Information destruction and retention requirements

Background

28.53 Sometimes privacy law requires an agency or organisation that has collected personal information to destroy, delete or de-identify that information after a set period of time or in certain circumstances. This requirement may arise where, for example, an organisation has collected personal information for the specific purpose of identifying an individual. When the identification process has been completed, the organisation may no longer have a lawful reason to hold the personal information. Accordingly, destruction or de-identification of the information may be the most effective means of ensuring that the individual’s information is not subsequently misused or disclosed without authorisation.

28.54 The NPPs require an organisation to

take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under [the ‘Use and Disclosure’ principle].[73]

28.55 No equivalent obligation applies to agencies under the IPPs.[74] A number of other jurisdictions, however, impose such a requirement on government agencies. For example, Canadian government institutions must dispose of personal information in their control in accordance with regulations under the Privacy Act 1985 (Canada) and rules promulgated by the responsible minister.[75] German privacy law also requires public bodies to erase personal data in certain circumstances.[76] Similarly, some state and territory laws require government bodies to destroy or permanently de-identify personal information when it is no longer needed.[77]

28.56 Conversely, privacy and other laws may require an agency or organisation to retain personal information for a minimum period of time. The requirement to retain personal information arises frequently in the context of health care and research. For example, the ‘data security and data retention’ principle in Victorian health privacy law limits the circumstances in which a health service provider can delete information, and sets out certain procedures to be followed where deletion is allowed.[78]

28.57 Requirements to retain personal information also arise under public sector archives legislation.[79] The Archives Act 1983 (Cth) prohibits the destruction of Commonwealth records without the permission of the National Archives of Australia (National Archives), subject to certain exceptions. These exceptions include where destruction is ‘required by any law’ or is in accordance with a ‘normal administrative practice’.[80]

28.58 The Management Advisory Committee[81] has issued the report, Note for File: A Report on Record-Keeping in the Australian Public Service, which sets out the Australian Government’s record-keeping obligations. This document provides that only a small proportion of Commonwealth records need to be retained by the National Archives, including ‘significant policy documents, and records of significant decisions’.[82] Documents outside this class may be disposed of once there is no longer a business need for their retention. For example:

  • conversational, personal or other unimportant emails which record no significant information, action or decision

  • most draft documents and working papers which do not record a significant change of policy/direction

  • informal notes/notepads/diaries, where any significant information has been properly transferred to the agency’s corporate recordkeeping systems

  • superfluous copies of any Commonwealth record.[83]

Options for reform

28.59 The ALRC has considered two reforms directed towards clarifying what is required of a regulated entity in order to fulfil its data destruction requirements:

  • changing the terminology used in the data destruction principle; and

  • imposing more specific requirements for how personal information should be ‘destroyed’.

28.60 The ALRC also has considered possible changes to the scope of data destruction requirements, including:

  • applying the data destruction principle to agencies;

  • modifying the permitted reasons for retaining personal information; and

  • providing individuals with the right to request the destruction of personal information.

Terminology for data destruction

28.61 As noted above, currently the NPPs require organisations to ‘destroy or permanently de-identify’ personal information where it is no longer needed. Stakeholders have suggested that the term ‘de-identification’ is not sufficiently clear in the context of the Privacy Act.[84] The ALRC has examined the appropriate terminology for any data destruction requirement, including the approach that should be taken to information that falls outside the definition of ‘personal information’ for the purposes of the Privacy Act. This issue is discussed in Chapter 6.

28.62 In DP 72, the ALRC suggested that the term ‘permanently de-identify’—both in the context of the ‘Data Security’ principle and more broadly in the Privacy Act—should be replaced with the alternative term ‘render non-identifiable’.[85] A few stakeholders supported this change in terminology in the context of the data destruction requirement.[86] Two stakeholders submitted, however, that the terms ‘destroy’ and ‘render non-identifiable’ should be defined in the Privacy Act.[87]

ALRC’s view

28.63 The term ‘render non-identifiable’ should be used in the ‘Data Security’ principle, rather than the term ‘permanently de-identify’. This makes it clear that compliance with a data destruction requirement includes taking steps to prevent future re-identification of data.

