Related bodies corporate

43.9 An act or practice is not an interference with privacy if it consists of the collection or disclosure of personal information by a body corporate from or to a ‘related body corporate’.[13] The stated reason for this exemption is to ‘recognise [the] commercial reality that, for many bodies corporate to continue to operate effectively, they need to be able to communicate with related bodies corporate’.[14]

43.10 The partial exemption for related bodies corporate does not apply in a range of circumstances, including:

  • the collection or disclosure of ‘sensitive information’;[15]

  • the collection of personal information from an entity that is exempt from the Privacy Act;[16]

  • where the company is a contractor under a Commonwealth contract and: the collection or disclosure of personal information from or to the related company is contrary to a contractual provision; or the collection of personal information is for the purpose of meeting an obligation under the contract and the disclosure is for direct marketing purposes;[17] and

  • if the acts and practices of the company: breach the tax file number (TFN) guidelines, or involve an unauthorised requirement or request for disclosure of an individual’s TFN; contravene Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 (Cth) or the data-matching guidelines made under that Act; constitute a breach of the guidelines under s 135AA of the National Health Act 1953 (Cth); or constitute a credit reporting infringement by a credit reporting agency or a credit provider.[18]

43.11 Before an organisation can rely on this exemption to disclose non-sensitive personal information to other related companies, it must take reasonable steps to ensure that the individual knows that the organisation has collected the information, the use that will be made of the information and the types of organisations to which the information is usually disclosed.[19] In addition, although related companies may share personal information, the handling of that information is still subject to the NPPs in other respects.[20] For example, each company within the group of related companies must use the information for the primary purpose for which it was originally collected, and may use the personal information for a secondary purpose only where that purpose is allowed by NPP 2.1.[21]

43.12 The way the exemption operates may be illustrated by the following example. A large furniture store collects an individual’s credit card details to receive payment for a sofa, and the individual’s name and address in order to deliver the sofa. The related body corporate exemption allows the furniture store to pass on the individual’s name, address and credit card details to a related delivery company. The delivery company is allowed to collect the information from the furniture company without having to inform the individual that it has collected that information. The delivery company can use this personal information only for the purpose for which the furniture store collected it (ie, delivery of the sofa). It cannot use the information for an unrelated purpose.

43.13 The related bodies corporate exemption has been criticised as a potential loophole through which corporate groups could evade the coverage of the Privacy Act.[22] In its submissions to previous inquiries, Electronic Frontiers Australia submitted that the exemption enables large businesses intentionally to structure their affairs to take advantage of the exemption. In its view, individuals should not have to ask or attempt to investigate corporate structures to find out how far their personal information could be spread. Electronic Frontiers Australia submitted that the exemption should be removed and related bodies corporate treated as third parties.[23]

Submissions and consultations

43.14 In submissions to this Inquiry, some stakeholders supported retaining the current exemption for related bodies corporate.[24] For example, Telstra submitted that the exemption is ‘necessary for efficient and effective business practices’.[25] The Hobart Branch of the National Seniors Association Ltd also submitted that it needed to transfer personal information to related bodies, including between its national body and local branches.[26]

43.15 Other stakeholders have submitted, however, that the breadth of the exemption can result in uses of personal information which are contrary to the reasonable expectations of individuals.[27] The Cyberspace Law and Policy Centre, for example, noted that ‘many corporate relationships are obscure and customers of one trading enterprise are often unaware of other ownership or control relationships’.[28] The Office of the Privacy Commissioner (OPC) submitted that organisations should inform individuals about related companies with which they regularly exchange information.[29]

43.16 Concerns also have been raised about the potential for the exemption to allow personal information to be used for direct marketing by related bodies corporate without an individual’s knowledge or consent.[30] The ABA submitted, however, that these concerns do not relate to the related bodies corporate exemption—rather, they are about the use of personal information once it has been shared.[31]

43.17 The OPC also suggested that the Privacy Act should be amended to clarify that, where an organisation discloses personal information to a related body corporate in an overseas jurisdiction, that transfer will be subject to the ‘Cross-Border Data Flows’ principle in the model Unified Privacy Principles (UPPs).[32]

ALRC’s view

43.18 In the interest of business efficacy, companies that have a shared ownership or controlling interest should be able to share non-sensitive personal information. The partial exemption for related bodies corporate is subject to a number of limitations. First, it is confined to non-sensitive personal information. Secondly, the exemption does not apply to the collection of personal information from an entity that is exempt from compliance with the Privacy Act. In addition, before an organisation can disclose such information to other related companies, it must take reasonable steps to ensure that individuals know the types of organisations to which the information is usually disclosed. Finally, although related companies may share non-sensitive personal information, they must otherwise comply with all the other privacy principles in the handling of that information.

43.19 The above restrictions largely limit the application of the partial exemption for related bodies corporate to transfers of personal information within the reasonable expectations of individuals. The ALRC also makes a number of recommendations in this Report to improve the transparency of information handling practices, through the ‘Openness’ principle and the ‘Notification’ principle in the model UPPs.[33] These principles may require an organisation to inform individuals about related organisations with which they regularly exchange information.[34]

43.20 One of the main issues raised about the related bodies corporate exemption is the potential for personal information to be used by a related company for the purpose of direct marketing. In Chapter 26, the ALRC recommends that organisations should be subject to a ‘Direct Marketing’ principle, which sets out the circumstances in which an organisation may use or disclose personal information for the purpose of direct marketing. In particular, the recommended principle provides that, where the individual is not an existing customer[35] or is under 15 years of age: the individual must have consented to the direct marketing; or the organisation must demonstrate that it was impracticable to seek such consent.[36] The organisation also must advise the individual that he or she can opt out of any further direct marketing, and provide a simple and functional means by which the individual can unsubscribe.[37]

43.21 In Chapter 31, the ALRC recommends that s 13B of the Privacy Act should be amended to clarify that, if an organisation transfers personal information to a related body corporate outside Australia, the transfer will be subject to the ‘Cross-Border Data Flows’ principle.[38]

[13] Privacy Act 1988 (Cth) s 13B(1). Section 6(8) of the Privacy Act provides that ‘the question whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act’. A ‘related body corporate’ is defined in s 50 of the Corporations Act to mean that where a body corporate is a holding company of another body corporate, a subsidiary of another body corporate, or a subsidiary of a holding company of another body corporate, the first mentioned body and the other body are related to each other.

[14] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [138].

[15] Privacy Act 1988 (Cth) s 13B(1). The definition of sensitive information is discussed in Ch 6.

[16] Ibid s 13B(1A)(a), (b).

[17] Ibid s 13B(2).

[18] Ibid s 13E.

[19] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [139].

[20] Privacy Act 1988 (Cth), note to s 13B(1); Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [141].

[21] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [141].

[22] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [9.9].

[23] Electronic Frontiers Australia Inc, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 22 December 2004; Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005.

[24] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Telstra, Submission PR 185, 9 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[25] Telstra, Submission PR 185, 9 February 2007.

[26] Hobart Branch of National Seniors Association Ltd, Submission PR 368, 4 December 2007.

[27] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007, referring to Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005.

[28] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[29] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[30] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Queensland Government Commission for Children and Young People and Child Guardian, Submission PR 171, 5 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[31] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[32] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[33] See Chs 23, 24.

[34] See, in particular, Rec 23–2(f).

[35] In Ch 26, the ALRC notes that an individual who is an ‘existing customer’ of a particular organisation will probably not be an ‘existing customer’ of a related body corporate of that organisation.

[36] Rec 26–4(a).

[37] Rec 26–4(b), (c).

[38] Rec 31–5.