Collection of sensitive information

Current coverage by IPPs and NPPs

22.9 The IPPs do not regulate the collection of sensitive information separately from other forms of personal information. In contrast, NPP 10 regulates separately and specifically the collection of sensitive information. It prohibits the collection of such information, except in certain identified circumstances. NPP 10.1 provides that sensitive information can be collected only if the:

  • individual has consented;
  • collection is required by law;
  • collection is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual and the individual is physically or legally incapable of giving or communicating consent to the collection; or
  • collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

22.10 In addition, NPP 10.1 allows sensitive information to be collected in the course of the activities of a non-profit organisation.[8] This is permitted where: the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities; and at, or before, the time of collection the organisation undertakes to the individual that it will not disclose the information without the individual’s consent.

22.11 NPPs 10.2, 10.3 and 10.4 regulate the collection of health information by organisations. Health information is a category of sensitive information. Issues concerning the collection of health information are discussed in Chapter 63.

Expansion of sensitive information provisions to agencies?

Background

22.12 The fact that the IPPs do not contain a principle dealing specifically with the collection of sensitive information is consistent with the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines), which also do not contain such a principle. Indeed, the Explanatory Memorandum to the OECD Guidelines states that ‘it is probably not possible to identify a set of data which are universally regarded as being sensitive’.[9] In contrast, as noted above, the EU Directive imposes additional restrictions on the processing of sensitive information, which includes the collection of such information by agencies and public authorities.[10]

22.13 Should agencies also be subject to restrictions in collecting sensitive information? There is precedent for such a position in Australian jurisdictions as Victorian, Tasmanian and Northern Territory privacy legislation imposes restrictions on the collection of sensitive information by agencies.[11]

Submissions and consultations

22.14 In response to Issues Paper 31, Review of Privacy (IP 31), a number of stakeholders submitted that agencies, like organisations, also should be subject to a ‘sensitive information’ privacy principle.[12]

22.15 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that agencies, as well as organisations, should be subject to requirements relating to the collection of sensitive information, as defined in the Privacy Act, and that these requirements should be located in the ‘Collection’ principle.[13] There was general support for this approach.[14] Reasons given for supporting the extension of the requirements to agencies include that:

  • an individual’s sensitive information requires consistent protection regardless of whether that information is handled by a public or private sector entity;[15]
  • risks associated with subsequent misuse of this information are no less serious where the information is collected by an agency;[16] and
  • such an approach is consistent with that taken in Victoria, Tasmania and the Northern Territory.[17]

22.16 Stakeholders supported locating the collection of sensitive information provisions within the ‘Collection’ principle on the basis that:

  • a separate privacy principle for sensitive information would be ‘unnecessarily complicated’;[18] and
  • it would assist relevant entities ‘to navigate the Privacy Act and to understand their specific obligations’.[19]

22.17 Two stakeholders expressed support ‘in principle’ only.[20] The Australian Federal Police expressed support on the basis that there would be an appropriate exemption to enable law enforcement agencies to perform their functions.[21] The Australian Privacy Foundation expressed reservations about certain exceptions to the general prohibition against the collection of sensitive information.[22]

22.18 The Department of Agriculture, Fisheries and Forestry noted that this approach represented a ‘fundamental new direction for the public sector’.[23] Medicare Australia expressed some concerns about the ramifications of the proposal.

Given that agencies have not up to now been required to categorise relevant personal information as ‘sensitive’, careful consideration would be required as it may have consequences for the administration and payment of claims for government health benefits.[24]

ALRC’s view

22.19 There are strong policy reasons to require agencies, and not just organisations, to be subject to restrictions relating to the collection of sensitive information. An individual’s sensitive information should not be subject to lesser protections concerning its initial collection merely because it is collected by an agency rather than an organisation.

22.20 The finite list of categories of personal information that comprise sensitive information have been treated differently from other forms of personal information because, if misused, the information can be particularly damaging to the individual concerned or those associated with the individual. As explained in Chapter 6, information relating to race or ethnic origin, political or religious beliefs, trade union membership and sexual orientation, for example, is highly personal and may provide the basis for unjustified discrimination and other forms of mistreatment.

