identified
• freedom of expression is enhanced if individuals can express controversial or minority opinions without fear of reprisal
• the risk of identity fraud is minimised when less personal information is collected, linked and stored by entities
• APP entities can lessen their compliance burden under the APPs by reducing the quantity of personal information they collect
• client feedback will be more forthcoming and robust if individuals have the option of making an unattributed compliment or complaint to an entity.
Providing anonymous and pseudonymous options
2.12 It is implicit in APP 2 that an APP entity must ensure that individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity. APP 3 also requires that an APP entity not collect an individual’s personal information unless it is reasonably necessary for one or more of the entity’s functions or activities.
2.13 The steps an APP entity should take to draw both options to the attention of individuals will depend on the nature of the dealing between the entity and an individual. At a minimum, an entity’s APP Privacy Policy (APP 1) should explain the circumstances in which an individual may deal anonymously or by pseudonym with the entity, and the procedures for doing so. The APP Privacy Policy may need to go further and explain how the entity manages pseudonyms and any linked personal information, and if an individual will be placed at a disadvantage by dealing anonymously or through a pseudonym (for example, where only a limited service can be provided). In summary, often more than a simple statement in an APP Privacy Policy that individuals can deal anonymously or by pseudonym with the entity will be required.
2.14 Other measures that could be adopted by an APP entity to facilitate anonymous and pseudonymous dealings include:
• if the entity provides a facility on its website for online communication – stating prominently that an individual may use that facility without providing personal information
• if telephone calls to the entity are routed through an automated message – informing callers in that message that they are not required to provide personal information
• if individuals can contact the entity by using an online or printed form – stating on the form that personal identification boxes (such as name and address) are not mandatory fields
• if the entity solicits public submissions or comments from individuals – allowing participants to use a pseudonym that will be published, even if the individual’s name is supplied confidentially to the entity
• in other dealings between the entity and individuals – informing individuals at the beginning of a dealing that they may interact anonymously or by pseudonym.
Requiring identification – required or authorised by law
2.15 APP 2.2(a) provides that an individual may not have the option of dealing anonymously or by pseudonym with an APP entity if the entity ‘is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves’. The meaning of ‘required or authorised’ by a law or order is discussed in Chapter B (Key concepts) of these Guidelines.
2.16 If an entity is ‘required’ by a law or order to deal only with an identified individual it will be necessary for the individual to provide adequate identification. On the other hand, if the entity is ‘authorised’ by a law or order to deal with an identified individual, the entity may have discretion to dispense with the requirement of providing the individual with the option of dealing with the entity anonymously or pseudonymously. Whether a discretion exists, and whether it is appropriate to rely upon it, will depend on the terms of the law or order and the nature of the dealing.
2.17 The following are given as examples of where a law or order may require or authorise an APP entity to deal only with an identified individual:
• processing an individual’s application for an identity document (such as a passport, licence or security pass)
• paying a welfare or healthcare benefit to an eligible individual
• providing assistance to an individual who has been diagnosed with a disease that must be recorded and notified under a public health law
• providing assistance to a suspected victim of child abuse, whose injury is covered by a mandatory reporting requirement
• opening a bank account for an individual
• supplying a pre-paid mobile phone to an individual.
2.18 An APP entity that relies on APP 2.2(a) to collect personal information should ensure that the collection does not go beyond the requirements of the law or court or tribunal order. For example, the legal requirement may be satisfied by collecting a person’s name but not their address, gender or date of birth. APP 3 imposes a similar requirement, that generally an APP entity can only collect personal information that is reasonably necessary for one or more of its functions or activities.
Requiring identification – impracticability
2.19 APP 2.2(b) provides that an individual may not have the option of dealing anonymously or by pseudonym with an APP entity if ‘it is impracticable for the APP entity to deal with individuals who have not identified themselves’.
2.20 The following are given as examples of where it may be impracticable to deal with an individual who is not identified:
• dispute resolution: it may be impracticable to investigate and resolve an individual’s particular complaint about how their case was handled or the staff of an entity behaved unless the complainant provides their name or similar information
• personal information requests: in responding to an individual’s request for personal information made under the Freedom of Information Act, the Privacy Act or a comparable law or administrative scheme, the entity may not be able to provide that information without knowing the requester’s identity
• delivery of goods: an entity may not be able to deliver purchased goods to an individual without knowing that person’s address and/or their name.
2.21 In special circumstances it may be open to an entity to rely on the ‘impracticability’ exception where it would be unduly costly for the entity to provide a service to an unidentified individual or to change an existing system or practice to include the option of anonymous or pseudonymous dealings. However, this is more likely to be a transitional rather than an ongoing justification. All APP entities are expected to design and maintain information collection systems that incorporate anonymous and pseudonymous options.
2.22 Similar to paragraph 2.18, an entity that is relying on APP 2.2(b) should not collect more personal information than is required to facilitate the dealing with an individual.
Chapter 3 – Australian Privacy Principle 3 – Collection of solicited personal information
Key points
• APP 3 outlines when an APP entity may collect solicited personal information.
• An APP entity solicits personal information if it explicitly requests another entity to provide personal information, or it takes active steps to collect personal information.
• APP 3 deals with when an APP entity can collect personal information, and how an APP entity must collect personal information.
• For personal information (other than sensitive information), an APP entity that is:
o an agency, may only collect this information where it is reasonably necessary for, or directly related to, the agency’s functions or activities
o an organisation, may only collect this information where it is reasonably necessary for the organisation’s functions or activities.
• APP 3 contains different requirements for the collection of sensitive information compared to other types of personal information. Unless an exception applies, an APP entity may only collect sensitive information where the above conditions are met and the individual concerned consents to the collection.
• Personal information must only be collected by lawful and fair means.
• Personal information must be collected from the individual concerned, unless this is unreasonable or impracticable (additional exceptions apply to agencies).
What does APP 3 say?
3.1 The APPs distinguish between an APP entity collecting solicited personal information (APP 3) and receiving unsolicited personal information (APP 4).