28.64 Consider the following hypothetical example. An organisation holds property-related documents containing personal information about one of its customers, X. When X ceases to be a customer, the organisation, in the absence of any other legal requirement, no longer has a lawful purpose for holding these documents, and therefore is subject to a data destruction requirement. If the organisation merely blacks out X’s name wherever it appears, arguably the documents have been permanently de-identified. This will not necessarily preclude the documents from later being re-identified, however, if a person is able to match the information in these documents with other publicly available information, such as government land title information. On the other hand, an obligation to render the information non-identifiable would require the organisation to take additional steps to ensure that the information in the documents cannot be matched easily with other available data to allow the documents to be re-identified.

28.65 In Chapter 6, the ALRC concludes that it is unnecessary to include definitions of ‘re-identifiable data’ and ‘non-identifiable data’ in the Privacy Act. Rather, the relevant question is whether information is about ‘an identified or reasonably identifiable individual’. This decision will always be contextual and will have to be considered on a case-by-case basis.

Manner of destroying or rendering non-identifiable personal information

Background

28.66 A further issue is whether requirements should be imposed—either in law or by the OPC—stipulating what an entity needs to do to destroy or render non-identifiable personal information. For example, in the context of deleting digital records, the Victorian Society for Computers and the Law has noted that:

[E]specially in the case of larger organisations, it may be practically impossible to guarantee the complete destruction of particular information, or if it is possible, the destruction process may be unreasonably costly and burdensome. The practical effect is that organisations requested to delete information may be encouraged to disregard such requests, to make only cursory and incomplete attempts to delete information, or to pass on the costs of deletion to consumers.[88]

28.67 One model for providing such guidance is the Fair and Accurate Credit Transactions Act 2003 (US), which requires companies that handle consumer reports to destroy information in accordance with regulations issued by the relevant regulatory agency.[89] The Final Rule issued by the Federal Trade Commission, for example, requires persons to ‘properly dispose of [consumer information] by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal’.[90] Reasonable measures include:

  • implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing consumer information so that the information cannot practically be read or reconstructed;

  • implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practically be read or reconstructed;

  • after due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with the rule.[91]

28.68 Alternatively, regulated entities could be required to destroy or render non-identifiable personal information in compliance with an industry standard. For example, the National Association for Information Destruction (NAID) Certification Program sets out minimum standards for information destruction services, including security, employee hiring and screening, operational destruction programs and insurance.[92]

Submissions and consultations

28.69 In DP 72, the ALRC suggested that guidance should be developed and published by the OPC on the requirement to destroy or render non-identifiable personal information.[93] The majority of stakeholders that commented on this issue supported the ALRC’s proposal.[94]

28.70 Other stakeholders provided qualified support. The NHMRC noted the need for some health information and non-health genetic information to be re-identified in the future.[95] NAID suggested that there should be clear guidance in Australian privacy laws to require businesses that have privacy obligations for secure information destruction to do so in accordance with an industry standard.[96] Optus suggested that, in formulating this guidance, the OPC should have regard to the practical implications of these activities and should consult broadly with industry experts on these matters.[97]

ALRC’s view

28.71 The requirement to destroy or render non-identifiable personal information has caused considerable confusion. The ALRC recommends, below, that the OPC should provide guidance about the responsibilities agencies and organisations have under the ‘Data Security’ principle. This should include guidance on the manner in which personal information should be destroyed or rendered non-identifiable. This guidance should address both paper-based records and electronic media. It also may be useful for this guidance to refer to relevant standards for information destruction; for example, the requirements of the NAID Certification Program.

Extending the data destruction requirement to agencies?