22.21 The risks associated with sensitive information being subsequently misused are sufficiently serious to justify imposing an obligation on agencies to abide by restrictions on the collection of sensitive information. Such restrictions, however, should allow for the collection of sensitive information by agencies for legitimate reasons.[25]

22.22 The provisions dealing with the collection of all personal information, including sensitive information, should be located in a single privacy principle called ‘Collection’ in the model Unified Privacy Principles (UPPs). Locating the provisions within a single principle emphasises the obligations to be imposed on agencies and organisations at the collection stage of the information cycle.

22.23 It is illogical to deal with the collection of sensitive information in a separate privacy principle, particularly as the existence of a separate principle can convey the incorrect impression that there is a completely separate regime applicable to sensitive information at all stages of the information cycle.[26] Further, the approach recommended by the ALRC is consistent with that taken in NPP 2, which includes a consideration of the use and disclosure of all personal information, including sensitive information, where relevant.[27]

Recommendation 22-1 The model Unified Privacy Principles should set out the requirements of agencies and organisations in relation to the collection of personal information that is defined as ‘sensitive information’ for the purposes of the Privacy Act. These requirements should be located in the ‘Collection’ principle.

Required or authorised by or under law

Background

22.24 NPP 10.1(b) contains an exception to the prohibition against the collection of personal information where it is required by law. There is no exception where a collection is authorised, but not required, by or under law.[28] As agencies are currently not subject to any separate restrictions concerning the collection of sensitive information, they are able to collect such information where it is authorised by law, provided that the collection complies with the IPPs regulating the collection of personal information.

22.25 An issue arises as to whether there should be an exception to the general prohibition against the collection of sensitive information where the particular collection is authorised, or specifically authorised, by or under law.[29] The issue is pertinent particularly in light of the ALRC’s recommendation to subject agencies to restrictions on the collection of sensitive information.

Submissions and consultations

22.26 In response to IP 31, the Australian Government Department of Health and Ageing (DOHA) submitted that the absence of an exception to the general prohibition against the collection of sensitive information where a collection is authorised by law would ‘impose significant limitations on agencies’, for example, by preventing them from collecting sensitive information from third parties unless specifically required to do so. DOHA submitted that there should be an exception to the prohibition on collecting sensitive information where the collection is required or authorised by law.[30]

22.27 In DP 72, the ALRC proposed that the sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is required or specifically authorised by or under law.[31]

22.28 Stakeholders’ views on this proposal were divided. There was some support for this approach.[32] For example, the Public Interest Advocacy Centre (PIAC) acknowledged that agencies and organisations still must be able to collect sensitive information for legitimate purposes, and that to allow only collections ‘required by law’ was too narrow.[33] The Office of the Privacy Commissioner (OPC) supported the condition of ‘specific authorisation’ being added, stating that it was appropriate particularly in the context of sensitive information.[34]

22.29 Some stakeholders, however, expressed strong concerns about the proposed condition requiring collection to be ‘specifically’ authorised, particularly as it applied to agencies.[35] They submitted that such a requirement would:

  • create ‘rigidity’ not in keeping with the intended flexibility of the high level principles;[36]
  • have potentially far reaching implications and may affect the capacity of agencies to fulfil their statutory functions and powers;[37]
  • be difficult to establish, because express specific authorisation to collect categories of sensitive information—such as criminal records or details of membership of trade or professional associations—will not usually be provided for in legislation, although it may be necessarily implied that in certain circumstances agencies have this authority;[38] and
  • require a careful review of current legislation to ensure that sensitive information required by agencies to administer properly government programs is specifically mentioned.[39]

22.30 The Office of the Victorian Privacy Commissioner (OVPC) opposed the proposal on a different basis. In its view, the proposal was not stringent enough. The OVPC submitted that the requirement to collect sensitive information must be mandatory, and not simply permissive or discretionary.[40]

ALRC’s view

22.31 An exception which permits agencies and organisations to collect sensitive information where the collection is required by law is too narrow. The ‘Collection’ principle must contain an exception which allows for the legitimate collection of sensitive information authorised by law. Agencies, in particular, may need such information to fulfil their statutory functions, including those relating to law enforcement and the administration of government programs.