3.2 APP 3 deals with two aspects of collecting solicited personal information:
• when an APP entity can collect personal information: the requirements vary according to whether the personal information is or is not sensitive information, and whether the APP entity is an agency or an organisation
• how an APP entity must collect personal information: the same requirements apply to all APP entities and to all kinds of personal information.
3.3 In summary, the principles that apply are:
• an agency may only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities (APP 3.1)
• an organisation may only collect personal information that is reasonably necessary for one or more of its functions or activities (APP 3.2)
• and, in addition to the above requirements, an APP entity may only collect sensitive information if the individual consents to the sensitive information being collected, unless an exception applies (APP 3.3)
• an APP entity must collect personal information:
o only by lawful and fair means (APP 3.5), and
o directly from the individual, unless an exception applies (APP 3.6).
‘Solicit’ and ‘collect’
3.4 APP 3 applies where an APP entity ‘solicits’ personal information, whether or not it ultimately collects it.
3.5 An APP entity ‘collects’ personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’ (s 6(1)). This concept applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means. In practice, all personal information that is held by an entity will generally be treated as information that was collected by the entity. ‘Collect’ is discussed in more detail in Chapter B (Key concepts).
3.6 An APP entity ‘solicits’ personal information ‘if the entity requests another entity to provide the personal information, or to provide a kind of information in which that personal information is included’ (s 6(1)). The request may be made to an agency, organisation, individual or a small business operator. A ‘request’ is an active step taken by an entity to collect information, and may not involve direct communication between the entity and an individual.
3.7 Examples of solicited information include:
• information provided by an individual in response to a request, direction or order
• information about an individual provided by another entity in response to a request, direction, order or arrangement for sharing or transferring information between both entities
• a completed form or application submitted by an individual
• a complaint letter sent in response to a general invitation on an entity’s website to individuals to complain to the entity
• an employment application sent in response to either a job advertisement published by an entity or an expression of interest register maintained by the entity
• a form completed to enter a competition being conducted by an entity
• information provided to a ‘fraud hotline’ that is designed to capture ‘tip-offs’ from the public
• an entry in an APP entity’s visitors book
• a record of a credit card payment
• CCTV footage that identifies individuals.
3.8 APP 4 applies if an entity receives ‘unsolicited’ personal information – that is, if no active step was taken by the entity to collect the information. Examples are given in Chapter 4 (APP 4).
Collection for an APP entity’s ‘functions or activities’
3.9 An APP entity must only collect personal information which is reasonably necessary for (or, for agencies, directly related to) ‘one or more of the entity’s functions or activities’ (APPs 3.1 and 3.2). Different criteria apply for ascertaining the functions and activities of agencies and organisations.
3.10 Determining whether a particular collection of personal information is permitted involves a two-step process:
• identifying an APP entity’s functions or activities
• determining whether the particular collection of personal information is reasonably necessary for (or, for agencies, directly related to) one of those functions or activities.
Identifying the functions or activities of an APP entity
3.11 An agency’s functions will be conferred either by legislation (including a subordinate legislative instrument) or an executive scheme or arrangement established by government. Identifying an agency’s functions involves examining the legal instruments that confer or describe the agency’s functions. These include:
• Acts and subordinate legislative instruments
• the Administrative Arrangements Order made by the Governor-General
• government decisions or ministerial statements that announce a new government function.
3.12 The activities of an agency will be related to its functions. The activities of an agency include incidental and support activities, such as human resource, corporate administration, property management and public relations activities.
3.13 One resource that describes an agency’s functions is that agency’s Information Publication Scheme (IPS) entry. Agencies to which the Freedom of Information Act 1982 applies are required to publish on a website ‘details of the functions of the agency’. This forms part of the IPS established by the FOI Act (ss 8(2)(c), 8D(3)). The IPS entries of most agencies are readily accessible through an IPS icon or link on the homepage of the agency’s website. Another resource that describes agency functions and activities is the annual report of an agency, usually accessible from the agency’s website.
3.14 An organisation’s functions or activities include:
• current functions or activities of the organisation
• proposed functions or activities the organisation has decided to carry out and for which it has established plans
• activities the organisation carries out in support of its other functions and activities, such as human resource, corporate administration, property management and public relations activities.
3.15 The functions and activities of an organisation will commonly be described (though not necessarily exhaustively) on a website, in an annual report, and in corporate brochures, advertising, product disclosure statements and client and customer letters and emails.
3.16 The functions and activities of an organisation do not include functions and activities of a related body corporate that are not also functions or activities of the organisation. However, the related body corporate may separately be subject to the Privacy Act.
3.17 In addition, the functions and activities of an organisation are limited to those in which it may lawfully engage.
Collection that is ‘directly related’ to an agency’s functions or activities
3.18 An agency may only collect personal information that is ‘reasonably necessary for’ or ‘directly related to’ the agency’s functions or activities (APP 3.1). To comply with APP 3.1, an agency’s collection of personal information only needs to meet one of these two criteria.
3.19 To be ‘directly related to’, a clear and direct connection must exist between the personal information being collected and an agency function or activity.
Collection that is ‘reasonably necessary’ for an APP entity’s functions or activities
3.20 An APP entity may collect personal information that is ‘reasonably necessary for’ a function or activity of the entity (APP 3.1 and APP 3.2).
3.21 The ‘reasonably necessary’ test is an objective test: whether a reasonable person who is properly informed would agree that the personal information being collected is reasonably required for one of the APP entity’s functions or activities. The entity has responsibility for being able to explain how that ‘reasonably necessary’ test is met.
3.22 Factors that may be important in determining whether a collection of personal information is reasonably necessary for a function or activity include:
• the primary purpose of collection
• how the information will be used in undertaking a function or activity of the entity (for example, collection on the basis that information may become necessary for future activities would not be reasonably necessary)
• whether the entity could undertake the function or activity without collecting that information, or by collecting a lesser amount of personal information.
