Existing Australian laws relating to privacy of individuals under the age of 18

Privacy Act

68.15 The personal information of individuals under the age of 18 is regulated by a number of laws. The laws that apply will depend upon who holds the information, although generally personal information held by Commonwealth and ACT agencies or their contractors, or held by non-government bodies not otherwise exempt from the operation of the Act, is regulated by the Privacy Act.[19] Many of the ALRC’s recommendations to streamline and clarify the operation of the Privacy Act and other privacy laws in Australia also will improve the handling of personal information of individuals under the age of 18.[20] In particular, the ALRC recommends that the Information Privacy Principles (IPPs) that apply to agencies, and the National Privacy Principles (NPPs) that apply to organisations, be replaced with a single set of principles, referred to in this Report as the model Unified Privacy Principles (UPPs).[21]

68.16 Many aspects of the privacy principles may require or allow an individual to provide consent to the collection, use or disclosure of personal information about him or her. The Act also establishes a number of situations where an individual can make a request or exercise a right. Each of these situations has a decision-making element. These include:

  • consenting to the collection of sensitive information;[22]

  • consenting to a particular use or disclosure of personal information, including consent to use such information for the purpose of direct marketing;[23]

  • requesting not to receive further direct marketing communications from an organisation;[24]

  • consenting to the transfer of personal information outside of Australia;[25]

  • requesting access to personal information held by an agency or organisation;[26]

  • opting for anonymity or pseudonymity in transacting with an agency or organisation;[27] and

  • making a complaint against an agency or organisation.[28]

68.17 A number of other requirements set out in the privacy principles aim to provide information to the individual to alert him or her to the circumstances of the collection, use and disclosure of personal information about him or her.[29] In some cases, this information will assist an individual in deciding whether to provide or withhold consent to a particular collection, use or disclosure, or to make a request under the Act.

68.18 The Privacy Act sets no minimum age at which an individual can make decisions regarding his or her personal information. The Guidelines to the National Privacy Principles suggest that each case must be considered individually, and give guidance as to when a young person may have the capacity to make a decision on his or her own behalf.

As a general principle, a young person is able to give consent when he or she has sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person; for example if the child is very young or lacks the maturity of understanding to do so themselves.[30]

68.19 The Guidelines on Privacy in the Public Health Sector stress that where a young person is capable of making his or her own decisions regarding personal information, he or she should be allowed to do so.[31] The Guidelines further suggest that, even if the young person is not competent to make a decision, his or her views should still be considered.[32]

68.20 At present, there is no structure in the Privacy Act for making decisions on behalf of an individual unable to make a decision concerning the privacy of his or her personal information.[33] It is assumed that parents are responsible for making decisions on behalf of children or young people incapable of making the decision themselves.[34]

Other privacy legislation

68.21 Some states and territories have legislation or administrative practices that regulate the privacy of certain personal information held by state or territory public sector agencies.[35] Most apply specifically to health information and are discussed in more detail in Chapter 2.

68.22 Generally, these statutes and schemes adopt the same approach to children and young people as the Privacy Act. Individuals under the age of 18 are given the same rights and protections as adults, and there are no specific protections or additional provisions relating to children or young people.

68.23 Some state and territory legislation, however, does provide statutory guidance on when a child or young person will be considered capable of making decisions without a parent or guardian regarding his or her personal information. For example, s 85(3) of the Health Records Act 2001 (Vic) states:

(3) For the purposes of sub-sections (1) and (2), an individual is incapable of giving consent, making the request or exercising the right of access if he or she is incapable by reason of age, injury, disease, senility, illness, disability, physical impairment or mental disorder of—

(a) understanding the general nature and effect of giving the consent, making the request or exercising the right of access (as the case requires); or

(b) communicating the consent or refusal of consent, making the request or personally exercising the right of access (as the case requires)—

despite the provision of reasonable assistance by another person.

68.24 In the Health Records (Privacy and Access) Act 1997 (ACT), the test of capacity is linked to the ability to understand the nature of, and give consent to, a health service.[36] Some legislation also includes express provisions on how, and by whom, decisions can be made on behalf of a child or young person unable to make his or her own decisions.[37]

[19] For a more detailed analysis of the scope of existing privacy laws in Australia, see Ch 2.

[20] These recommendations include adoption of nationally consistent privacy laws across jurisdictions (Ch 3), amendment of the Act to achieve greater logical consistency, simplicity and clarity (Rec 5–2), and inclusion of an objects clause in the Act (Rec 5–4).

[21] See Rec 18–2.

[22] See ‘Collection’ principle and discussion in Ch 21.

[23] See ‘Use and Disclosure’ principle and ‘Direct Marketing’ principle and discussion in Chs 25 and 26.

[24] See ‘Direct Marketing’ principle and discussion in Ch 26.

[25] See ‘Cross-Border Data Flows’ principle and discussion in Ch 31.

[26] See ‘Access and Correction’ principle and discussion in Ch 29.

[27] See ‘Anonymity and Pseudonymity’ principle and discussion in Ch 20.

[28] See discussion in Ch 49.

[29] See, eg, ‘Notification’ principle, which requires an agency or organisation to take such steps, if any, as are reasonable to ensure the individual is aware of a list of factors relating to the collection and use of their personal information, and the ‘Openness’ principle, which requires agencies and organisations to create a Privacy Policy: Chs 23, 24.

[30] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 21. Guidelines relating to the IPPs are more ambivalent, noting it may not be appropriate to rely on consent given by another person if a person under the age of 18 years is sufficiently old and mature to consent on their own behalf: Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 29.

[31] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), 33.

[32] Ibid, 34.

[33] The only exception is NPP 2.4 which allows disclosure of health information to a ‘responsible’ third party in the event that an individual is incapable of giving or communicating consent for disclosure, and the disclosure is necessary for the care or treatment of the individual or for compassionate reasons: Privacy Act 1988 (Cth) sch 3, NPP 2.4. The decision to disclose is made by the health care service provider. A ‘responsible’ person is defined to include a parent of the individual: Privacy Act 1988 (Cth) sch 3, NPP 2.5.

[34] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 213.

[35] For an overview of privacy regulation in the states and territories, see Ch 2.

[36] ‘Young person’ is defined as a person under 18 years of age other than a person ‘who is of sufficient age, and of sufficient mental and emotional maturity, to (a) understand the nature of a health service; and (b) give consent to a health service’: Health Records (Privacy and Access) Act 1997 (ACT) s 25, Dictionary.

[37] Health Records Act 2001 (Vic) s 85(6) states that ‘If the child is incapable, the giving, making or exercising of the consent, request or right may be provided by a parent or other authorised representative of the child’. Part 4 cl 4(3) of the draft National Health Information Code is an identical provision, and the Health Records and Information Privacy Act 2002 (NSW) s 7 has a similar operation. Health Records (Privacy and Access) Act 1997 (ACT) s 25, Dictionary specifies that the rights of an incapable young person are to be exercised by a parent, guardian or other person with parental responsibility.