‘Required or authorised by or under law’

16.2 An act or practice ‘required or authorised by or under law’ is an exception (the ‘required or authorised exception’) to a number of the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs).[1] For example, IPP 11(1)(d) provides that a record-keeper may disclose personal information to a person, body or agency if the disclosure is required or authorised by or under law. NPP 2.1(g) similarly provides that an organisation may use or disclose personal information for a secondary purpose if the use or disclosure is required or authorised by or under law. The required or authorised exception also applies to other areas of the Privacy Act, such as credit reporting.[2]

16.3 The ALRC recommends that acts or practices that are required or authorised by or under law should be an exception to a number of the model UPPs, including the ‘Collection’, ‘Use and Disclosure’, ‘Data Security’, ‘Access and Correction’ and the ‘Cross-border data flow’ principles. It is also referred to in the ‘Notification’ principle.[3]

16.4 State and territory privacy laws include similar exceptions. For example, s 25 of the Privacy and Personal Information Protection Act 1998 (NSW) provides that it is an exception to various Information Privacy Principles under that Act if an agency is ‘lawfully authorised or required not to comply with the principle concerned’, or ‘non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law’.[4]

Scope of the exception

‘Required’ by or under law

16.5 The Office of the Privacy Commissioner (OPC) states that an agency should inform an individual that it is ‘required’ to collect personal information in accordance with IPP 2 only ‘in the rare case where the agency has no choice in whether or not it collects the information’.[5] This interpretation is consistent with interpretations of ‘required’ in the context of other laws.[6] For example, in Department of Premier & Cabinet v Hulls, the Victorian Court of Appeal found that ‘required’ meant ‘demands’ or ‘necessitates’.[7]

16.6 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) states that the use of the word ‘required’ in NPP 2.1(g) is intended to cover situations where a law unambiguously requires a certain act or practice. It also suggests, however, that a law could require an act or practice by implication.

There could be situations where the law requires some actions which, of necessity, involve particular uses or disclosures, but this sort of implied requirement would be conservatively interpreted.[8]

16.7 The interpretation of ‘required by law’ seems to be consistent across the NPPs and IPPs. In relation to NPP 2.1(g) (Use and disclosure), the OPC states that ‘required by law’ covers ‘circumstances in which there is a legal obligation to use or disclose personal information in a particular way’.[9] Examples provided by the OPC of when the use or disclosure of personal information is required include where there are statutory requirements to report matters to agencies or enforcement bodies, or where legislation requires an organisation to ‘carry out some action, which of necessity involves particular uses or disclosures of personal information’.[10] This is reflected in Rahman v Ashpole,[11] in which Graham J held that disclosure of personal information by a bank to Centrelink was required or authorised by or under the provisions of the Social Security (Administration) Act 1999 (Cth).[12]

16.8 The OPC suggests a similar interpretation of ‘required by law’ in relation to IPP 10 (Limits on use of personal information). The OPC states that an agency may be required by law to use personal information for another purpose if it is governed by legislation that requires it to perform a specific function, and the only possible way it can perform that function is by using the particular information for a purpose other than that for which it was obtained.[13] In the context of IPP 11, Commonwealth tribunals have held that there is no reason to depart from the ordinary meaning of the term ‘require’; that is, ‘to demand, exact or command by authority’ or ‘to have as a necessary or essential condition for success, fulfilment, etc’.[14]

16.9 The Guidelines to the Information Privacy Principles, issued by the Office of the Victorian Privacy Commissioner (OVPC), state that:

words such as ‘must’ or ‘shall’ will indicate a requirement, and may be accompanied by the presence of a sanction for non-compliance.[15]

16.10 The guidelines list warrants, court orders and statutory provisions as examples.

‘Authorised’ by or under law

16.11 While an agency or an organisation that is ‘required’ by law to engage in an act or practice has no choice in the matter, an agency that is ‘authorised’ by law has a discretion as to whether it will engage in an act or practice.[16] The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) states that the reference to ‘authorised’ ‘encompasses circumstances where the law permits, but does not require, use or disclosure’.[17]

16.12 In the opinion of the OPC, an act or practice is not ‘authorised’ solely because there is no law prohibiting it.[18] Further, the law that authorises an act or practice must provide a ‘specific relevant discretion’. For example, a general provision that a statutory office-holder or the head of an agency may do anything necessary or convenient to be done for, or in connection with, a function does not meet this criterion.[19]

16.13 Sometimes, authorisation will be express. For example, s 250–10 of the Private Health Insurance Act 2007 (Cth) provides that, under certain circumstances, disclosure of personal information to the Private Health Insurance Ombudsman is taken to be authorised by law under the Privacy Act.[20] A law also can impliedly ‘authorise’ an act or practice.

16.14 Again, the interpretation of the phrase ‘authorised by law’ has been consistent across the IPPs and NPPs. The OPC has stated in the context of the required or authorised exception to IPP 10 and IPP 11:

A use or disclosure may fall within 10.1(c) or 11.1(d) if the law requires or authorises a function or activity that clearly and directly entails the use or disclosure. Here, the use or disclosure is impliedly authorised by law because it is essential to effect a scheme the law lays down.[21]

16.15 In the context of IPP 11, as with the term ‘required’, Commonwealth tribunals have held that there is no reason to depart from the ordinary meaning of the term ‘authorised’; that is, ‘to give someone the power or right to do something’ or ‘to give permission for something’.[22] In Caratti v Commissioner of Taxation,[23] French J held that it was within the course of duties of an officer of the Australian Taxation Office (ATO) to disclose to the Director of Public Prosecutions information relevant to possible criminal proceedings. French J found that the disclosure fell within the required or authorised exception and so did not contravene IPP 10 or IPP 11.

I accept the Commissioner’s submissions that on the face of the pleading any disclosures made by the Commissioner … of information obtained in the course of the taxation audits or otherwise under the Act, the Taxation Administration Act or the Fringe Benefit Tax Assessment Act 1986, which contains similar provisions, were permitted by the statutory provisions and were not made in contravention of them.[24]

16.16 The OPC has provided similar guidance on the meaning of the term ‘authorised’ in the context of the NPPs—namely, that it means there is authority to do something but the organisation can decide whether or not to do it.[25] In the context of NPP 2.1(g), Wilson FM in the Federal Magistrates Court has held that the disclosure of documents that contained personal information, but which also contained information relevant to the investigation of the receipt of ‘income’, was ‘authorised’ for the purposes of the Privacy Act by s 77A of the Bankruptcy Act 1966 (Cth), but only to the extent that the documents were relevant to the trustee’s investigation.[26] Wilson FM held that if the necessary financial information could be provided to the trustee, without disclosure of ‘personal information’, that would constitute sufficient compliance by the respondent with the trustee’s request under s 77A of the Bankruptcy Act 1966 (Cth).[27]

16.17 The Guidelines to the Information Privacy Principles, issued by the OVPC, state that words such as ‘may’ are indicative of authorisation. The Guidelines provide that ‘an authorising power must be reasonably specific; a general power or function for “anything incidental” would be insufficient’.[28]

‘By or under law’

16.18 In Scott v Enfield City, Wells J explained the distinction between ‘by or under’ law as follows:

The word ‘by’ implies, I apprehend, that the use or intended use belonged to a class of use directly permitted by a provision or provisions of the Act or bylaw; the word ‘under’ implies that the authorization of the use or intended use was an act-in-law validly done pursuant to the Act or by–law.[29]

