Background

Role of consent in the privacy principles

19.3 As stated above, consent is only relevant to the application of some privacy principles. Consent is either framed as an exception to a general prohibition against personal information being handled in a particular way or as a basis to authorise the handling of personal information in a particular way. Significantly, in each case, consent is not the only exception to a stated prohibition, nor the only basis for permitting the handling of personal information in a particular way.

19.4 The Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) do not require that an individual give his or her consent to the collection of that individual’s personal information. There is, however, a general prohibition against an organisation collecting sensitive information about an individual. One of the exceptions to that prohibition is where the individual has given consent.[1]

19.5 There is a general prohibition against an organisation using or disclosing personal information about an individual for a purpose other than the primary purpose of collection. One of the exceptions to that prohibition is where an individual has given consent to the use or disclosure.[2]

19.6 Similarly, there is a general prohibition against an agency using information obtained for a particular purpose for any other purpose.[3] One of the exceptions to that prohibition is where the individual concerned has consented to the use of the information for that other purpose.[4] Further, the general prohibition against an agency’s ability to disclose personal information does not apply where the individual has consented to the disclosure.[5]

19.7 An organisation is only authorised to transfer an individual’s personal information to a foreign country in defined circumstances.[6] One of those circumstances is where the individual consents to the transfer.[7]

Meaning and elements of consent

19.8 The term ‘consent’ is defined in the Privacy Act to mean ‘express consent or implied consent’,[8] but remains otherwise undefined. The Macquarie Dictionary defines ‘consent’ as being ‘to give assent; agree; comply or yield’.[9]

19.9 The concept of consent arises in many different contexts. The Privacy Act does not affect the general law applicable to consent. The requisite elements of consent must be met, therefore, including voluntariness; and capacity to understand, provide and communicate.[10]

19.10 Whether consent is voluntary depends on whether an individual has a clear option not to consent. Relevant to this assessment is whether receiving the option not to consent, and withholding consent itself, involves no financial cost to, and little effort from, the individual.[11] A further relevant consideration is whether an individual’s option to consent to one purpose is freely available and not bundled with other purposes.[12]

19.11 The need for consent to be voluntary and informed in information privacy contexts has been emphasised in a number of existing guidelines,[13] international instruments,[14] regional models,[15] and overseas legislation.[16] The OPC has generally explained the concept of consent as follows:

Consent means voluntary agreement to some act, practice or purpose. It has two elements: knowledge of the matter agreed to, and voluntary agreement. Consent can be express or implied. Express consent is given explicitly, either orally or in writing. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. Consent is invalid if there is extreme pressure or coercion.

Only a competent individual can give consent although an organisation can ordinarily assume capacity unless there is something to alert it otherwise. Competence means that individuals are capable of understanding issues based on reasoned judgements and communicating their decisions. The general law about competence and incapacity will apply to the issue of consent.[17]

19.12 The OPC’s Guidelines on Privacy in the Private Health Sector[18] (the Health Guidelines) explain the key elements of consent as follows:

Consent must be voluntary—the individual must have a genuine opportunity to provide or withhold consent; that is, they must be able to say ‘yes’ or ‘no’ without extreme pressure which would equate to an overpowering of will.

Consent must be informed—the individual must know what it is they are agreeing to. In other words, the individual needs to be aware of the implications of providing or withholding consent, having received the information in a way meaningful to them and appropriate in the circumstances.

The individual must have the capacity to provide consent—the individual must be capable of understanding the issues relating to the decision, forming a view based on reasoned judgment and communicating their decision.[19]

19.13 The National Statement on Ethical Conduct in Human Research (National Statement) provides guidance concerning consent to participate in research, and states, in part, that:

The requirement [for consent] has the following conditions: consent should be a voluntary choice, and should be based on sufficient understanding and adequate understanding of both the proposed research and the implications of participation in it …

The process of communicating information to participants and seeking their consent should not be merely a matter of satisfying a formal requirement. The aim is mutual understanding between researchers and participants …

No person should be subject to coercion or pressure in deciding whether to participate.[20]

19.14 The European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data (EU Directive) defines ‘the data subject’s consent’ as ‘any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him to be processed’.[21]

19.15 The draft Asia-Pacific Privacy Charter provides that consent should be ‘freely-given, informed, variable and revocable’. It states that consent is ‘meaningless if people are not given full information, or have no option but to consent in order to obtain a benefit or service’.[22]

