Information privacy

6.88 The Privacy Act is Australia’s key information privacy law. The Act is concerned with the protection of personal information held by certain entities, rather than with privacy more generally. Personal information is defined in s 6(1) of the Act as information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form.

6.89 The Privacy Act provides 13 ‘Australian Privacy Principles’ (APPs) that set out the broad requirements on collection, use, disclosure and other handling of personal information.[67] The APPs bind only ‘APP entities’—primarily Australian Government agencies and large private sector organisations with a turnover of more than $3 million. Certain small businesses are also bound, such as those that provide health services and those that disclose personal information to anyone else for a benefit, service or advantage.[68] Generally, individuals are not bound by the Privacy Act.[69]

6.90 Privacy of health information may be a special concern for people with disability. Health and genetic information is ‘sensitive information’ that is subject to stronger protection under the APPs.[70] Separate Commonwealth legislation protects healthcare identifiers[71] and eHealth records.[72]

6.91 The major issue for stakeholders was to ensure that personal information is able to be shared appropriately in order to support people with disability. National Disability Services, for example, stated:

The key challenge is often to transfer sufficient personal information (such as medication requirements or worker safety issues) that will enable the provision of high quality, tailored and safe support, while also protecting the right to privacy.[73]

6.92 There is a public interest in families and friends being involved in the care and treatment of people with a mental illness, for example, and this clearly involves the sharing of information.[74] The NSWCID observed that, for a person with an intellectual disability, there may be ‘numerous times in a month when an agency needs to obtain information about the person from a range of sources and provide information to a range of agencies or individuals’.[75] The ACT Disability, Aged and Carer Advocacy Service noted:

If [supported decision-making] frameworks are to reduce or replace the use of guardianship, consideration needs to be given to how relevant information can be shared with decision supporters while balancing the right of people with disability to privacy.[76]

Individual decision-making and the Privacy Act

6.93 The Privacy Act makes no express provision for supporters or representatives to be recognised as acting on behalf of an individual in relation to decisions about the handling of personal information held by APP entities.

6.94 Some state privacy legislation does provide for representatives. The Health Records and Information Privacy Act 2002 (NSW), for example, provides for the position of an ‘authorised representative’ to act on behalf of an individual who is ‘incapable of doing an act authorised, permitted or required’ by the Act.[77]

6.95 An authorised representative may not do an act on behalf of an individual who is capable of doing that act, unless the individual expressly authorises the authorised representative to do that act.[78]

6.96 An ‘authorised representative’ for these purposes means a person appointed under an enduring power of attorney, a guardian, a person having parental responsibility (if the individual is a child), or person who is ‘otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual’.[79] Essentially, therefore, the Health Records and Information Privacy Act 2002 provides recognition for representatives, but not for supporters, as those terms are used in this Discussion Paper.

6.97 The ALRC has considered previously whether the Privacy Act should include provision for representatives. In its 2008 report, For Your Information: Australian Privacy Law and Practice, the ALRC recommended that the Privacy Act should be amended to include the concept of a ‘nominee’. An agency or organisation would be able to establish nominee arrangements and then ‘deal with an individual’s nominee as if the nominee were the individual’.[80] The ALRC recommended that nominee arrangements should include, at a minimum, the following elements:

(a) a nomination can be made by an individual or a substitute decision maker authorised by a federal, state or territory law;

(b) the nominee can be an individual or an entity;

(c) the nominee has a duty to act at all times in the best interests of the individual; and

(d) the nomination can be revoked by the individual, the nominee or the agency or organisation.[81]

6.98 The ALRC concluded that establishing nominee arrangements would ‘provide flexibility for individuals to decide who can act as their “agent” for the purposes of the Privacy Act, and also operate as a useful mechanism in situations where an individual has limited, intermittent or declining capacity’.[82]

6.99 The rationale for the original ALRC recommendations was to address problems faced by individuals and their representatives in gaining access to benefits and services due to perceived or real conflicts with the Privacy Act. That is, organisations refusing to provide information or deal with supporters ‘because of the Privacy Act’. Similar concerns were expressed in this Inquiry.[83]

