8.87 Although the drafters of the Privacy Act may not have had genetic samples in mind, the NPPs are drafted as high level principles capable of flexible interpretation in a myriad of circumstances. The NPPs do not prescribe exactly what an organisation must do to comply with them. Rather, they apply broad standards—for example, based on whether an organisation has taken ‘reasonable steps’ to do something, whether certain possible actions are ‘reasonable and practicable’ or ‘impracticable’ and whether information is ‘necessary’ for certain purposes.
8.88 It has been stated that one strength of the principles is that they are ‘technology neutral’, that is, principles of fair information handling can be applied evenly, no matter the form in which information is held or stored:
The result is that the NPPs apply equally to conventional, electronic and digital environments. This neutrality also aims to ensure that the legislation will not date and will work in practice now and for many years to come.
8.89 Given the close analogies between genetic samples and forms of data or information, the Inquiry has concluded that the NPPs are sufficiently flexible to extend sensible and balanced privacy protection to genetic samples. The question therefore becomes how best to change privacy laws to make them apply sensibly to the handling of samples. Four possible options are as follows:
1. Amend the Act to define ‘personal information’ and ‘record’ to include bodily samples and leave the courts and the Privacy Commissioner to interpret how the NPPs are to apply to samples in practice;
2. In addition to Option 1, insert new interpretation provisions in the Privacy Act to assist in applying the existing NPPs to bodily samples, or amend the NPPs to better adapt them to the handling of bodily samples, as well as to personal information;
3. Insert a new set of privacy principles into the Privacy Act dealing specifically with the fair handling of bodily samples; or
4. Enact a new set of privacy principles in the Human Tissue Acts, other existing legislation, or in new stand alone legislation.
8.90 Option 1 would leave the NPPs in their current form. This is the approach taken in New South Wales, where the legislation covers ‘body samples’ but the privacy principles make no special provision for the application of these principles to such samples. The Inquiry is not aware of any situation in which the New South Wales privacy principles have been applied to a bodily sample. However, there is uncertainty as to how a court would, for example, apply the access principle.
8.91 While it may be possible to apply some of the NPPs coherently to samples without further interpretative assistance, in relation to other principles, amendment or interpretative aid appears necessary to ensure predictability of application and desirable regulatory outcomes. This is particularly true in relation to the access principle. The changes necessary to implement a right of access to samples, including rights exercisable by first-degree genetic relatives, appear to be substantial and are not easily accommodated within the existing wording of the NPPs.
8.92 Under Option 3, a new set of privacy principles dealing with the handling of bodily samples would be inserted into the Privacy Act. A range of consequential changes to other parts of the Privacy Act would also be necessary—notably to the provisions that define what acts or practices constitute an ‘interference with the privacy of an individual’. This approach may be criticised as adding to the proliferation of privacy principles. In addition to the IPPs and NPPs, the Privacy Act already contains distinct regimes for regulating the handling of credit reporting information and tax file numbers.
8.93 Option 4 is considered, and rejected, in Chapter 20, particularly in so far as the Human Tissue Acts might be used as the vehicle for reform. Enacting a new set of privacy principles in other existing legislation, or in new stand alone legislation also presents significant problems. The new rules would have to be consistent with information privacy legislation and would introduce even more complexity into the regulation of the handling of bodily samples.
8.94 Under the Inquiry’s favoured option, Option 2, new interpretation provisions could be inserted into the Privacy Act to assist in applying the existing NPPs to bodily samples. For example, a new section could be inserted to explain how the access principle (NPP 6) is to be applied to a bodily sample and to state that ‘disclosure’ in relation to a bodily sample means transfer of possession or control of the sample. Because the handling of personal information by Commonwealth or Australian Capital Territory public sector agencies is governed by the IPPs, rather than the NPPs, it would also be necessary to give detailed consideration to new provisions applying the IPPs to bodily samples.
