Third party decision making under the Privacy Act

70.9 As discussed in Chapter 1, the focus of the Privacy Act is the protection of the privacy of an individual’s personal information. As such, all of the rights and entitlements embedded in the Act are connected with the individual, and in some cases require or enable the individual to give consent, request access or exercise a right. There is no explicit recognition in the Act of third parties acting on behalf of individuals.^[1]

70.10 For situations where an individual merely requires assistance from a third party, but the third party must have access to personal information about the individual in order to provide the necessary assistance, the ‘Use and Disclosure’ principle recommended in this Report provides that an agency or organisation may disclose personal information to a third party with consent of the individual.^[2]

70.11 It is possible for an individual to authorise a third party to act on his or her behalf. While this is not set out in the Privacy Act, the OPC has advised that there is nothing in the Act that prevents such an authorisation.^[3] On its website, the OPC confirms that the Privacy Act does not prevent an agency or organisation from dealing with a third party authorised by an individual to act on his or her behalf.^[4] The OPC goes on to note that organisations have a variety of procedures to ensure appropriate authorisation, including identity validation procedures. The OPC suggests that some organisations with existing customer verification procedures for telephone services may use such procedures for authorisation of third parties. The OPC also notes, however, that an organisation may decide that the circumstances and risk require a more robust authorisation process, such as the provision of written authorisation. Further guidance is not provided, although it is stated that the

Privacy Commissioner would expect that if a customer was to follow the security and identification procedures an organisation uses in its ordinary dealings, and give their consent, a third party may be able to act on that customer’s behalf.^[5]

70.12 Consensual authorisation is not a viable option, however, when dealing with an individual who lacks the capacity to provide authorisation. The ‘authorised by law’ exception in a number of the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) has been interpreted as allowing for recognition of substitute decision makers authorised by a federal, state or territory law.^[6] This is simply an implicit recognition of the powers of authorised substitute decision makers that have been established by the relevant federal, state or territory legislation or the instrument or order of appointment.^[7] The OPC has stated that a third party is able to exercise a right on behalf of an individual where a formal guardianship or administration order is in place, despite the absence of an express provision to that effect in the Privacy Act.^[8]

Examples of existing third party arrangements

70.13 A number of agencies and organisations have adopted third party arrangements as part of their normal course of business which allow for ongoing recognition of an authorised third party. For example, Optus has a procedure for establishing a third party authority nominated by the account holder to act on his or her behalf. A nominated person can request, change and supply information regarding the account. A nominated person, however, cannot do anything that requires the account holder’s signature or verbal electronic authorisation, including changing personal details or activating a new service.^[9] Optus notes that, in some cases, third party access is the primary form of communication between Optus and the customer, especially for customers with a disability or those from a non-English speaking background.^[10]

70.14 Telstra also has a system for naming an ‘authorised representative’ who is able to access information about an account on behalf of the ‘legal lessee’.^[11] MBF Health has an option for nominating a person to undertake membership transactions, collect benefits, or both, on behalf of the primary member. The nominee has the same rights and obligations as the primary member, including access to the health information of all persons on the membership.^[12]

70.15 Centrelink has nominee arrangements that are underpinned by legislation.^[13] Individuals can nominate any third party to act on their behalf in one or more of the following ways: to make enquiries only; to receive payments (payment nominee); or to act and make changes generally (correspondence nominee). Forms and processes for nominee arrangements are also used by Centrelink to recognise persons authorised as a substitute decision maker by a federal, state or territory law. As at 20 July 2007, there were 347,047 nominee arrangements in place: 25,753 payment arrangements; 285,398 correspondence only arrangements; and 35,896 with both payments and correspondence arrangements in place. Only 4% of these reflected a court, tribunal or guardianship or administration order or a formal power of attorney arrangement.^[14]

70.16 The Centrelink nominee arrangements have operated administratively in the past, although they were given a legislative basis in 2002. On the introduction of the provisions, the need for a legislative basis was explained as follows:

The amendments relating to nominees form a part of the measures being undertaken to give effect to the Government’s commitment to implement a simpler and more coherent social security system.

Nominees are particularly relevant to youth allowance, age pension and disability support pension recipients who have difficulty managing their own financial affairs.

Currently, the law only provides for a payment nominee and arrangements relating to correspondence are dealt with administratively. Similarly, the current law does not clearly set out the duties and obligations of nominees. With an ageing population the use of nominees is likely to increase so it is considered appropriate to address these issues now.^[15]

70.17 Part 3A of the Social Security (Administration) Act 1999 (Cth) provides the detail for the operation of the nominee arrangements, including the functions and responsibilities of nominees. In particular, the payment or correspondence nominee has a duty to act at all times in the best interests of the principal beneficiary.^[16] There is also provision for the suspension or revocation of nominee appointments.^[17]

70.18 Concerns were expressed in previous inquiries about the potential for abuse of nominee arrangements governed by Centrelink,^[18] including: inadequate safeguards around the appointment of nominees; inadequate penalties for a breach of nominee obligations; and problems with identifying abuse. In its 2007 report, Older People and the Law, the House of Representative Standing Committee on Legal and Constitutional Affairs noted that most of the concerns raised with the Committee centred on payment nominee arrangements, which have a higher risk of financial abuse than correspondence-only arrangements. Centrelink indicated to the Committee that it does not have a set schedule to review nominee arrangements, but only a small number of instances of abuse had been brought to Centrelink’s attention.^[19]