19.16 What is required to demonstrate that consent has been obtained from an individual remains a live issue in privacy regulation. Specific requirements are often highly dependent on the context in which the personal information is collected, used or disclosed, including how the consent is sought, and the characteristics of the individual from whom consent is sought. For example, the National Statement states:

Consent may be expressed orally, in writing or by some other means (for example, return of a survey or conduct implying consent) depending on:

(a) the nature, complexity and level of risk of the research; and

(b) the participant’s personal and cultural circumstances.[23]

19.17 In the context of giving guidance in relation to the use and disclosure of personal information for a purpose other than the primary purpose of collection, the OPC has stated:

It may be possible to infer consent from the individual’s failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up. If the organisation’s use or disclosure has serious consequences for the individual, the organisation would have to be able to show that the individual could have been expected to understand what was going to happen to information about them and gave their consent. In such situations it would ordinarily be more appropriate for the organisation to seek express consent.[24]

19.18 The OPC has issued a number of ‘tips for compliance’ in relation to establishing consent, including:

An organisation would have the most difficulty establishing consent to a use or disclosure where it wishes to rely on a failure to object to a use or disclosure to imply consent …

An organisation will be in an increasingly better position to establish that the individual consented the more it can satisfy the following points:

  • it is likely that the individual received and read the information about the use or disclosure;

  • the chance to opt out of the offer is clearly stated and likely to be understood by the individual and the individual is likely to be aware of the implications of not opting out;

  • the opting in or opting out is freely available and not bundled with other purposes;

  • receiving the chance to opt out involves no financial cost to, and little effort from, the individual;

  • opting out involves little effort from, and no or virtually no cost to the individual;

  • the consequences of failing to opt out are harmless;

  • if the individual opts out later, the individual is fully restored, where possible and appropriate, to the circumstances they would have been in if they had opted out earlier.[25]

19.19 The Health Guidelines note that there are situations where health service providers reasonably may rely on implied consent from individuals to handle health information in particular ways. The following example is given:

If a medical practitioner collects a specimen to send to a pathology laboratory for testing, it would be reasonable to consider that the individual is giving implied consent to the passing of necessary information to that laboratory.[26]

19.20 The Health Guidelines provide also that where consent is required to collect and use personal information for public health purposes, such as those concerning the establishment and maintenance of a disease register, it may sometimes be appropriate to give individuals the opportunity to opt out of being included on the register. They provide that such an approach only would be appropriate ‘where individuals are clearly informed about the option to opt out and it is prominently presented and easy to adopt’.[27]

19.21 In exploring the general meaning of consent in privacy law, it is useful also to refer to other jurisdictions. Most comparable foreign jurisdictions do not provide a detailed statutory definition of consent in their privacy legislation. For example, consent is not defined in the Data Protection Act 1998 (UK).

19.22 There are, however, some examples of comparatively detailed statutory provisions regulating consent. Italian information privacy law contains a provision called ‘consent’ that states:

1. Processing of personal data by private entities or profit-seeking public bodies shall only be allowed if the data subject gives his/her express consent.

2. The data subject’s consent may refer either to the process as a whole or to one or more of the operations thereof.

3. The data subject’s consent shall only be deemed to be effective if it is given freely and specifically with regard to a clearly identified processing operation, if it is documented in writing, and if the data subject has been provided with the information referred to in Section 13.

4. Consent shall be given in writing if the processing concerns sensitive data.[28]

19.23 German privacy legislation requires that consent be based on a ‘free decision of the data subject’; that it be in writing except where special circumstances render some other form appropriate; and that the consent refer expressly to the collection, process or use of ‘special categories of personal data’.[29]

19.24 The Model Code for the Protection of Personal Information, which is set out in Canada’s Personal Information Protection and Electronic Documents Act 2000 (PIPED Act), states that, in obtaining consent, the reasonable expectations of the individual are relevant. The Model Code also states that organisations generally should seek express consent when the information is likely to be considered sensitive, and that implied consent generally would be appropriate when the information is less sensitive.[30]

Bundled consent

19.25 Bundled consent refers to the practice of an agency or organisation ‘bundling’ together, or consolidating, multiple requests for an individual’s consent to a wide range of uses and disclosures of personal information, without giving the individual the option of selecting to which uses and disclosures he or she agrees. Bundled consent is often sought as part of the terms and conditions of a product or service.[31]

