Personal Information Digest

Background

47.37 The Commissioner has the function under s 27(1)(g) of maintaining and publishing annually a record of ‘the matters set out in records maintained by record keepers in accordance with clause 3 of IPP 5’. Record keepers, in this context, are agencies; and the record is known as the Personal Information Digest (Digest). The matters that must be included in the Digest are:

  • the nature of the records of personal information kept by or on behalf of the record keeper;

  • the purpose for which each type of record is kept;

  • the classes of individuals about whom records are kept;

  • the period for which each type of record is kept;

  • the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and

  • the steps that should be taken by persons wishing to obtain access to that information.

47.38 Currently, agencies provide their Digest entries to the OPC, which then makes them available on the OPC website.

Submissions and consultations

47.39 In DP 72, the ALRC identified support in submissions and consultations for changing the Digest requirements. A number of agencies submitted that the Digest entries were repetitive to prepare annually and not useful for the public, particularly given the increasing tendency of agencies to publish a privacy policy on their websites.

47.40 In DP 72, the ALRC proposed that the general notification principles currently located in the IPPs and NPPs should be consolidated and simplified into an ‘Openness’ principle.[61] The proposed principle would require an agency to produce a ‘Privacy Policy’ setting out the type of information currently required in the Digest entry, with some additions. The agency or organisation would be required to take reasonable steps to make its Privacy Policy available to an individual electronically, such as on its website, or in hard copy.[62]

47.41 The Cyberspace Law and Policy Centre did not disagree with the proposal to abolish the Personal Information Digest, which it acknowledged has rarely been used. It argued, however, that the OPC should prepare and publish a consolidated index of all Privacy Policies, which would allow public interest groups and the media to compare the policies.[63]

ALRC’s view

47.42 The implementation of the recommendations in Chapter 24, dealing with the ‘Openness’ principle in the model UPPs, would obviate any need for the current requirement to prepare a Digest entry. It would also mean that the corresponding obligation on the Commissioner to prepare the consolidated Digest could be removed.

47.43 It is not necessary for the OPC to undertake a corresponding obligation in relation to Privacy Policies—that is, to prepare and publish on its website a consolidated index of all Privacy Policies. Such a process would be resource intensive and is unlikely to increase awareness of privacy policies more generally. In the current electronic environment, individuals seeking an agency’s Privacy Policy are more likely to go to the agency’s website than look on the OPC website. The key concern is that Privacy Policies should be readily available to members of the public, which would be achieved by the requirement to make them available without charge electronically; and, on request, in hard copy or in an alternative form accessible to individuals with special needs.[64]

Recommendation 47-3 Subject to the implementation of Recommendation 24–1, requiring agencies to develop and publish Privacy Policies, the Privacy Act should be amended to remove the requirement in s 27(1)(g) to maintain and publish the Personal Information Digest.

[61] See Ch 24.

[62] Rec 24–2.

[63] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[64] Rec 24–2.