Additional exceptions?

Missing persons

25.127 Concern has been expressed that the IPPs and NPPs do not cover adequately the disclosure of personal information to law enforcement authorities, and the use of the information by them, when undertaking functions that do not or may not involve a criminal offence or breach of the law but are nevertheless in the public interest.[169] The typical example of this is missing person investigations by the police and others. In contrast, Tasmanian privacy legislation expressly allows the use and disclosure of personal information where the secondary purpose is the investigation of missing persons by a law enforcement agency.[170]

25.128 The OPC review of the private sector provisions of the Privacy Act (OPC Review) noted that stakeholders did not generally call for a change to the NPPs in the law enforcement context. It stated that ‘generally, it appears the construction of the law is considered to be reasonable, but problems seem to arise in its application’.[171] The OPC stated that it would work with the law enforcement community, private sector bodies and community representatives to develop practical guidance to assist private sector organisations in understanding their obligations under the Privacy Act.[172]

25.129 In its submission to the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry), the AFP noted that, while education may have a role to play in raising awareness, it was unlikely to offer a complete solution. It submitted that a possible solution might be to give it the power to issue a notice to produce.[173] The Senate Committee privacy inquiry supported the OPC’s recommendation to develop practical guidance in this area, but considered that the Australian Government also should consider additional mechanisms to resolve the issue.[174]

Submissions and consultations

25.130 In IP 31, the ALRC asked whether agencies and organisations should be permitted expressly to disclose personal information to assist in the investigation of missing persons.[175] In response to IP 31, a number of stakeholders supported such an amendment.[176] CrimTrac, for example, submitted that it is sometimes necessary for police to share information such as criminal records to assist in searching for missing persons.[177]

25.131 The AFP noted the difficulties that police have in accessing information about missing persons. It stated that:

Police action to locate missing persons may not involve the enforcement of a criminal law, may not always be necessary to prevent or lessen serious and imminent threat to life or health, the person is unlikely to have consented to the information being disclosed for this purpose nor would it be reasonably likely that [he or she would be] aware the information would be disclosed to police … This situation arguably means that the Privacy Act currently denies a missing person the knowledge or right to know that their relatives and friends are looking for them. The Privacy Act should authorise police and relevant non government organisations to access personal information that constitutes evidence of life so that police or these other agencies can locate the missing person, secure their safety if necessary and give them the option of re-uniting with their family and friends.[178]

25.132 Major Kathy Smith of the Salvation Army Family Tracing Service (South Australia) submitted that the Privacy Act should be amended to allow the Service to be ‘given information or confirmation of the whereabouts of the person [it is] looking for’, given its role in reuniting family members who have become separated.[179]

25.133 The Office of the Information Commissioner (Northern Territory), however, expressed concern about amending the privacy principles to authorise unconditionally disclosures to organisations to assist them in missing person investigations. The Office noted that it had issued two Grants of Authorisation for Northern Territory agencies to assist a private sector organisation to search for missing persons.[180]

25.134 The Institute of Mercantile Agents suggested a more extensive amendment to permit all private and public sector entities that deal with missing persons to ‘have regulated and audited access to locator information’. In particular, it stated that its members should have access to such information because ‘the costs of missing persons not meeting their obligations’ amounts to at least four billion dollars annually.[181]

25.135 Other stakeholders opposed any change to the privacy principles in respect of missing persons, noting that sometimes a missing person has committed no offence and does not wish to be located.[182] The OPC submitted that:

The current exceptions in NPP 2 and IPPs 10 and 11 of the Privacy Act are adequate, achieve the right balance and are appropriate for the circumstances of a missing person. The Office acknowledges that there may be circumstances where an individual may choose not to remain in contact with the people they know and believes that allowing the disclosure of personal information generally for the use in locating missing persons would adversely impact upon the privacy rights of those individuals. Further, the Office notes that the Commissioner’s power to make Public Interest Determinations (PIDs) provide a mechanism to deal with possible circumstances in which the provisions are not adequate.[183]

25.136 The ATO stated:

We would have some reservations … about disclosing information in the case of a missing person. In some situations, such as family breakdown or domestic violence, there may be a report of a missing person, but it is difficult to determine whether the person is in fact ‘missing’ or has chosen to move away for another reason.[184]