22.32 The ALRC acknowledges the concerns expressed by stakeholders that ‘specific’ authorisation to collect sensitive information is rarely provided for in legislation. Many agencies possess generally worded coercive information-gathering powers, which do not refer specifically to sensitive information. Imposing a ‘specific authorisation’ requirement would likely necessitate a review of current legislation to ensure that, where needed, the collection of sensitive information is specifically authorised. An exception which permits the collection of sensitive information where it is specifically authorised by or under law, therefore, is too restrictive, particularly in its application to agencies. The relevant exception to the prohibition against the collection of sensitive information should permit collection where it is required or authorised by or under law.

22.33 The ALRC considered an alternative option for reform, in light of the fact that most of the concerns expressed about the ‘specific authorisation’ requirement relate to its application to agencies. This alternative is to have an exception allowing for the collection of sensitive information by: agencies where it is required or authorised by or under law; and organisations where it is required or specifically authorised by or under law.

22.34 On balance, it would be simpler to have the same exception apply to both agencies and organisations to avoid the types of complications that currently arise due to the existence of a dual set of principles.[41] It should be emphasised that, under the recommended exception, agencies and organisations will still need to identify the law that requires or authorises their collection of sensitive information.

Recommendation 22-2 The sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is required or authorised by or under law.

Emergency situations

Background

22.35 A question arises whether agencies and organisations should be able to collect sensitive information in emergency situations where an individual is unable to give consent. If so, how should such an exception to the general prohibition against the collection of sensitive information be framed?

22.36 Part VIA of the Privacy Act, which commenced operation on 7 December 2006, displaces some of the requirements in the IPPs and NPPs.[42] It provides a separate regime for the collection, use and disclosure of personal information where there is a connection to an emergency or disaster that has been the subject of a written declaration by the Prime Minister or a minister. The Part VIA regime is considered in more detail in Chapter 44.

22.37 The collection of sensitive information in emergencies not the subject of a declaration by the Prime Minister or minister may be covered by the exception in NPP 10, which allows for the collection of sensitive information where it is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, and the individual whom the information concerns is incapable of giving consent.[43] The question arises whether this is an appropriately framed exception.

22.38 The principles covering use and disclosure of information by agencies and organisations similarly require that there be a ‘serious and imminent’ threat to the life or health of an individual.[44] Concern has been expressed, however, that the Privacy Act does not respond adequately to the need to share personal information in emergency situations. In the context of the use and disclosure principles, the requirement that there be a ‘serious and imminent’ threat to the life or health of an individual poses difficulties in practice because often it may only be possible to establish a serious or imminent threat. Particularly in the case of disaster recovery, the threat may be serious but no longer ‘imminent’.[45]

22.39 By way of comparison, German privacy law, for example, specifically allows for the collection by public bodies of ‘special categories of personal data’ where: it is ‘urgently needed to protect an important public interest’; ‘it is urgently necessary in order to avert serious prejudice to the public interest or to safeguard important public interest concerns’; or ‘it is necessary on compelling grounds relating to … obligations of the Federal Government in the area of crisis management or … for humanitarian measures’.[46]

Submissions and consultations

22.40 In DP 72, the ALRC proposed broadening the exception relating to emergency situations not the subject of a ministerial declaration under the Act, by permitting the collection of sensitive information by an agency or organisation where: the collection is necessary to lessen or prevent a serious threat to the life or health of any individual; and the individual whom the information concerns is incapable of giving consent.[47]

22.41 The proposed removal of the requirement that a threat be ‘imminent’ received support from a range of stakeholders, including state privacy commissioners, organisations, and some public sector bodies.[48] For example, the OVPC stated that:

The current requirement under NPP 10.1(c) and under the Victorian IPP 10.1(c) that a threat be both serious and ‘imminent’ may currently be too stringent to be effective. In my experience the requirement of imminence has led to uncertainty and confusion on the part of agencies.[49]