16.19 In R v Tkacz, however, Malcolm CJ acknowledged that while, in particular contexts, a distinction can be made between ‘by’ and ‘under’, there are other contexts where they have the same meaning.[30]

‘Law’

16.20 What kinds of laws can require or authorise acts or practices for the purposes of the exception? Only a few cases have considered what is meant by ‘law’ for the purposes of the ‘required or authorised’ exception. It has been held that ‘law’ in the context of the exception includes a federal Act[31] and court rules.[32]

16.21 The OPC’s Guidelines to the National Privacy Principles provide that ‘law’ includes Commonwealth, state and territory legislation, as well as common law.[33]

16.22 The OPC’s Plain English Guidelines to the Information Privacy Principles provide more detailed advice on the meaning of ‘law’. They provide that ‘law’ for the purposes of the required or authorised exception to IPP 10 and IPP 11 means Commonwealth acts and delegated legislation, and state and territory laws where the state or territory has ‘validly legislated to bind the Commonwealth’.[34] The Guidelines also state that ‘law’ includes:

  • documents with the force of Commonwealth law (a document may have the ‘force of law’ if it is an offence to breach its provisions, or it is possible for a penalty lawfully to be imposed if its provisions are breached, for example, industrial awards);

  • disclosures to Commonwealth ministers; and

  • Commonwealth parliamentary privilege.[35]

16.23 The OPC states that a number of laws normally are not accepted as ‘law’ for the purpose of the required or authorised exception, including:

  • state law that does not validly bind the Commonwealth;

  • Cabinet decisions;

  • inter-agency agreements and contracts between an agency and other parties;

  • common law; and

  • requests for personal information from foreign governments.[36]

16.24 Common law, for these purposes, ‘consists of broad statements of legal principle and is made by judges—as opposed to statute law which is legislation made by Parliament’.[37]

16.25 In the second reading speech for the Privacy Amendment (Private Sector) Bill 2000, the then Attorney-General stated that the ‘national privacy principles recognise the operation of state and territory legislation and the common law’.[38]

16.26 State and territory courts and tribunals have held that the meaning of ‘law’ in relation to similar exceptions under state and territory privacy laws includes: a common law duty of care to warn;[39] an order for pre-trial discovery;[40] a subpoena to disclose information to a court;[41] and a warrant to obtain records from a hospital under a state Act.[42] In its submission to the NSW Attorney General’s Department review of the Privacy and Personal Information Protection Act 1998 (NSW), the Office of the NSW Privacy Commissioner (Privacy NSW) stated that the scope of ‘other law’ in s 25 of the Act was unclear.[43]

Clarifying the scope of the exception

Clarifying the scope of ‘law’

16.27 In the Discussion Paper, Review of Privacy Law (DP 72), the ALRC expressed the preliminary view that the scope of the required or authorised exception required clarification.[44] It noted that some stakeholders had expressed concern that the ambiguity in the operation of this exception can create uncertainty for individuals, agencies, organisations and privacy regulators.

16.28 The ALRC stated that while the scope of the words ‘required’ and ‘authorised’ appears to be well understood, the categories of laws that are ‘law’ for the purposes of the exception were less clear.

16.29 The ALRC expressed the preliminary view that federal Acts and delegated legislation are clearly ‘law’ for the purpose of the exception. These laws are subject to various accountability requirements, including the scrutiny of Parliament and disallowance. These accountability requirements help to ensure that any reliance on the required or authorised exception is appropriate and justified.

16.30 The ALRC also expressed the view that ‘law’ should include state and territory Acts and delegated legislation. These laws also are subject to accountability requirements. If state and territory laws were not considered law for the purposes of the exception, an organisation, for example, could find that it was subject to conflicting obligations under the Privacy Act and a state or territory Act or piece of delegated legislation.

16.31 Professor Dennis Pearce and Stephen Argument state that the usual form of parliamentary oversight is a requirement that delegated legislation be tabled in the parliament.[45] For example, at the Commonwealth level, s 38(1) of the Legislative Instruments Act 2003 (Cth) requires that all legislative instruments be tabled in each House of Parliament. Pearce and Argument note that the principle that delegated legislation should be reviewed by parliament has been accepted in all Australian jurisdictions; in practice, however, such acceptance has been variable.[46]

16.32 In DP 72, the ALRC also expressed the preliminary view that it is unclear whether ‘law’ should include an order of a court or tribunal; documents that are given the force of law by an Act of Parliament, such as industrial awards; or statutory instruments such as Local Environmental Plans made under planning laws.[47]

16.33 As discussed above, there is some authority for this in the context of privacy law and practice. Further, commentators on the Australian Constitution, for example, argue that it is clear that, in the context of case law on s 109 of the Constitution, subordinate legislation and awards fall within the term ‘law’. Valid subordinate legislation made under a Commonwealth Act will override contrary state legislation.[48]

Some awards and orders may amount to quasi-judicial determinations that sit uneasily within the rubric of legislation. Nevertheless, the High Court has consistently held that a State law is displaced by a valid quasi-judicial decision by force of the Commonwealth Act under which it is made.[49]

16.34 In DP 72, the ALRC also asked whether the definition of ‘law’ should include common law or equitable duties.[50] The ALRC noted that it is not clear to what extent a ‘law’ includes a common law or equitable duty for the purposes of the required or authorised exception. The ALRC and the Australian Health Ethics Committee (AHEC) of the National Health and Medical Research Council (NHMRC) considered this issue in Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96). The ALRC and AHEC noted that:

It appears to be accepted that ‘law’ may include the common law. However, it is not entirely clear whether NPP 2.1(d) permits a doctor to disclose confidential information where the disclosure is covered by the public interest exception to the common law duty of confidentiality. In an Attorney-General’s Department information paper, the Government acknowledged that the health profession had a strong respect for the confidentiality of health information and maintained sound privacy practices. The paper stated that the ‘legislation is not intended to interfere with those professional values and standards’.[51]

16.35 The ALRC and AHEC concluded that the application of the Privacy Act to the disclosure of health information by doctors and other health professionals, in circumstances that may not breach common law or ethical requirements of confidentiality, may require clarification.[52]

16.36 There is some authority, in other legal contexts, for the view that the term ‘law’ includes the common law. In Oates v Williams,[53] the Full Court of the Federal Court held that the phrase ‘despite anything in any other law’ in a statute under consideration was ‘a reference to any law, whether common law or statute’. This statement was later adopted by the High Court in Attorney-General of the Commonwealth v Oates.[54]

16.37 Commentators on the Australian Constitution argue that, while the term ‘law’ has an imprecise meaning, the terminology in s 109, when compared with other provisions of the Australian Constitution, suggests that the term ‘law’ in s 109 includes the common law.[55]

16.38 If the Privacy Act is amended to include a definition of ‘law’, to what extent should common law or equitable duties be captured by that definition? One option is to include a general reference to ‘common law and equitable duties’. It may be, however, that the inclusion of such a broad reference has unintended consequences. For example, it is arguable that it could enable an agency or organisation to contract out of its obligations under the Privacy Act by way of an exclusion clause. There is no express provision in the Privacy Act similar to s 68 of the Trade Practices Act 1974 (Cth), for example, which renders any term of a contract that seeks to exclude, restrict or modify certain provisions and rights void. It may be that there would be an argument that such a contract would be void or illegal if it infringed public policy.[56]

A contract may be illegal because it is prohibited by statute, or because it infringes a rule of public policy. It should not, however, be thought that wherever statutory requirements are not fulfilled the resulting contract, if indeed one results, is necessarily illegal or affected by illegality.[57]

16.39 Another option is to refer to particular classes of common law and equitable duties in the definition of ‘law’. The question then is which common law and equitable duties should be caught by the definition of ‘law’? Three categories of duties could be considered: first, common law or equitable duties of confidentiality; secondly, a school’s duty of care; and thirdly, the common law duty of procedural fairness.