28.72 As noted above, the Privacy Act currently imposes a requirement to destroy personal information only to organisations. In DP 72, the ALRC proposed that the ‘Data Security’ principle should impose a data destruction requirement on both agencies and organisations—that is, they should be required to destroy or render non-identifiable personal information, where it is no longer necessary for a purpose permitted by the UPPs.[98]

Submissions and consultations

28.73 A number of government and non-government stakeholders supported applying a ‘data destruction’ requirement to agencies.[99] As one stakeholder commented:

The single greatest protection for personal information against unexpected and unwelcome secondary uses, and ‘function creep’ is to delete or de-identify it. If it no longer exists in identifiable form, it can no longer pose a risk to privacy.[100]

28.74 The Queensland Government, however, did not support applying a uniform requirement to destroy or render non-identifiable personal information to agencies and organisations. It noted:

to suggest that agencies could simply destroy personal information either at the point of reception or when it is deemed no longer necessary for the purpose for which it was collected disregards that governmental decisions and actions must be transparent.[101]

28.75 National Archives suggested that, because of requirements under the Archives Act, records of Commonwealth agencies should be excepted from any requirement under the UPPs to destroy or render non-identifiable personal information.[102] The Australian Federal Police also submitted that any data destruction decisions should be left to the agency and legislation such as the Archives Act.[103]

28.76 A number of stakeholders—while not opposing the extension of a data destruction requirement to agencies—were concerned about the potential damage that could be caused if records are destroyed prematurely.[104] The South Australian Government noted that destroying information, or rendering it non-identifiable, can have a negative effect. Destruction of juvenile justice records from the 1970s, for example, has limited the work of the current South Australian Commission of Inquiry into Children in State Care. It also noted a number of situations where the failure to destroy or render information non-identifiable permitted positive action to be taken. For example:

  • retention of records from the former South Australian Protector of Aborigines and adoption records has assisted in the process of reconnecting members of the Stolen Generation with their families

  • adoption, immigration and social welfare records have assisted with the reunification of child migrants with family members

  • workers compensation cases, such as those for asbestosis have been successfully concluded because of the retention of a range of employment and health records

  • internationally, a range of reconstruction issues post-WWII and post-‘Cold War’ have been assisted by the retention of records from the former governments.[105]

28.77 PIAC noted that much of its work in the ‘Stolen Wages’ project would not have been possible if the personal information of claimants had been destroyed or rendered non-identifiable by government agencies.[106] The Human Rights and Equal Opportunity Commission noted that the Bringing Them Home Report recommended

that no records relating to Indigenous individual, families or communities or to any children, Indigenous or otherwise, removed from their families for any reason, whether held by government or non-government agencies, be destroyed.[107]

28.78 Australian Government Centrelink and Suncorp-Metway Ltd also commented that compliance with this proposal could be a potentially onerous administrative burden on agencies and organisations.[108]

ALRC’s view

28.79 Destroying, or rendering non-identifiable, personal information provides an important layer of privacy protection by removing the possibility of future misuse of, or unauthorised access to, that information. These benefits apply equally to personal information held by agencies and organisations. Accordingly, there are compelling policy reasons why a data destruction requirement should apply to agencies as well as organisations.

28.80 Concerns have been raised by a number of stakeholders—in particular, agencies—about the potential for a data destruction requirement to conflict with other requirements for agencies to retain information. These concerns can be accommodated adequately by wording carefully the permitted reasons for retention of personal information. This issue is considered below.

Permitted reasons for retaining personal information

28.81 NPP 4.2 requires organisations to destroy personal information ‘if it is no longer needed for any purpose for which the information may be used or disclosed under [the ‘Use and Disclosure’ principle]’. The ‘Data Security’ principle that was proposed in DP 72 included similar reasons for retention—that is, that personal information may be retained if it is ‘needed for any purpose permitted by the UPPs’.