22.42 The South Australian Government supported the removal of the requirement that the threat be ‘imminent’, but suggested that the term ‘imminent’ be replaced with another term that suggests likelihood without implying urgency, such as ‘probable’ or ‘likely’. It submitted that this would be ‘consistent with a risk management approach, which generally assesses likelihood as well as consequence’.[50]

22.43 A small number of stakeholders, however, opposed the removal of the requirement that the threat be imminent, principally on the basis that it would lower privacy protections for individuals.[51] For example, the OPC expressed the view that an individual’s privacy rights should not be undermined unnecessarily by virtue of his or her inability to give consent. It submitted that, if the requirement that the threat be ‘imminent’ is removed, then in cases where an individual is incapable of giving consent to a collection, agencies and organisations should be required to obtain consent from the individual’s authorised representative, where it is reasonably practicable to do so.[52]

22.44 Similarly, PIAC expressed concern that:

If the exception can be triggered simply when a threat is ‘serious’ it could be used to justify bulk collection of sensitive information without consent on the basis that the information may be useful at some time in the future to prevent serious harm (for example, collection of health information in respect of people with mental illness, where there may be a potential for serious threat to health, but no imminence, because the illness may be episodic, or controlled by medication).[53]

22.45 Other aspects of the proposal received qualified support. Two stakeholders submitted that if there is a serious threat to the life or health of an individual, then the exception should apply regardless of whether an individual is capable of giving, or gives, consent to the collection.[54] One stakeholder expressed the view that the exception should be extended to allow collections of sensitive information where it is necessary to lessen or prevent a serious threat to public health or public safety.[55]

22.46 PIAC also submitted that there was a need to clarify whether ‘incapable of giving consent’ referred to physical or legal incapacity.[56]

ALRC’s view

22.47 An agency or organisation should be permitted to collect sensitive information where such a collection is necessary to prevent or lessen a serious threat to the life or health of any individual, and the individual whom the information concerns is incapable of giving consent. The provision relating to this exception should clarify that ‘incapable of giving consent’ extends to legal and physical incapacity to give or communicate consent, consistent with the approach in NPP 10.1(c).

22.48 As discussed in Chapter 25, the current requirement that a threat must be both serious and imminent is too difficult to satisfy. It can lead to personal information not being used or disclosed in circumstances where there are compelling reasons justifying its use or disclosure.[57] The relevant exception to the prohibition on the collection of sensitive information should be relaxed so that it is triggered where a threat is serious, but not necessarily imminent. This would allow an agency or organisation to take preventative action to stop a threat from developing into a crisis. This formulation strikes an appropriate balance between respecting the privacy rights of an individual and the public interest in averting threats to life and health.

22.49 The requirement that a threat be serious implies considerations of both consequence and likelihood.[58] It is not necessary to replace ‘imminent’ with another word suggesting likelihood, such as ‘probable’ or ‘likely’, as proposed by one stakeholder. If it is improbable that a threat will eventuate, then the threat cannot be considered serious.

22.50 Further, it is not necessary to extend the ambit of the exception to apply to the collection of sensitive information where it is necessary to lessen or prevent a serious threat to public health or public safety. Other exceptions to the prohibition on the collection of sensitive information will address these concerns. Of particular application in this context is the exception which permits a collection required or authorised by or under law.[59] For example, state and territory public health legislation requires health service providers to collect and record certain information about health consumers with ‘notifiable diseases’, such as tuberculosis, Creutzfeldt-Jakob disease and HIV/AIDS.[60] In other cases, it may be possible for agencies and organisations to rely on the exception permitting collection where it is necessary to lessen or prevent a serious threat to the life or health of any individual, where that individual is incapable of consenting.

Recommendation 22-3 The sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is necessary to lessen or prevent a serious threat to the life or health of any individual, where the individual whom the information concerns is legally or physically incapable of giving or communicating consent.

