Other aspects of the ‘Collection’ principle

Location of notification requirements

21.58 As noted above, the collection principles in both the NPPs and IPPs provide that, in certain circumstances, agencies and organisations must ensure that an individual whose personal information has been, or is to be, collected, is aware of a number of matters. One way of ensuring awareness is through notification. A question arises whether the ‘Collection’ principle should set out notification requirements that apply at or around the time personal information is collected, or whether these requirements should be set out in another principle that more explicitly relates to notification.

21.59 This issue is dealt with in Chapter 23, where the ALRC recommends that the notification requirements that are currently located in the collection principles in the IPPs and NPPs should be moved to a separate privacy principle called ‘Notification’.[78]

Collection of sensitive information: location of provisions

21.60 Currently, the collection of sensitive information by organisations is covered in a separate privacy principle, NPP 10. The collection of sensitive information by agencies is not dealt with explicitly in the IPPs.

21.61 There is a question whether the ‘Collection’ principle also should deal with the collection of sensitive information, or whether the collection of sensitive information should be dealt with in a separate principle. This question is addressed in Chapter 22, where the ALRC recommends that the provisions that relate to the collection of sensitive information should be contained in the ‘Collection’ principle.[79]

Limitation on collection: reasonable purposes?

Background

21.62 As noted above, currently an organisation is prohibited from collecting personal information unless the information is necessary for one or more of its functions or activities.[80] An agency only may collect personal information if the:

  • information is collected for a lawful purpose directly related to a function or activity of the agency; and

  • collection of that information is necessary for, or directly related to, that purpose.[81]

21.63 The OPC’s guidelines on collection of information by organisations provide that:

The Commissioner interprets ‘necessary’ in a practical sense. If an organisation cannot in practice effectively pursue a legitimate function or activity without collecting personal information, then the Commissioner would ordinarily consider it necessary for that function or activity.[82]

21.64 The High Court of Australia has also noted that ‘there is, in Australia, a long history of judicial and legislative use of the term “necessary”, not as meaning essential or indispensable, but as meaning reasonably appropriate and adapted’.[83] A question arises whether agencies and organisations only should be able to collect personal information for purposes that a reasonable person would consider appropriate in the circumstances.

21.65 Some Canadian privacy law, for example, provides for an objective test in these circumstances. For instance, the federal legislation provides that an organisation may collect, use or disclose personal information ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’.[84] Similarly, Alberta’s information privacy legislation states:

Where an organization collects personal information, it may do so only to the extent that is reasonable for meeting the purposes for which the information is collected.[85]

21.66 The Australian Privacy Foundation submitted to the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry) that the NPPs should provide that collection be limited by such an objective test.[86] The OPC’s review of the private sector provisions of the Privacy Act (OPC Review) rejected the adoption of an objective test to ascertain whether collection of personal information is necessary for an organisation’s functions or activities. It stated that, while it would enable an individual to challenge the collection of personal information, it would be difficult to implement in practice and ‘it is not likely that the benefits of doing so would outweigh the costs’.[87]

Submissions and consultations

21.67 In DP 72, the ALRC proposed that the ‘Collection’ principle in the model UPPs should provide that an agency or organisation must not collect personal information unless it reasonably believes the information is necessary for one or more of its functions or activities.[88]

21.68 Stakeholders’ opinions on this proposal were divided. Some stakeholders supported the introduction of a ‘reasonable belief’ test.[89] A number of stakeholders, however, expressed a preference for a more objective test, where what is reasonable is determined from the perspective of a reasonable person and not the agency or organisation.[90] For example, the Office of the Victorian Privacy Commissioner submitted:

Agencies or organisations should only collect personal information that is necessary for their functions or activities, not information that an agency or organisation reasonably believes may be necessary for their functions or activities. The distinction is an important one: in the former case the test is an objective one which is determined by a regulator; in the latter case the test is a subjective one which is determined by the organisation collecting the information.[91]

21.69 The OPC expressed its support for the proposal, but submitted that the reasonableness of the purpose of collection also should be addressed.[92]

Establishing that the purpose of collection is reasonable is more important than whether there is a reasonable necessity. If only the latter requirement applied, collections may be necessary, albeit for purposes that would seem unreasonable and beyond what individuals may expect is a reasonable function or activity of that organisation or agency …

Accordingly, the Office reiterates the potential value of a collection principle requiring that an organisation may only collect personal information for purposes that are reasonable, where ‘reasonable’ means ‘what a reasonable person would consider appropriate under the circumstances’.[93]

21.70 Some stakeholders submitted that the proposal should include requirements that:

  • collection is proportional to the functions or activities of the agency or organisation;[94]

  • there is a relationship between the perceived necessity of collection and the particular purpose of collection of the information in question;[95] and

  • collection is for a lawful purpose.[96]

21.71 Other stakeholders opposed the proposal on varying grounds, namely that:

  • it is unnecessary because the intent in the requirement in NPP 1 is sufficiently clear;[97]

  • the test is too strict, and agencies should be able to continue to collect information because it will directly assist in achieving a lawful purpose without having to establish that a particular collection is necessary to achieve that purpose;[98] and

  • the requirement for belief in the necessity of information is impracticable in certain contexts.[99]

ALRC’s view

21.72 The ALRC acknowledges the concerns expressed by some stakeholders that the test proposed in DP 72 is not sufficiently objective. What is ‘necessary’ for the functions or activities of an agency or organisation should be determined objectively, rather than by the subjective belief of the agency or organisation.