16.40 Common law and equitable duties of confidence are discussed in detail in Chapter 15. In essence, legally enforceable obligations to maintain confidence may arise in contract and equity. Duties of confidentiality are owed, for example, by banks;[58] doctors[59] and health professionals;[60] and where information is collected by compulsion under statutory powers.[61] Some duties are subject to exceptions, for example, the banker’s duty of confidentiality.[62] As discussed above, the ALRC has previously drawn attention to the need for clarification in relation to duties of confidentiality. Such duties, and the exceptions to those duties, are commonly relied upon in the context of the required or authorised exception.

16.41 Should a school’s common law duty of care fall within the definition of ‘law’?[63] It is now well established that teachers and school authorities are under a duty to take reasonable care to protect pupils in their charge from a reasonably foreseeable risk of injury.[64] The duty includes a positive duty to act[65] and is non-delegable, because of the special relationship between students and school authorities.[66]

16.42 Finally, should the definition of ‘law’ include common law duties of procedural fairness? There is a duty at common law to afford procedural fairness when exercising a power which affects a person’s rights, interests or legitimate expectations.[67] The Privacy Commissioner occasionally has accepted that a disclosure of personal information is necessary to satisfy requirements imposed by the common law principles of procedural fairness.[68]

16.43 In Skase and Minister for Immigration and Multicultural and Indigenous Affairs,[69] Deputy President Forgie considered the relationship between s 33 of the Administrative Appeals Tribunal Act 1975 (Cth) and the IPPs. The issue before the Administrative Appeals Tribunal (AAT) was whether a person, not a party to the application before the AAT, could examine the AAT’s file. Deputy President Forgie declined to make an order authorising disclosure under s 33. She noted, however, that s 33 was wide enough to authorise or permit the AAT to make a direction permitting disclosure, referring here to the required or authorised exception in IPP 11.1(d). She commented that issues of procedural fairness would be relevant to the AAT’s exercise of discretion in this context.[70] Implicit in Forgie’s reasoning is the view that the common law principles of procedural fairness would be caught by the term ‘law’.

16.44 In KD v Registrar, NSW Medical Board,[71] a case examining the NSW equivalent of the required or authorised by law exception, the Administrative Decisions Tribunal (ADT) found that procedural fairness required the NSW Medical Board to disclose to a medical practitioner an applicant’s letter of complaint to the Board concerning the practitioner’s conduct of a procedure. As procedural fairness required the Board to disclose the substance of the complaint to the practitioner, the ADT held that the Medical Board could rely on the exception in s 25 of the Privacy and Personal Information Protection Act 1998 (NSW).[72] The ADT also found, however, that procedural fairness did not require the disclosure of a subsequent letter from the applicant to the Board, enclosing her Medicare claims history.[73]

While the Board has statutory and common law obligations requiring it to provide information to a practitioner the subject of investigation, it does not follow that it is required to disclose all information obtained in the course of that investigation.[74]

16.45 On the other hand, a determination by the Victorian Privacy Commissioner held that, under Victorian legislation, where a person lodges a complaint with an organisation about an individual, arguably it is part of the primary purpose of collection to show the complaint to the individual concerned in the interests of procedural fairness. In any event, the Victorian Privacy Commissioner held that showing the complaint to the individual concerned amounts to disclosure for a related secondary purpose and would be within the complainant’s reasonable expectations.[75]

16.46 It is clear that there is authority for the view that certain categories of common law and equitable duties fall within the term ‘law’ for the purposes of the required or authorised exception.

16.47 The ALRC therefore asked in DP 72 whether the definition of a ‘law’, for the purposes of determining when an act or practice is required or authorised by or under a law, should include: a common law or equitable duty; an order of a court or tribunal; documents that are given the force of law by an Act of Parliament, such as industrial awards; and statutory instruments such as a Local Environmental Plan made under a planning law.[76]

Submissions and consultations

16.48 The OPC, the Australian Privacy Foundation and a number of other stakeholders supported the inclusion of a non-exhaustive definition of ‘law’ in the Privacy Act.[77]

16.49 Telstra, on the other hand, argued that it was unnecessary to define the term ‘law’.

The term ‘laws’ is used in this context in many different Acts, and Telstra is not aware of any general principle that the term needs to be defined for the purposes of those Acts, nor is there any great uncertainty caused by this lack of definition. Accordingly, there is no reason why this term should be exhaustively defined in the Privacy Act. Rather, this term should be left to be interpreted in the usual way.[78]

16.50 The OPC argued that, for clarity, any definition of ‘law’ should remind agencies and organisations that they need to determine, first, whether the particular law applies to them (which may vary depending on the type of entity), and secondly, whether the relevant law in fact requires or authorises the proposed act or practice by that entity.[79] For example, a Commonwealth agency would need to determine whether a state-based statutory instrument applied to it before seeking to rely on its provisions in the context of this exception.

16.51 In terms of what the definition of ‘law’ should include, there was some support for including an express reference to common law. This support, however, was generally predicated on the need for exceptions to common law duties of confidentiality to be recognised under the Privacy Act.[80] The Australian Bankers’ Association (ABA) argued that this was an important issue for banks. It noted that a banker’s duty of confidentiality in relation to his or her customer is a common law duty to which there are four exceptions under which a bank is authorised or may be required to disclose information:

(i) with the express or implied consent of the customer; (ii) under compulsion of law; (iii) a duty to the public to disclose; and (iv) the interests of the bank require disclosure.[81]

16.52 The ABA submitted that

it is important for these exceptions to be recognised under the Privacy Act as they currently exist otherwise the duty of confidentiality could be rendered absolute and so in conflict with the permissive aspects of the UPPs placing banks at a significant disadvantage to their competitors.[82]

16.53 The National Catholic Education Commission and Independent Schools Council of Australia questioned whether a school’s duty of care towards its pupils is a ‘law’ for the purposes of the exception.

Schools apply the current provision as including common law duties such as Schools’ common law duty of care towards pupils on the basis that it could not have been intended by the legislature to override this important and frequently litigated duty by privacy legislation.[83]

16.54 The NHMRC submitted that the definition of ‘law’ should accommodate the need for health care professionals to ‘disclose confidential information where the disclosure is covered by the public interest exception to the common law duty of confidentiality’.[84]

16.55 Other stakeholders, however, such as the Public Interest Advocacy Centre (PIAC) and the ATO, thought that including common law and equitable duties in the definition of ‘law’ would create too much uncertainty.[85] National Legal Aid submitted:

we foresee problems in extending the definition of required or specifically authorised under law to common law and equitable duties without further qualification. Such duties are inherently elastic and, if broadly applied, could significantly impact on the protection provided by privacy laws.[86]

16.56 The OPC raised a concern about whether any unintended consequences would arise from specifically including the common law within the scope of ‘law’. It noted that common law or equitable principles may lack the ‘clarity or certainty of those found elsewhere, such as in legislation’.[87] By way of example, the OPC referred to Breen v Williams,[88] in which the High Court held that there was no right of access to medical records under common law. The OPC submitted that it would be concerned if a health service provider sought to rely on the common law principles expressed in Breen v Williams as an ‘authorisation’ to deny access to health information under NPP 2.1(h). The OPC suggested that the ALRC’s final Report should explore the extent to which the common law can be relied upon to ‘require or authorise’ acts.

