18.09.2014
6.109 The Privacy Act is Australia’s key information privacy law. The Act is concerned with the protection of personal information held by certain entities, rather than with privacy more generally. Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.
6.110 The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that set out the broad requirements on collection, use, disclosure and other handling of personal information.[96] The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage.[97] Generally, individuals are not bound by the Privacy Act.[98]
6.111 Privacy of health information may be a special concern for persons with disability. Health and genetic information is ‘sensitive information’ that is subject to stronger protection under the APPs.[99] Separate Commonwealth legislation protects healthcare identifiers[100] and eHealth records.[101]
6.112 The major issue for stakeholders was to ensure that personal information is able to be shared appropriately in order to support persons with disability. National Disability Services, for example, stated:
The key challenge is often to transfer sufficient personal information (such as medication requirements or worker safety issues) that will enable the provision of high quality, tailored and safe support, while also protecting the right to privacy.[102]
6.113 There is a public interest in families and friends being involved in the care and treatment of people with a mental illness, for example, and this clearly involves the sharing of information.[103] The NSWCID observed that, for a person with an intellectual disability, there may be ‘numerous times in a month when an agency needs to obtain information about the person from a range of sources and provide information to a range of agencies or individuals’.[104] The ACT Disability, Aged and Carer Advocacy Service noted:
If [supported decision-making] frameworks are to reduce or replace the use of guardianship, consideration needs to be given to how relevant information can be shared with decision supporters while balancing the right of people with disability to privacy.[105]
Individual decision-making and the Privacy Act
6.114 The Privacy Act makes no express provision for supporters or representatives to be recognised as acting on behalf of an individual in relation to decisions about the handling of personal information held by APP entities.
6.115 Some state privacy legislation does provide for representatives. The Health Records and Information Privacy Act 2002 (NSW), for example, provides for the position of an ‘authorised representative’ to act on behalf of an individual who is ‘incapable of doing an act authorised, permitted or required’ by the Act.[106]
6.116 An authorised representative may not do an act on behalf of an individual who is capable of doing that act, unless the individual expressly authorises the authorised representative to do that act.[107]
6.117 An ‘authorised representative’ for these purposes means a person appointed under an enduring power of attorney, a guardian, a person having parental responsibility (if the individual is a child), or a person who is ‘otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual’.[108] Essentially, therefore, the NSW Health Records and Information Privacy Act provides recognition for representatives, but not for supporters, as those terms are used in this Report.
6.118 The ALRC has considered previously whether the Privacy Act should include provision for representatives. In its 2008 report, For Your Information: Australian Privacy Law and Practice, the ALRC recommended that the Privacy Act should be amended to include the concept of a ‘nominee’. An agency or organisation would be able to establish nominee arrangements and then ‘deal with an individual’s nominee as if the nominee were the individual’.[109] The ALRC recommended that nominee arrangements should include, at a minimum, the following elements:
(a) a nomination can be made by an individual or a substitute decision maker authorised by a federal, state or territory law;
(b) the nominee can be an individual or an entity;
(c) the nominee has a duty to act at all times in the best interests of the individual; and
(d) the nomination can be revoked by the individual, the nominee or the agency or organisation.[110]
6.119 The ALRC concluded that establishing nominee arrangements would ‘provide flexibility for individuals to decide who can act as their “agent” for the purposes of the Privacy Act, and also operate as a useful mechanism in situations where an individual has limited, intermittent or declining capacity’.[111]
6.120 The rationale for the original ALRC recommendations was to address problems faced by individuals and their representatives in gaining access to benefits and services due to perceived or real conflicts with the Privacy Act. That is, organisations were refusing to provide information or deal with supporters ‘because of the Privacy Act’. Similar concerns were expressed in this Inquiry.[112]
6.121 The ALRC’s 2008 recommendations would have provided recognition for both supporters and representatives. The ALRC envisaged that a nominee could be either nominated by the individual or a substitute decision-maker appointed under some other law. While it would not be necessary for an authorised substitute decision-maker to be registered as a nominee for the agency or organisation to recognise that person, the nominee arrangements were seen as a convenient way for the decision-maker to be recognised for ongoing dealings with the agency or organisation.[113]
The Commonwealth model and the Privacy Act
Recommendation 6–4 The Australian Information Commissioner should develop guidelines consistent with the Commonwealth decision-making model describing the role of supporters and explaining how ‘APP entities’ should recognise the role of supporters in assisting people to exercise their rights under the Privacy Act 1988 (Cth).