3.23 The following are instances in which the Privacy Commissioner has previously ruled that a collection of personal information was not reasonably necessary for an entity’s function or activity:
• a job applicant being asked to advise if they had suffered a work-related injury or illness, when this was not relevant to the position being advertised
• a person applying to open a bank account being asked to complete a standard form application that included a question about marital status, when this had no bearing on the applicant’s eligibility to open an account
• a medical practitioner photographing a patient for the patient’s medical file, when this was not necessary to provide a health service.
3.24 Other examples of personal information collection that may not be reasonably necessary for an APP entity’s functions or activities include:
• collecting personal information about a group of individuals, when information is only required for some of those individuals
• collecting more personal information than is required for a function or activity – for example, collecting all information entered on a person’s drivers licence when the purpose is to establish if the person is aged 18 years or over
• collecting personal information that is not required for a function or activity but is being entered in a database for future reference
• an organisation collecting personal information for or on behalf of a related body corporate where the collection of that information is not reasonably necessary for the organisation’s own functions or activities.
Collecting sensitive information
3.25 APP 3.3 imposes an additional requirement for collecting sensitive information about an individual. Unless an exception applies, an APP entity must:
• satisfy the criteria above, ie the collection of the sensitive information must be reasonably necessary for (or, for agencies, directly related to) one or more of the entity’s functions or activities, and
• the individual about whom the sensitive information relates must consent to the collection.
3.26 ‘Sensitive information’ is defined in s 6(1), and is discussed in more detail in Chapter B (Key concepts).
3.27 ‘Consent’ is defined in s 6(1) as ‘express consent or implied consent’, and is discussed in more detail in Chapter B. The four key elements of consent are:
• the consent must be voluntary
• the individual must be adequately informed before giving consent
• the consent must be current and specific, and
• the individual must have the capacity to understand and communicate their consent.
3.28 APP 3.4 lists five exceptions to the requirement for consent. These are considered below.
Collecting sensitive information as required or authorised by law
3.29 An APP entity may collect sensitive information if the collection ‘is required or authorised by or under an Australian law or a court/tribunal order’ (APP 3.4(a)). The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in more detail in Chapter B (Key concepts).
3.30 An example of where a law or order may require or authorise collection of sensitive information is the collection by an authorised officer under the Migration Act of personal identifiers (that may include biometric information) from a non-citizen who is in immigration detention.
Collecting sensitive information where a permitted general situation exists
3.31 An APP entity may collect sensitive information if a ‘permitted general situation’ exists in relation to the collection (APP 3.4(b)).
3.32 Section 16A lists seven permitted general situations (two of which apply only to agencies). The seven situations are set out below, and are discussed in Chapter C (Permitted general situations) (including the meaning of relevant terms).
Lessening or preventing a serious threat to life, health or safety
3.33 An APP entity may collect sensitive information if:
• the entity reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and
• it is unreasonable or impracticable to obtain the individual’s consent (s 16A(1), Item 1).
3.34 Examples of where this exception might apply are:
• collecting health information about an individual who is seriously injured, requires treatment and is unable at that time to give informed consent
• collecting sensitive information that is required to provide assistance to a child who may be at risk of physical or sexual abuse by a parent.
Taking appropriate action in relation to suspected unlawful activity or serious misconduct
3.35 An APP entity may collect sensitive information if:
• the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being, or may be engaged in, and
• the entity reasonably believes that the collection is necessary in order for the entity to take appropriate action in relation to the matter (s 16A(1), Item 2).
3.36 Examples of where this exception might apply are the collection of sensitive information by:
• an APP entity that is investigating suspected fraud within the entity
• an agency that is investigating a suspected serious breach of the Australian Public Service Code of Conduct.
Locating a missing person
3.37 An APP entity may collect sensitive information if:
• the entity reasonably believes that the collection is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing, and
• the collection complies with rules made by the Information Commissioner under s 16A(2) of the Privacy Act (s 16A(1), Item 3).
Reasonably necessary for establishing, exercising or defending a legal or equitable claim
3.38 An APP entity may collect sensitive information if the collection is reasonably necessary to establish, exercise or defend a legal or equitable claim (s 16A(1), Item 4).
3.39 An example of where this exception might apply is an insurer collecting health information about an individual who has made an insurance compensation claim but is suspected of misrepresenting their claim or the extent of their injuries.
Reasonably necessary for a confidential alternative dispute resolution process
3.40 An APP entity may collect sensitive information if the collection is reasonably necessary for the purposes of a confidential alternative dispute resolution process (s 16A(1), Item 5).
3.41 An example of where this exception might apply is an alternative dispute resolution practitioner making a record of a party recounting their version of events, where that account includes the disclosure of sensitive information about an individual who is directly or indirectly involved in the dispute.
Necessary for a diplomatic or consular function or activity
3.42 An agency may collect sensitive information if the agency reasonably believes the collection is necessary for the agency’s diplomatic or consular functions or activities (s 16A(1), Item 6).
3.43 An example of where this exception might apply is where an agency with diplomatic or consular functions collects sensitive information about an individual who is overseas and in need of consular assistance because the individual has been hospitalised, is suffering a psychiatric illness, has been arrested or is missing.
Necessary for certain Defence Force activities outside Australia
3.44 The Defence Force (as defined in s 6(1)) may collect sensitive information if it reasonably believes the collection to be necessary for a warlike operation, peacekeeping, civil aid, humanitarian assistance, a medical emergency, a civil emergency or disaster relief occurring outside Australia and the external Territories (s 16A(1), Item 7).
Collecting sensitive information where a permitted health situation exists
3.45 An organisation may collect sensitive information if a ‘permitted health situation’ exists in relation to the collection (APP 3.4(c)). This exception does not apply to agencies.
3.46 Section 16B lists two permitted health situations that relate to the collection of health information by an organisation. The two situations are set out below, and are discussed in Chapter D (Permitted health situations) (including the meaning of relevant terms).
Providing a health service
3.47 An organisation may collect health information about an individual if the information is necessary to provide a health service to the individual, and either:
• the collection is required or authorised by or under an Australian law (other than the Privacy Act), or
• the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation (s 16B(1)).