Submissions and consultations

28.82 A number of stakeholders submitted that it is unlikely that the permitted reasons for retention of personal information that the ALRC proposed would resolve potential conflicts with other legal obligations to retain information.[109] The AGD advised that the ‘Data Security’ principle would need to accommodate situations where an agency’s enabling legislation requires it to retain personal information.[110] GE Money was concerned that the ALRC’s formulation might not cover an organisation that keeps the information for the purpose of dispute resolution.[111]

28.83 The National Archives commented that, without suitable qualifications, the proposed ‘data destruction’ requirement could undermine the requirement in the Archives Act to obtain the permission of Archives before destroying or altering personal information contained in Commonwealth records.

Such a gap may lead to the unregulated destruction of public records containing personal information through zealous interpretation, or deliberate misuse to avoid accounting for government actions involving individuals.[112]

28.84 Some stakeholders suggested that there should be an exception from the data destruction requirement for health records.[113] The National Health and Medical Research Council (NHMRC), for example, advised that the Australian Code for the Responsible Conduct of Research recommends a minimum retention period for research data of five years from the date of publication. Longer retention periods are provided for particular areas of research. For example, clinical trial data should be retained for a minimum of 15 years. For areas such as gene therapy, research data must be retained permanently.[114]

28.85 The Department of Health and Ageing submitted that the requirement for an agency or organisation to destroy or render non-identifiable personal information should take into account primary and secondary purposes. This could be relevant particularly to genetic information and samples.[115]

28.86 Other stakeholders submitted that the purpose for which personal information may be retained under the proposed ‘data destruction’ requirement—that is, where the information is needed for any purpose permitted by the UPPs—should be more stringent.[116] The Cyberspace Law and Policy Centre and the Australian Privacy Foundation, for example, suggested that personal information should be retained only for a secondary purpose for which it has already legitimately been used, or where there is express legal authority for retention.[117] One stakeholder also submitted that the ‘data destruction’ requirement should provide a maximum time frame for retention of personal information.[118]

ALRC’s view

28.87 The data destruction requirement included in the ‘Data Security’ principle must be worded so as to accommodate the various reasons why agencies and organisations may need to retain personal information. These include, for example, where the information is still necessary for its primary purpose of collection or where destruction could conflict with a legal obligation to retain the information.

28.88 This can be achieved by including two limbs for the retention of personal information. First, personal information should be destroyed or rendered non-identifiable ‘if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs’. This limb is equivalent to the current formulation in NPP 4.

28.89 Secondly, the retention of personal information should be permitted expressly where retention is required or authorised by or under law.[119] In particular, this exception is directed towards the potential conflict between a data destruction requirement and agencies’ archiving obligations. It also will address concerns raised by stakeholders about: the potential for a data destruction requirement to conflict with a relevant requirement under an agency’s enabling legislation; and the need for an agency or organisation to retain personal information in the event of future litigation. In Chapter 16, the ALRC discusses the scope of exceptions to the Privacy Act for acts and practices that are ‘required or authorised by or under law’. It is appropriate that (where relevant) the acts and practices considered in Chapter 16 should be excepted from the recommended data destruction requirement.

28.90 Even with the recommended exception for acts and practices that are ‘required or authorised by or under law’, the interaction between the data destruction requirement in the Privacy Act and the retention provisions of the Archives Act still may be ambiguous. In particular, s 24(2) of the Archives Act provides an exception from the requirement not to destroy, or otherwise dispose of, a Commonwealth record where destruction is ‘required by law’. It is unclear whether the obligation to comply with the destruction requirements in the ‘Data Security’ principle are ‘required by law’ within the context of s 24(2) of the Archives Act.

28.91 Agencies’ responsibilities under the Archives Act should take precedence over the data destruction requirement in the ‘Data Security’ principle. In order to make this policy clear, the ALRC recommends that the ‘Data Security’ principle provide that the obligation to destroy or render non-identifiable personal information is not ‘required by law’ for the purposes of the Archives Act. The finer detail of drafting and decisions about whether the provision is best placed in the ‘Data Security’ principle or in the Archives Act are matters for the Australian Government to resolve, with the assistance of the Office of Parliamentary Counsel.

