68.53 A number of policy approaches can be taken to the assessment of the capacity of individuals under the age of 18. Capacity could be assessed with reference to the following factors (or a combination of them):
according to a young person’s capacity to understand;
by fixing a general cut-off age;
according to the young person’s age and capacity to understand—for example, by deeming that young people over a certain age have legal capacity, and under a certain age do not have capacity, and for an age bracket in between which would require individual assessment of capacity;
according to the context of the decision—for example, by setting certain ages of legal capacity in relation to particularly sensitive issues such as access to information relating to a termination of pregnancy, or disclosure to the family of a missing young person’s location; or
according to specific groups of young people—for example, by deeming young people who are married, parents themselves, living independently or homeless to have legal capacity.
68.54 Research on the decision-making capacity of children and young people, international law as reflected in CROC, and recent case law all support an individual assessment of capacity. This approach is consistent with the existing regime understood and applied under the Privacy Act, and in other privacy legislation in Australia. There also is strong support in the community for continuing this approach. Further, a model that involves communicating with a child or young person to help him or her to understand the nature and consequences of a decision is the best model for involving children and young people in decision-making processes, even where the child or young person is found to be incapable of making the decision without assistance. The assessment process lends itself to involving parents, guardians or other supporting adults, so that the child or young person receives support whether he or she is capable or incapable of making an independent decision.
68.55 There are practical limitations and difficulties with this approach. Individual assessment presupposes that it is possible to engage with the individual. It also requires that the person making the assessment is suitably qualified to provide support and make an appropriate judgment about the capacity of the individual to understand the nature and consequences of the decision. While such a situation generally exists in a doctor-patient relationship, it does not exist in a wide variety of circumstances involving decisions regarding an individual’s personal information. Such circumstances include an individual:
completing an online form with personal information in order to access subscriber-only parts of a website, where the conditions of access (set out on the website) include allowing the company to use the personal information for marketing purposes;
providing staff at a gym with a form containing details of medical conditions;
agreeing over the phone to participate in a survey, and disclosing sensitive personal information during the phone interview;
completing a form in which he or she agrees to the use by an organisation of his or her personal information held by the organisation for research purposes; or
sending a letter or email to an agency, or completing an online form, requesting access to a record containing his or her personal information.
68.56 In many of these situations, the agency or organisation may not be aware of the age of the individual it is engaging with, let alone be able to make an assessment regarding the capacity of the individual to understand the nature and consequences of the decision. While the individual in each scenario may appear to consent to the collection or disclosure of, or access to, his or her personal information, the agency or organisation does not know whether the individual understands fully the consequences that may arise from the decision. At present, in the absence of making a one-on-one assessment concerning the capacity of an individual under the age of 18, the Privacy Act provides no guidance on how to handle personal information in such situations.
68.57 Setting a minimum age at which individuals are assumed to be able to make decisions under the Privacy Act would clarify the operation of the law and simplify processes for determining capacity. So long as an agency or organisation can establish that an individual is of the age where he or she is presumed to have capacity, no assessment of capacity would be required.
68.58 Setting a minimum age also would have the benefit of protecting those under that age, by requiring a person with parental responsibility to make decisions on their behalf. This would be appropriate where there are serious or possibly negative consequences of a decision regarding personal information, and the child or young person is not capable of giving appropriate consideration to those consequences. A person with parental responsibility would be required to make, or refuse to make, the decision on behalf of the child or young person, and ensure the child or young person is supported in all the circumstances.
68.59 The simplicity of the minimum age solution, however, also has the potential to cause injustice. It has been suggested that the application of any age-based legislative provision is arbitrary, and may breach the principle of equality before the law. It is inevitable that, at whatever age the barrier is placed, there will be some over the age that do not have the required capacity, and there will be some under the age that would have the required capacity.
68.60 If a specified age option is desirable, the next step is to determine the appropriate age. Research on child development and brain development suggests that the cognitive ability to make independent decisions is generally in place by the age of 14 to 16, but this cognitive ability has not fully matured and individuals of this age will continue to be more susceptible than adults to psychosocial factors. The impact of psychosocial factors will differ depending on the circumstances in which the decision must be made and the potential consequences of the decision. Also relevant are the circumstances of the individual, including his or her stage of social development, socio-economic status, and the support available to, and accepted by, the individual.
68.61 It may be appropriate to make the age of presumption dependent on the nature of the personal information involved. For example, decisions regarding health information may involve more complex considerations, and attract more significant consequences, than decisions regarding disclosure of an email address for direct marketing purposes. The Privacy Act already makes a distinction between sensitive information and other personal information and applies additional protection to sensitive information. It may be appropriate to set a higher minimum age for making decisions relating to sensitive information than to other personal information. While this approach is likely to cause some confusion for agencies, organisations and individuals, the fact that differing requirements already apply to the handling of sensitive information suggests it is possible to implement this approach.
68.62 Consideration could also be given to a deeming provision for certain categories of young people. For example, those who, in practice, act independently of their parents or guardians could be deemed to possess legal capacity for the purposes of decisions made under the Privacy Act. Any situation requiring such individuals to have a person with parental responsibility to make a decision on their behalf may be impractical. It would be possible to include such an approach under the Privacy Act, although it may not be easy to define the categories and it would require additional administrative steps to prove a certain individual falls within a particular category.
