16.08.2010
Background
22.76 As noted above, the IPPs do not impose special restrictions on the collection of sensitive information; nor do they distinguish between the treatment of sensitive information and non-sensitive personal information at other stages of the information cycle such as use, disclosure, access and disposal. Guidelines issued by the OPC acknowledge expressly that where sensitive information is concerned, ‘more care to protect individuals’ privacy may be appropriate than is required by the letter of the IPPs’.[94]
22.77 In addition to imposing restrictions on the collection of sensitive information, the NPPs also provide some further limited protections in relation to the use and disclosure of sensitive information. As discussed in Chapter 25, NPP 2, which permits use and disclosure of personal information, sets a more stringent requirement in respect of the use and disclosure of sensitive information under one of its limbs. Where personal information is to be used or disclosed for a purpose other than the primary purpose of collection, that other purpose is to be related to the primary purpose of collection. In the case of the use or disclosure of sensitive information, however, that other purpose must be directly related to the primary purpose of collection.[95]
22.78 NPP 2 also prohibits the use of sensitive information for the secondary purpose of direct marketing.[96] The NPPs, however, do not impose separate requirements for the handling of sensitive information in all aspects of the information cycle.
22.79 The Privacy Act also provides, outside the context of the privacy principles, that ‘related bodies corporate’ cannot share sensitive information in the same way that they may share other personal information.[97]
22.80 Some jurisdictions, like New Zealand, do not distinguish between the treatment of sensitive and non-sensitive personal information.[98] Equally, however, others like the United Kingdom and Germany, have separate provisions for regulating the handling of sensitive and non-sensitive personal information.[99] New South Wales privacy law also distinguishes between the disclosure of sensitive and non-sensitive personal information.[100]
Submissions and consultations
22.81 The ALRC asked in IP 31:
Should federal privacy principles establish a separate regime for the public and private sectors regulating sensitive information in all aspects of the information cycle, including collection, use, disclosure, storage, access, retention and disposal? If so, what should that regime include?[101]
22.82 A number of stakeholders supported the articulation of rules relating to sensitive information with reference to all aspects of the information cycle.[102] On the other hand, a large number of stakeholders submitted that it would be preferable simply to maintain the status quo.[103] For example, it was submitted that instituting a separate regime for handling sensitive information ‘would unnecessarily complicate’ this area.[104]
22.83 In DP 72, the ALRC expressed the preliminary view that, if its other proposals were adopted, it would be unnecessary to make any further provisions in the UPPs or elsewhere in the Privacy Act to deal with sensitive information.[105]
22.84 A small number of stakeholders submitted that additional protections should apply to sensitive information at each stage of the information cycle, and not merely at the collection stage.[106] PIAC expressed the view that the consequences of misuse of sensitive information at other stages of the information cycle could be of equal or greater seriousness as at the collection stage.[107]
22.85 Privacy NSW submitted that protection for sensitive information should be addressed in each of the privacy principles. In particular, it expressed the view that consent should be required for primary and secondary uses, disclosures, and cross-border flows of sensitive information. It stated that:
If an agency or organisation is required to afford sensitive information special protection at the point of collection, then there is surely an equal expectation that the subsequent dealings with that information will also be specially protected.[108]
ALRC’s view
22.86 The ALRC acknowledges that sensitive information may, in certain circumstances, warrant additional protection beyond the stage of its collection. This is due largely to the potential harmful consequences of its misuse.
22.87 In other chapters of this Report, the ALRC endorses some additional protections for sensitive information at other stages of the information cycle. Namely, the ALRC expresses the view that:
The limb of the ‘Use and Disclosure’ principle, which deals with use and disclosure of personal information for a purpose other than the primary purpose of collection, should continue to require a direct relation between the primary purpose of collection and the proposed purpose of use or disclosure where the information is sensitive.[109]
The ‘Direct Marketing’ principle should restrict the ability of an organisation to use sensitive information without consent for the purpose of direct marketing, where it proposes to market to non-existing customers or persons under the age of 15 years.[110]
In interpreting the obligation in the ‘Data Security’ principle for agencies and organisations to take reasonable steps to protect personal information from misuse and loss, whether a particular security measure is determined to be ‘reasonable’ will depend on many factors, including the sensitivity of the information.[111]
The OPC should develop and publish guidance about the ‘reasonable steps’ agencies and organisations should take to prevent misuse and loss of personal information, which addresses the factors to be taken into account in determining what are ‘reasonable steps’, including the sensitivity of the information.[112]
The OPC should develop and publish further guidance about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act.[113] This guidance should assist agencies and organisations in understanding consent as it applies to the use, disclosure and transfer overseas, of sensitive information.[114]
Health information, which is a particularly important type of sensitive information, should be regulated separately by the new Privacy (Health Information) Regulations, rather than being dealt with under the UPPs. These Regulations will specify rules tailored to this particular type of sensitive information.[115]
22.88 In light of the above, it is unnecessary to include any further provisions in the model UPPs to deal with sensitive information.
[94] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 1.
[95]Privacy Act 1988 (Cth) sch 3, NPP2.1(a).
[96] Ibid sch 3, NPP 2.1(c).
[97] Ibid s 13B.
[98] See Privacy Act 1993 (NZ).
[99] See Data Protection Act 1998 (UK) sch 1 (Principle 1), sch 3; Federal Data Protection Act 1990 (Germany).
[100]Privacy and Personal Information Protection Act 1998 (NSW) ss 18, 19.
[101] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–32.
[102] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; AAMI, Submission PR 147, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[103] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AXA, Submission PR 119, 15 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007.
[104] Australian Federal Police, Submission PR 186, 9 February 2007. See also Law Council of Australia, Submission PR 177, 8 February 2007.
[105] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [19.24], [19.30]–[19.34].
[106] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Privacy NSW, Submission PR 468, 14 December 2007. See also Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[107] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[108] Privacy NSW, Submission PR 468, 14 December 2007.
[109] See Ch 25 and UPP 5.1(a).
[110] See Ch 26 and UPP 6.2(a).
[111] See Ch 28.
[112] See Ch 28 and Rec 28–3.
[113] See Ch 19 and Rec 19–1.
[114] See UPPs 5.1(b) and 11.(1)(b).
[115] See Pt H, especially Chs 60, 63.