25.137 In DP 72, the ALRC expressed the preliminary view that the privacy principles do not need to be amended to allow expressly agencies and organisations to use or disclose personal information to assist in the investigation of missing persons.[185] Privacy advocates expressed support for this view.[186] The OPC also supported this approach. It submitted that the area of missing persons investigations ‘may not be one which can be completely resolved through amendments within the parameters of the Privacy Act itself’.[187]

25.138 The AFP, however, submitted in response to the ALRC’s proposal to remove the requirement that a threat to an individual’s life, health or safety be imminent,[188] that this did not address adequately missing persons investigations. It provided the following example to illustrate a situation that it submitted would justify the creation of an exception relating to missing persons:

A young man goes missing due to psychological health issues and becomes disconnected from his significant relationships. He is unaware that his family have lodged a missing persons report. The longer he is away from his support network the harder it is to make contact, particularly without knowing that a missing persons report has been made …

If personal information is disclosed and the person is located by police, they then have the right to choose whether they have contact with their family or not. At the very least the Police may be able to assist the young man in re-establishing his contacts that may have a flow on effect in benefiting his mental health and general wellbeing.[189]

ALRC’s view

25.139 Authorising the disclosure of personal information to assist in missing persons investigations raises complex issues and competing policy considerations. Those involved in seeking to locate missing persons may be assisted by an express exception in the Privacy Act, authorising disclosure. In some cases, an express authorisation may assist in locating missing persons, and in delivering positive results where the missing persons want to be located.

25.140 On the other hand, the creation of an express exception may result in adverse consequences in cases where missing persons do not wish to be located. As a number of stakeholders pointed out, sometimes missing persons have not committed an offence and may be seeking to hide—not from the authorities but from others. For example, individuals for personal reasons may choose to disassociate themselves from family and friends, or may seek to conceal their whereabouts in order to protect their safety. Examples of the latter are where an individual has fled from a violent relationship, or has witnessed a violent crime and fears retaliation. To create a general exception in respect of all missing person investigations risks interfering with the privacy of certain missing individuals and, possibly, endangering their lives.

25.141 On balance, therefore, it is undesirable for a new exception to the ‘Use and Disclosure’ principle to be created to allow expressly for disclosure of personal information to assist in missing persons investigations. Where an agency or organisation has a legitimate reason to search for a missing person, it may be able to avail itself of one of the other exceptions to the general prohibition in the ‘Use and Disclosure’ principle, or it may seek a public interest determination.[190]

25.142 Some of the ALRC’s recommendations concerning other exceptions in the ‘Use and Disclosure’ principle, if implemented, would assist in broadening the scope of situations in which disclosure of personal information in missing persons investigations would be authorised. In particular, the ALRC’s recommendation that agencies and organisations should be authorised to use or disclose personal information where there is a serious threat to an individual’s life, health or safety would allow the disclosure of personal information in some missing persons investigations.[191] The fact that agencies and organisations would no longer need to establish that the threat to a missing individual is imminent will increase the likelihood of the applicability of the exception.

25.143 Depending on the circumstances of a matter, the law enforcement exception in the ‘Use and Disclosure’ principle also may serve to authorise the disclosure of personal information in a missing person investigation.

Disclosure of ‘incidents’ by insured professionals to insurers

25.144 Insured professionals may need to disclose ‘incidents’ to their insurers, such as those that may result in an action for damages for negligence. For example, a doctor may need to disclose the existence of an incident to his or her insurer so that the insurer can assess the legal risk and make financial provision for a possible future claim. The incident may or may not mature into a legal claim. While disclosure of the doctor’s personal information to the insurer occurs with consent, the legality of the disclosure of the patient’s personal information is likely to be less clear, needing to be justified pursuant to another exception to the use and disclosure principle.

25.145 NPP 2.1(a) could be relied upon in the above circumstances. If the disclosure involves health information, which is sensitive information, the purpose of providing advice in relation to indemnity will have to be ‘directly related’ to the primary purpose of collection of the patient’s information—generally being the care and treatment of the patient. In addition, NPP 2.1(a) requires that the individual would reasonably expect the doctor to disclose his or her personal information to the doctor’s insurer following an incident.[192] Many patients may not have considered this.

