Collection from the individual

Background

21.11 NPP 1 obliges an organisation, where reasonable and practicable, to collect personal information about an individual only from that individual. The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 acknowledges that there will be situations in which it would not be ‘reasonable and practicable’ to collect directly from an individual. It states that:

An example would be where direct collection would prejudice the purpose of collection (eg in the case where an enforcement body is investigating a breach of a criminal law).[6]

21.12 The OPC has issued guidance on this principle, which sets out the following factors to be balanced in assessing whether it is reasonable and practicable to collect information directly from an individual:

  • whether it is possible to collect the information directly;
  • whether a reasonable individual might expect information about him or her to be collected directly or indirectly;
  • how sensitive the information is;
  • the cost to an organisation of collecting directly rather than indirectly;
  • the privacy consequences for the individual if the information is collected indirectly; and
  • what is accepted practice (by consumers and the industry).[7]

21.13 IPPs 1–3 do not impose an equivalent requirement on agencies to collect information directly from an individual where reasonable and practicable.

21.14 There is precedent in other jurisdictions for requiring agencies, where reasonable, only to collect personal information from the individual concerned. In New South Wales, for example, such an obligation applies to agencies unless the individual concerned has authorised collection from someone else or, where the information relates to a person under the age of 16, the information has been provided by a parent or guardian.[8] Privacy laws in New Zealand and Germany require agencies to collect personal information directly from the individuals concerned, except in certain specified circumstances, such as where:

  • the administrative task to be fulfilled by its nature or purpose makes collection from other persons or bodies necessary;[9]
  • non-compliance would not prejudice the interests of the individual concerned;[10]
  • non-compliance is necessary to avoid prejudice to the maintenance of the law … including the prevention, detection, investigation, prosecution, and punishment of offences; or
  • compliance would prejudice the purpose of the collection.[11]

21.15 Privacy laws in Canada require a government institution, where possible, to collect personal information that it intends to use for an administrative purpose directly from the individual to whom it relates except in certain specified circumstances.[12] Similarly, United States law requires agencies to

collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs.[13]

Submissions and consultations

21.16 In the Issues Paper, Review of Privacy (IP 31) the ALRC asked whether agencies also should be subject to a general requirement that, where reasonable and practicable, they should collect information about an individual only from the individual concerned.[14]

21.17 Some stakeholders expressed the view that agencies should be subject to such a requirement, stating that there is no reason to retain different rules for agencies and organisations in these circumstances.[15] Some stakeholders emphasised that the requirement should apply only where reasonable and practicable, and that collection should not be jeopardised when it is not reasonable or practicable to obtain the information from the individual.[16]

21.18 Other stakeholders, however, opposed the imposition of this requirement.[17] For example, the Australian Federal Police (AFP) stated that law enforcement agencies routinely collect personal information from a range of sources, and that a ‘reasonable and practicable test may not be sensitive enough to recognise this and may have significant operational impacts’.[18] The Australian Government Department of Families, Community Services and Indigenous Affairs (FaCSIA) submitted that such a requirement would hamper agencies’ whole of government approach to service delivery because:

Requiring each agency to separately collect information from the individual for the same programme would lead to a duplication of process and increase administrative inefficiency of government agencies.[19]

21.19 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that the:

  • UPPs should contain a principle called ‘Collection’ that requires agencies and organisations, where reasonable and practicable, to collect personal information only from the individual concerned; and
  • OPC should provide guidance to clarify when it would not be reasonable and practicable to collect such information from the individual concerned.[20]

21.20 Many stakeholders supported this proposal.[21] Reasons given for supporting direct collection of personal information from the individual concerned include that it gives individuals ‘an opportunity to refuse to participate in the collection or provide their information on conditions’ and increases the likelihood that the information collected will be relevant, accurate and complete.[22]

21.21 Some stakeholders that supported the proposal emphasised that there will be many cases where it will be necessary to obtain personal information from sources other than the individual concerned, and that guidance should address these circumstances.[23] For example, the National Health and Medical Research Council (NHMRC) noted that such circumstances include the taking of family, medical or social histories and the collection of information provided in confidence by third parties to health care providers.[24] The Department of Foreign Affairs and Trade submitted that it regularly collects personal information about individuals from third parties.