16.57 In consultations undertaken by the ALRC, concerns were also raised about whether including a broad reference to common law and equitable duties may allow an agency or organisation effectively to contract out of its obligations under the Privacy Act. For example, if an organisation was under a contractual obligation to disclose information, it could argue that the obligation for specific performance under that contract is a common law duty which falls within the required or authorised exception.

16.58 There were few submissions which specifically addressed the other proposed limbs of the definition of ‘law’. PIAC argued that the definition should only include an order of a court or tribunal to the extent that privacy issues were canvassed in the matter that was before the court or tribunal.[89] PIAC did not support an extension of the definition to statutory instruments (such as Local Environmental Plans) on the basis that they were not subject to parliamentary scrutiny and may be developed by local government without any consideration of privacy issues.[90] The OPC also noted that there was often comparatively little oversight of documents given the force of Commonwealth law, such as industrial awards, but supported the proposal to include industrial awards in the definition.[91]

16.59 The only submission to address the use of the term ‘by or under law’ in the ‘required or authorised’ exception in the Privacy Act was that of the OPC, which supported it.[92]

ALRC’s view

16.60 There is currently some uncertainty about the scope of the term ‘law’ in the required or authorised exception. This uncertainty operates on two levels. First, there is uncertainty about the extent to which particular kinds of laws are caught by the term ‘law’—for example, whether the term law includes industrial awards given the force of Commonwealth law. Secondly, there is uncertainty stemming from apparent inconsistencies in the interpretation of whether particular categories of laws are caught by the term ‘law’ in the context of the IPPs, as opposed to the NPPs. For example, as noted above, the OPC’s Guidelines to the National Privacy Principles provide that ‘law’ includes common law;[93] however, its Plain English Guidelines to the Information Privacy Principles indicate that, for agencies, ‘law’ generally does not include common law.[94]

16.61 The ALRC acknowledges the view of Telstra that it is not necessary to define the term ‘law’ in the Privacy Act. The ALRC notes, however, that the term ‘law’ is currently defined in several Commonwealth statutes,[95] although not as comprehensively as that proposed in DP 72.

16.62 It is important to articulate clearly the scope of the required or authorised exception, which is included in six of the model UPPs. Expressly setting out categories of law in an inclusive definition should generate more clarity and certainty in the application of the exception.

16.63 The definition of ‘law’ for the purposes of the ‘required or authorised’ by law exception should include Commonwealth and state and territory Acts and delegated legislation. In DP 72, the ALRC proposed including statutory instruments, such as a Local Environmental Plan made under a planning law in the definition. The ALRC acknowledges, however, the argument made in PIAC’s submission that such instruments may not be subject to the same level of parliamentary oversight as Acts and pieces of delegated legislation. Accordingly, the ALRC recommends that the definition refer only to delegated legislation, so as to ensure that those legislative instruments captured by the definition are subject to some form of parliamentary review. In the ALRC’s view, a reference to statutory instruments (such as Local Environmental Plans) should not be included.

16.64 The ALRC accepts the concerns raised by stakeholders that including a broad reference to ‘common law and equitable duties’ in the definition of ‘law’ may have unintended consequences. It may enable, for example, an agency or organisation to contract out of its obligations under the Privacy Act by way of an exclusion clause. For this reason, rather than referring to ‘common law and equitable duties’ generally in the definition of law, it is preferable to specify particular common law and equitable duties.

16.65 A number of stakeholders supported the inclusion of common law and equitable duties of confidentiality and the exceptions to those duties, in the definition of ‘law’. The ALRC has previously highlighted the need for greater clarity in this area.[96] In the ALRC’s view, common law and equitable duties of confidentiality should be included in the definition of ‘law’. This definition should make express mention of the exceptions to such duties.

16.66 One stakeholder argued that it was important that a school’s duty of care was reflected in the definition of ‘law’.[97] As noted above, there is some authority for the view that a school’s duty of care will fall within the term ‘law’. Given the limited authority on point, however, the ALRC is not convinced that a specific reference to a school’s duty of care in the definition of ‘law’ is warranted. In reaching this conclusion, the ALRC is not expressing the view that a school’s common law duty of care will never fall within the definition of the term ‘law’ for the purposes of the required or authorised exception. Whether it does or does not will depend on the factual circumstances of a particular case.

16.67 There is some support for the view that ‘law’ in the context of the required or authorised exception should include the common law principles of procedural fairness. No submissions specifically addressed the issue, however, and the ALRC’s view is that no specific reference should be made to common law principles of procedural fairness in the definition of ‘law’. As with a school’s duty of care, a strong consideration in reaching this view is that the definition of law recommended by the ALRC is inclusive. In reaching this conclusion, the ALRC is not expressing the view that the common law principles of procedural fairness will never be caught by the term ‘law’ for the purposes of the required or authorised exception.

16.68 If confusion develops as to the extent to which common law or equitable duties other than duties of confidentiality fall within the definition of ‘law’, it may be appropriate for the OPC to issue guidance in this regard.

16.69 The ALRC proposed in DP 72 that the definition of a ‘law’ should include an order of a court or tribunal. The few submissions which addressed this issue did not provide any compelling arguments for its omission. The ALRC remains of the view that orders of a court or tribunal should be included in this definition.

16.70 The ALRC also proposed in DP 72 that the definition should include documents given the force of law by an Act of Parliament, such as industrial awards. The OPC supported this proposal, although it noted that there can be comparatively little oversight of such documents. The ALRC notes that such documents have been interpreted as constituting laws for the purposes of s 109 of the Australian Constitution. For these reasons, the ALRC confirms its view that this limb should be included in the definition of ‘law’.

16.71 Finally, the phrase ‘by or under law’ should be retained. There is judicial authority to support the view that the terms ‘by’ and ‘under’ have slightly different meanings. No concerns about the phrase were raised in submissions and the OPC supported its retention.

Recommendation 16-1 The Privacy Act should be amended to provide that ‘law’, for the purposes of determining when an act or practice is required or authorised by or under law, includes:

(a) Commonwealth, state and territory Acts and delegated legislation;

(b) a duty of confidentiality under common law or equity (including any exceptions to such a duty);

(c) an order of a court or tribunal; and

(d) documents that are given the force of law by an Act, such as industrial awards.

