17.08.2010
Combining individual assessment and age of presumption approaches
68.102 A system of individual assessment is the fairest and most appropriate way to determine if an individual under the age of 18 has the capacity to make a decision. As far as possible, a system of individual assessment should be incorporated formally into the Privacy Act.
68.103 The ALRC is alert, however, to the impracticalities of imposing an ‘across-the-board’ individual assessment approach. Decisions relating to personal information arise in a wide variety of contexts, many of which do not allow for individual assessment by the relevant agency or organisation. At present, it is assumed that an individual who completes a form, makes a phone call or ticks a box has the capacity to make the required decision regarding his or her personal information. The consequences of the decision to allow collection or disclosure of personal information, however, can be significant. This is of particular concern given that children and young people increasingly interact with agencies and organisations in the online environment without adult supervision.
68.104 The ALRC recommends a model that combines individual assessment and a minimum age of presumption of capacity. In all circumstances where an individual assessment is reasonable and practicable, any individual under the age of 18 should be assessed to determine if he or she has the capacity to make a decision to give consent, make a request or exercise a right of access under the Act. Where individual assessment is not reasonable or practicable, there should be a set age at which a presumption of legal capacity exists, and under which it is presumed the individual cannot make a decision in his or her own right. Even if a presumption is initially adopted, the presumption subsequently may be overridden by an individual assessment.
68.105 This approach has two benefits. First, the individual assessment element is flexible and recognises the ways in which cognitive capacity develops. Second, it provides certainty and enables practical operation in those situations where individual assessment is not reasonable or practicable.
68.106 The ALRC is aware that setting an age of presumption in the legislation may have a negative effect on the system of individual assessment and, in practice, suggest a general presumption for all decisions regarding personal information. The age of presumption is intended to be a fall back position, only to be relied upon in certain circumstances.
68.107 In DP 72, the ALRC used the words ‘where it is practicable’ to define when an individual assessment should be undertaken. The ALRC is now of the view that an individual assessment should be undertaken where it is ‘reasonable and practicable’. This obligation is consistent with a number of the model UPPs that seek to establish high-level obligations on agencies and organisations to undertake certain activities, while acknowledging cost compliance issues and practical business requirements.[177]
Setting the age of presumption
68.108 As outlined above, in many jurisdictions the age of presumption of legal capacity in relation to privacy decisions has been set at 16, with individual assessment below that age that allows for recognition of capacity in individual circumstances. In the United Kingdom it is assumed that those under the age of 12 do not have capacity, but legislation provides for individual assessment to be conducted above that age. COPPA in the United States, which is focused on the protection of children’s privacy in the online environment, requires parental authority or consent before personal information can be collected from any child under the age of 13.[178]
68.109 If the ALRC’s recommendations are implemented, the age of presumption of capacity will apply only where individual assessment is not reasonable or practicable. The age chosen must provide appropriate recognition of the capacity of the vast majority of individuals above a certain age, without exposing a large number of individuals to the potential consequences of decision making they are not equipped to deal with.
68.110 The balance between parental authority and the evolving capacities of young people to make decisions on their own also must be considered. The recognition of legal capacity will allow young people above a certain age to refuse to consent to disclosure of personal information to others, including their parents.[179]
68.111 While many global corporations are familiar with COPPA and already have policies and practices in place on their websites to facilitate parental consent requirements for individuals aged 12 or under, the ALRC does not consider that 13 is an appropriate age at which to expect all young people to take on the responsibilities and consequences of decision making relating to personal information.
68.112 Given previous debates in the Australian community, and the latest research that highlights the impact of psychosocial factors on adolescent decision making, the ALRC recommends that the minimum age for presumption of capacity be set at 15. Fifteen is the age at which a young person is entitled to obtain a separate Medicare card without parental permission. Under the ALRC’s recommendation, where an individual assessment is not reasonable or practicable, individuals aged 15 and over will be assumed to have the capacity to make decisions under the Privacy Act. Individuals under the age of 15 must have a person with parental responsibility make the decision on their behalf.