Other situations not involving a serious threat to life or health

Background

22.51 Concerns have been raised about the provision of services to vulnerable persons who are unable to provide informed consent in circumstances which may not necessarily involve a serious threat to life or health.

22.52 The Community Services Ministers’ Advisory Council (CSMAC) expressed such a concern in the context of providing services to vulnerable persons, where those services are reliant on the collection of sensitive information. For example, those running accommodation services for homeless individuals will sometimes need access to information about the health of the individual before providing accommodation to that individual.[61]

22.53 The CSMAC queried whether a mere decline in health, or the dangers associated with ‘sleeping rough’, would be considered a ‘serious threat to life or health’, or whether a crisis event is required to trigger the exception. It noted that many err on the side of caution, thus affecting the accessibility of services for vulnerable individuals.[62] It stated that:

A person may have impaired competence (either short or long term) to provide informed consent and there is no alternative consent provider, such as a legal guardian or family member. This is a frequent dilemma for homeless services, where the capacity to provide informed consent may be limited by factors such as the use of substances or mental health problems. In such circumstances, there is a dilemma about how to treat consent: a person might provide consent which is of dubious validity, or alternatively, may refuse consent but with a limited understanding of either the consent or the implications of their refusal, which may affect their treatment or access to services that they have requested.[63]

Submissions and consultations

22.54 In DP 72, the ALRC asked whether the collection of sensitive information should be permitted where all of the following conditions are met:

(a) the individual is incapable of giving consent;

(b) the collection is necessary to provide an essential service for the benefit of the individual; and

(c) the collection would be reasonable in all the circumstances.[64]

22.55 Stakeholders’ views on this issue were divided. Some stakeholders were supportive of the above approach, particularly in its application to the collection of health information.[65] For example, the National Health and Medical Research Council expressed the view that such an approach

will assist in the efficient delivery of health and personal care in circumstances where a paid carer is assisting a person who is incapable of giving consent to the carer collecting the person’s health information (for example, when a personal carer collects pharmaceuticals on behalf of a person with dementia).[66]

22.56 Avant Mutual Group Ltd expressed qualified support on the assumption that:

  • the incapable individual concerned does not have an appropriate person, such as a guardian or partner, to give consent on his or her behalf; and
  • a medical practitioner is of the view that the withholding of treatment will compromise the individual’s health.[67]

22.57 A number of stakeholders, however, opposed such an exception to the collection of sensitive information.[68] Reasons for opposing the exception included that:

  • there are inherent difficulties in defining ‘essential services’, particularly beyond what is covered by health information provisions—for example, it is unclear that financial services or welfare in general are properly described as ‘essential’, despite being potentially beneficial to an individual;[69]
  • the question of what ‘is reasonable in the circumstances’ is unclear in its scope and application;[70]
  • given its reliance on relatively vague terms, it may lead to regulatory complexity and uncertainty, as it may be difficult for the OPC to apply consistently;[71]
  • it has the potential to be abused, because it appears to allow agencies and organisations to bypass seeking consent from an authorised representative of the incapable individual;[72]
  • it is paternalistic and overlooks the fact that ‘the consequences of collection in well-meaning circumstances may not necessarily be perceived by affected individuals as being beneficial’;[73]
  • it is unnecessary;[74] and
  • while conceived with homeless persons in mind, it could have unintended or undesirable consequences.[75]

22.58 The OPC suggested that service providers for homeless people consider applying for a Public Interest Determination (PID) to address the collection of sensitive information from persons lacking the capacity to give consent. The OPC submitted that a PID process is ‘likely to permit more careful and deliberate consideration of the specific issue’ than can be undertaken in the ALRC’s wide ranging Inquiry. Further, it stated that:

Unlike an amendment to the principles, a PID, if made, could also be drafted more precisely to ensure that its scope is more certain than a generally applicable exception to a collection principle. Such precision allows for regulation to be created that is narrow and focused on addressing the specific matter at hand.[76]

ALRC’s view

22.59 The ALRC acknowledges the wide array of concerns expressed by stakeholders about the creation of an exception permitting the collection of sensitive information in order to provide essential services to individuals incapable of giving consent. The difficulties associated with the creation and implementation of such an exception significantly outweigh any potential benefit which it may confer on some vulnerable individuals. In particular, the ALRC agrees that defining ‘essential service’ is problematic, and that the adoption of such an exception may have unintended and undesirable consequences.