19.26 Submissions from consumer groups to the OPC’s review of the private sector provisions of the Privacy Act (OPC Review) were highly critical of the practice, stating, for example, that it undermines the requirement that consent be meaningful, informed and freely given.[32] Similar sentiments were expressed to the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry). For example, one stakeholder stated that it was difficult for individuals to give free and informed consent when presented only with broad or vague statements concerning possible use and disclosure, or when told that services would not be provided in the absence of consent.[33]

19.27 On the other hand, there may be circumstances in which organisations legitimately seek bundled consent from consumers. The business sector, and particularly the finance and telecommunications industries, emphasised to the OPC Review and the Senate Committee privacy inquiry the need to seek bundled consent in order to achieve business efficiency and reduce costs to the consumer. For example, telecommunications organisations submitted that to obtain consent for each specific use of an individual’s personal information would significantly increase the complexity and costs of compliance. These costs, they argued, would inevitably be passed on to the consumer.[34]

19.28 The finance industry emphasised that seeking a single consent for multiple uses of information—for example, in an application for finance—was necessary to ensure that the information could be used not only to process the application, but to manage the account, administer insurance claims, recover money owed and maintain the value of the asset.[35] In 2005, the OPC stated that it would develop guidelines on bundled consent.[36]

Submissions and consultations

Meaning of consent

19.29 In Discussion Paper 72, Review of Australian Privacy Law (DP 72), the ALRC canvassed a number of options for reform to clarify the meaning of consent as it applies to the privacy principles. These options included:

  • amending the Privacy Act to set out:

– in detail what is required to obtain the requisite consent in the many contexts in which it may be sought under the Act, and with greater precision, the factors that should be taken into account in obtaining an individual’s consent;

  • requiring the OPC to provide more guidance on what constitutes consent for the purposes of the privacy principles in various contexts; or

  • combining elements of the above approaches.[37]

19.30 The ALRC formed the preliminary view that consent should be dealt with through further OPC guidance about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act. The ALRC proposed that this guidance should cover consent as it applies in various contexts, and should include advice on when it is and is not appropriate to use the mechanism of bundled consent.[38]

19.31 Most stakeholders supported the ALRC’s proposal.[39] A number of stakeholders expressed the view that the provision of guidance was preferable to amending the statutory definition of consent.[40] For example, the Federation of Community Legal Centres (FCLC) submitted that:

Due to the complexity of the issues, the proposal that the OPC provide further guidance to agencies and organisations about what is required to obtain an individual’s consent is probably the most realistic of the … options suggested.[41]

19.32 The OPC submitted that it would not support approaches to amend the current definition of consent or to set out consent requirements for a given sector in legislative provisions.

These options risk introducing greater complexity into privacy regulation without having demonstrated a deficiency in the current consent framework. Accordingly, the [OPC] suggests that guidance material is the best approach to reducing uncertainty on consent requirements.[42]

19.33 Stakeholders emphasised the value of guidelines in clarifying legislation, enhancing compliance, promoting consistent implementation, increasing public awareness, and maintaining flexibility.[43] The FCLC, however, pointed out that

a significant weakness of the ‘guidance’ approach is that by definition, it does not require organisations and agencies to behave in the manner suggested, and cannot specify that there will be legal consequences if they do not adequately consider whether consent has genuinely been obtained. Instead, it is left to the courts to develop the law. This approach therefore risks simply retaining the burden of upholding privacy rights on aggrieved parties, often those least likely to make a complaint.[44]

19.34 Stakeholders emphasised the importance of the guidance being developed in consultation with relevant bodies, including state and territory privacy commissioners,[45] marginalised communities and their advocates,[46] various industry sectors,[47] agencies and organisations.[48] For example, the OPC suggested that it consult with agencies, organisations and other stakeholders to determine the need for, and content of, guidance material relating to consent in various contexts.[49]

19.35 Stakeholders expressed views about the content of the OPC’s guidance. There was support for the guidance to address the:

  • age at which consent can be given;[50]

  • issues relating to consent for vulnerable populations in a service delivery context, especially as it applies to dealings in sensitive information;[51] and

