Access to personal information: exceptions

29.37 The IPPs and the NPPs place obligations on agencies and organisations to provide individuals with access to personal information that they hold about the individuals, unless a specific exception applies. There are a number of differences, however, between these exceptions. Questions therefore arise about:

  • whether the ‘Access and Correction’ principle in the model UPPs should provide different exceptions to an individual’s right of access, depending on whether the information is held by an agency or organisation; and

  • what should be the content of such exceptions.

Different exceptions for agencies and organisations?

Background

29.38 As noted above, IPP 6 provides that an agency should provide an individual with access

except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.[37]

29.39 This provision generally limits the right to access personal information under the Privacy Act to the right to obtain access to information under Part IV of the FOI Act. For documents that are more than 30 years of age, the exemptions to access to documents under s 33 of the Archives Act 1983 (Cth) may apply.

29.40 In comparison, the exceptions to an organisation’s obligation to provide individuals with access to their personal information are set out in an exhaustive list in NPPs 6.1 and 6.2.

Submissions and consultations

29.41 In DP 72, the ALRC asked what exceptions should apply to an agency’s obligation to provide an individual with access to personal information that it holds about him or her. In particular, the ALRC asked whether the exceptions should mirror the provisions in Part IV of the FOI Act, or whether another set of exceptions should apply.[38]

29.42 Some stakeholders were of the view that the provisions of Part IV of the FOI Act should be mirrored in the Privacy Act.[39] Others submitted that the exceptions that apply to organisations under the ‘Access and Correction’ principle also should apply to agencies.[40] ACMA submitted that it was essential that any exceptions recognise the public interest in law enforcement and regulatory agencies being able to fulfil their regulatory and enforcement functions.[41]

29.43 National Legal Aid submitted that an individual’s interest in obtaining access to his or her personal information should be given a higher priority than access to other kinds of information. Accordingly, the barriers to access under the FOI Act should be reduced in the Privacy Act. It noted that the FOI Act contains provisions that attempt to reduce the barriers to access,[42] and submitted that these provisions could be extended and clarified in the Privacy Act.[43]

ALRC’s view

29.44 Exceptions to the ‘Access and Correction’ principle should be consistent with exemptions under the FOI Act. Similarly, the exceptions to the ‘Access and Correction’ principle should be consistent with exemptions under the Archives Act.[44] Agencies should not be subject to conflicting obligations under different legislative schemes in relation to the same information. Further, individuals should not be able to compel access to information under the Privacy Act that would otherwise be exempt under the FOI Act or the Archives Act.

29.45 Accordingly, the exemptions under the FOI Act should continue to apply to agencies when making decisions about access to personal information under the Privacy Act.[45] For information held in documents that are 30 years or more of age, the exemptions in the Archives Act should apply.[46]

29.46 The ALRC notes that some of the exemptions under the FOI Act are modified where an individual requests access to personal information about him or her, or disclosure of a document is in the public interest. For example, s 38(1) of the FOI Act, which provides that a document is exempt from disclosure if disclosure is prohibited by legislation, generally does not apply so far as the document in question contains personal information about the person requesting access to it.[47]

29.47 On 24 September 2007, following the release of DP 72, the then Attorney-General of Australia referred to the ALRC for inquiry and report matters relating to the extent to which the FOI Act and related laws continue to provide an effective framework for access to information in Australia. The issue of whether the FOI exemptions should be amended to deal with requests for access to personal information should be considered as part of that review.

What should be the content of the exceptions?

Background

29.48 Above, the ALRC recommends that, where an agency receives a request for access to, or correction of, personal information under the Privacy Act, the agency should continue to apply the relevant provisions set out in other federal laws—most notably, exempt documents under the FOI Act. Consequently, the exceptions to access provided in the ‘Access and Correction’ principle will apply only to organisations.

29.49 Currently, NPP 6.1 includes a lengthy list of exceptions to an organisation’s obligation to provide an individual with access to personal information, including (among others) where providing access would: have an unreasonable impact on the privacy of other individuals; relate to legal proceedings between the organisation and individual and would not be accessible through the discovery process; be unlawful; or prejudice investigation of a possible unlawful activity. Additionally, an organisation is not required to provide access to personal information it holds about an individual to the extent that:

(a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

(b) in the case of health information—providing access would pose a serious threat to the life or health of any individual …[48]

29.50 Furthermore, NPP 6.2 allows an organisation to give an individual an explanation of personal information, rather than direct access, ‘where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process’.