21.73 An objective test is necessary to ensure appropriate privacy protection in circumstances where an agency or organisation claims that it is necessary to collect an individual’s personal information for the legitimate purpose of providing a service to the individual, but the agency’s or organisation’s real purpose is an illegitimate one—such as on-selling the data to a third party. In such situations, agencies and organisations should not be able to rely simply on their subjective views about the necessity of the collection, even where those views may have a reasonable basis. Rather, the test for necessity should be from the perspective of a reasonable person.

21.74 An objective test should encourage organisations and agencies to give careful consideration to whether the personal information they collect is genuinely necessary for their functions or activities.

21.75 The requirement in NPP 1 that an organisation must not collect personal information unless it is ‘necessary for one or more of its functions or activities’ implies an objective test—the collection has to be necessary, not necessary merely in the opinion of the organisation. Such an interpretation is also within the spirit of the privacy principles as a whole.

21.76 The requirement in NPP 1 should be applied to agencies as well as organisations. As discussed in Chapter 18, the NPPs should form the general template in drafting and structuring the UPPs. The wording of NPP 1 arguably is simpler than that of its equivalent provision, IPP 1.

21.77 It is unnecessary for the ‘Collection’ principle to provide expressly that the perspective of the reasonable person is to be applied in determining the necessity of the collection. It is also unnecessary to provide expressly that the purpose of collection is to be lawful and objectively reasonable. It is implied that the activities and functions pursuant to which agencies and organisations collect personal information must be lawful. It also is implied that collection pursuant to those functions must be lawful. The ‘Collection’ principle does not, and cannot, make unlawful collections lawful, such as where agencies collect information beyond the scope of their powers. In the case of sensitive information, the restrictions placed on collection assist in ensuring that the purposes of collection are reasonable. For example, it is reasonable to collect sensitive information because it is required by law or necessary for the establishment of a legal claim.[100]

21.78 The ALRC notes the ATO’s concerns about the strictness of prohibiting collection of personal information unless it is necessary for an entity’s functions or activities. This approach is consistent with IPP 1, however, which also includes a requirement of necessity. Further, such concerns may be assuaged somewhat by the fact that, historically, what is ‘necessary’ has been interpreted in a practical and liberal manner, as noted above.

Recommendation 21-5 The ‘Collection’ principle in the model Unified Privacy Principles should provide that an agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities.

Methods of collection

21.79 NPP 1 and IPPs 1–3 apply generally to the collection of personal information. They do not refer to particular methods of collection.

21.80 Privacy advocates submitted that the Privacy Act, or the Explanatory Memorandum to the amending legislation, should make it clear that the ‘Collection’ principle applies to specific methods of collection—namely to information that is: obtained by observation or surveillance; extracted from other records, such as books; and generated internally as a result of transactions.[101] Privacy advocates acknowledged that ‘the practice of Privacy Commissioners seems to assume that observations [by surveillance] constitutes collection, and case law to the contrary is not known’.[102]

21.81 It is unnecessary to amend the Act to refer to specific methods of collection. The ALRC is not convinced that a mischief has been identified warranting such an amendment. It is clear that personal information may be collected by surveillance. The OPC’s guidance on the obligation in NPP 1 for an organisation to collect personal information only by lawful and fair means and not in an unreasonably intrusive manner acknowledges the possibility that personal information may be collected by surveillance. The guidance notes that there will be some circumstances, for example, investigation of fraud or other unlawful activity, where covert collection of personal information by surveillance or other means would be fair.[103]

21.82 It is also clear that personal information may be collected from publicly available sources, such as books. Guidance issued by the OPC confirms this approach.[104]

[78] See Rec 23–1.

[79] See Rec 22–1. A summary of the ‘Collection’ principle, UPP 2, is set out at the end of this chapter. It includes the provisions relating to the collection of sensitive information. The collection of sensitive information, however, is discussed in Ch 22, and the collection of sensitive information for the purpose of research is discussed in Ch 65.

[80] Privacy Act 1988 (Cth) sch 3, NPP 1.1.

[81] Ibid s 14, IPP 1.1.

[82] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 27.

[83] Mulholland v Australian Electoral Commission (2004) 220 CLR 181, [39].

[84] Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 5(3). See also s 3.

[85] Personal Information Protection Act 2003 RS (Alberta) c.P–6.5 s 11(2). In IP 31, the ALRC sought views on whether a similar test should be introduced in the Privacy Act: See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [4.68], [11.127]. This issue, however, was not addressed by stakeholders, other than the OPC.

[86] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.170]. See also Australian Privacy Foundation, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 1 March 2005.

[87] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 91.

[88] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 18–3.

[89] Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. The Australian Direct Marketing Association stated that it did not disagree with the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[90] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; I Graham, Submission PR 427, 9 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007, which expressed a preference for the test used in Canadian privacy law. The Public Interest Advocacy Centre submitted that ‘a more objective and appropriate approach would be to focus on the information itself and to ask whether that information is reasonably necessary for one or more of the agency or organisation’s functions or activities’: Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[91] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[92] Other stakeholders expressed a similar view: Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[93] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[94] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[95] Ibid.

[96] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; I Graham, Submission PR 427, 9 December 2007. Some stakeholders also submitted that this requirement should apply to the maximum extent practicable to information: obtained from observation or surveillance; extracted from other records; and generated within an organisation or agency as a result of a transaction: Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[97] Confidential, Submission PR 570, 13 February 2008.

[98] Australian Taxation Office, Submission PR 515, 21 December 2007.

[99] Confidential, Submission PR 488, 19 December 2007.

[100] Sensitive information is discussed in Ch 22.

[101] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[102] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[103] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 27.

[104] Office of the Federal Privacy Commissioner, Privacy and Personal Information That is Publicly Available, Information Sheet 17 (2003). The OPC has noted that this Information Sheet has gained widespread support: Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 262.