3.48 An example of where this exception might apply is where a participant in the personally controlled electronic health record (PCEHR) system collects health information included in a consumer’s PCEHR as authorised by the Personally Controlled Electronic Health Records Act 2012.
Conducting research
3.49 An organisation may collect health information about an individual if the collection is necessary for research relevant to public health or public safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service, and:
• the particular purpose cannot be served by collecting de-identified information
• it is impracticable to obtain the individual’s consent, and
• the collection is either:
o required by or under an Australian law (other than the Privacy Act)
o in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
o in accordance with guidelines approved by the Information Commissioner under s 95A of the Privacy Act (s 16B(2)).
3.50 An example of where this exception might apply is an organisation conducting longitudinal research into heart disease and requiring health information about a large number of individuals from different data sources for research linkage. In this case, the collection must be required by law or carried out in accordance with the rules or guidelines referred to in s 16B(2).
Collecting sensitive information for an enforcement activity
3.51 An enforcement body may collect sensitive information where:
• if the body is the Immigration Department – the Department reasonably believes that collecting the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by, or on behalf of, the Department (APP 3.4(d)(i))
• for other enforcement bodies – the body reasonably believes that collecting the information is reasonably necessary for, or directly related to, one or more of the body’s functions or activities (APP 3.4(d)(ii)).
3.52 ‘Enforcement body’ is defined in s 6(1) as a list of specific bodies. The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, Australian Crime Commission, Customs, the Integrity Commissioner, Australian Prudential Regulation Authority and Australian Securities and Investments Commission.
3.53 For an enforcement body to collect sensitive information using this exception, it must:
• for the Immigration Department, identify the ‘enforcement related activities’ it conducts or that are conducted on its behalf, and for other enforcement bodies, identify their ‘functions or activities’, and
• ‘reasonably believe’ that the collection is either ‘reasonably necessary for’ or ‘directly related to’ one or more of those functions or activities.
3.54 ‘Reasonably believes’ is discussed in more detail in Chapter B (Key concepts). Identifying the ‘functions or activities’ of an agency is discussed above at paragraphs 3.11 to 3.13, while ‘reasonably necessary for’ and ‘directly related to’ are discussed above at paragraphs 3.18 to 3.24.
3.55 ‘Enforcement related activities’ is defined in s 6(1) and discussed in Chapter B (Key concepts). Where applied to the Immigration Department, the activities could include assessing and enforcing compliance with visa and citizenship requirements, and detecting, preventing, investigating and prosecuting breaches of visa, immigration and citizenship laws. Non-enforcement related activities of the Department do not fall within this exception.
3.56 An example of where the Immigration Department may collect sensitive information from an individual using this exception is where it reasonably believes that the sensitive information directly relates to the function of investigating whether a person has breached an immigration law.
Collection of sensitive information by a non-profit organisation
3.57 A non-profit organisation may collect sensitive information if:
• the information relates to the activities of the organisation, and
• the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities (APP 3.4(e)).
3.58 ‘Non-profit organisation’ is defined in s 6(1) as an organisation ‘that is a non-profit organisation; and that engages in activities for cultural, recreational, political, religious, philosophical, professional, trade or trade union purposes’. The term ‘cultural purposes’ includes both racial and ethnic purposes.
3.59 There are three criteria a non-profit organisation must meet to rely on this exception to collect sensitive information:
• firstly, the non-profit organisation can rely on this exception only when collecting sensitive information for an activity that is undertaken for one of the specified purposes in the definition of ‘non-profit organisation’ (s 6(1)). An organisation conducting activities for some other purpose cannot rely on this exception to collect sensitive information
• secondly, the sensitive information that is collected must ‘relate’ to the activity that is being conducted for a specified purpose. A clear relationship, assessed objectively, must exist between the information collected and that activity. For example, the information may relate to a fundraising activity undertaken by a non-profit organisation to support its cultural, recreational, political, religious, philosophical, professional, trade or trade union purpose.
• thirdly, the sensitive information must relate solely to a member of the organisation, or an individual who has regular contact with the organisation in connection with its activities. Collection of sensitive information about a relative of a member of the organisation would not be covered unless the relative was also a member or person in regular contact with the non-profit organisation.
3.60 Examples of where a non-profit organisation may be permitted to collect sensitive information are:
• a religious organisation collecting information about the views of its members on religious or moral issues
• a trade union collecting information about the political views of a job applicant.
Collecting by lawful and fair means
3.61 An APP entity must collect personal information ‘only by lawful and fair means’ (APP 3.5). This requirement applies to all APP entities.
Collecting by lawful means
3.62 A collection of personal information is lawful if it is not contrary to law. This is different to the phrase ‘required or authorised by law’ that is used in some other APP principles, where a law or legal order is needed to require or authorise a particular information-handling activity.
3.63 A means of collection will not be lawful if a law, legal order or legal principle prevents that means of collection. Examples include:
• collecting in breach of legislation, for example:
o collecting via computer hacking
o collecting using telephone interception or a listening device except under the authority of a warrant
o requesting or requiring information in connection with, or for the purpose of, an act of discrimination
• collecting by a means that would constitute a civil wrong, for example, by trespassing on private property or threatening damage to a person unless information is provided
• collecting information contrary to a court or tribunal order, for example, contrary to an injunction issued against the collector.
Collecting by fair means
3.64 A ‘fair means’ of collecting information is one that is not oppressive, does not involve intimidation or deception, and is not unreasonably intrusive. Whether a collection uses unfair means will depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if undertaken in connection with a fraud investigation.
3.65 The following are given as examples of where a collection of personal information may be unfair:
• collecting from a file dumped by accident on a street, or from an electronic device which is lost or left unattended
• collecting from an individual who is traumatised, in a state of shock or intoxicated
• collecting in a way that disrespects cultural differences
• misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
• collecting by telephoning an individual in the middle of the night
• collecting by deception, for example, wrongly claiming to be a police officer, doctor or trusted organisation.
