Information privacy

6.109   The Privacy Act is Australia’s key information privacy law. The Act is concerned with the protection of personal information held by certain entities, rather than with privacy more generally. Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.

6.110   The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that set out the broad requirements on collection, use, disclosure and other handling of personal information.[96] The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage.[97] Generally, individuals are not bound by the Privacy Act.[98]

6.111   Privacy of health information may be a special concern for persons with disability. Health and genetic information is ‘sensitive information’ that is subject to stronger protection under the APPs.[99] Separate Commonwealth legislation protects healthcare identifiers[100] and eHealth records.[101]

6.112   The major issue for stakeholders was to ensure that personal information is able to be shared appropriately in order to support persons with disability. National Disability Services, for example, stated:

The key challenge is often to transfer sufficient personal information (such as medication requirements or worker safety issues) that will enable the provision of high quality, tailored and safe support, while also protecting the right to privacy.[102]

6.113   There is a public interest in families and friends being involved in the care and treatment of people with a mental illness, for example, and this clearly involves the sharing of information.[103] The NSWCID observed that, for a person with an intellectual disability, there may be ‘numerous times in a month when an agency needs to obtain information about the person from a range of sources and provide information to a range of agencies or individuals’.[104] The ACT Disability, Aged and Carer Advocacy Service noted:

If [supported decision-making] frameworks are to reduce or replace the use of guardianship, consideration needs to be given to how relevant information can be shared with decision supporters while balancing the right of people with disability to privacy.[105]

Individual decision-making and the Privacy Act

6.114   The Privacy Act makes no express provision for supporters or representatives to be recognised as acting on behalf of an individual in relation to decisions about the handling of personal information held by APP entities.

6.115   Some state privacy legislation does provide for representatives. The Health Records and Information Privacy Act 2002 (NSW), for example, provides for the position of an ‘authorised representative’ to act on behalf of an individual who is ‘incapable of doing an act authorised, permitted or required’ by the Act.[106]

6.116   An authorised representative may not do an act on behalf of an individual who is capable of doing that act, unless the individual expressly authorises the authorised representative to do that act.[107]

6.117   An ‘authorised representative’ for these purposes means a person appointed under an enduring power of attorney, a guardian, a person having parental responsibility (if the individual is a child), or a person who is ‘otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual’.[108] Essentially, therefore, the NSW Health Records and Information Privacy Act provides recognition for representatives, but not for supporters, as those terms are used in this Report.

6.118   The ALRC has considered previously whether the Privacy Act should include provision for representatives. In its 2008 report, For Your Information: Australian Privacy Law and Practice, the ALRC recommended that the Privacy Act should be amended to include the concept of a ‘nominee’. An agency or organisation would be able to establish nominee arrangements and then ‘deal with an individual’s nominee as if the nominee were the individual’.[109] The ALRC recommended that nominee arrangements should include, at a minimum, the following elements:

(a)     a nomination can be made by an individual or a substitute decision maker authorised by a federal, state or territory law;

(b)     the nominee can be an individual or an entity;

(c)     the nominee has a duty to act at all times in the best interests of the individual; and

(d)     the nomination can be revoked by the individual, the nominee or the agency or organisation.[110]

6.119   The ALRC concluded that establishing nominee arrangements would ‘provide flexibility for individuals to decide who can act as their “agent” for the purposes of the Privacy Act, and also operate as a useful mechanism in situations where an individual has limited, intermittent or declining capacity’.[111]

6.120   The rationale for the original ALRC recommendations was to address problems faced by individuals and their representatives in gaining access to benefits and services due to perceived or real conflicts with the Privacy Act: that is, organisations refusing to provide information or deal with supporters ‘because of the Privacy Act’. Similar concerns were expressed in this Inquiry.[112]

6.121   The ALRC’s 2008 recommendations would have provided recognition for both supporters and representatives. The ALRC envisaged that a nominee could be either nominated by the individual or a substitute decision-maker appointed under some other law. While it would not be necessary for an authorised substitute decision-maker to be registered as a nominee for the agency or organisation to recognise that person, the nominee arrangements were seen as a convenient way for the decision-maker to be recognised for ongoing dealings with the agency or organisation.[113]

The Commonwealth model and the Privacy Act

Recommendation 6–4   The Australian Information Commissioner should develop guidelines consistent with the Commonwealth decision-making model describing the role of supporters and explaining how ‘APP entities’ should recognise the role of supporters in assisting people to exercise their rights under the Privacy Act 1988 (Cth).

6.122   Successive Australian Governments have not responded to the ALRC’s recommendations concerning decision-making arrangements under the Privacy Act.[114] There seems good reason to revisit this issue in the context of the present Inquiry.