  • essential elements of consent: namely that consent be voluntary, informed, specific and current, and that the individual concerned has capacity to consent.[52]

19.36 The National Health and Medical Research Council, however, submitted that it was imperative that the capacity to obtain extended and unspecified consents for research purposes, as described in the National Statement on Ethical Conduct in Human Research,[53] is retained.[54]

19.37 The FCLC noted the elements of consent identified by the ALRC in DP 72, namely, the context in which consent is sought; and whether the consent is informed, voluntary and freely available. It submitted that:

These factors are often intertwined and are all underpinned by social disadvantage …

We would add to these considerations a further emphasis that the factors to be assessed may not be simply personal to individuals; rather they also arise from people’s membership of communities which are structurally disadvantaged. For example, a young Sudanese man whose experience of officialdom is limited to over-policing is unlikely to have confidence that if he is requested to provide data he can legitimately refuse. However, his response may be wrongly interpreted as simple personal passivity.[55]

19.38 Microsoft Asia Pacific submitted that the OPC’s guidance on consent should include a ‘tiered consent model’. It stated:

A tiered consent model seeks to tie the minimum permissible level of consent that a regulated entity must obtain to the risk inherent in the proposed activity involving an individual’s personal information. For example, the privacy risk associated with the collection, use or disclosure of sensitive information is quite high, so regulated entities should be required to obtain explicit, opt-in consent from individuals.

Where the privacy risk is lower, for example, where an organisation proposes to use or disclose non-sensitive personal information for a secondary purpose, regulated entities should be able to obtain consent by offering individuals a meaningful opportunity to opt-out of the proposed use or disclosure. Finally, where the privacy risk is lowest, it should be sufficient for a regulated entity to obtain implied consent from the data subject based on the organisation’s notification of the proposed dealing and the data subject’s subsequent conduct.[56]

19.39 A smaller number of stakeholders, however, submitted that proposing further OPC guidance on consent was not enough, and that the Privacy Act should be amended to include a more detailed definition of consent.[57] Some stakeholders submitted that the definition should set out a non-exhaustive list of factors to be taken into account in determining whether a person’s consent has been obtained.[58]

19.40 The Public Interest Advocacy Centre (PIAC) submitted that:

Unless the issue of consent is clearly understood and consistently applied, the privacy principles stand on fragile foundations. There clearly needs to be greater clarity as to the meaning of consent in the Privacy Act. Rather than hiving off this problem to the OPC to deal with in yet more guidelines, the ALRC should recommend that the definition of ‘consent’ in the Privacy Act should be amended to set out with greater precision what factors need to be taken into account in obtaining a person’s consent or determining whether or not consent has been given …

PIAC agrees that consent will inevitably depend on context and that what is required to obtain consent in one situation may be different to what is required in another situation. However, it is possible to distil some core elements of consent, and these should be enshrined in legislation.[59]

19.41 Both Cyberspace Law and Policy Centre and the Australian Privacy Foundation submitted that the definition of consent should be amended to deal with a number of key issues concerning consent, including to prevent the abuse of bundled consent. They each expressed the view that the Privacy Act, or the explanatory memorandum, should provide that:

  • implied consent must be clear and unambiguous;

  • a mere failure to opt out cannot be regarded as consent, even where the opt out is clearly and prominently displayed, contrary to the OPC’s guidance on this issue; and

  • where a person has no choice but to provide information in order to obtain a benefit, no consent to any uses of that information beyond the express purpose of collection may be implied.[60]

Bundled consent

19.42 In response to IP 31, a large number of stakeholders expressed concern about the use of bundled consent. They noted that this requires individuals to adopt an all or nothing approach—that is, they are unable to specify what particular uses or disclosures are, and are not, acceptable to them.[61] One example given was of a real estate agent said to use a single form to request a prospective tenant’s consent to the disclosure of personal information to the media, the landlord, residential tenancy databases and the local real estate industry body, even though each of these entities would use the information differently, and for different purposes.[62]

19.43 Stakeholders expressed particular concerns about circumstances in which a failure to provide consent leads to an agency or organisation withholding access to goods or services.[63] Some stakeholders observed, however, that sometimes an agency or organisation needs to use or disclose an individual’s personal information to enable it to provide a particular service, and that in such circumstances it should be permitted to withhold the service unless consent is provided.[64]