28.92 The application of the recommended data destruction requirement can be illustrated using the example of an agency that collects personal information for the purpose of a clinical trial. The agency can retain the information for as long as it is needed for the primary purpose of collection—that is, the clinical trial. The Australian Code for the Responsible Conduct of Research provides that, for most clinical trials, information should be retained for a minimum of 15 years.[120] This will be relevant to determining whether the information is still ‘needed’ for the clinical trial. After this period of time, the agency should destroy the information or render it non-identifiable, unless:

  • it is necessary for a secondary purpose for which it can be used or disclosed under the model UPPs. This could include, for example, inclusion in a properly constituted research database; or

  • retention is required or authorised by or under law. This could include, for example, where the information is subject to archiving obligations.

28.93 The application of the recommended data destruction requirement is sufficiently flexible to accommodate the various types of personal information that is held by agencies and organisations. The ALRC acknowledges that there often will be a need to retain health information for a longer period of time than other personal information. This may include follow-up on adverse events associated with particular treatments or research projects. This will be a factor in whether the information is still ‘needed’. Accordingly, there is no need for a specific exception for health information.

Recommendation 28-4 (a) The ‘Data Security’ principle should require an agency or organisation to take reasonable steps to destroy or render non-identifiable personal information if:

(i) it is no longer needed for any purpose for which it can be used or disclosed under the model Unified Privacy Principles; and

(ii) retention is not required or authorised by or under law.

(b) The obligation to destroy or render non-identifiable personal information is not ‘required by law’ for the purposes of s 24 of the Archives Act 1983 (Cth).

General right to destruction of personal information

28.94 A further issue that arises in relation to data destruction is whether an individual should have the right to request that an agency or organisation destroy personal information that relates to him or her and, if so, in what circumstances or upon what conditions should such a right be exercisable.[121]

28.95 Stakeholders have generally opposed amending the privacy principles to give individuals the right to request that agencies and organisations destroy their personal information.[122] Some were concerned that such a requirement would be too blunt an instrument, because it would not allow agencies and organisations to deal with the information otherwise than by destruction, even if some other method would be more appropriate.[123] Moreover, some stakeholders suggested that individuals’ rights of access and correction adequately address the underlying problem.[124]

ALRC’s view

28.96 The ALRC does not support giving an individual a general right to require that an agency or organisation destroy personal information it holds about the individual. Such an amendment could promote unnecessary rigidity by encouraging personal information to be destroyed even where another method of dealing with the information would be more appropriate—for example, where rendering non-identifiable personal information could satisfy the privacy rights of an individual while concurrently allowing organisations to evaluate the effectiveness of a program or activity to which the information relates. Such an amendment also may conflict with retention and destruction obligations set out in other legislation, for example, archives legislation.

OPC guidance

28.97 The application of a data destruction requirement is not always self-evident. In particular, uncertainty may arise about when it is appropriate to destroy or render non-identifiable personal information. As noted above, confusion also arises about the manner in which information should be destroyed or rendered non-identifiable.

28.98 In DP 72, the ALRC proposed that the OPC provide guidance as to when it is appropriate to destroy or render non-identifiable personal information that is no longer needed.[125] The ALRC suggested that this guidance could address situations where destruction of personal information would be inappropriate—for example, if the personal information may later be needed for the purposes of litigation.