25.146 The OPC has issued guidelines on the application of the privacy principles to the private health sector. These guidelines make it clear, therefore, that disclosures of incidents to insurers:

  • are covered in the ‘directly related’ limb of the exception in specified circumstances, and

  • may fall within the reasonable expectations of an individual.[193]

25.147 In addition, disclosure of incidents to insurers may fall within the ‘required or authorised by or under law’ exception. For example, under s 21 of the Insurance Contracts Act 1984 (Cth), an insured has a duty to disclose to the insurer, before the contract of insurance is entered into, every matter known to the insured that:

  • the insured knows to be a matter relevant to the decision of the insurer whether to accept the risk and, if so, on what terms; or

  • a reasonable person in the circumstances could be expected to know to be a relevant matter.

Submissions and consultations

25.148 In IP 31, the ALRC asked whether the exceptions in NPP 2 are adequate to cover: (a) disclosures by a professional of a client’s personal information pursuant to an indemnity insurance contract where the provision of professional services has led to an adverse outcome; and (b) on-disclosures by insurers to members of their ‘cases committees’, often comprising experts in the relevant profession, who advise insurers about making provision for possible future claims.[194]

25.149 In response to IP 31, UNITED Medical Protection submitted that disclosure of incidents to insurers would either fall within the ambit of NPP 2.1(a) (related or directly related purpose and within reasonable expectations of individual) or NPP 2.1(g) (required or authorised by or under law). Nonetheless, UNITED Medical Protection submitted that, in the interests of clarity, an exception to the ‘Use and Disclosure’ principle should be created to allow professionals to make disclosures to their professional indemnity insurers, or the matter should be dealt with by way of public interest determination.[195] Similarly, the Australian Bankers’ Association suggested that the best solution would be to create an express exception to the general prohibition against use and disclosure for a secondary purpose ‘to allow for disclosure of incidents to insurers’.[196]

25.150 In DP 72, the ALRC expressed the preliminary view that it is unnecessary to amend the ‘Use and Disclosure’ principle to provide for an express exception authorising the disclosure of incidents by insured professionals.[197] The OPC and the Cyberspace Law and Policy Centre supported expressly the view that such an exception is unnecessary.[198]

ALRC’s view

25.151 It is unnecessary to create a new exception to the ‘Use and Disclosure’ principle to allow for the notification of incidents by professionals to insurers. Disclosures of this nature may be authorised by existing exceptions to the ‘Use and Disclosure’ principle, namely:

  • if the individual affected has consented to the disclosure;

  • if the disclosure is required or authorised by or under law; or

  • in circumstances where: there is a relation, or, in the case of sensitive information, a direct relation between the disclosure and the primary purpose of collection; and the disclosure is within the reasonable expectations of the individual.[199]

25.152 Relevant professional bodies should educate their clients about the need for professionals to disclose incidents to insurers. Raising awareness in this area will increase the likelihood that such disclosures will fall within the reasonable expectations of individuals. Education will play a key part in obviating any perceived need for a discrete exception in this regard.

Due diligence

25.153 A prospective purchaser of a business undertakes a process of due diligence to assess the value of the business’s assets and liabilities. This process may involve the collection and disclosure of personal information about employees, customers, trading partners and business associates. An issue raised in the OPC Review was whether the practice of due diligence on the sale and purchase of a business raises any particular privacy concerns.[200] The issue of due diligence in the context of mergers and acquisitions has also been raised in this Inquiry.[201]

25.154 In 2002, the OPC issued an information sheet concerning the application of key NPPs to due diligence when buying and selling a business.[202] The information sheet provides expressly that:

Personal information may be disclosed by a vendor of a business … to prospective purchasers of that business … for the purpose of due diligence investigations. Such disclosure will occur before the sale has been completed.[203]

25.155 In the OPC Review, the OPC reported that it had not received a complaint about a breach of privacy during a due diligence exercise. It stated that it is not practical to require an organisation in the process of due diligence to gain the consent of everyone whose personal information is transferred and it recommended that the Australian Government should consider amending the NPPs to take into account the practice of due diligence.[204] New Zealand law, for instance, allows disclosure of information where ‘it is necessary to facilitate the sale or other disposition of a business as a going concern’.[205]