Assessing capacity
68.113 In DP 72, the ALRC proposed that a test of capacity be included in the Privacy Act. The test of capacity was intended to be applied when assessing the capacity of adults, as well as individuals under the age of 18. In Chapter 70, the policy basis for setting out a test of capacity in the Privacy Act is discussed. The ALRC concludes that it is not appropriate to set out a particular test for capacity in the Privacy Act. Sufficient clarification can be given in guidance to be developed and published by the OPC, drawing on existing literature regarding the assessment.[180]
Making decisions for a child or young person who lacks capacity
68.114 The Privacy Act does not provide any mechanism for making decisions on behalf of an individual under the age of 18 who is found, either by assessment or a reliance on the presumption, to be incapable of making a decision on his or her own behalf. It is assumed that parents or guardians will make these decisions. In DP 72, the ALRC proposed that the position be clarified in the Privacy Act and suggested specifying that a person with ‘parental responsibility’ must make such decisions.[181] The term ‘parental responsibility’ has been adopted in many Australian statutes dealing with duties, powers, responsibilities and authority of parents and persons acting as parents.[182]
68.115 This issue did not elicit many comments from stakeholders, although the ALRC notes general support for the clarification of the requirements for the handling of personal information of children and young people.
68.116 It is necessary to give specific legislative authority to persons with parental responsibility to make these kinds of decisions on behalf of children and young people lacking capacity. The duty of parents to provide for the welfare of their children implicitly gives authority to parents to make a range of decisions on behalf of their children who lack capacity,[183] but unlike other particular areas of decision making, there is no case law on matters relating to the handling of personal information.[184] It is not unusual for legislation to provide specific authority to persons with parental responsibility to make decisions on behalf of children and young people, including privacy legislation in a number of Australian and overseas jurisdictions.[185] Some Australian case law has interpreted the lack of specific legislative authority as showing a deliberate intention to omit parental authority.[186]
68.117 The term ‘person with parental responsibility’ encompasses parents, guardians, foster carers and other persons given parental responsibility by statute or a court order. The common law doctrine of in loco parentis also will operate to enable other persons standing in the role of parent either on a permanent or temporary basis—such as teachers, adult siblings, grandparents and carers—to make decisions on behalf of a child or young person lacking capacity. The authority for those other persons to make privacy-related decisions will be determined by the extent of the delegation of the parental responsibility.[187]
68.118 The ALRC notes that the common law provides a limitation on the authority of the parent by requiring that the acts of the parent must advance or protect the welfare of the child.[188] Courts have an inherent parens patriae jurisdiction to supervise the care and control of minors by parents and guardians.[189] This limitation on parental authority and court supervision would extend to all persons exercising parental responsibility.
Implementing the age of presumption
68.119 While the ALRC considers that agencies and organisations should give active consideration to establishing a process for individual assessment of the capacity of individuals under the age of 18, it recognises that this is not always reasonable or practicable. Where an agency or organisation seeks to rely on the presumed age of capacity, there should be some obligation on the agency or organisation to determine or verify the age of the individual.
68.120 As discussed in DP 72, the ALRC does not consider that agencies and organisations should be subject to an absolute requirement to establish that an individual is aged 15 or over before relying on the decision of that individual.[190] This would involve a significant compliance burden. Stakeholders supported a limitation on the liability of agencies and organisations in this context.
68.121 The Privacy Act shouldinclude a provision which balances the obligations of agencies and organisations to verify the age of an individual before relying on the age of presumption of capacity with practical realities. The provision should be couched as a positive obligation on agencies and organisations to take such steps, if any, as are reasonable in the circumstances to verify that the individual is aged 15 or over. This wording incorporates the concept of making a risk assessment—balancing the need to protect the privacy of children and young people, the costs of compliance, and the impact on all clients and customers of the agency or organisation—before deciding what age verification system should be implemented for any specific purpose. The term ‘such steps, if any, as are reasonable in the circumstances’ has been adopted in a number of the model UPPs.[191]
68.122 It is not appropriate to prescribe in the Privacy Act or subordinate legislation how the age verification mechanisms should be implemented. The market may be expected to continue to develop a range of age verification mechanisms, and there must be sufficient flexibility for agencies and organisations to develop mechanisms that suit their functions and the context in which privacy-related decision making is required.[192] Neither is it feasible for the OPC to spend significant resources monitoring compliance by agencies and organisations. The existence and effectiveness of an age verification mechanism, however, would be an issue for consideration as part of any complaint about a breach of the Act, or as part of an audit of compliance.