28.99 A number of stakeholders supported the provision of OPC guidance on the data destruction requirements.[126] Some stakeholders expressed particular support for certain aspects of the proposed OPC guidance, including: personal information that forms part of a historical record;[127] and the interaction between the data destruction requirement and legislative records retention requirements.[128]

28.100 The ABA submitted, however, that the OPC is not in a position to determine when an organisation ‘needs’ to retain personal information.[129] Similarly, GE Money submitted that

the guidance suggested in this proposal is not primarily concerned with matters of privacy law … Different organisations in different industries are faced with a large range of record retention obligations under many pieces of legislation. Organisations must consider these sometimes complex and overlapping obligations and form and implement compliant record retention policies that they consider to be compliant with all relevant legislation.[130]

28.101 Some stakeholders commented on the role for OPC guidance in addressing the relative merits of destruction and de-identification of personal information.[131] The Cyberspace Law and Policy Centre, for example, submitted that destruction sometimes could be preferable to de-identification, such as where retaining non-identifiable data could lead to statistical inferences being drawn about a group of people.[132] In comparison, the OVPC submitted that—in light of the potential statistical and research value of information—information generally should be retained in a de-identified form.[133] Optus submitted that the OPC should ensure that the obligation on agencies and organisations to destroy or render non-identifiable information is applied flexibly.[134]

28.102 The OPC noted that guidance on the relationship between the UPPs and legislative records retention requirements would need to be developed in collaboration with agencies having expertise in those other requirements.[135] Other stakeholders also noted the need for further consultation by the OPC with: consumer groups, privacy advocates and community legal centres;[136] National Archives;[137] and state and territory privacy commissioners.[138]

ALRC’s view

28.103 The OPC should provide guidance on when it is appropriate to destroy or render non-identifiable personal information that is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law. In particular, guidance usefully could address when it is appropriate to destroy or render non-identifiable personal information that forms part of a historical record and personal information that may be needed for the purpose of future dispute resolution. OPC guidance also could clarify the interaction between the data destruction requirements and legislative records retention requirements.

28.104 The decision whether an agency or organisation destroys personal information or, in the alternative, renders the information non-identifiable is a decision for that agency or organisation. Provided the information is no longer about an individual who is ‘identified or reasonably identifiable’, it is outside the ambit of the Privacy Act.[139] Where the information is rendered non-identifiable, rather than destroyed, use of the information for the research proposal will be governed by broader principles of research ethics and, where appropriate, review by a Human Research Ethics Committee.[140]

Recommendation 28-5 The Office of the Privacy Commissioner should develop and publish guidance about the destruction of personal information, or rendering such information non-identifiable. This guidance should address matters such as:

(a) when it is appropriate to destroy or render non-identifiable personal information, including personal information that:

(i) forms part of a historical record; and

(ii) may need to be preserved, in some form, for the purpose of future dispute resolution;

(b) the interaction between the data destruction requirements and legislative records retention requirements; and

(c) the manner in which personal information should be destroyed or rendered non-identifiable.

[73]Privacy Act 1988 (Cth) sch 3, NPP 4.2. In the recommendation below and in the ‘Data Security’ principle, the ALRC avoids using the term ‘de-identify’ and instead uses the term ‘render non-identifiable’. This change in terminology reflects the position discussed in Ch 6 and later in this chapter.

[74] Section 18F of the Privacy Act, however, requires credit providers and credit reporting agencies to delete certain personal information in accordance with prescriptive timeframes.

[75]Privacy Act RS 1985, c P-21 (Canada) s 6(3).

[76]Federal Data Protection Act 1990 (Germany) s 20(2).

[77] See Information Privacy Act 2000 (Vic) sch 1, IPP 4.2; Personal Information Protection Act 2004 (Tas) sch 1, PIPP 4(2); Information Act 2002 (NT) sch 2, IPP 4.2.

[78] See Health Records Act 2001 (Vic) sch 1, Health Privacy Principles 4.2, 4.3. These procedures involve the making of a written note of the person to whom the deleted information related, the period covered by the information and the date of deletion. This is discussed further in Part H.

[79] See Archives Act 1983 (Cth).

[80]Ibid s 24.

[81] The Management Advisory Committee is a forum of Secretaries and Agency Heads established under the Public Service Act 1999 (Cth) to advise the Australian Government on matters relating to the management of the Australian Public Service.