25.156 In IP 31, the ALRC solicited views as to whether the privacy principles needed to be amended to allow for the disclosure of personal information during the course of due diligence. The ALRC also asked whether there is a need to amend Information Sheet 16 in this regard.[206] Only the Queensland Council for Civil Liberties made a submission on this issue. It stated:

We are not sure whether on a flexible and pragmatic approach to the privacy principles that due diligence actually raises serious privacy issues. However, if it is a serious concern, then a relevant amendment should be made.[207]

25.157 In DP 72, the ALRC expressed the preliminary view that there is no need to create a new exception to the ‘Use and Disclosure’ principle dealing with the use and disclosure of personal information in the course of due diligence.[208] The OPC and privacy advocates expressly supported the ALRC’s view.[209]

ALRC’s view

25.158 No need has been demonstrated to create a new exception to the ‘Use and Disclosure’ principle dealing with the use and disclosure of personal information in the course of due diligence. The fact that very few stakeholders identified a problem suggests that the use and disclosure principles are being applied in a flexible and pragmatic manner in this area. Moreover, the OPC’s guidance on this issue takes a purposive approach, acknowledging expressly that disclosure for the purpose of due diligence is authorised.

Legal advice and proceedings

25.159 Neither the IPPs nor the NPPs provide expressly for the use and disclosure of personal information for the purpose of obtaining legal advice or for use in legal proceedings. There is precedent, however, for such an approach in the privacy legislation of other jurisdictions.[210]

25.160 IP 31 and DP 72 did not address the issue of whether there needed to be an express exception to the privacy principles relating to legal advice and legal proceedings. Following the release of DP 72, however, Avant Mutual Group Ltd stated that:

Proposed UPP 5 does not provide an exemption from the non-disclosure provisions for providing legal advice and for legal services in anticipation of and/or for actual legal proceedings whether before a court, tribunal or statutory authority …

Proposed UPP 2.6(e) allows collection where it ‘is necessary for the establishment, exercise or defence of a legal or equitable claim’. Furthermore proposed UPP 9(d) allows objection to be taken to access when the documents were created for anticipated or actual legal proceedings between the organisation and the individual and the information would not be accessible by the process of discovery in the proceedings.

Avant submits that consistency requires that if an organisation is rightly able to collect information for the establishment, exercise or defence of a legal or equitable claim there should be a corresponding ability to disclose or use information to legal advisers and third parties such as independent experts for the same purpose. However … the term ‘establishment, exercise or defence of a legal or equitable claim’ is too narrow and use and disclosure should be permissible in order to obtain legal advice and for legal services provided in anticipation of and/or for actual proceedings before a Court, Tribunal or Statutory Authority.[211]

ALRC’s view

25.161 It appears to be unnecessary to amend the ‘Use and Disclosure’ principle to provide an express exception relating to use and disclosure of personal information for the purposes of obtaining legal advice or for use in legal proceedings. This view is based on two main reasons. First, depending on the circumstances, other exceptions in the ‘Use and Disclosure’ principle, which are addressed below, can be relied upon to authorise such use or disclosure. Secondly, the OPC has taken a purposive and pragmatic approach in its interpretation of the privacy principles in this area. If the OPC were to change its purposive approach, consideration could then be given to creating an express exception.

25.162 Use or disclosure for the purpose of legal advice or legal proceedings could be authorised where there is a requisite connection with the primary purpose of collection, and within the reasonable expectations of the individual.[212] The OPC’s guidelines in the health area, for example, recognise expressly that disclosure of health information to a lawyer solely for the purpose of addressing liability indemnity arrangements, or for the defence of anticipated or existing legal proceedings, could be directly related secondary purposes.[213]

25.163 The law enforcement exception also expressly authorises use and disclosure of personal information where it is believed to be reasonably necessary by or on behalf of an enforcement body in preparation for, or conduct of, court or tribunal proceedings.[214]

25.164 Lastly, the ‘required or authorised by or under law’ exception could authorise disclosure of personal information for use in legal proceedings. The ALRC has recommended that the Privacy Act should be amended to provide that ‘law’ for the purposes of determining when an act or practice is required or authorised by or under law includes an order of a court or tribunal.[215] This exception, for example, authorises the disclosure of personal information in legal proceedings pursuant to an order for pre-trial discovery, or a subpoena to produce documents or give evidence.