Discussion Paper proposals

29.51 The ‘Access and Correction’ principle proposed in DP 72 primarily retained the exceptions to an individual’s right to obtain access to personal information set out in NPP 6. The ALRC proposed one change, however, to the exception that allows an organisation to deny access where providing access would pose a serious threat to an individual’s life or health. This was that the:

  • two exceptions in NPP 6.1(a) and (b) should be consolidated into a single exception in the ‘Access and Correction’ principle in the proposed UPPs; and

  • exception would apply where providing access to the personal information in question would be ‘reasonably likely to pose a serious threat to the life or health of any individual’.[49]

29.52 This change reflected the ALRC’s proposal that the ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use and disclose personal information if the use or disclosure was necessary to lessen or prevent a ‘serious’ (as opposed to a ‘serious and imminent’) threat.[50]

Submissions and consultations

Threat to life or health

29.53 The majority of stakeholders who commented on this issue supported the ALRC’s proposal to remove the word ‘imminent’ from the exception to the ‘Access and Correction’ principle.[51] The Department of Human Services generally supported this proposal, but noted that determining whether access could pose a ‘serious threat’ often is not practicable in the context of the relationships of the Department and service delivery agencies with individuals.[52] The National Catholic Education Commission and Independent Schools Council of Australia supported the removal of the word ‘imminent’, but commented that they would prefer that the word ‘significant’ be used rather than the word ‘serious’.[53] One stakeholder advised that it failed to see ‘why a right of access should be given priority over any threat to the life or health of an individual’.[54]

29.54 The OPC disagreed with the proposal. It submitted that—other than in the context of health information—the ‘Access and Correction’ principle should retain the ‘serious and imminent’ test for threats to the life or health of an individual. The OPC was concerned that removing the existing requirement for the threat to be imminent, and allowing an organisation to deny access to an individual on the grounds that ‘such access would be reasonably likely to pose a serious threat to the life or health of any individual’, would unjustifiably lower the current privacy protections offered under NPP 6. The OPC acknowledged, however, that the removal of the ‘imminent’ test might be justified in the context of the disclosure of health information, particularly mental health information or other information that may have a ‘highly emotional element’.[55]

29.55 Some other stakeholders supported retaining the words ‘serious and imminent threat’ in the ‘Access and Correction’ principle, as well as the principles dealing with the collection of sensitive information and the use and disclosure of personal information.[56] On a related issue, one stakeholder submitted that

it is not clear what the intention of the ALRC is in modifying the grounds on which access by an individual to their personal information should be able to be refused from when providing access ‘would pose a serious threat’ to the life or health of any individual to where this ‘would be reasonably likely to pose a serious threat’.[57]

Other exceptions to access rights

29.56 Some stakeholders submitted that other exceptions in the proposed ‘Access and Correction’ principle were not sufficiently stringent. Concerns were expressed about the exceptions permitting an organisation to deny an individual access to his or her personal information if: denying access is required or authorised by or under law;[58] providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations;[59] and providing access would be likely to prejudice activities ‘by or on behalf of an enforcement body’.[60] Liberty Victoria submitted that, other than in the context of a criminal investigation, individuals always should be able to access and correct personal information held by agencies or organisations.[61]

29.57 Avant Mutual Group Ltd noted that the exception for existing or anticipated legal proceedings should be consistent with the common law and the provisions of the Evidence Act 1995 (Cth) relating to client legal privilege.[62]

29.58 Privacy advocates also raised concerns about the exception set out in the proposed UPPs, which would permit an organisation to provide an individual with an explanation for a commercially sensitive decision, rather than direct access to the information.[63] The Cyberspace Law and Policy Centre, for example, was concerned that this exception could be used to deny direct access to personal information in situations where such access would be appropriate. The Centre also commented that the note following UPP 9.2[64] was tautologous. The Centre submitted that this note should be replaced by one advising that ‘the mere fact that some explanation may be necessary in order to understand information such as a score or algorithm result should not be taken as grounds for withholding information’.[65] Privacy NSW submitted that this exception should be incorporated into UPP 9.1.[66]

ALRC’s view

Threat to life or health

29.59 An individual should not be entitled to obtain access to personal information that an organisation holds about him or her if providing access would pose a serious threat to the life or health of any individual (including the individual seeking access). There should not be a further requirement that this threat is ‘imminent’. This is consistent with the change that the ALRC is recommending to the exception under the ‘Use and Disclosure’ principle.[67]

29.60 In Chapter 25, the ALRC discusses the meaning of ‘serious threat’ in the context of the recommended exception to the ‘Use and Disclosure’ principle. It notes that the ALRC’s recommendation that the ‘imminent’ threat requirement be removed means that an assessment of when a threat will take place is no longer required. An assessment of whether a threat is likely to eventuate, however, still will be necessary. This discussion applies equally in the context of denying an individual access to personal information.

