Logging use and disclosure

25.169 In DP 72, the ALRC considered whether agencies or organisations should be required to record their use or disclosure of personal information when this occurs for a purpose other than the primary purpose of collection. In ALRC 22, the ALRC did not recommend that record-keepers be obliged to keep a log of all uses and disclosures of personal information because the administrative costs would be too high.[217] The ALRC suggested, however, that the Human Rights Commission (as it was then called) should encourage record-keepers to adopt the practice of logging disclosures, at least those disclosures that would represent a particularly objectionable interference with individual privacy.[218]

25.170 Under NPP 2, an organisation is required to make a written note of its use or disclosure of personal information only where it relates to a specified law enforcement purpose.[219] NPP 2 has been criticised on the basis that it does not require organisations to record their use and disclosure of personal information in times of emergencies ‘to ensure that a trace of the activities of privacy-abusers is retained’.[220]

25.171 Similarly, IPPs 10 and 11 require an agency to make a written note of its use and disclosure of information only where it is for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue. In 1995, the House of Representatives Standing Committee on Legal and Constitutional Affairs recommended that every agency should keep a record of authorised disclosures of confidential third party information for the purpose of checking the legitimacy of access to such information. It recommended that the record should include the names of individuals and organisations about whom information is disclosed, the names of the individuals and organisations to whom that disclosure is made, and the date of the disclosure.[221]

Submissions and consultations

25.172 In response to IP 31, some stakeholders supported a requirement for agencies and organisations to record their use and disclosure of personal information for a secondary purpose.[222] For example, the Australian Privacy Foundation submitted that some record should be kept to allow: reconstruction in the event of an inquiry or challenge; notification of third parties where information is later corrected; and notification of individuals following a security breach.[223]

25.173 A number of stakeholders suggested limitations to the operation of any such requirement. Some stated that it should apply only if there is no direct link between the primary and secondary purpose.[224] The Queensland Government submitted that a more general requirement may result in an ‘undue administrative burden’.[225] Other stakeholders submitted that there should be no recording requirement where the individual has consented to the use or disclosure,[226] or where he or she is already aware of the use or disclosure.[227]

25.174 The South Australian Government stated that:

Importance should be placed on the requirement of agencies and organisations to adhere to records management best practice. In the public sector, governments already have these requirements, supporting the principle that government should be open and accountable to all citizens …

If the exemption for small business is removed then recording use or disclosure could become burdensome. If the regulatory requirements were limited to a high, policy level which addresses systematic practices in which information is used, the regulatory burden would not be as heavy.[228]

25.175 The NHMRC stated that such recording represented good practice, but submitted that a ‘requirement will impose significant burdens and costs’. It advocated ‘an educative approach that highlights the various ways in which information transactions can be recorded and the benefits of doing so where practicable’.[229]

25.176 Some stakeholders were opposed to any such recording requirement. It was submitted that the existing requirements are ‘an unmanageable burden’ and that any extension would be ‘potentially onerous’,[230] and would increase the cost of compliance.[231] UNITED Medical Protection stated that such a requirement would place a particular burden on medical practices because considerable time and cost would be required to create the logging system and then to carry out the logging process. It submitted that a better way to protect privacy is through appropriate limitations on use and disclosure.[232]

25.177 The AFP stated that a recording requirement would not ‘enhance the current accountability framework applying to police use of personal information’ and may lead to duplication.[233]

25.178 In DP 72, the ALRC expressed the preliminary view that it is undesirable to require agencies and organisations to record their use or disclosure of personal information for a purpose other than the primary purpose of collection. The ALRC also expressed the view that the current recording requirements that apply in the law enforcement context should be retained.[234]

25.179 This approach was supported by some stakeholders.[235] The Insurance Council of Australia, for example, strongly opposed a mandatory logging requirement on the basis that ‘it would present a major logistical task for little practical benefit’.[236] Other stakeholders stated that the ‘Use and Disclosure’ principle should incorporate the existing requirements under the IPPs and NPPs relating to logging use and disclosure of personal information for law enforcement purposes.[237] The OPC also suggested that consideration be given to requiring agencies and organisations to keep a log of disclosures under the exception in the ‘Use and Disclosure’ principle in the model UPPs relating to investigating or reporting unlawful activity.[238]

25.180 The Cyberspace Law and Policy Centre, however, expressed opposition to the suggested approach. It submitted that the ‘Use and Disclosure’ principle should include a specific requirement to keep a log or record of all uses and disclosures pursuant to each of the exceptions set out in the principle.

If designed into systems, recording of exceptional uses and disclosures should be both easy and cheap, and would in our view have a wide range of collateral benefits. Good record-keeping is simply good business practice.[239]

ALRC’s view

25.181 It is important that agencies and organisations implement proper record-management systems. This is essential for a number of reasons, only one of which is to protect personal information. For example, proper record management is essential in the health care context to facilitate the provision of optimal health care to patients. Similarly, proper record management is critical in criminal investigations to ensure that the continuity of the chain of custody of evidence can be established.