‘Specifically authorised’

16.72 While acts and practices that are ‘required’ by law will be relatively rare, the ‘authorised’ by or under law exception could potentially except a wide range of acts and practices from the limits imposed by the Privacy Act. One issue for consideration is whether the ‘authorised’ by or under law exception should be narrowed. The European Union Article 29 Data Protection Working Party has criticised the required or authorised exception under the Privacy Act as being imprecise:

The wording ‘authorised’ as opposed to ‘specifically authorised’ which existed in the January 1999 edition of the National Principles can also be read to mean that all secondary purposes that are not forbidden are allowed. In the working party’s view such a wide exemption would virtually devoid the purpose limitation principle of any value.[98]

16.73 The term ‘specifically authorised’ is used in a number of federal Acts. Section 51 of the Trade Practices Act 1974 (Cth) provides that, in deciding whether a person has contravened Part IV of the Act (restrictive trade practices), anything specified in, or ‘specifically authorised’ by certain laws must be disregarded. Section 43A of the Environment Protection and Biodiversity Conservation Act 1999 (Cth) (EPBC Act) refers to ‘specific environmental authorisation’. The Federal Court considered the meaning of this phrase in Minister for the Environment & Heritage v Greentree (No 2),[99] in which Sackville J considered whether the respondents were specifically authorised to undertake certain activities on land that was ‘declared Ramsar wetland’.

The language of s 43A(1)(b) of the EPBC Act implies that there is a distinction between an action which is authorised under an Act and one which is specifically authorised … in my view [specifically authorised] does not mean that the authorisation must only relate to a single site or to a single activity on land. It is in my view enough that the authorisation covers a defined class of activities or identifiable land which includes the subject land.[100]

16.74 In DP 72, the ALRC noted that the required or authorised exception is essential to grant governments the discretion to provide that personal information be handled in particular ways. The ALRC therefore proposed that it remain as an exception to a number of the proposed UPPs. The ALRC proposed, however, that a new exception be provided in relation to certain principles—namely, an exception where an act or practice is ‘specifically authorised’. The ALRC expressed the preliminary view that an exception for acts and practices that are ‘specifically authorised’ would require the law expressly to authorise a defined class of acts and practices that would otherwise contravene the principle in the Privacy Act. Accordingly, it would require the Australian Parliament and state and territory parliaments to turn their minds to how the proposed law would interact with the Privacy Act, and the competing interests for and against the handling of personal information in a particular manner.[101]

16.75 The ALRC proposed including the ‘specifically authorised’ exception in the proposed ‘Collection’ and ‘Specific Notification’ principles.[102] NPP 10.1(b) currently provides that an organisation must not collect sensitive information about an individual unless the collection is required by law. In DP 72, the ALRC expressed the view that this exception is too narrow. The ALRC considered proposing an exception to the ‘Collection’ principle if an act or practice were ‘authorised by law’, but reached the preliminary view that such an exception may be too wide, as it could include laws that impliedly authorise certain acts and practices. The ALRC proposed, therefore, that an agency or organisation should not collect sensitive information unless the collection is ‘required or specifically authorised by or under law’.[103]

16.76 The ALRC also proposed the introduction of a new ‘Specific Notification’ principle that would require agencies and organisations to take reasonable steps to inform an individual of certain matters. The ALRC proposed, however, that agencies should not be required to take reasonable steps to inform individuals of the matters listed in the proposed principles if they were required or specifically authorised by or under law not to do so.[104] As discussed in Chapter 23, however, the ALRC no longer holds the view that this exception is appropriate.

16.77 In DP 72, the ALRC also asked whether the proposed ‘Use and Disclosure’ principle should contain an exception allowing an agency or organisation to use or disclose personal information for a purpose other than the primary purpose of collection where this is ‘required or specifically authorised by or under law,’ instead of simply ‘required or authorised by or under law’.[105]

Submissions and consultations

16.78 Few submissions addressed the question of whether the term ‘specifically authorised’ should be adopted in favour of the term ‘authorised’ in all of the UPPs. Those that did comment supported the inclusion of the term ‘specifically authorised’ so as to ‘promote regulatory certainty’.[106] For example, the OPC stated:

As the Office understands it, the effect of including the term ‘specifically authorised’, as opposed to simply ‘authorised’, is that the relevant principle will only permit information-handling acts or practices that are expressly authorised by or under law. Such an amendment would lessen regulatory complexity and uncertainty by clarifying that legal authorities for various acts or practices cannot be implied or incidental.[107]

16.79 This view was shared by Privacy NSW.[108] Many stakeholders, however, raised concerns about the use of the term ‘specifically authorised’ in the ‘Use and Disclosure’ principle and the ‘Collection’ principle. Whilst the case for the inclusion of this term will be considered in Chapters 25 and 21 respectively, mention is made here of the submissions which raised concerns with general application.

16.80 A number of government agencies[109] expressed concern about the proposed extension of the exception in the context of the ‘Use and Disclosure’ principle.[110] The ATO argued that the proposed approach does not ‘adequately take into account the nature of much Commonwealth law on disclosure’.[111] It submitted that the ATO currently relied on implied authorisations in some contexts, ‘for example, laws may lay down a specific scheme of which some uses and disclosures of personal information are an inseparable part’.[112] It noted that many taxation law provisions were of this nature.[113]

Also, there are important provisions in taxation law which evidence a parliamentary intention that disclosures of taxation information are made for defined aims, but where it could be said that disclosures are not ‘specifically’ authorised as the content of potential disclosures is not specified. While disclosures made under these provisions are clearly ‘authorised by law’, it is possible that some would not be able to be said to be ‘specifically authorised by law’

We expect that many existing Commonwealth laws would contain disclosure powers of this type, and that a Privacy Act requirement that disclosures be specifically authorised could compromise disclosures which Parliament clearly intended could be made.[114]

16.81 The Australian Federal Police also objected to the use of the word ‘specifically’.

The use of the word ‘specifically’ assumes that all the powers and functions of an agency will always be set out expressly in the legislation. However, practical experience demonstrates that the legislation does not always address every issue and it is sometimes necessary to determine what is required by necessary implication as well as by what is expressed. There is a real concern that the inclusion of the word ‘specifically’ would only enable an agency and the courts to look at specific powers.[115]

16.82 This view was also shared by Medicare Australia:

We do not agree that the requirement be narrowed to a condition where the use or disclosure be ‘specifically’ authorised. This would necessitate that legislation governing the functions and activities of an agency would need to cover all foreseeable actions in administering the programs the agency is responsible for, and for either anticipating future developments or regularly amending existing legislation to keep up with changes. In the case of Medicare Australia, we have specific functions expressed in legislation, but the activities required to administer those functions are not always specifically defined.[116]

16.83 This lack of support extended to organisations.[117] For example, Avant Mutual Group Ltd argued that adding the term ‘specifically authorised’ was superfluous. It noted that there are many laws which are not prescriptive and argued that the introduction of the term ‘specifically’ could have the ‘unintended consequence of preventing the release of personal information when a fair reading of the law allows disclosure’, citing s 40(3) of the Insurance Contracts Act 1984 (Cth) as an example.[118]

16.84 This view was shared by Telstra, which argued that the amendment was unnecessary and only would create uncertainty. Telstra argued that a use or disclosure was either ‘authorised or not authorised by or under law’.[119] The Australian Finance Conference expressed concern about the ‘potential additional compliance obligations that such a narrowing could attract’, which, in its view, could impose major operational costs.[120]

16.85 Similar concerns were expressed in submissions concerning the use of the term ‘specifically authorised’ in relation to the collection of sensitive information.[121] For example, the Australian Communications and Media Authority submitted:

This Proposal has potentially far reaching implications and may impact on the capacity of agencies to fulfil their statutory functions and powers … A ‘specific authorisation’ to ‘collect’ criminal record information will frequently not exist and it is usually the case that an agency will have this authority by implication.[122]

ALRC’s view

16.86 Legislation should set out clearly whether it is intended to require or authorise an act or practice for the purposes of the Privacy Act. In the interest of clarity and transparency, such provisions should set out the type of information to be included, the scope of the requirement or authorisation, and the extent to which the Privacy Act applies to the handling of that information.