Guidance
68.123 The ALRC recommends that the OPC develop and publish guidance on the handling of personal information of individuals under the age of 18. A number of issues have been raised in this chapter where guidance will be required to assist agencies and organisations to interpret and comply with their obligations under the recommended provisions of the Privacy Act. These issues include:
how to involve children, young people, their parents and others with parental responsibility in decision-making processes. This includes providing reasonable assistance to individuals to understand and communicate decisions, and encouraging parental support where this is appropriate;
when it is reasonable and practicable to undertake individual assessment of the capacity of a child or young person;
appropriate practices for undertaking individual assessments;
what constitutes reasonable steps to verify the age of an individual where the agency or organisation seeks to rely on the age of presumption of capacity, including when it may be reasonable to have no age verification mechanism in place; and
appropriate practices for seeking consent from a person with parental responsibility on behalf of a child or young person lacking capacity, and identification of categories of persons that normally would be considered to have parental responsibility.
Privacy Policies and training requirements
68.124 One of the themes highlighted by stakeholders was a lack of knowledge and experience on the part of agencies and organisations when dealing with children and young people. The ALRC recommends, therefore, a number of practical solutions to raise the level of awareness of the proposed provisions and improve their practical application.
68.125 In Chapter 24, the ALRC recommends that agencies and organisations develop and publish a Privacy Policy that sets out how the agency or organisation manages personal information and how personal information is collected, held, used and disclosed.[193] Agencies and organisations that handle the personal information of individuals under the age of 18 should address in their Privacy Policies how such information is managed. Issues addressed could include: whether an individual assessment of capacity is carried out and by whom; what age verification mechanisms (if any) are used; and how a person with parental responsibility may act on behalf of a child or young person lacking capacity.
68.126 Agencies and organisations that regularly handle the personal information of individuals under the age of 18 should ensure that their staff are trained adequately to deal with issues concerning the capacity of children and young people. The ALRC notes concerns of stakeholders regarding the compliance burden associated with this recommendation. The ALRC has worded the recommendation to apply only to relevant staff, and has not included a requirement that staff be trained to conduct capacity assessments. It is noted, however, that staff in agencies and organisations that regularly deal with children and young people must become familiar with issues concerning capacity and how that agency or organisation deals with those issues.[194] Where individual assessments are reasonable and practicable, certain staff will need to be trained to undertake such assessments appropriately. Where individual assessments are not routinely undertaken, staff should be made aware of the steps to be taken to determine if an individual is 15 years old or over, and what must occur if an individual is under that age.
Recommendation 68-1 The Privacy Act should be amended to provide that where it is reasonable and practicable to make an assessment about the capacity of an individual under the age of 18 to give consent, make a request or exercise a right of access under the Act, an assessment about the individual’s capacity should be undertaken. Where an assessment of capacity is not reasonable or practicable, then an individual:
(a) aged 15 or over is presumed to be capable of giving consent, making a request or exercising a right of access; and
(b) under the age of 15 is presumed to be incapable of giving consent, making a request or exercising a right of access.
Recommendation 68-2 The Privacy Act should be amended to provide that where an individual under the age of 18 is assessed or presumed to not have capacity under the Act, any consent, request or exercise of a right in relation to that individual must be provided or made by a person with parental responsibility for the individual.
Recommendation 68-3 The Privacy Act should be amended to provide that, in order to rely on the age-based presumption, an agency or organisation is required to take such steps, if any, as are reasonable in the circumstances to verify that the individual is aged 15 or over.
Recommendation 68-4 The Office of the Privacy Commissioner should develop and publish guidance for applying the new provisions of the Privacy Act relating to individuals under the age of 18, including on:
(a) the involvement of children, young people and persons with parental responsibility in decision-making processes;
(b) situations in which it is reasonable and practicable to make an assessment regarding capacity of children and young people;
(c) practices and criteria to be used in determining whether a child or young person is capable of giving consent, making a request or exercising a right on his or her own behalf, including reasonable steps required to verify the age of an individual;
(d) the provision of reasonable assistance to children and young people to understand and communicate decisions; and
(e) the requirements to obtain consent from a person with parental responsibility for the child or young person in appropriate circumstances.