[82]Australian Government Management Advisory Committee, Note for File: A Report on Recordkeeping in the Australian Public Service (2007), 3.

[83]Ibid, 16.

[84] See, for example, CSIRO, Submission PR 176, 6 February 2007. See also, in the context of research, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007. Submissions to this effect also were made to the OPC review of the private sector provisions: National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004; Australian Institute of Health and Welfare, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 23 December 2004; Australian Nursing Federation, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 1 February 2005.

[85] This change in terminology is discussed in DP 72: Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Chs 3, 25 and 58.

[86] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[87]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[88] Victorian Society for Computers and the Law Inc, Submission PR 137, 22 January 2007.

[89]Fair and Accurate Credit Transactions Act 2003 (United States) § 628.

[90]United States Government Federal Trade Commission, Disposal of Consumer Report Information and Records; Final Rule (2005), § 682.3 (a).

[91]Ibid, § 82.3 (b).

[92]National Association for Information Destruction Inc, NAID Certification Program—January 2008 (2008); National Association for Information Destruction Inc, NAID Certification Program for Information Destruction Operations <www.naidonline.org> at 18 April 2008.

[93]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 25–6.

[94]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007.

[95]National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[96]National Association for Information Destruction (Australasia), Submission PR 483, 17 December 2007.

[97]Optus, Submission PR 532, 21 December 2007.

[98]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 25–4.

[99]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[100]G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[101]Queensland Government, Submission PR 490, 19 December 2007.

[102]National Archives of Australia, Submission PR 414, 7 December 2007.

[103]Australian Federal Police, Submission PR 545, 24 December 2007.

[104]Government of South Australia, Submission PR 565, 29 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[105]Government of South Australia, Submission PR 565, 29 January 2008.

[106] The Stolen Wages project involved the investigation of claims by Indigenous clients who were denied access to wages, allowances and pensions held on trust by the Aborigines Welfare Board and subsequently the NSW Government.

[107]Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007, referring to Human Rights and Equal Opportunity Commission, Bringing Them Home: Report of the National Inquiry into the Separation of Aboriginal and Torres Strait Islander Children from their Families (1997).

[108]Australian Government Centrelink, Submission PR 555, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[109] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; National Archives of Australia, Submission PR 414, 7 December 2007.

[110]Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[111]GE Money Australia, Submission PR 537, 21 December 2007.

[112]National Archives of Australia, Submission PR 414, 7 December 2007.

[113]Medicare Australia, Submission PR 534, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[114]National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[115]Confidential, Submission PR 570, 13 February 2008.

[116]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[117]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[118]S Hawkins, Submission PR 382, 6 December 2007.

[119] The term ‘required or authorised by or under law’ is discussed in Ch 16.

[120] National Health and Medical Research Council and Australian Research Council, Australian Code for the Responsible Conduct of Research (2007), [2.1].

[121] See, eg, Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–19.

[122]Optus, Submission PR 532, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Australian Taxation Office, Submission PR 168, 15 February 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; UNITED Medical Protection, Submission PR 118, 15 January 2007.

[123] See, eg, Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Australian Taxation Office, Submission PR 168, 15 February 2007; UNITED Medical Protection, Submission PR 118, 15 January 2007.

[124] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; UNITED Medical Protection, Submission PR 118, 15 January 2007. The ‘Access and Correction’ principle is discussed in Ch 29.

[125]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 25–5.

[126]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[127]National Archives of Australia, Submission PR 414, 7 December 2007.

[128]Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[129]Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[130]GE Money Australia, Submission PR 537, 21 December 2007.

[131] Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Archives of Australia, Submission PR 414, 7 December 2007.

[132]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[133]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[134]Optus, Submission PR 532, 21 December 2007.

[135]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[136]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[137]National Archives of Australia, Submission PR 414, 7 December 2007.

[138]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[139] The definition of personal information is discussed in Ch 6.

[140] The relationship between privacy laws and research is discussed in Chs 64–66.