16.87 It is the ALRC’s view, however, that the term ‘specifically authorised’ should not be adopted in the Privacy Act. While there is little case law on ‘authorised by law’, that which does exist demonstrates that authorisation involves permission and, so, more than an absence of prohibition.[123] Even where disclosure is ‘authorised’, courts will set limits on the extent of disclosure.[124]

16.88 While the inclusion of the phrase ‘specifically authorised’ was supported by a number of stakeholders, strong concerns were expressed by agencies. Agencies argued that it would have far-reaching implications, affecting their ability to fulfil their statutory functions and exercise their powers. Agencies may need to rely on implied authorisations, but arguably would be prevented from doing so if the term ‘specifically authorised’ were included in the Privacy Act.

16.89 In Chapter 27, the ALRC recommends that the Privacy Act be amended to empower the Privacy Commissioner to direct an agency to provide to the Privacy Commissioner a Privacy Impact Assessment (PIA) in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information.[125] In the ALRC’s view, a PIA generally should be prepared when a provision in new legislation may require or authorise an act or practice relating to the handling of personal information that would otherwise be regulated by the Privacy Act.[126] If a PIA is prepared, federal Parliament will be required to turn its mind to how the proposed law will interact with the Privacy Act and assess the competing interests for and against the handling of personal information in a particular manner.

Clear references to an exception in legislation

16.90 Federal legislation contains a number of provisions that require or authorise certain acts or practices for the purpose of the Privacy Act. Most of these provisions relate to the disclosure of personal information.[127] For example, s 42(1)(g) of the Australian Passports Act 2005 (Cth) provides that the minister performing functions under the Act may request certain persons to disclose personal information about a person to whom an Australian travel document has been issued. Section 42(3) then provides that, for the purposes of IPP 11(1)(d) and NPP 2.1(g), such a disclosure is required or authorised by law.

16.91 The interaction between these provisions and the Privacy Act, however, is not always clear. For example, some provisions under federal legislation require or authorise disclosure of information, but do not state that it is required or authorised for the purposes of the Privacy Act.[128] Other provisions, such as s 488B of the Migration Act 1958 (Cth), provide that certain disclosures of information may occur ‘even if the information is personal information (as defined in the Privacy Act 1988)’.[129]

16.92 In DP 72, the ALRC noted that stakeholders had submitted that legislation which intends to rely on the required or authorised exception should include clear references to this fact in the legislation.[130] It was noted that ambiguity in legislation can cause uncertainty for agencies, individuals, organisations and, potentially, the OPC, as to how information should be handled, and whether relevant provisions meet the requirements under the Privacy Act.[131] Amending legislation which is intended to rely on the required or authorised exception so that it includes clear reference to this in the legislation is one option that was considered.[132]

ALRC’s view

16.93 It would be too onerous to amend all existing federal, state and territory legislation that may require or authorise an act or practice relating to the handling of personal information. Federal, state and territory parliaments should, however, ensure that proposed laws that are intended to rely on the required or authorised exception, where possible, make such authorisation express. Ideally, the legislation also should include clear references to the exception under the Privacy Act.

Review of legislation

16.94 In submissions to this Inquiry the Office of the Information Commissioner Northern Territory and the OVPC submitted that legislation that predates the Privacy Act may continue to justify what would otherwise constitute breaches of privacy principles. The importance of requiring any legislation that raises privacy issues to be reviewed at appropriate intervals to confirm that the Parliament continues to accept that it reflects an appropriate balance between privacy interests and other interests was emphasised in both submissions.[133]

16.95 The Privacy Commissioner currently has various powers to review legislation for these purposes. These powers include a power under s 27(1)(f) of the Privacy Act to provide, on request or on the Commissioner’s own initiative, advice to a minister, agency or organisation on any matter relevant to the operation of the Act. In the ALRC’s view, this power enables the Privacy Commissioner to monitor legislation that requires or authorises certain acts and practices for the purposes of the Privacy Act, and provide advice to the minister responsible for that legislation, if those acts and practices are no longer considered appropriate. The Privacy Commissioner should exercise his or her power under this provision where appropriate.

A list of laws that require or authorise acts and practices

16.96 One option raised by the OPC in response to the Issues Paper, Review of Privacy (IP 31), is the compilation of a list of provisions that require or authorise acts or practices that would otherwise be regulated by the Privacy Act. Such a list would provide clarity for agencies, organisations, individual consumers and privacy regulators about whether certain laws met the criteria of the exception. The OPC suggested that such a project may require the coordination of numerous agencies and organisations, such as the OPC and, possibly, the Australian Government Attorney-General’s Department (AGD).

16.97 The OPC suggested that the list could act as a centralised resource for drafting and, potentially, the development of a standardised provision. The list also could serve an educative function by prompting agencies to consider privacy implications when developing legislation.[134]

16.98 In DP 72, the ALRC noted that this proposal raised a range of issues. A threshold question is whether the list should have the force of law. One option is to locate the list in a schedule to the Privacy Act; another is to promulgate it in regulations. A less formal method is for the list to be published by the AGD or the OPC. This would enable the content of the list to be amended more readily, but the list would not have the same legal authority as, for example, a schedule to the Privacy Act.

16.99 A further issue is whether the list should be comprehensive or indicative. One concern is that the practice of identifying some provisions and not others could produce an interpretation that listing was a necessary precondition for the exception to operate.

16.100 Another issue for consideration is which agency should be responsible for the preparation of such a list. One option would be for the OPC to compile it. It is questionable, however, whether the OPC would have the resources to undertake such a task. Another option would be for the AGD to compile the list. Agency heads could supply the AGD with a list of provisions in legislation they administer that require or authorise the handling of personal information.

16.101 In DP 72, the ALRC asked whether a list should be compiled of laws that require or authorise acts or practices in relation to personal information that would otherwise be regulated by the Privacy Act. The ALRC also asked whether such a list should have the force of law, whether it should be comprehensive or indicative and what body should be responsible for compiling and updating the list.[135]

Submissions and consultations

16.102 There was a range of views concerning this proposal. Some stakeholders expressed support for a comprehensive list;[136] and some supported a list which had the force of law.[137] For example, GE Money expressed the view that a list that was not comprehensive, or that did not have the force of law, would not provide certainty and may in fact cause further confusion.[138] PIAC argued that:

compilation and maintenance of a comprehensive list of laws that require or authorise acts or practices that would otherwise be regulated by the Privacy Act would provide greater clarity.[139]

16.103 PIAC also argued that compiling the list would provide a useful opportunity to review such laws to ensure they are consistent with recommended amendments to the Privacy Act.

16.104 The majority of stakeholders, however, argued that, if a list were to be developed, it should be indicative.[140] The ABA argued that omission from the list should not mean that a particular law cannot be relied upon to satisfy the exemption.[141] The Australian Privacy Foundation supported an indicative list, on the basis that it was impracticable to compile and maintain an exhaustive list.[142]

16.105 Some stakeholders suggested that the list should be maintained by the OPC.[143] The NHMRC submitted that it should be maintained by the AGD.[144]

16.106 Other stakeholders, notably the OPC, disputed the merits of maintaining such a list at all. While acknowledging that it proposed the development of a consolidated digest of all relevant legislative provisions, the OPC stated that, upon further reflection, it was not convinced of the merits of the proposal.

