Implementing third party arrangements

70.110 In DP 72, the ALRC put forward a number of proposals aimed at assisting the implementation of provisions and processes relating to third party representatives, which would require:

  • the OPC to develop and publish guidance relating to assessing the capacity of an individual;[159] and practices and procedures for allowing the involvement of third parties to assist an individual to make and communicate privacy decisions;[160] and

  • agencies and organisations that handle personal information about individuals incapable of making a decision to address in their Privacy Policies how such information is managed;[161] and ensure that their staff are trained adequately to assess the decision-making capacity of individuals.[162]

Submissions and consultations

70.111 Stakeholders generally agreed that the OPC should provide guidance in these circumstances,[163] and in so doing should consult with banks,[164] people with disabilities, their carers and disability services,[165] peak disability advocacy groups, disability discrimination commissioners and others with expertise and experience on capacity issues.[166]

70.112 In relation to the guidance on assessing capacity, GE Money opposed the proposal, on the basis that decisions regarding capacity have an impact beyond privacy, and the OPC is not the appropriate body to be providing guidance on how to assess capacity.[167] In relation to the guidance on involving third parties assisting to make and communicate privacy decisions, the ADMA expressed doubts about the effectiveness of the proposal.[168]

70.113 A number of submissions supported the proposal that agencies and organisations that handle personal information about adults incapable of making a decision should include information about the management of such information in their Privacy Policy.[169] Optus supported an alternative proposal, that such information be required to be provided on request, rather than required to be included in Privacy Policies.[170] The OPC recognised the possible compliance burden on business, given that almost all agencies and organisations will deal at some time with capacity issues. The OPC suggested rewording the proposal so that agencies and organisations, ‘where practicable’, should include the information in their Privacy Policies.[171]

70.114 There were some concerns about the ALRC’s proposal that agencies and organisations that regularly handle personal information about adults incapable of making a decision ensure that staff are trained adequately to assess the decision-making capacity of individuals.[172] While there was support for the proposal,[173] the Australian Taxation Office (ATO) considered it excessive, suggesting instead that the training requirement be

confined to those bodies whose functions specifically include service provision to client groups with these special needs (such as the Department of Health and Ageing) … For other agencies such as the Tax Office, providing meaningful training on these issues for all staff would not be an efficient or effective use of resources.[174]

70.115 The ATO acknowledged, however, that it regularly deals with individuals with capacity issues and that its staff must be conscious of relevant issues when dealing with these individuals or their carers. The ABA suggested that basic training in behavioural warning signs would be appropriate, but stressed that bank staff should not be required to make assessments about capacity that would ordinarily only be made by a qualified medical practitioner or psychologist.[175]

ALRC’s view

OPC guidance

70.116 Guidance, to be developed and published by the OPC, is essential to facilitate the effective use of third party representatives consistent with the Privacy Act. Areas that should be included in the guidance include:

  • The involvement of third parties, with the consent of an individual, to assist the individual to make and communicate privacy decisions. The consensual involvement of third parties is consistent with the Privacy Act, but there appears to be some confusion in practice about when third parties—including interpreters, counsellors and legal representatives—can assist the individual to access personal information about himself or herself and communicate with an agency or organisation in relation to issues under the Privacy Act.

  • Establishing and administering nominee arrangements. The new provisions of the Privacy Act will need to be explained and agencies and organisations encouraged to establish nominee arrangements. Many aspects of a nominee arrangement will be left for each agency or organisation to develop to suit its own purposes, but OPC guidance on these issues will assist agencies and organisations to consider what is appropriate in their circumstances.

  • Identifying and dealing with issues concerning capacity, including the application of a presumption of capacity. The need to consider such issues is relevant not only in the privacy context, but in all dealings between the agency or organisation and an individual who may have capacity issues. While the OPC could draw on publications already in the public domain regarding capacity and recognition of substitute decision makers,[176] it would be necessary to put these practices into the context of decision making under the Privacy Act.

  • Recognising and verifying the authority of substitute decision makers authorised by a federal, state or territory law. The existence of inconsistent state and territory laws makes this a difficult area for agencies and organisations to navigate. As with capacity issues, the need to recognise and verify the authority of substitute decision makers is not limited to the privacy context. Where properly authorised substitute decision makers are not recognised for the purposes of the Privacy Act, however, this can have an impact on access to services and benefits for individuals with an incapacity.