22.60 There is merit in the OPC’s suggestion that PIDs in this area would provide for greater specificity and certainty in addressing the needs of particular vulnerable persons without risking the potential abuse of those persons’ privacy. If it transpired that any PIDs granted—for example, to service providers for homeless people—were ineffective in balancing the welfare and privacy of vulnerable individuals, it would then be appropriate for further consideration to be given to the merits of implementing a legislative solution.

Research

22.61 In some state and territory privacy legislation, there is a research-related exception to the prohibition on collection of sensitive information by agencies, and this is broader than that provided for in NPP 10. For example, in Victoria and the Northern Territory, public sector bodies can collect sensitive information—not just health information—if:

  • the collection is necessary for research, the compilation or analysis of statistics relevant to government funded targeted welfare or educational services, or relates to an individual’s racial or ethnic origin and is for the purpose of providing government funded targeted welfare or educational services;[77]
  • there is no other reasonably practicable alternative to collecting the information for that purpose; and
  • it is impracticable for the organisation to seek the individual’s consent to the collection.[78]

22.62 This raises the question of whether the model UPPs should permit the collection of sensitive information for research in areas other than health and medical research. This question is addressed separately in Chapter 65. In accordance with the recommendations made in that chapter, the ‘Collection’ principle contains an exception addressing collection of sensitive information necessary for research, where certain conditions are met.[79]

Other exceptions

Background

22.63 Other exceptions to the prohibition against the collection of sensitive information, which are currently included in NPP 10.1, are:

  • where the individual has consented;[80]
  • if the information is collected in the course of the activities of a non-profit organisation where specified conditions are met;[81] and
  • where the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

22.64 The last-mentioned exception is worded in broader terms in the Data Protection Act 1998 (UK). That Act provides that one of the conditions upon which sensitive information can be processed is where it is:

  • necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or for obtaining legal advice; or
  • otherwise necessary for the purposes of establishing, exercising or defending legal rights.[82]

Submissions and consultations

22.65 In DP 72, the ALRC included the above mentioned exceptions in the proposed ‘Collection’ principle. A small number of stakeholders submitted that these exceptions need to be amended. In particular, privacy advocates submitted that:

  • express or explicit consent should be required for the collection of sensitive information;[83] and
  • the exception relating to non-profit organisations should be redrafted.[84]

22.66 The Cyberspace Law and Policy Centre, for example, stated:

We suggest a preferable alternative that refers directly to the definition of sensitive information in the Act, and adds the caveat that the activities must be lawful, to avoid the exception covering organisations’ unlawful discrimination, race hate etc.[85]

22.67 Specifically, privacy advocates suggested that the exception should be redrafted to allow the collection of sensitive information ‘if the information is collected in the course of the lawful activities of a non-profit organisation that has aims relating to sensitive information (as defined in the Act)’ where the existing conditions specified in NPP 10.2(d) are met.[86]

22.68 In addition, Avant Mutual Group Ltd (Avant) submitted that the exception relating to legal and equitable claims is too narrow, because it implies that it applies only to civil proceedings. Avant submitted that the exception should be broadened to

take into consideration that legal advice of a general nature may be sought and legal services provided in anticipation of and/or for actual proceedings including a civil claim before a Court and responding to a professional disciplinary complaint or action or investigation before a Tribunal or Statutory Authority.[87]

ALRC’s view

Consent exception

22.69 While there are likely to be situations where it would be appropriate for express consent to be obtained before collecting sensitive information, it would be impracticable and overly prescriptive to require express consent for each collection. This is so particularly in the context of collecting health information. The OPC’s Guidelines on Privacy in the Private Health Sector[88] note that there are situations where health service providers reasonably may rely on implied consent from individuals to handle health information in particular ways.[89] It should be emphasised that implied consent must still be voluntary, informed, and obtained from a person with capacity to consent.[90]

22.70 It is undesirable, therefore, to amend the consent exception to require express consent for the collection of sensitive information. Guidance from the OPC provides a more flexible mechanism for dealing with this issue. In Chapter 19, the ALRC recommends that the OPC should develop and publish guidance on consent which addresses express and implied consent as it applies in various contexts. The OPC’s guidance should address the practice of bundled consent as it applies to the collection of sensitive information.

