Unsolicited personal information

Background

21.36 Agencies and organisations sometimes receive unsolicited personal information. This occurs where personal information is received by an agency or organisation that has taken no active steps to collect that information. This is increasingly common in the digital age where information can be transmitted easily and quickly.

21.37 Sometimes unsolicited personal information received by an agency is particularly sensitive—for instance, in the area of community services, an agency may receive information relating to domestic violence or abuse. It has been noted that where such information remains on file, ‘there is a danger that it will indirectly influence an agency official in their decisions about, or interactions with, the individual’.[46]

21.38 The IPPs, to some extent, make a distinction between the obligations imposed on an agency that solicits personal information and one that receives unsolicited personal information. IPPs 2 and 3 impose certain obligations on an agency only where it has solicited personal information. The obligations in IPP 1, however, which do not refer expressly to solicited information, have been said to apply where an agency receives unsolicited material—from sources such as a ministerial letter or a tip-off from an informer.[47]

21.39 NPP 1 does not distinguish between the obligations imposed on an organisation in respect of solicited and unsolicited information, although it does address separately personal information obtained directly from the individual concerned, and information collected from a third party.[48] This is relevant because unsolicited personal information tends to be received from third parties.

Submissions and consultations

21.40 In IP 31, the ALRC asked what obligations, if any, should apply to an agency or organisation when it receives unsolicited information that it intends to include in a record or a generally available publication.[49]

21.41 In response to IP 31, a number of stakeholders stated that, where an agency or organisation receives unsolicited personal information, this information should be covered by the privacy principles.[50] Some stakeholders suggested specific obligations that should apply in respect of unsolicited information:

  • The ‘accuracy of such information should be checked as soon as possible with the subject, where possible, unless the source is a publicly available source’.[51] The OPC submitted that this was particularly important where the information may be used to deny an individual ‘access to essential services’.[52]
  • The individual should be given the opportunity to give or withhold consent to his or her personal information being used in these circumstances.[53]
  • Unsolicited information that is ‘irrelevant to the functions’ of the entity that receives it should be destroyed.[54]

21.42 Some stakeholders stated that no additional obligations should be imposed in respect of the collection of unsolicited information because the existing rules are sufficient.[55] Others suggested that it was not helpful to make a distinction between solicited and unsolicited information.[56] For example, the Centre for Law and Genetics argued that the distinction between solicited and unsolicited information derives from paper-based record keeping and ‘should not be maintained in a modern computer-data driven environment’. It submitted that where an organisation or agency proposes to keep or use unsolicited information, it should be subject to the usual privacy principles.[57]

21.43 One stakeholder submitted that obligations only should be imposed on agencies or organisations in respect of unsolicited personal information which they retain.[58]

21.44 In DP 72, the ALRC proposed that the ‘Collection’ principle should provide that where an agency or organisation receives unsolicited personal information, it must either: (a) destroy the information immediately without using or disclosing it; or (b) comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had taken active steps to collect the information.[59]

21.45 There was some support for this proposal[60] and, more generally, for an approach providing for privacy protection regardless of whether personal information is obtained directly or indirectly from a third party.[61] The majority of stakeholders, however, expressed qualified support, raising three main areas of concern. The first was about the consequences of requiring unsolicited information to be destroyed immediately. Stakeholders stated that such an obligation was problematic because:

  • an agency or organisation may need a deliberative period within which to consider whether to retain unsolicited personal information, and such deliberation ought to be a permitted use or disclosure;[62]
  • it could make agencies and organisations ‘hyper-vigilant’ about destruction and could therefore lead to some information being destroyed in error;[63] and
  • such a prescriptive approach would be financially and operationally onerous without delivering any clear extra privacy protection for individuals.[64]

21.46 The second area of concern was about nominating destruction as an option in certain circumstances. Stakeholders noted that destruction of personal information:

  • was only an option where it did not breach the requirements of relevant records retention legislation;[65] and
  • could impact negatively on accountability and audit requirements, leading, for example, to accusations of ‘cover-ups’ where a matter appears not to have been investigated.[66]

21.47 The third area of concern arose in relation to circumstances where stakeholders submitted that they would not be able to perform their functions properly if they were required either to destroy unsolicited information or to comply with all the model UPPs in respect of that information. Particular concerns were expressed about complying with the ‘Notification’ principle, which imposes obligations on agencies and organisations to notify or otherwise ensure an individual is aware of certain matters concerning the collection of his or her personal information. This concern arose principally in relation to reliance by agencies on unsolicited personal information received via anonymous and confidential tip-offs in order to investigate offences and non-compliant activity, and as part of the general practice of collecting criminal intelligence.[67] Other contexts in which this concern arose included where:

  • the Administrative Review Tribunal receives unsolicited information about third parties during its review processes;[68] and
  • schools receive unsolicited information from other schools about the behaviour and needs of pupils who are transferring schools.[69]

21.48 Other stakeholders expressed qualified support for the proposal, on the basis that it was made clear that:

  • ‘using or disclosing’ unsolicited personal information includes taking any action; and
  • the option to destroy the information is exercised within a limited time, otherwise the obligations concerning data security would apply.[70]

21.49 A small number of stakeholders expressed outright opposition to the proposal on various grounds, including that it:

  • is unnecessary or a matter more appropriately dealt with by OPC guidance, because organisations are currently subject to the privacy principles regardless of whether they receive personal information via solicited or unsolicited means;[71]
  • will place unnecessary burdens on agencies to require them to meet the notification obligations in respect of unsolicited information;[72] and
  • may be inappropriate for organisations to destroy immediately unsolicited personal information. For example, they may be required to retain the information for a period of time to consider its contents, check its accuracy or assess whether they have an obligation to act on the information received.[73]