6.122 Successive Australian Governments have not responded to the ALRC’s recommendations concerning decision-making arrangements under the Privacy Act.[114] There seems good reason to revisit this issue in the context of the present Inquiry.
6.123 The Privacy Act does not prevent a supporter from providing assistance to the individual where this is done with the consent of the individual. Where the assistance requires the supporter to have access to the personal information of the individual, the individual can provide consent for the agency or organisation to disclose the information to the supporter. Sometimes it should be quite clear, for example, that a requested disclosure of personal information would be permitted by APP 6.[115]
6.124 There are concerns, however, that such arrangements are not implemented consistently, or recognised by agencies and organisations.[116] The NSWCID submitted:
So far as possible, people with intellectual disability should be given the support that they need to make their own privacy decisions. If this is not adequate, there needs to be a legislative system of substitute consent and/or administrative safeguards that provides reasonable safeguards on the privacy of the individual whilst also recognising that other rights of the individual may be imperilled if personal information cannot be gathered and promptly used as occasions arise.[117]
6.125 If the privacy rules covering this sort of information exchange are ‘cumbersome or complex’, then optimal support of people with intellectual disabilities will not occur.[118] Other stakeholders referred to the desirability of uniform Commonwealth, state and territory privacy regulation.[119]
6.126 The advantages of recognising supporters in Commonwealth laws are discussed in Chapter 4. In particular, formalisation of support is likely to create greater certainty for third parties about the role of supporters, and facilitate the provision of support to people who need it. In the context of information privacy, this is likely to allow third parties to interact with supporters with greater confidence, allowing for timely collection, use and disclosure of information.
6.127 There is a downside to this approach, however, in that legislative arrangements may work against flexible practices by encouraging the perception that a supporter must be formally appointed in order to be recognised. On the other hand, more informal arrangements may not be implemented consistently or recognised by APP entities. Some form of legislative underpinning may be more effective in establishing recognition of supporters.
6.128 Incorporating the Commonwealth decision-making model within the Privacy Act may facilitate assistance for people in making and communicating decisions concerning control of their personal information by recognising supporters, including family and carers, as being able to act on their behalf. At the least, supporters should be recognised and be made subject to a duty to support an individual’s will and preferences in relation to the handling of their personal information.
6.129 However, some circumstances will require a more rigorous process for appointment and verification than others, due to the potential consequences of the disclosure of personal information or the transaction involved. For example, a bank or other financial institution might establish an arrangement that has effect for the purposes of disclosing account balances and banking transactions, but does not extend to a supporter withdrawing funds from an account on behalf of the individual, without putting further integrity measures in place.
6.130 While there was some support for the Discussion Paper proposals,[120] the OAIC did not consider amendments to the Privacy Act are needed. In this context, the OAIC advised that it does not generally support amendments to the Privacy Act unless there is evidence that the difficulty encountered is as a result of the current legislative framework. It was suggested that ‘non-legislative measures, such as improved guidance, should be favoured’ and, if this approach were found to be insufficient,
careful consideration would need to be given to the regulatory impact of any amendments to ensure that they do not introduce additional complexities for individuals and APP entities, and meet the objectives of the Privacy Act set out in s 2A.[121]
6.131 The Privacy Act does not prevent supported decision-making where the individual has provided consent to the arrangement. Where the assistance requires the supporter to have access to the personal information of the individual, the individual can provide consent for the APP entity to disclose the information to the supporter.[122] The OAIC considered that a consistent application of the Commonwealth supported decision-making model can be achieved through the development of specific and targeted guidance for APP entities.[123]
6.132 In the Discussion Paper, the ALRC proposed that the Privacy Act should permit APP entities to establish a supporters and representatives scheme, but stated that this should not be mandatory.[124]
6.133 APP entities need to retain the flexibility to develop practices and procedures consistent with their broader operations. Agencies and organisations are subject to other obligations—such as the bankers’ duty of confidentiality or particular legislative provisions—which place limits on decision-making by supporters. Each agency and organisation needs to consider the extent to which it is able to recognise and act upon decisions made by a supporter.