Exception relating to non-profit organisations

22.71 The concerns about the drafting of the exception relating to non-profit organisations will best be addressed by the Office of Parliamentary Counsel. That Office will be responsible for drafting amendments to the Privacy Act, including the UPPs, if the ALRC’s recommendations are implemented by the Australian Government.

22.72 The definition of ‘non-profit organisation’ should be situated in Pt II of the Privacy Act, which deals with interpretation of terms, rather than in the ‘Collection’ principle.[91] It is logical to locate this definition with the other definitions in the Act. It also makes for simpler drafting of the exception relating to non-profit organisations within the ‘Collection’ principle.

Exception relating to legal and equitable claims

22.73 The ALRC is not convinced that there is a need to broaden the exception relating to the establishment, exercise or defence of legal and equitable claims. The ALRC did not receive sufficient feedback from stakeholders to enable it to assess properly the merits and consequences of broadening the exception. The ALRC does not recommend an amendment to this exception. It appears in its current form as an exception to the ‘Collection’ principle in the model UPPs.

22.74 It is important to note, however, that the ‘required or authorised by or under law’ exception[92] may permit the collection of sensitive information pursuant to orders made by courts and tribunals.[93] This is relevant because such orders will frequently be made in the course of proceedings in respect of which a person is establishing, exercising or defending a legal or equitable claim. The exception may provide additional scope for permitting the collection of sensitive information in such circumstances.

Exception relating to alternative dispute resolution

22.75 For reasons discussed in detail in Chapter 44, the ALRC also is of the view that the collection of sensitive information should be permitted where it is necessary for the purpose of a confidential alternative dispute resolution process.

[8] Non-profit organisation here means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade or trade union aims. See Privacy Act 1988 (Cth) sch 3, NPP 10.5.

[9] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Explanatory Memorandum, [19(a)].

[10] See European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 2.

[11] Personal Information Protection Act 2004 (Tas) sch 1, IPP 10(1); Information Act 2002 (NT) sch, IPP 10.1; Information Privacy Act 2000 (Vic) sch 1, IPP 10.1.

[12] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[13] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 19–1.

[14] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. The Australian Direct Marketing Association (ADMA) ‘did not disagree’ with this approach: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[15] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[16] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[17] Ibid. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[18] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[19] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[20] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Federal Police, Submission PR 545, 24 December 2007.

[21] Australian Federal Police, Submission PR 545, 24 December 2007.

[22] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[23] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008.

[24] Medicare Australia, Submission PR 534, 21 December 2007.

[25] The ALRC’s view on collection of sensitive information required or authorised by or under law is discussed below.

[26] The ALRC’s view on regulating sensitive information separately to other forms of personal information in other aspects of the information cycle is discussed below.

[27] This approach has been taken by the ALRC also in UPP 5 dealing with use and disclosure.

[28] The phrases ‘required by or under law’ and ‘authorised by or under law’ are discussed in detail in Ch 16.

[29] Arguments supporting the inclusion of a requirement that an act or practice be ‘specifically authorised’ are set out in Ch 16.

[30] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007. The Department noted that such an amendment would render the provision currently in NPP 10.2 redundant.

[31] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 19–2.

[32] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[33] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[34] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[35] Australian Federal Police, Submission PR 545, 24 December 2007; Confidential, Submission PR 536, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Victoria Police, Submission PR 523, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Confidential, Submission PR 448, 11 December 2007.

[36] Queensland Government, Submission PR 490, 19 December 2007.

[37] Australian Communications and Media Authority, Submission PR 522, 21 December 2007. Victoria Police recommended that law enforcement functions be included in the exception: Victoria Police, Submission PR 523, 21 December 2007.