29.61 The exception to an organisation’s obligations to provide an individual with access to his or her personal information where it would pose a serious threat to life or health should apply where such a threat is ‘reasonably likely’ to occur. In most situations, an organisation will not be able to conclude definitively that providing an individual with access to his or her personal information ‘will’ pose a serious threat to an individual’s life or health. This uncertainty has been dealt with in the language used in the other contexts where it arises. For example, in the ‘Use and Disclosure’ principle, the information may be used or disclosed where an agency or organisation ‘reasonably believes’ the use or disclosure is necessary to lessen or prevent such a threat. Similarly, under the FOI Act, an agency can deny a request for access where disclosure ‘would, or could reasonably be expected to endanger the life or physical safety of any person’.[68]

29.62 This recommendation may increase the likelihood that an individual will be denied access to his or her personal information. The ALRC is making a number of recommendations, however, that will lessen the detriment resulting from a refusal of access. In particular, the ALRC recommends that, where an agency or organisation considers that it is not required to provide an individual with access to personal information, it must take reasonable steps to provide the individual with as much of the information as possible. This could include providing information through a mutually agreed intermediary.[69] A more stringent intermediary provision is recommended where an organisation denies an individual access to his or her health information because providing access would be reasonably likely to pose a serious threat to any individual.[70] These provisions offset sufficiently any lessening of individuals’ rights to access their own personal information that may result from broadening this exception.

Other exceptions to access rights

29.63 With the exception of the change recommended above, the ‘Access and Correction’ principle should include the existing exceptions in NPP 6. These exceptions—for example, where denying access is required or authorised by or under law, or where providing access could prejudice law enforcement activities—balance appropriately the public interest in safeguarding the handling of personal information with competing public interests.

29.64 The ALRC agrees with the Cyberspace Law and Policy Centre, however, that the statutory note presently set out in NPP 6 (that ‘an organisation breaches NPP 6.1 if it relies on NPP 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where UPP 9.2 does not apply’) is tautologous and should be removed. A statutory note should be included in the ‘Access and Correction’ principle stating that the mere fact that some explanation may be necessary in order to understand information should not be taken as grounds for withholding information.

Recommendation 29-2 The ‘Access and Correction’ principle should provide that:

(a) if an agency holds personal information about an individual, the individual concerned is entitled to have access to that personal information, except to the extent that the agency is required or authorised to refuse to provide the individual with access to that personal information under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents; and

(b) subject to Recommendation 29–3, if an organisation holds personal information about an individual, the individual concerned shall be entitled to have access to that personal information, except to the extent that one of the exceptions to the right of access presently set out in National Privacy Principle 6.1 or 6.2 applies.

Recommendation 29-3 The ‘Access and Correction’ principle should provide that, where an organisation holds personal information about an individual, it is not required to provide access to the information to the extent that providing access would be reasonably likely to pose a serious threat to the life or health of any individual.

[37] Privacy Act 1988 (Cth) s 14, IPP 6.

[38] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 12–1.

[39] See, eg, Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Taxation Office, Submission PR 515, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[40] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.

[41] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[42] See Freedom of Information Act 1982 (Cth) ss 36(1)(b), 38(2).

[43] National Legal Aid, Submission PR 521, 21 December 2007.

[44] In this Report, an ‘exception’, as applied to the privacy principles, applies where a requirement in the privacy principles does not apply to any entity in a specified situation or in respect of certain conduct. Part IV of the FOI Act sets out a number of ‘exempt documents’, to which the access requirements of the FOI Act do not apply. Section 33 of the Archives Act sets out ‘exempt records’, to which the Act’s access provisions do not apply.

[45] Including exemptions under Freedom of Information Act 1982 (Cth) ss 12, 13 and pt IV.

[46] The exemptions in the Archives Act are similar to those in the FOI Act.

[47] Freedom of Information Act 1982 (Cth) s 38(2), (3).

[48] Privacy Act 1988 (Cth) sch 3, NPP 6.1.

[49] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 26–6.

[50] Ibid, Proposal 22–3.

[51] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[52] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[53] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[54] Confidential, Submission PR 536, 21 December 2007.

[55] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[56] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Optus, Submission PR 532, 21 December 2007.

[57] Confidential, Submission PR 570, 13 February 2008.

[58] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[59] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[60] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[61] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[62] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[63] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[64] This note stated, ‘an organisation breaches UPP 9.1 if it relies on UPP 9.2 to give an individual an explanation for a commercially sensitive decision in circumstances where UPP 9.2 does not apply’.

[65] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[66] Privacy NSW, Submission PR 468, 14 December 2007.

[67] Rec 25–3.

[68] Freedom of Information Act 1982 (Cth) s 37(1).

[69] Rec 29–4.

[70] Rec 63–6.