Models used in other jurisdictions
68.63 Most privacy legislation overseas takes the same approach as Australian privacy legislation in assuming all individuals, regardless of age, have the same level of protection for their personal information. Some overseas legislation makes provision, however, for determining when a child or young person may make decisions in his or her own right, or for determining who may make decisions on behalf of the child or young person.
68.64 The Privacy Act 1985 (Canada) and the Personal Information Protection and Electronic Documents Act 2000 (Canada) provide that rights or actions may be exercised or performed on behalf of a minor by an authorised person. It is assumed that an individual assessment approach is used in practice, although there is no guidance on the issue.
68.65 The United Kingdom uses a combined individual assessment and minimum age approach. Guidance has specified that an individual aged 12 or more is presumed to be of sufficient age and maturity to have the required understanding to exercise a right under the Data Protection Act 1998 (UK), but that an assessment of capacity should be made.
68.66 The Privacy Act 1993 (NZ) also uses a combined individual assessment and minimum age approach. The Act gives an agency the power to refuse to disclose information requested by an individual under the age of 16 if the disclosure would be contrary to the individual’s interests. There is no further guidance in the legislation or otherwise about assessing the capacity of a child or young person to make decisions under the Act, although an individual assessment approach can be assumed. The exception is in the Health Information Privacy Code 1994 (NZ),issued under the Privacy Act, which provides that, where an individual is under the age of 16, the individual’s parent or guardian may make decisions regarding the collection, use and disclosure of health information. As the provision is permissive, it does not preclude a child or young person from making a decision in his or her own right, but suggests that a decision by a parent or guardian will take precedence over that of the individual under the age of 16.
68.67 The Personal Health Information Protection Act 2004 (Ontario) has a number of interesting provisions relating to capacity, which combine an individual assessment and minimum age approach. Essentially, it assumes that a person aged 16 or over can consent to the collection, use or disclosure of personal information in his or her own right. It goes on to provide that a parent, children’s aid society or other person with parental responsibility may provide consent on behalf of an individual who is under the age of 16, but not if the information relates to: medical treatment about which the individual has made his or her own decision; or child and family services counselling in which the individual has participated on his or her own. The provision that parents or others mayprovide consent on behalf of an individual under the age of 16 is further qualified, however: if the individual is considered to be capable of consenting on his or her own, then the decision of the individual prevails over a conflicting decision of the parent or other substitute decision-maker.
Approach to reform
68.68 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC determined that there was a need to clarify the Privacy Act’s approach to decision making by individuals under the age of 18. The ALRC proposed that a model be incorporated into the Actthat required individual assessment of capacity when practicable, but a legislative presumption of capacity at age 15 or over where assessment is not practicable. The approach to individual assessment of capacity reflected the existing law. The ALRC acknowledged, however, that in many situations an agency or organisation would not be able to make an individual assessment—either because the method of interaction (eg, online) precluded individual assessment or the staff of an agency or organisation were not sufficiently trained to make such an assessment. The age of 15 was selected following consideration of the research on adolescent decision making and the types of decisions made under the Privacy Act and likely consequences of those decisions. It was also consistent with the age at which a young person is entitled to access a separate Medicare card without parental permission.
 These approaches are based on models developed by the New South Wales Law Reform Commission in considering the consent of minors to medical treatment: New South Wales Law Reform Commission, Minors’ Consent to Medical Treatment, IP 24 (2004), Ch 3. The NSWLRC is expected to complete its report on this project in 2008.
 The agency or organisation would need to be alert to issues concerning capacity generally, as in relation to its dealings with all adult individuals: see Ch 69.
 The term ‘authorised representative’, and who may be an authorised representative, are discussed further below.
 J Morss, ‘But for the Barriers: Significant Extensions to Children’s Capacity’ (2004) 11 Psychiatry, Psychology and Law 319, 321–322.
 It should be noted that the consequences of access to, and disclosure of, health information may differ from decisions regarding health treatment. This is discussed below.
 The ALRC proposes retaining this distinction for sensitive information. For the definition of sensitive information, see Ch 6. See Ch 22 for a discussion of the provisions relating to sensitive information in the model UPPs.
 This position is set out in the Act only in relation to Scotland, which otherwise deems that an individual does not have legal capacity until the age of 16: Data Protection Act 1998 (UK) s 66. This also means that in Scotland an individual aged 16 has legal capacity, and no assessment is required. It was not considered necessary to spell out this position in the legislation in relation to Wales, England and Northern Ireland: United Kingdom Government Information Commissioner’s Office, Data Protection Act 1998 Legal Guidance (2001), 52.
 Privacy Act 1993 (NZ) s 29(1)(d). This also means that there is no power to refuse if the individual is aged 16 or over.
 Health Information Privacy Code 1994 (NZ) cl 3.
 Health Information Protection Act 2004 (Ontario) s 23(2). Each of these exceptions applies to sensitive areas that are regulated by other legislation dealing with the capacity of the individual to provide consent or participate in his or her own right, namely the Health Care Consent Act 1996 (Ontario) and the Child and Family Services Act 1990 (Ontario).
 Ibid s 23(3).
 Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007) Proposal 60–1.