8.95 Constitutional limits on federal legislative power are an important consideration in examining how best to extend privacy protection of genetic samples at the federal level. The external affairs power is an important constitutional underpinning for the Privacy Act. The Act gave effect to Australia’s agreement to implement the Organisation for Economic Cooperation and Development’s 1980 Guidelines for the Protection of Privacy and Transborder Flows of Personal Data (OECD guidelines) and to its obligations under Article 17 of the International Covenant on Civil and Political Rights 1966. To the extent that extending the coverage of the Privacy Act to genetic samples may be characterised as protecting information privacy, the amending legislation may also be able to rely on the external affairs power, along with other powers such as the corporations power. In any case, state and territory legislation will also be necessary, especially given that many existing collections of genetic samples are held in state public health systems and lie beyond the reach of Commonwealth legislative power.
8.96 The Inquiry acknowledges that reform will require review of the audit, investigation, complaints handling and enforcement provisions of the Act to determine whether they continue to be appropriate where the protection of genetic samples is at issue.
8.97 The resource and policy implications for the OFPC, as the regulator of a future regime that covers samples, will also require more detailed consideration. The OFPC submitted that the implications of the proposed reform for the OFPC generally, and for the compliance unit in particular, are substantial and not limited to major resourcing issues. These implications include that the OFPC would need to:
- develop new expertise to audit compliance;
- address how the regulation of bodily samples would interact with other regulatory standards and OFPC functions; and
- review complaints handling functions and education strategies.
8.98 Any regulator given new responsibility for regulating the privacy of genetic samples would face similar challenges, whatever the exact mechanisms of regulation. The Inquiry considers the OFPC to be well suited to the task, by reason of its long-standing experience in the regulation of information privacy in Australia. Privacy NSW noted that the proposed reform
would expand the responsibilities of the OFPC and necessitate adequate funding and resources to enable it to carry out all its regulatory responsibilities and functions. However this expanded role would have a positive benefit in better enabling the OFPC to address a range of privacy issues which the current restricted definition inhibits them from dealing with.
 See eg Privacy Act 1988 (Cth) NPP 1.
 See Attorney-General’s Department, Submission to Australian Senate Select Committee on Information Technologies Inquiry into E-Privacy, 1 August 2000.
 Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), OFPC, Sydney, 2.
 The Privacy Commissioner might develop guidelines to assist organisations to apply the NPPs to genetic samples. Such guidelines are not legally binding but indicate how the Privacy Commissioner will interpret and apply the NPPs: Privacy Act 1988 (Cth) s 27(1)(e).
 For example, by referring throughout to ‘disclosure, use or transfer’ rather than to ‘use or disclosure’.
Privacy and Personal Information Protection Act 1998 (NSW) s 4(2); Health Records and Information Privacy Act 2002 (NSW) s 5(2).
 See Privacy and Personal Information Protection Act 1998 (NSW) Pt 2; Health Records and Information Privacy Act 2002 (NSW) Sch 1.
 Genetic relatives should also be able to exercise similar rights of access to genetic information, other than samples.
Privacy Act 1988 (Cth) ss 13, 13A.
 Ibid Pt IIIA.
 Ibid s 17. There are also data-matching guidelines issued under the Data-matching Program (Assistance and Tax) Act 1990 (Cth) and the Medicare and Pharmaceutical Benefits Program privacy guidelines issued under s 135AA of the National Health Act 1953 (Cth).
 The language of the IPPs may be less suited to such application than that of the NPPs. For example, while the NPPs refer simply to organisations dealing with ‘personal information’, the IPPs refer to ‘record-keepers’ having ‘possession or control of a record that contains personal information’.
 Australian Constitution s 51(xxix).
 Australian Constitution s 51(xx).
 Office of the Federal Privacy Commissioner, Submission G164, 27 June 2002; Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003; Commonwealth Department of Health and Ageing, Submission G313, 6 February 2003.
 The OFPC stated that ‘the resource requirements for the Office to enforce the Privacy Principles for body samples in any meaningful way across the health sector alone would run into millions of dollars for an Office whose total budget is currently less than $5 million’: Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003.
 Office of the Privacy Commissioner (NSW), Submission G257, 20 December 2002.