Collecting directly from the individual
3.66 APP 3.6 provides that an APP entity ‘must collect personal information about an individual only from the individual’, unless one of three exceptions applies:
• for all APP entities – it is unreasonable or impracticable for the entity to collect personal information only from the individual
• for agencies – the individual consents to the personal information being collected from someone other than the individual
• for agencies – the agency is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual.
Unreasonable or impracticable
3.67 Whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned will depend on the circumstances of the particular case. Considerations that may be relevant include:
• whether it is difficult to collect the information directly from that individual
• whether the individual would reasonably expect information about them to be collected directly from them or from another source
• the sensitivity of the information being collected
• whether direct collection would jeopardise a purpose of collection or the integrity of the information collected
• whether the cost of collecting directly from the individual would be excessive
• any privacy risk if the information is collected from another source.
3.68 The following are given as examples of when it may be unreasonable or impracticable to collect personal information only from the individual concerned:
• collection by a law enforcement agency of personal information about an individual who is under investigation, where the collection may jeopardise the investigation if the information is collected only from that individual
• if a legal or official document that is mailed to an individual is returned to the sender, the individual’s current contact details may need to be obtained from another source.
Consent by the individual
3.69 The term ‘consent’ is discussed at paragraph 3.27 and in Chapter B (Key concepts). As noted in those sections, consent can be express or implied, and must be voluntary, informed, current and specific, and the individual must have capacity to consent.
3.70 An example of where an agency might collect information from someone other than the individual is where an individual consents to one agency disclosing their personal information (such as contact details) to the other agency.
Required or authorised by law or a court or tribunal order
3.71 The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts). It is a common feature of legislation that an agency, for the purpose of performing a function or exercising a power, is authorised to require a person or body to provide information.
3.72 An example of where collection by an agency from someone other than the individual concerned might be required or authorised by law is the Privacy Act s 44, which provides that the Information Commissioner may issue a notice to a person requiring them to provide specified information for the purpose of an investigation under the Privacy Act (and that information may include personal information).
Chapter 4 — Australian Privacy Principle 4 – Dealing with unsolicited personal information
Key points
• APP 4 outlines the steps an APP entity must take if it receives unsolicited personal information.
• Unsolicited personal information is information received by an APP entity where the entity has taken no active step to collect the information.
• If an APP entity receives unsolicited information, it must decide whether it could have collected the information under APP 3 (collection of solicited personal information).
• If the entity determines it could not have collected the information under APP 3, different rules apply according to whether or not the information is contained in ‘a Commonwealth record’.
• If the unsolicited personal information is contained in a Commonwealth record, APP 4 does not require it to be destroyed or de-identified.
• Other unsolicited personal information that could not have been collected under APP 3 (collection of solicited personal information), must be destroyed or de-identified as soon as practicable if it is lawful and reasonable to do so.
• If an APP entity is not required to destroy or de-identify the unsolicited personal information under APP 4, the entity may retain the information but must deal with it in accordance with APPs 5-13.
What does APP 4 say?
4.1 APP 4 outlines the steps an APP entity must take if it receives unsolicited personal information. Unsolicited personal information is personal information received by an APP entity that has not been requested by that entity.
4.2 An APP entity that receives unsolicited personal information must decide whether or not it could have collected the information under APP 3, and:
• if the entity could not have collected the information and the information is not contained in a Commonwealth record – the entity must destroy or de-identify the information as soon as practicable, if it is lawful and reasonable to do so, or
• if the information is contained in a Commonwealth record, or the entity could have collected the information under APP 3, or the entity is not required to destroy or de-identify the information – the entity may keep the information but must deal with it in accordance with APPs 5–13.
4.3 In effect, APP 4 requires an APP entity to consider the following issues:
• has the entity received unsolicited personal information?
• could the entity have collected that personal information under APP 3?
• if the entity is an agency – is the information contained in a Commonwealth record?
• should unsolicited personal information held by the entity be destroyed or de-identified, or should it be retained and dealt with in accordance with APPs 5 to 13?
What is ‘unsolicited’ personal information?
4.4 All personal information received by an APP entity is to be classified as either solicited or unsolicited personal information. The Privacy Act defines ‘solicit’ but does not define ‘unsolicited’. Therefore, personal information received by an entity that does not fall within the definition of ‘solicited’ is unsolicited information.
4.5 The term ‘solicit’ is discussed in Chapter 3 (APP 3) including examples of solicited personal information. In summary, an APP entity solicits personal information if it requests another agency, organisation, individual or small business operator to provide the personal information, or other information in which that personal information is included. A ‘request’ is an active step taken by an APP entity to collect information, and may not involve direct communication between the entity and an individual.
4.6 Applying that definition of ‘solicit’, unsolicited personal information is information that an APP entity receives but has taken no active steps to collect. Examples include:
• misdirected mail received by an entity
• correspondence to Ministers and Government departments from members of the community, or other unsolicited correspondence to an entity
• a petition sent to an entity that contains names and addresses
• an employment application sent to an entity on an individual’s own initiative and not in response to an advertised vacancy
• a promotional flyer containing personal information, sent to an entity by an individual promoting the individual’s business or services.
4.7 As a general rule, personal information provided to an APP entity that is additional to information that has been solicited by the entity should be treated as unsolicited information. For example, if an individual completes an application form provided by an entity but attaches financial records not requested by the entity, these should be treated as unsolicited information and dealt with as required by APP 4.3 or 4.4 (see below).
4.8 In some instances, an APP entity may have difficulty deciding whether personal information it receives falls within the terms of the entity’s request and is therefore solicited information. In such circumstances, an APP entity should focus on the nature of the additional information and the connection it has with the entity’s request.
Could unsolicited personal information have been collected by the entity under APP 3?
4.9 An APP entity that receives unsolicited personal information must, ‘within a reasonable period after receiving the information’, decide whether the information could have been collected by the entity under APP 3 (APP 4.1).