19.44 The OPC submitted that

where an agency or organisation wants to use information for a purpose other than [the purpose] for which it was collected, then the individual’s consent should be sought for the extended use of that information but it should not be made a condition of the original service.[65]

19.45 Some stakeholders submitted that bundling consent is necessary for practical reasons. These include:

  • where an agency or organisation has multiple interactions with an individual client, and must therefore handle the individual’s personal information many times;[66]

  • where an organisation has a large number of clients, it can be ‘impractical and unworkable’ to allow customers to negotiate terms on an individual basis;[67] and

  • sometimes there is a practical necessity to outsource parts of a business, which leads to a greater number of entities handling an individual’s personal information.[68]

19.46 Some stakeholders submitted that this area of the law needs to be clarified,[69] and a number expressed support for OPC guidance on how and when to seek bundled consent.[70]

Discussion Paper proposal

19.47 As noted above, in DP 72, the ALRC proposed that the OPC provide further guidance on consent, including when it is and is not appropriate to use the mechanism of ‘bundled consent’.[71] The ALRC’s approach acknowledged that there may be circumstances where the use of bundled consent may be legitimate, and others where it will not.

19.48 This approach received general support.[72] Some stakeholders welcomed the opportunity to participate in developing guidance in consultation with the OPC in relation to the use of bundled consent in their particular industries.[73] Others submitted that the OPC should engage with various industry sectors and other stakeholders, including state and territory privacy commissioners, in formulating such guidance.[74] The OPC noted that it is currently producing guidance material on bundled consent pursuant to the recommendation made in the OPC Review.[75]

19.49 Some stakeholders emphasised the benefits of bundled consent, including in terms of efficiency and practicality, especially for small business.[76] They submitted that prohibiting bundled consent would give rise to significant system issues and compliance costs. Contacting customers to seek separate consents would be expensive and result in costly information technology systems changes.[77]

19.50 Many stakeholders supported the proposed guidance validating the use of bundled consent in appropriate situations. For example, the Department of Defence submitted that the OPC’s guidance should allow bundled consent to enable identity-related services to be provided to Defence personnel. It submitted that bundled consent

is also required to enable appropriate audit, management, control and protection measures to be adopted for identity related information, especially when IT-management ‘best practice’ regularly changes with the emergence of new technology to perform basic data management functions, such as backup and restore.[78]

19.51 Stakeholders from the financial services industry supported the use of bundled consent in that industry on the basis that it was legitimate, in accordance with feedback from customers that they do not want to be contacted for their consent for each component of a service, and necessary in order to reduce costs to the consumer and achieve business efficiency.[79] The Financial Planning Association submitted that:

Typically in financial advice and product supply there exists a chain of relationships that would require complex and onerous consent arrangements if bundled consent is not permitted. This would not be in the interests of the end client and we suggest that appropriate guidance be provided to enable this type of scenario to be maintained.[80]

19.52 GE Money submitted that:

A financial service provider taking information in an application from an individual may need to use that information to assess the application for credit, open an account, provide credit funds to the individual, maintain the account, and transact the account in accordance with the instructions of the customer on an ongoing basis …

In many instances there will be no way in which the service provider can ‘unbundle’ the consent and still provide the product. Organisations may very genuinely not be able to exclude a particular use of information and still provide the product.[81]

19.53 Stakeholders from the telecommunications industry also supported the use of bundled consent.[82] AAPT opposed any change that would imply that bundled consent in contracts or Standard Form Agreements in the telecommunications industry may not be appropriate.

The concept of Standard Form of Agreements is well known in industries where there are mass customers, and the ability for mass or residential customers to individually negotiate on these terms, particularly in relation to specific section of the Standard Form of Agreement is simply impractical and unworkable.[83]

19.54 Other stakeholders noted when bundled consent would be inappropriate. For example, Anglicare Tasmania, in supporting the proposal for guidance, submitted that:

Real estate agents should not use bundled consent for any matter not directly related to processing the application [for lease] (which would include confirming the applicant’s identity and conducting reasonable reference checks) and managing any resulting tenancy (which would include provision of the tenant’s contact details to trades people conducting essential repairs and maintenance and contacting the tenant about inspection times and dates or changes to the lease).[84]

19.55 A minority of stakeholders were of the view that the ALRC’s proposal concerning guidance was insufficient. Some opposed the practice of bundled consent in any circumstances. Liberty Victoria submitted that:

Under no circumstances is bundled consent adequate. Private information belongs to the individual. Use of their information requires that consent be informed, be voluntary, be freely available and not bundled with other purposes. Bundling not only undermines the voluntariness of consent but the right to privacy generally.[85]

19.56 Privacy advocates submitted that the definition of consent needs to be amended to prevent abuse of the practice of bundled consent and that, in particular, ‘wherever consent is applicable to the operation of a privacy principle, separate consent should be required for each proposed purpose of use’.[86] PIAC submitted that bundled consent should be prohibited or subject to strict limitations.[87]

19.57 The Australian Digital Alliance expressed reservations about the likelihood of OPC guidance stopping organisations from using bundled consent in inappropriate circumstances. It noted that:

Consumers are very often subject to ‘bundled consents’ in relation to Digital Rights Management (DRM). Products containing DRM technology often require a consumer to click ‘I agree’ to all the terms and conditions, which include privacy provisions. These provisions can involve giving consent to collection of a broad range of personal information, and use of the consumer’s information in a wide range of ways, including permission to pass information on to third parties. In many cases there is little justification (other than profiling or marketing) for the organisation to be collecting this personal information.[88]

ALRC’s view

Meaning of ‘consent’

19.58 The most appropriate way to clarify the meaning of consent, as it applies to the privacy principles, is for the OPC to provide further guidance in this regard. The guidance should address the factors to be taken into account by agencies and organisations in assessing whether consent has been obtained.

19.59 There is a pressing need for contextual guidance on consent. What is required to demonstrate that consent has been obtained is often highly dependent on the context in which personal information is collected, used and disclosed. The ALRC, therefore, recommends that the OPC’s guidance should cover express and implied consent as it applies in various contexts, such as those that arise in transactions concerning financial services, credit reporting, telecommunications, health services and research, and service delivery. The guidance could address, for example, circumstances in which reliance on express consent is preferable to reliance on implied consent.

19.60 While some factors that are relevant in assessing whether consent has been obtained will likely remain constant in all contexts—for example, the requirements that consent be voluntary, informed and given by an individual with capacity to understand—there may need to be flexibility in the treatment of other factors. For example, in some contexts it will be appropriate for consent to be obtained in relation to a specific collection, use, disclosure or cross-border transfer; whereas for research purposes, it may be legitimate for an informed individual to be able to give extended and unspecified consent, as described in the National Statement.[89]

19.61 Amending the Privacy Act to set out in detail what is required to obtain the requisite consent in the many contexts in which it may be sought is problematic. This approach would require a very large number of prescriptive rules that attempt to cover the wide variety of situations in which an agency or organisation may seek consent to deal with an individual’s personal information. Such an approach would be inconsistent with the ALRC’s view that a principles-based approach should continue to be at the heart of the Privacy Act.[90] Moreover, such an approach would be doomed to fail because it would be very difficult, if not impossible, to cover every relevant context.

19.62 The merits of amending the definition of consent in the Privacy Act to include, for example, the elements of consent, are also questionable. The concept of consent is not peculiar to privacy law. The common law has an important role to play in determining the elements of consent. A statutory definition is unable to capture nuances in the evolution of the common law and may have unintended consequences. The definition may be interpreted too restrictively, creating an undesirable restriction on the flow of information. Significantly, it tends to be civil law jurisdictions that possess a detailed statutory definition of consent. In these jurisdictions, such a process of codification may be more desirable, given that there is less scope to develop the law through the process of statutory interpretation by courts and others.

19.63 In assessing the merits of legislative amendment to the definition of consent, the ALRC has considered how consent has been dealt with in other pieces of federal legislation. Examples of expansion of the concept of consent in federal legislation appear in very specific circumstances. For example, the:

  • Crimes Act 1914 (Cth) sets out the steps that must be taken for informed consent to forensic procedures to be established.[91]

  • Criminal Code (Cth) defines consent, in relation to sexual offences, as ‘free and voluntary agreement’ and sets out examples of circumstances in which a person does not consent to an act, such as where the person submits because of force, the fear of force or because the person is unlawfully detained.[92]

  • Spam Act 2003 (Cth) defines consent as express consent or consent that can be reasonably inferred from the conduct, and the business and other relationships, of the individual or organisation concerned.[93] It also defines consent in the specific context of sending an electronic message, in particular, the circumstances in which consent may be inferred from publication of an electronic address.[94]

19.64 Many other federal statutes that refer to consent do not define it. Some provide that consent to entry of premises by an authorised person is not lawful unless the person voluntarily consents.[95]

19.65 The above survey highlights the fact that, while it may be possible to resort to legislation to define or explain consent in a particular context, providing a statutory definition that applies across a wide variety of contexts remains problematic.