6.134 Applying the Commonwealth decision-making model in the Privacy Act would differ from other contexts, in that provisions would apply potentially to an individual’s relationships with the full range of APP entities—Commonwealth government agencies and private sector organisations—and have to be administered by them, rather than by a single agency, such as the NDIA or Centrelink.
6.135 The ALRC concludes that it is not necessary to amend the Privacy Act itself to encourage the recognition of supported decision-making in privacy regulation. To begin with, there is no case for allowing all APP entities to create mechanisms for appointing representatives, although they should have processes for recognising substitute decision-makers appointed under state or territory law.
6.136 As suggested by the OAIC, the preferable approach may be to encourage supported decision-making through guidelines describing the role of supporters and explaining how APP entities should recognise the role of supporters in assisting people to exercise their rights under the Privacy Act.
[96] Privacy Act 1988 (Cth) sch 1.
[97] ‘APP entity’ is defined in Ibid s 6(1). Small businesses are not, in general, APP entities, with some exceptions as set out in s 6D.
[98] There are some exceptions. For example, an individual who is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), will be treated as an APP entity under the Privacy Act 1988 (Cth).
[99] Privacy Act 1988 (Cth) s 6(1).
[100] Healthcare Identifiers Act 2010 (Cth).
[101] Personally Controlled Electronic Health Records Act 2012 (Cth).
[102] National Disability Services, Submission 49.
[103] Public Interest Advocacy Centre, Submission 41.
[104] NSW Council for Intellectual Disability, Submission 33.
[105] ADACAS, Submission 29.
[106] Health Records and Information Privacy Act 2002 (NSW) s 7. An individual is defined as incapable ‘if the individual is incapable (despite the provision of reasonable assistance by another person) by reason of age, injury, illness, physical or mental impairment of: (a) understanding the general nature and effect of the act, or (b) communicating the individual’s intentions with respect to the act’.
[107] Ibid s 8(3).
[108] Ibid s 8.
[109] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) Rec 70–1.
[110] Ibid Rec 70–2.
[111] Ibid [70.96].
[112] See, eg, NSW Council for Intellectual Disability, Submission 33; ADACAS, Submission 29.
[113] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) [70.101].
[114] Many other recommendations made in the 2008 privacy report were implemented following the enactment of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
[115] That is, the disclosure is for the purpose the information was collected, or the individual has consented to the disclosure of the information: Privacy Act 1988 (Cth) sch 1, cl 6.
[116] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) [70.104].
[117] NSW Council for Intellectual Disability, Submission 33.
[118] The NSWCID referred to the Health Records and Information Privacy Act 2002 (NSW) as a good model for dealing with ‘incapacity issues’: Ibid.
[119] See, eg, Mental Health Coordinating Council, Submission 07. The ALRC has previously recommended an intergovernmental cooperative scheme that provides that the states and territories should enact legislation regulating the handling of personal information in the state and territory public sectors that is consistent with the Privacy Act: ALRC, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) Recs 3–4, 3–5.
[120] National Mental Health Consumer & Carer Forum, Submission 100.
[121] Office of the Australian Information Commissioner, Submission 132.
[122] There are a number of other exceptions in the APPs, which permit the use and disclosure of an individual’s personal information to a representative, including where the use or disclosure is required or authorised by law; where a permitted health situation exists and information is disclosed to a responsible person for an individual; and in certain situations where there is a serious threat to the life, health or safety of any individual, or to public health or safety: See Privacy Act 1988 (Cth) ss 16A, 16B(5).
[123] Office of the Australian Information Commissioner, Submission 132.
[124] Australian Law Reform Commission, Equality, Capacity and Disability in Commonwealth Laws, Discussion Paper No 81 (2014) Proposal 6–4, [6.109].