4.10 The tests for deciding whether personal information can be collected by an entity are set out in APP 3 (see Chapter 3):
• an agency may only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities (APP 3.1)
• an organisation may only collect personal information that is reasonably necessary for one or more of its functions or activities (APP 3.2)
• and, in addition to the above requirements, an APP entity may only collect sensitive information if the individual consents to the sensitive information being collected, unless an exception applies (APP 3.3).
4.11 What is a ‘reasonable period’ for deciding whether unsolicited personal information could have been collected under APP 3 will depend on the circumstances of the particular case. The entity should decide that issue promptly after the unsolicited information is received.
4.12 APP 4.2 permits an entity to use or disclose the unsolicited personal information (for example, in internal discussions) for the purpose of determining whether the information could have been collected under APP 3.
Dealing with unsolicited personal information
4.13 If an APP entity receives unsolicited personal information that it determines it could not have collected under APP 3, it has an obligation to destroy or de-identify the information as soon as practicable, unless it is contained in a ‘Commonwealth record’ or it is unlawful or unreasonable to do so (APP 4.3). In practice, this means that different rules apply to agencies and organisations when handling this unsolicited personal information.
Unsolicited personal information received by an agency
4.14 The term ‘Commonwealth record’ in s 6(1) of the Privacy Act has the same meaning as in s 3 of the Archives Act 1983. The core meaning is ‘a record that is the property of the Commonwealth’ or a Commonwealth agency. This is likely to include, in almost all cases, all personal information collected or received by agencies.
4.15 If the unsolicited personal information is contained in a Commonwealth record, the agency is not required to destroy or de-identify the information under APP 4.3, even if it determines that it could not have collected the information under APP 3. However, an agency still needs to consider its obligations under the Archives Act.
4.16 A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with s 24 of the Archives Act. The grounds on which this may be done include ‘normal administrative practice’ and destruction or alteration in accordance with an arrangement approved by the Archives (often titled a Records Disposal Authority). See Chapter B (Key concepts) for more information about Commonwealth records.
4.17 Unsolicited personal information held by an agency in a Commonwealth record must be dealt with in accordance with APPs 5-13 (APP 4.4). See paragraphs [4.28]-[4.30] for information about this requirement.
Unsolicited personal information received by an organisation
4.18 Unsolicited personal information received by an organisation that could not have been collected under APP 3 must, as soon as practicable, be destroyed or de-identified if it is lawful and reasonable to do so (APP 4.3).
When is destruction or de-identification ‘lawful’?
4.19 It is lawful for an organisation to destroy or de-identify unsolicited personal information unless there is a law or legal order that prevents that occurring.
4.20 The circumstances in which it may be unlawful for an organisation to destroy or de-identify unsolicited personal information include where:
• a legislative provision in an Act or subordinate instrument requires an organisation to retain the information for a specified purpose – for example, for auditing, inspection or reporting purposes
• a court, tribunal or body with legal power to issue binding orders, has made an order requiring the information to be retained for a specified purpose or period.
4.21 As those examples illustrate, it is important that each organisation is aware of the legal rules or orders that may prevent it from destroying or de-identifying unsolicited personal information.
When is destruction or de-identification ‘reasonable’?
4.22 The ‘reasonableness’ requirement must be applied consistently with the stated object of APP 4, which is to ensure that unsolicited personal information is ordinarily destroyed or de-identified unless an organisation could have collected the information under APP 3. Accordingly, an organisation that is relying on this requirement to retain unsolicited personal information must point to a clear reason that would make it unreasonable to destroy or de-identify the information.
4.23 Considerations that may be taken into account by an organisation include:
• the quantity, extent and sensitivity of the personal information
• whether the information is commingled with solicited personal information, and it would be impractical for the organisation to separate the information (see paragraph [4.24] for an example of where it may be practicable to separate solicited and unsolicited information)
• whether a law enforcement authority has requested that the information be retained pending the completion of an investigation
• whether the entity has considered a range of options for destroying or de-identifying the information
• where destruction or de-identification is unreasonable within a short timeframe, whether the destruction or de-identification task could be undertaken using a staged approach.
4.24 Those and other relevant considerations should be applied cautiously. Before deciding that it is reasonable to retain unsolicited personal information, an entity should examine viable options for destroying or de-identifying the information. For example, it may be practicable to transcribe or convert, and produce a new record of, solicited personal information that is commingled with unsolicited information. The original record containing the unsolicited information could then be destroyed or de-identified.
4.25 For further discussion of destroying and de-identifying information, see Chapter B (Key concepts) and Chapter 11 (APP 11) of these Guidelines.
Destroying or de-identifying unsolicited personal information ‘as soon as practicable’
4.26 The requirement that unsolicited personal information be destroyed or de-identified ‘as soon as practicable’ requires prompt action by an organisation. That is, an organisation should promptly identify that it has collected unsolicited personal information, that the information could not be collected under APP 3, and that it would be lawful and reasonable to destroy or de-identify it. Prompt action should then be taken to destroy or de-identify the information.
4.27 In adopting a timetable that is ‘practicable’, an organisation can take technical and resource considerations into account. However, those considerations must be balanced with the organisation’s obligation to act promptly when required by APP 4.3 to destroy or de-identify unsolicited personal information.
Deal with unsolicited personal information that is not destroyed or de-identified?
4.28 An APP entity may retain unsolicited personal information if it is not required by APP 4.3 to destroy or de-identify it. The information must then be dealt with in accordance with APPs 5-13 (APP 4.4). This means, for example, that a notice of collection may be required (APP 5), the information cannot be used for a secondary purpose unless an exception applies (APP 6), the security of the information must be protected (APP 11), and an individual can apply for access to the information (APP 12) and to correct any inaccuracy in the information (APP 13).
4.29 An APP entity should take particular note of APP 11.2. It requires that personal information held by an entity that it no longer needs for any purpose permitted by the APPs should be destroyed or de-identified. That is, unsolicited personal information that is retained under APP 4.4 may nevertheless need to be destroyed or de-identified if required by APP 11.2 (see Chapter 11 for further details).
