Access to personal information: intermediaries

Background

29.65 NPP 6.3 currently requires an organisation that has lawfully denied an individual access to his or her personal information to consider providing access to the information to a mutually agreed third party intermediary. The object behind this provision was explained in the Explanatory Memorandum and other material accompanying its introduction:

[NPP 6.3] is not intended to provide a mechanism to reduce access if access would otherwise be required. There will be some cases—investigations of fraud or theft for example—where no form of access is appropriate. In other cases, it should be considered as an alternative to complete denial of access. For example, in the health context, an intermediary could usefully explain the contents of the health record to the individual as an alternative to denying access to the health information altogether.[71]

29.66 In other words, NPP 6.3 requires an organisation to consider whether a compromise can be reached that would allow an individual some form of indirect access to his or her personal information in circumstances where direct access is not appropriate. The IPPs do not contain an equivalent provision. The FOI Act, however, provides that where an agency denies a request for access to a document containing personal information, provided by a ‘qualified person’,[72] on the basis that disclosure of the information might be detrimental to the applicant’s physical or mental health or well-being, the agency may provide access to the document through another qualified person nominated by the applicant.[73]

29.67 The OPC, in its review of the private sector provisions of the Privacy Act (the OPC Review), noted concerns that the obligation in NPP 6.3 for an organisation to ‘consider’ the use of intermediaries, where the organisation is not required to provide access, is inadequate.[74]

Discussion Paper proposals

29.68 In DP 72, the ALRC proposed that the ‘Access and Correction’ principle should provide that an organisation must take ‘reasonable steps’ to reach an appropriate compromise, involving the use of a mutually agreed intermediary in certain circumstances. The ALRC proposed that the OPC should provide guidance about what would be ‘reasonable steps’ in this context.[75] The ALRC also expressed the preliminary view that this provision would be useful in the context of providing access to personal information held by agencies.[76]

Submissions and consultations

Organisations

29.69 A large number of stakeholders supported the proposition that an organisation that is not required to provide an individual with access to his or her personal information should take reasonable steps to provide access to the information through a mutually agreed intermediary.[77] Optus, for example, submitted that

the proposed ‘Access and Correction’ principle should make it clearer that an organisation should give more than cursory consideration to whether a mutually agreed intermediary should be used in instances where a request to access information is legitimately refused.[78]

29.70 Some stakeholders suggested ways to improve the operation of the proposed provision. These included removing the qualification, ‘provided that the compromise would allow sufficient access to meet the needs of both parties’, which was considered unnecessarily restrictive.[79] The Cyberspace Law and Policy Centre and the Australian Privacy Foundation also suggested that the Privacy Commissioner should be empowered to act as an intermediary, if requested by the parties, or in the event that the parties are unable to agree on an alternative intermediary.[80]

29.71 The Australian Bankers’ Association Inc (ABA) and Suncorp-Metway Ltd supported the ALRC’s proposal in principle, but noted that it should not be mandatory for the organisation to engage a mutually agreed intermediary where the organisation itself is capable of taking other reasonable steps to achieve a compromise regarding access to the information. Other reasonable steps could include, for example, the use of an external dispute resolution scheme.[81] Other stakeholders submitted that the existing provisions were adequate, considering the limited circumstances in which access can be denied.[82] The Attorney-General’s Department (AGD) suggested an exception to the provision where taking reasonable steps to reach a compromise could prejudice the detection or investigation of unlawful activity.[83]

29.72 A number of stakeholders also supported the proposal that the OPC should provide guidance about the meaning of ‘reasonable steps’ in this context.[84] Privacy advocates expressed concern that organisations could use the existence of grounds for withholding some information as an excuse for denying access in its entirety. Accordingly, they suggested that the OPC guidance should address the need for organisations to withhold personal information to the minimum extent necessary.[85]

Agencies

29.73 The majority of stakeholders that commented on this issue supported requiring an agency to take reasonable steps to reach a compromise by providing access through a mutually agreed intermediary.[86] Privacy NSW, for example, noted that unless there is an equivalent provision for agencies, there will be differing levels of access rights for individuals, depending on whether the personal information is held by an agency or organisation.[87] The AFP and ACMA highlighted the need for exemptions to allow law enforcement and regulatory agencies properly to perform their functions.[88] ACMA also was concerned about the resource implications of the proposal.[89]

ALRC’s view

29.74 A provision requiring an agency or organisation to take reasonable steps to provide an individual with as much personal information as possible, in circumstances where access to the information legitimately can be refused, is important. Such a provision allows for a more flexible, nuanced approach to requests for access where direct access is not appropriate. One such reasonable step is the use of an intermediary. The benefits of an intermediary provision apply equally whether information is held by an agency or organisation.