25.165 In C v Commonwealth Agency the Privacy Commissioner formed the view that the disclosure of the complainant’s personal information to the legal counsel of the relevant agency was ‘authorised by law, as it was subject to legal professional privilege’.[216] The Privacy Commissioner, therefore, held that the exception in NPP 2.1(g)—disclosure authorised by or under law—applied. While the ALRC queries the conclusion that the doctrine of legal professional privilege is capable of authorising a disclosure, the outcome is significant in that it demonstrates the OPC’s pragmatic approach in this area.

25.166 The doctrine of legal professional privilege—or client legal privilege, as it is described in the Evidence Act 1995 (Cth)—in summary, protects from disclosure confidential communications between a lawyer and his or her client made for the dominant purpose of seeking legal advice or for preparing for actual or contemplated litigation. The doctrine of privilege, therefore, has the effect of limiting the interference with the privacy of an individual whose personal information is the subject of protected confidential communications.

25.167 In drafting the model UPPs, the ALRC has assumed that an agency or organisation is entitled to disclose personal information to a legal adviser for the dominant purpose of obtaining legal advice. For example, the ‘Collection’ principle, UPP 2.4 provides that:

If an agency or organisation receives unsolicited personal information about an individual from someone else, it must either:

(a) if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or

(b) comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had actively collected the information.

25.168 As discussed in Chapter 21, an agency or organisation may need to use or disclose personal information in order to receive advice about whether to retain or destroy it.

[169] See Department of Foreign Affairs and Trade, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 8 March 2005.

[170] Personal Information Protection Act 2004 (Tas) sch 1, PIPP 2(1)(g)(vi).

[171] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 223.

[172] Ibid, rec 65.

[173] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [5.119], [5.121].

[174] Ibid, [7.52].

[175] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–7(a).

[176] CrimTrac, Submission PR 158, 31 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[177] CrimTrac, Submission PR 158, 31 January 2007.

[178] Australian Federal Police, Submission PR 186, 9 February 2007.

[179] K Smith, Submission PR 246, 8 March 2007. See also Salvation Army, Submission PR 15, 2 June 2006.

[180] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007. The decisions granting those authorisations are available at http://www/nt.gov.au/justice/infocomm/publications/decisions.shtml (Grants of Authorisation 1 and 2 of 2005).

[181] Institute of Mercantile Agents, Submission PR 101, 15 January 2007.

[182] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Taxation Office, Submission PR 168, 15 February 2007.

[183] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. Public interest determinations are discussed in Ch 47.

[184] Australian Taxation Office, Submission PR 168, 15 February 2007.

[185] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [22.76]–[22.79].

[186] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[187] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[188] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 22–3, which is discussed above.

[189] Australian Federal Police, Submission PR 545, 24 December 2007.

[190] Public interest determinations are discussed in Ch 47.

[191] See Rec 25–3.

[192] The exception in NPP 2.1(a) is reproduced in the ‘Use and Disclosure’ principle, at UPP 5.1(a).

[193] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001).

[194] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [4.84].

[195] UNITED Medical Protection, Submission PR 118, 15 January 2007.

[196] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007. See also National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[197] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [22.87]–[22.91].

[198] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[199] See UPP 5.1(a).

[200] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), [6.11].

[201] G Hill, Consultation PC 21, Melbourne, 8 May 2006.

[202] Office of the Federal Privacy Commissioner, Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, Information Sheet 16 (2002).

[203] Ibid, 1.

[204] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 191 and rec 57.

[205] Privacy Act 1993 (NZ) s 6, Principle 11.

[206] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [4.106]–[4.107].

[207] Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[208] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [22.99]–[22.100].

[209] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[210] See, eg, Data Protection Act 1998 (UK) s 35(2); Privacy Act 1993 (NZ) s 6, Principle 10(c)(iv); Principle 11(e)(iv). The relevant provision in the UK legislation is set out in Ch 44. See Ch 44 also for a general discussion on obtaining personal information from third parties for the purpose of pursuing or defending legal claims.

[211] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[212] See UPP 5.1(a).

[213] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), 14–15.

[214] See UPP 5.1(f)(v).

[215] See Rec 16–1.

[216] C v Commonwealth Agency [2005] PrivCmrA 3.