In particular, the Office believes that the likely benefits of such a digest of laws may not justify the resources required to develop and maintain it. Accordingly, the Office would not seek to have primary responsibility for such a digest if it were adopted.[145]

16.107 The OVPC shared the view that the compilation of a list would be impractical.[146] A number of stakeholders—even some that supported the development of a comprehensive list—acknowledged that the compilation and continued updating of such a list would require significant resources.[147] Others noted that the expenditure of public resources for this purpose was not warranted.[148]

16.108 The Government of South Australia pointed out that it was already lawful for the OPC to publish educational material about principles, which could offer examples of disclosures authorised by law.[149]

ALRC’s view

16.109 The benefits of creating a comprehensive or binding digest of relevant laws are unlikely to justify the resources required to develop and maintain it. The OPC already provides examples of particular statutes which require the use or disclosure of information in the context of NPP 2.1(g).[150] Providing a list of examples of legislation would assist in providing greater clarity and facilitating compliance. The ALRC agrees that it should be made clear that omission from the list does not mean that a particular law cannot be relied upon for the purpose of the required or authorised by or under law exception.

Recommendation 16-2 The Office of the Privacy Commissioner should develop and publish guidance to clarify when an act or practice will be required or authorised by or under law. This guidance should include:

(a) a list of examples of laws that require or authorise acts or practices in relation to personal information that would otherwise be regulated by the Privacy Act; and

(b) a note to the effect that the list is intended to be a guide only and that omission from the list does not mean that a particular law cannot be relied upon for the purposes of a ‘required or authorised by or under law’ exception in the model Unified Privacy Principles.

[1] Privacy Act 1988 (Cth) s 14, IPPs 5.2, 6, 10.1(c), 11.1(d); sch 3, NPPs 2.1(g), 6.1(h) and 10.2(b)(i).

[2] See, eg, Ibid ss 6D(7)(b), 18L.

[3] In Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), the ‘Notification’ principle was referred to as the ‘Specific Notification’ principle—the name of the principle has now changed: see Ch 23. The ‘Data Security’ principle and the ‘Cross-border Data Flows’ principle now include a ‘required or authorised by law’ exception. It was not proposed in DP 72 to include the exception in these principles.

[4] See also Principle 9 in the Health Records (Privacy and Access) Act 1997 (ACT) which provides for an exception to the use of personal health information if the use is required or authorised by a law of the ACT, a law of the Commonwealth, or an order of a court of competent jurisdiction. Similarly, Health Privacy Principle 2 (Use and Disclosure) of the Health Records Act 2001 (Vic) provides an exception for uses and disclosures that are ‘required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law)’.

[5] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994), 21. See also Re VBN and Australian Prudential Regulation Authority (2006) 92 ALD 475, [38].

[6] See, eg, Chamberlain v Banks (1985) 7 FCR 598, [14] (Administrative Decisions (Judicial Review) Act 1977 (Cth) s 5(1)(b)); Department of Premier & Cabinet v Hulls [1999] 3 VR 331, [31] (Freedom of Information Act 1982 (Vic) s 50(4)).

[7] Department of Premier and Cabinet v Hulls [1999] 3 VR 331, [358].

[8] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 139.

[9] Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001), 2.

[10] Ibid, 2.

[11] Rahman v Ashpole [2007] FCA 1067.

[12] Ibid, [19].

[13] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 42.

[14] Skase and Minister for Immigration and Multicultural and Indigenous Affairs [2005] AATA 200, [34]–[35]. See also Le and Secretary, Department of Education, Science and Training (2006) 90 ALD 83, [37] and VBN v Australian Prudential Regulation Authority (2006) 92 ALD 475, [38].

[15] Office of the Victorian Privacy Commissioner, Guidelines to the Information Privacy Principles (2nd ed, 2006), [2:118]. The Guidelines refer to a decision of the Victorian Court of Appeal in Department of Premier and Cabinet v Hulls [1999] 3 VR 331, [358], referred to above.

[16] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 42.

[17] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [358].

[18] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 43.

[19] Ibid, 42–3.

[20] Private Health Insurance Act 2007 (Cth) s 250-10.

[21] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 43.

[22] Skase and Minister for Immigration and Multicultural and Indigenous Affairs [2005] AATA 200, [34]–[35]. See also Le and Secretary, Department of Education, Science and Training (2006) 90 ALD 83, [37] and VBN v Australian Prudential Regulation Authority (2006) 92 ALD 475, [38].

[23] Caratti v Federal Commissioner of Taxation (Cth) (1999) 99 ATC 5044.

[24] Ibid, [27]. Note that the Act referred to by French J is the Income Tax Assessment Act 1936 (Cth).

[25] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41 (IPP 2.1(g)) and 51 (IPP 6.1(h)).

[26] Fletcher v EEBME Pty Ltd (2007) 213 FLR 1, [31].

[27] Ibid, [31].

[28] Office of the Victorian Privacy Commissioner, Guidelines to the Information Privacy Principles (2nd ed, 2006), [2:120].

[29] Scott v Enfield City (1982) 49 LGRA 301, 305.

[30] R v Tkacz [2001] 25 WAR 77, [23]–[26].

[31] Re VBN and Australian Prudential Regulation Authority (2006) 92 ALD 475, [39].

[32] Re An Application by the NSW Bar Association [2004] FMCA 52, [5]–[6].

[33] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41.

[34] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 40.

[35] The OPC notes, however, that if the Privacy Act would prohibit the disclosure, were it not for parliamentary privilege, it may be appropriate for the agency to approach its minister with any concerns it has about disclosing the personal information: Ibid.

[36] These requests will only fall within the exceptions in IPP 10.1(c) or 11.1(d) if there is a Commonwealth law that requires or authorises the agency to provide personal information in those circumstances. Similarly, treaty obligations only fall within these exceptions if there is a Commonwealth law that enacts the obligation: Ibid, 41.

[37] Ibid, 41.

[38] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General), 15751–2.

[39] Director General Department of Education and Training v MT [2005] NSWADTAP 77, [83].

[40] Grant v Marshall [2003] FCA 1161, [4].

[41] HW v Commissioner of Police [2003] NSWADT 214, [63]–[64].

[42] Royal Women’s Hospital v Medical Practitioners Board of Victoria (2006) 15 VR 22, [132]–[134].

[43] Privacy NSW, Submission to the New South Wales Attorney General’s Department Review of the Privacy and Personal Information Protection Act 1998, 24 June 2004, 88.

[44] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [13.29].

[45] D Pearce and S Argument, Delegated Legislation in Australia (3rd ed, 2005), 17, 18, 87.

[46] Ibid, 17, 18, 87. In Victoria, for example, while s 15 of the Subordinate Legislation Act 1994 (Vic) requires that a copy of every statutory rule be laid before each House of Parliament within six sitting days of the making of the statutory rule having been notified, s 15 expressly provides that failure to comply with the tabling requirement does not affect the operation or effect of a statutory rule.

[47] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [13.34].