Bundled consent

19.66 The parameters of the practice of bundled consent, and the circumstances in which it is appropriate to rely on such consent, need to be clarified. Such clarification will provide greater protection for individuals and increased certainty for agencies and organisations.

19.67 It is apparent from views expressed to this Inquiry that agencies and organisations may abuse the practice of bundled consent. It is equally apparent, however, that there may be legitimate circumstances in which agencies and organisations may use and rely on bundled consent.

19.68 The OPC should develop and publish guidance on bundled consent. This guidance should address the practice of bundled consent in specific industry sectors, such as finance, debt collection, credit reporting, telecommunications, and residential tenancy. It should also consider the use of the practice when dealing with marginalised communities and in relation to the collection, use or disclosure of sensitive information. Finally, it is imperative that the OPC develops its guidance on consent, including bundled consent, in consultation with relevant stakeholders and industry sectors.

Recommendation 19-1 The Office of the Privacy Commissioner should develop and publish further guidance about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act. This guidance should:

(a) address the factors to be taken into account by agencies and organisations in assessing whether consent has been obtained;

(b) cover express and implied consent as it applies in various contexts; and

(c) include advice on when it is and is not appropriate to use the mechanism of ‘bundled consent’.

[1] Privacy Act 1988 (Cth) sch 3, NPP 10.1(a).

[2] Ibid sch 3, NPP 2.1(b).

[3] Ibid s 14, IPP 10.1.

[4] Ibid s 14, IPP 10.1(a).

[5] Ibid s 14, IPP 11.1(a).

[6] Ibid sch 3, NPP 9.

[7] Ibid sch 3, NPP 9(b). Under the ALRC’s recommended principle dealing with ‘Cross-border Data Flows’, consent to transfer is one of a number of bases upon which an agency or organisation can transfer personal information overseas without remaining accountable for that personal information. See Ch 31.

[8] Ibid s 6(1).

[9] Macquarie Dictionary (online ed, 2007).

[10] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007).

[11] F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341, 364–365.

[12] In Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [28.46], it was stated that the practice of bundling consents has the potential to undermine the voluntariness of consent of an applicant for insurance. Bundled consent is discussed further below.

[13] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001); Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001); National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007). In Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [28.27]; [28.34]–[28.37], the ALRC also emphasised the importance of consent being informed and voluntary.

[14] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[15] G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008.

[16] For example, Personal Data Act 1998 (Sweden) s 3, which defines consent as ‘every kind of voluntary, specific and unambiguous expression of will by which the registered person, after having received information, accepts processing of personal data concerning him or her’.

[17] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 22.

[18] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001).

[19] Ibid, [A.5.2].

[20] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007), Ch 2.2.

[21] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 2(h).

[22] G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008, Principle 2.

[23] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007), Ch 2.2.

[24] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 37. This guidance replicates what was stated in the Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [344]. Some privacy advocates have criticised the OPC’s guidance in this regard: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[25] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 38.

[26] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), [A.5.3].

[27] Ibid, [A.5.3].

[28] Personal Data Protection Code 2003 (Italy) s 23.

[29] Federal Data Protection Act 1990 (Germany) s 4(a).

[30] Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) sch 1, Principle 4.35, 4.36.

[31] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 82.

[32] Ibid, 85.

[33] See Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.140]–[4.141].

[34] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 86. See also Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.142]–[4.143].

[35] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 86.

[36] Ibid, rec 22.

[37] Australian Law Reform Commission, Review of Australian Privacy Law: An Overview of Discussion Paper 72 (2007), [16.26]–[16.35].

[38] Ibid, Proposal 16–1. Stakeholders’ views on the ALRC’s approach to bundled consent are addressed separately below.

[39] Government of South Australia, Submission PR 565, 29 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Anglicare Tasmania, Submission PR 514, 21 December 2007; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; New South Wales Aboriginal Justice Advisory Council, Submission PR 501, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[40] See, eg, Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[41] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007.