[38] Australian Federal Police, Submission PR 545, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Victoria Police, Submission PR 523, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Confidential, Submission PR 448, 11 December 2007.

[39] Medicare Australia, Submission PR 534, 21 December 2007.

[40] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[41] Such complications are discussed in Ch 18.

[42] Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 (Cth).

[43] Privacy Act 1988 (Cth) sch 3, NPP 10.1(c).

[44] Ibid s 14, IPP 11; sch 3, NPP 2(e). The use and disclosure exception in NPP 2 applies also where there is a serious and imminent threat to the safety of an individual.

[45] Use and disclosure of personal information in emergency situations is discussed in Ch 25.

[46] Federal Data Protection Act 1990 (Germany) s 13.

[47] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 19–3.

[48] Confidential, Submission PR 570, 13 February 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Tasmanian Government Department of Health and Human Services, Submission PR 436, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[49] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[50] Government of South Australia, Submission PR 565, 29 January 2008.

[51] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[52] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[53] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[54] Confidential, Submission PR 570, 13 February 2008; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[55] Confidential, Submission PR 570, 13 February 2008.

[56] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[57] See, in particular, Rec 25–3 and accompanying text.

[58] This view is discussed further in Ch 25.

[59] See Rec 22–2.

[60] See, eg, Public Health Act 1991 (NSW) s 14; Health (Infectious Diseases) Regulations 2001 (Vic) reg 6.

[61] Community Services Ministers’ Advisory Council, Submission PR 47, 28 July 2006.

[62] Ibid.

[63] Ibid.

[64] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 19–1.

[65] Government of South Australia, Submission PR 565, 29 January 2008; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. One stakeholder was not opposed to inclusion of such an exception, provided the Privacy Act defined ‘essential service’ and the OPC issued binding rules relating to capacity to consent: Privacy NSW, Submission PR 468, 14 December 2007. Another stakeholder expressed the view that the exception should apply also to private health insurance and not just an ‘essential service’: Confidential, Submission PR 519, 21 December 2007.

[66] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[67] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[68] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[69] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The Office of the Victorian Privacy Commissioner expressed the view that if the provision is ‘intended to apply to situations that deal only with “health information”, perhaps it is better dealt with in that context’: Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. Another stakeholder stated that it would be necessary or desirable to provide guidance about the types of essential services contemplated by the provision: Confidential, Submission PR 570, 13 February 2008.

[70] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The Office of the Victorian Privacy Commissioner expressed the view that ‘great care needs to be taken to prevent “reasonable in all the circumstances” being broadly interpreted’: Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[71] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[72] Ibid. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. Another stakeholder expressed a similar view that it could lead agencies and organisations to ‘avoid extra hurdles in their work’: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[73] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[74] Ibid.

[75] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[76] Ibid.

[77] See also Personal Information Protection Act 2004 (Tas) sch 1, PIPP 2(c).

[78] Information Privacy Act 2000 (Vic) sch 1, IPP 10.2; Information Act 2002 (NT) sch, IPP 10.2.

[79] The ‘Collection’ principle, UPP 2, is set out at the end of Ch 21.

[80] Consent is discussed in Ch 19.

[81] ‘Non-profit organisation’ is defined in NPP 10.5; the definition is set out above.

[82] Data Protection Act 1998 (UK) sch 3, cl 6.

[83] Australian Privacy Foundation, Submission PR 553, 2 January 2008. Two other stakeholders emphasised that there needs to be informed consent prior to the collection of sensitive information: Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Smartnet, Submission PR 457, 11 December 2007.

[84] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[85] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[86] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[87] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[88] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001).

[89] This is discussed further in Ch 19.

[90] The elements of consent are discussed in Ch 19.

[91] The definition of ‘non-profit organisation’ currently appears in NPP 10.5.

[92] Rec 22–2.

[93] As discussed in Ch 16, the ALRC is of the view that ‘law’ for the purposes of this exception includes the orders of courts and tribunals. See Rec 16–1.