Australian Privacy Principle 5 – Notification of the collection of personal information
Key points
• An APP entity that collects personal information about an individual must take reasonable steps to notify the individual, or otherwise ensure the individual is aware, of certain matters.
• The matters include:
o the APP entity’s identity and contact details
o the fact and circumstances of collection
o whether the collection is required or authorised by law
o the purposes of collection
o the consequences if personal information is not collected
o the APP entity’s usual disclosures of personal information of the kind collected by the entity
o information about the APP entity’s APP Privacy Policy
o whether the APP entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
• An APP entity must provide notification before, or at the time it collects personal information. If this is not practicable, notification should be provided as soon as practicable after collection.
What does APP 5 say?
5.1 APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps to notify the individual of certain matters or otherwise ensure the individual is aware of those matters (generally referred to in this chapter as ‘APP 5 matters’). The notification must occur at or before the time of collection, or as soon as practicable afterwards.
5.2 The notification requirement applies to all personal information ‘collected’ about an individual, either directly from the individual or from a third party. It applies to solicited information (APP 3) and also unsolicited information that is not destroyed or de-identified by the entity (APP 4) (see Chapters 3 (APP 3), 4 (APP 4) and B (Key concepts)).
Reasonable steps to notify or ensure awareness
5.3 An APP entity must take ‘such steps (if any) as are reasonable in the circumstances’ to notify an individual of the APP 5 matters or otherwise ensure they are aware of those matters (APP 5.1). The ‘reasonable steps’ test is an objective test: namely, whether a reasonable person in those circumstances would agree that the APP entity has acted reasonably in providing a notice or ensuring awareness. It is the responsibility of the entity to show that reasonable steps were taken.
5.4 Factors that may be important in deciding whether reasonable steps were taken include:
• the type of personal information collected – for example, additional steps may be reasonable for collecting sensitive information or information of a sensitive nature
• the risk of harm to an individual – for example, additional steps may be reasonable if an entity collects personal information for the purpose of making a decision with serious consequences for the individual
• any special needs of the individual – for example, additional steps may be reasonable if personal information is collected from an individual from a non-English speaking background who does not readily understand the APP 5 matters
• the practicability of taking particular steps – however, an entity is not automatically excused from notifying individuals of the APP 5 matters simply because this is inconvenient or costly.
5.5 The following are given as examples of reasonable steps that an APP entity could consider:
• if the entity collects personal information directly from an individual who completes a form or uses an online facility – clearly and prominently displaying the APP 5 matters in the form, or providing a readily accessible link to an APP 5 notice; the individual should be asked to confirm they have reviewed the notice before providing their personal information
• if personal information is collected by telephone – explaining the APP 5 matters to the individual at the commencement of the call (perhaps following a template script)
• if the entity collects personal information from another entity – confirming whether the other entity has provided the relevant APP 5 notice to the individual, or whether the individual was otherwise aware of the APP 5 matters at the time of collection.
When not taking any steps might be reasonable
5.6 APP 5.1 acknowledges that it may be reasonable for an APP entity to not take any steps to provide a notice or ensure awareness of all or some of the APP 5 matters. The following are given as examples of when this may be reasonable:
• the individual is aware that personal information is being collected, the purpose of collection and other matters relating to the collection – for example, a doctor has informed a patient that a specialist to whom the patient is referred for treatment will obtain the patient’s health information from the doctor
• an entity collects personal information from an individual on a recurring basis over a short period in relation to the same matter, and the individual is aware (or reasonably ought to be aware) that a separate notice will not be issued for each instance of collection
• notification may pose a serious threat to the life, health or safety of an individual or pose a threat to public health or safety – for example, a law enforcement agency obtaining information from a confidential source for the purpose of an investigation
• notification may jeopardise the purpose of collection or the integrity of the information collected – for example, a law enforcement agency undertaking covert surveillance of an individual in connection with a criminal investigation
• notification would be inconsistent with a legal obligation – for example, by breaching a statutory secrecy provision, a client’s legal professional privilege, or a legal obligation of confidence.
Matters to be notified
5.7 APP 5.2 lists the matters (discussed separately below) that must be notified to an individual or of which they must be made aware. The obligation on an APP entity to take reasonable steps to notify the individual, or make them aware, of these matters applies separately to each matter. This means that it may be reasonable for an APP entity to notify some but not all of the APP 5 matters.
The APP entity’s identity and contact details (APP 5.2(a))
5.8 Notification is to include the identity and contact details of the APP entity. This should include the position title, telephone number and email address of a contact who handles enquiries and requests relating to the Privacy Act. Consideration should be given to establishing a generic telephone number and email address (for example privacy@agency.gov.au) that will not change with staff movements. This ensures awareness of a contact if an individual chooses to exercise any available rights to request access to, or correction of, personal information later (APPs 12 and 13).
The facts and circumstances of collection (APP 5.2(b))
5.9 Notification is to include the fact either that the entity has collected personal information from the individual, if the individual may not be aware of this, or that the information has been collected from a third party. The notice is also to include the circumstances of the collection, such as the date, time, place and method of collection.
5.10 The following are given as examples of matters that could be notified:
• that the individual’s personal information was or will be collected from another entity or individual
• that personal information is collected through use of a hidden radio-frequency identification (RFID) tag, software (such as cookies), or biometric technology (such as voice or facial recognition).
5.11 Where personal information is collected from an entity other than an individual, the notice should include the name of that entity. Where personal information is collected from another individual, consideration should be given to whether it would be a breach of that person’s privacy to identify them in the APP 5 notice.
If the collection is required or authorised by law (APP 5.2(c))
5.12 Notification is to include, if applicable, the fact that a collection is required or authorised by or under an Australian law or a court or tribunal order. (The phrase ‘required or authorised by law’ is discussed in Chapter B (Key concepts), including the term ‘Australian law’.)
5.13 APP 5.2(c) requires the APP 5 notice to include the name of the Australian law, or details of the particular court or tribunal order, that requires or authorises the collection. The notice should name the particular law relied upon, and not the range of laws available to the entity to collect personal information, nor a generic description (such as ‘taxation law’). If practicable, the notice should include the provision of the law relied upon for collection and, if applicable, the title of a legislative instrument relied upon.