70.117 As suggested in submissions, it will be important for the OPC to consult with people with disabilities, their carers and disability services, peak disability advocacy groups, and disability discrimination commissioners and others that have worked on capacity issues. The best practice guide developed by Privacy NSW on Privacy and People with Decision-Making Disabilities, which includes a checklist for dealing with capacity and alternative decision-making issues,is a good example of guidance that highlights issues concerning capacity and dealing with authorised substitute decision makers.

Information in Privacy Policies

70.118 While there was support in submissions to require agencies and organisations to address in their Privacy Policies how information relating to individuals with an incapacity will be handled, the ALRC does not recommend making this a requirement in all Privacy Policies.[177] The personal information of individuals lacking decision-making capacity will not be handled differently from the personal information of other individuals—the only difference will be that communication with the agency or organisation may be through a third party instead of directly with the individual.

70.119 Agencies and organisations should advise their clients and customers about the third party arrangements that operate in that agency or organisation. This extends to third party arrangements for all individuals, not only those with an incapacity, and includes nominee arrangements if such arrangements have been established.

70.120 The best way for agencies and organisations to communicate their practices for dealing with third parties is to develop formats that can be targeted to the clients and customers of, and the particular processes adopted by, the agency or organisation. The guidance to be developed by the OPC on third party representatives should highlight the benefits of making this information publicly available.

Training requirements

70.121 The ALRC recommends that agencies and organisations that regularly handle personal information about individuals with a temporary or permanent incapacity should ensure that relevant staff interacting with those individuals are trained adequately to recognise capacity issues, and know how to deal with them. This is not the same as expecting staff to make an assessment of capacity, a decision that should be undertaken by professionals consistent with laws and guidelines established by guardianship and administration legislation in each state and territory. Staff dealing with the general public should, however, be aware of problems that may arise in dealing with clients who have capacity issues. Training also should deal with recognition of third parties authorised as substitute decision makers under another federal, state or territory law.

Recommendation 70-3 The Office of the Privacy Commissioner should develop and publish guidance for dealing with third party representatives, including in relation to:

(a) the involvement of third parties, with the consent of an individual, to assist the individual to make and communicate privacy decisions;

(b) establishing and administering nominee arrangements;

(c) identifying and dealing with issues concerning capacity; and

(d) recognising and verifying the authority of substitute decision makers authorised by a federal, state or territory law.

Recommendation 70-4 Agencies and organisations that regularly handle personal information about adults with limited or no capacity to provide consent, make a request or exercise a right under the Privacy Act,should ensure that relevant staff are trained adequately in relation to issues concerning capacity, and in recognising and verifying the authority of third party representatives.

[159] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 61–4.

[160] Ibid, Proposal 62–1.

[161] Ibid, Proposal 61–5.

[162] Ibid, Proposal 61–6.

[163] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Australian Mercantile Agents Association, Submission PR 508, 21 December 2007; Australian Investigators Association, Submission PR 507, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Office of the Public Advocate Queensland, Submission PR 435, 10 December 2007; Carers Australia, Submission PR 423, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Festival of Light Australia, Submission PR 354, 1 December 2007.

[164] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[165] ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007.

[166] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[167] GE Money Australia, Submission PR 537, 21 December 2007.

[168] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[169] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Office of the Public Advocate Queensland, Submission PR 435, 10 December 2007.

[170] Optus, Submission PR 532, 21 December 2007.

[171] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[172] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 61–6.

[173] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Office of the Public Advocate Queensland, Submission PR 435, 10 December 2007; Carers Australia, Submission PR 423, 7 December 2007.

[174] Australian Taxation Office, Submission PR 515, 21 December 2007. The ATO has over 21,000 employees.

[175] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[176] Examples of capacity checklists and guides include: P Darzins, W Molloy and D Strang (eds), Who Can Decide?: The Six Step Capacity Assessment Process (2005); Disability Advocacy NSW, Capacity Checklist <www.da.org.au/publications.asp> at 5 May 2008.

[177] The ALRC recommends that agencies and organisations should set out clearly expressed policies on their handling of personal information in a Privacy Policy, including how they collect, hold, use and disclose personal information: see Rec 24–1.