‘Reasonable steps’ to provide access

29.75 The present requirement in NPP 6.3—that an organisation must ‘consider’ the use of a mutually agreed intermediary—potentially is open to abuse. Technically, the requirement would be fulfilled where an organisation briefly contemplates, and then immediately rejects, such a course of action.

29.76 The proposal that an agency or organisation should take ‘reasonable steps’ to reach an appropriate compromise regarding access to personal information, where such access legitimately can be refused, received considerable support from stakeholders. Law enforcement and regulatory agencies were concerned, however, that a requirement to take ‘reasonable steps’ may not clarify sufficiently that, in some circumstances, it would not be appropriate for an agency or organisation to take any steps to provide access.

29.77 The intermediary requirement should provide that agencies and organisations must take ‘such steps, if any, as are reasonable’.[90] This will ensure that the requirement is stringent enough that agencies and organisations must give more than superficial consideration to the use of an intermediary. The revised wording of the requirement remains sufficiently flexible to accommodate situations where the circumstances justify the agency or organisation taking no steps to provide access. This may be the case, for example, where an agency is investigating unlawful activity. The OPC, in its guidance on the ‘Access and Correction’ principle, should address what would be considered ‘reasonable steps’ in this context.[91]

Reaching an ‘appropriate compromise’

29.78 The intermediary requirement proposed in DP 72 required organisations to ‘reach an appropriate compromise’ with individuals seeking access to their personal information. This wording potentially is ambiguous. This requirement can be stated more clearly as being to ‘provide the individual with as much of the information as is possible’.

29.79 In addition, the ALRC agrees with stakeholders that the proposed wording—‘provided that the compromise would allow sufficient access to meet the needs of both parties’—may restrict the operation of the principle unnecessarily. For example, there will be circumstances where a compromise may not be sufficient to meet the needs of both parties, but remains preferable to refusing access. These words, therefore, have not been included in the recommended ‘Access and Correction’ principle.

A ‘mutually agreed’ intermediary

29.80 As framed, the ‘Access and Correction’ principle in the model UPPs is limited to situations where the parties can agree on an intermediary. It does not contain a ‘circuit breaker’ to deal with situations where the parties fail to reach such an agreement. In Chapter 63, the ALRC recommends that, where an organisation denies an individual access to his or her health information on the grounds that it is reasonably likely to pose a serious threat to any individual, the individual should have the right to nominate a health service provider and request that the organisation provide the nominated health service provider with access to the information.[92] Considering the large number of access complaints that relate to health information,[93] this procedure could apply to many situations where mutual agreement on an intermediary cannot be reached.

29.81 It is possible that an officer of the OPC may, in some situations, agree to act as an intermediary. The decision to take on any such role will be dependent on the OPC being sufficiently resourced, and the relevant officer being appropriately qualified.

Access other than through an intermediary

29.82 Providing access through the use of a mutually agreed intermediary is not the only way that an agency or organisation may provide limited access to personal information. Other ways include, for example, giving a verbal summary of the personal information, excluding the information covered by the exception.[94] The ALRC recommends, therefore, that the reasonable steps taken by an agency or organisation to reach an appropriate compromise should include the use of an intermediary.

Recommendation 29-4 The ‘Access and Correction’ principle should provide that, where an agency or organisation is not required to provide an individual with access to his or her personal information, the agency or organisation must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.

[71] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [376]. See also Office of the Federal Privacy Commissioner, Access and the Use of Intermediaries, Information Sheet 5 (2001).

[72] ‘Qualified person’ is defined in the Act to mean ‘a person who carries on, and is entitled to carry on, an occupation that involves the provision of care for the physical or mental health of people or for their well being’. It includes a non-exhaustive list of such people, including a: medical practitioner; psychiatrist; psychologist; marriage guidance counselor; and social worker: Freedom of Information Act 1982 (Cth) s 41(8).

[73] Ibid s 41.

[74] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 114, 116.

[75] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 26–2.

[76] Ibid, Proposal 12–8(c).

[77] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[78] Optus, Submission PR 532, 21 December 2007.

[79] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[80] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[81] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[82] Confidential, Submission PR 536, 21 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007.

[83] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[84] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; ANZ, Submission PR 467, 13 December 2007.

[85] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[86] Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[87] Privacy NSW, Submission PR 468, 14 December 2007.

[88] Australian Federal Police, Submission PR 545, 24 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[89] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[90] This wording is consistent with that in the ‘Notification’ principle.

[91] See Rec 29–9.

[92] See Rec 63–6.

[93] Of the 330 NPP complaints against health care providers received by the OPC between 21 December 2001 and 31 January 2005, 163 concerned a refusal of access to health records. Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 112.

[94] Office of the Federal Privacy Commissioner, Access and the Use of Intermediaries, Information Sheet 5 (2001).