6.123   The Privacy Act does not prevent a supporter from providing assistance to the individual where this is done with the consent of the individual. Where the assistance requires the supporter to have access to the personal information of the individual, the individual can provide consent for the agency or organisation to disclose the information to the supporter. Sometimes it should be quite clear, for example, that a requested disclosure of personal information would be permitted by APP 6.[115]

6.124   There are concerns, however, that such arrangements are not implemented consistently, or recognised by agencies and organisations.[116] The NSWCID submitted:

So far as possible, people with intellectual disability should be given the support that they need to make their own privacy decisions. If this is not adequate, there needs to be a legislative system of substitute consent and/or administrative safeguards that provides reasonable safeguards on the privacy of the individual whilst also recognising that other rights of the individual may be imperilled if personal information cannot be gathered and promptly used as occasions arise.[117]

6.125   If the privacy rules covering this sort of information exchange are ‘cumbersome or complex’, then optimal support of people with intellectual disabilities will not occur.[118] Other stakeholders referred to the desirability of uniform Commonwealth, state and territory privacy regulation.[119]

6.126   The advantages of recognising supporters in Commonwealth laws are discussed in Chapter 4. In particular, formalisation of support is likely to create greater certainty for third parties about the role of supporters, and facilitate the provision of support to people who need it. In the context of information privacy, this is likely to allow third parties to interact with supporters with greater confidence, allowing for timely collection, use and disclosure of information.

6.127   There is a downside to this approach, however, in that legislative arrangements may work against flexible practices by encouraging the perception that a supporter must be formally appointed in order to be recognised. On the other hand, more informal arrangements may not be implemented consistently or recognised by APP entities. Some form of legislative underpinning may be more effective in establishing recognition of supporters.

6.128   Incorporating the Commonwealth decision-making model within the Privacy Act may facilitate assistance for people in making and communicating decisions concerning control of their personal information by recognising supporters, including family and carers, as being able to act on their behalf. At the least, supporters should be recognised and be made subject to a duty to support an individual’s will and preferences in relation to the handling of their personal information.

6.129   However, some circumstances will require a more rigorous process for appointment and verification than others, due to the potential consequences of the disclosure of personal information or the transaction involved. For example, a bank or other financial institution might establish an arrangement that has effect for the purposes of disclosing account balances and banking transactions, but does not extend to a supporter withdrawing funds from an account on behalf of the individual, without putting further integrity measures in place.

6.130   While there was some support for the Discussion Paper proposals,[120] the OAIC did not consider amendments to the Privacy Act are needed. In this context, the OAIC advised that it does not generally support amendments to the Privacy Act unless there is evidence that the difficulty encountered is as a result of the current legislative framework. It was suggested that ‘non-legislative measures, such as improved guidance, should be favoured’ and, if this approach were found to be insufficient,

careful consideration would need to be given to the regulatory impact of any amendments to ensure that they do not introduce additional complexities for individuals and APP entities, and meet the objectives of the Privacy Act set out in s 2A.[121]

6.131   The Privacy Act does not prevent supported decision-making where the individual has provided consent to the arrangement. Where the assistance requires the supporter to have access to the personal information of the individual, the individual can provide consent for the APP entity to disclose the information to the supporter.[122] The OAIC considered that a consistent application of the Commonwealth supported decision-making model can be achieved through the development of specific and targeted guidance for APP entities.[123]

6.132   In the Discussion Paper, the ALRC proposed that the Privacy Act should permit APP entities to establish a supporters and representatives scheme, but stated that this should not be mandatory.[124]

6.133   APP entities need to retain the flexibility to develop practices and procedures consistent with their broader operations. Agencies and organisations are subject to other obligations—such as the bankers’ duty of confidentiality or particular legislative provisions—which place limits on decision-making by supporters. Each agency and organisation needs to consider the extent to which it is able to recognise and act upon decisions made by a supporter.

6.134   Applying the Commonwealth decision-making model in the Privacy Act would differ from other contexts, in that provisions would apply potentially to an individual’s relationships with the full range of APP entities—Commonwealth government agencies and private sector organisations—and have to be administered by them, rather than by a single agency, such as the NDIA or Centrelink.

6.135   The ALRC concludes that it is not necessary to amend the Privacy Act itself to encourage the recognition of supported decision-making in privacy regulation. To begin with, there is no case for allowing all APP entities to create mechanisms for appointing representatives, although they should have processes for recognising substitute decision-makers appointed under state or territory law.

6.136   As suggested by the OAIC, the preferable approach may be to encourage supported decision-making through guidelines describing the role of supporters and explaining how APP entities should recognise the role of supporters in assisting people to exercise their rights under the Privacy Act.