[42] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[43] Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[44] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007.

[45] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[46] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007.

[47] National Australia Bank, Submission PR 408, 7 December 2007.

[48] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The National Health and Medical Research Council stated that it would be pleased to assist in the development of guidance on consent in the context of health care and research: National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[49] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[50] Pharmacy Guild of Australia, Submission PR 433, 10 December 2007. One stakeholder submitted that there were particular situations where children and young people should be able to seek medical assistance without parental consent: New South Wales Aboriginal Justice Advisory Council, Submission PR 501, 20 December 2007.

[51] Government of South Australia, Submission PR 565, 29 January 2008.

[52] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. The Queensland Government supported, in general terms, provision by the OPC of guidance on the nature of, and requirements for, valid consent in particular circumstances: Queensland Government, Submission PR 490, 19 December 2007.

[53] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007).

[54] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[55] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007.

[56] Microsoft Asia Pacific, Submission PR 463, 12 December 2007. The OPC agreed that ‘the greater the sensitivity of the information or the practice, the more likely it is that consent should be expressed actively, rather than implied’: Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[57] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[58] See, eg, Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[59] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[60] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[61] See, eg, Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Anglicare Tasmania, Submission PR 135, 19 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007; NSW Disability Discrimination Legal Centre (Inc), Submission PR 105, 16 January 2007.

[62] Anglicare Tasmania, Submission PR 135, 19 January 2007.

[63] See, eg, AAMI, Submission PR 147, 29 January 2007; Confidential, Submission PR 143, 24 January 2007; NSW Disability Discrimination Legal Centre (Inc), Submission PR 105, 16 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007.

[64] Law Council of Australia, Submission PR 177, 8 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[65] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[66] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Telstra, Submission PR 185, 9 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AXA, Submission PR 119, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.

[67] AAPT Ltd, Submission PR 338, 7 November 2007.

[68] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007.

[69] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Council of Australia, Submission PR 177, 8 February 2007.

[70] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Telstra, Submission PR 185, 9 February 2007; Anglicare Tasmania, Submission PR 135, 19 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007.

[71] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 16–1.

[72] See, eg, Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Anglicare Tasmania, Submission PR 514, 21 December 2007; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; BUPA Australia Health, Submission PR 455, 7 December 2007; Australia Post, Submission PR 445, 10 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[73] See, eg, Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007.

[74] Confidential, Submission PR 536, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[75] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 22.

[76] See, eg, Confidential, Submission PR 519, 21 December 2007; ANZ, Submission PR 467, 13 December 2007; BUPA Australia Health, Submission PR 455, 7 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007.

[77] See, eg, Confidential, Submission PR 536, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; BUPA Australia Health, Submission PR 455, 7 December 2007.

[78] Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[79] See, eg, Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Financial Planning Association of Australia, Submission PR 496, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007. Specific support was expressed for the use of bundled consent in the debt collection sector: Australian Collectors Association, Submission PR 505, 20 December 2007.

[80] Financial Planning Association of Australia, Submission PR 496, 19 December 2007.

[81] GE Money Australia, Submission PR 537, 21 December 2007.

[82] Optus, Submission PR 532, 21 December 2007; AAPT Ltd, Submission PR 338, 7 November 2007.

[83] AAPT Ltd, Submission PR 338, 7 November 2007.

[84] Anglicare Tasmania, Submission PR 514, 21 December 2007.

[85] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[86] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[87] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[88] Australian Digital Alliance, Submission PR 422, 7 December 2007.

[89] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007).

[90] See Chs 4, 18.

[91] Crimes Act 1914 (Cth) ss 23WF, 23WG, 23XWG.

[92] Criminal Code (Cth) s 268.14 (Crime against humanity—rape); s 268.16 (Crime against humanity—enforced prostitution).

[93] Spam Act 2003 (Cth) sch 2 s 2.

[94] Ibid sch 2.

[95] See, eg, Energy Efficiency Opportunities Act 2006 (Cth) s 31; Fuel Quality Standards Act 2000 (Cth); Renewable Energy (Electricity) Act 2000 (Cth) s 46, s 117; Trade Practices Act 1974 (Cth) s 154D; Migration Act 1958 (Cth) s 268CC; Quarantine Act 1908 (Cth) s 66AW.