Recommendation 68-5 Agencies and organisations that regularly handle the personal information of individuals under the age of 18 should address in their Privacy Policies how such information is managed and how the agency or organisation will determine the capacity of individuals under the age of 18.
Recommendation 68-6 Agencies and organisations that regularly handle the personal information of individuals under the age of 18 should ensure that relevant staff receive training about issues concerning capacity, including when it is necessary to deal with third parties on behalf of those individuals.
[177] See the ‘Collection’, ‘Direct Marketing’ and ‘Access and Correction’ principles.
[178] See, eg, Children’s Online Privacy Protection Act 1998 15 USCA § 6501 (US). This influenced the Australian Labor Party’s proposed amendment to the Privacy Amendment (Private Sector) Act 2000 (Cth) headed ‘Special protection for children’ also adopted this cut-off age: Commonwealth of Australia, Parliamentary Debates, Senate, 30 November 2006, 20302 (N Bolkus). See also Internet Industry Association, Internet Industry Privacy Code of Practice: Consultation Draft 1.0 (2001).
[179] The disclosure will be permissible if this is expected as part of the primary purpose of collection, or a related secondary purpose. See, eg, the discussion on this point in relation to school reports in Ch 69.
[180] See Rec 68–4 below for guidance on these issues to be developed by the OPC.
[181] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [60.101], Proposals 60–2, 61–2.
[182] See, eg, Family Law Act 1975 (Cth) s 61B; Children and Young Persons (Care and Protection) Act 1998 (NSW) s 3; Adoption Act 1994 (WA) s 4.
[183] Department of Health and Community Services (NT) v JWB (1992) 175 CLR 218, 278, 315–317; Gillick v West Norfolk and Wisbech AHA [1986] AC 112.
[184] For a list of the kinds of decision making authorities that have been considered by the courts, see J Seymour, ‘An “Uncontrollable” Child: A Case Study in Children’s and Parents’ Rights’ in P Alston, S Parker and J Seymour (eds), Children, Rights and the Law (1992) 98, 113.
[185] See, eg, Health Records and Information Privacy Act 2002 (NSW) s 7; Health Records Act 2001 (Vic) s 85(6); Health Records (Privacy and Access) Act 1997 (ACT) s 25; Health Information Privacy Code 1994 (NZ) cl 3; Health Information Protection Act 2004 (Ontario) s 23(2).
[186] Hinch and Television and Telecasters (Melbourne) Pty Ltd (1996) 85 A Crim R 555. The legislation under consideration allowed the disclosure of the identity of a victim of sexual assault with the consent of the victim or the court. In this case, the victim was an eight year old boy and his parents had consented to the disclosure of the boy’s identity. The court ruled that the child did not have capacity to consent, and the parents did not have the authority to make that decision on behalf of the child.
[187] For example, it would not be expected that a soccer coach temporarily in charge of the child or young person has the authority to provide consent for the disclosure of a child or young person’s personal information to an organisation for commercial purposes. It may be appropriate, however, for a teacher to consent to disclosure of a student’s information in order to participate in an online educational activity approved by the school.
[188] Department of Health and Community Services (NT) v JWB (1992) 175 CLR 218, 316; Gillick v West Norfolk and Wisbech AHA [1986] AC 112, 170.
[189] Department of Health and Community Services (NT) v JWB (1992) 175 CLR 218.
[190] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [60.108].
[191] See ‘Notification’ and ‘Collection and Access’ principles.
[192] This regulatory approach has been adopted by the Australian Communications and Media Authority in relation to age verification processes to be developed for the purposes of restricting under-age access to material rated as R18+ or MA15+: Explanatory Statement, Restricted Access Systems Declaration 2007 (Cth), 8–9.
[193] See Recs 24–1, 24–2.
[194] For a similar discussion on staff awareness regarding issues concerning capacity in adult clients and customers, see Ch 70.