For example, personal information is collected from next of kin and foreign authorities when dealing with consular cases; from other agencies, both state and Commonwealth, when establishing a passport applicant’s identity and citizenship or conducting fraud investigations; from other employees when undertaking Code of Conduct and other internal investigations; and from a range of sources when processing security clearances for potential employees. It is assumed that each of these collections would fall within the ‘reasonable and practicable’ limitation … Guidance from the OPC to this effect would be necessary if this recommendation is adopted.[25]

21.22 Similarly, the Department of Defence welcomed guidance from the OPC on the parameters of what is ‘reasonable and practicable’. It stated such guidance should not inhibit its ability to collect personal information about an individual’s family and friends for the purposes of identity process checks and security clearance assessments.[26]

21.23 Stakeholders suggested also that the OPC’s guidance cover collection:

  • from persons authorised to act on behalf of the individual, such as parents and guardians;[27]
  • from children and persons with a decision-making impairment;[28]
  • processes which will gather information about multiple individuals, such as family support services and counselling;[29] and
  • for the purposes of investigations by agencies and organisations.[30]

21.24 Some stakeholders supported the proposal, subject to general reservations about the value of OPC guidance based, in part, on its non-binding nature.[31] Stakeholders emphasised the importance of OPC guidance being developed in consultation with all relevant stakeholders,[32] including privacy commissioners across all jurisdictions.[33]

21.25 The Public Interest Advocacy Centre expressed the view that, while there was a need to clarify when it is not reasonable and practicable to collect personal information directly from the individual, such guidance should be contained in the Privacy Act, the regulations or a binding code.[34]

21.26 Similarly, many stakeholders submitted that the principle itself ought to include a number of exceptions, including:

  • for the collection of personal information for statistical and research purposes;[35]
  • for the appropriate verification of an individual’s circumstances from reliable third parties, including for the purposes of: facilitating health benefits and social services; providing support for disadvantaged customers; and preventing or lessening the instances of fraud;[36]
  • where the party from whom the organisation or agency intends to collect the personal information of another individual has: the express or implied consent of that individual; actual or ostensible authority to act on behalf of the individual; or carer or parental responsibilities and duties with respect to the individual;[37] and
  • to allow agencies to perform their law enforcement functions properly, and collect criminal intelligence, including through the receipt of anonymous and confidential tip-offs.[38]

21.27 Other stakeholders also expressed concerns that the principle should not limit an agency’s intelligence, investigative and compliance functions; and emphasised, for example, the impracticability of collecting personal information about a suspect or witness only from that person.[39]

21.28 The Australian Taxation Office (ATO), however, opposed the proposal outright. It expressed ‘very strong concerns’ that it would prejudice its activities and impose upon it a resource-intensive administrative burden. The ATO stated that it did not want to be placed in a position of having to rebut a presumption that it should collect information directly from an individual.

Collecting information from third parties is an essential part of the investigative and compliance activities of the Tax Office. The proposed principles would prejudice necessary activities such as:

  • verifying information through independent third parties
  • using third parties as a first source of information in particular where serious tax non-compliance is suspected, including criminal activity
  • lawfully gathering and matching information about larger numbers of individuals for data matching activities, and
  • collecting and using information in the many reports of transactions that the taxation law requires third parties to provide to the Tax Office.

The Tax Office believes that adequate protection is already in place for taxpayers when third party information is used.[40]

21.29 Other stakeholders noted the ‘operational challenges’ and ‘human resource costs’ associated with implementing the proposal.[41] For example, the Department of Families, Housing, Community Services and Indigenous Affairs expressed concern about the ‘potential impost on individuals having to provide the same information to multiple agencies’.[42]

21.30 Finally, a number of tribunals submitted that it would not be reasonable and practicable for them, in carrying out their review processes, to collect personal information only from the individuals concerned.[43]

ALRC’s view

21.31 Agencies and organisations should be required to collect personal information only from the individual to whom the information relates, where it is reasonable and practicable to do so. Such a requirement increases the likelihood that personal information collected will be accurate, relevant, complete and up-to-date. It also gives individuals an opportunity to participate in the collection process. As noted above, this requirement already applies to organisations.

21.32 The qualification that the requirement applies only ‘where reasonable and practicable’ is significant, particularly as it applies to agencies. There will be many situations where it will not be reasonable or practicable to collect personal information directly from the individual concerned. For example, the requirement is not intended to limit the coercive information-gathering powers of agencies, or the exercise of their intelligence, investigative and compliance functions. As noted above, the Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 acknowledged expressly that it will not be reasonable and practicable to collect personal information directly from an individual where direct collection would prejudice the purpose of collection, such as where a law enforcement body is investigating a breach of a criminal law.

21.33 Some stakeholders expressed the view that the principle itself should set out a number of circumstances when it would not be reasonable and practicable for the requirement to apply. It would be inconsistent with the adoption of high-level principles to introduce detailed and prescriptive rules concerning the application of this requirement.[44]

21.34 The OPC should develop and publish further guidance, in consultation with relevant stakeholders, to clarify when it would not be reasonable and practicable to collect personal information only from the individual concerned. While the OPC’s current guidance addresses the general factors to be considered in assessing whether it is reasonable and practicable to collect personal information directly from an individual, the ALRC recommends that the further guidance address specific circumstances where direct collection may not be reasonable and practicable. In particular, taking into account the views expressed by stakeholders about the areas requiring clarification, the guidance should address collection:

  • of personal information by agencies pursuant to the exercise of their coercive information-gathering powers or in accordance with their intelligence-gathering, investigatory and compliance functions;
  • of statistical data;
  • of personal information in circumstances in which it is necessary to verify an individual’s personal information;
  • of personal information in circumstances in which the collection process is likely to, or will, disclose the personal information of multiple individuals; and
  • from children, persons with a decision-making incapacity and those authorised to provide personal information on behalf of the individual.