The purpose of collection (APP 5.2(d))
6.1 Notification is to include the purposes for which the APP entity collects personal information. This should include the primary purpose of collection, that is, the specific activity for which particular personal information is collected. If the entity may use or disclose personal information for another purpose (known as a ‘secondary purpose’), this should also be noted. This may create a reasonable expectation that the information will be used or disclosed for a secondary purpose, of relevance to the exception in APP 6.2(a) (this exception and the terms ‘primary purpose’ and ‘secondary purpose’ of collection are discussed in Chapter 6 (APP 6)).
The consequences for the individual if personal information is not collected (APP 5.2(e))
5.14 Notification is to include the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity.
5.15 An entity is not required to list all possible or remote consequences, but only the main consequences that could be expected to result. If the individual can avoid or lessen those consequences by providing some but not other personal information, this should be explained.
5.16 The following are given as examples of consequences that may result if personal information is not collected:
• an application for a licence, benefit, allowance or concession cannot be processed
• an individual cannot be notified of the results of a competition they entered
• an entity cannot properly investigate or resolve an individual’s complaint
• a different level of service will be provided to the individual – for example, the individual may not be eligible to purchase a discounted flight without providing a medical certificate.
Other APP entities, bodies or persons to which the information is usually disclosed (APP 5.2(f))
5.17 Notification is to include any other entity, body or person, or the types of other entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity.
5.18 An APP entity is not required to include in an APP 5 notice that a particular disclosure has occurred or will occur. Rather, APP 5.2(f) requires notification of the ‘usual’ practices of the entity in disclosing personal information of that ‘kind’ to other entities or ‘types’ of entity (or bodies or persons).
5.19 A ‘usual’ disclosure is one that occurs regularly, under an agreed arrangement, or that can reasonably be predicted or anticipated. It does not include a disclosure that may occur in exceptional or special circumstances (such as a disclosure under warrant to a law enforcement agency).
5.20 The ‘kind’ of personal information that is usually disclosed may be described, for example, as ‘contact details’, ‘employment history’, ‘educational qualifications’ or ‘complaint details’.
5.21 If the personal information is usually disclosed to a particular entity, body or person, it should be named, unless it would be impracticable to include a long list of entities. In that case, the ‘type’ of entity, body or person can be described, for example, as ‘health insurers’ or ‘State Government motor vehicle licensing authorities’. The list or description should include any related body corporate of the APP entity to which information is usually disclosed. An APP entity is not required to describe the disclosure practices of the entity, body or person to which the information is disclosed. However, if it is known that that entity, body or person usually discloses the personal information to other entities, this could be noted.
The APP entity’s APP Privacy Policy (APP 5.2(g) and (h))
5.22 Notification is to include that the APP entity’s APP Privacy Policy contains information about how the individual may:
• access and seek correction of the personal information held by the entity (APP 5.2(g))
• complain to the entity about a breach of the APPs, or any registered APP code that binds the entity, and how the entity will deal with such a complaint (APP 5.2(h)).
5.23 Where possible, an APP 5 notice should include a link to the Privacy Policy on the entity’s website or explain how it may be accessed. (The APP Privacy Policy requirements are discussed in Chapter 1, APP 1.)
Cross-border disclosure (APP 5.2(i) and (j))
5.24 Notification is to include:
• whether the APP entity is likely to disclose the personal information to overseas recipients (APP 5.2(i)), and
• if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notice or to otherwise make the individual aware of them (APP 5.2(j)).
5.25 This requirement only applies to a likely disclosure of personal information to an overseas recipient, and not the likely use of that information by the entity. For example, where personal information is routed through servers located outside Australia, this will generally be considered a use and not a disclosure. Similarly, if an APP entity makes personal information accessible to an overseas office of the entity (for example, a consular office), this is a use but not a disclosure.
5.26 An example of when it may be impracticable to specify the countries in which overseas recipients are located is where personal information is likely to be disclosed to numerous overseas recipients and determining where those recipients are located could be unduly costly. However, the entity has responsibility to show why it is impracticable to list the countries.
5.27 The requirement to notify an individual if information being collected is likely to be disclosed to overseas recipients, and the location of those recipients, complements the obligation on APP entities under APP 1.4(f) and (g) to describe overseas disclosure practices in an APP Privacy Policy.
5.28 Other matters that an APP entity should consider including in an APP 5 notice, though not required by APP 5 to do so, include:
• how the overseas recipient might use, disclose and protect the personal information
• how the individual can request further information about laws or binding schemes that protect privacy in the country of receipt
• how the individual can access personal information held by the overseas recipient
• any action the individual may take to prevent information being given to an overseas recipient, and the consequences of that action occurring.
When notification is to occur
5.29 If notification is required under APP 5, it must occur either:
• at or before the time an APP entity collects an individual’s personal information, or
• if that is not practicable, as soon as practicable after the collection occurs.
5.30 This requirement recognises that it is preferable that an individual can make an informed choice about whether to provide personal information to an APP entity.
5.31 Notification before or at the time of collection is not required if it is impracticable to do so. Examples may include where:
• an APP entity has received unsolicited personal information about an individual, and notification is required because the entity is not required under APP 4.3 to destroy or de-identify that information (see paragraph [5.2] above)
• urgent collection of the personal information is required and giving a notice would unreasonably delay the collection – for example, where there is a serious threat to an individual’s life or health or to public safety.
5.32 The test of impracticability is an objective test. The APP entity has responsibility to show why it would be impracticable to give notification before or at the time of collection. Options for providing early notification should, so far as practicable, be built into information collection processes and systems – for example, including relevant information in standard forms and online collection mechanisms.
5.33 If notification does not occur before or at the time of collection, the APP entity must take reasonable steps to provide notification, or make the individual aware, as soon as practicable thereafter. Once again, the APP entity has responsibility to justify any delay in notification.