6.100 The ALRC’s 2008 recommendations would have provided recognition for both supporters and representatives.

6.101 The ALRC envisaged that a nominee could be either nominated by the individual or a substitute decision-maker appointed under some other law. While it would not be necessary for an authorised substitute decision-maker to be registered as a nominee for the agency or organisation to recognise that person, the nominee arrangements were seen as a convenient way for the decision-maker to be recognised for ongoing dealings with the agency or organisation.[84]

The Commonwealth model and the Privacy Act

Proposal 6–4 The Privacy Act 1988 (Cth) should be amended to include supporter and representative provisions consistent with the Commonwealth decision-making model.

6.102 Successive Australian Governments have not responded to the ALRC’s recommendations concerning decision-making arrangements under the Privacy Act.[85] There seems good reason to revisit this issue in the context of the present Inquiry.

6.103 The Privacy Act does not prevent a supporter from providing assistance to the individual where this is done with the consent of the individual. Where the assistance requires the supporter to have access to the personal information of the individual, the individual can provide consent for the agency or organisation to disclose the information to the supporter. Sometimes it should be quite clear, for example, that a requested disclosure of personal information would be covered by APP 6.[86]

6.104 There are concerns, however, that such arrangements are not implemented consistently, or recognised by agencies and organisations.[87] The NSWCID submitted:

So far as possible, people with intellectual disability should be given the support that they need to make their own privacy decisions. If this is not adequate, there needs to be a legislative system of substitute consent and/or administrative safeguards that provides reasonable safeguards on the privacy of the individual whilst also recognising that other rights of the individual may be imperilled if personal information cannot be gathered and promptly used as occasions arise.[88]

6.105 If the privacy rules covering this sort of information exchange are ‘cumbersome or complex’, then optimal support of people with intellectual disabilities will not occur.[89] Other stakeholders referred to the desirability of uniform Commonwealth, state and territory privacy regulation.[90]

6.106 The advantages of recognising supporters in Commonwealth laws are discussed in Chapter 4. In particular, formalisation of support is likely to create greater certainty for third parties about the role of supporters, and facilitate the provision of support to people who need it. In the context of information privacy, this is likely to allow third parties to interact with supporters with greater confidence, allowing for timely collection, use and disclosure of information.

6.107 There is a downside to this approach, in that legislative arrangements may work against flexible practices by encouraging the perception that a supporter must be formally appointed in order to be recognised. However, more informal arrangements may not be implemented consistently or recognised by APP entities. Some form of legislative underpinning may be more effective in establishing recognition of supporters.

6.108 In the ALRC’s view, the Privacy Act should be amended to include supporter and representative provisions consistent with the Commonwealth decision-making model. The new provisions would apply potentially to an individual’s relationships with the full range of APP entities—Commonwealth government agencies and private sector organisations.

6.109 The Privacy Act should permit APP entities to establish a supporters and representatives scheme, but this should not be mandatory. APP entities need to retain the flexibility to develop practices and procedures consistent with their broader operations. Agencies and organisations also may be subject to other obligations—such as the bankers’ duty of confidentiality or particular legislative provisions—which place limits on decision-making by supporters. Each agency and organisation must consider the extent to which it is able to recognise and act upon decisions made by a supporter.

6.110 Incorporating the Commonwealth decision-making model within the Privacy Act may facilitate assistance for people in making and communicating decisions concerning control of their personal information by recognising supporters, including family and carers, as being able to act on their behalf. At the least, supporters should be recognised and be made subject to a duty to support an individual’s will and preferences in relation to the handling of their personal information.

6.111 However, some circumstances will require a more rigorous process for appointment and verification than others, due to the potential consequences of the disclosure of personal information or the transaction involved. For example, a bank or other financial institution might establish an arrangement that has effect for the purposes of disclosing account balances and banking transactions, but does not extend to a supporter withdrawing funds from an account on behalf of the individual, without putting further integrity measures in place.