21.35 The ALRC acknowledges the concerns expressed by a number of tribunals that it would not be reasonable and practicable for them, in respect of their review processes, to collect information directly from the individuals concerned. This is one of a number of concerns expressed by tribunals concerning the application of privacy principles to them. These concerns have been addressed in the ALRC’s recommendation to partially exempt tribunals from the operation of the Privacy Act.[45]

Recommendation 21-1 The model Unified Privacy Principles should contain a principle called ‘Collection’ that requires agencies and organisations, where reasonable and practicable, to collect personal information about an individual only from the individual concerned.

Recommendation 21-2 The Office of the Privacy Commissioner should develop and publish further guidance to clarify when it would not be reasonable and practicable to collect personal information about an individual only from the individual concerned. In particular, the guidance should address collection:

(a) of personal information by agencies pursuant to the exercise of their coercive information-gathering powers or in accordance with their intelligence-gathering, investigative, and compliance functions;

(b) of statistical data;

(c) of personal information in circumstances in which it is necessary to verify an individual’s personal information;

(d) of personal information in circumstances in which the collection process is likely to, or will, disclose the personal information of multiple individuals; and

(e) from persons under the age of 18, persons with a decision-making incapacity and those authorised to provide personal information on behalf of the individual.

[6] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [337].

[7] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 31–32.

[8] Privacy and Personal Information Protection Act 1998 (NSW) s 9.

[9] Federal Data Protection Act 1990 (Germany) s 4(2)(a).

[10] Privacy Act 1993 (NZ) s 6, IPP 2(c).

[11] Ibid s 6, IPP 2(e).

[12] See Privacy Act RS 1985, c P-21 (Canada) s 5(1); Privacy Act 1993 (NZ) s 6, IPP 2; Federal Data Protection Act 1990 (Germany) s 4(2).

[13] See Privacy Act 1974 5 USC § 552a (US).

[14] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–3.

[15] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007.

[16] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Queensland Government, Submission PR 242, 15 March 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Competition and Consumer Commission, Submission PR 178, 31 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Confidential, Submission PR 143, 24 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[17] Australian Federal Police, Submission PR 186, 9 February 2007; Australian Taxation Office, Submission PR 168, 15 February 2007; Australian Government Department of Families, Community Services and Indigenous Affairs, Submission PR 162, 31 January 2007; Confidential, Submission PR 165, 1 February 2007.

[18] Australian Federal Police, Submission PR 186, 9 February 2007. See also Confidential, Submission PR 165, 1 February 2007.

[19] Australian Government Department of Families, Community Services and Indigenous Affairs, Submission PR 162, 31 January 2007.

[20] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 18–1.

[21] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. One stakeholder submitted that it did not disagree with this approach: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[22] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[23] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Medicare Australia, Submission PR 534, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[24] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[25] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[26] Australian Government Department of Defence, Submission PR 440, 10 December 2007. Another stakeholder noted that it would be impracticable to obtain information directly from an individual in the context of considering the promotion of servicemen, in matters relating to discipline, and investigations of wrongdoing, offences and breaches of security: D Meehan, Submission PR 345, 22 November 2007.

[27] Medicare Australia, Submission PR 534, 21 December 2007.

[28] Government of South Australia, Submission PR 565, 29 January 2008.

[29] Ibid. The Office of the Victorian Privacy Commissioner noted that an individual may need to disclose information about their family circumstances when applying for financial assistance or welfare benefits: Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[30] Government of South Australia, Submission PR 565, 29 January 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[31] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[32] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. The NHMRC submitted that it would be pleased to assist in the development of guidance on when it would not be reasonable and practicable to collect directly from the individual in the context of health care and human research: National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[33] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[34] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. GE Money similarly expressed the view that ‘to the greatest extent possible, the Act and the Regulations should stand alone as a clear compliance framework for organisations’: GE Money Australia, Submission PR 537, 21 December 2007.

[35] Australian Institute of Health and Welfare, Submission PR 552, 2 January 2008; Australian Bureau of Statistics, Submission PR 383, 6 December 2007.

[36] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[37] Australia Post, Submission PR 445, 10 December 2007.

[38] Australian Federal Police, Submission PR 545, 24 December 2007; Australian Government Department of Families, Housing, Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008.

[39] Confidential, Submission PR 448, 11 December 2007; Confidential, Submission PR 488, 19 December 2007.

[40] Australian Taxation Office, Submission PR 515, 21 December 2007.

[41] Australian Government Department of Families, Housing, Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008.

[42] Australian Government Department of Families, Housing, Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008.

[43] Migration Review Tribunal and Refugee Review Tribunal, Submission PR 533, 21 December 2007; Administrative Appeals Tribunal, Submission PR 481, 17 December 2007.

[44] See Rec 18–1.

[45] See Rec 35–1.