25.182 While the promotion of best practice in record management is to be encouraged, privacy legislation should not mandate that agencies and organisations record each use and disclosure of personal information made for a purpose other than the primary purpose of collection. The sheer volume of use and disclosure of personal information by agencies and organisations on a daily basis would render such a requirement impractical, costly and onerous. This is particularly so for those agencies and organisations that handle large volumes of personal information. Such a requirement cannot be justified on a cost and benefit basis.

25.183 The potential benefits of such an approach include that it would: increase transparency in the handling of personal information by agencies and organisations; and assist individuals in tracing the use and disclosure of their personal information after collection. These benefits are, however, outweighed by the disproportionate compliance burden that would be imposed on agencies and organisations. Moreover, such benefits are likely to be delivered by other mechanisms in the Privacy Act, including requirements under the privacy principles relating to notification and openness.[240]

25.184 In addition, the ALRC has recommended that the Privacy Act should be amended to impose an obligation on agencies and organisations to notify the Privacy Commissioner and affected individuals about data breaches—essentially unauthorised acquisitions of personal information—which may give rise to a real risk of serious harm to individuals.[241] A data breach notification requirement is substantially more likely to deliver increased privacy protection to individuals than a general requirement to log every use and disclosure of personal information for a secondary purpose.

25.185 While imposing a general legislative requirement to log use and disclosure is, on balance, untenable, there is considerable merit in imposing such a requirement in the special context of law enforcement. The existing requirements for agencies and organisations to log uses and disclosures that fall within the relevant law enforcement exception, therefore, should be retained.

Logging reports of unlawful activity

25.186 The ALRC notes that one stakeholder suggested that agencies and organisations should be required to record disclosure of personal information made under the requirement in the ‘Use and Disclosure’ principle to report suspected unlawful activity to the authorities.

25.187 To the extent that an agency or organisation reports unlawful activity to an enforcement body, it is very likely that such disclosure falls within the parameters of the exceptions relating both to unlawful activity and law enforcement in the ‘Use and Disclosure’ principle. This is because, in many instances, an agency or organisation would reasonably believe that reporting the information is necessary to allow the enforcement body to investigate the matter. Not all use and disclosure under the unlawful activity exception, however, would overlap with the law enforcement exception. For example, internal use of personal information by an organisation for the purpose of investigating unlawful activity or the reporting of unlawful activity to a relevant person or authority that does not fall within the legislative definition of ‘enforcement body’ would be outside the scope of the law enforcement exception.

25.188 On balance, given the area of overlap between the exceptions relating to unlawful activity and law enforcement, it seems unnecessary for the Privacy Act to require the logging of all use and disclosure under the unlawful activity exception. Such an approach also would increase compliance costs. Moreover, if logging of use and disclosure under the unlawful activity exception were to be mandated, it would create an expectation that logging should be required where personal information is used or disclosed under other, arguably quasi-related, exceptions, such as where use or disclosure is required or authorised by or under law. This would impose potentially disproportionate compliance burdens on agencies and organisations.

[217] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [22.114]–[22.117].

[218] Australian Law Reform Commission, Privacy, ALRC 22 (1983), Vol 2, 197.

[219] See Privacy Act 1988 (Cth) sch 3, NPP 2.2.

[220] R Clarke, ‘Serious Flaws in the National Privacy Principles’ (1998) 4 Privacy Law & Policy Reporter 176, 177.

[221] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry into the Protection of Confidential Personal and Commercial Information Held by the Commonwealth (1995), rec 6.

[222] Australian Privacy Foundation, Submission PR 167, 2 February 2007; I Turnbull, Submission PR 82, 12 January 2007. One stakeholder stated that the obligation should apply to primary and secondary use or disclosure: Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[223] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[224] Queensland Government, Submission PR 242, 15 March 2007; Australian Taxation Office, Submission PR 168, 15 February 2007; AAMI, Submission PR 147, 29 January 2007.

[225] Queensland Government, Submission PR 242, 15 March 2007.

[226] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; AXA, Submission PR 119, 15 January 2007.

[227] AXA, Submission PR 119, 15 January 2007. The OPC submitted that any recording requirement should not impact adversely on the privacy of third parties: Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[228] Government of South Australia, Submission PR 187, 12 February 2007.

[229] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[230] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007. See also Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Law Council of Australia, Submission PR 177, 8 February 2007.

[231] National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[232] UNITED Medical Protection, Submission PR 118, 15 January 2007.

[233] Australian Federal Police, Submission PR 186, 9 February 2007. See also Law Council of Australia, Submission PR 177, 8 February 2007.

[234] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [22.114]–[22.117].

[235] Insurance Council of Australia, Submission PR 485, 18 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[236] Insurance Council of Australia, Submission PR 485, 18 December 2007.

[237] Confidential, Submission PR 570, 13 February 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[238] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[239] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[240] See Chs 23 and 24 respectively.

[241] See Ch 51, Rec 51–1.