[48] New South Wales v Commonwealth (1923) 33 CLR 1, 27, 55, cited in S Ratnapala and others, Australian Constitutional Law: Commentary and Cases (2007), 322.

[49] S Ratnapala and others, Australian Constitutional Law: Commentary and Cases (2007), 322, discussing Metal Trades Industry Association v Amalgamated Metal Workers’ and Shipwrights Union (1983) 152 CLR 632, 648–649.

[50] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 13–1.

[51] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [21.56].

[52] Ibid, [21.56].

[53] Oates v Williams (1998) 84 FCR 348, 353.

[54] Attorney-General of the Commonwealth v Oates (1999) 198 CLR 162, 169.

[55] S Ratnapala and others, Australian Constitutional Law: Commentary and Cases (2007), 322. Other provisions of the Australian Constitution referred to by way of comparison include ss 76(ii) and 120.

[56] J Carter and D Harland, Contract Law in Australia (3rd ed, 1996), 530.

[57] Ibid, 519.

[58] Tournier v National Provincial & Union Bank of England [1924] 1 KB 461.

[59] Furniss v Fitchett [1958] NZLR 396.

[60] Lawbook Co, Laws of Australia, vol 20 Health and Guardianship, [20.7.4] (as at 1 April 2008).

[61] Johns v Australian Securities Commission (1993) 178 CLR 408, cited in Lawbook Co, Laws of Australia, vol 21 Human Rights, [21.4.125] (as at 1 April 2008).

[62] Tournier v National Provincial & Union Bank of England [1924] 1 KB 461.

[63] As noted above, the Appeal Panel of the NSW Administrative Appeals Tribunal (ADT) has held that a school’s common law duty to warn falls within the scope of the expression ‘any other law’ in s 25 of the Privacy and Personal Information Protection Act 1988 (NSW): MT v Director General, NSW Department of Education & Training [2004] NSWADT 194, [83].

[64] R Balkin and J Davis, Law of Torts (3rd ed, 2004), 218, [7.2.1], citing Geyer v Downs (1977) 138 CLR 91; Commonwealth v Introvigne (1982) 150 CLR 258.

[65] Commonwealth v Introvigne (1982) 150 CLR 258, cited in Lawbook Co, Laws of Australia, vol 33 Torts, [33.2.980] (as at 1 April 2008).

[66] Commonwealth v Introvigne (1982) 150 CLR 258, cited in Lawbook Co, Laws of Australia, vol 33 Torts, [33.2.990] (as at 1 April 2008).

[67] See, eg, Kioa v West (1985) 159 CLR 550; Haoucher v Minister for Immigration and Ethnic Affairs (1990) 169 CLR 648; Annetts v McCann (1990) 170 CLR 596; Ainsworth v Criminal Justice Commission (1992) 175 CLR 564; Johns v Australian Securities Commission (1993) 178 CLR 408.

[68] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 41.

[69] Skase and Minister for Immigration and Multicultural and Indigenous Affairs [2005] AATA 200.

[70] Ibid, [51]–[52].

[71] KD v Registrar, NSW Medical Board (Unreported, A Britton, 13 January 2004).

[72] Ibid, [33]–[41]. The ADT did not specify which limb of s 25 it relied on in reaching this view.

[73] Ibid, [39]–[43].

[74] Ibid, [34], citing Brennan J in Kioa v West (1985) 159 CLR 550, 629.

[75] Complainant AG v Local Council [2007] VPrivCmr 2.

[76] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 13–1.

[77] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[78] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[79] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[80] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[81] Ibid. See also National Australia Bank, Submission PR 408, 7 December 2007.

[82] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008. What the ABA means by the term ‘absolute’ is that the duty would not be subject to exceptions.

[83] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[84] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[85] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.

[86] National Legal Aid, Submission PR 521, 21 December 2007.

[87] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[88] Breen v Williams (1996) 186 CLR 71.

[89] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[90] Ibid.

[91] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[92] Ibid.

[93] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41.

[94] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 41.

[95] See, eg, Evidence Act 1995 (Cth) s 3, Dictionary: cl 9, Part 2; Fringe Benefits Tax Assessment Act 1986 (Cth) s 136(1); Human Rights and Equal Opportunity Act 1986 (Cth) s 3(1).

[96] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [21.56].

[97] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[98] European Union Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000, 5095/00/EN WP40 Final (2001), 4.

[99] Minister for the Environment & Heritage v Greentree (No 2) [2004] FCA 741.

[100] Ibid, [153].

[101] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [13.47].

[102] The name of the ‘Specific Notification’ principle has now changed to the ‘Notification’ principle: see Ch 23.

[103] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 19–2.

[104] See Ibid, Ch 20.

[105] Ibid, Question 22–1. The ALRC also proposed the use of the term in the range of defences to the proposed statutory cause of action for invasion of privacy: Ibid, Proposal 5–5. The ALRC no longer recommends the use of this term in this context: see Ch 74.

[106] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[107] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[108] Privacy NSW, Submission PR 468, 14 December 2007.

[109] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[110] This is discussed in detail in Ch 22.

[111] Australian Taxation Office, Submission PR 515, 21 December 2007.

[112] Ibid.

[113] Ibid.

[114] Ibid.

[115] Australian Federal Police, Submission PR 545, 24 December 2007.

[116] Medicare Australia, Submission PR 534, 21 December 2007.

[117] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; National Australia Bank, Submission PR 408, 7 December 2007.

[118] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[119] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[120] Australian Finance Conference, Submission PR 398, 7 December 2007.

[121] Australian Federal Police, Submission PR 545, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007. This is discussed in detail in Ch 19.

[122] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[123] See, eg, Caratti v Federal Commissioner of Taxation (Cth) (1999) 99 ATC 5044, [27].

[124] Fletcher v EEBME Pty Ltd (2007) 213 FLR 1, [31].

[125] Rec 47–4.

[126] See Ch 47.

[127] See, eg, Australian Passports Act 2005 (Cth) s 42; Building and Construction Industry Improvement Act 2005 (Cth) s 65; Military Rehabilitation and Compensation Act 2004 (Cth) s 409; A New Tax System (Bonuses for Older Australians) Act 1999 (Cth) s 3A; Telecommunications Act 1997 (Cth) s 303B; Wheat Marketing Act 1989 (Cth) s 59; Veterans’ Entitlements Act 1986 (Cth) s 38AA; Migration Act 1958 (Cth) ss 321, 336FB.

[128] See, eg, Snowy Hydro Corporatisation Act 1997 (Cth) s 56; Wheat Marketing Act 1989 (Cth) s 59.

[129] See also Customs Act 1901 (Cth) ss 64ACA, 64ACB, 64AF, 273GAB.

[130] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[131] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[132] Ibid; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[133] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007. See also Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[134] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[135] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 13–2.

[136] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[137] GE Money Australia, Submission PR 537, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007.

[138] GE Money Australia, Submission PR 537, 21 December 2007.

[139] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[140] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Taxation Office, Submission PR 515, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[141] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[142] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[143] Ibid; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[144] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[145] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[146] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. See also Australian Taxation Office, Submission PR 515, 21 December 2007.

[147] GE Money Australia, Submission PR 537, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[148] Government of South Australia, Submission PR 565, 29 January 2008; Queensland Government, Submission PR 490, 19 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[149] Government of South Australia, Submission PR 565, 29 January 2008.

[150] Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001), 2 (NPP 2.1(g)).