21.50 A small number of stakeholders suggested that the meaning of ‘unsolicited’ should be clarified.[74] The Cyberspace Law and Policy Centre and the Australian Privacy Foundation expressed the view that the Privacy Act or the Explanatory Memorandum to the amending legislation should make it clear that unsolicited personal information is included within the meaning of ‘collect’.[75] The OPC noted that there are a number of ways in which personal information may be received without being solicited, for example via misdirected mail, promotional material, or third parties. It suggested that it publish guidance to clarify the meaning of ‘unsolicited’ in the context of the ‘Collection’ principle.[76]

ALRC’s view

21.51 Many agencies and organisations receive a large amount of unsolicited personal information. The fact that an agency or organisation has done nothing to cause personal information to be sent to it should not mean, however, that such information falls outside the protection of the privacy principles.

21.52 The risk that personal information will be used or disclosed in violation of a person’s privacy only becomes significant where, on receiving unsolicited personal information, the agency or organisation retains it. If an agency or organisation is required, or decides, to retain unsolicited personal information then it should comply with all of the privacy principles in respect of that information, as if the agency or organisation had taken active steps to collect the information.

21.53 An agency or organisation may have no option but to retain personal information. For example, retention may be required because of the requirements of records retention legislation such as the Archives Act 1983 (Cth) or it may otherwise be reasonable to retain the information in light of accountability, audit or evidentiary requirements.

21.54 Some stakeholders expressed concerns that they would not always be able to comply with the obligations imposed by the privacy principles in respect of certain unsolicited information. Compliance with the ‘Notification’ principle raised particular concerns. It is important to emphasise, however, that the requirement to comply with relevant privacy principles encompasses a consideration of any qualifications or exceptions to those principles. For example, the obligation to notify or otherwise ensure that an individual is aware of certain matters concerning the collection of his or her personal information is limited to taking such steps, if any, that are reasonable in the circumstances. In some circumstances it will be reasonable for an agency or organisation to take no steps to notify an individual about the collection of personal information. Such circumstances may include the receipt of unsolicited confidential ‘tip-offs’ relating to unlawful activity.[77]

21.55 A requirement to destroy immediately unsolicited personal information is impracticable, and an agency or organisation will require a deliberative period within which to consider whether it can lawfully collect the unsolicited information and whether it wishes to retain that information. If the collection is lawful and the agency or organisation decides to keep the information then, as stated above, the obligations that apply to the ‘active’ collection of personal information should apply. If the collection is unlawful or the agency or organisation does not wish to retain the information then the agency or organisation should destroy the information as soon as practicable without using or disclosing it—if it is lawful and reasonable to do so. A use or disclosure made for the purpose of determining whether the information needs to be retained should, however, be permissible. For example, an agency or organisation may need to use or disclose the information in order to receive advice about whether to retain or destroy it.

21.56 The above approach ensures that the spectrum of personal information that an agency or organisation may lawfully retain, use and disclose is not expanded merely because the entity has taken no steps to collect the information. The threshold requirement that an agency or organisation is only permitted to collect personal information that is ‘necessary for one or more of its functions or activities’ also should apply to the retention of unsolicited personal information.

21.57 The OPC should develop and publish guidance about the meaning of ‘unsolicited’ in the context of the ‘Collection’ principle. The ALRC notes the OPC’s support for the development of such guidance.

Recommendation 21-3 The ‘Collection’ principle should provide that, where an agency or organisation receives unsolicited personal information, it must either:

(a) if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or

(b) comply with all relevant provisions in the model Unified Privacy Principles that apply to the information in question, as if the agency or organisation had taken active steps to collect the information.

Recommendation 21-4 The Office of the Privacy Commissioner should develop and publish guidance about the meaning of ‘unsolicited’ in the context of the ‘Collection’ principle.

[46] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[47] See Explanatory Memorandum, Privacy Bill 1988 (Cth), [59].

[48] See Privacy Act 1988 (Cth) sch 3, NPPs 1.4, 1.5.

[49] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–4.

[50] See, eg, G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[51] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. A number of other stakeholders expressed similar views: see, eg, Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007.

[52] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[53] I Turnbull, Submission PR 82, 12 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[54] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007. A similar point was raised by Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[55] See, eg, Australian Federal Police, Submission PR 186, 9 February 2007; Confidential, Submission PR 165, 1 February 2007; Confidential, Submission PR 143, 24 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[56] Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[57] Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[58] DLA Phillips Fox, Submission PR 111, 15 January 2007.

[59] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 18–2.

[60] Anglicare Tasmania, Submission PR 514, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australian Digital Alliance, Submission PR 422, 7 December 2007. The Australian Direct Marketing Association did not disagree with the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[61] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[62] See, eg, Confidential, Submission PR 570, 13 February 2008; Medicare Australia, Submission PR 534, 21 December 2007; Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[63] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[64] National Australia Bank, Submission PR 408, 7 December 2007.

[65] Australian Government Centrelink, Submission PR 555, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[66] Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.

[67] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Australian Federal Police, Submission PR 545, 24 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.

[68] Administrative Appeals Tribunal, Submission PR 481, 17 December 2007.

[69] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[70] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[71] Optus, Submission PR 532, 21 December 2007.

[72] Queensland Government, Submission PR 490, 19 December 2007.

[73] GE Money Australia, Submission PR 537, 21 December 2007.

[74] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[75] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[76] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[77] The ‘Notification’ principle is discussed in Ch 23.